From f5d67edf2ffe8a21c6794209db23fe53f94180c9 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 22 Dec 2019 22:44:04 +0100
Subject: improve vm-host network config
---
 inventory/host_vars/ch-mimas.yml | 8 +--
 inventory/host_vars/sk-2019vm.yml | 28 ++++-----
 inventory/host_vars/sk-testvm.yml | 8 +--
 inventory/host_vars/sk-torrent.yml | 8 +--
 roles/vm/host/tasks/network.yml | 97 +++++++++++++++++++-------------
 roles/vm/network/templates/interfaces.j2 | 10 ++--
 6 files changed, 89 insertions(+), 70 deletions(-)
diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml
index e073d7bc..79246de5 100644
--- a/inventory/host_vars/ch-mimas.yml
+++ b/inventory/host_vars/ch-mimas.yml
@@ -25,7 +25,7 @@ network:
 interfaces: "{{ install.interfaces }}"
 primary:
 interface: eth0
- ip: "{{ hostvars[vm_host].vm_host.network.prefix | ipaddr(hostvars[vm_host].vm_host.network.offsets[inventory_hostname]) | ipaddr('address') }}"
- mask: "{{ hostvars[vm_host].vm_host.network.prefix | ipaddr('netmask') }}"
- gateway: "{{ hostvars[vm_host].vm_host.network.prefix | ipaddr('address') }}"
- public: "{{ (hostvars[vm_host].vm_host.network.public.prefix | ipaddr(hostvars[vm_host].vm_host.network.public.mappings[inventory_hostname])).split('/')[0] }}"
+ ip: "{{ hostvars[vm_host].vm_host.network.bridges.public.prefix | ipaddr(hostvars[vm_host].vm_host.network.bridges.public.offsets[inventory_hostname]) | ipaddr('address') }}"
+ mask: "{{ hostvars[vm_host].vm_host.network.bridges.public.prefix | ipaddr('netmask') }}"
+ gateway: "{{ hostvars[vm_host].vm_host.network.bridges.public.prefix | ipaddr('address') }}"
+ overlay: "{{ (hostvars[vm_host].vm_host.network.bridges.public.overlay.prefix | ipaddr(hostvars[vm_host].vm_host.network.bridges.public.overlay.offsets[inventory_hostname])).split('/')[0] }}"
diff --git a/inventory/host_vars/sk-2019vm.yml b/inventory/host_vars/sk-2019vm.yml
index a24ebf41..b2061380 100644
--- a/inventory/host_vars/sk-2019vm.yml
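Review bot: The new `overlay:` line extracts the address with `.split('/')[0]` while the `ip:` line two lines above uses `| ipaddr('address')` for the same job; the identical lines in sk-testvm.yml and sk-torrent.yml have the same inconsistency. Writing it as `overlay: "{{ hostvars[vm_host].vm_host.network.bridges.public.overlay.prefix | ipaddr(hostvars[vm_host].vm_host.network.bridges.public.overlay.offsets[inventory_hostname]) | ipaddr('address') }}"` keeps all four values on the same filter and drops the string surgery. All four lines also hard-code the VM host's `public` bridge name; if that is intentional, a short comment such as `# primary NIC sits on the vm-host's "public" bridge; overlay is the routed /32 from that bridge's overlay prefix` would tell the reader where these keys come from.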
+++ b/inventory/host_vars/sk-2019vm.yml @@ -13,24 +13,24 @@ base_intel_nic_stability_fix: true vm_host: network: - interface: br-public - prefix: 192.168.250.254/24 dns: - 213.133.100.100 - 213.133.98.98 - 213.133.99.99 - offsets: - sk-torrent: 136 - ch-mimas: 143 - sk-testvm: 253 - nat: yes - public: - prefix: 178.63.180.136/29 - mappings: - sk-torrent: 0 - ch-mimas: 6 - sk-testvm: 7 - + bridges: + public: + prefix: 192.168.250.254/24 + offsets: + sk-torrent: 136 + ch-mimas: 143 + sk-testvm: 253 + nat: yes + overlay: + prefix: 178.63.180.136/29 + offsets: + sk-torrent: 0 + ch-mimas: 6 + sk-testvm: 7 ssh_keys_root: "{{ ssh_keys.equinox[env_group] + ssh_keys.dan }}" diff --git a/inventory/host_vars/sk-testvm.yml b/inventory/host_vars/sk-testvm.yml index 4f740d4b..bad899e5 100644 --- a/inventory/host_vars/sk-testvm.yml +++ b/inventory/host_vars/sk-testvm.yml 
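Review bot: `nat: yes` under `bridges.public` is carried over as a YAML 1.1 truthy word; the task that consumes it tests `item.value.nat` as a boolean, so `nat: true` expresses the same thing without depending on the loader's 1.1/1.2 behaviour and keeps yamllint's truthy rule quiet. The `bridges.public` key holds the private `192.168.250.254/24` prefix while the routed range `178.63.180.136/29` lives under `overlay`, which is easy to misread; a one-line comment such as `# "public" is the bridge name; the routable addresses are the overlay /32s routed via the VMs' private IPs` would prevent that.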
@@ -25,10 +25,10 @@ network:
 interfaces: "{{ install.interfaces }}"
 primary:
 interface: primary0
- ip: "{{ hostvars[vm_host].vm_host.network.prefix | ipaddr(hostvars[vm_host].vm_host.network.offsets[inventory_hostname]) | ipaddr('address') }}"
- mask: "{{ hostvars[vm_host].vm_host.network.prefix | ipaddr('netmask') }}"
- gateway: "{{ hostvars[vm_host].vm_host.network.prefix | ipaddr('address') }}"
- public: "{{ (hostvars[vm_host].vm_host.network.public.prefix | ipaddr(hostvars[vm_host].vm_host.network.public.mappings[inventory_hostname])).split('/')[0] }}"
+ ip: "{{ hostvars[vm_host].vm_host.network.bridges.public.prefix | ipaddr(hostvars[vm_host].vm_host.network.bridges.public.offsets[inventory_hostname]) | ipaddr('address') }}"
+ mask: "{{ hostvars[vm_host].vm_host.network.bridges.public.prefix | ipaddr('netmask') }}"
+ gateway: "{{ hostvars[vm_host].vm_host.network.bridges.public.prefix | ipaddr('address') }}"
+ overlay: "{{ (hostvars[vm_host].vm_host.network.bridges.public.overlay.prefix | ipaddr(hostvars[vm_host].vm_host.network.bridges.public.overlay.offsets[inventory_hostname])).split('/')[0] }}"
 ### this machine will be used to migrate wolke.chaox.org:
diff --git a/inventory/host_vars/sk-torrent.yml b/inventory/host_vars/sk-torrent.yml
index 631e7dca..cdf5f94a 100644
--- a/inventory/host_vars/sk-torrent.yml
+++ b/inventory/host_vars/sk-torrent.yml
@@ -30,9 +30,9 @@ network:
 interfaces: "{{ install.interfaces }}"
 primary:
 interface: primary0
- ip: "{{ hostvars[vm_host].vm_host.network.prefix | ipaddr(hostvars[vm_host].vm_host.network.offsets[inventory_hostname]) | ipaddr('address') }}"
- mask: "{{ hostvars[vm_host].vm_host.network.prefix | ipaddr('netmask') }}"
- gateway: "{{ hostvars[vm_host].vm_host.network.prefix | ipaddr('address') }}"
- public: "{{ (hostvars[vm_host].vm_host.network.public.prefix | ipaddr(hostvars[vm_host].vm_host.network.public.mappings[inventory_hostname])).split('/')[0] }}"
+ ip: "{{ hostvars[vm_host].vm_host.network.bridges.public.prefix | ipaddr(hostvars[vm_host].vm_host.network.bridges.public.offsets[inventory_hostname]) | ipaddr('address') }}"
+ mask: "{{ hostvars[vm_host].vm_host.network.bridges.public.prefix | ipaddr('netmask') }}"
+ gateway: "{{ hostvars[vm_host].vm_host.network.bridges.public.prefix | ipaddr('address') }}"
+ overlay: "{{ (hostvars[vm_host].vm_host.network.bridges.public.overlay.prefix | ipaddr(hostvars[vm_host].vm_host.network.bridges.public.overlay.offsets[inventory_hostname])).split('/')[0] }}"
 transmission_rpc_password: "{{ vault_transmission_rpc_password }}"
diff --git a/roles/vm/host/tasks/network.yml b/roles/vm/host/tasks/network.yml
index 0c7e36f9..abacf9ab 100644
--- a/roles/vm/host/tasks/network.yml
+++ b/roles/vm/host/tasks/network.yml
@@ -1,41 +1,60 @@
 ---
-- name: create interface config
- copy:
- dest: "/etc/network/interfaces.d/{{ vm_host.network.interface }}"
- content: |
- auto {{ vm_host.network.interface }}
- iface {{ vm_host.network.interface }} inet static
- address {{ vm_host.network.prefix | ipaddr('address') }}
- netmask {{ vm_host.network.prefix | ipaddr('netmask') }}
- bridge_ports none
- bridge_stp off
- bridge_waitport 0
- bridge_fd 0
- up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
- up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
- up modprobe br_netfilter
- up /sbin/sysctl net.bridge.bridge-nf-call-iptables=0
- up /sbin/sysctl net.bridge.bridge-nf-call-ip6tables=0
- up /sbin/sysctl net.bridge.bridge-nf-call-arptables=0
- {% if 'nat' in vm_host.network and vm_host.network.nat %}
- up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding
- up echo 1 > /proc/sys/net/ipv4/conf/{{ ansible_default_ipv4.interface }}/forwarding
- up /sbin/iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ vm_host.network.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }}
- {% endif %}
- {% if 'public' in vm_host.network %}
- {% for dest in vm_host.network.public.mappings %}
- up /bin/ip route add {{ (vm_host.network.public.prefix | ipaddr(vm_host.network.public.mappings[dest])).split('/')[0] }}/32 via {{ (vm_host.network.prefix | ipaddr(vm_host.network.offsets[dest])).split('/')[0] }} # {{ dest }}
- {% endfor %}
- up /bin/ip route add unreachable {{ vm_host.network.public.prefix }}
- down /sbin/ip route del {{ vm_host.network.public.prefix }}
- {% endif %}
- {% if 'nat' in vm_host.network and vm_host.network.nat %}
- down /sbin/iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ vm_host.network.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }}
- {% endif %}
- register: vmhost_interface_config
+- name: create network bridges
+ when: "'bridges' in vm_host.network"
+ block:
+ -
name: generate bridge interface config
+ loop: "{{ vm_host.network.bridges | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ dest: "/etc/network/interfaces.d/br-{{ item.key }}"
+ content: |
+ auto br-{{ item.key }}
+ {% if 'prefix' in item.value %}
+ iface br-{{ item.key }} inet static
+ address {{ item.value.prefix | ipaddr('address') }}
+ netmask {{ item.value.prefix | ipaddr('netmask') }}
+ {% else %}
+ iface br-{{ item.key }} inet manual
+ {% endif %}
+ {% if 'interfaces' in item.value and (item.value.interfaces | length) > 0 %}
+ bridge_ports {{ item.value.interfaces | join(' ') }}
+ {% else %}
+ bridge_ports none
+ {% endif %}
+ bridge_stp off
+ bridge_waitport 0
+ bridge_fd 0
+ up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+ up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
+ up modprobe br_netfilter
+ up /sbin/sysctl net.bridge.bridge-nf-call-iptables=0
+ up /sbin/sysctl net.bridge.bridge-nf-call-ip6tables=0
+ up /sbin/sysctl net.bridge.bridge-nf-call-arptables=0
+ {% if 'prefix' in item.value %}
+ {% if 'nat' in item.value and item.value.nat %}
+ up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding
+ up echo 1 > /proc/sys/net/ipv4/conf/{{ ansible_default_ipv4.interface }}/forwarding
+ up /sbin/iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ item.value.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }}
+ {% endif %}
+ {% if 'overlay' in item.value %}
+ {% for dest in item.value.overlay.offsets %}
+ up /bin/ip route add {{ (item.value.overlay.prefix | ipaddr(item.value.overlay.offsets[dest])).split('/')[0] }}/32 via {{ (item.value.prefix | ipaddr(item.value.offsets[dest])).split('/')[0] }} # {{ dest }}
+ {% endfor %}
+ up /bin/ip route add unreachable {{ item.value.overlay.prefix }}
+ down /sbin/ip route del {{ item.value.overlay.prefix }}
+ {% endif %}
+ {% if 'nat' in item.value and item.value.nat %}
+ down /sbin/iptables -t nat -D POSTROUTING -o {{
ansible_default_ipv4.interface }} -s {{ item.value.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }}
+ {% endif %}
+ {% endif %}
+ register: vmhost_bridge_config
-## We don't try to be to clever here: aka don't call ifdown before ifup because
-## if there are VMs running they would end up with a broken network
-- name: bring vm-host interface up
- when: vmhost_interface_config is changed
- command: "/sbin/ifup {{ vm_host.network.interface }}"
+ ## We don't try to be to clever here: aka don't call ifdown before ifup because
+ ## if there are VMs running they would end up with a broken network
+ - name: bring up bridge interfaces
+ loop: "{{ vmhost_bridge_config.results }}"
+ loop_control:
+ label: "br-{{ item.item.key }}"
+ when: item is changed
+ command: "/sbin/ifup br-{{ item.item.key }}"
diff --git a/roles/vm/network/templates/interfaces.j2 b/roles/vm/network/templates/interfaces.j2
index aa94440e..db0e322f 100644
--- a/roles/vm/network/templates/interfaces.j2
+++ b/roles/vm/network/templates/interfaces.j2
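Review bot: `item.key` becomes a kernel interface name (`br-{{ item.key }}`), a file name under /etc/network/interfaces.d and an unquoted argument to `/sbin/ifup`, yet nothing validates it, so a key longer than 12 characters (interface names are capped at 15) or one containing whitespace only fails at ifup time on the host; an assert task at the start of the block, as below, turns that into an early, readable failure. The `net.bridge.bridge-nf-call-*` sysctls in the `up` lines are host-global rather than per-bridge, and since a bridge may now carry physical `interfaces`, disabling them also keeps frames bridged between those ports and the VMs away from iptables — if that is intended, a comment such as `# bridge-nf-call-* is global: VM<->uplink traffic on bridges with ports is not filtered by iptables` next to the first sysctl line would save the next reader the research. The overlay route loop indexes `item.value.offsets[dest]`, so it presumably requires every overlay offset key to also be present in the bridge's own `offsets`; that contract is worth a comment next to the `{% for %}`.

```yaml
- name: create network bridges
  when: "'bridges' in vm_host.network"
  block:
  - name: validate bridge names
    loop: "{{ vm_host.network.bridges | list }}"
    assert:
      that:
        - "(item | length) <= 12"
        - "item is match('^[a-zA-Z0-9_-]+$')"
      msg: "bridge name '{{ item }}' is invalid: br-<name> must be at most 15 characters and contain no whitespace"
  # … unchanged: generate bridge interface config / bring up bridge interfaces …
```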
@@ -14,11 +14,11 @@ iface {{ network.primary.interface }} inet static
 pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
 address {{ network.primary.ip }}
 netmask {{ network.primary.mask }}
-{% if 'public' in network.primary %}
- up /bin/ip addr add dev $IFACE {{ network.primary.public }}/32
- up /bin/ip route add default via {{ network.primary.gateway }} src {{ network.primary.public }}
- down /bin/ip route del default via {{ network.primary.gateway }} src {{ network.primary.public }}
- down /bin/ip addr del dev $IFACE {{ network.primary.public }}/32
+{% if 'overlay' in network.primary %}
+ up /bin/ip addr add dev $IFACE {{ network.primary.overlay }}/32
+ up /bin/ip route add default via {{ network.primary.gateway }} src {{ network.primary.overlay }}
+ down /bin/ip route del default via {{ network.primary.gateway }} src {{ network.primary.overlay }}
+ down /bin/ip addr del dev $IFACE {{ network.primary.overlay }}/32
 {% else %}
 gateway {{ network.primary.gateway }}
 {% endif %}
--
cgit v1.2.3