--- # Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Install yum packages yum: pkg: "{{ item }}" state: present register: install_packages until: install_packages|success retries: 5 delay: 2 with_items: "{{ lxc_hosts_distro_packages }}" tags: - lxc-packages - name: Create base directories file: path: "/opt/lxc_embedded" state: "directory" owner: "root" group: "root" tags: - lxc-directories - name: download file with sha256 check get_url: url: "{{ lxc_download_url }}" dest: "/opt/lxc_embedded/{{ lxc_download_url | basename }}" checksum: "sha256:{{ lxc_sha256sum }}" register: source_download tags: - lxc-source - lxc-source-download - name: Move lxc cached image into place unarchive: src: "/opt/lxc_embedded/{{ lxc_download_url | basename }}" dest: "/opt/lxc_embedded/" copy: "no" when: source_download|changed tags: - lxc-source - lxc-source-unarchive # don't trigger ANSIBLE0016 - skip_ansible_lint - name: Create new linked lib location copy: content: "/opt/lxc_embedded/x86_64-linux-gnu" dest: "/etc/ld.so.conf.d/lxc-x86_64.conf" mode: "0644" tags: - lxc-source - lxc-ldconfig - name: Create python3 link file: src: /usr/bin/python3.4 dest: /usr/bin/python3 state: link tags: - lxc-source - name: Build and install LXC command: '{{ item }}' args: creates: /opt/lxc_embedded/bin/lxc-ls chdir: "/opt/lxc_embedded/{{ lxc_download_url | basename | replace('.tar.gz', '') }}" environment: PYTHONDEV_CFLAGS: "-I/usr/include/python3.4m" PYTHONDEV_LIBS: "-lpython3.4m" changed_when: false with_items: - ./autogen.sh - ./configure --prefix=/opt/lxc_embedded --libdir=/opt/lxc_embedded/x86_64-linux-gnu --libexecdir=/opt/lxc_embedded/x86_64-linux-gnu --with-rootfs-path=/opt/lxc_embedded/x86_64-linux-gnu/lxc --sysconfdir=/etc --localstatedir=/var --with-config-path=/var/lib/lxc --with-distro={{ ansible_distribution | lower }} --with-init-script=systemd --enable-seccomp --enable-python --enable-doc --enable-rpath --enable-selinux --enable-capabilities --enable-configpath-log --disable-tests --disable-lua - make - make install tags: - lxc-source - lxc-source-compile - name: Ensure embedded LXC is within the PATH lineinfile: dest: "{{ item.dest }}" line: "{{ item.line }}" create: "true" with_items: - { dest: "/etc/profile.d/lxc-path.sh", line: "pathmunge /opt/lxc_embedded/bin" } tags: - lxc-source - lxc-path - name: Remove sub system lock if found file: path: "/var/lock/subsys/lxc" state: "absent" owner: "root" group: "root" tags: - lxc-directories - name: Drop post up script copy: content: | #!/usr/bin/env bash if [ "${DEVICE}" == "{{ lxc_net_bridge }}" ];then if [ "{{ lxc_net_nat }}" == "True" ];then /usr/local/bin/lxc-system-manage iptables-create /usr/local/bin/lxc-system-manage dnsmasq-start || true fi fi dest: "/etc/sysconfig/network-scripts/ifup-post-{{ lxc_net_bridge }}" owner: "root" group: "root" mode: "0755" tags: - lxc-post-up - name: Drop post down script copy: content: | #!/usr/bin/env bash if [ "${DEVICE}" == "{{ lxc_net_bridge }}" ];then if [ "{{ lxc_net_nat }}" == "True" ];then /usr/local/bin/lxc-system-manage dnsmasq-stop /usr/local/bin/lxc-system-manage iptables-remove fi fi dest: "/etc/sysconfig/network-scripts/ifdown-post-{{ lxc_net_bridge }}" owner: "root" group: "root" mode: "0755" tags: - lxc-post-down - name: Create networking post-up data lineinfile: dest: "{{ item.dest }}" line: "{{ item.line }}" insertbefore: "^exit\ 0$" with_items: - dest: "/etc/sysconfig/network-scripts/ifup-post" line: ". /etc/sysconfig/network-scripts/ifup-post-{{ lxc_net_bridge }}" tags: - lxc-post-up - name: Create networking post-down data lineinfile: dest: "{{ item.dest }}" line: "{{ item.line }}" insertbefore: "^exit\ 0$" with_items: - dest: "/etc/sysconfig/network-scripts/ifdown-post" line: ". /etc/sysconfig/network-scripts/ifdown-post-{{ lxc_net_bridge }}" tags: - lxc-post-down - name: Link embedded lxc to python3 shell: > find /opt/lxc_embedded/lib64/python3.4/site-packages/* -maxdepth 0 | xargs -n1 ln -sf args: chdir: /usr/lib64/python3.4 changed_when: false tags: - lxc-links - name: Run ldconfig to make sure all libs are linked command: ldconfig -v changed_when: false tags: - lxc-links # This is needed because Ansible will not read an exported PATH and the default path is too restrictive - name: Update the sudoers defaults lineinfile: dest: /etc/sudoers state: present regexp: '{{ item.regexp }}' line: '{{ item.line }}' validate: 'visudo -cf %s' with_items: - regexp: '^Defaults.*env_reset.*' line: 'Defaults env_reset' - regexp: '^Defaults.*secure_path.*' line: 'Defaults secure_path="/opt/lxc_embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' tags: - lxc-path - name: Enable lxc service service: name: lxc enabled: "yes" - name: Create directory for compiling SELinux rule file: path: "/tmp/lxc-attach-selinux/" state: 'directory' mode: '0755' - name: Drop SELinux config copy: src: "lxc-attach.te" dest: "/tmp/lxc-attach-selinux/lxc-attach.te" owner: "root" group: "root" mode: "0755" - name: Compile and load SELinux module command: '{{ item }}' args: creates: '/etc/selinux/targeted/modules/active/modules/lxc-attach.pp' chdir: "/tmp/lxc-attach-selinux/" with_items: - make -f /usr/share/selinux/devel/Makefile - semodule -i /tmp/lxc-attach-selinux/lxc-attach.pp when: - ansible_selinux.status == "enabled"