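# Manages an LXC host: the shared container log directory, the lxc package,
# and the `lxc::container` define that builds, networks and enrols containers
# against the host's puppet CA.
class lxc {
    file {"/data/log":
        ensure => 'directory'
    }
    package{ 'lxc':
        ensure => 'installed'
    }

    # Builds a Debian stretch container, attaches it to lxcbr0 with a static
    # address, bind-mounts the requested host paths, installs puppet inside it
    # and seeds it with a key pair issued by the host CA.
    #
    # @param contname   Container name. Restricted to [A-Za-z0-9_.-] because it
    #                   is interpolated unquoted into exec commands (shell) and
    #                   into filesystem paths on the host.
    # @param ip         Dotted-quad IPv4 address for eth0, without prefix length.
    # @param dir        Rootfs-relative paths to create as directories.
    # @param bind       host_path => { target => rootfs-relative mount point,
    #                   option => text written verbatim after 'bind' in the
    #                   mount entry (so include the leading comma) }.
    # @param confline   Extra verbatim lines added to the container config.
    # @param gateway    Default gateway handed to the container; the lxcbr0
    #                   host address by default.
    # @param prefix_len Prefix length written next to $ip in the container config.
    define container (
        Pattern[/\A[A-Za-z0-9_.-]+\z/] $contname,
        Pattern[/\A\d{1,3}(\.\d{1,3}){3}\z/] $ip,
        Array[String] $dir = [],
        Hash[String, Struct[{target=>String, Optional[option]=>String}]] $bind = {},
        Array[String] $confline = [],
        String $gateway = '10.0.3.1',
        Integer[0, 32] $prefix_len = 24
    ) {
        # Paths every resource below refers to; kept in one place so the
        # layout can only be changed consistently.
        $config = "/var/lib/lxc/${contname}/config"
        $rootfs = "/var/lib/lxc/${contname}/rootfs"

        # (Re)issue the container's agent certificate on the host CA whenever
        # either half of the key pair is missing on the host. The destroy runs
        # first so a stale cert for the same name does not block generation.
        exec {"lxc-$contname-issue-cert":
            command => "/usr/bin/puppet ca destroy \"$contname\";/usr/bin/puppet ca generate \"$contname\"",
            unless  => "/usr/bin/[ -f /var/lib/puppet/ssl/private_keys/$contname.pem ] && /usr/bin/[ -f /var/lib/puppet/ssl/certs/$contname.pem ]",
            before  => Exec["lxc-$contname-started"]
        }

        # Create the container once, then lay down the network config. Every
        # config change notifies the restart exec so the container picks it up.
        exec{ "lxc-$contname-created":
            logoutput => on_failure,
            command   => "/usr/bin/lxc-create -n $contname -t debian -- -r stretch --packages=gnupg2", ## requires gnupg for puppet seed
            unless    => "/usr/bin/test -d /var/lib/lxc/$contname",
            timeout   => '0',
            require   => Package['lxc'],
        } -> file_line {"lxc-$contname-conf1":
            path   => $config,
            line   => 'lxc.network.type = veth',
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf2":
            path   => $config,
            line   => 'lxc.network.link = lxcbr0',
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf3":
            path   => $config,
            line   => 'lxc.network.flags = up',
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf4":
            path   => $config,
            line   => "lxc.network.ipv4 = ${ip}/${prefix_len}",
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-conf5":
            path   => $config,
            line   => "lxc.network.ipv4.gateway = ${gateway}",
            notify => Exec["lxc-$contname-started"],
        } -> file_line {"lxc-$contname-network":
            # The address is set by lxc itself, so the guest must not try DHCP.
            path   => "${rootfs}/etc/network/interfaces",
            line   => 'iface eth0 inet manual',
            match  => '^iface eth0 inet',
            notify => Exec["lxc-$contname-started"],
        } -> exec {"lxc-$contname-started":
            # Refresh-only: restarts the container when any config line changed.
            path        => '/usr/bin',
            refreshonly => true,
            refresh     => "/usr/bin/lxc-stop -n $contname ; /usr/bin/lxc-start -dn $contname",
        }-> exec {"lxc-$contname-started1":
            # Ensures the container is running on every run, not only after a
            # refresh. The unless check calls an unqualified lxc-info, hence path.
            path      => '/usr/bin:/bin',
            command   => "/usr/bin/lxc-start -dn $contname",
            unless    => "/usr/bin/[ \"\$(lxc-info -Hsn $contname)\" != \"STOPPED\" ]",
        }

        # Directories the caller wants present inside the rootfs.
        $dir.each |String $subdir| {
            file { "${rootfs}/${subdir}":
                ensure  => 'directory',
                notify  => Exec["lxc-$contname-started"],
                require => File_line["lxc-$contname-conf5"]
            }
        }

        # Bind mounts: host path => rootfs-relative target. A missing 'option'
        # interpolates as empty, giving a plain 'bind'.
        $bind.each |String $hostpath, Struct[{target=>String, Optional[option]=>String}] $spec| {
            file_line { "lxc-$contname-mount-$hostpath":
                path    => $config,
                line    => "lxc.mount.entry = ${hostpath} ${spec[target]} none bind${spec[option]} 0 0",
                require => File_line["lxc-$contname-conf5"],
                notify  => Exec["lxc-$contname-started"],
            }
        }

        # Persist the container's journal on the host under /data/log.
        file {"/data/log/$contname":
            ensure => 'directory'
        }->
        file_line { "lxc-$contname-mount-journal":
            path    => $config,
            line    => "lxc.mount.entry = /data/log/$contname var/log/journal none bind 0 0",
            require => File_line["lxc-$contname-conf5"],
            notify  => Exec["lxc-$contname-started"],
        }
        file {"${rootfs}/var/log/journal":
            ensure  => 'directory',
            notify  => Exec["lxc-$contname-started"],
            require => File_line["lxc-$contname-conf5"]
        }

        # Caller-supplied config lines, written verbatim in list order.
        $confline.each |Integer $idx, String $extra| {
            file_line { "lxc-$contname-confline-extra-$idx":
                path    => $config,
                line    => $extra,
                require => File_line["lxc-$contname-conf5"],
                notify  => Exec["lxc-$contname-started"],
            }
        }

        # Agent ssl tree inside the rootfs. private_keys is kept group/other
        # unreadable as the agent itself would create it; the puppet agent in
        # the container is expected to run as root — confirm if that changes.
        file {"${rootfs}/var/lib/puppet":
            ensure  => 'directory',
            require => Exec["lxc-$contname-created"]
        }
        file {"${rootfs}/var/lib/puppet/ssl":
            ensure => 'directory'
        }
        file {"${rootfs}/var/lib/puppet/ssl/private_keys/":
            ensure => 'directory',
            mode   => '0750'
        }
        file {"${rootfs}/var/lib/puppet/ssl/certs/":
            ensure => 'directory'
        }

        # Once the container runs: name resolution for the master, puppet
        # install, key pair seeding and a first agent run.
        Exec["lxc-$contname-started1"] ->
        file_line {"lxc-$contname-hosts":
            path   => "${rootfs}/etc/hosts",
            line   => '10.0.3.1 puppet puppet.lan host01';
        }->
        file_line {"lxc-$contname-hosts-local":
            path   => "${rootfs}/etc/hosts",
            line   => "127.0.0.1 $contname"
        }->
        file_line {"lxc-$contname-resolv1":
            path              => "${rootfs}/etc/resolv.conf",
            ensure            => 'absent',
            match_for_absence => "true",
            match             => '^domain ',
            line              => ''
        }->
        file_line {"lxc-$contname-resolv2":
            path              => "${rootfs}/etc/resolv.conf",
            ensure            => 'absent',
            match_for_absence => "true",
            match             => '^search ',
            line              => ''
        } ->
        exec {"lxc-$contname-install-puppet":
            command => "/usr/bin/lxc-attach -n \"$contname\" -- apt-get update && /usr/bin/lxc-attach -n \"$contname\" -- apt-get install -y puppet",
            timeout => '0',
            creates => "${rootfs}/usr/bin/puppet"
        } ->
        file {"${rootfs}/var/lib/puppet/ssl/private_keys/$contname.pem":
            # The agent's private key: without an explicit mode the copy would
            # be created with the default permissions and be readable by every
            # process in the container.
            source => "file:///var/lib/puppet/ssl/private_keys/$contname.pem",
            mode   => '0600',
            notify => Exec["lxc-$contname-puppet-restart"],
        } ->
        file {"${rootfs}/var/lib/puppet/ssl/certs/$contname.pem":
            source => "file:///var/lib/puppet/ssl/certs/$contname.pem",
            notify => Exec["lxc-$contname-puppet-restart"],
        } ->
        exec {"lxc-$contname-puppet-restart":
            command     => "/usr/bin/lxc-attach -n $contname -- systemctl restart puppet",
            timeout     => '0',
            refreshonly => 'true'
        } ->
        exec {"lxc-$contname-refresh":
            command => "/usr/bin/lxc-attach -n $contname -- puppet agent --onetime --no-daemonize --verbose",
            timeout => '0',
            # TODO figure out a way to verify puppet launches
            creates => "${rootfs}/certified"
            ##creates => "/var/lib/lxc/$contname/rootfs/lib/systemd/system/puppet.service"
        }
    }

}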