Commit Graph

132 Commits

Author SHA1 Message Date
Zuul 51ce768243 Merge "Allow LXC container auto mounts to be customised" 2024-01-16 10:14:26 +00:00
Jonathan Rosser 8a32fc65d9 Allow LXC container auto mounts to be customised
The list of auto mounts is currently hardcoded so there is
no opportunity to adjust the mounts or change the permissions
if necessary.

This patch converts the mounts to a list which can be overridden
as required via host or group vars.

The auto mount configuration is assumed to only be present once
in the LXC config file and any existing statements are replaced.
Change-Id: I62deed28287dae8b289bf882ca0b1a24b207c92d
2024-01-15 15:04:47 +00:00
Jonathan Rosser 0b897c1eb0 Use FQCN for lxc_container module
This is currently using a redirect from ansible.builtin.lxc_container
to community.general.lxc_container, so be explicit about which
module we are using.

Change-Id: I9cdde57a10c7249687ee47fe91a3e84160b46ce1
2023-10-24 08:01:40 +01:00
Dmitriy Rabotyagov d6f0630c8c Properly apply tags for include_tasks
Change-Id: I5307fe00a8cf875b622f8b077242596648d52182
2023-09-08 13:01:40 +02:00
Dmitriy Rabotyagov 3cdcb1115f Fix linters issue and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: I6a9986cd948dbeaf2847ea4dd04deed974f80d20
2023-07-11 21:43:23 +02:00
Dmitriy Rabotyagov 5af3d0c200 Replace systemd_service templates with role
For consistency reasons we try to leverage our systemd_service role as
much as we can. Instead of maintaining separate systemd unit templates
the role can be leveraged for same purposes and reduce complexity in
this role.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/865952
Change-Id: I59e6504240eafdb5f0d010ff8a051078e25b1281
2022-11-29 08:28:17 +00:00
Dmitriy Rabotyagov 517b75ac61 Replace usage of networkd template with role
For consistency reasons instead of placing a template for
systemd-networkd we better use systemd_networkd role that is present
for a while.

Change-Id: I1e9deaa2892a8fa7eb171acaf75441d7efeac297
2022-10-14 16:17:19 +00:00
siavash sardari 0b7a8645de Add ovs support for lxc containers.
The main problem this commit is resolving is that with openvswitch,
the ports were not getting cleaned up, and after a restart (hard restart, or even a soft restart where
lxc.service times out) containers couldn't start properly, due to existing ports on the bridges.

Change-Id: I707dbfc6878095f7593abe3fca3a5e5b310063e5
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/837742
2022-06-08 08:10:06 +00:00
Jonathan Rosser 91b7997b34 Unify variables for all operating systems.
Refactoring of the lxc_hosts role means that there is no need for
differences in variables between operating systems.

This patch makes the ubuntu focal CI jobs non voting as it must
merge at the same time as a corresponding patch to lxc_hosts.

Change-Id: I29e91320baebb9a3a649533a0e1d3a433dd04ad9
2022-04-27 15:58:29 +00:00
Dmitriy Rabotyagov 3834c32c0e Add Debian Bullseye support
Switching to proc:mixed improves container isolation and is not required
for Bullseye.
But cgroup:mixed is required for container to start, as it provides
ability for the container to manage own cgroups (but not parents).

Change-Id: Ifce5b9673319d077e57cdf8a28b182b57b7d4507
2021-06-01 10:44:24 +03:00
Dmitriy Rabotyagov 8c6c6caa04 Do not create extras in /openstack/{{ inventory_hostname }}
Directory /openstack/{{ inventory_hostname }} can be bind mounted
inside container. So we should keep it clean without any third party
scripts.

Change-Id: I79a55cad21333553bd4f59ffb145faf96c283c9e
2021-04-29 09:42:48 +00:00
Jonathan Rosser 5d22a389c2 Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: If6b30e40bf71f60ee72fdc1459ce5e5a9f4f7d93
2021-02-24 14:18:48 +00:00
Andrew Bonney 9a397730b4 Fix formatting of LXC container config files
Spacing changes were inadvertently introduced in
https://review.opendev.org/742121 which result in duplicate entries
in LXC config files.

This commit reverts to the original formatting with spaces either
side of the '=', although it makes no attempt to fix files which
may already include duplicate entries.

Change-Id: Ia95bbc959b54f494b5861afcb4e84d4c227e7b31
2021-02-01 09:46:30 +00:00
Jonathan Rosser 29ee8f0e14 Remove support for LXC2 configuration keys
The removal of support for Centos-7 means that it is no longer necessary
to maintain compatibility with LXC2 configuration keys. This patch removes
the code which substitutes LXC3 keys for LXC2 keys.

Depends-On: https://review.opendev.org/742166
Depends-On: https://review.opendev.org/742103
Change-Id: I2911a20a3391e880df80f41eed5c9a8d5e36c2f4
2020-10-05 18:09:10 +01:00
Jonathan Rosser c27ee13684 Fix linter errors
Also remove centos-7 jobs which are no longer supported

Change-Id: I82dc5ca09e436d5703cf8a4bb59ea7d2c3120411
2020-10-05 08:09:23 +00:00
Jonathan Rosser 303e5c44ae Ansible 'version' is a test not a filter.
The previously used syntax worked on ansible < 2.9, but now it is
invalid and fails.

Change-Id: Ic8fc9327e6814d310d862ab3ce8d323f30faa359
2020-05-10 18:38:01 +01:00
Dmitriy Rabotyagov 866b5c233a Use version test instead of version_compare
This test was changed to 'version' in ansible 2.5 [1].

[1] https://docs.ansible.com/ansible/2.8/user_guide/playbooks_tests.html#version-compariso

Change-Id: Ia3b6674398665bb84ea6d1da95956aeab1bf7735
2019-09-10 13:47:06 +03:00
Jimmy McCrory 605bfb83fe Fix path of pre-up-down oneshot service file
The pre-up-down oneshot service template was mistakenly being written to
the same path as the post-up-down oneshot service file.

Change-Id: Iba966b14c97cc3bfc0d6effe7a3df7b588639cfb
2019-07-24 20:36:20 -05:00
Jonathan Rosser fe13e7729d Do not add container /etc/hosts entry for 127.0.1.1
This patch removes a task which adds an entry to /etc/hosts for
the container hostname / 127.0.1.1.

Some services, such as rabbitmq, require that the ip address they
are configured to listen on resolves to a hostname with the same
ip. Before this patch there were two /etc/hosts entries for the
hostname of each container, 127.0.1.1 and the container mgmt
network address.

This patch ensures that the /etc/hosts file is unambiguous and
always resolves the container hostname to the mgmt network ip
address.

Change-Id: I900bda8031d7b0798f73adf8985e64d4535be769
2019-07-13 21:32:55 +01:00
Jonathan Rosser 6b33973241 Do not use 'null' when trying to locate vars files
This generates warnings in the ansible log

Change-Id: I317d6db32783ef5d63ac6a2554dcb983871a96a5
2019-05-12 18:25:25 +00:00
Matthew Thode c84d4924ef Add gentoo support
Required to support Gentoo is the ability to bind mount a new shared
directory.  In order to support this, _lxc_container_bind_mounts has
been created for use in per-distro variables.  For Gentoo the new bind
mounts allow the sharing of package data, shrinking both the container
size and the time needed to install packages.

Also needed was the creation of the `sysctl_path` variable as Gentoo
installs sysctl to an alternate location.

Change-Id: I8c20631aff9ee30289ef2f7f862ba0d4e1bb4569
2019-02-26 09:00:13 -06:00
Jesse Pretorius a14dcc8489 Resolve btrfs backing store variable inconsistency
In Ica79472568799098ebf83c6cefc585f117975f37 some incorrect
variable names were used. This patch changes the variable
names to suit their purpose and ensures that they are used
consistently throughout the role.

Change-Id: If9e912641b5b6cb7791221b40dd4d56e215c2b98
2019-01-07 17:17:26 +00:00
Zuul 927fcae2ac Merge "Fix ansible deprecation warnings" 2018-12-18 10:56:59 +00:00
Jonathan Rosser 5351d7dc87 Fix ansible deprecation warnings
===
[DEPRECATION WARNING]: Using tests as filters is deprecated.
Instead of using `result|search` use `result is search`. This
feature will be removed in version 2.9.
===

Change-Id: Id2f8065cd81cd05c36fcbc33bb9c48b6574d30d1
2018-12-03 17:12:52 +00:00
Mohammed Naser 952353bc72 cleanup: remove rocky-only upgrade code
This code was put in to handle upgrade and transitions from Queens
to Rocky and it is no longer necessary in Stein.

Change-Id: Iffc453ccb8af5d66e556da8427eb4fec1c2133ca
2018-11-27 10:33:27 -05:00
Jimmy McCrory 296f428b9c Stop creating duplicate lines in lxc config files
The 'Ensure containers have access RO cgroups' will currently add the
same line to an lxc container's config file on every run of the role.

Add a regular expression to the task to check if the line to be inserted
already exists in the file, and if so, don't insert it again.

Change-Id: I5ac57bd59ea943c019dd0a5530c8246284b33269
2018-11-03 23:43:16 -07:00
Jonathan Rosser 959a56eb6b Convert lxc2 to lxc3 config keys dynamically
This change allows the role to accept either lxc2 or lxc3 config
keys, plus a list of key substitutions to make when writing the
lxc config file.

This allows a set of config keys to remain defined as variables
outside this role and generate a valid config on both lxc2 and lxc3
based hosts.

Change-Id: Ifc871a9fcaf77ff36cfcc1c87b1f406862d46d22
2018-09-11 15:44:41 +00:00
Zuul cbc51af0f0 Merge "use include_tasks instead of include" 2018-09-08 20:59:26 +00:00
ZhijunWei 65598063b0 use include_tasks instead of include
include is marked as deprecated since ansible 2.4[0]

Switch to include_tasks or import_playbook as necessary

[0] https://docs.ansible.com/ansible/2.4/include_module.html#deprecated

Change-Id: I0fa8217c21b733f291e535cdd89de24eb6e0346d
2018-08-19 12:52:19 -04:00
melissaml f1a47766f5 Remove the duplicated word
Change-Id: I2f9ec4ab1607f29d05f1c6ccd72d5cc041b790a7
2018-08-17 14:30:57 +08:00
zhulingjie 9d89be45a7 Remove the unnecessary space
Change-Id: I1cd0f166eec5444f116410c1deaad92345824cb1
2018-07-11 23:19:01 -04:00
Jean-Philippe Evrard b2020d5c10 Fix usage of "|" for tests
With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.

This should fix it.

Change-Id: Ie89ff6580bec52b598776c479a909c9a99c005b0
2018-07-12 17:00:53 +02:00
Jimmy McCrory c9d55cd0fb Don't recurse when creating bind mount directories
The 'Ensure bind mount host directories exists' task does not provide
any attributes so recursing is unnecessary. If a parent directory does
not exist, Ansible will automatically create it.

Change-Id: Ia71518e87362c52b849b1baac5a7e17f86e83865
2018-05-31 18:27:06 -05:00
Andy McCrae 7794e23cc0 Use attribute for sort
Using sort against dicts won't work in py3 (and may not work as expected
in py2), since dictionaries can not be compared unless we pass an
attribute value.

Change-Id: Ib11f78d639ea7d520896482253e7a12eb862d598
2018-05-31 12:04:05 +01:00
Andy McCrae 4c8c76e4e1 Ensure container configuration is sorted
We convert the container networks from a dict to a list in order to
allow us to enumerate the networks and assign an ID which is required
for lxc > 3.

Since dicts are unsorted we should ensure that we sort the converted
list so that unnecessary container restarts are not initiated on
subsequent runs, where the id for the network could change due to the
initial dict being unsorted.

Change-Id: I6f86b32e05adb2e0e4e214d2eb4aa67cbc283be1
2018-05-29 10:57:30 +01:00
Zuul 2bc8bd5b0e Merge "Add Bionic testing" 2018-05-25 00:00:04 +00:00
Zuul 81510eaaf6 Merge "Add task to regather facts after run" 2018-05-24 13:17:49 +00:00
Jean-Philippe Evrard 62eff6ca2a Add Bionic testing
Now that bionic testing is added into the tests repos, we can
start testing it in the repo.

Since bionic uses lxc >= 3, we need to make some adjustments to the role
to allow the role to work with both lxc > 3 and lxc < 3, there were
several config options changes which will impact on upgradeability.

LXC >= 3 requires networks to have an index, we can achieve this by
taking the network dict and converting it to a list, and using those to
generate the id "with_indexed_items".

Depends-On: https://review.openstack.org/#/c/566959/
Depends-On: https://review.openstack.org/#/c/567038/
Change-Id: Ib80c2ed2a01a4a6a8c48aed9bdf9a50e45ea9564
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-05-24 00:02:19 +00:00
Kevin Carter 3b1b5a34bf Add missing "delegate_to"
All of the qgroup commands were failing due to them being executed
inside the container instead of on the host running the container. This
change adds the forgotten delegate_to to correct that.

Change-Id: I0ff97d42fb20065613af24c65f523793a3b58fae
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-05-18 08:34:17 -05:00
Kevin Carter e9726bf252 Add task to regather facts after run
This role will introduce quite a bit of state change within the host
it's deployed on. After the run we should force regather facts to ensure
we have the most up-to-date information before running any other
playbooks/roles on the host.

Change-Id: I05d71964f96a8e025aa0f89f37f8dcb2a705a2e5
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-05-15 16:30:08 +00:00
Kevin Carter 25478e9b4e Enable quota system and set qgroups
This change implements the machinectl quota system and qgroups when
they're enabled and available. This change is being implemented to
resolve an issue where machinectl based containers using a loopback file
system spam DMESG with the following:

* BTRFS error (device loop0): could not find root $INT

While various upstream sources say this error is benign[0], it raises
an inconsistency flag within the host system and is speculatively the
cause of our inconsistent read-only/Full-FS issues we've seen in the
integrated gate. Once the qgroups are properly setup the system will
remove the inconsistency flag and the message spam will stop.

* BTRFS info (device loop0): qgroup scan completed (inconsistency flag cleared)

To resolve this issue the quota system is being enabled by default
within the "lxc_host" role. This change essentially acknowledges
the built-in quota system and when enabled provides for the ability
to set / define specific quota (qgroup) options as necessary. While
many deployers may never use these options or this tooling, the role
will now properly set everything up should it ever be needed.

[0] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1651435
Closes-Bug: #1753790
Depends-On: I34a41ac8a9fe4419254284c83f4600efee274c04
Change-Id: Ica79472568799098ebf83c6cefc585f117975f37
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-05-14 22:33:44 -05:00
Logan V e58699c1bd Remove veth wiring check for machine-id
machine_id is not registered until further down in the file, so
this will fail with "The error was: |changed expects a dictionary"

We don't see the failure in our gates because the two preceding
conditions: not ((default_configuration_container | changed) or
           (bind_configuration_container | changed)

are always true, so the machine_id test is never used.

In an existing environment where the container is being updated
from an old configuration to the new networkd installation, it is
very possible that default_configuration_container and
bind_configuration_container are not changed, so the machine_id
var is checked for changed state. At that point ansible fails
because the var is undefined.

Change-Id: I0b95c6c5d0f52344d476e52219c1ce31edcf65da
2018-04-01 23:13:51 -05:00
Zuul 61fcf1af80 Merge "Add container journal linking" 2018-03-24 14:58:59 +00:00
Kevin Carter 72a16fd9e5 Add container journal linking
The container and host can link journals giving operators the ability to
log stream and check on the health of a system without needing to login
(attach) to the container. This change implements journal linking for
LXC containers following the reference systemd specification.

Reference implementation:
https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--link-journal=

Change-Id: Id68cf39a77b5dd9c13c010829b47cd7a414378bc
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-03-24 01:45:25 +00:00
Kevin Carter 846b4f9ed2 Allow deployers to define the container type
The variable `lxc_user_defined_container` has been added which allows a
deployer to define the container variable file in use for a given
container type.

Depends-On: https://review.openstack.org/554383
Change-Id: Ia1373bfa916b4add49a8444d2e4553f898650328
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-03-24 01:18:07 +00:00
Zuul 883bc78164 Merge "Collect physical host facts if missing" 2018-03-19 15:26:16 +00:00
Zuul 8c8a22affa Merge "Use hostnamectl to set the container hostname" 2018-03-19 13:13:40 +00:00
Zuul 52ac75ca14 Merge "Add lxc.haltsignal to container configs" 2018-03-19 09:17:59 +00:00
Logan V 59f326b63e Collect physical host facts if missing
Allow the role to collect facts for the physical host if missing,
since the role has a hard dependency on checking the physical host's
kernel version.

In the OSA container create playbook[1], facts are collected only
if the physical host itself is included in the playbook scope. When
a '--limit containername' parameter is used, no physical host facts
are collected and the role fails with:

The conditional check 'hostvars[physical_host]['ansible_kernel'] |
version_compare('3.18.0-0-generic', '<')' failed. The error was:
Version comparison: 'dict object' has no attribute 'ansible_kernel'

Change-Id: Id84aefed6c0129909cb6153258863564c7cc914a
2018-03-18 22:40:41 -05:00
Kevin Carter a2fc120d06 Use hostnamectl to set the container hostname
This change sets the hostname of containers using the hostnamectl
command which has several enhancements over legacy method. By using
hostnamectl the command will validate the hostname for correctness
ensuring the container hostnames are conforming to the RFC.

The old methods have been removed and the command has been made part of
the handlers and will be run after the activation of dbus.

Change-Id: I158a5deb0685d2dcd436d7dd92caecb9966a025e
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-03-18 01:34:43 +00:00