Role - tripleo_container_manage
Role Documentation
Welcome to the “tripleo_container_manage” role documentation.
Role Defaults
This section highlights all of the defaults and variables set within the “tripleo_container_manage” role.
# All variables intended for modification should be placed in this file.
tripleo_container_manage_hide_sensitive_logs: '{{ hide_sensitive_logs | default(true) }}'
tripleo_container_manage_debug: '{{ ((ansible_verbosity | int) >= 2) | bool }}'
tripleo_container_manage_clean_orphans: true
# All variables within this role should have a prefix of "tripleo_container_manage"
tripleo_container_manage_check_puppet_config: false
tripleo_container_manage_cli: podman
tripleo_container_manage_concurrency: 1
tripleo_container_manage_config: /var/lib/tripleo-config/
tripleo_container_manage_config_id: tripleo
tripleo_container_manage_config_overrides: {}
tripleo_container_manage_config_patterns: '*.json'
# Some containers where Puppet is run, can take up to 10 minutes to finish
# in slow environments.
tripleo_container_manage_create_retries: 120
# Default delay is 5s so 120 retries makes a timeout of 10 minutes which is
# what we have observed a necessary value for nova and neutron db-sync execs.
tripleo_container_manage_exec_retries: 120
tripleo_container_manage_healthcheck_disabled: false
tripleo_container_manage_log_path: /var/log/containers/stdouts
tripleo_container_manage_systemd_order: false
tripleo_container_manage_systemd_teardown: true
tripleo_container_manage_valid_exit_code: []
Molecule Scenarios
Molecule is being used to test the “tripleo_container_manage” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.
Scenario: default
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
        ansible_connection: local
        ansible_distribution: centos9
Example default playbook
- name: Create fedora container from /tmp/container-configs with old healthcheck
  become: true
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_healthcheck_disabled: true
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: fedora.json
    tripleo_container_manage_systemd_order: true
  tasks:
    - include_role:
        name: tripleo_container_manage
  post_tasks:
    - name: Verify that Fedora container was created correctly and manually create old
        healthcheck for migration testing
      when:
        - not ansible_check_mode|bool
      block:
        # Reproduce what was done before to create and enable healthchecks
        - name: Enable and start systemd timers
          systemd:
            state: started
            name: tripleo_fedora_healthcheck.timer
            enabled: true
            daemon_reload: false
        - name: Add systemd requires for healthchecks
          command: systemctl add-requires tripleo_fedora.service tripleo_fedora_healthcheck.timer
        # Check that migration is ready to be tested
        - name: Check for fedora container
          command: podman container exists fedora
        - name: Check if tripleo_fedora systemd healthcheck service is active
          command: systemctl is-active --quiet tripleo_fedora_healthcheck.timer
          register: tripleo_fedora_healthcheck_active_result
        - name: Assert that tripleo_fedora systemd healthcheck service is active
          assert:
            that:
              - tripleo_fedora_healthcheck_active_result.rc == 0
            fail_msg: tripleo_fedora systemd healthcheck service is not active
            success_msg: tripleo_fedora systemd healthcheck service is active
- name: Create all containers from /tmp/container-configs
  become: true
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: '*.json'
    tripleo_container_manage_systemd_order: true
    tripleo_container_manage_valid_exit_code: [0]
  tasks:
    - include_role:
        name: tripleo_container_manage
  post_tasks:
    - name: Verify that Fedora container was created correctly
      when:
        - not ansible_check_mode|bool
      block:
        - name: Check for fedora container
          command: podman container exists fedora
        - name: Gather facts about fedora container
          containers.podman.podman_container_info:
            name: fedora
          register: fedora_infos
        - name: Assert that fedora container has the right image
          assert:
            that:
              - "'fedora:latest' in fedora_infos.containers.0.ImageName"
            fail_msg: fedora container has wrong image
            success_msg: fedora container has the right image
        - name: Check if tripleo_fedora systemd service is active
          command: systemctl is-active --quiet tripleo_fedora
          register: tripleo_fedora_active_result
        - name: Assert that tripleo_fedora systemd service is active
          assert:
            that:
              - tripleo_fedora_active_result.rc == 0
            fail_msg: tripleo_fedora systemd service is not active
            success_msg: tripleo_fedora systemd service is active
        - name: Check if tripleo_fedora healthcheck is active and healthy
          assert:
            that:
              - "'healthy' in fedora_infos.containers.0.State.Healthcheck.Status"
            fail_msg: fedora container healthcheck is not healthy
            success_msg: fedora container healthcheck is healthy
        - name: Verify that Fedora systemd healthcheck container was removed correctly
          command: systemctl is-active --quiet tripleo_fedora_healthcheck.timer
          register: tripleo_fedora_healthcheck_active_result
          failed_when:
            - tripleo_fedora_healthcheck_active_result.rc == 0
    - name: Verify that Fedora bis container was created correctly
      block:
        - name: Check for fedora_bis container
          command: podman container exists fedora_bis
        - name: Gather facts about fedora_bis container
          containers.podman.podman_container_info:
            name: fedora_bis
          register: fedora_bis_infos
        - name: Assert that fedora_bis container has the right image
          assert:
            that:
              - "'fedora:latest' in fedora_bis_infos.containers.0.ImageName"
            fail_msg: fedora_bis container has wrong image
            success_msg: fedora_bis container has the right image
    - name: Verify that Fedora three container was created correctly
      block:
        - name: Check for fedora_three container
          command: podman container exists fedora_three
        - name: Gather facts about fedora_three container
          containers.podman.podman_container_info:
            name: fedora_three
          register: fedora_three_infos
        - name: Assert that fedora_three container has the right image
          assert:
            that:
              - "'fedora:latest' in fedora_three_infos.containers.0.ImageName"
            fail_msg: fedora_three container has wrong image
            success_msg: fedora_three container has the right image
- name: Test idempotency on fedora container
  become: true
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: '*.json'
    tripleo_container_manage_systemd_order: true
  tasks:
    - name: Gather facts about fedora container before new run
      containers.podman.podman_container_info:
        name: fedora
      register: fedora_infos_old
      when:
        - not ansible_check_mode|bool
    - include_role:
        name: tripleo_container_manage
    - name: Gather facts about fedora container after new run
      containers.podman.podman_container_info:
        name: fedora
      register: fedora_infos_new
      when:
        - not ansible_check_mode|bool
  post_tasks:
    - name: Assert that fedora container has not been re-created
      assert:
        that:
          - fedora_infos_new['containers'][0]['Id'] == fedora_infos_old['containers'][0]['Id']
        fail_msg: fedora container was wrongly re-created
        success_msg: fedora container was not re-created
      when:
        - not ansible_check_mode|bool
- name: Test systemd state on fedora container after a manual stop
  become: true
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: '*.json'
    tripleo_container_manage_systemd_order: true
  tasks:
    - name: Stop systemd service for tripleo_fedora in a manual stop
      systemd:
        name: tripleo_fedora.service
        state: stopped
        enabled: false
        daemon_reload: true
      # https://github.com/ansible/ansible/pull/68136
      ignore_errors: '{{ ansible_check_mode }}'
    - include_role:
        name: tripleo_container_manage
  post_tasks:
    - name: Check if tripleo_fedora systemd service is active after a manual stop
      command: systemctl is-active --quiet tripleo_fedora
      register: tripleo_fedora_active_result
    - name: Assert that tripleo_fedora systemd service is active after a manual stop
      when:
        - not ansible_check_mode|bool
      assert:
        that:
          - tripleo_fedora_active_result.rc == 0
        fail_msg: tripleo_fedora systemd service is not active after a manual stop
        success_msg: tripleo_fedora systemd service is active after a manual stop
- name: Manage only one container
  become: true
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: fedora.json
    tripleo_container_manage_clean_orphans: false
    tripleo_container_manage_config_overrides:
      fedora:
        image: fedora:rawhide
  tasks:
    - include_role:
        name: tripleo_container_manage
  post_tasks:
    - name: Verify that all containers still exist
      when:
        - not ansible_check_mode|bool
      block:
        - name: Check for fedora container
          command: podman container exists fedora
        - name: Gather facts about fedora container
          containers.podman.podman_container_info:
            name: fedora
          register: fedora_infos
        - name: Assert that fedora container has the right image
          assert:
            that:
              - "'fedora:rawhide' in fedora_infos.containers.0.ImageName"
            fail_msg: fedora container has wrong image {{ fedora_infos.containers }}
            success_msg: fedora container has the right image
        - name: Check if tripleo_fedora systemd service is active
          command: systemctl is-active --quiet tripleo_fedora
          register: tripleo_fedora_active_result
        - name: Assert that tripleo_fedora systemd service is active
          assert:
            that:
              - tripleo_fedora_active_result.rc == 0
            fail_msg: tripleo_fedora systemd service is not active
            success_msg: tripleo_fedora systemd service is active
        - name: Check if tripleo_fedora healthcheck is active and healthy
          assert:
            that:
              - "'healthy' in fedora_infos.containers.0.State.Healthcheck.Status"
            fail_msg: fedora container healthcheck is not healthy
            success_msg: fedora container healthcheck is healthy
        - name: Check for fedora_bis container
          command: podman container exists fedora_bis
        - name: Check for fedora_three container
          command: podman container exists fedora_three
- name: Manage a wrong container (user error)
  become: true
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: feduraaa.json
    tripleo_container_manage_clean_orphans: false
  tasks:
    - include_role:
        name: tripleo_container_manage
  post_tasks:
    - name: Verify that all containers still exist
      when:
        - not ansible_check_mode|bool
      block:
        - name: Check for fedora container
          command: podman container exists fedora
        - name: Gather facts about fedora container
          containers.podman.podman_container_info:
            name: fedora
          register: fedora_infos
        - name: Check if tripleo_fedora systemd service is active
          command: systemctl is-active --quiet tripleo_fedora
          register: tripleo_fedora_active_result
        - name: Assert that tripleo_fedora systemd service is active
          assert:
            that:
              - tripleo_fedora_active_result.rc == 0
            fail_msg: tripleo_fedora systemd service is not active
            success_msg: tripleo_fedora systemd service is active
        - name: Check if tripleo_fedora healthcheck is active and healthy
          assert:
            that:
              - "'healthy' in fedora_infos.containers.0.State.Healthcheck.Status"
            fail_msg: fedora container healthcheck is not healthy
            success_msg: fedora container healthcheck is healthy
        - name: Check for fedora_bis container
          command: podman container exists fedora_bis
        - name: Check for fedora_three container
          command: podman container exists fedora_three
- name: Test a container removal
  become: true
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: fedora_*.json
    tripleo_container_manage_systemd_order: true
  tasks:
    - name: Remove fedora container config
      file:
        path: /tmp/container-configs/fedora.json
        state: absent
    - include_role:
        name: tripleo_container_manage
  post_tasks:
    - name: Verify that all containers still exist
      when:
        - not ansible_check_mode|bool
      block:
        - name: Check that fedora container was removed
          command: podman container exists fedora
          register: container_exist
          failed_when: container_exist.rc == 0
        - name: Check if tripleo_fedora systemd service is still active
          command: systemctl is-active --quiet tripleo_fedora
          register: tripleo_fedora_active_result
          failed_when: tripleo_fedora_active_result.rc == 0
        - name: Check for fedora_bis container
          command: podman container exists fedora_bis
        - name: Check for fedora_three container
          command: podman container exists fedora_three
- name: Test a container update
  become: true
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: fedora_*.json
    tripleo_container_manage_systemd_order: true
  tasks:
    - name: Modify the fedora_bis container config
      copy:
        content: |
          {
            "image": "fedora:rawhide",
            "net": "host",
            "command": "sleep 10"
          }
        dest: /tmp/container-configs/fedora_bis.json
    - include_role:
        name: tripleo_container_manage
  post_tasks:
    - name: Verify that Fedora bis container was re-created correctly
      when:
        - not ansible_check_mode|bool
      block:
        - name: Check for fedora_bis container
          command: podman container exists fedora_bis
        - name: Gather facts about fedora_bis container
          containers.podman.podman_container_info:
            name: fedora_bis
          register: fedora_bis_infos
        - name: Assert that fedora_bis container has the right image
          assert:
            that:
              - "'fedora:rawhide' in fedora_bis_infos.containers.0.ImageName"
            fail_msg: fedora_bis container has wrong image
            success_msg: fedora_bis container has the right image
    - name: Check for fedora_three container
      command: podman container exists fedora_three
      when:
        - not ansible_check_mode|bool
- name: Test a container config override
  become: true
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: fedora_*.json
    tripleo_container_manage_systemd_order: true
    tripleo_container_manage_config_overrides:
      fedora_bis:
        image: fedora:latest
  tasks:
    - include_role:
        name: tripleo_container_manage
  post_tasks:
    - name: Verify that Fedora bis container was re-created correctly
      when:
        - not ansible_check_mode|bool
      block:
        - name: Check for fedora_bis container
          command: podman container exists fedora_bis
        - name: Gather facts about fedora_bis container
          containers.podman.podman_container_info:
            name: fedora_bis
          register: fedora_bis_infos
        - name: Assert that fedora_bis container has the right image
          assert:
            that:
              - "'fedora:latest' in fedora_bis_infos.containers.0.ImageName"
            fail_msg: fedora_bis container has wrong image
            success_msg: fedora_bis container has the right image
    - name: Check for fedora_three container
      command: podman container exists fedora_three
      when:
        - not ansible_check_mode|bool
Usage
Note that right now, only Podman is supported by this role. Docker support is in the roadmap though.
This Ansible role performs the following tasks:

1. Collect container configs data, generated by TripleO Heat Templates. This data is used as the source of truth for the configuration we expect to apply with this role. It means that if a container is already managed by this role, no matter its current state, the configs data will reconfigure the container if needed.
2. Manage systemd shutdown files. It takes care of cleaning up the Paunch services and files and creates the TripleO Container systemd service, required for service ordering when shutting down or starting a node. It also manages the netns-placeholder service.
3. Delete containers that aren’t needed anymore or that will need to be re-configured. It uses a custom filter named needs_delete(), which has a set of rules to determine whether or not the container needs to be deleted. These reasons will keep a container from being deleted:
   - The container is not managed by tripleo_ansible.
   - The container config_id doesn’t match the one in input.

   Once the previous conditions are checked, these reasons will cause a container to be deleted:
   - The container has no config_data.
   - The container has a config_data which doesn’t match the one in input.

   Note that when a container is removed, the role also disables and removes the systemd services and healthchecks if present.
4. Create containers in a specific order defined by the start_order container config, where the default is 0.
   - If the container is an exec, we’ll run a dedicated playbook for execs, using async so multiple execs can be run at the same time.
   - Otherwise, the podman_container is used, in async, to create the containers. If the container has a restart policy, we’ll configure the systemd service. If the container has a healthcheck script, we’ll configure the systemd healthcheck service.

Note: the tripleo_container_manage_concurrency parameter is set to 1 by default, and setting a value higher than 2 can expose issues with Podman locks.

If a container is meant to exit after running a script (defined in EntryPoint), we can check its return code and fail if the code isn’t expected. This is done with tripleo_container_manage_valid_exit_code. If it is set to a list of integers, the role will wait for the container to exit and then check the return code.
Here is an example of a playbook:
- name: Manage step_1 containers using tripleo-ansible
  block:
    - name: "Manage containers for step 1 with tripleo-ansible"
      include_role:
        name: tripleo_container_manage
      vars:
        tripleo_container_manage_systemd_order: true
        tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_1"
        tripleo_container_manage_config_id: "tripleo_step1"
Roles variables
Name | Default Value | Description |
---|---|---|
tripleo_container_manage_cli | podman | Container CLI |
tripleo_container_manage_concurrency | 1 | Number of containers managed at the same time |
tripleo_container_manage_config | /var/lib/tripleo-config/ | Container config path |
tripleo_container_manage_config_id | tripleo | Config ID |
tripleo_container_manage_config_patterns | *.json | Bash REGEX to find configs |
tripleo_container_manage_debug | false | Debug toggle |
tripleo_container_manage_healthcheck_disabled | false | Allows disabling healthchecks |
tripleo_container_manage_log_path | /var/log/containers/stdouts | Containers stdouts path |
tripleo_container_manage_systemd_order | false | Manage systemd shutdown ordering |
tripleo_container_manage_config_overrides | {} | Allows overriding any container configuration |
tripleo_container_manage_clean_orphans | true | Option to clean orphans |
tripleo_container_manage_valid_exit_code | [] | Allows checking whether a container returned one of the exit codes given in the parameter. Must be a list, e.g. [0,3] |
Healthchecks
Previously, the container healthcheck was implemented by a systemd timer which would run podman exec to determine if a given container was healthy.
We are now using the native healthcheck interface in Podman, which is easier to integrate with and consume.
To check if a container (e.g. keystone) is healthy, run the following command:
$ sudo podman healthcheck run keystone
The return code should be 0 and “healthy” should be printed as the output.
One can also use the podman inspect keystone output to figure out that the healthcheck is periodically running and healthy:
"Healthcheck": {
    "Status": "healthy",
    "FailingStreak": 0,
    "Log": [
        {
            "Start": "2020-04-14T18:48:57.272180578Z",
            "End": "2020-04-14T18:48:57.806659104Z",
            "ExitCode": 0,
            "Output": ""
        },
        (...)
    ]
}
Debug
The role allows you to perform specific actions on a given container. This can be used to:
- Run a container with a specific one-off configuration.
- Output the container commands that are run to manage containers lifecycle.
- Output the changes that would have been made on containers by Ansible.

Note
To manage a single container, you need to know 2 things:
- At which step the container is deployed.
- The name of the generated JSON file for container config.

Here is an example of a playbook to manage the HAproxy container at step 1, which overrides the image setting as a one-off.
- hosts: localhost
  become: true
  tasks:
    - name: Manage step_1 containers using tripleo-ansible
      block:
        - name: "Manage HAproxy container at step 1 with tripleo-ansible"
          include_role:
            name: tripleo_container_manage
          vars:
            tripleo_container_manage_systemd_order: true
            tripleo_container_manage_config_patterns: 'haproxy.json'
            tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_1"
            tripleo_container_manage_config_id: "tripleo_step1"
            tripleo_container_manage_clean_orphans: false
            tripleo_container_manage_config_overrides:
              haproxy:
                image: docker.io/tripleomaster/centos-binary-haproxy:hotfix
If Ansible is run in check mode, no container will be removed or created; however, at the end of the playbook a list of commands will be displayed to show what would have been run. This is useful for debug purposes, as it was something that one could do with the paunch debug command.
$ ansible-playbook haproxy.yaml --check
Adding the diff mode will output the changes that would have been made on containers by Ansible.
$ ansible-playbook haproxy.yaml --check --diff
The tripleo_container_manage_clean_orphans parameter is optional and can be set to false to not clean orphaned containers for a config_id. It can be used to manage a single container without impacting other running containers with the same config_id.
The tripleo_container_manage_config_overrides parameter is optional and can be used to override a specific container attribute like the image or the container user. The parameter takes a dictionary where each key is a container name and each value holds the parameters that we want to override. These parameters have to exist and are the ones that define the container configuration in TripleO Heat Templates. Note that it doesn’t write down the overrides in the JSON file, so if an update / upgrade is executed, the container will be re-configured with the configuration that is in the JSON file.
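The deletion rules listed under Usage, and how tripleo_container_manage_clean_orphans and tripleo_container_manage_config_overrides interact with them, modelled in Python as an added example (this is not the role's own needs_delete() filter). The record layout, the label names and the helpers apply_overrides(), containers_to_delete() and container() are assumptions made for illustration.

```python
import copy

MANAGED_BY = "tripleo_ansible"  # assumed value of a "managed_by" label


def apply_overrides(configs, overrides):
    """Merge per-container overrides into a copy of the loaded JSON configs.

    Nothing is written back to disk, so an override lasts for one run only.
    """
    merged = copy.deepcopy(configs)
    for name, params in overrides.items():
        if name in merged:
            merged[name].update(params)
    return merged


def containers_to_delete(containers, configs, config_id, clean_orphans=True):
    """Return the names of containers that the documented rules would delete."""
    to_delete = []
    for c in containers:
        labels = c.get("labels") or {}
        # The protective rules are evaluated first.
        if labels.get("managed_by") != MANAGED_BY:
            continue  # not managed by tripleo_ansible
        if labels.get("config_id") != config_id:
            continue  # belongs to another config_id
        wanted = configs.get(c["name"])
        if wanted is None:
            # Orphan: carries this config_id but has no config in the input.
            if clean_orphans:
                to_delete.append(c["name"])
            continue
        current = labels.get("config_data")
        if current is None or current != wanted:
            to_delete.append(c["name"])  # missing or outdated config_data
    return to_delete


def container(name, image, managed_by=MANAGED_BY, config_id="tripleo"):
    """Build one constructed container record for the sample below."""
    labels = {"managed_by": managed_by, "config_id": config_id}
    if image is not None:
        labels["config_data"] = {"image": image}
    return {"name": name, "labels": labels}


# Constructed sample state, named after the containers in the Molecule scenario.
RUNNING = [
    container("fedora", "fedora:latest"),
    container("fedora_bis", "fedora:latest"),
    container("fedora_three", "fedora:latest"),
    container("registry", "registry:2", managed_by="admin"),
    container("other_step", "fedora:latest", config_id="tripleo_step1"),
]
# Only fedora.json matched the pattern, as in the single-container plays.
ON_DISK = {"fedora": {"image": "fedora:latest"}}
ONE_OFF = apply_overrides(ON_DISK, {"fedora": {"image": "fedora:rawhide"}})

if __name__ == "__main__":
    print(containers_to_delete(RUNNING, ONE_OFF, "tripleo", clean_orphans=False))
    print(containers_to_delete(RUNNING, ONE_OFF, "tripleo", clean_orphans=True))
    print(ON_DISK)  # unchanged: the override never reaches the JSON config
```

With clean_orphans left at its default while only fedora.json is matched, fedora_bis and fedora_three count as orphans and are removed, which is why the single-container playbooks set it to false.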