From 465ef2c09fbd7fd1bc93ad3780a222912a6f1b66 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Sun, 10 Jun 2018 14:11:04 -0500
Subject: [PATCH] Cleanup mounts in containers
Cleanup mount docs, remove redundant config, and set the default backup mount. These change bring nspawn inline with our LXC capabilities. To ensure the LXC and nspawn capabilities are on level footing, the read only bind mount was removed.
Change-Id: I62e2c4ed2b3c7af879e58fca1b22c7dda93fc518
Signed-off-by: Kevin Carter
---
defaults/main.yml | 19 ++++++++++++++-----
tasks/main.yml | 1 -
templates/container_config.nspawn.j2 | 2 +-
templates/container_config_old.nspawn.j2 | 2 +-
vars/redhat-7.yml | 14 --------------
vars/suse-42.yml | 14 --------------
vars/ubuntu-16.04.yml | 14 --------------
vars/ubuntu-18.04.yml | 14 --------------
8 files changed, 16 insertions(+), 64 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 11dda63..285862a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -33,7 +33,10 @@ nspawn_read_only_host_bindmount: "{{ _nspawn_read_only_host_bindmount | default(
# bind mount. If any of these items are passed into the container.
# nspawn_shared_host_bindmount:
# - /etc/apt
-nspawn_shared_host_bindmount: "{{ _nspawn_shared_host_bindmount | default([]) }}"
+nspawn_shared_host_bindmount:
- /etc/localtime
- /root
- /opt
# Defined CPU architecture map
nspawn_architecture_mapping:
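Review bot: Bind-mounting the host's `/root` and `/opt` into every container, as the new `nspawn_shared_host_bindmount` default does, is a read-write share — this list feeds the `Bind={{ bind }}:{{ bind }}` line in container_config.nspawn.j2, while `BindReadOnly=` is reserved for the separate read-only list — so a process that obtains root inside any container can write the host root account's `~/.ssh/authorized_keys` or shell rc files. The per-distro vars removed in this patch carried the same three entries, but making them the unconditional role default for all platforms deserves a warning next to the value rather than the generic "shared bind mount" comment above it: `# NOTE: these paths are shared read-write with the host; /root in particular lets a compromised container write the host root account's home. Override this list if host-root sharing is not required.` If only the clock is wanted in the container, `/etc/localtime` can go through the read-only list instead.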
@@ -84,12 +87,18 @@ container_image: "{{ nspawn_map['distro'] }}-{{ nspawn_map['release'] }}-{{ nspa
container_domain: "openstack.local"
# Container Default bind mounts. This option will be merged with the container
-# bind mounts. This option takes a list of files on a host that will be mounted
-# at the exact same path within the container.
-container_default_bind_mounts: []
+# bind mounts. This option takes a list of files with `mount_path` defining the
+# path on the host and `bind_dir_path` which defines the intra-container path
+# and is relative, it assumes that it starts with a "/".
+container_default_bind_mounts:
- mount_path: "/openstack/backup/{{ inventory_hostname }}"
bind_dir_path: "var/backup"
# Container bind mounts. This option takes a list of files on a host that will
-# be mounted at the exact same path within the container.
+# be mounted at the exact same path within the container. This option takes a
+# list of files with `mount_path` defining the path on the host and
+# `bind_dir_path` which defines the intra-container path which is a relative
+# and starts at "/".
container_bind_mounts: []
# option used to specific specific container config values which will be
diff --git a/tasks/main.yml b/tasks/main.yml
index e85f8b5..24d884d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -353,7 +353,6 @@
name: systemd_networkd
private: true
vars:
- systemd_interface_cleanup: true
systemd_run_networkd: true
systemd_resolved_available: "{{ nspawn_container_enable_resolved }}"
systemd_resolved:
diff --git a/templates/container_config.nspawn.j2 b/templates/container_config.nspawn.j2
index e57502b..1fb7901 100644
--- a/templates/container_config.nspawn.j2
+++ b/templates/container_config.nspawn.j2
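Review bot: The new `container_default_bind_mounts` entry maps `/openstack/backup/{{ inventory_hostname }}` to `var/backup`, yet both templates still carry the hard-coded `Bind=/openstack/backup/{{ inventory_hostname }}:/var/backup` line directly above the loop that renders this list (visible as context in the template hunks), so the backup directory is now declared twice with the same source and destination. Given the commit's stated aim of removing redundant config, either that hard-coded line or this default should go. The comment wording `and is relative, it assumes that it starts with a "/"` contradicts itself; I would write `# \`bind_dir_path\` is the destination inside the container, given without its leading "/" (the template prepends one).` The `container_bind_mounts` comment has the same contradiction and additionally keeps the old "mounted at the exact same path" sentence, which this patch makes untrue for that option.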
@@ -16,7 +16,7 @@ BindReadOnly={{ ro_bind.source }}:{{ ro_bind.dest }}
Bind=/openstack/backup/{{ inventory_hostname }}:/var/backup
Bind=/openstack/log/{{ inventory_hostname }}:/var/log
{% for bind in container_default_bind_mounts | union(container_bind_mounts | default([])) %}
-Bind={{ bind.mount_path }}:{{ bind.bind_dir_path }}
+Bind={{ bind.mount_path }}:/{{ bind.bind_dir_path }}
{% endfor %}
{% for bind in nspawn_shared_host_bindmount %}
Bind={{ bind }}:{{ bind }}
diff --git a/templates/container_config_old.nspawn.j2 b/templates/container_config_old.nspawn.j2
index 253fa12..c31a605 100644
--- a/templates/container_config_old.nspawn.j2
+++ b/templates/container_config_old.nspawn.j2
@@ -7,7 +7,7 @@
{% set _ = cli_switches.append('--bind=/openstack/backup/' + inventory_hostname + ':/var/backup') %}
{% set _ = cli_switches.append('--bind=/openstack/log/' + inventory_hostname + ':/var/log') %}
{% for bind in container_default_bind_mounts | union(container_bind_mounts | default([])) %}
-{% set _ = cli_switches.append('--bind=' + bind.mount_path + ':' + bind.bind_dir_path) %}
+{% set _ = cli_switches.append('--bind=' + bind.mount_path + ':/' + bind.bind_dir_path) %}
{% endfor %}
{% for bind in nspawn_shared_host_bindmount %}
{% set _ = cli_switches.append('--bind=' + bind + ':' + bind) %}
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
index 0998d95..5e5ccca 100644
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
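Review bot: Prepending `/` unconditionally on the `Bind=` line breaks any existing `container_bind_mounts` entry written to the previous contract, under which `bind_dir_path` was an absolute path mounted "at the exact same path" — such entries now render as `Bind=/src://dest`, and nothing in the loop rejects or normalizes them. A one-line normalization keeps both spellings working and makes the new default and older inventories agree: `Bind={{ bind.mount_path }}:/{{ bind.bind_dir_path | regex_replace('^/+', '') }}`. Whatever form is chosen, the accepted shape of `bind_dir_path` should be stated once, in defaults/main.yml, and both templates should implement it identically.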
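Review bot: The `--bind=` switch in the legacy template has the same leading-slash problem as the unit-file template: `':/' + bind.bind_dir_path` yields `//dest` for any entry that still carries an absolute `bind_dir_path`, and if the two templates drift apart a host's mounts differ depending on which template is rendered for it (presumably selected by nspawn version — not visible here). Mirror the normalization in this hunk: `{% set _ = cli_switches.append('--bind=' + bind.mount_path + ':/' + (bind.bind_dir_path | regex_replace('^/+', ''))) %}`.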
@@ -17,17 +17,3 @@ _nspawn_map:
distro: centos
arch: "{{ nspawn_architecture_mapping[container_architecture] }}"
release: 7
-
-# This is a list of items that will be passed into the container as READ-ONLY
-# files or directories. If any of these items are passed into the container
-# the container create process will ensure the file is not present within the
-# contianer prior to writting the config.
-_nspawn_read_only_host_bindmount:
- { source: /etc/environment, dest: /etc/environment }
-
-# This is a list of items that will be passed into the container as a shared
-# bind mount. If any of these items are passed into the container.
-_nspawn_shared_host_bindmount:
- /etc/localtime
- /root
- /opt
diff --git a/vars/suse-42.yml b/vars/suse-42.yml
index 2b7f527..21dcebb 100644
--- a/vars/suse-42.yml
+++ b/vars/suse-42.yml
@@ -18,20 +18,6 @@ _nspawn_map:
arch: "{{ nspawn_architecture_mapping[container_architecture] }}"
release: "{{ hostvars[physical_host]['ansible_distribution_version'] }}"
-# This is a list of items that will be passed into the container as READ-ONLY
-# files or directories. If any of these items are passed into the container
-# the container create process will ensure the file is not present within the
-# contianer prior to writting the config.
-_nspawn_read_only_host_bindmount:
- { source: /etc/environment, dest: /etc/environment }
-
-# This is a list of items that will be passed into the container as a shared
-# bind mount. If any of these items are passed into the container.
-_nspawn_shared_host_bindmount:
- /etc/localtime
- /root
- /opt
-
# This version of SUSE does not have access to systemd-resolved. This will need
# to remained disabled until it does.
_nspawn_container_enable_resolved: false
diff --git a/vars/ubuntu-16.04.yml b/vars/ubuntu-16.04.yml
index 2fba49a..2a5cc85 100644
--- a/vars/ubuntu-16.04.yml
+++ b/vars/ubuntu-16.04.yml
@@ -17,17 +17,3 @@ _nspawn_map:
distro: ubuntu
arch: "{{ nspawn_architecture_mapping[container_architecture] }}"
release: xenial
-
-# This is a list of items that will be passed into the container as READ-ONLY
-# files or directories. If any of these items are passed into the container
-# the container create process will ensure the file is not present within the
-# contianer prior to writting the config.
-_nspawn_read_only_host_bindmount:
- { source: /etc/environment, dest: /etc/environment }
-
-# This is a list of items that will be passed into the container as a shared
-# bind mount. If any of these items are passed into the container.
-_nspawn_shared_host_bindmount:
- /etc/localtime
- /root
- /opt
diff --git a/vars/ubuntu-18.04.yml b/vars/ubuntu-18.04.yml
index 26e80df..be73ca4 100644
--- a/vars/ubuntu-18.04.yml
+++ b/vars/ubuntu-18.04.yml
@@ -17,17 +17,3 @@ _nspawn_map:
distro: ubuntu
arch: "{{ nspawn_architecture_mapping[container_architecture] }}"
release: bionic
-
-# This is a list of items that will be passed into the container as READ-ONLY
-# files or directories. If any of these items are passed into the container
-# the container create process will ensure the file is not present within the
-# contianer prior to writting the config.
-_nspawn_read_only_host_bindmount:
- { source: /etc/environment, dest: /etc/environment }
-
-# This is a list of items that will be passed into the container as a shared
-# bind mount. If any of these items are passed into the container.
-_nspawn_shared_host_bindmount:
- /etc/localtime
- /root
- /opt