Compare commits


10 commits
main ... devel

Author SHA1 Message Date
Sven Velt 5a4f039fc0 Detect architecture of host machine for LXC images
Tested for amd64/x86_64 and arm64/aarch64
2024-07-02 21:32:34 +02:00
Sven Velt c6cb78ce6f Put service user into own sudo file
SUSE Tumbleweed doesn't have a /etc/sudoers anymore - and it's the clean
way to do it
2024-07-02 21:31:19 +02:00
Sven Velt e286662efc Add sanity check before LXC creation 2024-07-02 21:30:27 +02:00
Sven Velt 63b265011d Move cache/retry files 2024-07-02 21:25:16 +02:00
Sven Velt 64d3c6b281 Submodule update 2024-03-12 22:06:28 +01:00
Sven Velt c2b48aef41 Rebuilt with multiple roles 2024-03-12 21:52:22 +01:00
Sven Velt dbf35931c2 If authorized_key doesn't work, try lineinfile (Python interpreter problem) 2024-03-12 21:45:13 +01:00
Sven Velt 4d95c09591 Install Python2 by request/variable 2024-03-12 21:44:35 +01:00
Sven Velt adefc850bb Add sanity checks 2024-03-12 21:43:27 +01:00
Sven Velt 6f0a8bec2c Update ansible-lxc-ssh 2024-03-12 21:41:59 +01:00
10 changed files with 156 additions and 151 deletions

1
.gitignore vendored

@ -1,5 +1,6 @@
group_vars/all.yml
hosts.*
.cache
# ---> Python
# Byte-compiled / optimized / DLL files

9
.gitmodules vendored

@ -1,3 +1,12 @@
[submodule ".submodules/ansible-lxc-ssh"]
path = .submodules/ansible-lxc-ssh
url = https://github.com/andreasscherbaum/ansible-lxc-ssh.git
[submodule "roles.extern/deapparmor"]
path = roles.extern/deapparmor
url = https://git.velt.biz/Ansible/role.deapparmor.git
[submodule "roles.extern/grub_add_cmdlineparameter"]
path = roles.extern/grub_add_cmdlineparameter
url = https://git.velt.biz/Ansible/role.grub_add_cmdlineparameter.git
[submodule "roles.extern/prepare_lxc_host"]
path = roles.extern/prepare_lxc_host
url = https://git.velt.biz/Ansible/role.prepare_lxc_host.git

@ -1 +1 @@
Subproject commit 731cbce856522cc5205c50e08b5e238b5266ef2c
Subproject commit 87dd3cd37ad9b11cc780d3c87989b9944c193923


@ -1,15 +1,17 @@
[defaults]
inventory = ./hosts
roles_path = ./roles.extern
connection_plugins = ./connection_plugins/
interpreter_python = auto
retry_files_enabled = True
retry_files_save_path = ./Retry/
retry_files_save_path = ./.cache/retry/
fact_caching = yaml
fact_caching_connection = ./.facts
fact_caching_connection = ./.cache/facts
gathering = smart
host_key_checking = false


@ -17,6 +17,14 @@
#service_password: {{ service_username }}
#service_ssh_keys: {{ ssh_keys }}
# architecture mapping from "uname -m" to package
architecture_mapping:
aarch64: arm64
x86_64: amd64
#ppc64le: ppc64el
#s390x: s390x
#armv7l: armhf
# "*cmdline_" must be listed AFTER "^cmdline_"!
cmdline_python:
alpine:
@ -44,6 +52,12 @@
voidlinux:
- "xbps-install -Suy python3 libgcc"
cmdline_python2:
debian: &cmdline_python2_debian
- "apt-get -y update"
- "apt-get install -y python python-apt"
ubuntu: *cmdline_python2_debian
cmdline_fixes:
oracle:
8:
@ -76,6 +90,13 @@
when: inventory_hostname in groups.lxc_hosts
- name: Sanity checks
assert:
that:
- ssh_keys is defined and ssh_keys is iterable
- service_user is not defined or service_user|regex_search('^[a-z][a-z0-9-]+$')
- name: Check for no-validate parameter in download template
shell: "/usr/share/lxc/templates/lxc-download --help | grep no-validate || true"
changed_when: false
@ -83,12 +104,19 @@
delegate_to: "{{ ansible_host|default('localhost') }}"
- name: Get architecture
shell: "uname -m || true"
changed_when: false
register: lxc_host_arch_native
delegate_to: "{{ ansible_host|default('localhost') }}"
- name: Create LXContainer
lxc_container:
name: "{{ inventory_hostname }}"
state: started
template: download
template_options: "-a amd64 -d {{ os_d }} -r {{ os_r }} {% if 'no-validate' in lxc_download_validate.stdout %}--no-validate{% endif %}"
template_options: "-a {{ architecture_mapping[lxc_host_arch_native.stdout] }} -d {{ os_d }} -r {{ os_r }} {% if 'no-validate' in lxc_download_validate.stdout %}--no-validate{% endif %}"
config: "{{ lxc_config_file|default('/etc/lxc/ansible.conf') }}"
container_config:
- "lxc.group = {{ os_d }}"
@ -102,9 +130,16 @@
when: lxc_created is changed
- name: Raw-Install Python
- name: Raw-Install Python3
raw: "{{ item }}"
loop: "{{ cmdline_python[os_d] }}"
when: use_python2 != True
- name: Raw-Install Python2
raw: "{{ item }}"
loop: "{{ cmdline_python2[os_d] }}"
when: use_python2 == True
- name: OS-dependent fixes
@ -120,10 +155,30 @@
- name: Add SSH keys
block:
- name: "1st try: authorized_key module"
authorized_key:
user: root
key: "{{ item }}"
loop: "{{ ssh_keys }}"
rescue:
- name: "2nd try: create ~/.ssh directory"
file:
path: /root/.ssh/
state: directory
owner: root
group: root
mode: 0700
- name: "2nd try: add key via lineinfile module"
lineinfile:
path: /root/.ssh/authorized_keys
line: "{{ item }}"
owner: root
group: root
mode: 0600
create: yes
backup: yes
loop: "{{ ssh_keys }}"
- name: "[BLOCK] when 'service_username' is set"
@ -141,10 +196,36 @@
- name: Add SSH keys
block:
- name: "1st try: authorized_key module"
authorized_key:
user: "{{ service_username }}"
key: "{{ item }}"
loop: "{{ ssh_keys_service|default(ssh_keys) }}"
rescue:
- name: "2nd try: get homedir of user"
getent:
database: passwd
key: "{{ service_username }}"
split: ":"
- name: "2nd try: create ~/.ssh directory"
file:
path: "{{ getent_passwd[service_username][4] }}/.ssh/"
state: directory
owner: "{{ service_username }}"
group: "{{ service_username }}"
mode: 0700
- name: "2nd try: add key via lineinfile module"
lineinfile:
path: "{{ getent_passwd[service_username][4] }}/.ssh/authorized_keys"
line: "{{ item }}"
owner: "{{ service_username }}"
group: "{{ service_username }}"
mode: 0600
create: yes
backup: yes
loop: "{{ ssh_keys }}"
- name: Install sudo
@ -154,9 +235,10 @@
- name: Add sudo line for service
lineinfile:
path: /etc/sudoers
path: "/etc/sudoers.d/{{ service_username }}"
regexp: "^service"
line: "{{ service_username }} ALL=(ALL:ALL) NOPASSWD: ALL"
create: yes
backup: yes
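Review bot: The new sanity check in the `@ -76,6 +90,13` hunk asserts on `service_user`, while the rest of the file keys on `service_username` (the `user:` of the authorized_key task, the `/etc/sudoers.d/{{ service_username }}` path and the NOPASSWD line), so the name that ends up in a sudoers drop-in and a file path is never validated; presumably it should read `- service_username is not defined or service_username|regex_search('^[a-z][a-z0-9-]+$')`. In the last hunk the `regexp: "^service"` carried over from the shared /etc/sudoers only matches if the username happens to start with "service", and the drop-in is created with lineinfile's default permissions and no syntax check; `regexp: '^{{ service_username }}\s'`, `mode: "0440"` and `validate: '/usr/sbin/visudo -cf %s'` would address that (the `backup: yes` copies end in `~`, which sudo skips). The rescue path of the service-user "Add SSH keys" block loops over `ssh_keys`, whereas the first try uses `ssh_keys_service|default(ssh_keys)`, so the fallback authorizes a different key set for that account; the two loops should match. `template_options` indexes `architecture_mapping[lxc_host_arch_native.stdout]` without a guard, and `uname -m || true` can leave stdout empty, so an unmapped or missing architecture fails with a Jinja undefined-key error; an assert `- lxc_host_arch_native.stdout in architecture_mapping` placed after the Get architecture task would give a clear message instead. The enclosing play starts and ends outside the visible hunks.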

45
prepare_lxc_host.yml Normal file

@ -0,0 +1,45 @@
---
- hosts: all
gather_facts: no
pre_tasks:
- name: 'Output configured connection plugin via "ansible_connection" variable'
debug:
var: ansible_connection
tags:
- never
- debug
- name: End for non-LXContainer
meta: end_host
when: "'lxc' in ansible_connection|default('')"
tags:
- always
- name: Manually gather facts (for LXC hosts only)
ansible.builtin.gather_facts:
tags:
- always
roles:
- role: deapparmor
deapparmor_reboot: True
tags:
- always
- role: grub_add_cmdlineparameter
grub_add_cmdlineparameter:
systemd.unified_cgroup_hierarchy: 0
cgroup_enable: memory
swapaccount: 1
vsyscall: emulate
tags:
- always
- role: prepare_lxc_host
tags:
- always
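Review bot: The pre_task named "End for non-LXContainer" ends the host when `'lxc' in ansible_connection`, i.e. for the containers themselves, so the name reads as the inverse of what the condition does; if the intent is to keep only the LXC hosts in the play, `- name: End play for LXContainers (LXC hosts only)` would say so. The kernel parameters handed to grub_add_cmdlineparameter carry no rationale; a comment above that mapping such as `# vsyscall=emulate / cgroup v1: presumably needed by older container userlands - re-check when those are retired` would tell the next maintainer when they can be dropped, since vsyscall emulation and the cgroup v1 fallback are compatibility settings rather than hardening. `gather_facts: no` and `deapparmor_reboot: True` use YAML 1.1 truthy spellings; `false`/`true` are what ansible-lint expects.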


@ -1,137 +0,0 @@
---
- hosts:
- lxc_hosts
tasks:
- assert:
that:
- ansible_pkg_mgr == "apt"
fail_msg: "Sorry, Debian-like hosts only!"
- name: Just to be sure python3-apt is installed
command: apt install -y python3-apt
args:
creates: /usr/lib/python3/dist-packages/apt
- name: Install packages
package:
name: "{{ packages }}"
state: latest
vars:
packages:
- bridge-utils
- dnsmasq
- iptables
- lxc
- python3-lxc
- name: Copy config files
copy:
src: "{{ item }}"
dest: "/{{ item }}"
owner: root
group: root
mode: 0644
loop:
- etc/dnsmasq.d/br-lxc
- etc/lxc/ansible.conf
- etc/network/interfaces.d/br-lxc
notify:
- Restart dnsmasq
- name: Fix evil Debian default /etc/network/interfaces
lineinfile:
dest: /etc/network/interfaces
regexp: 'source.*interfaces.d'
line: 'source-directory /etc/network/interfaces.d'
backup: yes
- name: dnsmasq should use /etc/resolv.conf
lineinfile:
path: /etc/default/dnsmasq
line: 'IGNORE_RESOLVCONF=yes'
regexp: '^\s*#*\s*IGNORE_RESOLVCONF=yes'
backup: yes
notify:
- Restart dnsmasq
- name: IPv4-Forwarding
sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_file: /etc/sysctl.d/lxc.conf
sysctl_set: yes
state: present
reload: yes
- name: Raise inotify limit
sysctl:
name: fs.inotify.max_user_instances
value: '1024'
sysctl_file: 30-lxc-inotify.conf
sysctl_set: yes
state: present
reload: yes
- name: Enable CAP_SYS_TIME in Container
lineinfile:
dest: /usr/share/lxc/config/common.conf
backrefs: yes
regexp: '(^\s*[^#].*)sys_time ?(.*)$'
line: '\1\2'
backup: yes
- name: lxc-net with systemd
block:
- name: Stop lxc-net service
systemd:
name: lxc-net
state: stopped
- name: Disable lxc-net service
systemd:
name: lxc-net
enabled: no
- name: Mask lxc-net service
systemd:
name: lxc-net
masked: yes
when: ansible_service_mgr == "systemd"
- name: lxc-net without systemd
block:
- name: Disable lxc-net
service:
name: lxc-net
enabled: no
state: stopped
ignore_errors: yes
when: ansible_service_mgr != "systemd"
- name: Bring up br-lxc
command: ifup br-lxc
args:
creates: /sys/devices/virtual/net/br-lxc
handlers:
- name: Restart dnsmasq
service:
name: dnsmasq
state: restarted
ignore_errors: yes

@ -0,0 +1 @@
Subproject commit 9cf7fcaa026c3771b7740915d6151f18fdb7fc15

@ -0,0 +1 @@
Subproject commit d401c517fd71d2f828ee7c4757357dbd090e6dd1

@ -0,0 +1 @@
Subproject commit dd1a20fa2e6cb483bb2f1429dd093bf078eb0df2