Ensure that sysctl can be applied on containers

Some sysctl can be applied to containers, so we add a test to prove our containers can do it. Change-Id: I40e2f0af00d6d763efcbb07306791d3cd3feff0d Fixes-Bug: #1685677
openstack · Aug 17, 2017 · bb76ea2 · bb76ea2
1 parent e88e41c
commit bb76ea2
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 0 deletions.
diff --git a/tasks/container_create.yml b/tasks/container_create.yml
@@ -502,6 +502,27 @@
   tags:
     - lxc_container_create-hostname
 
+- name: Ensure sysctl can be applied
+  template:
+    src: "sysctl-container.init.j2"
+    dest: "/etc/systemd/system/sysctl-container.service"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  remote_user: root
+  tags:
+    - lxc_container_create-sysctl
+
+- name: Enable container sysctl service
+  service:
+    name: "sysctl-container"
+    state: started
+    enabled: yes
+    daemon_reload: yes
+  remote_user: root
+  tags:
+    - lxc_container_create-sysctl
+
 - name: Allow the usage of local facts
   file:
     path: /etc/ansible/facts.d/

diff --git a/templates/sysctl-container.init.j2 b/templates/sysctl-container.init.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Apply Kernel Variables in Container
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=systemd-modules-load.service
+Before=sysinit.target shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/sysctl -p
+TimeoutSec=90s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/tests/test-containers-functional.yml b/tests/test-containers-functional.yml
@@ -93,3 +93,40 @@
       assert:
         that:
           - ping_external_address.rc == 0
+
+# TODO(evrardjp): Move this to testinfra
+- name: Apply a sysctl to test if it can be applied consistenty
+  hosts: container3
+  tasks:
+    - name: Allow consuming apps to bind on non local addresses
+      sysctl:
+        name: net.ipv4.ip_nonlocal_bind
+        value: 1
+        sysctl_set: yes
+        state: present
+
+- name: Bump the container state
+  hosts: localhost
+  user: root
+  become: true
+  tasks:
+    - name: Stop container
+      command: "lxc-stop -n container3"
+      changed_when: false
+    - name: Start container
+      command: "lxc-start -d -n container3"
+      changed_when: false
+
+- name: Check if the sysctl was well applied
+  hosts: container3
+  tasks:
+    - name: Check the sysctl is persistent
+      command: sysctl -n net.ipv4.ip_nonlocal_bind
+      register: nonlocalbind
+      changed_when: false
+    - debug:
+        var: nonlocalbind
+    - name: Verify the sysctl is set
+      assert:
+        that:
+          - "'1' in nonlocalbind.stdout"