From 86b6e8e6409f76c46551becdac783a76bb853980 Mon Sep 17 00:00:00 2001
From: kevin
Date: Fri, 12 Jun 2015 15:59:05 -0500
Subject: [PATCH] Updates the container build process

The container build process needs to make sure that the service sources are correctly setup and updated prior to running any other playbooks. The modification here is nessisary to break out the process for the proxy create, apt sources deployment, the update of those sources and keys, container upgrades and the installation of python2.7 for use with Ansible. This also allows for better debugging of a failure in container create as we'll now be able to tell where in the process a failure happens and be able to use tags to resolve it.

Change-Id: I36be437303a73bbc98a1cd5297f6c65591653cd7
Closes-Bug: 1464771
---
 .../tasks/container_create.yml | 200 +++++++++++++-----
 1 file changed, 151 insertions(+), 49 deletions(-)

diff --git a/playbooks/roles/lxc_container_create/tasks/container_create.yml b/playbooks/roles/lxc_container_create/tasks/container_create.yml
index cf3e81ade2..3d84aff377 100644
--- a/playbooks/roles/lxc_container_create/tasks/container_create.yml
+++ b/playbooks/roles/lxc_container_create/tasks/container_create.yml
@@ -62,60 +62,88 @@
 vg_name: "{{ properties.container_vg_name|default(lxc_container_vg_name) }}"
 template_options: "{{ lxc_container_template_options }}"
 container_command: |
- {% if global_environment_variables is defined %}
- {%- for name, value in global_environment_variables.items() %}
- {% if value %}
- if ! grep '{{ name }}={{ value }}' /etc/environment;
- echo '{{ name }}={{ value }}' | tee -a /etc/environment
+ echo -e '{{ lxc_container_default_interfaces }}' | tee /etc/network/interfaces
+ delegate_to: "{{ physical_host }}"
+ tags:
+ - lxc-container-create
+
+- name: Load container service mounts and profile
+ lxc_container:
+ name: "{{ inventory_hostname }}"
+ container_command: |
+ mkdir -p /var/backup
+ mkdir -p /var/log/{{ properties.service_name }}
+ container_config:
+ - "lxc.mount.entry=/openstack/backup/{{ inventory_hostname }} var/backup none defaults,bind,rw 0 0"
+ - "lxc.mount.entry=/openstack/log/{{ inventory_hostname }} var/log/{{ properties.service_name }} none defaults,bind,rw 0 0"
+ - "lxc.aa_profile=lxc-openstack"
+ when: properties.service_name is defined
+ delegate_to: "{{ physical_host }}"
+ tags:
+ - lxc-container-service-config
+
+- name: Setup basic container ssh
+ lxc_container:
+ name: "{{ inventory_hostname }}"
+ container_command: |
+ # Enable root ssh login
+ if grep -q "^PermitRootLogin" /etc/ssh/sshd_config;then
+ sed -i 's/PermitRootLogin.*/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
+ else
+ echo 'PermitRootLogin yes' | tee -a /etc/ssh/sshd_config
 fi
- {% endif %}
- {%- endfor %}
- {% endif %}
+ # Disable ssh password auth
+ if grep -q "^PasswordAuthentication" /etc/ssh/sshd_config;then
+ sed -i 's/PasswordAuthentication.*/PasswordAuthentication\ no/g' /etc/ssh/sshd_config
+ else
+ echo 'PasswordAuthentication no' | tee -a /etc/ssh/sshd_config
+ fi
+ # Disable UseDNS in ssh
+ if grep -q "^UseDNS" /etc/ssh/sshd_config;then
+ sed -i 's/UseDNS.*/UseDNS\ no/g' /etc/ssh/sshd_config
+ else
+ echo 'UseDNS no' | tee -a /etc/ssh/sshd_config
+ fi
+ # Disable x11 forwarding in ssh
+ if grep -q "^X11Forwarding" /etc/ssh/sshd_config;then
+ sed -i 's/X11Forwarding.*/X11Forwarding\ no/g' /etc/ssh/sshd_config
+ else
+ echo 'X11Forwarding no' | tee -a /etc/ssh/sshd_config
+ fi
+ # Enable tcp keepalive in ssh
+ if grep -q "^TCPKeepAlive" /etc/ssh/sshd_config;then
+ sed -i 's/TCPKeepAlive.*/TCPKeepAlive\ yes/g' /etc/ssh/sshd_config
+ else
+ echo 'TCPKeepAlive yes' | tee -a /etc/ssh/sshd_config
+ fi
+ service ssh restart
+ with_dict: container_networks
+ delegate_to: "{{ physical_host }}"
+ tags:
+ - lxc-container-ssh-config
+
+- name: Create ssh key entry
+ lxc_container:
+ name: "{{ inventory_hostname }}"
+ container_command: |
 mkdir -p ~/.ssh/
 if [ ! -f "~/.ssh/authorized_keys" ];then
 touch ~/.ssh/authorized_keys
 fi
 grep '{{ lxc_container_ssh_key }}' ~/.ssh/authorized_keys || echo '{{ lxc_container_ssh_key }}' | tee -a ~/.ssh/authorized_keys
- # Create internal directories
- mkdir -p /etc/network/interfaces.d
- mkdir -p /var/backup
- sed -i 's/PermitRootLogin.*/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
- service ssh restart
- # Configure defined apt-repos
- rm /etc/apt/sources.list
- echo '# Do not edit this file. Add new sources to /etc/apt/sources.list.d/' | tee /etc/apt/sources.list
- echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }} main restricted universe multiverse' | tee -a /etc/apt/sources.list
- echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-updates main restricted universe multiverse' | tee -a /etc/apt/sources.list
- echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-backports main restricted universe multiverse' | tee -a /etc/apt/sources.list
- echo 'deb {{ lxc_container_template_security_apt_repo }} {{ lxc_container_release }}-security main restricted universe multiverse' | tee -a /etc/apt/sources.list
- while timeout 120 apt-get update && apt-get -y install python2.7; [ $? = 124 ]; do
- sleep 5
- done
- rm /usr/bin/python
- ln -s /usr/bin/python2.7 /usr/bin/python
- echo -e '{{ lxc_container_default_interfaces }}' | tee /etc/network/interfaces
- container_config:
- - "lxc.aa_profile=lxc-openstack"
- - "lxc.mount.entry=/openstack/backup/{{ inventory_hostname }} var/backup none defaults,bind,rw 0 0"
+ with_dict: container_networks
 delegate_to: "{{ physical_host }}"
 tags:
- - lxc-container-create
-
-- name: Force container user password set
- lxc_container:
- name: "{{ inventory_hostname }}"
- container_command: >
- getent passwd "{{ lxc_container_user_name }}" &&
- echo "{{ lxc_container_user_name }}:{{ lxc_container_user_password }}" | chpasswd
- delegate_to: "{{ physical_host }}"
- tags:
- - lxc-container-user-password-regen
+ - lxc-container-key
 
 - name: Container network interfaces
 lxc_container:
 name: "{{ inventory_hostname }}"
 container_command: |
- echo -e '{{ lxc_container_interface }}' | tee /etc/network/interfaces.d/{{ item.value.interface }}.cfg
+ if [ ! -d "/etc/network/interfaces.d" ];then
+ mkdir -p /etc/network/interfaces.d
+ fi
+ echo -e '{{ lxc_container_interface }}' | tee /etc/network/interfaces.d/{{ item.value.interface }}.cfg
 with_dict: container_networks
 delegate_to: "{{ physical_host }}"
 tags:
@@ -135,7 +163,7 @@
 tags:
 - lxc-container-networks
 
-- name: Container network configs
+- name: Container network includes
 lineinfile:
 dest: "/var/lib/lxc/{{ inventory_hostname }}/config"
 line: "lxc.include = /var/lib/lxc/{{ inventory_hostname }}/{{ item.value.interface }}.ini"
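Review bot: The new `Setup basic container ssh` and `Create ssh key entry` tasks both carry `with_dict: container_networks` yet neither references `item`, so the sshd_config edits, `service ssh restart` and the authorized_keys append are executed once per network entry; drop the `with_dict` from both tasks. In `Create ssh key entry`, `[ ! -f "~/.ssh/authorized_keys" ]` keeps the tilde inside double quotes so it is never expanded and the test is always true, and `grep '{{ lxc_container_ssh_key }}'` treats the key as a regular expression; use `"$HOME/.ssh/authorized_keys"` and `grep -qF`, and give the directory and file explicit `chmod 700`/`chmod 600` after the `touch` rather than relying on the umask. With `PasswordAuthentication no` now written alongside it, `PermitRootLogin without-password` is sufficient for the key-based root login the role sets up and is narrower than `PermitRootLogin yes`. The first task in the hunk begins above it; its `- name:` and `lxc_container:` lines are outside the visible lines.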
@@ -149,15 +177,89 @@
 tags:
 - lxc-container-networks
 
-- name: Create container service directories
+# Flush the handlers to ensure the container and networking is online.
+- meta: flush_handlers
+
+# Resets the container user's password using lxc_container because Python2.7
+# may not be installed at this point.
+- name: Force container user password set
 lxc_container:
 name: "{{ inventory_hostname }}"
 container_command: |
- mkdir -p '/var/log/{{ properties.service_name }}'
- mkdir -p '/etc/{{ properties.service_name }}'
- container_config:
- - "lxc.mount.entry=/openstack/log/{{ inventory_hostname }} var/log/{{ properties.service_name }} none defaults,bind,rw 0 0"
- when: properties.service_name is defined
+ getent passwd "{{ lxc_container_user_name }}" &&
+ echo "{{ lxc_container_user_name }}:{{ lxc_container_user_password }}" | chpasswd
+ delegate_to: "{{ physical_host }}"
+ no_log: True
+ tags:
+ - lxc-container-user-password-regen
+
+# Setup proxy configs, this is done here to ensure that we have our container proxy setup
+# prior to running online commands. This is using lxc_container because python2.7 may not be
+# installed at this point.
+- name: Run proxy config
+ lxc_container:
+ name: "{{ inventory_hostname }}"
+ container_command: |
+ if ! grep '{{ item.key }}={{ item.value }}' /etc/environment; then
+ echo '{{ item.key }}={{ item.value }}' | tee -a /etc/environment
+ fi
+ with_dict: global_environment_variables | default({})
+ when: global_environment_variables is defined
 delegate_to: "{{ physical_host }}"
 tags:
- - lxc-container-service-dirs
+ - lxc-container-proxy
+
+# Uses lxc_container because the repos need to be available before python2.7 is installed
+# and python2.7 may not be installed at this point.
+- name: Create main apt repos
+ lxc_container:
+ name: "{{ inventory_hostname }}"
+ container_command: |
+ # Configure defined apt-repos
+ rm /etc/apt/sources.list
+ echo '# Sources created by the ansible' | tee /etc/apt/sources.list
+ echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }} main restricted universe multiverse' | tee -a /etc/apt/sources.list
+ echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-updates main restricted universe multiverse' | tee -a /etc/apt/sources.list
+ echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-backports main restricted universe multiverse' | tee -a /etc/apt/sources.list
+ echo 'deb {{ lxc_container_template_security_apt_repo }} {{ lxc_container_release }}-security main restricted universe multiverse' | tee -a /etc/apt/sources.list
+ for i in {1..3};do
+ timeout 60 sh -c "/usr/bin/apt-get update && /usr/bin/apt-key update"
+ if [ "$?" == 0 ];then
+ break
+ else
+ if [ ! "$i" == "3" ];then
+ echo "Failure to update on attempt $i retrying..."
+ /usr/bin/apt-get clean
+ sleep 2
+ else
+ echo 'Failed to update'
+ exit 99
+ fi
+ fi
+ done
+ delegate_to: "{{ physical_host }}"
+ tags:
+ - lxc-container-sources
+
+# Update the container and ensure that its all patched. This is using lxc_container
+# because python2.7 may not be installed at this point.
+- name: Ensure container is updated
+ lxc_container:
+ name: "{{ inventory_hostname }}"
+ container_command: |
+ apt-get -y upgrade
+ delegate_to: "{{ physical_host }}"
+ tags:
+ - lxc-container-upgrade
+
+# Uses lxc_container because python2.7 may not be installed within the container at this point.
+- name: Ensure python is installed and is default 2.7
+ lxc_container:
+ name: "{{ inventory_hostname }}"
+ container_command: |
+ apt-get -y install python2.7
+ rm /usr/bin/python
+ ln -s /usr/bin/python2.7 /usr/bin/python
+ delegate_to: "{{ physical_host }}"
+ tags:
+ - lxc-container-python
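Review bot: In `Ensure python is installed and is default 2.7` the unconditional `rm /usr/bin/python` returns non-zero on a container that has no `/usr/bin/python` yet, and if the preceding `apt-get -y install python2.7` failed it removes the only interpreter link; `ln -sf /usr/bin/python2.7 /usr/bin/python` replaces both lines and is idempotent. `Run proxy config` drops the `{% if value %}` guard that the removed template had, so an empty value in `global_environment_variables` now appends a bare `KEY=` line to `/etc/environment`; `when: global_environment_variables is defined and item.value` restores the guard. `for i in {1..3}` and `[ "$?" == 0 ]` in `Create main apt repos` are bash-only; if lxc_container runs the command under a POSIX sh the loop body executes once with `i` literally `{1..3}` and the test errors, so `for i in 1 2 3` and `-eq 0` are the portable forms. `apt-get -y upgrade` and `apt-get -y install python2.7` run without `DEBIAN_FRONTEND=noninteractive` and without the timeout and retry wrapping given to `apt-get update`, so a conffile prompt or a slow mirror can stall the build indefinitely.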