-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhost.yaml
147 lines (146 loc) · 4.21 KB
/
host.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
# Copyright (C) 2017 Felipe Alfaro Solana <[email protected]>
#
# Ansible playbook: prepares the Ubuntu localhost machine (17.04+) for
# hosting LXD containers.
#
# Requirements:
# - Internet connectivity or proxy cache to install Ubuntu packages from
# - A logical volume group (VG) named "vg0" with at least 300GB of free
# disk space.
- hosts: localhost
tasks:
- name: Ensure Git is installed
package:
name: git
- name: Ensure VIM is installed
package:
name: vim
- name: Ensure proper Git user e-mail for etckeeper
git_config:
name: user.email
repo: /etc
scope: global
value: 'root@{{ ansible_fqdn }}'
- name: Ensure proper Git user name for etckeeper
git_config:
name: user.name
repo: /etc
scope: global
value: 'root'
- name: Ensure etckeeper is installed
package:
name: etckeeper
- name: Ensure logical volume for LXD exists
lvol:
vg: vg0
lv: zfs
size: 100%FREE
shrink: False
- name: Ensure LXD is installed
package:
name: "{{item}}"
with_items:
- lxd
- lxd-client
- juju
- zfsutils-linux
- name: Add user to the LXD group
user:
name: falfaro
group: lxd
- name: Ensure LXD is initialized
shell: "lxd init --network-address=0.0.0.0 --network-port=8443 --storage-backend=zfs --storage-create-device=/dev/vg0/zfs --auto"
- name: Ensure LXD bridge exists
shell: "lxc network create lxdbr0 ipv6.address=none ipv4.address=10.0.3.1/24 ipv4.nat=true"
ignore_errors: true
- name: Ensure default LXD profile attaches to LXD bridge
shell: "lxc network attach-profile lxdbr0 default eth0"
ignore_errors: true
- name: Ensure cache LXD profile uses apt-cacher cache
lxd_profile:
name: cache
state: present
description: Use apt-cacher container
config:
boot.autostart: "true"
user.user-data: |
#cloud-config
apt:
proxy: http://cache:3142
tags:
- cache
- lxd_profiles
- name: Ensure openstack LXD profile exists
lxd_profile:
name: openstack
state: present
description: LXD container for nesting OpenStack/LXD
config:
security.privileged: "true"
security.nesting: "true"
linux.kernel_modules: "iptable_nat,ip6table_nat,ebtables,openvswitch,nbd"
raw.lxc: |
lxc.aa_profile=unconfined
lxc.cap.drop=
devices:
mem:
path: /dev/mem
type: unix-char
tags:
- lxd_profiles
- openstack
- name: Ensure nested LXD profile exists
lxd_profile:
name: nested
state: present
description: LXD container for nesting Docker/LXD
config:
security.privileged: "true"
security.nesting: "true"
linux.kernel_modules: "ip_tables,ip6_tables,ebtables,netlink_diag,nf_nat,overlay,openvswitch,nbd"
raw.lxc: |
lxc.aa_profile=unconfined
lxc.mount.auto=proc:rw sys:rw
lxc.cap.drop=
devices:
mem:
path: /dev/mem
type: unix-char
aadisable:
path: /sys/module/nf_conntrack/parameters/hashsize
source: /dev/null
type: disk
aadisable1:
path: /sys/module/apparmor/parameters/enabled
source: /dev/null
type: disk
tags:
- lxd_profiles
- name: Ensure kubernetes LXD profile exists
lxd_profile:
name: kubernetes
state: present
description: LXD container for Kubernetes
config:
linux.kernel_modules: bridge,br_netfilter,ip_tables,ip6_tables,ip_vs,netlink_diag,nf_nat,overlay,xt_conntrack
raw.lxc: |-
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = a
lxc.mount.auto=proc:rw sys:rw
lxc.cap.drop =
security.nesting: "true"
security.privileged: "true"
devices:
mem:
path: /dev/mem
type: unix-char
aadisable:
path: /sys/module/nf_conntrack/parameters/hashsize
source: /dev/null
type: disk
aadisable1:
path: /sys/module/apparmor/parameters/enabled
source: /dev/null
type: disk
tags:
- lxd_profiles