diff --git a/playbooks/galera-install.yml b/playbooks/galera-install.yml
index 0db115e610..6ed61b5ba1 100644
--- a/playbooks/galera-install.yml
+++ b/playbooks/galera-install.yml
@@ -67,6 +67,15 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Galera extra lxc config lxc_container: name: "{{ container_name }}"
@@ -75,7 +84,7 @@ container_config: - "lxc.mount.entry=/openstack/{{ container_name }} var/lib/mysql none bind 0 0" delegate_to: "{{ physical_host }}" - when: is_metal == false or is_metal == "False" + when: not is_metal | bool tags: - galera-mysql-dir - name: Flush net cache
diff --git a/playbooks/memcached-install.yml b/playbooks/memcached-install.yml
index f0b51b4ba2..1140da160e 100644
--- a/playbooks/memcached-install.yml
+++ b/playbooks/memcached-install.yml
@@ -17,6 +17,16 @@ hosts: memcached max_fail_percentage: 20 user: root + pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile roles: - { role: "memcached_server", tags: [ "memcached-server" ] } - role: "system_crontab_coordination"
diff --git a/playbooks/os-ceilometer-install.yml b/playbooks/os-ceilometer-install.yml
index c355bd930f..16cf317e41 100644
--- a/playbooks/os-ceilometer-install.yml
+++ b/playbooks/os-ceilometer-install.yml
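Review bot: Because the lxc_container_create role stops writing `lxc.aa_profile=lxc-openstack` in this same change (the container_create.yml hunk further down), the profile is now applied only by plays that carry this pre_task, so any container play not touched by this diff leaves its containers on LXC's default profile instead of lxc-openstack; the galera hunk starts at line 67, so whether an earlier play in that file also gets the task is outside this view. The identical nine-line task is pasted into memcached-install, os-ceilometer-install, os-glance-install, os-heat-install, os-horizon-install, os-keystone-install, os-nova-install, os-swift-setup, rabbitmq-install, repo-server, rsyslog-install and utility-install, and a single shared task file pulled in with `- include:` would keep the profile name in one place and make the coverage easy to audit. I could not tell from the diff whether lxc_container restarts the container after changing its config; if it does not, the new profile only takes effect at the next restart, and a comment such as `# profile change is picked up on the next container restart` above the task would make that explicit.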
@@ -18,6 +18,15 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Flush net cache command: /usr/local/bin/lxc-system-manage flush-net-cache delegate_to: "{{ physical_host }}"
@@ -47,7 +56,7 @@ state: directory with_items: - { path: "/openstack/log/{{ inventory_hostname }}-ceilometer" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - ceilometer-logs - ceilometer-log-dirs
@@ -59,7 +68,7 @@ force: "yes" with_items: - { src: "/openstack/log/{{ inventory_hostname }}-ceilometer", dest: "/var/log/ceilometer", state: "link" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - ceilometer-logs roles:
diff --git a/playbooks/os-cinder-install.yml b/playbooks/os-cinder-install.yml
index f6709c4c7a..262a9992e6 100644
--- a/playbooks/os-cinder-install.yml
+++ b/playbooks/os-cinder-install.yml
@@ -18,6 +18,17 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=unconfined" + delegate_to: "{{ physical_host }}" + when: > + not is_metal | bool and + inventory_hostname in groups['cinder_volume'] + tags: + - lxc-aa-profile - name: Add volume group block device to cinder shell: | {% if item.1.volume_group is defined %}
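Review bot: The cinder pre_task is named "Use the lxc-openstack aa profile" but writes `lxc.aa_profile=unconfined`, and its `when` restricts it to cinder_volume hosts, so cinder containers outside that group get no AppArmor profile line from this play at all; with container_create.yml no longer adding lxc-openstack in this same change, they fall back to LXC's default profile unless something outside the diff sets one. The same gap appears in the os-neutron-install.yml hunk, where only neutron_agent containers are handled. Rename this task to say what it does, e.g. `- name: Run cinder_volume containers unconfined`, and add a companion task that applies lxc-openstack to the remaining containers of the play (mirrored for neutron with groups['neutron_agent']).
```yaml
- name: Use the lxc-openstack aa profile
  lxc_container:
    name: "{{ container_name }}"
    container_config:
      - "lxc.aa_profile=lxc-openstack"
  delegate_to: "{{ physical_host }}"
  when: >
    not is_metal | bool and
    inventory_hostname not in groups['cinder_volume']
  tags:
    - lxc-aa-profile
# … unchanged: existing unconfined task for cinder_volume, "Add volume group block device to cinder" …
```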
@@ -36,27 +47,16 @@ delegate_to: "{{ physical_host }}" tags: - cinder-lxc-devices - - name: Cinder extra lxc config - lxc_container: - name: "{{ container_name }}" - container_config: - - "lxc.aa_profile=unconfined" - - "lxc.cgroup.devices.allow=a *:* rmw" - delegate_to: "{{ physical_host }}" - when: (is_metal == false or is_metal == "False") and inventory_hostname not in groups['cinder_volume'] - tags: - - cinder-container-setup - name: Cinder volume extra lxc config lxc_container: name: "{{ container_name }}" container_config: - "lxc.autodev=0" - - "lxc.aa_profile=unconfined" - "lxc.cgroup.devices.allow=a *:* rmw" - "lxc.mount.entry=udev dev devtmpfs defaults 0 0" delegate_to: "{{ physical_host }}" when: > - (is_metal == false or is_metal == "False") and + not is_metal | bool and inventory_hostname in groups['cinder_volume'] and cinder_backend_lvm_inuse tags:
@@ -97,7 +97,7 @@ state: directory with_items: - { path: "/openstack/log/{{ inventory_hostname }}-cinder" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - cinder-logs - cinder-log-dirs
@@ -109,7 +109,7 @@ force: "yes" with_items: - { src: "/openstack/log/{{ inventory_hostname }}-cinder", dest: "/var/log/cinder", state: "link" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - cinder-logs roles:
diff --git a/playbooks/os-glance-install.yml b/playbooks/os-glance-install.yml
index a4614eae27..6767ae4fab 100644
--- a/playbooks/os-glance-install.yml
+++ b/playbooks/os-glance-install.yml
@@ -18,6 +18,15 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Glance extra lxc config lxc_container: name: "{{ container_name }}"
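Review bot: Dropping the "Cinder extra lxc config" task and the `lxc.aa_profile=unconfined` entry from the volume task only changes what newly built containers receive; nothing in the hunk removes `lxc.aa_profile=unconfined` and `lxc.cgroup.devices.allow=a *:* rmw` from containers that earlier runs already wrote them into, so on an existing deployment the non-volume cinder containers may stay unconfined with broad device access indefinitely. Whether that happens depends on lxc_container replacing the whole container_config or appending to it, which I cannot tell from the diff; the os-neutron-install.yml hunk has the same exposure for neutron containers outside neutron_agent. If the module appends, the tightening needs an accompanying cleanup of the stale lines on existing containers, or at minimum a comment above the remaining task: `# NOTE: only affects newly created containers; existing ones keep lines written by earlier runs`.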
@@ -26,7 +35,7 @@ container_config: - "lxc.mount.entry=/openstack/{{ container_name }} var/lib/glance/images none bind 0 0" delegate_to: "{{ physical_host }}" - when: is_metal == false or is_metal == "False" + when: not is_metal | bool tags: - glance-cache-dir - name: Flush net cache
@@ -58,7 +67,7 @@ state: directory with_items: - { path: "/openstack/log/{{ inventory_hostname }}-glance" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - glance-logs - glance-log-dirs
@@ -70,7 +79,7 @@ force: "yes" with_items: - { src: "/openstack/log/{{ inventory_hostname }}-glance", dest: "/var/log/glance", state: "link" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - glance-logs roles:
diff --git a/playbooks/os-heat-install.yml b/playbooks/os-heat-install.yml
index 641be0e9d0..ec3f3da5ab 100644
--- a/playbooks/os-heat-install.yml
+++ b/playbooks/os-heat-install.yml
@@ -18,6 +18,15 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Sort the rabbitmq servers dist_sort: value_to_lookup: "{{ container_name }}"
@@ -33,7 +42,7 @@ state: directory with_items: - { path: "/openstack/log/{{ inventory_hostname }}-heat" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - heat-logs - heat-log-dirs
@@ -45,7 +54,7 @@ force: "yes" with_items: - { src: "/openstack/log/{{ inventory_hostname }}-heat", dest: "/var/log/heat", state: "link" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - heat-logs roles:
diff --git a/playbooks/os-horizon-install.yml b/playbooks/os-horizon-install.yml
index 295c9afe67..da71cd2276 100644
--- a/playbooks/os-horizon-install.yml
+++ b/playbooks/os-horizon-install.yml
@@ -18,6 +18,15 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Sort the rabbitmq servers dist_sort: value_to_lookup: "{{ container_name }}"
@@ -33,7 +42,7 @@ state: directory with_items: - { path: "/openstack/log/{{ inventory_hostname }}-horizon" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - horizon-logs - horizon-log-dirs
@@ -45,7 +54,7 @@ force: "yes" with_items: - { src: "/openstack/log/{{ inventory_hostname }}-horizon", dest: "/var/log/horizon", state: "link" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - horizon-logs roles:
diff --git a/playbooks/os-keystone-install.yml b/playbooks/os-keystone-install.yml
index 3911dab8f1..23925700a9 100644
--- a/playbooks/os-keystone-install.yml
+++ b/playbooks/os-keystone-install.yml
@@ -18,6 +18,15 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Sort the rabbitmq servers dist_sort: value_to_lookup: "{{ container_name }}"
@@ -33,7 +42,7 @@ state: directory with_items: - { path: "/openstack/log/{{ inventory_hostname }}-keystone" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - keystone-logs - keystone-log-dirs
@@ -45,7 +54,7 @@ force: "yes" with_items: - { src: "/openstack/log/{{ inventory_hostname }}-keystone", dest: "/var/log/keystone", state: "link" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - keystone-logs roles:
diff --git a/playbooks/os-neutron-install.yml b/playbooks/os-neutron-install.yml
index 7cc15eccfe..7b1eb47b78 100644
--- a/playbooks/os-neutron-install.yml
+++ b/playbooks/os-neutron-install.yml
@@ -18,17 +18,29 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=unconfined" + delegate_to: "{{ physical_host }}" + when: > + not is_metal | bool and + inventory_hostname in groups['neutron_agent'] + tags: + - lxc-aa-profile - name: Neutron extra lxc config lxc_container: name: "{{ container_name }}" container_command: | [[ ! -d "/lib/modules" ]] && mkdir -p "/lib/modules" container_config: - - "lxc.aa_profile=unconfined" - "lxc.cgroup.devices.allow=a *:* rmw" - "lxc.mount.entry=/lib/modules lib/modules none bind 0 0" delegate_to: "{{ physical_host }}" - when: is_metal == false or is_metal == "False" + when: > + not is_metal | bool and + inventory_hostname in groups['neutron_agent'] tags: - neutron-container-setup - name: Flush net cache
@@ -60,7 +72,7 @@ state: directory with_items: - { path: "/openstack/log/{{ inventory_hostname }}-neutron" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - neutron-logs - neutron-log-dirs
@@ -72,7 +84,7 @@ force: "yes" with_items: - { src: "/openstack/log/{{ inventory_hostname }}-neutron", dest: "/var/log/neutron", state: "link" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - neutron-logs - name: Create the neutron provider networks facts
diff --git a/playbooks/os-nova-install.yml b/playbooks/os-nova-install.yml
index e394544c36..2c21fbea93 100644
--- a/playbooks/os-nova-install.yml
+++ b/playbooks/os-nova-install.yml
@@ -18,6 +18,15 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Sort the rabbitmq servers dist_sort: value_to_lookup: "{{ container_name }}"
@@ -49,7 +58,7 @@ delegate_to: "{{ physical_host }}" when: > inventory_hostname in groups['nova_compute'] and - (is_metal == false or is_metal == "False") + not is_metal | bool tags: - nova-kvm - nova-kvm-container-devices
@@ -63,7 +72,7 @@ 'added' in device_add.stdout.lower() when: > inventory_hostname in groups['nova_compute'] and - (is_metal == false or is_metal == "False") and + not is_metal | bool and nova_virt_type == 'kvm' tags: - nova-kvm
@@ -74,7 +83,7 @@ state: directory with_items: - { path: "/openstack/log/{{ inventory_hostname }}-nova" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - nova-logs - nova-log-dirs
@@ -86,7 +95,7 @@ force: "yes" with_items: - { src: "/openstack/log/{{ inventory_hostname }}-nova", dest: "/var/log/nova", state: "link" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - nova-logs roles:
diff --git a/playbooks/os-swift-setup.yml b/playbooks/os-swift-setup.yml
index 8546f6c0c9..215d4eece7 100644
--- a/playbooks/os-swift-setup.yml
+++ b/playbooks/os-swift-setup.yml
@@ -20,13 +20,22 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Create log dir file: path: "{{ item.path }}" state: directory with_items: - { path: "/openstack/log/{{ inventory_hostname }}-swift" } - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - swift-logs - swift-log-dirs
@@ -44,7 +53,7 @@ owner: "syslog" group: "syslog" state: "link" - when: is_metal == true or is_metal == "True" + when: is_metal | bool tags: - swift-logs roles:
diff --git a/playbooks/rabbitmq-install.yml b/playbooks/rabbitmq-install.yml
index c8370e5767..45adad9701 100644
--- a/playbooks/rabbitmq-install.yml
+++ b/playbooks/rabbitmq-install.yml
@@ -17,6 +17,16 @@ hosts: rabbitmq_all max_fail_percentage: 0 user: root + pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile roles: - role: "rabbitmq_server" tags:
diff --git a/playbooks/repo-server.yml b/playbooks/repo-server.yml
index fa1c5c630f..2903ac0640 100644
--- a/playbooks/repo-server.yml
+++ b/playbooks/repo-server.yml
@@ -18,6 +18,15 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Package repo extra lxc config lxc_container: name: "{{ container_name }}"
@@ -26,7 +35,7 @@ container_config: - "lxc.mount.entry=/openstack/{{ container_name }} var/www none bind 0 0" delegate_to: "{{ physical_host }}" - when: is_metal == false or is_metal == "False" + when: not is_metal | bool tags: - repo-dirs - name: Flush net cache
diff --git a/playbooks/roles/lxc_container_create/tasks/container_create.yml b/playbooks/roles/lxc_container_create/tasks/container_create.yml
index 45cfc74e27..19354ea0ad 100644
--- a/playbooks/roles/lxc_container_create/tasks/container_create.yml
+++ b/playbooks/roles/lxc_container_create/tasks/container_create.yml
@@ -101,7 +101,6 @@ container_config: - "lxc.mount.entry=/openstack/backup/{{ inventory_hostname }} var/backup none defaults,bind,rw 0 0" - "lxc.mount.entry=/openstack/log/{{ inventory_hostname }} var/log/{{ properties.log_directory | default(properties.service_name) }} none defaults,bind,rw 0 0" - - "lxc.aa_profile=lxc-openstack" when: properties.service_name is defined delegate_to: "{{ physical_host }}" tags:
diff --git a/playbooks/rsyslog-install.yml b/playbooks/rsyslog-install.yml
index 9ab4d2918a..639f445eb2 100644
--- a/playbooks/rsyslog-install.yml
+++ b/playbooks/rsyslog-install.yml
@@ -18,12 +18,21 @@ max_fail_percentage: 20 user: root pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile - name: Ensure log stroage directory exists file: path: "/openstack/{{ container_name }}/log-storage" state: "directory" delegate_to: "{{ physical_host }}" - when: is_metal == false or is_metal == "False" + when: not is_metal | bool tags: - rsyslog-storage-dirs - name: Rsyslog server extra lxc config
@@ -34,7 +43,7 @@ container_config: - "lxc.mount.entry=/openstack/{{ container_name }}/log-storage {{ storage_directory.lstrip('/') }} none bind 0 0" delegate_to: "{{ physical_host }}" - when: is_metal == false or is_metal == "False" + when: not is_metal | bool tags: - rsyslog-storage-dirs - name: Flush net cache
diff --git a/playbooks/utility-install.yml b/playbooks/utility-install.yml
index 53555a2f9e..c160d89435 100644
--- a/playbooks/utility-install.yml
+++ b/playbooks/utility-install.yml
@@ -17,6 +17,16 @@ hosts: utility_all max_fail_percentage: 20 user: root + pre_tasks: + - name: Use the lxc-openstack aa profile + lxc_container: + name: "{{ container_name }}" + container_config: + - "lxc.aa_profile=lxc-openstack" + delegate_to: "{{ physical_host }}" + when: not is_metal | bool + tags: + - lxc-aa-profile roles: - { role: "galera_client", tags: [ "utility-galera-client" ] } - { role: "pip_lock_down", tags: [ "utility-pip-lock-down" ] }