For consistency reasons we try to leverage our systemd_service role as
much as we can. Instead of maintaining separate systemd unit templates
the role can be leveraged for the same purposes and reduce complexity in
this role.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/865952
Change-Id: I59e6504240eafdb5f0d010ff8a051078e25b1281

For consistency reasons, instead of placing a template for
systemd-networkd, it is better to use the systemd_networkd role, which has
been present for a while.
Change-Id: I1e9deaa2892a8fa7eb171acaf75441d7efeac297

The main problem this commit is resolving is that with openvswitch,
the ports were not getting cleaned up, and after a restart (a hard restart,
or even a soft restart where lxc.service times out) containers couldn't
start properly due to the existing port on the bridges.
Change-Id: I707dbfc6878095f7593abe3fca3a5e5b310063e5
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/837742

You could perhaps have something that overrides a container network
like this:
---
container_extra_networks:
  dns_address:
    ...
    dhcp_use_dns: false
and it would take precedence over lxc_container_enable_resolved.
Also, the documentation says UseDNS takes true/false:
https://www.freedesktop.org/software/systemd/man/systemd.network.html#UseDNS=
Change-Id: I91f25eaf0782a6b4febfc95d9ee7c33f1f965224

You could perhaps have a group_vars/designate_all.yml looking like
this:
---
lxc_container_networks:
  lxcbr0_address:
    ...
    dhcp_use_routes: false
Change-Id: Id61fdb5a3b52a01a49242fc01cc01bf2dede09af

The removal of support for CentOS 7 means that it is no longer necessary
to maintain compatibility with LXC2 configuration keys. This patch removes
the code which substitutes LXC3 keys for LXC2 keys.
Depends-On: https://review.opendev.org/742166
Depends-On: https://review.opendev.org/742103
Change-Id: I2911a20a3391e880df80f41eed5c9a8d5e36c2f4

Required to support Gentoo is the ability to bind mount a new shared
directory. In order to support this, _lxc_container_bind_mounts has
been created for use in per-distro variables. For Gentoo the new bind
mounts allow the sharing of package data, shrinking both the container
size and the time needed to install packages.
Also needed was the creation of the `sysctl_path` variable, as Gentoo
installs sysctl to an alternate location.
Change-Id: I8c20631aff9ee30289ef2f7f862ba0d4e1bb4569

This patch updates the container interface template to disable DHCP routes,
including the default route through eth0/lxcbr0, when a gateway address override
is set.
Change-Id: I3ec0b8ddc68fc30aff40e80face9e3a6b1ffd4bc
Partial-Bug: #1810319
Depends-On: https://review.openstack.org/629309

This is useful if SR-IOV is used, and it's possible to
supply every container with its own interface.
It is especially useful if InfiniBand is used (for example, for ceph),
as it cannot be added into a bridge.
openstack-user-config should be modified in this way for every service
within the affected network:
- network:
    container_bridge: "ib5"
    container_type: "phys"
    container_interface: "ib5"
    ip_from_q: "storage"
    type: "raw"
    group_binds:
      - cinder_volume
Change-Id: I299aa3fb26f5278d2c86bb18c5df5abddcf0ff65

Change Source into Destination so that the defined static route applies to
the right CIDR and not 0.0.0.0.
Change-Id: Id51ece1c72474de07dbf6cf740ecf4f93b2d1adf
Closes-Bug: #1777251

Now that bionic testing is added into the tests repos, we can
start testing it in the repo.
Since bionic uses lxc >= 3, we need to make some adjustments to the role
to allow the role to work with both lxc > 3 and lxc < 3. There were
several config option changes which will impact upgradeability.
LXC >= 3 requires networks to have an index; we can achieve this by
taking the network dict and converting it to a list, and using those to
generate the id with "with_indexed_items".
Depends-On: https://review.openstack.org/#/c/566959/
Depends-On: https://review.openstack.org/#/c/567038/
Change-Id: Ib80c2ed2a01a4a6a8c48aed9bdf9a50e45ea9564
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

Patch I0d83fd4895d4c5beaf5a84a239c1a1ed71521dee dropped the ARP=yes
option for networkd because it's not supported by old systemd releases.
This however brings back a problem where the kernel's default arp_notify
sysctl option may not be set correctly for our use case.
Containers are created with random MAC addresses, so we need to ensure
that ARP entries are populated correctly when a container is restarted.
Instead of having to implement some sort of new workaround on the host,
it's probably better to create all containers with fixed MAC addresses from
now on.
Change-Id: I8ad390fc3ce27756f26c57c92aaa3adc8e506a17

The ARP option has been added in systemd-232. As such, current stable
distributions may not support it, so drop the option and let the kernel
decide what to do with ARP. Fixes the following warning:
[/etc/systemd/network/eth0.network:14] Unknown lvalue 'ARP' in section 'Link'
Link: https://github.com/systemd/systemd/pull/3854
Link: 99d2baa2ca
Depends-On: I14f8373897da28dea2ea03500c2be46c5b40d51c
Change-Id: I0d83fd4895d4c5beaf5a84a239c1a1ed71521dee

The UseDNS option requires the systemd-resolved service, so set this
option based on the lxc_container_enable_resolved variable.
Change-Id: I5b7c3f01534f5ccbaf76aced673aefc6ec7fcf6e

When using a static route we need to set a route metric to ensure the
priority of the routes being passed in. This change ensures we maintain
our expected interface and functionality should any static routes be
passed into the container.
Before the implementation of networkd, EIN would amend the main table
with the defined routes in the order they were written. However,
systemd-networkd inserts the defined routes at the top of the default
table, which can cause confusion and conflict. This change simply adds
a route metric to all defined routes and increments the metric integer
based on the list index, which explicitly ensures all defined routes
are prioritized in the order in which they were written.
Change-Id: I13768580fbd926033fde4a74cbbf90b9eda24658
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

Unify container network interfaces using systemd-networkd for Ubuntu,
CentOS, and openSUSE. This change allows the role to use a single way to
configure container networks.
Care has been taken to ensure we're able to cleanly upgrade to the new
capabilities within existing environments without breaking any feature
compatibility or causing any container restarts.
It's also worth noting that all of the pre/post networking up/down
script options have been converted to systemd "oneshot" services. This
retains the ability to run ad hoc scripts post network availability
while also opening up this capability, which used to be Ubuntu only,
to all of our supported operating systems.
> Our usage of `lxc-attach` was removed in favor of `nsenter` to fix an
issue where multiple `lxc-attach` commands issued to a single physical
host could result in a hang.
> Scripts that were being generated inline have been placed into
template files. This solves a long standing memory consumption issue
when creating lots of containers. The old shell tasks will now be
executed from a generated script. While this should also help with
debugging, the main driver is to ensure better system stability.
> A lot of cleanup has been done throughout the task files and
templates. In the process of updating the role to use unified
networking, a lot of duplicate tasks, scripts, and processes have been
consolidated.
> Handlers have been added for network connection wait conditions and
to various service restarts.
> The OSA plugins have been added to this role as a dependency. We
rely on the connection plugins throughout the stack; however, we were
doing a lot of workarounds to cater to the possibility of a deployer
running this role without them. This change simply adds the plugins
as a known dependency, which allows for a more streamlined setup.
Change-Id: I5d3ddcfa11d575648a69a04f2fb30236c2c89da3
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

Some sysctls can be applied to containers, so we add a test
to prove our containers can do it.
Change-Id: I40e2f0af00d6d763efcbb07306791d3cd3feff0d
Fixes-Bug: #1685677

iteritems is a py2 callable and will break when using py3.
Change-Id: I1448f8d0909cefb54ea23460a91029100f5a76ff
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

There is no DHCP server running for that interface, so we get errors
when no static IP is defined since wicked fails to obtain a lease for
this interface. We should either define a static IP if available or
leave it unconfigured. This is also in line with the ifcfg(5) manpage
suggestion to use BOOTPROTO=static without any IP configuration if
we just want to bring an interface up but without any further
configuration.
Change-Id: I4c1189def8fe21386d02e9ba9ddebbd8c44b55c7

This change allows for caching of the MAC addresses between runs by
using local facts on the physical host. This saves calculation time
after the first run, since the facts are effectively cached.
This also means any containers that rely on having stable MAC addresses
(such as neutron agents or rabbitmq) can be recreated with the same MAC
address if the container is destroyed. It will *not* be retained if
destroyed and removed from inventory, however, since the facts rely on
using the exact same hostname.
Change-Id: Id3d13299c1416cc4862437629b32f4309c2dc595

Add support for SUSE based distributions. We also update the bindep.txt,
run_tests.sh, tests-repo-clone.sh and Vagrantfile files from the
openstack-ansible-tests repository.
Change-Id: I9ac018ac1a94dac74a2ef213dccedf95b4272134

The veth_pair name was partially configurable; however, eth0's
veth pair naming scheme was hard coded.
This change accomplishes:
- veth pair prefix templating is now consistent across all interfaces
  generated by the role.
- no change is made to the default configuration of veth pair naming;
  it only allows more reusability of the role by allowing the veth
  pair naming to be configured by the role's consumers.
- eth0 veth pair naming scheme can be configured just as other
  interfaces could be before.
Change-Id: I47004126cab85043f623aee8262151d3b53238e9

Currently the entire environment file is replaced,
which may remove any existing configuration on the
hosts including any pre-existing proxy configurations
and anything else the deployer may have put there.
This method replaces it with an additive process which
respects pre-existing content, but still allows the
global_environment_variables variable changes to be
fully reflected in the resulting environment file.
As the PATH setting in the previous template was
the default path which will already be present in
the container, that has been removed from the template.
Change-Id: I930f1711fbd56d2c97e8c80bd990350fa0c7ba73

Add the ability to append pre-up, post-up, pre-down, and post-down script
entries to the container_networks dict that are dropped along with the OSA
default configurations when templating the container's interface config files.
The keys preup, postup, predown, and postdown will be appended to the OSA
lxc_container_default_{pre,post}{up/down} lists when dropping the interface
config.
Change-Id: Idf15ec17bac03b55638fb8d862e5445093677f23

This change resolves a long standing issue where a container's mac
address regenerates when it is restarted. In most cases when a
container is restarted its mac address is rotated and nothing bad
happens; mac learning will resolve itself given enough time in just
about all situations. However, services like neutron-agents are long
lived and are highly sensitive to network changes. These types of
services expect consistent hardware addressing and may become confused
when mac addresses rotate.
To limit the possibility of prolonged downtime caused by mac address
rotation on network sensitive containers, an option has been created to
allow a container to have a fixed mac address. If this option is enabled
the container will generate fixed addresses for all networks associated
with the specific container. The option is `lxc_container_fixed_mac` and
it has a default value of "false".
Change-Id: Ie1a8dc172c45fc2b4cfa724a2bafa67cb481ba73
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
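One way to derive the kind of fixed, per-container, per-network MAC addresses described above, shown here as an added example (it is not the role's own generation method): hash the container hostname together with the network name and force the locally administered and unicast bits, so the address is stable across restarts and never collides with a vendor-assigned OUI. The container and network names below are constructed sample values.

```python
import hashlib


def fixed_mac(container_name: str, network_name: str) -> str:
    """Derive a deterministic, locally administered unicast MAC address.

    The same (container, network) pair always yields the same address, which
    is what long-lived, network-sensitive services such as neutron agents
    need across container restarts. Renaming the container changes the
    result, mirroring the "same hostname" caveat of fact-based caching.
    This is an illustrative derivation, not the role's own method.
    """
    digest = hashlib.sha256(f"{container_name}/{network_name}".encode()).digest()
    octets = bytearray(digest[:6])
    # Bit 0 of the first octet is the I/G (multicast) bit: clear it, because a
    # host interface must carry a unicast address. Bit 1 is the U/L (locally
    # administered) bit: set it so the address is outside any vendor OUI space.
    octets[0] = (octets[0] & 0xFE) | 0x02
    return ":".join(f"{b:02x}" for b in octets)


def is_valid_fixed_mac(mac: str) -> bool:
    """Check that a MAC string is well formed, unicast and locally administered."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        return False
    try:
        first = int(parts[0], 16)
    except ValueError:
        return False
    return (first & 0x01) == 0 and (first & 0x02) != 0


# Constructed sample inventory: container hostnames and the networks they join.
SAMPLE_CONTAINERS = {
    "infra1_neutron_agents_container-4f2a3b1c": ["eth0", "eth1", "eth10"],
    "infra1_rabbit_mq_container-9c8d7e6f": ["eth0", "eth1"],
}


def fixed_macs_for(inventory: dict) -> dict:
    """Return {container: {network: mac}} for every network of every container."""
    return {c: {n: fixed_mac(c, n) for n in nets} for c, nets in inventory.items()}


if __name__ == "__main__":
    for container, macs in fixed_macs_for(SAMPLE_CONTAINERS).items():
        print(container)
        for net, mac in macs.items():
            print(f"  {net}: {mac}")
```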

veth-cleanup template is broken if container_networks is not defined,
i.e., if I have a container with the eth0/LXC base NAT network only.
Change-Id: I19663e0a32466c54b1b6ba9fadf243aed8055b7e

When creating many containers on a single contended host, the execution
of many delegated tasks in parallel results in failure. This patch
consolidates the container prep and networking tasks leveraging the
lxc-rootfs pid path on the physical host instead of relying on delegation.
Change-Id: I0823e34286a0857b539a94604dbe9cdeb8a605f0
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

A veth pair on a Linux system can only have 15 characters in
its name. This PR ensures that the built veth pair is templated
and string spliced such that it can ONLY be a maximum of 15
characters long.
Change-Id: Ibe78679b9364b41cb68ec42599a906b3f1552e41
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

Since overlayfs is now part of the mainstream kernel, it makes sense
to take advantage of it to speed up the container creation process.
This patch implements the ability to set 'overlayfs' as the backing
store for containers. This is an optional feature which must
explicitly be set by the deployer.
As this only works with Ansible > 2.0, a prerequisite check has been
implemented to protect against its use with prior versions. The
inventory and key prep playbook have been adjusted to work with
Ansible versions <2 and >2.
The logging for the veth cleanup has been removed as overlayfs
containers do not have access to the /dev/log device. This causes
the container setup to be incomplete.
Depends-On: I20123b83af10c0890f4d5945b9fb230acd664213
Change-Id: If5b11ef6d94fe863a75efd174957ad43b9d2e030

The existing lineinfile implementation is buggy when changing and removing
entries from the global_environment_variables dict.
Significant refactoring of the role tests was necessary in order
to get usable testing on the change as well as to resolve a few
problems with the previous implementation of the role testing.
Partial-Bug: #1573131
Change-Id: I401763d277d179249973545e873796f9dd54049b

Update the lxc template files to properly default to 'veth' when the
container_type is undefined within a user's deployment configuration.
Change-Id: I5c8b1e10e91660fccc743c430f49133615e60060

The lxc_container_create role creates containers specified via an inventory.
Multiple network interfaces can be added to a container during creation. These
interfaces are provided by the task 'LXC host config for container networks' in
openstack-ansible-lxc_container_create/tasks/container_create.yml
The task 'LXC host config for container networks' utilizes a template file,
openstack-ansible-lxc_container_create/templates/container-interface.ini.j2
The configuration for a specified interface is created using this template.
The template currently offers the ability to modify the value 'lxc.network.type',
which defaults to type 'veth' if no value is supplied.
Supplying a value other than 'veth' is currently valid for this template.
However, the creation of a veth pair device is hard coded into the template
whether or not 'lxc.network.type' resolves to a value other than 'veth'.
This creates two unwanted side effects:
First, a veth pair that is not being utilized by the corresponding container is
created. We should not create a veth pair if it will not be used.
Secondly, if the value of the variable 'lxc.network.link' defined in the same
template file is something other than a bridge, the unwanted veth creation will
fail, resulting in a container that will not start.
Additionally, if the corresponding veth pair is not created, then the template
openstack-ansible-lxc_container_create/templates/veth-cleanup.sh.j2 should be
modified to filter out interfaces that are not of type 'veth'.
This change implements interface type detection in the template files
veth-cleanup.sh.j2 and container-interface.ini.j2 to prevent creation of
unwanted veth interfaces and their associated cleanup.
Change-Id: I1c0a26d07e8de0ca862d21ea7b49e02ae447f83a
Closes-Bug: #1531935

Currently, deployers can override MTUs on a per-network basis,
but may be looking for a way to define the mtu globally.
This implements a variable named ``lxc_container_default_mtu``
that currently defaults to 1500 (standard value). If this variable
is set, it will globally override the mtu, while still keeping the
per-network override.
Change-Id: Ia7e4f9e929f513ddc09e6de9467ec6ff765e2e6f
Closes-Bug: #1518311

This change moves the lxc_container_create role out of the main repo
and into its own standalone repository.
Items within this change:
* The role has been updated to ensure it runs standalone.
* Tests added to the role within tox.
* Functional tests added to the role that can either be run
  via the run_tests.sh script or using tox.
* dev requirements have been updated for testing use cases.
* Docs added to both the README.rst file as well as the docs
  folder.
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>