diff --git a/roles/vm-sandboxing/README.md b/roles/vm-sandboxing/README.md deleted file mode 100644 index d20497b..0000000 --- a/roles/vm-sandboxing/README.md +++ /dev/null @@ -1,94 +0,0 @@ -# fluencelabs.provider.vm-sandboxing - -Installs pre-requisites and bootstraps a VM for workload sandboxing purposes. - -## Usage - -See this [example](https://github.com/fluencelabs/ansible/blob/main/example/) - -## Role Variables - -See [defaults/](https://github.com/fluencelabs/ansible/blob/main/roles/vm-sandboxing/defaults) for details and examples. - -#### `remote_host` - -- Host target to sent meta information on VM startup. -- type: string -- default: - ```yml - libvirt_user: info-catcher.fluence.dev - ``` - -#### `vm_name` - -- libvirt domain name -- type: string -- default: - ```yml - vm_name: sandbox - ``` - -#### `vm_image_url` - -- QEMU image image URL to download -- type: string - -#### `vm_image_local_path` - -- The image path to use bootstraping the VM -- type: string - -#### `libvirt_user` - -- default debian-based distros user for libvirt -- type: string -- default: - ```yml - libvirt_user: libvirt-qemu - ``` - -#### `libvirt_group` - -- default debian-based distros group for libvirt -- type: string -- default: - ```yml - libvirt_group: kvm - ``` - -#### `bridge_name` - -- default bridge interface name -- type: string -- default: - ```yml - bridge_name: br422442 - ``` - -#### `physical_iface` - -- Physical interface to put into the VM bridge (Must be set!) -- type: string - -#### `vm_mac` - -- generated MAC address for the VM -- type: string -- default: autogenerated - -#### `vm_uuid` - -- generated UUID address for the VM -- type: string -- default: autogenerated - -#### `vm_ram` - -- generated UUID address for the VM -- type: number -- default: - ```yml - vm_ram: 1048576 - ``` - - diff --git a/roles/vm-sandboxing/defaults/main.yml b/roles/vm-sandboxing/defaults/main.yml deleted file mode 100644 index e30fdbc..0000000 
--- a/roles/vm-sandboxing/defaults/main.yml +++ /dev/null @@ -1,41 +0,0 @@ -remote_host: info-catcher.fluence.dev -vm_name: sandbox -vm_image_url: https://fluence-os-images.fra1.digitaloceanspaces.com/sandbox/latest/image.qcow2 -vm_image_local_path: /var/lib/libvirt/qemu/images/{{ vm_name }}.qcow2 -libvirt_user: libvirt-qemu -libvirt_group: kvm -bridge_name: br422442 -physical_iface: "dummy0" # Physical network interface to be added to the bridge # TBD -vm_mac: "{{ '52:54:00' | community.general.random_mac(seed=inventory_hostname) }}" -vm_uuid: "{{ '123' | to_uuid }}" -vm_ram: 1048576 # RAM size in KiB (1 GiB) - -vm_template: | - - {{ vm_name }} - {{ vm_uuid }} - {{ vm_ram }} - {{ vm_cores }} - - hvm - - - - - - - -
- - - - - -
- - - - - - - diff --git a/roles/vm-sandboxing/handlers/main.yml b/roles/vm-sandboxing/handlers/main.yml deleted file mode 100644 index 6a5aa4f..0000000 --- a/roles/vm-sandboxing/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -handlers: - - name: restart libvirtd - service: - name: libvirtd - state: restarted diff --git a/roles/vm-sandboxing/meta/main.yml b/roles/vm-sandboxing/meta/main.yml deleted file mode 100644 index 2527712..0000000 --- a/roles/vm-sandboxing/meta/main.yml +++ /dev/null @@ -1,21 +0,0 @@ -galaxy_info: - namespace: fluencelabs - role_name: vm-sandboxing - license: Apache-2.0 - author: Roman Nozdrin - description: Install and setup Fluence-specific VM sandboxing method - issue_tracker_url: https://github.com/fluencelabs/ansible/issues - min_ansible_version: "2.12" - - platforms: - - name: Ubuntu - versions: - - jammy - - name: Debian - versions: - - bookworm - - galaxy_tags: - - fluence - - web3 - diff --git a/roles/vm-sandboxing/tasks/01-bootstrap-vm.yml b/roles/vm-sandboxing/tasks/01-bootstrap-vm.yml deleted file mode 100644 index 2fe5e6e..0000000 --- a/roles/vm-sandboxing/tasks/01-bootstrap-vm.yml +++ /dev/null 
@@ -1,90 +0,0 @@ - - tasks: - - name: Call HTTP service at localhost - command: curl http://localhost:18080/peer_id - register: localhost_response - - - name: Gather facts - setup: - - - name: Set vm_cores to the number of logical cores - set_fact: - vm_cores: "{{ ansible_processor_vcpus - 4 }}" - - - name: Install libvirt on Debian-based systems - apt: - name: libvirt-daemon-system - state: present - when: ansible_os_family == 'Debian' - - - name: Install virsh on Debian-based systems - apt: - name: qemu-kvm - state: present - when: ansible_os_family == 'Debian' - - - name: Install bridge-utils on Debian-based systems - apt: - name: bridge-utils - state: present - when: ansible_os_family == 'Debian' - - - name: Create bridge interface br422442 - command: brctl addbr {{ bridge_name }} - args: - creates: /sys/class/net/{{ bridge_name }} - - - name: Check if physical interface is part of the bridge - command: brctl show {{ bridge_name }} - register: bridge_output - changed_when: false - - - name: Set fact if physical interface is not in bridge - set_fact: - iface_not_in_bridge: "{{ physical_iface not in bridge_output.stdout }}" - - - name: Add physical interface to the bridge if not already added - command: brctl addif {{ bridge_name }} {{ physical_iface }} - when: iface_not_in_bridge - ignore_errors: yes - - - name: Bring up the bridge interface - command: ip link set {{ bridge_name }} up - when: "bridge_name not in ansible_facts.interfaces" - - - name: Bring up the physical interface - command: ip link set {{ physical_iface }} up - - - name: Download VM image - get_url: - url: "{{ vm_image_url }}" - dest: "{{ vm_image_local_path }}" - mode: '0644' - owner: "{{ libvirt_user }}" - group: "{{ libvirt_group }}" - - - name: Ensure a simple VM is defined - community.libvirt.virt: - command: define - xml: "{{ vm_template }}" - autostart: true - notify: restart libvirtd - - - name: Start the VM - community.libvirt.virt: - name: "{{ vm_name }}" - state: running - - - name: 
Extract peer_id from JSON response - set_fact: - peer_id: "{{ (localhost_response.stdout | from_json).peer_id }}" - - - name: Print peer_id - debug: - msg: "The peer_id is {{ peer_id }}" - - - name: Call HTTP service on a remote host - command: curl -L http://{{ remote_host }}/peer_id/?{{ peer_id }} - register: remotehost_response - - diff --git a/roles/vm-sandboxing/tasks/main.yml b/roles/vm-sandboxing/tasks/main.yml deleted file mode 100644 index acdb703..0000000 --- a/roles/vm-sandboxing/tasks/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: Bootstrap VM sandboxing - ansible.builtin.include_tasks: 01-bootstrap-vm.yml diff --git a/roles/vm-sandboxing/vars/main.yml b/roles/vm-sandboxing/vars/main.yml deleted file mode 100644 index 8b13789..0000000 --- a/roles/vm-sandboxing/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ - diff --git a/roles/vmsandboxing/README.md b/roles/vmsandboxing/README.md index e37547e..3121507 100644 --- a/roles/vmsandboxing/README.md +++ b/roles/vmsandboxing/README.md 
@@ -1,94 +1,3 @@ -# fluencelabs.provider.vm_sandboxing +# fluencelabs.provider.vmsandboxing Installs pre-requisites and bootstraps a VM for workload sandboxing purposes. - -## Usage - -See this [example](https://github.com/fluencelabs/ansible/blob/main/example/) - -## Role Variables - -See -[defaults/](https://github.com/fluencelabs/ansible/blob/main/roles/vm_sandboxing/defaults) -for details and examples. - -#### `vm_remote_host` - -- Host target to sent meta information on VM startup. -- type: string -- default: - ```yml - vm_libvirt_user: info-catcher.fluence.dev - ``` - -#### `vm_name` - -- libvirt domain name -- type: string -- default: - ```yml - vm_name: sandbox - ``` - -#### `vm_image_url` - -- QEMU image image URL to download -- type: string - -#### `vm_image_local_path` - -- The image path to use bootstraping the VM -- type: string - -#### `vm_libvirt_user` - -- default debian-based distros user for libvirt -- type: string -- default: - ```yml - vm_libvirt_user: libvirt-qemu - ``` - -#### `vm_libvirt_group` - -- default debian-based distros group for libvirt -- type: string -- default: - ```yml - vm_libvirt_group: kvm - ``` - -#### `vm_bridge_name` - -- default bridge interface name -- type: string -- default: - ```yml - vm_bridge_name: br422442 - ``` - -#### `vm_physical_iface` - -- Physical interface to put into the VM bridge (Must be set!) -- type: string - -#### `vm_mac` - -- generated MAC address for the VM -- type: string -- default: autogenerated - -#### `vm_uuid` - -- generated UUID address for the VM -- type: string -- default: autogenerated - -#### `vm_ram` - -- generated UUID address for the VM -- type: number -- default: - ```yml - vm_ram: 1048576 - ``` diff --git a/roles/vmsandboxing/defaults/main.yml b/roles/vmsandboxing/defaults/main.yml index e97e7ff..15d8a8b 100644 --- a/roles/vmsandboxing/defaults/main.yml +++ b/roles/vmsandboxing/defaults/main.yml 
@@ -1,23 +1,22 @@ vm_remote_host: info-catcher.fluence.dev vm_name: sandbox vm_image_url: https://fluence-os-images.fra1.digitaloceanspaces.com/sandbox/latest/image.qcow2 -vm_image_local_path: /var/lib/libvirt/qemu/images/{{ vm_name }}.qcow2 -vm_libvirt_user: libvirt-qemu -vm_libvirt_group: kvm -vm_cpu_reserved: 1 -vm_ram_reserved: 1024 +vm_cpu_reserved: 2 +vm_ram_reserved: 4096 -vm_start_opts_default: +vm_options_default: - cpu: "host" - - vcpus: "{{ vm_cores }}" - - ram: "{{ vm_ram }}" - - disk: "{{ vm_image_local_path }}" + - vcpus: "{{ ansible_processor_vcpus - vm_cpu_reserved }}" + - ram: "{{ ansible_memtotal_mb - vm_ram_reserved }}" + - virt_type: 'kvm' - network: "network=default" - os_variant: "ubuntu22.04" - graphics: "none" + - disk: "vol='sandbox/{{ vm_name }}',device=disk,bus=virtio,serial='root'" -vm_start_options: +vm_options: [] +_vm_options: "{{ vm_options_default + vm_options }}" vm_ip: 192.168.122.112 @@ -29,10 +28,11 @@ vm_iptables_map: | "port_map": { "tcp": [ 80, - 443 + 443, + [2222, 22] ], "udp": [ - 80 + 80 ] }, diff --git a/roles/vmsandboxing/files/hooks.schema.json b/roles/vmsandboxing/files/hooks.schema.json index 94a29ad..4c46d94 100644 --- a/roles/vmsandboxing/files/hooks.schema.json +++ b/roles/vmsandboxing/files/hooks.schema.json @@ -195,4 +195,4 @@ } }, "minProperties": 1 -} \ No newline at end of file +} diff --git a/roles/vmsandboxing/files/iptables-hook b/roles/vmsandboxing/files/iptables-hook index 0ac4540..b81dd3e 100644 --- a/roles/vmsandboxing/files/iptables-hook +++ b/roles/vmsandboxing/files/iptables-hook @@ -276,4 +276,4 @@ if __name__ == "__main__": i = 0 for actual_domain in domain: handle_domain(action, actual_domain, substitute_domain_name(vir_domain, str(i))) - i += 1 \ No newline at end of file + i += 1 diff --git a/roles/vmsandboxing/handlers/main.yml b/roles/vmsandboxing/handlers/main.yml index 3643e67..0c99743 100644 --- a/roles/vmsandboxing/handlers/main.yml +++ b/roles/vmsandboxing/handlers/main.yml 
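Review bot: The `[2222, 22]` entry added to the `"tcp"` list of `vm_iptables_map` forwards a host port into the guest (if the pair is read as host port, guest port by `iptables-hook`, whose logic is not in this diff), which publishes the sandbox's SSH service on every host that applies the role defaults. A port forward into a sandbox is an operator decision, so keep the default map at the two web ports and let callers add the pair in their own `vm_iptables_map`, or at minimum put a YAML comment above `vm_iptables_map:` such as `# host port 2222 is forwarded to guest port 22 (SSH); drop it if the sandbox needs no remote shell access`. In the first hunk, `vcpus` and `ram` are now computed inline from `ansible_processor_vcpus - vm_cpu_reserved` and `ansible_memtotal_mb - vm_ram_reserved`, and with the raised defaults (2 CPUs, 4096 MB) a small host yields zero or a negative value with nothing rejecting it, since the preflight asserts are deleted in this same commit. The `_vm_options` expression `vm_options_default + vm_options` appends rather than overrides, so a caller supplying `- vcpus: 4` produces two `vcpus` entries; which one `jm1.libvirt.server` honours is not visible here and deserves a comment next to `_vm_options`.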
@@ -2,3 +2,7 @@
 service:
 name: libvirtd
 state: restarted
+ when: not lookup("env", "MOLECULE_SCENARIO_NAME") | default("")
+
+- name: start vm
+ shell: virsh start "{{ vm_name }}"
diff --git a/roles/vmsandboxing/meta/main.yml b/roles/vmsandboxing/meta/main.yml
index 0c7a85d..9a2fff7 100644
--- a/roles/vmsandboxing/meta/main.yml
+++ b/roles/vmsandboxing/meta/main.yml
@@ -1,6 +1,6 @@
 galaxy_info:
 namespace: fluencelabs
- role_name: vm_sandboxing
+ role_name: vmsandboxing
 license: Apache-2.0
 author: Roman Nozdrin
 description: Install and setup Fluence-specific VM sandboxing method
@@ -11,11 +11,6 @@ galaxy_info:
 - name: Ubuntu
 versions:
 - jammy
- - name: Debian
- versions:
- - bookworm
 
 galaxy_tags:
 - fluence
- - web3
-
diff --git a/roles/vmsandboxing/meta/requirements.yml b/roles/vmsandboxing/meta/requirements.yml
new file mode 100644
index 0000000..462bc51
--- /dev/null
+++ b/roles/vmsandboxing/meta/requirements.yml
@@ -0,0 +1,3 @@
+collections:
+ - jm1.libvirt
+ - jm1.pkg
diff --git a/roles/vmsandboxing/requirements.yml b/roles/vmsandboxing/requirements.yml
new file mode 100644
index 0000000..5ab0fc2
--- /dev/null
+++ b/roles/vmsandboxing/requirements.yml
@@ -0,0 +1,2 @@
+collections:
+ - jm1.libvirt
diff --git a/roles/vmsandboxing/tasks/00-preflight.yml b/roles/vmsandboxing/tasks/00-preflight.yml
deleted file mode 100644
index bfe8aa7..0000000
--- a/roles/vmsandboxing/tasks/00-preflight.yml
+++ /dev/null
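Review bot: The new `start vm` handler runs `shell: virsh start "{{ vm_name }}"`, which is not idempotent — `virsh start` exits non-zero for a domain that is already running, so the next play run that notifies the handler fails on it — and it reaches for `shell` although the command needs no shell features. The deleted `01-bootstrap-vm.yml` shows the idempotent form, which I would use here: `community.libvirt.virt:` / `name: "{{ vm_name }}"` / `state: running` (that collection would then need a line in the new requirements files). If `shell` stays, at least switch to `ansible.builtin.command:` so `vm_name` is never interpreted by a shell. The `when: not lookup("env", "MOLECULE_SCENARIO_NAME") | default("")` guard on the restart handler ties production behaviour to a test-harness environment variable; a one-line comment above it saying why the restart must be skipped under Molecule would spare the next reader the guess.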
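Review bot: Both new requirements files list `jm1.libvirt` (and `jm1.pkg` in `meta/requirements.yml`) without a `version`, so `ansible-galaxy` resolves whatever is newest at install time, and the `import_role` calls into `jm1.libvirt.setup` and `jm1.libvirt.server` added in `01-prepare-instance.yml` and `03-bootstrap-vm.yml` then run third-party code that can change underneath the role between two deployments. Pin each entry, e.g. `- name: jm1.libvirt` / `  version: "<pinned version>"`, where `<pinned version>` is a placeholder for the version this commit was actually tested against, which the page does not state. The two files also disagree (`jm1.pkg` appears only in `meta/requirements.yml`); keep a single list, or add a comment saying why the role-level file carries fewer collections.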
@@ -1,62 +0,0 @@ -- name: check "vm_remote_host" variable - tags: always - ansible.builtin.assert: - that: - - vm_remote_host is defined - - vm_remote_host is string - - vm_remote_host | length - quiet: true - -- name: check "vm_name" variable - tags: always - ansible.builtin.assert: - that: - - vm_name is defined - - vm_name is string - - vm_name | length - quiet: true - -- name: check "vm_image_url" variable - tags: always - ansible.builtin.assert: - that: - - vm_image_url is defined - - vm_image_url is string - - vm_image_url | length - quiet: true - -- name: check "vm_image_local_path" variable - tags: always - ansible.builtin.assert: - that: - - vm_image_local_path is defined - - vm_image_local_path is string - - vm_image_local_path | length - quiet: true - -- name: check "vm_libvirt_user" variable - tags: always - ansible.builtin.assert: - that: - - vm_libvirt_user is defined - - vm_libvirt_user is string - - vm_libvirt_user | length - quiet: true - -- name: check "vm_libvirt_group" variable - tags: always - ansible.builtin.assert: - that: - - vm_libvirt_group is defined - - - vm_libvirt_group | length - quiet: true - -- name: check "vm_iptables_map" variable - tags: always - ansible.builtin.assert: - that: - - vm_iptables_map is defined - # - vm_iptables_map is string # need to debug - - vm_iptables_map | length - quiet: true diff --git a/roles/vmsandboxing/tasks/01-prepare-instance.yml b/roles/vmsandboxing/tasks/01-prepare-instance.yml index 7c75f43..9e59a63 100644 --- a/roles/vmsandboxing/tasks/01-prepare-instance.yml +++ b/roles/vmsandboxing/tasks/01-prepare-instance.yml 
@@ -1,29 +1,19 @@
- - name: Prepare CPU and RAM configuration
- set_fact:
- vm_cores: "{{ ansible_processor_vcpus - vm_cpu_reserved }}"
- vm_ram: "{{ ansible_memtotal_mb - vm_ram_reserved }}"
-
- - name: Prepare start options
- set_fact:
- vm_start_options_final: "{{ vm_start_opts_default | combine(vm_start_options) | to_nice_yaml }}"
+- name: Install required packages
+ apt:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - libvirt-daemon-system
+ - qemu-kvm
+ - cloud-image-utils
 
- - debug:
- msg: "{{ vm_start_options_final }}"
+- name: Satisfy software requirements
+ import_role:
+ name: jm1.libvirt.setup
 
- - name: Install required packages
- apt:
- name: libvirt-daemon-system
- state: present
- loop:
- - libvirt-daemon-system
- - qemu-kvm
- - virt-install
-
- - name: Create image directory
- file:
- path: /var/lib/libvirt/qemu/images
- state: directory
-
- - name: Satisfy software requirements
- import_role:
- name: jm1.libvirt.setup
+- name: Create pool
+ jm1.libvirt.pool:
+ name: sandbox
+ hardware:
+ - type: dir
+ - target: "/var/lib/libvirt/images/sandbox"
diff --git a/roles/vmsandboxing/tasks/02-iptables.yml b/roles/vmsandboxing/tasks/02-network.yml
similarity index 85%
rename from roles/vmsandboxing/tasks/02-iptables.yml
rename to roles/vmsandboxing/tasks/02-network.yml
index 605e7ac..8621a58 100644
--- a/roles/vmsandboxing/tasks/02-iptables.yml
+++ b/roles/vmsandboxing/tasks/02-network.yml
@@ -17,8 +17,3 @@
 copy:
 content: "{{ vm_iptables_map }}"
 dest: /etc/libvirt/hooks/hooks.json
-
-- name: Restart libvirtd
- service:
- name: libvirtd
- state: restarted
\ No newline at end of file
diff --git a/roles/vmsandboxing/tasks/03-bootstrap-vm.yml b/roles/vmsandboxing/tasks/03-bootstrap-vm.yml
index 2b91281..8c2fa55 100644
--- a/roles/vmsandboxing/tasks/03-bootstrap-vm.yml
+++ b/roles/vmsandboxing/tasks/03-bootstrap-vm.yml
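Review bot: `Install required packages` loops `apt` once per package with `name: "{{ item }}"`, which runs three separate apt transactions (three dpkg lock acquisitions and dependency resolutions) where one would do; pass the list directly to `name:` and drop `loop:`, as sketched below. The `hardware:` list of `Create pool` uses one-key mappings (`- type: dir`, `- target: ...`), the same shape as `vm_options_default` in defaults, so that part is consistent. Nothing says what `jm1.libvirt.setup` installs beyond the three apt packages, so a one-line comment on `Satisfy software requirements` naming what it is expected to provide would save the next reader a trip into that collection.
```yaml
- name: Install required packages
  apt:
    name:
      - libvirt-daemon-system
      - qemu-kvm
      - cloud-image-utils
    state: present
# … unchanged: Satisfy software requirements, Create pool …
```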
@@ -1,30 +1,11 @@
- - name: Download VM image
- get_url:
- url: "{{ vm_image_url }}"
- dest: "{{ vm_image_local_path }}"
- mode: '0644'
- owner: "{{ vm_libvirt_user }}"
- group: "{{ vm_libvirt_group }}"
-
- - name: Create a new libvirt domain
- jm1.libvirt.domain:
- name: "{{ vm_name }}"
- hardware:
- - cpu: "host"
- - vcpus: "{{ vm_cores }}"
- - ram: "{{ vm_ram }}"
- - disk: "{{ vm_image_local_path }}"
- - network: "network=default"
- - os_variant: "ubuntu22.04"
- - graphics: "none"
-
- - name: Start VM
- shell: virsh start "{{ vm_name }}" || virsh reboot "{{ vm_name }}"
-
-
- - name: Call HTTP service on a remote host
- command: curl -L http://{{ vm_remote_host }}/peer_id/
-
- - name: pause for 30 seconds
- pause:
- seconds: 15
+- name: Create and start virtual machine
+ import_role:
+ name: jm1.libvirt.server
+ vars:
+ domain: "{{ vm_name }}"
+ hardware: "{{ _vm_options }}"
+ image: "{{ vm_name }}"
+ pool: "sandbox"
+ image_uri: "{{ vm_image_url }}"
+ volume_capacity: "100G"
+ notify: start vm
diff --git a/roles/vmsandboxing/tasks/main.yml b/roles/vmsandboxing/tasks/main.yml
index 272b69c..f4dfef7 100644
--- a/roles/vmsandboxing/tasks/main.yml
+++ b/roles/vmsandboxing/tasks/main.yml
@@ -1,15 +1,8 @@
-- name: Preflight
- tags: always
- ansible.builtin.include_tasks: 00-preflight.yml
-
 - name: Prepare instance
- tags: always
 ansible.builtin.include_tasks: 01-prepare-instance.yml
 
-- name: ip-tables
- tags: always
- ansible.builtin.include_tasks: 02-iptables.yml
+- name: Setup networking
+ ansible.builtin.include_tasks: 02-network.yml
 
 - name: Bootstrap VM
 ansible.builtin.include_tasks: 03-bootstrap-vm.yml
-
diff --git a/roles/vmsandboxing/templates/hooks.json.j2 b/roles/vmsandboxing/templates/hooks.json.j2
deleted file mode 100644
index 68018f3..0000000
--- a/roles/vmsandboxing/templates/hooks.json.j2
+++ /dev/null
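Review bot: `image_uri: "{{ vm_image_url }}"` hands `jm1.libvirt.server` a URL that, per the defaults in this commit, ends in `sandbox/latest/image.qcow2`, and nothing here verifies what comes back — the removed `get_url` task had no `checksum:` either — so every run boots whatever the bucket currently serves, with no way to distinguish a rotated image from a tampered one. Pin the URL to an immutable image path and verify it, for example by fetching with `ansible.builtin.get_url` and `checksum: "sha256:<expected digest>"` before handing the local file to the server role, if that role accepts a local image (its interface is not on the page, and `<expected digest>` is a placeholder). `notify: start vm` sits on an `import_role` task, and Ansible applies most task keywords on `import_role` to each imported task, so the handler is probably queued on any change inside `jm1.libvirt.server`, not only when the domain is created; if that is intended, a comment saying so would help. `volume_capacity: "100G"` is a sizing choice hard-coded in a task; it belongs in `defaults/main.yml` next to `vm_cpu_reserved` and `vm_ram_reserved`, e.g. `vm_volume_capacity: "100G"` referenced here as `volume_capacity: "{{ vm_volume_capacity }}"`.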
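Review bot: Dropping the `Preflight` include removes the only input validation the role had, and the hunk does not replace it: `02-network.yml` still writes `vm_iptables_map` verbatim to `/etc/libvirt/hooks/hooks.json`, and `vm_name`, `vm_image_url` and the new `vm_options` now reach `jm1.libvirt.server` unchecked, so an undefined or empty variable surfaces as a failure deep inside that collection (or, for the hooks file, as an empty JSON file on disk) instead of at the top of the play. Keep a minimal assert in front of `Prepare instance`, e.g. `- name: Check required variables` / `ansible.builtin.assert:` / `that: [vm_name is string and vm_name | length, vm_image_url is string and vm_image_url | length, vm_iptables_map | length]`. The `tags: always` keywords were removed from the remaining includes at the same time; because these are `include_tasks`, a run with `--tags` now skips the includes (and everything inside them) unless the caller tags the include itself, which may be intended but is worth stating in the commit message.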
@@ -1,28 +0,0 @@ -{ - "{{ vm_name }}": { - "interface": "virbr0", - "private_ip": "192.168.1.122", - "port_map": { - "tcp": [ - 80, - 443 - ], - "udp": [ - 80 - ] - }, - - "port_range": [ - { - "init_port": 1000, - "ports_num": 64535, - "protocol": "tcp" - }, - { - "init_port": 1000, - "ports_num": 64535, - "protocol": "udp" - } - ] - } -} \ No newline at end of file