4361ed12e0
This change has shown to improve general performance and system stability. Ubuntu 14.04 has some systemD bits within it and there are a few items that can be tuned. These changes add some additional in container tuning the ensure that the pseudo systemD availability within our containers is not impeding container performance. Additionally the netfilter for bridged interfaces was set to 0 which should also improve bridge performance in general. Change-Id: Iad4f0472cf3e38c95c04b29cee8433c0781ff9ff
291 lines
11 KiB
YAML
291 lines
11 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Obtain the Systems SSH-Key
|
|
set_fact:
|
|
lxc_container_ssh_key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
|
|
when: >
|
|
lxc_container_ssh_key is not defined
|
|
delegate_to: "{{ physical_host }}"
|
|
|
|
- name: Check for lxc volume group
|
|
shell: "(which vgs > /dev/null && vgs | grep -o '{{ lxc_container_vg_name }}') || false"
|
|
register: vg_result
|
|
failed_when: false
|
|
changed_when: vg_result.rc != 0
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-vg-detect
|
|
|
|
- name: Set container backend "dir" if "lvm" not found
|
|
set_fact:
|
|
lxc_container_backing_store: dir
|
|
when: vg_result.rc != 0
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-vg-detect
|
|
|
|
- name: Container service directories
|
|
file:
|
|
path: "{{ item }}"
|
|
state: "directory"
|
|
with_items:
|
|
- "/openstack/{{ inventory_hostname }}"
|
|
- "/openstack/backup/{{ inventory_hostname }}"
|
|
- "/openstack/log/{{ inventory_hostname }}"
|
|
- "{{ lxc_container_directory }}/{{ inventory_hostname }}"
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-directories
|
|
|
|
- name: LXC autodev setup
|
|
template:
|
|
src: "autodev.j2"
|
|
dest: "/var/lib/lxc/{{ inventory_hostname }}/autodev"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0755"
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-autodev
|
|
|
|
- name: Create container
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_log: "true"
|
|
config: "{{ properties.container_config|default(lxc_container_config) }}"
|
|
template: "{{ properties.container_template|default(lxc_container_template) }}"
|
|
state: started
|
|
backing_store: "{{ properties.container_backing_store|default(lxc_container_backing_store) }}"
|
|
directory: "{{ lxc_container_rootfs_directory }}"
|
|
fs_size: "{{ properties.container_fs_size|default(lxc_container_fs_size) }}"
|
|
fs_type: "{{ properties.container_fs_type|default(lxc_container_fs_type) }}"
|
|
vg_name: "{{ properties.container_vg_name|default(lxc_container_vg_name) }}"
|
|
template_options: "{{ lxc_container_template_options }}"
|
|
container_command: |
|
|
if [ -f "/usr/lib/systemd/system/poweroff.target" ];then
|
|
ln -sf /usr/lib/systemd/system/poweroff.target /etc/systemd/system/sigpwr.target || true
|
|
fi
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd.service || true
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-control.socket || true
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket || true
|
|
ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount || true
|
|
echo -e '{{ lxc_container_default_interfaces }}' | tee /etc/network/interfaces
|
|
container_config:
|
|
- "lxc.autodev=1"
|
|
- "lxc.pts=1024"
|
|
- "lxc.kmsg=0"
|
|
- "lxc.hook.autodev=/var/lib/lxc/{{ inventory_hostname }}/autodev"
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-create
|
|
|
|
- name: Load container service mounts and profile
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
mkdir -p /var/backup
|
|
mkdir -p /var/log/{{ properties.service_name }}
|
|
container_config:
|
|
- "lxc.mount.entry=/openstack/backup/{{ inventory_hostname }} var/backup none defaults,bind,rw 0 0"
|
|
- "lxc.mount.entry=/openstack/log/{{ inventory_hostname }} var/log/{{ properties.service_name }} none defaults,bind,rw 0 0"
|
|
- "lxc.aa_profile=lxc-openstack"
|
|
when: properties.service_name is defined
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-service-config
|
|
|
|
- name: Setup basic container ssh
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
# Enable root ssh login
|
|
if grep -q "^PermitRootLogin" /etc/ssh/sshd_config;then
|
|
sed -i 's/PermitRootLogin.*/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'PermitRootLogin yes' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
# Disable ssh password auth
|
|
if grep -q "^PasswordAuthentication" /etc/ssh/sshd_config;then
|
|
sed -i 's/PasswordAuthentication.*/PasswordAuthentication\ no/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'PasswordAuthentication no' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
# Disable UseDNS in ssh
|
|
if grep -q "^UseDNS" /etc/ssh/sshd_config;then
|
|
sed -i 's/UseDNS.*/UseDNS\ no/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'UseDNS no' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
# Disable x11 forwarding in ssh
|
|
if grep -q "^X11Forwarding" /etc/ssh/sshd_config;then
|
|
sed -i 's/X11Forwarding.*/X11Forwarding\ no/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'X11Forwarding no' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
# Enable tcp keepalive in ssh
|
|
if grep -q "^TCPKeepAlive" /etc/ssh/sshd_config;then
|
|
sed -i 's/TCPKeepAlive.*/TCPKeepAlive\ yes/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'TCPKeepAlive yes' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
service ssh restart
|
|
with_dict: container_networks
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-ssh-config
|
|
|
|
- name: Create ssh key entry
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
mkdir -p ~/.ssh/
|
|
if [ ! -f "~/.ssh/authorized_keys" ];then
|
|
touch ~/.ssh/authorized_keys
|
|
fi
|
|
grep '{{ lxc_container_ssh_key }}' ~/.ssh/authorized_keys || echo '{{ lxc_container_ssh_key }}' | tee -a ~/.ssh/authorized_keys
|
|
with_dict: container_networks
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-key
|
|
|
|
- name: Container network interfaces
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
if [ ! -d "/etc/network/interfaces.d" ];then
|
|
mkdir -p /etc/network/interfaces.d
|
|
fi
|
|
echo -e '{{ lxc_container_interface }}' | tee /etc/network/interfaces.d/{{ item.value.interface }}.cfg
|
|
with_dict: container_networks
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-networks
|
|
|
|
- name: LXC host config for container networks
|
|
template:
|
|
src: "container-interface.ini.j2"
|
|
dest: "/var/lib/lxc/{{ inventory_hostname }}/{{ item.value.interface }}.ini"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
with_dict: container_networks
|
|
notify:
|
|
- Lxc container restart
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-networks
|
|
|
|
- name: Container network includes
|
|
lineinfile:
|
|
dest: "/var/lib/lxc/{{ inventory_hostname }}/config"
|
|
line: "lxc.include = /var/lib/lxc/{{ inventory_hostname }}/{{ item.value.interface }}.ini"
|
|
backup: "true"
|
|
with_dict: container_networks
|
|
when: >
|
|
item.value.interface is defined
|
|
notify:
|
|
- Lxc container restart
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-networks
|
|
|
|
# Flush the handlers to ensure the container and networking is online.
|
|
- meta: flush_handlers
|
|
|
|
# Resets the container user's password using lxc_container because Python2.7
|
|
# may not be installed at this point.
|
|
- name: Force container user password set
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
getent passwd "{{ lxc_container_user_name }}" &&
|
|
echo "{{ lxc_container_user_name }}:{{ lxc_container_user_password }}" | chpasswd
|
|
delegate_to: "{{ physical_host }}"
|
|
no_log: True
|
|
tags:
|
|
- lxc-container-user-password-regen
|
|
|
|
# Setup proxy configs, this is done here to ensure that we have our container proxy setup
|
|
# prior to running online commands. This is using lxc_container because python2.7 may not be
|
|
# installed at this point.
|
|
- name: Run proxy config
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
if ! grep '{{ item.key }}={{ item.value }}' /etc/environment; then
|
|
echo '{{ item.key }}={{ item.value }}' | tee -a /etc/environment
|
|
fi
|
|
with_dict: global_environment_variables | default({})
|
|
when: global_environment_variables is defined
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-proxy
|
|
|
|
# Uses lxc_container because the repos need to be available before python2.7 is installed
|
|
# and python2.7 may not be installed at this point.
|
|
- name: Create main apt repos
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
# Configure defined apt-repos
|
|
rm /etc/apt/sources.list
|
|
echo '# Sources created by the ansible' | tee /etc/apt/sources.list
|
|
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }} main restricted universe multiverse' | tee -a /etc/apt/sources.list
|
|
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-updates main restricted universe multiverse' | tee -a /etc/apt/sources.list
|
|
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-backports main restricted universe multiverse' | tee -a /etc/apt/sources.list
|
|
echo 'deb {{ lxc_container_template_security_apt_repo }} {{ lxc_container_release }}-security main restricted universe multiverse' | tee -a /etc/apt/sources.list
|
|
for i in {1..3};do
|
|
timeout 60 sh -c "/usr/bin/apt-get update && /usr/bin/apt-key update"
|
|
if [ "$?" == 0 ];then
|
|
break
|
|
else
|
|
if [ ! "$i" == "3" ];then
|
|
echo "Failure to update on attempt $i retrying..."
|
|
/usr/bin/apt-get clean
|
|
sleep 2
|
|
else
|
|
echo 'Failed to update'
|
|
exit 99
|
|
fi
|
|
fi
|
|
done
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-sources
|
|
|
|
# Update the container and ensure that its all patched. This is using lxc_container
|
|
# because python2.7 may not be installed at this point.
|
|
- name: Ensure container is updated
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
apt-get -y upgrade
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-upgrade
|
|
|
|
# Uses lxc_container because python2.7 may not be installed within the container at this point.
|
|
- name: Ensure python is installed and is default 2.7
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
apt-get -y install python2.7
|
|
rm /usr/bin/python
|
|
ln -s /usr/bin/python2.7 /usr/bin/python
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-python
|