Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

moving virthost tasks into the beaker/virthost role for more auth control

Browse source
This commit is contained in:
Tim Flink 2015-05-07 20:17:54 +00:00
parent fa6a9c043d
commit 09a48c2c55
8 changed files with 112 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
inventory/host_vars/qa02.qa.fedoraproject.org
View file

@ -2,9 +2,15 @@
freezes: false freezes: false
fas_client_groups: sysadmin-qa,sysadmin-main fas_client_groups: sysadmin-qa,sysadmin-main
sudoers: "{{ private }}/files/sudo/qavirt-sudoers" sudoers: "{{ private }}/files/sudo/qavirt-sudoers"
datacenter: phx2
# hardware and setup information
eth0_ip: 10.5.124.152
eth0_mac: 00:21:5e:c6:cc:9c
eth_interface: eth0
volgroup: vmstore volgroup: vmstore
# beaker clients hosted on this machine
clients: clients:
- hostname: virt01.qa.fedoraproject.org - hostname: virt01.qa.fedoraproject.org
macaddress: "52:54:00:a2:de:30" macaddress: "52:54:00:a2:de:30"

1
playbooks/groups/beaker-virthosts.yml
View file

@ -31,7 +31,6 @@
- include: "{{ tasks }}/yumrepos.yml" - include: "{{ tasks }}/yumrepos.yml"
- include: "{{ tasks }}/2fa_client.yml" - include: "{{ tasks }}/2fa_client.yml"
- include: "{{ tasks }}/motd.yml" - include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/virthost.yml"
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"

2
roles/beaker/virthost/defaults/main.yml
View file

@ -1,2 +1,4 @@
--- ---
bridge_name: br0 bridge_name: br0
eth_interface: eth0
libvirt_group: kvm

80
roles/beaker/virthost/tasks/main.yml
View file

@ -1,3 +1,77 @@
---
# This is somewhat a duplication of the virthost task used by other virthosts
# doing things this way isn't ideal but for this application, we need a local
# non-root user which can control VMs and the other infra virthosts are locked
# down in a way which makes that impossible.
#
# If it's possible to unify the two tasks/roles, that's probably for the best
# but for now, we're left with the duplication :(
- name: install libvirt packages on rhel7 virthosts
yum: pkg={{ item }} state=present
with_items:
- qemu-kvm
- libvirt
- virt-install
tags:
- packages
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
# install libvirtd.conf
#
# This provides us with the ability to control VMs with non-root and
# non-fas accounts
#
- name: install libvirtd.conf
copy: src="{{ files }}/virthost/libvirtd.conf" dest=/etc/libvirt/libvirtd.conf
notify:
- restart libvirtd
tags:
- config
- name: enable libvirtd
service: name=libvirtd state=started enabled=yes
#
# Disable lvmetad as it causes lots of problems with iscsi shared lvm and caching.
#
- name: disable lvmetad
lineinfile: dest=/etc/lvm/lvm.conf regexp="^ use_lvmetad = 1" line=" use_lvmetad = 0" backrefs=yes
- name: set bridging to work right
copy: src="{{ files }}/virthost/99-bridge.rules" dest=/etc/udev/rules.d/99-bridge.rules
notify:
- restart bridge
tags:
- config
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
- name: generate config for ethernet device
template:
src: ifcfg-device.j2
dest: /etc/sysconfig/network-scripts/ifcfg-{{ eth_interface }}
owner: root
group: root
mode: 0644
notify:
- restart bridge
- restart network
- name: generate config for ethernet bridge
template:
src: ifcfg-bridge.j2
dest: /etc/sysconfig/network-scripts/ifcfg-{{ bridge_name }}
owner: root
group: root
mode: 0644
notify:
- restart bridge
- restart network
#
# This is where the duplication with regular virthosts stops
#
- name: add libvirt remote user - name: add libvirt remote user
user: user:
name: "{{ libvirt_user }}" name: "{{ libvirt_user }}"
@ -10,8 +84,8 @@
key: "{{ libvirt_remote_pubkey }}" key: "{{ libvirt_remote_pubkey }}"
- name: add polkit rule for users in kvm group - name: add polkit rule for users in kvm group
copy: template:
src: polkit/10-libvirt.rules src: 10-libvirt.rules
dest: /etc/polkit-1/rules.d/10-libvirt.rules dest: /etc/polkit-1/rules.d/10-libvirt.rules
owner: root owner: root
group: root group: root
@ -39,7 +113,7 @@
with_items: clients with_items: clients
- name: ensure vms are defined - name: ensure vms are defined
command: "virsh define --file /root/{{ item.hostname }}.libvirt.xml" command: "virsh define --file /home/{{ libvirt_user }}/{{ item.hostname }}.libvirt.xml"
when: item.hostname not in result.list_vms when: item.hostname not in result.list_vms
with_items: clients with_items: clients
sudo: true sudo: true

0
roles/beaker/virthost/files/polkit/10-libvirt.rules → roles/beaker/virthost/templates/10-libvirt.rules.j2
View file

18
roles/beaker/virthost/templates/ifcfg-bridge.j2 Normal file
View file

@ -0,0 +1,18 @@
DEVICE="{{ bridge_name }}"
STP=no
TYPE=Bridge
BOOTPROTO=static
ONBOOT=yes
IPADDR={{ eth0_ip }}
PREFIX=24
GATEWAY=10.5.131.254
DNS1=10.5.126.21
DNS2=10.5.126.22
DOMAIN="qa.fedoraproject.org phx2.fedoraproject.org fedoraproject.org"
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_FAILURE_FATAL=no
NAME={{ bridge_name }}

6
roles/beaker/virthost/templates/ifcfg-device.j2 Normal file
View file

@ -0,0 +1,6 @@
NAME="{{ eth_interface }}"
HWADDR="{{ eth0_mac }}"
ONBOOT=yes
NETBOOT=yes
TYPE=Ethernet
BRIDGE={{ bridge_name }}

3
roles/beaker/virthost/templates/libvirtd.conf.j2 Normal file
View file

@ -0,0 +1,3 @@
unix_sock_group = "sysadmin-main"
unix_sock_rw_perms = "0770"
auth_unix_rw = "none"