This pull request sets up a vmhost COPR environment in RDU-CC

First we add in a vmhost_copr playbook which is basically the regular virthost but meant to limit things for copr admins via rbac. Second we add in host and group variables which will use the ansible module for setting up networks. This allows for bridging to work out of the box and makes sure we know the mac addresses.
2021-02-17 11:08:03 -05:00 · 2021-02-17 11:08:03 -05:00 · aa49bc1021
commit aa49bc1021
parent 20232f0d7b
9 changed files with 319 additions and 64 deletions
--- a/inventory/group_vars/vmhost_copr
+++ b/inventory/group_vars/vmhost_copr
@ -0,0 +1,26 @@
+---
+virthost: true
+
+fas_client_groups: sysadmin-copr,sysadmin-main
+sudoers: "{{ private }}/files/sudo/copr-sudoers"
+
+nrpe_procs_warn: 1400
+nrpe_procs_crit: 1500
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should override them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+vpn: false
+postfix_group: cloud
+freezes: false
+
+csi_security_category: High
+csi_primary_contact: Fedora Admins - admin@fedoraproject.org
+csi_purpose: Host guest virtual machines.
+csi_relationship: |
+   - Guests on this host will be inaccessible if the host is down.
+   - This host will be required by any application with a virtual machine running on it, therefore, if this host is down those applications will be impacted.
+
+nagios_Check_Services:
+  raid: true
--- a/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org
+++ b/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org
@ -1,12 +1,56 @@
 ---
+datacenter: rdu-cc
+
 nrpe_procs_warn: 900
 nrpe_procs_crit: 1000
-br0_ip: 8.43.85.84
-br0_nm: 255.255.254.0
-gw: 8.43.85.254
-dns: 8.8.8.8

-datacenter: rdu-cc
 vpn: true
 postfix_group: cloud
 freezes: false
+
+gw: 8.43.85.254
+dns: 8.8.8.8
+
+has_ipv4: yes
+br0_ipv4: 8.43.85.84
+br0_ipv4_nm: 23
+br0_ipv4_gw: "{{ gw }}"
+
+has_ipv6: yes
+br0_ipv6: "2620:52:3:1:dead:beef:cafe:f005"
+br0_ipv6_nm: 64
+br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
+
+mac0: "ec:f4:bb:d2:97:7c"
+mac1: "ec:f4:bb:d2:97:7d"
+mac2: "ec:f4:bb:d2:97:78"
+mac3: "ec:f4:bb:d2:97:7a"
+
+br0_port0_mac: "{{ mac0 }}"
+
+network_connections:
+  - name: br0
+    state: up
+    type: bridge
+    autoconnect: yes
+    ip:
+      address: 
+      - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}"
+      - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}"
+      gateway4: "{{ br0_ipv4_gw }}"
+      gateway6: "{{ br0_ipv6_gw }}"
+      dns: 
+      - 8.8.8.8
+      - 8.8.4.4
+      - 2001:4860:4860::8888
+      dns_search: 
+      - fedoraproject.org
+      - vpn.fedoraproject.org
+      - rdu-cc.fedoraproject.org
+      dhcp4: no
+      auto6: no
+  - name: br0-port0
+    state: up
+    type: ethernet
+    master: br0
+    mac: "{{ br0_port0_mac }}"
--- a/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org
+++ b/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org
@ -1,12 +1,56 @@
 ---
+datacenter: rdu-cc
+
 nrpe_procs_warn: 900
 nrpe_procs_crit: 1000
-br0_ip: 8.43.85.85
-br0_nm: 255.255.254.0
-gw: 8.43.85.254
-dns: 8.8.8.8

-datacenter: rdu-cc
 vpn: true
 postfix_group: cloud
 freezes: false
+
+gw: 8.43.85.254
+dns: 8.8.8.8
+
+has_ipv4: yes
+br0_ipv4: 8.43.85.85
+br0_ipv4_nm: 23
+br0_ipv4_gw: "{{ gw }}"
+
+has_ipv6: yes
+br0_ipv6: "2620:52:3:1:dead:beef:cafe:f006"
+br0_ipv6_nm: 64
+br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
+
+mac0: "ec:f4:bb:cd:aa:a4"
+mac1: "ec:f4:bb:cd:aa:a5"
+mac2: "ec:f4:bb:cd:aa:a0"
+mac3: "ec:f4:bb:cd:aa:a2"
+
+br0_port0_mac: "{{ mac0 }}"
+
+network_connections:
+  - name: br0
+    state: up
+    type: bridge
+    autoconnect: yes
+    ip:
+      address: 
+      - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}"
+      - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}"
+      gateway4: "{{ br0_ipv4_gw }}"
+      gateway6: "{{ br0_ipv6_gw }}"
+      dns: 
+      - 8.8.8.8
+      - 8.8.4.4
+      - 2001:4860:4860::8888
+      dns_search: 
+      - fedoraproject.org
+      - vpn.fedoraproject.org
+      - rdu-cc.fedoraproject.org
+      dhcp4: no
+      auto6: no
+  - name: br0-port0
+    state: up
+    type: ethernet
+    master: br0
+    mac: "{{ br0_port0_mac }}"
--- a/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org
+++ b/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org
@ -1,18 +1,53 @@
 ---
-fas_client_groups: sysadmin-copr,sysadmin-main
-sudoers: "{{ private }}/files/sudo/copr-sudoers"
-nrpe_procs_warn: 900
-nrpe_procs_crit: 1000
-br0_ip: 8.43.85.57
-br0_nm: 255.255.254.0
+datacenter: rdu-cc
+
 gw: 8.43.85.254
 dns: 8.8.8.8

-has_ipv6: yes
-eth0_ipv6: "2620:52:3:1:dead:beef:cafe:c001"
-eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
+has_ipv4: yes
+br0_ipv4: 8.43.85.57
+br0_ipv4_nm: 23
+br0_ipv4_gw: "{{ gw }}"

-datacenter: rdu-cc
-vpn: false
-postfix_group: cloud
-freezes: false
+has_ipv6: yes
+br0_ipv6: "2620:52:3:1:dead:beef:cafe:c001"
+br0_ipv6_nm: 64
+br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
+
+mac0: "f4:02:70:d0:05:00"
+mac1: "f4:02:70:d0:05:01"
+mac2: "b0:26:28:d1:df:00"
+mac3: "b0:26:28:d1:df:01"
+mac4: "b4:96:91:63:3b:e8"
+mac5: "b4:96:91:63:3b:e9"
+mac6: "b4:96:91:63:3b:ea"
+mac7: "b4:96:91:63:3b:eb"
+
+br0_port0_mac: "{{ mac0 }}"
+
+network_connections:
+  - name: br0
+    state: up
+    type: bridge
+    autoconnect: yes
+    ip:
+      address: 
+      - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}"
+      - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}"
+      gateway4: "{{ br0_ipv4_gw }}"
+      gateway6: "{{ br0_ipv6_gw }}"
+      dns: 
+      - 8.8.8.8
+      - 8.8.4.4
+      - 2001:4860:4860::8888
+      dns_search: 
+      - fedoraproject.org
+      - vpn.fedoraproject.org
+      - rdu-cc.fedoraproject.org
+      dhcp4: no
+      auto6: no
+  - name: br0-port0
+    state: up
+    type: ethernet
+    master: br0
+    mac: "{{ br0_port0_mac }}"
--- a/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org
+++ b/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org
@ -1,28 +1,23 @@
 ---
-fas_client_groups: sysadmin-copr,sysadmin-main
-sudoers: "{{ private }}/files/sudo/copr-sudoers"
-nrpe_procs_warn: 900
-nrpe_procs_crit: 1000
+datacenter: rdu-cc
+
 gw: 8.43.85.254
 dns: 8.8.8.8

 has_ipv4: yes
 br0_ipv4: 8.43.85.58
-br0_ipv4_nm: 255.255.254.0
+br0_ipv4_nm: 23
 br0_ipv4_gw: "{{ gw }}"

 has_ipv6: yes
 br0_ipv6: "2620:52:3:1:dead:beef:cafe:c002"
+br0_ipv6_nm: 64
 br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"

-datacenter: rdu-cc
-vpn: false
-postfix_group: cloud
-freezes: false

 mac0: "f4:02:70:d0:04:5e"
-mac1: "b4:96:91:63:3b:9c"
-mac2: "f4:02:70:d0:04:5f"
+mac1: "f4:02:70:d0:04:5f"
+mac2: "b4:96:91:63:3b:9c"
 mac3: "b4:96:91:63:3b:9d"
 mac4: "b4:96:91:63:3b:9e"
 mac5: "b4:96:91:63:3b:9f"
@ -36,8 +31,8 @@ network_connections:
    autoconnect: yes
    ip:
      address: 
-      - "{{ br0_ipv4 }}/24"
-      - "{{ br0_ipv6 }}/64"
+      - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}"
+      - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}"
      gateway4: "{{ br0_ipv4_gw }}"
      gateway6: "{{ br0_ipv6_gw }}"
      dns: 
@ -56,3 +51,4 @@ network_connections:
    master: br0
    mac: "{{ br0_port0_mac }}"

+
--- a/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org
+++ b/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org
@ -1,18 +1,53 @@
 ---
-fas_client_groups: sysadmin-copr,sysadmin-main
-sudoers: "{{ private }}/files/sudo/copr-sudoers"
-nrpe_procs_warn: 900
-nrpe_procs_crit: 1000
-br0_ip: 8.43.85.59
-br0_nm: 255.255.254.0
+datacenter: rdu-cc
+
 gw: 8.43.85.254
 dns: 8.8.8.8

-has_ipv6: yes
-eth0_ipv6: "2620:52:3:1:dead:beef:cafe:c003"
-eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
+has_ipv4: yes
+br0_ipv4: 8.43.85.59
+br0_ipv4_nm: 23
+br0_ipv4_gw: "{{ gw }}"

-datacenter: rdu-cc
-vpn: false
-postfix_group: cloud
-freezes: false
+has_ipv6: yes
+br0_ipv6: "2620:52:3:1:dead:beef:cafe:c003"
+br0_ipv6_nm: 64
+br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
+
+mac0: "f4:02:70:d3:42:48"
+mac1: "f4:02:70:d3:42:49"
+mac2: "b0:26:28:d1:dd:c0"
+mac3: "b0:26:28:d1:dd:c1"
+mac4: "b4:96:91:63:3b:50"
+mac5: "b4:96:91:63:3b:51"
+mac6: "b4:96:91:63:3b:52"
+mac7: "b4:96:91:63:3b:53"
+
+br0_port0_mac: "{{ mac0 }}"
+
+network_connections:
+  - name: br0
+    state: up
+    type: bridge
+    autoconnect: yes
+    ip:
+      address: 
+      - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}"
+      - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}"
+      gateway4: "{{ br0_ipv4_gw }}"
+      gateway6: "{{ br0_ipv6_gw }}"
+      dns: 
+      - 8.8.8.8
+      - 8.8.4.4
+      - 2001:4860:4860::8888
+      dns_search: 
+      - fedoraproject.org
+      - vpn.fedoraproject.org
+      - rdu-cc.fedoraproject.org
+      dhcp4: no
+      auto6: no
+  - name: br0-port0
+    state: up
+    type: ethernet
+    master: br0
+    mac: "{{ br0_port0_mac }}"
--- a/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org
+++ b/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org
@ -1,18 +1,53 @@
 ---
-fas_client_groups: sysadmin-copr,sysadmin-main
-sudoers: "{{ private }}/files/sudo/copr-sudoers"
-nrpe_procs_warn: 900
-nrpe_procs_crit: 1000
-br0_ip: 8.43.85.60
-br0_nm: 255.255.254.0
+datacenter: rdu-cc
+
 gw: 8.43.85.254
 dns: 8.8.8.8

-has_ipv6: yes
-eth0_ipv6: "2620:52:3:1:dead:beef:cafe:c004"
-eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
+has_ipv4: yes
+br0_ipv4: 8.43.85.60
+br0_ipv4_nm: 23
+br0_ipv4_gw: "{{ gw }}"

-datacenter: rdu-cc
-vpn: false
-postfix_group: cloud
-freezes: false
+has_ipv6: yes
+br0_ipv6: "2620:52:3:1:dead:beef:cafe:c004"
+br0_ipv6_nm: 64
+br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe"
+
+mac0: "f4:02:70:d0:04:4a"
+mac1: "f4:02:70:d0:04:4b"
+mac2: "b0:26:28:d1:e0:f0"
+mac3: "b0:26:28:d1:e0:f1"
+mac4: "b4:96:91:63:3a:a0"
+mac5: "b4:96:91:63:3a:a1"
+mac6: "b4:96:91:63:3a:a2"
+mac7: "b4:96:91:63:3a:a3"
+
+br0_port0_mac: "{{ mac0 }}"
+
+network_connections:
+  - name: br0
+    state: up
+    type: bridge
+    autoconnect: yes
+    ip:
+      address: 
+      - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}"
+      - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}"
+      gateway4: "{{ br0_ipv4_gw }}"
+      gateway6: "{{ br0_ipv6_gw }}"
+      dns: 
+      - 8.8.8.8
+      - 8.8.4.4
+      - 2001:4860:4860::8888
+      dns_search: 
+      - fedoraproject.org
+      - vpn.fedoraproject.org
+      - rdu-cc.fedoraproject.org
+      dhcp4: no
+      auto6: no
+  - name: br0-port0
+    state: up
+    type: ethernet
+    master: br0
+    mac: "{{ br0_port0_mac }}"
--- a/inventory/inventory
+++ b/inventory/inventory
@ -113,8 +113,8 @@ virthost-rdu01.fedoraproject.org
 virthost-cc-rdu01.fedoraproject.org
 virthost-cc-rdu02.fedoraproject.org
 virthost-cc-rdu03.fedoraproject.org
-#virthost-cloud01.fedorainfracloud.org
-#cloudvmhost-aarch64-01.fedorainfracloud.org
+
+[vmhost_copr]
 vmhost-x86-copr01.rdu-cc.fedoraproject.org
 vmhost-x86-copr02.rdu-cc.fedoraproject.org
 vmhost-x86-copr03.rdu-cc.fedoraproject.org
--- a/playbooks/groups/vmhost_copr.yml
+++ b/playbooks/groups/vmhost_copr.yml
@ -0,0 +1,40 @@
+# create a new virthost server system
+# This is a copy of the main one which is meant to be limited ONLY to vmhost_copr group for rbac
+# NOTE: should be used with --limit most of the time
+# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
+
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=vmhost_copr:!buildvmhost-s390x-01.s390.fedoraproject.org"
+
+- name: make virthost server system
+  hosts: vmhost_copr
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "/srv/private/ansible/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  pre_tasks:
+  - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
+  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+  roles:
+  - base
+  - rkhunter
+  - nagios_client
+  - hosts
+  - { role: ipa/client, when: env == "staging" }
+  - { role: fas_client, when: env != "staging" }
+  - collectd/base
+  - sudo
+  - { role: openvpn/client, when: vpn|bool }
+  - virthost
+
+  tasks:
+  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+    when: env != 'staging'
+  - import_tasks: "{{ tasks_path }}/motd.yml"
+
+  handlers:
+  - import_tasks: "{{ handlers_path }}/restart_services.yml"