diff --git a/defaults/main.yml b/defaults/main.yml index 98ec004..86555cf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -37,35 +37,8 @@ systemd_TasksAccounting: true # Sandboxing options systemd_PrivateTmp: false systemd_PrivateDevices: false -systemd_PrivateUsers: false - -# Systemd provides for the ability to start a given service in a network -# namespace. When `systemd_PrivateNetwork` is `true` a service will be -# started within a namepsace created using the name of the service unit. systemd_PrivateNetwork: false -# When `systemd_PrivateNetwork` is enabled, it may be desirable to add a -# specific link into the service namespace using the MACVLAN interface. -# The option `systemd_PrivateNetworkIsolated`, when set to `false`, will -# create a MACVLAN interface which binds to the host interface defined -# by the option `systemd_PrivateNetworkInterface`; uses the gateway -# interface by default. The MODE used by the MACVLAN interface can be -# changed using the option `systemd_PrivateNetworkMode`. -systemd_PrivateNetworkIsolated: true -systemd_PrivateNetworkInterface: "{{ ansible_default_ipv4['interface'] }}" -systemd_PrivateNetworkMode: bridge -# When `systemd_PrivateNetworkIsolated` is disabled, an interface is -# created on the host and within the service namespace. If this interface -# needs an IP address DHCP can be enabled which will, by default, send -# DHCP requests through the interface defined by the option -# `systemd_PrivateNetworkInterface`. -systemd_PrivateNetworkDHCP: false -# DHCP can be localized to only the physical host using option -# `systemd_PrivateNetworkLocalDHCP`. Setting this option to `true`, will -# create a networkd configuration for DHCPServer using the MACVLAN interface -# defined by `systemd_PrivateNetworkInterface`. The gateway set within the -# service namespace will be set using `systemd_PrivateNetworkLocalDHCPGateway`. -systemd_PrivateNetworkLocalDHCP: false -systemd_PrivateNetworkLocalDHCPGateway: "10.0.5.1/24" +systemd_PrivateUsers: false # Start service after a given target. This is here because we want to define common # after targets used on most services. This can be overridden or agumented using diff --git a/handlers/main.yml b/handlers/main.yml index b6cdfb0..495b029 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -26,9 +26,3 @@ - 'item is changed' tags: - systemd-service - -- name: systemd networkd restart - systemd: - name: "systemd-networkd" - state: restarted - enabled: true diff --git a/tasks/main.yml b/tasks/main.yml index 34fdcfd..cf01215 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -28,34 +28,6 @@ tags: - always -- name: Ensure networkd is available - block: - - name: Check for networkd - command: "which networkctl" - failed_when: false - changed_when: false - register: networkd_installed - - - name: Notify user - debug: - msg: >- - Local DHCP has been disabled because networkd was not installed or - is not part of the $PATH. - run_once: true - when: - - networkd_installed.rc != 0 - - - name: Disable local DHCP - set_fact: - systemd_PrivateNetworkLocalDHCP: false - when: - - networkd_installed.rc != 0 - when: - - systemd_PrivateNetwork | bool - - systemd_PrivateNetworkLocalDHCP | bool - tags: - - systemd-service - - name: Create TEMP run dir file: path: "/var/run/{{ item.service_name | replace(' ', '_') }}" @@ -92,45 +64,6 @@ tags: - systemd-service -- name: Create netns service entry - template: - src: "systemd-netns@.service.j2" - dest: "/etc/systemd/system/systemd-netns@.service" - mode: "0644" - owner: "root" - group: "root" - when: - - systemd_PrivateNetwork | bool - tags: - - systemd-service - -- name: Create netns-access service entry - template: - src: "systemd-netns-access@.service.j2" - dest: "/etc/systemd/system/systemd-netns-access@.service" - mode: "0644" - owner: "root" - group: "root" - when: - - systemd_PrivateNetwork | bool - tags: - - systemd-service - -- name: Create netns dhcp server - template: - src: "systemd-dhcp.network.j2" - dest: "/etc/systemd/network/systemd-mv-{{ systemd_PrivateNetworkInterface }}.network" - mode: "0644" - owner: "root" - group: "root" - when: - - systemd_PrivateNetwork | bool - - systemd_PrivateNetworkLocalDHCP | bool - notify: - - systemd networkd restart - tags: - - systemd-service - - name: Create tmpfiles.d entry template: src: "systemd-tmpfiles.j2" diff --git a/templates/systemd-dhcp.network.j2 b/templates/systemd-dhcp.network.j2 deleted file mode 100644 index f76f3fd..0000000 --- a/templates/systemd-dhcp.network.j2 +++ /dev/null @@ -1,20 +0,0 @@ -[Match] -Name=mv-{{ systemd_PrivateNetworkInterface }} - -[Network] -DHCPServer=true -Address={{ systemd_PrivateNetworkLocalDHCPGateway }} -{% if (systemd_version | int) >= 230 %} -IPMasquerade=true -IPForward=true -{% endif %} - -[DHCPServer] -PoolOffset=50 -PoolSize=200 -DefaultLeaseTimeSec=300s -{% if (systemd_version | int) >= 230 %} -EmitDNS=true -EmitNTP=true -EmitTimezone=true -{% endif %} diff --git a/templates/systemd-netns-access@.service.j2 b/templates/systemd-netns-access@.service.j2 deleted file mode 100644 index 6af8b1a..0000000 --- a/templates/systemd-netns-access@.service.j2 +++ /dev/null @@ -1,50 +0,0 @@ -[Unit] -Description=Named network namespace %I -Documentation=https://github.com/openstack/ansible-role-systemd_service -After=syslog.target -After=network.target -After=systemd-netns@%i.service -After=%i.service -{% if not (systemd_PrivateNetworkIsolated | bool) %} -BoundBy=systemd-netns@%i.service -{% endif %} - -[Service] -Type=oneshot -RemainAfterExit=true - -# Start process -ExecStart=/usr/bin/env ip netns exec %I ip link set lo up -ExecStart=-/usr/bin/env ip link add mv-{{ systemd_PrivateNetworkInterface }} link {{ systemd_PrivateNetworkInterface }} type macvlan mode {{ systemd_PrivateNetworkMode }} -ExecStart=-/usr/bin/env ip link set mv-{{ systemd_PrivateNetworkInterface }} up -ExecStart=/usr/bin/env sysctl -w net.ipv4.ip_forward=1 -{% if (systemd_PrivateNetworkLocalDHCP | bool) %} -{% if (systemd_version | int) <= 230 %} -ExecStart=-/usr/bin/env iptables -t nat -D POSTROUTING -s {{ systemd_PrivateNetworkLocalDHCPGateway}} -o {{ systemd_PrivateNetworkInterface }} -j MASQUERADE -ExecStart=/usr/bin/env iptables -t nat -A POSTROUTING -s {{ systemd_PrivateNetworkLocalDHCPGateway}} -o {{ systemd_PrivateNetworkInterface }} -j MASQUERADE -{% endif %} -ExecStartPre=-/usr/bin/env ip address add {{ systemd_PrivateNetworkLocalDHCPGateway }} dev mv-{{ systemd_PrivateNetworkInterface }} -{% endif %} -{% if not (systemd_PrivateNetworkIsolated | bool) %} -ExecStart=-/usr/bin/env ip link add mv-pivot link {{ systemd_PrivateNetworkInterface }} type macvlan mode {{ systemd_PrivateNetworkMode }} -ExecStart=/usr/bin/env ip link set mv-pivot netns %I name {{ systemd_PrivateNetworkInterface }} -ExecStart=/usr/bin/env ip netns exec %I ip link set dev {{ systemd_PrivateNetworkInterface }} up -{% if (systemd_PrivateNetworkDHCP | bool) %} -ExecStart=/usr/bin/env ip netns exec %I dhclient {{ systemd_PrivateNetworkInterface }} -v -{% endif %} -# Stop process -{% if (systemd_PrivateNetworkLocalDHCP | bool) %} -{% if (systemd_version | int) <= 230 %} -ExecStop=/usr/bin/env iptables -t nat -D POSTROUTING -s {{ systemd_PrivateNetworkLocalDHCPGateway}} -o {{ systemd_PrivateNetworkInterface }} -j MASQUERADE -{% endif %} -{% endif %} -{% if (systemd_PrivateNetworkLocalDHCP | bool) %} -{% if (systemd_version | int) <= 230 %} -ExecStop=/usr/bin/env iptables -t nat -D POSTROUTING -s {{ systemd_PrivateNetworkLocalDHCPGateway}} -o {{ systemd_PrivateNetworkInterface }} -j MASQUERADE -{% endif %} -{% endif %} -{% endif %} - -[Install] -WantedBy=multi-user.target -WantedBy=network-online.target diff --git a/templates/systemd-netns@.service.j2 b/templates/systemd-netns@.service.j2 deleted file mode 100644 index 0061a46..0000000 --- a/templates/systemd-netns@.service.j2 +++ /dev/null @@ -1,30 +0,0 @@ -[Unit] -Description=Named network namespace %I -Documentation=https://github.com/openstack/ansible-role-systemd_service -After=syslog.target -After=network.target -{% if not (systemd_PrivateNetworkIsolated | bool) %} -BindsTo=systemd-netns-access@%i.service -{% endif %} -JoinsNamespaceOf=systemd-netns@%i.service - - -[Service] -Type=oneshot -RemainAfterExit=true -PrivateNetwork=true - -# Start process -ExecStartPre=-/usr/bin/env ip netns delete %I -ExecStart=/usr/bin/env ip netns add %I -ExecStart=/usr/bin/env ip netns exec %I ip link set lo up -ExecStart=/usr/bin/env umount /var/run/netns/%I -ExecStart=/usr/bin/env mount --bind /proc/self/ns/net /var/run/netns/%I - -# Stop process -ExecStop=/usr/bin/env ip netns delete %I - - -[Install] -WantedBy=multi-user.target -WantedBy=network-online.target diff --git a/templates/systemd-service.j2 b/templates/systemd-service.j2 index 04eabe0..023577b 100644 --- a/templates/systemd-service.j2 +++ b/templates/systemd-service.j2 @@ -2,22 +2,10 @@ [Unit] Description={{ item.service_name }} service - -{% if (systemd_PrivateNetwork | bool) %} -BindsTo=systemd-netns@{{ item.service_name | replace(' ', '_') }}.service -JoinsNamespaceOf=systemd-netns@{{ item.service_name | replace(' ', '_') }}.service -{% if (item.after_targets is defined) %} -{% set _ = item.after_targets.append('systemd-netns@' + item.service_name | replace(' ', '_') + '.service') %} -{% else %} -{% set _ = systemd_after_targets.append('systemd-netns@' + item.service_name | replace(' ', '_') + '.service') %} -{% endif %} -{% endif %} - {% set after_targets = item.after_targets | default(systemd_after_targets) %} {% for target in after_targets %} After={{ target }} {% endfor %} - {% for item in systemd_unit_docs %} Documentation={{ item }} {% endfor %} diff --git a/tests/test.yml b/tests/test.yml index 661b50f..4b028fb 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -14,100 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Playbook for role testing - hosts: localhost - connection: local - user: root - become: true - roles: - - role: "systemd_service" - systemd_services: - - service_name: "test isolated service0" - execstarts: "/usr/bin/env python -m SimpleHTTPServer 8001" - enabled: yes - systemd_PrivateNetwork: yes - - post_tasks: - - name: Check Services - command: systemctl status "test_isolated_service0" - changed_when: false - tags: - - skip_ansible_lint - - - name: Check Services - shell: ip netns exec test_isolated_service0 ss -ntlp | grep python - changed_when: false - tags: - - skip_ansible_lint - - - name: Check isolated services - command: ip netns exec test_isolated_service0 ip -o link - changed_when: false - register: isolated_service0 - tags: - - skip_ansible_lint - - - name: Check negative service testing - fail: - msg: >- - Two links not found within the namespace: {{ isolated_service1.stdout_lines }} - when: - - (isolated_service0.stdout_lines | length) != 1 - - -- name: Playbook for role testing - hosts: localhost - connection: local - user: root - become: true - roles: - - role: "systemd_service" - systemd_services: - - service_name: "test isolated service1" - execstarts: "/usr/bin/env python -m SimpleHTTPServer 8001" - enabled: yes - systemd_PrivateNetwork: yes - systemd_PrivateNetworkIsolated: no - systemd_PrivateNetworkDHCP: yes - systemd_PrivateNetworkLocalDHCP: yes - when: - - (ansible_os_family | lower) != "redhat" - - post_tasks: - - name: Check Services - command: systemctl status "test_isolated_service1" - changed_when: false - when: - - (ansible_os_family | lower) != "redhat" - tags: - - skip_ansible_lint - - - name: Check Services - shell: ip netns exec test_isolated_service1 ss -ntlp | grep python - changed_when: false - when: - - (ansible_os_family | lower) != "redhat" - tags: - - skip_ansible_lint - - - name: Check isolated linked services - command: ip netns exec test_isolated_service1 ip -o link - changed_when: false - register: isolated_service1 - when: - - (ansible_os_family | lower) != "redhat" - tags: - - skip_ansible_lint - - - name: Check negative service testing - fail: - msg: >- - Two links not found within the namespace: {{ isolated_service1.stdout_lines }} - when: - - (ansible_os_family | lower) != "redhat" - - (isolated_service1.stdout_lines | length) != 2 - - - name: Playbook for role testing hosts: localhost connection: local