Disable PrivateDevices for MemcacheD on CentOS 7

This patch adds the `memcached_disable_privatedevices` variable that
allows deployers to disable PrivateDevices in the systemd unit file.

This is a workaround to fix the systemd/LXC issues with bind
mounting an already bind mounted `/dev/ptmx` inside the LXC
container.

See Launchpad bug, lxc/lxc#1623, or systemd/systemd#6121 for more
details.

The is_metal variable is removed as it is unused.

Related-bug: 1697531
Change-Id: Id7c148bf901354a3dfc2f189ec659f2b92fc7985

defaults/main.yml

@@ -23,8 +23,21 @@ cache_timeout: 600
 # Options are 'present' and 'latest'
 memcached_package_state: "latest"
 
-# Defines that the role will be deployed on a host machine
-is_metal: true
+# MemcacheD sets 'PrivateDevices=True' for its systemd unit by default when
+# installed into a container. This provides some additional security, but it
+# causes problems with creating mount namespaces on CentOS 7 with systemd 219.
+# While the security enhancements are helpful on bare metal hosts with
+# multiple services running, they are not as helpful when MemcacheD is running
+# in a container with its own isolated namespaces.
+#
+# Related bugs:
+#   https://bugs.launchpad.net/openstack-ansible/+bug/1697531
+#   https://github.com/lxc/lxc/issues/1623
+#   https://github.com/systemd/systemd/issues/6121
+#
+# Setting the following variable to 'yes' will disable the PrivateDevices
+# setting in the systemd unit file for MemcacheD on CentOS 7 hosts.
+memcached_disable_privatedevices: no
 
 # The default memcache memory setting is to use .25 of the available system ram
 # as long as that value is < 8192. However you can set the `memcached_memory`

releasenotes/notes/centos-private-devices-issue-0088e6f8c70a601f.yaml

@@ -0,0 +1,21 @@
+---
+issues:
+  - |
+    MemcacheD sets `PrivateDevices=true` in its systemd unit file to
+    add extra security around mount namespaces. While this is useful
+    when running MemcacheD on a bare metal host with other services, it
+    is less useful when MemcacheD is already in a container with its own
+    namespaces. In addition, LXC 2.0.8 presents `/dev/ptmx` as a bind mount
+    within the container and systemd 219 (on CentOS 7) cannot make an
+    additional bind mount of `/dev/ptmx` when `PrivateDevices` is enabled.
+
+    Deployers can `memcached_disable_privatedevices` to `yes` to set
+    `PrivateDevices=false` in the systemd unit file for MariaDB on CentOS 7.
+    The default is `no`, which keeps the default systemd unit file settings
+    from the MemcacheD package.
+
+    For additional information, refer to the following bugs:
+
+    * https://bugs.launchpad.net/openstack-ansible/+bug/1697531
+    * https://github.com/lxc/lxc/issues/1623
+    * https://github.com/systemd/systemd/issues/6121

tasks/memcached_config.yml

@@ -60,6 +60,17 @@
   when:
     - ansible_service_mgr == 'systemd'
 
+# See comments above 'memcached_disable_privatedevices' in defaults/main.yml for
+# links to relevant bugs and discussion.
+- name: Remove PrivateDevices systemd options when in container
+  template:
+    src: without-privatedevices.conf.j2
+    dest: "/etc/systemd/system/memcached.service.d/without-privatedevices.conf"
+  when:
+    - ansible_pkg_mgr == 'yum'
+    - ansible_service_mgr == 'systemd'
+  notify: Restart memcached
+
 - name: Apply resource limits (systemd)
   template:
     src: "limits.conf.j2"

templates/without-privatedevices.conf.j2

@@ -0,0 +1,2 @@
+[Service]
+PrivateDevices={{ memcached_disable_privatedevices | bool | ternary('false', 'true') }}