From 3fc79913d0cd3927c1f6e3a0dc79be29f590d23c Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 7 May 2020 17:09:17 -0700
Subject: [PATCH] iad2: add a clevis role to adjust virthosts for clevis/tang
clevis needs to bring up a interface to talk to the tang server at initramfs time. This is fine, but dracut then "helpfully" writes out any network config you pass it to ifcfg- files and messes up the hosts normal networking. If you have bridge devices this is even more pronounced as the device clevis used keeps the main bridge ip and doesnt enslave to the bridge, breaking everything. In order to work around this we:
* tell dracut to not save ifcfg- files from it's passed network config.
* tell dracut to use the first bridge device at initramfs time to talk to tang
* run a systemd unit after boot to wipe any dract network config out, allowing NM to start with a clean slate. Note that you still need to run a dracut -f --regenerate-all
Signed-off-by: Kevin Fenzi
---
 .../vmhost-x86-04.iad2.fedoraproject.org | 7 ++++++
 playbooks/groups/virthost.yml | 1 +
 .../files/flush-dracut-network@.service | 15 ++++++++++++
 roles/clevis/tasks/main.yml | 23 +++++++++++++++++++
 roles/clevis/templates/99-clevis-fix.conf | 5 ++++
 5 files changed, 51 insertions(+)
 create mode 100644 roles/clevis/files/flush-dracut-network@.service
 create mode 100644 roles/clevis/tasks/main.yml
 create mode 100644 roles/clevis/templates/99-clevis-fix.conf
diff --git a/inventory/host_vars/vmhost-x86-04.iad2.fedoraproject.org b/inventory/host_vars/vmhost-x86-04.iad2.fedoraproject.org
index 96a6e60ff6..170adc5fe5 100644
--- a/inventory/host_vars/vmhost-x86-04.iad2.fedoraproject.org
+++ b/inventory/host_vars/vmhost-x86-04.iad2.fedoraproject.org
@@ -1,3 +1,10 @@
 ---
 datacenter: iad2
 nagios_Can_Connect: false
+
+br0_ip: 10.3.163.14
+br0_nm: 255.255.255.0
+br0_gw: 10.3.163.254
+br0_dev: eno1
+
+dns: 10.3.163.33
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 22c9248e66..2d70c85a94 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -29,6 +29,7 @@
 - sudo
 - { role: openvpn/client, when: vpn|bool }
 - virthost
+ - { role: clevis, when: datacenter == 'iad2'}
 tasks:
 - import_tasks: "{{ tasks_path }}/2fa_client.yml"
diff --git a/roles/clevis/files/flush-dracut-network@.service b/roles/clevis/files/flush-dracut-network@.service
new file mode 100644
index 0000000000..49c22c7412
--- /dev/null
+++ b/roles/clevis/files/flush-dracut-network@.service
@@ -0,0 +1,15 @@
+# Remove Dracut's network configuration
+# https://access.redhat.com/solutions/3017441
+# https://unix.stackexchange.com/questions/506331/networkmanager-doesnt-change-ip-address-when-dracut-cmdline-provided-static-ip
+
+[Unit]
+Description=Remove dracut's network configuration for %I
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+ExecStartPre=/usr/sbin/ip address show %i
+ExecStart=/usr/sbin/ip -statistics address flush dev %i
+
+[Install]
+WantedBy=default.target
diff --git a/roles/clevis/tasks/main.yml b/roles/clevis/tasks/main.yml
new file mode 100644
index 0000000000..88c34fd0e5
--- /dev/null
+++ b/roles/clevis/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: copy in dracut config for clevis
+  template:
+    src: 99-clevis-fix.conf
+    dest: /etc/dracut.conf.d/99-clevis-fix.conf
+  tags:
+  - clevis
+
+- name: copy in the systemd unit file to wipe dracut networking
+  copy:
+    src=flush-dracut-network@.service
+    dest=/etc/systemd/system/flush-dracut-network@.service
+  notify:
+    reload systemd
+  tags:
+  - clevis
+
+- name: enable the systemd unit to wipe dracut networking
+  systemd:
+    name: flush-dracut-network@{{ br0_dev }}
+    enabled: true
+  tags:
+  - clevis
diff --git a/roles/clevis/templates/99-clevis-fix.conf b/roles/clevis/templates/99-clevis-fix.conf
new file mode 100644
index 0000000000..c7316fcdf6
--- /dev/null
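Review bot: The new `- { role: clevis, when: datacenter == 'iad2'}` applies the role to every iad2 virthost, but the variables the role's template consumes (`br0_ip`, `br0_nm`, `br0_gw`, `br0_dev`, `dns`) are only defined for vmhost-x86-04 in this patch, so on any other iad2 virthost the template task would presumably fail with an undefined variable. If the rollout is meant to be per-host, gate on the data the role needs, e.g. `- { role: clevis, when: datacenter == 'iad2' and br0_dev is defined }`, or give the role defaults. The roles list this line sits in starts above the hunk.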
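Review bot: The `[Service]` section of flush-dracut-network@.service sets no `Type=`, so the unit defaults to Type=simple and counts as started as soon as `ip address flush` is forked; the `Before=network-pre.target` ordering therefore does not wait for the flush to finish, which is the one thing the unit exists to guarantee. Add `Type=oneshot` under `[Service]` so units ordered after network-pre.target (NetworkManager, going by the commit message) start only after the addresses are gone. Since `%i` expands to the physical device (`eno1` per the host_vars), a short header comment stating that the flush is intended to let the device be enslaved to the bridge would save the next reader from reading it as an outage.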
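Review bot: The second task in roles/clevis/tasks/main.yml passes `copy:` its arguments as free-form `src=... dest=...` lines, which YAML folds into one plain scalar, while the `template:` task above uses native keys; make the two match with `src: flush-dracut-network@.service` and `dest: /etc/systemd/system/flush-dracut-network@.service`. The `systemd:` task that enables `flush-dracut-network@{{ br0_dev }}` runs before the notified `reload systemd` handler, since handlers flush at the end of the play; adding `daemon_reload: true` to that task makes the ordering explicit rather than relying on the handler. No handlers file is added here, so `reload systemd` presumably comes from a shared handler elsewhere in the repo. The commit message says `dracut -f --regenerate-all` is still a manual step; a comment at the top of this file recording that would keep it from being lost.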
+++ b/roles/clevis/templates/99-clevis-fix.conf
@@ -0,0 +1,5 @@
+# DHCP for talking to tang server
+kernel_cmdline="ip={{ br0_ip }}::{{ br0_gw }}:{{ br0_nm }}::{{ br0_dev }}:none:{{ dns }}"
+
+# Don't create /etc/sysconfig/network-scripts/ifcfg-* files during boot
+omit_dracutmodules+="ifcfg"
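Review bot: `omit_dracutmodules+="ifcfg"` appends without surrounding spaces, and dracut.conf treats these lists as space-separated with `+=" ... "`; if any other conf.d snippet also appends to omit_dracutmodules the values run together into one token and the ifcfg module is not omitted. Write it as `omit_dracutmodules+=" ifcfg "`. The comment `# DHCP for talking to tang server` does not describe the line under it, which sets a static address (`:none` autoconf); `# Static IP config for reaching the tang server at initramfs time` does. The file header for this hunk is on the previous line.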