Role - tripleo-container-manage

Role Documentation

Welcome to the “tripleo-container-manage” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “tripleo-container-manage” role.

# All variables intended for modification should place placed in this file.

# All variables within this role should have a prefix of "tripleo_container_manage"
tripleo_container_manage_cli: podman
tripleo_container_manage_concurrency: 1
tripleo_container_manage_config: /var/lib/tripleo-config/
tripleo_container_manage_config_id: tripleo
tripleo_container_manage_config_overrides: {}
tripleo_container_manage_config_patterns: hashed-*.json
tripleo_container_manage_debug: false
tripleo_container_manage_healthcheck_disabled: false
tripleo_container_manage_log_path: /var/log/containers/stdouts
tripleo_container_manage_systemd_order: false

Molecule Scenarios

Molecule is being used to test the “tripleo-container-manage” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: default

Driver: delegated
Molecule Options
managed: false
login_cmd_template: >-
  ssh
  -o UserKnownHostsFile=/dev/null
  -o StrictHostKeyChecking=no
  -o Compression=no
  -o TCPKeepAlive=yes
  -o VerifyHostKeyDNS=no
  -o ForwardX11=no
  -o ForwardAgent=no
  {instance}
ansible_connection_options:
  ansible_connection: ssh
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example default playbook
- name: Converge
  hosts: all
  gather_facts: false
  vars:
    tripleo_container_manage_config: /tmp/container-configs
    tripleo_container_manage_debug: true
    tripleo_container_manage_config_patterns: '*.json'
    tripleo_container_manage_systemd_order: true
  tasks:
  - include_role:
      name: tripleo-container-manage
  post_tasks:
  - name: Verify that Fedora container was created correctly
    become: true
    block:
    - name: Check for fedora container
      command: podman container exists fedora
    - name: Gather facts about fedora container
      podman_container_info:
        name: fedora
      register: fedora_infos
    - name: Assert that fedora container has the right image
      assert:
        that:
        - "'fedora:latest' in fedora_infos.containers.0.ImageName"
        fail_msg: fedora container has wrong image
        success_msg: fedora container has the right image
    - name: Check if tripleo_fedora systemd service is active
      command: systemctl is-active --quiet tripleo_fedora
      register: tripleo_fedora_active_result
    - name: Assert that tripleo_fedora systemd service is active
      assert:
        that:
        - tripleo_fedora_active_result.rc == 0
        fail_msg: tripleo_fedora systemd service is not active
        success_msg: tripleo_fedora systemd service is active
    - name: Check if tripleo_fedora systemd healthcheck service is active
      command: systemctl is-active --quiet tripleo_fedora_healthcheck.timer
      register: tripleo_fedora_healthcheck_active_result
    - name: Assert that tripleo_fedora systemd healthcheck service is active
      assert:
        that:
        - tripleo_fedora_healthcheck_active_result.rc == 0
        fail_msg: tripleo_fedora systemd healthcheck service is not active
        success_msg: tripleo_fedora systemd healthcheck service is active

Usage

Note that right now, only Podman is supported by this role. Docker support is in the roadmap though.

This Ansible role allows to do the following tasks:

  • Collect container configs data, generated by TripleO Heat Templates. This data is used as a source of truth on which configuration we expect to apply with this role. It means that if a container is already managed by this role, no matter its state now, the configs data will reconfigure the container if needed.

  • Manage systemd shutdown files. It takes care of cleaning up the Paunch services and files and create the TripleO Container systemd service, required for service ordering when it comes to shutdown or start a node. It also manages the netns-placeholder service.

  • Delete containers that aren’t needed anymore or that will need to be re-configured. It uses a custom filter, named needs_delete() which has a set of rules which allow to determine if whether or not the container needs to be deleted. These reasons will make the containers not deleted:

    • The container is not managed by tripleo_ansible.

    • The container config_id doesn’t match with the one in input.

    Once the previous conditions checked, then these reasons will make the containers deleted:

    • The container has no config_data.

    • The container has a config_data which doesn’t match the one in input.

    Note that when a container is removed, the role also disable and remove the systemd services and healtchecks if present.

  • Create containers in a specific order defined by start_order container config, where default is 0.

    • If the container is an exec, we’ll run a dedicated playbook for execs, using async so multiple execs can be run at the same time.

    • Otherwise, the podman_container is used, in async, to create the containers. If the container has a restart policy, we’ll configure the systemd service. If the container has a healthcheck script, we’ll configure the systemd healthcheck service.

    Note: tripleo_container_manage_concurrency parameter is set to 1 by default, and putting higher value than 2 can be expose issue with Podman locks.

    Here is an example of a playbook:

- name: Manage step_1 containers using tripleo-ansible
  block:
    - name: "Manage containers for step 1 with tripleo-ansible"
      include_role:
        name: tripleo-container-manage
      vars:
        tripleo_container_manage_systemd_order: true
        tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_1"
        tripleo_container_manage_config_id: "tripleo_step1"

Roles variables

Name

Default Value

Description

tripleo_container_manage_cli

podman

Container CLI

tripleo_container_manage_concurrency

1

Number of containers managed at same time

tripleo_container_manage_config

/var/lib/tripleo-config/

Container config path

tripleo_container_manage_config_id

tripleo

Config ID

tripleo_container_manage_config_patterns

hashed-*.json

Bash REGEX to find configs

tripleo_container_manage_debug

false

Debug toggle

tripleo_container_manage_healthcheck_disable

false

Allow to disable Healthchecks

tripleo_container_manage_log_path

/var/log/containers/stdouts

Containers stdouts path

tripleo_container_manage_systemd_order

false

Manage systemd shutdown ordering

tripleo_container_manage_config_overrides

{}

Allows to override any container configuration

Debug

The role allows you to perform specific actions on a given container. This can be used to:

  • Run a container with a specific one-off configuration.

  • Output the container commands that are run to to manage containers lifecycle.

  • Output the changes that would have been made on containers by Ansible.

Note

To manage a single container, you need to know 2 things:

  • At which step the container is deployed.

  • The name of the generated JSON file for container config.

Here is an example of a playbook to manage HAproxy container at step 1 which overrides the image setting in one-off.

- hosts: localhost
  become: true
  tasks:
    - name: Manage step_1 containers using tripleo-ansible
      block:
        - name: "Manage HAproxy container at step 1 with tripleo-ansible"
          include_role:
            name: tripleo-container-manage
          vars:
            tripleo_container_manage_systemd_order: true
            tripleo_container_manage_config_patterns: 'hashed-haproxy.json'
            tripleo_container_manage_config: "/var/lib/tripleo-config/container-startup-config/step_1"
            tripleo_container_manage_config_id: "tripleo_step1"
            tripleo_container_manage_config_overrides:
              haproxy:
                image: docker.io/tripleomaster/centos-binary-haproxy:hotfix

If Ansible is run in check mode, no container will be removed nor created, however at the end of the playbook a list of commands will be displayed to show what would have been run. This is useful for debug purposes, as it was something that one could do with paunch debug command.

$ ansible-playbook haproxy.yaml --check

Adding the diff mode will output the changes what would have been made on containers by Ansible.

$ ansible-playbook haproxy.yaml --check --diff

The tripleo_container_manage_config_overrides parameter is optional and can be used to override a specific container attribute like the image or the container user. The parameter takes a dictionary where each key is the container name and its parameters that we want to override. These parameters have to exist and are the ones that define the container configuration in TripleO Heat Templates. Note that it doesn’t write down the overrides in the JSON file so if an update / upgrade is executed, the container will be re-configured with the configuration that is in the JSON file.