161 lines
5.2 KiB
YAML
161 lines
5.2 KiB
YAML
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
|
|
|
|
---
|
|
|
|
- name: "toxcore vms.yml"
|
|
debug:
|
|
verbosity: 1
|
|
msg: "toxcore vms.yml TOXCORE_FEATURES={{TOXCORE_FEATURES}}"
|
|
|
|
- name: "assert /dev/kvm"
|
|
shell: |
|
|
[ -e /dev/kvm ]
|
|
delegate_to: localhost
|
|
|
|
- name: "make a directory for /etc/pki/qemu"
|
|
file:
|
|
path: "{{item }}"
|
|
state: directory
|
|
owner: "{{BOX_ROOT_USER}}"
|
|
group: "{{BOX_ROOT_GROUP}}"
|
|
mode: 0770
|
|
when:
|
|
- "item != ''"
|
|
with_items:
|
|
# see /etc/libvirt/qemu.conf
|
|
- "{{ '/etc/pki/qemu' if ( 'qemu' in TOXCORE_FEATURES or 'libvirt' in TOXCORE_FEATURES ) else '' }}"
|
|
|
|
- block:
|
|
|
|
- name: increase fs.inotify.max_user_instances (default 128)
|
|
blockinfile:
|
|
dest: /etc/sysctl.d/70_toxcore_libvirt.conf
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK toxcore lxd"
|
|
mode: 0440
|
|
group: "{{BOX_ALSO_GROUP}}"
|
|
create: yes
|
|
block: |
|
|
net.ipv4.ip_forward = 1
|
|
|
|
# NB this is per user
|
|
- name: check ulimit
|
|
shell: |
|
|
[ `ulimit -n` -lt 4913709 ]
|
|
register: ulimit_retval
|
|
|
|
# Kernel ulimit is less than the expected value! This might induce RC test
|
|
- name: /etc/security/limits.conf
|
|
blockinfile:
|
|
dest: /etc/security/limits.conf
|
|
create: yes
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK harden vms.yml lxd"
|
|
backup: 'yes'
|
|
mode: 0644
|
|
owner: "{{BOX_ROOT_USER}}"
|
|
group: "{{BOX_ROOT_GROUP}}"
|
|
block: |
|
|
root soft nofile 1048576
|
|
root hard nofile 1048576
|
|
# libvirt/whonix seems to run out at 1024 user tor in the contrainer
|
|
* soft nofile 1048576
|
|
* hard nofile 1048576
|
|
* soft memlock unlimited
|
|
* hard memlock unlimited
|
|
# FixMe: either this or @ docker break su with a cryptic
|
|
# pam_open_session: Permission denied
|
|
# with dmesg entries of
|
|
# elogind-daemon[7069]: Failed to open pin file: No such file or
|
|
# elogind-daemon[7069]: Failed to allocate manager object: No such file or
|
|
# and then later when with no limts.conf but still with a chown error on ~/
|
|
# su: Error in services module
|
|
|
|
# need this in libvirt guest.
|
|
when:
|
|
# do this anyway for tor and everybody else
|
|
- true or ulimit_retval.rc|default(1) == 0
|
|
|
|
when:
|
|
- true or ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
|
|
|
|
# https://github.com/lxc/lxc/issues/3068
|
|
# lxc-create -t download -n my-container -- --keyserver hkp://p80.pool.sks-keyservers.net:80
|
|
# Hope this helps others if it didn't at least help you
|
|
# libvirt lxc docker
|
|
- block:
|
|
|
|
# see also https://stackoverflow.com/questions/26415833/docker-ignores-limits-conf-trying-to-solve-too-many-open-files-error
|
|
# FixMe: conflicts with harden - use sysctl.d
|
|
# add to your /etc/sysctl.conf : fs.file-max = 64000
|
|
- name: Add fs.file-max to /etc/sysctl.conf
|
|
lineinfile:
|
|
dest: /etc/sysctl.conf
|
|
regexp: '^#* *{{item.key}}.*'
|
|
line: "{{item.key}} = {{item.val}}"
|
|
create: true
|
|
state: present
|
|
with_items:
|
|
- { key: "fs.file-max", val: "4913709" }
|
|
#? - {key: "net.ipv4.ip_forward", val: "0"}
|
|
#? not sure about this - see docker check-config.sh
|
|
- { key: "kernel.keys.root_maxkeys", val: "1000000" }
|
|
check_mode: false
|
|
|
|
- name: /etc/sysctl.conf.d/20_hugepages.conf
|
|
check_mode: false
|
|
lineinfile:
|
|
dest: /etc/sysctl.conf.d/20_hugepages.conf
|
|
regexp: '^#* *{{item.key}}.*'
|
|
line: "{{item.key}} = {{item.val}}"
|
|
state: present
|
|
with_items:
|
|
# https://wiki.archlinux.org/title/KVM#Enabling_huge_pages
|
|
# boot cmdline hugepages=
|
|
- { key: "vm.nr_hugepages", val: "550" }
|
|
|
|
when:
|
|
- ansible_virtualization_role|replace('NA', 'host') == 'host' or
|
|
ansible_virtualization_role|replace('NA', 'host') == 'guest'
|
|
|
|
rescue:
|
|
- debug:
|
|
verbosity: 1
|
|
msg: "Ignoring error"
|
|
|
|
#libvirt
|
|
- block:
|
|
|
|
# /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
|
|
- name: "/bind-dynamic/bind-interfaces/ -i /var/lib/libvirt/dnsmasq/default.conf"
|
|
shell: |
|
|
[ -f {{item}} ] || exit 0
|
|
sed -e 's/bind-dynamic/bind-interfaces/' -i {{item}}
|
|
#? virsh net-edit default
|
|
# maybe just check ifconfig for ...
|
|
# bogus? var/lib?
|
|
with_items:
|
|
- /var/lib/libvirt/dnsmasq/network.conf
|
|
- /var/lib/libvirt/dnsmasq/default.conf
|
|
ignore_errors: true
|
|
|
|
- name: foo
|
|
shell: |
|
|
# https://pypi.org/project/negotiator-common/#on-kvm-qemu-guests
|
|
GUEST_NAME="gentoo_vm-2" # or gentoo_overlay-2
|
|
cat > /dev/null << EOF
|
|
<channel type='unix'>
|
|
<source mode='bind' path='/var/lib/libvirt/qemu/channel/target/$GUEST_NAME.negotiator-host-to-guest.0' />
|
|
<target type='virtio' name='negotiator-host-to-guest.0' />
|
|
</channel>
|
|
|
|
<channel type='unix'>
|
|
<source mode='bind' path='/var/lib/libvirt/qemu/channel/target/$GUEST_NAME.negotiator-guest-to-host.0' />
|
|
<target type='virtio' name='negotiator-guest-to-host.0' />
|
|
</channel>
|
|
EOF
|
|
|
|
when:
|
|
- "'libvirt' in TOXCORE_FEATURES" # or 'lxd' in TOXCORE_FEATURES"
|
|
- ( ansible_virtualization_type is not defined or
|
|
not (ansible_virtualization_type in ['chroot', 'lxc', 'lxd', 'docker', 'qemu', 'kvm']))
|
|
|