From aa49bc1021319b74a07a4525106f9f36c143bd11 Mon Sep 17 00:00:00 2001 From: Stephen Smoogen Date: Wed, 17 Feb 2021 11:08:03 -0500 Subject: [PATCH] This pull request sets up a vmhost COPR environment in RDU-CC First we add in a vmhost_copr playbook which is basically the regular virthost but meant to limit things for copr admins via rbac. Second we add in host and group variables which will use the ansible module for setting up networks. This allows for bridging to work out of the box and makes sure we know the mac addresses. --- inventory/group_vars/vmhost_copr | 26 ++++++++ .../vmhost-x86-05.rdu-cc.fedoraproject.org | 54 ++++++++++++++-- .../vmhost-x86-06.rdu-cc.fedoraproject.org | 54 ++++++++++++++-- ...vmhost-x86-copr01.rdu-cc.fedoraproject.org | 61 +++++++++++++++---- ...vmhost-x86-copr02.rdu-cc.fedoraproject.org | 22 +++---- ...vmhost-x86-copr03.rdu-cc.fedoraproject.org | 61 +++++++++++++++---- ...vmhost-x86-copr04.rdu-cc.fedoraproject.org | 61 +++++++++++++++---- inventory/inventory | 4 +- playbooks/groups/vmhost_copr.yml | 40 ++++++++++++ 9 files changed, 319 insertions(+), 64 deletions(-) create mode 100644 inventory/group_vars/vmhost_copr create mode 100644 playbooks/groups/vmhost_copr.yml
diff --git a/inventory/group_vars/vmhost_copr b/inventory/group_vars/vmhost_copr
new file mode 100644
index 0000000000..4b13d09f94
--- /dev/null
+++ b/inventory/group_vars/vmhost_copr
@@ -0,0 +1,26 @@
+---
+virthost: true
+
+fas_client_groups: sysadmin-copr,sysadmin-main
+sudoers: "{{ private }}/files/sudo/copr-sudoers"
+
+nrpe_procs_warn: 1400
+nrpe_procs_crit: 1500
+
+# These variables are pushed into /etc/system_identification by the base role.
+# Groups and individual hosts should override them with specific info.
+# See http://infrastructure.fedoraproject.org/csi/security-policy/
+
+vpn: false
+postfix_group: cloud
+freezes: false
+
+csi_security_category: High
+csi_primary_contact: Fedora Admins - admin@fedoraproject.org
+csi_purpose: Host guest virtual machines.
+csi_relationship: |
+ - Guests on this host will be inaccessible if the host is down.
+ - This host will be required by any application with a virtual machine running on it, therefore, if this host is down those applications will be impacted.
+
+nagios_Check_Services:
+ raid: true
diff --git a/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org
index 692e739ebd..4deb9fe021 100644
--- a/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org
+++ b/inventory/host_vars/vmhost-x86-05.rdu-cc.fedoraproject.org
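Review bot: Nothing in this file says that `fas_client_groups` and `sudoers` appear to be what give copr admins login and sudo on these hypervisors, which the file itself rates `csi_security_category: High`; a comment above those two lines would make that explicit, e.g. `# Any host placed in [vmhost_copr] grants login to sysadmin-copr and installs the copr sudoers file.` The sudoers file it points at lives under `{{ private }}`, so the scope of the sudo rules cannot be checked from this patch. The existing comment about `/etc/system_identification` sits above `vpn`, `postfix_group` and `freezes` rather than the `csi_*` keys it seems to describe, and its link uses plain `http://`.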
@@ -1,12 +1,56 @@ --- +datacenter: rdu-cc + nrpe_procs_warn: 900 nrpe_procs_crit: 1000 -br0_ip: 8.43.85.84 -br0_nm: 255.255.254.0 -gw: 8.43.85.254 -dns: 8.8.8.8 -datacenter: rdu-cc vpn: true postfix_group: cloud freezes: false + +gw: 8.43.85.254 +dns: 8.8.8.8 + +has_ipv4: yes +br0_ipv4: 8.43.85.84 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" + +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:f005" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "ec:f4:bb:d2:97:7c" +mac1: "ec:f4:bb:d2:97:7d" +mac2: "ec:f4:bb:d2:97:78" +mac3: "ec:f4:bb:d2:97:7a" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org index ae60f48e49..e82a83adfa 100644 --- a/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-06.rdu-cc.fedoraproject.org 
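Review bot: The `network_connections` block added here is repeated verbatim in the vmhost-x86-06, copr01, copr03 and copr04 hunks (copr02 appears to carry it already), yet every per-host value in it is a variable, so it could be defined once in group vars and leave only the `br0_*` and `macN` values in host_vars. Within the block the resolver list is hard-coded while the top-level `dns: 8.8.8.8` is kept, so the two can drift; either drop the old variable or build the list from it. The IPv6 resolver is the only address left as a plain scalar and would be safer quoted, `- "2001:4860:4860::8888"`. Because the list holds only public resolvers, short names expanded through `dns_search` (including `vpn.fedoraproject.org`) are presumably sent to them; confirm that is intended for these hosts.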
@@ -1,12 +1,56 @@ --- +datacenter: rdu-cc + nrpe_procs_warn: 900 nrpe_procs_crit: 1000 -br0_ip: 8.43.85.85 -br0_nm: 255.255.254.0 -gw: 8.43.85.254 -dns: 8.8.8.8 -datacenter: rdu-cc vpn: true postfix_group: cloud freezes: false + +gw: 8.43.85.254 +dns: 8.8.8.8 + +has_ipv4: yes +br0_ipv4: 8.43.85.85 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" + +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:f006" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "ec:f4:bb:cd:aa:a4" +mac1: "ec:f4:bb:cd:aa:a5" +mac2: "ec:f4:bb:cd:aa:a0" +mac3: "ec:f4:bb:cd:aa:a2" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org index 0386c7c509..d7424de8b4 100644 --- a/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-copr01.rdu-cc.fedoraproject.org 
@@ -1,18 +1,53 @@ --- -fas_client_groups: sysadmin-copr,sysadmin-main -sudoers: "{{ private }}/files/sudo/copr-sudoers" -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 -br0_ip: 8.43.85.57 -br0_nm: 255.255.254.0 +datacenter: rdu-cc + gw: 8.43.85.254 dns: 8.8.8.8 -has_ipv6: yes -eth0_ipv6: "2620:52:3:1:dead:beef:cafe:c001" -eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" +has_ipv4: yes +br0_ipv4: 8.43.85.57 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" -datacenter: rdu-cc -vpn: false -postfix_group: cloud -freezes: false +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:c001" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "f4:02:70:d0:05:00" +mac1: "f4:02:70:d0:05:01" +mac2: "b0:26:28:d1:df:00" +mac3: "b0:26:28:d1:df:01" +mac4: "b4:96:91:63:3b:e8" +mac5: "b4:96:91:63:3b:e9" +mac6: "b4:96:91:63:3b:ea" +mac7: "b4:96:91:63:3b:eb" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org index 98b1249722..29f4fee4c6 100644 --- a/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-copr02.rdu-cc.fedoraproject.org 
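Review bot: With `fas_client_groups` and `sudoers` deleted from host_vars, who can log in and which sudo rules apply on this host now depend entirely on the host staying under `[vmhost_copr]` in the inventory; the same holds for the copr02, copr03 and copr04 hunks. A short comment at the top of each file, e.g. `# access (fas_client_groups, sudoers) comes from group_vars/vmhost_copr`, would make that dependency visible where people look first. The hunk also retires `br0_ip`, `br0_nm`, `eth0_ipv6` and `eth0_ipv6_gw` in favour of new names (the vmhost-x86-05 and -06 hunks drop `br0_ip`/`br0_nm` the same way), so any role or template still reading the old names should be checked before this is applied. `nrpe_procs_warn`/`nrpe_procs_crit` rise from 900/1000 to the group's 1400/1500 as a side effect.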
@@ -1,28 +1,23 @@ --- -fas_client_groups: sysadmin-copr,sysadmin-main -sudoers: "{{ private }}/files/sudo/copr-sudoers" -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 +datacenter: rdu-cc + gw: 8.43.85.254 dns: 8.8.8.8 has_ipv4: yes br0_ipv4: 8.43.85.58 -br0_ipv4_nm: 255.255.254.0 +br0_ipv4_nm: 23 br0_ipv4_gw: "{{ gw }}" has_ipv6: yes br0_ipv6: "2620:52:3:1:dead:beef:cafe:c002" +br0_ipv6_nm: 64 br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" -datacenter: rdu-cc -vpn: false -postfix_group: cloud -freezes: false mac0: "f4:02:70:d0:04:5e" -mac1: "b4:96:91:63:3b:9c" -mac2: "f4:02:70:d0:04:5f" +mac1: "f4:02:70:d0:04:5f" +mac2: "b4:96:91:63:3b:9c" mac3: "b4:96:91:63:3b:9d" mac4: "b4:96:91:63:3b:9e" mac5: "b4:96:91:63:3b:9f" @@ -36,8 +31,8 @@ network_connections: autoconnect: yes ip: address: - - "{{ br0_ipv4 }}/24" - - "{{ br0_ipv6 }}/64" + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" gateway4: "{{ br0_ipv4_gw }}" gateway6: "{{ br0_ipv6_gw }}" dns: @@ -56,3 +51,4 @@ network_connections: master: br0 mac: "{{ br0_port0_mac }}" + diff --git a/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org index c5900b175f..2e95ed3b82 100644 --- a/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-copr03.rdu-cc.fedoraproject.org 
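Review bot: `br0_ipv4_nm` silently changes meaning in the first hunk, from a dotted netmask to a prefix length, and the second hunk then feeds it into the address, so the bridge moves from the hard-coded `/24` to `/23` on the next run; a one-line comment such as `# prefix length (CIDR), not a dotted netmask` above the variable would keep a later editor from restoring the old form. `mac1` and `mac2` also swap values with no statement of what the numbering follows; only `mac0` is consumed here through `br0_port0_mac`, so a short comment on the ordering convention would help. The last hunk only appends a blank line at end of file and can be dropped.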
@@ -1,18 +1,53 @@ --- -fas_client_groups: sysadmin-copr,sysadmin-main -sudoers: "{{ private }}/files/sudo/copr-sudoers" -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 -br0_ip: 8.43.85.59 -br0_nm: 255.255.254.0 +datacenter: rdu-cc + gw: 8.43.85.254 dns: 8.8.8.8 -has_ipv6: yes -eth0_ipv6: "2620:52:3:1:dead:beef:cafe:c003" -eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" +has_ipv4: yes +br0_ipv4: 8.43.85.59 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" -datacenter: rdu-cc -vpn: false -postfix_group: cloud -freezes: false +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:c003" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "f4:02:70:d3:42:48" +mac1: "f4:02:70:d3:42:49" +mac2: "b0:26:28:d1:dd:c0" +mac3: "b0:26:28:d1:dd:c1" +mac4: "b4:96:91:63:3b:50" +mac5: "b4:96:91:63:3b:51" +mac6: "b4:96:91:63:3b:52" +mac7: "b4:96:91:63:3b:53" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org b/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org index 6b0a650d58..22b7475c97 100644 --- a/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org +++ b/inventory/host_vars/vmhost-x86-copr04.rdu-cc.fedoraproject.org 
@@ -1,18 +1,53 @@ --- -fas_client_groups: sysadmin-copr,sysadmin-main -sudoers: "{{ private }}/files/sudo/copr-sudoers" -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 -br0_ip: 8.43.85.60 -br0_nm: 255.255.254.0 +datacenter: rdu-cc + gw: 8.43.85.254 dns: 8.8.8.8 -has_ipv6: yes -eth0_ipv6: "2620:52:3:1:dead:beef:cafe:c004" -eth0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" +has_ipv4: yes +br0_ipv4: 8.43.85.60 +br0_ipv4_nm: 23 +br0_ipv4_gw: "{{ gw }}" -datacenter: rdu-cc -vpn: false -postfix_group: cloud -freezes: false +has_ipv6: yes +br0_ipv6: "2620:52:3:1:dead:beef:cafe:c004" +br0_ipv6_nm: 64 +br0_ipv6_gw: "2620:52:3:1:ffff:ffff:ffff:fffe" + +mac0: "f4:02:70:d0:04:4a" +mac1: "f4:02:70:d0:04:4b" +mac2: "b0:26:28:d1:e0:f0" +mac3: "b0:26:28:d1:e0:f1" +mac4: "b4:96:91:63:3a:a0" +mac5: "b4:96:91:63:3a:a1" +mac6: "b4:96:91:63:3a:a2" +mac7: "b4:96:91:63:3a:a3" + +br0_port0_mac: "{{ mac0 }}" + +network_connections: + - name: br0 + state: up + type: bridge + autoconnect: yes + ip: + address: + - "{{ br0_ipv4 }}/{{ br0_ipv4_nm }}" + - "{{ br0_ipv6 }}/{{ br0_ipv6_nm }}" + gateway4: "{{ br0_ipv4_gw }}" + gateway6: "{{ br0_ipv6_gw }}" + dns: + - 8.8.8.8 + - 8.8.4.4 + - 2001:4860:4860::8888 + dns_search: + - fedoraproject.org + - vpn.fedoraproject.org + - rdu-cc.fedoraproject.org + dhcp4: no + auto6: no + - name: br0-port0 + state: up + type: ethernet + master: br0 + mac: "{{ br0_port0_mac }}" diff --git a/inventory/inventory b/inventory/inventory index f975eed9dd..158be93258 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -113,8 +113,8 @@ virthost-rdu01.fedoraproject.org virthost-cc-rdu01.fedoraproject.org virthost-cc-rdu02.fedoraproject.org virthost-cc-rdu03.fedoraproject.org -#virthost-cloud01.fedorainfracloud.org -#cloudvmhost-aarch64-01.fedorainfracloud.org + +[vmhost_copr] vmhost-x86-copr01.rdu-cc.fedoraproject.org vmhost-x86-copr02.rdu-cc.fedoraproject.org vmhost-x86-copr03.rdu-cc.fedoraproject.org 
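Review bot: The new `[vmhost_copr]` header captures vmhost-x86-copr01 and every entry after it up to the next section header, and the hunk shows only three of those entries, so the rest of the run is outside what can be reviewed here. Any host in that run that is not a copr hypervisor would pick up `sysadmin-copr` access and the copr sudoers file from group_vars/vmhost_copr, and all of them leave the group that still ends at virthost-cc-rdu03, losing its group_vars and plays unless `vmhost_copr` is also listed as a child of it. A comment directly above the header, for example `# copr-admin managed hypervisors; membership grants sysadmin-copr access`, would flag that adding a line here is an access decision.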
diff --git a/playbooks/groups/vmhost_copr.yml b/playbooks/groups/vmhost_copr.yml
new file mode 100644
index 0000000000..29ff1beb27
--- /dev/null
+++ b/playbooks/groups/vmhost_copr.yml
@@ -0,0 +1,40 @@
+# create a new virthost server system
+# This is a copy of the main one which is meant to be limited ONLY to vmhost_copr group for rbac
+# NOTE: should be used with --limit most of the time
+# NOTE: most of these vars_path come from group_vars/backup_server or from hostvars
+
+- import_playbook: "/srv/web/infra/ansible/playbooks/include/happy_birthday.yml myhosts=vmhost_copr:!buildvmhost-s390x-01.s390.fedoraproject.org"
+
+- name: make virthost server system
+ hosts: vmhost_copr
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ pre_tasks:
+ - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
+ - import_tasks: "{{ tasks_path }}/yumrepos.yml"
+
+ roles:
+ - base
+ - rkhunter
+ - nagios_client
+ - hosts
+ - { role: ipa/client, when: env == "staging" }
+ - { role: fas_client, when: env != "staging" }
+ - collectd/base
+ - sudo
+ - { role: openvpn/client, when: vpn|bool }
+ - virthost
+
+ tasks:
+ - import_tasks: "{{ tasks_path }}/2fa_client.yml"
+ when: env != 'staging'
+ - import_tasks: "{{ tasks_path }}/motd.yml"
+
+ handlers:
+ - import_tasks: "{{ handlers_path }}/restart_services.yml"
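Review bot: The header comments and the `import_playbook` line are carried over from the playbook this was copied from and no longer describe this file: `group_vars/backup_server` is unlikely to be where these variables come from, and the `!buildvmhost-s390x-01.s390.fedoraproject.org` exclusion matches nothing in `vmhost_copr` as far as the inventory hunk shows. Since the file exists to scope an rbac grant, the first comment should say so plainly, for example `# Runs the virthost setup against [vmhost_copr] only; this is the playbook copr admins may run via rbac.`, and `myhosts=vmhost_copr` is enough. `env` is used in three `when:` clauses but is not set in the new group_vars file, so it presumably comes from a wider default; worth confirming for these hosts. `gather_facts: True` would read more consistently as `true`.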