base / big network cleanup

Everything should now be using linux-system-roles/network, so we drop
our hacky nmcli calls and everything that referred to them, including
exclude variables. Also, lets just let NM handle resolv.conf so it's not
wrong all the time on reboots.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

inventory/group_vars/aarch64_test

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: true
 freezes: false
 host_group: cloud
 sudoers: "{{ private }}/files/sudo/arm-packager-sudoers"

inventory/group_vars/all

@@ -10,7 +10,6 @@ additional_host_keytabs: []
 ansible_base: /srv/web/infra
 # Default to managing the network, we want to not do this on select
 # hosts (like cloud nodes)
-ansible_ifcfg_blocklist: false
 # List of interfaces to explicitly disable
 ansible_ifcfg_disabled: []
 # on MOST infra systems, the interface connected to the infra network
@@ -172,7 +171,6 @@ nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
 nm: 255.255.255.0
 # Most of our machines have manual resolv.conf files
 # These settings are for machines where NM is supposed to control resolv.conf.
-nm_controlled_resolv: False
 nrpe_check_postfix_queue_crit: 5
 # by default, the number of emails in queue before we whine
 nrpe_check_postfix_queue_warn: 2

inventory/group_vars/buildvm_s390x_stg

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: True
 createrepo: False
 csi_primary_contact: Fedora Admins - admin@fedoraproject.org
 csi_purpose: Koji service employs a set of machines to build packages for the Fedora project. This playbook builds vm builders.

inventory/group_vars/cloud

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: true
 datacenter: cloud
 nagios_Check_Services:
   mail: false

inventory/group_vars/cloud_aws

@@ -5,7 +5,6 @@
 #ansible_become_method: sudo
 
 # Disable ethX ifcfg, let amazon handle these via DHCP.
-ansible_ifcfg_blocklist: true
 datacenter: aws
 nagios_Check_Services:
   dhcpd: false

inventory/group_vars/copr

@@ -1,6 +1,5 @@
 ---
 _forward_src: "forward"
-ansible_ifcfg_blocklist: true
 backend_base_url: "https://download.copr.fedorainfracloud.org"
 builders:
   # max|max_spawn|max_prealloc

inventory/group_vars/copr_aws

@@ -1,6 +1,5 @@
 ---
 _forward_src: "forward"
-ansible_ifcfg_blocklist: true
 aws_arch_subnets:
   # Your requested instance type (a1.xlarge) is not supported in your requested Availability Zone (us-east-1a).
   # Your requested instance type (a1.xlarge) is not supported in your requested Availability Zone (us-east-1d).
@@ -65,7 +64,6 @@ devel: false
 dist_git_base_url: "copr-dist-git.fedorainfracloud.org"
 frontend_base_url: "https://copr.fedorainfracloud.org"
 keygen_host: "54.83.48.73"
-nm_controlled_resolv: True
 postfix_group: copr
 rpm_vendor_copr_name: Fedora Copr
 services_disabled: false

inventory/group_vars/copr_dev

@@ -1,7 +1,6 @@
 ---
 #_forward-src: "{{ files }}/copr/forward-dev"
 _forward_src: "forward_dev"
-ansible_ifcfg_blocklist: true
 backend_base_url: "https://download.copr-dev.fedorainfracloud.org"
 builders:
   # max|max_spawn|max_prealloc

inventory/group_vars/copr_dev_aws

@@ -1,6 +1,5 @@
 ---
 _forward_src: "forward_dev"
-ansible_ifcfg_blocklist: true
 aws_arch_subnets:
   # Your requested instance type (a1.xlarge) is not supported in your requested Availability Zone (us-east-1a).
   # Your requested instance type (a1.xlarge) is not supported in your requested Availability Zone (us-east-1d).
@@ -64,7 +63,6 @@ devel: true
 dist_git_base_url: "copr-dist-git-dev.fedorainfracloud.org"
 frontend_base_url: "https://copr-fe-dev.cloud.fedoraproject.org"
 keygen_host: "54.225.23.248"
-nm_controlled_resolv: True
 postfix_group: copr
 rpm_vendor_copr_name: Fedora Copr (devel)
 services_disabled: false

inventory/group_vars/copr_stg

@@ -1,7 +1,6 @@
 ---
 #_forward-src: "{{ files }}/copr/forward-dev"
 _forward_src: "forward_dev"
-ansible_ifcfg_blocklist: true
 backend_base_url: "https://copr-be-stg.fedorainfracloud.org"
 # don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules
 copr_backend_ips: ["172.25.33.49", "209.132.184.44"]

inventory/group_vars/download_rdu2

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: true
 datacenter: rdu
 # nfs mount options, overrides the all/default
 nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=3"

inventory/group_vars/maintainer_test

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: true
 datacenter: aws
 freezes: false
 ipa_client_shell_groups:

inventory/group_vars/openstack_compute

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: true
 baseiptables: False
 host_group: openstack-compute
 nrpe_procs_crit: 1200

inventory/group_vars/os

@@ -8,5 +8,4 @@ ipa_client_sudo_groups:
 #openshift_ansible_upgrading: False
 ipa_host_group: openshift
 ipa_host_group_desc: OpenShift cluster
-nm_controlled_resolv: True
 no_http2: True

inventory/group_vars/os_stg

@@ -9,5 +9,4 @@ ipa_client_sudo_groups:
 # openshift_ansible_upgrading: True
 ipa_host_group: openshift
 ipa_host_group_desc: OpenShift cluster
-nm_controlled_resolv: True
 no_http2: False

inventory/group_vars/osbs

@@ -20,7 +20,6 @@ ipa_host_group_desc: OpenShift Build Service
 koji_url: "koji.fedoraproject.org"
 lvm_size: 60000
 mem_size: 8192
-nm_controlled_resolv: True
 num_cpus: 2
 #openshift_ansible_upgrading: True
 

inventory/group_vars/osbs_stg

@@ -20,7 +20,6 @@ ipa_host_group_desc: OpenShift Build Service
 koji_url: "koji.stg.fedoraproject.org"
 lvm_size: 60000
 mem_size: 8192
-nm_controlled_resolv: True
 num_cpus: 2
 openshift_ansible_upgrading: True
 # docker images required by OpenShift Origin

inventory/group_vars/retrace

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: true
 custom_rules:
   - '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 2049 -j ACCEPT'
   - '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 5432 -j ACCEPT'

inventory/group_vars/sign_vault

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: true
 freezes: true
 host_group: sign
 nagios_Check_Services:

inventory/host_vars/backup01.iad2.fedoraproject.org

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: true
 datacenter: iad2
 dns1: 10.3.163.33
 dns2: 10.3.163.34

inventory/host_vars/buildvmhost-s390x-01.s390.fedoraproject.org

@@ -1,4 +1,3 @@
-ansible_ifcfg_blocklist: true
 dns1: 10.3.163.33
 dns2: 10.3.163.34
 dns_search1: fedoraproject.org

inventory/host_vars/copr-db-stg.aws.fedoraproject.org

@@ -1,7 +1,6 @@
 ---
 ansible_become: yes
 ansible_become_user: root
-ansible_ifcfg_blocklist: True
 ansible_user: ec2-user
 # Copr vars
 copr_hostbase: copr-db-stg
@@ -33,7 +32,6 @@ nagios_Check_Services:
   raid: false
   sshd: false
   swap: false
-nm_controlled_resolv: True
 public_ip: 52.200.82.86
 root_auth_users: msuchy frostyx praiskup schlupov
 swap_file_path: /swap

inventory/host_vars/copr-dist-git-dev.aws.fedoraproject.org

@@ -1,7 +1,6 @@
 ---
 ansible_become: yes
 ansible_become_user: root
-ansible_ifcfg_blocklist: True
 ansible_ssh_user: fedora
 # Copr vars
 copr_hostbase: copr-dist-git-dev
@@ -23,7 +22,6 @@ nagios_Check_Services:
   raid: false
   sshd: false
   swap: false
-nm_controlled_resolv: True
 public_ip: 54.243.51.13
 root_auth_users: msuchy frostyx praiskup schlupov
 swap_file_path: /swap

inventory/host_vars/copr-dist-git.aws.fedoraproject.org

@@ -1,7 +1,6 @@
 ---
 ansible_become: yes
 ansible_become_user: root
-ansible_ifcfg_blocklist: True
 ansible_ssh_user: fedora
 # Copr vars
 copr_hostbase: copr-dist-git
@@ -26,6 +25,5 @@ nagios_Check_Services:
   raid: false
   sshd: false
   swap: false
-nm_controlled_resolv: True
 public_ip: 3.89.184.181
 root_auth_users: msuchy frostyx praiskup schlupov

inventory/host_vars/copr-fe-dev.aws.fedoraproject.org

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: True
 # Copr vars
 copr_hostbase: copr-fe-dev
 datacenter: aws
@@ -17,7 +16,6 @@ nagios_Check_Services:
   raid: false
   sshd: false
   swap: false
-nm_controlled_resolv: True
 principal_alias: "HTTP/copr-fe-dev.cloud.fedoraproject.org@STG.FEDORAPROJECT.ORG"
 public_ip: 18.208.24.211
 root_auth_users: msuchy frostyx praiskup schlupov ttomecek

inventory/host_vars/copr-fe.aws.fedoraproject.org

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: True
 # this overrides vars/Fedora.yml
 base_pkgs_erase: ['PackageKit*', 'sendmail', 'at']
 # Copr vars
@@ -23,7 +22,6 @@ nagios_Check_Services:
   raid: false
   sshd: false
   swap: false
-nm_controlled_resolv: True
 public_ip: 3.225.109.36
 root_auth_users: msuchy frostyx praiskup schlupov ttomecek
 sar_output_file: copr.json

inventory/host_vars/copr-keygen-dev.aws.fedoraproject.org

@@ -1,7 +1,6 @@
 ---
 ansible_become: yes
 ansible_become_user: root
-ansible_ifcfg_blocklist: True
 ansible_ssh_user: fedora
 datacenter: aws
 #volumes: [ {volume_id: '9e2b4c55-9ec3-4508-af46-a40f3a5bd982', device: '/dev/vdc'} ]
@@ -22,6 +21,5 @@ nagios_Check_Services:
   raid: false
   sshd: false
   swap: false
-nm_controlled_resolv: True
 public_ip: 54.225.23.248
 root_auth_users: msuchy frostyx praiskup schlupov

inventory/host_vars/copr-keygen.aws.fedoraproject.org

@@ -1,7 +1,6 @@
 ---
 ansible_become: yes
 ansible_become_user: root
-ansible_ifcfg_blocklist: True
 ansible_ssh_user: fedora
 datacenter: aws
 db_backup_dir: ['/backup']
@@ -22,6 +21,5 @@ nagios_Check_Services:
   raid: false
   sshd: true
   swap: false
-nm_controlled_resolv: True
 public_ip: 54.83.48.73
 root_auth_users: msuchy frostyx praiskup schlupov

inventory/host_vars/iddev.fedorainfracloud.org

@@ -1,5 +1,4 @@
 ---
-ansible_ifcfg_blocklist: true
 datacenter: aws
 nagios_Check_Services:
   dhcpd: false

inventory/host_vars/retrace-stg.aws.fedoraproject.org

@@ -2,7 +2,6 @@
 #ansible_ssh_user: ec2-user
 #ansible_become_user: root
 #ansible_become: yes
-ansible_ifcfg_blocklist: True
 datacenter: aws
 # Clean-up packages of following EOLed operating systems
 eol_opsys: []
@@ -69,7 +68,6 @@ nagios_Check_Services:
   raid: false
   sshd: false
   swap: false
-nm_controlled_resolv: True
 public_hostname: retrace-stg.aws.fedoraproject.org
 public_ip: 3.228.218.234
 rs_internal_arch_list: [source, x86_64]

roles/base/files/resolv.conf/cloud-noc01.fedorainfracloud.org

@@ -1,4 +0,0 @@
-search cloud.fedoraproject.org fedoraproject.org
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-options rotate timeout:1

roles/base/files/resolv.conf/coloamer

@@ -1,4 +0,0 @@
-search vpn.fedoraproject.org fedoraproject.org
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-options rotate timeout:1

roles/base/files/resolv.conf/copr-aws

@@ -1,4 +0,0 @@
-search fedoraproject.org fedorainfracloud.org
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-nameserver 1.1.1.1

roles/base/files/resolv.conf/dedicatedsolutions

@@ -1,4 +0,0 @@
-search vpn.fedoraproject.org fedoraproject.org
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-options rotate timeout:1

roles/base/files/resolv.conf/fedorainfracloud

@@ -1,4 +0,0 @@
-search fedorainfracloud.org cloud.fedoraproject.org fedoraproject.org
-nameserver 8.43.85.74
-nameserver 140.211.169.201
-options rotate timeout:1

roles/base/files/resolv.conf/host1plus

@@ -1,5 +0,0 @@
-search vpn.fedoraproject.org fedoraproject.org
-nameserver 217.69.160.18
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-options rotate timeout:1

roles/base/files/resolv.conf/iad2

@@ -1,4 +0,0 @@
-search iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org
-nameserver 10.3.163.33
-nameserver 10.3.163.34
-options rotate timeout:1

roles/base/files/resolv.conf/ibiblio

@@ -1,4 +0,0 @@
-search vpn.fedoraproject.org fedoraproject.org
-nameserver 152.2.21.1
-nameserver 152.2.253.100
-options rotate timeout:1

roles/base/files/resolv.conf/internetx

@@ -1,4 +0,0 @@
-search vpn.fedoraproject.org fedoraproject.org
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-options rotate timeout:1

roles/base/files/resolv.conf/kojibuilder

@@ -1,4 +0,0 @@
-search iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org
-nameserver 10.3.163.33
-nameserver 10.3.163.34
-options rotate timeout:1

roles/base/files/resolv.conf/kojibuilder_iad2

@@ -1,4 +0,0 @@
-search iad2.fedoraproject.org vpn.fedoraproject.org fedoraproject.org
-nameserver 10.3.163.33
-nameserver 10.3.163.34
-options rotate timeout:1

roles/base/files/resolv.conf/osuosl

@@ -1,4 +0,0 @@
-search vpn.fedoraproject.org fedoraproject.org
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-options rotate timeout:1

roles/base/files/resolv.conf/rdu

@@ -1,3 +0,0 @@
-search vpn.fedoraproject.org rdu2.fedoraproject.org fedoraproject.org
-nameserver 172.31.2.24
-options rotate timeout:5

roles/base/files/resolv.conf/rdu-cc

@@ -1,4 +0,0 @@
-search vpn.fedoraproject.org fedoraproject.org
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-options rotate timeout:1

roles/base/files/resolv.conf/resolv.conf

@@ -1,4 +0,0 @@
-search vpn.fedoraproject.org fedoraproject.org
-nameserver 8.8.8.8
-nameserver 8.8.4.4
-options rotate timeout:1

roles/base/files/resolv.conf/staging

@@ -1,4 +0,0 @@
-search stg.iad2.fedoraproject.org iad2.fedoraproject.org fedoraproject.org
-nameserver 10.3.163.33
-nameserver 10.3.163.34
-options rotate timeout:1

roles/base/tasks/main.yml

@@ -26,92 +26,6 @@
   tags:
   - selinux
 
-# XXX fixme # a datacenter 'fact' from setup
-- name: /etc/resolv.conf
-  copy: src={{ item }} dest=/etc/resolv.conf
-  when: not nm_controlled_resolv or not network_connections is defined
-  with_first_found:
-  - "{{ resolvconf }}"
-  - resolv.conf/{{ inventory_hostname }}
-  - resolv.conf/{{ host_group }}
-  - resolv.conf/{{ datacenter }}
-  - resolv.conf/resolv.conf
-  tags:
-  - config
-  - resolvconf
-  - base
-  - ifcfg
-
-- name: check for NetworkManager/nmcli
-  command: /usr/bin/test -f /usr/bin/nmcli
-  register: nmclitest
-  ignore_errors: true
-  changed_when: false
-  failed_when: "1 != 1"
-  check_mode: no
-  tags:
-   - config
-   - resolvconf
-   - base
-   - ifcfg
-
-- name: disable resolv.conf control from NM
-  ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
-  notify:
-  - restart NetworkManager
-  when: ansible_distribution_major_version|int >=7 and ansible_distribution == 'RedHat' and nmclitest is success and ( not ansible_ifcfg_blocklist) and ( not nm_controlled_resolv ) and ( not network_connections is defined )
-  tags:
-   - config
-   - resolvconf
-   - base
-   - ifcfg
-
-- name: disable resolv.conf control from NM
-  ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
-  notify:
-  - restart NetworkManager
-  when: ansible_distribution_major_version|int >=29 and ansible_distribution == 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blocklist) and ( not nm_controlled_resolv ) and ( not network_connections is defined )
-  tags:
-   - config
-   - resolvconf
-   - base
-   - ifcfg
-
-- name: get interface uuid
-  shell: nmcli -f "DEVICE,UUID" c show --active | grep -E '^eth|^br|^em|^eno|^enP|^enc900'
-  register: if_uuid
-  changed_when: false
-  failed_when: 'if_uuid.stdout == ""'
-  check_mode: no
-  when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blocklist )
-  tags:
-   - config
-   - ifcfg
-   - base
-
-- name: copy ifcfg files - non virthost
-  template: src=ifcfg.j2 dest=/etc/sysconfig/network-scripts/ifcfg-{{item}} mode=0644
-  with_items:
-  - "{{ ansible_interfaces }}"
-  notify:
-#  - restart NetworkManager
-  - reload NetworkManager-connections
-  - apply interface-changes
-  when:
-  - virthost is not defined
-  - item.startswith(('eth','br','enc','em','eno'))
-  - hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['type'] == 'ether'
-  - hostvars[inventory_hostname]['ansible_' + item.replace('-','_')]['active']
-  - ansible_distribution_major_version|int >=7
-  - nmclitest is success
-  - not ansible_ifcfg_blocklist
-  - ansible_ifcfg_allowlist is not defined or item in ansible_ifcfg_allowlist
-  - not network_connections is defined
-  tags:
-   - config
-   - ifcfg
-   - base
-
 - name: global default packages to install (yum)
   package: state=present name={{ item }}
   with_items:
@@ -157,13 +71,6 @@
   - config
   - base
 
-- name: make sure our resolv.conf is the one being used - set RESOLV_MODS=no in /etc/sysconfig/network
-  lineinfile: dest=/etc/sysconfig/network create=yes backup=yes state=present line='RESOLV_MODS=no' regexp=^RESOLV_MODS=
-  when: not nm_controlled_resolv
-  tags:
-  - config
-  - base
-
 - name: dist pkgs to remove (yum)
   package: state=absent name={{ item }}
   with_items:
@@ -456,24 +363,6 @@
   - config
   - base
 
-#
-# Disable the cdc_ether module as we don't want it loading mgmt usb0 and spewing to logs.
-#
-- name: Disable cdc_ether module
-  copy: src=disable-cdc_ether.conf dest=/etc/modprobe.d/disable-cdc_ether.conf
-  when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host'
-  tags:
-  - config
-  - base
-  - cdc_ether
-
-# Remove old filename for above: remove this when we're pretty sure the file's
-# gone from all hosts
-- name: Remove old cdc_ether config file
-  file:
-    path: /etc/modprobe.d/blacklist-cdc_ether.conf
-    state: absent
-
 #
 # Watchdog stuff
 #