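# Host-side LXC management.
#
# Installs lxc, builds one shared Debian stretch template container
# ("base-image"), configures the lxcbr0 bridge, and provides the
# lxc::container define which clones a container from the template, writes
# its network config and bootstraps a puppet agent inside it using a
# certificate issued on this host (the host runs the puppet CA; see the
# `puppet ca` calls and the 10.0.3.1 "puppet" hosts entry below).
#
# NOTE(review): no lxc.idmap / user-namespace settings are written anywhere
# here and containers live under /var/lib/lxc, so these look like privileged
# system containers started by root -- confirm before relying on the
# container boundary for isolation.
class lxc {
    # Per-container journald directories are created below this and
    # bind-mounted into the containers (see lxc::container).
    file {"/data/log":
        ensure => 'directory'
    }
    package{ 'lxc':
        ensure => 'installed'
    }->
    # Build the template exactly once; every container is an lxc-copy of it.
    # The apt lists are removed afterwards so each clone starts with an empty
    # package cache and runs its own apt-get update.
    exec {'lxc-base-image-created':
        logoutput => on_failure,
        # `rm` in the command is not path-qualified; do not depend on the
        # agent's inherited PATH.
        path      => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'],
        command => '/usr/bin/lxc-create -n base-image -t debian -- -r stretch --packages=gnupg2,puppet,lsb-release,debconf-utils && rm -r /var/lib/lxc/base-image/rootfs/var/lib/apt/lists',# gnupg2 needed for puppet managing apt-keys
        unless => '/usr/bin/test -d /var/lib/lxc/base-image',
        timeout => '0'
    }
    # Bridge setup. A change to the lxcbr0 interface file stops every
    # container except the template (so their veths are gone) and then
    # bounces the bridge; both execs are refreshonly and do nothing on an
    # unchanged run.
    package {'bridge-utils':
        ensure => 'installed'
    } -> file {'/etc/network/interfaces.d/lxcbr0':
        source => 'puppet:///modules/lxc/lxcbr0'
    } ~> exec{'stop all containers':
      command => '/bin/bash -c \'for i in $(lxc-ls); do if [[ $i != base-image ]]; then lxc-stop -n "$i"; fi; done\'',
      # lxc-ls / lxc-stop inside the bash -c string are resolved via PATH.
      path        => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'],
      refreshonly => true,
    } -> exec {'ifup lxcbr0':
      command => '/sbin/ifdown lxcbr0; /sbin/ifup lxcbr0',
      refreshonly => true,
      subscribe => File['/etc/network/interfaces.d/lxcbr0']
    }

    # One container cloned from base-image.
    #
    # Parameters:
    #   $contname  - container name; used as the LXC name, in filesystem
    #                paths under /var/lib/lxc and /data/log, as the puppet
    #                certname, and interpolated into shell commands, so it is
    #                restricted to a conservative character set below.
    #   $ip        - IPv4 address on lxcbr0 (written as $ip/24, gateway 10.0.3.1).
    #   $dir       - rootfs-relative directories to create inside the container.
    #   $bind      - host path => {target => container-relative path,
    #                option => optional extra mount option suffix}; each host
    #                path must already be declared as a File resource elsewhere.
    #   $confline  - extra raw lines appended to the container's LXC config.
    #
    # The IPv6 address is taken from $ipsv6[$contname], a hash expected to be
    # set in an outer scope (not declared in this module) -- confirm where it
    # comes from before adding containers.
    #
    # NOTE(review): the lxc.network.* keys are LXC 2.x syntax (matching the
    # stretch template); LXC 3 renamed them to lxc.net.0.*.
    define container (String $contname, $ip, $dir = [], $bind = {}, $confline = []) {
        # An empty or shell-special name would yield paths like
        # /var/lib/lxc//config and break the quoted commands below.
        if $contname !~ /^[A-Za-z0-9][A-Za-z0-9_.-]*$/ {
          fail("lxc::container: container name '${contname}' is empty or contains unsafe characters")
        }

        # Issue the agent certificate on the host CA whenever key or cert is
        # missing. Note this *destroys* any existing cert for the name first,
        # so a half-present pair is revoked and re-issued rather than repaired.
        exec {"lxc-$contname-issue-cert":
          command => "/usr/bin/puppet ca destroy \"$contname\";/usr/bin/puppet ca generate \"$contname\"",
          unless => "/usr/bin/[ -f /var/lib/puppet/ssl/private_keys/$contname.pem ] && /usr/bin/[ -f /var/lib/puppet/ssl/certs/$contname.pem ]",
          before => Exec["lxc-$contname-started"]
        }
        $ipv6 = $ipsv6[$contname]

        # Clone the template, then append the network settings to the LXC
        # config. Every config change notifies the restart exec so the
        # container is bounced once with the final config.
        exec{ "lxc-$contname-created":
            logoutput => on_failure,
            command   => "/usr/bin/lxc-copy -n base-image -N $contname",
            unless    => "/usr/bin/test -d /var/lib/lxc/$contname",
            timeout   => '0',
            require   => [Package['lxc'],Exec['lxc-base-image-created']],
        } -> file_line {"lxc-$contname-conf1":
            path   => "/var/lib/lxc/$contname/config",
            line   => 'lxc.network.type = veth',
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf2":
            path   => "/var/lib/lxc/$contname/config",
            line   => 'lxc.network.link = lxcbr0',
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf3":
            path   => "/var/lib/lxc/$contname/config",
            line   => 'lxc.network.flags = up',
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf4":
            path   => "/var/lib/lxc/$contname/config",
            line   => "lxc.network.ipv4 = $ip/24",
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf5":
            path   => "/var/lib/lxc/$contname/config",
            line   => 'lxc.network.ipv4.gateway = 10.0.3.1',
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf6":
            path   => "/var/lib/lxc/$contname/config",
            line   => "lxc.network.ipv6 = $ipv6/64",
            # `match` makes an address change replace the old line instead of
            # adding a second one.
            match  => '^lxc\.network\.ipv6 =',
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf7":
            path   => "/var/lib/lxc/$contname/config",
            line   => 'lxc.network.ipv6.gateway = fc00:0001::0000:0001',
            match  => '^lxc\.network\.ipv6\.gateway =',
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-network":
            # Addressing is done by LXC, so the guest must not run DHCP on eth0.
            path   => "/var/lib/lxc/$contname/rootfs/etc/network/interfaces",
            line   => 'iface eth0 inet manual',
            match  => '^iface eth0 inet',
            notify => Exec["lxc-$contname-started"],
        } -> exec {"lxc-$contname-started":
            path => '/usr/bin',
            # Never runs on its own (refreshonly); when notified, `refresh`
            # restarts the container and waits until systemd inside it is
            # reachable so later lxc-attach calls work.
            refreshonly   => true,
            refresh   => "/usr/bin/lxc-stop -n $contname ; /usr/bin/lxc-start -dn $contname; /usr/bin/lxc-attach -n $contname -- bash -c 'while ! [[ -S /run/systemd/private ]]; do sleep 1; done'",
        }-> exec {"lxc-$contname-started1":
            # Ensure the container is running on every run (e.g. after a host reboot).
            command   => "/usr/bin/lxc-start -dn $contname; /usr/bin/lxc-attach -n $contname -- bash -c 'while ! [[ -S /run/systemd/private ]]; do sleep 1; done'",
            unless    => "/usr/bin/[ \"\$(lxc-info -Hsn $contname)\" != \"STOPPED\" ]",
        }
        $dir.each |String $in| {
          file { "/var/lib/lxc/$contname/rootfs/$in":
            ensure  => 'directory',
            notify => Exec["lxc-$contname-started"],
            require => File_line["lxc-$contname-conf5"]
          }
        }
        # Bind mounts: the host side ($out) must be a File resource declared
        # by the caller; `option` (if given) is appended directly after "bind",
        # so pass it with its leading comma, e.g. ",ro".
        $bind.each |String $out, Struct[{target=>String, Optional[option]=>String}] $in| {
          file_line { "lxc-$contname-mount-$out":
           path   => "/var/lib/lxc/$contname/config",
           line   => "lxc.mount.entry = $out ${in[target]} none bind${in[option]} 0 0",
           require=> [File_line["lxc-$contname-conf5"], File["$out"]],
           notify  => Exec["lxc-$contname-started"],
          }
        }
        # Persist the container's journal on the host under /data/log/<name>.
        file {"/data/log/$contname":
           ensure => 'directory'
        }->
        file_line { "lxc-$contname-mount-journal":
           path   => "/var/lib/lxc/$contname/config",
           line   => "lxc.mount.entry = /data/log/$contname var/log/journal none bind 0 0",
           require=> File_line["lxc-$contname-conf5"],
           notify  => Exec["lxc-$contname-started"],
        }
        file {"/var/lib/lxc/$contname/rootfs/var/log/journal":
            ensure  => 'directory',
            notify => Exec["lxc-$contname-started"],
            require => File_line["lxc-$contname-conf5"]
        }
        $confline.each |Integer $idx, String $in| {
         file_line { "lxc-$contname-confline-extra-$idx":
           path   => "/var/lib/lxc/$contname/config",
           line   => "$in",
           require=> File_line["lxc-$contname-conf5"],
           notify  => Exec["lxc-$contname-started"],
         }
        }
        # Agent SSL layout inside the container rootfs. The rootfs is a plain
        # host directory, so permissions set here are what the guest sees.
        file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet":
             ensure => 'directory',
             require => Exec["lxc-$contname-created"]
        }
        file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl":
             ensure => 'directory'
        }
        file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/private_keys/":
             ensure => 'directory',
             mode   => '0750'
        }
        file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/certs/":
             ensure => 'directory'
        }
        # Guest bootstrap, only once the container is up: hosts/resolv fixups,
        # make sure puppet is installed, copy in the pre-issued key pair, then
        # run the agent once.
        Exec["lxc-$contname-started1"] ->
        file_line {"lxc-$contname-hosts":
            path   => "/var/lib/lxc/$contname/rootfs/etc/hosts",
            line   => '10.0.3.1 puppet puppet.lan host01'
        }->
        file_line {"lxc-$contname-hosts-local":
            path   => "/var/lib/lxc/$contname/rootfs/etc/hosts",
            line   => "127.0.0.1 $contname"
        }->
        # Strip any domain/search lines the template left in resolv.conf.
        file_line {"lxc-$contname-resolv1":
            path   => "/var/lib/lxc/$contname/rootfs/etc/resolv.conf",
            ensure => 'absent',
            match_for_absence => "true",
            match  => '^domain ',
            line   => ''
        }->
        file_line {"lxc-$contname-resolv2":
            path   => "/var/lib/lxc/$contname/rootfs/etc/resolv.conf",
            ensure => 'absent',
            match_for_absence => "true",
            match  => '^search ',
            line   => ''
        } ->
        # base-image already ships puppet, so this normally only matters if
        # the template was built without it.
        exec {"lxc-$contname-install-puppet":
          command => "/usr/bin/lxc-attach -n \"$contname\" -- apt-get update && /usr/bin/lxc-attach -n \"$contname\" -- apt-get install -y puppet",
          timeout => '0',
          creates => "/var/lib/lxc/$contname/rootfs/usr/bin/puppet"
        } ->
        file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/private_keys/$contname.pem":
          source    => "file:///var/lib/puppet/ssl/private_keys/$contname.pem",
          # Agent private key: without an explicit mode a new file is created
          # world-readable inside the guest. Root-only, and keep the key out of
          # diffs, reports and the filebucket.
          owner     => 'root',
          group     => 'root',
          mode      => '0600',
          show_diff => false,
          backup    => false,
          notify    => Exec["lxc-$contname-puppet-restart"],
        } ->
        file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/certs/$contname.pem":
          source => "file:///var/lib/puppet/ssl/certs/$contname.pem",
          mode   => '0644',
          notify => Exec["lxc-$contname-puppet-restart"],
        }
        # Stop the agent service before swapping credentials, run one agent
        # pass in the foreground, then start the service again.
        exec {"lxc-$contname-puppet-restart":
          command => "/usr/bin/lxc-attach -n $contname -- systemctl stop puppet",
          timeout   => '0',
          refreshonly => 'true'
        } ~>
        exec {"lxc-$contname-refresh":
          command => "/usr/bin/lxc-attach -n $contname -- puppet agent --onetime --no-daemonize --verbose",
          timeout   => '0',
          # TODO figure out a way to verify puppet launches
          creates => "/var/lib/lxc/$contname/rootfs/certified"
          ##creates => "/var/lib/lxc/$contname/rootfs/lib/systemd/system/puppet.service"
        } ~>
        exec {"lxc-$contname-puppet-start":
          command => "/usr/bin/lxc-attach -n $contname -- systemctl start puppet",
          timeout   => '0',
          refreshonly => 'true'
        }
    }

}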