├── doc ├── source │ ├── _static │ │ └── .gitkeep │ ├── index.rst │ └── conf.py ├── requirements.txt └── Makefile ├── templates ├── meta-data │ ├── expiry │ ├── templates │ ├── config │ ├── config.5 │ └── create-message ├── sudoers.j2 ├── systemd-overrides.conf.j2 ├── lxc-openstack-common.conf.j2 ├── irqbalance.j2 ├── lxc-openstack.conf.j2 ├── lxc-net.default.j2 ├── lxc.default.j2 ├── lxc-openstack.apparmor.j2 ├── prep-scripts │ ├── _container_sys_setup.sh.j2 │ ├── redhat_prep.sh.j2 │ └── debian_prep.sh.j2 ├── lxc-image-fetch-url.py.j2 └── lxc-system-manage.j2 ├── releasenotes ├── notes │ ├── .placeholder │ ├── ubuntu-s390x-0a561bc69354d48a.yaml │ ├── package-list-name-changes-e7a3fc551d742d23.yaml │ ├── lxc-install-from-pkg-centos-e38d351a3a9ac67e.yaml │ ├── ubuntu_ppc64le-581e5fcd5950186e.yaml │ ├── cache-packages-override-e89847687abddf34.yaml │ ├── lxc-net-ipv6-255787db5db6fc75.yaml │ ├── centos_copr-dca96bcade8cfb75.yaml │ ├── ssh-pub-key-check-c42309653dbe3493.yaml │ ├── copr-repo-priority-60b3603b0c1ff2f7.yaml │ ├── no_sshd_in_lxc-b73334d0c82470b4.yaml │ ├── lxc_net_manage_iptables-95e52387dcef0015.yaml │ ├── upgrade-lxc-4750ba9aea7b5cd1.yaml │ ├── lxc_image_url-a45e19531dc56ea4.yaml │ ├── lxc_centos_repo_list-34276eedd0a06560.yaml │ ├── add-ca-certs-2398cb4856356028.yaml │ ├── container-resolv-host-match-c6e3760cf4a8e5cd.yaml │ ├── lxc-cache-prep-timeout-97dc18882f7b1e76.yaml │ ├── remove-cache-map-8552368f6d7c604c.yaml │ ├── PermitRootLogin-chages-7ce97df6d612223e.yaml │ ├── lxc-cache-gpg-156169a867d4653f.yaml │ ├── drop-machinectl-5053dc9833535cd9.yaml │ ├── lxc_net_managed-7a898d07c240b424.yaml │ ├── fix_lxc_cache_expiration-1656b5758c4ec24e.yaml │ ├── remove-machinectl-workarounds-d67a4739f6385f54.yaml │ ├── dnsmasq-lxc-conflict-fix-c8968f6a16d033c6.yaml │ ├── separate-host-vars-0f4d4bd76124ae68.yaml │ ├── debootstrap_gpg_verify-dea6004d7f5d505c.yaml │ ├── container-repo-host-match-2be99b14642e0591.yaml │ ├── lxc_apparmor_issue-e25bbc97e7f2ba62.yaml │ 
├── opensuse-mirror-url-variable-6660f16c3e9bf1ff.yaml │ ├── networkmanager-compatibility-87c7c1c121469714.yaml │ ├── add-random-devices-38671b23cb1319b8.yaml │ ├── template-setup-70a3daadc2a9d93b.yaml │ ├── lxc-image-local-build-c58b17050e343039.yaml │ ├── base-container-overlayfs-ec7eeda2f5807e96.yaml │ ├── lxc-machinectl-template-9e65779a94cb767f.yaml │ ├── lxc_image_cache_server-f14701a7f8f4b8ca.yaml │ ├── package-state-c9c7e01e77b596d0.yaml │ ├── set-limit-enabled-25998f1f12987c12.yaml │ ├── centos-local-lxc-package-mirror-843e1ceac2469547.yaml │ ├── base-container-lvm-cow-2faa824f6cd4b083.yaml │ ├── set-limit-disabled-25998f1f12987c12.yaml │ ├── lxc_image_cache-f14701a7qw90al21.yaml │ └── lxc-host-setup-refactor-e43559764af67fea.yaml └── source │ ├── _static │ └── .placeholder │ ├── _templates │ └── .placeholder │ ├── unreleased.rst │ ├── zed.rst │ ├── train.rst │ ├── ussuri.rst │ ├── mitaka.rst │ ├── pike.rst │ ├── rocky.rst │ ├── stein.rst │ ├── queens.rst │ ├── newton.rst │ ├── ocata.rst │ ├── index.rst │ └── conf.py ├── tests ├── inventory ├── files │ └── container-file-copy-test.txt ├── ansible-role-requirements.yml └── test.yml ├── .gitreview ├── examples └── playbook.yml ├── README.rst ├── CONTRIBUTING.rst ├── meta ├── openstack-ansible.yml └── main.yml ├── zuul.d └── project.yaml ├── tasks ├── lxc_pre_install.yml ├── lxc_cache.yml ├── lxc_cache_rootfs.yml ├── lxc_install_apt.yml ├── main.yml ├── lxc_install_dnf.yml ├── lxc_post_install.yml ├── lxc_cache_create.yml ├── lxc_cache_preparation.yml └── lxc_net.yml ├── vars ├── debian-host.yml ├── redhat.yml ├── redhat-host.yml └── debian.yml ├── tox.ini ├── .gitignore ├── bindep.txt ├── handlers └── main.yml ├── files ├── lxc-veth-check.sh └── org.freedesktop.machine1.conf ├── defaults └── main.yml └── LICENSE /doc/source/_static/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/templates/meta-data/expiry: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /releasenotes/notes/.placeholder: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /releasenotes/source/_static/.placeholder: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /releasenotes/source/_templates/.placeholder: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /templates/meta-data/templates: -------------------------------------------------------------------------------- 1 | /etc/hostname 2 | /etc/hosts 3 | -------------------------------------------------------------------------------- /tests/inventory: -------------------------------------------------------------------------------- 1 | [all] 2 | localhost ansible_connection=local 3 | -------------------------------------------------------------------------------- /templates/sudoers.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | Defaults:root !requiretty 3 | -------------------------------------------------------------------------------- /tests/files/container-file-copy-test.txt: -------------------------------------------------------------------------------- 1 | This is a test file to verify that the container cache file copy worked. 
-------------------------------------------------------------------------------- /.gitreview: -------------------------------------------------------------------------------- 1 | [gerrit] 2 | host=review.opendev.org 3 | port=29418 4 | project=openstack/openstack-ansible-lxc_hosts.git 5 | -------------------------------------------------------------------------------- /templates/meta-data/config: -------------------------------------------------------------------------------- 1 | lxc.include = LXC_TEMPLATE_CONFIG/common.conf 2 | lxc.arch = {{ ansible_facts['architecture'] }} 3 | -------------------------------------------------------------------------------- /releasenotes/notes/ubuntu-s390x-0a561bc69354d48a.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - Add support for Ubuntu on IBM z Systems (s390x). 4 | -------------------------------------------------------------------------------- /templates/meta-data/config.5: -------------------------------------------------------------------------------- 1 | lxc.include = LXC_TEMPLATE_CONFIG/common.conf 2 | lxc.arch = {{ ansible_facts['architecture'] }} 3 | -------------------------------------------------------------------------------- /templates/systemd-overrides.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | [Manager] 4 | DefaultTasksMax={{ lxc_default_tasks_max }} 5 | -------------------------------------------------------------------------------- /examples/playbook.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Basic LXC host setup 3 | hosts: "hosts" 4 | user: root 5 | roles: 6 | - { role: "lxc_hosts" } 7 | -------------------------------------------------------------------------------- /releasenotes/source/unreleased.rst: -------------------------------------------------------------------------------- 1 | 
============================== 2 | Current Series Release Notes 3 | ============================== 4 | 5 | .. release-notes:: 6 | -------------------------------------------------------------------------------- /releasenotes/source/zed.rst: -------------------------------------------------------------------------------- 1 | ======================== 2 | Zed Series Release Notes 3 | ======================== 4 | 5 | .. release-notes:: 6 | :branch: unmaintained/zed 7 | -------------------------------------------------------------------------------- /releasenotes/source/train.rst: -------------------------------------------------------------------------------- 1 | ========================== 2 | Train Series Release Notes 3 | ========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/train 7 | -------------------------------------------------------------------------------- /releasenotes/notes/package-list-name-changes-e7a3fc551d742d23.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - The variable ``lxc_apt_packages`` has been renamed to 4 | ``lxc_hosts_distro_packages``. 5 | -------------------------------------------------------------------------------- /releasenotes/source/ussuri.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | Ussuri Series Release Notes 3 | =========================== 4 | 5 | .. release-notes:: 6 | :branch: stable/ussuri 7 | -------------------------------------------------------------------------------- /releasenotes/source/mitaka.rst: -------------------------------------------------------------------------------- 1 | ============================= 2 | Mitaka Series Release Notes 3 | ============================= 4 | 5 | .. 
release-notes:: 6 | :branch: origin/stable/mitaka 7 | -------------------------------------------------------------------------------- /releasenotes/source/pike.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Pike Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/pike 7 | -------------------------------------------------------------------------------- /releasenotes/source/rocky.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Rocky Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/rocky 7 | -------------------------------------------------------------------------------- /releasenotes/source/stein.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Stein Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/stein 7 | -------------------------------------------------------------------------------- /releasenotes/source/queens.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Queens Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: stable/queens 7 | -------------------------------------------------------------------------------- /releasenotes/source/newton.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Newton Series Release Notes 3 | =================================== 4 | 5 | .. 
release-notes:: 6 | :branch: origin/stable/newton 7 | -------------------------------------------------------------------------------- /releasenotes/source/ocata.rst: -------------------------------------------------------------------------------- 1 | =================================== 2 | Ocata Series Release Notes 3 | =================================== 4 | 5 | .. release-notes:: 6 | :branch: origin/stable/ocata 7 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc-install-from-pkg-centos-e38d351a3a9ac67e.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | LXC on CentOS is now installed via package from a COPR repository rather 5 | than installed from the upstream source. 6 | -------------------------------------------------------------------------------- /templates/lxc-openstack-common.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | {% for key, values in lxc_container_common_config.items() %} 4 | {% for value in values %} 5 | {{ key }} = {{ value }} 6 | {% endfor %} 7 | {% endfor %} 8 | -------------------------------------------------------------------------------- /releasenotes/notes/ubuntu_ppc64le-581e5fcd5950186e.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - Support had been added to allow the functional tests to pass when 4 | deploying on ppc64le architecture using the Ubuntu distributions. 
5 | 6 | 7 | -------------------------------------------------------------------------------- /releasenotes/notes/cache-packages-override-e89847687abddf34.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The ``lxc_cache_distro_packages`` has been moved to the role defaults from vars to enable 4 | easier overriding of the container cache package list. 5 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc-net-ipv6-255787db5db6fc75.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - IPv6 support has been added for the LXC bridge network. This can be 4 | configured using ``lxc_net6_address``, ``lxc_net6_netmask``, and 5 | ``lxc_net6_nat``. 6 | -------------------------------------------------------------------------------- /releasenotes/notes/centos_copr-dca96bcade8cfb75.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | EL does not need to carry the COPR repo to install LXC as LXC 5 | is now provided by EPEL. 6 | We remove the repository during upgrade and clean dnf metadata. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/ssh-pub-key-check-c42309653dbe3493.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - The check to validate whether an appropriate ssh public key 4 | is available to copy into the container cache has been 5 | corrected to check the deployment host, not the LXC host. 
6 | -------------------------------------------------------------------------------- /releasenotes/notes/copr-repo-priority-60b3603b0c1ff2f7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The COPR repository for installing LXC on CentOS 7 is now set to a higher 5 | priority than the default to ensure that LXC packages always come from the 6 | COPR repository. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/no_sshd_in_lxc-b73334d0c82470b4.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | SSHD and rsync are no longer installed or configured for all containers. 5 | This also deprecates usage of ``lxc_container_ssh_key``; the variable 6 | has no effect any longer. 7 | -------------------------------------------------------------------------------- /templates/irqbalance.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | #Configuration for the irqbalance daemon 4 | 5 | #Should irqbalance be enabled? 6 | ENABLED="1" 7 | 8 | #Balance the IRQs only once? 9 | ONESHOT="0" 10 | 11 | # Ignore hints 12 | OPTIONS="--hintpolicy=ignore" 13 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc_net_manage_iptables-95e52387dcef0015.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The variable ``lxc_net_manage_iptables`` has been added. This variable 4 | can be overridden by deployers if system wide iptables rules are already 5 | in place or managed by the deployer's choice. 
6 | -------------------------------------------------------------------------------- /releasenotes/notes/upgrade-lxc-4750ba9aea7b5cd1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - Hosts running LXC on Ubuntu 14.04 will now need to enable 4 | the "trusty-backports" repository. The backports repo on 5 | Ubuntu 14.04 is now required to ensure LXC is updated to 6 | the latest stable version. 7 | -------------------------------------------------------------------------------- /templates/lxc-openstack.conf.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | {% if ansible_facts['os_family'] | lower == 'debian' %} 4 | lxc.apparmor.profile = generated 5 | lxc.apparmor.allow_nesting = 1 6 | {% endif %} 7 | lxc.start.auto = 1 8 | lxc.start.delay = 15 9 | lxc.group = onboot 10 | lxc.group = openstack 11 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc_image_url-a45e19531dc56ea4.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | Since Ubuntu has dropped older base images, which resulted in all previous 5 | tags being broken, we've switched to always downloading the latest base image 6 | available. This should guarantee that we retrieve relevant images only. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc_centos_repo_list-34276eedd0a06560.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Added variables ``lxc_centos_repo_keys`` and ``lxc_centos_repos``, which 5 | allow supplying a list of repositories that will be added to lxc_host. 6 | By default, the role keeps installing the EPEL repository with its GPG key. 
7 | -------------------------------------------------------------------------------- /releasenotes/notes/add-ca-certs-2398cb4856356028.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - The ``ca-certificates`` package has been included in the LXC 4 | container build process in order to prevent issues related to 5 | trying to connect to public websites which make use of newer 6 | certificates than exist in the base CA certificate store. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/container-resolv-host-match-c6e3760cf4a8e5cd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - The LXC container cache preparation process now copies DNS 4 | resolution configuration from the host instead of implementing 5 | its own configuration. The ``lxc_cache_resolvers`` variable 6 | is therefore unnecessary and has been removed. 7 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc-cache-prep-timeout-97dc18882f7b1e76.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The maximum amount of time to wait until forcibly failing the 5 | LXC cache preparation process is now configurable using the 6 | ``lxc_cache_prep_timeout`` variable. The value is specified 7 | in seconds, with the default being 20 minutes. 
8 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-cache-map-8552368f6d7c604c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The variable lxc_cache_map is removed as the lxc_hosts ansible role 5 | has only been able to create containers matching the host architecture 6 | and OS for several releases, and lxc_cache_map simply carried copies 7 | of data from ansible_facts. 8 | -------------------------------------------------------------------------------- /releasenotes/source/index.rst: -------------------------------------------------------------------------------- 1 | ================================ 2 | OpenStack-Ansible Release Notes 3 | ================================ 4 | 5 | .. toctree:: 6 | :maxdepth: 1 7 | 8 | unreleased 9 | zed 10 | ussuri 11 | train 12 | stein 13 | rocky 14 | queens 15 | pike 16 | ocata 17 | newton 18 | mitaka 19 | -------------------------------------------------------------------------------- /releasenotes/notes/PermitRootLogin-chages-7ce97df6d612223e.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | security: 3 | - The PermitRootLogin in sshd_config changed from 'yes' 4 | to 'prohibit-password' in the containers. By default 5 | there is no password set in the containers but the ssh 6 | pub key from the deployment host is injected in the 7 | targets nodes authorized_keys. 8 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc-cache-gpg-156169a867d4653f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The lxc_hosts role can now make use of a primary and secondary gpg 4 | keyserver for gpg validation of the downloaded cache. 
Setting the 5 | servers to use can be done using the 6 | ``lxc_image_cache_primary_keyserver`` and 7 | ``lxc_image_cache_secondary_keyserver`` variables. 8 | -------------------------------------------------------------------------------- /templates/meta-data/create-message: -------------------------------------------------------------------------------- 1 | Created a {{ ansible_facts['distribution'] | lower }} container (release={{ ansible_facts['distribution_major_version'] }}, arch={{ lxc_architecture_mapping.get(ansible_facts['architecture']) }}, variant={{ lxc_cache_default_variant }}) 2 | 3 | Use lxc-attach or chroot directly into the rootfs to set a root password 4 | or create user accounts. 5 | -------------------------------------------------------------------------------- /releasenotes/notes/drop-machinectl-5053dc9833535cd9.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - | 4 | To provide compatibility with Centos-8 the LXC cache preparation has 5 | been greatly simplified to remove the requirement for machinectl and 6 | btrfs, which is a combination not available on Centos-8. This has 7 | the side effect of machinectl no longer being a supported backing 8 | store for LXC. 9 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc_net_managed-7a898d07c240b424.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The lxc_hosts role now supports the ability to omit lxc network 5 | interface deployment. The option `lxc_net_managed` is a Boolean 6 | operator and defaults to **true**. When this option is set to 7 | **false** the role will not deploy an interface file or attempt 8 | to manage the state of the interface. 
9 | -------------------------------------------------------------------------------- /tests/ansible-role-requirements.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: apt_package_pinning 3 | src: https://opendev.org/openstack/openstack-ansible-apt_package_pinning 4 | scm: git 5 | version: master 6 | - name: pip_install 7 | src: https://opendev.org/openstack/openstack-ansible-pip_install 8 | scm: git 9 | version: master 10 | - name: pki 11 | src: https://opendev.org/openstack/ansible-role-pki 12 | scm: git 13 | version: master 14 | -------------------------------------------------------------------------------- /releasenotes/notes/fix_lxc_cache_expiration-1656b5758c4ec24e.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Implemented variable ``lxc_image_cache_expiration`` that controls for how 5 | long a cached LXC image will be valid. Default value is `1year`. The variable 6 | format should be compatible with the community.general.to_time_unit filter. 7 | fixes: 8 | - | 9 | The LXC image cache expiration mechanism has been fixed. Previously LXC images were 10 | valid forever. 11 | -------------------------------------------------------------------------------- /releasenotes/notes/remove-machinectl-workarounds-d67a4739f6385f54.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - With the release of CentOS 7.6, deployments were breaking and becoming very 4 | slow when we restart dbus in order to catch some PolicyKit changes. However, 5 | those changes were never actually used so they were happening for no reason. 6 | We no longer make any modifications to the systemd-machined configuration 7 | and/or PolicyKit to maintain upstream compatibility. 
8 | -------------------------------------------------------------------------------- /templates/lxc-net.default.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | USE_LXC_BRIDGE="true" 4 | LXC_BRIDGE="{{ lxc_net_bridge }}" 5 | LXC_ADDR="{{ lxc_net_address }}" 6 | LXC_NETMASK="{{ lxc_net_netmask }}" 7 | LXC_NETWORK="${LXC_ADDR}/${LXC_NETMASK}" 8 | LXC_DHCP_RANGE="{{ lxc_net_dhcp_range }}" 9 | LXC_DHCP_MAX="{{ lxc_net_dhcp_max }}" 10 | LXC_DNSMASQ_USER="{{ lxc_net_dnsmasq_user }}" 11 | LXC_DHCP_CONFILE="{{ lxc_net_dhcp_config }}" 12 | LXC_DOMAIN="{{ lxc_net_domain }}" 13 | -------------------------------------------------------------------------------- /releasenotes/notes/dnsmasq-lxc-conflict-fix-c8968f6a16d033c6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | In Ubuntu the ``dnsmasq`` package actually includes 5 | init scripts and service configuration which 6 | conflict with LXC and are best not included. The 7 | actual dependent package is ``dnsmasq-base``. The 8 | package list has been adjusted and a task added 9 | to remove the ``dnsmasq`` package and purge the 10 | related configuration files from all LXC hosts. 11 | -------------------------------------------------------------------------------- /releasenotes/notes/separate-host-vars-0f4d4bd76124ae68.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The variable ``lxc_user_defined_container`` has been added to the lxc_hosts 4 | role allowing deployers to define the variable file loaded when preparing a 5 | base container image. This option defaults to using a base image most 6 | closely associated with the underlying OS however should a deployer need, 7 | this option can be used to customize the base container image for a given 8 | host. 
9 | -------------------------------------------------------------------------------- /releasenotes/notes/debootstrap_gpg_verify-dea6004d7f5d505c.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Added variable ``lxc_apt_mirror_gpg_check`` to either enforce or disable 5 | gpg check during LXC image preparation through debootstrap. It is enabled 6 | by default. 7 | 8 | - | 9 | Added variable ``lxc_apt_mirror_gpg_file`` which provides path on the 10 | remote host to GPG file location, against which to verify packages 11 | from ``lxc_apt_mirror`` during debootstrap process. 12 | -------------------------------------------------------------------------------- /releasenotes/notes/container-repo-host-match-2be99b14642e0591.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | The LXC container cache preparation process now copies package 5 | repository configuration from the host instead of implementing 6 | its own configuration. The following variables are therefore 7 | unnecessary and have been removed: 8 | 9 | * ``lxc_container_template_main_apt_repo`` 10 | * ``lxc_container_template_security_apt_repo`` 11 | * ``lxc_container_template_apt_components`` 12 | 13 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc_apparmor_issue-e25bbc97e7f2ba62.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | issues: 3 | - | 4 | It was discovered that LXC 5.0.3 in Ubuntu 24.04 (Noble Numbat) 5 | contains packaging issue resulting in apparmor profiling conflicts. 6 | A temporary workaround has been applied in ``lxc_hosts`` role to 7 | apply a hotfix to the profile. However, it will be wiped with the 8 | next update of ``liblxc-common`` package. 9 | Please, check the `bug #2110635 `_ 10 | for more details on the issue. 
11 | -------------------------------------------------------------------------------- /releasenotes/notes/opensuse-mirror-url-variable-6660f16c3e9bf1ff.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | Deployers can set ``lxc_hosts_opensuse_mirror_url`` to use their 5 | preferred mirror for the openSUSE repositories. They can also set the 6 | ``lxc_hosts_opensuse_mirror_obs_url`` if they want to set a different 7 | mirror for the OBS repositories. If they want to use the same mirror in 8 | both cases then they can leave the latter variable to its default value. 9 | The full list of mirrors and their capabilities can be obtained at 10 | http://mirrors.opensuse.org/ 11 | -------------------------------------------------------------------------------- /releasenotes/notes/networkmanager-compatibility-87c7c1c121469714.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - | 4 | The ``lxcbr0`` bridge now allows NetworkManager to control it, which 5 | allows for networks to start in the correct order when the system boots. 6 | In addition, the ``NetworkManager-wait-online.service`` is enabled to 7 | ensure that all services that require networking to function, such as 8 | ``keepalived``, will only start when network configuration is complete. 9 | These changes are only applied if a deployer is actively using 10 | NetworkManager in their environment. 11 | -------------------------------------------------------------------------------- /releasenotes/notes/add-random-devices-38671b23cb1319b8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fixes: 3 | - | 4 | Newer releases of CentOS ship a version of libnss that depends on the existence 5 | of /dev/random and /dev/urandom in the operating system in order to run. 
This 6 | causes a problem during the cache preparation process which runs inside chroot 7 | that does not contain this, resulting in errors with the following message. 8 | 9 | .. code-block:: text 10 | 11 | error: Failed to initialize NSS library 12 | 13 | This has been resolved by introducing a /dev/random and /dev/urandom inside 14 | the chroot-ed environment. 15 | -------------------------------------------------------------------------------- /releasenotes/notes/template-setup-70a3daadc2a9d93b.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | deprecations: 3 | - The option ``cache_prep_commands`` from ``lxc_cache_map`` has been 4 | removed. This option has been converted to a template file within 5 | the **lxc_hosts** role. In order to set specific cache commands within 6 | the template it is recommended that deployers set 7 | ``lxc_cache_prep_pre_commands`` or ``lxc_cache_prep_post_commands``. If the 8 | entire prep script needs to be overridden deployers can set 9 | ``lxc_cache_prep_template`` to the full local path of the prep template and 10 | the role will use this script irrespective of the base container type. 11 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc-image-local-build-c58b17050e343039.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - | 4 | All supported operating systems now build their LXC images locally on the 5 | lxc container hosts rather than relying on external pre-built base images. 6 | debootstrap and dnf are used on debian and Centos variants respectively. 7 | All variables controlling the download of images have been removed from 8 | the lxc_hosts role, and a new override, lxc_apt_mirror is added to allow 9 | local mirrors to be specified for debootstrap. 
Centos systems will use 10 | the mirror configuration already present on the host when building 11 | the container rootfs with dnf. 12 | -------------------------------------------------------------------------------- /releasenotes/notes/base-container-overlayfs-ec7eeda2f5807e96.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The container cache preparation process now allows ``overlayfs`` to be set 4 | as the ``lxc_container_backing_store``. When this is set a base container 5 | will be created using a name of the form 6 | ``-`distribution-release>`-``. 7 | The container will be stopped as it is not used for anything except to be 8 | a backing store for all other containers which will be based on a snapshot 9 | of the base container. The ``overlayfs`` backing store is not recommended 10 | to be used for production unless the host kernel version is 3.18 or 11 | higher. 12 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | OpenStack-Ansible LXC hosts 3 | =========================== 4 | 5 | Ansible role that configures a host for running LXC containers. 
6 | 7 | Documentation for the project can be found at: 8 | https://docs.openstack.org/openstack-ansible-lxc_hosts/latest 9 | 10 | Release notes for the project can be found at: 11 | https://docs.openstack.org/releasenotes/openstack-ansible-lxc_hosts/ 12 | 13 | The project source code repository is located at: 14 | https://opendev.org/openstack/openstack-ansible-lxc_hosts/ 15 | 16 | The project home is at: 17 | https://launchpad.net/openstack-ansible 18 | 19 | The bugs can be found at: 20 | https://bugs.launchpad.net/openstack-ansible 21 | -------------------------------------------------------------------------------- /CONTRIBUTING.rst: -------------------------------------------------------------------------------- 1 | The source repository for this project can be found at: 2 | 3 | https://opendev.org/openstack/openstack-ansible-lxc_hosts 4 | 5 | Pull requests submitted through GitHub are not monitored. 6 | 7 | To start contributing to OpenStack, follow the steps in the contribution guide 8 | to set up and use Gerrit: 9 | 10 | https://docs.openstack.org/contributors/code-and-documentation/quick-start.html 11 | 12 | Bugs should be filed on Launchpad: 13 | 14 | https://bugs.launchpad.net/openstack-ansible 15 | 16 | For more specific information about contributing to this repository, see the 17 | OpenStack-Ansible contributors guide: 18 | 19 | https://docs.openstack.org/openstack-ansible/latest/contributors/contributing.html 20 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc-machinectl-template-9e65779a94cb767f.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - A new LXC container template has been added which will allow us to better 4 | manage containers on the host machines we support. The new template uses 5 | the `machinectl` command to create container rootfs using the existing 6 | cache. 
This in-turn will provide easier management of container images, 7 | faster build times, and the ability to instantly clone a container (or a 8 | given variant) without impacting a container's state. This new lxc container 9 | create template, and the features it provides, will only impact new 10 | containers created allowing deployers to safely adopt this change in any 11 | existing environment. 12 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc_image_cache_server-f14701a7f8f4b8ca.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The variable ``lxc_image_cache_server_mirrors`` has been added to 4 | the "lxc_hosts" role. This is a list type variable and gives 5 | deployers the ability to specify multiple lxc-image mirrors at the 6 | same time. 7 | 8 | deprecations: 9 | - The variable ``lxc_image_cache_server`` has been deprecated in the 10 | "lxc_hosts" role. By default this value will pull the first item 11 | out of the ``lxc_image_cache_server_mirrors`` list which is only done 12 | for compatibility (legacy) purposes. The default string type 13 | variable, ``lxc_image_cache_server``, will be removed from the 14 | "lxc_hosts" role in the "R" release. 15 | -------------------------------------------------------------------------------- /doc/source/index.rst: -------------------------------------------------------------------------------- 1 | =========================== 2 | OpenStack-Ansible LXC hosts 3 | =========================== 4 | 5 | Ansible role that configures a host for running LXC containers. 6 | 7 | To clone or view the source code for this repository, visit the role repository 8 | for `lxc_hosts `_. 9 | 10 | Default variables 11 | ~~~~~~~~~~~~~~~~~ 12 | 13 | .. literalinclude:: ../../defaults/main.yml 14 | :language: yaml 15 | :start-after: under the License. 
16 | 17 | Dependencies 18 | ~~~~~~~~~~~~ 19 | 20 | This role needs pip >= 7.1 installed on the target host. 21 | 22 | Example playbook 23 | ~~~~~~~~~~~~~~~~ 24 | 25 | .. literalinclude:: ../../examples/playbook.yml 26 | :language: yaml 27 | -------------------------------------------------------------------------------- /releasenotes/notes/package-state-c9c7e01e77b596d0.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The lxc_hosts role now supports the ability to configure whether 4 | apt/yum tasks install the latest available package, or just ensure 5 | that the package is present. The default action is to ensure that 6 | the latest package is present. The action taken may be changed to 7 | only ensure that the package is present by setting 8 | ``lxc_hosts_package_state`` to ``present``. 9 | upgrade: 10 | - The lxc_hosts role always checks whether the latest package is 11 | installed when executed. If a deployer wishes to change the check to 12 | only validate the presence of the package, the option 13 | ``lxc_hosts_package_state`` should be set to ``present``. 14 | 15 | -------------------------------------------------------------------------------- /meta/openstack-ansible.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2017, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | # 16 | # (c) 2017, Jean-Philippe Evrard 17 | 18 | maturity_info: 19 | status: complete 20 | created_during: mitaka 21 | -------------------------------------------------------------------------------- /doc/requirements.txt: -------------------------------------------------------------------------------- 1 | # The order of packages is significant, because pip processes them in the order 2 | # of appearance. Changing the order has an impact on the overall integration 3 | # process, which may cause wedges in the gate later. 4 | 5 | # WARNING: 6 | # This file is maintained in the openstack-ansible-tests repository. 7 | # https://opendev.org/openstack/openstack-ansible-tests/src/branch/master/sync/doc/requirements.txt 8 | # If you need to modify this file, update the one in the 9 | # openstack-ansible-tests repository. Once it merges there, the changes will 10 | # automatically be proposed to all the repositories which use it. 11 | 12 | sphinx>=2.0.0,!=2.1.0 # BSD 13 | sphinxcontrib-svg2pdfconverter>=0.1.0 # BSD 14 | openstackdocstheme>=2.2.1 # Apache-2.0 15 | reno>=3.1.0 # Apache-2.0 16 | doc8>=0.6.0 # Apache-2.0 17 | -------------------------------------------------------------------------------- /releasenotes/notes/set-limit-enabled-25998f1f12987c12.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - An option to disable the ``machinectl`` quota system has been changed. The 4 | variable ``lxc_host_machine_quota_disabled`` is a Boolean with a default of 5 | **false**. When this option is set to **true** it will disable the 6 | ``machinectl`` quota system. 7 | - The options ``lxc_host_machine_qgroup_space_limit`` and 8 | ``lxc_host_machine_qgroup_compression_limit`` have been added allowing a 9 | deployer to set **qgroup** limits as they see fit. The default value for 10 | these options is "none" which is effectively **unlimited**. 
These options 11 | accept any nominal size value followed by the single letter type, example 12 | ``64G``. These options are only effective when the option 13 | ``lxc_host_machine_quota_disabled`` is set to **false**. 14 | -------------------------------------------------------------------------------- /releasenotes/notes/centos-local-lxc-package-mirror-843e1ceac2469547.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | other: 3 | - | 4 | CentOS deployments require a special COPR repository for modern LXC 5 | packages. The COPR repository is not mirrored at this time and this causes 6 | failed gate tests and production deployments. 7 | 8 | The role now syncs the LXC packages down from COPR to each host and builds 9 | a local LXC package repository in `/opt/thm-lxc2.0`. This greatly reduces 10 | the amount of times that packages must be downloaded from the COPR server 11 | during deployments, which will reduce failures until the packages can be 12 | hosted with a more reliable source. 13 | 14 | In addition, this should speed up playbook runs since ``yum`` can check a 15 | locally-hosted repository instead of a remote repository with availability 16 | and performance challenges. 17 | -------------------------------------------------------------------------------- /releasenotes/notes/base-container-lvm-cow-2faa824f6cd4b083.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The container cache preparation process now allows ``copy-on-write`` to be 4 | set as the ``lxc_container_backing_method`` when the 5 | ``lxc_container_backing_store`` is set to ``lvm``. When this is set a base 6 | container will be created using a name of the form 7 | ``-`distribution-release>`-``. 8 | The container will be stopped as it is not used for anything except to be 9 | a backing store for all other containers which will be based on a snapshot 10 | of the base container. 
11 | - When using copy-on-write backing stores for containers, the base container 12 | name may be set using the variable ``lxc_container_base_name`` which 13 | defaults to 14 | ``-`distribution-release>`-``. 15 | -------------------------------------------------------------------------------- /zuul.d/project.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2017, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | - project: 17 | templates: 18 | - openstack-ansible-linters-jobs 19 | - check-requirements 20 | - publish-openstack-docs-pti 21 | - build-release-notes-jobs-python3 22 | - openstack-ansible-deploy-infra_lxc-jobs 23 | - openstack-ansible-upgrade-infra_lxc-jobs 24 | - openstack-ansible-lxc-backingstore-jobs 25 | -------------------------------------------------------------------------------- /templates/lxc.default.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | # LXC_AUTO - whether or not to start containers at boot 4 | LXC_AUTO="true" 5 | 6 | # BOOTGROUPS - What groups should start on bootup? 7 | # Comma separated list of groups. 8 | # Leading comma, trailing comma or embedded double 9 | # comma indicates when the NULL group should be run. 
10 | # Example (default): boot the onboot group first then the NULL group 11 | BOOTGROUPS="onboot," 12 | 13 | # SHUTDOWNDELAY - Wait time for a container to shut down. 14 | # Container shutdown can result in lengthy system 15 | # shutdown times. Even 5 seconds per container can be 16 | # too long. 17 | SHUTDOWNDELAY="{{ lxc_container_shutdown_delay }}" 18 | 19 | # OPTIONS can be used for anything else. 20 | # If you want to boot everything then 21 | # options can be "-a" or "-a -A". 22 | OPTIONS= 23 | 24 | # STOPOPTS are stop options. They can be used for anything else needed to stop containers. 25 | # If you want to kill containers fast, use -k 26 | STOPOPTS="-a -A -s" 27 | 28 | USE_LXC_BRIDGE="false" # overridden in lxc-net 29 | 30 | [ ! -f /etc/default/lxc-net ] || . /etc/default/lxc-net 31 | -------------------------------------------------------------------------------- /tasks/lxc_pre_install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2014, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | - name: Create base directories 17 | ansible.builtin.file: 18 | path: "{{ item }}" 19 | state: "directory" 20 | owner: "root" 21 | group: "root" 22 | mode: "0755" 23 | with_items: 24 | - /etc/lxc 25 | - /usr/local/bin 26 | - /etc/network/interfaces.d 27 | - /etc/apparmor.d/lxc 28 | - /usr/share/lxc/templates 29 | - /openstack 30 | - /openstack/backup 31 | - /openstack/log 32 | - "{{ lxc_container_directory }}" 33 | - "{{ lxc_container_cache_path }}" 34 | tags: 35 | - lxc-directories 36 | -------------------------------------------------------------------------------- /templates/lxc-openstack.apparmor.j2: -------------------------------------------------------------------------------- 1 | # Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which 2 | # will source all profiles under /etc/apparmor.d/lxc 3 | 4 | profile lxc-openstack flags=(attach_disconnected,mediate_deleted) { 5 | #include 6 | 7 | # allow standard blockdevtypes. 8 | # The concern here is in-kernel superblock parsers bringing down the 9 | # host with bad data. However, we continue to disallow proc, sys, securityfs, 10 | # etc to nonstandard locations. 11 | mount fstype=ext* -> /**, 12 | mount fstype=nbd* -> /**, 13 | mount fstype=xfs -> /**, 14 | mount fstype=btrfs -> /**, 15 | mount fstype=vfat* -> /**, 16 | mount fstype=fuseblk -> /**, 17 | mount fstype=nbd* -> /**, 18 | mount fstype=nfs* -> /**, 19 | mount fstype=rpc_pipefs, 20 | mount fstype=devpts, 21 | 22 | # allow System access. 
23 | mount fstype=cgroup -> /sys/fs/cgroup/**, 24 | mount fstype=cgroup2 -> /sys/fs/cgroup/**, 25 | mount fstype=proc -> {{ lxc_container_cache_path }}/**, 26 | mount fstype=sysfs -> {{ lxc_container_cache_path }}/**, 27 | mount options=(rw,remount), 28 | mount options=(rw,bind) {{ lxc_container_cache_path }}/**/dev/shm/ -> {{ lxc_container_cache_path }}/**/run/shm/, 29 | } 30 | -------------------------------------------------------------------------------- /releasenotes/notes/set-limit-disabled-25998f1f12987c12.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | upgrade: 3 | - The variable ``lxc_host_machine_volume_size`` now accepts any valid size 4 | modifier acceptable by ``truncate -s`` and ``machinectl set-limit``. 5 | prior to this change the option assumed an integer was set for some value 6 | in gigabytes. All acceptable values can be seen within the 7 | `documentation for machinectl `_ 8 | features: 9 | - An option to disable the ``machinectl`` quota system has been added. The 10 | variable ``lxc_host_machine_quota_disabled`` is a Boolean with a default of 11 | **true**. When this option is set to **true** it will disable the 12 | ``machinectl`` quota system. 13 | other: 14 | - The variable ``lxc_host_machine_volume_size`` is used to set the size of 15 | the default sparse file as well as define a limit within the ``machinectl`` 16 | quota system. When the ``machinectl`` quota system is enabled deployers 17 | should appropriately set this value to the size of the container volume, 18 | even when not using a sparse file. 19 | - The container image cache within machinectl has been set to "64G" by 20 | default. 21 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2014, Rackspace US, Inc. 
3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | galaxy_info: 17 | author: rcbops 18 | description: Deployment of LXC hosts for use in Rackspace Private Cloud 19 | company: Rackspace 20 | license: Apache2 21 | role_name: lxc_hosts 22 | namespace: openstack 23 | min_ansible_version: "2.10" 24 | platforms: 25 | - name: Debian 26 | versions: 27 | - bullseye 28 | - name: Ubuntu 29 | versions: 30 | - jammy 31 | - name: EL 32 | versions: 33 | - "9" 34 | galaxy_tags: 35 | - cloud 36 | - lxc 37 | - development 38 | - openstack 39 | dependencies: 40 | - role: apt_package_pinning 41 | when: 42 | - ansible_facts['pkg_mgr'] == 'apt' 43 | -------------------------------------------------------------------------------- /templates/prep-scripts/_container_sys_setup.sh.j2: -------------------------------------------------------------------------------- 1 | 2 | # System containers will require mount points for the following 3 | mkdir -p /dev 4 | mkdir -p /proc 5 | mkdir -p /sys/fs/cgroup 6 | mkdir -p /dev/pts 7 | 8 | # gnupg requires this 9 | mkdir -p /root/.gnupg 10 | 11 | # In order for the package manager to function, /dev/null, /dev/random and 12 | # /dev/urandom must exist. This is done here because some images do not 13 | # create /dev/null by default. NOTE(review): the "chown 0666" / "chown 0000" calls that follow set the owner UID rather than the file mode; "chmod" appears to be the intended call — confirm before relying on the resulting device permissions. 14 | [ ! -e /dev/null ] && mknod /dev/null c 1 3 15 | chown 0666 /dev/null 16 | [ ! -e /dev/random ] && mknod /dev/random c 1 8 17 | chown 0666 /dev/random 18 | [ ! 
-e /dev/urandom ] && mknod /dev/urandom c 1 9 19 | chown 0666 /dev/urandom 20 | ln -sf /proc/self/fd /dev/fd 21 | 22 | for i in {0..5}; do 23 | [ ! -e "/dev/pts/$i" ] && mknod "/dev/pts/$i" c 136 $i 24 | chown 0666 "/dev/pts/$i" 25 | done 26 | # file check does not seem to work at all times 27 | [ ! -e /dev/ptmx ] && mknod /dev/ptmx c 5 2 || true 28 | chown 0666 /dev/ptmx 29 | [ ! -e /dev/pts/ptmx ] && mknod /dev/pts/ptmx c 5 2 30 | chown 0000 /dev/pts/ptmx 31 | 32 | # Create the directory where local facts will be stored 33 | mkdir -p /etc/ansible/facts.d 34 | 35 | # Create the cache resolvers 36 | rm /etc/resolv.conf || true 37 | {% for resolver in lxc_cache_prep_dns %} 38 | echo "nameserver {{ resolver }}" >> /etc/resolv.conf 39 | {% endfor %} 40 | -------------------------------------------------------------------------------- /vars/debian-host.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2019, VEXXHOST, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | ## APT Cache Options 17 | cache_timeout: 600 18 | 19 | # Required apt packages. 
20 | _lxc_hosts_distro_packages: 21 | - apparmor 22 | - apparmor-profiles 23 | - apparmor-utils 24 | - bridge-utils 25 | - btrfs-progs 26 | - dbus 27 | - debootstrap 28 | - dnsmasq-base 29 | - e2fsprogs 30 | - git 31 | - gzip 32 | - iptables 33 | - irqbalance 34 | - liblxc1 35 | - lxc 36 | - lxc-dev 37 | - lxc-templates 38 | - procps 39 | - python3-lxc 40 | - python3-dev 41 | - systemd-container 42 | - tar 43 | - xz-utils 44 | 45 | # Package to remove from the host 46 | lxc_hosts_remove_distro_packages: 47 | - dnsmasq 48 | 49 | lxc_ssh_service_name: ssh 50 | lxc_xz_bin: xz 51 | 52 | 53 | system_config_dir: "/etc/default" 54 | systemd_utils_prefix: "/lib/systemd" 55 | -------------------------------------------------------------------------------- /tox.ini: -------------------------------------------------------------------------------- 1 | [tox] 2 | minversion = 4.6.0 3 | skipsdist = True 4 | envlist = docs 5 | 6 | [testenv] 7 | usedevelop = False 8 | commands = 9 | /usr/bin/find . -type f -name "*.pyc" -delete 10 | passenv = 11 | COMMON_TESTS_PATH 12 | HOME 13 | http_proxy 14 | HTTP_PROXY 15 | https_proxy 16 | HTTPS_PROXY 17 | no_proxy 18 | NO_PROXY 19 | TESTING_BRANCH 20 | TESTING_HOME 21 | USER 22 | allowlist_externals = 23 | bash 24 | setenv = 25 | PYTHONUNBUFFERED=1 26 | ROLE_NAME=lxc_hosts 27 | TEST_IDEMPOTENCE=false 28 | VIRTUAL_ENV={envdir} 29 | WORKING_DIR={toxinidir} 30 | 31 | [testenv:docs] 32 | deps = 33 | -c{env:TOX_CONSTRAINTS_FILE:https://releases.openstack.org/constraints/upper/master} 34 | -r{toxinidir}/doc/requirements.txt 35 | commands = 36 | bash -c "rm -rf doc/build" 37 | doc8 doc 38 | sphinx-build -W --keep-going -b html doc/source doc/build/html 39 | 40 | [testenv:pdf-docs] 41 | deps = {[testenv:docs]deps} 42 | allowlist_externals = 43 | make 44 | commands = 45 | sphinx-build --keep-going -W -b latex doc/source doc/build/pdf 46 | make -C doc/build/pdf 47 | 48 | [doc8] 49 | # Settings for doc8: 50 | extensions = .rst 51 | 52 | 
[testenv:releasenotes] 53 | deps = {[testenv:docs]deps} 54 | commands = 55 | sphinx-build -a -E -W -d releasenotes/build/doctrees --keep-going -b html releasenotes/source releasenotes/build/html 56 | 57 | [testenv:venv] 58 | commands = 59 | {posargs} 60 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Add patterns in here to exclude files created by tools integrated with this 2 | # repository, such as test frameworks from the project's recommended workflow, 3 | # rendered documentation and package builds. 4 | # 5 | # Don't add patterns to exclude files created by preferred personal tools 6 | # (editors, IDEs, your operating system itself even). These should instead be 7 | # maintained outside the repository, for example in a ~/.gitignore file added 8 | # with: 9 | # 10 | # git config --global core.excludesfile '~/.gitignore' 11 | 12 | # Compiled source # 13 | ################### 14 | *.com 15 | *.class 16 | *.dll 17 | *.exe 18 | *.o 19 | *.so 20 | *.pyc 21 | build/ 22 | dist/ 23 | doc/build/ 24 | 25 | # Packages # 26 | ############ 27 | # it's better to unpack these files and commit the raw source 28 | # git has its own built in compression methods 29 | *.7z 30 | *.dmg 31 | *.gz 32 | *.iso 33 | *.jar 34 | *.rar 35 | *.tar 36 | *.zip 37 | 38 | # Logs and databases # 39 | ###################### 40 | *.log 41 | *.sql 42 | *.sqlite 43 | logs/* 44 | 45 | # OS generated files # 46 | ###################### 47 | ._* 48 | .ansible 49 | .tox 50 | *.egg-info 51 | .eggs 52 | 53 | # Generated by pbr while building docs 54 | ###################################### 55 | AUTHORS 56 | ChangeLog 57 | 58 | # Files created by releasenotes build 59 | releasenotes/build 60 | 61 | # Test temp files 62 | tests/common 63 | tests/*.retry 64 | 65 | # Vagrant artifacts 66 | .vagrant 67 | 68 | # Git clones 69 | openstack-ansible-ops 70 | previous 71 | 
-------------------------------------------------------------------------------- /templates/prep-scripts/redhat_prep.sh.j2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e -x 3 | 4 | {{ lxc_cache_prep_pre_commands }} 5 | 6 | {% include 'templates/prep-scripts/_container_sys_setup.sh.j2' %} 7 | 8 | if [[ -d "/etc/pki/rpm-gpg" ]]; then 9 | rpm --import /etc/pki/rpm-gpg/* || true 10 | fi 11 | 12 | # The containers do not need the LXC repository (only hosts need it). 13 | rm -f /etc/yum.repos.d/thm-lxc3.0* 14 | rm -f /etc/yum.repos.d/epel-lxc_hosts.repo 15 | # This repo should be installed from package, so requires extra vars to work properly 16 | rm -f /etc/yum.repos.d/CentOS-NFV-OpenvSwitch.repo 17 | 18 | # Create dnf transaction file and run it all at once 19 | echo "update" > /tmp/package-transaction.txt 20 | echo "install {{ lxc_cache_distro_packages | join(' ') }}" >> /tmp/package-transaction.txt 21 | echo "run" >> /tmp/package-transaction.txt 22 | dnf -y shell /tmp/package-transaction.txt 23 | rm -f /tmp/package-transaction.txt 24 | rm /etc/machine-id || true 25 | rm /var/lib/dbus/machine-id || true 26 | rm /etc/sysctl.d/* || true 27 | echo '' > /etc/sysctl.conf 28 | touch /etc/machine-id 29 | dnf clean all 30 | mkdir -p /var/backup 31 | chage -I -1 -d -1 -m 0 -M 99999 -E -1 root 32 | 33 | # Set the IP of the lxcbr0 interface as the DNS server 34 | echo "nameserver {{ lxc_net_address }}" > /etc/resolv.conf 35 | systemctl enable systemd-networkd 36 | systemctl enable systemd-resolved 37 | 38 | # Fully disable systemd-logind 39 | systemctl disable systemd-logind 40 | systemctl mask systemd-logind 41 | 42 | {{ lxc_cache_prep_post_commands }} 43 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc_image_cache-f14701a7qw90al21.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The 
option ``lxc_hosts_container_image_url`` has been added allowing 4 | deployers to define their base image url to whatever it needs to be 5 | removing the requirement for operators to maintain an internal LXC 6 | index in the event they want to host a private repository. 7 | - The option ``lxc_hosts_container_image_download_legacy`` has been 8 | added allowing a deployer to enable the use of the legacy lxc image 9 | repository. This option is a Boolean and has a default of **false**. 10 | deprecations: 11 | - The variable ``lxc_image_cache_server_mirrors`` has been deprecated 12 | in the "lxc_hosts" role. This option has been replaced by the static 13 | variable ``lxc_hosts_container_image_url``. This variable will continue 14 | to function as a single element list allowing existing automation to 15 | function when in legacy image mode but should not be considered in use 16 | by default. 17 | - The variable ``lxc_image_cache_server`` has been deprecated in the 18 | ``lxc_hosts`` role. This option has been replaced by the static 19 | variable ``lxc_hosts_container_image_url``. 20 | other: 21 | - The use of **images.linuxcontainers.org** is no longer required. While 22 | the images provided by that build system are perfectly functional they 23 | have been less than optimal in a lot ways for a very long time. The 24 | ``lxc_hosts`` role will now pull a base image from the upstream distro 25 | being deployed. If a deployer wishes to continue using the images from 26 | **images.linuxcontainers.org** they are welcome to but it is no longer 27 | forced. 28 | -------------------------------------------------------------------------------- /releasenotes/notes/lxc-host-setup-refactor-e43559764af67fea.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | features: 3 | - The ``lxc_host`` cache prep has been updated to use the LXC download 4 | template. 
This removes the last remaining dependency the project has on 5 | the `rpc-trusty-container.tgz image `_. 6 | - The ``lxc_host`` role will build lxc cache using the download 7 | template built from `images found here `_. 8 | These images are upstream builds from the greater LXC/D community. 9 | - The ``lxc_host`` role introduces support for CentOS 7 and Ubuntu 16.04 10 | container types. 11 | upgrade: 12 | - The ``lxc_host`` role no longer uses the distro specific lxc container 13 | create template. 14 | - | 15 | The following variable changes have been made in the ``lxc_host`` role: 16 | 17 | * **lxc_container_user_password**: Removed because the default lxc 18 | container user is no longer created by the lxc container template. 19 | * **lxc_container_template_options**: This option was renamed to 20 | *lxc_cache_download_template_options*. The deprecation filter was not 21 | used because the values provided from this option have been 22 | fundamentally changed and potentially old overrides will cause 23 | problems. 24 | * **lxc_container_base_delete**: Removed because the cache will be 25 | refreshed upon role execution. 26 | * **lxc_cache_validate_certs**: Removed because the Ansible ``get_url`` 27 | module is no longer used. 28 | * **lxc_container_caches**: Removed because the container create process 29 | will build a cached image based on the host OS. 30 | -------------------------------------------------------------------------------- /bindep.txt: -------------------------------------------------------------------------------- 1 | # This file facilitates OpenStack-CI package installation 2 | # before the execution of any tests. 
3 | # 4 | # See the following for details: 5 | # - https://docs.openstack.org/infra/bindep/ 6 | # - https://opendev.org/openstack-infra/bindep 7 | # 8 | # Even if the role does not make use of this facility, it 9 | # is better to have this file empty, otherwise OpenStack-CI 10 | # will fall back to installing its default packages which 11 | # will potentially be detrimental to the tests executed. 12 | # 13 | # Note: 14 | # This file is maintained in the openstack-ansible-tests repository. 15 | # https://opendev.org/openstack/openstack-ansible-tests/src/bindep.txt 16 | # If you need to remove or add extra dependencies, you should modify 17 | # the central file instead and once your change is accepted then update 18 | # this file as well. The purpose of this file is to ensure that Python and 19 | # Ansible have all their necessary binary requirements on the test host before 20 | # tox executes. Any binary requirements needed by services/roles should be 21 | # installed by those roles in their applicable package install tasks, not through 22 | # using this file. 23 | # 24 | 25 | # The gcc compiler 26 | gcc 27 | 28 | # Base requirements for Ubuntu 29 | git-core [platform:dpkg] 30 | libssl-dev [platform:dpkg] 31 | libffi-dev [platform:dpkg] 32 | python3 [platform:dpkg] 33 | python3-apt [platform:dpkg] 34 | python3-dev [platform:dpkg] 35 | 36 | # Base requirements for RPM distros 37 | gcc-c++ [platform:rpm] 38 | git [platform:rpm] 39 | libffi-devel [platform:rpm] 40 | openssl-devel [platform:rpm] 41 | python3-dnf [platform:fedora] 42 | python3-devel [platform:rpm] 43 | 44 | # For SELinux 45 | libselinux-python3 [platform:redhat] 46 | libsemanage-python3 [platform:redhat] 47 | iptables [platform:redhat] 48 | -------------------------------------------------------------------------------- /vars/redhat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2016, Rackspace US, Inc. 
3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | _lxc_cache_core_repos_list: 17 | centos: "centos-stream-release centos-stream-repos" 18 | rocky: "rocky-release rocky-repos" 19 | 20 | _lxc_cache_core_repos: "{{ _lxc_cache_core_repos_list.get(ansible_facts['distribution'] | lower) }}" 21 | 22 | _lxc_hosts_container_build_command: >- 23 | dnf --assumeyes --installroot=/var/lib/machines/{{ lxc_container_base_name }} install 24 | --setopt=install_weak_deps=False --nodocs rootfiles coreutils dnf {{ _lxc_cache_core_repos }} 25 | --releasever={{ ansible_facts['distribution_major_version'] }} 26 | 27 | _lxc_copy_from_host: 28 | - /etc/default/locale 29 | - /etc/environment 30 | - /etc/localtime 31 | - /etc/locale.conf 32 | - /etc/protocols 33 | - /etc/pki/rpm-gpg/ 34 | - /etc/yum.repos.d/ 35 | 36 | _lxc_cache_prep_template: "prep-scripts/redhat_prep.sh.j2" 37 | 38 | _lxc_cache_distro_packages: 39 | - ca-certificates 40 | - git-core # needed everywhere when wheel_build=false 41 | - gnupg2 42 | - iputils 43 | - iproute 44 | - libxml2 45 | - policycoreutils 46 | - procps 47 | - python3 48 | - python3-libs 49 | - python3-setuptools 50 | - setup 51 | - sudo 52 | - systemd 53 | - systemd-networkd 54 | - systemd-resolved 55 | - systemd-udev 56 | - tzdata 57 | -------------------------------------------------------------------------------- /vars/redhat-host.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2016, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | system_config_dir: "/etc/sysconfig" 17 | systemd_utils_prefix: "/lib/systemd" 18 | 19 | _lxc_hosts_epel_packages: 20 | - lxc* 21 | - python3-lxc 22 | 23 | lxc_centos_repo_keys: 24 | - key: "/etc/pki/rpm-gpg/{{ lxc_centos_epel_key | basename }}" 25 | url: "{{ lxc_centos_epel_key }}" 26 | state: present 27 | 28 | lxc_centos_repos: 29 | - name: epel-lxc_hosts 30 | baseurl: "{{ lxc_centos_epel_mirror ~ '/' ~ ansible_facts['distribution_major_version'] ~ '/Everything/' ~ ansible_facts['architecture'] }}" 31 | description: "Extra Packages for Enterprise Linux {{ ansible_facts['distribution_major_version'] }} - $basearch" 32 | gpgcheck: true 33 | gpgkey: "file:///etc/pki/rpm-gpg/{{ lxc_centos_epel_key | basename }}" 34 | enabled: true 35 | state: present 36 | includepkgs: "{{ lxc_hosts_epel_packages | join(' ') }}" 37 | 38 | # Required rpm packages. 
39 | _lxc_hosts_distro_packages: 40 | - dbus 41 | - dnsmasq 42 | - e2fsprogs 43 | - git-core 44 | - iptables 45 | - libseccomp 46 | - lxc 47 | - lxc-devel 48 | - lxc-libs 49 | - lxc-templates 50 | - policycoreutils-python-utils 51 | - procps 52 | - python3-lxc 53 | - systemd-container 54 | - tar 55 | - unzip 56 | - xz 57 | 58 | lxc_ssh_service_name: sshd 59 | 60 | lxc_xz_bin: xz 61 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2014, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | - name: Start apparmor 17 | ansible.builtin.systemd: 18 | name: "apparmor" 19 | enabled: true 20 | state: "started" 21 | 22 | - name: Reload apparmor 23 | ansible.builtin.systemd: 24 | name: "apparmor" 25 | state: "restarted" 26 | 27 | - name: Restart importd 28 | ansible.builtin.systemd: 29 | name: "systemd-importd.service" 30 | state: "restarted" 31 | 32 | - name: Restart irqbalance 33 | ansible.builtin.systemd: 34 | name: "irqbalance" 35 | state: "restarted" 36 | enabled: "yes" 37 | daemon_reload: true 38 | 39 | - name: Bring bridge up 40 | ansible.builtin.command: "ip link set {{ lxc_net_bridge }} up" # noqa: no-changed-when 41 | 42 | - name: Reload systemd units 43 | ansible.builtin.systemd: 44 | daemon_reload: true 45 | 46 | - name: Restart sshd 47 | ansible.builtin.service: 48 | name: "{{ lxc_ssh_service_name }}" 49 | state: "restarted" 50 | enabled: true 51 | 52 | - name: Remove rootfs archive 53 | ansible.builtin.file: 54 | path: "/tmp/{{ cache_basename }}" 55 | state: "absent" 56 | 57 | - name: Restart dnsmasq 58 | ansible.builtin.systemd: 59 | name: "lxc-dnsmasq" 60 | state: "restarted" 61 | enabled: "yes" 62 | daemon_reload: true 63 | register: _lxc_dnsmasq_systemd 64 | until: _lxc_dnsmasq_systemd is success 65 | retries: 5 66 | delay: 5 67 | -------------------------------------------------------------------------------- /tasks/lxc_cache.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2014, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | - name: Set LXC cache fact(s) 17 | ansible.builtin.set_fact: 18 | cache_path_fact: >- 19 | {{ lxc_container_cache_path ~ '/' ~ 20 | ansible_facts['distribution'] | lower ~ '/' ~ 21 | ansible_facts['distribution_major_version'] ~ '/' ~ 22 | lxc_architecture_mapping.get(ansible_facts['architecture']) ~ '/' ~ 23 | lxc_cache_default_variant }} 24 | cache_time: "{{ now().timestamp() }}" 25 | 26 | - name: Retrieve the expiry object 27 | ansible.builtin.slurp: 28 | src: "{{ cache_path_fact }}/expiry" 29 | failed_when: false 30 | register: expiry 31 | when: 32 | - not lxc_image_cache_refresh | bool 33 | tags: 34 | - always 35 | 36 | - name: Set cache refresh fact 37 | ansible.builtin.set_fact: 38 | lxc_image_cache_refresh: true 39 | when: 40 | - cache_time | int >= (expiry.content | default('MQo=') | b64decode | int) 41 | tags: 42 | - always 43 | 44 | - name: Including lxc_cache_rootfs tasks 45 | ansible.builtin.include_tasks: lxc_cache_rootfs.yml 46 | when: 47 | - lxc_image_cache_refresh | bool 48 | tags: 49 | - lxc_hosts-config 50 | 51 | - name: Including lxc_cache_preparation tasks 52 | ansible.builtin.include_tasks: lxc_cache_preparation.yml 53 | when: 54 | - lxc_image_cache_refresh | bool 55 | tags: 56 | - lxc_hosts-config 57 | 58 | - name: Including lxc_cache_create tasks 59 | ansible.builtin.include_tasks: lxc_cache_create.yml 60 | when: 61 | - lxc_image_cache_refresh | bool 62 | tags: 63 | - lxc_hosts-config 64 | -------------------------------------------------------------------------------- /tasks/lxc_cache_rootfs.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2020, BBC R&D 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | - name: Create sparse machines file 17 | ansible.builtin.command: "truncate -s 11G /var/lib/machines.raw" 18 | args: 19 | creates: /var/lib/machines.raw 20 | register: machines_create 21 | 22 | - name: Format the machines file 23 | community.general.filesystem: 24 | fstype: ext4 25 | dev: /var/lib/machines.raw 26 | when: 27 | - machines_create is changed 28 | 29 | - name: Create systemd mount 30 | ansible.builtin.import_role: 31 | name: systemd_mount 32 | vars: 33 | systemd_mounts: 34 | - what: "/var/lib/machines.raw" 35 | where: "/var/lib/machines" 36 | type: "ext4" 37 | options: "loop" 38 | unit: 39 | ConditionPathExists: 40 | - "/var/lib/machines.raw" 41 | state: "started" 42 | enabled: true 43 | 44 | - name: Remove the old image cache 45 | ansible.builtin.file: 46 | path: "/var/lib/machines/{{ lxc_container_base_name }}" 47 | state: absent 48 | when: 49 | - lxc_image_cache_refresh | bool 50 | 51 | - name: Create new image cache directory 52 | ansible.builtin.file: 53 | path: "/var/lib/machines/{{ lxc_container_base_name }}" 54 | state: directory 55 | mode: "0755" 56 | register: create_new_dir 57 | 58 | - name: Build the base image using a CLI tool 59 | ansible.builtin.command: "{{ lxc_hosts_container_build_command }}" 60 | when: lxc_hosts_container_build_command | length > 0 61 | changed_when: false 62 | register: _build_container_base_image 63 | until: _build_container_base_image is success 64 | retries: 5 65 | delay: 2 66 | -------------------------------------------------------------------------------- 
/vars/debian.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2016, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | _lxc_hosts_container_build_command: >- 17 | debootstrap --variant minbase 18 | --include ca-certificates 19 | {{ (lxc_apt_mirror_gpg_check | bool) | ternary('--force-check-gpg', '--no-check-gpg') }} 20 | {{ (lxc_apt_mirror_gpg_file | length > 0) | ternary('--keyring=' ~ lxc_apt_mirror_gpg_file, '') }} 21 | {{ ansible_facts['distribution_release'] }} 22 | /var/lib/machines/{{ lxc_container_base_name }} 23 | {{ lxc_apt_mirror }} 24 | 25 | _lxc_copy_from_host: 26 | - /etc/apt/sources.list 27 | - /etc/apt/sources.list.d/ 28 | - /etc/apt/apt.conf.d/ 29 | - /etc/apt/trusted.gpg.d/ 30 | - /etc/apt/trusted.gpg 31 | - /etc/apt/preferences.d/ 32 | - /etc/apt/mirrors/ 33 | - /etc/environment 34 | - /etc/localtime 35 | - /etc/protocols 36 | 37 | _lxc_cache_prep_template: "prep-scripts/debian_prep.sh.j2" 38 | 39 | _lxc_cache_distro_libpython: 40 | bullseye: libpython3.9 41 | jammy: libpython3.10 42 | bookworm: libpython3.11 43 | noble: libpython3.12 44 | trixie: libpython3.13 45 | 46 | _lxc_cache_need_systemd_resolved: >- 47 | {{ 48 | ansible_facts['distribution'] == 'Debian' or 49 | (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] is ansible.builtin.version('24', 'ge')) 50 | }} 51 | 52 | # This 
list should contain a minimum set of packages. Add extra packages via roles that require them. 53 | _lxc_cache_distro_packages: 54 | - ca-certificates 55 | - dbus 56 | - git # needed everywhere when wheel_build=false 57 | - iputils-ping 58 | - iproute2 59 | - libxml2 60 | - locales 61 | - netbase 62 | - procps # needed for sysctl-container.service 63 | - python3 64 | - "{{ _lxc_cache_distro_libpython[ansible_facts['distribution_release'] | lower] }}" 65 | - sudo 66 | - systemd 67 | - systemd-sysv 68 | - "{{ _lxc_cache_need_systemd_resolved | ternary('systemd-resolved', '') }}" 69 | - udev 70 | - tzdata 71 | -------------------------------------------------------------------------------- /templates/prep-scripts/debian_prep.sh.j2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e -x 3 | 4 | {{ lxc_cache_prep_pre_commands }} 5 | 6 | {% include 'templates/prep-scripts/_container_sys_setup.sh.j2' %} 7 | 8 | # remove configs that break containers (listchanges is missing) 9 | rm -f /etc/apt/apt.conf.d/20listchanges 10 | 11 | export DEBIAN_FRONTEND=noninteractive 12 | apt-get remove -y --purge snap* lxc* lxd* resolvconf* || true 13 | 14 | # Update base distribution 15 | apt-get update 16 | 17 | apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes eatmydata 18 | export LD_PRELOAD=/usr/lib/{{ ansible_facts['architecture'] }}-linux-gnu/libeatmydata.so 19 | 20 | # Chroots are built with update phasing disabled, so keep phasing disabled at runtime too (always include phased updates) to avoid package version errors 21 | echo "APT::Get::Always-Include-Phased-Updates \"true\";" | tee /etc/apt/apt.conf.d/95phased-updates 22 | 23 | apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes gnupg 24 | apt-get upgrade -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes 25 | apt-get install -y -o 
Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes {{ lxc_cache_distro_packages | join(' ') }} 26 | apt-get upgrade -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes 27 | rm /etc/machine-id || true 28 | rm /var/lib/dbus/machine-id || true 29 | touch /etc/machine-id 30 | rm /etc/sysctl.d/* || true 31 | echo '' > /etc/sysctl.conf 32 | mkdir -p /root/.ssh 33 | chmod 700 /root/.ssh 34 | userdel --force --remove ubuntu || true 35 | apt-get clean 36 | mkdir -p /var/backup 37 | mkdir -p /etc/network/interfaces.d 38 | chage -I -1 -d -1 -m 0 -M 99999 -E -1 root 39 | for action in disable mask; do 40 | systemctl ${action} resolvconf.service || true 41 | systemctl ${action} systemd-networkd-resolvconf-update.path || true 42 | systemctl ${action} systemd-networkd-resolvconf-update.service || true 43 | done 44 | 45 | {% for locale in lxc_cache_locales %} 46 | sed -i 's/^# *\({{ locale }}\)/\1/' /etc/locale.gen && locale-gen 47 | {% if loop.first | bool %} 48 | update-locale LANG={{ locale }} 49 | {% endif %} 50 | {% endfor %} 51 | 52 | # Set the IP of the lxcbr0 interface as the DNS server 53 | mkdir -p /etc/systemd/resolved.conf.d 54 | echo "[Resolve]" > /etc/systemd/resolved.conf.d/openstack-ansible.conf 55 | echo "DNS={{ lxc_net_address }}" >> /etc/systemd/resolved.conf.d/openstack-ansible.conf 56 | systemctl enable systemd-networkd 57 | {{ lxc_cache_prep_post_commands }} 58 | -------------------------------------------------------------------------------- /files/lxc-veth-check.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # This is a very simple script to search a host for containers that have veth pairs that are not 4 | # plugged into a given bridge. 
This can happen for a number of reasons; however, the most common 5 | # one is a physical network interface being bounced, which severs the container's connection 6 | # to that interface. This script will identify container veth pairs. If any of the container veth 7 | # devices are missing a master, the script will attempt to locate the container's network information 8 | # and reconnect the broken network link. 9 | 10 | # Do a simple lxc command check; if the client errors, assume it's not installed or ready and return 0 11 | lxc-ls --version || exit 0 12 | 13 | # Set the default script exit status 14 | exit_status=0 15 | # List all containers 16 | for container in $(lxc-ls); do 17 | # List Links for the containers 18 | for net_info in $(lxc-info -n "${container}" | awk '/Link/ {print $2}'); do 19 | # If the link information is a veth and does not have a "master" continue 20 | if ! ip -o -d link show "${net_info}" | grep veth | grep -q master; then 21 | # Search for the interface file that contains the veth 22 | lxc_interface_file=$(grep -l "\b${net_info}\b" /var/lib/lxc/${container}/{config,*.ini} | head -n 1) 23 | # If an interface file is found continue 24 | if [ ! -z "${lxc_interface_file}" ];then 25 | # Get the first network link line from the lxc configuration file 26 | veth_bridge_line=$(grep -hA10 ${net_info} "${lxc_interface_file}" | grep lxc.network.link | head -n 1) 27 | # If a network interface file has a link entry continue 28 | if [ ! 
-z "${veth_bridge_line}" ];then 29 | # get the link name 30 | veth_bridge=$(echo "${veth_bridge_line}" | awk -F'=' '{print $2}' | sed 's/\s//g') 31 | # Plug the veth into the link 32 | ip link set "${net_info}" master "${veth_bridge}" 33 | echo "container ${container} had a broken veth ${net_info} not being plugged into "${veth_bridge}": this issue is now resolved" 34 | else 35 | # Notify the user that the issues can not be automatically fixed for a given container and veth 36 | echo "container ${container} has a broken veth ${net_info} and an automated fix can not be found" 37 | # Because of the inability to resolve the issue automatically set the exit_status to failure 38 | exit_status=99 39 | fi 40 | fi 41 | fi 42 | done 43 | done 44 | exit "$exit_status" 45 | -------------------------------------------------------------------------------- /tasks/lxc_install_apt.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2016, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | - name: Remove conflicting packages 17 | ansible.builtin.apt: 18 | pkg: "{{ lxc_hosts_remove_distro_packages }}" 19 | state: absent 20 | purge: true 21 | tags: 22 | - lxc-apt-packages 23 | 24 | - name: Install apt packages 25 | ansible.builtin.apt: 26 | pkg: "{{ lxc_hosts_distro_packages }}" 27 | state: "{{ lxc_hosts_package_state }}" 28 | default_release: "{{ lxc_default_release | default(omit) }}" 29 | update_cache: true 30 | policy_rc_d: 101 31 | cache_valid_time: "{{ cache_timeout }}" 32 | register: install_packages 33 | until: install_packages is success 34 | retries: 5 35 | delay: 2 36 | tags: 37 | - lxc-apt-packages 38 | 39 | - name: Drop irqbalance config 40 | ansible.builtin.template: 41 | src: "irqbalance.j2" 42 | dest: "{{ system_config_dir }}/irqbalance" 43 | owner: "root" 44 | group: "root" 45 | mode: "0644" 46 | notify: 47 | - Restart irqbalance 48 | tags: 49 | - lxc-files 50 | - lxc-irqbalance 51 | - lxc_hosts-config 52 | 53 | - name: Drop lxc-openstack apparmor profile 54 | ansible.builtin.template: 55 | src: "lxc-openstack.apparmor.j2" 56 | dest: "/etc/apparmor.d/lxc/lxc-openstack" 57 | owner: "root" 58 | group: "root" 59 | mode: "0644" 60 | notify: 61 | - Start apparmor 62 | - Reload apparmor 63 | tags: 64 | - lxc-files 65 | - lxc-apparmor 66 | - lxc_hosts-config 67 | 68 | # NOTE: Addresses packaging bug https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2110635 69 | - name: Fix liblxc-common apparmor profiles 70 | ansible.builtin.lineinfile: 71 | path: /etc/apparmor.d/usr.bin.lxc-copy 72 | regexp: "^/usr/bin/lxc-start flags=" 73 | line: "/usr/bin/lxc-copy flags=(attach_disconnected) {" 74 | state: present 75 | when: 76 | - ansible_facts['distribution'] | lower == 'ubuntu' 77 | - ansible_facts['distribution_release'] == 'noble' 78 | notify: 79 | - Reload apparmor 80 | tags: 81 | - lxc-files 82 | - lxc-apparmor 83 | 84 | - name: Flush handler to reload apparmor profiles 85 | ansible.builtin.meta: flush_handlers 86 | 
-------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2014, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | - name: Gather variables for each operating system 17 | ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" 18 | vars: 19 | params: 20 | files: 21 | - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}-host.yml" 22 | - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}-host.yml" 23 | - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}-host.yml" 24 | - "{{ ansible_facts['distribution'] | lower }}-host.yml" 25 | - "{{ ansible_facts['os_family'] | lower }}-host.yml" 26 | paths: 27 | - "{{ role_path }}/vars" 28 | tags: 29 | - always 30 | 31 | - name: Gather container variables 32 | ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" 33 | vars: 34 | params: 35 | files: 36 | - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_version'] | lower }}.yml" 37 | - "{{ ansible_facts['distribution'] | lower }}-{{ ansible_facts['distribution_major_version'] | lower }}.yml" 38 | - "{{ ansible_facts['os_family'] | lower }}-{{ 
ansible_facts['distribution_major_version'] | lower }}.yml" 39 | - "{{ ansible_facts['distribution'] | lower }}.yml" 40 | - "{{ ansible_facts['os_family'] | lower }}-{{ ansible_facts['distribution_version'].split('.')[0] }}.yml" 41 | - "{{ ansible_facts['os_family'] | lower }}.yml" 42 | paths: 43 | - "{{ role_path }}/vars" 44 | tags: 45 | - always 46 | 47 | - name: Including lxc_pre_install tasks 48 | ansible.builtin.include_tasks: lxc_pre_install.yml 49 | tags: 50 | - lxc_hosts-install 51 | 52 | - name: Including lxc_install tasks 53 | ansible.builtin.include_tasks: "lxc_install_{{ ansible_facts['pkg_mgr'] }}.yml" 54 | tags: 55 | - lxc_hosts-install 56 | 57 | - name: Including lxc_post_install tasks 58 | ansible.builtin.include_tasks: lxc_post_install.yml 59 | tags: 60 | - lxc_hosts-config 61 | 62 | - name: Including lxc_net tasks 63 | ansible.builtin.include_tasks: lxc_net.yml 64 | when: 65 | - lxc_net_managed | bool 66 | tags: 67 | - lxc_hosts-config 68 | 69 | - name: Including lxc_cache tasks 70 | ansible.builtin.include_tasks: lxc_cache.yml 71 | tags: 72 | - lxc_hosts-install 73 | - lxc_hosts-config 74 | 75 | - name: Flush handlers 76 | ansible.builtin.meta: flush_handlers 77 | -------------------------------------------------------------------------------- /tasks/lxc_install_dnf.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2016, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | - name: Ensure createrepo package is installed 17 | ansible.builtin.dnf: 18 | name: createrepo 19 | state: present 20 | 21 | - name: If a keyfile is provided, copy gpg keyfiles to the key location 22 | ansible.builtin.copy: 23 | src: "{{ item.keyfile }}" 24 | dest: "{{ item.key }}" 25 | mode: "0644" 26 | loop: "{{ lxc_centos_repo_keys | selectattr('keyfile', 'defined') }}" 27 | loop_control: 28 | label: "{{ item.key }}" 29 | 30 | - name: If a key url is provided, download gpg keyfiles to the key location 31 | ansible.builtin.get_url: 32 | url: "{{ item.url }}" 33 | dest: "{{ item.key }}" 34 | mode: "0640" 35 | loop: "{{ lxc_centos_repo_keys | selectattr('url', 'defined') }}" 36 | loop_control: 37 | label: "{{ item.key }}" 38 | register: _get_yum_keys 39 | until: _get_yum_keys is success 40 | retries: 5 41 | delay: 2 42 | 43 | - name: Install gpg keys 44 | ansible.builtin.rpm_key: 45 | key: "{{ item.key }}" 46 | validate_certs: "{{ item.validate_certs | default(omit) }}" 47 | state: "{{ item.state | default('present') }}" 48 | loop: "{{ lxc_centos_repo_keys }}" 49 | loop_control: 50 | label: "{{ item.key }}" 51 | 52 | - name: Install required repositories 53 | ansible.builtin.yum_repository: 54 | name: "{{ item.name }}" 55 | baseurl: "{{ item.baseurl }}" 56 | description: "{{ item.description | default(omit) }}" 57 | gpgcheck: "{{ item.gpgcheck | default(omit) }}" 58 | gpgkey: "{{ item.gpgkey }}" 59 | enabled: "{{ item.enabled | default(true) }}" 60 | state: "{{ item.state | default('present') }}" 61 | includepkgs: "{{ item.includepkgs | default(omit) }}" 62 | register: install_repo 63 | until: install_repo is success 64 | retries: 5 65 | delay: 2 66 | loop: "{{ lxc_centos_repos }}" 67 | loop_control: 68 | label: "{{ item.name }}" 69 | 70 | - name: Install distro packages 71 | ansible.builtin.package: 72 | pkg: "{{ lxc_hosts_distro_packages }}" 
73 | state: "{{ lxc_hosts_package_state }}" 74 | register: install_packages 75 | until: install_packages is success 76 | retries: 5 77 | delay: 2 78 | tags: 79 | - lxc-packages 80 | 81 | - name: Remove sub system lock if found 82 | ansible.builtin.file: 83 | path: "/var/lock/subsys/lxc" 84 | state: "absent" 85 | owner: "root" 86 | group: "root" 87 | tags: 88 | - lxc-directories 89 | 90 | - name: Enable lxc service 91 | ansible.builtin.service: 92 | name: lxc 93 | enabled: "yes" 94 | tags: 95 | - lxc_hosts-config 96 | -------------------------------------------------------------------------------- /tasks/lxc_post_install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2016, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | 16 | - name: Ensure the lxc dnsmasq user exists 17 | ansible.builtin.user: 18 | name: "{{ lxc_net_dnsmasq_user }}" 19 | comment: "LXC dnsmasq" 20 | system: "yes" 21 | shell: "/bin/false" 22 | home: "/var/lib/lxc" 23 | tags: 24 | - lxc-dnsmasq-user 25 | 26 | - name: Drop base config file(s) 27 | ansible.builtin.template: 28 | src: "{{ item.src }}" 29 | dest: "{{ item.dest }}" 30 | owner: "{{ item.owner | default('root') }}" 31 | group: "{{ item.group | default('root') }}" 32 | mode: "{{ item.mode | default('0644') }}" 33 | with_items: 34 | - { src: lxc-openstack.conf.j2, dest: "/etc/lxc/lxc-openstack.conf" } 35 | - { src: lxc-net.default.j2, dest: "{{ system_config_dir }}/lxc-net", mode: "0644" } 36 | - { src: lxc.default.j2, dest: "{{ system_config_dir }}/lxc", mode: "0644" } 37 | - { src: lxc-openstack-common.conf.j2, dest: "/usr/share/lxc/config/common.conf.d/80-openstack-common.conf" } 38 | - { src: lxc-system-manage.j2, dest: "/usr/local/bin/lxc-system-manage", mode: "0755" } 39 | - { src: systemd-overrides.conf.j2, dest: "/etc/systemd/system.conf.d/osa-lxc-hosts.conf" } 40 | notify: 41 | - Reload systemd units 42 | tags: 43 | - lxc-files 44 | - lxc-config 45 | 46 | - name: Drop lxc veth check script 47 | ansible.builtin.copy: 48 | src: "lxc-veth-check.sh" 49 | dest: "/usr/local/bin/lxc-veth-check" 50 | owner: "root" 51 | group: "root" 52 | mode: "0755" 53 | tags: 54 | - lxc-files 55 | - lxc-config 56 | 57 | # NOTE: Remove this task after 2025.1 58 | - name: Remove DefaultTasksMax value from default config 59 | ansible.builtin.lineinfile: 60 | dest: /etc/systemd/system.conf 61 | state: absent 62 | regexp: "^.*DefaultTasksMax.*$" 63 | line: "DefaultTasksMax={{ lxc_default_tasks_max }}" 64 | when: 65 | - ansible_facts['service_mgr'] == 'systemd' 66 | notify: 67 | - Reload systemd units 68 | tags: 69 | - lxc-config 70 | 71 | - name: Set sshd MaxSessions 72 | ansible.builtin.lineinfile: 73 | dest: /etc/ssh/sshd_config 74 | state: present 75 | regexp: 
"^#?MaxSessions.*$" 76 | line: "MaxSessions 50" 77 | notify: 78 | - Restart sshd 79 | tags: 80 | - lxc-config 81 | 82 | - name: Tuning kernel for lxc 83 | ansible.posix.sysctl: 84 | name: "{{ item.key }}" 85 | value: "{{ item.value }}" 86 | sysctl_set: "{{ item.set | default('yes') }}" 87 | sysctl_file: "{{ lxc_sysctl_file }}" 88 | state: "{{ item.state | default('present') }}" 89 | reload: "{{ item.reload | default('yes') }}" 90 | failed_when: false 91 | with_items: "{{ lxc_kernel_options }}" 92 | -------------------------------------------------------------------------------- /tasks/lxc_cache_create.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2016, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | - name: Create LXC cache dir 17 | ansible.builtin.file: 18 | path: "{{ cache_path_fact }}" 19 | state: "directory" 20 | recurse: true 21 | 22 | - name: Remove existing cache archive 23 | ansible.builtin.file: 24 | path: "{{ cache_path_fact }}/rootfs.tar.xz" 25 | state: "absent" 26 | 27 | # This is using a shell command because the ansible archive module does not 28 | # provide for the options needed to properly create an LXC image archive. 29 | - name: Create lxc image 30 | ansible.builtin.shell: | 31 | tar -Opc -C {{ lxc_image_cache_path }} . 
| {{ lxc_xz_bin }} -T 0 -{{ lxc_image_compression_ratio }} -c - > rootfs.tar.xz 32 | args: 33 | chdir: "{{ cache_path_fact }}/" 34 | tags: 35 | - skip_ansible_lint 36 | 37 | - name: Drop container meta-data 38 | ansible.builtin.template: 39 | src: "meta-data/{{ item }}" 40 | dest: "{{ cache_path_fact }}/{{ item }}" 41 | owner: "root" 42 | group: "root" 43 | mode: "0644" 44 | with_items: 45 | - config 46 | - config.5 47 | - create-message 48 | - expiry 49 | - templates 50 | 51 | - name: Set expiry 52 | ansible.builtin.copy: 53 | content: "{{ cache_time | int + lxc_image_cache_expiration | community.general.to_seconds | int }}" 54 | dest: "{{ cache_path_fact }}/expiry" 55 | mode: "0644" 56 | 57 | - name: Set build ID 58 | ansible.builtin.copy: 59 | content: "{{ cache_time | int }}" 60 | dest: "{{ cache_path_fact }}/build_id" 61 | mode: "0644" 62 | 63 | - name: Create base container to use for containers with {{ lxc_container_backing_store }} 64 | community.general.lxc_container: 65 | name: "{{ lxc_container_base_name }}" 66 | template: "download" 67 | state: stopped 68 | backing_store: "{{ (lxc_container_backing_store == 'overlayfs') | ternary('dir', lxc_container_backing_store) }}" 69 | zfs_root: "{{ (lxc_container_backing_store == 'zfs') | ternary(lxc_container_zfs_root_name, omit) }}" 70 | template_options: "{{ lxc_cache_download_template_options }}" 71 | register: cache_download 72 | retries: 3 73 | delay: 10 74 | until: cache_download is success 75 | 76 | - name: Set the qgroup limits for btrfs 77 | when: 78 | - lxc_container_backing_store == 'btrfs' 79 | block: 80 | - name: Set the qgroup size|compression limits on machines 81 | ansible.builtin.command: "btrfs qgroup limit {{ item }} /var/lib/lxc/{{ lxc_container_base_name }}" 82 | changed_when: false 83 | with_items: 84 | - "-e {{ lxc_host_machine_qgroup_space_limit }}" 85 | - "-c {{ lxc_host_machine_qgroup_compression_limit }}" 86 | when: 87 | - not lxc_host_machine_quota_disabled 88 | rescue: 89 | - name: 
Notice regarding quota system 90 | ansible.builtin.debug: 91 | msg: >- 92 | There was an error processing the setup of qgroups. Check the system 93 | to ensure they're available otherwise disable the quota system by 94 | setting `lxc_host_machine_quota_disabled` to true. 95 | -------------------------------------------------------------------------------- /tasks/lxc_cache_preparation.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2015, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # NOTE(cloudnull): We're using rsync and an if block because we've no means 17 | # to loop over a block. 
Re-evaluate this task when/if this is 18 | # merged https://github.com/ansible/ansible/issues/13262 19 | - name: Rsyncing files from the LXC host to the container cache 20 | ansible.builtin.shell: | 21 | if [[ -e "{{ item }}" ]]; then 22 | rsync -av "{{ item }}" "{{ lxc_image_cache_path }}{{ item }}" 23 | else 24 | exit 3 25 | fi 26 | changed_when: _rsync_container_cache.rc == 0 27 | failed_when: _rsync_container_cache.rc not in [0, 3] 28 | register: _rsync_container_cache 29 | args: 30 | executable: "/bin/bash" 31 | with_items: "{{ (_lxc_copy_from_host | union(lxc_container_cache_files_from_host)) | list }}" 32 | 33 | - name: Ensure directories exist for lxc_container_cache_files 34 | ansible.builtin.file: 35 | dest: "{{ lxc_image_cache_path }}{{ item.dest | default(item.src) | dirname }}" 36 | state: directory 37 | mode: "0755" 38 | with_items: "{{ lxc_container_cache_files }}" 39 | 40 | - name: Copy files from deployment host to the container cache 41 | ansible.builtin.copy: 42 | src: "{{ item.src }}" 43 | dest: "{{ lxc_image_cache_path }}{{ item.dest | default(item.src) }}" 44 | owner: "{{ item.owner | default('root') }}" 45 | group: "{{ item.group | default('root') }}" 46 | mode: "{{ item.mode | default('0644') }}" 47 | with_items: "{{ lxc_container_cache_files }}" 48 | 49 | - name: Ensure opt directory exists in container 50 | ansible.builtin.file: 51 | dest: "{{ lxc_image_cache_path }}/opt" 52 | state: directory 53 | mode: "0755" 54 | 55 | - name: Cached image preparation script 56 | ansible.builtin.template: 57 | src: "{{ lxc_cache_prep_template }}" 58 | dest: "{{ lxc_image_cache_path }}/opt/cache-prep-commands.sh" 59 | mode: "0755" 60 | 61 | # This task runs several commands against the cached image to speed up the 62 | # lxc_container_create playbook. 
63 | - name: Prepare cached image setup commands 64 | ansible.builtin.shell: "chroot {{ lxc_image_cache_path }} /opt/cache-prep-commands.sh > /var/log/lxc-cache-prep-commands.log 2>&1" 65 | changed_when: false 66 | async: "{{ lxc_cache_prep_timeout | int }}" 67 | poll: 0 68 | register: _lxc_cache_prepare_commands 69 | 70 | # NOTE(cloudnull): Wait for the cache preparation script has completed before 71 | # building the new RootFS 72 | - name: Ensure that the LXC cache has been prepared 73 | ansible.builtin.async_status: 74 | jid: "{{ _lxc_cache_prepare_commands.ansible_job_id }}" 75 | register: _lxc_cache_prepare_commands_result 76 | until: _lxc_cache_prepare_commands_result.finished 77 | delay: 10 78 | retries: "{{ lxc_cache_prep_timeout | int // 10 }}" 79 | 80 | - name: Remove requiretty for sudo on centos 81 | ansible.builtin.template: 82 | dest: "{{ lxc_image_cache_path }}/etc/sudoers.d/openstack-ansible" 83 | owner: root 84 | group: root 85 | mode: "0440" 86 | src: sudoers.j2 87 | when: 88 | - ansible_facts['pkg_mgr'] == 'dnf' 89 | -------------------------------------------------------------------------------- /templates/lxc-image-fetch-url.py.j2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Copyright 2017, Rackspace US, Inc. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 
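#!/usr/bin/env python

# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

try:
    import httplib
except ImportError:
    import http.client as httplib
import os
import socket
import ssl
try:
    import urlparse
except ImportError:
    import urllib.parse as urlparse
import sys


__DOC__ = """
USAGE:
  This script will take arguments passed into it to discover the url
  of a given container image using the distro, release, architecture,
  and variant as the parameters.

EXAMPLE:
  # python lxc-image-fetch-url ubuntu xenial amd64 default
"""

LXC_CACHE_SERVER = '{{ lxc_image_cache_server_mirrors[0].strip() }}'
LXC_INDEX = '{0}/meta/1.0/index-system'.format(LXC_CACHE_SERVER)

# Upper bound on redirects followed while fetching the index; past this the
# script gives up instead of looping on a misconfigured mirror.
MAX_REDIRECTS = 10

# Environment variable that, when set to 1/true/yes, disables TLS certificate
# verification for HTTPS mirrors. Verification is on by default: the index
# fetched here decides which rootfs.tar.xz the host downloads and boots
# containers from, so an unverified connection would let anyone on the path
# substitute the image. The opt-out is meant for a private mirror whose CA
# cannot be installed on the host; prefer installing the CA.
INSECURE_ENV_VAR = 'LXC_IMAGE_FETCH_INSECURE'


def _tls_context():
    """Return the SSL context for HTTPS fetches.

    Uses the platform trust store unless INSECURE_ENV_VAR asks for an
    unverified context.
    """
    if os.environ.get(INSECURE_ENV_VAR, '').lower() in ('1', 'true', 'yes'):
        return ssl._create_unverified_context()
    return ssl.create_default_context()


def _open_connection(url_path):
    """Return an (unconnected) HTTP or HTTPS connection for *url_path*.

    *url_path* is a urlparse result; its netloc may carry a port, which the
    connection classes parse themselves.
    """
    if url_path.scheme == 'https':
        return httplib.HTTPSConnection(
            host=url_path.netloc,
            context=_tls_context()
        )
    return httplib.HTTPConnection(host=url_path.netloc)


def _request_target(url_path):
    """Return the path (plus query string, if any) for the GET request.

    An empty path is sent as '/' so a bare host URL produces a valid request.
    """
    target = url_path.path or '/'
    if url_path.query:
        target = '{0}?{1}'.format(target, url_path.query)
    return target


def get_image_url(url, depth=0):
    """Fetch *url*, following redirects, and return ``(final_url, lines)``.

    *lines* is the response body decoded as UTF-8 and split into lines; for
    the index-system endpoint that is one image record per line. *depth*
    counts redirects already followed.

    Raises SystemExit on too many redirects, on a connection or TLS failure,
    or when the final response is not a 2xx.
    """
    if depth > MAX_REDIRECTS:
        raise SystemExit('Too many redirects')

    url_path = urlparse.urlparse(url, allow_fragments=True)
    conn = _open_connection(url_path)
    try:
        try:
            conn.request('GET', _request_target(url_path))
            resp = conn.getresponse()
        except (httplib.HTTPException, socket.error, ssl.CertificateError) as exc:
            # ssl.CertificateError is a ValueError on older Pythons, so it is
            # listed explicitly to give a usable message on hostname mismatch.
            raise SystemExit(
                'Connection Failure fetching {0}: {1}\n'
                'If the mirror presents a certificate this host does not '
                'trust, install its CA certificate or set {2}=1 to skip '
                'verification.'.format(url, exc, INSECURE_ENV_VAR)
            )

        # getheader() is case-insensitive, so no separate 'location' /
        # 'Location' lookups are needed; the value is resolved against the
        # current URL so relative redirects work too.
        location = resp.getheader('Location')
        if location:
            return get_image_url(
                url=urlparse.urljoin(url, location),
                depth=depth + 1
            )

        # Without this check an error page (404, 5xx) would be parsed as the
        # image index and reported as "no image found".
        if not 200 <= resp.status < 300:
            raise SystemExit(
                'Unexpected HTTP status {0} fetching {1}'.format(
                    resp.status, url
                )
            )

        return (
            str(url),
            resp.read().decode('UTF-8').splitlines()
        )
    finally:
        conn.close()


def image_hint_for(distro, release, arch, variant):
    """Return the ';'-joined prefix that identifies an image in the index."""
    return '{0};{1};{2};{3}'.format(distro, release, arch, variant)


def select_image_line(meta, image_hint):
    """Return the index line matching *image_hint*, or None if none does.

    Only lines whose first four ';'-separated fields equal the hint match, so
    a variant called ``default`` does not also pick up ``default-foo``. When
    several builds match, the lexicographically smallest line is returned;
    with an identical prefix that is presumably the oldest build.
    NOTE(review): returning the oldest matching build looks unintended, but
    is kept because changing it would alter which image deployments receive.
    """
    prefix = image_hint + ';'
    matches = sorted(line for line in meta if line.strip().startswith(prefix))
    return matches[0] if matches else None


def container_url_for(image_path, base=LXC_CACHE_SERVER):
    """Return the rootfs.tar.xz URL for *image_path* on mirror *base*."""
    return urlparse.urljoin(urlparse.urljoin(base, image_path), 'rootfs.tar.xz')


def main():
    """Resolve and print the rootfs URL for the image named on the CLI.

    Exits with the usage text when an argument is missing and with an error
    (after listing the available images) when nothing matches.
    """
    try:
        distro, release, arch, variant = sys.argv[1:5]
    except ValueError:
        print('Missing argument, Please see the documentation.')
        raise SystemExit(__DOC__)

    _, meta = get_image_url(url=LXC_INDEX, depth=0)
    image_hint = image_hint_for(distro, release, arch, variant)

    image = select_image_line(meta, image_hint)
    if image is None:
        print(__DOC__ + '\nAvailable options:')
        for line in meta:
            # Drop the trailing timestamp and path fields for readability.
            print(';'.join(line.split(';')[:-2]))

        raise SystemExit(
            'No Image found with image hint "{0}"'.format(image_hint)
        )

    # The last field of an index line is the image directory on the mirror.
    print(container_url_for(image.split(';')[-1]))


if __name__ == '__main__':
    main()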
15 | 16 | - name: Playbook for role testing 17 | hosts: localhost 18 | connection: local 19 | become: true 20 | vars: 21 | extra_host_package: iotop 22 | extra_cache_package: lshw 23 | pre_tasks: 24 | - name: Show host facts 25 | debug: 26 | var: hostvars 27 | 28 | - name: First ensure apt cache is always refreshed 29 | apt: 30 | update_cache: yes 31 | when: 32 | - ansible_facts['pkg_mgr'] == 'apt' 33 | 34 | - name: Ensure root ssh key 35 | user: 36 | name: "{{ ansible_facts['env']['USER'] | default('root') }}" 37 | generate_ssh_key: "yes" 38 | ssh_key_bits: 2048 39 | ssh_key_file: ".ssh/id_rsa" 40 | 41 | - name: Get root ssh key 42 | slurp: 43 | src: '~/.ssh/id_rsa.pub' 44 | register: _root_ssh_key 45 | 46 | - name: Prepare container ssh key fact 47 | set_fact: 48 | lxc_container_ssh_key: "{{ _root_ssh_key['content'] | b64decode }}" 49 | 50 | - name: Ensure extra host package is not installed 51 | package: 52 | name: "{{ extra_host_package }}" 53 | state: absent 54 | 55 | - include_tasks: "common/common-tasks/test-set-nodepool-vars.yml" 56 | 57 | roles: 58 | - role: "lxc_hosts" 59 | lxc_net_address: 10.100.100.1 60 | lxc_net_bridge: lxcbr0 61 | lxc_kernel_options: 62 | - { key: 'fs.inotify.max_user_instances', value: 1024 } 63 | lxc_container_cache_files: 64 | - src: files/container-file-copy-test.txt 65 | dest: /tmp/file-copied-from-deployment-host.txt 66 | lxc_hosts_extra_distro_packages: 67 | - "{{ extra_host_package }}" 68 | lxc_cache_extra_distro_packages: 69 | - "{{ extra_cache_package }}" 70 | 71 | post_tasks: 72 | - name: Get sysctl content 73 | set_fact: 74 | sysctl_conf: "{{ lookup('file', '/etc/sysctl.conf') }}" 75 | 76 | - name: Check for lxc bridge 77 | stat: 78 | path: /sys/class/net/lxcbr0/bridge/bridge_id 79 | register: lxc_bridge_file 80 | 81 | - name: Check dnsmasq is running 82 | shell: ps auxfww | grep -w 'dnsmasq -u lxc-dnsmasq' 83 | changed_when: false 84 | 85 | - name: DEBIAN - Get deployed interface file contents, without Ansible managed 
line 86 | set_fact: 87 | interface_file: "{{ lookup('pipe', 'cat /etc/network/interfaces.d/lxc-net-bridge.cfg | tail -n +3') }}" 88 | when: ansible_facts['os_family'] | lower == "debian" 89 | 90 | - name: RHEL - Get deployed interface file contents, without Ansible managed line 91 | set_fact: 92 | interface_file: "{{ lookup('pipe', 'cat /etc/sysconfig/network-scripts/ifcfg-lxcbr0 | tail -n +3') }}" 93 | when: ansible_facts['os_family'] | lower == "redhat" 94 | 95 | - name: Get bridge interface facts 96 | setup: 97 | filter: ansible_lxcbr0 98 | register: lxcbr0_facts 99 | 100 | - name: Get installation state of extra host package 101 | package: 102 | name: "{{ extra_host_package }}" 103 | state: present 104 | register: extra_host_package_state 105 | 106 | - name: Check for extra package installed in lxc cache 107 | find: 108 | paths: "{{ lxc_image_cache_path }}" 109 | patterns: "{{ extra_cache_package }}" 110 | recurse: yes 111 | register: extra_cache_package_find 112 | 113 | - name: Check role functions 114 | assert: 115 | that: 116 | - interface_file is search('.*lxcbr0.*') 117 | - interface_file is search('.*10.100.100.1.*') 118 | - interface_file is search('.*255.255.255.0.*') 119 | - sysctl_conf is search('fs.inotify.max_user_instances.*') 120 | - "lxc_bridge_file.stat.exists" 121 | - ansible_facts['lxcbr0']['ipv4']['address'] is match('10.100.100.1') 122 | - extra_host_package_state is not changed 123 | - extra_cache_package_find.matched > 0 124 | -------------------------------------------------------------------------------- /tasks/lxc_net.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2014, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # NOTE(mhayden): One of three exit codes should be returned. 17 | # 0 = service is running 18 | # 3 = service is installed, but not running 19 | # 4 = service is not installed, and not running 20 | - name: Check if NetworkManager is running 21 | command: systemctl status NetworkManager 22 | changed_when: false 23 | failed_when: false 24 | register: networkmanager_check 25 | tags: 26 | - skip_ansible_lint 27 | 28 | - name: Ensure network services wait on networking (if using NetworkManager) 29 | ansible.builtin.service: 30 | name: NetworkManager-wait-online.service 31 | enabled: true 32 | when: networkmanager_check.rc == 0 33 | 34 | # NOTE(mhayden): There are systemd services that act like ifup/ifdown hooks 35 | # and handle the customized LXC container networking. Starting lxc-net will 36 | # trample over these hooks and cause networking issues for containers. 
37 | - name: Disable and stop lxc-net 38 | ansible.builtin.systemd: 39 | name: lxc-net 40 | enabled: false 41 | state: stopped 42 | masked: true 43 | tags: 44 | - lxc-net 45 | 46 | - name: Setup LXC OVS Bridge 47 | openvswitch.openvswitch.openvswitch_bridge: 48 | bridge: "{{ lxc_net_bridge }}" 49 | fail_mode: standalone 50 | state: present 51 | when: lxc_net_bridge_type == 'openvswitch' 52 | 53 | - name: Run the systemd-networkd role 54 | ansible.builtin.include_role: 55 | name: systemd_networkd 56 | vars: 57 | _lxc_net_bridge_devices: 58 | - NetDev: 59 | Name: "{{ lxc_net_bridge }}" 60 | Kind: bridge 61 | MTUBytes: "{{ lxc_net_mtu }}" 62 | Bridge: 63 | ForwardDelaySec: 0 64 | HelloTimeSec: 2 65 | MaxAgeSec: 12 66 | STP: false 67 | systemd_networkd_prefix: "lxc-net" 68 | systemd_run_networkd: true 69 | systemd_netdevs: "{{ (lxc_net_bridge_type == 'openvswitch') | ternary([], _lxc_net_bridge_devices) }}" 70 | systemd_networks: 71 | - interface: "{{ lxc_net_bridge }}" 72 | address: "{{ lxc_net_address }}" 73 | netmask: "{{ lxc_net_netmask }}" 74 | mtu: "{{ lxc_net_mtu }}" 75 | config_overrides: 76 | Network: 77 | ConfigureWithoutCarrier: true 78 | Gateway: "{{ lxc_net_gateway is not none | ternary(lxc_net_gateway, {}) }}" 79 | 80 | - name: Run the systemd-service role 81 | ansible.builtin.include_role: 82 | name: systemd_service 83 | vars: 84 | systemd_service_enabled: true 85 | systemd_slice_name: lxc-dnsmasq 86 | systemd_services: 87 | - service_name: lxc-dnsmasq 88 | state: started 89 | enabled: true 90 | execstartpres: | 91 | {% set pres = ['-/usr/bin/pkill -u {{ lxc_net_dnsmasq_user }} "^dnsmasq"'] %} 92 | {% if lxc_net_manage_iptables | bool %} 93 | {% set _ = pres.append('/usr/local/bin/lxc-system-manage iptables-create') %} 94 | {% endif %} 95 | {{ pres }} 96 | execstarts: 97 | - /usr/local/bin/lxc-system-manage dnsmasq-start 98 | execstops: 99 | - -/usr/local/bin/lxc-system-manage dnsmasq-stop 100 | execstopposts: | 101 | {% set posts = [] %} 102 | {% if 
lxc_net_manage_iptables | bool %} 103 | {% set _ = posts.append('-/usr/local/bin/lxc-system-manage iptables-remove') %} 104 | {% endif %} 105 | {{ posts }} 106 | config_overrides: 107 | Unit: 108 | Before: lxc.service 109 | Service: 110 | PIDFile: /run/lxc/dnsmasq.pid 111 | when: lxc_net_nat | bool 112 | 113 | # Check that the container bridge exists, if not bring it up 114 | - name: Check Container Bridge exists 115 | ansible.builtin.stat: 116 | path: "/sys/class/net/{{ lxc_net_bridge }}/bridge/bridge_id" 117 | register: bridge_check 118 | failed_when: false 119 | changed_when: not bridge_check.stat.exists 120 | notify: 121 | - Bring bridge up 122 | tags: 123 | - lxc-bridge 124 | 125 | # Ensure lxc networks are running as they're supposed to 126 | - name: Flush handlers 127 | ansible.builtin.meta: flush_handlers 128 | -------------------------------------------------------------------------------- /doc/Makefile: -------------------------------------------------------------------------------- 1 | # Makefile for Sphinx documentation 2 | # 3 | 4 | # You can set these variables from the command line. 5 | SPHINXOPTS = 6 | SPHINXBUILD = sphinx-build 7 | PAPER = 8 | BUILDDIR = build 9 | 10 | # User-friendly check for sphinx-build 11 | ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1) 12 | $(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/) 13 | endif 14 | 15 | # Internal variables. 
16 | PAPEROPT_a4 = -D latex_paper_size=a4 17 | PAPEROPT_letter = -D latex_paper_size=letter 18 | ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source 19 | # the i18n builder cannot share the environment and doctrees with the others 20 | I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source 21 | 22 | .PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest coverage gettext 23 | 24 | help: 25 | @echo "Please use \`make ' where is one of" 26 | @echo " html to make standalone HTML files" 27 | @echo " dirhtml to make HTML files named index.html in directories" 28 | @echo " singlehtml to make a single large HTML file" 29 | @echo " pickle to make pickle files" 30 | @echo " json to make JSON files" 31 | @echo " htmlhelp to make HTML files and a HTML help project" 32 | @echo " qthelp to make HTML files and a qthelp project" 33 | @echo " applehelp to make an Apple Help Book" 34 | @echo " devhelp to make HTML files and a Devhelp project" 35 | @echo " epub to make an epub" 36 | @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" 37 | @echo " latexpdf to make LaTeX files and run them through pdflatex" 38 | @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx" 39 | @echo " text to make text files" 40 | @echo " man to make manual pages" 41 | @echo " texinfo to make Texinfo files" 42 | @echo " info to make Texinfo files and run them through makeinfo" 43 | @echo " gettext to make PO message catalogs" 44 | @echo " changes to make an overview of all changed/added/deprecated items" 45 | @echo " xml to make Docutils-native XML files" 46 | @echo " pseudoxml to make pseudoxml-XML files for display purposes" 47 | @echo " linkcheck to check all external links for integrity" 48 | @echo " doctest to run all doctests embedded in the documentation (if enabled)" 49 | @echo " coverage to run coverage check of the documentation (if enabled)" 50 
| 51 | clean: 52 | rm -rf $(BUILDDIR)/* 53 | 54 | html: 55 | $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html 56 | @echo 57 | @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." 58 | 59 | dirhtml: 60 | $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml 61 | @echo 62 | @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." 63 | 64 | singlehtml: 65 | $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml 66 | @echo 67 | @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." 68 | 69 | pickle: 70 | $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle 71 | @echo 72 | @echo "Build finished; now you can process the pickle files." 73 | 74 | json: 75 | $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json 76 | @echo 77 | @echo "Build finished; now you can process the JSON files." 78 | 79 | htmlhelp: 80 | $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp 81 | @echo 82 | @echo "Build finished; now you can run HTML Help Workshop with the" \ 83 | ".hhp project file in $(BUILDDIR)/htmlhelp." 84 | 85 | qthelp: 86 | $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp 87 | @echo 88 | @echo "Build finished; now you can run "qcollectiongenerator" with the" \ 89 | ".qhcp project file in $(BUILDDIR)/qthelp, like this:" 90 | @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/openstack-ansible-lxc_hosts.qhcp" 91 | @echo "To view the help file:" 92 | @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/openstack-ansible-lxc_hosts.qhc" 93 | 94 | applehelp: 95 | $(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp 96 | @echo 97 | @echo "Build finished. The help book is in $(BUILDDIR)/applehelp." 98 | @echo "N.B. You won't be able to view it unless you put it in" \ 99 | "~/Library/Documentation/Help or install it in your application" \ 100 | "bundle." 
101 | 102 | devhelp: 103 | $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp 104 | @echo 105 | @echo "Build finished." 106 | @echo "To view the help file:" 107 | @echo "# mkdir -p $$HOME/.local/share/devhelp/openstack-ansible-lxc_hosts" 108 | @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/openstack-ansible-lxc_hosts" 109 | @echo "# devhelp" 110 | 111 | epub: 112 | $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub 113 | @echo 114 | @echo "Build finished. The epub file is in $(BUILDDIR)/epub." 115 | 116 | latex: 117 | $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex 118 | @echo 119 | @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." 120 | @echo "Run \`make' in that directory to run these through (pdf)latex" \ 121 | "(use \`make latexpdf' here to do that automatically)." 122 | 123 | latexpdf: 124 | $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex 125 | @echo "Running LaTeX files through pdflatex..." 126 | $(MAKE) -C $(BUILDDIR)/latex all-pdf 127 | @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." 128 | 129 | latexpdfja: 130 | $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex 131 | @echo "Running LaTeX files through platex and dvipdfmx..." 132 | $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja 133 | @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." 134 | 135 | text: 136 | $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text 137 | @echo 138 | @echo "Build finished. The text files are in $(BUILDDIR)/text." 139 | 140 | man: 141 | $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man 142 | @echo 143 | @echo "Build finished. The manual pages are in $(BUILDDIR)/man." 144 | 145 | texinfo: 146 | $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo 147 | @echo 148 | @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." 
149 | @echo "Run \`make' in that directory to run these through makeinfo" \ 150 | "(use \`make info' here to do that automatically)." 151 | 152 | info: 153 | $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo 154 | @echo "Running Texinfo files through makeinfo..." 155 | make -C $(BUILDDIR)/texinfo info 156 | @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." 157 | 158 | gettext: 159 | $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale 160 | @echo 161 | @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." 162 | 163 | changes: 164 | $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes 165 | @echo 166 | @echo "The overview file is in $(BUILDDIR)/changes." 167 | 168 | linkcheck: 169 | $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck 170 | @echo 171 | @echo "Link check complete; look for any errors in the above output " \ 172 | "or in $(BUILDDIR)/linkcheck/output.txt." 173 | 174 | doctest: 175 | $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest 176 | @echo "Testing of doctests in the sources finished, look at the " \ 177 | "results in $(BUILDDIR)/doctest/output.txt." 178 | 179 | coverage: 180 | $(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage 181 | @echo "Testing of coverage in the sources finished, look at the " \ 182 | "results in $(BUILDDIR)/coverage/python.txt." 183 | 184 | xml: 185 | $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml 186 | @echo 187 | @echo "Build finished. The XML files are in $(BUILDDIR)/xml." 188 | 189 | pseudoxml: 190 | $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml 191 | @echo 192 | @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml." 
193 | 194 | livehtml: html 195 | sphinx-autobuild -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html 196 | -------------------------------------------------------------------------------- /files/org.freedesktop.machine1.conf: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 27 | 28 | 30 | 31 | 34 | 35 | 38 | 39 | 42 | 43 | 46 | 47 | 50 | 51 | 54 | 55 | 58 | 59 | 62 | 63 | 66 | 67 | 70 | 71 | 74 | 75 | 78 | 79 | 82 | 83 | 86 | 87 | 90 | 91 | 94 | 95 | 98 | 99 | 102 | 103 | 106 | 107 | 110 | 111 | 114 | 115 | 118 | 119 | 122 | 123 | 126 | 127 | 130 | 131 | 134 | 135 | 138 | 139 | 142 | 143 | 146 | 147 | 150 | 151 | 154 | 155 | 158 | 159 | 162 | 163 | 166 | 167 | 170 | 171 | 174 | 175 | 178 | 179 | 182 | 183 | 186 | 187 | 190 | 191 | 192 | 193 | 194 | -------------------------------------------------------------------------------- /releasenotes/source/conf.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 12 | # implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # This file is execfile()d with the current directory set to its 17 | # containing dir. 18 | # 19 | # Note that not all possible configuration values are present in this 20 | # autogenerated file. 
21 | # 22 | # All configuration values have a default; values that are commented out 23 | # serve to show the default. 24 | 25 | # If extensions (or modules to document with autodoc) are in another directory, 26 | # add these directories to sys.path here. If the directory is relative to the 27 | # documentation root, use os.path.abspath to make it absolute, like shown here. 28 | # sys.path.insert(0, os.path.abspath('.')) 29 | 30 | # -- General configuration ------------------------------------------------ 31 | 32 | # If your documentation needs a minimal Sphinx version, state it here. 33 | # needs_sphinx = '1.0' 34 | 35 | # Add any Sphinx extension module names here, as strings. They can be 36 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom 37 | # ones. 38 | extensions = [ 39 | 'openstackdocstheme', 40 | 'reno.sphinxext', 41 | ] 42 | 43 | # Add any paths that contain templates here, relative to this directory. 44 | templates_path = ['_templates'] 45 | 46 | # The suffix of source filenames. 47 | source_suffix = '.rst' 48 | 49 | # The encoding of source files. 50 | # source_encoding = 'utf-8-sig' 51 | 52 | # The master toctree document. 53 | master_doc = 'index' 54 | 55 | # General information about the project. 56 | author = 'OpenStack-Ansible Contributors' 57 | category = 'Miscellaneous' 58 | copyright = '2014-2016, OpenStack-Ansible Contributors' 59 | description = 'OpenStack-Ansible deploys OpenStack environments using Ansible.' 60 | project = 'OpenStack-Ansible' 61 | role_name = 'lxc_hosts' 62 | target_name = 'openstack-ansible-' + role_name 63 | title = 'OpenStack-Ansible Release Notes: ' + role_name + 'role' 64 | 65 | # Release notes do not need a version number in the title, they 66 | # cover multiple releases. 67 | # The full version, including alpha/beta/rc tags. 68 | release = '' 69 | # The short X.Y version. 
70 | version = '' 71 | 72 | # openstackdocstheme options 73 | openstackdocs_repo_name = 'openstack/' + target_name 74 | openstackdocs_bug_project = project.lower() 75 | openstackdocs_bug_tag = '' 76 | 77 | # The language for content autogenerated by Sphinx. Refer to documentation 78 | # for a list of supported languages. 79 | # language = None 80 | 81 | # There are two options for replacing |today|: either, you set today to some 82 | # non-false value, then it is used: 83 | # today = '' 84 | # Else, today_fmt is used as the format for a strftime call. 85 | # today_fmt = '%B %d, %Y' 86 | 87 | # List of patterns, relative to source directory, that match files and 88 | # directories to ignore when looking for source files. 89 | exclude_patterns = [] 90 | 91 | # The reST default role (used for this markup: `text`) to use for all 92 | # documents. 93 | # default_role = None 94 | 95 | # If true, '()' will be appended to :func: etc. cross-reference text. 96 | # add_function_parentheses = True 97 | 98 | # If true, the current module name will be prepended to all description 99 | # unit titles (such as .. function::). 100 | # add_module_names = True 101 | 102 | # If true, sectionauthor and moduleauthor directives will be shown in the 103 | # output. They are ignored by default. 104 | # show_authors = False 105 | 106 | # The name of the Pygments (syntax highlighting) style to use. 107 | pygments_style = 'native' 108 | 109 | # A list of ignored prefixes for module index sorting. 110 | # modindex_common_prefix = [] 111 | 112 | # If true, keep warnings as "system message" paragraphs in the built documents. 113 | # keep_warnings = False 114 | 115 | 116 | # -- Options for HTML output ---------------------------------------------- 117 | 118 | # The theme to use for HTML and HTML Help pages. See the documentation for 119 | # a list of builtin themes. 
120 | html_theme = 'openstackdocs' 121 | 122 | # Theme options are theme-specific and customize the look and feel of a theme 123 | # further. For a list of options available for each theme, see the 124 | # documentation. 125 | # html_theme_options = {} 126 | 127 | # Add any paths that contain custom themes here, relative to this directory. 128 | # html_theme_path = [] 129 | 130 | # The name for this set of Sphinx documents. If None, it defaults to 131 | # " v documentation". 132 | # html_title = None 133 | 134 | # A shorter title for the navigation bar. Default is the same as html_title. 135 | # html_short_title = None 136 | 137 | # The name of an image file (relative to this directory) to place at the top 138 | # of the sidebar. 139 | # html_logo = None 140 | 141 | # The name of an image file (within the static path) to use as favicon of the 142 | # docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 143 | # pixels large. 144 | # html_favicon = None 145 | 146 | # Add any paths that contain custom static files (such as style sheets) here, 147 | # relative to this directory. They are copied after the builtin static files, 148 | # so a file named "default.css" will overwrite the builtin "default.css". 149 | html_static_path = ['_static'] 150 | 151 | # Add any extra paths that contain custom files (such as robots.txt or 152 | # .htaccess) here, relative to this directory. These files are copied 153 | # directly to the root of the documentation. 154 | # html_extra_path = [] 155 | 156 | # If true, SmartyPants will be used to convert quotes and dashes to 157 | # typographically correct entities. 158 | # html_use_smartypants = True 159 | 160 | # Custom sidebar templates, maps document names to template names. 161 | # html_sidebars = {} 162 | 163 | # Additional templates that should be rendered to pages, maps page names to 164 | # template names. 165 | # html_additional_pages = {} 166 | 167 | # If false, no module index is generated. 
168 | # html_domain_indices = True 169 | 170 | # If false, no index is generated. 171 | # html_use_index = True 172 | 173 | # If true, the index is split into individual pages for each letter. 174 | # html_split_index = False 175 | 176 | # If true, links to the reST sources are added to the pages. 177 | # html_show_sourcelink = True 178 | 179 | # If true, "Created using Sphinx" is shown in the HTML footer. Default is True. 180 | # html_show_sphinx = True 181 | 182 | # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. 183 | # html_show_copyright = True 184 | 185 | # If true, an OpenSearch description file will be output, and all pages will 186 | # contain a tag referring to it. The value of this option must be the 187 | # base URL from which the finished HTML is served. 188 | # html_use_opensearch = '' 189 | 190 | # This is the file name suffix for HTML files (e.g. ".xhtml"). 191 | # html_file_suffix = None 192 | 193 | # Output file base name for HTML help builder. 194 | htmlhelp_basename = target_name + '-docs' 195 | 196 | 197 | # -- Options for LaTeX output --------------------------------------------- 198 | 199 | latex_elements = { 200 | # The paper size ('letterpaper' or 'a4paper'). 201 | # 'papersize': 'letterpaper', 202 | 203 | # The font size ('10pt', '11pt' or '12pt'). 204 | # 'pointsize': '10pt', 205 | 206 | # Additional stuff for the LaTeX preamble. 207 | # 'preamble': '', 208 | } 209 | 210 | # Grouping the document tree into LaTeX files. List of tuples 211 | # (source start file, target name, title, 212 | # author, documentclass [howto, manual, or own class]). 213 | latex_documents = [ 214 | (master_doc, target_name + '.tex', 215 | title, author, 'manual'), 216 | ] 217 | 218 | # The name of an image file (relative to this directory) to place at the top of 219 | # the title page. 220 | # latex_logo = None 221 | 222 | # For "manual" documents, if this is true, then toplevel headings are parts, 223 | # not chapters. 
224 | # latex_use_parts = False 225 | 226 | # If true, show page references after internal links. 227 | # latex_show_pagerefs = False 228 | 229 | # If true, show URL addresses after external links. 230 | # latex_show_urls = False 231 | 232 | # Documents to append as an appendix to all manuals. 233 | # latex_appendices = [] 234 | 235 | # If false, no module index is generated. 236 | # latex_domain_indices = True 237 | 238 | 239 | # -- Options for manual page output --------------------------------------- 240 | 241 | # One entry per manual page. List of tuples 242 | # (source start file, name, description, authors, manual section). 243 | man_pages = [ 244 | (master_doc, target_name, 245 | title, [author], 1) 246 | ] 247 | 248 | # If true, show URL addresses after external links. 249 | # man_show_urls = False 250 | 251 | 252 | # -- Options for Texinfo output ------------------------------------------- 253 | 254 | # Grouping the document tree into Texinfo files. List of tuples 255 | # (source start file, target name, title, author, 256 | # dir menu entry, description, category) 257 | texinfo_documents = [ 258 | (master_doc, target_name, 259 | title, author, project, 260 | description, category), 261 | ] 262 | 263 | # Documents to append as an appendix to all manuals. 264 | # texinfo_appendices = [] 265 | 266 | # If false, no module index is generated. 267 | # texinfo_domain_indices = True 268 | 269 | # How to display URL addresses: 'footnote', 'no', or 'inline'. 270 | # texinfo_show_urls = 'footnote' 271 | 272 | # If true, do not generate a @detailmenu in the "Top" node's menu. 273 | # texinfo_no_detailmenu = False 274 | 275 | # -- Options for Internationalization output ------------------------------ 276 | locale_dirs = ['locale/'] 277 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # Copyright 2014, Rackspace US, Inc. 
3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # Set the package install state for distribution packages 17 | # Options are 'present' and 'latest'. Note that 'present' leaves packages that are already installed at their current version, so hosts only pick up security updates through 'latest' or a separate patching process. 18 | lxc_hosts_package_state: "{{ package_state | default('present') }}" 19 | 20 | # Define a list of extra distribution packages to install onto the host 21 | # at the discretion of the deployer 22 | lxc_hosts_extra_distro_packages: [] 23 | 24 | # Define the total list of packages to install onto the host, combining the 25 | # distribution-specific list with the deployer's extra package list 26 | lxc_hosts_distro_packages: "{{ (_lxc_hosts_distro_packages | select) + lxc_hosts_extra_distro_packages }}" 27 | 28 | # Mappings from Ansible reported architecture to distro release architecture 29 | lxc_architecture_mapping: 30 | x86_64: amd64 31 | ppc64le: ppc64el 32 | s390x: s390x 33 | armv7l: armhf 34 | aarch64: arm64 35 | 36 | # Set the volume size for the machine image caches. We only use the 37 | # most specific mountpoint from the hierarchy. 38 | # NOTE: Size is set in Gigabytes.
39 | lxc_host_machine_volume_size: |- 40 | {%- set mounts = [] -%} 41 | {%- set mount_points = ['/var/lib/machines', '/var/lib/', '/var', '/'] -%} 42 | {%- for mount in mount_points -%} 43 | {%- for dev in ansible_facts['mounts'] -%} 44 | {%- if mount == dev.mount -%} 45 | {%- set _ = mounts.append(dev.size_total // (1024**3)) -%} 46 | {%- endif -%} 47 | {%- endfor -%} 48 | {%- endfor -%} 49 | {{ mounts[0] }} 50 | 51 | # Enable or Disable the BTRFS quota system for the "/var/lib/machines" mount 52 | # point. More information on the BTRFS quota system can be found here: 53 | # * https://btrfs.wiki.kernel.org/index.php/Quota_support 54 | lxc_host_machine_quota_disabled: false 55 | 56 | # Set the default qgroup limits used for file system quotas. The default is 57 | # "none". See the following documentation for more information: 58 | # * https://btrfs.wiki.kernel.org/index.php/Manpage/btrfs-qgroup 59 | lxc_host_machine_qgroup_space_limit: none 60 | lxc_host_machine_qgroup_compression_limit: none 61 | 62 | # DefaultTasksMax systemd value. It's not recommended to change this value as it 63 | # could prevent new processes from starting on busy containers. 
64 | lxc_default_tasks_max: 8192 65 | 66 | # lxc container rootfs directory and cache path 67 | lxc_container_directory: "/var/lib/lxc" 68 | lxc_container_cache_path: "/var/cache/lxc/download" 69 | # Extra mount entries and device-cgroup rules applied through the common container config. NOTE(security): the debugfs, securityfs and pstore bind mounts below carry no 'ro' option, so they are mounted read-write inside the container; they expose kernel internals and are a common hardening exception, so consider adding 'ro' (or dropping the entries) where containers do not need them. 70 | lxc_container_common_config: 71 | lxc.mount.entry: 72 | - /sys/kernel/debug sys/kernel/debug none bind,optional 0 0 73 | - /sys/kernel/security sys/kernel/security none bind,optional 0 0 74 | - /sys/fs/pstore sys/fs/pstore none bind,optional 0 0 75 | - mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0 76 | lxc.cgroup.devices.allow: 77 | - c 254:0 rm # rtc 78 | - c 10:228 rwm # hpet 79 | 80 | # The container backing store can be set to 'overlayfs' to use overlayfs. 81 | # This should only be done for production use with a linux kernel > 3.14, 82 | # which is when overlayfs was merged into the mainline kernel. 83 | lxc_container_backing_store: dir 84 | 85 | # The container backing method can be set to 'copy-on-write' to use LVM 86 | # snapshot-backed containers when the container backing store is set to 87 | # 'lvm'. 88 | # lxc_container_backing_method: copy-on-write 89 | 90 | # When using a base container to snapshot from for the overlayfs or LVM 91 | # copy-on-write backing store, the base container name can be set here. 92 | lxc_container_base_name: >- 93 | {{ ansible_facts['distribution'] | lower ~ '-' ~ 94 | ansible_facts['distribution_major_version'] ~ '-' ~ 95 | lxc_architecture_mapping.get(ansible_facts['architecture']) }} 96 | 97 | # Set the default zfs root name 98 | lxc_container_zfs_root_name: "pool/lxc" 99 | 100 | # Allow OSA to generate the LXC network configuration and manage the interface state. 101 | lxc_net_managed: true 102 | 103 | # lxc container network 104 | lxc_net_bridge: lxcbr0 105 | # Can be 'linuxbridge' or 'openvswitch' 106 | lxc_net_bridge_type: linuxbridge 107 | lxc_net_address: 10.0.3.1 108 | lxc_net_netmask: 255.255.255.0 109 | lxc_net_cidr: 24 110 | lxc_net_gateway: ## if null, no gateway will be on the LXC bridge.
lxc_net_nat must be "false" to use a gateway. 111 | lxc_net_mtu: 1500 112 | 113 | # lxc container nat enabled 114 | lxc_net_nat: true ## If "true", nat rules will be created with the lxc network. 115 | 116 | # Enable iptables for lxc network 117 | lxc_net_manage_iptables: true ## If "true" iptables rules will be added when the bridge is up and deleted when bridge is down 118 | 119 | # lxc container dhcp settings 120 | lxc_net_dhcp_range: 10.0.3.2,10.0.3.253 121 | lxc_net_dhcp_max: 253 122 | lxc_net_dhcp_config: "" 123 | lxc_net_dnsmasq_user: lxc-dnsmasq 124 | lxc_net_domain: "" 125 | 126 | # lxc network ipv6 settings 127 | lxc_net6_address: ## ie. fd05:ffb8:32b4:1212::1 128 | lxc_net6_netmask: ## ie. 64 129 | lxc_net6_nat: false 130 | 131 | # System control kernel tuning 132 | lxc_kernel_options: 133 | - { key: "fs.inotify.max_user_instances", value: 1024 } 134 | 135 | # The compression ratio used when creating the container cache rootfs archive 136 | lxc_image_compression_ratio: 0 137 | 138 | # A list of files that may be copied into the container image cache from the 139 | # deployment host during its preparation. 140 | # Example: 141 | # lxc_container_cache_files: 142 | # - src: "/etc/openstack_deploy/files/etc/issue" 143 | # dest: "/etc/issue" 144 | lxc_container_cache_files: [] 145 | 146 | # A list of files that may be copied into the container image cache from the 147 | # LXC host during its preparation. NOTE(security): anything listed here is baked into the cached base image that containers are created from, so do not list files that carry credentials (for example repository definitions with embedded auth tokens). 148 | # Example: 149 | # lxc_container_cache_files_from_host: 150 | # - "/etc/apt/sources.list.d/myrepo.list" 151 | lxc_container_cache_files_from_host: [] 152 | 153 | # LXC container shutdown delay before force-killing running container 154 | lxc_container_shutdown_delay: 60 155 | 156 | # DNS servers to use during cache preparation 157 | lxc_cache_prep_dns: 158 | - "{{ lxc_net_address }}" 159 | 160 | # Custom shell commands to run before/after the LXC cache prep process has taken 161 | # place. These are executed as shell commands, so treat their content as trusted code and only set them from deployer-controlled configuration.
162 | lxc_cache_prep_pre_commands: "## pre command skipped ##" 163 | lxc_cache_prep_post_commands: "## post command skipped ##" 164 | 165 | # Full path to the base image prep script. By default this will use the 166 | # named script for a given OS within the "templates/prep-scripts" directory. 167 | # If a deployer wishes to override this script with something else they can 168 | # do so by defining a user variable with the full path to the local script 169 | # which will be templated onto the deployment targets. 170 | lxc_cache_prep_template: "{{ _lxc_cache_prep_template }}" 171 | 172 | ## Define a list of extra distribution packages to install in the container 173 | # cache at the discretion of the deployer 174 | lxc_cache_extra_distro_packages: [] 175 | 176 | # List of packages to be installed into the base container cache. 177 | # Combines the distribution-specific list with the deployer's extra list. 178 | lxc_cache_distro_packages: "{{ _lxc_cache_distro_packages + lxc_cache_extra_distro_packages }}" 179 | 180 | # The maximum amount of time (in seconds) to wait until failing the cache 181 | # preparation process. This is necessary to mitigate the issue that can 182 | # arise where the cache prep hangs and never fails. 183 | # The value is specified in seconds, with the default being 20 minutes. 184 | lxc_cache_prep_timeout: "{{ _lxc_cache_prep_timeout | default(1200) }}" 185 | 186 | # Command to build a chroot for the container rootfs 187 | lxc_hosts_container_build_command: "{{ _lxc_hosts_container_build_command | default('') }}" 188 | 189 | # Local path to cached image 190 | lxc_image_cache_path: "/var/lib/machines/{{ lxc_container_base_name }}" 191 | 192 | # Expiration timeout for the cached image. 193 | # Should be in a format supported by the to_time_unit filter. NOTE: until the cache expires, new containers are created from this image, so with the default expiry a freshly built container may start from packages that are up to a year behind on security updates; shorten the expiry, or set lxc_image_cache_refresh to true after relevant advisories, if that matters for your deployment. 194 | lxc_image_cache_expiration: "1year" 195 | 196 | # Set this option to true to pull a new cached image.
197 | lxc_image_cache_refresh: false 198 | 199 | ## Default download template options 200 | ## This can be customized to use a local build server and options. 201 | ## By default these options will be fulfilled by the distro specific 202 | ## variable files found in vars/ 203 | # lxc_cache_download_template_options: > 204 | # --dist NAME_OF_DISTRO 205 | # --release DISTRO_RELEASE 206 | # --arch CONTAINER_ARCH 207 | # --force-cache 208 | # --server SERVER_TO_GET_IMAGES_FROM 209 | lxc_cache_default_variant: default 210 | lxc_cache_download_template_extra_options: "" 211 | lxc_cache_download_template_options: >- 212 | --dist {{ ansible_facts['distribution'] | lower }} 213 | --release {{ ansible_facts['distribution_major_version'] }} 214 | --arch {{ lxc_architecture_mapping.get(ansible_facts['architecture']) }} 215 | --force-cache 216 | --server localhost 217 | --variant {{ lxc_cache_default_variant }} 218 | {{ lxc_cache_download_template_extra_options }} 219 | 220 | # Locales to populate in the LXC base cache 221 | lxc_cache_locales: "{{ _lxc_cache_locales | default(['en_US.UTF-8']) }}" 222 | 223 | # EL EPEL repository options. NOTE(security): both the default mirror and the default RPM-GPG-KEY URL below are plain http://. Fetching the signing key over an unauthenticated channel lets an on-path attacker substitute the key that later validates packages, so override centos_epel_key with an https:// URL or a locally vendored key file, and prefer an https:// centos_epel_mirror. 224 | lxc_centos_epel_mirror: "{{ centos_epel_mirror | default('http://download.fedoraproject.org/pub/epel') }}" 225 | lxc_centos_epel_key: >- 226 | {{ centos_epel_key | default('http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-' ~ ansible_facts['distribution_major_version']) }} 227 | lxc_hosts_epel_packages: "{{ _lxc_hosts_epel_packages | default([]) }}" 228 | 229 | lxc_centos_repo_keys: "{{ _lxc_centos_repo_keys }}" 230 | lxc_centos_repos: "{{ _lxc_centos_repos }}" 231 | 232 | # DEB repository options. The mirrors default to plain http://, which is only acceptable while apt signature verification stays on: keep lxc_apt_mirror_gpg_check enabled, and set lxc_apt_mirror_gpg_file when pointing at a mirror signed with a non-distro key, so a substituted mirror cannot feed unsigned packages. 233 | lxc_ubuntu_mirror: "{{ (ansible_facts['architecture'] == 'x86_64') | ternary('http://archive.ubuntu.com/ubuntu', 'http://ports.ubuntu.com/ubuntu-ports') }}" 234 | lxc_apt_mirror: "{{ (ansible_facts['distribution'] == 'Ubuntu') | ternary(lxc_ubuntu_mirror, 'http://deb.debian.org/debian') }}" 235 | lxc_apt_mirror_gpg_check: true
236 | lxc_apt_mirror_gpg_file: '' 237 | 238 | lxc_sysctl_file: "{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}" 239 | -------------------------------------------------------------------------------- /doc/source/conf.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 12 | # implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # This file is execfile()d with the current directory set to its 17 | # containing dir. 18 | # 19 | # Note that not all possible configuration values are present in this 20 | # autogenerated file. 21 | # 22 | # All configuration values have a default; values that are commented out 23 | # serve to show the default. 24 | 25 | # If extensions (or modules to document with autodoc) are in another directory, 26 | # add these directories to sys.path here. If the directory is relative to the 27 | # documentation root, use os.path.abspath to make it absolute, like shown here. 28 | # sys.path.insert(0, os.path.abspath('.')) 29 | 30 | # -- General configuration ------------------------------------------------ 31 | 32 | # If your documentation needs a minimal Sphinx version, state it here. 33 | # needs_sphinx = '1.0' 34 | 35 | # Add any Sphinx extension module names here, as strings. They can be 36 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom 37 | # ones. 
38 | extensions = [ 39 | 'openstackdocstheme', 40 | 'sphinx.ext.autodoc', 41 | 'sphinxcontrib.rsvgconverter', 42 | ] 43 | 44 | # Add any paths that contain templates here, relative to this directory. 45 | templates_path = ['_templates'] 46 | 47 | # The suffix(es) of source filenames. 48 | # You can specify multiple suffix as a list of string: 49 | # source_suffix = ['.rst', '.md'] 50 | source_suffix = '.rst' 51 | 52 | # The encoding of source files. 53 | # source_encoding = 'utf-8-sig' 54 | 55 | # The master toctree document. 56 | master_doc = 'index' 57 | 58 | # General information about the project. 59 | author = 'OpenStack-Ansible Contributors' 60 | category = 'Miscellaneous' 61 | copyright = '2014-2016, OpenStack-Ansible Contributors' 62 | description = 'OpenStack-Ansible deploys OpenStack environments using Ansible.' 63 | project = 'OpenStack-Ansible' 64 | role_name = 'lxc_hosts' 65 | target_name = 'openstack-ansible-' + role_name 66 | title = 'OpenStack-Ansible Documentation: ' + role_name + ' role' 67 | 68 | # openstackdocstheme options 69 | openstackdocs_repo_name = 'openstack/' + target_name 70 | openstackdocs_pdf_link = True 71 | openstackdocs_bug_project = project.lower() 72 | openstackdocs_bug_tag = '' 73 | 74 | # The language for content autogenerated by Sphinx. Refer to documentation 75 | # for a list of supported languages. 76 | # 77 | # This is also used if you do content translation via gettext catalogs. 78 | # Usually you set "language" from the command line for these cases. 79 | language = 'en' 80 | 81 | # There are two options for replacing |today|: either, you set today to some 82 | # non-false value, then it is used: 83 | # today = '' 84 | # Else, today_fmt is used as the format for a strftime call. 85 | # today_fmt = '%B %d, %Y' 86 | 87 | # List of patterns, relative to source directory, that match files and 88 | # directories to ignore when looking for source files. 
89 | exclude_patterns = [] 90 | 91 | # The reST default role (used for this markup: `text`) to use for all 92 | # documents. 93 | # default_role = None 94 | 95 | # If true, '()' will be appended to :func: etc. cross-reference text. 96 | # add_function_parentheses = True 97 | 98 | # If true, the current module name will be prepended to all description 99 | # unit titles (such as .. function::). 100 | # add_module_names = True 101 | 102 | # If true, sectionauthor and moduleauthor directives will be shown in the 103 | # output. They are ignored by default. 104 | # show_authors = False 105 | 106 | # The name of the Pygments (syntax highlighting) style to use. 107 | pygments_style = 'native' 108 | 109 | # A list of ignored prefixes for module index sorting. 110 | # modindex_common_prefix = [] 111 | 112 | # If true, keep warnings as "system message" paragraphs in the built documents. 113 | # keep_warnings = False 114 | 115 | # If true, `todo` and `todoList` produce output, else they produce nothing. 116 | todo_include_todos = False 117 | 118 | 119 | # -- Options for HTML output ---------------------------------------------- 120 | 121 | # The theme to use for HTML and HTML Help pages. See the documentation for 122 | # a list of builtin themes. 123 | html_theme = 'openstackdocs' 124 | 125 | # Theme options are theme-specific and customize the look and feel of a theme 126 | # further. For a list of options available for each theme, see the 127 | # documentation. 128 | # html_theme_options = {} 129 | 130 | # Add any paths that contain custom themes here, relative to this directory. 131 | # html_theme_path = [] 132 | 133 | # The name for this set of Sphinx documents. If None, it defaults to 134 | # " v documentation". 135 | # html_title = None 136 | 137 | # A shorter title for the navigation bar. Default is the same as html_title. 138 | # html_short_title = None 139 | 140 | # The name of an image file (relative to this directory) to place at the top 141 | # of the sidebar. 
142 | # html_logo = None 143 | 144 | # The name of an image file (within the static path) to use as favicon of the 145 | # docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 146 | # pixels large. 147 | # html_favicon = None 148 | 149 | # Add any paths that contain custom static files (such as style sheets) here, 150 | # relative to this directory. They are copied after the builtin static files, 151 | # so a file named "default.css" will overwrite the builtin "default.css". 152 | html_static_path = ['_static'] 153 | 154 | # Add any extra paths that contain custom files (such as robots.txt or 155 | # .htaccess) here, relative to this directory. These files are copied 156 | # directly to the root of the documentation. 157 | # html_extra_path = [] 158 | 159 | # If true, SmartyPants will be used to convert quotes and dashes to 160 | # typographically correct entities. 161 | # html_use_smartypants = True 162 | 163 | # Custom sidebar templates, maps document names to template names. 164 | # html_sidebars = {} 165 | 166 | # Additional templates that should be rendered to pages, maps page names to 167 | # template names. 168 | # html_additional_pages = {} 169 | 170 | # If false, no module index is generated. 171 | # html_domain_indices = True 172 | 173 | # If false, no index is generated. 174 | # html_use_index = True 175 | 176 | # If true, the index is split into individual pages for each letter. 177 | # html_split_index = False 178 | 179 | # If true, links to the reST sources are added to the pages. 180 | # html_show_sourcelink = True 181 | 182 | # If true, "Created using Sphinx" is shown in the HTML footer. Default is True. 183 | # html_show_sphinx = True 184 | 185 | # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. 186 | # html_show_copyright = True 187 | 188 | # If true, an OpenSearch description file will be output, and all pages will 189 | # contain a tag referring to it. 
The value of this option must be the 190 | # base URL from which the finished HTML is served. 191 | # html_use_opensearch = '' 192 | 193 | # This is the file name suffix for HTML files (e.g. ".xhtml"). 194 | # html_file_suffix = None 195 | 196 | # Language to be used for generating the HTML full-text search index. 197 | # Sphinx supports the following languages: 198 | # 'da', 'de', 'en', 'es', 'fi', 'fr', 'h', 'it', 'ja' 199 | # 'nl', 'no', 'pt', 'ro', 'r', 'sv', 'tr' 200 | # html_search_language = 'en' 201 | 202 | # A dictionary with options for the search language support, empty by default. 203 | # Now only 'ja' uses this config value 204 | # html_search_options = {'type': 'default'} 205 | 206 | # The name of a javascript file (relative to the configuration directory) that 207 | # implements a search results scorer. If empty, the default will be used. 208 | # html_search_scorer = 'scorer.js' 209 | 210 | # Output file base name for HTML help builder. 211 | htmlhelp_basename = target_name + '-docs' 212 | 213 | # -- Options for LaTeX output --------------------------------------------- 214 | 215 | latex_elements = { 216 | # The paper size ('letterpaper' or 'a4paper'). 217 | # 'papersize': 'letterpaper', 218 | 219 | # The font size ('10pt', '11pt' or '12pt'). 220 | # 'pointsize': '10pt', 221 | 222 | # Additional stuff for the LaTeX preamble. 223 | # 'preamble': '', 224 | 225 | # Latex figure (float) alignment 226 | # 'figure_align': 'htbp', 227 | } 228 | 229 | # Grouping the document tree into LaTeX files. List of tuples 230 | # (source start file, target name, title, 231 | # author, documentclass [howto, manual, or own class]). 232 | latex_documents = [ 233 | (master_doc, 'doc-' + target_name + '.tex', 234 | title.replace("_", r"\_"), author, 'manual'), 235 | ] 236 | 237 | latex_use_xindy = False 238 | 239 | # The name of an image file (relative to this directory) to place at the top of 240 | # the title page. 
241 | # latex_logo = None 242 | 243 | # For "manual" documents, if this is true, then toplevel headings are parts, 244 | # not chapters. 245 | # latex_use_parts = False 246 | 247 | # If true, show page references after internal links. 248 | # latex_show_pagerefs = False 249 | 250 | # If true, show URL addresses after external links. 251 | # latex_show_urls = False 252 | 253 | # Documents to append as an appendix to all manuals. 254 | # latex_appendices = [] 255 | 256 | # If false, no module index is generated. 257 | # latex_domain_indices = True 258 | 259 | 260 | # -- Options for manual page output --------------------------------------- 261 | 262 | # One entry per manual page. List of tuples 263 | # (source start file, name, description, authors, manual section). 264 | man_pages = [ 265 | (master_doc, target_name, 266 | title, [author], 1) 267 | ] 268 | 269 | # If true, show URL addresses after external links. 270 | # man_show_urls = False 271 | 272 | 273 | # -- Options for Texinfo output ------------------------------------------- 274 | 275 | # Grouping the document tree into Texinfo files. List of tuples 276 | # (source start file, target name, title, author, 277 | # dir menu entry, description, category) 278 | texinfo_documents = [ 279 | (master_doc, target_name, 280 | title, author, project, 281 | description, category), 282 | ] 283 | 284 | # Documents to append as an appendix to all manuals. 285 | # texinfo_appendices = [] 286 | 287 | # If false, no module index is generated. 288 | # texinfo_domain_indices = True 289 | 290 | # How to display URL addresses: 'footnote', 'no', or 'inline'. 291 | # texinfo_show_urls = 'footnote' 292 | 293 | # If true, do not generate a @detailmenu in the "Top" node's menu. 
294 | # texinfo_no_detailmenu = False 295 | # -- Options for PDF output -------------------------------------------------- 296 | 297 | pdf_documents = [ 298 | (master_doc, target_name, 299 | title, author) 300 | ] 301 | 302 | locale_dirs = ['locale/'] 303 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /templates/lxc-system-manage.j2: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Copyright 2014, Rackspace US, Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | 16 | # This script was built for the express purpose of managing LXC on a 17 | # host. The functions within this script provide for common operations 18 | # that may be required when working with LXC in production. 
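# {{ ansible_managed }}

# Network parameters rendered by Ansible. `pre_up` may override any of them
# by sourcing the distribution's lxc defaults file before a command runs.
export USE_LXC_BRIDGE="true"
export LXC_BRIDGE="{{ lxc_net_bridge }}"
export LXC_ADDR="{{ lxc_net_address }}"
export LXC_NETMASK="{{ lxc_net_netmask }}"
export LXC_NETWORK="${LXC_ADDR}/${LXC_NETMASK}"
export LXC_DHCP_RANGE="{{ lxc_net_dhcp_range }}"
export LXC_DHCP_MAX="{{ lxc_net_dhcp_max }}"
export LXC_IPV6_ADDR="{{ lxc_net6_address }}"
export LXC_IPV6_MASK="{{ lxc_net6_netmask }}"
export LXC_IPV6_NETWORK="${LXC_IPV6_ADDR}/${LXC_IPV6_MASK}"
export LXC_IPV6_NAT="{{ lxc_net6_nat }}"
export LXC_DHCP_CONFILE="{{ lxc_net_dhcp_config }}"
export LXC_DNSMASQ_USER="{{ lxc_net_dnsmasq_user }}"
export VARRUN="/run/lxc"
export LXC_DOMAIN="{{ lxc_net_domain }}"

# Coloured status output: magenta for warnings, yellow for progress, green
# for success. All arguments are joined into one line.
function warn {
  echo -e "\e[0;35m$*\e[0m"
}

function info {
  echo -e "\e[0;33m$*\e[0m"
}

function success {
  echo -e "\e[0;32m$*\e[0m"
}

# ipt_add BINARY TABLE ACTION CHAIN RULE...
# Insert (-I) or append (-A) a rule only when an identical rule is not already
# present (checked with -C). Without this check every "iptables-create" or
# "system-rebuild" run stacked another copy of each rule, and a single "-D"
# in remove_rules would not clear the extras.
function ipt_add {
  local binary="$1"
  local table="$2"
  local action="$3"
  shift 3
  if ! "${binary}" ${USE_IPTABLES_LOCK} -t "${table}" -C "$@" > /dev/null 2>&1; then
    "${binary}" ${USE_IPTABLES_LOCK} -t "${table}" "${action}" "$@"
  fi
}

# ipt_del BINARY TABLE CHAIN RULE...
# Delete every copy of a rule that is currently present; a rule that is
# absent is silently skipped instead of producing an iptables error.
function ipt_del {
  local binary="$1"
  local table="$2"
  shift 2
  while "${binary}" ${USE_IPTABLES_LOCK} -t "${table}" -C "$@" > /dev/null 2>&1; do
    "${binary}" ${USE_IPTABLES_LOCK} -t "${table}" -D "$@" || break
  done
}

# Remove the INPUT, FORWARD and nat POSTROUTING rules added by add_rules.
function remove_rules {
  info "Removing LXC IPtables rules."
  # DHCP and DNS towards dnsmasq on the bridge.
  ipt_del iptables filter INPUT -i "${LXC_BRIDGE}" -p udp --dport 67 -j ACCEPT
  ipt_del iptables filter INPUT -i "${LXC_BRIDGE}" -p tcp --dport 67 -j ACCEPT
  ipt_del iptables filter INPUT -i "${LXC_BRIDGE}" -p udp --dport 53 -j ACCEPT
  ipt_del iptables filter INPUT -i "${LXC_BRIDGE}" -p tcp --dport 53 -j ACCEPT

  # Forwarding to and from the bridge.
  ipt_del iptables filter FORWARD -i "${LXC_BRIDGE}" -j ACCEPT
  ipt_del iptables filter FORWARD -o "${LXC_BRIDGE}" -j ACCEPT

  # Source NAT for traffic leaving the container network.
  ipt_del iptables nat POSTROUTING -s "${LXC_NETWORK}" ! -d "${LXC_NETWORK}" -j MASQUERADE

  if [ "${LXC_IPV6_NAT}" = "true" ]; then
    ipt_del ip6tables nat POSTROUTING -s "${LXC_IPV6_NETWORK}" ! -d "${LXC_IPV6_NETWORK}" -j MASQUERADE
  fi

  success "LXC IPtables rules removed."
}

# Enable forwarding and add the bridge's INPUT/FORWARD/NAT rules. Runs under
# "set -e" so a failing sysctl or iptables call aborts the script.
function add_rules {
  info "Creating LXC IPtables rules."
  set -e
  # Enable IPv4 forwarding for the container network.
  sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
  echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/accept_dad || true

  # Configure IPv6 only when an address and prefix were rendered.
  if [ -n "${LXC_IPV6_ADDR}" ] && [ -n "${LXC_IPV6_MASK}" ] && [ -n "${LXC_IPV6_NETWORK}" ]; then
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/autoconf
    ip -6 addr add dev "${LXC_BRIDGE}" "${LXC_IPV6_ADDR}/${LXC_IPV6_MASK}" || true
    if [ "${LXC_IPV6_NAT}" = "true" ]; then
      ipt_add ip6tables nat -A POSTROUTING -s "${LXC_IPV6_NETWORK}" ! -d "${LXC_IPV6_NETWORK}" -j MASQUERADE
    fi
  fi

  # Allow DHCP and DNS from containers to dnsmasq on the bridge.
  ipt_add iptables filter -I INPUT -i "${LXC_BRIDGE}" -p udp --dport 67 -j ACCEPT
  ipt_add iptables filter -I INPUT -i "${LXC_BRIDGE}" -p tcp --dport 67 -j ACCEPT
  ipt_add iptables filter -I INPUT -i "${LXC_BRIDGE}" -p udp --dport 53 -j ACCEPT
  ipt_add iptables filter -I INPUT -i "${LXC_BRIDGE}" -p tcp --dport 53 -j ACCEPT

  # Allow forwarding to and from the bridge.
  ipt_add iptables filter -I FORWARD -i "${LXC_BRIDGE}" -j ACCEPT
  ipt_add iptables filter -I FORWARD -o "${LXC_BRIDGE}" -j ACCEPT

  # Masquerade traffic leaving the container network.
  ipt_add iptables nat -A POSTROUTING -s "${LXC_NETWORK}" ! -d "${LXC_NETWORK}" -j MASQUERADE

  success "LXC IPtables rules created."
}

# Remove the firewall rules and tear the bridge down.
function cleanup {
  remove_rules

  # Bring the bridge down, then delete it; both are best effort.
  ip link set "${LXC_BRIDGE}" down || true
  brctl delbr "${LXC_BRIDGE}" || true
}

# Common setup performed before any command: run directory, distribution
# defaults, and detection of iptables lock support.
function pre_up {
  mkdir -p "${VARRUN}"

  # Source the lxc defaults, which may override the exported values above.
  if [[ -f "{{ system_config_dir}}/lxc" ]]; then
    source "{{ system_config_dir}}/lxc"
  fi

  # Use "-w" (wait for the xtables lock) only when this iptables supports it.
  USE_IPTABLES_LOCK="-w"
  iptables -w -L -n > /dev/null 2>&1 || USE_IPTABLES_LOCK=""
}

# Start dnsmasq for the bridge. Can be run on its own ("dnsmasq-start") as
# well as from start_networks, so every option it needs is derived here.
function start_dnsmasq {
  set -e
  info "Starting LXC dnsmasq."

  # Default the lease file when start_networks did not set it.
  DHCP_LEASE_FILE="${DHCP_LEASE_FILE:-/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases}"

  # Domain options are passed as separate words. The previous single quoted
  # string handed dnsmasq one argument containing spaces, or an empty
  # argument when no domain was configured.
  local -a domain_args=()
  if [ -n "${LXC_DOMAIN}" ]; then
    domain_args=(-s "${LXC_DOMAIN}" -S "/${LXC_DOMAIN}/")
  fi

  # Router advertisements on the bridge when IPv6 is configured.
  local -a ipv6_args=()
  if [ -n "${LXC_IPV6_ADDR}" ] && [ -n "${LXC_IPV6_MASK}" ] && [ -n "${LXC_IPV6_NETWORK}" ]; then
    ipv6_args=("--dhcp-range=${LXC_IPV6_ADDR},ra-only" --listen-address "${LXC_IPV6_ADDR}")
  fi

  dnsmasq "${domain_args[@]}" --user="${LXC_DNSMASQ_USER}" \
    --pid-file="${VARRUN}/dnsmasq.pid" \
    --conf-file="${LXC_DHCP_CONFILE}" \
    --listen-address="${LXC_ADDR}" \
    --dhcp-range="${LXC_DHCP_RANGE}" \
    --dhcp-option="6,${LXC_ADDR}" \
    --dhcp-lease-max="${LXC_DHCP_MAX}" \
    --except-interface="lo" \
    --interface="${LXC_BRIDGE}" \
    --dhcp-leasefile="${DHCP_LEASE_FILE}" \
    --dhcp-no-override \
    --strict-order \
    --bind-interfaces \
    --no-hosts \
    --dhcp-authoritative "${ipv6_args[@]}"
  success "dnsmasq started."
}

# Start every container known to lxc-ls, detached. Aborts on the first failure.
function start_containers_nicely {
  set -e
  success "Starting all containers."
  for container in $(lxc-ls); do
    lxc-start -d -n "${container}"
  done
}

# Stop every container, letting each shut down cleanly.
function stop_containers_nicely {
  warn "Stopping all containers."
  for container in $(lxc-ls); do
    lxc-stop -n "${container}"
  done
}

# Stop every container immediately (lxc-stop -k).
function stop_containers_with_fire {
  warn "Stopping all containers with fire."
  for container in $(lxc-ls); do
    lxc-stop -k -n "${container}"
  done
}

# Create the bridge, address it, add the firewall rules and start dnsmasq.
# A no-op when the bridge already exists.
function start_networks {
  set -e
  if [ -f "/sys/class/net/${LXC_BRIDGE}/bridge/bridge_id" ]; then
    success "LXC container network is already online."
    return 0
  fi

  # The previous guard tested the stdout of "ip link set ... up", which is
  # always empty, so the build below ran unconditionally; keep that behaviour.
  info "Building the LXC container network."

  # Create the bridge and bring it up; both are best effort.
  brctl addbr "${LXC_BRIDGE}" || true
  ip link set "${LXC_BRIDGE}" up || true

  # Assign the gateway address to the bridge.
  ip addr add "${LXC_ADDR}/${LXC_NETMASK}" dev "${LXC_BRIDGE}"

  add_rules

  # start_dnsmasq derives the domain options from LXC_DOMAIN itself.
  DHCP_LEASE_FILE="/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases"
  start_dnsmasq
  success "LXC container network has been created."
}

# Stop the dnsmasq recorded in the pid file and remove the file.
function stop_dnsmasq {
  local pid_file="${VARRUN}/dnsmasq.pid"
  if [[ -f "${pid_file}" ]]; then
    PID="$(cat "${pid_file}")"
    if [[ "${PID}" ]]; then
      # Only signal the PID when it is numeric and still belongs to a dnsmasq
      # process. A stale pid file left behind by a crash or reboot could
      # otherwise name an unrelated process that would be SIGKILLed.
      if [[ "${PID}" =~ ^[0-9]+$ ]] && [[ "$(cat "/proc/${PID}/comm" 2>/dev/null)" == "dnsmasq" ]]; then
        warn "Stopping LXC dnsmasq."
        kill -9 "${PID}" || true
      else
        warn "Stale pid file ${pid_file} (PID ${PID} is not dnsmasq); not signalling it."
      fi
    fi
    rm -f "${pid_file}"
  fi
}

# Tear the bridge and firewall rules down, then stop dnsmasq.
function stop_networks {
  warn "Destroying the LXC container network."
  cleanup
  stop_dnsmasq
}

# Delete every veth interface whose link state is DOWN.
function remove_down_veth {
  info "Getting a list of all DOWN veth interfaces"
  # "ip -o link" prints one interface per line as "N: NAME[@ifM]: <flags> ...";
  # strip the peer suffix and colon so the bare name is passed to "ip link delete".
  VETHPAIRS="$(ip -o link show type veth | awk '/state DOWN/ {print $2}' | sed 's/[@:].*$//')"
  if [[ "${VETHPAIRS}" ]]; then
    warn "Removing all DOWN veth interfaces"
    for veth in ${VETHPAIRS}; do
      ip link delete dev "${veth}"
    done
  else
    success "No DOWN veth interfaces to remove"
  fi
}

# Flush the neighbour (ARP/NDP) cache on every interface.
function flush_cache {
  warn "Flushing network cache"
  ip -s -s neigh flush all
}

# Run through the base app setup
pre_up

# Dispatch on the requested command; anything unknown prints the usage text.
case "$1" in
  containers-start)
    start_containers_nicely
    ;;
  containers-stop)
    stop_containers_nicely
    ;;
  containers-force-stop)
    stop_containers_with_fire
    ;;
  containers-restart)
    stop_containers_nicely
    start_containers_nicely
    ;;
  containers-force-restart)
    stop_containers_with_fire
    start_containers_nicely
    ;;
  system-tear-down)
    stop_containers_nicely
    remove_down_veth
    stop_networks
    flush_cache
    ;;
  system-force-tear-down)
    stop_containers_with_fire
    remove_down_veth
    stop_networks
    flush_cache
    ;;
  system-start-up)
    start_networks
    start_containers_nicely
    ;;
  system-rebuild)
    stop_containers_nicely
    remove_down_veth
    stop_networks
    flush_cache
    start_networks
    start_containers_nicely
    ;;
  system-force-rebuild)
    stop_containers_with_fire
    remove_down_veth
    stop_networks
    flush_cache
    start_networks
    start_containers_nicely
    ;;
  dnsmasq-start)
    start_dnsmasq
    ;;
  dnsmasq-stop)
    stop_dnsmasq
    ;;
  dnsmasq-restart)
    stop_dnsmasq
    start_dnsmasq
    ;;
  iptables-create)
    add_rules
    ;;
  iptables-remove)
    remove_rules
    ;;
  iptables-recreate)
    remove_rules
    add_rules
    ;;
  veth-cleanup)
    remove_down_veth
    ;;
  flush-net-cache)
    flush_cache
    ;;
  *)
    info 'Management of internal LXC systems and processes:'
    echo '
  containers-start          Start all containers.
  containers-stop           Stop all containers.
  containers-restart        Stop all containers and then Start them.
  containers-force-stop     Force Stop all containers.
  containers-force-restart  Force Stop all containers and then Start them.
  system-start-up           Start up everything that LXC needs to
                            operate, including the containers, dnsmasq,
                            LXC bridge, and IPtables.
  system-tear-down          Tear down everything LXC on this system.
                            This will remove all LXC IPtables rules, kill
                            dnsmasq, remove the LXC bridge, stop all
                            containers, remove DOWN veth interfaces,
                            and flush the net cache.
  system-force-tear-down    Force tear down everything LXC on this system.
                            This will remove all LXC IPtables rules, kill
                            dnsmasq, remove the LXC bridge, stop all
                            containers, remove DOWN veth interfaces,
                            and flush the net cache.
  system-rebuild            Rebuild the LXC network, IPtables, dnsmasq,
                            remove DOWN veth interfaces, flush the
                            net cache, and restart all containers.
  system-force-rebuild      Force rebuild the LXC network, IPtables, dnsmasq,
                            remove DOWN veth interfaces, flush the
                            net cache, and restart all containers.
  dnsmasq-start             Start the LXC dnsmasq process.
  dnsmasq-stop              Stop the LXC dnsmasq process.
  dnsmasq-restart           Restart the LXC dnsmasq process.
  iptables-create           Create the LXC IPtables rules for NAT.
  iptables-remove           Remove the LXC IPtables rules for NAT.
  iptables-recreate         Recreate the LXC IPtables rules for NAT.
  veth-cleanup              Remove all DOWN veth interfaces from a system.
  flush-net-cache           Flush the host network cache. This is useful if
                            IP addresses are being recycled on to containers
                            from other hosts.
'
    ;;
esac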