openstack/openstack-ansible
Code Issues Proposed changes

Removed default lxc profile on container create

Browse Source 
Having the lxc container create role drop the lxc-openstack apparmor
profile on all containers anytime its executed leads to the possibility
of the lxc container create task overwriting the running profile on a given
container. If this happens its likley to cause service interruption until the
correct profile is loaded for all containers its effected by the action.

To fix this issue the default "lxc-openstack" profile has been removed from the
lxc contianer create task and added to all plays that are known to be executed
within an lxc container. This will ensure that the profile is untouched on
subsequent runs of the lxc-container-create.yml play.

Change-Id: Ifa4640be60c18f1232cc7c8b281fb1dfc0119e56
Closes-Bug: 1487130
This commit is contained in:
kevin 2015-08-24 16:24:02 +01:00 committed by Jesse Pretorius
parent f7edf6d4a9
commit ffb701f8a3
16 changed files with 171 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
playbooks/galera-install.yml
View File

@ -67,6 +67,15 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Galera extra lxc config
lxc_container:
name: "{{ container_name }}"
@ -75,7 +84,7 @@
container_config:
- "lxc.mount.entry=/openstack/{{ container_name }} var/lib/mysql none bind 0 0"
delegate_to: "{{ physical_host }}"
when: is_metal == false or is_metal == "False"
when: not is_metal | bool
tags:
- galera-mysql-dir
- name: Flush net cache

10
playbooks/memcached-install.yml
View File

@ -17,6 +17,16 @@
hosts: memcached
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
roles:
- { role: "memcached_server", tags: [ "memcached-server" ] }
- role: "system_crontab_coordination"

13
playbooks/os-ceilometer-install.yml
View File

@ -18,6 +18,15 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Flush net cache
command: /usr/local/bin/lxc-system-manage flush-net-cache
delegate_to: "{{ physical_host }}"
@ -47,7 +56,7 @@
state: directory
with_items:
- { path: "/openstack/log/{{ inventory_hostname }}-ceilometer" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- ceilometer-logs
- ceilometer-log-dirs
@ -59,7 +68,7 @@
force: "yes"
with_items:
- { src: "/openstack/log/{{ inventory_hostname }}-ceilometer", dest: "/var/log/ceilometer", state: "link" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- ceilometer-logs
roles:

28
playbooks/os-cinder-install.yml
View File

@ -18,6 +18,17 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=unconfined"
delegate_to: "{{ physical_host }}"
when: >
not is_metal | bool and
inventory_hostname in groups['cinder_volume']
tags:
- lxc-aa-profile
- name: Add volume group block device to cinder
shell: |
{% if item.1.volume_group is defined %}
@ -36,27 +47,16 @@
delegate_to: "{{ physical_host }}"
tags:
- cinder-lxc-devices
- name: Cinder extra lxc config
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=unconfined"
- "lxc.cgroup.devices.allow=a *:* rmw"
delegate_to: "{{ physical_host }}"
when: (is_metal == false or is_metal == "False") and inventory_hostname not in groups['cinder_volume']
tags:
- cinder-container-setup
- name: Cinder volume extra lxc config
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.autodev=0"
- "lxc.aa_profile=unconfined"
- "lxc.cgroup.devices.allow=a *:* rmw"
- "lxc.mount.entry=udev dev devtmpfs defaults 0 0"
delegate_to: "{{ physical_host }}"
when: >
(is_metal == false or is_metal == "False") and
not is_metal | bool and
inventory_hostname in groups['cinder_volume'] and
cinder_backend_lvm_inuse
tags:
@ -97,7 +97,7 @@
state: directory
with_items:
- { path: "/openstack/log/{{ inventory_hostname }}-cinder" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- cinder-logs
- cinder-log-dirs
@ -109,7 +109,7 @@
force: "yes"
with_items:
- { src: "/openstack/log/{{ inventory_hostname }}-cinder", dest: "/var/log/cinder", state: "link" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- cinder-logs
roles:

15
playbooks/os-glance-install.yml
View File

@ -18,6 +18,15 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Glance extra lxc config
lxc_container:
name: "{{ container_name }}"
@ -26,7 +35,7 @@
container_config:
- "lxc.mount.entry=/openstack/{{ container_name }} var/lib/glance/images none bind 0 0"
delegate_to: "{{ physical_host }}"
when: is_metal == false or is_metal == "False"
when: not is_metal | bool
tags:
- glance-cache-dir
- name: Flush net cache
@ -58,7 +67,7 @@
state: directory
with_items:
- { path: "/openstack/log/{{ inventory_hostname }}-glance" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- glance-logs
- glance-log-dirs
@ -70,7 +79,7 @@
force: "yes"
with_items:
- { src: "/openstack/log/{{ inventory_hostname }}-glance", dest: "/var/log/glance", state: "link" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- glance-logs
roles:

13
playbooks/os-heat-install.yml
View File

@ -18,6 +18,15 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Sort the rabbitmq servers
dist_sort:
value_to_lookup: "{{ container_name }}"
@ -33,7 +42,7 @@
state: directory
with_items:
- { path: "/openstack/log/{{ inventory_hostname }}-heat" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- heat-logs
- heat-log-dirs
@ -45,7 +54,7 @@
force: "yes"
with_items:
- { src: "/openstack/log/{{ inventory_hostname }}-heat", dest: "/var/log/heat", state: "link" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- heat-logs
roles:

13
playbooks/os-horizon-install.yml
View File

@ -18,6 +18,15 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Sort the rabbitmq servers
dist_sort:
value_to_lookup: "{{ container_name }}"
@ -33,7 +42,7 @@
state: directory
with_items:
- { path: "/openstack/log/{{ inventory_hostname }}-horizon" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- horizon-logs
- horizon-log-dirs
@ -45,7 +54,7 @@
force: "yes"
with_items:
- { src: "/openstack/log/{{ inventory_hostname }}-horizon", dest: "/var/log/horizon", state: "link" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- horizon-logs
roles:

13
playbooks/os-keystone-install.yml
View File

@ -18,6 +18,15 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Sort the rabbitmq servers
dist_sort:
value_to_lookup: "{{ container_name }}"
@ -33,7 +42,7 @@
state: directory
with_items:
- { path: "/openstack/log/{{ inventory_hostname }}-keystone" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- keystone-logs
- keystone-log-dirs
@ -45,7 +54,7 @@
force: "yes"
with_items:
- { src: "/openstack/log/{{ inventory_hostname }}-keystone", dest: "/var/log/keystone", state: "link" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- keystone-logs
roles:

20
playbooks/os-neutron-install.yml
View File

@ -18,17 +18,29 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=unconfined"
delegate_to: "{{ physical_host }}"
when: >
not is_metal | bool and
inventory_hostname in groups['neutron_agent']
tags:
- lxc-aa-profile
- name: Neutron extra lxc config
lxc_container:
name: "{{ container_name }}"
container_command: |
[[ ! -d "/lib/modules" ]] && mkdir -p "/lib/modules"
container_config:
- "lxc.aa_profile=unconfined"
- "lxc.cgroup.devices.allow=a *:* rmw"
- "lxc.mount.entry=/lib/modules lib/modules none bind 0 0"
delegate_to: "{{ physical_host }}"
when: is_metal == false or is_metal == "False"
when: >
not is_metal | bool and
inventory_hostname in groups['neutron_agent']
tags:
- neutron-container-setup
- name: Flush net cache
@ -60,7 +72,7 @@
state: directory
with_items:
- { path: "/openstack/log/{{ inventory_hostname }}-neutron" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- neutron-logs
- neutron-log-dirs
@ -72,7 +84,7 @@
force: "yes"
with_items:
- { src: "/openstack/log/{{ inventory_hostname }}-neutron", dest: "/var/log/neutron", state: "link" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- neutron-logs
- name: Create the neutron provider networks facts

17
playbooks/os-nova-install.yml
View File

@ -18,6 +18,15 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Sort the rabbitmq servers
dist_sort:
value_to_lookup: "{{ container_name }}"
@ -49,7 +58,7 @@
delegate_to: "{{ physical_host }}"
when: >
inventory_hostname in groups['nova_compute'] and
(is_metal == false or is_metal == "False")
not is_metal | bool
tags:
- nova-kvm
- nova-kvm-container-devices
@ -63,7 +72,7 @@
'added' in device_add.stdout.lower()
when: >
inventory_hostname in groups['nova_compute'] and
(is_metal == false or is_metal == "False") and
not is_metal | bool and
nova_virt_type == 'kvm'
tags:
- nova-kvm
@ -74,7 +83,7 @@
state: directory
with_items:
- { path: "/openstack/log/{{ inventory_hostname }}-nova" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- nova-logs
- nova-log-dirs
@ -86,7 +95,7 @@
force: "yes"
with_items:
- { src: "/openstack/log/{{ inventory_hostname }}-nova", dest: "/var/log/nova", state: "link" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- nova-logs
roles:

13
playbooks/os-swift-setup.yml
View File

@ -20,13 +20,22 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Create log dir
file:
path: "{{ item.path }}"
state: directory
with_items:
- { path: "/openstack/log/{{ inventory_hostname }}-swift" }
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- swift-logs
- swift-log-dirs
@ -44,7 +53,7 @@
owner: "syslog"
group: "syslog"
state: "link"
when: is_metal == true or is_metal == "True"
when: is_metal | bool
tags:
- swift-logs
roles:

10
playbooks/rabbitmq-install.yml
View File

@ -17,6 +17,16 @@
hosts: rabbitmq_all
max_fail_percentage: 0
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
roles:
- role: "rabbitmq_server"
tags:

11
playbooks/repo-server.yml
View File

@ -18,6 +18,15 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Package repo extra lxc config
lxc_container:
name: "{{ container_name }}"
@ -26,7 +35,7 @@
container_config:
- "lxc.mount.entry=/openstack/{{ container_name }} var/www none bind 0 0"
delegate_to: "{{ physical_host }}"
when: is_metal == false or is_metal == "False"
when: not is_metal | bool
tags:
- repo-dirs
- name: Flush net cache

1
playbooks/roles/lxc_container_create/tasks/container_create.yml
View File

@ -101,7 +101,6 @@
container_config:
- "lxc.mount.entry=/openstack/backup/{{ inventory_hostname }} var/backup none defaults,bind,rw 0 0"
- "lxc.mount.entry=/openstack/log/{{ inventory_hostname }} var/log/{{ properties.log_directory | default(properties.service_name) }} none defaults,bind,rw 0 0"
- "lxc.aa_profile=lxc-openstack"
when: properties.service_name is defined
delegate_to: "{{ physical_host }}"
tags:

13
playbooks/rsyslog-install.yml
View File

@ -18,12 +18,21 @@
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
- name: Ensure log stroage directory exists
file:
path: "/openstack/{{ container_name }}/log-storage"
state: "directory"
delegate_to: "{{ physical_host }}"
when: is_metal == false or is_metal == "False"
when: not is_metal | bool
tags:
- rsyslog-storage-dirs
- name: Rsyslog server extra lxc config
@ -34,7 +43,7 @@
container_config:
- "lxc.mount.entry=/openstack/{{ container_name }}/log-storage {{ storage_directory.lstrip('/') }} none bind 0 0"
delegate_to: "{{ physical_host }}"
when: is_metal == false or is_metal == "False"
when: not is_metal | bool
tags:
- rsyslog-storage-dirs
- name: Flush net cache

10
playbooks/utility-install.yml
View File

@ -17,6 +17,16 @@
hosts: utility_all
max_fail_percentage: 20
user: root
pre_tasks:
- name: Use the lxc-openstack aa profile
lxc_container:
name: "{{ container_name }}"
container_config:
- "lxc.aa_profile=lxc-openstack"
delegate_to: "{{ physical_host }}"
when: not is_metal | bool
tags:
- lxc-aa-profile
roles:
- { role: "galera_client", tags: [ "utility-galera-client" ] }
- { role: "pip_lock_down", tags: [ "utility-pip-lock-down" ] }