From b7ad40a77026f1856b8a150637949292b7c5696e Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Wed, 17 Feb 2021 11:08:03 -0500 Subject: [PATCH 1/3] This pull request sets up a vmhost COPR environment in RDU-CC First we add in a vmhost_copr playbook which is basically the regular virthost but meant to limit things for copr admins via rbac. Second we add in host and group variables which will use the ansible module for setting up networks. This allows for bridging to work out of the box and makes sure we know the mac addresses. --- inventory/group_vars/vmhost_copr | 26 ++++++++ .../vmhost-x86-05.rdu-cc.fedoraproject.org | 54 ++++++++++++++-- .../vmhost-x86-06.rdu-cc.fedoraproject.org | 54 ++++++++++++++-- ...vmhost-x86-copr01.rdu-cc.fedoraproject.org | 61 +++++++++++++++---- ...vmhost-x86-copr02.rdu-cc.fedoraproject.org | 22 +++---- ...vmhost-x86-copr03.rdu-cc.fedoraproject.org | 61 +++++++++++++++---- ...vmhost-x86-copr04.rdu-cc.fedoraproject.org | 61 +++++++++++++++---- inventory/inventory | 4 +- playbooks/groups/vmhost_copr.yml | 40 ++++++++++++ 9 files changed, 319 insertions(+), 64 deletions(-) create mode 100644 inventory/group_vars/vmhost_copr create mode 100644 playbooks/groups/vmhost_copr.yml diff --git a/inventory/group_vars/vmhost_copr b/inventory/group_vars/vmhost_copr new file mode 100644 index 0000000000..4b13d09f94 --- /dev/null +++ b/inventory/group_vars/vmhost_copr 
@@ -0,0 +1,26 @@
+---
+virthost: true
+
+fas_client_groups: sysadmin-copr,sysadmin-main
+sudoers: "{{ private }}/files/sudo/copr-sudoers"
+
+nrpe_procs_warn: 1400
+nrpe_procs_crit: 1500
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should override them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+vpn: false
+postfix_group: cloud
+freezes: false
+
+csi_security_category: High
+csi_primary_contact: Fedora Admins - admin@fedoraproject.org
+csi_purpose: Host guest virtual machines.
+csi_relationship: |
+ - Guests on this host will be inaccessible if the host is down.
+ - This host will be required by any application with a virtual machine running on it, therefore, if this host is down those applications will be impacted.
+
+nagios_Check_Services:
+ raid: true
diff --git a/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org
index 692e739ebd..4deb9fe021 100644
--- a/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org
+++ b/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org
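Review bot: `fas_client_groups: sysadmin-copr,sysadmin-main` plus the `copr-sudoers` file gives the copr admin group login and sudo on hypervisors that this same file rates `csi_security_category: High`, and nothing here records what that sudoers file is expected to allow. The file lives under `{{ private }}` and is not part of this patch, so a reviewer cannot tell whether it is scoped to guest management or amounts to full root on the host. I would add a comment above `sudoers:` along the lines of `# copr-sudoers: what sysadmin-copr may run on these hosts; keep non-copr guests off vmhost_copr`, with the wording confirmed against the real file. It would also help to say why `nrpe_procs_warn`/`nrpe_procs_crit` rise to 1400/1500 from the 900/1000 that the per-host files carried.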
@@ -1,12 +1,56 @@ --- +datacenter: rdu-cc + nrpe_procs_warn: 900 nrpe_procs_crit: 1000 -br0_ip: 8.43.85.84 -br0_nm: 255.255.254.0 -gw: 8.43.85.254 -dns: 8.8.8.8 -datacenter: rdu-cc vpn: true postfix_group: cloud freezes: false + +gw: 8.43.85.254 +dns: 8.8.8.8 + +has_ipv4: yes +br0_ipv4: 8.43.85.84 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" + +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:f005" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "ec:f4:bb:d2:97:7c" +mac1: "ec:f4:bb:d2:97:7d" +mac2: "ec:f4:bb:d2:97:78" +mac3: "ec:f4:bb:d2:97:7a" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org index ae60f48e49..e82a83adfa 100644 --- a/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org 
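Review bot: The `dns:` list under `network_connections` hard-codes public resolvers (`8.8.8.8`, `8.8.4.4`, `2001:4860:4860::8888`) while `dns_search` adds `vpn.fedoraproject.org` and `rdu-cc.fedoraproject.org`, so unqualified lookups on this host are expanded with those suffixes and sent to a third-party resolver. The top-level `dns: 8.8.8.8` variable is kept but the connection profile does not read it, which leaves two places to edit when resolvers change. Consider referencing the variable (`- "{{ dns }}"`) or moving the resolver and search lists into group vars; the identical block is repeated in the hunks for vmhost-x86-06 and vmhost-x86-copr01, -copr03 and -copr04. The new flags are also spelled `yes`/`no` (`has_ipv4: yes`, `dhcp4: no`), where `true`/`false` is the unambiguous form.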
@@ -1,12 +1,56 @@ --- +datacenter: rdu-cc + nrpe_procs_warn: 900 nrpe_procs_crit: 1000 -br0_ip: 8.43.85.85 -br0_nm: 255.255.254.0 -gw: 8.43.85.254 -dns: 8.8.8.8 -datacenter: rdu-cc vpn: true postfix_group: cloud freezes: false + +gw: 8.43.85.254 +dns: 8.8.8.8 + +has_ipv4: yes +br0_ipv4: 8.43.85.85 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" + +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:f006" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "ec:f4:bb:cd:aa:a4" +mac1: "ec:f4:bb:cd:aa:a5" +mac2: "ec:f4:bb:cd:aa:a0" +mac3: "ec:f4:bb:cd:aa:a2" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org index 0386c7c509..d7424de8b4 100644 --- a/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org 
@@ -1,18 +1,53 @@ --- -fas_client_groups: sysadmin-copr,sysadmin-main -sudoers: "{{ private }}/files/sudo/copr-sudoers" -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 -br0_ip: 8.43.85.57 -br0_nm: 255.255.254.0 +datacenter: rdu-cc + gw: 8.43.85.254 dns: 8.8.8.8 -has_ipv6: yes -eth0_ipv6: "2620:52:3:1:dead:beef:cafe:c001" -eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" +has_ipv4: yes +br0_ipv4: 8.43.85.57 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" -datacenter: rdu-cc -vpn: false -postfix_group: cloud -freezes: false +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:c001" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "f4:02:70:d0:05:00" +mac1: "f4:02:70:d0:05:01" +mac2: "b0:26:28:d1:df:00" +mac3: "b0:26:28:d1:df:01" +mac4: "b4:96:91:63:3b:e8" +mac5: "b4:96:91:63:3b:e9" +mac6: "b4:96:91:63:3b:ea" +mac7: "b4:96:91:63:3b:eb" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org index 98b1249722..29f4fee4c6 100644 --- a/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org 
@@ -1,28 +1,23 @@ --- -fas_client_groups: sysadmin-copr,sysadmin-main -sudoers: "{{ private }}/files/sudo/copr-sudoers" -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 +datacenter: rdu-cc + gw: 8.43.85.254 dns: 8.8.8.8 has_ipv4: yes br0_ipv4: 8.43.85.58 -br0_ipv4_nm: 255.255.254.0 +br0_ipv4_nm: 23 br0_ipv4_gw: "{{ gw }}" has_ipv6: yes br0_ipv6: "2620:52:3:1:dead:beef:cafe:c002" +br0_ipv6_nm: 64 br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" -datacenter: rdu-cc -vpn: false -postfix_group: cloud -freezes: false mac0: "f4:02:70:d0:04:5e" -mac1: "b4:96:91:63:3b:9c" -mac2: "f4:02:70:d0:04:5f" +mac1: "f4:02:70:d0:04:5f" +mac2: "b4:96:91:63:3b:9c" mac3: "b4:96:91:63:3b:9d" mac4: "b4:96:91:63:3b:9e" mac5: "b4:96:91:63:3b:9f" @@ -36,8 +31,8 @@ network_connections: autoconnect: yes ip: address: - - "{{ br0_ipv4 }}/24" - - "{{ br0_ipv6 }}/64" + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" gateway4: "{{ br0_ipv4_gw }}" gateway6: "{{ br0_ipv6_gw }}" dns: @@ -56,3 +51,4 @@ network_connections: master: br0 mac: "{{ br0_port0_mac }}" + diff --git a/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org index c5900b175f..2e95ed3b82 100644 --- a/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org 
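Review bot: `mac1` and `mac2` swap values in the first hunk, but nothing in the file says which physical port each `macN` names, so a reader cannot check whether the old or the new order is the right one. The only visible consumer is `mac: "{{ br0_port0_mac }}"` in the last hunk's context, and the definition of `br0_port0_mac` sits between the hunks, so which `macN` feeds the bridge port on this host is not visible here. A comment above the list, for example `# mac0-1: onboard pair, mac2+: add-in card ports`, would make the mapping reviewable; that wording is a guess from the address prefixes and needs confirming against the hardware.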
@@ -1,18 +1,53 @@ --- -fas_client_groups: sysadmin-copr,sysadmin-main -sudoers: "{{ private }}/files/sudo/copr-sudoers" -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 -br0_ip: 8.43.85.59 -br0_nm: 255.255.254.0 +datacenter: rdu-cc + gw: 8.43.85.254 dns: 8.8.8.8 -has_ipv6: yes -eth0_ipv6: "2620:52:3:1:dead:beef:cafe:c003" -eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" +has_ipv4: yes +br0_ipv4: 8.43.85.59 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" -datacenter: rdu-cc -vpn: false -postfix_group: cloud -freezes: false +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:c003" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "f4:02:70:d3:42:48" +mac1: "f4:02:70:d3:42:49" +mac2: "b0:26:28:d1:dd:c0" +mac3: "b0:26:28:d1:dd:c1" +mac4: "b4:96:91:63:3b:50" +mac5: "b4:96:91:63:3b:51" +mac6: "b4:96:91:63:3b:52" +mac7: "b4:96:91:63:3b:53" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org index 6b0a650d58..22b7475c97 100644 --- a/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org 
@@ -1,18 +1,53 @@ --- -fas_client_groups: sysadmin-copr,sysadmin-main -sudoers: "{{ private }}/files/sudo/copr-sudoers" -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 -br0_ip: 8.43.85.60 -br0_nm: 255.255.254.0 +datacenter: rdu-cc + gw: 8.43.85.254 dns: 8.8.8.8 -has_ipv6: yes -eth0_ipv6: "2620:52:3:1:dead:beef:cafe:c004" -eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" +has_ipv4: yes +br0_ipv4: 8.43.85.60 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" -datacenter: rdu-cc -vpn: false -postfix_group: cloud -freezes: false +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:c004" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "f4:02:70:d0:04:4a" +mac1: "f4:02:70:d0:04:4b" +mac2: "b0:26:28:d1:e0:f0" +mac3: "b0:26:28:d1:e0:f1" +mac4: "b4:96:91:63:3a:a0" +mac5: "b4:96:91:63:3a:a1" +mac6: "b4:96:91:63:3a:a2" +mac7: "b4:96:91:63:3a:a3" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/inventory b/inventory/inventory index f975eed9dd..158be93258 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -113,8 +113,8 @@ virthost-rdu01.fedoraproject.org virthost-cc-rdu01.fedoraproject.org virthost-cc-rdu02.fedoraproject.org virthost-cc-rdu03.fedoraproject.org -#virthost-cloud01.fedorainfracloud.org -#cloudvmhost-aarch64-01.fedorainfracloud.org + +[vmhost_copr] vmhost-x86-copr01.rdu-cc.fedoraproject.org vmhost-x86-copr02.rdu-cc.fedoraproject.org vmhost-x86-copr03.rdu-cc.fedoraproject.org 
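Review bot: The new `[vmhost_copr]` header in the inventory hunk is inserted in the middle of an existing host list, so every host between it and the next group header now belongs to `vmhost_copr` and inherits `fas_client_groups: sysadmin-copr,sysadmin-main` and the copr sudoers file from the new group vars. The hunk's trailing context stops at vmhost-x86-copr03, so the end of the group is not visible; it is worth confirming that only the four copr hosts sit below the header, since vmhost-x86-05 and -06 (also touched by this patch, with `vpn: true`) do not look like copr hosts. The same hosts also leave the preceding group, whose name is outside the hunk, so anything they inherited from its group vars must now come from `group_vars/vmhost_copr`.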
diff --git a/playbooks/groups/vmhost_copr.yml b/playbooks/groups/vmhost_copr.yml
new file mode 100644
index 0000000000..29ff1beb27
--- /dev/null
+++ b/playbooks/groups/vmhost_copr.yml
@@ -0,0 +1,40 @@
+# create a new virthost server system
+# This is a copy of the main one which is meant to be limited ONLY to vmhost_copr group for rbac
+# NOTE: should be used with --limit most of the time
+# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
+
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=vmhost_copr:!buildvmhost-s390x-01.s390.fedoraproject.org"
+
+- name: make virthost server system
+ hosts: vmhost_copr
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ pre_tasks:
+ - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ roles:
+ - base
+ - rkhunter
+ - nagios_client
+ - hosts
+ - { role: ipa/client, when: env == "staging" }
+ - { role: fas_client, when: env != "staging" }
+ - collectd/base
+ - sudo
+ - { role: openvpn/client, when: vpn|bool }
+ - virthost
+
+ tasks:
+ - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+ when: env != 'staging'
+ - import_tasks: "{{ tasks_path }}/motd.yml"
+
+ handlers:
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
From 9c2cc0b184869437d5b9e9895e1286cab0a1ca84 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Wed, 17 Feb 2021 12:50:01 -0500 Subject: [PATCH 2/3] remove extra range of ips we used for bringup from the 10.3.160 range. --- roles/dhcp_server/files/dhcpd.conf.noc01.iad2.fedoraproject.org | 1 - 1 file changed, 1 deletion(-)
diff --git a/roles/dhcp_server/files/dhcpd.conf.noc01.iad2.fedoraproject.org b/roles/dhcp_server/files/dhcpd.conf.noc01.iad2.fedoraproject.org
index 697204677d..78aa8bc41e 100644
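Review bot: The `import_playbook` line in the new playbook still carries `myhosts=vmhost_copr:!buildvmhost-s390x-01.s390.fedoraproject.org`, an exclusion that looks copied from the playbook this one is based on and should never match a host in a group meant for the copr hypervisors; `myhosts=vmhost_copr` states the intended scope exactly. The header comment likewise still says the vars come from `group_vars/backup_server`, which reads like an older copy-paste. Because the stated purpose is to let copr admins run this play under RBAC, the header should also note that it runs as `user: root` and loads `/srv/private/ansible/vars.yml`, so those variables are in scope for whoever is allowed to run it.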
--- a/roles/dhcp_server/files/dhcpd.conf.noc01.iad2.fedoraproject.org +++ b/roles/dhcp_server/files/dhcpd.conf.noc01.iad2.fedoraproject.org @@ -24,7 +24,6 @@ subnet 10.3.160.0 netmask 255.255.255.0 { option log-servers 10.3.163.39; option ntp-servers 10.3.163.31, 10.3.163.32; - range 10.3.160.160 10.3.160.189; range 10.3.160.200 10.3.160.249; } From 5bbb5a92f874ac719cf22816e546aef48ac8c185 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Wed, 17 Feb 2021 10:37:28 -0800 Subject: [PATCH 3/3] koji_builder: and conditional for rngd starting Signed-off-by: Kevin Fenzi --- roles/koji_builder/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/koji_builder/tasks/main.yml b/roles/koji_builder/tasks/main.yml index 0aa5a847a5..809c151144 100644 --- a/roles/koji_builder/tasks/main.yml +++ b/roles/koji_builder/tasks/main.yml @@ -330,4 +330,4 @@ tags: - koji_builder - koji_builder/rngd - when: ansible_architecture != 's390x' or ansible_architecture != 'ppc64le' + when: ansible_architecture != 's390x' and ansible_architecture != 'ppc64le'
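Review bot: With two `!=` comparisons joined by `and`, the condition on the last line of the koji_builder hunk is easy to get wrong again when another architecture is added; a membership test says the same thing more directly: `when: ansible_architecture not in ['s390x', 'ppc64le']`. The task this `when:` belongs to starts above the hunk, so only its tags and the condition are visible here.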