Refactor (refacter?) is_container

45ccb189 · James T. Lee · 5d6067c1 · 45ccb189 · 45ccb189 · 45ccb189
Commit 45ccb189 authored Dec 21, 2020 by James T. Lee
11 changed files
--- a/lib/facter/is_container.rb
+++ b/lib/facter/is_container.rb
+Facter.add('is_container') do
+  confine :kernel => 'Linux'
+  setcode do
+    Facter.value(:virtual) == 'lxc' or File.exist? '/run/.containerenv'
+  end
+end
--- a/manifests/base/bootloader/systemd.pp
+++ b/manifests/base/bootloader/systemd.pp
 class nest::base::bootloader::systemd {
-  if $::is_container or $facts['os']['architecture'] =~ /^(arm|aarch64)/ {
+  if $facts['is_container'] or $facts['os']['architecture'] =~ /^(arm|aarch64)/ {
    $bootctl_args = '--no-variables'
  } else {
    $bootctl_args = ''

--- a/manifests/base/containers.pp
+++ b/manifests/base/containers.pp
 class nest::base::containers {
-  unless $::is_container {
+  unless $facts['is_container'] {
    zfs { 'containers':
      name       => "${facts['rpool']}/containers",
      mountpoint => '/var/lib/containers',

--- a/manifests/base/puppet.pp
+++ b/manifests/base/puppet.pp
@@ -57,22 +57,21 @@ class nest::base::puppet {
      content => "fqdn: ${trusted['certname']}.nest\n",
    }
-    class { '::puppet':
+    $puppet_runmode = $facts['is_container'] ? {
+      true    => 'unmanaged',
+      default => 'systemd.timer',
+    }
+    class { 'puppet':
      dns_alt_names        => $dns_alt_names,
      dir                  => '/etc/puppetlabs/puppet',
      codedir              => '/etc/puppetlabs/code',
      ssldir               => '/etc/puppetlabs/puppet/ssl',
-      runmode              => 'systemd.timer',
+      runmode              => $puppet_runmode,
      unavailable_runmodes => ['cron'],
    }
-    if $::is_container {
-      Exec <| title == 'systemctl-daemon-reload-puppet' |> {
-        noop => true,
-      }
-    }
  } else {
-    class { '::puppet':
+    class { 'puppet':
      dns_alt_names => $dns_alt_names,
    }
  }

--- a/manifests/base/systemd.pp
+++ b/manifests/base/systemd.pp
@@ -50,7 +50,7 @@ class nest::base::systemd {
    changes => flatten($nsswitch_id_changes + $nsswitch_hosts_changes),
  }
-  unless $::is_container {
+  unless $facts['is_container'] {
    file { '/etc/resolv.conf':
      ensure => link,
      target => '/run/systemd/resolve/stub-resolv.conf',

--- a/manifests/base/users.pp
+++ b/manifests/base/users.pp
@@ -142,7 +142,7 @@ class nest::base::users {
          group  => 'users';
      }
-      if $::is_container {
+      if $facts['is_container'] {
        $user_homes = {}
      } else {
        $user_homes = { 'james' => '/home/james' }

--- a/manifests/base/zfs.pp
+++ b/manifests/base/zfs.pp
@@ -113,7 +113,7 @@ class nest::base::zfs {
  ::nest::lib::systemd_reload { 'zfs': }
-  unless $::is_container {
+  unless $facts['is_container'] {
    # Manage swap volume properties for experimenting with workarounds listed in
    # https://github.com/openzfs/zfs/issues/7734
    zfs { "${facts['rpool']}/swap":

--- a/manifests/lib/srv.pp
+++ b/manifests/lib/srv.pp
@@ -4,7 +4,7 @@ define nest::lib::srv (
  Optional[String] $owner = undef,
  Optional[String] $group = undef,
 ) {
-  unless $::is_container {
+  unless $facts['is_container'] {
    ensure_resource('zfs', 'srv', {
      'name'       => "${facts['rpool']}/srv",
      'mountpoint' => '/srv',

--- a/manifests/lib/systemd_reload.pp
+++ b/manifests/lib/systemd_reload.pp
 define nest::lib::systemd_reload {
-  exec { "systemd-daemon-reload-${name}":
+  unless $facts['is_container'] {
-    command     => '/bin/systemctl daemon-reload',
+    exec { "systemd-daemon-reload-${name}":
-    refreshonly => true,
+      command     => '/bin/systemctl daemon-reload',
-    noop        => $::is_container,
+      refreshonly => true,
+    }
  }
 }
--- a/manifests/service/mysql.pp
+++ b/manifests/service/mysql.pp
@@ -13,7 +13,7 @@ class nest::service::mysql {
    service_provider => 'systemd',
  }
-  unless $::is_container {
+  unless $facts['is_container'] {
    exec { 'mysql-tmpfiles-create':
      command => '/usr/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/mysql.conf',
      creates => '/run/mysqld',

--- a/site.pp
+++ b/site.pp
@@ -18,25 +18,16 @@ unless defined('$role') {
 case $facts['osfamily'] {
  'Gentoo': {
-    $is_container = $facts['virtual'] == 'lxc' or $facts['build']
+    # Effectively disable firewall and service resources in containers
+    if $facts['is_container'] {
-    Firewall {
+      Firewall <||> {
-      noop => $is_container,
+        ensure => absent,
-    }
+      }
-    Firewallchain {
-      noop => $is_container,
-    }
-    Sysctl {
-      noop => $is_container,
-    }
-    Service {
+      Firewallchain <||> {
-      provider => systemd,
+        policy => accept,
-    }
+      }
-    if $is_container {
      Service <||> {
        ensure => undef,
      }