--- # Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Ensure the lxc dnsmasq user exists user: name: "{{ lxc_net_dnsmasq_user }}" comment: "LXC dnsmasq" system: "yes" shell: "/bin/false" home: "/var/lib/lxc" tags: - lxc-dnsmasq-user - name: Drop base config file(s) template: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: "{{ item.owner|default('root') }}" group: "{{ item.group|default('root') }}" mode: "{{ item.mode|default('0644') }}" with_items: - { src: lxc-openstack.conf.j2, dest: "/etc/lxc/lxc-openstack.conf" } - { src: lxc.default.j2, dest: "{{ system_config_dir }}/lxc-net", mode: "0644" } - { src: lxc-system-manage.j2, dest: "/usr/local/bin/lxc-system-manage", mode: "0755" } tags: - lxc-files - lxc-config - name: Create machinectl base template copy: src: "lxc-machinectl.j2" dest: "/usr/share/lxc/templates/lxc-machinectl" owner: "root" group: "root" mode: "0755" - name: Drop lxc veth check script copy: src: "lxc-veth-check.sh" dest: "/usr/local/bin/lxc-veth-check" owner: "root" group: "root" mode: "0755" tags: - lxc-files - lxc-config - name: Set systemd DefaultTasksMax value lineinfile: dest: /etc/systemd/system.conf state: present regexp: "^.*DefaultTasksMax.*$" line: "DefaultTasksMax={{ lxc_default_tasks_max }}" when: - ansible_service_mgr == 'systemd' notify: - Reload systemd units tags: - lxc-config # NOTE(hwoarang): The previous task only affected newly created services. # However, for particular systemd versions like v228 the default one for # started scopes is 512 # See https://github.com/systemd/systemd/commit/9ded9cd14cc03c67291b10a5c42ce5094ba0912f # This has later been fixed in v231 # https://github.com/systemd/systemd/commit/79baeeb96d58676853521e10a358e85d83dac7f1 # The only way to change the value for already started services and scopes is # by using the sysfs interface. Moreover, it appears that lxc places itself into the # init.scope group which is being created during boot and as such it always uses # the default value. There are variours reports that the init.scope breaks things # for LXC such as # https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1497420 # https://github.com/lxc/lxc/issues/713 # https://bugs.archlinux.org/index.php?do=details&action=details.addvote&task_id=47303 # In any case, it's best to also edit the pids controller to ensure that a # better max value is used in the init.scope - name: Check that the init.scope support the pid controller stat: path: "/sys/fs/cgroup/pids/init.scope/pids.max" register: _init_scope_pid tags: - lxc-config - block: - name: Get init.scope pids.max value slurp: src: "/sys/fs/cgroup/pids/init.scope/pids.max" register: init_scope_cgroup_pids_max changed_when: false # NOTE(cloudnull): The "shell" module is being used instead of "copy" with # content as we need direct write access to the sysFS. - name: Set systemd pids.max in init.scope shell: "echo {{ lxc_default_tasks_max }} > /sys/fs/cgroup/pids/init.scope/pids.max" when: - (init_scope_cgroup_pids_max.content | b64decode) != lxc_default_tasks_max tags: - skip_ansible_lint rescue: - name: Notice regarding setting the init.scope/pids.max debug: msg: | Failed writing to "/sys/fs/cgroup/pids/init.scope/pids.max". While we prefer setting this option it's not required. See the following issues on why this is desired and what can be done when the cgroup hierarchy exists. * https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1497420 * https://github.com/lxc/lxc/issues/713 * https://bugs.archlinux.org/index.php?do=details&action=details.addvote&task_id=47303 when: _init_scope_pid.stat.exists tags: - lxc-config # Ensure apparmor reindex runs before other things that may fail - meta: flush_handlers - include_tasks: lxc_selinux.yml when: - ansible_selinux.status == "enabled"