Playbooks to a new Lilik
---
# Does the container's rootfs directory already exist on this host?
# The result feeds the creation guard further down (lxc_existance.stat.isdir).
- name: check for lxc container dir
  register: lxc_existance
  stat:
    path: "/var/lib/lxc/{{ vm_name }}"
# Ask the (project-provided) container_exists module whether LXC knows a
# container called vm_name; together with the stat above it decides whether
# the container has to be created.
- name: check for lxc container existance
  register: container_exists
  container_exists:
    name: '{{ vm_name }}'
# Stop early when the requested release is not one the debian template
# can build.
- name: Check debian release
  assert:
    that:
      - "distro in ['wheezy', 'jessie', 'stretch', 'sid']"
    msg: "release {{ distro }} not supported by debian template"
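# Creation block: runs only when neither the LXC record nor the rootfs
# directory is present (see the `when` at the end of the block).
- block:
    - name: create the lxc container
      lxc_container:
        name: "{{ vm_name }}"
        backing_store: lvm
        fs_size: "{{ vm_size }}"
        # one logical volume per container, inside the host's own VG
        vg_name: "{{ inventory_hostname }}vg"
        lv_name: "vm_{{ vm_name }}"
        fs_type: xfs
        container_log: true
        template: debian
        # quoted so the templated option string is never subject to YAML
        # scalar inference; the value itself is unchanged
        template_options: "--release {{ distro }} --packages=ssh,python"
        # created stopped: the config template below is deployed before
        # the container is first started
        state: stopped
      # suppress messages related to file descriptors
      # leaking when lvm is invoked; kept as a string so the YAML parser
      # does not retype the environment value
      environment:
        LVM_SUPPRESS_FD_WARNINGS: "1"
    - name: deploy container config
      template:
        src: config.j2
        dest: "/var/lib/lxc/{{ vm_name }}/config"
    # auto_start is inventory-controlled; the later "set container running
    # state" task applies container_state regardless of this step
    - name: start container
      lxc_container:
        name: "{{ vm_name }}"
        state: started
      when: auto_start | bool
  when: not (container_exists.exists and lxc_existance.stat.isdir)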
# Re-render the LXC config for containers that already existed (the
# creation block above only runs once). A changed file notifies the
# restart handler; the notification is acted on at flush_handlers below.
- name: update container config
  register: container_config
  notify: restart container
  template:
    dest: "/var/lib/lxc/{{ vm_name }}/config"
    src: config.j2
# Drive the container to the state requested by the container_state variable.
- name: set container running state
  register: container_running_state
  lxc_container:
    state: '{{ container_state }}'
    name: '{{ vm_name }}'
# Read the container's resolv.conf through the project's container_file_read
# module; the content is only shown at verbosity 2 (-vv).
- name: Read container DNS configuration
  register: vm_resolv_conf
  container_file_read:
    path: "/etc/resolv.conf"
    name: '{{ vm_name }}'
- debug:
    verbosity: 2
    var: vm_resolv_conf
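# Point the container's resolver at the external gateway. grep -Fx matches
# the whole line as a fixed string, so the dots in the address are no
# longer regex wildcards (the previous '^...$' pattern left them unescaped).
# stdout is the matching line when nothing had to change and empty after
# the rewrite, which is what changed_when tests. Note the rewrite replaces
# the entire resolv.conf, not just the nameserver line.
# vm_name is interpolated into the command line unquoted; it is assumed to
# come from inventory (operator-controlled).
# NOTE(review): this task does not notify the restart handler although the
# handler comment before flush_handlers lists it -- confirm which is intended.
- name: update container DNS configuration
  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -Fx 'nameserver {{ hostvars[ext_gateway].ansible_host }}' /etc/resolv.conf || echo 'nameserver {{ hostvars[ext_gateway].ansible_host }}' > /etc/resolv.conf"
  register: container_dns_configuration
  changed_when: "container_dns_configuration.stdout != 'nameserver {{ hostvars[ext_gateway].ansible_host }}'"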
# Containers that already carry a signed ed25519 host certificate skip the
# CA request block that follows.
- name: Check if host certificate exists
  register: vm_ssh_certificate_exists
  container_file_exists:
    path: '/etc/ssh/ssh_host_ed25519_key-cert.pub'
    name: '{{ vm_name }}'
- debug:
    verbosity: 2
    var: vm_ssh_certificate_exists
# Host-certificate enrolment: only containers without a certificate go
# through this block (see the `when` at its end).
- block:
    - name: Read host public key
      container_file_read:
        name: "{{ vm_name }}"
        path: "/etc/ssh/ssh_host_ed25519_key.pub"
      register: vm_public_key
    - debug:
        var: vm_public_key
        verbosity: 2
    # Build the sign request: an ssh_host key for vm_name carrying the
    # public key text read above.
    - name: generate host request
      set_fact:
        cert_request:
          type: 'sign_request'
          request:
            keyType: 'ssh_host'
            hostName: '{{ vm_name }}'
            keyData: '{{ vm_public_key.text }}'
    - debug:
        var: cert_request
        verbosity: 2
    # The JSON request is sent as the raw command line of the ca_request
    # host; presumably that host's login shell is the CA front-end -- confirm.
    - name: start sign request
      raw: "{{ cert_request | to_json }}"
      delegate_to: ca_request
      delegate_facts: True
      register: request_result
      # NOTE(review): failed_when reads request_result.stdout, while the
      # set_fact below reads request_result.results[0].stdout; a raw task
      # without a loop does not register `results`, so one of the two
      # access paths looks wrong -- confirm against a real run.
      failed_when: "( request_result.stdout | from_json ).failed"
    - debug:
        var: request_result
        verbosity: 2
    - set_fact:
        request_output: "{{ request_result.results[0].stdout | from_json }}"
    - debug:
        var: request_output
        verbosity: 2
    # The certificate is later fetched by the requestID the CA returned.
    - name: generate get request
      set_fact:
        get_request:
          type: 'get_certificate'
          requestID: '{{ request_output.requestID }}'
    - debug:
        var: get_request
        verbosity: 2
    # Per the message, the request has to be approved by hand on the CA
    # side; the next task blocks until the certificate is returned.
    - debug:
        msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
    - name: wait for cert
      raw: "{{ get_request | to_json }}"
      delegate_to: ca_request
      delegate_facts: True
      register: cert_result
      failed_when: "(cert_result.stdout | from_json).failed"
    - debug:
        var: cert_result
        verbosity: 2
    # NOTE(review): same stdout vs results[0].stdout mismatch as above.
    - set_fact:
        cert_key: "{{ cert_result.results[0].stdout | string | from_json }}"
    # Install the signed certificate next to the host key; a change
    # notifies the restart handler.
    - name: Write certificate to container
      container_file_write:
        name: "{{ vm_name }}"
        path: "/etc/ssh/ssh_host_ed25519_key-cert.pub"
        text: "{{ cert_key.result }}"
      register: set_pub_key
      notify: restart container
  when: "not vm_ssh_certificate_exists.exists"
# Switch eth0 from dhcp to manual unless it already is. stdout holds the
# matching line when nothing changed, so changed_when only fires after the
# sed rewrite; a change notifies the restart handler.
- name: update container network configuration
  notify: restart container
  register: container_network
  changed_when: "container_network.stdout != 'iface eth0 inet manual'"
  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -F 'iface eth0 inet manual' /etc/network/interfaces || sed -i 's/iface eth0 inet dhcp/iface eth0 inet manual/' /etc/network/interfaces"
# Make sure python and ssh are present (the creation template installs them
# for new containers; this covers containers that already existed).
# apt-get reports "0 newly installed" when nothing was added, which is what
# the changed_when test looks for.
- name: install packages
  notify: restart container
  register: install_packages
  changed_when: "'0 newly installed' not in install_packages.stdout"
  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "apt-get install python ssh -y"
# The file lookup runs on the control node. The 'ssh-rsa ' prefix is
# prepended here, so test_ssh_ca.pub is presumably just the base64 key
# body -- confirm, otherwise the written file would carry the type twice.
# NOTE(review): the file name suggests a test CA; whatever is written here
# becomes the TrustedUserCAKeys for the container (next task), so verify it
# is the CA intended for this environment.
- name: lookup user ca key
  set_fact:
    user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
- name: Update container user CA key
  container_file_write:
    text: 'ssh-rsa {{ user_ca_key }}'
    path: '/etc/ssh/user_ca.pub'
    name: '{{ vm_name }}'
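# Make sshd accept user certificates signed by the CA written above.
# grep -Fx matches the whole line literally, so a commented-out or
# otherwise-prefixed occurrence of the directive no longer counts as
# "already configured" (with plain -F such a line matched, changed_when
# then reported a change and a restart on every run, and the directive was
# never appended).
- name: trust user ca key
  shell: lxc-attach -n {{ vm_name }} --clear-env -e -- bash -c "grep -Fx 'TrustedUserCAKeys /etc/ssh/user_ca.pub' /etc/ssh/sshd_config || echo 'TrustedUserCAKeys /etc/ssh/user_ca.pub' >> /etc/ssh/sshd_config"
  register: trust_ca_key
  changed_when: "trust_ca_key.stdout != 'TrustedUserCAKeys /etc/ssh/user_ca.pub'"
  notify: restart container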
# Run the "restart container" handler now, instead of at the end of the
# play, when any of the tasks that notify it reported a change:
# - update container config      (container_config)
# - Write certificate to container (set_pub_key)
# - update container network configuration (container_network)
# - install packages             (install_packages)
# - trust user ca key            (trust_ca_key)
# The DNS task (container_dns_configuration) registers a result but does
# not notify the handler.
- meta: flush_handlers
# After the (possible) restart, block until the container's sshd accepts
# connections on port 22, checking from the LXC host itself; give up after
# 30 seconds.
- name: "waiting for ssh on {{ vm_name }} vm to start"
  delegate_to: "{{ inventory_hostname }}"
  delegate_facts: true
  wait_for:
    host: "{{ hostvars[vm_name].ansible_host }}"
    port: 22
    timeout: 30
# Fixed 20 second delay once port 22 is reachable.
- pause:
    seconds: 20