iad2: add a clevis role to adjust virthosts for clevis/tang

clevis needs to bring up a interface to talk to the tang server
at initramfs time. This is fine, but dracut then "helpfully" writes
out any network config you pass it to ifcfg- files and messes
up the hosts normal networking. If you have bridge devices this is
even more pronounced as the device clevis used keeps the main
bridge ip and doesnt enslave to the bridge, breaking everything.

In order to work around this we:

* tell dracut to not save ifcfg- files from it's passed network config.
* tell dracut to use the first bridge device at initramfs time to
talk to tang
* run a systemd unit after boot to wipe any dract network config out,
allowing NM to start with a clean slate.

Note that you still need to run a dracut -f --regenerate-all

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

inventory/host_vars/vmhost-x86-04.iad2.fedoraproject.org

@@ -1,3 +1,10 @@
 ---
 datacenter: iad2
 nagios_Can_Connect: false
+
+br0_ip: 10.3.163.14
+br0_nm: 255.255.255.0
+br0_gw: 10.3.163.254
+br0_dev: eno1
+
+dns: 10.3.163.33

playbooks/groups/virthost.yml

@@ -29,6 +29,7 @@
   - sudo
   - { role: openvpn/client, when: vpn|bool }
   - virthost
+  - { role: clevis, when: datacenter == 'iad2'}
 
   tasks:
   - import_tasks: "{{ tasks_path }}/2fa_client.yml"

roles/clevis/files/flush-dracut-network@.service

@@ -0,0 +1,15 @@
+# Remove Dracut's network configuration
+# https://access.redhat.com/solutions/3017441
+# https://unix.stackexchange.com/questions/506331/networkmanager-doesnt-change-ip-address-when-dracut-cmdline-provided-static-ip
+
+[Unit]
+Description=Remove dracut's network configuration for %I
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+ExecStartPre=/usr/sbin/ip address show %i
+ExecStart=/usr/sbin/ip -statistics address flush dev %i
+
+[Install]
+WantedBy=default.target

roles/clevis/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: copy in dracut config for clevis
+  template:
+   src: 99-clevis-fix.conf 
+   dest: /etc/dracut.conf.d/99-clevis-fix.conf
+  tags:
+  - clevis
+
+- name: copy in the systemd unit file to wipe dracut networking
+  copy:
+   src=flush-dracut-network@.service
+   dest=/etc/systemd/system/flush-dracut-network@.service
+  notify:
+   reload systemd
+  tags:
+   - clevis
+
+- name: enable the systemd unit to wipe dracut networking
+  systemd:
+   name: flush-dracut-network@{{ br0_dev }}
+   enabled: true
+  tags:
+   - clevis

roles/clevis/templates/99-clevis-fix.conf

@@ -0,0 +1,5 @@
+# DHCP for talking to tang server
+kernel_cmdline="ip={{ br0_ip }}::{{ br0_gw }}:{{ br0_nm }}::{{ br0_dev }}:none:{{ dns }}"
+
+# Don't create /etc/sysconfig/network-scripts/ifcfg-* files during boot
+omit_dracutmodules+="ifcfg"