diff --git a/inventory/group_vars/beaker-virthosts b/inventory/group_vars/beaker-virthosts
new file mode 100644
index 0000000000..d545764330
--- /dev/null
+++ b/inventory/group_vars/beaker-virthosts
@@ -0,0 +1,7 @@
+---
+virthost: true
+nrpe_procs_warn: 900
+nrpe_procs_crit: 1000
+
+libvirt_remote_pubkey: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsxg20+vmLTt/U23x6yBtxU6N2Ool8ddlC5TFwr3FktCM7hcxkQ/funJ3VD5v9iN7Qg09g2YsPaPTfvmOPOP4bzX+/Fk8vJJb5nVg++XbS80Uw62eofr8g68ZPf6IWLEBiZ8/hmumK3TxTmsj/jn17bZBFTcQL7sB7Q4y7TxODt+5W9/0mJTLXbKoCvV+BCpxEfokx+50vVcX5CxXLHdgrdhPzKHcBHKtX6d2W8xzFj2dCThgAXl5tULYI1xP0BYTOtG+RaTNQWme4JxNlQZB8xbCxN2U+e1NpZl1Hn7Y9MbRL+nLfMIuWNJjYzUTGP3o9m2Tl9RCc2nhuS652rjfcQ== tflink@imagebuilder.qa.fedoraproject.org'
+libvirt_user: "{{ beaker_libvirt_user }}"
diff --git a/inventory/inventory b/inventory/inventory
index 70ec84bfff..056b776181 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -7,6 +7,9 @@ [beaker] beaker01.qa.fedoraproject.org +[beaker-virthosts] +qa02.qa.fedoraproject.org + [qadevel] qadevel.qa.fedoraproject.org
@@ -614,7 +617,6 @@ virthost16.phx2.fedoraproject.org virthost17.phx2.fedoraproject.org virthost18.phx2.fedoraproject.org qa01.qa.fedoraproject.org -qa02.qa.fedoraproject.org qa03.qa.fedoraproject.org qa04.qa.fedoraproject.org qa05.qa.fedoraproject.org
diff --git a/playbooks/groups/beaker-virthosts.yml b/playbooks/groups/beaker-virthosts.yml
new file mode 100644
index 0000000000..e1e5db918a
--- /dev/null
+++ b/playbooks/groups/beaker-virthosts.yml
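Review bot: In inventory/group_vars/beaker-virthosts, `libvirt_remote_pubkey` is a personal key (`tflink@imagebuilder.qa.fedoraproject.org`) with no comment saying what it is for, while the role added in this commit pairs it with a polkit rule that grants libvirt management on the host. A comment such as `# key the image builder uses to reach libvirt over ssh; grants libvirt management on these hosts` would tell the next maintainer what rotating or removing it affects (the purpose is inferred from the key comment, so confirm it). The blob encodes a 2048-bit RSA key with public exponent 35, which suggests an older ssh-keygen produced it; a freshly generated key used only for this role would be easier to scope and revoke. `beaker_libvirt_user` is not defined anywhere in this diff, so it presumably comes from another vars file.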
@@ -0,0 +1,37 @@
+# create a new beaker virthost server system
+# NOTE: should be used with --limit most of the time
+# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
+# This has an extra role that configures the virthost to be used with beaker for
+# virtual machine clients
+
+- name: make virthost server system
+ hosts: beaker-virthosts
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - base
+ - rkhunter
+ - { role: denyhosts, when: ansible_distribution_major_version != '7' }
+ - nagios_client
+ - hosts
+ - fas_client
+ - collectd/base
+ - { role: iscsi_client, when: datacenter == "phx2" }
+ - sudo
+ - { role: openvpn/client, when: datacenter != "phx2" }
+ - role: beaker/virthost
+
+ tasks:
+ - include: "{{ tasks }}/yumrepos.yml"
+ - include: "{{ tasks }}/2fa_client.yml"
+ - include: "{{ tasks }}/motd.yml"
+ - include: "{{ tasks }}/virthost.yml"
+
+ handlers:
+ - include: "{{ handlers }}/restart_services.yml"
diff --git a/roles/beaker/virthost/files/polkit/10-libvirt.rules b/roles/beaker/virthost/files/polkit/10-libvirt.rules
new file mode 100644
index 0000000000..c93cca6335
--- /dev/null
+++ b/roles/beaker/virthost/files/polkit/10-libvirt.rules
@@ -0,0 +1,4 @@
+polkit.addRule(function (action, subject) {
+ if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("kvm"))
+ return polkit.Result.YES;
+});
diff --git a/roles/beaker/virthost/tasks/main.yml b/roles/beaker/virthost/tasks/main.yml
new file mode 100644
index 0000000000..6329c4a7f2
--- /dev/null
+++ b/roles/beaker/virthost/tasks/main.yml
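Review bot: The header comment in playbooks/groups/beaker-virthosts.yml still says `most of these vars_path come from group_vars/backup_server`, which looks carried over from another playbook, while this play targets `beaker-virthosts`. It should read something like `# NOTE: most of these vars come from group_vars/beaker-virthosts or from hostvars`. The header could also say that the `beaker/virthost` role adds an SSH-reachable account with libvirt management rights, since that is the security-relevant difference from an ordinary virthost.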
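Review bot: The rule in roles/beaker/virthost/files/polkit/10-libvirt.rules answers YES to `org.libvirt.unix.manage` for every member of `kvm`, without a password prompt and without checking which account is asking. Access to the libvirt management socket is generally treated as root-equivalent on the host, and `kvm` is a system group that may have members other than the one account this role creates. Consider matching a group created only for this purpose, e.g. `if (action.id === "org.libvirt.unix.manage" && subject.isInGroup("<dedicated-group>")) {` (the group name is a placeholder, and the `user` task would need to create and assign it). A comment above the rule should state that it grants password-less libvirt management to that group.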
@@ -0,0 +1,19 @@
+- name: add libvirt remote user
+ user:
+ name: "{{ libvirt_user }}"
+ groups: kvm
+
+- name: add ssh key for libvirt remote user
+ authorized_key:
+ user: "{{ libvirt_user }}"
+ path: /home/{{ libvirtuser }}/.ssh/authorized_keys
+ key: "{{ libvirt_remote_pubkey }}"
+
+- name: add polkit rule for users in kvm group
+ copy:
+ src: polkit/10-libvirt.rules
+ dest: /etc/polkit-1/rules.d/10-libvirt.rules
+ owner: root
+ group: root
+ mode: 0644
+
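Review bot: The `authorized_key` task in roles/beaker/virthost/tasks/main.yml builds `path` from `{{ libvirtuser }}`, but the variable used everywhere else is `libvirt_user`. The task will fail on an undefined variable, or write to an unintended location if something else defines `libvirtuser`. Use `path: /home/{{ libvirt_user }}/.ssh/authorized_keys`, or drop `path` and let the module use the account's default authorized_keys file. In the `user` task, `groups: kvm` without `append: yes` replaces the account's other supplementary groups, which is worth confirming as intended. Because this key leads to libvirt management, consider also setting `key_options` (for instance `no-pty,no-agent-forwarding,no-X11-forwarding`) if the remote client does not need those features.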