roles/lxc_guest: improved syntax and upgrades

Debian version upgraded to buster. New templates compatibile with stable versions of LXC provided with debian. Cleaner syntax using `ssh_lxc.py` connection plugin. Now we don't user `lxc-attach -n ...` in the `shell` module on the host anymore, but we delegate to `{{ vm_name }}` with `connection: ssh_lxc`, using suitable Ansible module to do operation directly on the container before it is online and SSH accessible. We added an option to force an LVM VG name: if the default naming convention is not used the vg name can be overriden with the `vg_name` variable. The `xfs` filesystem seems to be broken in this release, so we used `ext4` as default for new container. This point needs further investigation.
LILiK-117bis · Apr 3, 2020 · 4ae60f5 · zolfariot · Apr 29, 2020 · 4ae60f5
1 parent 69e68b8
commit 4ae60f5
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 39 deletions.
diff --git a/MIGRATION.md b/MIGRATION.md
@@ -18,17 +18,18 @@ On the hosts:
 
 ## Roles
 
-| Role name          | Modified? | Tested?  | Production? | Notes                                                                |
-|--------------------|:---------:|:--------:|:-----------:|----------------------------------------------------------------------|
-|`roles/service`     | **YES**   | **YES**  | NO          | New `apt` module style for packages.                                 |
-|`roles/ssh_server`  | **YES**   | **YES**  | NO          | `lxc_ssh.py` --> `ssh_lxc.py`, multi-key support.                    |
-|`roles/ca`          | **YES**   | ReadNote | NO          | New `apt` module style for pacakges. Works with this [ca_manager].   |
-|`prepare_host.yaml` | **YES**   | **YES**  | NO          | Migrate Debian release to Buster and Python 2 to 3.                  |
-|`roles/ldap`        | NO        | NO       | NO          |                                                                      |
-|`roles/nginx`       | NO        | NO       | NO          |                                                                      |
-|`roles/projects`    | NO        | NO       | NO          |                                                                      |
-|`roles/dns_record`  | NO        | NO       | NO          |                                                                      |
-|`roles/openvpn`     | NO        | NO       | NO          |                                                                      |
+| Role name           | Modified? | Tested?  | Production? | Notes                                                                 |
+|----------------------|:---------:|:--------:|:-----------:|----------------------------------------------------------------------|
+|`roles/service`       | **YES**   | **YES**  | NO          | New `apt` module style for packages.                                 |
+|`roles/ssh_server`    | **YES**   | **YES**  | NO          | `lxc_ssh.py` --> `ssh_lxc.py`, multi-key support.                    |
+|`roles/ca`            | **YES**   | ReadNote | NO          | New `apt` module style for pacakges. Works with this [ca_manager].   |
+|`prepare_host.yaml`   | **YES**   | **YES**  | NO          | Migrate Debian release to Buster and Python 2 to 3.                  |
+|`roles/lxc_guest.yaml`| **YES**   | **YES**  | NO          | Updated Debian and LXC. `xfs` ***broken***, `ext4` working.          |
+|`roles/ldap`          | NO        | NO       | NO          |                                                                      |
+|`roles/nginx`         | NO        | NO       | NO          |                                                                      |
+|`roles/projects`      | NO        | NO       | NO          |                                                                      |
+|`roles/dns_record`    | NO        | NO       | NO          |                                                                      |
+|`roles/openvpn`       | NO        | NO       | NO          |                                                                      |
 
 
 ## Plugins and Modules

diff --git a/roles/lxc_guest/defaults/main.yaml b/roles/lxc_guest/defaults/main.yaml
@@ -1,5 +1,5 @@
 ---
 auto_start: true
 container_state: started
-distro: stretch
+distro: buster
 vm_size: 5G
diff --git a/roles/lxc_guest/files/interfaces b/roles/lxc_guest/files/interfaces
@@ -0,0 +1,5 @@
+auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet manual
diff --git a/roles/lxc_guest/tasks/main.yaml b/roles/lxc_guest/tasks/main.yaml
@@ -11,7 +11,7 @@
 
 - name: Check debian release
   assert:
-    that: distro in [ 'stretch', 'sid', 'buster' ]
+    that: distro in [ 'bullseye', 'sid', 'buster' ]
     msg: "release {{ distro }} not supported by debian template"
 
 - block:
@@ -20,12 +20,12 @@
           name: "{{ vm_name }}"
           backing_store: lvm
           fs_size: "{{ vm_size }}"
-          vg_name: "{{ inventory_hostname }}vg"
+          vg_name: "{{ vg_name | default(inventory_hostname+'vg') }}"
           lv_name: "vm_{{ vm_name }}"
-          fs_type: xfs
+          fs_type: ext4
           container_log: true
           template: debian
-          template_options: --release {{ distro }} --packages=ssh,python
+          template_options: --release {{ distro }} --packages=ssh,python3
           state: stopped
       # suppress messages related to file descriptors
       # leaking when lvm is invoked
@@ -58,30 +58,39 @@
   register: container_running_state
 
 - name: Read container DNS configuration
-  container_file_read:
-    name: "{{ vm_name }}"
-    path: /etc/resolv.conf
+  slurp:
+    src: /etc/resolv.conf
+  delegate_to: "{{ vm_name }}"
+  connection: ssh_lxc
   register: vm_resolv_conf
 
 - debug:
-    var: vm_resolv_conf
+    msg: "{{ vm_resolv_conf['content'] | b64decode }}"
     verbosity: 2
 
 - name: update container DNS configuration
-  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -Pz1 'domain lilik.it\nnameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' /etc/resolv.conf || echo -e 'domain lilik.it\nnameserver {{ hostvars | ip_from_inventory('vm_gateway') }}' > /etc/resolv.conf"
-  register: container_dns_configuration
-  changed_when: container_dns_configuration.stdout != "domain lilik.it\nnameserver {{ hostvars | ip_from_inventory('vm_gateway') }}\n\u0000"
+  template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+  delegate_to: "{{ vm_name }}"
+  connection: ssh_lxc
 
 - name: update container network configuration
-  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'iface eth0 inet manual' /etc/network/interfaces || sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces"
-  register: container_network
-  changed_when: "container_network.stdout != 'iface eth0 inet manual'"
+  copy:
+    src: interfaces
+    dest: /etc/network/interfaces
+  delegate_to: "{{ vm_name }}"
+  connection: ssh_lxc
   notify: restart container
 
 - name: install packages
-  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "apt-get update && apt-get install python ssh -y"
-  register: install_packages
-  changed_when: "install_packages.stdout.find('0 newly installed') == -1"
+  apt:
+    pkg:
+      - python3
+      - ssh
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
   notify: restart container
 
   # Restart container when one in
@@ -94,6 +103,6 @@
 
 - name: add monitoring facts
   set_fact:
-    monitoring_host: "{{monitoring_host| default([]) }} + [ '{{ vm_name }}' ]"
+    monitoring_host: "{{ monitoring_host | default([]) }} + [ '{{ vm_name }}' ]"
   delegate_facts: True
   delegate_to: status
diff --git a/roles/lxc_guest/templates/config.j2 b/roles/lxc_guest/templates/config.j2
@@ -1,15 +1,19 @@
 lxc.include = /usr/share/lxc/config/debian.common.conf
 
-lxc.utsname = {{ vm_name }}
-lxc.rootfs = /dev/{{ inventory_hostname }}vg/vm_{{ vm_name }}
+lxc.uts.name = {{ vm_name }}
+lxc.rootfs.path = lvm:/dev/{{ vg_name | default(inventory_hostname+'vg') }}/vm_{{ vm_name }}
 
-lxc.tty = 4
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+
+lxc.tty.max = 4
 lxc.arch = amd64
+lxc.pty.max = 1024
 
-lxc.network.type = veth
-lxc.network.flags = up
-lxc.network.link = br0
-lxc.network.name = eth0
-lxc.network.ipv4 = {{ hostvars | ip_from_inventory(vm_name) }}/24
-lxc.network.ipv4.gateway = {{ hostvars | ip_from_inventory('vm_gateway') }}
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.link = br0
+lxc.net.0.name = eth0
+lxc.net.0.ipv4.address = {{ hostvars | ip_from_inventory(vm_name) }}/24
+lxc.net.0.ipv4.gateway = {{ hostvars | ip_from_inventory('vm_gateway') }}
 lxc.start.auto = {% if auto_start %}1{% else %}0{% endif %}
diff --git a/roles/lxc_guest/templates/resolv.conf.j2 b/roles/lxc_guest/templates/resolv.conf.j2
@@ -0,0 +1,2 @@
+domain dmz.lilik.it
+nameserver {{ hostvars | ip_from_inventory('vm_gateway') }}