diff --git a/lxc/defaults/main.yml b/lxc/defaults/main.yml
new file mode 100644
index 00000000..86636da2
--- /dev/null
+++ b/lxc/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# Should LXC containers run in unprivilegied (non root) mode?
+lxc_unprivilegied_containers: true
+
+# Network type to use. See lxc.container.conf(5).
+lxc_network_type: "none"
+
+# Partition to bind mount into containers.
+lxc_mount_part: "/home"
+
+# List of LXC containers to create.
+# Eg.:
+# lxc_containers:
+# - name: php56
+# release: jessie
+# - name: php70
+# release: stretch
+lxc_containers: []
diff --git a/lxc/tasks/create-container.yml b/lxc/tasks/create-container.yml
new file mode 100644
index 00000000..fc4b5a72
--- /dev/null
+++ b/lxc/tasks/create-container.yml
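Review bot: `lxc_mount_part: "/home"` is documented as the partition to bind mount into containers, but its only consumer, the `lxc.mount.entry` line in lxc/templates/default.conf, is itself commented out, so this default has no effect and the comment is misleading. Either uncomment that line in the template or reword this comment, e.g. `# Host path to bind mount into containers (mount entry currently disabled in templates/default.conf).`. If it is enabled later, note that the default shares the whole host /home with every container, and that files owned by host ids outside the container's id map typically show up as nobody/nogroup inside an unprivileged container. Also `unprivilegied` in the comment and in the variable name is a typo for `unprivileged`; since the variable is this role's public interface, renaming it now (here and in default.conf) is cheaper than once inventories depend on it.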
@@ -0,0 +1,52 @@
+---
+- name: Check if container exists
+ command: "lxc-ls {{name}}"
+ register: container_exists
+
+- name: Create container
+ command: "lxc-create -n {{name}} -t download -- --dist debian --release {{release}} --arch amd64"
+ when: container_exists.stdout_lines == []
+
+- name: Disable network configuration inside container
+ replace:
+ name: "/var/lib/lxc/{{name}}/rootfs/etc/default/networking"
+ regexp: "^#CONFIGURE_INTERFACES=yes"
+ replace: CONFIGURE_INTERFACES=no
+ when: lxc_network_type == "none"
+
+- name: Disable interface shut down on halt inside container
+ lineinfile:
+ name: "/var/lib/lxc/{{name}}/rootfs/etc/default/halt"
+ line: "NETDOWN=no"
+ when: lxc_network_type == "none"
+
+- name: Make the container poweroff on SIGPWR (sent by lxc-stop) on jessie
+ file:
+ src: /lib/systemd/system/poweroff.target
+ dest: "/var/lib/lxc/{{name}}/rootfs/etc/systemd/system/sigpwr.target"
+ state: link
+ when: release == 'jessie'
+
+- name: Set the DNS resolvers
+ command: "cp /etc/resolv.conf /var/lib/lxc/{{name}}/rootfs/etc/"
+
+- name: Add hostname in /etc/hosts
+ lineinfile:
+ name: "/var/lib/lxc/{{name}}/rootfs/etc/hosts"
+ line: "127.0.0.1 {{name}}"
+
+# Still needed?
+- name: Fix permission on /dev
+ lineinfile:
+ name: "/var/lib/lxc/{{name}}/rootfs/etc/rc.local"
+ line: "chmod 755 /dev"
+ insertbefore: "^exit 0$"
+
+- name: Check if container is running
+ command: "lxc-ls --running {{name}}"
+ register: container_running
+
+- name: "Start {{name}} container"
+ command: "lxc-start -dn {{name}}"
+ when: container_running.stdout_lines == []
+
diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml
new file mode 100644
index 00000000..e92e7d39
--- /dev/null
+++ b/lxc/tasks/main.yml
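Review bot: The existence check `command: "lxc-ls {{name}}"` is not exact: lxc-ls treats its argument as a name filter (a regular expression, as far as I recall), so with `lxc_containers` entries such as `php5` and `php56` the shorter name would be reported as existing and `Create container` skipped. An exact check is `command: "lxc-info -n {{name}}"`, which exits non-zero for an unknown container, together with `failed_when: false` and `when: container_exists.rc != 0` on the create task; the `lxc-ls --running` check further down has the same weakness. Both check tasks and `Set the DNS resolvers` also report changed on every run, so the role is never idempotent; add `changed_when: false` to the checks and replace the `cp` with the `copy` module using `remote_src: true`. The `# Still needed?` comment on the rc.local task should either be answered or turned into a dated TODO naming what would let it be removed.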
@@ -0,0 +1,21 @@
+---
+- name: Install lxc tools
+ apt:
+ name: lxc
+
+- name: Copy LXC default containers configuration
+ template:
+ src: default.conf
+ dest: /etc/lxc/
+
+- name: Check if root has subuids
+ command: grep '^root:100000:10000$' /etc/subuid
+ register: root_subuids
+
+- name: Add subuid and subgid ranges to root
+ command: usermod -v 100000-199999 -w 100000-109999 root
+ when: not root_subuids.rc
+
+- name: Create containers
+ include: "create-container.yml name={{item.name}} release={{item.release}}"
+ with_items: lxc_containers
diff --git a/lxc/templates/default.conf b/lxc/templates/default.conf
new file mode 100644
index 00000000..5aaf824e
--- /dev/null
+++ b/lxc/templates/default.conf
@@ -0,0 +1,22 @@
+{% if lxc_unprivilegied_containers %}
+# Run containers in unprivilegied mode.
+# Map both user and group IDs in range 0-9999 in the container to the IDs
+# 100000-109999 on the host.
+lxc.id_map = u 0 100000 10000
+lxc.id_map = g 0 100000 10000
+
+{% endif %}
+# Set the default network virtualization method.
+lxc.network.type = {{lxc_network_type}}
+
+{% if lxc_mount_part %}
+# Mount {{lxc_mount_part}} into containers.
+# lxc.mount.entry = {{lxc_mount_part}} {{lxc_mount_part |replace('/', '')}} none bind 0 0
+
+{% endif %}
+# Only one tty is enough.
+# This require that you disabled others tty ([2-6]) in systemd.
+lxc.tty = 1
+
+# Run 64bits containers
+lxc.arch = x86_64
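Review bot: The `usermod` guard `when: not root_subuids.rc` is inverted, and the preceding `grep` task cannot feed it anyway: grep exits 1 when the range is missing, which fails the `command` task and aborts the play before `usermod` is reached, while rc 0 (range present) makes `not 0` true and re-runs `usermod`. Add `failed_when: false` and `changed_when: false` to the grep task and change the guard to `when: root_subuids.rc != 0`. The pattern also does not match what usermod writes: `-v 100000-199999` is 100000 ids, recorded in /etc/subuid as `root:100000:100000`, whereas the grep looks for a count of `10000`, so even with the guard fixed the check never matches; align the pattern with the range, or shrink `-v` to `100000-109999`, which is all the template's `lxc.id_map` needs and keeps subuid and subgid symmetric. Separately, `with_items: lxc_containers` is a bare variable reference; write `with_items: "{{ lxc_containers }}"`.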
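Review bot: `lxc_unprivilegied_containers` is misspelled (`unprivileged`), here and in lxc/defaults/main.yml where it is defined, and the comment on the second line repeats the typo; since this is a role variable users will set in inventory, fix the name in both files before it spreads. The `lxc.id_map` lines depend on the subuid/subgid ranges granted to root by the `usermod` task in lxc/tasks/main.yml, and nothing in this template says so; a comment such as `# Must stay within the subuid/subgid ranges granted to root in tasks/main.yml.` would keep the two files from drifting apart. The tty comment would read better as `# This requires that the other ttys ([2-6]) are disabled in systemd.`.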