From 09a48c2c553712a36e73820e6bfd7dc6f300eabd Mon Sep 17 00:00:00 2001
From: Tim Flink
Date: Thu, 7 May 2015 20:17:54 +0000
Subject: [PATCH] moving virthost tasks into the beaker/virthost role for more auth control
---
inventory/host_vars/qa02.qa.fedoraproject.org | 6 ++
playbooks/groups/beaker-virthosts.yml | 1 -
roles/beaker/virthost/defaults/main.yml | 2 +
roles/beaker/virthost/tasks/main.yml | 80 ++++++++++++++++++-
.../10-libvirt.rules.j2} | 0
.../beaker/virthost/templates/ifcfg-bridge.j2 | 18 +++++
.../beaker/virthost/templates/ifcfg-device.j2 | 6 ++
.../virthost/templates/libvirtd.conf.j2 | 3 +
8 files changed, 112 insertions(+), 4 deletions(-)
rename roles/beaker/virthost/{files/polkit/10-libvirt.rules => templates/10-libvirt.rules.j2} (100%)
create mode 100644 roles/beaker/virthost/templates/ifcfg-bridge.j2
create mode 100644 roles/beaker/virthost/templates/ifcfg-device.j2
create mode 100644 roles/beaker/virthost/templates/libvirtd.conf.j2
diff --git a/inventory/host_vars/qa02.qa.fedoraproject.org b/inventory/host_vars/qa02.qa.fedoraproject.org
index 7a31a23035..5cdb0c2bcf 100644
--- a/inventory/host_vars/qa02.qa.fedoraproject.org
+++ b/inventory/host_vars/qa02.qa.fedoraproject.org
@@ -2,9 +2,15 @@
 freezes: false
 fas_client_groups: sysadmin-qa,sysadmin-main
 sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
+datacenter: phx2
+# hardware and setup information
+eth0_ip: 10.5.124.152
+eth0_mac: 00:21:5e:c6:cc:9c
+eth_interface: eth0
 volgroup: vmstore
+# beaker clients hosted on this machine
 clients:
 - hostname: virt01.qa.fedoraproject.org
 macaddress: "52:54:00:a2:de:30"
diff --git a/playbooks/groups/beaker-virthosts.yml b/playbooks/groups/beaker-virthosts.yml
index f13ecbd100..e17c07f7b9 100644
--- a/playbooks/groups/beaker-virthosts.yml
+++ b/playbooks/groups/beaker-virthosts.yml
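Review bot: `eth0_mac: 00:21:5e:c6:cc:9c` is left unquoted while `macaddress` a few lines below in the same file is quoted; this particular value contains hex letters so it survives as a string, but a MAC built only from decimal digits (the libvirt-style `52:54:00:12:34:56`, for instance) matches the YAML 1.1 sexagesimal-integer form under PyYAML and would be silently turned into a number before it ever reaches the ifcfg `HWADDR` line on any host that copies this stanza. Quote it for consistency and safety: `eth0_mac: "00:21:5e:c6:cc:9c"`. The variable names also bake in `eth0` while the interface itself is parameterised as `eth_interface`; `eth_ip`/`eth_mac` would keep the three in step when a host does not use eth0.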
@@ -31,7 +31,6 @@
 - include: "{{ tasks }}/yumrepos.yml"
 - include: "{{ tasks }}/2fa_client.yml"
 - include: "{{ tasks }}/motd.yml"
- - include: "{{ tasks }}/virthost.yml"
 handlers:
 - include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/beaker/virthost/defaults/main.yml b/roles/beaker/virthost/defaults/main.yml
index a1359876a0..69e8863972 100644
--- a/roles/beaker/virthost/defaults/main.yml
+++ b/roles/beaker/virthost/defaults/main.yml
@@ -1,2 +1,4 @@
 ---
 bridge_name: br0
+eth_interface: eth0
+libvirt_group: kvm
diff --git a/roles/beaker/virthost/tasks/main.yml b/roles/beaker/virthost/tasks/main.yml
index 7363223e28..54e2ba155c 100644
--- a/roles/beaker/virthost/tasks/main.yml
+++ b/roles/beaker/virthost/tasks/main.yml
@@ -1,3 +1,77 @@
+---
+# This is somewhat a duplication of the virthost task used by other virthosts
+# doing things this way isn't ideal but for this application, we need a local
+# non-root user which can control VMs and the other infra virthosts are locked
+# down in a way which makes that impossible.
+#
+# If it's possible to unify the two tasks/roles, that's probably for the best
+# but for now, we're left with the duplication :(
+
+
+- name: install libvirt packages on rhel7 virthosts
+ yum: pkg={{ item }} state=present
+ with_items:
+ - qemu-kvm
+ - libvirt
+ - virt-install
+ tags:
+ - packages
+ when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
+
+# install libvirtd.conf
+#
+# This provides us with the ability to control VMs with non-root and
+# non-fas accounts
+#
+- name: install libvirtd.conf
+ copy: src="{{ files }}/virthost/libvirtd.conf" dest=/etc/libvirt/libvirtd.conf
+ notify:
+ - restart libvirtd
+ tags:
+ - config
+
+- name: enable libvirtd
+ service: name=libvirtd state=started enabled=yes
+
+#
+# Disable lvmetad as it causes lots of problems with iscsi shared lvm and caching.
+#
+- name: disable lvmetad
+ lineinfile: dest=/etc/lvm/lvm.conf regexp="^ use_lvmetad = 1" line=" use_lvmetad = 0" backrefs=yes
+
+- name: set bridging to work right
+ copy: src="{{ files }}/virthost/99-bridge.rules" dest=/etc/udev/rules.d/99-bridge.rules
+ notify:
+ - restart bridge
+ tags:
+ - config
+ when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
+
+- name: generate config for ethernet device
+ template:
+ src: ifcfg-device.j2
+ dest: /etc/sysconfig/network-scripts/ifcfg-{{ eth_interface }}
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - restart bridge
+ - restart network
+
+- name: generate config for ethernet bridge
+ template:
+ src: ifcfg-bridge.j2
+ dest: /etc/sysconfig/network-scripts/ifcfg-{{ bridge_name }}
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - restart bridge
+ - restart network
+
+#
+# This is where the duplication with regular virthosts stops
+#
 - name: add libvirt remote user
 user:
 name: "{{ libvirt_user }}"
@@ -10,8 +84,8 @@
 key: "{{ libvirt_remote_pubkey }}"
 - name: add polkit rule for users in kvm group
- copy:
- src: polkit/10-libvirt.rules
+ template:
+ src: 10-libvirt.rules
 dest: /etc/polkit-1/rules.d/10-libvirt.rules
 owner: root
 group: root
@@ -39,7 +113,7 @@
 with_items: clients
 - name: ensure vms are defined
- command: "virsh define --file /root/{{ item.hostname }}.libvirt.xml"
+ command: "virsh define --file /home/{{ libvirt_user }}/{{ item.hostname }}.libvirt.xml"
 when: item.hostname not in result.list_vms
 with_items: clients
 sudo: true
diff --git a/roles/beaker/virthost/files/polkit/10-libvirt.rules b/roles/beaker/virthost/templates/10-libvirt.rules.j2
similarity index 100%
rename from roles/beaker/virthost/files/polkit/10-libvirt.rules
rename to roles/beaker/virthost/templates/10-libvirt.rules.j2
diff --git a/roles/beaker/virthost/templates/ifcfg-bridge.j2 b/roles/beaker/virthost/templates/ifcfg-bridge.j2
new file mode 100644
index 0000000000..3a7301f002
--- /dev/null
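Review bot: In the polkit task the new `src: 10-libvirt.rules` does not match the file this same commit renames to `templates/10-libvirt.rules.j2`; the template module does not append `.j2` on its own, so the first run should stop with a missing-source error — it needs to read `src: 10-libvirt.rules.j2`. In the same spirit, the `install libvirtd.conf` task near the top of the hunk still copies the shared `{{ files }}/virthost/libvirtd.conf`, so the role's freshly added `templates/libvirtd.conf.j2` is never rendered and the comment above that task ("control VMs with non-root and non-fas accounts") describes a file that is not the one being installed; presumably `template: src=libvirtd.conf.j2 dest=/etc/libvirt/libvirtd.conf` was intended. The `ensure vms are defined` task now runs `virsh define` as root (`sudo: true`) on XML under `/home/{{ libvirt_user }}/`, a directory that non-root account owns, so whatever that account writes there (disk paths, passthrough devices) is defined by root; if the polkit rule this role installs already lets that user manage libvirt, the root hop adds no authorisation and only widens what the account can hand to root, so either run the define as `{{ libvirt_user }}` or keep the XML in a root-owned path. The task that generates those XML files is not in the diff, so confirm where it writes them and with what ownership.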
+++ b/roles/beaker/virthost/templates/ifcfg-bridge.j2
@@ -0,0 +1,18 @@
+DEVICE="{{ bridge_name }}"
+STP=no
+TYPE=Bridge
+BOOTPROTO=static
+ONBOOT=yes
+IPADDR={{ eth0_ip }}
+PREFIX=24
+GATEWAY=10.5.131.254
+DNS1=10.5.126.21
+DNS2=10.5.126.22
+DOMAIN="qa.fedoraproject.org phx2.fedoraproject.org fedoraproject.org"
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=no
+IPV6_AUTOCONF=no
+IPV6_DEFROUTE=no
+IPV6_FAILURE_FATAL=no
+NAME={{ bridge_name }}
diff --git a/roles/beaker/virthost/templates/ifcfg-device.j2 b/roles/beaker/virthost/templates/ifcfg-device.j2
new file mode 100644
index 0000000000..2fc6fa774c
--- /dev/null
+++ b/roles/beaker/virthost/templates/ifcfg-device.j2
@@ -0,0 +1,6 @@
+NAME="{{ eth_interface }}"
+HWADDR="{{ eth0_mac }}"
+ONBOOT=yes
+NETBOOT=yes
+TYPE=Ethernet
+BRIDGE={{ bridge_name }}
diff --git a/roles/beaker/virthost/templates/libvirtd.conf.j2 b/roles/beaker/virthost/templates/libvirtd.conf.j2
new file mode 100644
index 0000000000..e36ce0a364
--- /dev/null
+++ b/roles/beaker/virthost/templates/libvirtd.conf.j2
@@ -0,0 +1,3 @@
+unix_sock_group = "sysadmin-main"
+unix_sock_rw_perms = "0770"
+auth_unix_rw = "none"
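Review bot: `PREFIX=24` with the `IPADDR={{ eth0_ip }}` value set in this commit (10.5.124.152) describes 10.5.124.0/24, but `GATEWAY=10.5.131.254` is not inside that subnet; the kernel refuses a default route whose next hop is not on-link, so as written the bridge comes up without a usable default route and one of the two values must be wrong — check the network the host actually sits on before applying. Gateway, prefix, DNS servers and DOMAIN are also hard-coded in a template that is otherwise driven by host vars (`datacenter: phx2` is added in this same commit and never consumed), so `GATEWAY={{ eth_gateway }}` and `PREFIX={{ eth_prefix }}` with role defaults would keep the template reusable for the next virthost instead of forcing a copy. `STP=no` is reasonable for a single uplink but is a deliberate choice that a later reader will not know is intentional; a one-line `# single uplink, STP deliberately off` above it would settle that.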
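Review bot: `auth_unix_rw = "none"` together with `unix_sock_group = "sysadmin-main"` and `unix_sock_rw_perms = "0770"` gives every member of sysadmin-main read-write control of libvirtd with no further authentication or polkit check, which on a virthost is effectively root (anyone who can define a domain can attach an arbitrary host file as a disk); it also sidesteps the polkit rule this same role installs for the kvm group, leaving two competing authorisation paths. The commit message and the new role default `libvirt_group: kvm` describe a local non-FAS libvirt account, which a FAS-managed group such as sysadmin-main will never contain, so this group looks inherited from the shared infra file rather than chosen for this role; `unix_sock_group = "{{ libvirt_group }}"` would at least tie the socket to the variable the role already defines, and leaving `auth_unix_rw` at its polkit default would make the rules file the single gate. As committed nothing renders this template — the tasks file still copies `{{ files }}/virthost/libvirtd.conf` — so it is dead until a task references it. A short header comment stating who is meant to reach the socket and why polkit is bypassed (if it still is) would make that decision reviewable.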