From dbe9dbdc2716081d140edb1321bc1650c20e4025 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 25 Aug 2022 22:21:38 +0200 Subject: [PATCH 01/22] Add ntp-1.int --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index 5876707..62b39c9 100644 --- a/hosts +++ b/hosts @@ -86,6 +86,7 @@ dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re dns-fleming.adm.auro.re dns-fleming-backup.adm.auro.re +ntp-1.int.infra.auro.re prometheus-fleming.adm.auro.re #prometheus-fleming-fo.adm.auro.re radius-fleming.adm.auro.re From d2c1b1c07a7017379d1214abdfa559c9e34183f0 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 25 Aug 2022 23:01:00 +0200 Subject: [PATCH 02/22] chronyd: add role + playbook --- playbooks/chronyd.yml | 16 ++++++++++++++++ roles/chronyd/defaults/main.yml | 9 +++++++++ roles/chronyd/handlers/main.yml | 6 ++++++ roles/chronyd/tasks/main.yml | 24 ++++++++++++++++++++++++ roles/chronyd/templates/chrony.conf.j2 | 23 +++++++++++++++++++++++ roles/chronyd/templates/chrony.keys.j2 | 1 + 6 files changed, 79 insertions(+) create mode 100755 playbooks/chronyd.yml create mode 100644 roles/chronyd/defaults/main.yml create mode 100644 roles/chronyd/handlers/main.yml create mode 100644 roles/chronyd/tasks/main.yml create mode 100644 roles/chronyd/templates/chrony.conf.j2 create mode 100644 roles/chronyd/templates/chrony.keys.j2 diff --git a/playbooks/chronyd.yml b/playbooks/chronyd.yml new file mode 100755 index 0000000..e5a0619 --- /dev/null +++ b/playbooks/chronyd.yml @@ -0,0 +1,16 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: + - ntp-1.int.infra.auro.re + vars: + chronyd__allow_networks: + - 10.128.0.0/16 + - 2a09:6840:128::/48 + chronyd__pools: + - 0.pool.ntp.org + - 1.pool.ntp.org + - 2.pool.ntp.org + - 3.pool.ntp.org + roles: + - chronyd +... diff --git a/roles/chronyd/defaults/main.yml b/roles/chronyd/defaults/main.yml new file mode 100644 index 0000000..8355138 --- /dev/null +++ b/roles/chronyd/defaults/main.yml 
@@ -0,0 +1,9 @@ +--- +chronyd__pools: [] +chronyd__key_file: /etc/chrony/chrony.keys +chronyd__drift_file: /var/lib/chrony/chrony.drift +chronyd__nts_dump_dir: /var/lib/chrony +chronyd__max_update_skew: 100.0 +chronyd__rtcsync: true +chronyd__allow_networks: [] +... diff --git a/roles/chronyd/handlers/main.yml b/roles/chronyd/handlers/main.yml new file mode 100644 index 0000000..4a12e18 --- /dev/null +++ b/roles/chronyd/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart chronyd + systemd: + name: chronyd.service + state: restarted +... diff --git a/roles/chronyd/tasks/main.yml b/roles/chronyd/tasks/main.yml new file mode 100644 index 0000000..9910415 --- /dev/null +++ b/roles/chronyd/tasks/main.yml @@ -0,0 +1,24 @@ +--- +- name: Install chronyd + apt: + name: chrony + +- name: Configure chronyd + template: + src: "{{ item }}.j2" + dest: "/etc/chrony/{{ item }}" + owner: root + group: root + mode: u=rw,g=r,o= + loop: + - chrony.conf + - chrony.keys + notify: + - Restart chronyd + +- name: Enable and start chronyd + systemd: + name: chronyd.service + enabled: true + state: started +... diff --git a/roles/chronyd/templates/chrony.conf.j2 b/roles/chronyd/templates/chrony.conf.j2 new file mode 100644 index 0000000..ea994d8 --- /dev/null +++ b/roles/chronyd/templates/chrony.conf.j2 @@ -0,0 +1,23 @@ +{{ ansible_managed | comment }} + +{% for pool in chronyd__pools %} +pool {{ pool }} iburst +{% endfor %} + +keyfile {{ chronyd__key_file }} +dritfile {{ chronyd__drift_file }} +ntsdumpdir {{ chronyd__nts_dump_dir }} + +log tracking measurements statistics + +maxupdateskew {{ chronyd__max_update_skew | float }} + +{% if chronyd__rtcsync %} +rtcsync +{% endif %} + +leapsectz right/UTC + +{% for network in chronyd__allow_networks %} +allow {{ network | ipaddr }} +{% endfor %} diff --git a/roles/chronyd/templates/chrony.keys.j2 b/roles/chronyd/templates/chrony.keys.j2 new file mode 100644 index 0000000..5c02948 --- /dev/null +++ b/roles/chronyd/templates/chrony.keys.j2 
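Review bot: `Configure chronyd` writes chrony.keys with `group: root` and `mode: u=rw,g=r,o=`, the same ownership as chrony.conf, although it is the credential file; on Debian the package ships it as root:_chrony 0640 (as far as I recall) precisely so that the daemon can still read it after dropping privileges. Startup is unaffected because the keys are read before the privilege drop, but a later `chronyc rekey` presumably fails to re-read a root:root file, so the keys item of the loop should carry `group: _chrony`, which means turning the loop items into dicts with a per-item group the way patch 20 later does for keepalived. chrony.keys.j2 currently holds only the `ansible_managed` comment, so nothing secret is rendered yet; it is still worth stating in defaults/main.yml whether keys are expected to be added by hand or supplied from a vaulted variable.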
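Review bot: The `allow {{ network | ipaddr }}` loop at the end of chrony.conf.j2 renders `allow False` for any entry of chronyd__allow_networks that is not a valid address or network, because `ipaddr` returns False instead of raising, and chronyd then rejects the file after the handler has already restarted it. Failing the play before the template is written is safer: `- assert: { that: chronyd__allow_networks | ipaddr | length == chronyd__allow_networks | length }` in tasks/main.yml (ipaddr drops invalid list entries, so a length mismatch pinpoints a bad value). The same unchecked `| ipaddr` pattern appears in resolv.conf.j2 (patch 07) and interfaces.j2 (patch 08) for nameservers, addresses and gateways.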
@@ -0,0 +1 @@ +{{ ansible_managed | comment }} From 4b2868783f7bceb78ea9d40220acca43a103fdb3 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 25 Aug 2022 23:51:09 +0200 Subject: [PATCH 03/22] chronyd: fix typo in chrony.conf.j2 --- roles/chronyd/templates/chrony.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/chronyd/templates/chrony.conf.j2 b/roles/chronyd/templates/chrony.conf.j2 index ea994d8..2e896ba 100644 --- a/roles/chronyd/templates/chrony.conf.j2 +++ b/roles/chronyd/templates/chrony.conf.j2 @@ -5,7 +5,7 @@ pool {{ pool }} iburst {% endfor %} keyfile {{ chronyd__key_file }} -dritfile {{ chronyd__drift_file }} +driftfile {{ chronyd__drift_file }} ntsdumpdir {{ chronyd__nts_dump_dir }} log tracking measurements statistics From b00d5bc09e6a5da7a17400141f527925406ddb6d Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 25 Aug 2022 23:51:57 +0200 Subject: [PATCH 04/22] chronyd: fix unit name + remove other ntp packages --- roles/chronyd/handlers/main.yml | 2 +- roles/chronyd/tasks/main.yml | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/roles/chronyd/handlers/main.yml b/roles/chronyd/handlers/main.yml index 4a12e18..c6b9394 100644 --- a/roles/chronyd/handlers/main.yml +++ b/roles/chronyd/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Restart chronyd systemd: - name: chronyd.service + name: chrony.service state: restarted ... diff --git a/roles/chronyd/tasks/main.yml b/roles/chronyd/tasks/main.yml index 9910415..ee0bafc 100644 --- a/roles/chronyd/tasks/main.yml +++ b/roles/chronyd/tasks/main.yml @@ -1,4 +1,12 @@ --- +- name: Uninstall ntp and sntp + apt: + name: + - sntp + - ntp + - systemd-timesyncd + state: absent + - name: Install chronyd apt: name: chrony @@ -18,7 +26,7 @@ - name: Enable and start chronyd systemd: - name: chronyd.service + name: chrony.service enabled: true state: started ... From f5f570f635597498e3dd02b4b3a59aa6e2e36a16 Mon Sep 17 00:00:00 2001 
From: Jeltz Date: Fri, 26 Aug 2022 00:06:25 +0200 Subject: [PATCH 05/22] chronyd: deploy everywhere --- playbooks/chronyd.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/playbooks/chronyd.yml b/playbooks/chronyd.yml index e5a0619..e7b629e 100755 --- a/playbooks/chronyd.yml +++ b/playbooks/chronyd.yml @@ -13,4 +13,14 @@ - 3.pool.ntp.org roles: - chronyd + +- hosts: + - all + - "!ntp-1.int.infra.auro.re" + - "!unifi" + vars: + chronyd__pools: + - ntp-1.int.infra.auro.re + roles: + - chronyd ... From 3d2ce8f79f2e5c0ad7de0352ccb8ded9e1ebbf4a Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 26 Aug 2022 10:13:37 +0200 Subject: [PATCH 06/22] ifupdown2: add minimal role --- roles/ifupdown2/tasks/main.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 roles/ifupdown2/tasks/main.yml diff --git a/roles/ifupdown2/tasks/main.yml b/roles/ifupdown2/tasks/main.yml new file mode 100644 index 0000000..0c6d547 --- /dev/null +++ b/roles/ifupdown2/tasks/main.yml @@ -0,0 +1,31 @@ +--- +- name: Gather package facts + package_facts: + manager: apt + +- name: Check if ifupdown2 is installed + set_fact: + must_mask: "{{ 'ifupdown2' not in ansible_facts.packages }}" + +- name: Mask networking before installing ifupdown2 + systemd: + name: networking.service + masked: true + when: must_mask + +- name: Install ifupdown2 + apt: + name: ifupdown2 + +- name: Unmask networking now that ifupdown2 is installed + systemd: + name: networking.service + masked: false + when: must_mask + +- name: Enable and start networking + systemd: + name: networking.service + state: started + enabled: true +... From e26d5dfc2738fc1472cfcf618e1e6b408734ea90 Mon Sep 17 00:00:00 2001 
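Review bot: The second play in playbooks/chronyd.yml gives every host other than ntp-1 and unifi a single source, `chronyd__pools: [ntp-1.int.infra.auro.re]`, so chrony on those hosts has nothing to compare it against and cannot tell a drifting server from a good one, and the whole fleet stops synchronising while ntp-1 is down or being rebuilt. A second internal server, or one public pool entry kept as a fallback on hosts that can reach it, gives chrony something to vote with; a comment on the play stating that single-source operation is accepted would be the minimum. Since the entry is a single hostname, `server` rather than `pool` is the matching chrony directive, though chronyd accepts both.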
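Review bot: If `Install ifupdown2` fails (apt error, dropped connection), networking.service stays masked on the host because `Unmask networking now that ifupdown2 is installed` only runs on the success path, and the next reboot comes up without network. Moving the mask task and the apt task under a `block:` with the unmask task in its `always:` section (keeping `when: must_mask` on it) restores the unit regardless of the outcome. The `set_fact` is harmless, but the same condition could be written inline as `when: "'ifupdown2' not in ansible_facts.packages"` on the two systemd tasks, which is style only.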
From: Jeltz Date: Fri, 26 Aug 2022 19:11:40 +0200 Subject: [PATCH 07/22] resolvconf: add role --- roles/resolvconf/tasks/main.yml | 9 +++++++++ roles/resolvconf/templates/resolv.conf.j2 | 11 +++++++++++ 2 files changed, 20 insertions(+) create mode 100644 roles/resolvconf/tasks/main.yml create mode 100644 roles/resolvconf/templates/resolv.conf.j2 diff --git a/roles/resolvconf/tasks/main.yml b/roles/resolvconf/tasks/main.yml new file mode 100644 index 0000000..d650b78 --- /dev/null +++ b/roles/resolvconf/tasks/main.yml @@ -0,0 +1,9 @@ +--- +- name: Install resolv.conf + template: + src: resolv.conf.j2 + dest: /etc/resolv.conf + owner: root + group: root + mode: u=rw,g=r,o=r +... diff --git a/roles/resolvconf/templates/resolv.conf.j2 b/roles/resolvconf/templates/resolv.conf.j2 new file mode 100644 index 0000000..9376000 --- /dev/null +++ b/roles/resolvconf/templates/resolv.conf.j2 @@ -0,0 +1,11 @@ +{{ ansible_managed | comment }} + +{% for nameserver in resolvconf__nameservers %} +nameserver {{ nameserver | ipaddr }} +{% endfor %} +{% if resolvconf__domain is defined %} +domain {{ resolvconf__domain }} +{% endif %} +{% if resolvconf__search is defined %} +search {{ resolvconf__search | join(" ") }} +{% endif %} From a5a4d28ccc902cbde09fa0566108c62f85e83c45 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 26 Aug 2022 20:52:23 +0200 Subject: [PATCH 08/22] ifupdown2: simple interfaces file configuration --- roles/ifupdown2/defaults/main.yml | 3 +++ roles/ifupdown2/handlers/main.yml | 6 ++++++ roles/ifupdown2/tasks/main.yml | 10 ++++++++++ roles/ifupdown2/templates/interfaces.j2 | 12 ++++++++++++ 4 files changed, 31 insertions(+) create mode 100644 roles/ifupdown2/defaults/main.yml create mode 100644 roles/ifupdown2/handlers/main.yml create mode 100644 roles/ifupdown2/templates/interfaces.j2 diff --git a/roles/ifupdown2/defaults/main.yml b/roles/ifupdown2/defaults/main.yml new file mode 100644 index 0000000..a419f07 --- /dev/null +++ b/roles/ifupdown2/defaults/main.yml 
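Review bot: `Install resolv.conf` writes /etc/resolv.conf directly, but nothing in the role removes or disables the other writers of that file (the resolvconf/openresolv packages, a systemd-resolved stub symlink, a DHCP client hook), so on a host where one is active the file is presumably rewritten after the play and the task reports changed on every run. An `apt: state: absent` for `resolvconf` plus a check that systemd-resolved is not enabled, or at least a comment in tasks/main.yml saying the role assumes it is the sole manager of resolv.conf, would make the assumption explicit. The template in the same commit requires `resolvconf__nameservers` and the role has no defaults/main.yml, so a missing variable surfaces only as a Jinja undefined error; a short `assert` with a message naming the variable is kinder to the next operator.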
@@ -0,0 +1,3 @@ +--- +ifupdown2__interfaces: {} +... diff --git a/roles/ifupdown2/handlers/main.yml b/roles/ifupdown2/handlers/main.yml new file mode 100644 index 0000000..a065d26 --- /dev/null +++ b/roles/ifupdown2/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Restart networking + systemd: + name: networking.service + state: restarted +... diff --git a/roles/ifupdown2/tasks/main.yml b/roles/ifupdown2/tasks/main.yml index 0c6d547..5b1ed81 100644 --- a/roles/ifupdown2/tasks/main.yml +++ b/roles/ifupdown2/tasks/main.yml @@ -23,6 +23,16 @@ masked: false when: must_mask +- name: Configure ifupdown2 + template: + src: interfaces.j2 + dest: /etc/network/interfaces + owner: root + group: root + mode: u=rw,g=r,o= + notify: + - Restart networking + - name: Enable and start networking systemd: name: networking.service diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2 new file mode 100644 index 0000000..236a0ee --- /dev/null +++ b/roles/ifupdown2/templates/interfaces.j2 @@ -0,0 +1,12 @@ +{{ ansible_managed | comment }} + +{% for name, iface in ifupdown2__interfaces.items() %} +allow-hotplug {{ name }} +iface {{ name }} +{% for address in iface.addresses %} + address {{ address | ipaddr }} +{% endfor %} +{% for gateway in iface.gateways %} + gateway {{ gateway | ipaddr }} +{% endfor %} +{% endfor %} From 5ae7126ce29a8986774f84081df3bc90be3daa4f Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 04:10:11 +0200 Subject: [PATCH 09/22] ifupdown2: add support for stanzas with no gateway --- roles/ifupdown2/templates/interfaces.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2 index 236a0ee..81ce05f 100644 --- a/roles/ifupdown2/templates/interfaces.j2 +++ b/roles/ifupdown2/templates/interfaces.j2 
@@ -6,7 +6,8 @@ iface {{ name }} {% for address in iface.addresses %} address {{ address | ipaddr }} {% endfor %} -{% for gateway in iface.gateways %} +{% for gateway in iface.gateways | default([]) %} gateway {{ gateway | ipaddr }} {% endfor %} + {% endfor %} From 15e2db49f378e20938e0b77f96d1ea9bd345cedd Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 04:22:15 +0200 Subject: [PATCH 10/22] add remove_domain_suffix filter --- ansible.cfg | 1 + filter_plugins/net_utils.py | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 filter_plugins/net_utils.py diff --git a/ansible.cfg b/ansible.cfg index 6476e6f..b04e116 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -3,6 +3,7 @@ ask_vault_pass = True roles_path = ./roles retry_files_enabled = False inventory = ./hosts +filter_plugins = ./filter_plugins ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S nocows = 1 forks = 15 diff --git a/filter_plugins/net_utils.py b/filter_plugins/net_utils.py new file mode 100644 index 0000000..082f34d --- /dev/null +++ b/filter_plugins/net_utils.py @@ -0,0 +1,13 @@ +import dns.name + + +class FilterModule: + def filters(self): + return { + "remove_domain_suffix": remove_domain_suffix, + } + + +def remove_domain_suffix(name): + parent = dns.name.from_text(name).parent() + return parent.to_text() From 1281a6a51aa5b017a3c55754fc9b4c28372db0b5 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 04:26:14 +0200 Subject: [PATCH 11/22] ifupdown2: add playbook --- playbooks/ifupdown2.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100755 playbooks/ifupdown2.yml diff --git a/playbooks/ifupdown2.yml b/playbooks/ifupdown2.yml new file mode 100755 index 0000000..01d72f0 --- /dev/null +++ b/playbooks/ifupdown2.yml 
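Review bot: `remove_domain_suffix` returns the parent with its trailing dot, because `dns.name.from_text` produces an absolute name and `to_text()` keeps the root label, so `ntp-1.int.infra.auro.re` becomes `int.infra.auro.re.`, and patch 11 feeds that straight into a resolv.conf `search` line. `return parent.to_text(omit_final_dot=True)` yields the bare domain. `parent()` also raises `dns.name.NoParent` for a single-label or root name, which surfaces as an opaque template failure; catching it and raising `AnsibleFilterError` with the offending name is clearer. dnspython is a new third-party dependency that nothing in the repository declares yet, so a requirements file or a README line is needed for the filter to load on a fresh controller.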
@@ -0,0 +1,32 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: + - ntp-1.int.infra.auro.re + vars: + # TODO: netbox + ifupdown2__hosts: + ntp-1.int.infra.auro.re: + ens18: + gateways: + - 2a09:6840:128::254 + - 10.128.0.254 + addresses: + - 2a09:6840:128::203/56 + - 10.128.0.203/16 + ifupdown2__interfaces: "{{ ifupdown2__hosts[inventory_hostname] }}" + roles: + - ifupdown2 + +- hosts: + - ntp-1.int.infra.auro.re + vars: + resolvconf__nameservers: + - 2a09:6840:128::127 + - 10.128.0.127 + resolvconf__domain: auro.re + resolvconf__search: + - "{{ inventory_hostname | remove_domain_suffix }}" + - auro.re + roles: + - resolvconf +... From f723c3e1a458d47619fa446f23b951aae06adf31 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 04:46:16 +0200 Subject: [PATCH 12/22] ifupdown2: notify ifup -a + auto instead of allow-hotplug --- roles/ifupdown2/handlers/main.yml | 3 +++ roles/ifupdown2/tasks/main.yml | 1 + roles/ifupdown2/templates/interfaces.j2 | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/ifupdown2/handlers/main.yml b/roles/ifupdown2/handlers/main.yml index a065d26..9a5d0c0 100644 --- a/roles/ifupdown2/handlers/main.yml +++ b/roles/ifupdown2/handlers/main.yml @@ -3,4 +3,7 @@ systemd: name: networking.service state: restarted + +- name: Bring all interfaces up + shell: /usr/sbin/ifup -a ... diff --git a/roles/ifupdown2/tasks/main.yml b/roles/ifupdown2/tasks/main.yml index 5b1ed81..aa07c7f 100644 --- a/roles/ifupdown2/tasks/main.yml +++ b/roles/ifupdown2/tasks/main.yml @@ -32,6 +32,7 @@ mode: u=rw,g=r,o= notify: - Restart networking + - Bring all interfaces up - name: Enable and start networking systemd: diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2 index 81ce05f..d61606c 100644 --- a/roles/ifupdown2/templates/interfaces.j2 +++ b/roles/ifupdown2/templates/interfaces.j2 
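Review bot: `Bring all interfaces up` runs `/usr/sbin/ifup -a` through `shell:` although the line uses no shell features; `command:` gives the same result without an intermediate shell (ansible-lint's command-instead-of-shell). It is notified together with `Restart networking`, which already brings the `auto` interfaces down and up (if ifupdown2's unit behaves like stock ifupdown's), so the second handler is redundant, and the restart drops the SSH session whenever the interface Ansible connects through is in the managed set, as ens18 is in playbooks/ifupdown2.yml. ifupdown2 ships `ifreload -a`, which applies a changed interfaces file without downing interfaces whose stanza did not change; one handler `command: /usr/sbin/ifreload -a` replacing both would be the safer choice.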
@@ -1,7 +1,7 @@ {{ ansible_managed | comment }} {% for name, iface in ifupdown2__interfaces.items() %} -allow-hotplug {{ name }} +auto {{ name }} iface {{ name }} {% for address in iface.addresses %} address {{ address | ipaddr }} From 76f76a0ca41454325be38ad307c924c8e3f7ce4c Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 06:52:38 +0200 Subject: [PATCH 13/22] ntp: add logdir + local + logchange support --- playbooks/chronyd.yml | 1 + roles/chronyd/defaults/main.yml | 2 ++ roles/chronyd/templates/chrony.conf.j2 | 7 +++++++ 3 files changed, 10 insertions(+) diff --git a/playbooks/chronyd.yml b/playbooks/chronyd.yml index e7b629e..b2a5c56 100755 --- a/playbooks/chronyd.yml +++ b/playbooks/chronyd.yml @@ -11,6 +11,7 @@ - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org + chronyd__local_stratum: 10 roles: - chronyd diff --git a/roles/chronyd/defaults/main.yml b/roles/chronyd/defaults/main.yml index 8355138..8214c05 100644 --- a/roles/chronyd/defaults/main.yml +++ b/roles/chronyd/defaults/main.yml @@ -3,7 +3,9 @@ chronyd__pools: [] chronyd__key_file: /etc/chrony/chrony.keys chronyd__drift_file: /var/lib/chrony/chrony.drift chronyd__nts_dump_dir: /var/lib/chrony +chronyd__log_dir: /var/log/chrony chronyd__max_update_skew: 100.0 chronyd__rtcsync: true chronyd__allow_networks: [] +chronyd__log_change_seconds: 0.5 ... diff --git a/roles/chronyd/templates/chrony.conf.j2 b/roles/chronyd/templates/chrony.conf.j2 index 2e896ba..2db858a 100644 --- a/roles/chronyd/templates/chrony.conf.j2 +++ b/roles/chronyd/templates/chrony.conf.j2 @@ -7,6 +7,7 @@ pool {{ pool }} iburst keyfile {{ chronyd__key_file }} driftfile {{ chronyd__drift_file }} ntsdumpdir {{ chronyd__nts_dump_dir }} +logdir {{ chronyd__log_dir }} log tracking measurements statistics 
@@ -16,6 +17,12 @@ maxupdateskew {{ chronyd__max_update_skew | float }} rtcsync {% endif %} +{% if chronyd__local_stratum is defined %} +local stratum {{ chronyd__local_stratum | int }} +{% endif %} + +logchange {{ chronyd__log_change_seconds | float }} + leapsectz right/UTC {% for network in chronyd__allow_networks %} From f6b12fd69664e8378900c8a48a03e86d9dda2880 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 08:31:42 +0200 Subject: [PATCH 14/22] ifupdown2: add minimal support for bridges --- roles/ifupdown2/templates/interfaces.j2 | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2 index d61606c..63eba91 100644 --- a/roles/ifupdown2/templates/interfaces.j2 +++ b/roles/ifupdown2/templates/interfaces.j2 @@ -3,11 +3,27 @@ {% for name, iface in ifupdown2__interfaces.items() %} auto {{ name }} iface {{ name }} -{% for address in iface.addresses %} +{% for address in iface.addresses | default([]) %} address {{ address | ipaddr }} {% endfor %} {% for gateway in iface.gateways | default([]) %} gateway {{ gateway | ipaddr }} {% endfor %} +{% if iface.bridge_ports is defined %} + bridge-ports {{ iface.bridge_ports | join(" ") }} +{% endif %} +{% if iface.bridge_vlan_aware is defined %} + bridge-vlan-aware {{ iface.bridge_vlan_aware + | ternary("yes", "no") }} +{% endif %} +{% if iface.bridge_vids is defined %} + bridge-vids {{ iface.bridge_vids | join(",") }} +{% endif %} +{% if iface.vlan_id is defined %} + vlan-id {{ iface.vlan_id | int }} +{% endif %} +{% if iface.vlan_raw_device is defined %} + vlan-raw-device {{ iface.vlan_raw_device }} +{% endif %} {% endfor %} From d5b0fd85c8059e158ab2d304a3e56cea0f47f931 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 09:18:16 +0200 Subject: [PATCH 15/22] ifupdown2: add bridge_disable_pvid option --- roles/ifupdown2/templates/interfaces.j2 | 4 ++++ 1 file changed, 4 insertions(+) 
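Review bot: `bridge-vids {{ iface.bridge_vids | join(",") }}` joins with a comma while `bridge-ports` two lines above joins with a space; ifupdown2 documents bridge-vids as a space-separated list of VIDs and ranges (`bridge-vids 1-100 200`), so the comma form presumably works only while the list has a single entry, as with `1000-1004` in the sample playbook. `join(" ")` keeps the two attributes consistent. The `| default([])` added to the addresses loop is what makes the `ens19: null` port entries render, which is worth a one-line comment in the template since a null interface looks like a mistake at first sight.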
diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2 index 63eba91..eecf4fe 100644 --- a/roles/ifupdown2/templates/interfaces.j2 +++ b/roles/ifupdown2/templates/interfaces.j2 @@ -25,5 +25,9 @@ iface {{ name }} {% if iface.vlan_raw_device is defined %} vlan-raw-device {{ iface.vlan_raw_device }} {% endif %} +{% if iface.bridge_disable_pvid | default(false) %} + bridge-pvid 0 + post-up bridge vlan del dev {{ name }} vid 1 self +{% endif %} {% endfor %} From 5485254c4745de20563be3415c7e0a68569bb169 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 09:28:07 +0200 Subject: [PATCH 16/22] ifupdown2: add forward option --- roles/ifupdown2/templates/interfaces.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2 index eecf4fe..4d53123 100644 --- a/roles/ifupdown2/templates/interfaces.j2 +++ b/roles/ifupdown2/templates/interfaces.j2 @@ -29,5 +29,9 @@ iface {{ name }} bridge-pvid 0 post-up bridge vlan del dev {{ name }} vid 1 self {% endif %} +{% if iface.forward | default(false) %} + ip-forward yes + ip6-forward yes +{% endif %} {% endfor %} From 34b0ed54784dccacb9a923d841f4a649d9372f0a Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 09:35:56 +0200 Subject: [PATCH 17/22] ifupdown2: add ipv6_addrgen option --- roles/ifupdown2/templates/interfaces.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2 index 4d53123..a1e8f8a 100644 --- a/roles/ifupdown2/templates/interfaces.j2 +++ b/roles/ifupdown2/templates/interfaces.j2 @@ -33,5 +33,9 @@ iface {{ name }} ip-forward yes ip6-forward yes {% endif %} +{% if iface.ipv6_addrgen is defined %} + ipv6-addrgen {{ iface.ipv6_addrgen + | ternary("yes", "no") }} +{% endif %} {% endfor %} From 8cc6e916b77059faf84747fc74dd98f662c90579 Mon Sep 17 00:00:00 2001 
From: Jeltz Date: Sat, 27 Aug 2022 10:21:04 +0200 Subject: [PATCH 18/22] ifupdown2: add sample playbook --- hosts | 5 ++ playbooks/ifupdown2.yml | 181 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 186 insertions(+) diff --git a/hosts b/hosts index 26e2665..52f5078 100644 --- a/hosts +++ b/hosts @@ -93,6 +93,11 @@ ntp-1.int.infra.auro.re prometheus-fleming.adm.auro.re #prometheus-fleming-fo.adm.auro.re radius-fleming.adm.auro.re +dns-1.int.infra.auro.re +isp-1.rtr.infra.auro.re +isp-2.rtr.infra.auro.re +dhcp-1.isp.auro.re +dhcp-2.isp.auro.re radius-fleming-backup.adm.auro.re unifi-fleming.adm.auro.re routeur-fleming.adm.auro.re diff --git a/playbooks/ifupdown2.yml b/playbooks/ifupdown2.yml index 01d72f0..fcd816c 100755 --- a/playbooks/ifupdown2.yml +++ b/playbooks/ifupdown2.yml @@ -2,6 +2,11 @@ --- - hosts: - ntp-1.int.infra.auro.re + - dns-1.int.infra.auro.re + - dhcp-1.isp.auro.re + - dhcp-2.isp.auro.re + - isp-1.rtr.infra.auro.re + - isp-2.rtr.infra.auro.re vars: # TODO: netbox ifupdown2__hosts: 
@@ -13,12 +18,188 @@ addresses: - 2a09:6840:128::203/56 - 10.128.0.203/16 + dns-1.int.infra.auro.re: + ens18: + gateways: + - 2a09:6840:128::254 + - 10.128.0.254 + addresses: + - 2a09:6840:128::127/56 + - 10.128.0.127/16 + dhcp-1.isp.auro.re: + ens18: + gateways: + - 2a09:6840:128::254 + - 10.128.0.254 + addresses: + - 2a09:6840:128::204/56 + - 10.128.0.204/16 + ens19: null + clients: + bridge_vlan_aware: true + bridge_ports: + - ens19 + bridge_vids: + - 1000-1004 + client-0: + addresses: + - 100.64.0.2/27 + vlan_id: 1000 + vlan_raw_device: clients + client-1: + addresses: + - 100.64.0.34/27 + vlan_id: 1001 + vlan_raw_device: clients + client-2: + addresses: + - 100.64.0.66/27 + vlan_id: 1002 + vlan_raw_device: clients + client-3: + addresses: + - 100.64.0.98/27 + vlan_id: 1003 + vlan_raw_device: clients + client-4: + addresses: + - 100.64.0.130/27 + vlan_id: 1004 + vlan_raw_device: clients + dhcp-2.isp.auro.re: + ens18: + gateways: + - 2a09:6840:128::254 + - 10.128.0.254 + addresses: + - 2a09:6840:128::91/56 + - 10.128.0.91/16 + ens19: null + clients: + bridge_vlan_aware: true + bridge_ports: + - ens19 + bridge_vids: + - 1000-1004 + client-0: + addresses: + - 100.64.0.3/27 + vlan_id: 1000 + vlan_raw_device: clients + client-1: + addresses: + - 100.64.0.35/27 + vlan_id: 1001 + vlan_raw_device: clients + client-2: + addresses: + - 100.64.0.67/27 + vlan_id: 1002 + vlan_raw_device: clients + client-3: + addresses: + - 100.64.0.99/27 + vlan_id: 1003 + vlan_raw_device: clients + client-4: + addresses: + - 100.64.0.131/27 + vlan_id: 1004 + vlan_raw_device: clients + isp-1.rtr.infra.auro.re: + ens18: + gateways: + - 2a09:6840:128::254 + - 10.128.0.254 + addresses: + - 2a09:6840:128::255/56 + - 10.128.0.255/16 + ens19: null + clients: + bridge_vlan_aware: true + bridge_ports: + - ens19 + bridge_vids: + - 1000-1004 + bridge_disable_pvid: true + forward: true + ipv6_addrgen: false + client-0: + forward: true + vlan_id: 1000 + vlan_raw_device: clients + ipv6_addrgen: false + 
client-1: + forward: true + vlan_id: 1001 + vlan_raw_device: clients + ipv6_addrgen: false + client-2: + forward: true + vlan_id: 1002 + vlan_raw_device: clients + ipv6_addrgen: false + client-3: + forward: true + vlan_id: 1003 + vlan_raw_device: clients + ipv6_addrgen: false + client-4: + forward: true + vlan_id: 1004 + vlan_raw_device: clients + ipv6_addrgen: false + isp-2.rtr.infra.auro.re: + ens18: + gateways: + - 2a09:6840:128::254 + - 10.128.0.254 + addresses: + - 2a09:6840:128::158/56 + - 10.128.0.158/16 + ens19: null + clients: + bridge_vlan_aware: true + bridge_ports: + - ens19 + bridge_vids: + - 1000-1004 + client-0: + forward: true + vlan_id: 1000 + vlan_raw_device: clients + ipv6_addrgen: false + client-1: + forward: true + vlan_id: 1001 + vlan_raw_device: clients + ipv6_addrgen: false + client-2: + forward: true + vlan_id: 1002 + vlan_raw_device: clients + ipv6_addrgen: false + client-3: + forward: true + vlan_id: 1003 + vlan_raw_device: clients + ipv6_addrgen: false + client-4: + forward: true + vlan_id: 1004 + vlan_raw_device: clients + ipv6_addrgen: false ifupdown2__interfaces: "{{ ifupdown2__hosts[inventory_hostname] }}" roles: - ifupdown2 - hosts: - ntp-1.int.infra.auro.re + - dns-1.int.infra.auro.re + - dhcp-1.isp.auro.re + - dhcp-2.isp.auro.re + - isp-1.rtr.infra.auro.re + - isp-2.rtr.infra.auro.re vars: resolvconf__nameservers: - 2a09:6840:128::127 From c6ac61aa53c72c433a8520b276720a6424e9c3c3 Mon Sep 17 00:00:00 2001 
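Review bot: The two redundant routers are configured differently: on isp-1.rtr.infra.auro.re the `clients` bridge has `bridge_disable_pvid: true`, `forward: true` and `ipv6_addrgen: false`, while the same bridge on isp-2.rtr.infra.auro.re has none of the three, so after a failover isp-2 keeps the default PVID, does not forward on the bridge and autoconfigures a link-local address, which is presumably not intended. Unless the asymmetry is deliberate, the isp-2 `clients` stanza should carry the same three keys. The per-host blocks are also near copies differing only in VLAN ids and addresses, which a loop or host_vars entries would make less error-prone; the `# TODO: netbox` comment already points that way. This hunk is the tail of a play whose header is in the previous hunk.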
From: Jeltz Date: Sat, 27 Aug 2022 11:15:18 +0200 Subject: [PATCH 19/22] keepalived: add minimal support for keepalived --- playbooks/keepalived.yml | 25 ++++++ roles/keepalived/defaults/main.yml | 3 + roles/keepalived/handlers/main.yml | 6 ++ roles/keepalived/tasks/main.yml | 21 +++++ roles/keepalived/templates/keepalived.conf.j2 | 83 +++++++++++++++++++ 5 files changed, 138 insertions(+) create mode 100755 playbooks/keepalived.yml create mode 100644 roles/keepalived/defaults/main.yml create mode 100644 roles/keepalived/handlers/main.yml create mode 100644 roles/keepalived/tasks/main.yml create mode 100644 roles/keepalived/templates/keepalived.conf.j2 diff --git a/playbooks/keepalived.yml b/playbooks/keepalived.yml new file mode 100755 index 0000000..4267447 --- /dev/null +++ b/playbooks/keepalived.yml @@ -0,0 +1,25 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: + - isp-1.rtr.infra.auro.re + - isp-2.rtr.infra.auro.re + vars: + # keepalived__notify_master + # keepalived__notify_backup + # keepalived__notify_fault + keepalived__virtual_router_id: 80 + keepalived__interface: ens18 + keepalived__virtual_addresses: + client-0: + - 100.64.0.1/27 + client-1: + - 100.64.0.33/27 + client-2: + - 100.64.0.65/27 + client-3: + - 100.64.0.97/27 + client-4: + - 100.64.0.129/27 + roles: + - keepalived +... diff --git a/roles/keepalived/defaults/main.yml b/roles/keepalived/defaults/main.yml new file mode 100644 index 0000000..c222175 --- /dev/null +++ b/roles/keepalived/defaults/main.yml @@ -0,0 +1,3 @@ +--- +keepalived__virtual_addresses: {} +... diff --git a/roles/keepalived/handlers/main.yml b/roles/keepalived/handlers/main.yml new file mode 100644 index 0000000..df390cb --- /dev/null +++ b/roles/keepalived/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: Reload keepalived + systemd: + name: keepalived.service + state: reloaded +... diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml new file mode 100644 index 0000000..de1a44a --- /dev/null 
+++ b/roles/keepalived/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: Install keepalived + apt: + name: keepalived + +- name: Configure keepalived + template: + src: keepalived.conf.j2 + dest: /etc/keepalived/keepalived.conf + owner: root + group: root + mode: u=rw,g=,o= + notify: + - Reload keepalived + +- name: Enable and start keepalived + systemd: + name: keepalived + enabled: true + state: started +... diff --git a/roles/keepalived/templates/keepalived.conf.j2 b/roles/keepalived/templates/keepalived.conf.j2 new file mode 100644 index 0000000..264c9bd --- /dev/null +++ b/roles/keepalived/templates/keepalived.conf.j2 
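Review bot: `Configure keepalived` replaces /etc/keepalived/keepalived.conf and notifies `Reload keepalived` without checking the rendered file, so a template mistake reaches the running daemon with the broken file already in place, and what happens on reload then depends on the keepalived version. The `template` module's `validate` option runs the daemon's parser on the candidate before it is moved into place: `validate: keepalived --config-test --use-file %s` (the option exists in recent keepalived releases; confirm for the version installed). The `Enable and start keepalived` task names the unit `keepalived` while the handler uses `keepalived.service`; both work, one spelling is easier to grep.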
@@ -0,0 +1,83 @@ +{{ ansible_managed | comment }} + +global_defs { + dynamic_interfaces + script_user root + enable_script_security + vrrp_version 3 +} + +{% +set ipv4_enabled = + keepalived__ipv4_enabled + | default(keepalived__virtual_addresses.values() + | flatten | ansible.utils.ipv4) +%} +{% +set ipv6_enabled = + keepalived__ipv6_enabled + | default(keepalived__virtual_addresses.values() + | flatten | ansible.utils.ipv6) +%} + +vrrp_sync_group group { + group { +{% if ipv4_enabled %} + instance_v4 +{% endif %} +{% if ipv6_enabled %} + instance_v6 +{% endif %} + } +{% if keepalived__notify_master is defined %} + notify_master {{ keepalived__notify_master | enquote('"') }} +{% endif %} +{% if keepalived__notify_backup is defined %} + notify_backup {{ keepalived__notify_backup | enquote('"') }} +{% endif %} +{% if keepalived__notify_fault is defined %} + notify_fault {{ keepalived__notify_fault | enquote('"') }} +{% endif %} +} + +{% if ipv4_enabled %} +vrrp_instance instance_v4 { + virtual_router_id {{ keepalived__virtual_router_id }} + interface {{ keepalived__interface }} + state BACKUP + priority 250 + nopreempt + advert_int 1 + accept + virtual_ipaddress { +{% for dev, addresses in keepalived__virtual_addresses.items() %} +{% for address in addresses %} +{% if address | ansible.utils.ipv4 %} + {{ address }} dev {{ dev }} +{% endif %} +{% endfor %} +{% endfor %} + } +} +{% endif %} + +{% if ipv6_enabled %} +vrrp_instance instance_v6 { + virtual_router_id {{ keepalived__virtual_router_id }} + interface {{ keepalived__interface }} + state BACKUP + priority 250 + nopreempt + advert_int 1 + accept + virtual_ipaddress { +{% for dev, addresses in keepalived__virtual_addresses.items() %} +{% for address in addresses %} +{% if address | ansible.utils.ipv6 %} + {{ address }} dev {{ dev }} +{% endif %} +{% endfor %} +{% endfor %} + } +} +{% endif %} From 9820ae62e8145db215598d567978088cb7850d49 Mon Sep 17 00:00:00 2001 
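Review bot: Both vrrp_instance blocks hard-code `priority 250` and `nopreempt` for every host the role runs on, with no per-host variable, so the two routers advertise equal priority and the master is whichever starts first, with the tie broken on source address; the later "silence priority warning" commit in this series suggests keepalived also complains about it. A `keepalived__priority` variable set per host (host_vars) is the usual fix, and if that commit adds it, only the `state BACKUP` plus `nopreempt` pairing remains to confirm as intentional. `script_user root` with `enable_script_security` means every notify command runs as root, so the notify variables are a root execution path and belong under the same review as the playbooks; a comment saying so next to `script_user` would help.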
From: Jeltz Date: Sat, 27 Aug 2022 12:55:53 +0200 Subject: [PATCH 20/22] keepalived: better support for notify scripts --- roles/keepalived/defaults/main.yml | 3 ++ roles/keepalived/tasks/main.yml | 13 ++++++-- roles/keepalived/templates/keepalived.conf.j2 | 24 +++++++++----- roles/keepalived/templates/notify.sh.j2 | 33 +++++++++++++++++++ 4 files changed, 61 insertions(+), 12 deletions(-) create mode 100644 roles/keepalived/templates/notify.sh.j2 diff --git a/roles/keepalived/defaults/main.yml b/roles/keepalived/defaults/main.yml index c222175..6bbee8b 100644 --- a/roles/keepalived/defaults/main.yml +++ b/roles/keepalived/defaults/main.yml @@ -1,3 +1,6 @@ --- keepalived__virtual_addresses: {} +keepalived__notify_master: [] +keepalived__notify_backup: [] +keepalived__notify_fault: [] ... diff --git a/roles/keepalived/tasks/main.yml b/roles/keepalived/tasks/main.yml index de1a44a..6330901 100644 --- a/roles/keepalived/tasks/main.yml +++ b/roles/keepalived/tasks/main.yml @@ -5,11 +5,18 @@ - name: Configure keepalived template: - src: keepalived.conf.j2 - dest: /etc/keepalived/keepalived.conf + src: "{{ item.src }}" + dest: "{{ item.dest }}" owner: root group: root - mode: u=rw,g=,o= + mode: "{{ item.mode }}" + loop: + - src: keepalived.conf.j2 + dest: /etc/keepalived/keepalived.conf + mode: u=rw,g=,o= + - src: notify.sh.j2 + dest: /etc/keepalived/notify.sh + mode: u=rwx,g=,o= notify: - Reload keepalived diff --git a/roles/keepalived/templates/keepalived.conf.j2 b/roles/keepalived/templates/keepalived.conf.j2 index 264c9bd..257e44c 100644 --- a/roles/keepalived/templates/keepalived.conf.j2 +++ b/roles/keepalived/templates/keepalived.conf.j2 @@ -20,6 +20,7 @@ set ipv6_enabled = | flatten | ansible.utils.ipv6) %} +{% if ipv4_enabled and ipv6_enabled %} vrrp_sync_group group { group { {% if ipv4_enabled %} 
@@ -29,16 +30,11 @@ vrrp_sync_group group {
 instance_v6
 {% endif %}
 }
-{% if keepalived__notify_master is defined %}
- notify_master {{ keepalived__notify_master | enquote('"') }}
-{% endif %}
-{% if keepalived__notify_backup is defined %}
- notify_backup {{ keepalived__notify_backup | enquote('"') }}
-{% endif %}
-{% if keepalived__notify_fault is defined %}
- notify_fault {{ keepalived__notify_fault | enquote('"') }}
-{% endif %}
+ notify_master "/etc/keepalived/notify.sh master"
+ notify_backup "/etc/keepalived/notify.sh backup"
+ notify_fault "/etc/keepalived/notify.sh fault"
 }
+{% endif %}
 {% if ipv4_enabled %}
 vrrp_instance instance_v4 {
@@ -58,6 +54,11 @@ vrrp_instance instance_v4 {
 {% endfor %}
 {% endfor %}
 }
+{% if not (ipv4_enabled and ipv6_enabled) %}
+ notify_master "/etc/keepalived/notify.sh master"
+ notify_backup "/etc/keepalived/notify.sh backup"
+ notify_fault "/etc/keepalived/notify.sh fault"
+{% endif %}
 }
 {% endif %}
@@ -79,5 +80,10 @@ vrrp_instance instance_v6 {
 {% endfor %}
 {% endfor %}
 }
+{% if not (ipv4_enabled and ipv6_enabled) %}
+ notify_master "/etc/keepalived/notify.sh master"
+ notify_backup "/etc/keepalived/notify.sh backup"
+ notify_fault "/etc/keepalived/notify.sh fault"
+{% endif %}
 }
 {% endif %}
diff --git a/roles/keepalived/templates/notify.sh.j2 b/roles/keepalived/templates/notify.sh.j2
new file mode 100644
index 0000000..4f58259
--- /dev/null
+++ b/roles/keepalived/templates/notify.sh.j2
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+master=(
+{% for notify in keepalived__notify_master %}
+ {{ notify | quote }}
+{% endfor %}
+)
+
+backup=(
+{% for notify in keepalived__notify_backup %}
+ {{ notify | quote }}
+{% endfor %}
+)
+
+fault=(
+{% for notify in keepalived__notify_fault %}
+ {{ notify | quote }}
+{% endfor %}
+)
+
+case "$1" in
+ master | backup | fault)
+ scripts="$1[@]"
+ ;;
+ *)
+ echo "Usage: $0 (master|backup|fault)" >&2
+ exit 1
+esac
+
+for script in "${!scripts}"
+do
+ eval "${script}"
+done
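Review bot: The notify hooks now move between the sync group (both address families enabled) and the lone instance (`{% if not (ipv4_enabled and ipv6_enabled) %}`) with no comment explaining why, and the same three `notify_*` lines are repeated verbatim in this hunk and the two that follow it. A `{# notify hooks live on the sync group when one exists so a failover fires them once, not per instance #}` above the first block would record the intent (hedged: that is what the structure suggests, the commit message does not say it). A `{% macro notify_scripts() %}` holding the three lines, called from all three places, would remove the repetition and keep the script path identical everywhere.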
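Review bot: `eval "${script}"` runs every `keepalived__notify_*` entry as root and the loop ignores the result, so a failing hook is neither reported nor reflected in the exit status beyond whatever the last command returned. Adding `set -u` after the shebang and `eval "${script}" || echo "notify ${1}: '${script}' failed" >&2` in the loop keeps the remaining hooks running while making the failure visible on stderr. A header comment should also state that each array entry is a complete shell command line that `eval` re-parses (the `quote` filter only protects the array literal, not the command), and that keepalived's `enable_script_security` vets the path of notify.sh itself, not the commands named inside it, so those should point at root-owned, non-writable files.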
From 1d409506042b78d39eb86f5d9c70f5f17ea08715 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 13:17:35 +0200 Subject: [PATCH 21/22] keepalived: add IPv6 support in playbook --- playbooks/keepalived.yml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/playbooks/keepalived.yml b/playbooks/keepalived.yml index 4267447..e8239a1 100755 --- a/playbooks/keepalived.yml +++ b/playbooks/keepalived.yml @@ -4,22 +4,29 @@ - isp-1.rtr.infra.auro.re - isp-2.rtr.infra.auro.re vars: - # keepalived__notify_master - # keepalived__notify_backup - # keepalived__notify_fault keepalived__virtual_router_id: 80 keepalived__interface: ens18 keepalived__virtual_addresses: client-0: - 100.64.0.1/27 + - 2a09:6841::/56 + - fe80::1/10 client-1: - 100.64.0.33/27 + - 2a09:6841:0:100::/56 + - fe80::1/10 client-2: - 100.64.0.65/27 + - 2a09:6841:0:100::/56 + - fe80::1/10 client-3: - 100.64.0.97/27 + - 2a09:6841:0:200::/56 + - fe80::1/10 client-4: - 100.64.0.129/27 + - 2a09:6841:0:300::/56 + - fe80::1/10 roles: - keepalived ... From e86b17094be9ccd36dfe6ffac27d7e097ab80146 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 13:47:08 +0200 Subject: [PATCH 22/22] keepalived: print link-local VIP first + silence priority warning --- filter_plugins/net_utils.py | 27 +++++++++++++++++++ roles/keepalived/defaults/main.yml | 1 + roles/keepalived/templates/keepalived.conf.j2 | 9 ++++--- 3 files changed, 34 insertions(+), 3 deletions(-) diff --git a/filter_plugins/net_utils.py b/filter_plugins/net_utils.py index 082f34d..5eecace 100644 --- a/filter_plugins/net_utils.py +++ b/filter_plugins/net_utils.py @@ -1,3 +1,6 @@ +import ipaddress +from operator import attrgetter + import dns.name 
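Review bot: `client-1` and `client-2` both receive `2a09:6841:0:100::/56`, while the other clients step through `::`, `:200::` and `:300::`, so this reads as a copy-paste slip that would end up placing the same prefix on two devices; I cannot tell from the hunk which /56 `client-2` was meant to carry, so the value needs checking against the address plan rather than a guess here. The identical `fe80::1/10` on every device looks like a duplicate too but is legitimate for link-local scope; a one-line `# fe80::1 is reused on each link on purpose: link-local scope is per interface` above the first occurrence would spare the next reader the same doubt.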
@@ -5,9 +8,33 @@ class FilterModule:
 def filters(self):
 return {
 "remove_domain_suffix": remove_domain_suffix,
+ "ipaddr_sort": ipaddr_sort,
 }
 def remove_domain_suffix(name):
 parent = dns.name.from_text(name).parent()
 return parent.to_text()
+
+
+def ipaddr_sort(addrs, types, unknown_after=True):
+ check_types = {
+ "global": attrgetter("is_global"),
+ "link-local": attrgetter("is_link_local"),
+ "loopback": attrgetter("is_loopback"),
+ "multicast": attrgetter("is_multicast"),
+ "private": attrgetter("is_private"),
+ "reserved": attrgetter("is_reserved"),
+ "site_local": attrgetter("is_site_local"),
+ "unspecified": attrgetter("is_unspecified"),
+ }
+
+ def addr_weight(addr):
+ if isinstance(addr, str):
+ addr = ipaddress.ip_address(addr.split("/")[0])
+ for index, ty in enumerate(types):
+ if check_types[ty](ipaddress.ip_address(addr)):
+ return index
+ return len(types) if unknown_after else -1
+
+ return sorted(addrs, key=addr_weight)
diff --git a/roles/keepalived/defaults/main.yml b/roles/keepalived/defaults/main.yml
index 6bbee8b..ee034f3 100644
--- a/roles/keepalived/defaults/main.yml
+++ b/roles/keepalived/defaults/main.yml
@@ -3,4 +3,5 @@ keepalived__virtual_addresses: {}
 keepalived__notify_master: []
 keepalived__notify_backup: []
 keepalived__notify_fault: []
+keepalived__max_auto_priority: -1
 ...
diff --git a/roles/keepalived/templates/keepalived.conf.j2 b/roles/keepalived/templates/keepalived.conf.j2
index 257e44c..c99ae10 100644
--- a/roles/keepalived/templates/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived.conf.j2
@@ -5,6 +5,9 @@ global_defs {
 script_user root
 enable_script_security
 vrrp_version 3
+{% if keepalived__max_auto_priority is defined %}
+ max_auto_priority {{ keepalived__max_auto_priority | int }}
+{% endif %}
 }
 {%
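Review bot: `"site_local"` maps to `attrgetter("is_site_local")`, an attribute only `IPv6Address` has, so sorting a mixed list with that type raises `AttributeError` on the first IPv4 entry; the key spelling is also inconsistent (`link-local` with a hyphen, `site_local` with an underscore) and worth settling before callers depend on it. `addr_weight` parses twice as well: the `isinstance(addr, str)` branch builds an address object and `check_types[ty](ipaddress.ip_address(addr))` re-parses it, and a non-string input that carries a prefix length would fail that second parse. One `ipaddress.ip_interface(str(addr)).ip` handles strings, address objects and interface objects alike, a `getattr(..., False)` lookup tolerates family-specific flags, and the lookup table can live at module level; an unknown type name still raises `KeyError`, which is acceptable for a template filter but deserves a docstring line. The rewrite below keeps the filter's signature and the stable-sort behaviour the template relies on.
```python
# one table for both families; looked up with getattr(..., False) because
# some flags (is_site_local) exist only on IPv6Address
_ADDR_CHECKS = {
    "global": "is_global",
    "link-local": "is_link_local",
    "loopback": "is_loopback",
    "multicast": "is_multicast",
    "private": "is_private",
    "reserved": "is_reserved",
    "site_local": "is_site_local",
    "unspecified": "is_unspecified",
}


def ipaddr_sort(addrs, types, unknown_after=True):
    """Stable-sort addrs so entries matching types[0] come first, types[1] next, ...

    Entries matching none of the types go last (unknown_after=True) or first.
    Accepts strings with or without a prefix length as well as ipaddress objects.
    An unknown type name raises KeyError.
    """
    def addr_weight(addr):
        # one parse for str / IPv*Address / IPv*Interface inputs; the prefix is dropped
        ip = ipaddress.ip_interface(str(addr)).ip
        for index, ty in enumerate(types):
            if getattr(ip, _ADDR_CHECKS[ty], False):
                return index
        return len(types) if unknown_after else -1

    return sorted(addrs, key=addr_weight)
```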
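Review bot: The `{% if keepalived__max_auto_priority is defined %}` guard is always true once `roles/keepalived/defaults/main.yml` sets `keepalived__max_auto_priority: -1` in this same commit, so there is no way for an inventory to omit the directive. If opt-out is intended, `{% if keepalived__max_auto_priority is not none %}` with a `null` default expresses it; otherwise the guard can go. Since the commit message says this silences a priority warning, a one-line comment on what `-1` means to keepalived would also help (I cannot confirm the semantics from the hunk), e.g. `{# -1: see keepalived(5) max_auto_priority; set to silence the realtime-priority warning — confirm #}`.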
@@ -38,7 +41,7 @@ vrrp_sync_group group {
 {% if ipv4_enabled %}
 vrrp_instance instance_v4 {
- virtual_router_id {{ keepalived__virtual_router_id }}
+ virtual_router_id {{ keepalived__virtual_router_id | int }}
 interface {{ keepalived__interface }}
 state BACKUP
 priority 250
@@ -64,7 +67,7 @@ vrrp_instance instance_v4 {
 {% if ipv6_enabled %}
 vrrp_instance instance_v6 {
- virtual_router_id {{ keepalived__virtual_router_id }}
+ virtual_router_id {{ keepalived__virtual_router_id | int }}
 interface {{ keepalived__interface }}
 state BACKUP
 priority 250
@@ -73,7 +76,7 @@ vrrp_instance instance_v6 {
 accept
 virtual_ipaddress {
 {% for dev, addresses in keepalived__virtual_addresses.items() %}
-{% for address in addresses %}
+{% for address in addresses | ipaddr_sort(["link-local"]) %}
 {% if address | ansible.utils.ipv6 %}
 {{ address }} dev {{ dev }}
 {% endif %}
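Review bot: The `ipaddr_sort(["link-local"])` in the `instance_v6` loop carries no comment saying why link-local must lead, and the IPv4 loop in the preceding hunk stays unsorted, so a reader cannot tell whether that asymmetry is deliberate. A `{# keepalived takes the first IPv6 VIP as the link-local source of its advertisements, so it has to lead the list — confirm against the keepalived docs #}` above the `for` would capture the reason the commit title only hints at. The `| int` casts on `virtual_router_id` are fine, but `| int` turns an empty string into 0, which keepalived rejects only at load time; `| mandatory | int` would surface a blank inventory value at template time instead (hedged: depends on whether the inventory can ever leave it empty).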