From a9acd22e8287d7ebeccae74cbff1645648291085 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Thu, 15 Jun 2017 11:50:44 +0100
Subject: [PATCH] Disable PrivateDevices for MemcacheD on CentOS 7

This patch adds the `memcached_disable_privatedevices` variable that allows deployers to disable PrivateDevices in the systemd unit file. This is a workaround to fix the systemd/LXC issues with bind mounting an already bind mounted `/dev/ptmx` inside the LXC container. See Launchpad bug, lxc/lxc#1623, or systemd/systemd#6121 for more details. The is_metal variable is removed as it is unused.

Related-bug: 1697531
Change-Id: Id7c148bf901354a3dfc2f189ec659f2b92fc7985
---
 defaults/main.yml | 17 +++++++++++++--
 ...rivate-devices-issue-0088e6f8c70a601f.yaml | 21 +++++++++++++++++++
 tasks/memcached_config.yml | 11 ++++++++++
 templates/without-privatedevices.conf.j2 | 2 ++
 4 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/centos-private-devices-issue-0088e6f8c70a601f.yaml
 create mode 100644 templates/without-privatedevices.conf.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 90ff12f..e9a34f6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -23,8 +23,21 @@ cache_timeout: 600
 # Options are 'present' and 'latest'
 memcached_package_state: "latest"
 
-# Defines that the role will be deployed on a host machine
-is_metal: true
+# MemcacheD sets 'PrivateDevices=True' for its systemd unit by default when
+# installed into a container. This provides some additional security, but it
+# causes problems with creating mount namespaces on CentOS 7 with systemd 219.
+# While the security enhancements are helpful on bare metal hosts with
+# multiple services running, they are not as helpful when MemcacheD is running
+# in a container with its own isolated namespaces.
+#
+# Related bugs:
+# https://bugs.launchpad.net/openstack-ansible/+bug/1697531
+# https://github.com/lxc/lxc/issues/1623
+# https://github.com/systemd/systemd/issues/6121
+#
+# Setting the following variable to 'yes' will disable the PrivateDevices
+# setting in the systemd unit file for MemcacheD on CentOS 7 hosts.
+memcached_disable_privatedevices: no
 
 # The default memcache memory setting is to use .25 of the available system ram
 # as long as that value is < 8192. However you can set the `memcached_memory`
diff --git a/releasenotes/notes/centos-private-devices-issue-0088e6f8c70a601f.yaml b/releasenotes/notes/centos-private-devices-issue-0088e6f8c70a601f.yaml
new file mode 100644
index 0000000..13544e0
--- /dev/null
+++ b/releasenotes/notes/centos-private-devices-issue-0088e6f8c70a601f.yaml
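Review bot: The new default `memcached_disable_privatedevices: no` relies on YAML 1.1 truthy parsing, and the comment above it tells deployers to set `'yes'`; writing `memcached_disable_privatedevices: false` together with `# Setting the following variable to true will disable the PrivateDevices` keeps the value a real boolean and satisfies yamllint's truthy rule, while the `| bool` filter in the template still accepts either form. The comment also says the setting applies to "CentOS 7 hosts", whereas the task in this patch keys on `ansible_pkg_mgr == 'yum'`, so any yum-based host with systemd is affected; saying so here would avoid surprises. The release note in the same patch reads "for MariaDB on CentOS 7" and "Deployers can `memcached_disable_privatedevices` to `yes`", which look like copy-paste slips for MemcacheD and a missing "set".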
@@ -0,0 +1,21 @@
+---
+issues:
+  - |
+    MemcacheD sets `PrivateDevices=true` in its systemd unit file to
+    add extra security around mount namespaces. While this is useful
+    when running MemcacheD on a bare metal host with other services, it
+    is less useful when MemcacheD is already in a container with its own
+    namespaces. In addition, LXC 2.0.8 presents `/dev/ptmx` as a bind mount
+    within the container and systemd 219 (on CentOS 7) cannot make an
+    additional bind mount of `/dev/ptmx` when `PrivateDevices` is enabled.
+
+    Deployers can `memcached_disable_privatedevices` to `yes` to set
+    `PrivateDevices=false` in the systemd unit file for MariaDB on CentOS 7.
+    The default is `no`, which keeps the default systemd unit file settings
+    from the MemcacheD package.
+
+    For additional information, refer to the following bugs:
+
+    * https://bugs.launchpad.net/openstack-ansible/+bug/1697531
+    * https://github.com/lxc/lxc/issues/1623
+    * https://github.com/systemd/systemd/issues/6121
diff --git a/tasks/memcached_config.yml b/tasks/memcached_config.yml
index 20156ef..7f7e71e 100644
--- a/tasks/memcached_config.yml
+++ b/tasks/memcached_config.yml
@@ -60,6 +60,17 @@
   when:
     - ansible_service_mgr == 'systemd'
 
+# See comments above 'memcached_disable_privatedevices' in defaults/main.yml for
+# links to relevant bugs and discussion.
+- name: Remove PrivateDevices systemd options when in container
+  template:
+    src: without-privatedevices.conf.j2
+    dest: "/etc/systemd/system/memcached.service.d/without-privatedevices.conf"
+  when:
+    - ansible_pkg_mgr == 'yum'
+    - ansible_service_mgr == 'systemd'
+  notify: Restart memcached
+
 - name: Apply resource limits (systemd)
   template:
     src: "limits.conf.j2"
diff --git a/templates/without-privatedevices.conf.j2 b/templates/without-privatedevices.conf.j2
new file mode 100644
index 0000000..848b326
--- /dev/null
+++ b/templates/without-privatedevices.conf.j2
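Review bot: The task name says "when in container" but its `when` only checks `ansible_pkg_mgr == 'yum'` and `ansible_service_mgr == 'systemd'`, so the drop-in is written on every yum/systemd host, container or bare metal, and with the default it pins `PrivateDevices=true` explicitly instead of leaving the packaged unit untouched. Renaming it to match what it does, `- name: Manage the PrivateDevices systemd option (yum/systemd hosts)`, avoids misleading the next reader; if the intent really is to only ever write the file for containers, that needs an explicit container check in the conditions. A unit drop-in only takes effect after `systemctl daemon-reload`; whether the `Restart memcached` handler performs one is outside this hunk and worth confirming. The neighbouring task quotes its `src:` value, so `src: "without-privatedevices.conf.j2"` would keep the file consistent.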
@@ -0,0 +1,2 @@
+[Service]
+PrivateDevices={{ memcached_disable_privatedevices | bool | ternary('false', 'true') }}
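Review bot: The rendered drop-in carries no header, so an operator inspecting `/etc/systemd/system/memcached.service.d/without-privatedevices.conf` on a host has nothing telling them it is Ansible-managed or why the service sandbox is being toggled; systemd unit files accept `#` comments, so a first line such as `# Managed by Ansible (memcached role); controlled by memcached_disable_privatedevices` would make that visible. The ternary ordering is right: with the default the file re-asserts `PrivateDevices=true`, so the hardening is only relaxed when a deployer opts out.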