PoC to deploy with quadlets

lib/puppet/provider/cpdb_create/cpdb_create.rb

@@ -1,28 +1,46 @@
-Puppet::Type.type(:cpdb_create).provide(:cpdb_create) do
+#Puppet::Type.type(:cpdb_create).provide(:cpdb_create) do
+Puppet::Type.type(:cpdb_create).provide(:podman) do
 
-  commands :cpdb => '/usr/share/candlepin/cpdb'
+  #commands :cpdb => '/usr/share/candlepin/cpdb'
+  commands :podman => '/bin/podman'
 
   def create
     create_database
-    write_done_file
+    #write_done_file
   end
 
   def exists?
-    File.exist?(done_file)
+    false#File.exist?(done_file)
   end
 
   private
 
   def create_database
-    cpdb(
-      "--create",
-      "--schema-only",
-      "--dbhost=#{resource[:db_host]}",
-      "--dbport=#{resource[:db_port]}",
-      "--database=#{resource[:db_name]}#{resource[:ssl_options]}",
-      "--user=#{resource[:db_user]}",
-      "--password=#{resource[:db_password]}"
-    )
+    if resource[:container_based]
+      podman(
+        "run",
+        "--network=host",
+        "quay.io/ehelms/candlepin:4.3.12",
+        "/usr/share/candlepin/cpdb",
+        "--create",
+        "--schema-only",
+        "--dbhost=#{resource[:db_host]}",
+        "--dbport=#{resource[:db_port]}",
+        "--database=#{resource[:db_name]}#{resource[:ssl_options]}",
+        "--user=#{resource[:db_user]}",
+        "--password=#{resource[:db_password]}"
+      )
+    else
+      cpdb(
+        "--create",
+        "--schema-only",
+        "--dbhost=#{resource[:db_host]}",
+        "--dbport=#{resource[:db_port]}",
+        "--database=#{resource[:db_name]}#{resource[:ssl_options]}",
+        "--user=#{resource[:db_user]}",
+        "--password=#{resource[:db_password]}"
+      )
+    end
   end
 
   def done_file

lib/puppet/provider/cpdb_update/cpdb_update.rb

@@ -1,14 +1,17 @@
-Puppet::Type.type(:cpdb_update).provide(:cpdb_update) do
+#Puppet::Type.type(:cpdb_update).provide(:cpdb_update) do
+Puppet::Type.type(:cpdb_update).provide(:podman) do
 
-  commands :cpdb => '/usr/share/candlepin/cpdb'
-  commands :rpm => 'rpm'
+  #commands :cpdb => '/usr/share/candlepin/cpdb'
+  #commands :rpm => 'rpm'
+  commands :podman => 'podman'
 
   def create
     migrate_database
-    update_version_file
+    #update_version_file
   end
 
   def exists?
+    return false
     return false if previous_candlepin_version.nil?
     return false if candlepin_rpm_version.nil?
 
@@ -18,14 +21,29 @@ def exists?
   private
 
   def migrate_database
-    output = cpdb(
-      "--update",
-      "--dbhost=#{resource[:db_host]}",
-      "--dbport=#{resource[:db_port]}",
-      "--database=#{resource[:db_name]}#{resource[:ssl_options]}",
-      "--user=#{resource[:db_user]}",
-      "--password=#{resource[:db_password]}"
-    )
+    if resource[:container_based]
+      podman(
+        "run",
+        "--network=host",
+        "quay.io/ehelms/candlepin:4.3.12",
+        "/usr/share/candlepin/cpdb",
+        "--update",
+        "--dbhost=#{resource[:db_host]}",
+        "--dbport=#{resource[:db_port]}",
+        "--database=#{resource[:db_name]}#{resource[:ssl_options]}",
+        "--user=#{resource[:db_user]}",
+        "--password=#{resource[:db_password]}"
+      )
+    else
+      cpdb(
+        "--update",
+        "--dbhost=#{resource[:db_host]}",
+        "--dbport=#{resource[:db_port]}",
+        "--database=#{resource[:db_name]}#{resource[:ssl_options]}",
+        "--user=#{resource[:db_user]}",
+        "--password=#{resource[:db_password]}"
+      )
+    end
   end
 
   def version_file

lib/puppet/type/cpdb_create.rb

@@ -25,6 +25,10 @@
     desc "Password of the database user"
   end
 
+  newparam(:container_based) do
+    desc "To use a container"
+  end
+
   autorequire(:concat) do
     ['/etc/candlepin/candlepin.conf']
   end

lib/puppet/type/cpdb_update.rb

@@ -29,6 +29,10 @@
     ['/etc/candlepin/candlepin.conf']
   end
 
+  newparam(:container_based) do
+    desc "To use a container"
+  end
+
   autorequire(:cpdb_create) do
     [self[:db_name]]
   end

manifests/artemis.pp

@@ -22,15 +22,15 @@
     group   => $candlepin::group,
   }
 
-  file { "${candlepin::tomcat_conf}/login.config":
+  file { "/etc/tomcat/conf/login.config":
     ensure  => file,
     content => file('candlepin/tomcat/login.config'),
     mode    => '0640',
     owner   => $candlepin::user,
     group   => $candlepin::group,
   }
 
-  file { "${candlepin::tomcat_conf}/cert-users.properties":
+  file { "/etc/tomcat/conf/cert-users.properties":
     ensure  => file,
     content => Deferred('inline_epp', ["katelloUser=<%= \$artemis_client_dn %>\n", { 'artemis_client_dn' => $candlepin::artemis_client_dn }]),
     mode    => '0640',
@@ -46,6 +46,13 @@
     group   => $candlepin::group,
   }
 
+  file { "${candlepin::tomcat_conf}/conf.d":
+    ensure  => directory,
+    mode    => '0755',
+    owner   => $candlepin::user,
+    group   => $candlepin::group,
+  }
+
   file { "${candlepin::tomcat_conf}/conf.d/jaas.conf":
     ensure  => file,
     content => file('candlepin/tomcat/jaas.conf'),

manifests/config.pp

@@ -55,6 +55,13 @@
     'truststore_password' => $candlepin::_truststore_password,
   }
 
+  file { $candlepin::tomcat_conf:
+    ensure  => directory,
+    mode    => '0755',
+    owner   => 'root',
+    group   => $candlepin::group,
+  }
+
   file { "${candlepin::tomcat_conf}/server.xml":
     ensure  => file,
     content => epp('candlepin/tomcat/server.xml.epp', $server_context),
@@ -70,4 +77,26 @@
     owner   => 'root',
     group   => $candlepin::group,
   }
+
+  file { '/etc/tomcat/logging.properties':
+    ensure  => file,
+    content => template('candlepin/tomcat/logging.properties'),
+    mode    => '0644',
+    owner   => 'root',
+    group   => $candlepin::group,
+  }
+
+  file { '/etc/tomcat/conf':
+    ensure  => directory,
+    mode    => '0750',
+    owner   => 'root',
+    group   => $candlepin::group,
+  }
+
+  file { '/etc/tomcat/conf/conf.d':
+    ensure  => directory,
+    mode    => '0750',
+    owner   => 'root',
+    group   => $candlepin::group,
+  }
 }

manifests/database/postgresql.pp

@@ -77,20 +77,22 @@
     }
 
     cpdb_create { $db_name:
-      ensure      => present,
-      db_host     => $db_host,
-      db_port     => $db_port,
-      db_user     => $db_user,
-      db_password => $db_password,
-      ssl_options => $ssl_options,
+      ensure          => present,
+      db_host         => $db_host,
+      db_port         => $db_port,
+      db_user         => $db_user,
+      db_password     => $db_password,
+      ssl_options     => $ssl_options,
+      container_based => true,
     } ->
     cpdb_update { $db_name:
-      ensure      => present,
-      db_host     => $db_host,
-      db_port     => $db_port,
-      db_user     => $db_user,
-      db_password => $db_password,
-      ssl_options => $ssl_options,
+      ensure          => present,
+      db_host         => $db_host,
+      db_port         => $db_port,
+      db_user         => $db_user,
+      db_password     => $db_password,
+      ssl_options     => $ssl_options,
+      container_based => true,
     }
 
     # if both manage_db and init_db enforce order of resources

manifests/init.pp

@@ -173,6 +173,9 @@
 #   Disable FIPS within the Java environment for Tomcat explicitly.
 #   When set to false, no flag is added. Then on FIPS enabled systems, a Candlepin build that supports FIPS is required.
 #
+# @param use_container
+#   If true, deploys systemd service using a container.
+#
 # @example Set debug logging
 #   class { 'candlepin':
 #     loggers => {
@@ -237,6 +240,7 @@
   String $user = 'tomcat',
   String $group = 'tomcat',
   Boolean $disable_fips = true,
+  Boolean $use_container = true,
 ) inherits candlepin::params {
   contain candlepin::service
 

manifests/install.pp

@@ -4,37 +4,41 @@
 class candlepin::install {
   assert_private()
 
-  $enable_pki_core = $facts['os']['release']['major'] == '8'
+  if !$candlepin::use_container {
+    $enable_pki_core = $facts['os']['release']['major'] == '8'
 
-  if $candlepin::java_package {
-    stdlib::ensure_packages([$candlepin::java_package])
-    Package[$candlepin::java_package] -> Package['candlepin']
-  }
-
-  if $enable_pki_core {
-    package { 'pki-core':
-      ensure      => installed,
-      enable_only => true,
-      provider    => 'dnfmodule',
-      before      => Package['candlepin'],
+    if $candlepin::java_package {
+      stdlib::ensure_packages([$candlepin::java_package])
+      Package[$candlepin::java_package] -> Package['candlepin']
     }
-  }
 
-  package { ['candlepin']:
-    ensure => $candlepin::version,
-  }
+    if $enable_pki_core {
+      package { 'pki-core':
+        ensure      => installed,
+        enable_only => true,
+        provider    => 'dnfmodule',
+        before      => Package['candlepin'],
+      }
+    }
 
-  if $facts['os']['selinux']['enabled'] {
-    package { ['candlepin-selinux']:
+    package { ['candlepin']:
       ensure => $candlepin::version,
     }
 
-    if $enable_pki_core {
-      Package['pki-core'] -> Package['candlepin-selinux']
+    if $facts['os']['selinux']['enabled'] {
+      package { ['candlepin-selinux']:
+        ensure => $candlepin::version,
+      }
+
+      if $enable_pki_core {
+        Package['pki-core'] -> Package['candlepin-selinux']
+      }
     }
-  }
 
-  if $candlepin::run_init {
-    stdlib::ensure_packages(['wget'], { ensure => $candlepin::wget_version, })
+    if $candlepin::run_init {
+      stdlib::ensure_packages(['wget'], { ensure => $candlepin::wget_version, })
+    }
+  } else {
+    stdlib::ensure_packages(['podman'])
   }
 }

manifests/service.pp

@@ -4,21 +4,18 @@
 class candlepin::service {
   assert_private()
 
-  service { 'tomcat':
-    ensure     => running,
-    enable     => true,
-    hasstatus  => true,
-    hasrestart => true,
+  file { "/etc/containers/systemd/tomcat.container":
+    ensure  => present,
+    content => template('candlepin/candlepin.container'),
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0444',
+  } ~>
+  service { "tomcat":
+    ensure   => 'running',
+    enable   => true,
+    restart  => true,
+    provider => 'systemd',
   }
 
-  if $candlepin::run_init {
-    exec { 'cpinit':
-      # tomcat startup is slow - try multiple times (the initialization service is idempotent)
-      command => "/usr/bin/wget --no-check-certificate --no-proxy --timeout=30 --tries=40 --wait=20 --retry-connrefused -qO- https://localhost:${candlepin::ssl_port}/candlepin/admin/init > /var/log/candlepin/cpinit.log 2>&1 && touch /var/lib/candlepin/cpinit_done",
-      require => [Package['wget'], Service['tomcat']],
-      creates => '/var/lib/candlepin/cpinit_done',
-      # timeout is roughly "wait" * "tries" from above
-      timeout => 800,
-    }
-  }
 }

templates/candlepin.container

@@ -0,0 +1,20 @@
+[Unit]
+Description=Candlepin
+After=local-fs.target
+
+[Container]
+Image=quay.io/ehelms/candlepin:4.3.12
+PodmanArgs=--cgroups=enabled
+LogDriver=journald
+
+Volume=/etc/tomcat/logging.properties:/etc/tomcat/logging.properties
+Volume=/etc/tomcat/server.xml:/etc/tomcat/server.xml
+Volume=/etc/tomcat/conf:/etc/tomcat/conf
+Volume=/etc/tomcat/tomcat.conf:/etc/tomcat/tomcat.conf
+Volume=/etc/candlepin:/etc/candlepin
+
+PublishPort=8443:8443
+
+[Install]
+# Start by default on boot
+WantedBy=multi-user.target default.target