8 define container ($contname, $ip, $dir = [], $bind = {}, $confline = []) {
9 exec {"lxc-$contname-issue-cert":
10 command => "/usr/bin/puppet ca destroy \"$contname\";/usr/bin/puppet ca generate \"$contname\"",
11 unless => "/usr/bin/[ -f /var/lib/puppet/ssl/private_keys/$contname.pem ] && /usr/bin/[ -f /var/lib/puppet/ssl/certs/$contname.pem ]",
12 before => Exec["lxc-$contname-started"]
15 exec{ "lxc-$contname-created":
16 logoutput => on_failure,
17 command => "/usr/bin/lxc-create -n $contname -t debian -- -r stretch --packages=gnupg2", ## requires gnupg for puppet seed
18 unless => "/usr/bin/test -d /var/lib/lxc/$contname",
20 require => Package['lxc'],
21 } -> file_line {"lxc-$contname-conf1":
22 path => "/var/lib/lxc/$contname/config",
23 line => 'lxc.network.type = veth',
24 notify => Exec["lxc-$contname-started"],
25 } -> file_line {"lxc-$contname-conf2":
26 path => "/var/lib/lxc/$contname/config",
27 line => 'lxc.network.link = lxcbr0',
28 notify => Exec["lxc-$contname-started"],
29 } -> file_line {"lxc-$contname-conf3":
30 path => "/var/lib/lxc/$contname/config",
31 line => 'lxc.network.flags = up',
32 notify => Exec["lxc-$contname-started"],
33 } -> file_line {"lxc-$contname-conf4":
34 path => "/var/lib/lxc/$contname/config",
35 line => "lxc.network.ipv4 = $ip/24",
36 notify => Exec["lxc-$contname-started"],
37 } -> file_line {"lxc-$contname-conf5":
38 path => "/var/lib/lxc/$contname/config",
39 line => 'lxc.network.ipv4.gateway = 10.0.3.1',
40 notify => Exec["lxc-$contname-started"],
41 } -> file_line {"lxc-$contname-network":
42 path => "/var/lib/lxc/$contname/rootfs/etc/network/interfaces",
43 line => 'iface eth0 inet manual',
44 match => '^iface eth0 inet',
45 notify => Exec["lxc-$contname-started"],
46 } -> exec {"lxc-$contname-started":
49 refresh => "/usr/bin/lxc-stop -n $contname ; /usr/bin/lxc-start -dn $contname",
50 }-> exec {"lxc-$contname-started1":
51 command => "/usr/bin/lxc-start -dn $contname",
52 unless => "/usr/bin/[ \"\$(lxc-info -Hsn $contname)\" != \"STOPPED\" ]",
54 $dir.each |String $in| {
55 file { "/var/lib/lxc/$contname/rootfs/$in":
56 ensure => 'directory',
57 notify => Exec["lxc-$contname-started"],
58 require => File_line["lxc-$contname-conf5"]
61 $bind.each |String $out, Struct[{target=>String, Optional[option]=>String}] $in| {
62 file_line { "lxc-$contname-mount-$out":
63 path => "/var/lib/lxc/$contname/config",
64 line => "lxc.mount.entry = $out ${in[target]} none bind${in[option]} 0 0",
65 require=> File_line["lxc-$contname-conf5"],
66 notify => Exec["lxc-$contname-started"],
69 file {"/data/log/$contname":
72 file_line { "lxc-$contname-mount-journal":
73 path => "/var/lib/lxc/$contname/config",
74 line => "lxc.mount.entry = /data/log/$contname var/log/journal none bind 0 0",
75 require=> File_line["lxc-$contname-conf5"],
76 notify => Exec["lxc-$contname-started"],
78 file {"/var/lib/lxc/$contname/rootfs/var/log/journal":
79 ensure => 'directory',
80 notify => Exec["lxc-$contname-started"],
81 require => File_line["lxc-$contname-conf5"]
83 $confline.each |Integer $idx, String $in| {
84 file_line { "lxc-$contname-confline-extra-$idx":
85 path => "/var/lib/lxc/$contname/config",
87 require=> File_line["lxc-$contname-conf5"],
88 notify => Exec["lxc-$contname-started"],
91 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet":
92 ensure => 'directory',
93 require => Exec["lxc-$contname-created"]
95 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl":
98 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/private_keys/":
101 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/certs/":
102 ensure => 'directory'
104 Exec["lxc-$contname-started1"] ->
105 file_line {"lxc-$contname-hosts":
106 path => "/var/lib/lxc/$contname/rootfs/etc/hosts",
107 line => '10.0.3.1 puppet puppet.lan host01';
109 file_line {"lxc-$contname-hosts-local":
110 path => "/var/lib/lxc/$contname/rootfs/etc/hosts",
111 line => "127.0.0.1 $contname"
113 file_line {"lxc-$contname-resolv1":
114 path => "/var/lib/lxc/$contname/rootfs/etc/resolv.conf",
116 match_for_absence => "true",
120 file_line {"lxc-$contname-resolv2":
121 path => "/var/lib/lxc/$contname/rootfs/etc/resolv.conf",
123 match_for_absence => "true",
127 exec {"lxc-$contname-install-puppet":
128 command => "/usr/bin/lxc-attach -n \"$contname\" -- apt-get update && /usr/bin/lxc-attach -n \"$contname\" -- apt-get install -y puppet",
130 creates => "/var/lib/lxc/$contname/rootfs/usr/bin/puppet"
132 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/private_keys/$contname.pem":
133 source => "file:///var/lib/puppet/ssl/private_keys/$contname.pem",
134 notify => Exec["lxc-$contname-puppet-restart"],
136 file {"/var/lib/lxc/$contname/rootfs/var/lib/puppet/ssl/certs/$contname.pem":
137 source => "file:///var/lib/puppet/ssl/certs/$contname.pem",
138 notify => Exec["lxc-$contname-puppet-restart"],
140 exec {"lxc-$contname-puppet-restart":
141 command => "/usr/bin/lxc-attach -n $contname -- systemctl restart puppet",
143 refreshonly => 'true'
145 exec {"lxc-$contname-refresh":
146 command => "/usr/bin/lxc-attach -n $contname -- puppet agent --onetime --no-daemonize --verbose",
# TODO figure out a way to verify puppet actually launches: the only guard on this exec is
# the `creates` sentinel below, a file inside the container's rootfs that nothing in this
# excerpt writes, so the one-time agent run repeats on every host run until it exists;
# since the path lives in the container's own filesystem, container root can presumably
# create or remove it to suppress or force this run — treat it as a hint, not a check.
149 creates => "/var/lib/lxc/$contname/rootfs/certified"
150 ##creates => "/var/lib/lxc/$contname/rootfs/lib/systemd/system/puppet.service"