Disable PrivateDevices for Galera on CentOS 7

This patch adds the `galera_disable_privatedevices` variable that
allows deployers to disable PrivateDevices in the systemd unit file
shipped with MariaDB 10.1+ on CentOS 7 systems.

This is a workaround to fix the systemd/LXC issues with bind
mounting an already bind mounted `/dev/ptmx` inside the LXC
container.

See Launchpad bug, lxc/lxc#1623, or systemd/systemd#6121 for more
details.

Co-Authored-By: Major Hayden <major@mhtx.net>
Closes-bug: 1697531
Change-Id: I8a74113bd16a768a4754fb1f6ee04caf1ac82920

defaults/main.yml

@@ -152,3 +152,19 @@ galera_ssl_ca_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT"
 # This option is used for creating the CA and overriding the Galera address on the clients side.
 # Should be set to either public VIP of VIP FQDN, depending on what is currently used in the env.
 galera_ssl_address: "{{ ansible_host }}"
+
+# MariaDB 10.1+ ships with 'PrivateDevices=True' in the systemd unit file. This
+# provides some additional security, but it causes problems with creating
+# mount namespaces on CentOS 7 with systemd 219. While the security
+# enhancements are helpful on bare metal hosts with multiple services running,
+# they are not as helpful when MariaDB is running in a container with its own
+# isolated namespaces.
+#
+# Related bugs:
+#   https://bugs.launchpad.net/openstack-ansible/+bug/1697531
+#   https://github.com/lxc/lxc/issues/1623
+#   https://github.com/systemd/systemd/issues/6121
+#
+# Setting the following variable to 'yes' will disable the PrivateDevices
+# setting in the systemd unit file for MariaDB on CentOS 7 hosts.
+galera_disable_privatedevices: no

releasenotes/notes/centos-private-devices-issue-99aab9a30b1f8014.yaml

@@ -0,0 +1,21 @@
+---
+issues:
+  - |
+    MariaDB 10.1+ includes `PrivateDevices=true` in its systemd unit files to
+    add extra security around mount namespaces for MariaDB. While this is
+    useful when running MariaDB on a bare metal host with other services, it
+    is less useful when MariaDB is already in a container with its own
+    namespaces. In addition, LXC 2.0.8 presents `/dev/ptmx` as a bind mount
+    within the container and systemd 219 (on CentOS 7) cannot make an
+    additional bind mount of `/dev/ptmx` when `PrivateDevices` is enabled.
+
+    Deployers can `galera_disable_privatedevices` to `yes` to set
+    `PrivateDevices=false` in the systemd unit file for MariaDB on CentOS 7.
+    The default is `no`, which keeps the default systemd unit file settings
+    from the MariaDB package.
+
+    For additional information, refer to the following bugs:
+
+    * https://bugs.launchpad.net/openstack-ansible/+bug/1697531
+    * https://github.com/lxc/lxc/issues/1623
+    * https://github.com/systemd/systemd/issues/6121

tasks/galera_post_install.yml

@@ -112,6 +112,21 @@
   tags:
     - galera-config
 
+# See comments above 'galera_disable_privatedevices' in defaults/main.yml for
+# links to relevant bugs and discussion.
+- name: Remove PrivateDevices systemd options when in container
+  template:
+    src: without-privatedevices.conf.j2
+    dest: "/etc/systemd/system/mariadb.service.d/without-privatedevices.conf"
+  when:
+    - ansible_pkg_mgr == 'yum'
+    - ansible_service_mgr == 'systemd'
+  notify:
+    - Reload the systemd daemon
+    - Restart mysql
+  tags:
+    - galera-config
+
 - name: remove default mysql_safe_syslog
   file:
     path: "/etc/mysql/conf.d/mysqld_safe_syslog.cnf"

templates/without-privatedevices.conf.j2

@@ -0,0 +1,2 @@
+[Service]
+PrivateDevices={{ galera_disable_privatedevices | bool | ternary('false', 'true') }}

tests/group_vars/all_containers.yml

@@ -24,3 +24,4 @@ container_networks:
 physical_host: localhost
 properties:
   service_name: "{{ inventory_hostname }}"
+galera_disable_privatedevices: yes