
Change installation path to the system managed path #61

Open: seantronsen wants to merge 2 commits into OpenCHAMI:main from seantronsen:main

seantronsen commented Jun 23, 2026

Pull Request Template

Thank you for your contribution! Please ensure the following before submitting:

Checklist

  • My code follows the style guidelines of this project
  • I have added/updated comments where needed
  • I have added tests that prove my fix is effective or my feature works
  • I have run make test (or equivalent) locally and all tests pass
  • DCO Sign-off: All commits are signed off (git commit -s) with my real name and email
  • REUSE Compliance:
    • Each new/modified source file has SPDX copyright and license headers
    • Any non-commentable files include a <filename>.license sidecar
    • All referenced licenses are present in the LICENSES/ directory

Description

Moves plain Systemd units and Podman quadlets to the correct system-managed paths:

  • /etc/containers/systemd -> /usr/share/containers/systemd
  • /etc/systemd/system -> /usr/lib/systemd/system

Effect

This frees up the administrator-managed paths for drop-ins and local overrides. On the quadlet side, this makes simple changes much easier (e.g., testing a different image tag). More generally, the full set of Systemd override mechanisms is available.

Functionally, this PR is little more than updating the RPM to install files into the proper locations for system-managed artifacts.

Caveats

If this is accepted, we'll need a quick pass over the openchami.org tutorials to update any directory listings that still reference the old paths.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

For more info, see Contributing Guidelines.

seantronsen (Author) commented

It's also possible to update scripts/{openchami-certificate-update,bootstrap_openchami.sh} to instead leverage the local admin path (e.g., /etc/containers/systemd).

For now, I kept it simple and just hit those files with the same sed subst.

If it's desirable, I can fix up those scripts too.

Signed-off-by: Sean Tronsen <sean.tronsen@gmail.com>
Signed-off-by: Sean Tronsen <sean.tronsen@gmail.com>

seantronsen (Author) commented Jun 24, 2026

For reference/convenience, here is an example script for making overrides. I'm currently using this to replicate bug behaviors w.r.t. specific tagged versions of our microservices:

[rocky@head ~]$ cat override-quadlet-images.bash
#!/usr/bin/env bash

# Log an error to stderr and syslog, then exit non-zero.
function log-error() {
        if ! [ ${#} -eq 1 ]; then
                log-error "log-error must receive only one argument, but received $#"
        fi
        PREFIX="error:"
        MESSAGE="${PREFIX} ${1}"
        echo "${MESSAGE}" >&2
        logger --id=$$ "${MESSAGE}"
        exit 1
}

# Writing under /etc/containers/systemd requires root.
if ! [ "${UID}" -eq 0 ]; then
        log-error "superuser privileges are required to execute this script!"
fi

echo "creating container image overrides for OpenCHAMI quadlet files:"

DEST="/etc/containers/systemd"
FNAME_OVERRIDE="10-override.conf"
# For each packaged quadlet, create <name>.container.d/10-override.conf and
# strip the copy down to the [Container] header and the Image line.
while IFS= read -r filename; do
        TARGET="${DEST}/$(basename "${filename}").d/${FNAME_OVERRIDE}"
        mkdir -v -p "$(dirname "${TARGET}")"
        cp -v "${filename}" "${TARGET}"
        sed -i '/\[Container\]\|Image/!d' "${TARGET}"
done < <(rpm -ql openchami | grep -i '\.container$')

echo "finished."

Warning

It's imperative that you use the <service-name.container>.d/<priority>-<semantic-name>.conf style for Systemd overrides. If you instead naively create /etc/containers/systemd/<service-name>.container, this ends up wiping out the previous config specified in the system managed path.

If you do follow this advice, then the config is appended to the corresponding sections upon the next daemon-reload, thus resulting in the desired override behavior.

Example

[rocky@head ~]$ cat /etc/containers/systemd/coresmd-coredns.container.d/10-override.conf
[Container]
Image=ghcr.io/openchami/coresmd:v0.6.3
[rocky@head ~]$ sudo systemctl daemon-reload
[rocky@head ~]$ sudo systemctl cat coresmd-coredns.service
# /run/systemd/generator/coresmd-coredns.service
# Automatically generated by /usr/lib/systemd/system-generators/podman-system-generator
#
[Unit]
Wants=network-online.target
After=network-online.target
Description=The CoreSMD CoreDNS container
Wants=haproxy.service
After=haproxy.service
PartOf=openchami.target
SourcePath=/usr/share/containers/systemd/coresmd-coredns.container
RequiresMountsFor=%t/containers
RequiresMountsFor=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
RequiresMountsFor=/etc/openchami/configs/Corefile

[X-Container]
ContainerName=coresmd-coredns

HostName=coresmd-coredns
Image=ghcr.io/openchami/coresmd:v0.4.3

Exec=/coredns

# Capabilities
AddCapability=NET_ADMIN
AddCapability=NET_RAW

# Volumes
Volume=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:/root_ca/root_ca.crt:ro,Z
Volume=/etc/openchami/configs/Corefile:/Corefile:ro,Z

# Networks for the Container to use
Network=host

# Unsupported by generator options
# Proxy settings
PodmanArgs=--http-proxy=false
Image=ghcr.io/openchami/coresmd:v0.6.3

[Service]
Restart=always
Environment=PODMAN_SYSTEMD_UNIT=%n
KillMode=mixed
ExecStop=/usr/bin/podman rm -v -f -i coresmd-coredns
ExecStopPost=-/usr/bin/podman rm -v -f -i coresmd-coredns
Delegate=yes
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
ExecStart=/usr/bin/podman run --name coresmd-coredns --replace --rm --cgroups=split --hostname coresmd-coredns --network host --sdnotify=conmon -d --cap-add net_admin --cap-add net_raw -v /etc/pki/ca-trust/extracted/pem/tls-ca-bund>

Notice how the new Image= configuration is now specified at the bottom of the [X-Container] section.
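
An audit of the two override styles described in the warning above, as an added example that is not part of the PR or the OpenCHAMI code base: it lists each packaged quadlet, reports whether it is overridden by a drop-in or replaced outright by a same-named file in the admin path, and prints the Image= value that wins. The function names are hypothetical, only drop-ins under the admin directory are read, and the sample tree and registry.example image names are constructed.

```shell
# Added example, not part of the PR: report how each packaged quadlet is
# overridden locally and which Image= value wins after the merge.
# audit_quadlets [SYSTEM_DIR] [ADMIN_DIR]   (hypothetical helper name)
# Prints "<unit> <status> <image>" per packaged *.container file:
#   packaged  no local override
#   drop-in   <unit>.d/*.conf is merged on top of the packaged file
#   SHADOWED  a same-named file in ADMIN_DIR replaces the packaged file
audit_quadlets() {
    sys_dir="${1:-/usr/share/containers/systemd}"
    adm_dir="${2:-/etc/containers/systemd}"
    for unit in "${sys_dir}"/*.container; do
        [ -f "${unit}" ] || continue
        name="$(basename "${unit}")"
        status="packaged"
        set -- "${unit}"                  # files to read, in merge order
        if [ -f "${adm_dir}/${name}" ]; then
            status="SHADOWED"
            set -- "${adm_dir}/${name}"   # packaged file is no longer read
        fi
        for dropin in "${adm_dir}/${name}.d"/*.conf; do  # glob sorts by name
            [ -f "${dropin}" ] || continue
            if [ "${status}" = "packaged" ]; then status="drop-in"; fi
            set -- "$@" "${dropin}"
        done
        # The last Image= seen inside a [Container] section is the one kept.
        image="$(awk 'FNR == 1 { sec = "" }
                      /^\[/    { sec = $0 }
                      sec == "[Container]" && /^Image=/ { img = substr($0, 7) }
                      END      { print img }' "$@")"
        printf '%s %s %s\n' "${name}" "${status}" "${image:-<none>}"
    done
}

# Constructed sample tree; registry.example image names are placeholders.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "${root}/sys" "${root}/adm/a.container.d"
    for n in a b c; do
        printf '[Container]\nImage=registry.example/%s:v1\n' "${n}" > "${root}/sys/${n}.container"
    done
    printf '[Container]\nImage=registry.example/a:v2\n' > "${root}/adm/a.container.d/10-override.conf"
    printf '[Container]\nExec=/bin/true\n' > "${root}/adm/b.container"
    echo "${root}"
}

sample="$(make_sample_tree)"
audit_quadlets "${sample}/sys" "${sample}/adm"
rm -rf "${sample}"
```

A SHADOWED line with `<none>` is the failure mode from the warning: the admin-path file replaced the packaged unit and the packaged Image= line is gone with it.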
