Move all shared into this new repo

virt/docker/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Installing Docker apt repository prerequisites
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - gnupg2
+      - software-properties-common
+
+- name: Addding Docker apt repository key
+  apt_key: url='https://download.docker.com/linux/debian/gpg' state=present
+
+- name: Adding Docker apt repository sources
+  apt_repository: repo='deb [arch=amd64] https://download.docker.com/linux/debian stretch stable' state=present
+
+- name: Installing Docker
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - docker-ce
+      - docker-compose

virt/opennebula-5.10-controller/files/ssh.config

@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null

virt/opennebula-5.10-controller/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Adding Debian 9 OpenNebula GPG key
+  apt_key: url='https://downloads.opennebula.org/repo/repo.key' state=present
+  when: ansible_os_family == "Debian"
+
+- name: Adding Debian 9 OpenNebula repository
+  apt_repository: repo='deb https://downloads.opennebula.org/repo/5.10/Debian/9 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+- name: Adding Debian 10 OpenNebula repository
+  apt_repository: repo='deb https://downloads.opennebula.org/repo/5.10/Debian/10 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+# Install OpenNebula
+- name: Installing OpenNebula controller applications
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - opennebula
+      - opennebula-sunstone
+      - opennebula-gate
+      - opennebula-flow
+
+# NO longer required for 5.10
+# Install OpenNebula ruby gem dependencies (ONE TIME)
+#- name: Installing OpenNebula ruby gem dependencies
+#  command: '/usr/share/one/install_gems --yes'
+#  run_once: true
+
+# NOTE: OpenNebula daemons do NOT start after install, contrary to how most other debian packages behave.
+# This is good as we want to set passwords and other configurations before we start OpenNebula for the first time.
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+  copy:
+    src: 'files/ssh.config'
+    dest: '/var/lib/one/.ssh/config'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0644

virt/opennebula-5.10-kvm-node/files/libvirtd.conf

@@ -0,0 +1,493 @@
+# Master libvirt daemon configuration file
+#
+# For further information consult https://libvirt.org/format.html
+#
+# NOTE: the tests/daemon-conf regression test script requires
+# that each "PARAMETER = VALUE" line in this file have the parameter
+# name just after a leading "#".
+
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+#listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+#listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+#tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+#tcp_port = "16509"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+# If the libvirtd service is started in parallel with network
+# startup (e.g. with systemd), binding to addresses other than
+# the wildcards (0.0.0.0/::) might not be available yet.
+#
+#listen_addr = "192.168.0.1"
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is disabled by default, uncomment this to enable it
+#mdns_adv = 1
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is substituted for the short hostname of the machine (without domain)
+#
+#mdns_name = "Virtualization Host Joe Demo"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+#unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership, you may want to
+# restrict this too.
+#unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control, then you may want to relax this too.
+#unix_sock_rw_perms = "0770"
+
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
+# Set the name of the directory in which sockets will be found/created.
+#unix_sock_dir = "/var/run/libvirt"
+
+
+
+#################################################################
+#
+# Authentication.
+#
+#  - none: do not perform auth checks. If you can connect to the
+#          socket you are allowed. This is suitable if there are
+#          restrictions on connecting to the socket (eg, UNIX
+#          socket permissions), or if there is a lower layer in
+#          the network providing auth (eg, TLS/x509 certificates)
+#
+#  - sasl: use SASL infrastructure. The actual auth scheme is then
+#          controlled from /etc/sasl2/libvirt.conf. For the TCP
+#          socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+#          For non-TCP or TLS sockets, any scheme is allowed.
+#
+#  - polkit: use PolicyKit to authenticate. This is only suitable
+#            for use on the UNIX sockets. The default policy will
+#            require a user to supply their own password to gain
+#            full read/write access (aka sudo like), while anyone
+#            is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+auth_unix_ro = "none"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+auth_unix_rw = "none"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+#auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+#auth_tls = "none"
+
+
+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with libvirtd
+#
+#access_drivers = [ "polkit" ]
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+# Use of TLS requires that x509 certificates be issued. The default locations
+# for the certificate files is as follows:
+#
+#   /etc/pki/CA/cacert.pem                 - The CA master certificate
+#   /etc/pki/libvirt/servercert.pem        - The server certificate signed with
+#                                            the cacert.pem
+#   /etc/pki/libvirt/private/serverkey.pem - The server private key
+#
+# It is possible to override the default locations by altering the 'key_file',
+# 'cert_file', and 'ca_file' values and uncommenting them below.
+#
+# NB, overriding the default of one location requires uncommenting and
+# possibly additionally overriding the other settings.
+#
+
+# Override the default server key file path
+#
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+#ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+#crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of our own server certificates
+#
+# When libvirtd starts it performs some sanity checks against
+# its own certificates.
+#
+# Default is to always run sanity checks. Uncommenting this
+# will disable sanity checks which is not a good idea
+#tls_no_sanity_certificate = 1
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+#tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+#    "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+#tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# A whitelist of allowed SASL usernames. The format for username
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+#    "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 5000
+
+# The maximum length of queue of connections waiting to be
+# accepted by the daemon. Note, that some protocols supporting
+# retransmission may obey this so that a later reattempt at
+# connection succeeds.
+#max_queued_clients = 1000
+
+# The maximum length of queue of accepted but not yet
+# authenticated clients. The default value is 20. Set this to
+# zero to turn this feature off.
+#max_anonymous_clients = 20
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, up to max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
+
+# The number of priority workers. If all workers from above
+# pool are stuck, some calls marked as high priority
+# (notably domainDestroy) can be executed in this pool.
+#prio_workers = 5
+
+# Limit on concurrent requests from a single client
+# connection. To avoid one client monopolizing the server
+# this should be a small fraction of the global max_workers
+# parameter.
+#max_client_requests = 5
+
+# Same processing controls, but this time for the admin interface.
+# For description of each option, be so kind to scroll few lines
+# upwards.
+
+#admin_min_workers = 1
+#admin_max_workers = 5
+#admin_max_clients = 5
+#admin_max_queued_clients = 5
+#admin_max_client_requests = 5
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#
+# WARNING: It outputs too much information to practically read.
+# WARNING: The "log_filters" setting is recommended instead.
+#
+# WARNING: Journald applies rate limiting of messages and so libvirt
+# WARNING: will limit "log_level" to only allow values 3 or 4 if
+# WARNING: journald is the current output.
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs. The format for a filter is one of:
+#
+#    level:match
+#    level:+match
+#
+# where 'match' is a string which is matched against the category
+# given in the VIR_LOG_INIT() at the top of each libvirt source
+# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
+# filter matches using shell wildcard syntax (see 'man glob(7)').
+# The 'match' is always treated as a substring match. IOW a match
+# string 'foo' is equivalent to '*foo*'.
+#
+# If 'match' contains the optional "+" prefix, it tells libvirt
+# to log stack trace for each message matching name.
+#
+# 'level' is the minimal level where matching messages should
+#  be logged:
+#
+#    1: DEBUG
+#    2: INFO
+#    3: WARNING
+#    4: ERROR
+#
+# Multiple filters can be defined in a single @log_filters, they just need
+# to be separated by spaces. Note that libvirt performs "first" match, i.e.
+# if there are concurrent filters, the first one that matches will be applied,
+# given the order in @log_filters.
+#
+# A typical need is to capture information from a hypervisor driver,
+# public API entrypoints and some of the utility code. Some utility
+# code is very verbose and is generally not desired. Taking the QEMU
+# hypervisor as an example, a suitable filter string for debugging
+# might be to turn off object, json & event logging, but enable the
+# rest of the util code:
+#
+#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+#    level:stderr
+#      output goes to stderr
+#    level:syslog:name
+#      use syslog for the output and use the given name as the ident
+#    level:file:file_path
+#      output to a file, with the given filepath
+#    level:journald
+#      output to journald logging system
+# In all cases 'level' is the minimal priority, acting as a filter
+#    1: DEBUG
+#    2: INFO
+#    3: WARNING
+#    4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the libvirtd ident:
+#log_outputs="3:syslog:libvirtd"
+#
+
+
+##################################################################
+#
+# Auditing
+#
+# This setting allows usage of the auditing subsystem to be altered:
+#
+#   audit_level == 0  -> disable all auditing
+#   audit_level == 1  -> enable auditing, only if enabled on host (default)
+#   audit_level == 2  -> enable auditing, and exit if disabled on host
+#
+#audit_level = 2
+#
+# If set to 1, then audit messages will also be sent
+# via libvirt logging infrastructure. Defaults to 0
+#
+#audit_logging = 1
+
+###################################################################
+# UUID of the host:
+# Host UUID is read from one of the sources specified in host_uuid_source.
+#
+# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
+# - 'machine-id': fetch the UUID from /etc/machine-id
+#
+# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
+# a valid UUID a temporary UUID will be generated.
+#
+# Another option is to specify host UUID in host_uuid.
+#
+# Keep the format of the example UUID below. UUID must not have all digits
+# be the same.
+
+# NB This default all-zeros UUID will not work. Replace
+# it with the output of the 'uuidgen' command and then
+# uncomment this entry
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+#host_uuid_source = "smbios"
+
+###################################################################
+# Keepalive protocol:
+# This allows libvirtd to detect broken client connections or even
+# dead clients.  A keepalive message is sent to a client after
+# keepalive_interval seconds of inactivity to check if the client is
+# still responding; keepalive_count is a maximum number of keepalive
+# messages that are allowed to be sent to the client without getting
+# any response before the connection is considered broken.  In other
+# words, the connection is automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the client.  If keepalive_interval is set to
+# -1, libvirtd will never send keepalive requests; however clients
+# can still send them and the daemon will send responses.  When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+#
+# These configuration options are no longer used.  There is no way to
+# restrict such clients from connecting since they first need to
+# connect in order to ask for keepalive.
+#
+#keepalive_required = 1
+#admin_keepalive_required = 1
+
+# Keepalive settings for the admin interface
+#admin_keepalive_interval = 5
+#admin_keepalive_count = 5
+
+###################################################################
+# Open vSwitch:
+# This allows to specify a timeout for openvswitch calls made by
+# libvirt. The ovs-vsctl utility is used for the configuration and
+# its timeout option is set by default to 5 seconds to avoid
+# potential infinite waits blocking libvirt.
+#
+#ovs_timeout = 5

virt/opennebula-5.10-kvm-node/files/original/libvirtd.conf

@@ -0,0 +1,493 @@
+# Master libvirt daemon configuration file
+#
+# For further information consult https://libvirt.org/format.html
+#
+# NOTE: the tests/daemon-conf regression test script requires
+# that each "PARAMETER = VALUE" line in this file have the parameter
+# name just after a leading "#".
+
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+#listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+#listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+#tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+#tcp_port = "16509"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+# If the libvirtd service is started in parallel with network
+# startup (e.g. with systemd), binding to addresses other than
+# the wildcards (0.0.0.0/::) might not be available yet.
+#
+#listen_addr = "192.168.0.1"
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is disabled by default, uncomment this to enable it
+#mdns_adv = 1
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is substituted for the short hostname of the machine (without domain)
+#
+#mdns_name = "Virtualization Host Joe Demo"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+#unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership, you may want to
+# restrict this too.
+#unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control, then you may want to relax this too.
+#unix_sock_rw_perms = "0770"
+
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
+# Set the name of the directory in which sockets will be found/created.
+#unix_sock_dir = "/var/run/libvirt"
+
+
+
+#################################################################
+#
+# Authentication.
+#
+#  - none: do not perform auth checks. If you can connect to the
+#          socket you are allowed. This is suitable if there are
+#          restrictions on connecting to the socket (eg, UNIX
+#          socket permissions), or if there is a lower layer in
+#          the network providing auth (eg, TLS/x509 certificates)
+#
+#  - sasl: use SASL infrastructure. The actual auth scheme is then
+#          controlled from /etc/sasl2/libvirt.conf. For the TCP
+#          socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+#          For non-TCP or TLS sockets, any scheme is allowed.
+#
+#  - polkit: use PolicyKit to authenticate. This is only suitable
+#            for use on the UNIX sockets. The default policy will
+#            require a user to supply their own password to gain
+#            full read/write access (aka sudo like), while anyone
+#            is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+#auth_unix_ro = "none"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+#auth_unix_rw = "none"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+#auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+#auth_tls = "none"
+
+
+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with libvirtd
+#
+#access_drivers = [ "polkit" ]
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+# Use of TLS requires that x509 certificates be issued. The default locations
+# for the certificate files is as follows:
+#
+#   /etc/pki/CA/cacert.pem                 - The CA master certificate
+#   /etc/pki/libvirt/servercert.pem        - The server certificate signed with
+#                                            the cacert.pem
+#   /etc/pki/libvirt/private/serverkey.pem - The server private key
+#
+# It is possible to override the default locations by altering the 'key_file',
+# 'cert_file', and 'ca_file' values and uncommenting them below.
+#
+# NB, overriding the default of one location requires uncommenting and
+# possibly additionally overriding the other settings.
+#
+
+# Override the default server key file path
+#
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+#ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+#crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of our own server certificates
+#
+# When libvirtd starts it performs some sanity checks against
+# its own certificates.
+#
+# Default is to always run sanity checks. Uncommenting this
+# will disable sanity checks which is not a good idea
+#tls_no_sanity_certificate = 1
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+#tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+#    "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+#tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# A whitelist of allowed SASL usernames. The format for username
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+#    "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 5000
+
+# The maximum length of queue of connections waiting to be
+# accepted by the daemon. Note, that some protocols supporting
+# retransmission may obey this so that a later reattempt at
+# connection succeeds.
+#max_queued_clients = 1000
+
+# The maximum length of queue of accepted but not yet
+# authenticated clients. The default value is 20. Set this to
+# zero to turn this feature off.
+#max_anonymous_clients = 20
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, up to max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
+
+# The number of priority workers. If all workers from above
+# pool are stuck, some calls marked as high priority
+# (notably domainDestroy) can be executed in this pool.
+#prio_workers = 5
+
+# Limit on concurrent requests from a single client
+# connection. To avoid one client monopolizing the server
+# this should be a small fraction of the global max_workers
+# parameter.
+#max_client_requests = 5
+
+# Same processing controls, but this time for the admin interface.
+# For description of each option, be so kind to scroll few lines
+# upwards.
+
+#admin_min_workers = 1
+#admin_max_workers = 5
+#admin_max_clients = 5
+#admin_max_queued_clients = 5
+#admin_max_client_requests = 5
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#
+# WARNING: It outputs too much information to practically read.
+# WARNING: The "log_filters" setting is recommended instead.
+#
+# WARNING: Journald applies rate limiting of messages and so libvirt
+# WARNING: will limit "log_level" to only allow values 3 or 4 if
+# WARNING: journald is the current output.
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs. The format for a filter is one of:
+#
+#    level:match
+#    level:+match
+#
+# where 'match' is a string which is matched against the category
+# given in the VIR_LOG_INIT() at the top of each libvirt source
+# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
+# filter matches using shell wildcard syntax (see 'man glob(7)').
+# The 'match' is always treated as a substring match. IOW a match
+# string 'foo' is equivalent to '*foo*'.
+#
+# If 'match' contains the optional "+" prefix, it tells libvirt
+# to log stack trace for each message matching name.
+#
+# 'level' is the minimal level where matching messages should
+#  be logged:
+#
+#    1: DEBUG
+#    2: INFO
+#    3: WARNING
+#    4: ERROR
+#
+# Multiple filters can be defined in a single @log_filters, they just need
+# to be separated by spaces. Note that libvirt performs "first" match, i.e.
+# if there are concurrent filters, the first one that matches will be applied,
+# given the order in @log_filters.
+#
+# A typical need is to capture information from a hypervisor driver,
+# public API entrypoints and some of the utility code. Some utility
+# code is very verbose and is generally not desired. Taking the QEMU
+# hypervisor as an example, a suitable filter string for debugging
+# might be to turn off object, json & event logging, but enable the
+# rest of the util code:
+#
+#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+#    level:stderr
+#      output goes to stderr
+#    level:syslog:name
+#      use syslog for the output and use the given name as the ident
+#    level:file:file_path
+#      output to a file, with the given filepath
+#    level:journald
+#      output to journald logging system
+# In all cases 'level' is the minimal priority, acting as a filter
+#    1: DEBUG
+#    2: INFO
+#    3: WARNING
+#    4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the libvirtd ident:
+#log_outputs="3:syslog:libvirtd"
+#
+
+
+##################################################################
+#
+# Auditing
+#
+# This setting allows usage of the auditing subsystem to be altered:
+#
+#   audit_level == 0  -> disable all auditing
+#   audit_level == 1  -> enable auditing, only if enabled on host (default)
+#   audit_level == 2  -> enable auditing, and exit if disabled on host
+#
+#audit_level = 2
+#
+# If set to 1, then audit messages will also be sent
+# via libvirt logging infrastructure. Defaults to 0
+#
+#audit_logging = 1
+
+###################################################################
+# UUID of the host:
+# Host UUID is read from one of the sources specified in host_uuid_source.
+#
+# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
+# - 'machine-id': fetch the UUID from /etc/machine-id
+#
+# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
+# a valid UUID a temporary UUID will be generated.
+#
+# Another option is to specify host UUID in host_uuid.
+#
+# Keep the format of the example UUID below. UUID must not have all digits
+# be the same.
+
+# NB This default all-zeros UUID will not work. Replace
+# it with the output of the 'uuidgen' command and then
+# uncomment this entry
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+#host_uuid_source = "smbios"
+
+###################################################################
+# Keepalive protocol:
+# This allows libvirtd to detect broken client connections or even
+# dead clients.  A keepalive message is sent to a client after
+# keepalive_interval seconds of inactivity to check if the client is
+# still responding; keepalive_count is a maximum number of keepalive
+# messages that are allowed to be sent to the client without getting
+# any response before the connection is considered broken.  In other
+# words, the connection is automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the client.  If keepalive_interval is set to
+# -1, libvirtd will never send keepalive requests; however clients
+# can still send them and the daemon will send responses.  When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+#
+# These configuration options are no longer used.  There is no way to
+# restrict such clients from connecting since they first need to
+# connect in order to ask for keepalive.
+#
+#keepalive_required = 1
+#admin_keepalive_required = 1
+
+# Keepalive settings for the admin interface
+#admin_keepalive_interval = 5
+#admin_keepalive_count = 5
+
+###################################################################
+# Open vSwitch:
+# This allows to specify a timeout for openvswitch calls made by
+# libvirt. The ovs-vsctl utility is used for the configuration and
+# its timeout option is set by default to 5 seconds to avoid
+# potential infinite waits blocking libvirt.
+#
+#ovs_timeout = 5

virt/opennebula-5.10-kvm-node/files/ssh.config

@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null

virt/opennebula-5.10-kvm-node/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart libvirtd
+  service: name=libvirtd state=restarted

virt/opennebula-5.10-kvm-node/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Adding Debian 9 OpenNebula GPG key
+  apt_key: url='https://downloads.opennebula.org/repo/repo.key' state=present
+  when: ansible_os_family == "Debian"
+
+- name: Adding Debian 9 OpenNebula repository
+  apt_repository: repo='deb https://downloads.opennebula.org/repo/5.10/Debian/9 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+- name: Adding Debian 10 OpenNebula repository
+  apt_repository: repo='deb https://downloads.opennebula.org/repo/5.10/Debian/10 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+# Install OpenNebula
+- name: Installing OpenNebula controller applications
+  apt:
+    update_cache: yes
+    state: present
+    name: opennebula-node
+  notify: restart libvirtd
+
+# Copy /etc/libvirt/libvirt.conf to bypass polkit socker permissions
+- name: Copying libvirtd.conf
+  copy:
+    src: 'files/libvirtd.conf'
+    dest: '/etc/libvirt/libvirtd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: 0644
+  notify: restart libvirtd
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+  copy:
+    src: 'files/ssh.config'
+    dest: '/var/lib/one/.ssh/config'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0644

virt/opennebula-5.4-controller/files/backups/opennebula-5.4.1-fresh-install-db.txt

@@ -0,0 +1,8 @@
+This opennebula-5.4.1-fresh-install-db file is a dump right after opennebula was installed.
+A fresh install using ansible exactly as described in the documentation
+I did however, visit sunstone and login as oneadmin just once.  I did nothing in the GUI, just logged in.
+Perhaps login identifies an empty db and stubs it out.  Or it was stubbed upon initial installation
+
+If resetting opennebula to fresh install is as simple as a fresh created db, then this file is it.
+But I am not sure if that is all it takes.  Could have stuff elsewhere.  To reset, you can also use the root
+LVM snapshot created on the controller node, then re-run ansible!

virt/opennebula-5.4-controller/files/mariadb/50-server.cnf

@@ -0,0 +1,138 @@
+#
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+#
+# See the examples of server my.cnf files in /usr/share/mysql/
+#
+
+# this is read by the standalone daemon and embedded servers
+[server]
+
+# this is only for the mysqld standalone daemon
+[mysqld]
+
+#
+# * Basic Settings
+#
+user		= mysql
+pid-file	= /var/run/mysqld/mysqld.pid
+socket		= /var/run/mysqld/mysqld.sock
+port		= 3306
+basedir		= /usr
+datadir		= /var/lib/mysql
+tmpdir		= /tmp
+lc-messages-dir	= /usr/share/mysql
+skip-external-locking
+
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+#bind-address		= 127.0.0.1
+
+#
+# * Fine Tuning
+#
+key_buffer_size		= 16M
+max_allowed_packet	= 16M
+thread_stack		= 192K
+thread_cache_size       = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam_recover_options  = BACKUP
+#max_connections        = 100
+#table_cache            = 64
+#thread_concurrency     = 10
+
+#
+# * Query Cache Configuration
+#
+query_cache_limit	= 1M
+query_cache_size = 16M
+
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file        = /var/log/mysql/mysql.log
+#general_log             = 1
+#
+# Error log - should be very few entries.
+#
+log_error = /var/log/mysql/error.log
+#
+# Enable the slow query log to see queries with especially long duration
+#slow_query_log_file	= /var/log/mysql/mariadb-slow.log
+#long_query_time = 10
+#log_slow_rate_limit	= 1000
+#log_slow_verbosity	= query_plan
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+#       other settings you may need to change.
+#server-id		= 1
+#log_bin			= /var/log/mysql/mysql-bin.log
+expire_logs_days	= 10
+max_binlog_size   = 100M
+#binlog_do_db		= include_database_name
+#binlog_ignore_db	= exclude_database_name
+
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+
+innodb_buffer_pool_size = 1G
+innodb_flush_log_at_trx_commit = 2
+
+
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates you can use for example the GUI tool "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+#
+# Accept only connections using the latest and most secure TLS protocol version.
+# ..when MariaDB is compiled with OpenSSL:
+# ssl-cipher=TLSv1.2
+# ..when MariaDB is compiled with YaSSL (default in Debian):
+# ssl=on
+
+#
+# * Character sets
+#
+# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
+# utf8 4-byte character set. See also client.cnf
+#
+character-set-server  = utf8mb4
+collation-server      = utf8mb4_general_ci
+
+#
+# * Unix socket authentication plugin is built-in since 10.0.22-6
+#
+# Needed so the root database user can authenticate without a password but
+# only when running as the unix root user.
+#
+# Also available for other users if required.
+# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
+
+# this is only for embedded server
+[embedded]
+
+# This group is only read by MariaDB servers, not by MySQL.
+# If you use the same .cnf file for MySQL and MariaDB,
+# you can put MariaDB-only options here
+[mariadb]
+
+# This group is only read by MariaDB-10.1 servers.
+# If you use the same .cnf file for MariaDB of different versions,
+# use this group for options that older servers don't understand
+[mariadb-10.1]

virt/opennebula-5.4-controller/files/mariadb/original-debian9-mariadb-10.1.26--50-server.cnf

@@ -0,0 +1,134 @@
+#
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+#
+# See the examples of server my.cnf files in /usr/share/mysql/
+#
+
+# this is read by the standalone daemon and embedded servers
+[server]
+
+# this is only for the mysqld standalone daemon
+[mysqld]
+
+#
+# * Basic Settings
+#
+user		= mysql
+pid-file	= /var/run/mysqld/mysqld.pid
+socket		= /var/run/mysqld/mysqld.sock
+port		= 3306
+basedir		= /usr
+datadir		= /var/lib/mysql
+tmpdir		= /tmp
+lc-messages-dir	= /usr/share/mysql
+skip-external-locking
+
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address		= 127.0.0.1
+
+#
+# * Fine Tuning
+#
+key_buffer_size		= 16M
+max_allowed_packet	= 16M
+thread_stack		= 192K
+thread_cache_size       = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+myisam_recover_options  = BACKUP
+#max_connections        = 100
+#table_cache            = 64
+#thread_concurrency     = 10
+
+#
+# * Query Cache Configuration
+#
+query_cache_limit	= 1M
+query_cache_size        = 16M
+
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file        = /var/log/mysql/mysql.log
+#general_log             = 1
+#
+# Error log - should be very few entries.
+#
+log_error = /var/log/mysql/error.log
+#
+# Enable the slow query log to see queries with especially long duration
+#slow_query_log_file	= /var/log/mysql/mariadb-slow.log
+#long_query_time = 10
+#log_slow_rate_limit	= 1000
+#log_slow_verbosity	= query_plan
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+#       other settings you may need to change.
+#server-id		= 1
+#log_bin			= /var/log/mysql/mysql-bin.log
+expire_logs_days	= 10
+max_binlog_size   = 100M
+#binlog_do_db		= include_database_name
+#binlog_ignore_db	= exclude_database_name
+
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates you can use for example the GUI tool "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+#
+# Accept only connections using the latest and most secure TLS protocol version.
+# ..when MariaDB is compiled with OpenSSL:
+# ssl-cipher=TLSv1.2
+# ..when MariaDB is compiled with YaSSL (default in Debian):
+# ssl=on
+
+#
+# * Character sets
+#
+# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
+# utf8 4-byte character set. See also client.cnf
+#
+character-set-server  = utf8mb4
+collation-server      = utf8mb4_general_ci
+
+#
+# * Unix socket authentication plugin is built-in since 10.0.22-6
+#
+# Needed so the root database user can authenticate without a password but
+# only when running as the unix root user.
+#
+# Also available for other users if required.
+# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
+
+# this is only for embedded server
+[embedded]
+
+# This group is only read by MariaDB servers, not by MySQL.
+# If you use the same .cnf file for MySQL and MariaDB,
+# you can put MariaDB-only options here
+[mariadb]
+
+# This group is only read by MariaDB-10.1 servers.
+# If you use the same .cnf file for MariaDB of different versions,
+# use this group for options that older servers don't understand
+[mariadb-10.1]

virt/opennebula-5.4-controller/files/ssh.config

@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null

virt/opennebula-5.4-controller/files/sunstone/custom.css

@@ -0,0 +1,151 @@
+/*
+.primary-color {
+  color: #4DBBD3;
+}
+.secondary-color {
+  color: #8a8a8a;
+}
+.success-color {
+  color: #3adb76;
+}
+.warning-color {
+  color: #ffae00;
+}
+.alert-color {
+  color: #ec5840;
+}*/
+
+/*-----APP----*/
+
+body{
+	padding:0;margin:0;
+	font-family:"Lato","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif;
+	font-weight:300;
+	line-height:1.5;
+	color:#0a0a0a;
+	background:#fefefe;
+}
+
+h1,
+h2,
+h3,
+h4,
+h5,
+h6 {
+  font-weight: bold;
+  color: #555;
+}
+
+.thin-font {
+  color: #333;
+}
+
+label.secondary.is-invalid-label {
+  background-color: #ec5840;
+}
+
+.log-tab {
+  background: #6f6f6f;
+  color: #f2f2f2;
+}
+
+fieldset legend {
+    border-bottom: .1538461538rem solid #4DBBD3;
+    color: #555;
+}
+
+
+/*----BUTTONS----*/
+.button {
+    font-weight: bold;
+    margin-right: 0.2rem;
+    box-shadow: 0 2px 5px 1px rgba(0,0,0,0.1);
+    font-size: 1rem;
+    background-color: #4DBBD3;
+    color: #fefefe;
+}
+.button.secondary {
+    background-color: #8a8a8a;
+    color: #fefefe;
+}
+.button.success {
+    background-color: #3adb76;
+    color: #fefefe;
+}
+.button.alert {
+    background-color: #ec5840;
+    color: #fefefe;
+}
+
+/*----MENU----*/
+
+#menu-wrapper {
+  border: 1px solid #dfdfdf;
+  background: #f8f8f8;
+}
+
+#menu #li_support-tab a {
+    border: 1px solid #dfdfdf;
+    background: #fff;
+}
+
+/*----LAYOUT---*/
+
+#footer {
+  font-size: 0.8rem;
+  color:#8a8a8a;
+}
+
+#footer a{
+    color: #8a8a8a;
+}
+
+.provision-logo img {
+    height: 3rem;
+}
+
+/* mReschke */
+.row {
+	max-width: 100%;
+}
+
+#top-row .user-zone-info a{
+	font-weight:bold;
+	color:#555;
+}
+#top-row .user-zone-info .submenu a{
+	color:#8a8a8a;
+}
+#top-row .user-zone-info .submenu a:hover{
+	color:#0a0a0a;
+}
+
+.labels-tree li .labeltree-line{
+	color:#8a8a8a;
+}
+.labels-tree li .labeltree-line:hover{
+	color:#0a0a0a;
+}
+.labels-tree li .labeltree-line .active{
+	color:#333;
+	font-weight:bold;
+}
+.labels-tree .tree-toggle:hover{
+	color:#0a0a0a;
+}
+
+/*----TABLE----*/
+
+table tbody{
+	border-top:1px solid #f4f4f4;
+	/*color: #fff;
+	background: #4DBBD3;*/
+	border-bottom:1px solid #f4f4f4;
+}
+table thead th{
+	color:#555;
+}
+table .markrow,table .markrowchecked{
+	background-color:#f4f4f4;
+	font-weight:normal;
+}

virt/opennebula-5.4-controller/files/sunstone/original--custom.css

@@ -0,0 +1,146 @@
+/*
+.primary-color {
+  color: #4DBBD3;
+}
+.secondary-color {
+  color: #8a8a8a;
+}
+.success-color {
+  color: #3adb76;
+}
+.warning-color {
+  color: #ffae00;
+}
+.alert-color {
+  color: #ec5840;
+}*/
+
+/*-----APP----*/
+
+body{
+	padding:0;margin:0;
+	font-family:"Lato","Helvetica Neue",Helvetica,Roboto,Arial,sans-serif;
+	font-weight:300;
+	line-height:1.5;
+	color:#0a0a0a;
+	background:#fefefe;
+}
+
+h1,
+h2,
+h3,
+h4,
+h5,
+h6 {
+  font-weight: bold;
+  color: #555;
+}
+
+.thin-font {
+  color: #333;
+}
+
+label.secondary.is-invalid-label {
+  background-color: #ec5840;
+}
+
+.log-tab {
+  background: #6f6f6f;
+  color: #f2f2f2;
+}
+
+fieldset legend {
+    border-bottom: .1538461538rem solid #4DBBD3;
+    color: #555;
+}
+
+
+/*----BUTTONS----*/
+.button {
+    font-weight: bold;
+    margin-right: 0.2rem;
+    box-shadow: 0 2px 5px 1px rgba(0,0,0,0.1);
+    font-size: 1rem;
+    background-color: #4DBBD3;
+    color: #fefefe;
+}
+.button.secondary {
+    background-color: #8a8a8a;
+    color: #fefefe;
+}
+.button.success {
+    background-color: #3adb76;
+    color: #fefefe;
+}
+.button.alert {
+    background-color: #ec5840;
+    color: #fefefe;
+}
+
+/*----MENU----*/
+
+#menu-wrapper {
+  border: 1px solid #dfdfdf;
+  background: #f8f8f8;
+}
+
+#menu #li_support-tab a {
+    border: 1px solid #dfdfdf;
+    background: #fff;
+}
+
+/*----LAYOUT---*/
+
+#footer {
+  font-size: 0.8rem;
+  color:#8a8a8a;
+}
+
+#footer a{
+    color: #8a8a8a;
+}
+
+.provision-logo img {
+    height: 3rem;
+}
+
+#top-row .user-zone-info a{
+	font-weight:bold;
+	color:#555;
+}
+#top-row .user-zone-info .submenu a{
+	color:#8a8a8a;
+}
+#top-row .user-zone-info .submenu a:hover{
+	color:#0a0a0a;
+}
+
+.labels-tree li .labeltree-line{
+	color:#8a8a8a;
+}
+.labels-tree li .labeltree-line:hover{
+	color:#0a0a0a;
+}
+.labels-tree li .labeltree-line .active{
+	color:#333;
+	font-weight:bold;
+}
+.labels-tree .tree-toggle:hover{
+	color:#0a0a0a;
+}
+
+/*----TABLE----*/
+
+table tbody{
+	border-top:1px solid #f4f4f4;
+	/*color: #fff;
+	background: #4DBBD3;*/
+	border-bottom:1px solid #f4f4f4;
+}
+table thead th{
+	color:#555;
+}
+table .markrow,table .markrowchecked{
+	background-color:#f4f4f4;
+	font-weight:normal;
+}

virt/opennebula-5.4-controller/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+- name: restart mariadb
+  service: name=mariadb state=restarted
+
+- name: restart redis
+  service: name=redis-server state=restarted
+
+- name: restart opennebula
+  service: name=opennebula state=restarted
+
+- name: restart sunstone
+  service: name=opennebula-sunstone state=restarted

virt/opennebula-5.4-controller/tasks/configure-mariadb.yml

@@ -0,0 +1,38 @@
+---
+# Copy MariaDBs server config file
+- name: Writing /etc/mysql/mariadb.conf.d/50-server.cnf
+  template:
+    src: "files/mariadb/50-server.cnf"
+    dest: "/etc/mysql/mariadb.conf.d/50-server.cnf"
+    owner: root
+    group: root
+    mode: 0644 #-rw-r--r--
+  notify: restart mariadb # Only runs if file changed!
+
+# Set MySQL options defined in OpenNebula docs
+- name: Configuring MySQL isolation level for OpenNebula
+  command: mysql -e "SET GLOBAL TRANSACTION ISOLATION LEVEL READ COMMITTED;"
+
+# Create the opennebula MySQL database
+- name: Creating the OpenNebula database
+  mysql_db:
+    name: opennebula
+    state: present
+
+# Create oneadmin MySQL user
+- name: Creating MySQL oneadmin user
+  mysql_user:
+    name: oneadmin
+    host: localhost # This is local user, you cannot access MySQL on this user remotely (not '%' login), this is good
+    password: '{{ oneadmin_password }}'
+    priv: 'opennebula.*:ALL'
+    state: present # Verified if you change the PW and re-run, it DOES change properly!
+
+# Create MySQL accounts for employee mreschke
+- name: Creating MySQL account for mreschke
+  mysql_user:
+    name: mreschke
+    host: '%'
+    password: '{{ mreschke_password }}'
+    priv: '*.*:ALL'
+    state: present

virt/opennebula-5.4-controller/tasks/configure-redis.yml

@@ -0,0 +1,10 @@
+---
+# Copy Redis server config file
+- name: Writing /etc/redis/redis.conf
+  copy:
+    src: "files/redis/redis.conf"
+    dest: "/etc/redis/redis.conf"
+    owner: root
+    group: root
+    mode: 0644 # -rw-r--r--
+  notify: restart redis # Only runs if file changed!

virt/opennebula-5.4-controller/tasks/configure.yml

@@ -0,0 +1,74 @@
+---
+# Configure mariadb and redis
+- include_tasks: configure-mariadb.yml
+- include_tasks: configure-redis.yml
+
+# Configure OpenNebula /etc/one/oned.conf
+- name: Writing /etc/one/oned.conf configuration
+  template:
+    src: "files/oned.conf"
+    dest: "/etc/one/oned.conf"
+    owner: root
+    group: root
+    mode: 0644 #-rw-r--r--
+  notify: restart opennebula
+
+# Override sunstone CSS
+- name: Writing custom sunstone css file
+  copy:
+    src: 'files/sunstone/custom.css'
+    dest: '/usr/lib/one/sunstone/public/css/custom.css'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0644
+  notify: restart sunstone
+
+# Set oneadmin password (not linux password, but OpenNebula software password)
+- lineinfile:
+    path: /var/lib/one/.one/one_auth
+    regexp: '^oneadmin:'
+    line: 'oneadmin:{{ oneadmin_password }}'
+  notify: restart opennebula
+
+# Installing OpenNebula automatically creates user oneadmin ID 9869
+# We just need to set the [linux user] password here
+- name: Setting oneadmin linux password
+  user:
+    name: 'oneadmin'
+    password: '{{ oneadmin_linux_password }}'
+    update_password: always
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+  copy:
+    src: 'files/ssh.config'
+    dest: '/var/lib/one/.ssh/config'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0644
+
+# Authorize oneadmin user to SSH into itself
+- name: Authorizing SSH keys for oneadmin
+  authorized_key:
+    user: 'oneadmin'
+    key: '{{ item }}'
+  with_file:
+    - '../../users/keys/oneadmin.key.pub'
+
+# Create oneadmin public key
+- name: Copying oneadmin SSH public key
+  copy:
+    src: '../../users/keys/oneadmin.key.pub'
+    dest: '/var/lib/one/.ssh/id_rsa.pub'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0644
+
+# Create oneadmin private key
+- name: Copying oneadmin SSH private key
+  copy:
+    src: '../../../vault/oneadmin.key'
+    dest: '/var/lib/one/.ssh/id_rsa'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0600

virt/opennebula-5.4-controller/tasks/install.yml

@@ -0,0 +1,24 @@
+---
+- name: Adding Debian 9 OpenNebula GPG key
+  apt_key: url='https://downloads.opennebula.org/repo/repo.key' state=present
+  #when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+- name: Adding Debian 9 OpenNebula repository
+  apt_repository: repo='deb https://downloads.opennebula.org/repo/5.4/Debian/9 stable opennebula' state=present
+  #when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+# Install OpenNebula
+- name: Installing OpenNebula controller applications
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - opennebula
+      - opennebula-sunstone
+      - opennebula-gate
+      - opennebula-flow
+
+# Install OpenNebula ruby gem dependencies (ONE TIME)
+- name: Installing OpenNebula ruby gem dependencies
+  command: '/usr/share/one/install_gems --yes'
+  run_once: true

virt/opennebula-5.4-controller/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+# Install and Configure OpenNebula and Mysql
+- include_tasks: install.yml
+- include_tasks: configure.yml
+
+# Ensure opennebula service is running
+- name: Starting OpenNebula Service
+  service:
+    name: opennebula
+    state: started
+
+# Ensure opennebula-sunstone service is running
+- name: Starting OpenNebula Sunstone Service
+  service:
+    name: opennebula-sunstone
+    state: started

virt/opennebula-5.4-controller/tasks/user.yml

@@ -0,0 +1,44 @@
+---
+#OBSOLETE, you can delete when ready, afte review
+# but this is done in /controller.yml as part of role: users now
+
+# Create oneadmin group
+- name: Creating group oneadmin
+  group:
+    name: 'oneadmin'
+
+# Create oneadmin user
+- name: Create user oneadmin
+  user:
+    name: 'oneadmin'
+    comment: 'oneadmin'
+    group: 'oneadmin'
+    groups: [oneadmin,disk]
+    password: '{{ oneadmin_password }}'
+    shell: /bin/bash
+
+# Set oneadmin SSH keys
+- name: Copying oneadmin SSH public key
+  copy:
+    src: oneadmin.key.pub
+    dest: /var/lib/one/.ssh/id_rsa.pub
+    owner: oneadmin
+    group: oneadmin
+    mode: 0644
+
+- name: Copying oneadmin SSH private key
+  copy:
+    src: ../../../vault/oneadmin.key
+    dest: /var/lib/one/.ssh/id_rsa
+    owner: oneadmin
+    group: oneadmin
+    mode: 0600
+
+# Authorize oneadmin to SSH to self
+- name: Authorizing oneadmin SSH keys
+  authorized_key:
+    user: 'oneadmin'
+    key: '{{ item }}'
+    exclusive: true
+  with_file:
+    - 'files/oneadmin.key.pub'

virt/opennebula-5.4-kvm-node/files/bin/cron-root-daily-12am.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+bin=/usr/local/bin
+
+################################################################################
+# Touch for cron log
+touch /tmp/cron-root-daily-12am.begin.alive
+################################################################################
+
+
+
+# Restart libvirtd
+/etc/init.d/libvirtd restart
+
+
+
+################################################################################
+# Touch for cron log
+touch /tmp/cron-root-daily-12am.end.alive
+################################################################################

virt/opennebula-5.4-kvm-node/files/libvirt.conf

@@ -0,0 +1,28 @@
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters  a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+#  "hail=qemu+ssh://root@hail.cloud.example.com/system",
+#  "sleet=qemu+ssh://root@sleet.cloud.example.com/system",
+#]
+
+#
+# These can be used in cases when no URI is supplied by the application
+# (@uri_default also prevents probing of the hypervisor driver).
+#
+#uri_default = "qemu:///system"
+
+# Disable Policy Kit
+# See https://forum.opennebula.org/t/polkitd-traps-general-protection-ip-in-libmozjs-17-0-so/399/3
+# See https://docs.opennebula.org/5.4/intro_release_notes/release_notes/platform_notes.html#disable-policykit-for-libvirt
+# mReschke 2018-03-28
+auth_unix_ro = "none"
+auth_unix_rw = "none"
+unix_sock_group = "oneadmin"
+unix_sock_ro_perms = "0770"
+unix_sock_rw_perms = "0770"

virt/opennebula-5.4-kvm-node/files/original-debian9-3.0.0--libvirt.conf

@@ -0,0 +1,18 @@
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters  a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+#  "hail=qemu+ssh://root@hail.cloud.example.com/system",
+#  "sleet=qemu+ssh://root@sleet.cloud.example.com/system",
+#]
+
+#
+# These can be used in cases when no URI is supplied by the application
+# (@uri_default also prevents probing of the hypervisor driver).
+#
+#uri_default = "qemu:///system"

virt/opennebula-5.4-kvm-node/files/ssh.config

@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null

virt/opennebula-5.4-kvm-node/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart libvirtd
+  service: name=libvirtd state=restarted

virt/opennebula-5.4-kvm-node/tasks/configure.yml

@@ -0,0 +1,98 @@
+---
+# Create 256G datastore LVM for .img or .qcow2 filese.  Other large VMs (databases) will use RAW LVM partitions!
+- name: LVM create 256G /dev/vg0/datastore
+  lvol:
+    vg: vg0
+    lv: datastore
+    #size: 256G
+    size: 80G
+# Format /dev/vg0/datastore as ext4
+- name: Formatting /dev/vg0/datastore as ext4
+  filesystem:
+    fstype: ext4
+    dev: /dev/vg0/datastore
+
+# Mount datastore volume
+# Adds this to /etc/fstab and mounts: /dev/vg0/datastore /var/lib/one/datastores ext4 defaults 0 0
+# NO, too complex if we are doing per node RAW LVM volumes too, need to engineer manually per node
+- name: Mount large datastore volume
+  mount:
+    path: /var/lib/one/datastores
+    src: /dev/vg0/datastore
+    fstype: ext4
+    state: mounted
+- file: {path: /var/lib/one/datastores, owner: oneadmin, group: oneadmin}
+
+# Installing OpenNebula automatically creates user oneadmin ID 9869
+# We just need to set the [linux user] password here
+- name: Setting oneadmin password
+  user:
+    name: 'oneadmin'
+    password: '{{ oneadmin_linux_password }}'
+    update_password: always
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+  copy:
+    src: 'files/ssh.config'
+    dest: '/var/lib/one/.ssh/config'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0644
+
+# Authorize oneadmin user to SSH into itself
+- name: Authorizing SSH keys for oneadmin
+  authorized_key:
+    user: 'oneadmin'
+    key: '{{ item }}'
+  with_file:
+    - '../../users/keys/oneadmin.key.pub'
+
+# Create oneadmin public key
+- name: Copying oneadmin SSH public key
+  copy:
+    src: '../../users/keys/oneadmin.key.pub'
+    dest: '/var/lib/one/.ssh/id_rsa.pub'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0644
+
+# Create oneadmin private key
+- name: Copying oneadmin SSH private key
+  copy:
+    src: '../../../vault/oneadmin.key'
+    dest: '/var/lib/one/.ssh/id_rsa'
+    owner: 'oneadmin'
+    group: 'oneadmin'
+    mode: 0600
+
+# Copy libvirt.conf
+- name: Copying /etc/libvirt/libvirt.conf
+  copy:
+    src: libvirt.conf
+    dest: /etc/libvirt/libvirt.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart libvirtd # Only runs if file changed!
+
+# Copy scripts to /usr/local/bin
+- name: Copying scripts to /usr/local/bin
+  template:
+    src: "{{ item }}"
+    dest: /usr/local/bin/
+    owner: toor
+    group: staff
+    mode: 0755
+  with_fileglob:
+    - files/bin/*
+
+# Schedule cron
+- name: Scheduling cron cron-root-daily-12am
+  cron:
+    name: "cron-root-daily-12am"
+    minute: "0"
+    hour: "0"
+    #job: "/usr/local/bin/cron-root-daily-12am.sh > /dev/null"
+    job: "/usr/local/bin/cron-root-daily-12am.sh"
+    user: root

virt/opennebula-5.4-kvm-node/tasks/install.yml

@@ -0,0 +1,16 @@
+---
+- name: Adding Debian 9 OpenNebula GPG key
+  apt_key: url='https://downloads.opennebula.org/repo/repo.key' state=present
+  #when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+- name: Adding Debian 9 OpenNebula repository
+  apt_repository: repo='deb https://downloads.opennebula.org/repo/5.4/Debian/9 stable opennebula' state=present
+  #when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+# Install OpenNebula
+- name: Installing OpenNebula controller applications
+  apt:
+    update_cache: yes
+    state: present
+    name: opennebula-node
+  notify: restart libvirtd

virt/opennebula-5.4-kvm-node/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+# Install and Configure OpenNebula Node
+- include_tasks: install.yml
+- include_tasks: configure.yml

virt/opennebula-5.8-controller/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Adding Debian 9 OpenNebula GPG key
+  apt_key: url='https://downloads.opennebula.org/repo/repo.key' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+- name: Adding Debian 9 OpenNebula repository
+  apt_repository: repo='deb https://downloads.opennebula.org/repo/5.8/Debian/9 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+# Install OpenNebula
+- name: Installing OpenNebula controller applications
+  apt:
+    update_cache: yes
+    state: present
+    name:
+      - opennebula
+      - opennebula-sunstone
+      - opennebula-gate
+      - opennebula-flow
+
+# Install OpenNebula ruby gem dependencies (ONE TIME)
+- name: Installing OpenNebula ruby gem dependencies
+  command: '/usr/share/one/install_gems --yes'
+  run_once: true
+
+# NOTE: OpenNebula daemons do NOT start after install, contrary to how most other debian packages behave.
+# This is good as we want to set passwords and other configurations before we start OpenNebula for the first time.

virt/opennebula-5.8-kvm-node/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart libvirtd
+  service: name=libvirtd state=restarted

virt/opennebula-5.8-kvm-node/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Adding Debian 9 OpenNebula GPG key
+  apt_key: url='https://downloads.opennebula.org/repo/repo.key' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+- name: Adding Debian 9 OpenNebula repository
+  apt_repository: repo='deb https://downloads.opennebula.org/repo/5.8/Debian/9 stable opennebula' state=present
+  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+# Install OpenNebula
+- name: Installing OpenNebula controller applications
+  apt:
+    update_cache: yes
+    state: present
+    name: opennebula-node
+  notify: restart libvirtd