The list of auto mounts is currently hardcoded so there is
no opportunity to adjust the mounts or change the permissions
if necessary.
This patch converts the mounts to a list which can be overridden
as required via host or group vars.
The auto mount configuration is assumed to only be present once
in the LXC config file and any existing statements are replaced.
Change-Id: I62deed28287dae8b289bf882ca0b1a24b207c92d
This is currently using a redirect from ansible.builtin.lxc_container
to community.general.lxc_container, so be explicit about which
module we are using.
Change-Id: I9cdde57a10c7249687ee47fe91a3e84160b46ce1
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Change-Id: I6a9986cd948dbeaf2847ea4dd04deed974f80d20
For consistency reasons we try to leverage our systemd_service role as
much as we can. Instead of maintaining separate systemd unit templates
the role can be leveraged for the same purposes and reduce complexity in
this role.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/865952
Change-Id: I59e6504240eafdb5f0d010ff8a051078e25b1281
For consistency reasons, instead of placing a template for
systemd-networkd we had better use the systemd_networkd role that has been
present for a while.
Change-Id: I1e9deaa2892a8fa7eb171acaf75441d7efeac297
The main problem this commit is resolving is that with openvswitch
the ports were not getting cleaned up, and after a restart (a hard restart,
or even a soft restart where lxc.service gets a time-out) containers
couldn't start properly, due to the existing ports on the bridges.
Change-Id: I707dbfc6878095f7593abe3fca3a5e5b310063e5
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/837742
Refactoring of the lxc_hosts role means that there is no need for
differences in variables between operating systems.
This patch makes the ubuntu focal CI jobs non voting as it must
merge at the same time as a corresponding patch to lxc_hosts.
Change-Id: I29e91320baebb9a3a649533a0e1d3a433dd04ad9
Switching to proc:mixed improves container isolation and is not required
for Bullseye.
But cgroup:mixed is required for container to start, as it provides
ability for the container to manage own cgroups (but not parents).
Change-Id: Ifce5b9673319d077e57cdf8a28b182b57b7d4507
Directory /openstack/{{ inventory_hostname }} can be bind mounted
inside container. So we should keep it clean without any third party
scripts.
Change-Id: I79a55cad21333553bd4f59ffb145faf96c283c9e
Spacing changes were inadvertently introduced in
https://review.opendev.org/742121 which result in duplicate entries
in LXC config files.
This commit reverts to the original formatting with spaces either
side of the '=', although it makes no attempt to fix files which
may already include duplicate entries.
Change-Id: Ia95bbc959b54f494b5861afcb4e84d4c227e7b31
The removal of support for Centos-7 means that it is no longer necessary
to maintain compatibility with LXC2 configuration keys. This patch removes
the code which substitutes LXC3 keys for LXC2 keys.
Depends-On: https://review.opendev.org/742166
Depends-On: https://review.opendev.org/742103
Change-Id: I2911a20a3391e880df80f41eed5c9a8d5e36c2f4
The pre-up-down oneshot service template was mistakenly being written to
the same path as the post-up-down oneshot service file.
Change-Id: Iba966b14c97cc3bfc0d6effe7a3df7b588639cfb
This patch removes a task which adds an entry to /etc/hosts for
the container hostname / 127.0.1.1.
Some services, such as rabbitmq, require that the ip address they
are configured to listen on resolves to a hostname with the same
ip. Before this patch there were two /etc/hosts entries for the
hostname of each container, 127.0.1.1 and the container mgmt
network address.
This patch ensures that the /etc/hosts file is unambiguous and
always resolves the container hostname to the mgmt network ip
address.
Change-Id: I900bda8031d7b0798f73adf8985e64d4535be769
Required to support Gentoo is the ability to bind mount a new shared
directory. In order to support this, _lxc_container_bind_mounts has
been created for use in per-distro variables. For Gentoo the new bind
mounts allow the sharing of package data, shrinking both the container
size and the time needed to install packages.
Also needed was the creation of the `sysctl_path` variable as Gentoo
installs sysctl to an alternate location.
Change-Id: I8c20631aff9ee30289ef2f7f862ba0d4e1bb4569
In Ica79472568799098ebf83c6cefc585f117975f37 some incorrect
variable names were used. This patch changes the variable
names to suit their purpose and ensures that they are used
consistently throughout the role.
Change-Id: If9e912641b5b6cb7791221b40dd4d56e215c2b98
===
[DEPRECATION WARNING]: Using tests as filters is deprecated.
Instead of using `result|search` use `result is search`. This
feature will be removed in version 2.9.
===
Change-Id: Id2f8065cd81cd05c36fcbc33bb9c48b6574d30d1
This code was put in to handle upgrade and transitions from Queens
to Rocky and it is no longer necessary in Stein.
Change-Id: Iffc453ccb8af5d66e556da8427eb4fec1c2133ca
The 'Ensure containers have access RO cgroups' will currently add the
same line to an lxc container's config file on every run of the role.
Add a regular expression to the task to check if the line to be inserted
already exists in the file, and if so, don't insert it again.
Change-Id: I5ac57bd59ea943c019dd0a5530c8246284b33269
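The three fixes above (the replace-all-occurrences rule for the auto mount line, the duplicate entries caused by changed spacing around '=', and the regex check before inserting the cgroup line) share one requirement: a config key must be matched regardless of whitespace around '=', and re-running must leave the file unchanged. The Python below is an added example that is not code from the role; it mirrors in plain Python what the role does with Ansible's lineinfile/template tasks, and the config contents and the cgroup:mixed value are constructed for illustration.

```python
import re
from typing import List

# Constructed sample LXC container config (not from the role). It carries
# the duplicate "lxc.mount.auto" lines that the spacing change produced:
# one with spaces around '=', one without.
SAMPLE_CONFIG = """\
lxc.rootfs.path = dir:/var/lib/lxc/demo/rootfs
lxc.uts.name = demo
lxc.mount.auto = proc:mixed sys:ro
lxc.mount.auto=proc:mixed sys:ro
lxc.mount.entry = /openstack/demo openstack none bind 0 0
lxc.cgroup.dir=/sys/fs/cgroup
"""


def key_pattern(key: str) -> "re.Pattern[str]":
    # Match the key at the start of the line with any whitespace around '='.
    # A literal line comparison would miss "key=value" when the role writes
    # "key = value", which is exactly how the duplicates crept in.
    return re.compile(r"^\s*" + re.escape(key) + r"\s*=")


def set_config_key(config: str, key: str, value: str) -> str:
    """Return config with exactly one 'key = value' line.

    Every existing line for the key is replaced by a single line at the
    position of the first occurrence; if the key is absent, the line is
    appended. Running this twice with the same value yields identical
    output, so the task it models is idempotent.
    """
    pattern = key_pattern(key)
    new_line = f"{key} = {value}"
    out: List[str] = []
    seen = False
    for line in config.splitlines():
        if pattern.match(line):
            if not seen:
                out.append(new_line)
                seen = True
            continue  # drop any further occurrence of the key
        out.append(line)
    if not seen:
        out.append(new_line)
    return "\n".join(out) + "\n"


def count_key(config: str, key: str) -> int:
    """Number of lines that set the given key, whatever the spacing."""
    pattern = key_pattern(key)
    return sum(1 for line in config.splitlines() if pattern.match(line))


if __name__ == "__main__":
    fixed = set_config_key(SAMPLE_CONFIG, "lxc.mount.auto",
                           "proc:mixed sys:ro cgroup:mixed")
    print(fixed)
```

Note that the regex anchors on the key only, so `lxc.mount.auto` never matches `lxc.mount.entry`; a check that searched for the full rendered line would still insert a duplicate whenever the value or the spacing differed.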
This change allows the role to accept either lxc2 or lxc3 config
keys, plus a list of key substitutions to make when writing the
lxc config file.
This allows a set of config keys to remain defined as variables
outside this role and generate a valid config on both lxc2 and lxc3
based hosts.
Change-Id: Ifc871a9fcaf77ff36cfcc1c87b1f406862d46d22
With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.
This should fix it.
Change-Id: Ie89ff6580bec52b598776c479a909c9a99c005b0
The 'Ensure bind mount host directories exists' task does not provide
any attributes so recursing is unnecessary. If a parent directory does
not exist, Ansible will automatically create it.
Change-Id: Ia71518e87362c52b849b1baac5a7e17f86e83865
Using sort against dicts won't work in py3 (and may not work as expected
in py2), since dictionaries cannot be compared unless we pass an
attribute value.
Change-Id: Ib11f78d639ea7d520896482253e7a12eb862d598
We convert the container networks from a dict to a list in order to
allow us to enumerate the networks and assign an ID which is required
for lxc > 3.
Since dicts are unsorted we should ensure that we sort the converted
list so that unnecessary container restarts are not initiated on
subsequent runs, where the id for the network could change due to the
initial dict being unsorted.
Change-Id: I6f86b32e05adb2e0e4e214d2eb4aa67cbc283be1
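The two messages above describe the same data transformation: the container networks dict is turned into a list so each interface gets an index for the LXC 3 `lxc.net.<N>.*` keys, and that list must be sorted by a key rather than by the dict values, both because dicts are not orderable in Python 3 and because an unstable index would rewrite the config and restart the container on every run. The following Python is an added example, not the role's own Jinja or Ansible code; the interface names, bridges and addresses are constructed.

```python
from typing import Dict, List, Tuple

# Constructed container network definition keyed by interface name, in the
# shape a deployer might pass in. Insertion order is deliberately not sorted.
CONTAINER_NETWORKS: Dict[str, Dict[str, str]] = {
    "eth1": {"bridge": "br-mgmt", "address": "172.29.236.10/22"},
    "eth12": {"bridge": "br-vlan", "address": "172.29.248.10/22"},
    "eth0": {"bridge": "lxcbr0", "address": "10.0.3.10/24"},
}

Network = Tuple[int, str, Dict[str, str]]


def indexed_networks(networks: Dict[str, Dict[str, str]]) -> List[Network]:
    """Return [(index, name, attrs), ...] with a stable index per interface.

    The sort key is the interface name (lexical, so eth12 sorts before eth2),
    not the attribute dict: any deterministic key is enough to keep the index
    the same across runs, whereas sorting the dicts themselves fails.
    """
    ordered = sorted(networks.items(), key=lambda item: item[0])
    return [(idx, name, attrs) for idx, (name, attrs) in enumerate(ordered)]


def render_lxc_net(networks: Dict[str, Dict[str, str]]) -> List[str]:
    """Render LXC 3 style lxc.net.<N>.* keys from the indexed list."""
    lines: List[str] = []
    for idx, name, attrs in indexed_networks(networks):
        lines.append(f"lxc.net.{idx}.type = veth")
        lines.append(f"lxc.net.{idx}.name = {name}")
        lines.append(f"lxc.net.{idx}.link = {attrs['bridge']}")
        lines.append(f"lxc.net.{idx}.ipv4.address = {attrs['address']}")
    return lines


def sorting_dicts_fails(networks: Dict[str, Dict[str, str]]) -> bool:
    """True when sorting the attribute dicts directly raises, as it does on py3."""
    try:
        sorted(networks.values())
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print("\n".join(render_lxc_net(CONTAINER_NETWORKS)))
```

Because the index is derived from a sorted key and not from dict iteration order, feeding the same networks in a different order produces byte-identical `lxc.net.*` lines, which is what prevents the spurious container restarts the message describes.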
Now that bionic testing is added into the tests repos, we can
start testing it in the repo.
Since bionic uses lxc >= 3, we need to make some adjustments to the role
to allow the role to work with both lxc > 3 and lxc < 3; there were
several config option changes which will impact upgradeability.
LXC >= 3 requires networks to have an index, we can achieve this by
taking the network dict and converting it to a list, and using those to
generate the id "with_indexed_items".
Depends-On: https://review.openstack.org/#/c/566959/
Depends-On: https://review.openstack.org/#/c/567038/
Change-Id: Ib80c2ed2a01a4a6a8c48aed9bdf9a50e45ea9564
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
All of the qgroup commands were failing due to them being executed
inside the container instead of on the host running the container. This
change adds the forgotten delegate_to to correct that.
Change-Id: I0ff97d42fb20065613af24c65f523793a3b58fae
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This role will introduce quite a bit of state change within the host
it's deployed on. After the run we should force regather facts to ensure
we have the most up-to-date information before running any other
playbooks/roles on the host.
Change-Id: I05d71964f96a8e025aa0f89f37f8dcb2a705a2e5
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This change implements the machinectl quota system and qgroups when
they're enabled and available. This change is being implemented to
resolve an issue where machinectl based containers using a loopback file
system spam DMESG with the following:
* BTRFS error (device loop0): could not find root $INT
While various upstream sources say this error is benign[0], it raises
an inconsistency flag within the host system and is speculatively the
cause of our inconsistent read-only/Full-FS issues we've seen in the
integrated gate. Once the qgroups are properly setup the system will
remove the inconsistency flag and the message spam will stop.
* BTRFS info (device loop0): qgroup scan completed (inconsistency flag cleared)
To resolve this issue the quota system is being enabled by default
within the "lxc_host" role. This change essentially acknowledges
the built-in quota system and when enabled provides for the ability
to set / define specific quota (qgroup) options as necessary. While
many deployers may never use these options or this tooling, the role
will now properly set everything up should it ever be needed.
[0] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1651435
Closes-Bug: #1753790
Depends-On: I34a41ac8a9fe4419254284c83f4600efee274c04
Change-Id: Ica79472568799098ebf83c6cefc585f117975f37
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
machine_id is not registered until further down in the file, so
this will fail with "The error was: |changed expects a dictionary"
We don't see the failure in our gates because the two preceding
conditions: not ((default_configuration_container | changed) or
(bind_configuration_container | changed)
are always true, so the machine_id test is never used.
In an existing environment where the container is being updated
from an old configuration to the new networkd installation, it is
very possible that default_configuration_container and
bind_configuration_container are not changed, so the machine_id
var is checked for changed state. At that point ansible fails
because the var is undefined.
Change-Id: I0b95c6c5d0f52344d476e52219c1ce31edcf65da
The container and host can link journals giving operators the ability to
log stream and check on the health of a system without needing to login
(attach) to the container. This change implements journal linking for
LXC containers following the reference systemd specification.
Reference implementation:
https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--link-journal=
Change-Id: Id68cf39a77b5dd9c13c010829b47cd7a414378bc
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
The variable `lxc_user_defined_container` has been added which allows a
deployer to define the container variable file in use for a given
container type.
Depends-On: https://review.openstack.org/554383
Change-Id: Ia1373bfa916b4add49a8444d2e4553f898650328
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Allow the role to collect facts for the physical host if missing,
since the role has a hard dependency on checking the physical host's
kernel version.
In the OSA container create playbook[1], facts are collected only
if the physical host itself is included in the playbook scope. When
a '--limit containername' parameter is used, no physical host facts
are collected and the role fails with:
The conditional check 'hostvars[physical_host]['ansible_kernel'] |
version_compare('3.18.0-0-generic', '<')' failed. The error was:
Version comparison: 'dict object' has no attribute 'ansible_kernel'
Change-Id: Id84aefed6c0129909cb6153258863564c7cc914a
This change sets the hostname of containers using the hostnamectl
command which has several enhancements over the legacy method. By using
hostnamectl the command will validate the hostname for correctness,
ensuring the container hostnames conform to the RFC.
The old methods have been removed and the command has been made part of
the handlers and will be run after the activation of dbus.
Change-Id: I158a5deb0685d2dcd436d7dd92caecb9966a025e
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>