Migrate to rootful container architecture with infrastructure fact pattern
Major architectural change from rootless user services to system-level (rootful) containers to enable group-based Unix socket access for containerized applications. Infrastructure Changes: - PostgreSQL: Export postgres-clients group GID as Ansible fact - Valkey: Export valkey-clients group GID as Ansible fact - Valkey: Add socket-fix service to maintain correct socket group ownership - Both: Set socket directories to 770 with client group ownership Authentik Role Refactoring: - Remove rootless container configuration (subuid/subgid, lingering, user systemd) - Deploy Quadlet files to /etc/containers/systemd/ (system-level) - Use dynamic GID facts in container PodmanArgs (--group-add) - Simplify user creation to system user with infrastructure group membership - Update handlers for system scope service management - Remove unnecessary container security options (no user namespace isolation) Container Template Changes: - Pod: Remove --userns args, change WantedBy to multi-user.target - Containers: Replace Annotation with PodmanArgs using dynamic GIDs - Remove /dev/shm mounts and SecurityLabelDisable (not needed for rootful) - Change WantedBy to multi-user.target for system services Documentation Updates: - Add ADR-005: Rootful Containers with Infrastructure Fact Pattern - Update ADR-003: Podman + systemd for system-level deployment - Update authentik-deployment-guide.md for system scope commands - Update service-integration-guide.md with rootful pattern examples - Document discarded rootless approach and rationale Why Rootful Succeeds: - Direct UID/GID mapping preserves supplementary groups - Container process groups match host socket group ownership - No user namespace remapping breaking permissions Why Rootless Failed (Discarded): - User namespace UID/GID remapping broke group-based socket access - Supplementary groups remapped into subgid range didn't match socket ownership - Even with --userns=host and keep_original_groups, permissions failed Pattern Established: - Infrastructure roles create client groups and export GID facts - Application roles validate facts and consume in container templates - Rootful containers run as dedicated users with --group-add for socket access - System-level deployment provides standard systemd service management Deployment Validated: - Services in /system.slice/ ✓ - Process groups: 961 (valkey-clients), 962 (postgres-clients), 966 (authentik) ✓ - Socket permissions: 770 with client groups ✓ - HTTP endpoint responding ✓
This commit is contained in:
@@ -2,6 +2,16 @@
|
||||
# Authentik Authentication Role - Main Tasks
|
||||
# Self-contained deployment with Podman and Unix sockets
|
||||
|
||||
- name: Validate infrastructure facts are available
|
||||
assert:
|
||||
that:
|
||||
- postgresql_client_group_gid is defined
|
||||
- valkey_client_group_gid is defined
|
||||
fail_msg: |
|
||||
Required infrastructure facts are not available.
|
||||
Ensure PostgreSQL and Valkey roles have run and exported client group GIDs.
|
||||
tags: [validation]
|
||||
|
||||
- name: Setup authentik user and container namespaces
|
||||
include_tasks: user.yml
|
||||
tags: [user, setup]
|
||||
@@ -18,8 +28,6 @@
|
||||
containers.podman.podman_image:
|
||||
name: "{{ authentik_image }}:{{ authentik_version }}"
|
||||
state: present
|
||||
become: true
|
||||
become_user: "{{ authentik_user }}"
|
||||
tags: [containers, image-pull]
|
||||
|
||||
- name: Create media directory structure
|
||||
@@ -48,29 +56,23 @@
|
||||
- restart authentik worker
|
||||
tags: [config]
|
||||
|
||||
- name: Create Quadlet systemd directory (user scope)
|
||||
- name: Create Quadlet systemd directory (system scope)
|
||||
file:
|
||||
path: "{{ authentik_quadlet_dir }}"
|
||||
path: /etc/containers/systemd
|
||||
state: directory
|
||||
owner: "{{ authentik_user }}"
|
||||
group: "{{ authentik_group }}"
|
||||
mode: '0755'
|
||||
|
||||
- name: Deploy Quadlet pod and container files (user scope)
|
||||
- name: Deploy Quadlet pod and container files (system scope)
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ authentik_quadlet_dir }}/{{ item.dest }}"
|
||||
owner: "{{ authentik_user }}"
|
||||
group: "{{ authentik_group }}"
|
||||
dest: "/etc/containers/systemd/{{ item.dest }}"
|
||||
mode: '0644'
|
||||
loop:
|
||||
- { src: 'authentik.pod', dest: 'authentik.pod' }
|
||||
- { src: 'authentik-server.container', dest: 'authentik-server.container' }
|
||||
- { src: 'authentik-worker.container', dest: 'authentik-worker.container' }
|
||||
become: true
|
||||
become_user: "{{ authentik_user }}"
|
||||
notify:
|
||||
- reload systemd user
|
||||
- reload systemd
|
||||
- restart authentik pod
|
||||
- restart authentik server
|
||||
- restart authentik worker
|
||||
@@ -108,22 +110,12 @@
|
||||
timeout: 30
|
||||
when: valkey_unix_socket_enabled
|
||||
|
||||
- name: Ensure systemd user session is started
|
||||
systemd:
|
||||
name: "user@{{ authentik_uid }}.service"
|
||||
state: started
|
||||
scope: system
|
||||
register: user_session_start
|
||||
|
||||
- name: Enable and start Authentik pod (user scope)
|
||||
- name: Enable and start Authentik pod (system scope)
|
||||
systemd:
|
||||
name: "authentik-pod"
|
||||
enabled: "{{ authentik_service_enabled }}"
|
||||
state: "{{ authentik_service_state }}"
|
||||
scope: user
|
||||
daemon_reload: true
|
||||
become: true
|
||||
become_user: "{{ authentik_user }}"
|
||||
tags: [containers, service]
|
||||
|
||||
- name: Wait for Authentik to be ready
|
||||
|
||||
Reference in New Issue
Block a user