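---
# Provision one LXC guest (vm_name) on this host: create it on an LVM
# backing store if it does not exist yet, deploy its config, pin its DNS
# to the external gateway, obtain an SSH host certificate from the CA
# request host, trust the user CA key, and wait for sshd to come up.
#
# Inputs expected from inventory / play vars: vm_name, vm_size, distro,
# auto_start, container_state, ext_gateway; optionally user_ca_key_file.
# Handlers (restart container) and the container_* modules live elsewhere.

# vm_name is spliced into filesystem paths (/var/lib/lxc/<name>/config) and
# into shell commands below, so refuse names that could escape the path or
# carry shell metacharacters. A leading '.' is rejected to rule out '..'.
- name: validate container name
  assert:
    that:
      - vm_name is match('^[A-Za-z0-9][A-Za-z0-9_.-]*$')
    msg: "vm_name '{{ vm_name }}' contains characters not allowed in a container name"

# The gateway address is written into resolv.conf through a shell command.
# A nameserver entry has to be an IP address anyway, so restrict it to
# address characters before it reaches the shell.
- name: resolve external gateway address
  set_fact:
    vm_nameserver: "{{ hostvars[ext_gateway].ansible_host }}"

- name: validate external gateway address
  assert:
    that:
      - vm_nameserver is match('^[0-9A-Fa-f.:]+$')
    msg: "ansible_host of {{ ext_gateway }} ('{{ vm_nameserver }}') does not look like an IP address"

- name: check for lxc container dir
  stat:
    path: "/var/lib/lxc/{{ vm_name }}"
  register: lxc_existance

- name: check for lxc container existance
  container_exists:
    name: "{{ vm_name }}"
  register: container_exists

- name: Check debian release
  assert:
    that:
      - distro in ['wheezy', 'jessie', 'stretch', 'sid']
    msg: "release {{ distro }} not supported by debian template"

# First-time creation only: the container is created stopped, its config is
# deployed, and it is started only when auto_start says so.
- name: create and configure a new container
  block:
    - name: create the lxc container
      lxc_container:
        name: "{{ vm_name }}"
        backing_store: lvm
        fs_size: "{{ vm_size }}"
        vg_name: "{{ inventory_hostname }}vg"
        lv_name: "vm_{{ vm_name }}"
        fs_type: xfs
        container_log: true
        template: debian
        # distro was checked against the allow-list above, so it is safe
        # to splice into the template arguments
        template_options: "--release {{ distro }} --packages=ssh,python"
        state: stopped
      # suppress messages related to file descriptors
      # leaking when lvm is invoked
      environment:
        LVM_SUPPRESS_FD_WARNINGS: "1"

    - name: deploy container config
      template:
        src: config.j2
        dest: "/var/lib/lxc/{{ vm_name }}/config"

    - name: start container
      lxc_container:
        name: "{{ vm_name }}"
        state: started
      when: auto_start | bool
  # stat only reports isdir when the path exists; default it so a missing
  # directory cannot raise an undefined-attribute error in this condition
  when: not (container_exists.exists and (lxc_existance.stat.isdir | default(false)))

- name: update container config
  template:
    src: config.j2
    dest: "/var/lib/lxc/{{ vm_name }}/config"
  register: container_config
  notify: restart container

- name: set container running state
  lxc_container:
    name: "{{ vm_name }}"
    state: "{{ container_state }}"
  register: container_running_state

- name: Read container DNS configuration
  container_file_read:
    name: "{{ vm_name }}"
    path: /etc/resolv.conf
  register: vm_resolv_conf

- debug:
    var: vm_resolv_conf
    verbosity: 2

# resolv.conf is replaced (not appended) with a single nameserver line.
# grep prints the existing line when it already matches, so an empty stdout
# means the file was rewritten. lxc-attach -e keeps the host's elevated
# privileges inside the container (presumably needed to edit /etc as root).
- name: update container DNS configuration
  shell: >-
    lxc-attach -n {{ vm_name | quote }} --clear-env -e --
    bash -c "grep '^nameserver {{ vm_nameserver }}$' /etc/resolv.conf
    || echo 'nameserver {{ vm_nameserver }}' > /etc/resolv.conf"
  register: container_dns_configuration
  changed_when: container_dns_configuration.stdout != ('nameserver ' ~ vm_nameserver)

- name: Check if host certificate exists
  container_file_exists:
    name: "{{ vm_name }}"
    path: /etc/ssh/ssh_host_ed25519_key-cert.pub
  register: vm_ssh_certificate_exists

- debug:
    var: vm_ssh_certificate_exists
    verbosity: 2

# Obtain an SSH host certificate from the CA by sending JSON requests to the
# 'ca_request' host. The raw module is only a transport here: the reply
# shape depends on that host's connection plugin, which is not visible in
# this file (failed_when reads .stdout while the payload is read from
# .results[0].stdout) — both expressions are kept exactly as they were.
# The signing step blocks until the request is confirmed by hand.
- name: request a host certificate from the CA
  block:
    - name: Read host public key
      container_file_read:
        name: "{{ vm_name }}"
        path: /etc/ssh/ssh_host_ed25519_key.pub
      register: vm_public_key

    - debug:
        var: vm_public_key
        verbosity: 2

    - name: generate host request
      set_fact:
        cert_request:
          type: sign_request
          request:
            keyType: ssh_host
            hostName: "{{ vm_name }}"
            keyData: "{{ vm_public_key.text }}"

    - debug:
        var: cert_request
        verbosity: 2

    - name: start sign request
      raw: "{{ cert_request | to_json }}"
      delegate_to: ca_request
      delegate_facts: true
      register: request_result
      failed_when: "( request_result.stdout | from_json ).failed"

    - debug:
        var: request_result
        verbosity: 2

    - set_fact:
        request_output: "{{ request_result.results[0].stdout | from_json }}"

    - debug:
        var: request_output
        verbosity: 2

    - name: generate get request
      set_fact:
        get_request:
          type: get_certificate
          requestID: "{{ request_output.requestID }}"

    - debug:
        var: get_request
        verbosity: 2

    - debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"

    - name: wait for cert
      raw: "{{ get_request | to_json }}"
      delegate_to: ca_request
      delegate_facts: true
      register: cert_result
      failed_when: "(cert_result.stdout | from_json).failed"

    - debug:
        var: cert_result
        verbosity: 2

    - set_fact:
        cert_key: "{{ cert_result.results[0].stdout | string | from_json }}"

    - name: Write certificate to container
      container_file_write:
        name: "{{ vm_name }}"
        path: /etc/ssh/ssh_host_ed25519_key-cert.pub
        text: "{{ cert_key.result }}"
      register: set_pub_key
      notify: restart container
  when: not vm_ssh_certificate_exists.exists

# Switch eth0 from dhcp to manual; the matching line is printed when the
# change is already in place, so a differing stdout means sed rewrote it.
- name: update container network configuration
  shell: >-
    lxc-attach -n {{ vm_name | quote }} --clear-env -e --
    bash -c "grep -F 'iface eth0 inet manual' /etc/network/interfaces
    || sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces"
  register: container_network
  changed_when: "container_network.stdout != 'iface eth0 inet manual'"
  notify: restart container

- name: install packages
  shell: >-
    lxc-attach -n {{ vm_name | quote }} --clear-env -e --
    bash -c "apt-get install python ssh -y"
  register: install_packages
  changed_when: "install_packages.stdout.find('0 newly installed') == -1"
  notify: restart container

# The user CA public key file is looked up relative to the role's files/
# directory. Only the base64 key material is expected in it: the 'ssh-rsa'
# type is prepended below, so the CA key has to be an RSA key.
# NOTE(review): the default file name suggests a test key — set
# user_ca_key_file to the real CA key for non-test deployments.
- name: lookup user ca key
  set_fact:
    user_ca_key: "{{ lookup('file', user_ca_key_file | default('test_ssh_ca.pub')) }}"

- name: Update container user CA key
  container_file_write:
    name: "{{ vm_name }}"
    path: /etc/ssh/user_ca.pub
    text: "ssh-rsa {{ user_ca_key }}"

# Match the whole line (-x): an unanchored -F grep also matched a
# commented-out '#TrustedUserCAKeys ...' line, in which case the directive
# was never appended even though the task reported a change.
- name: trust user ca key
  shell: >-
    lxc-attach -n {{ vm_name | quote }} --clear-env -e --
    bash -c "grep -Fx 'TrustedUserCAKeys /etc/ssh/user_ca.pub' /etc/ssh/sshd_config
    || echo 'TrustedUserCAKeys /etc/ssh/user_ca.pub' >> /etc/ssh/sshd_config"
  register: trust_ca_key
  changed_when: "trust_ca_key.stdout != 'TrustedUserCAKeys /etc/ssh/user_ca.pub'"
  notify: restart container

# Restart container when one in
# - container_dns_configuration
# - network conf has changed
# - set_pub_key
# - install_packages
# - trust_ca_key
# - container_network
# is changed by executing handlers now
- meta: flush_handlers

- name: "waiting for ssh on {{ vm_name }} vm to start"
  wait_for:
    host: "{{ hostvars[vm_name]['ansible_host'] }}"
    port: 22
    timeout: 30
  delegate_to: "{{ inventory_hostname }}"
  delegate_facts: true

# Grace period after port 22 opens before later plays try to log in.
- pause:
    seconds: 20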