diff --git a/defaults/main.yml b/defaults/main.yml
index 58253d0f..47a82f6e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,7 +15,7 @@
 # lxc container rootfs directory and cache path
 lxc_container_directory: "/var/lib/lxc"
-lxc_container_cache_path: "/var/cache/lxc"
+lxc_container_cache_path: "/var/cache/lxc/download"
 # lxc container net network
 lxc_net_bridge: lxcbr0
@@ -44,16 +44,6 @@ lxc_container_net_name: eth0 ## name of the interface inside the container.
 lxc_kernel_options:
 - { key: 'fs.inotify.max_user_instances', value: 1024 }
-# Default image to build from
-lxc_container_user_password: "{{ lookup('pipe', 'date --rfc-3339=ns | sha512sum | base64 | head -c 32') }}"
-lxc_container_template_options: >
- --release {{ lxc_container_release }}
- --user {{ lxc_container_user_name }}
- --password {{ lxc_container_user_password }}
-
-# Set this boolean value to remove any previously prepared base image
-lxc_container_base_delete: no
-
 lxc_pip_packages:
 - lxc-python2
@@ -68,16 +58,8 @@ lxc_cache_sshd_configuration:
 - { regexp: "^X11Forwarding", line: "X11Forwarding no" }
 - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
-# Validate Certificates when downloading lxc_container_caches.
-# May be set to "no" when proxy server is intercepting the certificates.
-lxc_cache_validate_certs: "yes"
-
-# Prebuilt images to deploy onto hosts for use in containers.
-# lxc_container_caches:
-# - url: "https://rpc-repo.rackspace.com/container_images/rpc-trusty-container.tgz"
-# name: "trusty.tgz"
-# sha256sum: "56c6a6e132ea7d10be2f3e8104f47136ccf408b30e362133f0dc4a0a9adb4d0c"
-# chroot_path: trusty/rootfs-amd64
+# The compression ratio used when creating the container cache rootfs archive
+lxc_image_compression_ratio: 0
 # A list of files may be copied into the container image cache during its preparation.
 # Example:
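Review bot: The name `lxc_image_compression_ratio` and the comment above it describe a ratio, but the value is interpolated as `xz -{{ lxc_image_compression_ratio }}` in tasks/lxc_cache_create.yml, so it is an xz preset level (0 fastest and largest, 9 slowest and smallest), not a ratio. The comment should state what is accepted and what the default trades off, e.g. `# xz preset level (0-9) passed as "xz -N" when the cached rootfs is archived; 0 is fastest/least compressed`. Renaming the variable would break existing overrides, so fixing the comment is the cheaper route.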
@@ -85,3 +67,22 @@ lxc_cache_validate_certs: "yes"
 # - src: "/etc/openstack_deploy/files/etc/issue"
 # dest: "/etc/issue"
 lxc_container_cache_files: []
+
+lxc_image_cache_server: images.linuxcontainers.org
+
+## Default download template options
+## This can be customized to use a local build server and options.
+## By default these options will be fulfilled by the distro specific
+## variable files found in vars/
+# lxc_cache_download_template_options: >
+# --dist NAME_OF_DISTRO
+# --release DISTRO_RELEASE
+# --arch CONTAINER_ARCH
+# --force-cache
+# --server SERVER_TO_GET_IMAGES_FROM
+lxc_cache_download_template_options: >
+ --dist {{ lxc_cache_map.distro }}
+ --release {{ lxc_cache_map.release }}
+ --arch {{ lxc_cache_map.arch }}
+ --force-cache
+ --server {{ lxc_image_cache_server }}
diff --git a/files/lxc-veth-check.sh b/files/lxc-veth-check.sh
new file mode 100644
index 00000000..babe0e24
--- /dev/null
+++ b/files/lxc-veth-check.sh
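Review bot: `--force-cache` in the default `lxc_cache_download_template_options` tells the download template to keep using an already-downloaded image even after its expiry, so a host that has built the cache once keeps rebuilding from the same upstream rootfs instead of picking up newer upstream builds, and nothing in the hunk documents that. Since the base image now comes from `lxc_image_cache_server` and the `##` block is where operators look, a line such as `## --force-cache reuses a previously downloaded image even after it expires; remove the local copy under lxc_container_cache_path to refresh` makes the trade-off visible. `lxc_cache_map` used here appears to be expected from the per-distro files in vars/, as the comment says; it is not defined in this file.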
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# This is a very simple script to search a host for containers that have veth pairs that are not
+# plugged into a given bridge. This can happen for a number of reasons however the most common
+# one is due to a physical network interface being bounced which severs the containers connection
+# to that interface. This script will identify container veth pairs. If any of the container veth
+# devices are missing a master the script will attempt to locate the containers network information
+# and connect the broken network link.
+
+# Do a simple lxc command check, if the client errors assume its not installed or ready and return 0
+lxc-ls --version || exit 0
+
+# Set the default script exit status
+exit_status=0
+# List all containers
+for container in $(lxc-ls); do
+ # List Links for the containers
+ for net_info in $(lxc-info -n "${container}" | awk '/Link/ {print $2}'); do
+ # If the link information is a veth and does not have a "master" continue
+ if ! ip -o -d link show "${net_info}" | grep veth | grep -q master; then
+ # Search for the interface file that contains the veth
+ lxc_interface_file=$(grep -l "${net_info}" /var/lib/lxc/${container}/{config,*.ini} | head -n 1)
+ # If an interface file is found continue
+ if [ ! -z "${lxc_interface_file}" ];then
+ # Get the first network link line from the lxc configuration file
+ veth_bridge_line=$(grep -hA10 ${net_info} "${lxc_interface_file}" | grep lxc.network.link | head -n 1)
+ # If a network interface file has a link entry continue
+ if [ ! -z "${veth_bridge_line}" ];then
+ # get the link name
+ veth_bridge=$(echo "${veth_bridge_line}" | awk -F'=' '{print $2}' | sed 's/\s//g')
+ # Plug the veth into the link
+ ip link set "${net_info}" master "${veth_bridge}"
+ echo "container ${container} had a broken veth ${net_info} not being plugged into "${veth_bridge}": this issue is now resolved"
+ else
+ # Notify the user that the issues can not be automatically fixed for a given container and veth
+ echo "container ${container} has a broken veth ${net_info} and an automated fix can not be found"
+ # Because of the inability to resolve the issue automatically set the exit_status to failure
+ exit_status=99
+ fi
+ fi
+ fi
+ done
+done
+exit "$exit_status"
diff --git a/handlers/main.yml b/handlers/main.yml
index 070ed26b..21f6ccb9 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -31,5 +31,23 @@
 pattern: "irqbalance"
 enabled: "yes"
+- name: Restart bridge
+ shell: "ifdown {{ lxc_net_bridge }} || true"
+ notify:
+ - Bring bridge up
+ - Veth check
+
 - name: Bring bridge up
 command: "ifup {{ lxc_net_bridge }}"
+
+- name: Veth check
+ command: "/usr/local/bin/lxc-veth-check"
+
+- name: Destroy base container
+ lxc_container:
+ name: "cache-{{ lxc_cache_map.distro }}"
+ state: absent
+ register: cache_destroy
+ retries: 3
+ delay: 10
+ until: cache_destroy|success
diff --git a/manual-test.rc b/manual-test.rc
new file mode 100644
index 00000000..fa1cdf95
--- /dev/null
+++ b/manual-test.rc
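Review bot: `lxc_interface_file=$(grep -l "${net_info}" /var/lib/lxc/${container}/{config,*.ini} | head -n 1)` matches the interface name as a bare substring, so `veth1` also matches a file that only mentions `veth10`, and that file then drives a root `ip link set ... master` using whichever `lxc.network.link` follows in it; `${container}` in the path and `${net_info}` in the later `grep -hA10` are unquoted as well. Anchoring the match and quoting the expansions narrows what a stray match can do: `lxc_interface_file=$(grep -lw -- "${net_info}" "/var/lib/lxc/${container}"/{config,*.ini} | head -n 1)` and `veth_bridge_line=$(grep -hwA10 -- "${net_info}" "${lxc_interface_file}" | grep lxc.network.link | head -n 1)`. Checking that `${veth_bridge}` names an existing link before the `ip link set`, and quoting it inside the success `echo` (the inner `"${veth_bridge}"` currently closes and reopens the string), would round this out.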
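Review bot: `shell: "ifdown {{ lxc_net_bridge }} || true"` in the new `Restart bridge` handler swallows every `ifdown` failure, and the `shell` module is used only to obtain that `|| true`; `command: "ifdown {{ lxc_net_bridge }}"` together with `ignore_errors: true` keeps the same flow while leaving the real error visible in the play output. The `Veth check` handler runs a script that exits 99 when a container link cannot be repaired, so that condition fails the handler run rather than being merely reported; if that is intended, a comment saying so next to the handler would help the next reader.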
@@ -0,0 +1,22 @@
+export VIRTUAL_ENV=$(pwd)
+export ANSIBLE_HOST_KEY_CHECKING=False
+export ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r
+
+# TODO (odyssey4me) These are only here as they are non-standard folder
+# names for Ansible 1.9.x. We are using the standard folder names for
+# Ansible v2.x. We can remove this when we move to Ansible 2.x.
+export ANSIBLE_ACTION_PLUGINS=${HOME}/.ansible/plugins/action
+export ANSIBLE_CALLBACK_PLUGINS=${HOME}/.ansible/plugins/callback
+export ANSIBLE_FILTER_PLUGINS=${HOME}/.ansible/plugins/filter
+export ANSIBLE_LOOKUP_PLUGINS=${HOME}/.ansible/plugins/lookup
+
+# This is required as the default is the current path or a path specified
+# in ansible.cfg
+export ANSIBLE_LIBRARY=${HOME}/.ansible/plugins/library
+
+# This is required as the default is '/etc/ansible/roles' or a path
+# specified in ansible.cfg
+export ANSIBLE_ROLES_PATH=${HOME}/.ansible/roles:$(pwd)/..
+
+echo "Run manual functional tests by executing the following:"
+echo "# ./.tox/functional/bin/ansible-playbook -i tests/inventory tests/test.yml -e \"rolename=$(pwd)\""
diff --git a/meta/main.yml b/meta/main.yml
index ea35a7ed..622c29d1 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -18,11 +18,15 @@ galaxy_info:
 description: Deployment of LXC hosts for use in Rackspace Private Cloud
 company: Rackspace
 license: Apache2
- min_ansible_version: 1.6.6
+ min_ansible_version: 1.9.4
 platforms:
 - name: Ubuntu
 versions:
 - trusty
+ - xenial
+ - name: EL
+ versions:
+ - 7
 categories:
 - cloud
 - lxc
diff --git a/other-requirements.txt b/other-requirements.txt
index 67cd643a..a145f8b4 100644
--- a/other-requirements.txt
+++ b/other-requirements.txt
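Review bot: `export ANSIBLE_HOST_KEY_CHECKING=False` turns off SSH host-key verification for every playbook run from a shell that sources this file, and `export ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r` moves the ControlMaster sockets to a predictable name in a shared directory instead of Ansible's per-user default; neither line says why that is acceptable here. As the file is a manual test helper, a short comment above those two lines, e.g. `# Test-only: the target is a throwaway local host, so host keys are not verified and control sockets live in /tmp`, records the scope so the settings are not copied into production rc files. I am inferring the throwaway-host intent from the echoed command at the bottom, which points at tests/inventory.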
@@ -14,7 +14,13 @@ # TODO(odyssey4me) remove this once https://review.openstack.org/288634 has merged # and the disk images are rebuilt and redeployed. curl +wget # Requirements for Paramiko 2.0 -libssl-dev -libffi-dev +libssl-dev [platform:dpkg] +libffi-dev [platform:dpkg] +libffi-devel [platform:rpm] +openssl-devel [platform:rpm] + +# For selinux +libselinux-python [platform:rpm] diff --git a/releasenotes/notes/lxc-host-setup-refactor-e43559764af67fea.yaml b/releasenotes/notes/lxc-host-setup-refactor-e43559764af67fea.yaml new file mode 100644 index 00000000..9b55f8ae --- /dev/null +++ b/releasenotes/notes/lxc-host-setup-refactor-e43559764af67fea.yaml 
@@ -0,0 +1,29 @@
+---
+features:
+ - The ``lxc_host`` cache prep has been updated to use the LXC download
+ template. This removes the last remaining dependency the project has on
+ the `rpc-trusty-container.tgz image `_.
+ - The ``lxc_host`` role will build lxc cache using the download
+ template built from `images found here `_.
+ These images are upstream builds from the greater LXC/D community.
+ - The ``lxc_host`` role introduces support for CentOS 7 and Ubuntu 16.04
+ container types.
+upgrade:
+ - The ``lxc_host`` role no longer uses the distro specific lxc container
+ create template.
+ - |
+ The following variable changes have been made in the ``lxc_host`` role:
+
+ * **lxc_container_user_password**: Removed because the default lxc
+ container user is no longer created by the lxc container template.
+ * **lxc_container_template_options**: This option was renamed to
+ *lxc_cache_download_template_options*. The deprecation filter was not
+ used because the values provided from this option have been
+ fundamentally changed and potentially old overrides will cause
+ problems.
+ * **lxc_container_base_delete**: Removed because the cache will be
+ refreshed upon role execution.
+ * **lxc_cache_validate_certs**: Removed because the Ansible ``get_url``
+ module is no longer used.
+ * **lxc_container_caches**: Removed because the container create process
+ will build a cached image based on the host OS.
diff --git a/run_tests.sh b/run_tests.sh
index f7a19cc7..bfe311e1 100755
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -19,7 +19,11 @@ FUNCTIONAL_TEST=${FUNCTIONAL_TEST:-true}
 # prep the host
 if [ "$(which apt-get)" ]; then
- apt-get install -y build-essential python2.7 python-dev git-core libssl-dev libffi-dev
+ apt-get update && apt-get install -y build-essential python2.7 python-dev git-core libffi-dev libssl-dev
+fi
+
+if [ "$(which yum)" ]; then
+ yum install -y '@Development Tools' python-devel git libffi-devel openssl-devel
 fi
 # get pip, if necessary
@@ -33,9 +37,9 @@ pip install tox
 # run through each tox env and execute the test
 for tox_env in $(awk -F= '/envlist/ {print $2}' tox.ini | sed 's/,/ /g'); do
- if [ "${tox_env}" != "ansible-functional" ]; then
+ if [ "${tox_env}" != "functional" ]; then
 tox -e ${tox_env}
- elif [ "${tox_env}" == "ansible-functional" ]; then
+ elif [ "${tox_env}" == "functional" ]; then
 if ${FUNCTIONAL_TEST}; then
 tox -e ${tox_env}
 fi
diff --git a/tasks/lxc_cache.yml b/tasks/lxc_cache.yml
index 026f2ee9..0fa63970 100644
--- a/tasks/lxc_cache.yml
+++ b/tasks/lxc_cache.yml
@@ -13,57 +13,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# TODO(odyssey4me)
-# Ansible 1.9x only actually checks whether there's a local file - it never
-# checks whether the local file matches the given sha256sum. Ansible 2.x
-# fixes this, so once we move to Ansible 2.x we can pass this a sha256sum
-# which will:
-# a) allow us to remove force: yes
-# b) allow the module to calculate the checksum of dest file which would
-# result in file being downloaded only if provided and dest sha256sum
-# checksums differ
-# Currently 'force:yes' will always download the file, then do a sha256sum
-# comparison between the downloaded file and the existing file, then replace
-# the existing file if it doesn't match.
-
-- name: Download lxc cache(s)
- get_url:
- url: "{{ item.url }}"
- dest: "/var/cache/lxc_{{ item.name }}"
- mode: "0644"
- force: yes
- sha256sum: "{{ item.sha256sum }}"
- validate_certs: "{{ lxc_cache_validate_certs }}"
+- name: Create container
+ lxc_container:
+ name: "cache-{{ lxc_cache_map.distro }}"
+ template: "download"
+ state: stopped
+ backing_store: "dir"
+ template_options: "{{ lxc_cache_download_template_options }}"
 register: cache_download
 retries: 3
 delay: 10
- until: cache_download | success
- with_items: lxc_container_caches
+ until: cache_download|success
 tags:
 - lxc-cache
 - lxc-cache-download
-- name: Remove existing lxc cached images
- file:
- path: "{{ lxc_container_cache_path }}/{{ item.chroot_path }}"
- state: absent
- with_items: lxc_container_caches
- when: >
- cache_download | changed or
- lxc_container_base_delete | bool
- tags:
- - lxc-cache
- - lxc-cache-existing-remove
-
-- name: Move lxc cached image into place
- unarchive:
- src: "/var/cache/lxc_{{ item.name }}"
- dest: "{{ lxc_container_cache_path }}/"
- copy: "no"
- with_items: lxc_container_caches
- when: >
- cache_download | changed or
- lxc_container_base_delete | bool
- t
ags:
- - lxc-cache
- - lxc-cache-unarchive
+- include: lxc_cache_preparation.yml
+- include: lxc_cache_create.yml
diff --git a/tasks/lxc_cache_create.yml b/tasks/lxc_cache_create.yml
new file mode 100644
index 00000000..44b454fe
--- /dev/null
+++ b/tasks/lxc_cache_create.yml
@@ -0,0 +1,36 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create lxc image
+ shell: |
+ rm {{ lxc_container_cache_path }}/{{ lxc_cache_map.distro }}/{{ lxc_cache_map.release }}/{{ lxc_cache_map.arch }}/default/rootfs.tar.xz
+ tar -Opc -C /var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs . | xz -{{ lxc_image_compression_ratio }} -c - > rootfs.tar.xz
+ args:
+ chdir: "{{ lxc_container_cache_path }}/{{ lxc_cache_map.distro }}/{{ lxc_cache_map.release }}/{{ lxc_cache_map.arch }}/default/"
+ notify: Destroy base container
+ tags:
+ - lxc-cache
+ - lxc-image-cache-create
+
+# TODO(cloudnull) This should be removed just as soon as the lxc-container create
+# play supports using the download template instead of the distro specific one.
+- name: Create LEGACY LXC container cache
+ shell: |
+ mkdir -p /var/cache/lxc/{{ lxc_cache_map.release }}
+ cp -R /var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs /var/cache/lxc/{{ lxc_cache_map.release }}/rootfs-amd64
+ notify: Destroy base container
+ tags:
+ - lxc-cache
+ - lxc-legacy-image-cache-create
diff --git a/tasks/lxc_cache_preparation.yml b/tasks/lxc_cache_preparation.yml
index 17f41503..17bbbcdc 100644
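Review bot: The removed `get_url` task verified the downloaded archive against an explicit `sha256sum`; the new `Create container` task delegates fetching to the `download` template through `template_options: "{{ lxc_cache_download_template_options }}"`, and nothing in the hunk records what integrity check now applies. As far as I know the LXC download template validates the image index signature with GPG unless `--no-validate` is passed, so the guarantee survives only while that flag stays out of the overridable options; a comment above the task such as `# Image integrity now relies on the download template's GPG validation of the index; do not add --no-validate to lxc_cache_download_template_options` keeps that dependency visible. `register: cache_download` is kept even though this commit drops the `cache_download|changed` consumers in tasks/lxc_cache_preparation.yml, so the registered result is now only read by `until`.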
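Review bot: In `Create lxc image` the pipeline `tar -Opc ... | xz ... > rootfs.tar.xz` reports the exit status of `xz` alone, so a `tar` failure (missing rootfs, permission problem) still leaves a truncated `rootfs.tar.xz` in the cache and the task succeeds; the preceding `rm` also fails on a first run when the archive does not exist yet, which the shell module ignores only because it is not the last command. Since the shell module runs `/bin/sh` by default, the fix is `set -o pipefail` as the script's first line together with `executable: /bin/bash` under `args`, and `rm -f` for the archive. In `Create LEGACY LXC container cache`, `cp -R` does not preserve ownership or timestamps (and I would not rely on it keeping setuid bits), so the legacy rootfs copy differs from the image it was taken from; `cp -a` keeps them.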
--- a/tasks/lxc_cache_preparation.yml
+++ b/tasks/lxc_cache_preparation.yml
@@ -15,89 +15,93 @@ - name: Copy files from deployment host to the container cache copy: - src: "{{ item[1].src }}" - dest: "{{ lxc_container_cache_path }}/{{ item[0].chroot_path }}/{{ item[1].dest }}" - owner: "{{ item[1].owner | default('root') }}" - group: "{{ item[1].group | default('root') }}" - mode: "{{ item[1].mode | default('644') }}" - with_nested: - - lxc_container_caches - - lxc_container_cache_files + src: "{{ item.src }}" + dest: "/var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs{{ item.dest }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('644') }}" + with_items: lxc_container_cache_files tags: - lxc-cache - lxc-cache-copy-files -- name: Create apt repos in the cached container - template: - src: sources.list.j2 - dest: "{{ lxc_container_cache_path }}/{{ item.chroot_path }}/etc/apt/sources.list" - with_items: lxc_container_caches - tags: - - lxc-cache - - lxc-cache-update - -- name: Update container resolvers - template: - src: lxc-resolve-base.j2 - dest: "{{ lxc_container_cache_path }}/{{ item.chroot_path }}/run/resolvconf/resolv.conf" - with_items: lxc_container_caches - tags: - - lxc-cache - - lxc-cache-update - -- name: Update container resolvconf base - template: - src: lxc-resolve-base.j2 - dest: "{{ lxc_container_cache_path }}/{{ item.chroot_path }}/etc/resolvconf/resolv.conf.d/base" - with_items: lxc_container_caches - tags: - - lxc-cache - - lxc-cache-update - -- name: Update container resolvconf tail +- name: Cached image preparation script copy: - content: "# Null Tail" - dest: "{{ lxc_container_cache_path }}/{{ item.chroot_path }}/etc/resolvconf/resolv.conf.d/tail" - with_items: lxc_container_caches - tags: - - lxc-cache - - lxc-cache-update - -- name: Update container resolvconf original - copy: - content: "# Null original" - dest: "{{ lxc_container_cache_path }}/{{ item.chroot_path }}/etc/resolvconf/resolv.conf.d/original" - with_items: 
lxc_container_caches + content: | + #!/usr/bin/env bash + set -x + {{ lxc_cache_map.cache_base_commands }} + dest: "/var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs/usr/local/bin/cache-prep-commands.sh" + mode: "0755" tags: - lxc-cache - lxc-cache-update # This task runs several commands against the cached image to speed up the # lxc_container_create playbook. -- name: Prepare cached image - command: "chroot {{ lxc_container_cache_path }}/{{ item[0].chroot_path }} {{ item[1] }}" - with_nested: - - lxc_container_caches - - lxc_cache_commands - when: cache_download|changed +- name: Prepare cached image setup commands + command: "chroot /var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs /usr/local/bin/cache-prep-commands.sh" + tags: + - lxc-cache + - lxc-cache-update + +- name: Create repos in the cached container + copy: + content: "{{ item.value }}" + dest: "/var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs{{ item.key }}" + with_dict: lxc_cache_map.repos + tags: + - lxc-cache + - lxc-cache-update + +- name: Copy cached image preparation package script into the target + copy: + content: | + #!/usr/bin/env bash + set -x + {{ lxc_cache_install_command }} {{ lxc_cache_map.cache_packages | join(' ') }} + dest: "/var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs/usr/local/bin/cache-package-prep-commands.sh" + mode: "0755" + tags: + - lxc-cache + - lxc-cache-update + +- name: Prepare cached image with packages + command: "chroot /var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs /usr/local/bin/cache-package-prep-commands.sh" + tags: + - lxc-cache + - lxc-cache-update + +- name: Cached image post-preparation package script + copy: + content: | + #!/usr/bin/env bash + set -x + {{ lxc_cache_map.cache_post_commands }} + dest: "/var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs/usr/local/bin/cache-post-prep-commands.sh" + mode: "0755" + tags: + - lxc-cache + - lxc-cache-update + +- name: Post-prepare cached image setup commands + command: "chroot 
/var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs /usr/local/bin/cache-post-prep-commands.sh" tags: - lxc-cache - lxc-cache-update - name: Adjust sshd configuration in container lineinfile: - dest: "{{ lxc_container_cache_path }}/{{ item[0].chroot_path }}/etc/ssh/sshd_config" - regexp: "{{ item[1].regexp }}" - line: "{{ item[1].line }}" + dest: "/var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs/etc/ssh/sshd_config" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" state: present - with_nested: - - lxc_container_caches - - lxc_cache_sshd_configuration + with_items: lxc_cache_sshd_configuration tags: - lxc-cache - lxc-cache-update -- name: Obtain the system's ssh public key +- name: Obtain the deploy system's ssh public key set_fact: lxc_container_ssh_key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}" when: lxc_container_ssh_key is not defined @@ -107,9 +111,9 @@ - name: Deploy ssh public key into the cached image lineinfile: - dest: "{{ lxc_container_cache_path }}/{{ item.chroot_path }}/root/.ssh/authorized_keys" + dest: "/var/lib/lxc/cache-{{ lxc_cache_map.distro }}/rootfs/root/.ssh/authorized_keys" line: "{{ lxc_container_ssh_key }}" - with_items: lxc_container_caches + create: true tags: - lxc-cache - lxc-cache-update diff --git a/tasks/lxc_install.yml b/tasks/lxc_install.yml index e989829d..bb781e00 100644 --- a/tasks/lxc_install.yml +++ b/tasks/lxc_install.yml @@ -19,6 +19,12 @@ tags: - install-apt +- include: lxc_install_yum.yml + when: + - ansible_pkg_mgr == 'yum' + tags: + - install-yum + - name: Install pip packages pip: name: "{{ item }}" diff --git a/tasks/lxc_install_apt.yml b/tasks/lxc_install_apt.yml index 54c818bc..86c8ddcc 100644 --- a/tasks/lxc_install_apt.yml +++ b/tasks/lxc_install_apt.yml 
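Review bot: The three generated scripts in this hunk (`cache-prep-commands.sh`, `cache-package-prep-commands.sh`, `cache-post-prep-commands.sh`) start with `set -x` only, so when a command inside `lxc_cache_map.cache_base_commands`, the package install line, or `cache_post_commands` fails, the corresponding chroot task still succeeds unless the failing command happens to be the last one, and a half-prepared rootfs is then archived for every container built from it. `set -ex` (or `set -euxo pipefail` where the supplied commands are bash-safe) makes the chroot task fail at the first error. The scripts are also left behind in the image under `/usr/local/bin/` with mode `0755`; if they are not meant to ship in every container, a `file: state: absent` task after each chroot run would keep the cache clean.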
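Review bot: `Deploy ssh public key into the cached image` now creates `/root/.ssh/authorized_keys` with `create: true` but sets no `mode`, so the file takes the module's default permissions; adding `mode: "0600"` keeps it in line with the `PasswordAuthentication no` hardening the role applies to the same image. `lineinfile` does not create the parent directory, so the task also depends on `/root/.ssh` already existing in the downloaded rootfs, which is worth either a comment or an explicit `file: state: directory` task with `mode: "0700"` ahead of it.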
@@ -38,19 +38,33 @@ until: install_packages|success retries: 5 delay: 2 - with_items: lxc_apt_packages + with_items: lxc_packages tags: - lxc-apt-packages -# The functionality with changing the container cache has been added into the -# upstream LXC templates with patch [ https://github.com/lxc/lxc/pull/558 ] -# TODO: remove the below patch and pass lxc_container_cache_path to lxc -# templates as appropriate once the lxc update goes mainstream -- name: Patch lxc-ubuntu cache path - replace: - dest: /usr/share/lxc/templates/lxc-ubuntu - regexp: '\$LOCALSTATEDIR/cache/lxc' - replace: "{{ lxc_container_cache_path }}" - backup: yes +- name: Drop irqbalance config + template: + src: "irqbalance.j2" + dest: "/etc/default/irqbalance" + owner: "root" + group: "root" + mode: "0644" + notify: + - Restart irqbalance tags: - - lxc-cache-path + - lxc-files + - lxc-irqbalance + +- name: Drop lxc-openstack app armor profile + template: + src: "lxc-openstack.apparmor.j2" + dest: "/etc/apparmor.d/lxc/lxc-openstack" + owner: "root" + group: "root" + mode: "0644" + notify: + - Load lxc-openstack apparmor profile + - Restart apparmor + tags: + - lxc-files + - lxc-apparmor diff --git a/tasks/lxc_install_yum.yml b/tasks/lxc_install_yum.yml new file mode 100644 index 00000000..bfdeb473 --- /dev/null +++ b/tasks/lxc_install_yum.yml 
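Review bot: `with_items: lxc_packages` uses a bare variable name while the same commit writes `with_items: "{{ lxc_cached_network_interfaces }}"` in tasks/lxc_net.yml, so the two spellings are now mixed across the role. Ansible 2.x warns that bare variables in `with_items` are deprecated, and since meta/main.yml raises `min_ansible_version` only to 1.9.4 the quoted form is the one that works on both, so `with_items: "{{ lxc_packages }}"` is the portable spelling; the same applies to `with_items: lxc_packages` in tasks/lxc_install_yum.yml and to the `with_items`/`with_dict` loops in tasks/lxc_cache_preparation.yml.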
@@ -0,0 +1,213 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Install yum packages + yum: + pkg: "{{ item }}" + state: present + register: install_packages + until: install_packages|success + retries: 5 + delay: 2 + with_items: lxc_packages + tags: + - lxc-packages + +- name: Create base directories + file: + path: "{{ item }}" + state: "directory" + owner: "root" + group: "root" + with_items: + - /opt/lxc_embedded + tags: + - lxc-directories + +- name: download file with sha256 check + get_url: + url: "{{ lxc_download_url }}" + dest: "/opt/lxc_embedded/{{ lxc_download_url | basename }}" + register: source_download + tags: + - lxc-source + - lxc-source-download + +- name: Move lxc cached image into place + unarchive: + src: "/opt/lxc_embedded/{{ lxc_download_url | basename }}" + dest: "/opt/lxc_embedded/" + copy: "no" + when: source_download|changed + tags: + - lxc-source + - lxc-source-unarchive + +- name: Create new linked lib location + copy: + content: "/opt/lxc_embedded/x86_64-linux-gnu" + dest: "/etc/ld.so.conf.d/lxc-x86_64.conf" + mode: "0644" + tags: + - lxc-source + - lxc-ldconfig + +- name: Create python3 link + file: + src: /usr/bin/python3.4 + dest: /usr/bin/python3 + state: link + tags: + - lxc-source + +- name: Build and install LXC + shell: '{{ item }}' + args: + creates: /opt/lxc_embedded/bin/lxc-ls + chdir: "/opt/lxc_embedded/{{ lxc_download_url | basename | replace('.tar.gz', '') }}" + 
environment: + PYTHONDEV_CFLAGS: "-I/usr/include/python3.4m" + PYTHONDEV_LIBS: "-lpython3.4m" + with_items: + - ./autogen.sh + - ./configure --prefix=/opt/lxc_embedded + --libdir=/opt/lxc_embedded/x86_64-linux-gnu + --libexecdir=/opt/lxc_embedded/x86_64-linux-gnu + --with-rootfs-path=/opt/lxc_embedded/x86_64-linux-gnu/lxc + --sysconfdir=/etc + --localstatedir=/var + --with-config-path=/var/lib/lxc + --with-distro={{ ansible_distribution | lower }} + --enable-seccomp + --enable-python + --enable-doc + --enable-rpath + --enable-selinux + --enable-capabilities + --enable-configpath-log + --disable-tests + --disable-lua + - make + - make install + tags: + - lxc-source + - lxc-source-compile + +- name: Ensure embedded LXC is within the PATH + lineinfile: + dest: "{{ item.dest }}" + line: "{{ item.line }}" + create: "true" + with_items: + - { dest: "/etc/profile.d/lxc-path.sh", line: "pathmunge /opt/lxc_embedded/bin" } + tags: + - lxc-source + - lxc-path + +- name: Remove sub system lock if found + file: + path: "{{ item }}" + state: "absent" + owner: "root" + group: "root" + with_items: + - /var/lock/subsys/lxc + tags: + - lxc-directories + +- name: Drop post up script + copy: + content: | + #!/usr/bin/env bash + if [ "${DEVICE}" == "{{ lxc_net_bridge }}" ];then + if [ "{{ lxc_net_nat }}" == "True" ];then + /usr/local/bin/lxc-system-manage iptables-create + /usr/local/bin/lxc-system-manage dnsmasq-start || true + fi + fi + dest: "/etc/sysconfig/network-scripts/ifup-post-{{ lxc_net_bridge }}" + owner: "root" + group: "root" + mode: "0755" + tags: + - lxc-post-up + +- name: Drop post down script + copy: + content: | + #!/usr/bin/env bash + if [ "${DEVICE}" == "{{ lxc_net_bridge }}" ];then + if [ "{{ lxc_net_nat }}" == "True" ];then + /usr/local/bin/lxc-system-manage dnsmasq-stop + /usr/local/bin/lxc-system-manage iptables-remove + fi + fi + dest: "/etc/sysconfig/network-scripts/ifdown-post-{{ lxc_net_bridge }}" + owner: "root" + group: "root" + mode: "0755" + tags: + - 
lxc-post-down + +- name: Create networking post-up data + lineinfile: + dest: "{{ item.dest }}" + line: "{{ item.line }}" + insertbefore: "^exit\ 0$" + with_items: + - dest: "/etc/sysconfig/network-scripts/ifup-post" + line: ". /etc/sysconfig/network-scripts/ifup-post-{{ lxc_net_bridge }}" + tags: + - lxc-post-up + +- name: Create networking post-down data + lineinfile: + dest: "{{ item.dest }}" + line: "{{ item.line }}" + insertbefore: "^exit\ 0$" + with_items: + - dest: "/etc/sysconfig/network-scripts/ifdown-post" + line: ". /etc/sysconfig/network-scripts/ifdown-post-{{ lxc_net_bridge }}" + tags: + - lxc-post-down + +- name: Link embedded lxc to python3 + shell: > + find /opt/lxc_embedded/lib64/python3.4/site-packages/* -maxdepth 0 | xargs -n1 ln -sf + args: + chdir: /usr/lib64/python3.4 + tags: + - lxc-links + +- name: Run ldconfig to make sure all libs are linked + command: ldconfig -v + tags: + - lxc-links + +# This is needed because Ansible will not read an exported PATH and the default path is too restrictive +- name: Update the sudoers defaults + lineinfile: + dest: /etc/sudoers + state: present + regexp: '{{ item.regexp }}' + line: '{{ item.line }}' + validate: 'visudo -cf %s' + with_items: + - regexp: '^Defaults.*env_reset.*' + line: 'Defaults env_reset' + - regexp: '^Defaults.*secure_path.*' + line: 'Defaults secure_path="/opt/lxc_embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' + tags: + - lxc-path diff --git a/tasks/lxc_net.yml b/tasks/lxc_net.yml index 21c31bea..71759141 100644 --- a/tasks/lxc_net.yml +++ b/tasks/lxc_net.yml 
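Review bot: `download file with sha256 check` passes no checksum to `get_url`, so the task name promises a verification it does not perform, and the tarball fetched from `lxc_download_url` is then unpacked, built and installed as root by `Build and install LXC`; a tampered or truncated download would be compiled straight into `/opt/lxc_embedded/bin`. The 1.9-era `sha256sum:` parameter, used by the `get_url` task this commit removes from tasks/lxc_cache.yml, fits here: `sha256sum: "{{ lxc_download_sha256 }}"` with the expected digest defined alongside `lxc_download_url` wherever that lives (the variable name is a suggestion, not one on the page). `Update the sudoers defaults` also puts `/opt/lxc_embedded/bin` ahead of the system directories in `secure_path`, meaning the source-built binaries shadow packaged ones under sudo; a one-line comment stating that this is deliberate would help.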
@@ -13,27 +13,79 @@ # See the License for the specific language governing permissions and # limitations under the License. +- name: Drop lxc net bridge + template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "root" + group: "root" + mode: "0644" + with_items: "{{ lxc_cached_network_interfaces }}" + notify: + - Bring bridge up + tags: + - lxc-files + - lxc-net + - lxc-bridge + - lxc-interfaces + +# All Debian installations of LXC use the lxc-net service. This service breaks our network +# model and needs to be disabled +- name: Disable and stop lxc-net + service: + name: lxc-net + enabled: no + state: stopped + when: + - ansible_os_family == "Debian" + tags: + - lxc-net + +# All installations of LXC on init based systems (upstart primarily) will need to have the +# the lxc-net service override in place to ensure its not restarted on system boot +- name: Drop lxc-net override file for upstart + template: + src: manual-init.override.j2 + dest: /etc/init/lxc-net.override + owner: root + group: root + mode: 0644 + when: + - pid1_name == "init" + tags: + - lxc-files + - lxc-net + +# All Debian based systems use the interfaces.d directory for extra network configs +# this check ensures the needed source line is in the base config file - name: Ensure networking includes interfaces.d lineinfile: dest: "/etc/network/interfaces" line: "source /etc/network/interfaces.d/*.cfg" backup: "yes" + when: + - ansible_os_family == "Debian" tags: - lxc-net - lxc-interfaces -- name: Drop lxc net bridge +- name: Drop lxc net bridge - Debian template: src: "lxc-net-bridge.cfg.j2" dest: "/etc/network/interfaces.d/lxc-net-bridge.cfg" owner: "root" group: "root" mode: "0644" + when: + - ansible_os_family == "Debian" + notify: + - Restart bridge tags: - lxc-files - lxc-net - lxc-bridge +# Check that the container bridge exists, if not bring it up - name: Check Container Bridge exists file: state: "file" 
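Review bot: `enabled: no` in `Disable and stop lxc-net` and `mode: 0644` in `Drop lxc-net override file for upstart` mix YAML 1.1 truthy/octal plain scalars with the `mode: "0644"` quoting used two tasks earlier in the same hunk; `enabled: false` and `mode: "0644"` are the forms yamllint accepts and avoid the unquoted-octal pitfall. `Drop lxc net bridge` iterates `lxc_cached_network_interfaces`, which is not defined in defaults/main.yml in this diff, so I assume it comes from the vars/ files; if a platform file omits it the task errors on an undefined variable rather than being skipped, which a comment above the task could state. `pid1_name`, checked by the upstart override task, is the fact this commit sets in tasks/main.yml.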
@@ -44,5 +96,7 @@ notify: - Bring bridge up tags: - - lxc-net - lxc-bridge + +# Ensure lxc networks are running as they're supposed to +- meta: flush_handlers diff --git a/tasks/lxc_post_install.yml b/tasks/lxc_post_install.yml index 9e4e4f99..593eda1d 100644 --- a/tasks/lxc_post_install.yml +++ b/tasks/lxc_post_install.yml @@ -32,38 +32,23 @@ mode: "{{ item.mode|default('0644') }}" with_items: - { src: lxc-openstack.conf.j2, dest: "/etc/lxc/lxc-openstack.conf" } + - { src: default.conf.j2, dest: "/etc/lxc/default.conf" } - { src: lxc.default.j2, dest: "/etc/default/lxc-net", mode: "0644" } - { src: lxc-system-manage.j2, dest: "/usr/local/bin/lxc-system-manage", mode: "0755" } tags: - lxc-files - lxc-config -- name: Drop irqbalance config - template: - src: "irqbalance.j2" - dest: "/etc/default/irqbalance" +- name: Drop lxc veth check script + copy: + src: "lxc-veth-check.sh" + dest: "/usr/local/bin/lxc-veth-check" owner: "root" group: "root" - mode: "0644" - notify: - - Restart irqbalance + mode: "0755" tags: - lxc-files - - lxc-irqbalance - -- name: Drop lxc-openstack app armor profile - template: - src: "lxc-openstack.apparmor.j2" - dest: "/etc/apparmor.d/lxc/lxc-openstack" - owner: "root" - group: "root" - mode: "0644" - notify: - - Load lxc-openstack apparmor profile - - Restart apparmor - tags: - - lxc-files - - lxc-apparmor + - lxc-config # Ensure apparmor reindex runs before other things that may fail - meta: flush_handlers diff --git a/tasks/lxc_pre_install.yml b/tasks/lxc_pre_install.yml index 9689cd0a..d1b1bead 100644 --- a/tasks/lxc_pre_install.yml +++ b/tasks/lxc_pre_install.yml @@ -32,14 +32,3 @@ - "{{ lxc_container_cache_path }}" tags: - lxc-directories - -- name: Drop lxc-net override file - template: - src: manual-init.override.j2 - dest: /etc/init/lxc-net.override - owner: root - group: root - mode: 0644 - tags: - - lxc-files - - lxc-config diff --git a/tasks/main.yml b/tasks/main.yml index 1206bc8c..6503f4a3 100644 --- a/tasks/main.yml 
+++ b/tasks/main.yml @@ -35,10 +35,23 @@ with_first_found: - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" - "{{ ansible_distribution | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml" - "{{ ansible_os_family | lower }}.yml" tags: - always +- name: Check init system + command: cat /proc/1/comm + register: _pid1_name + tags: + - always + +- name: Set the name of pid1 + set_fact: + pid1_name: "{{ _pid1_name.stdout }}" + tags: + - always + - include: lxc_pre_install.yml - include: lxc_install.yml - include: lxc_post_install.yml @@ -46,7 +59,6 @@ - include: lxc_net.yml - include: lxc_dnsmasq_cleanup.yml - include: lxc_cache.yml -- include: lxc_cache_preparation.yml - when: lxc_container_caches is defined + - name: Flush handlers meta: flush_handlers diff --git a/templates/default.conf.j2 b/templates/default.conf.j2 new file mode 100644 index 00000000..1e684443 --- /dev/null +++ b/templates/default.conf.j2 @@ -0,0 +1,5 @@ +lxc.network.type = {{ lxc_container_net_type }} +lxc.network.name = {{ lxc_container_net_name }} +lxc.network.link = {{ lxc_container_net_link }} +lxc.network.flags = up +lxc.network.hwaddr = 00:16:3e:xx:xx:xx \ No newline at end of file diff --git a/templates/lxc-net-ifcfg-bridge.cfg.j2 b/templates/lxc-net-ifcfg-bridge.cfg.j2 new file mode 100644 index 00000000..8f6f374d --- /dev/null +++ b/templates/lxc-net-ifcfg-bridge.cfg.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +DEVICE={{ lxc_net_bridge }} +TYPE=Bridge +IPADDR={{ lxc_net_address }} +NETMASK={{ lxc_net_netmask }} +{% if lxc_net_gateway is not none %} +GATEWAY={{ lxc_net_gateway }} +{% endif %} +{% if lxc_net_mtu is defined %} +MTU={{ lxc_net_mtu }} +{% endif %} +ONBOOT=yes +BOOTPROTO=none +NM_CONTROLLED=no +DELAY=0 +STP=no diff --git a/templates/lxc-resolve-base.j2 b/templates/lxc-resolve-base.j2 deleted file mode 100644 index a1556f88..00000000 --- a/templates/lxc-resolve-base.j2 +++ /dev/null 
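Review bot: `Check init system` runs `cat /proc/1/comm` only to read a value, yet as a `command` task it reports `changed` on every run and is skipped in check mode, which leaves `_pid1_name` undefined for `Set the name of pid1`; `changed_when: false` and `always_run: yes` (the 1.9 spelling) address both. The new `with_first_found` entry built from `ansible_distribution_version.split('.')[0]` will raise on a host where that fact is missing, but that is a pre-existing property of the lookup rather than something this line introduces.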
@@ -1,3 +0,0 @@ -{% for item in lxc_cache_resolvers %} -{{ item }} -{% endfor %} diff --git a/templates/sources.list.j2 b/templates/sources.list.j2 deleted file mode 100644 index fa9a336b..00000000 --- a/templates/sources.list.j2 +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} -deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }} {{ lxc_container_template_apt_components | join(" ") }} -deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-updates {{ lxc_container_template_apt_components | join(" ") }} -deb {{ lxc_container_template_main_apt_repo }} {{ lxc_container_release }}-backports {{ lxc_container_template_apt_components | join(" ") }} -deb {{ lxc_container_template_security_apt_repo }} {{ lxc_container_release }}-security {{ lxc_container_template_apt_components | join(" ") }} diff --git a/tests/files/container-file-copy-test.txt b/tests/files/container-file-copy-test.txt index 0541c930..0a68a484 100644 --- a/tests/files/container-file-copy-test.txt +++ b/tests/files/container-file-copy-test.txt @@ -1 +1 @@ -This is a test file to verify that the container cache file copy worked. +This is a test file to verify that the container cache file copy worked. \ No newline at end of file diff --git a/tests/files/expected-lxc-net-bridge.cfg b/tests/files/expected-lxc-net-bridge.cfg deleted file mode 100644 index 4b7cb59d..00000000 --- a/tests/files/expected-lxc-net-bridge.cfg +++ /dev/null @@ -1,15 +0,0 @@ -auto lxcbr0 -iface lxcbr0 inet static - address 10.100.100.1 - netmask 255.255.255.0 - # dnsmasq start and stop - post-up /usr/local/bin/lxc-system-manage iptables-create - post-up /usr/local/bin/lxc-system-manage dnsmasq-start || true - post-down /usr/local/bin/lxc-system-manage iptables-remove - post-down /usr/local/bin/lxc-system-manage dnsmasq-stop - bridge_fd 0 - bridge_maxwait 0 - bridge_ports none - bridge_hello 2 - bridge_maxage 12 - bridge_stp off 
diff --git a/tests/test.yml b/tests/test.yml index c6759f9b..dafbbcd3 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -17,9 +17,14 @@ hosts: localhost connection: local pre_tasks: + - name: Show host facts + debug: + var: hostvars - name: First ensure apt cache is always refreshed apt: update_cache: yes + when: + - ansible_pkg_mgr == 'apt' - name: Ensure root ssh key user: name: "{{ ansible_env.USER | default('root') }}" 
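Review bot: `debug: var: hostvars` prints every variable of every host — including `ansible_env`, which this play already reads for `ansible_env.USER`, and anything sensitive held in inventory — into the CI log. Limit it to what the test needs, e.g. `var: ansible_distribution` or the `lxc_cache_map` selected for the host, or drop the task. If a broad dump is wanted for troubleshooting, gate it with the `verbosity:` option of `debug` so it is off by default.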
@@ -46,43 +51,34 @@ - src: files/container-file-copy-test.txt dest: /tmp/file-copied-from-deployment-host.txt post_tasks: - - name: Open sysctl file - slurp: - src: /etc/sysctl.conf - register: sysctl_file - - name: Read files - set_fact: - sysctl_content: "{{ sysctl_file.content | b64decode }}" - - name: Check for container tar - stat: - path: /var/cache/lxc_trusty.tgz - register: container_tar_file - - name: Check for container cache dir - stat: - path: /var/cache/lxc/trusty/rootfs-amd64/ - register: container_cache_dir + - name: Get sysctl content + shell: | + cat /etc/sysctl.conf + register: sysctl_content - name: Check for lxc bridge stat: path: /sys/class/net/lxcbr0/bridge/bridge_id register: lxc_bridge_file - name: Check dnsmasq is running shell: ps auxfww | grep -w 'dnsmasq -u lxc-dnsmasq' - - name: Get deployed interface file contents, without Ansible managed line + - name: DEBIAN - Get deployed interface file contents, without Ansible managed line shell: | cat /etc/network/interfaces.d/lxc-net-bridge.cfg | tail -n +3 - register: interface_file - - name: Get expected interface file contents + register: _debian_interface_file + when: ansible_os_family | lower == "debian" + - name: DEBIAN - interface file fact + set_fact: + interface_file: "{{ _debian_interface_file.stdout }}" + when: ansible_os_family | lower == "debian" + - name: RHEL - Get deployed interface file contents, without Ansible managed line shell: | - cat files/expected-lxc-net-bridge.cfg - register: expected_interface_file - - name: Get the deployed test file from the container cache - slurp: - src: /var/cache/lxc/trusty/rootfs-amd64/tmp/file-copied-from-deployment-host.txt - register: copied_file - - name: Get the expected test file which should have been copied - slurp: - src: files/container-file-copy-test.txt - register: expected_copied_file + cat /etc/sysconfig/network-scripts/ifcfg-lxcbr0 | tail -n +3 + register: _rhel_interface_file + when: ansible_os_family | lower == "redhat" + - 
name: RHEL - interface file fact + set_fact: + interface_file: "{{ _rhel_interface_file.stdout }}" + when: ansible_os_family | lower == "redhat" - name: Get bridge interface facts setup: filter: ansible_lxcbr0 @@ -90,10 +86,9 @@ - name: Check role functions assert: that: - - "'fs.inotify.max_user_instances' in sysctl_content" + - interface_file | search('.*lxcbr0.*') + - interface_file | search('.*10.100.100.1.*') + - interface_file | search('.*255.255.255.0.*') + - sysctl_content.stdout | search('fs.inotify.max_user_instances.*') - "lxc_bridge_file.stat.exists" - - "container_cache_dir.stat.isdir" - - "container_tar_file.stat.exists" - - "interface_file.stdout | match(expected_interface_file.stdout)" - - "copied_file.content | match(expected_copied_file.content)" - "lxcbr0_facts.ansible_facts.ansible_lxcbr0.ipv4.address | match('10.100.100.1')" diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml new file mode 100644 index 00000000..86a102c5 --- /dev/null +++ b/vars/redhat-7.yml 
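Review bot: `shell: | cat /etc/sysctl.conf` replaces the previous `slurp` read with a shell pipeline purely to obtain the file's text; `command: cat /etc/sysctl.conf` (or the original `slurp`) avoids the shell, and `changed_when: false` stops the read from being reported as a change — the same applies to the two `cat ... | tail -n +3` tasks in this hunk. `interface_file` is only set on the Debian and RedHat branches, so on any other `ansible_os_family` the later assert fails on an undefined variable rather than with a clear message; an explicit `fail` task with a `when` on unsupported families, or an `assert` that `interface_file is defined`, would make that visible.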
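Review bot: The new assertions `search('.*10.100.100.1.*')` and `search('.*255.255.255.0.*')` use unescaped dots and no boundary, so `10.100.100.10` or `110.100.100.1` would also pass; escape the dots and bound the match, e.g. `- interface_file | search('(^|\\D)10\\.100\\.100\\.1(\\D|$)')`, and drop the redundant `.*` since `search` is already unanchored. The rewrite also removed the `copied_file` / `expected_copied_file` comparison while `pre_tasks` in this file still seeds `lxc_container_cache_files` with `files/container-file-copy-test.txt`, so the file-copy feature is now exercised but never verified; either re-add a check against the new cache location or drop the fixture.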
@@ -0,0 +1,70 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +lxc_download_url: "https://linuxcontainers.org/downloads/lxc/lxc-1.0.8.tar.gz" + +# Required rpm packages. +lxc_packages: + - '@Development Tools' + - automake + - autoconf + - bridge-utils + - debootstrap + - docbook2X + - dnsmasq + - git + - libseccomp + - libseccomp-devel + - libcap-devel + - libselinux + - libselinux-devel + - python-devel + - python34-libs + - python34-devel + - pkgconfig + - redhat-lsb + - xz + +lxc_cache_map: + distro: centos + arch: amd64 + release: 7 + cache_packages: + - openssh-server + - sudo + repos: {} + cache_base_commands: | + rm /etc/resolv.conf + {% for resolver in lxc_cache_resolvers %} + echo "{{ resolver }}" | tee -a /etc/resolv.conf + {% endfor %} + {{ lxc_cache_install_command }} wget python2 + rm -f /usr/bin/python + ln -s /usr/bin/python2.7 /usr/bin/python + /usr/bin/wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -O /tmp/epel-release-latest-7.noarch.rpm + /usr/bin/rpm -ivh /tmp/epel-release-latest-7.noarch.rpm || true + cache_post_commands: | + yum clean all + +lxc_cache_install_command: "yum install -y" + +pip_install_options: > + --global-option=build_ext + --global-option="-L/opt/lxc_embedded/x86_64-linux-gnu/" + --global-option="-I/opt/lxc_embedded/include/" + +lxc_cached_network_interfaces: + - src: "lxc-net-ifcfg-bridge.cfg.j2" + dest: "/etc/sysconfig/network-scripts/ifcfg-lxcbr0" 
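Review bot: `cache_base_commands` fetches `epel-release-latest-7.noarch.rpm` with `wget` and installs it with `rpm -ivh ... || true`, so the package is taken from the network with no checksum or GPG-key verification and any failure is silenced; installing it from the signed CentOS extras repository, `{{ lxc_cache_install_command }} epel-release`, or running `rpm -K` on the download before `rpm -ivh`, keeps the image build verifiable and lets a failed install surface. `lxc_download_url` pins `lxc-1.0.8.tar.gz` but no checksum is defined alongside it in this file; if the fetching task (not visible here) uses `get_url`, a companion variable such as `lxc_download_checksum: "sha256:<EXPECTED_DIGEST_PLACEHOLDER>"` lets it verify the tarball. `release: 7` is parsed as an integer; quote it as `release: "7"` to match the string releases in the Ubuntu maps.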
diff --git a/vars/ubuntu-14.04.yml b/vars/ubuntu-14.04.yml index 95e60689..52c5f0d4 100644 --- a/vars/ubuntu-14.04.yml +++ b/vars/ubuntu-14.04.yml @@ -18,17 +18,13 @@ cache_timeout: 600 # Container repos lxc_container_template_main_apt_repo: "https://mirror.rackspace.com/ubuntu" -lxc_container_template_security_apt_repo: "https://mirror.rackspace.com/ubuntu" +lxc_container_template_security_apt_repo: "{{ lxc_container_template_main_apt_repo }}" lxc_container_template_apt_components: - main - universe -# Default image to build from -lxc_container_release: trusty -lxc_container_user_name: ubuntu - # Required apt packages. -lxc_apt_packages: +lxc_packages: - apparmor - apparmor-utils - bridge-utils 
@@ -45,11 +41,91 @@ lxc_apt_packages: - lxc-templates - python-dev - python3-lxc + - pxz -# Commands to run against cached LXC image -lxc_cache_commands: - - apt-get update - - apt-get -y upgrade - - apt-get -y install python2.7 - - rm -f /usr/bin/python - - ln -s /usr/bin/python2.7 /usr/bin/python +lxc_cache_map: + distro: ubuntu + arch: amd64 + release: trusty + cache_packages: + - bridge-utils + - bsdmainutils + - build-essential + - cgmanager + - cgmanager-utils + - cgroup-lite + - comerr-dev + - curl + - debconf-utils + - debhelper + - dh-apparmor + - gettext + - gir1.2-glib-2.0 + - git + - groff-base + - intltool-debian + - iptables + - iso-codes + - krb5-multidev + - libcgmanager-dev + - libdbus-1-dev + - libdbus-glib-1-2 + - libdevmapper-event1.02.1 + - libexpat1-dev + - libffi-dev + - libpq-dev + - libpq5 + - libpython-dev + - libxml2-dev + - libxslt1-dev + - libxslt1.1 + - lvm2 + - openssh-server + - python-apt + - python-apt-common + - python-dev + - python-pycurl + - python-software-properties + - python3-apt + - python3-dbus + - python3-gi + - python3-minimal + - python3-pycurl + - python3-software-properties + - software-properties-common + - sqlite3 + - ssh + - sshpass + - time + repos: + "/etc/apt/sources.list": | + deb {{ lxc_container_template_main_apt_repo }} trusty {{ lxc_container_template_apt_components | join(' ') }} + deb {{ lxc_container_template_main_apt_repo }} trusty-updates {{ lxc_container_template_apt_components | join(' ') }} + deb {{ lxc_container_template_main_apt_repo }} trusty-backports {{ lxc_container_template_apt_components | join(' ') }} + deb {{ lxc_container_template_security_apt_repo }} trusty-security {{ lxc_container_template_apt_components | join(' ') }} + cache_base_commands: | + rm /run/resolvconf/resolv.conf + # This enforces the resolvers from within the image + {% for resolver in lxc_cache_resolvers %} + echo "{{ resolver }}" | tee -a /run/resolvconf/resolv.conf + {% endfor %} + cp /run/resolvconf/resolv.conf 
/etc/resolvconf/resolv.conf.d/base + echo "# NONE" > /etc/resolvconf/resolv.conf.d/tail + echo "# NONE" > /etc/resolvconf/resolv.conf.d/original + # This is done because its possible the base repos being installed will use https + # and ansible needs access to python2.7 which the system may not have by default + {{ lxc_cache_install_command }} apt-transport-https python2.7 + apt-get -y upgrade + rm -f /usr/bin/python + ln -s /usr/bin/python2.7 /usr/bin/python + mkdir -p /root/.ssh + chmod 700 /root/.ssh + userdel --force --remove ubuntu || true + cache_post_commands: | + apt-get clean + +lxc_cache_install_command: "export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y" + +lxc_cached_network_interfaces: + - src: "lxc-net-bridge.cfg.j2" + dest: "/etc/network/interfaces.d/lxc-net-bridge.cfg" diff --git a/vars/ubuntu-16.04.yml b/vars/ubuntu-16.04.yml new file mode 100644 index 00000000..551a9499 --- /dev/null +++ b/vars/ubuntu-16.04.yml 
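Review bot: `cache_packages` for trusty bakes roughly fifty packages into every container base image — compilers (`build-essential`), dev headers (`libpq-dev`, `libxml2-dev`, `libffi-dev`), `git` and `sshpass` — whereas the xenial map added in vars/ubuntu-16.04.yml lists only `openssh-server`; if the trusty list is carried over from the old cache-preparation flow rather than required by consumers of the image, trimming it shrinks the image and the software present in every container. `rm /run/resolvconf/resolv.conf` at the top of `cache_base_commands` has no `-f`, so a base image where that file is absent aborts the block on its first line if the runner executes it with errexit (the runner is not visible here); `rm -f` matches the later `rm -f /usr/bin/python`.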
@@ -0,0 +1,84 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## APT Cache Options +cache_timeout: 600 + +# Container repos +lxc_container_template_main_apt_repo: "https://mirror.rackspace.com/ubuntu" +lxc_container_template_security_apt_repo: "{{ lxc_container_template_main_apt_repo }}" + +lxc_container_template_apt_components: + - main + - universe + +# Required apt packages. +lxc_packages: + - apparmor + - apparmor-utils + - bridge-utils + - cgmanager + - cgroup-lite + - debootstrap + - dnsmasq + - git + - irqbalance + - language-pack-en + - liblxc1 + - lxc + - lxc-dev + - lxc-templates + - python-dev + - python3-lxc + - pxz + +lxc_cache_map: + distro: ubuntu + arch: amd64 + release: xenial + cache_packages: + - openssh-server + repos: + "/etc/apt/sources.list": | + deb {{ lxc_container_template_main_apt_repo }} xenial {{ lxc_container_template_apt_components | join(' ') }} + deb {{ lxc_container_template_main_apt_repo }} xenial-updates {{ lxc_container_template_apt_components | join(' ') }} + deb {{ lxc_container_template_main_apt_repo }} xenial-backports {{ lxc_container_template_apt_components | join(' ') }} + deb {{ lxc_container_template_security_apt_repo }} xenial-security {{ lxc_container_template_apt_components | join(' ') }} + cache_base_commands: | + rm /run/resolvconf/resolv.conf + # This enforces the resolvers from within the image + {% for resolver in lxc_cache_resolvers %} + echo "{{ resolver }}" | tee 
-a /run/resolvconf/resolv.conf + {% endfor %} + cp /run/resolvconf/resolv.conf /etc/resolvconf/resolv.conf.d/base + echo "# NONE" > /etc/resolvconf/resolv.conf.d/tail + echo "# NONE" > /etc/resolvconf/resolv.conf.d/original + # This is done because its possible the base repos being installed will use https + # and ansible needs access to python2.7 which the system may not have by default + {{ lxc_cache_install_command }} apt-transport-https python2.7 + apt-get -y upgrade + rm -f /usr/bin/python + ln -s /usr/bin/python2.7 /usr/bin/python + mkdir -p /root/.ssh + chmod 700 /root/.ssh + userdel --force --remove ubuntu || true + cache_post_commands: | + apt-get clean + +lxc_cache_install_command: "export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y" + +lxc_cached_network_interfaces: + - src: "lxc-net-bridge.cfg.j2" + dest: "/etc/network/interfaces.d/lxc-net-bridge.cfg"
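Review bot: `cache_base_commands`, `cache_post_commands`, `lxc_cache_install_command` and `lxc_cached_network_interfaces` here are a verbatim copy of the trusty values in vars/ubuntu-14.04.yml, so a fix to one (for example the `rm` without `-f` on the first line) will have to be made twice. Because `with_first_found` in tasks/main.yml loads only one vars file, the shared text would need to live in `defaults/main.yml` — e.g. a `lxc_cache_debian_base_commands` block referenced from both maps as `cache_base_commands: "{{ lxc_cache_debian_base_commands }}"` — leaving only `release`, `cache_packages` and the repo lines per version. The four `sources.list` lines also hard-code `xenial` while `release: xenial` sits a few lines above; rendering the release from one place avoids the two drifting apart on the next bump.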