requirements.yml file
requirements.yml file to install role
Ansible role used to generate or teardown a LXD container test environment. This role is intended to be used as a base for testing other roles and playbooks.
Example playbooks for both use cases are provided.
Future versions of this role are intended to better handle these issues.
sudo lxd init already run
atc0005.lxd-host
role role is intended
to handle this, though as of this writing that role is still incompleteThe state variable is set outside of the role to act as a control flag for
either building up a test environment or tearing it down.
create or removeRole variables are set within default/main.yml.
Though most variables are intended for use solely at either LXD host or LXD
container level, setting them at higher levels of precedence (e.g., playbook
task variable) will override variables of the same name set at lower levels
(e.g., group_vars/all.yml or host_vars/ansible-centos-1.yml). This
follows established Ansible variable
precedence
behavior.
The playbooks found in the ansible-playbook-lxd-testenv repo
have most of the common variables listed here directly within the playbooks in
an effort to make it easy to override default values.
This role makes a distinction between the Bootstrap and Configure phases and offers boolean flags to control whether tasks applicable to those phases are run within certain containers.
Bootstrap tasks perform the bare-minimum changes to LXD containers in order to run native Ansible modules against them (which includes basic fact gathering).
Configure tasks perform non-essential, but expected provisioning tasks that are normally applied when standing up a fresh system. Some examples:
These variables are intended to be set at the playbook or role level and not per Ansible "host" or LXD container.
| Variable | Default value | Purpose |
|---|---|---|
state |
create |
Flag with valid values of create or remove. Used to control whether a test environment will be created or removed/destroyed. |
lxd_host_create_profiles |
true |
Controls whether Ansible will attempt to create LXD profiles as part of the setup process. |
lxd_host_remove_profiles |
false |
Controls whether Ansible will attempt to remove custom LXD profiles as part of the teardown process. |
lxd_host_ssh_user_known_hosts_file |
$HOME/.ssh/known_hosts |
Host copy of file specific to user running playbook. Updated to reflect host keys of all containers. |
lxd_host_ssh_system_known_hosts_file |
/etc/ssh/known_hosts |
Host copy of file for all users. Updated to reflect host keys of all containers. |
lxd_host_ssh_client_user_config_file |
$HOME/.ssh/config |
Host copy of file specific to user running playbook. Entries force SSH/Ansible to disable recording and validation of container host keys. |
lxd_host_ssh_client_system_config_file |
/etc/ssh/ssh_config |
Host copy of file for all users. Entries force SSH/Ansible to disable recording and validation of container host keys. |
lxd_host_etc_hosts_file |
/etc/hosts |
This variable exists to allow targeting a hosts file in a non-standard location. |
lxd_host_update_user_known_hosts_file |
false |
Controls whether the lxd_host_ssh_user_known_hosts_file file (usually for the user running playbook) is populated with host keys of all containers. |
lxd_host_update_system_known_hosts_file |
false |
Controls whether the lxd_host_ssh_system_known_hosts_file file (system-wide file for all users) is populated with host keys of all containers. |
lxd_host_update_ssh_client_user_config_file |
false |
Controls whether the lxd_host_ssh_client_user_config_file file (usually for the user running playbook) is populated with host/ip entries which disable host key checks for matching hosts. |
lxd_host_update_ssh_client_system_config_file |
true |
Controls whether the lxd_host_ssh_client_system_config_file file (system-wide for all users) is populated with host/ip entries which disable host key checks for matching hosts. |
lxd_host_update_etc_hosts_file |
true |
Controls whether the lxd_host_etc_hosts_file file on the LXD container host is updated to include new container name/IP pairs |
lxd_host_stop_containers_before_removal |
false |
Controls whether an attempt should be made to stop containers before destroying them. Light testing indicates this is not a necessary step, but YMMV. |
lxd_host_ssh_private_key_for_containers |
$HOME/.ssh/id_ed25519 |
Generated if it does not exist. See notes for public key. |
lxd_host_ssh_public_key_for_containers |
$HOME/.ssh/id_ed25519.pub |
Inserted into root and ansible user profiles within each container. |
lxd_host_apt_install_socket_path |
/var/lib/lxd/unix.socket |
Default location of UNIX socket for APT-based installations. This socket is used for communication between LXD client and LXD daemon running on the local system. This role attempts to automatically identify which of the two LXD socket locations are valid and use it. If the lxd_host_https_api_url is set then HTTPS REST API access will be used instead of this UNIX socket. |
lxd_host_snap_install_socket_path |
/var/snap/lxd/common/lxd/unix.socket |
Default location of UNIX socket for snap-based installations. This socket is used for communication between LXD client and LXD daemon running on the local system. This role attempts to automatically identify which of the two LXD socket locations are valid and use it. If the lxd_host_https_api_url is set then HTTPS REST API access will be used instead of this UNIX socket. |
lxd_host_https_api_url |
empty string | HTTPS REST API URL used to connect to LXD daemon in order to manage container profiles and containers. If this value is set, this API access will be used instead of the local UNIX socket. |
lxd_host_https_api_trust_password |
empty string | If set, this password will be used by the lxd_* modules to setup a trust relationship (i.e., that the client certificate be added to the trusted cert store) with the LXD daemon. Only specify this password if you wish to use a TCP socket instead of UNIX socket. You will need to set this password on the LXD server first via lxc config set core.trust_password PASSWORD_HERE before using this role. See the Setting up a trust relationship links in this README for more information. |
lxd_host_client_cert_file_apt_install_path |
$HOME/.config/lxc/client.crt |
REQUIRED if using HTTPS REST API. Location of LXD client certificate file for APT-based installations. LXD v2.0 will automatically generate this the first time you use the lxc command (e.g., lxc list). Later versions require that you first add a remote, so run lxc remote add local-rest-api https://127.0.0.1:8443 to trigger cert generation. |
lxd_host_client_key_file_apt_install_path |
$HOME/.config/lxc/client.key |
REQUIRED if using HTTPS REST API. Location of LXD client certificate file for APT-based installations. LXD v2.0 will automatically generate this the first time you use the lxc command (e.g., lxc list). Later versions require that you first add a remote, so run lxc remote add local-rest-api https://127.0.0.1:8443 to trigger cert generation. |
lxd_host_client_cert_file_snap_install_path |
$HOME/snap/lxd/current/.config/lxc/client.crt |
REQUIRED if using HTTPS REST API. Location of LXD client certificate file for snap-based installations. LXD v2.0 will automatically generate this the first time you use the lxc command (e.g., lxc list). Later versions require that you first add a remote, so run lxc remote add local-rest-api https://127.0.0.1:8443 to trigger cert generation. |
lxd_host_client_key_file_snap_install_path |
$HOME/snap/lxd/current/.config/lxc/client.key |
REQUIRED if using HTTPS REST API. Location of LXD client certificate file for snap-based installations. LXD v2.0 will automatically generate this the first time you use the lxc command (e.g., lxc list). Later versions require that you first add a remote, so run lxc remote add local-rest-api https://127.0.0.1:8443 to trigger cert generation. |
lxd_host_remove_container_settings |
false |
Controls whether this role removes lxd_host_ssh_known_hosts_file and lxd_host_etc_hosts_file entries as part of teardown tasks. Usually, but not required to be performed along with container removal. Defaults to false |
lxd_host_remove_containers |
false |
Controls whether containers are removed as part of teardown process. Defaults to false. |
This role exposes both flags as options that can be set for one or all containers in order to provision containers in the desired state for further work. For example, you may wish to provision a fresh container with minimal changes in order to test basic configuration changes provided by another playbook or tool.
| Variable | Default value | Purpose |
|---|---|---|
lxd_containers_etc_hosts_file |
/etc/hosts |
This variable exists to allow targeting a hosts file in a non-standard location. |
lxd_containers_update_hosts_file |
false |
Controls whether lxd_containers_etc_hosts_file within containers are updated to include entries for all containers generated by this role. Since the LXD-provided dnsmasq instance bound to the bridge already handles name resolution, this option is not really needed and may be removed in a future role update. |
lxd_containers_source_alias |
ubuntu/xenial/amd64 |
Default human-friendly alias of container image to use when spinning up new containers for testing purposes. Should be overridden in a playbook, group_vars or host_vars. Most often this variable is initially overridden within a groups_vars file, then again within a host_vars file for a specific system. |
lxd_containers_source_server |
https://images.linuxcontainers.org | Server listed in the Ansible module examples. Used to fetch LXD container images for generating fresh containers. |
lxd_containers_source_fingerprint |
empty string | Fingerprint of image used to create one or more containers. When setting this variable, you should also explicitly set the lxd_containers_source_server in the same location (e.g., host_vars file) in order to ensure that the container image identified by the fingerprint value is pulled from the correct image server (i.e., "remote"). |
lxd_containers_source_protocol |
simplestreams |
Protocol used to retrieve images from image servers. Valid options are lxd or simplestreams. See output of lxc remote list to determine which protocol should be used for which server specified by lxd_containers_source_server. |
lxd_containers_source_mode |
pull |
Note: While configurable, this should not need to be changed. This is the mode of the operation used to retrieve images from an image server. |
lxd_containers_source_type |
image |
Note: While configurable, this should not need to be changed. Valid options include image, migration, copy or none. |
lxd_containers_create |
true |
Controls whether containers are generated when this role is run. TODO: Validation is needed to assert that this is not set at the same time as the flag for removing containers. |
lxd_containers_create_timeout |
600 |
A timeout for changing the state of the container. This is also used as a timeout for waiting until IPv4 addresses are set to the all network interfaces in the container after starting or restarting. |
lxd_containers_wait_for_ipv4_addresses |
true |
If this is true, the lxd_container waits until IPv4 addresses are set to the all network interfaces in the container after starting or restarting. |
lxd_containers_bootstrap |
true |
Controls whether Python, sudo and other REQUIRED packages (see lxd_containers_packages_required) are installed as part of preparing new containers for management by Ansible. |
lxd_containers_configure |
true |
Create service account, groups, enable SSH at boot, install extra packages (defined in lxd_containers_packages_extra). |
lxd_containers_packages_required |
openssh-server, sudo |
Packages installed as part of the bootstrap phase for new containers |
lxd_containers_packages_extra |
nano |
Packages installed as part of the configuration phase that are considered non-essential for the operation of this role, but extend functionality for other purposes. |
lxd_containers_package_installation_retry_attempts |
5 |
Number of retry attempts performed after initial package installation attempt fails. |
lxd_containers_package_installation_retry_delay |
5 |
Delay between package installation attempts. |
lxd_containers_profiles |
default |
LXD profiles applied to all new containers by default. |
lxd_containers_proxy_server |
empty string | If set, this value is set on containers at the time of creation to allow use of a proxy server. Intended either to permit containers restricted Internet access or to allow faster package retrieval via caching proxy. |
lxd_containers_docker_config_file_template |
docker-daemon-config.json.j2 |
Template file included with role used for setting Docker daemon storage driver. |
lxd_containers_docker_storage_driver |
vfs |
Docker storage drivers: overlay2 is incompatible with LXD LTS (2.0, 3.0), overlay is incompatible with ZFS backed LXD storage. vfs is slow, but compatible with both. Override this from a playbook (or other higher level Ansible variable source) if not using ZFS for better performance. |
lxd_containers_sudoers_include_file |
/etc/sudoers.d/ansible |
Location of sudoers include file used to grant service account full sudo privileges within new containers |
lxd_containers_service_account |
ansible |
Service account created within containers that is granted full sudo privileges. Often used by playbooks as a dedicated remote management account. |
lxd_containers_service_group |
ansible |
Service group that goes with the service account already noted here. |
lxd_containers_docker_main_config_file |
/etc/docker/daemon.json |
Path to Docker "daemon" configuration file. Role-provided template for this file configures the active storage driver used within new containers intended to test Docker workflows. |
lxd_containers_default_python_install_command |
see example below | Crude one-liner shell command to use appropriate package manager to install Python for Ansible use via a raw command. |
lxd_containers_python_path |
/usr/bin/python |
Location of Python interpreter used by Ansible on remote hosts (containers in our case). |
lxd_containers_add_proxy_to_etc_environment_file |
true |
Controls whether lxd_containers_environment_file is updated with http_proxy, https_proxy and ftp_proxy environment vars set to the value of lxd_containers_proxy_server. |
lxd_containers_environment_file |
/etc/environment |
If lxd_containers_add_proxy_to_etc_environment_file is enabled, then the standard http_proxy, https_proxy and ftp_proxy environment variables are set within this file. |
lxd_containers_sshd_service_name |
sshd |
The service name used to start/stop or enable/disable OpenSSH. CentOS 6, 7 refer to the service as sshd, while Ubuntu refers to it as ssh, though newer versions provide a symlink to sshd for compatibility with the CentOS service name. This should be overridden as needd to match older container OSes. |
Current shell command for the lxd_containers_default_python_install_command variable:
if [ -f /usr/bin/apt-get ]; then
apt-get install -y python python-apt;
fi
if [ -f /usr/bin/yum ]; then
yum install -y python;
fi
If not set elsewhere and if Python 2.x is not found on the system as
/usr/bin/python, the above command is used in an attempt to install Python 2
for further Ansible management steps.
An existing installation of LXD
packages and initial
configuration via sudo lxd init. The atc0005.lxd-host
role is intended to serve
that purpose in the future once it is ready.
See Requirements section for additional items.
WARNING: Review known Limitations before using this role.
- name: Configure base LXD host
hosts: localhost
# Rely on this setting to be specified in host_vars or group_vars files. If
# we lock in the 'local' option here then that rules out setting up any
# remote hosts as LXD hosts.
# connection: local
# Should be fine to gather facts for just the future LXD host
gather_facts: yes
tasks:
# Stub role for now. Later work will have it install required packages
# needed in order to configure host system for running LXD containers
- name: Apply lxd-host role to install LXD packages, perform initial setup
import_role:
name: atc0005.lxd-host
- name: Setup LXD test environment
hosts: all
# Rely on this setting to be specified in host_vars or group_vars files. If
# we lock in the 'local' option here then that rules out setting up any
# remote hosts as Docker hosts.
# connection: local
# This is handled by the earlier atc0005.lxd-host role play
gather_facts: no
tasks:
# Default role settings handle creation; we have to explicitly enable
# container/settings removal tasks
- name: Apply lxd-testenv role to create test environment
import_role:
name: atc0005.lxd-testenv
vars:
# Valid values: "create" and "remove"
state: "create"
# Note: Other values can be set here to override role defaults.
# See the README file for details.
WARNING: Review known Limitations before using this role.
- name: Tear down our LXD test environment
hosts: all
# Rely on this setting to be specified in host_vars or group_vars files. If
# we lock in the 'local' option here then that rules out connecting via SSH
# later, perhaps as a means of validating earlier playbook tasks.
# connection: local
# Fact gathering is not needed for container and settings removal
gather_facts: no
tasks:
- name: Apply lxd-testenv role
import_role:
name: atc0005.lxd-testenv
vars:
# Valid values: "create" and "remove"
state: "remove"
lxd_host_remove_container_settings: true
lxd_host_remove_containers: true
requirements.yml fileNote: This role is not yet available via Ansible Galaxy, so for now you will
need to install it via a requirements.yml file.
Note: The version numbers listed below are for illustration only. See the releases section of this site to determine the latest available version.
---
# This stub role is referenced by the lxd-testenv setup playbook,
# so we're using an early tag/release to satisfy those requirements
- name: "atc0005.lxd-host"
src: https://github.com/atc0005/ansible-role-lxd-host.git"
version: "v0.1-alpha"
- name: "atc0005.lxd-testenv"
src: https://github.com/atc0005/ansible-role-lxd-testenv.git"
version: "v1.1"
...
master branchExample requirements.yml file that uses the latest from the master branch:
---
# This stub role is referenced by the lxd-testenv setup playbook,
# so we're including that there to satisfy those requirements.
# Referencing the master branch for this role to match the same branch
# reference for the atc0005.lxd-testenv repo.
- name: "atc0005.lxd-host"
src: https://github.com/atc0005/ansible-role-lxd-host.git"
version: "master"
- name: "atc0005.lxd-testenv"
src: https://github.com/atc0005/ansible-role-lxd-testenv.git"
version: "master"
...
requirements.yml file to install roleansible-galaxy does not yet natively support updating existing
roles, the example installation instructions provided below include the
--force parameter to force pulling in the latest updates as directed by
the requirements.yml file.ansible-galaxy install -r requirements.yml --forceroles directory in the same location as your playbooksansible-galaxy install -r requirements.yml -p roles --forcesudo ansible-galaxy install -r requirements.yml --forceMIT
This role was created in 2019 by Adam Chalkley as part of building an on-demand development environment toolkit managed by Ansible.
https://docs.ansible.com/ansible/latest/modules/lxd_container_module.html
https://docs.ansible.com/ansible/latest/modules/lxd_profile_module.html
Setting up trust relationship between LXD client and LXD server