- ---
- - name: 'check if container dir exists'
- stat:
- path: '/var/lib/lxc/{{ vm_name }}'
- register: container_dir
- tags:
- - 'lxc'
-
- - name: 'check if container exists'
- container_exists:
- name: '{{ vm_name }}'
- register: container_exists
- tags:
- - 'lxc'
-
- - name: 'check if release is supported'
- assert:
- that: distro in [ 'bullseye', 'sid', 'buster' ]
- msg: 'release {{ distro }} not supported by debian template'
- tags:
- - 'lxc'
-
- - block:
- - name: 'privileged | create lxc container'
- lxc_container:
- name: '{{ vm_name }}'
- backing_store: 'lvm'
- fs_size: '{{ vm_size }}'
- vg_name: '{{ vg_name }}'
- lv_name: 'vm_{{ vm_name }}'
- fs_type: 'xfs'
- container_log: true
- template: 'debian'
- template_options: '--release {{ distro }} --packages=ssh,python3,python3-apt'
- state: 'stopped'
- # suppress messages related to file descriptors
- # leaking when lvm is invoked
- environment:
- LVM_SUPPRESS_FD_WARNINGS: 1
- when: not unprivileged
-
- - name: 'unprivileged | upload bash script'
- copy:
- src: 'find_subxid.sh'
- dest: 'find_subxid.sh'
- when: unprivileged
-
- - name: 'unprivileged | get free subxid mappings'
- command: 'bash find_subxid.sh'
- register: avail_subxid
- when: unprivileged
-
- - name: 'unprivileged | set subxid mappings'
- set_fact:
- subuidmap: '{{ avail_subxid.stdout_lines[0] }}'
- subgidmap: '{{ avail_subxid.stdout_lines[1] }}'
- when: unprivileged
-
- - name: 'unprivileged | create system subxid mappings'
- command: >-
- usermod
- -v {{ '{}-{}'.format(subuidmap.split(' ')[0],
- subuidmap.split(' ')[0]|int+subuidmap.split(' ')[1]|int-1) }}
- -w {{ '{}-{}'.format(subgidmap.split(' ')[0],
- subgidmap.split(' ')[0]|int+subgidmap.split(' ')[1]|int-1) }}
- root
-
- - name: 'unprivileged | create config seed'
- copy:
- content: |
- lxc.idmap = u 0 {{ subuidmap }}
- lxc.idmap = g 0 {{ subgidmap }}
- dest: '/tmp/lxc_unpriv_config'
- when: unprivileged
-
- - name: 'unprivileged | create lxc container'
- lxc_container:
- name: '{{ vm_name }}'
- backing_store: 'lvm'
- fs_type: 'xfs'
- fs_size: '{{ vm_size }}'
- vg_name: '{{ vg_name }}'
- lv_name: 'vm_{{ vm_name }}'
- container_log: true
- template: 'download'
- template_options: '-d debian -r {{ distro }} -a amd64'
- config: '/tmp/lxc_unpriv_config'
- state: 'stopped'
- when: unprivileged
-
- - name: 'deploy container config'
- template:
- src: 'config.j2'
- dest: '/var/lib/lxc/{{ vm_name }}/config'
-
- - name: 'unprivileged | tweak config'
- lxc_container:
- name: '{{ vm_name }}'
- container_command: |
- echo 'nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf
- apt update
- apt install -y python3 python3-apt
- systemctl mask systemd-journald-audit.socket
- state: 'stopped'
-
- - name: 'start container'
- lxc_container:
- name: '{{ vm_name }}'
- state: 'started'
- when: auto_start|bool
- when: not (container_exists.exists and container_dir.stat.isdir)
- tags:
- - 'lxc'
-
- - name: 'read unprivileged status from config'
- command: >-
- grep -e '^lxc.idmap = ' /var/lib/lxc/{{ vm_name }}/config
- register: unpriv_status
- changed_when: false
- failed_when: unpriv_status.rc > 1
-
- - name: 'set unprivileged status from config'
- set_fact:
- unprivileged: true
- subuidmap: '{{ unpriv_status.stdout_lines[0] | replace("lxc.idmap = u 0 ", "") }}'
- subgidmap: '{{ unpriv_status.stdout_lines[1] | replace("lxc.idmap = g 0 ", "") }}'
- when: unpriv_status.rc == 0
-
- - name: 'update container config'
- template:
- src: 'config.j2'
- dest: '/var/lib/lxc/{{ vm_name }}/config'
- register: container_config
- notify: 'restart container'
-
- - name: 'set container running state'
- lxc_container:
- name: '{{ vm_name }}'
- state: '{{ container_state }}'
- register: container_running_state
- tags:
- - 'lxc'
-
- - name: 'update container resolv.conf'
- template:
- src: 'resolv.conf.j2'
- dest: '/etc/resolv.conf'
- delegate_to: '{{ vm_name }}'
- connection: 'ssh_lxc'
-
- - name: 'update container net config'
- copy:
- src: 'interfaces'
- dest: '/etc/network/interfaces'
- delegate_to: '{{ vm_name }}'
- connection: 'ssh_lxc'
- notify: 'restart container'
-
- - name: 'update container apt config'
- lineinfile:
- path: '/etc/apt/apt.conf.d/02periodic'
- line: '{{ item.key }} "{{ item.value }}";'
- regexp: '^{{ item.key }} '
- create: true
- loop:
- - { key: 'APT::Periodic::Enable', value: '1' }
- - { key: 'APT::Periodic::Update-Package-Lists', value: '1' }
- - { key: 'APT::Periodic::Verbose', value: '2' }
- delegate_to: '{{ vm_name }}'
- connection: 'ssh_lxc'
-
- - meta: 'flush_handlers'
-
- - name: 'MONITORING | add to monitored hosts'
- block:
- - name: 'MONITORING | add to monitored hosts'
- set_fact:
- monitoring_entry: >
- {{ { 'address': ansible_host,
- 'host_type': 'lxc_vm' } }}
- - name: 'MONITORING | update monitoring facts'
- set_fact:
- monitoring_facts: >
- {{ hostvars[monitoring_host]['monitoring_facts']
- | default({})
- | combine({host_fqdn: monitoring_entry}) }}
- delegate_facts: true
- delegate_to: '{{ monitoring_host }}'
- tags:
- - 'monitoring'
- ...