
Specifying the root password of a CentOS LXC container created with Ansible

Posted at 2016-10-25

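What I want to do

  • I want to write a playbook that spins up CentOS LXC containers with Ansible, one after another, using the settings I specify
  • I also want to set things like the password at creation time

Problem

  • The LXC CentOS template has no option for specifying the root password
Usage of the CentOS template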
usage:
/usr/share/lxc/templates/lxc-centos -n|--name=<container_name>
        [-p|--path=<path>] [-c|--clean] [-R|--release=<CentOS_release>] [-a|--arch=<arch of the container>]
        [-h|--help]
Mandatory args:
  -n,--name         container name, used to as an identifier for that container from now on
Optional args:
  -p,--path         path to where the container rootfs will be created, defaults to /var/lib/lxc/name.
  -c,--clean        clean the cache
  -R,--release      CentOS release for the new container. If the host is CentOS, then it will default to the host's release.
     --fqdn         fully qualified domain name (FQDN) for DNS and system naming
     --repo         repository to use (url)
  -a,--arch         Define what arch the container will be [i686,x86_64]
  -h,--help         print this help
  • Creating a container with, for example, lxc-create -n centos -t centos sets a random root password, which is saved to /var/lib/lxc/centos/tmp_root_pass

Investigation

  • The CentOS template /usr/lib/share/lxc/lxc-centos contains the following
/usr/lib/share/lxc/lxc-centos (excerpt)
# Some combinations of the tuning knobs below do not exactly make sense.
# but that's ok.
#
# If the "root_password" is non-blank, use it, else set a default.
# This can be passed to the script as an environment variable and is
# set by a shell conditional assignment.  Looks weird but it is what it is.
#
# If the root password contains a ding ($) then try to expand it.
# That will pick up things like ${name} and ${RANDOM}.
# If the root password contains more than 3 consecutive X's, pass it as
# a template to mktemp and take the result.
#
# If root_display_password = yes, display the temporary root password at exit.
# If root_store_password = yes, store it in the configuration directory
# If root_prompt_password = yes, invoke "passwd" to force the user to change
# the root password after the container is created.
# If root_expire_password = yes, you will be prompted to change the root
# password at the first login.
#
# These are conditional assignments...  The can be overridden from the
# preexisting environment variables...
#
# Make sure this is in single quotes to defer expansion to later!
# :{root_password='Root-${name}-${RANDOM}'}
: ${root_password='Root-${name}-XXXXXX'}
# Now, it doesn't make much sense to display, store, and force change
# together.  But, we gotta test, right???
: ${root_display_password='no'}
: ${root_store_password='yes'}
# Prompting for something interactive has potential for mayhem
# with users running under the API...  Don't default to "yes"
: ${root_prompt_password='no'}

# Expire root password? Default to yes, but can be overridden from
# the environment variable
: ${root_expire_password='yes'}

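  • If the environment variable root_password (named exactly for what it does) is non-empty, its value is used as the default
  • If it is empty, a random password of the form Root-${name}-${RANDOM} is set, as mentioned above
  • When I tried sudo root_password=password lxc-create -n centos -t centos, the root password was indeed password
  • Setting root_expire_password=no removes the need to change the password at first login

Provisional solution

  • In a playbook task, use environment and write it like this
create-centos-container.yml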
- hosts: localhost
  tasks:
    - name: create centos containers
      lxc_container:
        name: centos-test
        template: centos
        container_config:
            - lxc.network.ipv4=10.0.3.10/24
        template_options: ''
      environment:
          root_password: password
          # Quoted so YAML passes the string "no" rather than a boolean
          root_expire_password: 'no'
      become: true
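
A variant of the playbook above that keeps the password out of the playbook file and out of tmp_root_pass, as an added example that is not part of the original post. It assumes the password arrives in a variable with the hypothetical name vault_lxc_root_password (for example from an Ansible Vault file) and relies on the root_store_password switch and the '$' / XXXX handling described in the template excerpt.

```yaml
# Added example, not the original author's playbook.
# Assumptions: vault_lxc_root_password and container_name are illustrative
# names; the tmp_root_pass path follows /var/lib/lxc/<name>/ as in the article.
- hosts: localhost
  become: true
  vars:
    container_name: centos-test
  tasks:
    - name: require a usable root password supplied from outside the playbook
      assert:
        that:
          - vault_lxc_root_password is defined
          - vault_lxc_root_password | length > 0
          # The template expands '$' and treats XXXX as a mktemp pattern,
          # so such a value would not be set verbatim.
          - "'$' not in vault_lxc_root_password"
          - "'XXXX' not in vault_lxc_root_password"
      no_log: true

    - name: create centos container
      lxc_container:
        name: "{{ container_name }}"
        template: centos
        container_config:
          - lxc.network.ipv4=10.0.3.10/24
      environment:
        root_password: "{{ vault_lxc_root_password }}"
        # Template default is 'yes', which writes the password to tmp_root_pass
        root_store_password: 'no'
        # Same choice as the article; use 'yes' to force a change at first login
        root_expire_password: 'no'
      no_log: true

    - name: look for a stored plaintext password
      stat:
        path: "/var/lib/lxc/{{ container_name }}/tmp_root_pass"
      register: stored_pass

    - name: fail if the password was written to disk
      assert:
        that:
          - not stored_pass.stat.exists
```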