Adding container images via Ansible

Hi All,

I’m trying to add several containers to VyOS using Ansible, as follows -

    - name: Add filebeat image
      vyos.vyos.vyos_command:
        commands:
        - add container image beats/filebeat:7.17.20-amd64
    - name: Add heartbeat image
      vyos.vyos.vyos_command:
        commands:
        - add container image beats/heartbeat:7.17.20-amd64

The playbook tasks run, and return OK, but no containers are actually added -

    TASK [Add filebeat image] ****************************************************************************************************
    ok: [192.168.17.51]

    TASK [Add heartbeat image] ***************************************************************************************************
    ok: [192.168.17.51]

If I -vvvv the ansible command for more detail, the stdout output provides some indication of why the containers aren’t there, but I’m not entirely sure how to fix it, as manually running the same command on the CLI works.

    ok: [192.168.17.51] => {
        "changed": false,
        "invocation": {
            "module_args": {
                "commands": [
                    "add container image beats/filebeat:7.17.20-amd64"
                ],
                "interval": 1,
                "match": "all",
                "provider": null,
                "retries": 10,
                "wait_for": null
            }
        },
        "stdout": [
            "Resolving \"beats/filebeat\" using unqualified-search registries (/etc/containers/registries.conf)\nTrying to pull docker.elastic.co/beats/filebeat:7.17.20-amd64...\nTrying to pull docker.io/beats/filebeat:7.17.20-amd64...\nTrying to pull quay.io/beats/filebeat:7.17.20-amd64...\nError: 3 errors occurred while pulling:\n * initializing source docker://docker.elastic.co/beats/filebeat:7.17.20-amd64: pinging container registry docker.elastic.co: Get \"https://docker.elastic.co/v2/\": dial tcp: lookup docker.elastic.co on [::1]:53: read udp [::1]:42094->[::1]:53: read: connection refused\n * initializing source docker://beats/filebeat:7.17.20-amd64: pinging container registry registry-1.docker.io: Get \"https://registry-1.docker.io/v2/\": dial tcp: lookup registry-1.docker.io on [::1]:53: read udp [::1]:50640->[::1]:53: read: connection refused\n * initializing source docker://quay.io/beats/filebeat:7.17.20-amd64: pinging container registry quay.io: Get \"https://quay.io/v2/\": dial tcp: lookup quay.io on [::1]:53: read udp [::1]:48723->[::1]:53: read: connection refused"
        ],
        "stdout_lines": [
            [
                "Resolving \"beats/filebeat\" using unqualified-search registries (/etc/containers/registries.conf)",
                "Trying to pull docker.elastic.co/beats/filebeat:7.17.20-amd64...",
                "Trying to pull docker.io/beats/filebeat:7.17.20-amd64...",
                "Trying to pull quay.io/beats/filebeat:7.17.20-amd64...",
                "Error: 3 errors occurred while pulling:",
                " * initializing source docker://docker.elastic.co/beats/filebeat:7.17.20-amd64: pinging container registry docker.elastic.co: Get \"https://docker.elastic.co/v2/\": dial tcp: lookup docker.elastic.co on [::1]:53: read udp [::1]:42094->[::1]:53: read: connection refused",
                " * initializing source docker://beats/filebeat:7.17.20-amd64: pinging container registry registry-1.docker.io: Get \"https://registry-1.docker.io/v2/\": dial tcp: lookup registry-1.docker.io on [::1]:53: read udp [::1]:50640->[::1]:53: read: connection refused",
                " * initializing source docker://quay.io/beats/filebeat:7.17.20-amd64: pinging container registry quay.io: Get \"https://quay.io/v2/\": dial tcp: lookup quay.io on [::1]:53: read udp [::1]:48723->[::1]:53: read: connection refused"
            ]
        ]
    }

I’ve already updated my unqualified-search-registries by this point of the playbook with the following config via Ansible -

    set container registry docker.elastic.co
    set container registry docker.io
    set container registry quay.io

Any advice greatly received.

Cheers
Andy

At a guess, from the logs, it’s having trouble reaching DNS.

Can you check whether you’ve got a working DNS on localhost (it’s trying to hit localhost:53)?

If you’re using VRFs, is it reachable from your working VRF or global?

4 Likes

Hiya,

Thanks for the response. We’re not using VRFs, and you’re right, it’s DNS, it’s always DNS! :)

We’re preparing these VyOS images following a basic IP setup on the console with SSH enabled to allow Ansible to finish the install. Changing the pre-command to this fixed it -

      vyos_config:
        lines:
          - set system name-server '1.1.1.1'
          - set system name-server '9.9.9.9'
          - set container registry docker.elastic.co
          - set container registry quay.io
          - set container registry docker.io

Thanks for pointing out what should have been obvious!

All working now.

Andy

3 Likes
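
Added example, not part of the thread: the tasks above reported `ok` even though every pull failed, because `vyos_command` only returns the command's output. This play sets the resolvers first, fails the task when that output contains the `Error:` marker seen in the log, and then checks that the image is present. The `vyos` inventory group, the task names, the fully qualified heartbeat name and the assumption that `show container image` lists the repository name are illustrative, not taken from the posts.

```yaml
# Added example, not from the thread. Connection settings (network_cli,
# ansible_network_os) are assumed to come from the inventory.
- name: Pull container images on VyOS and detect failed pulls
  hosts: vyos                      # assumed inventory group
  gather_facts: false
  tasks:
    - name: Configure resolvers and registries before any pull
      vyos.vyos.vyos_config:
        lines:
          - set system name-server '1.1.1.1'
          - set system name-server '9.9.9.9'
          - set container registry docker.elastic.co

    - name: Pull images by fully qualified name
      vyos.vyos.vyos_command:
        commands:
          - "add container image {{ item }}"
      loop:
        # filebeat name is taken from the pull log in the first post;
        # the heartbeat name is assumed to follow the same pattern.
        - docker.elastic.co/beats/filebeat:7.17.20-amd64
        - docker.elastic.co/beats/heartbeat:7.17.20-amd64
      register: pull
      # The pull error is only visible in stdout, so turn it into a
      # task failure instead of a silent "ok".
      failed_when: "'Error:' in (pull.stdout | join(' '))"

    - name: List images held locally
      vyos.vyos.vyos_command:
        commands:
          - show container image
      register: images

    - name: Confirm both images are present
      ansible.builtin.assert:
        that:
          - "'docker.elastic.co/beats/filebeat' in images.stdout[0]"
          - "'docker.elastic.co/beats/heartbeat' in images.stdout[0]"
        fail_msg: "Image missing after pull, check DNS and registry reachability"
```

Naming the registry in the image reference also avoids the unqualified-search fallback shown in the log, where the same short name was tried against three registries in turn.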
