From 70dc97b732cf9aa39508178fd152a941a75b46fb Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 13 May 2022 12:07:43 -0700
Subject: [PATCH] drop local clevis role and replace with linux-system-roles.nbde_client

The linux-system-roles.nbde_client does the right things and so one less thing for us to maintain. It also avoids the problem we have on some machines now where network interface names are not as the old clevis role expected, so unlocking didn't work on boot. Hopefully this fixes all those issues.

Signed-off-by: Kevin Fenzi
---
 inventory/group_vars/all | 9 +++++
 playbooks/groups/buildhw.yml | 2 +-
 playbooks/groups/openqa-workers.yml | 2 +-
 playbooks/groups/virthost.yml | 11 +----
 playbooks/manual/autosign.yml | 2 +-
 playbooks/manual/sign-vault.yml | 2 +-
 .../files/flush-dracut-network@.service | 15 -------
 roles/clevis/tasks/main.yml | 40 -------------------
 roles/clevis/templates/99-clevis-fix.conf | 13 ------
 9 files changed, 14 insertions(+), 82 deletions(-)
 delete mode 100644 roles/clevis/files/flush-dracut-network@.service
 delete mode 100644 roles/clevis/tasks/main.yml
 delete mode 100644 roles/clevis/templates/99-clevis-fix.conf

diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index f42d5e8fe6..879263a5d3 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -148,6 +148,15 @@ nagios_Check_Services:
 sshd: true
 swap: true
 nat_rules: []
+# default network block device encryption settings for linux-system-roles/nbde_client
+nbde_client_bindings:
+ - device: /dev/md2
+ encryption_password: "{{ nbde_password }}"
+ password_temporary: no
+ threshold: 1
+ servers:
+ - http://tang01.iad2.fedoraproject.org
+ - http://tang02.iad2.fedoraproject.org
 # usually we do not want to enable nested virt, only on some virthosts
 nested: false
 network_connections:
diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml
index 388115feec..23fd4ffd27 100644
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
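Review bot: `password_temporary: no` in the new `nbde_client_bindings` entry uses a YAML 1.1 truthy word where the surrounding context lines (`sshd: true`, `nested: false`) write booleans canonically, so it should be `password_temporary: false`. The comment above the block calls this "network block device encryption", which invites confusion with NBD; the role's name stands for Network-Bound Disk Encryption, so `# default Network-Bound Disk Encryption (NBDE) bindings for linux-system-roles.nbde_client` would be clearer. Moving the bindings from virthost.yml into group_vars/all also makes `/dev/md2` the assumed LUKS device for every host the role is applied to, so a host whose encrypted volume lives elsewhere presumably needs a host- or group-level override. `threshold: 1` with two tang servers means either server alone is sufficient to unlock; if that availability-over-quorum choice is intentional, it is worth a word in the same comment.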
@@ -59,7 +59,7 @@
 - koji_builder
 - { role: bkernel, when: inventory_hostname.startswith('bkernel') }
- - { role: clevis, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
+ - { role: linux-system-roles.nbde_client, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
 - { role: serial-console, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
 - hosts
 - ipa/client
diff --git a/playbooks/groups/openqa-workers.yml b/playbooks/groups/openqa-workers.yml
index 959e5f7dab..ef0c204a96 100644
--- a/playbooks/groups/openqa-workers.yml
+++ b/playbooks/groups/openqa-workers.yml
@@ -21,7 +21,7 @@
 - { role: collectd/base, tags: ['collectd_base'] }
 - { role: sudo, tags: ['sudo'] }
 - { role: openqa/worker, tags: ['openqa_worker'] }
- - { role: clevis, tags: ['clevis'], when: datacenter == 'iad2'}
+ - { role: linux-system-roles.nbde_client, tags: ['nbde_client'], when: datacenter = 'iad2' }
 - apache
 tasks:
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 86824a1818..09f18761e7 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
@@ -14,14 +14,6 @@
 - "/srv/private/ansible/vars.yml"
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
- vars:
- nbde_client_bindings:
- - device: /dev/md2
- encryption_password: "{{ nbde_password }}"
- servers:
- - http://tang01.iad2.fedoraproject.org
- - http://tang02.iad2.fedoraproject.org
-
 pre_tasks:
 - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
 - import_tasks: "{{ tasks_path }}/yumrepos.yml"
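Review bot: The replacement role line in openqa-workers.yml writes the condition as `when: datacenter = 'iad2'` with a single `=`, which is not a valid Jinja2 comparison; Ansible will error out while evaluating the `when` clause instead of skipping the role, whereas the adjacent `serial-console` line in the same file keeps `==`. It should read `- { role: linux-system-roles.nbde_client, tags: ['nbde_client'], when: datacenter == 'iad2' }`. The same single `=` appears on the added line of the second virthost.yml hunk (@@ -38,8 +30,7) and in the autosign.yml and sign-vault.yml hunks, which need the same `==` fix.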
@@ -38,8 +30,7 @@
 - { role: iscsi_client, when: "inventory_hostname.startswith(('bvmhost-x86-06', 'bvmhost-x86-07')) and datacenter == 'iad2'" }
 - sudo
 - virthost
- - { role: clevis, when: datacenter == 'iad2' and not inventory_hostname.startswith('bvmhost-x86-04.stg') }
- - { role: linux-system-roles.nbde_client, when: inventory_hostname.startswith('bvmhost-x86-04.stg') }
+ - { role: linux-system-roles.nbde_client, when: datacenter = 'iad2' }
 - { role: serial-console, when: datacenter == 'iad2' and not inventory_hostname.startswith('buildvmhost-s390x') }
 tasks:
diff --git a/playbooks/manual/autosign.yml b/playbooks/manual/autosign.yml
index edc40480b2..b804ca50fc 100644
--- a/playbooks/manual/autosign.yml
+++ b/playbooks/manual/autosign.yml
@@ -73,7 +73,7 @@
 owner_user: robosignatory
 owner_group: robosignatory
- - { role: clevis, when: datacenter == 'iad2'}
+ - { role: linux-system-roles.nbde_client, when: datacenter = 'iad2' }
 - { role: serial-console, when: datacenter == 'iad2'}
 pre_tasks:
diff --git a/playbooks/manual/sign-vault.yml b/playbooks/manual/sign-vault.yml
index c4f09eb428..824cb45727 100644
--- a/playbooks/manual/sign-vault.yml
+++ b/playbooks/manual/sign-vault.yml
@@ -35,7 +35,7 @@
 roles:
 - base
 - rkhunter
- - { role: clevis, when: datacenter == 'iad2'}
+ - { role: linux-system-roles.nbde_client, when: datacenter = 'iad2' }
 - { role: serial-console, when: datacenter == 'iad2'}
 - sigul/server
diff --git a/roles/clevis/files/flush-dracut-network@.service b/roles/clevis/files/flush-dracut-network@.service
deleted file mode 100644
index 49c22c7412..0000000000
--- a/roles/clevis/files/flush-dracut-network@.service
+++ /dev/null
@@ -1,15 +0,0 @@
-# Remove Dracut's network configuration
-# https://access.redhat.com/solutions/3017441
-# https://unix.stackexchange.com/questions/506331/networkmanager-doesnt-change-ip-address-when-dracut-cmdline-provided-static-ip
-
-[Unit]
-Description=Remove dracut's network configuration for %I
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-ExecStartPre=/usr/sbin/ip address show %i
-ExecStart=/usr/sbin/ip -statistics address flush dev %i
-
-[Install]
-WantedBy=default.target
diff --git a/roles/clevis/tasks/main.yml b/roles/clevis/tasks/main.yml
deleted file mode 100644
index 71c97d5709..0000000000
--- a/roles/clevis/tasks/main.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-- name: copy in dracut config for clevis
- template:
- src: 99-clevis-fix.conf
- dest: /etc/dracut.conf.d/99-clevis-fix.conf
- tags:
- - clevis
-
-- name: copy in the systemd unit file to wipe dracut networking
- copy:
- src=flush-dracut-network@.service
- dest=/etc/systemd/system/flush-dracut-network@.service
- notify:
- reload systemd
- tags:
- - clevis
-
-- name: enable the systemd unit to wipe dracut networking (br0)
- systemd:
- name: flush-dracut-network@{{ br0_dev }}
- enabled: true
- when: br0_dev is defined
- tags:
- - clevis
-
-- name: enable the systemd unit to wipe dracut networking (eno1)
- systemd:
- name: flush-dracut-network@eno1
- enabled: true
- when: eno1_ip is defined
- tags:
- - clevis
-
-- name: enable the systemd unit to wipe dracut networking (eth0)
- systemd:
- name: flush-dracut-network@eth0
- enabled: true
- when: eth0_ip is defined
- tags:
- - clevis
diff --git a/roles/clevis/templates/99-clevis-fix.conf b/roles/clevis/templates/99-clevis-fix.conf
deleted file mode 100644
index 0f416a9311..0000000000
--- a/roles/clevis/templates/99-clevis-fix.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# DHCP for talking to tang server
-{% if br0_ip is defined %}
-kernel_cmdline="ip={{ br0_ip }}::{{ br0_gw }}:{{ br0_nm }}::{{ br0_dev }}:none:{{ dns }}"
-{% elif eth0_ip is defined %}
-kernel_cmdline="ip={{ eth0_ip }}::{{ gw }}:{{ nm }}::eth0:none:{{ dns }}"
-{% elif eth0_ipv4 is defined %}
-kernel_cmdline="ip={{ eth0_ipv4 }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}::eth0:none:{{ dns1 }}"
-{% elif eno1_ip is defined %}
-kernel_cmdline="ip={{ eno1_ip }}::{{ gw }}:{{ nm }}::eno1:none:{{ dns }}"
-{% endif %}
-
-# Don't create /etc/sysconfig/network-scripts/ifcfg-* files during boot
-omit_dracutmodules+=" ifcfg "