From 91aa3046f86ca5fe51cb335c3251053eae54ff94 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Evrard Date: Thu, 17 Aug 2017 10:29:59 +0000 Subject: [PATCH] Ensure that sysctl can be applied on containers Some sysctl can be applied to containers, so we add a test to prove our containers can do it. Change-Id: I40e2f0af00d6d763efcbb07306791d3cd3feff0d Fixes-Bug: #1685677 (cherry picked from commit bb76ea23f5682242df66648c5afe0c34c7c49988) --- tasks/container_create.yml | 21 ++++++++++++++++ templates/sysctl-container.init.j2 | 17 +++++++++++++ tests/test-containers-functional.yml | 37 ++++++++++++++++++++++++++++ 3 files changed, 75 insertions(+) create mode 100644 templates/sysctl-container.init.j2 diff --git a/tasks/container_create.yml b/tasks/container_create.yml index 6ff71f9..df61ce3 100644 --- a/tasks/container_create.yml +++ b/tasks/container_create.yml @@ -518,6 +518,27 @@ tags: - lxc_container_create-hostname +- name: Ensure sysctl can be applied + template: + src: "sysctl-container.init.j2" + dest: "/etc/systemd/system/sysctl-container.service" + mode: "0644" + owner: "root" + group: "root" + remote_user: root + tags: + - lxc_container_create-sysctl + +- name: Enable container sysctl service + service: + name: "sysctl-container" + state: started + enabled: yes + daemon_reload: yes + remote_user: root + tags: + - lxc_container_create-sysctl + - name: Allow the usage of local facts file: path: /etc/ansible/facts.d/ diff --git a/templates/sysctl-container.init.j2 b/templates/sysctl-container.init.j2 new file mode 100644 index 0000000..621a9cd --- /dev/null +++ b/templates/sysctl-container.init.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +[Unit] +Description=Apply Kernel Variables in Container +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-modules-load.service +Before=sysinit.target shutdown.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/sbin/sysctl -p +TimeoutSec=90s + +[Install] +WantedBy=multi-user.target 
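Review bot: `state: started` on the new "Enable container sysctl service" task makes container creation depend on `sysctl -p` succeeding inside the container, because `systemctl start` of a `Type=oneshot` unit returns the ExecStart exit status. An image with no `/etc/sysctl.conf`, or one carrying a key that is read-only from inside the container (most of `/proc/sys` is in an LXC guest), would fail the whole create play rather than just the sysctl step; either drop `state: started` and rely on `enabled` for the next boot, or make the unit itself tolerant (see the template). Minor: write `enabled: true` rather than `enabled: yes` (yamllint truthy), matching the quoted `mode: "0644"` discipline already used here. The task list continues outside the hunk on both sides.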
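Review bot: `ExecStart=/sbin/sysctl -p` reads only `/etc/sysctl.conf` and exits non-zero when a key is unknown or cannot be written, which inside an LXC container — where most of `/proc/sys` is read-only — is the expected case, so the unit lands in failed state on an otherwise fine boot. Prefer `ExecStart=-/sbin/sysctl -e -p` (the leading `-` keeps a partial apply from failing the unit, `-e` silences unknown keys), or `ExecStart=-/sbin/sysctl -e --system` if the target procps supports it, which also honours `/etc/sysctl.d/*.conf` where the Ansible `sysctl` module writes when given a `sysctl_file`. The `[Install]` section is also inconsistent with the ordering: the unit is `Before=sysinit.target` yet `WantedBy=multi-user.target`; mirroring `systemd-sysctl.service` with `WantedBy=sysinit.target` states the intent explicitly. Worth a header comment in the template: the unit runs as root on every container boot, so anyone able to write the container's `/etc/sysctl.conf` gains persistent control over whichever tunables LXC exposes writable to that container.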
diff --git a/tests/test-containers-functional.yml b/tests/test-containers-functional.yml index ccd16bb..9d608b7 100644 --- a/tests/test-containers-functional.yml +++ b/tests/test-containers-functional.yml @@ -93,3 +93,40 @@ assert: that: - ping_external_address.rc == 0 + +# TODO(evrardjp): Move this to testinfra +- name: Apply a sysctl to test if it can be applied consistenty + hosts: container3 + tasks: + - name: Allow consuming apps to bind on non local addresses + sysctl: + name: net.ipv4.ip_nonlocal_bind + value: 1 + sysctl_set: yes + state: present + +- name: Bump the container state + hosts: localhost + user: root + become: true + tasks: + - name: Stop container + command: "lxc-stop -n container3" + changed_when: false + - name: Start container + command: "lxc-start -d -n container3" + changed_when: false + +- name: Check if the sysctl was well applied + hosts: container3 + tasks: + - name: Check the sysctl is persistent + command: sysctl -n net.ipv4.ip_nonlocal_bind + register: nonlocalbind + changed_when: false + - debug: + var: nonlocalbind + - name: Verify the sysctl is set + assert: + that: + - "'1' in nonlocalbind.stdout"
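Review bot: The final assertion `'1' in nonlocalbind.stdout` is a substring test, so any output containing a `1` (a multi-line or unexpected value, for instance) passes; compare the value exactly with `- nonlocalbind.stdout | trim == '1'`. The check also races the container boot: `lxc-start -d` returns once init is launched, not once the oneshot unit has run, so the play may read the kernel default before `sysctl -p` has applied `/etc/sysctl.conf` — consider preceding the read with `command: systemctl is-active --quiet sysctl-container` under `until`/`retries`, or at least `lxc-wait -n container3 -s RUNNING` in the bump play. Minor: `sysctl_set: yes` and `become: true` mix truthy spellings (use `true`/`false` throughout), and `user: root` on the play is the legacy form of `remote_user: root`, which the tasks/container_create.yml hunk already uses.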