From f5d67edf2ffe8a21c6794209db23fe53f94180c9 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 22 Dec 2019 22:44:04 +0100 Subject: improve vm-host network config --- roles/vm/host/tasks/network.yml | 97 +++++++++++++++++++------------- roles/vm/network/templates/interfaces.j2 | 10 ++-- 2 files changed, 63 insertions(+), 44 deletions(-) (limited to 'roles') diff --git a/roles/vm/host/tasks/network.yml b/roles/vm/host/tasks/network.yml index 0c7e36f9..abacf9ab 100644 --- a/roles/vm/host/tasks/network.yml +++ b/roles/vm/host/tasks/network.yml 
@@ -1,41 +1,60 @@ --- -- name: create interface config - copy: - dest: "/etc/network/interfaces.d/{{ vm_host.network.interface }}" - content: | - auto {{ vm_host.network.interface }} - iface {{ vm_host.network.interface }} inet static - address {{ vm_host.network.prefix | ipaddr('address') }} - netmask {{ vm_host.network.prefix | ipaddr('netmask') }} - bridge_ports none - bridge_stp off - bridge_waitport 0 - bridge_fd 0 - up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra - up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf - up modprobe br_netfilter - up /sbin/sysctl net.bridge.bridge-nf-call-iptables=0 - up /sbin/sysctl net.bridge.bridge-nf-call-ip6tables=0 - up /sbin/sysctl net.bridge.bridge-nf-call-arptables=0 - {% if 'nat' in vm_host.network and vm_host.network.nat %} - up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding - up echo 1 > /proc/sys/net/ipv4/conf/{{ ansible_default_ipv4.interface }}/forwarding - up /sbin/iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ vm_host.network.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }} - {% endif %} - {% if 'public' in vm_host.network %} - {% for dest in vm_host.network.public.mappings %} - up /bin/ip route add {{ (vm_host.network.public.prefix | ipaddr(vm_host.network.public.mappings[dest])).split('/')[0] }}/32 via {{ (vm_host.network.prefix | ipaddr(vm_host.network.offsets[dest])).split('/')[0] }} # {{ dest }} - {% endfor %} - up /bin/ip route add unreachable {{ vm_host.network.public.prefix }} - down /sbin/ip route del {{ vm_host.network.public.prefix }} - {% endif %} - {% if 'nat' in vm_host.network and vm_host.network.nat %} - down /sbin/iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ vm_host.network.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }} - {% endif %} - register: vmhost_interface_config +- name: create network bridges + when: "'bridges' in vm_host.network" + block: + - 
name: generate bridge interface config + loop: "{{ vm_host.network.bridges | dict2items }}" + loop_control: + label: "{{ item.key }}" + copy: + dest: "/etc/network/interfaces.d/br-{{ item.key }}" + content: | + auto br-{{ item.key }} + {% if 'prefix' in item.value %} + iface br-{{ item.key }} inet static + address {{ item.value.prefix | ipaddr('address') }} + netmask {{ item.value.prefix | ipaddr('netmask') }} + {% else %} + iface br-{{ item.key }} inet manual + {% endif %} + {% if 'interfaces' in item.value and (item.value.interfaces | length) > 0 %} + bridge_ports {{ item.value.interfaces | join(' ') }} + {% else %} + bridge_ports none + {% endif %} + bridge_stp off + bridge_waitport 0 + bridge_fd 0 + up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra + up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf + up modprobe br_netfilter + up /sbin/sysctl net.bridge.bridge-nf-call-iptables=0 + up /sbin/sysctl net.bridge.bridge-nf-call-ip6tables=0 + up /sbin/sysctl net.bridge.bridge-nf-call-arptables=0 + {% if 'prefix' in item.value %} + {% if 'nat' in item.value and item.value.nat %} + up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding + up echo 1 > /proc/sys/net/ipv4/conf/{{ ansible_default_ipv4.interface }}/forwarding + up /sbin/iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ item.value.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }} + {% endif %} + {% if 'overlay' in item.value %} + {% for dest in item.value.overlay.offsets %} + up /bin/ip route add {{ (item.value.overlay.prefix | ipaddr(item.value.overlay.offsets[dest])).split('/')[0] }}/32 via {{ (item.value.prefix | ipaddr(item.value.offsets[dest])).split('/')[0] }} # {{ dest }} + {% endfor %} + up /bin/ip route add unreachable {{ item.value.overlay.prefix }} + down /sbin/ip route del {{ item.value.overlay.prefix }} + {% endif %} + {% if 'nat' in item.value and item.value.nat %} + down /sbin/iptables -t nat -D POSTROUTING -o {{ 
ansible_default_ipv4.interface }} -s {{ item.value.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }} + {% endif %} + {% endif %} + register: vmhost_bridge_config -## We don't try to be to clever here: aka don't call ifdown before ifup because -## if there are VMs running they would end up with a broken network -- name: bring vm-host interface up - when: vmhost_interface_config is changed - command: "/sbin/ifup {{ vm_host.network.interface }}" + ## We don't try to be to clever here: aka don't call ifdown before ifup because + ## if there are VMs running they would end up with a broken network + - name: bring up bridge interfaces + loop: "{{ vmhost_bridge_config.results }}" + loop_control: + label: "br-{{ item.item.key }}" + when: item is changed + command: "/sbin/ifup br-{{ item.item.key }}" diff --git a/roles/vm/network/templates/interfaces.j2 b/roles/vm/network/templates/interfaces.j2 index aa94440e..db0e322f 100644 --- a/roles/vm/network/templates/interfaces.j2 +++ b/roles/vm/network/templates/interfaces.j2 
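Review bot: The `nat` branch of the generated config turns on `forwarding` for both `br-{{ item.key }}` and `{{ ansible_default_ipv4.interface }}` and adds a SNAT rule, but nothing in this task list installs a FORWARD-chain policy, so unless that is handled elsewhere in the role the host routes freely between the external interface and every NAT bridge (and, via the overlay `/32` routes, from the outside into those VMs) under the kernel's default `ACCEPT`. I would add an explicit outbound-plus-established pair of FORWARD rules next to the SNAT rule, with matching `down` deletions, or at minimum a comment above the `nat` block saying where the FORWARD policy is managed. The `-A` on `up` without a `-C` check also accumulates duplicate SNAT rules whenever `ifup --force` re-runs the hooks; `up /sbin/iptables -t nat -C POSTROUTING … || /sbin/iptables -t nat -A POSTROUTING …` keeps it idempotent. Minor style: the route hooks mix `/bin/ip` on `up` with `/sbin/ip` on `down`; pick one path.
```yaml
          {% if 'nat' in item.value and item.value.nat %}
          up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding
          up echo 1 > /proc/sys/net/ipv4/conf/{{ ansible_default_ipv4.interface }}/forwarding
          up /sbin/iptables -A FORWARD -i $IFACE -o {{ ansible_default_ipv4.interface }} -j ACCEPT
          up /sbin/iptables -A FORWARD -i {{ ansible_default_ipv4.interface }} -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          up /sbin/iptables -t nat -C POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ item.value.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }} || /sbin/iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ item.value.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }}
          {% endif %}
          # … unchanged: overlay routes …
          {% if 'nat' in item.value and item.value.nat %}
          down /sbin/iptables -D FORWARD -i {{ ansible_default_ipv4.interface }} -o $IFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          down /sbin/iptables -D FORWARD -i $IFACE -o {{ ansible_default_ipv4.interface }} -j ACCEPT
          down /sbin/iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ item.value.prefix | ipaddr('network/prefix') }} -j SNAT --to {{ ansible_default_ipv4.address }}
          {% endif %}
```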
@@ -14,11 +14,11 @@ iface {{ network.primary.interface }} inet static pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf address {{ network.primary.ip }} netmask {{ network.primary.mask }} -{% if 'public' in network.primary %} - up /bin/ip addr add dev $IFACE {{ network.primary.public }}/32 - up /bin/ip route add default via {{ network.primary.gateway }} src {{ network.primary.public }} - down /bin/ip route del default via {{ network.primary.gateway }} src {{ network.primary.public }} - down /bin/ip addr del dev $IFACE {{ network.primary.public }}/32 +{% if 'overlay' in network.primary %} + up /bin/ip addr add dev $IFACE {{ network.primary.overlay }}/32 + up /bin/ip route add default via {{ network.primary.gateway }} src {{ network.primary.overlay }} + down /bin/ip route del default via {{ network.primary.gateway }} src {{ network.primary.overlay }} + down /bin/ip addr del dev $IFACE {{ network.primary.overlay }}/32 {% else %} gateway {{ network.primary.gateway }} {% endif %} -- cgit v1.2.3