r/blackbox-exporter: Rework to run as container

Instead of downloading the `blackbox_exporter` binary from GitHub and
copying it to the managed node, the _blackbox-exporter_ role now
installs _podman_ and configures a systemd container unit (Quadlet) to
run it in a container.  This simplifies the deployment considerably, and
will make updating easier (just run the playbook with `-e
blackbox_exporter_pull_image=true`).

roles/blackbox-exporter/defaults/main.yml

@@ -1,3 +1,6 @@
 blackbox_modules: {}
 blackbox_config:
   modules: '{{ blackbox_modules }}'
+blackbox_container_image: '{{ blackbox_container_image_name }}:{{ blackbox_container_image_tag }}'
+blackbox_container_image_name: quay.io/prometheus/blackbox-exporter
+blackbox_container_image_tag: latest

roles/blackbox-exporter/handlers/main.yml

@@ -2,12 +2,12 @@
   systemd:
     daemon_reload: true
 
-- name: restart blackbox_exporter
+- name: restart blackbox-exporter
   service:
-    name: blackbox_exporter
+    name: blackbox-exporter
     state: restarted
 
-- name: reload blackbox_exporter
+- name: reload blackbox-exporter
   service:
-    name: blackbox_exporter
+    name: blackbox-exporter
     state: reloaded

roles/blackbox-exporter/tasks/deploy.yml

@@ -1,3 +1,26 @@
+- name: ensure blackbox container is present
+  podman_image:
+    name: '{{ blackbox_container_image_name }}'
+    tag: '{{ blackbox_container_image_tag }}'
+    state: present
+    pull: '{{ blackbox_exporter_pull_image|d(false)|bool }}'
+  notify:
+  - reload systemd
+  - restart blackbox-exporter
+  tags:
+  - container
+
+- name: ensure blackbox-exporter system container is configured
+  template:
+    src: blackbox-exporter.container.j2
+    dest: /etc/containers/systemd/blackbox-exporter.container
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload systemd
+  - restart blackbox-exporter
+
 - name: ensure /etc/prometheus directory exists
   file:
     path: /etc/prometheus
@@ -6,7 +29,7 @@
     group: root
     state: directory
 
-- name: ensure blackbox_exporter is configured
+- name: ensure blackbox-exporter is configured
   copy:
     dest: /etc/prometheus/blackbox.yml
     content: |
@@ -15,19 +38,22 @@
     owner: root
     group: root
   notify:
-  - reload blackbox_exporter
+  - reload blackbox-exporter
 
-- name: ensure blackbox_exporter starts at boot
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure blackbox-exporter starts at boot
   service:
-    name: blackbox_exporter
+    name: blackbox-exporter
     enabled: true
   tags:
   - service
 - name: flush_handlers
   meta: flush_handlers
-- name: ensure blackbox_exporter is running
+- name: ensure blackbox-exporter is running
   service:
-    name: blackbox_exporter
+    name: blackbox-exporter
     state: started
   tags:
   - service

roles/blackbox-exporter/tasks/install.yml

@@ -1,55 +1,4 @@
-- name: load installation variables
-  include_vars: install.yml
-  tags:
-  - always
-
-- name: load architecture variables
-  include_vars: '{{ item }}'
-  with_first_found:
-  - '{{ ansible_architecture }}.yml'
-  - arch-defaults.yml
-  tags:
-  - always
-
-- name: ensure blackbox_exporter release archive is available
-  delegate_to: localhost
-  become: false
-  get_url:
-    url: '{{ blackbox_xptr_tar_url }}'
-    checksum: 'sha256:{{ blackbox_xptr_cksm_url }}'
-    dest: '{{ playbook_dir }}/tmp/{{ blackbox_xptr_tar_name }}'
-  tags:
-  - download
-
-- name: ensure blackbox_exporter archive is unpacked locally
-  delegate_to: localhost
-  become: false
-  unarchive:
-    src: '{{ playbook_dir }}/tmp/{{ blackbox_xptr_tar_name }}'
-    dest: '{{ playbook_dir }}/tmp/'
-    remote_src: true
-    creates: '{{ blackbox_xptr_extract_dir }}/blackbox_exporter'
-  tags:
-  - unarchive
-
-- name: ensure blackbox_exporter is installed
-  copy:
-    src: '{{ blackbox_xptr_extract_dir }}/blackbox_exporter'
-    dest: /usr/local/sbin/blackbox_exporter
-    mode: u=rwx,go=rx
-  diff: false
-  notify:
-  - restart blackbox_exporter
-
-- name: ensure blackbox_exporter systemd unit is installed
-  file:
-    src: blackbox_exporter.service
-    dest: /etc/systemd/system/blackbox_exporter.services
-    mode: u=rw,go=r
-  notify:
-  - reload systemd
-  - restart blackbox_exporter
-  tags:
-  - service
-  - systemd
-
+- name: ensure podman is installed
+  package:
+    name: podman
+    state: present

roles/blackbox-exporter/templates/blackbox-exporter.container.j2

@@ -0,0 +1,22 @@
+[Unit]
+Description=Blackbox exporter
+Documentation=https://github.com/prometheus/blackbox_exporter/blob/master/README.md
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image={{ blackbox_container_image }}
+Pull=never
+Exec=--config.file=/etc/prometheus/blackbox.yml
+Mount=type=bind,source=/etc/prometheus,target=/etc/prometheus,readonly=true
+ReadOnly=yes
+ReadOnlyTmpfs=yes
+NoNewPrivileges=yes
+User=215
+Group=215
+PublishPort=9115:9115
+
+[Service]
+Restart=always
+RestartSec=1s
+ExecReload=/usr/bin/podman kill --cidfile=%t/%N.cid -s HUP

roles/blackbox-exporter/vars/install.yml

@@ -1,14 +0,0 @@
-blackbox_xptr_version: 0.22.0
-
-blackbox_xptr_base_url:
-  https://github.com/prometheus/blackbox_exporter/releases/download
-blackbox_xptr_archive:
-  blackbox_exporter-{{ blackbox_xptr_version }}.linux-{{ blackbox_xptr_arch }}
-blackbox_xptr_tar_name: >-
-  {{ blackbox_xptr_archive }}.tar.gz
-blackbox_xptr_tar_url: >-
-  {{ blackbox_xptr_base_url }}/v{{ blackbox_xptr_version }}/{{ blackbox_xptr_tar_name }}
-blackbox_xptr_cksm_url: >-
-  {{ blackbox_xptr_base_url }}/v{{ blackbox_xptr_version }}/sha256sums.txt
-blackbox_xptr_extract_dir: >-
-  {{ playbook_dir }}/tmp/{{ blackbox_xptr_archive }}