This has not had any practical use for several releases and mostly
carries copies of ansible facts. Remove the variable and use the
facts directly.
Change-Id: I1d2be9d07b38eaf2b737819c451a0d2339f723d0
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
This is a follow-up change to [1].
[1] https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/888180
Change-Id: I2564e3dcb2efad8f6a2ed21bec61668c1b6f6209
Right now we write the output of `date -d @{{ timestamp }}` to
the expiry file, and then attempt to compare it with a timestamp.
However, the output of `date -d` is a datetime and not a timestamp,
so these 2 things cannot be properly compared. So the image cache
was valid forever.
Change-Id: I42f5b43f09d3c530813dd7fd334eafce7a5eaf39
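An added example, not part of the commit or the role's own code: it reproduces the comparison failure described in the commit message above and shows a check that treats an unparsable expiry file as expired. Function names and the file layout are hypothetical, the epoch values are constructed, and GNU `date` is assumed.

```shell
#!/bin/sh
# Added illustration of the expiry-file bug described above. Function names and
# the file layout are hypothetical; the role's real tasks are not shown on this page.

# Buggy writer: stores a human-readable datetime (output of `date -d @<epoch>`).
write_expiry_buggy() { date -d "@$2" > "$1"; }

# Fixed writer: stores the epoch timestamp itself.
write_expiry_fixed() { printf '%s\n' "$2" > "$1"; }

# Naive check: exit 0 means "expired". A non-numeric stored value makes the
# integer test error out (non-zero), which reads as "still valid" forever.
cache_expired() {
  stored=$(cat "$1")
  [ "$stored" -le "$2" ] 2>/dev/null
}

# Strict check: a missing or non-numeric expiry file is treated as expired,
# so a malformed file forces a rebuild instead of pinning a stale image.
cache_expired_strict() {
  stored=$(cat "$1" 2>/dev/null) || return 0
  case "$stored" in
    ''|*[!0-9]*) return 0 ;;
  esac
  [ "$stored" -le "$2" ]
}

# Constructed demo values: expiry at epoch 1000, "now" at epoch 2000.
demo_file=$(mktemp)
write_expiry_buggy "$demo_file" 1000
cache_expired "$demo_file" 2000 && echo "buggy file: expired" || echo "buggy file: treated as valid"
cache_expired_strict "$demo_file" 2000 && echo "strict check: expired" || echo "strict check: valid"
write_expiry_fixed "$demo_file" 1000
cache_expired "$demo_file" 2000 && echo "fixed file: expired" || echo "fixed file: valid"
rm -f "$demo_file"
```

A base image cache that never expires keeps serving whatever package versions it was built with, so failing toward a rebuild is the safer default.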
This patch aims to handle creation of OVS bridge if
`lxc_net_bridge_type` is set to `openvswitch`. That will finalize path
when deployer prefers to have OVS as the only bridge provider and does not
use LXB for any bridges.
Change-Id: Idd7a6eecf718df7fd8b4ae008f7dc00e42e8c32c
This change adds a new role default option which will allow operators
to omit the deployment of specific lxc bridge network config. This
change is being implemented because, as an operator, I have a host
setup specifically built for OpenStack which includes an interface
config covering the lxc deployment. Currently when running a deployment
the role will attempt to deploy a new interface file which at best
conflicts with the host setup and at worst fails to run due to the
interface being in a state unknown to OSA.
The new config option `lxc_net_managed` is default **true** keeping
the existing expectations, but when set to **false** the role will
no longer deploy an interface file or attempt to bring up the interface
using the distro tools.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: Icdf4a1f5ff98dc1b86c6a87ea4e606b7c74e1aac
Instead of overriding this value everywhere, it's easier to
define it from the start to the value we want. In this case,
we want to define it to "present", while still being
overridable.
Change-Id: If9db9aec4b48d2118aae0f2ef611f0e044d63fb3
This patch switches the debian/ubuntu OS to build their lxc base
images locally using debootstrap rather than download a pre-built
lxc image. This unifies the approach with Centos-8 which is already
building a local image using dnf.
The LXC cache prestage tasks are removed, and all variables
associated with the download of the lxc image are removed from
defaults/main.yml.
A new variable lxc_apt_mirror is introduced, which is passed to
debootstrap to provide the apt source that the container rootfs
should be built from.
Depends-On: https://review.opendev.org/786396
Change-Id: Ia5a62cee7ab493857df16f7ae906796d22ba616c
This change uses dnf to build the container image for Centos-8
using dnf locally rather than rely on an external image that is
downloaded and unpacked.
The existing image prestage commands are made conditional, and
an operating system specific command can be provided via role
variables to build a chroot in /var/lib/machines.
During the transition from Centos-8 to Centos-8-Stream, the
vars files are separated, with vars/redhat.yml covering Stream,
and vars/centos-8.3.yml covering legacy Centos-8.
In addition, the systemd-logind service is masked from the base
image. This is masked in the previously downloaded container base
image, so we ensure that the same is done for locally built chroots.
Depends-On: I31880ca995735b737d33532eaa4c29be02523117
Depends-On: I74f02669b013b8580d3469a8ffe214d88cd0f525
Change-Id: I1ddfe36259610b25e86b69d64d1d7f32a56c0e4d
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible
Change-Id: I79f68c467d48b9b50143fd3a11e176f91804e805
The same can be achieved with two ternary operators. Much
less code and duplication.
Default lxc_container_backing_store to 'dir' to match the
lxc_container_create role and further simplify the code.
Change-Id: I59bbbcd8a66970a4fb30339aed457b50fb4dad50
Openstack-ansible does not support Centos-7 beyond Ussuri so drop
support for Victoria.
Depends-On: https://review.opendev.org/742103
Change-Id: I395e0f7b1d362240e67a86fa4545a8be64f3053c
Centos-7 uses tasks/lxc_isntall_yum.yml so we can put all of the
Centos-8 setup exclusively in tasks/lxc_install_dnf.yml which
means there are few conditional setup tasks needed.
Add cache prep and lxc host vars files for rhel-8 variants.
This patch takes the systemd-networkd package from EPEL and installs
it into the LXC image, so that the existing lxc_container_create
role can set up the container networking in the same manner as the
other supported operating systems.
Depends-On: https://review.opendev.org/738913
Change-Id: If57de332945291d139d54e9aed5d782a69a71d97
The LXC image prep script copies the contents of /etc/pki/rpm-gpg to
the container image so that these keys can be used inside the container.
Importantly, /etc/pki/rpm-gpg is only a staging area where keys are
kept on the filesystem and is not the actual set of keys imported
into the package manager database.
For the EPEL key to be properly copied into the LXC container image
it must first be staged into the host /etc/pki/rpm-gpg directory
and then installed using the rpm_key module. If the key is installed
directly using rpm_key then it is not available as a file to copy
into the container image.
Depends-On: https://review.opendev.org/735289
Change-Id: Ifdeb447e1ef000dbe83394f6e5b0ed3c7afc84c5
Repository variables lxc_centos_epel_mirror and lxc_centos_epel_key will
default to centos_epel_mirror and centos_epel_key
Change-Id: Icf84a0a55654fa890947bae5b608870eddad7324
When using a custom repo with centos_epel_mirror, you may need to
change the GPG key URL because of an offline environment.
You can use this variable: lxc_centos_epel_gpg_key
Change-Id: Ia30f20df6971a9a44a69e5cc22020831a95a1489
Increase container shutdown delay before force-killing to avoid db
corruption after controller reboots
Parameterize SHUTDOWNDELAY envvar as lxc_container_shutdown_delay
with default value 60 seconds
Rename lxc.default.j2 template to lxc-net.default.j2 to align with
destination config file name lxc-net
Add new lxc.default.j2 template to use the lxc_container_shutdown_delay
variable and allow user-defined value
Related-Bug: 1806696
Change-Id: I1d3b7990e462140fdb402883f8d25422eafca66b
The default variable for different configuration keys between lxc 2 and
3 was being shared between lxc-hosts and lxc-container-create roles but
the functionality of the option is slightly different between the roles.
This change modifies the option to reduce confusion and ensures that if
the option is overridden it doesn't cause silent failures.
Change-Id: I3007843e99585ac96e499c2b1028bf3f92dd165b
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
The fstab and rootfs options have slightly changed in lxc3. This change
updates our templates to ensure we're using the correct option for the
LXC version found on disk.
Change-Id: Ib1c563db70f3ddbeb3a65c55e0917777b27fd41f
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
The machinectl template was running with the legacy uts name option.
This change updates that option so that it uses the hash and major
version to update the config variable.
Change-Id: I85b5c92422116b139e447330214b2d6b5afbf948
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
This change allows the deployer to specify lists of distro packages
which will be installed in addition to those specified by this role.
Change-Id: I35ac3be4ec61c432492871de80f6d7f29cca828d
To enable a common variable for overriding the OpenSUSE mirror,
we use opensuse_mirror by default and provide a default value
if it is not set. This ensures that a common variable can be used
to set them all between lxc_hosts and openstack_hosts. Doing it
this way also means that we do not need to add any 'glue' in the
group_vars to keep them consistent.
Change-Id: I22ac019d8783bc8e6c9d71c22c04314b77c55261
This change implements the machinectl quota system and qgroups when
they're enabled and available. This change is being implemented to
resolve an issue where machinectl based containers using a loopback file
system spam DMESG with the following:
* BTRFS error (device loop0): could not find root $INT
While various upstream sources say this error is benign[0], it raises
an inconsistency flag within the host system and is speculatively the
cause of our inconsistent read-only/Full-FS issues we've seen in the
integrated gate. Once the qgroups are properly setup the system will
remove the inconsistency flag and the message spam will stop.
* BTRFS info (device loop0): qgroup scan completed (inconsistency flag cleared)
To resolve this issue the quota system is being enabled by default
and unlimited qgroups are being setup to ensure we're not running
into file system limitations. This change essentially acknowledges
the built-in quota system and provides for the ability to set /
define specific quota (qgroup) options as necessary. While many
deployers may never use these options or this tooling, the role will
now properly set everything up should it ever be needed.
[0] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1651435
Closes-Bug: #1753790
Change-Id: I34a41ac8a9fe4419254284c83f4600efee274c04
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Now that bionic testing is added into the tests repos, we can
start testing it in the repo.
cgmanager isn't in bionic, and therefore is removed
The service module isn't in bionic, and therefore it's been renamed to
"systemd".
The apparmor setup we were doing was breaking the apparmor profiles
required. While this worked in xenial it breaks bionic. To fix this
we're just disabling the apparmor profiles instead of trying to
augment them through block file changes.
Depends-On: https://review.openstack.org/#/c/566959/
Change-Id: Ie4bca80d0dba7b0da0b5829b91cd6d815894aeaa
Co-Authored-By: Kevin Carter <kevin.carter@rackspace.com>
The hosts may end up in a rather messed up state when mixing
distribution and pip packages. The python lxc bindings are already
provided in the distro repositories so we can simply use these in order
to keep the host as clean as possible.
Change-Id: Ia370f393b961b453ad60e5539f5027d19bf4281f
Implements: blueprint openstack-distribution-packages
The new Ubuntu base image we use does not ship with any locales
or locale configuration. A fix[1] attempted to remedy this by
copying the default locale configuration from the host, but it
is not a valid fix since the locale from the host is not present
or generated in the container cache. This causes things to break
on the system when valid locales are used, such as database
systems[2].
Instead, to prepare locales in Ubuntu[3], we should install the
locales package and provide a list of valid locales to prep
the base image. It is not necessary to copy /etc/default/locale
from the system. The first locale provided will be used as
the system's base locale by running 'update-locale' which
builds /etc/default/locale.
[1] e62de979cb
[2] http://paste.openstack.org/show/719241/
[3] https://www.thomas-krenn.com/en/wiki/Configure_Locales_in_Ubuntu#No_locale_set
Change-Id: Iaa5351777d7db464e8a897fdf33c0f440bfa601b
The host and container image variable files have been split. This split
now gives deployers the ability to change or customize the container
image used on a given host.
Change-Id: I839bbcfff3f33dde144e9fb8d078fa1d97f8c410
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
For a very long time we've been parsing and using the lxc images as
provided by upstream lxc. While these images are functional they are by
no means optimal. In general they're quite a bit larger than they need
to be and contain a lot of little sharp edges that have cut us over
the years. This change removes all of the lxc image cache parsing and
meta-data linking and simply downloads the rootfs from a given url. To
maintain compatibility with the legacy images a script has been created
to parse the image index and return the legacy image url.
The result of this change:
* Access to smaller more optimal base image which is well known by the
corresponding communities.
* Deployers now have the ability to set and forget the download url for an
internal image instead of having to create a cache infrastructure
compatible with the lxc download template.
* Any rootfs tarball will work as an image.
* Fewer tasks are executed and less memory is consumed resulting in faster
deployment times.
* The base cache has a uniform meta-data setup giving all container
types the same access to config, devices, and templating.
Change-Id: I1775e775bbb7fe86bdffdd8296c2cff5ebc5bac8
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This change moves the image prep scripts out of a set of variables and
into an actual template. This change will reduce our overall memory
footprint by simply rendering a template instead of injecting content
into a file using the copy module. The result will be faster time to
execution and more understandable output, especially when running in
debug.
Change-Id: Ic90fa7c8fdec8ffd844070ee78d30bd63a33a2a9
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
It appears that when setting a limit which is greater than the size
of the underlying filesystem, machinectl does not change the quota at
all. As such, let's calculate the limit based on the /var/lib/machines
mountpoint or any of its parents.
Change-Id: I8ddc9931cbca5db8c1a411fd2581b34763179d01
The LXC-Container-Create role now has the ability to setup all of the
network interfaces using systemd-networkd. Those changes give us a
uniform interface to consume when we create containers and frees the
roles from having to care about specific container interface config.
This change removes our now redundant tasks.
This also ensures "dbus" is available in the base container image
which was simply added for consistency.
Change-Id: I9278b1f73e1e0fdf98ab5fbe016a77aeb3f75be2
Depends-On: I5d3ddcfa11d575648a69a04f2fb30236c2c89da3
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
In I85fefc6ce186bb6808ac37a9ea79a50e29671115 the format for
lxc_host_machine_volume_size was changed from a forced GB
value to a value where the size can be specified by the user.
Unfortunately this totally breaks previous settings, as
demonstrated by the need to implement this patch to get the
integrated build to work again:
https://review.openstack.org/544724
Unfortunately this means that any value set in any previous
series will also fail, meaning that an upgrade from a previous
setting in a previous or same series will fail.
This is not an acceptable outcome, so this patch forces it
back to using Gigabytes as documented and makes sure it's
consistent across the old/new systemd implementations. It also
converts any other values set (perhaps with trailing G/K) to
use G so that regardless of someone setting it in the interim
state it will still work.
Change-Id: Iee220190b92613707f890929aad855dec46892da
The machinectl cache is currently set image to 16G by default. If
multiple container images are imported into the cache this may be too
small by default. This change sets the cache to "64G" by default allowing
the cache more room to grow by.
This change also disables the quota system once the limit has been set.
The option `lxc_host_machine_quota_disabled` has been added to disable or
enable the quota system as needed. This is done after the default limit has
been set so an adequately sized sparse file can be created should it not
already exist.
> More documentation can be seen here [0] with regard to the set-limit
option.
Because we support both modern and older systemd, the cache prep tasks
for old systemd have been updated so that deployers using earlier
versions of systemd can benefit from the ability to grow an existing
cache via playbook run.
[0] https://www.freedesktop.org/software/systemd/man/machinectl.html#set-limit%20%5BNAME%5D%20BYTES
Closes-Bug: #1745361
Change-Id: I85fefc6ce186bb6808ac37a9ea79a50e29671115
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
In https://review.openstack.org/523525 the default value was
changed for SuSE and CentOS to be higher, but the value was
also overridden using role vars which have a high precedence.
This patch ensures that the value uses the role defaults to
ensure it has the lowest precedence. It also changes the reno
to ensure that the change in default is communicated.
The increased timeout will have no real effect on gating, but
will benefit installations where the mirror is a bit slow.
Change-Id: I41a68313d1841d14001acca591db5c5638e53ffc