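# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
#
# toxcore vms.yml — host preparation for the qemu/libvirt/lxc features of
# TOXCORE_FEATURES: PKI directory, kernel sysctl knobs, per-user ulimits and a
# dnsmasq bind-mode tweak.  Several tasks change kernel- and PAM-level limits;
# the notes below mark the ones that loosen hardening so reviewers can see why.
#
# Changes vs. the previous revision (behaviour otherwise identical):
#   - file modes are quoted strings ("0770" etc.) so the YAML parser never
#     reinterprets them as integers; Ansible also warns on unquoted octals
#   - booleans are written as true/false instead of yes/'yes'
#   - the read-only shell checks report changed=false, and the ulimit probe
#     no longer fails the whole block on a host whose limit is already high
---
- name: "toxcore vms.yml"
  debug:
    verbosity: 1
    msg: "toxcore vms.yml TOXCORE_FEATURES={{TOXCORE_FEATURES}}"

# NOTE(review): delegate_to: localhost runs this on the controller, not on the
# managed host — confirm that is intended (e.g. the VMs are built locally).
- name: "assert /dev/kvm"
  shell: |
    [ -e /dev/kvm ]
  changed_when: false  # pure existence test, never modifies anything
  delegate_to: localhost

# Directory libvirt/qemu reads its TLS material from (see /etc/libvirt/qemu.conf).
# NOTE(review): "0770" makes the PKI directory group-writable — every member of
# BOX_ROOT_GROUP can replace the CA/server certificates qemu trusts.  Use "0750"
# unless group write access is genuinely required.
- name: "make a directory for /etc/pki/qemu"
  file:
    path: "{{item }}"
    state: directory
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    mode: "0770"
  when:
    - "item != ''"
  with_items:
    # see /etc/libvirt/qemu.conf
    - "{{ '/etc/pki/qemu' if ( 'qemu' in TOXCORE_FEATURES or 'libvirt' in TOXCORE_FEATURES ) else '' }}"

- block:
    # NOTE(review): the task name says inotify but the managed block only sets
    # net.ipv4.ip_forward = 1 — either the name or the content is stale.
    # Enabling ip_forward turns the host into a router for every interface;
    # make sure the host firewall restricts forwarding to the libvirt bridge.
    - name: increase fs.inotify.max_user_instances (default 128)
      blockinfile:
        dest: /etc/sysctl.d/70_toxcore_libvirt.conf
        marker: "# {mark} ANSIBLE MANAGED BLOCK toxcore lxd"
        mode: "0440"
        group: "{{BOX_ALSO_GROUP}}"
        create: true
        block: |
          net.ipv4.ip_forward = 1

    # NB this is per user.  Exit status 0 means the current soft limit is below
    # the target; a non-zero status is informational only, so it must not fail
    # the block (the old revision aborted here on hosts that were already tuned).
    - name: check ulimit
      shell: |
        [ `ulimit -n` -lt 4913709 ]
      register: ulimit_retval
      changed_when: false
      failed_when: false

    # Kernel ulimit is less than the expected value! This might induce RC test
    # NOTE(review): "* soft/hard memlock unlimited" removes the locked-memory
    # cap for *every* account, not just the libvirt/tor users that need it;
    # a dedicated group entry (e.g. "@libvirt") would keep the hardening for
    # the rest of the system.  backup: true keeps the previous limits.conf.
    - name: /etc/security/limits.conf
      blockinfile:
        dest: /etc/security/limits.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK harden vms.yml lxd"
        backup: true
        mode: "0644"
        owner: "{{BOX_ROOT_USER}}"
        group: "{{BOX_ROOT_GROUP}}"
        block: |
          root soft nofile 1048576
          root hard nofile 1048576
          # libvirt/whonix seems to run out at 1024 user tor in the contrainer
          * soft nofile 1048576
          * hard nofile 1048576
          * soft memlock unlimited
          * hard memlock unlimited
          # FixMe: either this or @ docker break su with a cryptic
          # pam_open_session: Permission denied
          # with dmesg entries of
          # elogind-daemon[7069]: Failed to open pin file: No such file or
          # elogind-daemon[7069]: Failed to allocate manager object: No such file or
          # and then later when with no limts.conf but still with a chown error on ~/
          # su: Error in services module
          # need this in libvirt guest.
      when:
        # do this anyway for tor and everybody else
        # (the "true or" makes this condition always pass; kept to record intent)
        - true or ulimit_retval.rc|default(1) == 0
  when:
    # always true as written — the chroot-connection exclusion is disabled
    - true or ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS

# https://github.com/lxc/lxc/issues/3068
# lxc-create -t download -n my-container -- --keyserver hkp://p80.pool.sks-keyservers.net:80
# Hope this helps others if it didn't at least help you

# libvirt lxc docker
# NOTE(review): both tasks below set check_mode: false, so they edit the host
# even under `ansible-playbook --check`; drop that if a dry run must stay dry.
# Any failure in this block is swallowed by the rescue handler, so a missing
# /etc/sysctl.conf.d directory (the conventional drop-in dir is /etc/sysctl.d)
# would go unnoticed — verify the path on the target distribution.
- block:
    # see also https://stackoverflow.com/questions/26415833/docker-ignores-limits-conf-trying-to-solve-too-many-open-files-error
    # FixMe: conflicts with harden - use sysctl.d
    # add to your /etc/sysctl.conf : fs.file-max = 64000
    - name: Add fs.file-max to /etc/sysctl.conf
      lineinfile:
        dest: /etc/sysctl.conf
        # the key is interpolated into a regex unescaped; the '.' in
        # fs.file-max matches any character, which is harmless for these keys
        regexp: '^#* *{{item.key}}.*'
        line: "{{item.key}} = {{item.val}}"
        create: true
        state: present
      with_items:
        - { key: "fs.file-max", val: "4913709" }
        #? - {key: "net.ipv4.ip_forward", val: "0"}
        #? not sure about this - see docker check-config.sh
        - { key: "kernel.keys.root_maxkeys", val: "1000000" }
      check_mode: false

    - name: /etc/sysctl.conf.d/20_hugepages.conf
      check_mode: false
      lineinfile:
        dest: /etc/sysctl.conf.d/20_hugepages.conf
        regexp: '^#* *{{item.key}}.*'
        line: "{{item.key}} = {{item.val}}"
        state: present
      with_items:
        # https://wiki.archlinux.org/title/KVM#Enabling_huge_pages
        # boot cmdline hugepages=
        - { key: "vm.nr_hugepages", val: "550" }
  when:
    # effectively always true: 'NA' is mapped to 'host' and the only other
    # values compared are 'host' and 'guest'
    - ansible_virtualization_role|replace('NA', 'host') == 'host' or ansible_virtualization_role|replace('NA', 'host') == 'guest'
  rescue:
    - debug:
        verbosity: 1
        msg: "Ignoring error"

#libvirt
- block:
    # /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
    # Switches libvirt's dnsmasq from bind-dynamic to bind-interfaces so it
    # does not listen on interfaces that appear later.  The paths are fixed
    # list items, not user input, so the unquoted {{item}} in the shell is safe.
    # NOTE(review): libvirt rewrites these files when the network is (re)started
    # — the "virsh net-edit" approach mentioned below is the durable fix.
    - name: "/bind-dynamic/bind-interfaces/ -i /var/lib/libvirt/dnsmasq/default.conf"
      shell: |
        [ -f {{item}} ] || exit 0
        sed -e 's/bind-dynamic/bind-interfaces/' -i {{item}}
      #? virsh net-edit default
      # maybe just check ifconfig for ...
      # bogus? var/lib?
      with_items:
        - /var/lib/libvirt/dnsmasq/network.conf
        - /var/lib/libvirt/dnsmasq/default.conf
      ignore_errors: true
  when:
    - "'libvirt' in TOXCORE_FEATURES" # or 'lxd' in TOXCORE_FEATURES"
    # skip inside containers/VMs where there is no libvirt host network to edit
    - ( ansible_virtualization_type is not defined or not (ansible_virtualization_type in ['chroot', 'lxc', 'lxd', 'docker', 'qemu', 'kvm']))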