126 lines
3.7 KiB
YAML
126 lines
3.7 KiB
YAML
# Create `virt_host_key`, which we will use to log in to the target
|
|
# host. Note that this tasks runs on the ansible control host
|
|
# (because of the `delegate_to: localhost`), and we will later copy
|
|
# the public key to the appropriate location.
|
|
- name: Create virthost access key
|
|
delegate_to: localhost
|
|
command: >
|
|
ssh-keygen -f {{ virt_host_key }} -N ''
|
|
-C 'ansible_generated_virt_host'
|
|
-t rsa -b 4096
|
|
args:
|
|
creates: "{{ virt_host_key }}"
|
|
|
|
- name: Ensure tuned is installed
|
|
package:
|
|
name: "tuned"
|
|
state: "present"
|
|
become: true
|
|
|
|
- name: Ensure tuned is enabled and started
|
|
service:
|
|
name: "tuned"
|
|
enabled: "yes"
|
|
state: "started"
|
|
become: true
|
|
|
|
- name: Retrieve current tuned profile
|
|
command: tuned-adm active
|
|
register: tuned
|
|
changed_when: False
|
|
|
|
- name: Set tuned profile if not already set
|
|
command: tuned-adm profile "{{ tuned_profile }}"
|
|
become: true
|
|
when: tuned.stdout.find("{{ tuned_profile }}") != 1
|
|
|
|
# Create a non-root user on the target host. This is the user that
|
|
# will own the virtual infrastructure on which we deploy openstack.
|
|
- name: Create non-root user
|
|
user:
|
|
name: "{{ non_root_user }}"
|
|
state: present
|
|
shell: /bin/bash
|
|
become: true
|
|
|
|
- name: Get the non-root user UID
|
|
command: "id {{ non_root_user }} -u"
|
|
register: non_root_user_uid_output
|
|
changed_when: false
|
|
|
|
- name: Save the non-root user UID
|
|
set_fact:
|
|
non_root_user_uid: "{{ non_root_user_uid_output.stdout }}"
|
|
|
|
# Install the public component of `virt_host_key` in the
|
|
# `.ssh/authorized_keys` file for the non-root user.
|
|
- name: Configure non-root user authorized_keys
|
|
authorized_key:
|
|
user: "{{ ssh_user }}"
|
|
key: "{{ lookup('file', virt_host_key|quote + '.pub')|default('') }}"
|
|
become: true
|
|
|
|
- name: Ensure polkit packages are installed
|
|
package:
|
|
name: "polkit"
|
|
state: "present"
|
|
become: true
|
|
|
|
# This lets the non-root user access the `qemu://system` endpoint. We
|
|
# don't need this with the default configuration (which uses
|
|
# `qemu://session`), but this permits things to work if someone
|
|
# explicitly passes in `libvirt_uri`.
|
|
- name: Grant libvirt privileges to non-root user
|
|
template:
|
|
src: libvirt.pkla.j2
|
|
dest: "/etc/polkit-1/localauthority/50-local.d/50-{{ non_root_user }}-libvirt.pkla"
|
|
become: true
|
|
|
|
- name: Ensure XDG_RUNTIME_DIR is set
|
|
blockinfile:
|
|
dest: .bashrc
|
|
create: true
|
|
block: |
|
|
# Setting up XDG_RUNTIME_DIR for creating non-essential runtime files and other file objects in accordance with
|
|
# https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
|
|
if [[ -z "${XDG_RUNTIME_DIR}" && -d "/run/user/${UID}" ]] ; then
|
|
export XDG_RUNTIME_DIR="/run/user/${UID}"
|
|
fi
|
|
become: true
|
|
become_user: "{{ non_root_user }}"
|
|
|
|
# I'm not always root, but when I am it's because of `sudo`.
|
|
- name: Grant sudo privileges to non-root user
|
|
copy:
|
|
content: |
|
|
{{ non_root_user }} ALL=(ALL) NOPASSWD:ALL
|
|
dest: /etc/sudoers.d/{{ non_root_user }}
|
|
owner: root
|
|
group: root
|
|
mode: 0440
|
|
become: true
|
|
|
|
# This replaces the inventory entry for the virthost. The original
|
|
# entry had `ansible_user: root`, but from now on we will connect as
|
|
# the non-root user.
|
|
- name: Re-add the virthost to the inventory
|
|
add_host:
|
|
name: "{{ virthost }}"
|
|
groups: "virthost"
|
|
ansible_fqdn: "{{ virthost }}"
|
|
ansible_user: "{{ ssh_user }}"
|
|
ansible_host: "{{ virthost }}"
|
|
ansible_private_key_file: "{{ virt_host_key }}"
|
|
|
|
# Create the volume pool directory if it doesn't already exist. This
|
|
# will be the target of the libvirt volume pool we create in the next
|
|
# task.
|
|
- name: Ensure volume pool directory exists
|
|
file:
|
|
path: "{{ libvirt_volume_path }}"
|
|
state: directory
|
|
owner: "{{ non_root_user }}"
|
|
group: "{{ non_root_group }}"
|
|
become: true
|
|
|