The current LXC cache preparation copies the DNS resolver config
from the host into the container.
When the host has been set up with a DNS caching system like 'unbound'
running on it, the host's resolv.conf contains only a localhost
nameserver entry which will not work from inside the container.
The Ubuntu containers use resolvconf by default. Resolvconf gathers
the DNS settings from each interface configured and compiles
/etc/resolv.conf from the interface information. This results in
a nameserver list which will start with the LXC dnsmasq service
which runs on lxcbr0. This service uses the host's DNS configuration
for name resolution.
In effect, therefore, when the containers use the DNS service on
lxcbr0, the host does the resolution and responds to the container.
This means far fewer moving parts and a far more predictable
implementation for name resolution.
This patch implements the changes necessary for this strategy to
work.
Change-Id: Ib139af5221dbb1f479ca068e472cf0e8aa828a8d

This change adds the systemd resolver file to the `copy_from_host`
include list. This will ensure that all of the resolver information
on a given host is also present within a container.
Change-Id: I8cb6635f0021c65cf8245ca346c5effcd759115d
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

This patch implements the preparation commands from the
lxc-container-create role as this preparation is required
to be done for all containers and is not unique for each
container.
Change-Id: Ia8c0bb759b5df29f1b3a5e11230040ffc6e97362

The /var/backup is created in all containers, so it should be created
in the container cache.
This also ensures that the bind mount to this directory can be done
when the container is first created.
Change-Id: I0e2922b31fe301002837e82970814fe8cbe6088a

Without this patch, any errors that happen during the
'apt-get update' execution will cause the 'apt-get install'
execution to never happen.
This patch implements the following:
- It sets the cache prep script to exit on error to ensure
  that the task fails if there is an error.
- It splits the upgrade and install command on to different
  lines to ensure that each command's success can be
  determined individually.
- It removes the clearing of the archive metadata introduced
  in https://review.openstack.org/310091 as this also removes
  apt lock files and other things which should not be removed.
  Removing all this is unnecessary with the new cache prep
  process and the 'apt-get clean' execution later clears the
  cache before it is packaged.
- It removes the copy of /etc/apt/sources.list.d/ from the host
  to prevent a situation where a host apt source requires
  additional packages to be installed (for example curl) and
  those packages can't be installed due to the 'apt-get update'
  command failing because the package to update the index is
  missing.
Change-Id: I07a864e4125a7fc076cbf5bf7380a8e34e6d2d7c

On Ubuntu 16.04, iptables is not installed by default.
This patch ensures lxc hosts and containers have iptables
installed.
Change-Id: I31d367a840952c2e6a20730ce1ce1e049b44b419

Ubuntu 14.04/16.04 links /etc/resolv.conf to
/run/resolvconf/resolv.conf. This results in a
failure of rsync to copy the contents of the
lxc host's resolv.conf into the container
template, and only recreates the link.
This commit adds the necessary files from /run/resolvconf
to the container template to allow for proper domain
resolution during template modification.
The sync command from the tasks/lxc_cache_preparation.yml file
now ensures a source exists prior to running the sync. This is
needed because of differences in the gate vs what is seen in
production. Additionally the item variables in the sync command
have been quoted as they cannot be escaped.
Change-Id: I58c9a81306922f9e587e1ed3a7a2693c64bfec3c

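The two failure modes described in the commits above (the resolv.conf symlink that copies as a dangling link, and a host resolver that lists only a loopback nameserver because a local cache such as unbound is running) can be reproduced in a few lines of shell. The script below is an added example, not code from the lxc_hosts role: it builds a fixture host root shaped like Ubuntu 16.04 under a temporary directory, copies the resolver configuration into a second root the way a cache-preparation step would, and then checks whether the result would actually resolve names from inside a container. The HOST_ROOT and CACHE_ROOT layout, the fixture nameserver values and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the lxc_hosts role's own code): reproduces the
# resolv.conf symlink problem and adds the loopback-nameserver check that
# the 'unbound on the host' situation calls for. The roots used below are
# constructed fixtures under mktemp, never the real / of the machine.
set -eu

# copy_resolver_config HOST_ROOT CACHE_ROOT
# On Ubuntu 14.04/16.04 /etc/resolv.conf is a symlink to
# /run/resolvconf/resolv.conf. Copying only the link leaves a dangling
# symlink in the container cache, so the link target is copied as well.
copy_resolver_config() {
    host_root=$1
    cache_root=$2
    src="$host_root/etc/resolv.conf"

    mkdir -p "$cache_root/etc"
    if [ -L "$src" ]; then
        target=$(readlink "$src")
        case $target in
            /*) rel=${target#/} ;;       # absolute link: resolve it under host_root
            *)  rel="etc/$target" ;;     # relative link: it is resolved from /etc
        esac
        mkdir -p "$cache_root/$(dirname "$rel")"
        cp "$host_root/$rel" "$cache_root/$rel"
        rm -f "$cache_root/etc/resolv.conf"
        ln -s "$target" "$cache_root/etc/resolv.conf"
    else
        cp "$src" "$cache_root/etc/resolv.conf"
    fi
}

# resolved_resolver_file ROOT
# Prints the file /etc/resolv.conf resolves to, kept inside ROOT rather than
# following an absolute link out to the real filesystem.
resolved_resolver_file() {
    root=$1
    f="$root/etc/resolv.conf"
    if [ -L "$f" ]; then
        t=$(readlink "$f")
        case $t in
            /*) printf '%s\n' "$root/${t#/}" ;;
            *)  printf '%s\n' "$root/etc/$t" ;;
        esac
    else
        printf '%s\n' "$f"
    fi
}

# resolver_has_usable_nameserver FILE
# Succeeds only if FILE lists at least one nameserver that is not loopback.
# A host running unbound typically has only 'nameserver 127.0.0.1', which a
# container cannot reach, so copying that file verbatim breaks resolution.
resolver_has_usable_nameserver() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { found = 1 }
         END { exit !found }' "$1"
}

# make_fixture_host ROOT NAMESERVER
# Builds a constructed host root with the Ubuntu 16.04 resolvconf layout.
make_fixture_host() {
    mkdir -p "$1/etc" "$1/run/resolvconf"
    printf 'nameserver %s\nsearch example.test\n' "$2" \
        > "$1/run/resolvconf/resolv.conf"
    rm -f "$1/etc/resolv.conf"
    ln -s /run/resolvconf/resolv.conf "$1/etc/resolv.conf"
}

demo() {
    work=$(mktemp -d)
    make_fixture_host "$work/host" 127.0.0.1   # host running a local DNS cache
    copy_resolver_config "$work/host" "$work/cache"
    f=$(resolved_resolver_file "$work/cache")
    if resolver_has_usable_nameserver "$f"; then
        echo "ok: container resolver lists a reachable nameserver"
    else
        echo "warn: only loopback nameservers in $f;" \
             "containers should resolve via the dnsmasq on lxcbr0 instead"
    fi
    rm -rf "$work"
}
demo
```

The copy step mirrors what the commit does for /run/resolvconf, and the awk check is the test a cache-prep task can run before packaging the image: a resolver file that passes through unchanged from an unbound host will fail it, which is exactly the case the first commit on this page solves by letting the host answer queries on lxcbr0.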
Currently the container cache preparation process uses a list of
resolver addresses in order to prepare the container DNS resolution
configuration.
This presents a few problems:
- The default value is set to Google's DNS addresses, which may not
  be accessible from a deployer's environment. This will cause an
  installation to fail and the deployer will have to dig around to
  find out why. This is counterintuitive - it would be better if the
  default process was to discover the host's configuration and to use
  that instead.
- Nothing other than a very simple resolv.conf can be implemented.
  Deployers may wish to implement more advanced settings such as
  timeouts and round-robin queries.
This patch changes the image cache preparation process to ensure that
the container resolver configuration matches that of the host. This is
simpler and more intuitive.
Change-Id: I66b448dee361e231d172eb278b290ec4dccfdf97

In a situation where the LXC cache and the apt mirror used do
not have matching package versions, or where the host and the
LXC cache have mismatches, the 'apt-get upgrade' and/or
'apt-get install' actions can fail due to dpkg asking what to
do about the config file mismatches.
This patch ensures that dpkg knows what to do, which is to
keep the existing in-place file (the file copied from the
host). This ensures that whatever apt configuration was
implemented on the host is definitely used in the containers.
Change-Id: I1f8bc785a8acdac71f46eff0e0d9573ba5c62ab3

This generates apt key dump of the lxc host, copies it to the container,
loads it and then removes the temporary file for it.
All non-interactively.
This only applies for ubuntu {14,16}.04
Change-Id: I74650b5924cbe5ded16ce2dfa683e2c110c4e943
Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard@rackspace.co.uk>

Occasionally during gate test, some containers
seem to be lacking or have an outdated 'ca-certificates'
package.
This patch adds ca-certificates to container cache prep
for the container build process.
Change-Id: Ib3613e4338e4dc7e2f1df75e842aa4213d207746

Currently the container cache preparation process uses a pre-prepared
LXC base image which includes its own package repository configuration.
This presents a few problems:
- The first packages installed will make use of the base image's
  package repo configuration, resulting in a bypass of local mirrors
  to install the first set of packages.
- A set of vars need to be set in order to have the containers use a
  local mirror, otherwise it'll use the mirrors set in the role's vars
  files. This is counterintuitive.
Another problem introduced by I95c210c83ca968d11ba6f6a36b634bb798fa291f
as a result of the package repository vars moving from the role defaults
to the vars files is that the precedence has changed. The change in
precedence means that a task which sets a fact can't be used to override
the defaults set in the vars file. This method is used in all the role
tests to ensure that the OpenStack-CI repositories can be discovered from
the host and then used.
This patch changes the image cache preparation process to ensure that
the container package repository configuration matches the host
configuration. This is simpler and more intuitive.
Additionally the copy task from the deployment host into the container
cache is set to assume the same destination in the container as the
source (to reduce configuration verbosity), appropriately sets the
leading '0' for the mode (to prevent unexpected surprises), and
appropriately quotes the variable (to ensure forward compatibility
with Ansible 2.0).
Finally, the use of lxc_container_caches in the test configuration
has been removed as it is no longer used.
Change-Id: I420382fd3bbbb5fcae90ae0c6160233202a1a51a

This commit allows the functional tests to pass on ppc64 with
Ubuntu. It uses a dict to map the architecture of the platform to
the appropriate repo url. One thing to note is that ansible reports
the architecture as ppc64le while the distro uses ppc64el.
Change-Id: I99ce6b6f84b3ddff5486debbb1a26e1ba7d7d17e

When using an Ubuntu mirror that is different from the mirror used
to build the LXC image, differences in the mirror metadata can result
in a "Hash Sum mismatch" error during apt-get update.
Adding "rm -rf /var/lib/apt/lists/*" to lxc_cache_commands prevents
the problem.
Change-Id: I5fde7d0e7e84a6bd4f72dbf16d0fdfe423a2d715
Closes-Bug: 1574936

This change updates the lxc-host setup role to build the lxc cache using the
download template based on default images found here [0]. These images are
upstream builds from the greater LXC/D community.
This update adds support for Ubuntu 14.04, 16.04 and RHEL/CentOS 7 container
types and the cache will be generated from the host Operating system.
[0] - https://images.linuxcontainers.org/
Change-Id: Ie13be2322d28178760481c59805101d6aeef4f36
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>