6285b6c638
This change adds the ability to effectively use the PrivateNetwork functionality systemd provides for services. Now, if enabled, services can be created in a network namespace which isolates them from the rest of the host. Additional options have been added allowing access into the network namespace over ephemeral devices as needed. Highlights: * Isolated private networking for services will sandbox using a standalone namespace which has no access to anything via the network. * Access into a private namespace can be provided over a single network interface which can be IP'd via local DHCP + NAT or using an upstream DHCP server. * Tests have been added to exercise the new functionality. All of the functionality has been documented in the defaults of this role. Change-Id: I6751765131f32393a1605eb2100bec46199d980a Signed-off-by: Kevin Carter <kevin@cloudnull.com>
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
# Copyright 2018, Logan Vig <logan2211@gmail.com>
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Playbook for role testing
|
|
hosts: localhost
|
|
connection: local
|
|
user: root
|
|
become: true
|
|
roles:
|
|
- role: "systemd_service"
|
|
systemd_services:
|
|
- service_name: "test isolated service0"
|
|
execstarts: "/usr/bin/env python -m SimpleHTTPServer 8001"
|
|
enabled: yes
|
|
systemd_PrivateNetwork: yes
|
|
|
|
post_tasks:
|
|
- name: Check Services
|
|
command: systemctl status "test_isolated_service0"
|
|
changed_when: false
|
|
tags:
|
|
- skip_ansible_lint
|
|
|
|
- name: Check Services
|
|
shell: ip netns exec test_isolated_service0 ss -ntlp | grep python
|
|
changed_when: false
|
|
tags:
|
|
- skip_ansible_lint
|
|
|
|
- name: Check isolated services
|
|
command: ip netns exec test_isolated_service0 ip -o link
|
|
changed_when: false
|
|
register: isolated_service0
|
|
tags:
|
|
- skip_ansible_lint
|
|
|
|
- name: Check negative service testing
|
|
fail:
|
|
msg: >-
|
|
Two links not found within the namespace: {{ isolated_service1.stdout_lines }}
|
|
when:
|
|
- (isolated_service0.stdout_lines | length) != 1
|
|
|
|
|
|
- name: Playbook for role testing
|
|
hosts: localhost
|
|
connection: local
|
|
user: root
|
|
become: true
|
|
roles:
|
|
- role: "systemd_service"
|
|
systemd_services:
|
|
- service_name: "test isolated service1"
|
|
execstarts: "/usr/bin/env python -m SimpleHTTPServer 8001"
|
|
enabled: yes
|
|
systemd_PrivateNetwork: yes
|
|
systemd_PrivateNetworkIsolated: no
|
|
systemd_PrivateNetworkDHCP: yes
|
|
systemd_PrivateNetworkLocalDHCP: yes
|
|
when:
|
|
- (ansible_os_family | lower) != "redhat"
|
|
|
|
post_tasks:
|
|
- name: Check Services
|
|
command: systemctl status "test_isolated_service1"
|
|
changed_when: false
|
|
when:
|
|
- (ansible_os_family | lower) != "redhat"
|
|
tags:
|
|
- skip_ansible_lint
|
|
|
|
- name: Check Services
|
|
shell: ip netns exec test_isolated_service1 ss -ntlp | grep python
|
|
changed_when: false
|
|
when:
|
|
- (ansible_os_family | lower) != "redhat"
|
|
tags:
|
|
- skip_ansible_lint
|
|
|
|
- name: Check isolated linked services
|
|
command: ip netns exec test_isolated_service1 ip -o link
|
|
changed_when: false
|
|
register: isolated_service1
|
|
when:
|
|
- (ansible_os_family | lower) != "redhat"
|
|
tags:
|
|
- skip_ansible_lint
|
|
|
|
- name: Check negative service testing
|
|
fail:
|
|
msg: >-
|
|
Two links not found within the namespace: {{ isolated_service1.stdout_lines }}
|
|
when:
|
|
- (ansible_os_family | lower) != "redhat"
|
|
- (isolated_service1.stdout_lines | length) != 2
|
|
|
|
|
|
- name: Playbook for role testing
|
|
hosts: localhost
|
|
connection: local
|
|
user: root
|
|
become: true
|
|
roles:
|
|
- role: "systemd_service"
|
|
systemd_services:
|
|
- service_name: "test simple service0"
|
|
execstarts: "/bin/bash -c 'while true; do sleep 2 && echo test simple service; done'"
|
|
enabled: yes
|
|
- service_name: "test simple service0 with env vars"
|
|
execstarts: "/bin/bash -c 'while true; do sleep 2 && echo $ENV_VAR1; done'"
|
|
enabled: yes
|
|
environment:
|
|
ENV_VAR1: "testing"
|
|
- service_name: "test oneshot service1"
|
|
config_overrides:
|
|
Unit:
|
|
Description: Test oneshot service
|
|
After: network-online.target
|
|
Wants: network-online.target
|
|
Service:
|
|
RemainAfterExit: yes
|
|
service_type: oneshot
|
|
execstarts:
|
|
- "/bin/bash -c 'echo start1'"
|
|
- "/bin/bash -c 'echo start2'"
|
|
execstops:
|
|
- "/bin/bash -c 'echo stop1'"
|
|
- "/bin/bash -c 'echo stop2'"
|
|
enabled: yes
|
|
state: started
|
|
systemd_tempd_prefix: openstack
|
|
systemd_lock_path: /var/lock/networking
|
|
- service_name: "test timer service0"
|
|
execstarts:
|
|
- "/bin/bash -c 'echo start0'"
|
|
timer:
|
|
state: "started"
|
|
options:
|
|
OnBootSec: 30min
|
|
OnUnitActiveSec: 1h
|
|
Persistent: true
|
|
- service_name: "test timer service1"
|
|
execstarts:
|
|
- "/bin/bash -c 'echo start1'"
|
|
timer:
|
|
state: "started"
|
|
cron_minute: 30
|
|
cron_hour: 1
|
|
|
|
post_tasks:
|
|
- name: Check Services
|
|
command: systemctl status "{{ item }}"
|
|
changed_when: false
|
|
with_items:
|
|
- test_simple_service0
|
|
- test_simple_service0_with_env_vars
|
|
- test_oneshot_service1
|
|
- test_timer_service0.timer
|
|
- test_timer_service1.timer
|
|
tags:
|
|
- skip_ansible_lint
|
|
|
|
- name: Test failure condition
|
|
block:
|
|
- name: Run the systemd service role
|
|
include_role:
|
|
name: systemd_service
|
|
vars:
|
|
systemd_services:
|
|
- service_name: "test simple service1"
|
|
execstarts:
|
|
- "/bin/bash -c 'while true; do sleep 2 && echo test simple service1; done'"
|
|
- "/bin/bash -c 'while true; do sleep 2 && echo test simple service2; done'"
|
|
rescue:
|
|
- name: Set negative service test pass fact
|
|
set_fact:
|
|
systemd_service_execstarts_test: true
|
|
|
|
- name: Test failure condition
|
|
block:
|
|
- name: Run the systemd service role
|
|
include_role:
|
|
name: systemd_service
|
|
vars:
|
|
systemd_services:
|
|
- service_name: "test simple service2"
|
|
execstarts: "/bin/bash -c 'while true; do sleep 2 && echo test simple service; done'"
|
|
execstops:
|
|
- /bin/true
|
|
- /bin/true
|
|
rescue:
|
|
- name: Set negative service test pass fact
|
|
set_fact:
|
|
systemd_service_execstops_test: true
|
|
|
|
- name: Test failure condition
|
|
block:
|
|
- name: Run the systemd service role
|
|
include_role:
|
|
name: systemd_service
|
|
vars:
|
|
systemd_services:
|
|
- service_name: "test simple service3"
|
|
execstarts: "/bin/true"
|
|
execreloads:
|
|
- /bin/true
|
|
- /bin/true
|
|
rescue:
|
|
- name: Set negative service test pass fact
|
|
set_fact:
|
|
systemd_service_execreloads_test: true
|
|
|
|
- name: Check negative service testing
|
|
fail:
|
|
msg: >-
|
|
Failed negative service testing. Results --
|
|
systemd_service_execstarts_test: {{ systemd_service_execstarts_test }},
|
|
systemd_service_execstops_test: {{ systemd_service_execstops_test }},
|
|
systemd_service_execreloads_test: {{ systemd_service_execreloads_test }}
|
|
when:
|
|
- (not systemd_service_execstarts_test | bool) or
|
|
(not systemd_service_execstops_test | bool) or
|
|
(not systemd_service_execreloads_test | bool)
|
|
|
|
- name: Notify tests passed
|
|
debug:
|
|
msg: All tests have passed
|
|
vars:
|
|
systemd_service_execstarts_test: false
|
|
systemd_service_execstops_test: false
|
|
systemd_service_execreloads_test: false
|
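Review bot: The first play's `Check negative service testing` task interpolates `isolated_service1.stdout_lines` in its message, but that play only registers `isolated_service0`, so when the `!= 1` condition trips the fail task will itself abort on an undefined variable and the namespace link listing is never shown; the wording `Two links not found` also contradicts the single-link expectation. Change the message to `One link not found within the namespace: {{ isolated_service0.stdout_lines }}`. Separately, `enabled: yes`, `systemd_PrivateNetwork: yes` and `systemd_PrivateNetworkIsolated: no` are YAML 1.1 truthy forms; Ansible accepts them, but `true`/`false` would read consistently with `Persistent: true` and `changed_when: false` used elsewhere in the same file. Leave `RemainAfterExit: yes` under `config_overrides` as is until you confirm how the role renders a YAML boolean into the unit file, since systemd reads that value as text rather than as a YAML boolean.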