Ensure that sysctl can be applied on containers

Some sysctl can be applied to containers, so we add a test to prove our containers can do it. Change-Id: I40e2f0af00d6d763efcbb07306791d3cd3feff0d Fixes-Bug: #1685677 (cherry picked from commit bb76ea23f5)
2017-08-17 10:29:59 +00:00 · 2017-08-17 10:29:59 +00:00 · 91aa3046f8
parent 04bd3ac223
commit 91aa3046f8
3 changed files with 75 additions and 0 deletions
--- a/tasks/container_create.yml
+++ b/tasks/container_create.yml
@ -518,6 +518,27 @@
  tags:
    - lxc_container_create-hostname

+- name: Ensure sysctl can be applied
+  template:
+    src: "sysctl-container.init.j2"
+    dest: "/etc/systemd/system/sysctl-container.service"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  remote_user: root
+  tags:
+    - lxc_container_create-sysctl
+
+- name: Enable container sysctl service
+  service:
+    name: "sysctl-container"
+    state: started
+    enabled: yes
+    daemon_reload: yes
+  remote_user: root
+  tags:
+    - lxc_container_create-sysctl
+
 - name: Allow the usage of local facts
  file:
    path: /etc/ansible/facts.d/
--- a/templates/sysctl-container.init.j2
+++ b/templates/sysctl-container.init.j2
@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Apply Kernel Variables in Container
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=systemd-modules-load.service
+Before=sysinit.target shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/sysctl -p
+TimeoutSec=90s
+
+[Install]
+WantedBy=multi-user.target
--- a/tests/test-containers-functional.yml
+++ b/tests/test-containers-functional.yml
@ -93,3 +93,40 @@
      assert:
        that:
          - ping_external_address.rc == 0
+
+# TODO(evrardjp): Move this to testinfra
+- name: Apply a sysctl to test if it can be applied consistenty
+  hosts: container3
+  tasks:
+    - name: Allow consuming apps to bind on non local addresses
+      sysctl:
+        name: net.ipv4.ip_nonlocal_bind
+        value: 1
+        sysctl_set: yes
+        state: present
+
+- name: Bump the container state
+  hosts: localhost
+  user: root
+  become: true
+  tasks:
+    - name: Stop container
+      command: "lxc-stop -n container3"
+      changed_when: false
+    - name: Start container
+      command: "lxc-start -d -n container3"
+      changed_when: false
+
+- name: Check if the sysctl was well applied
+  hosts: container3
+  tasks:
+    - name: Check the sysctl is persistent
+      command: sysctl -n net.ipv4.ip_nonlocal_bind
+      register: nonlocalbind
+      changed_when: false
+    - debug:
+        var: nonlocalbind
+    - name: Verify the sysctl is set
+      assert:
+        that:
+          - "'1' in nonlocalbind.stdout"