Add container journal linking

The container and host can link journals giving operators the ability to
log stream and check on the health of a system without needing to login
(attach) to the container. This change implements journal linking for
LXC containers following the reference systemd specification.

Reference implementation:
https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--link-journal=

Change-Id: Id68cf39a77b5dd9c13c010829b47cd7a414378bc
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

defaults/main.yml

@@ -165,3 +165,9 @@ lxc_container_enable_resolved: true
 
 # Dictionary of settings for containers
 properties: {}
+
+# Set "/var/log/journal/{{ machine_id }}" to be a bind mount to the physical
+# host. This option will link the container journal and the physical host
+# journals making it possible to log stream from the container on the physical
+# host.
+lxc_container_journal_link: true

releasenotes/notes/journal-link-3c23aab5b5ed3441.yaml

@@ -0,0 +1,14 @@
+---
+features:
+  - In a greenfield deployment containers will now bind link
+    their journals to the physical host machine in the
+    ``/var/log/journal/{{ machine_id }}`` location. During an
+    upgrade this change will be added to the container config but
+    will not go into effect until the container is restarted.
+    Because the restart is not forced the operator can perform
+    restarts to best suit the needs of their environment.
+    Journal linking provides operators the ability to log stream
+    and health check containerized systems without having to
+    attach or otherwise login. If this feature is not needed or
+    desired it can be disabled by setting the option
+    ``lxc_container_journal_link`` to *false*.

tasks/lxc_container_config.yml

@@ -277,6 +277,38 @@
     mode: "0444"
     remote_src: "yes"
   remote_user: root
+
+- name: Link container journal to host
+  block:
+    - name: Retrieve the machine-id
+      slurp:
+        src: /etc/machine-id
+      register: machine_id
+
+    - name: Set bind mount for journal linking
+      set_fact:
+        lxc_container_journal_path: "/var/log/journal/{{ (machine_id.content | b64decode).strip() }}"
+
+    - name: Ensure journal directory exists
+      file:
+        path: "{{ lxc_container_journal_path }}"
+        state: "directory"
+        group: "systemd-journal"
+        owner: "root"
+        mode: "02755"
+      delegate_to: "{{ item }}"
+      with_items:
+        - "{{ physical_host }}"
+        - "{{ inventory_hostname }}"
+
+    - name: Add bind mount configuration to container
+      lineinfile:
+        dest: "/var/lib/lxc/{{ inventory_hostname }}/config"
+        line: "lxc.mount.entry = {{ lxc_container_journal_path }} {{ lxc_container_journal_path.lstrip('/') }} none bind,create=dir 0 0"
+        backup: "true"
+      delegate_to: "{{ physical_host }}"
+  when:
+    - lxc_container_journal_link | bool
 # ENVIRONMENT AND HOSTNAME SETTINGS
 
 

tests/test-containers-functional.yml

@@ -164,3 +164,27 @@
       assert:
         that:
           - "'1' in nonlocalbind.stdout"
+
+- name: Test journal linking
+  hosts: all_containers
+  user: root
+  become: true
+  gather_facts: false
+  tasks:
+    - name: Get container machine-id
+      command: "cat /etc/machine-id"
+      changed_when: false
+      register: container_machine_id
+
+    - name: Stat linked journal on the host
+      stat:
+        path: "/var/log/journal/{{ container_machine_id.stdout.strip() }}/system.journal"
+      register: journal_stat
+      delegate_to: "{{ physical_host }}"
+
+    - name: Check for linked journal
+      fail:
+        msg: >-
+          Container journal [/var/log/journal/{{ container_machine_id.stdout.strip() }}] not found
+      when:
+        - not journal_stat.stat.exists