From 9924a05f97e77f58c62921655077930fb1fa3b96 Mon Sep 17 00:00:00 2001 From: Jonathan Rosser Date: Tue, 9 Jun 2020 13:44:54 +0100 Subject: [PATCH] Revert "Build out the PrivateNetwork function for services" This reverts commit 6285b6c6389134c53a5a98a0392b016a594bab16. There is no use made of this functionality anywhere outside the tests for this role, so revert the code. The intention is to reduce general overhead in systemd_service and reduce the number of skipped tasks in an OSA deployment. Conflicts: tests/test.yml Change-Id: I3d28967a64ea9d91219294bdc30d337c9c6d2e50 --- defaults/main.yml | 29 +------ handlers/main.yml | 6 -- tasks/main.yml | 67 --------------- templates/systemd-dhcp.network.j2 | 20 ----- templates/systemd-netns-access@.service.j2 | 50 ------------ templates/systemd-netns@.service.j2 | 30 ------- templates/systemd-service.j2 | 12 --- tests/test.yml | 94 ---------------------- 8 files changed, 1 insertion(+), 307 deletions(-) delete mode 100644 templates/systemd-dhcp.network.j2 delete mode 100644 templates/systemd-netns-access@.service.j2 delete mode 100644 templates/systemd-netns@.service.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 98ec004..86555cf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -37,35 +37,8 @@ systemd_TasksAccounting: true # Sandboxing options systemd_PrivateTmp: false systemd_PrivateDevices: false -systemd_PrivateUsers: false - -# Systemd provides for the ability to start a given service in a network -# namespace. When `systemd_PrivateNetwork` is `true` a service will be -# started within a namepsace created using the name of the service unit. systemd_PrivateNetwork: false -# When `systemd_PrivateNetwork` is enabled, it may be desirable to add a -# specific link into the service namespace using the MACVLAN interface. -# The option `systemd_PrivateNetworkIsolated`, when set to `false`, will -# create a MACVLAN interface which binds to the host interface defined -# by the option `systemd_PrivateNetworkInterface`; uses the gateway -# interface by default. The MODE used by the MACVLAN interface can be -# changed using the option `systemd_PrivateNetworkMode`. -systemd_PrivateNetworkIsolated: true -systemd_PrivateNetworkInterface: "{{ ansible_default_ipv4['interface'] }}" -systemd_PrivateNetworkMode: bridge -# When `systemd_PrivateNetworkIsolated` is disabled, an interface is -# created on the host and within the service namespace. If this interface -# needs an IP address DHCP can be enabled which will, by default, send -# DHCP requests through the interface defined by the option -# `systemd_PrivateNetworkInterface`. -systemd_PrivateNetworkDHCP: false -# DHCP can be localized to only the physical host using option -# `systemd_PrivateNetworkLocalDHCP`. Setting this option to `true`, will -# create a networkd configuration for DHCPServer using the MACVLAN interface -# defined by `systemd_PrivateNetworkInterface`. The gateway set within the -# service namespace will be set using `systemd_PrivateNetworkLocalDHCPGateway`. -systemd_PrivateNetworkLocalDHCP: false -systemd_PrivateNetworkLocalDHCPGateway: "10.0.5.1/24" +systemd_PrivateUsers: false # Start service after a given target. 
This is here because we want to define common # after targets used on most services. This can be overridden or agumented using diff --git a/handlers/main.yml b/handlers/main.yml index b6cdfb0..495b029 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -26,9 +26,3 @@ - 'item is changed' tags: - systemd-service - -- name: systemd networkd restart - systemd: - name: "systemd-networkd" - state: restarted - enabled: true diff --git a/tasks/main.yml b/tasks/main.yml index 34fdcfd..cf01215 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -28,34 +28,6 @@ tags: - always -- name: Ensure networkd is available - block: - - name: Check for networkd - command: "which networkctl" - failed_when: false - changed_when: false - register: networkd_installed - - - name: Notify user - debug: - msg: >- - Local DHCP has been disabled because networkd was not installed or - is not part of the $PATH. - run_once: true - when: - - networkd_installed.rc != 0 - - - name: Disable local DHCP - set_fact: - systemd_PrivateNetworkLocalDHCP: false - when: - - networkd_installed.rc != 0 - when: - - systemd_PrivateNetwork | bool - - systemd_PrivateNetworkLocalDHCP | bool - tags: - - systemd-service - - name: Create TEMP run dir file: path: "/var/run/{{ item.service_name | replace(' ', '_') }}" 
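Review bot: `systemd_PrivateNetwork: false` is kept in the sandboxing block while every line that explained it is removed, leaving the variable with no documentation at all; a single comment above it would do, e.g. `# Start the service in a private network namespace (systemd PrivateNetwork=); only loopback is available inside it.`. What the role now does with the value is not visible in this hunk — presumably it is still rendered into the unit — so the wording should be checked against the template before it is added, since the removed text described a named netns and MACVLAN links that no longer exist. The re-added `systemd_PrivateUsers: false` is likewise undocumented, as are the two sibling options above it, so a one-line comment per option in this block would be consistent. The trailing context comment of this hunk continues past the hunk boundary on the next physical line.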
@@ -92,45 +64,6 @@ tags: - systemd-service -- name: Create netns service entry - template: - src: "systemd-netns@.service.j2" - dest: "/etc/systemd/system/systemd-netns@.service" - mode: "0644" - owner: "root" - group: "root" - when: - - systemd_PrivateNetwork | bool - tags: - - systemd-service - -- name: Create netns-access service entry - template: - src: "systemd-netns-access@.service.j2" - dest: "/etc/systemd/system/systemd-netns-access@.service" - mode: "0644" - owner: "root" - group: "root" - when: - - systemd_PrivateNetwork | bool - tags: - - systemd-service - -- name: Create netns dhcp server - template: - src: "systemd-dhcp.network.j2" - dest: "/etc/systemd/network/systemd-mv-{{ systemd_PrivateNetworkInterface }}.network" - mode: "0644" - owner: "root" - group: "root" - when: - - systemd_PrivateNetwork | bool - - systemd_PrivateNetworkLocalDHCP | bool - notify: - - systemd networkd restart - tags: - - systemd-service - - name: Create tmpfiles.d entry template: src: "systemd-tmpfiles.j2" diff --git a/templates/systemd-dhcp.network.j2 b/templates/systemd-dhcp.network.j2 deleted file mode 100644 index f76f3fd..0000000 --- a/templates/systemd-dhcp.network.j2 +++ /dev/null @@ -1,20 +0,0 @@ -[Match] -Name=mv-{{ systemd_PrivateNetworkInterface }} - -[Network] -DHCPServer=true -Address={{ systemd_PrivateNetworkLocalDHCPGateway }} -{% if (systemd_version | int) >= 230 %} -IPMasquerade=true -IPForward=true -{% endif %} - -[DHCPServer] -PoolOffset=50 -PoolSize=200 -DefaultLeaseTimeSec=300s -{% if (systemd_version | int) >= 230 %} -EmitDNS=true -EmitNTP=true -EmitTimezone=true -{% endif %} diff --git a/templates/systemd-netns-access@.service.j2 b/templates/systemd-netns-access@.service.j2 deleted file mode 100644 index 6af8b1a..0000000 --- a/templates/systemd-netns-access@.service.j2 +++ /dev/null 
@@ -1,50 +0,0 @@
-[Unit]
-Description=Named network namespace %I
-Documentation=https://github.com/openstack/ansible-role-systemd_service
-After=syslog.target
-After=network.target
-After=systemd-netns@%i.service
-After=%i.service
-{% if not (systemd_PrivateNetworkIsolated | bool) %}
-BoundBy=systemd-netns@%i.service
-{% endif %}
-
-[Service]
-Type=oneshot
-RemainAfterExit=true
-
-# Start process
-ExecStart=/usr/bin/env ip netns exec %I ip link set lo up
-ExecStart=-/usr/bin/env ip link add mv-{{ systemd_PrivateNetworkInterface }} link {{ systemd_PrivateNetworkInterface }} type macvlan mode {{ systemd_PrivateNetworkMode }}
-ExecStart=-/usr/bin/env ip link set mv-{{ systemd_PrivateNetworkInterface }} up
-ExecStart=/usr/bin/env sysctl -w net.ipv4.ip_forward=1
-{% if (systemd_PrivateNetworkLocalDHCP | bool) %}
-{% if (systemd_version | int) <= 230 %}
-ExecStart=-/usr/bin/env iptables -t nat -D POSTROUTING -s {{ systemd_PrivateNetworkLocalDHCPGateway}} -o {{ systemd_PrivateNetworkInterface }} -j MASQUERADE
-ExecStart=/usr/bin/env iptables -t nat -A POSTROUTING -s {{ systemd_PrivateNetworkLocalDHCPGateway}} -o {{ systemd_PrivateNetworkInterface }} -j MASQUERADE
-{% endif %}
-ExecStartPre=-/usr/bin/env ip address add {{ systemd_PrivateNetworkLocalDHCPGateway }} dev mv-{{ systemd_PrivateNetworkInterface }}
-{% endif %}
-{% if not (systemd_PrivateNetworkIsolated | bool) %}
-ExecStart=-/usr/bin/env ip link add mv-pivot link {{ systemd_PrivateNetworkInterface }} type macvlan mode {{ systemd_PrivateNetworkMode }}
-ExecStart=/usr/bin/env ip link set mv-pivot netns %I name {{ systemd_PrivateNetworkInterface }}
-ExecStart=/usr/bin/env ip netns exec %I ip link set dev {{ systemd_PrivateNetworkInterface }} up
-{% if (systemd_PrivateNetworkDHCP | bool) %}
-ExecStart=/usr/bin/env ip netns exec %I dhclient {{ systemd_PrivateNetworkInterface }} -v
-{% endif %}
-# Stop process
-{% if (systemd_PrivateNetworkLocalDHCP | bool) %}
-{% if (systemd_version | int) <= 230 %}
-ExecStop=/usr/bin/env iptables -t nat -D POSTROUTING -s {{ systemd_PrivateNetworkLocalDHCPGateway}} -o {{ systemd_PrivateNetworkInterface }} -j MASQUERADE
-{% endif %}
-{% endif %}
-{% if (systemd_PrivateNetworkLocalDHCP | bool) %}
-{% if (systemd_version | int) <= 230 %}
-ExecStop=/usr/bin/env iptables -t nat -D POSTROUTING -s {{ systemd_PrivateNetworkLocalDHCPGateway}} -o {{ systemd_PrivateNetworkInterface }} -j MASQUERADE
-{% endif %}
-{% endif %}
-{% endif %}
-
-[Install]
-WantedBy=multi-user.target
-WantedBy=network-online.target
diff --git a/templates/systemd-netns@.service.j2 b/templates/systemd-netns@.service.j2
deleted file mode 100644
index 0061a46..0000000
--- a/templates/systemd-netns@.service.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-[Unit]
-Description=Named network namespace %I
-Documentation=https://github.com/openstack/ansible-role-systemd_service
-After=syslog.target
-After=network.target
-{% if not (systemd_PrivateNetworkIsolated | bool) %}
-BindsTo=systemd-netns-access@%i.service
-{% endif %}
-JoinsNamespaceOf=systemd-netns@%i.service
-
-
-[Service]
-Type=oneshot
-RemainAfterExit=true
-PrivateNetwork=true
-
-# Start process
-ExecStartPre=-/usr/bin/env ip netns delete %I
-ExecStart=/usr/bin/env ip netns add %I
-ExecStart=/usr/bin/env ip netns exec %I ip link set lo up
-ExecStart=/usr/bin/env umount /var/run/netns/%I
-ExecStart=/usr/bin/env mount --bind /proc/self/ns/net /var/run/netns/%I
-
-# Stop process
-ExecStop=/usr/bin/env ip netns delete %I
-
-
-[Install]
-WantedBy=multi-user.target
-WantedBy=network-online.target
diff --git a/templates/systemd-service.j2 b/templates/systemd-service.j2
index 04eabe0..023577b 100644
--- a/templates/systemd-service.j2
+++ b/templates/systemd-service.j2
@@ -2,22 +2,10 @@ [Unit] Description={{ item.service_name }} service - -{% if (systemd_PrivateNetwork | bool) %} -BindsTo=systemd-netns@{{ item.service_name | replace(' ', '_') }}.service -JoinsNamespaceOf=systemd-netns@{{ item.service_name | replace(' ', '_') }}.service -{% if (item.after_targets is defined) %} -{% set _ = item.after_targets.append('systemd-netns@' + item.service_name | replace(' ', '_') + '.service') %} -{% else %} -{% set _ = systemd_after_targets.append('systemd-netns@' + item.service_name | replace(' ', '_') + '.service') %} -{% endif %} -{% endif %} - {% set after_targets = item.after_targets | default(systemd_after_targets) %} {% for target in after_targets %} After={{ target }} {% endfor %} - {% for item in systemd_unit_docs %} Documentation={{ item }} {% endfor %} diff --git a/tests/test.yml b/tests/test.yml index 661b50f..4b028fb 100644 --- a/tests/test.yml +++ b/tests/test.yml 
@@ -14,100 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Playbook for role testing - hosts: localhost - connection: local - user: root - become: true - roles: - - role: "systemd_service" - systemd_services: - - service_name: "test isolated service0" - execstarts: "/usr/bin/env python -m SimpleHTTPServer 8001" - enabled: yes - systemd_PrivateNetwork: yes - - post_tasks: - - name: Check Services - command: systemctl status "test_isolated_service0" - changed_when: false - tags: - - skip_ansible_lint - - - name: Check Services - shell: ip netns exec test_isolated_service0 ss -ntlp | grep python - changed_when: false - tags: - - skip_ansible_lint - - - name: Check isolated services - command: ip netns exec test_isolated_service0 ip -o link - changed_when: false - register: isolated_service0 - tags: - - skip_ansible_lint - - - name: Check negative service testing - fail: - msg: >- - Two links not found within the namespace: {{ isolated_service1.stdout_lines }} - when: - - (isolated_service0.stdout_lines | length) != 1 - - -- name: Playbook for role testing - hosts: localhost - connection: local - user: root - become: true - roles: - - role: "systemd_service" - systemd_services: - - service_name: "test isolated service1" - execstarts: "/usr/bin/env python -m SimpleHTTPServer 8001" - enabled: yes - systemd_PrivateNetwork: yes - systemd_PrivateNetworkIsolated: no - systemd_PrivateNetworkDHCP: yes - systemd_PrivateNetworkLocalDHCP: yes - when: - - (ansible_os_family | lower) != "redhat" - - post_tasks: - - name: Check Services - command: systemctl status "test_isolated_service1" - changed_when: false - when: - - (ansible_os_family | lower) != "redhat" - tags: - - skip_ansible_lint - - - name: Check Services - shell: ip netns exec test_isolated_service1 ss -ntlp | grep python - changed_when: false - when: - - (ansible_os_family | lower) != "redhat" - tags: - - skip_ansible_lint - - - name: Check 
isolated linked services - command: ip netns exec test_isolated_service1 ip -o link - changed_when: false - register: isolated_service1 - when: - - (ansible_os_family | lower) != "redhat" - tags: - - skip_ansible_lint - - - name: Check negative service testing - fail: - msg: >- - Two links not found within the namespace: {{ isolated_service1.stdout_lines }} - when: - - (ansible_os_family | lower) != "redhat" - - (isolated_service1.stdout_lines | length) != 2 - - - name: Playbook for role testing hosts: localhost connection: local