moving virthost tasks into the beaker/virthost role for more auth control

2015-05-07 20:17:54 +00:00 · 2015-05-07 20:17:54 +00:00 · 09a48c2c55
commit 09a48c2c55
parent fa6a9c043d
8 changed files with 112 additions and 4 deletions
--- a/inventory/host_vars/qa02.qa.fedoraproject.org
+++ b/inventory/host_vars/qa02.qa.fedoraproject.org
@ -2,9 +2,15 @@
 freezes: false
 fas_client_groups: sysadmin-qa,sysadmin-main
 sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
+datacenter: phx2

+# hardware and setup information
+eth0_ip: 10.5.124.152
+eth0_mac: 00:21:5e:c6:cc:9c
+eth_interface: eth0
 volgroup: vmstore

+# beaker clients hosted on this machine
 clients:
  - hostname: virt01.qa.fedoraproject.org
    macaddress: "52:54:00:a2:de:30"
--- a/playbooks/groups/beaker-virthosts.yml
+++ b/playbooks/groups/beaker-virthosts.yml
@ -31,7 +31,6 @@
  - include: "{{ tasks }}/yumrepos.yml"
  - include: "{{ tasks }}/2fa_client.yml"
  - include: "{{ tasks }}/motd.yml"
-  - include: "{{ tasks }}/virthost.yml"

  handlers:
  - include: "{{ handlers }}/restart_services.yml"
--- a/roles/beaker/virthost/defaults/main.yml
+++ b/roles/beaker/virthost/defaults/main.yml
@ -1,2 +1,4 @@
 ---
 bridge_name: br0
+eth_interface: eth0
+libvirt_group: kvm
--- a/roles/beaker/virthost/tasks/main.yml
+++ b/roles/beaker/virthost/tasks/main.yml
@ -1,3 +1,77 @@
+---
+# This is somewhat a duplication of the virthost task used by other virthosts
+# doing things this way isn't ideal but for this application, we need a local
+# non-root user which can control VMs and the other infra virthosts are locked
+# down in a way which makes that impossible.
+#
+# If it's possible to unify the two tasks/roles, that's probably for the best
+# but for now, we're left with the duplication :(
+
+
+- name: install libvirt packages on rhel7 virthosts
+  yum: pkg={{ item }} state=present
+  with_items:
+  - qemu-kvm
+  - libvirt
+  - virt-install
+  tags:
+  - packages
+  when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
+
+# install libvirtd.conf 
+#
+# This provides us with the ability to control VMs with non-root and
+# non-fas accounts
+#
+- name: install libvirtd.conf
+  copy: src="{{ files }}/virthost/libvirtd.conf" dest=/etc/libvirt/libvirtd.conf
+  notify:
+  - restart libvirtd
+  tags:
+  - config
+
+- name: enable libvirtd
+  service: name=libvirtd state=started enabled=yes
+
+#
+# Disable lvmetad as it causes lots of problems with iscsi shared lvm and caching. 
+#
+- name: disable lvmetad
+  lineinfile: dest=/etc/lvm/lvm.conf regexp="^    use_lvmetad = 1" line="    use_lvmetad = 0" backrefs=yes
+
+- name: set bridging to work right
+  copy: src="{{ files }}/virthost/99-bridge.rules" dest=/etc/udev/rules.d/99-bridge.rules
+  notify:
+  - restart bridge
+  tags:
+  - config
+  when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
+
+- name: generate config for ethernet device
+  template:
+    src: ifcfg-device.j2
+    dest: /etc/sysconfig/network-scripts/ifcfg-{{ eth_interface }}
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+  - restart bridge
+  - restart network
+
+- name: generate config for ethernet bridge
+  template:
+    src: ifcfg-bridge.j2
+    dest: /etc/sysconfig/network-scripts/ifcfg-{{ bridge_name }}
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+  - restart bridge
+  - restart network
+
+#
+# This is where the duplication with regular virthosts stops
+#
 - name: add libvirt remote user
  user:
    name: "{{ libvirt_user }}"
@ -10,8 +84,8 @@
    key: "{{ libvirt_remote_pubkey }}"

 - name: add polkit rule for users in kvm group
-  copy:
-    src: polkit/10-libvirt.rules
+  template:
+    src: 10-libvirt.rules
    dest: /etc/polkit-1/rules.d/10-libvirt.rules
    owner: root
    group: root
@ -39,7 +113,7 @@
  with_items: clients

 - name: ensure vms are defined
-  command: "virsh define --file /root/{{ item.hostname }}.libvirt.xml"
+  command: "virsh define --file /home/{{ libvirt_user }}/{{ item.hostname }}.libvirt.xml"
  when: item.hostname not in result.list_vms
  with_items: clients
  sudo: true
--- a/roles/beaker/virthost/templates/10-libvirt.rules.j2
+++ b/roles/beaker/virthost/templates/10-libvirt.rules.j2
--- a/roles/beaker/virthost/templates/ifcfg-bridge.j2
+++ b/roles/beaker/virthost/templates/ifcfg-bridge.j2
@ -0,0 +1,18 @@
+DEVICE="{{ bridge_name }}"
+STP=no
+TYPE=Bridge
+BOOTPROTO=static
+ONBOOT=yes
+IPADDR={{ eth0_ip }}
+PREFIX=24
+GATEWAY=10.5.131.254
+DNS1=10.5.126.21
+DNS2=10.5.126.22
+DOMAIN="qa.fedoraproject.org phx2.fedoraproject.org fedoraproject.org"
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=no
+IPV6_AUTOCONF=no
+IPV6_DEFROUTE=no
+IPV6_FAILURE_FATAL=no
+NAME={{ bridge_name }}
--- a/roles/beaker/virthost/templates/ifcfg-device.j2
+++ b/roles/beaker/virthost/templates/ifcfg-device.j2
@ -0,0 +1,6 @@
+NAME="{{ eth_interface }}"
+HWADDR="{{ eth0_mac }}"
+ONBOOT=yes
+NETBOOT=yes
+TYPE=Ethernet
+BRIDGE={{ bridge_name }}
--- a/roles/beaker/virthost/templates/libvirtd.conf.j2
+++ b/roles/beaker/virthost/templates/libvirtd.conf.j2
@ -0,0 +1,3 @@
+unix_sock_group = "sysadmin-main"
+unix_sock_rw_perms = "0770"
+auth_unix_rw = "none"