ffb701f8a3
Having the lxc container create role drop the lxc-openstack apparmor profile on all containers anytime its executed leads to the possibility of the lxc container create task overwriting the running profile on a given container. If this happens its likley to cause service interruption until the correct profile is loaded for all containers its effected by the action. To fix this issue the default "lxc-openstack" profile has been removed from the lxc contianer create task and added to all plays that are known to be executed within an lxc container. This will ensure that the profile is untouched on subsequent runs of the lxc-container-create.yml play. Change-Id: Ifa4640be60c18f1232cc7c8b281fb1dfc0119e56 Closes-Bug: 1487130
290 lines
11 KiB
YAML
290 lines
11 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Obtain the Systems SSH-Key
|
|
set_fact:
|
|
lxc_container_ssh_key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
|
|
when: >
|
|
lxc_container_ssh_key is not defined
|
|
delegate_to: "{{ physical_host }}"
|
|
|
|
- name: Check for lxc volume group
|
|
shell: "(which vgs > /dev/null && vgs | grep -o '{{ lxc_container_vg_name }}') || false"
|
|
register: vg_result
|
|
failed_when: false
|
|
changed_when: vg_result.rc != 0
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-vg-detect
|
|
|
|
- name: Set container backend "dir" if "lvm" not found
|
|
set_fact:
|
|
lxc_container_backing_store: dir
|
|
when: vg_result.rc != 0
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-vg-detect
|
|
|
|
- name: Container service directories
|
|
file:
|
|
path: "{{ item }}"
|
|
state: "directory"
|
|
with_items:
|
|
- "/openstack/{{ inventory_hostname }}"
|
|
- "/openstack/backup/{{ inventory_hostname }}"
|
|
- "/openstack/log/{{ inventory_hostname }}"
|
|
- "{{ lxc_container_directory }}/{{ inventory_hostname }}"
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-directories
|
|
|
|
- name: LXC autodev setup
|
|
template:
|
|
src: "autodev.j2"
|
|
dest: "/var/lib/lxc/{{ inventory_hostname }}/autodev"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0755"
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-autodev
|
|
|
|
- name: Create container
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_log: "true"
|
|
config: "{{ properties.container_config|default(lxc_container_config) }}"
|
|
template: "{{ properties.container_template|default(lxc_container_template) }}"
|
|
state: started
|
|
backing_store: "{{ properties.container_backing_store|default(lxc_container_backing_store) }}"
|
|
directory: "{{ lxc_container_rootfs_directory }}"
|
|
fs_size: "{{ properties.container_fs_size|default(lxc_container_fs_size) }}"
|
|
fs_type: "{{ properties.container_fs_type|default(lxc_container_fs_type) }}"
|
|
vg_name: "{{ properties.container_vg_name|default(lxc_container_vg_name) }}"
|
|
template_options: "{{ lxc_container_template_options }}"
|
|
container_command: |
|
|
if [ -f "/usr/lib/systemd/system/poweroff.target" ];then
|
|
ln -sf /usr/lib/systemd/system/poweroff.target /etc/systemd/system/sigpwr.target || true
|
|
fi
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd.service || true
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-control.socket || true
|
|
ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket || true
|
|
ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount || true
|
|
echo -e '{{ lxc_container_default_interfaces }}' | tee /etc/network/interfaces
|
|
container_config:
|
|
- "lxc.autodev=1"
|
|
- "lxc.pts=1024"
|
|
- "lxc.kmsg=0"
|
|
- "lxc.hook.autodev=/var/lib/lxc/{{ inventory_hostname }}/autodev"
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-create
|
|
|
|
- name: Load container service mounts and profile
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
mkdir -p /var/backup
|
|
mkdir -p /var/log/{{ properties.log_directory | default(properties.service_name) }}
|
|
container_config:
|
|
- "lxc.mount.entry=/openstack/backup/{{ inventory_hostname }} var/backup none defaults,bind,rw 0 0"
|
|
- "lxc.mount.entry=/openstack/log/{{ inventory_hostname }} var/log/{{ properties.log_directory | default(properties.service_name) }} none defaults,bind,rw 0 0"
|
|
when: properties.service_name is defined
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-service-config
|
|
|
|
- name: Setup basic container ssh
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
# Enable root ssh login
|
|
if grep -q "^PermitRootLogin" /etc/ssh/sshd_config;then
|
|
sed -i 's/PermitRootLogin.*/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'PermitRootLogin yes' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
# Disable ssh password auth
|
|
if grep -q "^PasswordAuthentication" /etc/ssh/sshd_config;then
|
|
sed -i 's/PasswordAuthentication.*/PasswordAuthentication\ no/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'PasswordAuthentication no' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
# Disable UseDNS in ssh
|
|
if grep -q "^UseDNS" /etc/ssh/sshd_config;then
|
|
sed -i 's/UseDNS.*/UseDNS\ no/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'UseDNS no' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
# Disable x11 forwarding in ssh
|
|
if grep -q "^X11Forwarding" /etc/ssh/sshd_config;then
|
|
sed -i 's/X11Forwarding.*/X11Forwarding\ no/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'X11Forwarding no' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
# Enable tcp keepalive in ssh
|
|
if grep -q "^TCPKeepAlive" /etc/ssh/sshd_config;then
|
|
sed -i 's/TCPKeepAlive.*/TCPKeepAlive\ yes/g' /etc/ssh/sshd_config
|
|
else
|
|
echo 'TCPKeepAlive yes' | tee -a /etc/ssh/sshd_config
|
|
fi
|
|
service ssh restart
|
|
with_dict: container_networks
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-ssh-config
|
|
|
|
- name: Create ssh key entry
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
mkdir -p ~/.ssh/
|
|
if [ ! -f "~/.ssh/authorized_keys" ];then
|
|
touch ~/.ssh/authorized_keys
|
|
fi
|
|
grep '{{ lxc_container_ssh_key }}' ~/.ssh/authorized_keys || echo '{{ lxc_container_ssh_key }}' | tee -a ~/.ssh/authorized_keys
|
|
with_dict: container_networks
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-key
|
|
|
|
- name: Container network interfaces
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
if [ ! -d "/etc/network/interfaces.d" ];then
|
|
mkdir -p /etc/network/interfaces.d
|
|
fi
|
|
echo -e '{{ lxc_container_interface }}' | tee /etc/network/interfaces.d/{{ item.value.interface }}.cfg
|
|
with_dict: container_networks
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-networks
|
|
|
|
- name: LXC host config for container networks
|
|
template:
|
|
src: "container-interface.ini.j2"
|
|
dest: "/var/lib/lxc/{{ inventory_hostname }}/{{ item.value.interface }}.ini"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
with_dict: container_networks
|
|
notify:
|
|
- Lxc container restart
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-networks
|
|
|
|
- name: Container network includes
|
|
lineinfile:
|
|
dest: "/var/lib/lxc/{{ inventory_hostname }}/config"
|
|
line: "lxc.include = /var/lib/lxc/{{ inventory_hostname }}/{{ item.value.interface }}.ini"
|
|
backup: "true"
|
|
with_dict: container_networks
|
|
when: >
|
|
item.value.interface is defined
|
|
notify:
|
|
- Lxc container restart
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-networks
|
|
|
|
# Flush the handlers to ensure the container and networking is online.
|
|
- meta: flush_handlers
|
|
|
|
# Resets the container user's password using lxc_container because Python2.7
|
|
# may not be installed at this point.
|
|
- name: Force container user password set
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
getent passwd "{{ lxc_container_user_name }}" &&
|
|
echo "{{ lxc_container_user_name }}:{{ lxc_container_user_password }}" | chpasswd
|
|
delegate_to: "{{ physical_host }}"
|
|
no_log: True
|
|
tags:
|
|
- lxc-container-user-password-regen
|
|
|
|
# Setup proxy configs, this is done here to ensure that we have our container proxy setup
|
|
# prior to running online commands. This is using lxc_container because python2.7 may not be
|
|
# installed at this point.
|
|
- name: Run proxy config
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
if ! grep '{{ item.key }}={{ item.value }}' /etc/environment; then
|
|
echo '{{ item.key }}={{ item.value }}' | tee -a /etc/environment
|
|
fi
|
|
with_dict: global_environment_variables | default({})
|
|
when: global_environment_variables is defined
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-proxy
|
|
|
|
# Uses lxc_container because the repos need to be available before python2.7 is installed
|
|
# and python2.7 may not be installed at this point.
|
|
- name: Create main apt repos
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
# Configure defined apt-repos
|
|
rm /etc/apt/sources.list
|
|
echo '# Sources created by the ansible' | tee /etc/apt/sources.list
|
|
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }} main restricted universe multiverse' | tee -a /etc/apt/sources.list
|
|
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-updates main restricted universe multiverse' | tee -a /etc/apt/sources.list
|
|
echo 'deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-backports main restricted universe multiverse' | tee -a /etc/apt/sources.list
|
|
echo 'deb {{ lxc_container_template_security_apt_repo }} {{ lxc_container_release }}-security main restricted universe multiverse' | tee -a /etc/apt/sources.list
|
|
for i in {1..3};do
|
|
timeout 60 sh -c "/usr/bin/apt-get update && /usr/bin/apt-key update"
|
|
if [ "$?" == 0 ];then
|
|
break
|
|
else
|
|
if [ ! "$i" == "3" ];then
|
|
echo "Failure to update on attempt $i retrying..."
|
|
/usr/bin/apt-get clean
|
|
sleep 2
|
|
else
|
|
echo 'Failed to update'
|
|
exit 99
|
|
fi
|
|
fi
|
|
done
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-sources
|
|
|
|
# Update the container and ensure that its all patched. This is using lxc_container
|
|
# because python2.7 may not be installed at this point.
|
|
- name: Ensure container is updated
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
apt-get -y upgrade
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-upgrade
|
|
|
|
# Uses lxc_container because python2.7 may not be installed within the container at this point.
|
|
- name: Ensure python is installed and is default 2.7
|
|
lxc_container:
|
|
name: "{{ inventory_hostname }}"
|
|
container_command: |
|
|
apt-get -y install python2.7
|
|
rm /usr/bin/python
|
|
ln -s /usr/bin/python2.7 /usr/bin/python
|
|
delegate_to: "{{ physical_host }}"
|
|
tags:
|
|
- lxc-container-python
|