From 4ae60f5b944e9eb662f2479c3169ee4a40f08f11 Mon Sep 17 00:00:00 2001
From: Zolfa
Date: Fri, 3 Apr 2020 20:18:16 +0200
Subject: [PATCH] roles/lxc_guest: improved syntax and upgrades
Debian version upgraded to buster. New templates compatibile with stable versions of LXC provided with debian. Cleaner syntax using `ssh_lxc.py` connection plugin. Now we don't user `lxc-attach -n ...` in the `shell` module on the host anymore, but we delegate to `{{ vm_name }}` with `connection: ssh_lxc`, using suitable Ansible module to do operation directly on the container before it is online and SSH accessible. We added an option to force an LVM VG name: if the default naming convention is not used the vg name can be overriden with the `vg_name` variable. The `xfs` filesystem seems to be broken in this release, so we used `ext4` as default for new container. This point needs further investigation.
---
 MIGRATION.md | 23 ++++++------
 roles/lxc_guest/defaults/main.yaml | 2 +-
 roles/lxc_guest/files/interfaces | 5 +++
 roles/lxc_guest/tasks/main.yaml | 45 ++++++++++++++----------
 roles/lxc_guest/templates/config.j2 | 22 +++++++-----
 roles/lxc_guest/templates/resolv.conf.j2 | 2 ++
 6 files changed, 60 insertions(+), 39 deletions(-)
 create mode 100644 roles/lxc_guest/files/interfaces
 create mode 100644 roles/lxc_guest/templates/resolv.conf.j2
diff --git a/MIGRATION.md b/MIGRATION.md
index 6d4cc03..9bb917c 100644
--- a/MIGRATION.md
+++ b/MIGRATION.md
@@ -18,17 +18,18 @@ On the hosts: ## Roles -| Role name | Modified? | Tested? | Production? | Notes | -|--------------------|:---------:|:--------:|:-----------:|----------------------------------------------------------------------| -|`roles/service` | **YES** | **YES** | NO | New `apt` module style for packages. | -|`roles/ssh_server` | **YES** | **YES** | NO | `lxc_ssh.py` --> `ssh_lxc.py`, multi-key support. | -|`roles/ca` | **YES** | ReadNote | NO | New `apt` module style for pacakges. Works with this [ca_manager]. | -|`prepare_host.yaml` | **YES** | **YES** | NO | Migrate Debian release to Buster and Python 2 to 3. | -|`roles/ldap` | NO | NO | NO | | -|`roles/nginx` | NO | NO | NO | | -|`roles/projects` | NO | NO | NO | | -|`roles/dns_record` | NO | NO | NO | | -|`roles/openvpn` | NO | NO | NO | | +| Role name | Modified? | Tested? | Production? | Notes | +|----------------------|:---------:|:--------:|:-----------:|----------------------------------------------------------------------| +|`roles/service` | **YES** | **YES** | NO | New `apt` module style for packages. | +|`roles/ssh_server` | **YES** | **YES** | NO | `lxc_ssh.py` --> `ssh_lxc.py`, multi-key support. | +|`roles/ca` | **YES** | ReadNote | NO | New `apt` module style for pacakges. Works with this [ca_manager]. | +|`prepare_host.yaml` | **YES** | **YES** | NO | Migrate Debian release to Buster and Python 2 to 3. | +|`roles/lxc_guest.yaml`| **YES** | **YES** | NO | Updated Debian and LXC. `xfs` ***broken***, `ext4` working. | +|`roles/ldap` | NO | NO | NO | | +|`roles/nginx` | NO | NO | NO | | +|`roles/projects` | NO | NO | NO | | +|`roles/dns_record` | NO | NO | NO | | +|`roles/openvpn` | NO | NO | NO | | ## Plugins and Modules diff --git a/roles/lxc_guest/defaults/main.yaml b/roles/lxc_guest/defaults/main.yaml index 5f4fdab..b8826d2 100644 --- a/roles/lxc_guest/defaults/main.yaml +++ b/roles/lxc_guest/defaults/main.yaml 
@@ -1,5 +1,5 @@
 ---
 auto_start: true
 container_state: started
-distro: stretch
+distro: buster
 vm_size: 5G
diff --git a/roles/lxc_guest/files/interfaces b/roles/lxc_guest/files/interfaces
new file mode 100644
index 0000000..c61c62c
--- /dev/null
+++ b/roles/lxc_guest/files/interfaces
@@ -0,0 +1,5 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet manual
diff --git a/roles/lxc_guest/tasks/main.yaml b/roles/lxc_guest/tasks/main.yaml
index 63f036b..2142a7b 100644
--- a/roles/lxc_guest/tasks/main.yaml
+++ b/roles/lxc_guest/tasks/main.yaml
@@ -11,7 +11,7 @@ - name: Check debian release assert: - that: distro in [ 'stretch', 'sid', 'buster' ] + that: distro in [ 'bullseye', 'sid', 'buster' ] msg: "release {{ distro }} not supported by debian template" - block:
@@ -20,12 +20,12 @@ name: "{{ vm_name }}" backing_store: lvm fs_size: "{{ vm_size }}" - vg_name: "{{ inventory_hostname }}vg" + vg_name: "{{ vg_name | default(inventory_hostname+'vg') }}" lv_name: "vm_{{ vm_name }}" - fs_type: xfs + fs_type: ext4 container_log: true template: debian - template_options: --release {{ distro }} --packages=ssh,python + template_options: --release {{ distro }} --packages=ssh,python3 state: stopped # suppress messages related to file descriptors # leaking when lvm is invoked
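Review bot: The `vg_name | default(inventory_hostname+'vg')` expression in the lxc_container args of the `@@ -20` hunk is repeated verbatim in templates/config.j2 (`lxc.rootfs.path`), so the two defaults can drift and the rootfs path would then point at a volume other than the one the task created. Declare it once as a role default, `vg_name: "{{ inventory_hostname }}vg"` in defaults/main.yaml, and reference plain `"{{ vg_name }}"` in both places; inventory and play vars still override a role default, so the documented override keeps working. The `fs_type: ext4` switch deserves a why-comment next to it, e.g. `# xfs appears broken with this LXC release, ext4 works (see MIGRATION.md)`, since nothing in the task says why the previous value was dropped. The block these args belong to opens in the `@@ -11` hunk and closes outside both hunks.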
@@ -58,30 +58,39 @@ register: container_running_state - name: Read container DNS configuration - container_file_read: - name: "{{ vm_name }}" - path: /etc/resolv.conf + slurp: + src: /etc/resolv.conf + delegate_to: "{{ vm_name }}" + connection: ssh_lxc register: vm_resolv_conf - debug: - var: vm_resolv_conf + msg: "{{ vm_resolv_conf['content'] | b64decode }}" verbosity: 2 - name: update container DNS configuration - shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -Pz1 'domain lilik.it\nnameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' /etc/resolv.conf || echo -e 'domain lilik.it\nnameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf" - register: container_dns_configuration - changed_when: container_dns_configuration.stdout != "domain lilik.it\nnameserver {{ hostvars | ip_from_inventory('vm_gateway') }}\n\u0000" + template: + src: resolv.conf.j2 + dest: /etc/resolv.conf + delegate_to: "{{ vm_name }}" + connection: ssh_lxc - name: update container network configuration - shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'iface eth0 inet manual' /etc/network/interfaces || sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces" - register: container_network - changed_when: "container_network.stdout != 'iface eth0 inet manual'" + copy: + src: interfaces + dest: /etc/network/interfaces + delegate_to: "{{ vm_name }}" + connection: ssh_lxc notify: restart container - name: install packages - shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "apt-get update && apt-get install python ssh -y" - register: install_packages - changed_when: "install_packages.stdout.find('0 newly installed') == -1" + apt: + pkg: + - python3 + - ssh + state: present + update_cache: yes + cache_valid_time: 3600 notify: restart container # Restart container when one in 
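Review bot: The new `apt` task under `install packages` has no `delegate_to: "{{ vm_name }}"` / `connection: ssh_lxc`, unlike the `slurp`, `template` and `copy` tasks in the same hunk, so unless an enclosing block delegates it (nothing visible here does) it runs on the LXC host and installs `python3` and `ssh` there instead of in the container that the removed `lxc-attach` line targeted; on a host that lacks them the `ssh` metapackage brings openssh-server with it. Add the same two lines to that task: `delegate_to: "{{ vm_name }}"` and `connection: ssh_lxc`. `update_cache: yes` should be `update_cache: true`, matching `container_log: true` elsewhere in this file and avoiding the YAML 1.1/1.2 truthy ambiguity. Note also that `copy: src: interfaces` replaces the whole `/etc/network/interfaces` rather than rewriting the single `iface eth0` line as the old `sed` did, so any extra stanzas in an existing container's file are discarded; if that is intended, a one-line comment on the task should say so. The first task in this hunk (`register: container_running_state`) starts above the hunk.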
@@ -94,6 +103,6 @@ - name: add monitoring facts set_fact: - monitoring_host: "{{monitoring_host| default([]) }} + [ '{{ vm_name }}' ]" + monitoring_host: "{{ monitoring_host | default([]) }} + [ '{{ vm_name }}' ]" delegate_facts: True delegate_to: status diff --git a/roles/lxc_guest/templates/config.j2 b/roles/lxc_guest/templates/config.j2 index 8cab915..a554fc1 100644 --- a/roles/lxc_guest/templates/config.j2 +++ b/roles/lxc_guest/templates/config.j2 @@ -1,15 +1,19 @@ lxc.include = /usr/share/lxc/config/debian.common.conf -lxc.utsname = {{ vm_name }} -lxc.rootfs = /dev/{{ inventory_hostname }}vg/vm_{{ vm_name }} +lxc.uts.name = {{ vm_name }} +lxc.rootfs.path = lvm:/dev/{{ vg_name | default(inventory_hostname+'vg') }}/vm_{{ vm_name }} -lxc.tty = 4 +lxc.apparmor.profile = generated +lxc.apparmor.allow_nesting = 1 + +lxc.tty.max = 4 lxc.arch = amd64 +lxc.pty.max = 1024 -lxc.network.type = veth -lxc.network.flags = up -lxc.network.link = br0 -lxc.network.name = eth0 -lxc.network.ipv4 = {{ hostvars | ip_from_inventory(vm_name) }}/24 -lxc.network.ipv4.gateway = {{ hostvars | ip_from_inventory('vm_gateway') }} +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.link = br0 +lxc.net.0.name = eth0 +lxc.net.0.ipv4.address = {{ hostvars | ip_from_inventory(vm_name) }}/24 +lxc.net.0.ipv4.gateway = {{ hostvars | ip_from_inventory('vm_gateway') }} lxc.start.auto = {% if auto_start %}1{% else %}0{% endif %} diff --git a/roles/lxc_guest/templates/resolv.conf.j2 b/roles/lxc_guest/templates/resolv.conf.j2 new file mode 100644 index 0000000..b24742e --- /dev/null +++ b/roles/lxc_guest/templates/resolv.conf.j2 @@ -0,0 +1,2 @@ +domain dmz.lilik.it +nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}
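Review bot: `lxc.apparmor.allow_nesting = 1` in the config.j2 hunk relaxes the `generated` AppArmor profile for every container this role creates (it adds the mount rules a nested container manager needs), and neither the template nor the commit message says which guests require that. Keep the profile tight by default and make nesting opt-in the way `auto_start` already is, e.g. `lxc.apparmor.allow_nesting = {% if lxc_allow_nesting | default(false) %}1{% else %}0{% endif %}`, with `lxc_allow_nesting` declared in defaults/main.yaml. A one-line comment above the two `lxc.apparmor.*` keys stating why the generated profile was chosen over the distribution default would help the next reader.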
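Review bot: The new resolv.conf.j2 writes `domain dmz.lilik.it`, whereas the removed `lxc-attach` line in tasks/main.yaml wrote `domain lilik.it`; the commit message presents this hunk as a syntax cleanup, so the search-domain change looks undocumented at best. If it is deliberate, say so in the commit message and consider making the domain a variable, `domain {{ vm_domain | default('dmz.lilik.it') }}`, so the role does not hard-code a site-specific name; otherwise restore `domain lilik.it`.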