Currently, the file /etc/systemd/resolved.conf.d/openstack-ansible.conf has
an incorrect format and is being ignored:
```
systemd-resolved[740]:
/etc/systemd/resolved.conf.d/openstack-ansible.conf:2:
Missing '=', ignoring line.
```
Change-Id: I23529b0dd032cbb6ba59acc3d3b668c06847da08
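A drop-in with this kind of defect can be caught before deployment. The following is an added example, not code from the commit or the role: a small linter for systemd-style drop-ins that reports lines which cannot be applied, such as a line missing '='. The sample file contents and the function name `lint_dropin` are constructed for illustration.

```python
import re

SECTION_RE = re.compile(r"^\[[^\[\]]+\]$")

# Constructed samples: line 2 of BROKEN lacks '=' and would not be applied.
BROKEN = "[Resolve]\nDNS 10.0.3.1\nCache=no\n"
FIXED = "[Resolve]\nDNS=10.0.3.1\nCache=no\n"


def lint_dropin(text):
    """Return (line_number, problem) pairs for lines that cannot be applied."""
    problems = []
    section = None
    pending = ""   # text collected from backslash-continued lines
    start = 0      # line number where the current logical line began
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line[:1] in ("#", ";"):      # comment lines are skipped
            continue
        if not pending:
            if not line:                # blank line between entries
                continue
            start = lineno
        if line.endswith("\\"):         # continuation: keep collecting
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if SECTION_RE.match(line):
            section = line[1:-1]
        elif "=" not in line:
            problems.append((start, "missing '='"))
        elif section is None:
            problems.append((start, "assignment outside of a section"))
        elif not line.split("=", 1)[0].strip():
            problems.append((start, "empty key"))
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_dropin(text))
```

Running such a check against rendered templates in CI surfaces a silently ignored DNS setting before the host falls back to whatever resolver it had.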
This has not had any practical use for several releases and mostly
carries copies of ansible facts. Remove the variable and use the
facts directly.
Change-Id: I1d2be9d07b38eaf2b737819c451a0d2339f723d0
Rather than edit resolv.conf, use the recommended method of
operation for systemd-resolved and configure the dns server
through a resolved drop-in.
Change-Id: I1b08a45ccced87ecd200f3e7294165e922df39ff
We also leverage systemd-networkd for managing lxc-net and replace
the use of a custom service template for the lxc-dnsmasq service with our
systemd-service role. These changes are quite tightly tied together, so
it's quite hard to split them into different patchsets.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/861350
Change-Id: I5ac99e2b6c6e6ccd9da18ae68e1f8801f95f4f4e
aria2c and systemd-proxy templates exist but they are not referenced
and used by playbooks nowadays. Thus, we can safely remove them.
Change-Id: I5223138aa7e50c92531076fe7764f204bfec3e24
Inside a chroot, phased updates are disabled [1]. This means that
the container base image always gets the latest packages regardless
of what is happening with the phasing.
At runtime, the default in Ubuntu releases 21.04 and onward is to
obey the package phasing information. This means that packages
inside the OSA built container image can be newer than the installation
candidates once the container is running, leading to installation
errors. This is particularly sensitive with source packages such as
systemd where there is a very tight version coupling between
all components leading to only one valid installation candidate.
This patch creates apt config inside the container base image to
always install the latest package version regardless of phasing.
There does not seem to be any alternative, as phasing is always
disabled during the debootstrap.
[1] https://discourse.ubuntu.com/t/phased-updates-in-apt-in-21-04/20345
Change-Id: Ia558e3aa1447220016c53349cf9dac0b822d06f4
Remove installation of aria2 everywhere as we no longer download
lxc images but build them locally.
Change-Id: I5eba0b1f08cfe23998cf1116bb017e8a8ef0bb72
The NFV repo is supposed to be installed using system packages, as it should
also contain the nfvsigdist variable for yum.
So to avoid issues with yum update at this step, we drop the repo that was
copied from the host.
As an alternative approach, we can drop copying yum.repos.d altogether, but this
can lead to unexpected results.
Change-Id: Ia5041c7d855a9e988afc4c2a0d16fdeb6a9c357f
This is needed to ensure that systemd-tmpfiles-setup service
is present, which is used to create /dev/fuse in centos containers
in other parts of the osa-gluster patch series.
Change-Id: I6a6401debad4937eb9f6a5be31c8cee42d7035cd
debian buster changed from stable to oldstable, without this change
apt-get update fails to run on old systems.
Change-Id: I6527d2c0c361c03cbb6fc43aa3a03896894fb8e1
This change uses dnf to build the container image for Centos-8
using dnf locally rather than rely on an external image that is
downloaded and unpacked.
The existing image prestage commands are made conditional, and
an operating system specific command can be provided via role
variables to build a chroot in /var/lib/machines.
During the transition from Centos-8 to Centos-8-Stream, the
vars files are separated, with vars/redhat.yml covering Stream,
and vars/centos-8.3.yml covering legacy Centos-8.
In addition, the systemd-logind service is masked from the base
image. This is masked in the previously downloaded container base
image, so we ensure that the same is done for locally built chroots.
Depends-On: I31880ca995735b737d33532eaa4c29be02523117
Depends-On: I74f02669b013b8580d3469a8ffe214d88cd0f525
Change-Id: I1ddfe36259610b25e86b69d64d1d7f32a56c0e4d
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS specific variables files are generalised where possible.
Change-Id: I79f68c467d48b9b50143fd3a11e176f91804e805
Openstack-Ansible does not maintain support for deploying on gentoo
so we can simplify this ansible role
Change-Id: If2a63a2743714745e0f0b0eea2ee3d5b8d4c9a35
Openstack-ansible does not support Centos-7 beyond Ussuri so drop
support for Victoria.
Depends-On: https://review.opendev.org/742103
Change-Id: I395e0f7b1d362240e67a86fa4545a8be64f3053c
Centos-7 uses tasks/lxc_install_yum.yml so we can put all of the
Centos-8 setup exclusively in tasks/lxc_install_dnf.yml which
means there are few conditional setup tasks needed.
Add cache prep and lxc host vars files for rhel-8 variants.
This patch takes the systemd-networkd package from EPEL and installs
it into the LXC image, so that the existing lxc_container_create
role can set up the container networking in the same manner as the
other supported operating systems.
Depends-On: https://review.opendev.org/738913
Change-Id: If57de332945291d139d54e9aed5d782a69a71d97
machinectl is only used to store the image during
initial cache preparation and is unrelated to the
backing store used by LXC.
This patch removes the use of machinectl and btrfs
which makes the lxc_hosts role portable to centos-8
which does not have btrfs
Change-Id: Ib03ea09fa5b4d4b6b3d5ca38a0a6c5cf67eb1df4
We still require py2 and the lxc library on the host for bionic as
the bionic CI image still has python2 at /usr/bin/python and ansible
interpreter discovery picks that when targeting localhost.
Change-Id: Ie94afc5a3c794b1c2be266b6642bc9c74b533287
20listchanges has apt call apt-listchanges
apt-listchanges is not in the base container so we get a failure
Change-Id: I4b74670edd7b4ae9710dbb39deb82c0775a1ff66
Closes-Bug: #1839535
Debian ships a mariadb version which conflicts with the packages
installed by the galera_server role, so ensure these are absent from the
lxc base image.
Change-Id: Ic903de777d3d28962885fe4b73a3bf61a8d196f6
The Open Build Service repository for the Leap 15.0 LXC image returns
a metalink which causes aria2c to download 2 files. The first is an
empty file (the metalink) and the second is the actual LXC image. The
name of the second file changes frequently.
This change uses the `--on-download-complete` callback of aria2c to
call a helper script which links the expected filename to the actual
filename.
Change-Id: I9a2bc7ded20f772af82956a81a9864c7ee17039c
Signed-off-by: Nicolas Bock <nicolas.bock@suse.com>
Previously psmisc was not installed by default, causing
the killall in the lxc-dnsmasq systemd unit file to
silently fail if killall wasn't found. This prevented
running instances of dnsmasq from being torn down when
restarting the service.
This would exhibit as a problem during upgrades as
the older dnsmasq service would be running and the
new service would be unable to take over the port.
This would cause lxc containers to lose connectivity.
This commit switches to using pkill and ensures procps
is always installed by default.
Change-Id: I4fa838706f1163fd68ff68258bfc66cbf13bad94
This patch adds support for this role to be able to deploy on
Debian Stretch.
Change-Id: I865df7f5ff2b7022ec0922773b2a945ec7aff7f4
Needed-By: I135ea73604890eae5e9e2a7cdcab81b2b39ad426
This change allows containers to mount and remount volumes as needed.
Before this change, when users had a mounted volume within a container,
like in the case of services using NFS or RBD, it was not possible to
remount a volume within the container runtime. While a user could
unmount and mount a volume or restart a container, these actions
result in service interruption, whereas a remount would simply
reload the mounted volume without service interruption.
Change-Id: Iff588cad451320167b92f2d79e4693a1037be966
Closes-Bug: #1814200
Signed-off-by: cloudnull <kevin@cloudnull.com>
Increase container shutdown delay before force-killing to avoid db
corruption after controller reboots
Parameterize SHUTDOWNDELAY envvar as lxc_container_shutdown_delay
with default value 60 seconds
Rename lxc.default.j2 template to lxc-net.default.j2 to align with
destination config file name lxc-net
Add new lxc.default.j2 template to use the lxc_container_shutdown_delay
variable and allow user-defined value
Related-Bug: 1806696
Change-Id: I1d3b7990e462140fdb402883f8d25422eafca66b
The LXC cache prep is timing out regularly so use eatmydata to minimise
pressure on the filesystem during package installation.
dpkg calls fsync for each file installed from each package which can
result in very poor performance on some filesystems. This patch gives
around a 4x improvement in "slow" gate runs, and 2x on esxi hdd storage.
Change-Id: I1cc33a7647445cd2302e6ea6b9d78005262ebfa3
Previously, only the v1 of the cgroup fs was being allowed by AppArmor
and this was causing problems like the following one:
```
audit: type=1400 audit(1540571957.300:196): apparmor="DENIED"
operation="mount" info="failed type match" error=-13
profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/"
pid=26738 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw,
nosuid, nodev, noexec"
```
Change-Id: I7f6ac8af0bc1c7d9844ee0c3505b65894d3b7aa1
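Denials like the one quoted above can be summarised from the audit log to see which filesystem types a container profile does not permit. This is an added example, not code from the commit or the role: it parses the audit record from the message (rejoined onto one line) plus one constructed record, and counts AppArmor mount denials per profile and fstype. The function names are chosen for illustration.

```python
import re
from collections import Counter

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE = [
    # Record from the commit message above, rejoined onto a single line.
    'audit: type=1400 audit(1540571957.300:196): apparmor="DENIED" '
    'operation="mount" info="failed type match" error=-13 '
    'profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" '
    'pid=26738 comm="systemd" fstype="cgroup2" srcname="cgroup" '
    'flags="rw, nosuid, nodev, noexec"',
    # Constructed record: a denial that is not a mount, so it is not counted.
    'audit: type=1400 audit(1540571960.100:197): apparmor="DENIED" '
    'operation="open" profile="lxc-container-default-cgns" '
    'name="/proc/sysrq-trigger" pid=26790 comm="cat" '
    'requested_mask="w" denied_mask="w"',
]


def parse_audit(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def mount_denials(lines):
    """Count AppArmor mount denials per (profile, fstype)."""
    counts = Counter()
    for line in lines:
        rec = parse_audit(line)
        if rec.get("apparmor") == "DENIED" and rec.get("operation") == "mount":
            counts[(rec.get("profile"), rec.get("fstype"))] += 1
    return counts


if __name__ == "__main__":
    for (profile, fstype), n in mount_denials(SAMPLE).items():
        print(f"{profile}: {n} denied mount(s) of fstype {fstype}")
```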
The 'apt-get upgrade' does not set confdef and confold currently, so an
upgrade which requires user input can break the cache build[1].
[1] http://paste.openstack.org/raw/733076/
Change-Id: Ic6689387a28539b7eb341d55a9db08f078e8e975
The default variable for different configuration keys between lxc 2 and
3 was being shared between lxc-hosts and lxc-container-create roles but
the functionality of the option is slightly different between the roles.
This change modifies the option to reduce confusion and ensures that if
the option is overridden it doesn't cause silent failures.
Change-Id: I3007843e99585ac96e499c2b1028bf3f92dd165b
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
The lxc backend store configuration option is deprecated in lxc3. This
change ensures that the option is no longer rendered in the lxc template
when the version of lxc is greater than or equal to version 3.
Change-Id: I207ed1f89604979e74667ae4c603d36304a6ed53
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
The fstab and rootfs options have slightly changed in lxc3; this change
updates our templates to ensure we're using the correct option for the
LXC version found on disk.
Change-Id: Ib1c563db70f3ddbeb3a65c55e0917777b27fd41f
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
The machinectl template was running with the legacy uts name option.
This change updates that option so that it uses the hash and major
version to update the config variable.
Change-Id: I85b5c92422116b139e447330214b2d6b5afbf948
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
In https://review.openstack.org/588962 the implementation
of the apt key store copy into the container was changed
for bionic, but left alone for xenial. This patch makes
the approach uniform across both distributions.
Change-Id: I79f49fd02be3bbee5f22cdde000b19578167e3ca