Merge pull request #59 from SUNET/jocar-kvmhost

Generic class to setup a KVM server with cloud images
SUNET · Jan 24, 2024 · a73dc4c · a73dc4c
2 parents 560b786 + 9229785
commit a73dc4c
Show file tree

Hide file tree

Showing 15 changed files with 306 additions and 438 deletions.
diff --git a/files/kvm/sunet-modify-kvm-forwardmode b/files/kvm/sunet-modify-kvm-forwardmode
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+command_name=$(basename "$0")
+
+if [ "$#" -ne 3 ]; then
+    echo "usage: $command_name <network-name> <mode-from> <mode-to>"
+    exit 1
+fi
+
+name=$1
+mode_from=$2
+mode_to=$3
+
+# calling net-dumpxml with --inactive is based on information about "virsh net-edit" in man page
+virsh net-define <(virsh net-dumpxml "$name" --inactive | sed "s,<forward mode='$mode_from'/>,<forward mode='$mode_to'/>,")
diff --git a/manifests/cloudimage.pp b/manifests/cloudimage.pp
@@ -38,6 +38,7 @@
   Variant[String, Boolean] $apt_mirror  = 'http://se.archive.ubuntu.com/ubuntu',
 )
 {
+  warning ("sunet::cloudimage is deprecated - please migrate to sunet::kvm::host and sunet::kvm::cloudimage")
   if $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '22.04') >= 0 {
     $kvm_package = 'qemu-system-x86'
   } elsif $::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '16.04') >= 0 {
@@ -104,25 +105,25 @@
 
   $network_template = $network_ver ? {
     '1' => 'sunet/cloudimage/network_config.erb',
-    '2' => 'sunet/cloudimage/network_config-v2.erb',
+    '2' => 'sunet/kvm/network_config-v2.erb',
   }
   file {
     "${script_dir}/${name}":
       ensure => 'directory',
       mode   => '0755',
       ;
     $init_script:
-      content => template("sunet/cloudimage/mk_cloud_image.erb"),
+      content => template("sunet/kvm/mk_cloud_image.erb"),
       require => File[$script_dir],
       mode    => "0750",
       ;
     $meta_data:
-      content => template("sunet/cloudimage/meta_data.erb"),
+      content => template("sunet/kvm/meta_data.erb"),
       require => File[$script_dir],
       mode    => "0750",
       ;
     $user_data:
-      content => template("sunet/cloudimage/user_data.erb"),
+      content => template("sunet/kvm/user_data.erb"),
       require => File[$script_dir],
       mode    => "0750",
       ;

diff --git a/manifests/kvm.pp b/manifests/kvm.pp
diff --git a/manifests/kvm/cloudimage.pp b/manifests/kvm/cloudimage.pp
@@ -0,0 +1,98 @@
+# Setup an image in KVM
+define sunet::kvm::cloudimage (
+  Array[String]            $addresses       = [],
+  String                   $apt_dir         = '/etc/cosmos/apt',
+  Variant[String, Boolean] $apt_mirror      = 'http://se.archive.ubuntu.com/ubuntu',
+  Optional[String]         $apt_proxy       = undef,
+  String                   $bridge          = 'br0',
+  String                   $cpus            = '1',
+  String                   $description     = '',
+  Boolean                  $dhcp4           = true,
+  Boolean                  $dhcp6           = false,
+  Boolean                  $disable_ec2     = false,  # set to true to disable fetching of metadata from 169.254.169.254
+  Optional[String]         $gateway         = undef,
+  Optional[String]         $gateway6        = undef,
+  String                   $image_url       = 'https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-disk1.img',
+  String                   $images_dir      = '/var/lib/libvirt/images',
+  String                   $install_options = '',  # for passing arbitrary parameters to virt-install
+  String                   $local_size      = '0',
+  Optional[String]         $mac             = undef,
+  String                   $memory          = '1024',
+  Optional[String]         $network         = undef,
+  String                   $pool_name       = 'default',
+  Optional[String]         $repo            = undef,
+  Optional[Array]          $resolver        = undef,
+  String                   $rng             = '/dev/random',
+  Array[String]            $search          = [],
+  Boolean                  $secure_boot     = false,
+  String                   $size            = '10G',
+  Optional[Array]          $ssh_keys        = undef,
+  Optional[String]         $tagpattern      = undef,
+)
+{
+
+  $image_url_a = split($image_url, '/')
+  $image_name = $image_url_a[-1]
+  $image_src = "${images_dir}/${image_name}"
+  $script_dir = "${images_dir}/../sunet-files"
+  $init_script = "${script_dir}/${name}/${name}-init.sh"
+  $meta_data = "${script_dir}/${name}/${name}_meta-data"
+  $user_data = "${script_dir}/${name}/${name}_user-data"
+  $network_config = "${script_dir}/${name}/${name}_network-config"
+
+  if $secure_boot {
+    if str2bool($facts['sunet_kvmhost_can_secureboot']) {
+      $sb_args = '--boot=uefi,loader_secure=yes,loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,nvram_template=/usr/share/OVMF/OVMF_VARS.ms.fd --machine=q35 --features smm=on'
+    } else {
+      # The ovmf package in Ubuntu 18.04 did not include the boot loader and NVRAM content to
+      # do secure boot. It needs to be installed from a newer distribution.
+      #
+      # XXX an alternative here would be to set sb_args to just '--boot=uefi,loader_secure=yes'
+      # which would make it possible to install VMs and _then_ install the secure boot loader
+      # (and virsh editing all the already installed VMs).
+      fail("Secure boot of VM ${name} was requested, but it seems the `ovmf' package on this host is too old")
+    }
+  }
+
+  ensure_resource('file', $script_dir, {
+    ensure => 'directory',
+    mode   => '0755',
+  })
+
+  file {
+    "${script_dir}/${name}":
+      ensure => 'directory',
+      mode   => '0755',
+      ;
+    $init_script:
+      content => template('sunet/kvm/mk_cloud_image.erb'),
+      require => File[$script_dir],
+      mode    => '0750',
+      ;
+    $meta_data:
+      content => template('sunet/kvm/meta_data.erb'),
+      require => File[$script_dir],
+      mode    => '0750',
+      ;
+    $user_data:
+      content => template('sunet/kvm/user_data.erb'),
+      require => File[$script_dir],
+      mode    => '0750',
+      ;
+    $network_config:
+      content => template('sunet/kvm/network_config-v2.erb'),
+      require => File[$script_dir],
+      mode    => '0750',
+      ;
+  }
+
+  exec { "${name}_fetch_image":
+    command => "wget -O${image_src} ${image_url}",
+    onlyif  => "test ! -s ${image_src}"
+  }
+
+  exec { "${name}_init":
+    command => "bash ${init_script}",
+    onlyif  => "test ! -f ${images_dir}/${name}.img"
+  }
+}
diff --git a/manifests/kvm/host.pp b/manifests/kvm/host.pp
@@ -0,0 +1,64 @@
+class sunet::kvm::host(
+  Variant[String, Boolean] $nat_bridge_interface = false,
+  Hash                     $vms                   = {},
+) {
+
+  file {
+    '/etc/cosmos-manual-reboot':
+      ensure => present,
+  }
+  package { [
+    'bridge-utils',
+    'cpu-checker',
+    'libvirt-clients',
+    'libvirt-daemon-system',
+    'mtools',
+    'numad',
+    'ovmf',
+    'qemu-system',
+    'qemu-utils',
+    'virtinst',
+    'vlan',
+  ]: ensure => 'present' }
+
+  if $::facts['sunet_nftables_enabled'] != 'yes' {
+    exec { 'fix_iptables_forwarding_for_guests':
+      command => 'sed -i "/^COMMIT/i-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before.rules; ufw reload',
+      path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin', ],
+      unless  => 'grep -q -- "^-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before.rules',
+      onlyif  => 'test -f /etc/ufw/before.rules',
+    }
+
+    exec { 'fix_ip6tables_forwarding_for_guests':
+      command => 'sed -i "/^COMMIT/i-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before6.rules; ufw reload',
+      path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin', ],
+      unless  => 'grep -q -- "^-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/ufw/before6.rules',
+      onlyif  => 'test -f /etc/ufw/before6.rules',
+    }
+  }
+
+  sunet::snippets::file_line {
+    'load_vlan_module_at_boot':
+      filename => '/etc/modules',
+      line     => '8021q',
+      ;
+  }
+
+  if $nat_bridge_interface {
+    if $facts['sunet_nftables_opt_in'] == 'yes' or ($facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') >= 0) { # lint:ignore:140chars
+      file { '/usr/local/bin/sunet-kvm-modify-forwardmode':
+          content => file('sunet/kvmhost/sunet-modify-kvm-forwardmode'),
+          mode    => '0755',
+      }
+
+      exec { '/usr/local/bin/sunet-kvm-modify-forwardmode default nat open':
+        onlyif  => "virsh net-dumpxml default --inactive | grep -q \"<forward mode='nat'/>\""
+      }
+
+      sunet::nftables::kvm_nat { 'sunet::kvm::host': bridge_name => $nat_bridge_interface }
+    }
+  }
+
+  create_resources('sunet::kvm::cloudimage', $vms)
+
+}