15 Commits

Author SHA1 Message Date
Jesse Pretorius
bb2e7a08a0 Revise container DNS resolution implementation
The current LXC cache preparation copies the DNS resolver config
from the host into the container.

When the host has been set up with a DNS caching system like 'unbound'
running on it, the host's resolv.conf contains only a localhost
nameserver entry which will not work from inside the container.

The Ubuntu containers use resolvconf by default. Resolvconf gathers
the DNS settings from each interface configured and compiles
/etc/resolv.conf from the interface information. This results in
a nameserver list which will start with the LXC dnsmasq service
which runs on lxcbr0. This service uses the host's DNS configuration
for name resolution.

In effect, therefore, when the containers use the DNS service on
lxcbr0, the host does the resolution and responds to the container.
This means far fewer moving parts and a far more predictable
implementation for name resolution.

This patch implements the changes necessary for this strategy to
work.

Change-Id: Ib139af5221dbb1f479ca068e472cf0e8aa828a8d
2016-08-17 18:42:05 +00:00
Kevin Carter
b1ab82b526 Added systemd resolver files to Ubuntu16.04 and RHEL7
This change adds the systemd resolver file to the `copy_from_host`
include list. This will ensure that all of the resolver information
on a given host is also present within a container.

Change-Id: I8cb6635f0021c65cf8245ca346c5effcd759115d
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-08-15 09:44:45 -05:00
Jesse Pretorius
d66cedcc15 Extend container prep to include default network interface
This patch implements the preparation commands from the
lxc-container-create role as this preparation is required
to be done for all containers and is not unique for each
container.

Change-Id: Ia8c0bb759b5df29f1b3a5e11230040ffc6e97362
2016-08-11 09:08:26 -05:00
Jesse Pretorius
6cbe56a090 Make backup directory in container cache
The /var/backup is created in all containers, so it should be created
in the container cache.

This also ensures that the bind mount to this directory can be done
when the container is first created.

Change-Id: I0e2922b31fe301002837e82970814fe8cbe6088a
2016-07-26 18:25:15 +00:00
Jesse Pretorius
a5e5567369 Improve LXC cache preparation process
Without this patch, any errors that happen during the
'apt-get update' execution will cause the 'apt-get install'
execution to never happen.

This patch implements the following:

- It sets the cache prep script to exit on error to ensure
  that the task fails if there is an error.

- It splits the upgrade and install command on to different
  lines to ensure that each command's success can be
  determined individually.

- It removes the clearing of the archive metadata introduced
  in https://review.openstack.org/310091 as this also removes
  apt lock files and other things which should not be removed.
  Removing all this is unnecessary with the new cache prep
  process and the 'apt-get clean' execution later clears the
  cache before it is packaged.

- It removes the copy of /etc/apt/sources.list.d/ from the host
  to prevent a situation where a host apt source requires
  additional packages to be installed (for example curl) and
  those packages can't be installed due to the 'apt-get update'
  command failing because the package to update the index is
  missing.

Change-Id: I07a864e4125a7fc076cbf5bf7380a8e34e6d2d7c
2016-06-23 11:43:34 -05:00
Michael Gugino
e00c385f7d Fix missing iptables in containers
On Ubuntu 16.04, iptables is not installed by default.

This patch ensures lxc hosts and containers have iptables
installed.

Change-Id: I31d367a840952c2e6a20730ce1ce1e049b44b419
2016-06-02 16:30:41 -04:00
Michael Gugino
64b3a43b94 Fix missing /run/resolvconf/resolv.conf in trusty/xenial
Ubuntu 14/16.04 links /etc/resolv.conf to
/run/resolvconf/resolv.conf.  This results in a
failure of rsync to copy the contents of the
lxc host's resolv.conf contents into the container
template, and only recreates the link.

This commit adds the necessary files from /run/resolvconf
to the container template to allow for proper domain
resolution during template modification.

The sync command from the tasks/lxc_cache_preparation.yml file
now ensures a source exists prior to running the sync. This is
needed because of differences in the gate vs what is seen in
production. Additionally the item variables in the sync command
have been quoted they can not be escaped.

Change-Id: I58c9a81306922f9e587e1ed3a7a2693c64bfec3c
2016-06-01 22:44:47 +00:00
Jesse Pretorius
f11bbc4f34 Make the LXC cache prep use the host resolver config
Currently the container cache preparation process uses a list of
resolver addresses in order to prepare the container DNS resolution
configuration.

This presents a few problems:
- The default value is set to Google's DNS addresses, which may not
  be accessible from a deployer's environment. This will cause an
  installation to fail and the deployer will have to dig around to
  find out why. This is counterintuitive - it would be better if the
  default process was to discover the host's configuration and to use
  that instead.
- Nothing other than a very simple resolv.conf can be implemented.
  Deployers may wish to implement more advanced settings such as
  timeouts and round-robin queries.

This patch changes the image cache preparation process to ensure that
the container resolver configuration matches that of the host. This is
simpler and more intuitive.

Change-Id: I66b448dee361e231d172eb278b290ec4dccfdf97
2016-05-27 16:21:07 +00:00
Jesse Pretorius
c2266350c8 Ensure that modified files are kept when installing/upgrading
In a situation where the LXC cache and the apt mirror used do
not have matching package versions, or where the host and the
LXC cache have mismatches, the 'apt-get upgrade' and/or
'apt-get install' actions can fail due to dpkg asking what to
do about the config file mismatches.

This patch ensures that dpkg knows what to do, which is to
keep the existing in-place file (the file copied from the
host). This ensures that whatever apt configuration was
implemented on the host is definitely used in the containers.

Change-Id: I1f8bc785a8acdac71f46eff0e0d9573ba5c62ab3
2016-05-26 16:38:00 +01:00
Jean-Philippe Evrard
81d904bc78 Include the apt keys from lxc host in cache generation
This generates apt key dump of the lxc host, copies it to the container,
loads it and then removes the temporary file for it.

All non-interactively.

This only applies for ubuntu {14,16}.04

Change-Id: I74650b5924cbe5ded16ce2dfa683e2c110c4e943
Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard@rackspace.co.uk>
2016-05-20 16:06:34 +00:00
Michael Gugino
0bc0844e96 Fix missing ca-certificates package
Occasionally during gate test, some containers
seem to be lacking or have an outdated 'ca-certificates'
package.

This patch adds ca-certificates to container cache prep
for the container build process.

Change-Id: Ib3613e4338e4dc7e2f1df75e842aa4213d207746
2016-05-19 14:56:41 -04:00
Jesse Pretorius
aca3d5e01d Make the LXC cache prep use the host package source config
Currently the container cache preparation process uses a pre-prepared
LXC base image which includes its own package repository configuration.

This presents a few problems:
- The first packages installed will make use of the base image's
  package repo configuration, resulting in a bypass of local mirrors
  to install the first set of packages.
- A set of vars need to be set in order to have the containers use a
  local mirror, otherwise it'll use the mirrors set in the role's vars
  files. This is counterintuitive.

Another problem introduced by I95c210c83ca968d11ba6f6a36b634bb798fa291f
as a result of the package repository vars moving from the role defaults
to the vars files is that the precedence has changed. The change in
precedence means that a task which sets a fact can't be used to override
the defaults set in the vars file. This method is used in all the role
tests to ensure that the OpenStack-CI repositories can be discovered from
the host and then used.

This patch changes the image cache preparation process to ensure that
the container package repository configuration matches the host
configuration. This is simpler and more intuitive.

Additionally the copy task from the deployment host into the container
cache is set to assume the same destination in the container as the
source (to reduce configuration verbosity), appropriately sets the
leading '0' for the mode (to prevent unexpected surprises), and
appropriately quotes the variable (to ensure forward compatibility
with Ansible 2.0).

Finally, the use of lxc_container_caches in the test configuration
has been removed as it is no longer used.

Change-Id: I420382fd3bbbb5fcae90ae0c6160233202a1a51a
2016-05-18 18:14:17 +01:00
Kyle L. Henderson
756c4cb6c3 Implement Ubuntu support on ppc64le
This commit allows the functional tests to pass on ppc64 with
Ubuntu. It uses a dict to map the architecture of the platform to
the appropriate repo url.  One thing to note is that ansible reports
the architecture as ppc64le while the distro uses ppc64el.

Change-Id: I99ce6b6f84b3ddff5486debbb1a26e1ba7d7d17e
2016-05-09 11:00:21 -05:00
Charles Farquhar
a2bcc99dfa Clear apt lists in LXC image before apt-get update
When using an Ubuntu mirror that is different from the mirror used
to build the LXC image, differences in the mirror metadata can result
in a "Hash Sum mismatch" error during apt-get update.

Adding "rm -rf /var/lib/apt/lists/*" to lxc_cache_commands prevents
the problem.

Change-Id: I5fde7d0e7e84a6bd4f72dbf16d0fdfe423a2d715
Closes-Bug: 1574936
2016-05-03 08:51:14 -05:00
Kevin Carter
f5542103b3 Changed for lxc-host setup/build for multi-distro
This change updates the lxc-host setup role to build the lxc cache using the
download template based on default images found here: [0]. These images are
upstream builds from the greater LXC/D community.

This update adds support for Ubuntu 14.04, 16.04 and RHEL/CentOS 7 container
types and the cache will be generated from the host Operating system.

[0] - https://images.linuxcontainers.org/

Change-Id: Ie13be2322d28178760481c59805101d6aeef4f36
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-05-03 08:49:54 -05:00