
---
# Probe 1 of 2 for the creation gate further down: does the container's
# directory exist on the host? `register` keeps the stat result so the gate
# can look at `container_dir.stat.isdir`.
- name: 'check if container dir exists'
  tags:
    - 'lxc'
  stat:
    path: '/var/lib/lxc/{{ vm_name }}'
  register: container_dir
# Probe 2 of 2: ask lxc itself. `container_exists` is not a stock Ansible
# module (presumably shipped in this repo's library/); the gate below reads
# its `.exists` result.
- name: 'check if container exists'
  tags:
    - 'lxc'
  container_exists:
    name: '{{ vm_name }}'
  register: container_exists
# Fail early for Debian containers with a suite the templates below cannot
# build. Only `distro == 'debian'` is validated; other distros pass through.
- name: 'check if release is supported'
  when: distro == 'debian'
  tags:
    - 'lxc'
  assert:
    that:
      - "release in ['bullseye', 'sid', 'buster']"
    msg: 'release {{ release }} not supported by debian template'
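# Container creation. The outer `when:` skips the whole block once lxc knows
# the container AND its directory exists, so everything in here runs at most
# once per container.
- block:
    # ---- privileged path (Debian only: it relies on the `debian` template) ----
    - name: 'privileged | create lxc container'
      lxc_container:
        name: '{{ vm_name }}'
        backing_store: 'lvm'
        fs_size: '{{ vm_size }}'
        vg_name: '{{ vg_name }}'
        lv_name: 'vm_{{ vm_name }}'
        fs_type: 'xfs'
        container_log: true
        template: 'debian'
        # `--release` takes the suite validated by the assert above (`release`),
        # not `distro`: the previous value expanded to `--release debian`,
        # which is not a Debian suite.
        template_options: '--release {{ release }} --packages=ssh,python3,python3-apt'
        state: 'stopped'
      # suppress messages related to file descriptors
      # leaking when lvm is invoked
      environment:
        LVM_SUPPRESS_FD_WARNINGS: 1
      when: (not unprivileged) and distro == 'debian'

    # ---- unprivileged path: pick a free sub{u,g}id range and hand it to root ----
    - name: 'unprivileged | get free subxid mappings'
      # `script` uploads, runs and removes the helper in one step; the previous
      # copy+command pair used a relative `dest`, leaving find_subxid.sh behind
      # in the remote user's home. Assumes the helper needs nothing from its
      # working directory — TODO confirm against find_subxid.sh.
      script: 'find_subxid.sh'
      args:
        executable: 'bash'
      register: avail_subxid
      when: unprivileged
    - name: 'unprivileged | set subxid mappings'
      # the helper prints one "<start> <count>" line for uids, then one for gids
      set_fact:
        subuidmap: '{{ avail_subxid.stdout_lines[0] }}'
        subgidmap: '{{ avail_subxid.stdout_lines[1] }}'
      when: unprivileged
    - name: 'unprivileged | create system subxid mappings'
      # `-v`/`-w` APPEND an inclusive "start-end" range to root's /etc/subuid
      # and /etc/subgid so lxc is allowed to use the mapping chosen above.
      command: >-
        usermod
        -v {{ '{}-{}'.format(subuidmap.split(' ')[0],
        subuidmap.split(' ')[0]|int+subuidmap.split(' ')[1]|int-1) }}
        -w {{ '{}-{}'.format(subgidmap.split(' ')[0],
        subgidmap.split(' ')[0]|int+subgidmap.split(' ')[1]|int-1) }}
        root
      # this gate was missing: on the privileged path subuidmap/subgidmap are
      # never set, so the task aborted on an undefined variable
      when: unprivileged
    - name: 'unprivileged | create config seed file'
      # mkstemp-style creation (random name, mode 0600) replaces the fixed
      # /tmp/lxc_unpriv_config: a predictable name in a world-writable
      # directory, read by lxc-create as root, lets any local user pre-create
      # or race the file and substitute their own idmap.
      tempfile:
        state: 'file'
        suffix: '.lxc_unpriv_config'
      register: unpriv_seed
      when: unprivileged
    - name: 'unprivileged | create config seed'
      copy:
        content: |
          lxc.idmap = u 0 {{ subuidmap }}
          lxc.idmap = g 0 {{ subgidmap }}
        dest: '{{ unpriv_seed.path }}'
        mode: '0600'
      when: unprivileged
    - name: 'unprivileged | create lxc container'
      lxc_container:
        name: '{{ vm_name }}'
        backing_store: 'lvm'
        fs_type: 'xfs'
        fs_size: '{{ vm_size }}'
        vg_name: '{{ vg_name }}'
        lv_name: 'vm_{{ vm_name }}'
        container_log: true
        template: 'download'
        template_options: '-d {{ distro }} -r {{ release }} -a amd64'
        # the idmap seed makes lxc-create build the rootfs with shifted ids
        config: '{{ unpriv_seed.path }}'
        state: 'stopped'
      when: unprivileged
    - name: 'unprivileged | remove config seed'
      file:
        path: '{{ unpriv_seed.path }}'
        state: 'absent'
      when: unprivileged

    # ---- common post-creation steps ----
    - name: 'deploy container config'
      template:
        src: 'config.j2'
        dest: '/var/lib/lxc/{{ vm_name }}/config'

    # Alpine: python3 is only installed by the last task of this block, so the
    # tweaks go through `raw` over the custom ssh_lxc connection.
    - block:
        - name: 'unprivileged | alpine | start for tweak'
          lxc_container:
            name: '{{ vm_name }}'
            state: 'restarted'
        - name: 'unprivileged | alpine | tweak'
          raw: |
            rm /etc/network/interfaces
            echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf
          delegate_to: '{{ vm_name }}'
          connection: 'ssh_lxc'
        - name: 'unprivileged | alpine | restart'
          lxc_container:
            name: '{{ vm_name }}'
            state: 'restarted'
        - name: 'unprivileged | alpine | install python'
          raw: |
            apk update
            apk upgrade
            apk add python3
          delegate_to: '{{ vm_name }}'
          connection: 'ssh_lxc'
      when: distro == 'alpine'

    - name: 'unprivileged | tweak config'
      # apt/systemctl exist only in the Debian image; this task used to run
      # for every distro (the Alpine equivalent is the block just above).
      lxc_container:
        name: '{{ vm_name }}'
        container_command: |
          echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf
          apt update
          apt install -y python3 python3-apt
          systemctl mask systemd-journald-audit.socket
        state: 'stopped'
      when: distro == 'debian'
    - name: 'start container'
      lxc_container:
        name: '{{ vm_name }}'
        state: 'started'
      when: auto_start|bool
  # `stat.isdir` is absent when the directory does not exist; default it so a
  # stale lxc entry without a directory triggers re-creation instead of an
  # undefined-variable error
  when: not (container_exists.exists and container_dir.stat.isdir | default(false))
  tags:
    - 'lxc'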
# Existing containers: derive the unprivileged state from the config on disk
# instead of trusting the inventory. grep returns 1 when no idmap line is
# present (the privileged case), which must not fail the play; only rc >= 2
# (real grep errors, e.g. missing file) does.
- name: 'read unprivileged status from config'
  changed_when: false
  failed_when: unpriv_status.rc > 1
  register: unpriv_status
  command:
    argv:
      - 'grep'
      - '-e'
      - '^lxc.idmap = '
      - '/var/lib/lxc/{{ vm_name }}/config'
# rc == 0 means idmap lines were found: flag the container unprivileged and
# recover the "<start> <count>" ranges for config.j2. The uid line is
# expected before the gid line, matching the order the seed wrote.
# NOTE: set_fact outranks inventory vars, so an inventory `unprivileged: false`
# is overridden for the rest of the play.
- name: 'set unprivileged status from config'
  when: unpriv_status.rc == 0
  set_fact:
    unprivileged: true
    subuidmap: "{{ unpriv_status.stdout_lines[0] | replace('lxc.idmap = u 0 ', '') }}"
    subgidmap: "{{ unpriv_status.stdout_lines[1] | replace('lxc.idmap = g 0 ', '') }}"
# Re-render config.j2 on every run (new and existing containers alike); a
# change queues the 'restart container' handler. The registered result is
# not read anywhere in this file.
- name: 'update container config'
  notify: 'restart container'
  register: container_config
  template:
    src: 'config.j2'
    dest: '/var/lib/lxc/{{ vm_name }}/config'
# Drive the container to the requested state (`container_state` comes from
# the inventory/vars, not from this file).
- name: 'set container running state'
  tags:
    - 'lxc'
  register: container_running_state
  lxc_container:
    name: '{{ vm_name }}'
    state: '{{ container_state }}'
# Inside the container (via the custom ssh_lxc connection): manage
# /etc/resolv.conf from a template, replacing the one-liner written at
# creation time.
- name: 'update container resolv.conf'
  connection: 'ssh_lxc'
  delegate_to: '{{ vm_name }}'
  template:
    src: 'resolv.conf.j2'
    dest: '/etc/resolv.conf'
# Inside the container: install the static /etc/network/interfaces. A change
# queues the 'restart container' handler so the new addressing takes effect.
- name: 'update container net config'
  connection: 'ssh_lxc'
  delegate_to: '{{ vm_name }}'
  notify: 'restart container'
  copy:
    src: 'interfaces'
    dest: '/etc/network/interfaces'
# Debian only: enable periodic apt runs in the container. Note that only the
# package-list refresh is switched on here; nothing in this task installs
# upgrades (no Unattended-Upgrade key), so security updates still need a
# separate mechanism.
# `regexp` uses the raw key as a pattern, so its '.' match any character —
# harmless for these fixed keys.
- name: 'update container apt config'
  when: distro == 'debian'
  connection: 'ssh_lxc'
  delegate_to: '{{ vm_name }}'
  lineinfile:
    path: '/etc/apt/apt.conf.d/02periodic'
    create: true
    regexp: '^{{ item.key }} '
    line: '{{ item.key }} "{{ item.value }}";'
  loop:
    - key: 'APT::Periodic::Enable'
      value: '1'
    - key: 'APT::Periodic::Update-Package-Lists'
      value: '1'
    - key: 'APT::Periodic::Verbose'
      value: '2'
# run any queued handler (the 'restart container' notifications above) now,
# before the monitoring facts are recorded
- meta: 'flush_handlers'
# Register this container with the monitoring host: build a small entry and
# merge it, keyed by `host_fqdn`, into the `monitoring_facts` dict stored on
# `monitoring_host` (delegate_facts puts the fact there, not on this host).
- name: 'MONITORING | add to monitored hosts'
  tags:
    - 'monitoring'
  block:
    - name: 'MONITORING | add to monitored hosts'
      set_fact:
        monitoring_entry: "{{ {'address': ansible_host, 'host_type': 'lxc_vm'} }}"
    - name: 'MONITORING | update monitoring facts'
      delegate_to: '{{ monitoring_host }}'
      delegate_facts: true
      set_fact:
        # start from an empty dict the first time the monitoring host sees us
        monitoring_facts: >-
          {{ hostvars[monitoring_host]['monitoring_facts'] | default({})
          | combine({host_fqdn: monitoring_entry}) }}
...