-
-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix LXC container implementations #231
Merged
timothystewart6
merged 21 commits into
techno-tim:master
from
Nomsplease:proxmox_lxc_improvement
Mar 3, 2023
Merged
Changes from all commits
Commits
Show all changes
21 commits
Select commit
Hold shift + click to select a range
8ad2cf4
Need to become to reboot
Nomsplease 50664b8
Fix rc.local insertion of script
Nomsplease d22b6d3
Fix syntax
Nomsplease d540524
Merge branch 'techno-tim:master' into master
Nomsplease d2727ee
Remove need to set fact
Nomsplease d6771e8
Add reset for LXC container config
Nomsplease 946c522
Fix syntax
Nomsplease b52bb77
remove fact setting from reset task
Nomsplease b3a57c8
Merge branch 'master' into master
timothystewart6 450387e
Merge branch 'techno-tim:master' into master
Nomsplease 6003482
Proxmox LXC reset functions
Nomsplease 0e2ad8e
Handle if rc.local already has data
Nomsplease b63c221
Dont compare literal
Nomsplease 01c8619
Cleanup Erroneous newline
Nomsplease 23150bc
Handle rc.local not present on a hybrid cluster
Nomsplease a2ad4a6
Merge branch 'master' into proxmox_lxc_improvement
Nomsplease 8b52db3
Update roles/reset/tasks/main.yml
timothystewart6 7ba8f71
Update roles/lxc/tasks/main.yml
timothystewart6 0f7384b
Merge branch 'master' into proxmox_lxc_improvement
timothystewart6 74f5c9d
Merge branch 'master' into proxmox_lxc_improvement
timothystewart6 438888f
Merge branch 'master' into proxmox_lxc_improvement
Nomsplease File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,4 @@ | ||
| --- | ||
| - name: reboot server | ||
| become: true | ||
| reboot: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,21 @@ | ||
| --- | ||
| - name: configure rc.local for proxmox lxc containers | ||
| copy: | ||
| src: "{{ playbook_dir }}/scripts/rc.local" | ||
| dest: "/etc/rc.local" | ||
| - name: Check for rc.local file | ||
| stat: | ||
| path: /etc/rc.local | ||
| register: rcfile | ||
|
|
||
| - name: Create rc.local if needed | ||
| lineinfile: | ||
| path: /etc/rc.local | ||
| line: "#!/bin/sh -e" | ||
| create: true | ||
| insertbefore: BOF | ||
| mode: "u=rwx,g=rx,o=rx" | ||
| when: not rcfile.stat.exists | ||
|
|
||
| - name: Write rc.local file | ||
| blockinfile: | ||
| path: /etc/rc.local | ||
| content: "{{ lookup('template', 'templates/rc.local.j2') }}" | ||
| state: present | ||
| notify: reboot server |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| --- | ||
| - name: reboot containers | ||
| command: | ||
| "pct reboot {{ item }}" | ||
| loop: "{{ proxmox_lxc_filtered_ids }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| --- | ||
| - name: check for container files that exist on this host | ||
| stat: | ||
| path: "/etc/pve/lxc/{{ item }}.conf" | ||
| loop: "{{ proxmox_lxc_ct_ids }}" | ||
| register: stat_results | ||
|
|
||
| - name: filter out files that do not exist | ||
| set_fact: | ||
| proxmox_lxc_filtered_files: | ||
| '{{ stat_results.results | rejectattr("stat.exists", "false") | map(attribute="stat.path") }}' | ||
|
|
||
| # used for the reboot handler | ||
| - name: get container ids from filtered files | ||
| set_fact: | ||
| proxmox_lxc_filtered_ids: | ||
| '{{ proxmox_lxc_filtered_files | map("split", "/") | map("last") | map("split", ".") | map("first") }}' | ||
|
|
||
Nomsplease marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| - name: Remove LXC apparmor profile | ||
| lineinfile: | ||
| dest: "{{ item }}" | ||
| regexp: "^lxc.apparmor.profile" | ||
| line: "lxc.apparmor.profile: unconfined" | ||
| state: absent | ||
| loop: "{{ proxmox_lxc_filtered_files }}" | ||
| notify: reboot containers | ||
|
|
||
| - name: Remove lxc cgroups | ||
| lineinfile: | ||
| dest: "{{ item }}" | ||
| regexp: "^lxc.cgroup.devices.allow" | ||
| line: "lxc.cgroup.devices.allow: a" | ||
| state: absent | ||
| loop: "{{ proxmox_lxc_filtered_files }}" | ||
| notify: reboot containers | ||
|
|
||
| - name: Remove lxc cap drop | ||
| lineinfile: | ||
| dest: "{{ item }}" | ||
| regexp: "^lxc.cap.drop" | ||
| line: "lxc.cap.drop: " | ||
| state: absent | ||
| loop: "{{ proxmox_lxc_filtered_files }}" | ||
| notify: reboot containers | ||
|
|
||
| - name: Remove lxc mounts | ||
| lineinfile: | ||
| dest: "{{ item }}" | ||
| regexp: "^lxc.mount.auto" | ||
| line: 'lxc.mount.auto: "proc:rw sys:rw"' | ||
| state: absent | ||
| loop: "{{ proxmox_lxc_filtered_files }}" | ||
| notify: reboot containers | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this always run? I suppose there is a chance that the user configured these values outside of this playbook, and this would remove them
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like it should, only because I consider this playbook as a it should configure and manage everything. If we don't we could leave security issues where they don't need to exist without user knowledge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think I agree, think the logic here should be that we assume these hosts are dedicated to k3s, so we should make sure this stuff is torn down through the reset process. Don't feel too strongly here though. Would just mean removing this when condition.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That or the user just does not specify that the LXC is configured and hits those functions manually. I personally do this as the LXCs are dedicated solely to K3s, as I imagine most people do.