From 0680dd6f18f009ffe784e5c1dd11b123fe1c6e1c Mon Sep 17 00:00:00 2001 From: Sven Velt Date: Sat, 28 Nov 2020 16:12:53 +0100 Subject: [PATCH] Cleaned up, untested --- .gitignore | 1 + .gitmodules | 3 + .submodules/ansible-lxc-ssh | 1 + ansible.cfg | 18 ++++ connection_plugins/lxc_ssh.py | 1 + create_inventory_lxc.yml | 118 ++++++++++++++++++++++++++ files/etc/dnsmasq.d/br-lxc | 17 ++++ files/etc/lxc/ansible.conf | 13 +++ files/etc/network/interfaces.d/br-lxc | 9 ++ hosts.example | 65 ++++++++++++++ prepare_lxc_hosts.yml | 87 +++++++++++++++++++ 11 files changed, 333 insertions(+) create mode 100644 .gitmodules create mode 160000 .submodules/ansible-lxc-ssh create mode 100644 ansible.cfg create mode 120000 connection_plugins/lxc_ssh.py create mode 100644 create_inventory_lxc.yml create mode 100644 files/etc/dnsmasq.d/br-lxc create mode 100644 files/etc/lxc/ansible.conf create mode 100644 files/etc/network/interfaces.d/br-lxc create mode 100644 hosts.example create mode 100644 prepare_lxc_hosts.yml diff --git a/.gitignore b/.gitignore index 1c5186f..035dac5 100644 --- a/.gitignore +++ b/.gitignore @@ -131,6 +131,7 @@ dmypy.json # ---> Ansible *.retry +.facts # ---> Vim # Swap diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..927e236 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule ".submodules/ansible-lxc-ssh"] + path = .submodules/ansible-lxc-ssh + url = https://github.com/andreasscherbaum/ansible-lxc-ssh.git diff --git a/.submodules/ansible-lxc-ssh b/.submodules/ansible-lxc-ssh new file mode 160000 index 0000000..d08e694 --- /dev/null +++ b/.submodules/ansible-lxc-ssh @@ -0,0 +1 @@ +Subproject commit d08e694c16a2d0f71a2883f4c0e8590eb5c743b5 diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..f074541 --- /dev/null +++ b/ansible.cfg 
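Review bot: Nothing on the page records that a checkout needs `git submodule update --init` before `ansible_connection = lxc_ssh` works: `connection_plugins/lxc_ssh.py` (added two hunks later) is a symlink into `.submodules/ansible-lxc-ssh`, so on a plain clone it dangles and Ansible only reports an unknown connection type rather than pointing at the submodule. A one-line comment here, `# run: git submodule update --init  (connection_plugins/lxc_ssh.py links into this)`, or the same sentence in a README would save the first user a search. The submodule is pinned to d08e694 in the next hunk, which is the right default for a connection plugin that executes on the controller with the operator's privileges; say in the same comment that bumps of that pin should be reviewed rather than pulled blindly.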
@@ -0,0 +1,18 @@
+[defaults]
+inventory = ./hosts
+
+connection_plugins = ./connection_plugins/
+
+interpreter_python = auto
+
+retry_files_enabled = True
+retry_files_save_path = ./Retry/
+
+fact_caching = yaml
+fact_caching_connection = ./.facts
+gathering = smart
+
+[colors]
+verbose = bright blue
+error = bright red
+
diff --git a/connection_plugins/lxc_ssh.py b/connection_plugins/lxc_ssh.py
new file mode 120000
index 0000000..71a147d
--- /dev/null
+++ b/connection_plugins/lxc_ssh.py
@@ -0,0 +1 @@
+../.submodules/ansible-lxc-ssh/lxc_ssh.py
\ No newline at end of file
diff --git a/create_inventory_lxc.yml b/create_inventory_lxc.yml
new file mode 100644
index 0000000..3dc17b7
--- /dev/null
+++ b/create_inventory_lxc.yml
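Review bot: `inventory = ./hosts` names a file this commit does not add — only `hosts.example` is committed, and the visible `.gitignore` hunk does not exclude `hosts` — so a fresh checkout fails to parse the inventory until the example is copied, and a later careless `git add` would commit the real host addresses. Add `# cp hosts.example hosts and set ansible_host/os_d/os_r; hosts is per-site and stays untracked` above the line, and list `hosts` in `.gitignore` if that is the intent. The fact cache under `./.facts` keeps the gathered facts of every host (which can include interface addresses and environment variables) in plaintext on the controller; the `.gitignore` hunk already excludes the directory, which is fine, but a short comment on `fact_caching_connection` saying the directory is sensitive would help the next maintainer.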
@@ -0,0 +1,118 @@ +--- +- hosts: all + + gather_facts: no + + serial: 1 + + vars: + # List(!) of SSH keys for authorized_keys. Set here or in group_vars/all.yml + #ssh_keys: [] + + cmdline_python: + alpine: + - "apk add -U python3" + centos: &cmdline_python_centos + - "yum clean all" + - "yum makecache" + - "yum install -y python3 || true" + debian: &cmdline_python_debian + - "apt-get -y update" + - "apt-get install -y python3 python3-apt" + devuan: *cmdline_python_debian + fedora: *cmdline_python_centos + opensuse: + - "zypper --gpg-auto-import-keys --no-gpg-checks -n refresh" + - "zypper --gpg-auto-import-keys --no-gpg-checks -n install python3" + ubuntu: *cmdline_python_debian + voidlinux: + - "xbps-install -Suy python3 libgcc" + + ssh_package_name: + opensuse: openssh + voidlinux: openssh + + ssh_service_name: + devuan: ssh + + + + tasks: + + - name: End for non-LXContainer + meta: end_host + when: inventory_hostname in groups.lxc_hosts + + + - name: Create LXContainer + lxc_container: + name: "{{ inventory_hostname }}" + state: started + template: download + template_options: "-a amd64 -d {{ os_d }} -r {{ os_r }} --no-validate" + config: /etc/lxc/ansible.conf + register: lxc_created + delegate_to: "{{ ansible_host }}" + + + - pause: + seconds: 10 + when: lxc_created is changed + + + - name: Raw-Install Python + raw: "{{ item }}" + loop: "{{ cmdline_python[os_d] }}" + + + - setup: + + + - name: Set root password + shell: "echo root:root | chpasswd" + + + - name: Install SSH + package: + name: "{{ ssh_package_name[os_d]|default('openssh-server') }}" + state: latest + + + - name: "Set «PermitRootLogin» to «yes»" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: '^#? 
*PermitRootLogin' + line: "PermitRootLogin yes" + backup: yes + notify: "Restart SSH" + + + - name: Enable SSH + service: + name: "{{ ssh_service_name[os_d]|default('sshd') }}" + enabled: yes + + + - name: Start SSH + service: + name: "{{ ssh_service_name[os_d]|default('sshd') }}" + state: started + ignore_errors: yes + + + - name: Add SSH keys + authorized_key: + user: root + key: "{{ item }}" + loop: "{{ ssh_keys }}" + + + + handlers: + + - name: Restart SSH + service: + name: "{{ ssh_service_name[os_d]|default('sshd') }}" + state: restarted + + diff --git a/files/etc/dnsmasq.d/br-lxc b/files/etc/dnsmasq.d/br-lxc new file mode 100644 index 0000000..8215982 --- /dev/null +++ b/files/etc/dnsmasq.d/br-lxc @@ -0,0 +1,17 @@ +#strict-order +local=/br-lxc/ +domain=br-lxc +expand-hosts + +#except-interface=lo + +#bind-interfaces +interface=br-lxc + +dhcp-range=br-lxc,192.168.1.100,192.168.1.199,2m + +dhcp-no-override +dhcp-authoritative + +dhcp-option=option:dns-server,192.168.1.1 + diff --git a/files/etc/lxc/ansible.conf b/files/etc/lxc/ansible.conf new file mode 100644 index 0000000..2ce98cd --- /dev/null +++ b/files/etc/lxc/ansible.conf @@ -0,0 +1,13 @@ +lxc.groups = ansible + +lxc.start.auto = 1 + +### 2020-09 wg. NTP in Debian 10 +lxc.apparmor.profile = unconfined + +lxc.net.0.type = veth +lxc.net.0.flags = up +lxc.net.0.name = eth0 +lxc.net.0.link = br-lxc +lxc.net.0.hwaddr = fe:fe:fe:xx:xx:xx + diff --git a/files/etc/network/interfaces.d/br-lxc b/files/etc/network/interfaces.d/br-lxc new file mode 100644 index 0000000..60b7a21 --- /dev/null +++ b/files/etc/network/interfaces.d/br-lxc @@ -0,0 +1,9 @@ +auto br-lxc +iface br-lxc inet static + address 192.168.1.1/24 + + bridge_ports none + + up /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE + down /sbin/iptables -t nat -D POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE + diff --git a/hosts.example b/hosts.example new file mode 100644 index 0000000..4bdf79f 
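Review bot: `Set root password` gives every container the fixed, well-known password `root:root` and the next task then sets `PermitRootLogin yes`, so anything that can reach the br-lxc bridge can log in as root with a guessable credential, although the play already installs `ssh_keys` via `authorized_key` and Ansible itself never needs the password. Drop the `chpasswd` task (or give it `no_log: true` and a per-host secret if a console login is really wanted) and change the sshd line to `line: "PermitRootLogin prohibit-password"`, which has been supported since OpenSSH 7.0 and so covers the oldest releases in hosts.example (xenial, stretch, CentOS 7). Two other verification bypasses in the same hunk deserve a comment if they are deliberate: `template_options: "... --no-validate"` skips signature validation of the downloaded container image, and the openSUSE entry in `cmdline_python` passes `--no-gpg-checks` to zypper, which disables package signature verification (`--gpg-auto-import-keys` alone would keep the checks while accepting new repo keys).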
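Review bot: The bridge network is hard-coded to 192.168.1.0/24 here (`dhcp-range` and `dhcp-option=option:dns-server,192.168.1.1`), again in `files/etc/network/interfaces.d/br-lxc`, and implicitly in `hosts.example`, where the remote LXC host itself is `ansible_host=192.168.1.42`; if that host sits on a LAN using the same prefix — a very common one — bringing up `br-lxc` with `192.168.1.1/24` gives it two interfaces on one subnet and the `! -d 192.168.1.0/24` MASQUERADE exclusion then also covers the LAN. Pick a less commonly used private prefix and document it once, since the three files must agree. Separately, `#bind-interfaces` is commented out while `interface=br-lxc` is set; without it dnsmasq binds its ports on the wildcard address and only filters by interface, which clashes with any other resolver on the host (systemd-resolved, a second dnsmasq) — a comment saying why it is disabled, e.g. `# bind-interfaces left off: <reason>`, would avoid the next person re-enabling it blindly.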
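Review bot: `lxc.apparmor.profile = unconfined` removes AppArmor confinement from every container created with this config, not only the Debian 10 one the `### 2020-09 wg. NTP in Debian 10` comment refers to; since `ansible.conf` is the `config:` passed to `lxc_container` for all hosts in create_inventory_lxc.yml, the Alpine, CentOS, Void and other guests run unconfined too. If the trigger is the known systemd-timesyncd failure under the default profile, a narrower fix is preferable — `lxc.apparmor.profile = generated` together with `lxc.apparmor.allow_nesting = 1`, or disabling the timesync unit inside the affected guests — but I have not verified which of these resolves the NTP symptom here, so test before switching. At minimum, rewrite the comment in English and make its scope explicit: `# 2020-09: workaround for NTP in Debian 10 guests; applies to ALL containers using this config — revisit`.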
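Review bot: The `up` rule only masquerades; nothing restricts what is forwarded, and `prepare_lxc_hosts.yml` sets `net.ipv4.ip_forward=1` host-wide, so with the stock FORWARD policy of ACCEPT the host routes traffic between any of its interfaces and containers reach everything the host can. If the bridge is meant as an isolated lab network, add FORWARD rules beside the NAT one so only br-lxc-originated traffic and its replies are allowed, mirrored in `down`; they only bite if the chain ends in a DROP (policy or final rule), and whether that is acceptable depends on what else the host runs, which the page does not show. A smaller point: `-A` appends unconditionally, so `ifup --force br-lxc` stacks duplicate MASQUERADE entries — guard with `-C` first, as in the sketch below.
```conf
iface br-lxc inet static
# … unchanged: address, bridge_ports …
    up   /sbin/iptables -t nat -C POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE 2>/dev/null || /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
    up   /sbin/iptables -A FORWARD -i br-lxc -j ACCEPT
    up   /sbin/iptables -A FORWARD -o br-lxc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    down /sbin/iptables -D FORWARD -o br-lxc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    down /sbin/iptables -D FORWARD -i br-lxc -j ACCEPT
    down /sbin/iptables -t nat -D POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
```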
--- /dev/null
+++ b/hosts.example
@@ -0,0 +1,65 @@ +[all:vars] +ansible_python_interpreter = /usr/bin/python3 +ansible_user = root + +############################################################ +### Host machine(s) ######################################## +############################################################ + +[lxc_hosts] +debian-host-local ansible_connection=local +debian-host-remote ansible_host=192.168.1.42 + + +############################################################ +### LXContainers ########################################### +############################################################ + +[containers_local] +lxc-local-alpine3B os_d=alpine os_r=3.11 +lxc-local-alpine3C os_d=alpine os_r=3.12 +lxc-local-debian9 os_d=debian os_r=stretch +lxc-local-debian10 os_d=debian os_r=buster +lxc-local-devuan9 os_d=devuan os_r=ascii +lxc-local-devuan10 os_d=devuan os_r=beowulf +lxc-local-centos7 os_d=centos os_r=7 ansible_python_interpreter=/usr/bin/python +lxc-local-centos8 os_d=centos os_r=8 +lxc-local-fedora32 os_d=fedora os_r=32 +lxc-local-fedora33 os_d=fedora os_r=33 +lxc-local-suse152 os_d=opensuse os_r=15.2 +lxc-local-ubu1604 os_d=ubuntu os_r=xenial +lxc-local-ubu1804 os_d=ubuntu os_r=bionic +lxc-local-ubu2004 os_d=ubuntu os_r=focal +lxc-local-void os_d=voidlinux os_r=current + +[containers_local:vars] +ansible_connection = lxc + + +############################################################ +### LXContainers ########################################### +############################################################ + +[containers_remote] +lxc-remote-alpine3B os_d=alpine os_r=3.11 +lxc-remote-alpine3C os_d=alpine os_r=3.12 +lxc-remote-debian9 os_d=debian os_r=stretch +lxc-remote-debian10 os_d=debian os_r=buster +lxc-remote-devuan9 os_d=devuan os_r=ascii +lxc-remote-devuan10 os_d=devuan os_r=beowulf +lxc-remote-centos7 os_d=centos os_r=7 ansible_python_interpreter=/usr/bin/python +lxc-remote-centos8 os_d=centos os_r=8 +lxc-remote-fedora32 os_d=fedora os_r=32 +lxc-remote-fedora33 
os_d=fedora os_r=33 +lxc-remote-suse152 os_d=opensuse os_r=15.2 +lxc-remote-ubu1604 os_d=ubuntu os_r=xenial +lxc-remote-ubu1804 os_d=ubuntu os_r=bionic +lxc-remote-ubu2004 os_d=ubuntu os_r=focal +lxc-remote-void os_d=voidlinux os_r=current + +[containers_remote:vars] +ansible_host = 192.168.1.42 +ansible_connection = lxc_ssh +ansible_ssh_extra_args = {{ inventory_hostname }} + + diff --git a/prepare_lxc_hosts.yml b/prepare_lxc_hosts.yml new file mode 100644 index 0000000..3c3c118 --- /dev/null +++ b/prepare_lxc_hosts.yml @@ -0,0 +1,87 @@ +--- +- hosts: + - lxc_hosts + + tasks: + - assert: + that: + - ansible_pkg_mgr == "apt" + fail_msg: "Sorry, Debian-like hosts only!" + + + - name: Just to be sure python3-apt is installed + command: apt install -y python3-apt + args: + creates: /usr/lib/python3/dist-packages/apt + + + - name: Install packages + package: + name: "{{ packages }}" + state: latest + vars: + packages: + - bridge-utils + - dnsmasq + - iptables + - lxc + - python3-lxc + + + - name: Copy config files + copy: + src: "{{ item }}" + dest: "/{{ item }}" + owner: root + group: root + mode: 0644 + loop: + - etc/dnsmasq.d/br-lxc + - etc/lxc/akademie.conf + - etc/network/interfaces.d/br-lxc + notify: + - Restart dnsmasq + + + - name: dnsmasq should use /etc/resolv.conf + lineinfile: + path: /etc/default/dnsmasq + line: 'IGNORE_RESOLVCONF=yes' + regexp: '^\s*#*\s*IGNORE_RESOLVCONF=yes' + backup: yes + notify: + - Restart dnsmasq + + + - name: IPv4-Forwarding + sysctl: + name: net.ipv4.ip_forward + value: 1 + sysctl_file: /etc/sysctl.d/lxc.conf + sysctl_set: yes + state: present + reload: yes + + + - name: Disable lxc-net + service: + name: lxc-net + enabled: no + state: stopped + ignore_errors: yes + + + - name: Bring up br-lxc + command: ifup br-lxc + args: + creates: /sys/devices/virtual/net/br-lxc + + + + handlers: + - name: Restart dnsmasq + service: + name: dnsmasq + state: restarted + ignore_errors: yes +
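Review bot: Values in an INI inventory are evaluated as Python literals, so `os_r=3.11`, `os_r=15.2`, `os_r=7` and the like arrive as floats and ints rather than strings; today they happen to render back unchanged in `-r {{ os_r }}`, but an entry such as Alpine `3.10` would become `3.1` and the download template would be asked for a release that does not exist. Quote the release on every line, `os_r="3.11"` (the integer Fedora/CentOS ones too, for consistency), and say so in a comment at the top of the file. The banner above `[containers_remote]` repeats `### LXContainers ####…` from the local section; `### LXContainers (remote, via lxc_ssh) ###…` would tell the two groups apart at a glance.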
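Review bot: `Copy config files` lists `etc/lxc/akademie.conf`, but the file this commit adds is `files/etc/lxc/ansible.conf` and create_inventory_lxc.yml passes `config: /etc/lxc/ansible.conf` to `lxc_container`, so the copy task fails with a missing source on every host and the play never reaches the later tasks; change the loop entry to `- etc/lxc/ansible.conf` (the subject's "untested" fits). Also quote the mode, `mode: "0644"`, as the module docs recommend — unquoted `0644` relies on the YAML loader treating it as octal. `Restart dnsmasq` is notified for all three copied files although only the first concerns dnsmasq; the interfaces file only takes effect through the later `ifup br-lxc` task, which is worth a one-line comment on the loop so nobody expects the handler to reconfigure the bridge.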