D7net
Home
Console
Upload
information
Create File
Create Folder
About
Tools
:
/
opt
/
saltstack
/
salt
/
lib
/
python3.10
/
site-packages
/
salt
/
modules
/
Filename :
lxc.py
back
Copy
""" Control Linux Containers via Salt :depends: lxc package for distribution lxc >= 1.0 (even beta alpha) is required """ import copy import datetime import difflib import logging import os import random import re import shlex import shutil import string import tempfile import textwrap import time import urllib.parse import salt.config import salt.utils.args import salt.utils.cloud import salt.utils.data import salt.utils.dictupdate import salt.utils.files import salt.utils.functools import salt.utils.hashutils import salt.utils.network import salt.utils.odict import salt.utils.path import salt.utils.stringutils from salt.exceptions import CommandExecutionError, SaltInvocationError from salt.utils.versions import Version # Set up logging log = logging.getLogger(__name__) # Don't shadow built-in's. __func_alias__ = {"list_": "list", "ls_": "ls"} __virtualname__ = "lxc" DEFAULT_NIC = "eth0" DEFAULT_BR = "br0" SEED_MARKER = "/lxc.initial_seed" EXEC_DRIVER = "lxc-attach" DEFAULT_PATH = "/var/lib/lxc" _marker = object() def __virtual__(): if salt.utils.path.which("lxc-start"): return __virtualname__ # To speed up the whole thing, we decided to not use the # subshell way and assume things are in place for lxc # Discussion made by @kiorky and @thatch45 # lxc-version presence is not sufficient, in lxc1.0 alpha # (precise backports), we have it and it is sufficient # for the module to execute. # elif salt.utils.path.which('lxc-version'): # passed = False # try: # passed = subprocess.check_output( # 'lxc-version').split(':')[1].strip() >= '1.0' # except Exception: # pylint: disable=broad-except # pass # if not passed: # log.warning('Support for lxc < 1.0 may be incomplete.') # return 'lxc' # return False # return ( False, "The lxc execution module cannot be loaded: the lxc-start binary is not in the" " path.", ) def get_root_path(path): """ Get the configured lxc root for containers .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.get_root_path """ if not path: path = __opts__.get("lxc.root_path", DEFAULT_PATH) return path def version(): """ Return the actual lxc client version .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.version """ k = "lxc.version" if not __context__.get(k, None): cversion = __salt__["cmd.run_all"]("lxc-info --version") if not cversion["retcode"]: ver = Version(cversion["stdout"]) if ver < Version("1.0"): raise CommandExecutionError("LXC should be at least 1.0") __context__[k] = f"{ver}" return __context__.get(k, None) def _clear_context(): """ Clear any lxc variables set in __context__ """ for var in [x for x in __context__ if x.startswith("lxc.")]: log.trace("Clearing __context__['%s']", var) __context__.pop(var, None) def _ip_sort(ip): """Ip sorting""" idx = "001" if ip == "127.0.0.1": idx = "200" if ip == "::1": idx = "201" elif "::" in ip: idx = "100" return f"{idx}___{ip}" def search_lxc_bridges(): """ Search which bridges are potentially available as LXC bridges CLI Example: .. code-block:: bash salt '*' lxc.search_lxc_bridges """ bridges = __context__.get("lxc.bridges", None) # either match not yet called or no bridges were found # to handle the case where lxc was not installed on the first # call if not bridges: bridges = set() running_bridges = set() bridges.add(DEFAULT_BR) try: output = __salt__["cmd.run_all"]("brctl show") for line in output["stdout"].splitlines()[1:]: if not line.startswith(" "): running_bridges.add(line.split()[0].strip()) except (SaltInvocationError, CommandExecutionError): pass for ifc, ip in __grains__.get("ip_interfaces", {}).items(): if ifc in running_bridges: bridges.add(ifc) elif os.path.exists(f"/sys/devices/virtual/net/{ifc}/bridge"): bridges.add(ifc) bridges = list(bridges) # if we found interfaces that have lxc in their names # we filter them as being the potential lxc bridges # we also try to default on br0 on other cases def sort_bridges(a): pref = "z" if "lxc" in a: pref = "a" elif "br0" == a: pref = "c" return f"{pref}_{a}" bridges.sort(key=sort_bridges) __context__["lxc.bridges"] = bridges return bridges def search_lxc_bridge(): """ Search the first bridge which is potentially available as LXC bridge CLI Example: .. code-block:: bash salt '*' lxc.search_lxc_bridge """ return search_lxc_bridges()[0] def _get_salt_config(config, **kwargs): if not config: config = kwargs.get("minion", {}) if not config: config = {} config.setdefault( "master", kwargs.get("master", __opts__.get("master", __opts__["id"])) ) config.setdefault( "master_port", kwargs.get( "master_port", __opts__.get("master_port", __opts__.get("ret_port", __opts__.get("4506"))), ), ) if not config["master"]: config = {} return config def cloud_init_interface(name, vm_=None, **kwargs): """ Interface between salt.cloud.lxc driver and lxc.init ``vm_`` is a mapping of vm opts in the salt.cloud format as documented for the lxc driver. This can be used either: - from the salt cloud driver - because you find the argument to give easier here than using directly lxc.init .. warning:: BE REALLY CAREFUL CHANGING DEFAULTS !!! IT'S A RETRO COMPATIBLE INTERFACE WITH THE SALT CLOUD DRIVER (ask kiorky). name name of the lxc container to create pub_key public key to preseed the minion with. Can be the keycontent or a filepath priv_key private key to preseed the minion with. Can be the keycontent or a filepath path path to the container parent directory (default: /var/lib/lxc) .. versionadded:: 2015.8.0 profile :ref:`profile <tutorial-lxc-profiles-container>` selection network_profile :ref:`network profile <tutorial-lxc-profiles-network>` selection nic_opts per interface settings compatibles with network profile (ipv4/ipv6/link/gateway/mac/netmask) eg:: - {'eth0': {'mac': '00:16:3e:01:29:40', 'gateway': None, (default) 'link': 'br0', (default) 'gateway': None, (default) 'netmask': '', (default) 'ip': '22.1.4.25'}} unconditional_install given to lxc.bootstrap (see relative doc) force_install given to lxc.bootstrap (see relative doc) config any extra argument for the salt minion config dnsservers list of DNS servers to set inside the container dns_via_dhcp do not set the dns servers, let them be set by the dhcp. autostart autostart the container at boot time password administrative password for the container bootstrap_delay delay before launching bootstrap script at Container init .. warning:: Legacy but still supported options: from_container which container we use as a template when running lxc.clone image which template do we use when we are using lxc.create. This is the default mode unless you specify something in from_container backing which backing store to use. Values can be: overlayfs, dir(default), lvm, zfs, brtfs fstype When using a blockdevice level backing store, which filesystem to use on size When using a blockdevice level backing store, which size for the filesystem to use on snapshot Use snapshot when cloning the container source vgname if using LVM: vgname lvname if using LVM: lvname thinpool: if using LVM: thinpool ip ip for the primary nic mac mac address for the primary nic netmask netmask for the primary nic (24) = ``vm_.get('netmask', '24')`` bridge bridge for the primary nic (lxcbr0) gateway network gateway for the container additional_ips additional ips which will be wired on the main bridge (br0) which is connected to internet. Be aware that you may use manual virtual mac addresses providen by you provider (online, ovh, etc). This is a list of mappings {ip: '', mac: '', netmask:''} Set gateway to None and an interface with a gateway to escape from another interface that eth0. eg:: - {'mac': '00:16:3e:01:29:40', 'gateway': None, (default) 'link': 'br0', (default) 'netmask': '', (default) 'ip': '22.1.4.25'} users administrative users for the container default: [root] and [root, ubuntu] on ubuntu default_nic name of the first interface, you should really not override this CLI Example: .. code-block:: bash salt '*' lxc.cloud_init_interface foo """ if vm_ is None: vm_ = {} vm_ = copy.deepcopy(vm_) vm_ = salt.utils.dictupdate.update(vm_, kwargs) profile_data = copy.deepcopy(vm_.get("lxc_profile", vm_.get("profile", {}))) if not isinstance(profile_data, (dict, (str,))): profile_data = {} profile = get_container_profile(profile_data) def _cloud_get(k, default=None): return vm_.get(k, profile.get(k, default)) if name is None: name = vm_["name"] # if we are on ubuntu, default to ubuntu default_template = "" if __grains__.get("os", "") in ["Ubuntu"]: default_template = "ubuntu" image = _cloud_get("image") if not image: _cloud_get("template", default_template) backing = _cloud_get("backing", "dir") if image: profile["template"] = image vgname = _cloud_get("vgname", None) if vgname: profile["vgname"] = vgname if backing: profile["backing"] = backing snapshot = _cloud_get("snapshot", False) autostart = bool(_cloud_get("autostart", True)) dnsservers = _cloud_get("dnsservers", []) dns_via_dhcp = _cloud_get("dns_via_dhcp", True) password = _cloud_get("password", "s3cr3t") password_encrypted = _cloud_get("password_encrypted", False) fstype = _cloud_get("fstype", None) lvname = _cloud_get("lvname", None) thinpool = _cloud_get("thinpool", None) pub_key = _cloud_get("pub_key", None) priv_key = _cloud_get("priv_key", None) size = _cloud_get("size", "20G") script = _cloud_get("script", None) script_args = _cloud_get("script_args", None) users = _cloud_get("users", None) if users is None: users = [] ssh_username = _cloud_get("ssh_username", None) if ssh_username and (ssh_username not in users): users.append(ssh_username) network_profile = _cloud_get("network_profile", None) nic_opts = kwargs.get("nic_opts", None) netmask = _cloud_get("netmask", "24") path = _cloud_get("path", None) bridge = _cloud_get("bridge", None) gateway = _cloud_get("gateway", None) unconditional_install = _cloud_get("unconditional_install", False) force_install = _cloud_get("force_install", True) config = _get_salt_config(_cloud_get("config", {}), **vm_) default_nic = _cloud_get("default_nic", DEFAULT_NIC) # do the interface with lxc.init mainly via nic_opts # to avoid extra and confusing extra use cases. if not isinstance(nic_opts, dict): nic_opts = salt.utils.odict.OrderedDict() # have a reference to the default nic eth0 = nic_opts.setdefault(default_nic, salt.utils.odict.OrderedDict()) # lxc config is based of ifc order, be sure to use odicts. if not isinstance(nic_opts, salt.utils.odict.OrderedDict): bnic_opts = salt.utils.odict.OrderedDict() bnic_opts.update(nic_opts) nic_opts = bnic_opts gw = None # legacy salt.cloud scheme for network interfaces settings support bridge = _cloud_get("bridge", None) ip = _cloud_get("ip", None) mac = _cloud_get("mac", None) if ip: fullip = ip if netmask: fullip += f"/{netmask}" eth0["ipv4"] = fullip if mac is not None: eth0["mac"] = mac for ix, iopts in enumerate(_cloud_get("additional_ips", [])): ifh = f"eth{ix + 1}" ethx = nic_opts.setdefault(ifh, {}) if gw is None: gw = iopts.get("gateway", ethx.get("gateway", None)) if gw: # only one and only one default gateway is allowed ! eth0.pop("gateway", None) gateway = None # even if the gateway if on default "eth0" nic # and we popped it will work # as we reinject or set it here. ethx["gateway"] = gw elink = iopts.get("link", ethx.get("link", None)) if elink: ethx["link"] = elink # allow dhcp aip = iopts.get("ipv4", iopts.get("ip", None)) if aip: ethx["ipv4"] = aip nm = iopts.get("netmask", "") if nm: ethx["ipv4"] += f"/{nm}" for i in ("mac", "hwaddr"): if i in iopts: ethx["mac"] = iopts[i] break if "mac" not in ethx: ethx["mac"] = salt.utils.network.gen_mac() # last round checking for unique gateway and such gw = None for ethx in [a for a in nic_opts]: ndata = nic_opts[ethx] if gw: ndata.pop("gateway", None) if "gateway" in ndata: gw = ndata["gateway"] gateway = None # only use a default bridge / gateway if we configured them # via the legacy salt cloud configuration style. # On other cases, we should rely on settings provided by the new # salt lxc network profile style configuration which can # be also be overridden or a per interface basis via the nic_opts dict. if bridge: eth0["link"] = bridge if gateway: eth0["gateway"] = gateway # lxc_init_interface = {} lxc_init_interface["name"] = name lxc_init_interface["config"] = config lxc_init_interface["memory"] = _cloud_get("memory", 0) # nolimit lxc_init_interface["pub_key"] = pub_key lxc_init_interface["priv_key"] = priv_key lxc_init_interface["nic_opts"] = nic_opts for clone_from in ["clone_from", "clone", "from_container"]: # clone_from should default to None if not available lxc_init_interface["clone_from"] = _cloud_get(clone_from, None) if lxc_init_interface["clone_from"] is not None: break lxc_init_interface["profile"] = profile lxc_init_interface["snapshot"] = snapshot lxc_init_interface["dnsservers"] = dnsservers lxc_init_interface["fstype"] = fstype lxc_init_interface["path"] = path lxc_init_interface["vgname"] = vgname lxc_init_interface["size"] = size lxc_init_interface["lvname"] = lvname lxc_init_interface["thinpool"] = thinpool lxc_init_interface["force_install"] = force_install lxc_init_interface["unconditional_install"] = unconditional_install lxc_init_interface["bootstrap_url"] = script lxc_init_interface["bootstrap_args"] = script_args lxc_init_interface["bootstrap_shell"] = _cloud_get("bootstrap_shell", "sh") lxc_init_interface["bootstrap_delay"] = _cloud_get("bootstrap_delay", None) lxc_init_interface["autostart"] = autostart lxc_init_interface["users"] = users lxc_init_interface["password"] = password lxc_init_interface["password_encrypted"] = password_encrypted # be sure not to let objects goes inside the return # as this return will be msgpacked for use in the runner ! lxc_init_interface["network_profile"] = network_profile for i in ["cpu", "cpuset", "cpushare"]: if _cloud_get(i, None): try: lxc_init_interface[i] = vm_[i] except KeyError: lxc_init_interface[i] = profile[i] return lxc_init_interface def _get_profile(key, name, **kwargs): if isinstance(name, dict): profilename = name.pop("name", None) return _get_profile(key, profilename, **name) if name is None: profile_match = {} else: profile_match = __salt__["config.get"]( f"lxc.{key}:{name}", default=None, merge="recurse" ) if profile_match is None: # No matching profile, make the profile an empty dict so that # overrides can be applied below. profile_match = {} if not isinstance(profile_match, dict): raise CommandExecutionError(f"lxc.{key} must be a dictionary") # Overlay the kwargs to override matched profile data overrides = salt.utils.args.clean_kwargs(**copy.deepcopy(kwargs)) profile_match = salt.utils.dictupdate.update( copy.deepcopy(profile_match), overrides ) return profile_match def get_container_profile(name=None, **kwargs): """ .. versionadded:: 2015.5.0 Gather a pre-configured set of container configuration parameters. If no arguments are passed, an empty profile is returned. Profiles can be defined in the minion or master config files, or in pillar or grains, and are loaded using :mod:`config.get <salt.modules.config.get>`. The key under which LXC profiles must be configured is ``lxc.container_profile.profile_name``. An example container profile would be as follows: .. code-block:: yaml lxc.container_profile: ubuntu: template: ubuntu backing: lvm vgname: lxc size: 1G Parameters set in a profile can be overridden by passing additional container creation arguments (such as the ones passed to :mod:`lxc.create <salt.modules.lxc.create>`) to this function. A profile can be defined either as the name of the profile, or a dictionary of variable names and values. See the :ref:`LXC Tutorial <tutorial-lxc-profiles>` for more information on how to use LXC profiles. CLI Example: .. code-block:: bash salt-call lxc.get_container_profile centos salt-call lxc.get_container_profile ubuntu template=ubuntu backing=overlayfs """ profile = _get_profile("container_profile", name, **kwargs) return profile def get_network_profile(name=None, **kwargs): """ .. versionadded:: 2015.5.0 Gather a pre-configured set of network configuration parameters. If no arguments are passed, the following default profile is returned: .. code-block:: python {'eth0': {'link': 'br0', 'type': 'veth', 'flags': 'up'}} Profiles can be defined in the minion or master config files, or in pillar or grains, and are loaded using :mod:`config.get <salt.modules.config.get>`. The key under which LXC profiles must be configured is ``lxc.network_profile``. An example network profile would be as follows: .. code-block:: yaml lxc.network_profile.centos: eth0: link: br0 type: veth flags: up To disable networking entirely: .. code-block:: yaml lxc.network_profile.centos: eth0: disable: true Parameters set in a profile can be overridden by passing additional arguments to this function. A profile can be passed either as the name of the profile, or a dictionary of variable names and values. See the :ref:`LXC Tutorial <tutorial-lxc-profiles>` for more information on how to use network profiles. .. warning:: The ``ipv4``, ``ipv6``, ``gateway``, and ``link`` (bridge) settings in network profiles will only work if the container doesn't redefine the network configuration (for example in ``/etc/sysconfig/network-scripts/ifcfg-<interface_name>`` on RHEL/CentOS, or ``/etc/network/interfaces`` on Debian/Ubuntu/etc.) CLI Example: .. code-block:: bash salt-call lxc.get_network_profile default """ profile = _get_profile("network_profile", name, **kwargs) return profile def _rand_cpu_str(cpu): """ Return a random subset of cpus for the cpuset config """ cpu = int(cpu) avail = __salt__["status.nproc"]() if cpu < avail: return f"0-{avail}" to_set = set() while len(to_set) < cpu: choice = random.randint(0, avail - 1) if choice not in to_set: to_set.add(str(choice)) return ",".join(sorted(to_set)) def _network_conf(conf_tuples=None, **kwargs): """ Network configuration defaults network_profile as for containers, we can either call this function either with a network_profile dict or network profile name in the kwargs nic_opts overrides or extra nics in the form {nic_name: {set: tings} """ nic = kwargs.get("network_profile", None) ret = [] nic_opts = kwargs.get("nic_opts", {}) if nic_opts is None: # coming from elsewhere nic_opts = {} if not conf_tuples: conf_tuples = [] old = _get_veths(conf_tuples) if not old: old = {} # if we have a profile name, get the profile and load the network settings # this will obviously by default look for a profile called "eth0" # or by what is defined in nic_opts # and complete each nic settings by sane defaults if nic and isinstance(nic, ((str,), dict)): nicp = get_network_profile(nic) else: nicp = {} if DEFAULT_NIC not in nicp: nicp[DEFAULT_NIC] = {} kwargs = copy.deepcopy(kwargs) gateway = kwargs.pop("gateway", None) bridge = kwargs.get("bridge", None) if nic_opts: for dev, args in nic_opts.items(): ethx = nicp.setdefault(dev, {}) try: ethx = salt.utils.dictupdate.update(ethx, args) except AttributeError: raise SaltInvocationError("Invalid nic_opts configuration") ifs = [a for a in nicp] ifs += [a for a in old if a not in nicp] ifs.sort() gateway_set = False for dev in ifs: args = nicp.get(dev, {}) opts = nic_opts.get(dev, {}) if nic_opts else {} old_if = old.get(dev, {}) disable = opts.get("disable", args.get("disable", False)) if disable: continue mac = opts.get( "mac", opts.get("hwaddr", args.get("mac", args.get("hwaddr", ""))) ) type_ = opts.get("type", args.get("type", "")) flags = opts.get("flags", args.get("flags", "")) link = opts.get("link", args.get("link", "")) ipv4 = opts.get("ipv4", args.get("ipv4", "")) ipv6 = opts.get("ipv6", args.get("ipv6", "")) infos = salt.utils.odict.OrderedDict( [ ( "lxc.network.type", { "test": not type_, "value": type_, "old": old_if.get("lxc.network.type"), "default": "veth", }, ), ( "lxc.network.name", {"test": False, "value": dev, "old": dev, "default": dev}, ), ( "lxc.network.flags", { "test": not flags, "value": flags, "old": old_if.get("lxc.network.flags"), "default": "up", }, ), ( "lxc.network.link", { "test": not link, "value": link, "old": old_if.get("lxc.network.link"), "default": search_lxc_bridge(), }, ), ( "lxc.network.hwaddr", { "test": not mac, "value": mac, "old": old_if.get("lxc.network.hwaddr"), "default": salt.utils.network.gen_mac(), }, ), ( "lxc.network.ipv4", { "test": not ipv4, "value": ipv4, "old": old_if.get("lxc.network.ipv4", ""), "default": None, }, ), ( "lxc.network.ipv6", { "test": not ipv6, "value": ipv6, "old": old_if.get("lxc.network.ipv6", ""), "default": None, }, ), ] ) # for each parameter, if not explicitly set, the # config value present in the LXC configuration should # take precedence over the profile configuration for info in list(infos.keys()): bundle = infos[info] if bundle["test"]: if bundle["old"]: bundle["value"] = bundle["old"] elif bundle["default"]: bundle["value"] = bundle["default"] for info, data in infos.items(): if data["value"]: ret.append({info: data["value"]}) for key, val in args.items(): if key == "link" and bridge: val = bridge val = opts.get(key, val) if key in [ "type", "flags", "name", "gateway", "mac", "link", "ipv4", "ipv6", ]: continue ret.append({f"lxc.network.{key}": val}) # gateway (in automode) must be appended following network conf ! if not gateway: gateway = args.get("gateway", None) if gateway is not None and not gateway_set: ret.append({"lxc.network.ipv4.gateway": gateway}) # only one network gateway ;) gateway_set = True # normally, this won't happen # set the gateway if specified even if we did # not managed the network underlying if gateway is not None and not gateway_set: ret.append({"lxc.network.ipv4.gateway": gateway}) # only one network gateway ;) gateway_set = True new = _get_veths(ret) # verify that we did not loose the mac settings for iface in [a for a in new]: ndata = new[iface] nmac = ndata.get("lxc.network.hwaddr", "") ntype = ndata.get("lxc.network.type", "") omac, otype = "", "" if iface in old: odata = old[iface] omac = odata.get("lxc.network.hwaddr", "") otype = odata.get("lxc.network.type", "") # default for network type is setted here # attention not to change the network type # without a good and explicit reason to. if otype and not ntype: ntype = otype if not ntype: ntype = "veth" new[iface]["lxc.network.type"] = ntype if omac and not nmac: new[iface]["lxc.network.hwaddr"] = omac ret = [] for val in new.values(): for row in val: ret.append(salt.utils.odict.OrderedDict([(row, val[row])])) # on old versions of lxc, still support the gateway auto mode # if we didn't explicitly say no to # (lxc.network.ipv4.gateway: auto) if ( Version(version()) <= Version("1.0.7") and True not in ["lxc.network.ipv4.gateway" in a for a in ret] and True in ["lxc.network.ipv4" in a for a in ret] ): ret.append({"lxc.network.ipv4.gateway": "auto"}) return ret def _get_lxc_default_data(**kwargs): kwargs = copy.deepcopy(kwargs) ret = {} for k in ["utsname", "rootfs"]: val = kwargs.get(k, None) if val is not None: ret[f"lxc.{k}"] = val autostart = kwargs.get("autostart") # autostart can have made in kwargs, but with the None # value which is invalid, we need an explicit boolean # autostart = on is the default. if autostart is None: autostart = True # we will set the regular lxc marker to restart container at # machine (re)boot only if we did not explicitly ask # not to touch to the autostart settings via # autostart == 'keep' if autostart != "keep": if autostart: ret["lxc.start.auto"] = "1" else: ret["lxc.start.auto"] = "0" memory = kwargs.get("memory") if memory is not None: # converting the config value from MB to bytes ret["lxc.cgroup.memory.limit_in_bytes"] = memory * 1024 * 1024 cpuset = kwargs.get("cpuset") if cpuset: ret["lxc.cgroup.cpuset.cpus"] = cpuset cpushare = kwargs.get("cpushare") cpu = kwargs.get("cpu") if cpushare: ret["lxc.cgroup.cpu.shares"] = cpushare if cpu and not cpuset: ret["lxc.cgroup.cpuset.cpus"] = _rand_cpu_str(cpu) return ret def _config_list(conf_tuples=None, only_net=False, **kwargs): """ Return a list of dicts from the salt level configurations conf_tuples _LXCConfig compatible list of entries which can contain - string line - tuple (lxc config param,value) - dict of one entry: {lxc config param: value) only_net by default we add to the tuples a reflection of both the real config if avalaible and a certain amount of default values like the cpu parameters, the memory and etc. On the other hand, we also no matter the case reflect the network configuration computed from the actual config if available and given values. if no_default_loads is set, we will only reflect the network configuration back to the conf tuples list """ # explicit cast only_net = bool(only_net) if not conf_tuples: conf_tuples = [] kwargs = copy.deepcopy(kwargs) ret = [] if not only_net: default_data = _get_lxc_default_data(**kwargs) for k, val in default_data.items(): ret.append({k: val}) net_datas = _network_conf(conf_tuples=conf_tuples, **kwargs) ret.extend(net_datas) return ret def _get_veths(net_data): """ Parse the nic setup inside lxc conf tuples back to a dictionary indexed by network interface """ if isinstance(net_data, dict): net_data = list(net_data.items()) nics = salt.utils.odict.OrderedDict() current_nic = salt.utils.odict.OrderedDict() no_names = True for item in net_data: if item and isinstance(item, dict): item = list(item.items())[0] # skip LXC configuration comment lines, and play only with tuples conf elif isinstance(item, str): # deal with reflection of commented lxc configs sitem = item.strip() if sitem.startswith("#") or not sitem: continue elif "=" in item: item = tuple(a.strip() for a in item.split("=", 1)) if item[0] == "lxc.network.type": current_nic = salt.utils.odict.OrderedDict() if item[0] == "lxc.network.name": no_names = False nics[item[1].strip()] = current_nic current_nic[item[0].strip()] = item[1].strip() # if not ethernet card name has been collected, assuming we collected # data for eth0 if no_names and current_nic: nics[DEFAULT_NIC] = current_nic return nics class _LXCConfig: """ LXC configuration data """ pattern = re.compile(r"^(\S+)(\s*)(=)(\s*)(.*)") non_interpretable_pattern = re.compile(r"^((#.*)|(\s*))$") def __init__(self, **kwargs): kwargs = copy.deepcopy(kwargs) self.name = kwargs.pop("name", None) path = get_root_path(kwargs.get("path", None)) self.data = [] if self.name: self.path = os.path.join(path, self.name, "config") if os.path.isfile(self.path): with salt.utils.files.fopen(self.path) as fhr: for line in salt.utils.data.decode(fhr.readlines()): match = self.pattern.findall(line.strip()) if match: self.data.append((match[0][0], match[0][-1])) match = self.non_interpretable_pattern.findall(line.strip()) if match: self.data.append(("", match[0][0])) else: self.path = None def _replace(key, val): if val: self._filter_data(key) self.data.append((key, val)) default_data = _get_lxc_default_data(**kwargs) for key, val in default_data.items(): _replace(key, val) old_net = self._filter_data("lxc.network") net_datas = _network_conf(conf_tuples=old_net, **kwargs) if net_datas: for row in net_datas: self.data.extend(list(row.items())) # be sure to reset harmful settings for idx in ["lxc.cgroup.memory.limit_in_bytes"]: if not default_data.get(idx): self._filter_data(idx) def as_string(self): chunks = ( "{0[0]}{1}{0[1]}".format(item, (" = " if item[0] else "")) for item in self.data ) return "\n".join(chunks) + "\n" def write(self): if self.path: content = self.as_string() # 2 step rendering to be sure not to open/wipe the config # before as_string succeeds. with salt.utils.files.fopen(self.path, "w") as fic: fic.write(salt.utils.stringutils.to_str(content)) fic.flush() def tempfile(self): # this might look like the function name is shadowing the # module, but it's not since the method belongs to the class ntf = tempfile.NamedTemporaryFile() ntf.write(self.as_string()) ntf.flush() return ntf def _filter_data(self, pattern): """ Removes parameters which match the pattern from the config data """ removed = [] filtered = [] for param in self.data: if not param[0].startswith(pattern): filtered.append(param) else: removed.append(param) self.data = filtered return removed def _get_base(**kwargs): """ If the needed base does not exist, then create it, if it does exist create nothing and return the name of the base lxc container so it can be cloned. """ profile = get_container_profile(copy.deepcopy(kwargs.get("profile"))) kw_overrides = copy.deepcopy(kwargs) def select(key, default=None): kw_overrides_match = kw_overrides.pop(key, _marker) profile_match = profile.pop(key, default) # let kwarg overrides be the preferred choice if kw_overrides_match is _marker: return profile_match return kw_overrides_match template = select("template") image = select("image") vgname = select("vgname") path = kwargs.get("path", None) # remove the above three variables from kwargs, if they exist, to avoid # duplicates if create() is invoked below. for param in ("path", "image", "vgname", "template"): kwargs.pop(param, None) if image: proto = urllib.parse.urlparse(image).scheme img_tar = __salt__["cp.cache_file"](image) img_name = os.path.basename(img_tar) hash_ = salt.utils.hashutils.get_hash( img_tar, __salt__["config.get"]("hash_type") ) name = f"__base_{proto}_{img_name}_{hash_}" if not exists(name, path=path): create( name, template=template, image=image, path=path, vgname=vgname, **kwargs ) if vgname: rootfs = os.path.join("/dev", vgname, name) edit_conf( info(name, path=path)["config"], out_format="commented", **{"lxc.rootfs": rootfs}, ) return name elif template: name = f"__base_{template}" if not exists(name, path=path): create( name, template=template, image=image, path=path, vgname=vgname, **kwargs ) if vgname: rootfs = os.path.join("/dev", vgname, name) edit_conf( info(name, path=path)["config"], out_format="commented", **{"lxc.rootfs": rootfs}, ) return name return "" def init( name, config=None, cpuset=None, cpushare=None, memory=None, profile=None, network_profile=None, nic_opts=None, cpu=None, autostart=True, password=None, password_encrypted=None, users=None, dnsservers=None, searchdomains=None, bridge=None, gateway=None, pub_key=None, priv_key=None, force_install=False, unconditional_install=False, bootstrap_delay=None, bootstrap_args=None, bootstrap_shell=None, bootstrap_url=None, **kwargs, ): """ Initialize a new container. This is a partial idempotent function as if it is already provisioned, we will reset a bit the lxc configuration file but much of the hard work will be escaped as markers will prevent re-execution of harmful tasks. name Name of the container image A tar archive to use as the rootfs for the container. Conflicts with the ``template`` argument. cpus Select a random number of cpu cores and assign it to the cpuset, if the cpuset option is set then this option will be ignored cpuset Explicitly define the cpus this container will be bound to cpushare cgroups cpu shares autostart autostart container on reboot memory cgroups memory limit, in MB .. versionchanged:: 2015.5.0 If no value is passed, no limit is set. In earlier Salt versions, not passing this value causes a 1024MB memory limit to be set, and it was necessary to pass ``memory=0`` to set no limit. gateway the ipv4 gateway to use the default does nothing more than lxcutils does bridge the bridge to use the default does nothing more than lxcutils does network_profile Network profile to use for the container .. versionadded:: 2015.5.0 nic_opts Extra options for network interfaces, will override ``{"eth0": {"hwaddr": "aa:bb:cc:dd:ee:ff", "ipv4": "10.1.1.1", "ipv6": "2001:db8::ff00:42:8329"}}`` or ``{"eth0": {"hwaddr": "aa:bb:cc:dd:ee:ff", "ipv4": "10.1.1.1/24", "ipv6": "2001:db8::ff00:42:8329"}}`` users Users for which the password defined in the ``password`` param should be set. Can be passed as a comma separated list or a python list. Defaults to just the ``root`` user. password Set the initial password for the users defined in the ``users`` parameter password_encrypted : False Set to ``True`` to denote a password hash instead of a plaintext password .. versionadded:: 2015.5.0 profile A LXC profile (defined in config or pillar). This can be either a real profile mapping or a string to retrieve it in configuration start Start the newly-created container dnsservers list of dns servers to set in the container, default [] (no setting) seed Seed the container with the minion config. Default: ``True`` install If salt-minion is not already installed, install it. Default: ``True`` config Optional config parameters. By default, the id is set to the name of the container. master salt master (default to minion's master) master_port salt master port (default to minion's master port) pub_key Explicit public key to preseed the minion with (optional). This can be either a filepath or a string representing the key priv_key Explicit private key to preseed the minion with (optional). This can be either a filepath or a string representing the key approve_key If explicit preseeding is not used; Attempt to request key approval from the master. Default: ``True`` path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 clone_from Original from which to use a clone operation to create the container. Default: ``None`` bootstrap_delay Delay in seconds between end of container creation and bootstrapping. Useful when waiting for container to obtain a DHCP lease. .. versionadded:: 2015.5.0 bootstrap_url See lxc.bootstrap bootstrap_shell See lxc.bootstrap bootstrap_args See lxc.bootstrap force_install Force installation even if salt-minion is detected, this is the way to run vendor bootstrap scripts even if a salt minion is already present in the container unconditional_install Run the script even if the container seems seeded CLI Example: .. code-block:: bash salt 'minion' lxc.init name [cpuset=cgroups_cpuset] \\ [cpushare=cgroups_cpushare] [memory=cgroups_memory] \\ [nic=nic_profile] [profile=lxc_profile] \\ [nic_opts=nic_opts] [start=(True|False)] \\ [seed=(True|False)] [install=(True|False)] \\ [config=minion_config] [approve_key=(True|False) \\ [clone_from=original] [autostart=True] \\ [priv_key=/path_or_content] [pub_key=/path_or_content] \\ [bridge=lxcbr0] [gateway=10.0.3.1] \\ [dnsservers[dns1,dns2]] \\ [users=[foo]] [password='secret'] \\ [password_encrypted=(True|False)] """ ret = {"name": name, "changes": {}} profile = get_container_profile(copy.deepcopy(profile)) if not network_profile: network_profile = profile.get("network_profile") if not network_profile: network_profile = DEFAULT_NIC # Changes is a pointer to changes_dict['init']. This method is used so that # we can have a list of changes as they are made, providing an ordered list # of things that were changed. changes_dict = {"init": []} changes = changes_dict.get("init") if users is None: users = [] dusers = ["root"] for user in dusers: if user not in users: users.append(user) kw_overrides = copy.deepcopy(kwargs) def select(key, default=None): kw_overrides_match = kw_overrides.pop(key, _marker) profile_match = profile.pop(key, default) # let kwarg overrides be the preferred choice if kw_overrides_match is _marker: return profile_match return kw_overrides_match path = select("path") bpath = get_root_path(path) state_pre = state(name, path=path) tvg = select("vgname") vgname = tvg if tvg else __salt__["config.get"]("lxc.vgname") start_ = select("start", True) autostart = select("autostart", autostart) seed = select("seed", True) install = select("install", True) seed_cmd = select("seed_cmd") salt_config = _get_salt_config(config, **kwargs) approve_key = select("approve_key", True) clone_from = select("clone_from") # If using a volume group then set up to make snapshot cow clones if vgname and not clone_from: try: kwargs["vgname"] = vgname clone_from = _get_base(profile=profile, **kwargs) except (SaltInvocationError, CommandExecutionError) as exc: ret["comment"] = exc.strerror if changes: ret["changes"] = changes_dict return ret if not kwargs.get("snapshot") is False: kwargs["snapshot"] = True does_exist = exists(name, path=path) to_reboot = False remove_seed_marker = False if does_exist: pass elif clone_from: remove_seed_marker = True try: clone(name, clone_from, profile=profile, **kwargs) changes.append({"create": "Container cloned"}) except (SaltInvocationError, CommandExecutionError) as exc: if "already exists" in exc.strerror: changes.append({"create": "Container already exists"}) else: ret["result"] = False ret["comment"] = exc.strerror if changes: ret["changes"] = changes_dict return ret cfg = _LXCConfig( name=name, network_profile=network_profile, nic_opts=nic_opts, bridge=bridge, path=path, gateway=gateway, autostart=autostart, cpuset=cpuset, cpushare=cpushare, memory=memory, ) old_chunks = read_conf(cfg.path, out_format="commented") cfg.write() chunks = read_conf(cfg.path, out_format="commented") if old_chunks != chunks: to_reboot = True else: remove_seed_marker = True cfg = _LXCConfig( network_profile=network_profile, nic_opts=nic_opts, cpuset=cpuset, path=path, bridge=bridge, gateway=gateway, autostart=autostart, cpushare=cpushare, memory=memory, ) with cfg.tempfile() as cfile: try: create(name, config=cfile.name, profile=profile, **kwargs) changes.append({"create": "Container created"}) except (SaltInvocationError, CommandExecutionError) as exc: if "already exists" in exc.strerror: changes.append({"create": "Container already exists"}) else: ret["comment"] = exc.strerror if changes: ret["changes"] = changes_dict return ret cpath = os.path.join(bpath, name, "config") old_chunks = [] if os.path.exists(cpath): old_chunks = read_conf(cpath, out_format="commented") new_cfg = _config_list( conf_tuples=old_chunks, cpu=cpu, network_profile=network_profile, nic_opts=nic_opts, bridge=bridge, cpuset=cpuset, cpushare=cpushare, memory=memory, ) if new_cfg: edit_conf(cpath, out_format="commented", lxc_config=new_cfg) chunks = read_conf(cpath, out_format="commented") if old_chunks != chunks: to_reboot = True # last time to be sure any of our property is correctly applied cfg = _LXCConfig( name=name, network_profile=network_profile, nic_opts=nic_opts, bridge=bridge, path=path, gateway=gateway, autostart=autostart, cpuset=cpuset, cpushare=cpushare, memory=memory, ) old_chunks = [] if os.path.exists(cfg.path): old_chunks = read_conf(cfg.path, out_format="commented") cfg.write() chunks = read_conf(cfg.path, out_format="commented") if old_chunks != chunks: changes.append({"config": "Container configuration updated"}) to_reboot = True if to_reboot: try: stop(name, path=path) except (SaltInvocationError, CommandExecutionError) as exc: ret["comment"] = f"Unable to stop container: {exc}" if changes: ret["changes"] = changes_dict return ret if not does_exist or (does_exist and state(name, path=path) != "running"): try: start(name, path=path) except (SaltInvocationError, CommandExecutionError) as exc: ret["comment"] = f"Unable to stop container: {exc}" if changes: ret["changes"] = changes_dict return ret if remove_seed_marker: run( name, f"rm -f '{SEED_MARKER}'", path=path, chroot_fallback=False, python_shell=False, ) # set the default user/password, only the first time if ret.get("result", True) and password: gid = "/.lxc.initial_pass" gids = [gid, "/lxc.initial_pass", f"/.lxc.{name}.initial_pass"] if not any( retcode( name, f'test -e "{x}"', chroot_fallback=True, path=path, ignore_retcode=True, ) == 0 for x in gids ): # think to touch the default user generated by default templates # which has a really unsecure passwords... # root is defined as a member earlier in the code for default_user in ["ubuntu"]: if ( default_user not in users and retcode( name, f"id {default_user}", python_shell=False, path=path, chroot_fallback=True, ignore_retcode=True, ) == 0 ): users.append(default_user) for user in users: try: cret = set_password( name, users=[user], path=path, password=password, encrypted=password_encrypted, ) except (SaltInvocationError, CommandExecutionError) as exc: msg = f"{user}: Failed to set password" + exc.strerror # only hardfail in unrecoverable situation: # root cannot be setted up if user == "root": ret["comment"] = msg ret["result"] = False else: log.debug(msg) if ret.get("result", True): changes.append({"password": "Password(s) updated"}) if ( retcode( name, 'sh -c \'touch "{0}"; test -e "{0}"\''.format(gid), path=path, chroot_fallback=True, ignore_retcode=True, ) != 0 ): ret["comment"] = "Failed to set password marker" changes[-1]["password"] += ". " + ret["comment"] + "." ret["result"] = False # set dns servers if any, only the first time if ret.get("result", True) and dnsservers: # retro compatibility, test also old markers gid = "/.lxc.initial_dns" gids = [gid, "/lxc.initial_dns", f"/lxc.{name}.initial_dns"] if not any( retcode( name, f'test -e "{x}"', chroot_fallback=True, path=path, ignore_retcode=True, ) == 0 for x in gids ): try: set_dns( name, path=path, dnsservers=dnsservers, searchdomains=searchdomains ) except (SaltInvocationError, CommandExecutionError) as exc: ret["comment"] = "Failed to set DNS: " + exc.strerror ret["result"] = False else: changes.append({"dns": "DNS updated"}) if ( retcode( name, 'sh -c \'touch "{0}"; test -e "{0}"\''.format(gid), chroot_fallback=True, path=path, ignore_retcode=True, ) != 0 ): ret["comment"] = "Failed to set DNS marker" changes[-1]["dns"] += ". " + ret["comment"] + "." ret["result"] = False # retro compatibility, test also old markers if remove_seed_marker: run(name, f"rm -f '{SEED_MARKER}'", path=path, python_shell=False) gid = "/.lxc.initial_seed" gids = [gid, "/lxc.initial_seed"] if any( retcode( name, f"test -e {x}", path=path, chroot_fallback=True, ignore_retcode=True, ) == 0 for x in gids ) or not ret.get("result", True): pass elif seed or seed_cmd: if seed: try: result = bootstrap( name, config=salt_config, path=path, approve_key=approve_key, pub_key=pub_key, priv_key=priv_key, install=install, force_install=force_install, unconditional_install=unconditional_install, bootstrap_delay=bootstrap_delay, bootstrap_url=bootstrap_url, bootstrap_shell=bootstrap_shell, bootstrap_args=bootstrap_args, ) except (SaltInvocationError, CommandExecutionError) as exc: ret["comment"] = "Bootstrap failed: " + exc.strerror ret["result"] = False else: if not result: ret[ "comment" ] = "Bootstrap failed, see minion log for more information" ret["result"] = False else: changes.append({"bootstrap": "Container successfully bootstrapped"}) elif seed_cmd: try: result = __salt__[seed_cmd]( info(name, path=path)["rootfs"], name, salt_config ) except (SaltInvocationError, CommandExecutionError) as exc: ret["comment"] = "Bootstrap via seed_cmd '{}' failed: {}".format( seed_cmd, exc.strerror ) ret["result"] = False else: if not result: ret["comment"] = ( "Bootstrap via seed_cmd '{}' failed, " "see minion log for more information ".format(seed_cmd) ) ret["result"] = False else: changes.append( { "bootstrap": ( "Container successfully bootstrapped " "using seed_cmd '{}'".format(seed_cmd) ) } ) if ret.get("result", True) and not start_: try: stop(name, path=path) except (SaltInvocationError, CommandExecutionError) as exc: ret["comment"] = f"Unable to stop container: {exc}" ret["result"] = False state_post = state(name, path=path) if state_pre != state_post: changes.append({"state": {"old": state_pre, "new": state_post}}) if ret.get("result", True): ret["comment"] = f"Container '{name}' successfully initialized" ret["result"] = True if changes: ret["changes"] = changes_dict return ret def cloud_init(name, vm_=None, **kwargs): """ Thin wrapper to lxc.init to be used from the saltcloud lxc driver name Name of the container may be None and then guessed from saltcloud mapping `vm_` saltcloud mapping defaults for the vm CLI Example: .. code-block:: bash salt '*' lxc.cloud_init foo """ init_interface = cloud_init_interface(name, vm_, **kwargs) name = init_interface.pop("name", name) return init(name, **init_interface) def images(dist=None): """ .. versionadded:: 2015.5.0 List the available images for LXC's ``download`` template. dist : None Filter results to a single Linux distribution CLI Examples: .. code-block:: bash salt myminion lxc.images salt myminion lxc.images dist=centos """ out = __salt__["cmd.run_stdout"]( "lxc-create -n __imgcheck -t download -- --list", ignore_retcode=True ) if "DIST" not in out: raise CommandExecutionError( "Unable to run the 'download' template script. Is it installed?" ) ret = {} passed_header = False for line in out.splitlines(): try: distro, release, arch, variant, build_time = line.split() except ValueError: continue if not passed_header: if distro == "DIST": passed_header = True continue dist_list = ret.setdefault(distro, []) dist_list.append( { "release": release, "arch": arch, "variant": variant, "build_time": build_time, } ) if dist is not None: return dict([(dist, ret.get(dist, []))]) return ret def templates(): """ .. versionadded:: 2015.5.0 List the available LXC template scripts installed on the minion CLI Examples: .. code-block:: bash salt myminion lxc.templates """ try: template_scripts = os.listdir("/usr/share/lxc/templates") except OSError: return [] else: return [x[4:] for x in template_scripts if x.startswith("lxc-")] def _after_ignition_network_profile(cmd, ret, name, network_profile, path, nic_opts): _clear_context() if ret["retcode"] == 0 and exists(name, path=path): if network_profile: network_changes = apply_network_profile( name, network_profile, path=path, nic_opts=nic_opts ) if network_changes: log.info( "Network changes from applying network profile '%s' " "to newly-created container '%s':\n%s", network_profile, name, network_changes, ) c_state = state(name, path=path) return {"result": True, "state": {"old": None, "new": c_state}} else: if exists(name, path=path): # destroy the container if it was partially created cmd = "lxc-destroy" if path: cmd += f" -P {shlex.quote(path)}" cmd += f" -n {name}" __salt__["cmd.retcode"](cmd, python_shell=False) raise CommandExecutionError( "Container could not be created with cmd '{}': {}".format( cmd, ret["stderr"] ) ) def create( name, config=None, profile=None, network_profile=None, nic_opts=None, **kwargs ): """ Create a new container. name Name of the container config The config file to use for the container. Defaults to system-wide config (usually in /etc/lxc/lxc.conf). profile Profile to use in container creation (see :mod:`lxc.get_container_profile <salt.modules.lxc.get_container_profile>`). Values in a profile will be overridden by the **Container Creation Arguments** listed below. network_profile Network profile to use for container .. versionadded:: 2015.5.0 **Container Creation Arguments** template The template to use. For example, ``ubuntu`` or ``fedora``. For a full list of available templates, check out the :mod:`lxc.templates <salt.modules.lxc.templates>` function. Conflicts with the ``image`` argument. .. note:: The ``download`` template requires the following three parameters to be defined in ``options``: * **dist** - The name of the distribution * **release** - Release name/version * **arch** - Architecture of the container The available images can be listed using the :mod:`lxc.images <salt.modules.lxc.images>` function. options Template-specific options to pass to the lxc-create command. These correspond to the long options (ones beginning with two dashes) that the template script accepts. For example: .. code-block:: bash options='{"dist": "centos", "release": "6", "arch": "amd64"}' For available template options, refer to the lxc template scripts which are usually located under ``/usr/share/lxc/templates``, or run ``lxc-create -t <template> -h``. image A tar archive to use as the rootfs for the container. Conflicts with the ``template`` argument. backing The type of storage to use. Set to ``lvm`` to use an LVM group. Defaults to filesystem within /var/lib/lxc. fstype Filesystem type to use on LVM logical volume size : 1G Size of the volume to create. Only applicable if ``backing=lvm``. vgname : lxc Name of the LVM volume group in which to create the volume for this container. Only applicable if ``backing=lvm``. lvname Name of the LVM logical volume in which to create the volume for this container. Only applicable if ``backing=lvm``. thinpool Name of a pool volume that will be used for thin-provisioning this container. Only applicable if ``backing=lvm``. nic_opts give extra opts overriding network profile values path parent path for the container creation (default: /var/lib/lxc) zfsroot Name of the ZFS root in which to create the volume for this container. Only applicable if ``backing=zfs``. (default: tank/lxc) .. versionadded:: 2015.8.0 """ # Required params for 'download' template download_template_deps = ("dist", "release", "arch") cmd = f"lxc-create -n {name}" profile = get_container_profile(copy.deepcopy(profile)) kw_overrides = copy.deepcopy(kwargs) def select(key, default=None): kw_overrides_match = kw_overrides.pop(key, None) profile_match = profile.pop(key, default) # Return the profile match if the kwarg match was None, as the # lxc.present state will pass these kwargs set to None by default. if kw_overrides_match is None: return profile_match return kw_overrides_match path = select("path") if exists(name, path=path): raise CommandExecutionError(f"Container '{name}' already exists") tvg = select("vgname") vgname = tvg if tvg else __salt__["config.get"]("lxc.vgname") # The 'template' and 'image' params conflict template = select("template") image = select("image") if template and image: raise SaltInvocationError("Only one of 'template' and 'image' is permitted") elif not any((template, image, profile)): raise SaltInvocationError( "At least one of 'template', 'image', and 'profile' is required" ) options = select("options") or {} backing = select("backing") if vgname and not backing: backing = "lvm" lvname = select("lvname") thinpool = select("thinpool") fstype = select("fstype") size = select("size", "1G") zfsroot = select("zfsroot") if backing in ("dir", "overlayfs", "btrfs", "zfs"): fstype = None size = None # some backends won't support some parameters if backing in ("aufs", "dir", "overlayfs", "btrfs"): lvname = vgname = thinpool = None if image: img_tar = __salt__["cp.cache_file"](image) template = os.path.join( os.path.dirname(salt.__file__), "templates", "lxc", "salt_tarball" ) options["imgtar"] = img_tar if path: cmd += f" -P {shlex.quote(path)}" if not os.path.exists(path): os.makedirs(path) if config: cmd += f" -f {config}" if template: cmd += f" -t {template}" if backing: backing = backing.lower() cmd += f" -B {backing}" if backing in ("zfs",): if zfsroot: cmd += f" --zfsroot {zfsroot}" if backing in ("lvm",): if lvname: cmd += f" --lvname {lvname}" if vgname: cmd += f" --vgname {vgname}" if thinpool: cmd += f" --thinpool {thinpool}" if backing not in ("dir", "overlayfs"): if fstype: cmd += f" --fstype {fstype}" if size: cmd += f" --fssize {size}" if options: if template == "download": missing_deps = [x for x in download_template_deps if x not in options] if missing_deps: raise SaltInvocationError( "Missing params in 'options' dict: {}".format( ", ".join(missing_deps) ) ) cmd += " --" for key, val in options.items(): cmd += f" --{key} {val}" ret = __salt__["cmd.run_all"](cmd, python_shell=False) # please do not merge extra conflicting stuff # inside those two line (ret =, return) return _after_ignition_network_profile( cmd, ret, name, network_profile, path, nic_opts ) def clone(name, orig, profile=None, network_profile=None, nic_opts=None, **kwargs): """ Create a new container as a clone of another container name Name of the container orig Name of the original container to be cloned profile Profile to use in container cloning (see :mod:`lxc.get_container_profile <salt.modules.lxc.get_container_profile>`). Values in a profile will be overridden by the **Container Cloning Arguments** listed below. path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 **Container Cloning Arguments** snapshot Use Copy On Write snapshots (LVM) size : 1G Size of the volume to create. Only applicable if ``backing=lvm``. backing The type of storage to use. Set to ``lvm`` to use an LVM group. Defaults to filesystem within /var/lib/lxc. network_profile Network profile to use for container .. versionadded:: 2015.8.0 nic_opts give extra opts overriding network profile values .. versionadded:: 2015.8.0 CLI Examples: .. code-block:: bash salt '*' lxc.clone myclone orig=orig_container salt '*' lxc.clone myclone orig=orig_container snapshot=True """ profile = get_container_profile(copy.deepcopy(profile)) kw_overrides = copy.deepcopy(kwargs) def select(key, default=None): kw_overrides_match = kw_overrides.pop(key, None) profile_match = profile.pop(key, default) # let kwarg overrides be the preferred choice if kw_overrides_match is None: return profile_match return kw_overrides_match path = select("path") if exists(name, path=path): raise CommandExecutionError(f"Container '{name}' already exists") _ensure_exists(orig, path=path) if state(orig, path=path) != "stopped": raise CommandExecutionError(f"Container '{orig}' must be stopped to be cloned") backing = select("backing") snapshot = select("snapshot") if backing in ("dir",): snapshot = False if not snapshot: snapshot = "" else: snapshot = "-s" size = select("size", "1G") if backing in ("dir", "overlayfs", "btrfs"): size = None # LXC commands and options changed in 2.0 - CF issue #34086 for details if Version(version()) >= Version("2.0"): # https://linuxcontainers.org/lxc/manpages//man1/lxc-copy.1.html cmd = "lxc-copy" cmd += f" {snapshot} -n {orig} -N {name}" else: # https://linuxcontainers.org/lxc/manpages//man1/lxc-clone.1.html cmd = "lxc-clone" cmd += f" {snapshot} -o {orig} -n {name}" if path: cmd += f" -P {shlex.quote(path)}" if not os.path.exists(path): os.makedirs(path) if backing: backing = backing.lower() cmd += f" -B {backing}" if backing not in ("dir", "overlayfs"): if size: cmd += f" -L {size}" ret = __salt__["cmd.run_all"](cmd, python_shell=False) # please do not merge extra conflicting stuff # inside those two line (ret =, return) return _after_ignition_network_profile( cmd, ret, name, network_profile, path, nic_opts ) def ls_(active=None, cache=True, path=None): """ Return a list of the containers available on the minion path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 active If ``True``, return only active (i.e. running) containers .. versionadded:: 2015.5.0 CLI Example: .. code-block:: bash salt '*' lxc.ls salt '*' lxc.ls active=True """ contextvar = f"lxc.ls{path}" if active: contextvar += ".active" if cache and (contextvar in __context__): return __context__[contextvar] else: ret = [] cmd = "lxc-ls" if path: cmd += f" -P {shlex.quote(path)}" if active: cmd += " --active" output = __salt__["cmd.run_stdout"](cmd, python_shell=False) for line in output.splitlines(): ret.extend(line.split()) __context__[contextvar] = ret return ret def list_(extra=False, limit=None, path=None): """ List containers classified by state extra Also get per-container specific info. This will change the return data. Instead of returning a list of containers, a dictionary of containers and each container's output from :mod:`lxc.info <salt.modules.lxc.info>`. path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 limit Return output matching a specific state (**frozen**, **running**, or **stopped**). .. versionadded:: 2015.5.0 CLI Examples: .. code-block:: bash salt '*' lxc.list salt '*' lxc.list extra=True salt '*' lxc.list limit=running """ ctnrs = ls_(path=path) if extra: stopped = {} frozen = {} running = {} else: stopped = [] frozen = [] running = [] ret = {"running": running, "stopped": stopped, "frozen": frozen} for container in ctnrs: cmd = "lxc-info" if path: cmd += f" -P {shlex.quote(path)}" cmd += f" -n {container}" c_info = __salt__["cmd.run"](cmd, python_shell=False, output_loglevel="debug") c_state = None for line in c_info.splitlines(): stat = line.split(":") if stat[0] in ("State", "state"): c_state = stat[1].strip() break if not c_state or (limit is not None and c_state.lower() != limit): continue if extra: infos = info(container, path=path) method = "update" value = {container: infos} else: method = "append" value = container if c_state == "STOPPED": getattr(stopped, method)(value) continue if c_state == "FROZEN": getattr(frozen, method)(value) continue if c_state == "RUNNING": getattr(running, method)(value) continue if limit is not None: return ret.get(limit, {} if extra else []) return ret def _change_state( cmd, name, expected, stdin=_marker, stdout=_marker, stderr=_marker, with_communicate=_marker, use_vt=_marker, path=None, ): pre = state(name, path=path) if pre == expected: return { "result": True, "state": {"old": expected, "new": expected}, "comment": f"Container '{name}' already {expected}", } if cmd == "lxc-destroy": # Kill the container first scmd = "lxc-stop" if path: scmd += f" -P {shlex.quote(path)}" scmd += f" -k -n {name}" __salt__["cmd.run"](scmd, python_shell=False) if path and " -P " not in cmd: cmd += f" -P {shlex.quote(path)}" cmd += f" -n {name}" # certain lxc commands need to be taken with care (lxc-start) # as te command itself mess with double forks; we must not # communicate with it, but just wait for the exit status pkwargs = { "python_shell": False, "redirect_stderr": True, "with_communicate": with_communicate, "use_vt": use_vt, "stdin": stdin, "stdout": stdout, } for i in [a for a in pkwargs]: val = pkwargs[i] if val is _marker: pkwargs.pop(i, None) _cmdout = __salt__["cmd.run_all"](cmd, **pkwargs) if _cmdout["retcode"] != 0: raise CommandExecutionError( "Error changing state for container '{}' using command '{}': {}".format( name, cmd, _cmdout["stdout"] ) ) if expected is not None: # some commands do not wait, so we will rcmd = "lxc-wait" if path: rcmd += f" -P {shlex.quote(path)}" rcmd += f" -n {name} -s {expected.upper()}" __salt__["cmd.run"](rcmd, python_shell=False, timeout=30) _clear_context() post = state(name, path=path) ret = {"result": post == expected, "state": {"old": pre, "new": post}} return ret def _ensure_exists(name, path=None): """ Raise an exception if the container does not exist """ if not exists(name, path=path): raise CommandExecutionError(f"Container '{name}' does not exist") def _ensure_running(name, no_start=False, path=None): """ If the container is not currently running, start it. This function returns the state that the container was in before changing path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 """ _ensure_exists(name, path=path) pre = state(name, path=path) if pre == "running": # This will be a no-op but running the function will give us a pretty # return dict. return start(name, path=path) elif pre == "stopped": if no_start: raise CommandExecutionError(f"Container '{name}' is not running") return start(name, path=path) elif pre == "frozen": if no_start: raise CommandExecutionError(f"Container '{name}' is not running") return unfreeze(name, path=path) def restart(name, path=None, lxc_config=None, force=False): """ .. versionadded:: 2015.5.0 Restart the named container. If the container was not running, the container will merely be started. name The name of the container path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 lxc_config path to a lxc config file config file will be guessed from container name otherwise .. versionadded:: 2015.8.0 force : False If ``True``, the container will be force-stopped instead of gracefully shut down CLI Example: .. code-block:: bash salt myminion lxc.restart name """ _ensure_exists(name, path=path) orig_state = state(name, path=path) if orig_state != "stopped": stop(name, kill=force, path=path) ret = start(name, path=path, lxc_config=lxc_config) ret["state"]["old"] = orig_state if orig_state != "stopped": ret["restarted"] = True return ret def start(name, **kwargs): """ Start the named container path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 lxc_config path to a lxc config file config file will be guessed from container name otherwise .. versionadded:: 2015.8.0 use_vt run the command through VT .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt myminion lxc.start name """ path = kwargs.get("path", None) cpath = get_root_path(path) lxc_config = kwargs.get("lxc_config", None) cmd = "lxc-start" if not lxc_config: lxc_config = os.path.join(cpath, name, "config") # we try to start, even without config, if global opts are there if os.path.exists(lxc_config): cmd += f" -f {shlex.quote(lxc_config)}" cmd += " -d" _ensure_exists(name, path=path) if state(name, path=path) == "frozen": raise CommandExecutionError(f"Container '{name}' is frozen, use lxc.unfreeze") # lxc-start daemonize itself violently, we must not communicate with it use_vt = kwargs.get("use_vt", None) with_communicate = kwargs.get("with_communicate", False) return _change_state( cmd, name, "running", stdout=None, stderr=None, stdin=None, with_communicate=with_communicate, path=path, use_vt=use_vt, ) def stop(name, kill=False, path=None, use_vt=None): """ Stop the named container path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 kill: False Do not wait for the container to stop, kill all tasks in the container. Older LXC versions will stop containers like this irrespective of this argument. .. versionchanged:: 2015.5.0 Default value changed to ``False`` use_vt run the command through VT .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt myminion lxc.stop name """ _ensure_exists(name, path=path) orig_state = state(name, path=path) if orig_state == "frozen" and not kill: # Gracefully stopping a frozen container is slower than unfreezing and # then stopping it (at least in my testing), so if we're not # force-stopping the container, unfreeze it first. unfreeze(name, path=path) cmd = "lxc-stop" if kill: cmd += " -k" ret = _change_state(cmd, name, "stopped", use_vt=use_vt, path=path) ret["state"]["old"] = orig_state return ret def freeze(name, **kwargs): """ Freeze the named container path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 start : False If ``True`` and the container is stopped, the container will be started before attempting to freeze. .. versionadded:: 2015.5.0 use_vt run the command through VT .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.freeze name """ use_vt = kwargs.get("use_vt", None) path = kwargs.get("path", None) _ensure_exists(name, path=path) orig_state = state(name, path=path) start_ = kwargs.get("start", False) if orig_state == "stopped": if not start_: raise CommandExecutionError(f"Container '{name}' is stopped") start(name, path=path) cmd = "lxc-freeze" if path: cmd += f" -P {shlex.quote(path)}" ret = _change_state(cmd, name, "frozen", use_vt=use_vt, path=path) if orig_state == "stopped" and start_: ret["state"]["old"] = orig_state ret["started"] = True ret["state"]["new"] = state(name, path=path) return ret def unfreeze(name, path=None, use_vt=None): """ Unfreeze the named container. path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 use_vt run the command through VT .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.unfreeze name """ _ensure_exists(name, path=path) if state(name, path=path) == "stopped": raise CommandExecutionError(f"Container '{name}' is stopped") cmd = "lxc-unfreeze" if path: cmd += f" -P {shlex.quote(path)}" return _change_state(cmd, name, "running", path=path, use_vt=use_vt) def destroy(name, stop=False, path=None): """ Destroy the named container. .. warning:: Destroys all data associated with the container. path path to the container parent directory (default: /var/lib/lxc) .. versionadded:: 2015.8.0 stop : False If ``True``, the container will be destroyed even if it is running/frozen. .. versionchanged:: 2015.5.0 Default value changed to ``False``. This more closely matches the behavior of ``lxc-destroy(1)``, and also makes it less likely that an accidental command will destroy a running container that was being used for important things. CLI Examples: .. code-block:: bash salt '*' lxc.destroy foo salt '*' lxc.destroy foo stop=True """ _ensure_exists(name, path=path) if not stop and state(name, path=path) != "stopped": raise CommandExecutionError(f"Container '{name}' is not stopped") return _change_state("lxc-destroy", name, None, path=path) # Compatibility between LXC and nspawn remove = salt.utils.functools.alias_function(destroy, "remove") def exists(name, path=None): """ Returns whether the named container exists. path path to the container parent directory (default: /var/lib/lxc) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.exists name """ _exists = name in ls_(path=path) # container may be just created but we did cached earlier the # lxc-ls results if not _exists: _exists = name in ls_(cache=False, path=path) return _exists def state(name, path=None): """ Returns the state of a container. path path to the container parent directory (default: /var/lib/lxc) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.state name """ # Don't use _ensure_exists() here, it will mess with _change_state() cachekey = f"lxc.state.{name}{path}" try: return __context__[cachekey] except KeyError: if not exists(name, path=path): __context__[cachekey] = None else: cmd = "lxc-info" if path: cmd += f" -P {shlex.quote(path)}" cmd += f" -n {name}" ret = __salt__["cmd.run_all"](cmd, python_shell=False) if ret["retcode"] != 0: _clear_context() raise CommandExecutionError( f"Unable to get state of container '{name}'" ) c_infos = ret["stdout"].splitlines() c_state = None for c_info in c_infos: stat = c_info.split(":") if stat[0].lower() == "state": c_state = stat[1].strip().lower() break __context__[cachekey] = c_state return __context__[cachekey] def get_parameter(name, parameter, path=None): """ Returns the value of a cgroup parameter for a container path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.get_parameter container_name memory.limit_in_bytes """ _ensure_exists(name, path=path) cmd = "lxc-cgroup" if path: cmd += f" -P {shlex.quote(path)}" cmd += f" -n {name} {parameter}" ret = __salt__["cmd.run_all"](cmd, python_shell=False) if ret["retcode"] != 0: raise CommandExecutionError(f"Unable to retrieve value for '{parameter}'") return ret["stdout"].strip() def set_parameter(name, parameter, value, path=None): """ Set the value of a cgroup parameter for a container. path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.set_parameter name parameter value """ if not exists(name, path=path): return None cmd = "lxc-cgroup" if path: cmd += f" -P {shlex.quote(path)}" cmd += f" -n {name} {parameter} {value}" ret = __salt__["cmd.run_all"](cmd, python_shell=False) if ret["retcode"] != 0: return False else: return True def info(name, path=None): """ Returns information about a container path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.info name """ cachekey = f"lxc.info.{name}{path}" try: return __context__[cachekey] except KeyError: _ensure_exists(name, path=path) cpath = get_root_path(path) try: conf_file = os.path.join(cpath, name, "config") except AttributeError: conf_file = os.path.join(cpath, str(name), "config") if not os.path.isfile(conf_file): raise CommandExecutionError(f"LXC config file {conf_file} does not exist") ret = {} config = [] with salt.utils.files.fopen(conf_file) as fp_: for line in fp_: line = salt.utils.stringutils.to_unicode(line) comps = [x.strip() for x in line.split("#", 1)[0].strip().split("=", 1)] if len(comps) == 2: config.append(tuple(comps)) ifaces = [] current = {} for key, val in config: if key == "lxc.network.type": current = {"type": val} ifaces.append(current) elif not current: continue elif key.startswith("lxc.network."): current[key.replace("lxc.network.", "", 1)] = val if ifaces: ret["nics"] = ifaces ret["rootfs"] = next((x[1] for x in config if x[0] == "lxc.rootfs"), None) ret["state"] = state(name, path=path) ret["ips"] = [] ret["public_ips"] = [] ret["private_ips"] = [] ret["public_ipv4_ips"] = [] ret["public_ipv6_ips"] = [] ret["private_ipv4_ips"] = [] ret["private_ipv6_ips"] = [] ret["ipv4_ips"] = [] ret["ipv6_ips"] = [] ret["size"] = None ret["config"] = conf_file if ret["state"] == "running": try: limit = int(get_parameter(name, "memory.limit_in_bytes")) except (CommandExecutionError, TypeError, ValueError): limit = 0 try: usage = int(get_parameter(name, "memory.usage_in_bytes")) except (CommandExecutionError, TypeError, ValueError): usage = 0 free = limit - usage ret["memory_limit"] = limit ret["memory_free"] = free size = run_stdout(name, "df /", path=path, python_shell=False) # The size is the 2nd column of the last line ret["size"] = size.splitlines()[-1].split()[1] # First try iproute2 ip_cmd = run_all(name, "ip link show", path=path, python_shell=False) if ip_cmd["retcode"] == 0: ip_data = ip_cmd["stdout"] ip_cmd = run_all(name, "ip addr show", path=path, python_shell=False) ip_data += "\n" + ip_cmd["stdout"] ip_data = salt.utils.network._interfaces_ip(ip_data) else: # That didn't work, try ifconfig ip_cmd = run_all(name, "ifconfig", path=path, python_shell=False) if ip_cmd["retcode"] == 0: ip_data = salt.utils.network._interfaces_ifconfig(ip_cmd["stdout"]) else: # Neither was successful, give up log.warning("Unable to run ip or ifconfig in container '%s'", name) ip_data = {} ret["ipv4_ips"] = salt.utils.network.ip_addrs( include_loopback=True, interface_data=ip_data ) ret["ipv6_ips"] = salt.utils.network.ip_addrs6( include_loopback=True, interface_data=ip_data ) ret["ips"] = ret["ipv4_ips"] + ret["ipv6_ips"] for address in ret["ipv4_ips"]: if address == "127.0.0.1": ret["private_ips"].append(address) ret["private_ipv4_ips"].append(address) elif salt.utils.cloud.is_public_ip(address): ret["public_ips"].append(address) ret["public_ipv4_ips"].append(address) else: ret["private_ips"].append(address) ret["private_ipv4_ips"].append(address) for address in ret["ipv6_ips"]: if address == "::1" or address.startswith("fe80"): ret["private_ips"].append(address) ret["private_ipv6_ips"].append(address) else: ret["public_ips"].append(address) ret["public_ipv6_ips"].append(address) for key in [x for x in ret if x == "ips" or x.endswith("ips")]: ret[key].sort(key=_ip_sort) __context__[cachekey] = ret return __context__[cachekey] def set_password(name, users, password, encrypted=True, path=None): """ .. versionchanged:: 2015.5.0 Function renamed from ``set_pass`` to ``set_password``. Additionally, this function now supports (and defaults to using) a password hash instead of a plaintext password. Set the password of one or more system users inside containers users Comma-separated list (or python list) of users to change password password Password to set for the specified user(s) encrypted : True If true, ``password`` must be a password hash. Set to ``False`` to set a plaintext password (not recommended). .. versionadded:: 2015.5.0 path path to the container parent directory default: /var/lib/lxc (system) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.set_pass container-name root '$6$uJ2uAyLU$KoI67t8As/0fXtJOPcHKGXmUpcoYUcVR2K6x93walnShTCQvjRwq25yIkiCBOqgbfdKQSFnAo28/ek6716vEV1' salt '*' lxc.set_pass container-name root foo encrypted=False """ def _bad_user_input(): raise SaltInvocationError("Invalid input for 'users' parameter") if not isinstance(users, list): try: users = users.split(",") except AttributeError: _bad_user_input() if not users: _bad_user_input() failed_users = [] for user in users: result = retcode( name, "chpasswd{}".format(" -e" if encrypted else ""), stdin=":".join((user, password)), python_shell=False, path=path, chroot_fallback=True, output_loglevel="quiet", ) if result != 0: failed_users.append(user) if failed_users: raise CommandExecutionError( "Password change failed for the following user(s): {}".format( ", ".join(failed_users) ) ) return True set_pass = salt.utils.functools.alias_function(set_password, "set_pass") def update_lxc_conf(name, lxc_conf, lxc_conf_unset, path=None): """ Edit LXC configuration options path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt myminion lxc.update_lxc_conf ubuntu \\ lxc_conf="[{'network.ipv4.ip':'10.0.3.5'}]" \\ lxc_conf_unset="['lxc.utsname']" """ _ensure_exists(name, path=path) cpath = get_root_path(path) lxc_conf_p = os.path.join(cpath, name, "config") if not os.path.exists(lxc_conf_p): raise SaltInvocationError(f"Configuration file {lxc_conf_p} does not exist") changes = {"edited": [], "added": [], "removed": []} ret = {"changes": changes, "result": True, "comment": ""} # do not use salt.utils.files.fopen ! with salt.utils.files.fopen(lxc_conf_p, "r") as fic: filtered_lxc_conf = [] for row in lxc_conf: if not row: continue for conf in row: filtered_lxc_conf.append((conf.strip(), row[conf].strip())) ret["comment"] = "lxc.conf is up to date" lines = [] orig_config = salt.utils.stringutils.to_unicode(fic.read()) for line in orig_config.splitlines(): if line.startswith("#") or not line.strip(): lines.append([line, ""]) else: line = line.split("=") index = line.pop(0) val = (index.strip(), "=".join(line).strip()) if val not in lines: lines.append(val) for key, item in filtered_lxc_conf: matched = False for idx, line in enumerate(lines[:]): if line[0] == key: matched = True lines[idx] = (key, item) if "=".join(line[1:]).strip() != item.strip(): changes["edited"].append(({line[0]: line[1:]}, {key: item})) break if not matched: if (key, item) not in lines: lines.append((key, item)) changes["added"].append({key: item}) dest_lxc_conf = [] # filter unset if lxc_conf_unset: for line in lines: for opt in lxc_conf_unset: if not line[0].startswith(opt) and line not in dest_lxc_conf: dest_lxc_conf.append(line) else: changes["removed"].append(opt) else: dest_lxc_conf = lines conf = "" for key, val in dest_lxc_conf: if not val: conf += f"{key}\n" else: conf += f"{key.strip()} = {val.strip()}\n" conf_changed = conf != orig_config chrono = datetime.datetime.now().strftime("%Y-%m-%d_%H-%M-%S") if conf_changed: # DO NOT USE salt.utils.files.fopen here, i got (kiorky) # problems with lxc configs which were wiped ! with salt.utils.files.fopen(f"{lxc_conf_p}.{chrono}", "w") as wfic: wfic.write(salt.utils.stringutils.to_str(conf)) with salt.utils.files.fopen(lxc_conf_p, "w") as wfic: wfic.write(salt.utils.stringutils.to_str(conf)) ret["comment"] = "Updated" ret["result"] = True if not any(changes[x] for x in changes): # Ensure an empty changes dict if nothing was modified ret["changes"] = {} return ret def set_dns(name, dnsservers=None, searchdomains=None, path=None): """ .. versionchanged:: 2015.5.0 The ``dnsservers`` and ``searchdomains`` parameters can now be passed as a comma-separated list. Update /etc/resolv.confo path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt myminion lxc.set_dns ubuntu "['8.8.8.8', '4.4.4.4']" """ if dnsservers is None: dnsservers = ["8.8.8.8", "4.4.4.4"] elif not isinstance(dnsservers, list): try: dnsservers = dnsservers.split(",") except AttributeError: raise SaltInvocationError("Invalid input for 'dnsservers' parameter") if searchdomains is None: searchdomains = [] elif not isinstance(searchdomains, list): try: searchdomains = searchdomains.split(",") except AttributeError: raise SaltInvocationError("Invalid input for 'searchdomains' parameter") dns = [f"nameserver {x}" for x in dnsservers] dns.extend([f"search {x}" for x in searchdomains]) dns = "\n".join(dns) + "\n" # we may be using resolvconf in the container # We need to handle that case with care: # - we create the resolv.conf runtime directory (the # linked directory) as anyway it will be shadowed when the real # run tmpfs mountpoint will be mounted. # ( /etc/resolv.conf -> ../run/resolvconf/resolv.conf) # Indeed, it can save us in any other case (running, eg, in a # bare chroot when repairing or preparing the container for # operation. # - We also teach resolvconf to use the aforementioned dns. # - We finally also set /etc/resolv.conf in all cases rstr = __salt__["test.random_hash"]() # no tmp here, apparmor won't let us execute ! script = f"/sbin/{rstr}_dns.sh" DNS_SCRIPT = "\n".join( [ # 'set -x', "#!/usr/bin/env bash", "if [ -h /etc/resolv.conf ];then", ' if [ "x$(readlink /etc/resolv.conf)"' ' = "x../run/resolvconf/resolv.conf" ];then', " if [ ! -d /run/resolvconf/ ];then", " mkdir -p /run/resolvconf", " fi", " cat > /etc/resolvconf/resolv.conf.d/head <<EOF", dns, "EOF", "", " fi", "fi", "cat > /etc/resolv.conf <<EOF", dns, "EOF", "", ] ) result = run_all( name, f"tee {script}", path=path, stdin=DNS_SCRIPT, python_shell=True ) if result["retcode"] == 0: result = run_all( name, 'sh -c "chmod +x {0};{0}"'.format(script), path=path, python_shell=True, ) # blindly delete the setter file run_all( name, 'sh -c \'if [ -f "{0}" ];then rm -f "{0}";fi\''.format(script), path=path, python_shell=True, ) if result["retcode"] != 0: error = f"Unable to write to /etc/resolv.conf in container '{name}'" if result["stderr"]: error += ": {}".format(result["stderr"]) raise CommandExecutionError(error) return True def running_systemd(name, cache=True, path=None): """ Determine if systemD is running path path to the container parent .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt '*' lxc.running_systemd ubuntu """ k = f"lxc.systemd.test.{name}{path}" ret = __context__.get(k, None) if ret is None or not cache: rstr = __salt__["test.random_hash"]() # no tmp here, apparmor won't let us execute ! script = f"/sbin/{rstr}_testsystemd.sh" # ubuntu already had since trusty some bits of systemd but was # still using upstart ... # we need to be a bit more careful that just testing that systemd # is present _script = textwrap.dedent( """\ #!/usr/bin/env bash set -x if ! command -v systemctl 1>/dev/null 2>/dev/null;then exit 2;fi for i in \\ /run/systemd/journal/dev-log\\ /run/systemd/journal/flushed\\ /run/systemd/journal/kernel-seqnum\\ /run/systemd/journal/socket\\ /run/systemd/journal/stdout\\ /var/run/systemd/journal/dev-log\\ /var/run/systemd/journal/flushed\\ /var/run/systemd/journal/kernel-seqnum\\ /var/run/systemd/journal/socket\\ /var/run/systemd/journal/stdout\\ ;do\\ if test -e ${i};then exit 0;fi done if test -d /var/systemd/system;then exit 0;fi exit 2 """ ) result = run_all( name, f"tee {script}", path=path, stdin=_script, python_shell=True ) if result["retcode"] == 0: result = run_all( name, 'sh -c "chmod +x {0};{0}"'.format(script), path=path, python_shell=True, ) else: raise CommandExecutionError(f"lxc {name} failed to copy initd tester") run_all( name, 'sh -c \'if [ -f "{0}" ];then rm -f "{0}";fi\''.format(script), path=path, ignore_retcode=True, python_shell=True, ) if result["retcode"] != 0: error = ( "Unable to determine if the container '{}'" " was running systemd, assmuming it is not." "".format(name) ) if result["stderr"]: error += ": {}".format(result["stderr"]) # only cache result if we got a known exit code if result["retcode"] in (0, 2): __context__[k] = ret = not result["retcode"] return ret def systemd_running_state(name, path=None): """ Get the operational state of a systemd based container path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt myminion lxc.systemd_running_state ubuntu """ try: ret = run_all( name, "systemctl is-system-running", path=path, ignore_retcode=True )["stdout"] except CommandExecutionError: ret = "" return ret def test_sd_started_state(name, path=None): """ Test if a systemd container is fully started path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt myminion lxc.test_sd_started_state ubuntu """ qstate = systemd_running_state(name, path=path) if qstate in ("initializing", "starting"): return False elif qstate == "": return None else: return True def test_bare_started_state(name, path=None): """ Test if a non systemd container is fully started For now, it consists only to test if the container is attachable path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt myminion lxc.test_bare_started_state ubuntu """ try: ret = run_all(name, "ls", path=path, ignore_retcode=True)["retcode"] == 0 except (CommandExecutionError,): ret = None return ret def wait_started(name, path=None, timeout=300): """ Check that the system has fully inited This is actually very important for systemD based containers see https://github.com/saltstack/salt/issues/23847 path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt myminion lxc.wait_started ubuntu """ if not exists(name, path=path): raise CommandExecutionError(f"Container {name} does does exists") if not state(name, path=path) == "running": raise CommandExecutionError(f"Container {name} is not running") ret = False if running_systemd(name, path=path): test_started = test_sd_started_state logger = log.error else: test_started = test_bare_started_state logger = log.debug now = time.time() expire = now + timeout now = time.time() started = test_started(name, path=path) while time.time() < expire and not started: time.sleep(0.3) started = test_started(name, path=path) if started is None: logger( "Assuming %s is started, although we failed to detect that" " is fully started correctly", name, ) ret = True else: ret = started return ret def _needs_install(name, path=None): ret = 0 has_minion = retcode(name, "which salt-minion", path=path, ignore_retcode=True) # we assume that installing is when no minion is running # but testing the executable presence is not enougth for custom # installs where the bootstrap can do much more than installing # the bare salt binaries. if has_minion: processes = run_stdout(name, "ps aux", path=path) if "salt-minion" not in processes: ret = 1 else: retcode(name, "salt-call --local service.stop salt-minion") else: ret = 1 return ret def bootstrap( name, config=None, approve_key=True, install=True, pub_key=None, priv_key=None, bootstrap_url=None, force_install=False, unconditional_install=False, path=None, bootstrap_delay=None, bootstrap_args=None, bootstrap_shell=None, ): """ Install and configure salt in a container. config Minion configuration options. By default, the ``master`` option is set to the target host's master. approve_key Request a pre-approval of the generated minion key. Requires that the salt-master be configured to either auto-accept all keys or expect a signing request from the target host. Default: ``True`` path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 pub_key Explicit public key to pressed the minion with (optional). This can be either a filepath or a string representing the key priv_key Explicit private key to pressed the minion with (optional). This can be either a filepath or a string representing the key bootstrap_delay Delay in seconds between end of container creation and bootstrapping. Useful when waiting for container to obtain a DHCP lease. .. versionadded:: 2015.5.0 bootstrap_url url, content or filepath to the salt bootstrap script bootstrap_args salt bootstrap script arguments bootstrap_shell shell to execute the script into install Whether to attempt a full installation of salt-minion if needed. force_install Force installation even if salt-minion is detected, this is the way to run vendor bootstrap scripts even if a salt minion is already present in the container unconditional_install Run the script even if the container seems seeded CLI Examples: .. code-block:: bash salt 'minion' lxc.bootstrap container_name [config=config_data] \\ [approve_key=(True|False)] [install=(True|False)] """ wait_started(name, path=path) if bootstrap_delay is not None: try: log.info("LXC %s: bootstrap_delay: %s", name, bootstrap_delay) time.sleep(bootstrap_delay) except TypeError: # Bad input, but assume since a value was passed that # a delay was desired, and sleep for 5 seconds time.sleep(5) c_info = info(name, path=path) if not c_info: return None # default set here as we cannot set them # in def as it can come from a chain of procedures. if bootstrap_args: # custom bootstrap args can be totally customized, and user could # have inserted the placeholder for the config directory. # For example, some salt bootstrap script do not use at all -c if "{0}" not in bootstrap_args: bootstrap_args += " -c {0}" else: bootstrap_args = "-c {0}" if not bootstrap_shell: bootstrap_shell = "sh" orig_state = _ensure_running(name, path=path) if not orig_state: return orig_state if not force_install: needs_install = _needs_install(name, path=path) else: needs_install = True seeded = ( retcode( name, f"test -e '{SEED_MARKER}'", path=path, chroot_fallback=True, ignore_retcode=True, ) == 0 ) tmp = tempfile.mkdtemp() if seeded and not unconditional_install: ret = True else: ret = False cfg_files = __salt__["seed.mkconfig"]( config, tmp=tmp, id_=name, approve_key=approve_key, pub_key=pub_key, priv_key=priv_key, ) if needs_install or force_install or unconditional_install: if install: rstr = __salt__["test.random_hash"]() configdir = f"/var/tmp/.c_{rstr}" cmd = f"install -m 0700 -d {configdir}" if run_all(name, cmd, path=path, python_shell=False)["retcode"] != 0: log.error("tmpdir %s creation failed %s", configdir, cmd) return False bs_ = __salt__["config.gather_bootstrap_script"]( bootstrap=bootstrap_url ) script = f"/sbin/{rstr}_bootstrap.sh" copy_to(name, bs_, script, path=path) result = run_all( name, f'sh -c "chmod +x {script}"', path=path, python_shell=True, ) copy_to( name, cfg_files["config"], os.path.join(configdir, "minion"), path=path, ) copy_to( name, cfg_files["privkey"], os.path.join(configdir, "minion.pem"), path=path, ) copy_to( name, cfg_files["pubkey"], os.path.join(configdir, "minion.pub"), path=path, ) bootstrap_args = bootstrap_args.format(configdir) cmd = "{0} {2} {1}".format( bootstrap_shell, bootstrap_args.replace("'", "''"), script ) # log ASAP the forged bootstrap command which can be wrapped # out of the output in case of unexpected problem log.info("Running %s in LXC container '%s'", cmd, name) ret = ( retcode(name, cmd, output_loglevel="info", path=path, use_vt=True) == 0 ) run_all( name, 'sh -c \'if [ -f "{0}" ];then rm -f "{0}";fi\''.format(script), path=path, ignore_retcode=True, python_shell=True, ) else: ret = False else: minion_config = salt.config.minion_config(cfg_files["config"]) pki_dir = minion_config["pki_dir"] copy_to(name, cfg_files["config"], "/etc/salt/minion", path=path) copy_to( name, cfg_files["privkey"], os.path.join(pki_dir, "minion.pem"), path=path, ) copy_to( name, cfg_files["pubkey"], os.path.join(pki_dir, "minion.pub"), path=path, ) run( name, "salt-call --local service.enable salt-minion", path=path, python_shell=False, ) ret = True shutil.rmtree(tmp) if orig_state == "stopped": stop(name, path=path) elif orig_state == "frozen": freeze(name, path=path) # mark seeded upon successful install if ret: run(name, f"touch '{SEED_MARKER}'", path=path, python_shell=False) return ret def attachable(name, path=None): """ Return True if the named container can be attached to via the lxc-attach command path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt 'minion' lxc.attachable ubuntu """ cachekey = f"lxc.attachable{name}{path}" try: return __context__[cachekey] except KeyError: _ensure_exists(name, path=path) # Can't use run() here because it uses attachable() and would # endlessly recurse, resulting in a traceback log.debug("Checking if LXC container %s is attachable", name) cmd = "lxc-attach" if path: cmd += f" -P {shlex.quote(path)}" cmd += f" --clear-env -n {name} -- /usr/bin/env" result = ( __salt__["cmd.retcode"]( cmd, python_shell=False, output_loglevel="quiet", ignore_retcode=True ) == 0 ) __context__[cachekey] = result return __context__[cachekey] def _run( name, cmd, output=None, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel="debug", use_vt=False, path=None, ignore_retcode=False, chroot_fallback=None, keep_env="http_proxy,https_proxy,no_proxy", ): """ Common logic for lxc.run functions path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 """ orig_state = state(name, path=path) try: if attachable(name, path=path): ret = __salt__["container_resource.run"]( name, cmd, path=path, container_type=__virtualname__, exec_driver=EXEC_DRIVER, output=output, no_start=no_start, stdin=stdin, python_shell=python_shell, output_loglevel=output_loglevel, ignore_retcode=ignore_retcode, use_vt=use_vt, keep_env=keep_env, ) else: if not chroot_fallback: raise CommandExecutionError(f"{name} is not attachable.") rootfs = info(name, path=path).get("rootfs") # Set context var to make cmd.run_chroot run cmd.run instead of # cmd.run_all. __context__["cmd.run_chroot.func"] = __salt__["cmd.run"] ret = __salt__["cmd.run_chroot"]( rootfs, cmd, stdin=stdin, python_shell=python_shell, output_loglevel=output_loglevel, ignore_retcode=ignore_retcode, ) finally: # Make sure we honor preserve_state, even if there was an exception new_state = state(name, path=path) if preserve_state: if orig_state == "stopped" and new_state != "stopped": stop(name, path=path) elif orig_state == "frozen" and new_state != "frozen": freeze(name, start=True, path=path) if output in (None, "all"): return ret else: return ret[output] def run( name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel="debug", use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env="http_proxy,https_proxy,no_proxy", ): """ .. versionadded:: 2015.8.0 Run :mod:`cmd.run <salt.modules.cmdmod.run>` within a container .. warning:: Many shell builtins do not work, failing with stderr similar to the following: .. code-block:: bash lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed in stderr if the command being run does not exist. If no output is returned using this function, try using :mod:`lxc.run_stderr <salt.modules.lxc.run_stderr>` or :mod:`lxc.run_all <salt.modules.lxc.run_all>`. name Name of the container in which to run the command cmd Command to run path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 no_start : False If the container is not running, don't start it preserve_state : True After running the command, return the container to its previous state stdin : None Standard input to be used for the command output_loglevel : debug Level at which to log the output from the command. Set to ``quiet`` to suppress logging. use_vt : False Use SaltStack's utils.vt to stream output to console. Assumes ``output=all``. chroot_fallback if the container is not running, try to run the command using chroot default: false keep_env : http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. CLI Example: .. code-block:: bash salt myminion lxc.run mycontainer 'ifconfig -a' """ return _run( name, cmd, path=path, output=None, no_start=no_start, preserve_state=preserve_state, stdin=stdin, python_shell=python_shell, output_loglevel=output_loglevel, use_vt=use_vt, ignore_retcode=ignore_retcode, chroot_fallback=chroot_fallback, keep_env=keep_env, ) def run_stdout( name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel="debug", use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env="http_proxy,https_proxy,no_proxy", ): """ .. versionadded:: 2015.5.0 Run :mod:`cmd.run_stdout <salt.modules.cmdmod.run_stdout>` within a container .. warning:: Many shell builtins do not work, failing with stderr similar to the following: .. code-block:: bash lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed in stderr if the command being run does not exist. If no output is returned using this function, try using :mod:`lxc.run_stderr <salt.modules.lxc.run_stderr>` or :mod:`lxc.run_all <salt.modules.lxc.run_all>`. name Name of the container in which to run the command cmd Command to run path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 no_start : False If the container is not running, don't start it preserve_state : True After running the command, return the container to its previous state stdin : None Standard input to be used for the command output_loglevel : debug Level at which to log the output from the command. Set to ``quiet`` to suppress logging. use_vt : False Use SaltStack's utils.vt to stream output to console ``output=all``. keep_env : http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. chroot_fallback if the container is not running, try to run the command using chroot default: false CLI Example: .. code-block:: bash salt myminion lxc.run_stdout mycontainer 'ifconfig -a' """ return _run( name, cmd, path=path, output="stdout", no_start=no_start, preserve_state=preserve_state, stdin=stdin, python_shell=python_shell, output_loglevel=output_loglevel, use_vt=use_vt, ignore_retcode=ignore_retcode, chroot_fallback=chroot_fallback, keep_env=keep_env, ) def run_stderr( name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel="debug", use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env="http_proxy,https_proxy,no_proxy", ): """ .. versionadded:: 2015.5.0 Run :mod:`cmd.run_stderr <salt.modules.cmdmod.run_stderr>` within a container .. warning:: Many shell builtins do not work, failing with stderr similar to the following: .. code-block:: bash lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed if the command being run does not exist. name Name of the container in which to run the command cmd Command to run path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 no_start : False If the container is not running, don't start it preserve_state : True After running the command, return the container to its previous state stdin : None Standard input to be used for the command output_loglevel : debug Level at which to log the output from the command. Set to ``quiet`` to suppress logging. use_vt : False Use SaltStack's utils.vt to stream output to console ``output=all``. keep_env : http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. chroot_fallback if the container is not running, try to run the command using chroot default: false CLI Example: .. code-block:: bash salt myminion lxc.run_stderr mycontainer 'ip addr show' """ return _run( name, cmd, path=path, output="stderr", no_start=no_start, preserve_state=preserve_state, stdin=stdin, python_shell=python_shell, output_loglevel=output_loglevel, use_vt=use_vt, ignore_retcode=ignore_retcode, chroot_fallback=chroot_fallback, keep_env=keep_env, ) def retcode( name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel="debug", use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env="http_proxy,https_proxy,no_proxy", ): """ .. versionadded:: 2015.5.0 Run :mod:`cmd.retcode <salt.modules.cmdmod.retcode>` within a container .. warning:: Many shell builtins do not work, failing with stderr similar to the following: .. code-block:: bash lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed in stderr if the command being run does not exist. If the retcode is nonzero and not what was expected, try using :mod:`lxc.run_stderr <salt.modules.lxc.run_stderr>` or :mod:`lxc.run_all <salt.modules.lxc.run_all>`. name Name of the container in which to run the command cmd Command to run no_start : False If the container is not running, don't start it preserve_state : True After running the command, return the container to its previous state path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 stdin : None Standard input to be used for the command output_loglevel : debug Level at which to log the output from the command. Set to ``quiet`` to suppress logging. use_vt : False Use SaltStack's utils.vt to stream output to console ``output=all``. keep_env : http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. chroot_fallback if the container is not running, try to run the command using chroot default: false CLI Example: .. code-block:: bash salt myminion lxc.retcode mycontainer 'ip addr show' """ return _run( name, cmd, output="retcode", path=path, no_start=no_start, preserve_state=preserve_state, stdin=stdin, python_shell=python_shell, output_loglevel=output_loglevel, use_vt=use_vt, ignore_retcode=ignore_retcode, chroot_fallback=chroot_fallback, keep_env=keep_env, ) def run_all( name, cmd, no_start=False, preserve_state=True, stdin=None, python_shell=True, output_loglevel="debug", use_vt=False, path=None, ignore_retcode=False, chroot_fallback=False, keep_env="http_proxy,https_proxy,no_proxy", ): """ .. versionadded:: 2015.5.0 Run :mod:`cmd.run_all <salt.modules.cmdmod.run_all>` within a container .. note:: While the command is run within the container, it is initiated from the host. Therefore, the PID in the return dict is from the host, not from the container. .. warning:: Many shell builtins do not work, failing with stderr similar to the following: .. code-block:: bash lxc_container: No such file or directory - failed to exec 'command' The same error will be displayed in stderr if the command being run does not exist. name Name of the container in which to run the command path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 cmd Command to run no_start : False If the container is not running, don't start it preserve_state : True After running the command, return the container to its previous state stdin : None Standard input to be used for the command output_loglevel : debug Level at which to log the output from the command. Set to ``quiet`` to suppress logging. use_vt : False Use SaltStack's utils.vt to stream output to console ``output=all``. keep_env : http_proxy,https_proxy,no_proxy A list of env vars to preserve. May be passed as commma-delimited list. chroot_fallback if the container is not running, try to run the command using chroot default: false CLI Example: .. code-block:: bash salt myminion lxc.run_all mycontainer 'ip addr show' """ return _run( name, cmd, output="all", no_start=no_start, preserve_state=preserve_state, stdin=stdin, python_shell=python_shell, output_loglevel=output_loglevel, use_vt=use_vt, path=path, ignore_retcode=ignore_retcode, chroot_fallback=chroot_fallback, keep_env=keep_env, ) def _get_md5(name, path): """ Get the MD5 checksum of a file from a container """ output = run_stdout( name, f'md5sum "{path}"', chroot_fallback=True, ignore_retcode=True ) try: return output.split()[0] except IndexError: # Destination file does not exist or could not be accessed return None def copy_to(name, source, dest, overwrite=False, makedirs=False, path=None): """ .. versionchanged:: 2015.8.0 Function renamed from ``lxc.cp`` to ``lxc.copy_to`` for consistency with other container types. ``lxc.cp`` will continue to work, however. For versions 2015.2.x and earlier, use ``lxc.cp``. Copy a file or directory from the host into a container name Container name source File to be copied to the container path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 dest Destination on the container. Must be an absolute path. .. versionchanged:: 2015.5.0 If the destination is a directory, the file will be copied into that directory. overwrite : False Unless this option is set to ``True``, then if a file exists at the location specified by the ``dest`` argument, an error will be raised. .. versionadded:: 2015.8.0 makedirs : False Create the parent directory on the container if it does not already exist. .. versionadded:: 2015.5.0 CLI Example: .. code-block:: bash salt 'minion' lxc.copy_to /tmp/foo /root/foo salt 'minion' lxc.cp /tmp/foo /root/foo """ _ensure_running(name, no_start=True, path=path) return __salt__["container_resource.copy_to"]( name, source, dest, container_type=__virtualname__, path=path, exec_driver=EXEC_DRIVER, overwrite=overwrite, makedirs=makedirs, ) cp = salt.utils.functools.alias_function(copy_to, "cp") def read_conf(conf_file, out_format="simple"): """ Read in an LXC configuration file. By default returns a simple, unsorted dict, but can also return a more detailed structure including blank lines and comments. out_format: set to 'simple' if you need the old and unsupported behavior. This won't support the multiple lxc values (eg: multiple network nics) CLI Examples: .. code-block:: bash salt 'minion' lxc.read_conf /etc/lxc/mycontainer.conf salt 'minion' lxc.read_conf /etc/lxc/mycontainer.conf out_format=commented """ ret_commented = [] ret_simple = {} with salt.utils.files.fopen(conf_file, "r") as fp_: for line in salt.utils.data.decode(fp_.readlines()): if "=" not in line: ret_commented.append(line) continue comps = line.split("=") value = "=".join(comps[1:]).strip() comment = None if value.strip().startswith("#"): vcomps = value.strip().split("#") value = vcomps[1].strip() comment = "#".join(vcomps[1:]).strip() ret_commented.append( {comps[0].strip(): {"value": value, "comment": comment}} ) else: ret_commented.append({comps[0].strip(): value}) ret_simple[comps[0].strip()] = value if out_format == "simple": return ret_simple return ret_commented def write_conf(conf_file, conf): """ Write out an LXC configuration file This is normally only used internally. The format of the data structure must match that which is returned from ``lxc.read_conf()``, with ``out_format`` set to ``commented``. An example might look like: .. code-block:: python [ {'lxc.utsname': '$CONTAINER_NAME'}, '# This is a commented line\\n', '\\n', {'lxc.mount': '$CONTAINER_FSTAB'}, {'lxc.rootfs': {'comment': 'This is another test', 'value': 'This is another test'}}, '\\n', {'lxc.network.type': 'veth'}, {'lxc.network.flags': 'up'}, {'lxc.network.link': 'br0'}, {'lxc.network.mac': '$CONTAINER_MACADDR'}, {'lxc.network.ipv4': '$CONTAINER_IPADDR'}, {'lxc.network.name': '$CONTAINER_DEVICENAME'}, ] CLI Example: .. code-block:: bash salt 'minion' lxc.write_conf /etc/lxc/mycontainer.conf \\ out_format=commented """ if not isinstance(conf, list): raise SaltInvocationError("Configuration must be passed as a list") # construct the content prior to write to the file # to avoid half written configs content = "" for line in conf: if isinstance(line, (str, (str,))): content += line elif isinstance(line, dict): for key in list(line.keys()): out_line = None if isinstance( line[key], (str, (str,), (int,), float), ): out_line = " = ".join((key, f"{line[key]}")) elif isinstance(line[key], dict): out_line = " = ".join((key, line[key]["value"])) if "comment" in line[key]: out_line = " # ".join((out_line, line[key]["comment"])) if out_line: content += out_line content += "\n" with salt.utils.files.fopen(conf_file, "w") as fp_: fp_.write(salt.utils.stringutils.to_str(content)) return {} def edit_conf( conf_file, out_format="simple", read_only=False, lxc_config=None, **kwargs ): """ Edit an LXC configuration file. If a setting is already present inside the file, its value will be replaced. If it does not exist, it will be appended to the end of the file. Comments and blank lines will be kept in-tact if they already exist in the file. out_format: Set to simple if you need backward compatibility (multiple items for a simple key is not supported) read_only: return only the edited configuration without applying it to the underlying lxc configuration file lxc_config: List of dict containning lxc configuration items For network configuration, you also need to add the device it belongs to, otherwise it will default to eth0. Also, any change to a network parameter will result in the whole network reconfiguration to avoid mismatchs, be aware of that ! After the file is edited, its contents will be returned. By default, it will be returned in ``simple`` format, meaning an unordered dict (which may not represent the actual file order). Passing in an ``out_format`` of ``commented`` will return a data structure which accurately represents the order and content of the file. CLI Example: .. code-block:: bash salt 'minion' lxc.edit_conf /etc/lxc/mycontainer.conf \\ out_format=commented lxc.network.type=veth salt 'minion' lxc.edit_conf /etc/lxc/mycontainer.conf \\ out_format=commented \\ lxc_config="[{'lxc.network.name': 'eth0', \\ 'lxc.network.ipv4': '1.2.3.4'}, {'lxc.network.name': 'eth2', \\ 'lxc.network.ipv4': '1.2.3.5',\\ 'lxc.network.gateway': '1.2.3.1'}]" """ data = [] try: conf = read_conf(conf_file, out_format=out_format) except Exception: # pylint: disable=broad-except conf = [] if not lxc_config: lxc_config = [] lxc_config = copy.deepcopy(lxc_config) # search if we want to access net config # in that case, we will replace all the net configuration net_config = [] for lxc_kws in lxc_config + [kwargs]: net_params = {} for kwarg in [a for a in lxc_kws]: if kwarg.startswith("__"): continue if kwarg.startswith("lxc.network."): net_params[kwarg] = lxc_kws[kwarg] lxc_kws.pop(kwarg, None) if net_params: net_config.append(net_params) nic_opts = salt.utils.odict.OrderedDict() for params in net_config: dev = params.get("lxc.network.name", DEFAULT_NIC) dev_opts = nic_opts.setdefault(dev, salt.utils.odict.OrderedDict()) for param in params: opt = param.replace("lxc.network.", "") opt = {"hwaddr": "mac"}.get(opt, opt) dev_opts[opt] = params[param] net_changes = [] if nic_opts: net_changes = _config_list( conf, only_net=True, **{"network_profile": DEFAULT_NIC, "nic_opts": nic_opts}, ) if net_changes: lxc_config.extend(net_changes) for line in conf: if not isinstance(line, dict): data.append(line) continue else: for key in list(line.keys()): val = line[key] if net_changes and key.startswith("lxc.network."): continue found = False for kw in lxc_config: if key in kw: found = True data.append({key: kw[key]}) del kw[key] if not found: data.append({key: val}) for lxc_kws in lxc_config: for kwarg in lxc_kws: data.append({kwarg: lxc_kws[kwarg]}) if read_only: return data write_conf(conf_file, data) return read_conf(conf_file, out_format) def reboot(name, path=None): """ Reboot a container. path path to the container parent default: /var/lib/lxc (system default) .. versionadded:: 2015.8.0 CLI Examples: .. code-block:: bash salt 'minion' lxc.reboot myvm """ ret = {"result": True, "changes": {}, "comment": f"{name} rebooted"} does_exist = exists(name, path=path) if does_exist and (state(name, path=path) == "running"): try: stop(name, path=path) except (SaltInvocationError, CommandExecutionError) as exc: ret["comment"] = f"Unable to stop container: {exc}" ret["result"] = False return ret if does_exist and (state(name, path=path) != "running"): try: start(name, path=path) except (SaltInvocationError, CommandExecutionError) as exc: ret["comment"] = f"Unable to stop container: {exc}" ret["result"] = False return ret ret["changes"][name] = "rebooted" return ret def reconfigure( name, cpu=None, cpuset=None, cpushare=None, memory=None, profile=None, network_profile=None, nic_opts=None, bridge=None, gateway=None, autostart=None, utsname=None, rootfs=None, path=None, **kwargs, ): """ Reconfigure a container. This only applies to a few property name Name of the container. utsname utsname of the container. .. versionadded:: 2016.3.0 rootfs rootfs of the container. .. versionadded:: 2016.3.0 cpu Select a random number of cpu cores and assign it to the cpuset, if the cpuset option is set then this option will be ignored cpuset Explicitly define the cpus this container will be bound to cpushare cgroups cpu shares. autostart autostart container on reboot memory cgroups memory limit, in MB. (0 for nolimit, None for old default 1024MB) gateway the ipv4 gateway to use the default does nothing more than lxcutils does bridge the bridge to use the default does nothing more than lxcutils does nic Network interfaces profile (defined in config or pillar). nic_opts Extra options for network interfaces, will override ``{"eth0": {"mac": "aa:bb:cc:dd:ee:ff", "ipv4": "10.1.1.1", "ipv6": "2001:db8::ff00:42:8329"}}`` or ``{"eth0": {"mac": "aa:bb:cc:dd:ee:ff", "ipv4": "10.1.1.1/24", "ipv6": "2001:db8::ff00:42:8329"}}`` path path to the container parent .. versionadded:: 2015.8.0 CLI Example: .. code-block:: bash salt-call -lall mc_lxc_fork.reconfigure foobar nic_opts="{'eth1': {'mac': '00:16:3e:dd:ee:44'}}" memory=4 """ changes = {} cpath = get_root_path(path) path = os.path.join(cpath, name, "config") ret = { "name": name, "comment": f"config for {name} up to date", "result": True, "changes": changes, } profile = get_container_profile(copy.deepcopy(profile)) kw_overrides = copy.deepcopy(kwargs) def select(key, default=None): kw_overrides_match = kw_overrides.pop(key, _marker) profile_match = profile.pop(key, default) # let kwarg overrides be the preferred choice if kw_overrides_match is _marker: return profile_match return kw_overrides_match if nic_opts is not None and not network_profile: network_profile = DEFAULT_NIC if autostart is not None: autostart = select("autostart", autostart) else: autostart = "keep" if not utsname: utsname = select("utsname", utsname) if os.path.exists(path): old_chunks = read_conf(path, out_format="commented") make_kw = salt.utils.odict.OrderedDict( [ ("utsname", utsname), ("rootfs", rootfs), ("autostart", autostart), ("cpu", cpu), ("gateway", gateway), ("cpuset", cpuset), ("cpushare", cpushare), ("network_profile", network_profile), ("nic_opts", nic_opts), ("bridge", bridge), ] ) # match 0 and none as memory = 0 in lxc config is harmful if memory: make_kw["memory"] = memory kw = salt.utils.odict.OrderedDict() for key, val in make_kw.items(): if val is not None: kw[key] = val new_cfg = _config_list(conf_tuples=old_chunks, **kw) if new_cfg: edit_conf(path, out_format="commented", lxc_config=new_cfg) chunks = read_conf(path, out_format="commented") if old_chunks != chunks: ret["comment"] = f"{name} lxc config updated" if state(name, path=path) == "running": cret = reboot(name, path=path) ret["result"] = cret["result"] return ret def apply_network_profile(name, network_profile, nic_opts=None, path=None): """ .. versionadded:: 2015.5.0 Apply a network profile to a container network_profile profile name or default values (dict) nic_opts values to override in defaults (dict) indexed by nic card names path path to the container parent .. versionadded:: 2015.8.0 CLI Examples: .. code-block:: bash salt 'minion' lxc.apply_network_profile web1 centos salt 'minion' lxc.apply_network_profile web1 centos \\ nic_opts="{'eth0': {'mac': 'xx:xx:xx:xx:xx:xx'}}" salt 'minion' lxc.apply_network_profile web1 \\ "{'eth0': {'mac': 'xx:xx:xx:xx:xx:yy'}}" nic_opts="{'eth0': {'mac': 'xx:xx:xx:xx:xx:xx'}}" The special case to disable use of ethernet nics: .. code-block:: bash salt 'minion' lxc.apply_network_profile web1 centos \\ "{eth0: {disable: true}}" """ cpath = get_root_path(path) cfgpath = os.path.join(cpath, name, "config") before = [] with salt.utils.files.fopen(cfgpath, "r") as fp_: for line in fp_: before.append(line) lxcconfig = _LXCConfig(name=name, path=path) old_net = lxcconfig._filter_data("lxc.network") network_params = {} for param in _network_conf( conf_tuples=old_net, network_profile=network_profile, nic_opts=nic_opts ): network_params.update(param) if network_params: edit_conf(cfgpath, out_format="commented", **network_params) after = [] with salt.utils.files.fopen(cfgpath, "r") as fp_: for line in fp_: after.append(line) diff = "" for line in difflib.unified_diff(before, after, fromfile="before", tofile="after"): diff += line return diff def get_pid(name, path=None): """ Returns a container pid. Throw an exception if the container isn't running. CLI Example: .. code-block:: bash salt '*' lxc.get_pid name """ if name not in list_(limit="running", path=path): raise CommandExecutionError( f"Container {name} is not running, can't determine PID" ) info = __salt__["cmd.run"](f"lxc-info -n {name}").split("\n") pid = [ line.split(":")[1].strip() for line in info if re.match(r"\s*PID", line) is not None ][0] return pid def add_veth(name, interface_name, bridge=None, path=None): """ Add a veth to a container. Note : this function doesn't update the container config, just add the interface at runtime name Name of the container interface_name Name of the interface in the container bridge Name of the bridge to attach the interface to (facultative) CLI Examples: .. code-block:: bash salt '*' lxc.add_veth container_name eth1 br1 salt '*' lxc.add_veth container_name eth1 """ # Get container init PID pid = get_pid(name, path=path) # Generate a ramdom string for veth and ensure that is isn't present on the system while True: random_veth = "veth" + "".join( random.choice(string.ascii_uppercase + string.digits) for _ in range(6) ) if random_veth not in __salt__["network.interfaces"]().keys(): break # Check prerequisites if not __salt__["file.directory_exists"]("/var/run/"): raise CommandExecutionError( "Directory /var/run required for lxc.add_veth doesn't exists" ) if not __salt__["file.file_exists"](f"/proc/{pid}/ns/net"): raise CommandExecutionError( f"Proc file for container {name} network namespace doesn't exists" ) if not __salt__["file.directory_exists"]("/var/run/netns"): __salt__["file.mkdir"]("/var/run/netns") # Ensure that the symlink is up to date (change on container restart) if __salt__["file.is_link"](f"/var/run/netns/{name}"): __salt__["file.remove"](f"/var/run/netns/{name}") __salt__["file.symlink"](f"/proc/{pid}/ns/net", f"/var/run/netns/{name}") # Ensure that interface doesn't exists interface_exists = 0 == __salt__["cmd.retcode"]( "ip netns exec {netns} ip address list {interface}".format( netns=name, interface=interface_name ) ) if interface_exists: raise CommandExecutionError( "Interface {interface} already exists in {container}".format( interface=interface_name, container=name ) ) # Create veth and bring it up if ( __salt__["cmd.retcode"]( "ip link add name {veth} type veth peer name {veth}_c".format( veth=random_veth ) ) != 0 ): raise CommandExecutionError(f"Error while creating the veth pair {random_veth}") if __salt__["cmd.retcode"](f"ip link set dev {random_veth} up") != 0: raise CommandExecutionError( f"Error while bringing up host-side veth {random_veth}" ) # Attach it to the container attached = 0 == __salt__["cmd.retcode"]( "ip link set dev {veth}_c netns {container} name {interface_name}".format( veth=random_veth, container=name, interface_name=interface_name ) ) if not attached: raise CommandExecutionError( "Error while attaching the veth {veth} to container {container}".format( veth=random_veth, container=name ) ) __salt__["file.remove"](f"/var/run/netns/{name}") if bridge is not None: __salt__["bridge.addif"](bridge, random_veth)