openstack/openstack-ansible
Code Issues Proposed changes

Updates the container build process

Browse Source 
The container build process needs to make sure that the service
sources are correctly setup and updated prior to running any other
playbooks.

The modification here is nessisary to break out the process for the
proxy create, apt sources deployment, the update of those sources
and keys, container upgrades and the installation of python2.7 for
use with Ansible. This also allows for better debugging of a failure
in container create as we'll now be able to tell where in the process
a failure happens and be able to use tags to resolve it.

Change-Id: I36be437303a73bbc98a1cd5297f6c65591653cd7
Closes-Bug: 1464771
This commit is contained in:
kevin 2015-06-12 15:59:05 -05:00
parent e6da43ac27
commit 86b6e8e640
1 changed files with 151 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

198
playbooks/roles/lxc_container_create/tasks/container_create.yml
View File

@ -62,59 +62,87 @@
vg_name: "{{ properties.container_vg_name|default(lxc_container_vg_name) }}"
template_options: "{{ lxc_container_template_options }}"
container_command: |
{% if global_environment_variables is defined %}
{%- for name, value in global_environment_variables.items() %}
{% if value %}
if ! grep '{{ name }}={{ value }}' /etc/environment;
echo '{{ name }}={{ value }}' | tee -a /etc/environment
echo -e '{{ lxc_container_default_interfaces }}' | tee /etc/network/interfaces
delegate_to: "{{ physical_host }}"
tags:
- lxc-container-create
- name: Load container service mounts and profile
lxc_container:
name: "{{ inventory_hostname }}"
container_command: |
mkdir -p /var/backup
mkdir -p /var/log/{{ properties.service_name }}
container_config:
- "lxc.mount.entry=/openstack/backup/{{ inventory_hostname }} var/backup none defaults,bind,rw 0 0"
- "lxc.mount.entry=/openstack/log/{{ inventory_hostname }} var/log/{{ properties.service_name }} none defaults,bind,rw 0 0"
- "lxc.aa_profile=lxc-openstack"
when: properties.service_name is defined
delegate_to: "{{ physical_host }}"
tags:
- lxc-container-service-config
- name: Setup basic container ssh
lxc_container:
name: "{{ inventory_hostname }}"
container_command: |
# Enable root ssh login
if grep -q "^PermitRootLogin" /etc/ssh/sshd_config;then
sed -i 's/PermitRootLogin.*/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
else
echo 'PermitRootLogin yes' | tee -a /etc/ssh/sshd_config
fi
{% endif %}
{%- endfor %}
{% endif %}
# Disable ssh password auth
if grep -q "^PasswordAuthentication" /etc/ssh/sshd_config;then
sed -i 's/PasswordAuthentication.*/PasswordAuthentication\ no/g' /etc/ssh/sshd_config
else
echo 'PasswordAuthentication no' | tee -a /etc/ssh/sshd_config
fi
# Disable UseDNS in ssh
if grep -q "^UseDNS" /etc/ssh/sshd_config;then
sed -i 's/UseDNS.*/UseDNS\ no/g' /etc/ssh/sshd_config
else
echo 'UseDNS no' | tee -a /etc/ssh/sshd_config
fi
# Disable x11 forwarding in ssh
if grep -q "^X11Forwarding" /etc/ssh/sshd_config;then
sed -i 's/X11Forwarding.*/X11Forwarding\ no/g' /etc/ssh/sshd_config
else
echo 'X11Forwarding no' | tee -a /etc/ssh/sshd_config
fi
# Enable tcp keepalive in ssh
if grep -q "^TCPKeepAlive" /etc/ssh/sshd_config;then
sed -i 's/TCPKeepAlive.*/TCPKeepAlive\ yes/g' /etc/ssh/sshd_config
else
echo 'TCPKeepAlive yes' | tee -a /etc/ssh/sshd_config
fi
service ssh restart
with_dict: container_networks
delegate_to: "{{ physical_host }}"
tags:
- lxc-container-ssh-config
- name: Create ssh key entry
lxc_container:
name: "{{ inventory_hostname }}"
container_command: |
mkdir -p ~/.ssh/
if [ ! -f "~/.ssh/authorized_keys" ];then
touch ~/.ssh/authorized_keys
fi
grep '{{ lxc_container_ssh_key }}' ~/.ssh/authorized_keys || echo '{{ lxc_container_ssh_key }}' | tee -a ~/.ssh/authorized_keys
# Create internal directories
mkdir -p /etc/network/interfaces.d
mkdir -p /var/backup
sed -i 's/PermitRootLogin.*/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
service ssh restart
# Configure defined apt-repos
rm /etc/apt/sources.list
echo '# Do not edit this file. Add new sources to /etc/apt/sources.list.d/' | tee /etc/apt/sources.list
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }} main restricted universe multiverse' | tee -a /etc/apt/sources.list
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-updates main restricted universe multiverse' | tee -a /etc/apt/sources.list
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-backports main restricted universe multiverse' | tee -a /etc/apt/sources.list
echo 'deb {{ lxc_container_template_security_apt_repo }} {{ lxc_container_release }}-security main restricted universe multiverse' | tee -a /etc/apt/sources.list
while timeout 120 apt-get update && apt-get -y install python2.7; [ $? = 124 ]; do
sleep 5
done
rm /usr/bin/python
ln -s /usr/bin/python2.7 /usr/bin/python
echo -e '{{ lxc_container_default_interfaces }}' | tee /etc/network/interfaces
container_config:
- "lxc.aa_profile=lxc-openstack"
- "lxc.mount.entry=/openstack/backup/{{ inventory_hostname }} var/backup none defaults,bind,rw 0 0"
with_dict: container_networks
delegate_to: "{{ physical_host }}"
tags:
- lxc-container-create
- name: Force container user password set
lxc_container:
name: "{{ inventory_hostname }}"
container_command: >
getent passwd "{{ lxc_container_user_name }}" &&
echo "{{ lxc_container_user_name }}:{{ lxc_container_user_password }}" | chpasswd
delegate_to: "{{ physical_host }}"
tags:
- lxc-container-user-password-regen
- lxc-container-key
- name: Container network interfaces
lxc_container:
name: "{{ inventory_hostname }}"
container_command: |
if [ ! -d "/etc/network/interfaces.d" ];then
mkdir -p /etc/network/interfaces.d
fi
echo -e '{{ lxc_container_interface }}' | tee /etc/network/interfaces.d/{{ item.value.interface }}.cfg
with_dict: container_networks
delegate_to: "{{ physical_host }}"
@ -135,7 +163,7 @@
tags:
- lxc-container-networks
- name: Container network configs
- name: Container network includes
lineinfile:
dest: "/var/lib/lxc/{{ inventory_hostname }}/config"
line: "lxc.include = /var/lib/lxc/{{ inventory_hostname }}/{{ item.value.interface }}.ini"
@ -149,15 +177,89 @@
tags:
- lxc-container-networks
- name: Create container service directories
# Flush the handlers to ensure the container and networking is online.
- meta: flush_handlers
# Resets the container user's password using lxc_container because Python2.7
# may not be installed at this point.
- name: Force container user password set
lxc_container:
name: "{{ inventory_hostname }}"
container_command: |
mkdir -p '/var/log/{{ properties.service_name }}'
mkdir -p '/etc/{{ properties.service_name }}'
container_config:
- "lxc.mount.entry=/openstack/log/{{ inventory_hostname }} var/log/{{ properties.service_name }} none defaults,bind,rw 0 0"
when: properties.service_name is defined
getent passwd "{{ lxc_container_user_name }}" &&
echo "{{ lxc_container_user_name }}:{{ lxc_container_user_password }}" | chpasswd
delegate_to: "{{ physical_host }}"
no_log: True
tags:
- lxc-container-user-password-regen
# Setup proxy configs, this is done here to ensure that we have our container proxy setup
# prior to running online commands. This is using lxc_container because python2.7 may not be
# installed at this point.
- name: Run proxy config
lxc_container:
name: "{{ inventory_hostname }}"
container_command: |
if ! grep '{{ item.key }}={{ item.value }}' /etc/environment; then
echo '{{ item.key }}={{ item.value }}' | tee -a /etc/environment
fi
with_dict: global_environment_variables | default({})
when: global_environment_variables is defined
delegate_to: "{{ physical_host }}"
tags:
- lxc-container-service-dirs
- lxc-container-proxy
# Uses lxc_container because the repos need to be available before python2.7 is installed
# and python2.7 may not be installed at this point.
- name: Create main apt repos
lxc_container:
name: "{{ inventory_hostname }}"
container_command: |
# Configure defined apt-repos
rm /etc/apt/sources.list
echo '# Sources created by the ansible' | tee /etc/apt/sources.list
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }} main restricted universe multiverse' | tee -a /etc/apt/sources.list
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-updates main restricted universe multiverse' | tee -a /etc/apt/sources.list
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-backports main restricted universe multiverse' | tee -a /etc/apt/sources.list
echo 'deb {{ lxc_container_template_security_apt_repo }} {{ lxc_container_release }}-security main restricted universe multiverse' | tee -a /etc/apt/sources.list
for i in {1..3};do
timeout 60 sh -c "/usr/bin/apt-get update && /usr/bin/apt-key update"
if [ "$?" == 0 ];then
break
else
if [ ! "$i" == "3" ];then
echo "Failure to update on attempt $i retrying..."
/usr/bin/apt-get clean
sleep 2
else
echo 'Failed to update'
exit 99
fi
fi
done
delegate_to: "{{ physical_host }}"
tags:
- lxc-container-sources
# Update the container and ensure that its all patched. This is using lxc_container
# because python2.7 may not be installed at this point.
- name: Ensure container is updated
lxc_container:
name: "{{ inventory_hostname }}"
container_command: |
apt-get -y upgrade
delegate_to: "{{ physical_host }}"
tags:
- lxc-container-upgrade
# Uses lxc_container because python2.7 may not be installed within the container at this point.
- name: Ensure python is installed and is default 2.7
lxc_container:
name: "{{ inventory_hostname }}"
container_command: |
apt-get -y install python2.7
rm /usr/bin/python
ln -s /usr/bin/python2.7 /usr/bin/python
delegate_to: "{{ physical_host }}"
tags:
- lxc-container-python