From 440c87a808c0cec2e2f10b6758596c2754b7dfe0 Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Mon, 6 Aug 2018 13:36:03 +0100
Subject: [PATCH] Add lxc3 compatibility

lxc3 deprecates many legacy config keys [1]. This change ensures that containers created on systems with lxc3 use the appropriate apparmor config keys. At this point we do not need to address lxc2->lxc3 upgrades as these would only occur during a Xenial->Bionic in-place OS upgrade, which is an unsupported upgrade path.
[1] https://discuss.linuxcontainers.org/t/lxc-2-1-has-been-released/487
Change-Id: I9f30339210827f90818ea6993d90ca68c17fd3b2
---
 inventory/group_vars/all/lxc.yml | 17 +++++++++++++++++
 inventory/group_vars/all_containers.yml | 2 +-
 inventory/group_vars/cinder_volume.yml | 2 +-
 inventory/group_vars/neutron_agent.yml | 2 +-
 4 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 inventory/group_vars/all/lxc.yml
diff --git a/inventory/group_vars/all/lxc.yml b/inventory/group_vars/all/lxc.yml
new file mode 100644
index 0000000000..b368c4b97e
--- /dev/null
+++ b/inventory/group_vars/all/lxc.yml
@@ -0,0 +1,17 @@
+---
+# Copyright 2018, BBC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The apparmor profile lxc config key changes between LXC version 2 and 3
+lxc_config_key_apparmor: "{{ lookup('pipe', 'lxc-info --version 2>/dev/null || echo 2.0.0') is version_compare('3.0.0', 'lt') | ternary('aa_profile', 'apparmor.profile') }}"
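Review bot: `lookup('pipe', ...)` in `lxc_config_key_apparmor` is evaluated on the Ansible control host, not on the host where the container is created, so the key name is chosen from the deployment host's LXC version. If that host has no `lxc-info`, or runs a different LXC major version than the container hosts, the `|| echo 2.0.0` fallback or the mismatched version silently selects the wrong key. The AppArmor line rendered by the `lxc_container_config_list` entries in all_containers.yml, cinder_volume.yml and neutron_agent.yml may then not take effect on the target (how LXC treats the unexpected key is not visible here). At minimum add a comment above the variable, for example `# NOTE: evaluated on the deployment host; assumes it runs the same LXC major version as the container hosts`, or derive the value from data gathered on the target host instead.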
diff --git a/inventory/group_vars/all_containers.yml b/inventory/group_vars/all_containers.yml
index c7a3a82e20..6cfb726220 100644
--- a/inventory/group_vars/all_containers.yml
+++ b/inventory/group_vars/all_containers.yml
@@ -16,7 +16,7 @@
 # This is the default LXC AppArmor profile
 # Groups which need the unbound profile have a specific override
 lxc_container_config_list:
- - "lxc.aa_profile=lxc-openstack"
+ - "lxc.{{ lxc_config_key_apparmor }}=lxc-openstack"
 # Needed by playbooks/common-tasks/os-lxc-container-setup.yml
 lxc_container_log_path: "/var/log/lxc"
diff --git a/inventory/group_vars/cinder_volume.yml b/inventory/group_vars/cinder_volume.yml
index 15feb21e0c..d7d84c6865 100644
--- a/inventory/group_vars/cinder_volume.yml
+++ b/inventory/group_vars/cinder_volume.yml
@@ -19,4 +19,4 @@ cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}'
 lxc_container_config_list:
- - "lxc.aa_profile=unconfined"
+ - "lxc.{{ lxc_config_key_apparmor }}=unconfined"
diff --git a/inventory/group_vars/neutron_agent.yml b/inventory/group_vars/neutron_agent.yml
index c58127c98b..f1a26cbf91 100644
--- a/inventory/group_vars/neutron_agent.yml
+++ b/inventory/group_vars/neutron_agent.yml
@@ -22,7 +22,7 @@ neutron_dhcp_config:
 log-facility: "/var/log/neutron/neutron-dnsmasq.log"
 lxc_container_config_list:
- - "lxc.aa_profile=unconfined"
+ - "lxc.{{ lxc_config_key_apparmor }}=unconfined"
 # Ensure that all neutron agent containers get a fixed mac address
 lxc_container_fixed_mac: true
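Review bot: Neither `unconfined` override (the rewritten list entry in cinder_volume.yml, and the same line in neutron_agent.yml) says why the group runs without an AppArmor profile, and the commit touches both lines without adding that. These entries switch confinement off for a whole container group, so the reason belongs next to them. A comment above each `lxc_container_config_list`, for example `# AppArmor is left unconfined for this group because <reason>`, would let a later reader judge whether the exception is still needed. Both files continue outside the hunks, so an explanation may already exist elsewhere.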