# Build the shared LXC base image that every container is later cloned from.
# The Debian template is run with -r stretch and a package list that the
# container-side puppet agent relies on (gnupg2 for apt-key handling, puppet,
# lsb-release, debconf-utils); the downloaded apt lists are removed afterwards,
# presumably so that clones do not carry stale package indexes.
# Guard: the exec is skipped while /var/lib/lxc/base-image exists. If lxc-create
# leaves a partial directory behind on failure, the image would never be rebuilt
# by this resource — TODO confirm that is acceptable.
# NOTE(review): stretch is end-of-life upstream, so an image built from it no
# longer receives security updates; confirm the release is still the intended one.
# The closing brace of this resource is not part of this listing.
8 exec {'lxc-base-image-created':
9 logoutput => on_failure,
10 command => '/usr/bin/lxc-create -n base-image -t debian -- -r stretch --packages=gnupg2,puppet,lsb-release,debconf-utils && rm -r /var/lib/lxc/base-image/rootfs/var/lib/apt/lists',# gnupg2 needed for puppet managing apt-keys
11 unless => '/usr/bin/test -d /var/lib/lxc/base-image',
# Host-side bridge for the containers.
# Chain: package -> interface stanza file ~> 'stop all containers' -> 'ifup lxcbr0'.
# The ~> arrow means a content change of the lxcbr0 file sends a refresh to the
# stop exec, and the -> arrows order the bridge bounce after it.
# NOTE(review): the stop exec shuts down every container except base-image, so a
# change to /etc/network/interfaces.d/lxcbr0 is a service interruption for all
# containers on this host. Only part of that resource is visible here — confirm it
# is refreshonly, otherwise it would stop the containers on every agent run.
14 package {'bridge-utils':
16 } -> file {'/etc/network/interfaces.d/lxcbr0':
17 source => 'puppet:///modules/lxc/lxcbr0'
# Iterates the output of lxc-ls; the bash loop skips only the name "base-image".
18 } ~> exec{'stop all containers':
19 command => '/bin/bash -c \'for i in $(lxc-ls); do if [[ $i != base-image ]]; then lxc-stop -n "$i"; fi; done\'',
# ifdown's exit status is ignored (';'), so a bridge that was not up does not fail
# the exec; the subscribe duplicates the refresh relationship the file already
# has through the chain above.
21 } -> exec {'ifup lxcbr0':
22 command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
24 subscribe => File['/etc/network/interfaces.d/lxcbr0']
# Bind-mount a host path into a container's rootfs.
#   $container - container name (its directory lives under /var/lib/lxc)
#   $out       - host-side path to expose; defaults to the resource title. A
#                File["$out"] resource for it must exist elsewhere in the catalog.
#   $target    - mount point inside the rootfs, written as given into the
#                lxc.mount.entry line (so relative to the rootfs)
#   $option    - appended verbatim after "bind" in the mount options, so it has to
#                carry its own leading comma (e.g. ",ro" yields "bind,ro")
# A file resource for the mount point is declared in the rootfs (its ensure
# attribute is not visible in this listing), ordered after the container's conf5
# line and before the container (re)start; the config line itself notifies the
# restart exec when it changes.
# NOTE(review): $out, $target and $option are interpolated unquoted into the config
# line; they come from the manifest, not from untrusted input. Without ",ro" in
# $option the container gets write access to the host path — confirm per call site.
# The closing braces of this define are not part of this listing.
27 define container_bind($container, $out = $name, $target, $option = ""){
28 file{"/var/lib/lxc/$container/rootfs/$target":
30 require => File_line["lxc-$container-conf5"],
31 before => Exec["lxc-$container-started"]
33 file_line { "lxc-$container-mount-$out":
34 path => "/var/lib/lxc/$container/config",
35 line => "lxc.mount.entry = $out $target none bind$option 0 0",
36 require=> [File_line["lxc-$container-conf5"], File["$out"]],
37 notify => Exec["lxc-$container-started"],
40 define container ($contname, $ip, $dir = [], $bind = {}, $confline = []) {
41 exec {"lxc-$contname-issue-cert":
42 command => "/usr/bin/puppet ca destroy \"$contname\";/usr/bin/puppet ca generate \"$contname\"",
43 unless => "/usr/bin/[ -f /var/lib/puppet/ssl/private_keys/$contname.pem ] && /usr/bin/[ -f /var/lib/puppet/ssl/certs/$contname.pem ]",
44 before => Exec["lxc-$contname-started"]
46 $ipv6 = $ipsv6[$contname]
48 exec{ "lxc-$contname-created":
49 logoutput => on_failure,
50 command => "/usr/bin/lxc-copy -n base-image -N $contname",
51 unless => "/usr/bin/test -d /var/lib/lxc/$contname",
53 require => [Package['lxc'],Exec['lxc-base-image-created']],
54 } -> file_line {"lxc-$contname-conf1":
55 path => "/var/lib/lxc/$contname/config",
56 line => 'lxc.network.type = veth',
57 notify => Exec["lxc-$contname-started"],
58 } -> file_line {"lxc-$contname-conf2":
59 path => "/var/lib/lxc/$contname/config",
60 line => 'lxc.network.link = lxcbr0',
61 notify => Exec["lxc-$contname-started"],
62 } -> file_line {"lxc-$contname-conf3":
63 path => "/var/lib/lxc/$contname/config",
64 line => 'lxc.network.flags = up',
65 notify => Exec["lxc-$contname-started"],
66 } -> file_line {"lxc-$contname-conf4":
67 path => "/var/lib/lxc/$contname/config",
68 line => "lxc.network.ipv4 = $ip/24",
69 notify => Exec["lxc-$contname-started"],
70 } -> file_line {"lxc-$contname-conf5":
71 path => "/var/lib/lxc/$contname/config",
72 line => 'lxc.network.ipv4.gateway = 10.0.3.1',
73 notify => Exec["lxc-$contname-started"],
74 } -> file_line {"lxc-$contname-conf6":
75 path => "/var/lib/lxc/$contname/config",
76 line => "lxc.network.ipv6 = $ipv6/64",
77 match => '^lxc\.network\.ipv6 =',
78 notify => Exec["lxc-$contname-started"],
79 } -> file_line {"lxc-$contname-conf7":
80 path => "/var/lib/lxc/$contname/config",
81 line => 'lxc.network.ipv6.gateway = fc00:0001::0000:0001',
82 match => '^lxc\.network\.ipv6\.gateway =',
83 notify => Exec["lxc-$contname-started"],
84 } -> file_line {"lxc-$contname-network":
85 path => "/var/lib/lxc/$contname/rootfs/etc/network/interfaces",
86 line => 'iface eth0 inet manual',
87 match => '^iface eth0 inet',
88 notify => Exec["lxc-$contname-started"],
89 } -> exec {"lxc-$contname-started":
92 # TODO use `systemctl is-system-running --wait` in systemd v240+
93 refresh => "/usr/bin/lxc-stop -n $contname ; /usr/bin/lxc-start -dn $contname; /usr/bin/lxc-attach -n $contname -- bash -c 'while ! [[ -S /run/systemd/private ]]; do sleep 1; done'",
94 }-> exec {"lxc-$contname-started1":
95 command => "/usr/bin/lxc-start -dn $contname; /usr/bin/lxc-attach -n $contname -- bash -c 'while ! [[ -S /run/systemd/private ]]; do sleep 1; done'",
96 unless => "/usr/bin/[ \"\$(lxc-info -Hsn $contname)\" != \"STOPPED\" ]",
98 $dir.each |String $in| {
99 file { "/var/lib/lxc/$contname/rootfs/$in":
100 ensure => 'directory',
101 notify => Exec["lxc-$contname-started"],
102 require => File_line["lxc-$contname-conf5"]
105 $bind.each |String $out, Struct[{target=>String, Optional[option]=>String}] $in| {
106 file_line { "lxc-$contname-mount-$out":
107 path => "/var/lib/lxc/$contname/config",
108 line => "lxc.mount.entry = $out ${in[target]} none bind${in[option]} 0 0",
109 require=> [File_line["lxc-$contname-conf5"], File["$out"]],
110 notify => Exec["lxc-$contname-started"],
113 file {"/data/log/$contname":
114 ensure => 'directory'
116 file_line { "lxc-$contname-mount-journal":
117 path => "/var/lib/lxc/$contname/config",
118 line => "lxc.mount.entry = /data/log/$contname var/log/journal none bind 0 0",
119 require=> File_line["lxc-$contname-conf5"],
120 notify => Exec["lxc-$contname-started"],
122 file {"/var/lib/lxc/$contname/rootfs/var/log/journal":
123 ensure => 'directory',
124 notify => Exec["lxc-$contname-started"],
125 require => File_line["lxc-$contname-conf5"]
127 $confline.each |Integer $idx, String $in| {
128 file_line { "lxc-$contname-confline-extra-$idx":
129 path => "/var/lib/lxc/$contname/config",
131 require=> File_line["lxc-$contname-conf5"],
132 notify => Exec["lxc-$contname-started"],
135 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet":
136 ensure => 'directory',
137 require => Exec["lxc-$contname-created"]
139 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl":
140 ensure => 'directory'
142 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/private_keys/":
143 ensure => 'directory'
145 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/certs/":
146 ensure => 'directory'
148 Exec["lxc-$contname-started1"] ->
149 file_line {"lxc-$contname-hosts":
150 path => "/var/lib/lxc/$contname/rootfs/etc/hosts",
151 line => '10.0.3.1 puppet puppet.lan host01';
153 file_line {"lxc-$contname-hosts-local":
154 path => "/var/lib/lxc/$contname/rootfs/etc/hosts",
155 line => "127.0.0.1 $contname"
157 file_line {"lxc-$contname-resolv1":
158 path => "/var/lib/lxc/$contname/rootfs/etc/resolv.conf",
160 match_for_absence => "true",
164 file_line {"lxc-$contname-resolv2":
165 path => "/var/lib/lxc/$contname/rootfs/etc/resolv.conf",
167 match_for_absence => "true",
171 exec {"lxc-$contname-install-puppet":
172 command => "/usr/bin/lxc-attach -n \"$contname\" -- apt-get update && /usr/bin/lxc-attach -n \"$contname\" -- apt-get install -y puppet",
174 creates => "/var/lib/lxc/$contname/rootfs/usr/bin/puppet"
176 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/private_keys/$contname.pem":
177 source => "file:///var/lib/puppet/ssl/private_keys/$contname.pem",
178 notify => Exec["lxc-$contname-puppet-restart"],
180 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/certs/$contname.pem":
181 source => "file:///var/lib/puppet/ssl/certs/$contname.pem",
182 notify => Exec["lxc-$contname-puppet-restart"],
184 exec {"lxc-$contname-puppet-restart":
185 command => "/usr/bin/lxc-attach -n $contname -- systemctl stop puppet",
187 refreshonly => 'true'
189 exec {"lxc-$contname-refresh":
190 command => "/usr/bin/lxc-attach -n $contname -- puppet agent --onetime --no-daemonize --verbose",
192 # TODO figure out a way to verify puppet launches
193 creates => "/var/lib/lxc/$contname/rootfs/certified"
194 ##creates => "/var/lib/lxc/$contname/rootfs/lib/systemd/system/puppet.service"
196 exec {"lxc-$contname-puppet-start":
197 command => "/usr/bin/lxc-attach -n $contname -- systemctl start puppet",
199 refreshonly => 'true'