diff --git a/db/etcd/files/etcd-3.3-debian11-original/etcd b/db/etcd/files/etcd-3.3-debian11-original/etcd
new file mode 100644
index 0000000..cf1262c
--- /dev/null
+++ b/db/etcd/files/etcd-3.3-debian11-original/etcd
@@ -0,0 +1,392 @@
+## etcd(1) daemon options
+## See "/usr/share/doc/etcd-server/op-guide/configuration.md.gz"
+
+### Member flags
+
+##### --name
+## Human-readable name for this member.
+## This value is referenced as this node's own entries listed in the
+## `--initial-cluster` flag (e.g., `default=http://localhost:2380`). This
+## needs to match the key used in the flag if using static bootstrapping. When
+## using discovery, each member must have a unique name. `Hostname` or
+## `machine-id` can be a good choice.
+## default: "default"
+# ETCD_NAME="default"
+
+##### --data-dir
+## Path to the data directory.
+## default: "${name}.etcd"
+# ETCD_DATA_DIR="/var/lib/etcd/default"
+
+##### --wal-dir
+## Path to the dedicated wal directory. If this flag is set, etcd will write
+## the WAL files to the walDir rather than the dataDir. This allows a
+## dedicated disk to be used, and helps avoid io competition between logging
+## and other IO operations.
+## default: ""
+# ETCD_WAL_DIR
+
+##### --snapshot-count
+## Number of committed transactions to trigger a snapshot to disk.
+## default: "100000"
+# ETCD_SNAPSHOT_COUNT="100000"
+
+##### --heartbeat-interval
+## Time (in milliseconds) of a heartbeat interval.
+## default: "100"
+# ETCD_HEARTBEAT_INTERVAL="100"
+
+##### --election-timeout
+## Time (in milliseconds) for an election to timeout. See
+## /usr/share/doc/etcd-server/tuning.md.gz for details.
+## default: "1000"
+# ETCD_ELECTION_TIMEOUT="1000"
+
+##### --listen-peer-urls
+## List of URLs to listen on for peer traffic. This flag tells the etcd to
+## accept incoming requests from its peers on the specified scheme://IP:port
+## combinations. Scheme can be either http or https.If 0.0.0.0 is specified as
+## the IP, etcd listens to the given port on all interfaces. If an IP address is
+## given as well as a port, etcd will listen on the given port and interface.
+## Multiple URLs may be used to specify a number of addresses and ports to listen
+## on. The etcd will respond to requests from any of the listed addresses and
+## ports.
+## default: "http://localhost:2380"
+## example: "http://10.0.0.1:2380"
+## invalid example: "http://example.com:2380" (domain name is invalid for binding)
+# ETCD_LISTEN_PEER_URLS="http://localhost:2380"
+
+##### --listen-client-urls
+## List of URLs to listen on for client traffic. This flag tells the etcd to
+## accept incoming requests from the clients on the specified scheme://IP:port
+## combinations. Scheme can be either http or https. If 0.0.0.0 is specified as
+## the IP, etcd listens to the given port on all interfaces. If an IP address is
+## given as well as a port, etcd will listen on the given port and interface.
+## Multiple URLs may be used to specify a number of addresses and ports to listen
+## on. The etcd will respond to requests from any of the listed addresses and
+## ports.
+## default: "http://localhost:2379"
+## example: "http://10.0.0.1:2379"
+## invalid example: "http://example.com:2379" (domain name is invalid for binding)
+# ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
+
+##### --max-snapshots
+## Maximum number of snapshot files to retain (0 is unlimited)
+## The default for users on Windows is unlimited, and manual purging down to 5
+## (or some preference for safety) is recommended.
+## default: 5
+# ETCD_MAX_SNAPSHOTS="5"
+
+##### --max-wals
+## Maximum number of wal files to retain (0 is unlimited)
+## The default for users on Windows is unlimited, and manual purging down to 5
+## (or some preference for safety) is recommended.
+## default: 5
+# ETCD_MAX_WALS="5"
+
+##### --cors
+## Comma-separated white list of origins for CORS (cross-origin resource
+## sharing).
+## default: none
+# ETCD_CORS
+
+#### --quota-backend-bytes
+## Raise alarms when backend size exceeds the given quota (0 defaults to low
+## space quota).
+## default: 0
+# ETCD_QUOTA_BACKEND_BYTES="0"
+
+#### --backend-batch-limit
+## BackendBatchLimit is the maximum operations before commit the backend
+## transaction.
+## default: 0
+# ETCD_BACKEND_BATCH_LIMIT="0"
+
+#### --backend-batch-interval
+## BackendBatchInterval is the maximum time before commit the backend
+## transaction.
+## default: 0
+# ETCD_BACKEND_BATCH_INTERVAL="0"
+
+#### --max-txn-ops
+## Maximum number of operations permitted in a transaction.
+## default: 128
+# ETCD_MAX_TXN_OPS="128"
+
+#### --max-request-bytes
+## Maximum client request size in bytes the server will accept.
+## default: 1572864
+# ETCD_MAX_REQUEST_BYTES="1572864"
+
+#### --grpc-keepalive-min-time
+## Minimum duration interval that a client should wait before pinging server.
+## default: 5s
+# ETCD_GRPC_KEEPALIVE_MIN_TIME="5"
+
+#### --grpc-keepalive-interval
+## Frequency duration of server-to-client ping to check if a connection is
+## alive (0 to disable).
+## default: 2h
+# ETCD_GRPC_KEEPALIVE_INTERVAL="2h"
+
+#### --grpc-keepalive-timeout
+## Additional duration of wait before closing a non-responsive connection
+## (0 to disable).
+## default: 20s
+# ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
+
+
+### Clustering flags
+
+# `--initial` prefix flags are used in bootstrapping (static bootstrap,
+# discovery-service bootstrap or runtime reconfiguration) a new member, and
+# ignored when restarting an existing member.
+
+# `--discovery` prefix flags need to be set when using discovery service.
+
+##### --initial-advertise-peer-urls
+
+## List of this member's peer URLs to advertise to the rest of the cluster.
+## These addresses are used for communicating etcd data around the cluster. At
+## least one must be routable to all cluster members. These URLs can contain
+## domain names.
+## default: "http://localhost:2380"
+## example: "http://example.com:2380, http://10.0.0.1:2380"
+# ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
+
+##### --initial-cluster
+## Initial cluster configuration for bootstrapping.
+## The key is the value of the `--name` flag for each node provided. The
+## default uses `default` for the key because this is the default for the
+## `--name` flag.
+## default: "default=http://localhost:2380"
+# ETCD_INITIAL_CLUSTER="default=http://localhost:2380"
+
+##### --initial-cluster-state
+## Initial cluster state ("new" or "existing"). Set to `new` for all members
+## present during initial static or DNS bootstrapping. If this option is set to
+## `existing`, etcd will attempt to join the existing cluster. If the wrong value
+## is set, etcd will attempt to start but fail safely.
+## default: "new"
+# ETCD_INITIAL_CLUSTER_STATE="new"
+
+##### --initial-cluster-token
+## Initial cluster token for the etcd cluster during bootstrap.
+## default: "etcd-cluster"
+# ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
+
+##### --advertise-client-urls
+## List of this member's client URLs to advertise to the rest of the cluster.
+## These URLs can contain domain names.
+## Be careful if advertising URLs such as http://localhost:2379 from a cluster
+## member and are using the proxy feature of etcd. This will cause loops, because
+## the proxy will be forwarding requests to itself until its resources (memory,
+## file descriptors) are eventually depleted.
+## default: "http://localhost:2379"
+## example: "http://example.com:2379, http://10.0.0.1:2379"
+# ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
+
+##### --discovery
+## Discovery URL used to bootstrap the cluster.
+## default: none
+# ETCD_DISCOVERY
+
+##### --discovery-srv
+## DNS srv domain used to bootstrap the cluster.
+## default: none
+# ETCD_DISCOVERY_SRV
+
+##### --discovery-fallback
+## Expected behavior ("exit" or "proxy") when discovery services fails. "proxy"
+## supports v2 API only.
+## default: "proxy"
+# ETCD_DISCOVERY_FALLBACK="proxy"
+
+##### --discovery-proxy
+## HTTP proxy to use for traffic to discovery service.
+## default: none
+# ETCD_DISCOVERY_PROXY
+
+##### --strict-reconfig-check
+## Reject reconfiguration requests that would cause quorum loss.
+## default: false
+# ETCD_STRICT_RECONFIG_CHECK
+
+##### --auto-compaction-retention
+## Auto compaction retention for mvcc key value store in hour. 0 means disable
+## auto compaction.
+## default: 0
+# ETCD_AUTO_COMPACTION_RETENTION="0"
+
+##### --enable-v2
+## Accept etcd V2 client requests
+## default: true
+# ETCD_ENABLE_V2="true"
+
+
+### Proxy flags
+
+# `--proxy` prefix flags configures etcd to run in proxy mode. "proxy" supports
+# v2 API only.
+
+##### --proxy
+## Proxy mode setting ("off", "readonly" or "on").
+## default: "off"
+# ETCD_PROXY="off"
+
+##### --proxy-failure-wait
+## Time (in milliseconds) an endpoint will be held in a failed state before
+## being reconsidered for proxied requests.
+## default: 5000
+# ETCD_PROXY_FAILURE_WAIT="5000"
+
+##### --proxy-refresh-interval
+## Time (in milliseconds) of the endpoints refresh interval.
+## default: 30000
+# ETCD_PROXY_REFRESH_INTERVAL="30000"
+
+##### --proxy-dial-timeout
+## Time (in milliseconds) for a dial to timeout or 0 to disable the timeout
+## default: 1000
+# ETCD_PROXY_DIAL_TIMEOUT="1000"
+
+##### --proxy-write-timeout
+## Time (in milliseconds) for a write to timeout or 0 to disable the timeout.
+## default: 5000
+# ETCD_PROXY_WRITE_TIMEOUT="5000"
+
+##### --proxy-read-timeout
+## Time (in milliseconds) for a read to timeout or 0 to disable the timeout.
+## Don't change this value if using watches because use long polling requests.
+## default: 0
+# ETCD_PROXY_READ_TIMEOUT="0"
+
+
+### Security flags
+
+# The security flags help to build a secure etcd cluster.
+
+##### --ca-file (**DEPRECATED**)
+## Path to the client server TLS CA file. `--ca-file ca.crt` could be replaced
+## by `--trusted-ca-file ca.crt --client-cert-auth` and etcd will perform the
+## same.
+## default: none
+# ETCD_CA_FILE
+
+##### --cert-file
+## Path to the client server TLS cert file.
+## default: none
+# ETCD_CERT_FILE
+
+##### --key-file
+## Path to the client server TLS key file.
+## default: none
+# ETCD_KEY_FILE
+
+##### --client-cert-auth
+## Enable client cert authentication.
+## CN authentication is not supported by gRPC-gateway.
+## default: false
+# ETCD_CLIENT_CERT_AUTH
+
+#### --client-crl-file
+## Path to the client certificate revocation list file.
+## default: ""
+# ETCD_CLIENT_CRL_FILE
+
+##### --trusted-ca-file
+## Path to the client server TLS trusted CA key file.
+## default: none
+# ETCD_TRUSTED_CA_FILE
+
+##### --auto-tls
+## Client TLS using generated certificates
+## default: false
+# ETCD_AUTO_TLS
+
+##### --peer-ca-file (**DEPRECATED**)
+## Path to the peer server TLS CA file. `--peer-ca-file ca.crt` could be
+## replaced by `--peer-trusted-ca-file ca.crt --peer-client-cert-auth` and etcd
+## will perform the same.
+## default: none
+# ETCD_PEER_CA_FILE
+
+##### --peer-cert-file
+## Path to the peer server TLS cert file.
+## default: none
+# ETCD_PEER_CERT_FILE
+
+##### --peer-key-file
+## Path to the peer server TLS key file.
+## default: none
+# ETCD_PEER_KEY_FILE
+
+##### --peer-client-cert-auth
+## Enable peer client cert authentication.
+## default: false
+# ETCD_PEER_CLIENT_CERT_AUTH
+
+#### --peer-crl-file
+## Path to the peer certificate revocation list file.
+## default: ""
+# ETCD_PEER_CRL_FILE
+
+##### --peer-trusted-ca-file
+## Path to the peer server TLS trusted CA file.
+## default: none
+# ETCD_PEER_TRUSTED_CA_FILE
+
+##### --peer-auto-tls
+## Peer TLS using generated certificates
+## default: false
+# ETCD_PEER_AUTO_TLS
+
+#### --peer-cert-allowed-cn
+## Allowed CommonName for inter peer authentication.
+## default: none
+# ETCD_PEER_CERT_ALLOWED_CN
+
+#### --cipher-suites
+## Comma-separated list of supported TLS cipher suites between server/client and
+## peers.
+## default: ""
+# ETCD_CIPHER_SUITES
+
+#### --experimental-peer-skip-client-san-verification
+## Skip verification of SAN field in client certificate for peer connections.
+## default: false
+#+ ETCD_EXPERIMENTAL_PEER_SKIP_CLIENT_SAN_VERIFICATION
+
+
+### Logging flags
+
+#### --log-outputs
+## Specify 'stdout' or 'stderr' to skip journald logging even when running
+## under systemd, or list of comma separated output targets.
+## default: default
+# ETCD_LOG_OUTPUTS
+
+##### --debug
+## Drop the default log level to DEBUG for all subpackages.
+## default: false (INFO for all packages)
+# ETCD_DEBUG
+
+##### --log-package-levels
+## Set individual etcd subpackages to specific log levels. An example being
+## `etcdserver=WARNING,security=DEBUG`
+## default: none (INFO for all packages)
+# ETCD_LOG_PACKAGE_LEVELS
+
+
+### Unsafe flags
+
+# Please be CAUTIOUS when using unsafe flags because it will break the guarantees given by the consensus protocol.
+# For example, it may panic if other members in the cluster are still alive.
+# Follow the instructions when using these flags.
+
+##### --force-new-cluster
+## Force to create a new one-member cluster. It commits configuration changes
+## forcing to remove all existing members in the cluster and add itself. It needs
+## to be set to restore a backup.
+## default: false
+# ETCD_FORCE_NEW_CLUSTER
diff --git a/db/etcd/tasks/install-debian.yml b/db/etcd/tasks/install-debian.yml
new file mode 100644
index 0000000..d594239
--- /dev/null
+++ b/db/etcd/tasks/install-debian.yml
@@ -0,0 +1,9 @@
+---
+
+# Install etcd
+- name: Installing etcd
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - etcd
diff --git a/db/etcd/tasks/main.yml b/db/etcd/tasks/main.yml
new file mode 100644
index 0000000..7d8bb30
--- /dev/null
+++ b/db/etcd/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+- include_tasks: install-debian.yml
+ when: ansible_os_family == "Debian"
diff --git a/db/mysql-percona/README.md b/db/mysql-percona/README.md
new file mode 100644
index 0000000..2a5470b
--- /dev/null
+++ b/db/mysql-percona/README.md
@@ -0,0 +1,26 @@
+This is the new role for MySQL percona.
+
+Do not use the deprecated mysql-percona-5.7 for new installations.
+
+This role is more advanced with tons of customizable variables.
+
+Example usage:
+
+- role: mysql-percona
+ vars:
+ mysql_version_major: 8
+ mysql_version_minor: 0
+ mysql_datadir: "/opt/mysql"
+ mysql_default_authentication_plugin: "mysql_native_password"
+ mysql_innodb_buffer_pool_size: "3G"
+ mysql_users:
+ - name: mreschke
+ pass: 'passhere'
+ host: '%'
+ - name: squaethem
+ - name: tableau
+
+See `defaults` for all variables. See `tasks/users.yml` for all user options
+
+
+~mReschke 2022-03-09
diff --git a/db/mysql-percona/defaults/main.yml b/db/mysql-percona/defaults/main.yml
new file mode 100644
index 0000000..33df922
--- /dev/null
+++ b/db/mysql-percona/defaults/main.yml
@@ -0,0 +1,56 @@
+---
+
+# Version to install, defaulting to 5.6
+mysql_version_major: "8"
+mysql_version_minor: "0"
+mysql_version: "{{ mysql_version_major|int }}.{{ mysql_version_minor|int }}"
+
+# Basic settings
+mysql_root_password: "techie"
+mysql_port: "3306"
+mysql_bind_address: "127.0.0.1"
+mysql_language: "/usr/share/mysql/"
+mysql_datadir: "/var/lib/mysql"
+mysql_tempdir: "/tmp"
+
+# Fine tuning
+mysql_key_buffer: "16M"
+mysql_max_allowed_packet: "256M"
+mysql_thread_stack: "192K"
+mysql_cache_size: "8"
+mysql_myisam_recover: "BACKUP"
+mysql_max_connections: "500"
+mysql_table_cache: "64"
+mysql_thread_concurrency: "10"
+mysql_query_cache_limit: "1M"
+mysql_query_cache_size: "16M"
+mysql_character_set_server: "utf8mb4"
+mysql_collation_server: "utf8mb4_0900_ai_ci"
+mysql_mysqldump_max_allowed_packet: "128M"
+mysql_isamchk_key_buffer: "16M"
+mysql_sort_buffer_size: "256K"
+
+# InnoDB tuning
+mysql_innodb_file_per_table: "1"
+mysql_innodb_flush_method: "fdatasync"
+mysql_innodb_buffer_pool_size: "1G"
+mysql_innodb_flush_log_at_trx_commit: "1"
+mysql_innodb_lock_wait_timeout: "50"
+mysql_innodb_log_buffer_size: "1M"
+mysql_innodb_log_file_size: "64M"
+
+mysql_character_set_client_handshake: "FALSE"
+
+mysql_timezone_info: "false"
+
+mysql_databases: []
+mysql_users: []
+
+install_rpm_repositories: "true"
+
+# To disable log_bin in percona >=8, enabled by default
+mysql_disable_log_bin: "true"
+
+# Default Auth Plugin
+# used in templates when Percona Server >= 5.7
+mysql_default_authentication_plugin: "mysql_native_password"
diff --git a/db/mysql-percona/handlers/main.yml b/db/mysql-percona/handlers/main.yml
new file mode 100644
index 0000000..f3e4e9c
--- /dev/null
+++ b/db/mysql-percona/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: "Restart percona"
+ service: "name=mysql state=restarted"
diff --git a/db/mysql-percona/tasks/check-settings.yml b/db/mysql-percona/tasks/check-settings.yml
new file mode 100644
index 0000000..b95c98e
--- /dev/null
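Review bot: `mysql_root_password: "techie"` in the defaults hands every host the same published root credential unless the caller remembers to override it, and tasks/users.yml falls back to the same literal for `item.pass`; a default that is itself a usable password tends to survive into production unnoticed. I'd ship no value here and fail early in check-settings.yml with `- assert: { that: mysql_root_password is defined, fail_msg: "set mysql_root_password (ideally from vault)" }`, so a missing override stops the run before secure.yml writes /root/.my.cnf. The header comment `# Version to install, defaulting to 5.6` also contradicts the `"8"` / `"0"` values directly below it and should be updated.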
+++ b/db/mysql-percona/tasks/check-settings.yml
@@ -0,0 +1,20 @@
+---
+
+- name: "Check if percona-server is installed"
+ shell: dpkg -l | grep -i percona-server-server
+ ignore_errors: yes
+ register: percona_server_is_installed
+
+- name: "Check for innodb_log_file_size setting (Ubuntu)"
+ shell:
+ cmd: grep -E ^innodb_log_file_size /etc/mysql/my.cnf | awk -F= '{ print $2}' | sed 's/\s//g'
+ removes: "/etc/mysql/my.cnf"
+ register: configured_innodb_log_file_size
+
+- name: "Abort when innodb_log_file_size changes"
+ fail:
+ msg: "The existing MySQL server has innodb_log_file_size={{ configured_innodb_log_file_size.stdout }}, but your are trying to set it to {{ mysql_innodb_log_file_size }}. Please, change this value for the variable in either ansible or the server itself. See: https://dev.mysql.com/doc/refman/5.6/en/innodb-redo-log.html"
+ when:
+ - percona_server_is_installed.stdout|trim != ""
+ - not configured_innodb_log_file_size.stdout | regex_search('^skipped')
+ - configured_innodb_log_file_size.stdout != mysql_innodb_log_file_size
diff --git a/db/mysql-percona/tasks/configure.yml b/db/mysql-percona/tasks/configure.yml
new file mode 100644
index 0000000..768ed77
--- /dev/null
+++ b/db/mysql-percona/tasks/configure.yml
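Review bot: The "Check if percona-server is installed" task hides every failure of its pipeline behind `ignore_errors: yes`, so a broken shell or a dpkg error reads as "not installed" and the `fail` guard below is silently skipped; both shell tasks also report `changed` on every run. The installed-package fact is available without a shell at all: `- package_facts:` followed by `when: "'percona-server-server' in ansible_facts.packages"`, or at minimum `failed_when: false` plus `changed_when: false` on the two checks. The `regex_search('^skipped')` condition relies on the command module writing that text into `stdout` when `removes` short-circuits the task; newer ansible-core reports that case in `msg` with an empty `stdout` as far as I recall (worth confirming on the target version), in which case an installed server with no /etc/mysql/my.cnf would compare `""` against `mysql_innodb_log_file_size` and abort. The fail message also has the typo "your are trying".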
@@ -0,0 +1,26 @@
+---
+
+- name: "Update the my.cnf"
+ template: "src=etc_mysql_my.cnf.j2 dest=/etc/mysql/my.cnf owner=root mode=0644"
+ register: "config_file"
+ notify:
+ - "Restart percona"
+
+- name: "Ensure that percona is running and enabled"
+ service:
+ name: "mysql"
+ state: "started"
+ enabled: "yes"
+ register: mysql_service
+
+# This service restart is needed when changing default mysql_datadir, mysql_native_password
+# and other settings. So better restart when the my.cnf file changes
+# Restart when my.cnf has changed and it has not been restarted by the above task
+- name: "Restart mysql to apply changes done in my.cnf file"
+ service:
+ name: "mysql"
+ state: "restarted"
+ when:
+ - config_file.changed
+ - mysql_service is defined
+ - not mysql_service.changed
diff --git a/db/mysql-percona/tasks/install.yml b/db/mysql-percona/tasks/install.yml
new file mode 100644
index 0000000..78a4da8
--- /dev/null
+++ b/db/mysql-percona/tasks/install.yml
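Review bot: The explicit "Restart mysql to apply changes done in my.cnf file" task and the `notify: "Restart percona"` on the template task both fire when my.cnf changes on an already-running server, so one run restarts mysql twice (once here, once more when the handler flushes at the end of the play); the `when` only prevents the double restart in the first-start case where the service task itself reports changed. Keep one mechanism: either drop the `notify` and keep the explicit task, or keep the `notify` and replace the third task with `- meta: flush_handlers`. As a point of style, `register: "config_file"` and `enabled: "yes"` work but quoting a register name and a boolean is unusual; `register: config_file` and `enabled: true` read cleaner.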
@@ -0,0 +1,92 @@
+---
+# (do not put quotes on key id, for some reason it won't work)
+- name: "Obtaining percona public key"
+ apt_key:
+ keyserver: "keyserver.ubuntu.com"
+ id: 9334A25F8507EFA5
+
+- name: "Adding percona repository"
+ apt_repository:
+ repo: "deb http://repo.percona.com/apt {{ ansible_distribution_release }} main"
+ state: "present"
+
+- name: "Update apt cache"
+ apt:
+ update_cache: yes
+ cache_valid_time: 300
+
+- name: "Install percona-release package (Percona version >= 8)"
+ apt:
+ deb: "https://repo.percona.com/apt/percona-release_latest.{{ ansible_distribution_release }}_all.deb"
+ when: mysql_version_major|int >= 8
+
+# https://www.percona.com/doc/percona-server/LATEST/installation/apt_repo.html
+- name: "Enable Percona repository (Percona version >= 8)"
+ command: "percona-release setup ps{{ mysql_version_major }}{{ mysql_version_minor }}"
+ when: mysql_version_major|int >= 8
+
+- name: "Install python-is-python3 (Ubuntu >= Focal/20.04)"
+ apt:
+ name: "python-is-python3"
+ when:
+ - ansible_distribution_version is version_compare('20.04', '>=')
+
+- name: "Get the major version of python used to run ansible"
+ command: "{{ ansible_python_interpreter | default('/usr/bin/python') }} -c 'import sys; print(sys.version_info.major)'"
+ register: ansible_python_major
+ changed_when: false
+
+- debug:
+ msg: "ansible_python_interpreter major version: {{ ansible_python_major.stdout }}"
+
+- name: "Install package dependencies for ansible MySQL modules (python 2)"
+ apt:
+ name: "python-mysqldb"
+ when:
+ - ansible_python_major.stdout == "2"
+
+- name: "Install package dependencies for ansible MySQL modules (python 3)"
+ apt:
+ name: "python3-mysqldb"
+ when:
+ - ansible_python_major.stdout == "3"
+
+- name: "Install percona packages and dependencies on Ubuntu (Percona version < 8)"
+ apt:
+ name:
+ - "percona-server-server-{{ mysql_version_major }}.{{ mysql_version_minor }}"
+ - "percona-server-client-{{ mysql_version_major }}.{{ mysql_version_minor }}"
+ - "percona-toolkit"
+ - "percona-xtrabackup"
+ state: "present"
+ when: mysql_version_major|int < 8
+
+- name: "Install | configure debconf for version 8.0 (Use Legacy Authentication Method)"
+ debconf:
+ name: 'percona-server-server'
+ question: 'percona-server-server/default-auth-override'
+ value: 'Use Legacy Authentication Method (Retain MySQL 5.x Compatibility)'
+ vtype: select
+ changed_when: false
+ when:
+ - mysql_version_major|int >= 8
+ - mysql_default_authentication_plugin is defined
+ - mysql_default_authentication_plugin == "mysql_native_password"
+
+- name: "Install percona packages and dependencies on Ubuntu (Percona version >= 8)"
+ apt:
+ name:
+ - "percona-server-server={{ mysql_version_major }}.{{ mysql_version_minor }}*"
+ - "percona-server-client={{ mysql_version_major }}.{{ mysql_version_minor }}*"
+ - "percona-toolkit"
+ - "percona-xtrabackup-80"
+ state: "present"
+ when: mysql_version_major|int >= 8
+
+- name: "Adjust permissions of datadir"
+ file:
+ path: "{{ mysql_datadir }}"
+ owner: "mysql"
+ group: "mysql"
+ mode: 0700
+ state: "directory"
diff --git a/db/mysql-percona/tasks/main.yml b/db/mysql-percona/tasks/main.yml
new file mode 100644
index 0000000..5d7237a
--- /dev/null
+++ b/db/mysql-percona/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- include: check-settings.yml
+- include: install.yml
+- include: configure.yml
+- include: secure.yml
+- include: users.yml
diff --git a/db/mysql-percona/tasks/secure.yml b/db/mysql-percona/tasks/secure.yml
new file mode 100644
index 0000000..998ddff
--- /dev/null
+++ b/db/mysql-percona/tasks/secure.yml
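Review bot: "Obtaining percona public key" pulls the key by a 64-bit id over an unauthenticated HKP lookup and, through `apt_key`, lands it in the global trusted keyring, where it can sign any package from any configured repository rather than only Percona's; `apt-key` is also deprecated on Debian 11, which this commit explicitly targets. Prefer fetching the key with `get_url` into `/etc/apt/keyrings/` (URL per Percona's docs, `<PERCONA_KEY_URL>` here as a placeholder) and adding `signed-by=` to the `repo:` line, and note that for `mysql_version_major >= 8` the `percona-release` package installed a few tasks later manages keyring and sources itself, so the manual key/repo pair looks redundant on that path (hedged — confirm against the package). `command: "percona-release setup ..."` reports changed on every run; `changed_when: false` or a `creates:` on the sources file it writes would make the role idempotent. The `python-is-python3` condition compares `ansible_distribution_version` with `'20.04'` without checking the distribution, which quietly skips on Debian 11 (version `11`) — fine if intended, but worth an `ansible_distribution == "Ubuntu"` guard so the name matches the behaviour.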
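Review bot: `- include:` is the long-deprecated task keyword and has been removed in recent ansible-core releases (2.16 onward, as far as I recall), so this role entry point will stop loading on an upgraded controller; the sibling `db/etcd/tasks/main.yml` added in the same commit already uses `include_tasks`. Switching the five entries to `- import_tasks: check-settings.yml` (static, so tags and `--start-at-task` work) or `- include_tasks:` keeps the two roles consistent.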
@@ -0,0 +1,35 @@
+---
+- name: "Copy .my.cnf file into the root home folder"
+ template:
+ src: root-my-cnf.j2
+ dest: /root/.my.cnf
+ owner: root
+ group: root
+ mode: 0600
+
+- name: "Set the root password"
+ mysql_user:
+ name: root
+ host: "{{ item }}"
+ password: "{{ mysql_root_password }}"
+ check_implicit_admin: yes
+ state: present
+ with_items:
+ - "{{ ansible_hostname }}"
+ - "127.0.0.1"
+ - "::1"
+ - "localhost"
+
+- name: "Ensure anonymous users are not in the database"
+ mysql_user:
+ name: ''
+ host: "{{ item }}"
+ state: absent
+ with_items:
+ - "{{ ansible_hostname }}"
+ - "localhost"
+
+- name: "Remove the test database"
+ mysql_db:
+ name: test
+ state: absent
diff --git a/db/mysql-percona/tasks/users.yml b/db/mysql-percona/tasks/users.yml
new file mode 100644
index 0000000..f2a8835
--- /dev/null
+++ b/db/mysql-percona/tasks/users.yml
@@ -0,0 +1,11 @@
+---
+
+- name: "Make sure the MySQL users are present"
+ mysql_user:
+ name: "{{ item.name }}"
+ password: "{{ item.pass | default('techie') }}"
+ priv: "{{ item.priv | default('*.*:ALL') }}"
+ state: "present"
+ host: "{{ item.host | default('%') }}"
+ with_items: "{{ mysql_users }}"
+ no_log: "true"
diff --git a/db/mysql-percona/templates/etc_mysql_my.cnf.j2 b/db/mysql-percona/templates/etc_mysql_my.cnf.j2
new file mode 100644
index 0000000..5f10baf
--- /dev/null
+++ b/db/mysql-percona/templates/etc_mysql_my.cnf.j2
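Review bot: The defaults in "Make sure the MySQL users are present" grant `*.*:ALL` from host `%` with the password `techie` to any entry that omits those keys, so a one-line `- name: tableau` (exactly what the README example shows) becomes an all-database, any-host account with a guessable password. Defaults should be the least privilege that still works: `host: "{{ item.host | default('localhost') }}"`, a `priv` scoped to the user's own database, and no fallback password — either let the task fail when `item.pass` is missing or generate one with `lookup('password', ...)` and record it. `no_log: "true"` is a string where a boolean is meant; `no_log: true` is the conventional form and avoids any truthiness ambiguity.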
@@ -0,0 +1,129 @@
+#
+# The MySQL database server configuration file.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+[client]
+port = {{ mysql_port }}
+socket = /var/run/mysqld/mysqld.sock
+
+[mysqld_safe]
+socket = /var/run/mysqld/mysqld.sock
+nice = 0
+open-files-limit = 16384
+
+[mysqld]
+# * Basic Settings
+user = mysql
+pid-file = /var/run/mysqld/mysqld.pid
+socket = /var/run/mysqld/mysqld.sock
+port = {{ mysql_port }}
+basedir = /usr
+datadir = {{ mysql_datadir }}
+tmpdir = {{ mysql_tempdir }}
+{% if mysql_version is version('8.0', '>=') and mysql_disable_log_bin|bool %}
+disable_log_bin
+{% endif %}
+{% if mysql_version is version('5.7', '<') %}
+# language is for pre-5.5. In 5.5 it is an alias for lc_messages_dir.
+language = {{ mysql_language }}
+{% else %}
+lc_messages_dir = {{ mysql_language }}
+{% endif %}
+bind-address = {{ mysql_bind_address }}
+skip-external-locking
+{% if mysql_sql_mode is defined %}
+sql_mode={{ mysql_sql_mode }}
+{% endif %}
+{% if mysql_default_authentication_plugin is defined and mysql_version is version('5.7', '>=') %}
+default_authentication_plugin={{ mysql_default_authentication_plugin }}
+{% endif %}
+
+# * Fine Tuning
+key_buffer_size = {{ mysql_key_buffer }}
+max_allowed_packet = {{ mysql_max_allowed_packet }}
+thread_stack = {{ mysql_thread_stack }}
+thread_cache_size = {{ mysql_cache_size }}
+{% if mysql_version is version('5.7', '<') %}
+myisam-recover = {{ mysql_myisam_recover }}
+{% else %}
+myisam-recover-options = {{ mysql_myisam_recover }}
+{% endif %}
+max_connections = {{ mysql_max_connections }}
+table_open_cache = {{ mysql_table_cache }}
+{% if mysql_version is version('5.7', '<') %}
+thread_concurrency = {{ mysql_thread_concurrency }}
+{% endif %}
+sort_buffer_size = {{ mysql_sort_buffer_size }}
+
+# ** Query Cache Configuration, removed in MySQL >= 8.0
+{% if mysql_version_major|int < 8 %}
+query_cache_limit = {{ mysql_query_cache_limit }}
+query_cache_size = {{ mysql_query_cache_size }}
+{% endif %}
+
+# ** Logging and Replication
+log_error = /var/log/mysql/error.log
+{% if mysql_version_major|int < 8 %}
+log_warnings = 2
+{% else %}
+log_error_verbosity = 2
+{% endif %}
+#general_log_file = /var/log/mysql/mysql.log
+#general_log = 1
+#
+#log_slow_queries = /var/log/mysql/mysql-slow.log
+#long_query_time = 2
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = include_database_name
+
+# ** InnoDB
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+innodb_flush_log_at_trx_commit = {{ mysql_innodb_flush_log_at_trx_commit }}
+innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }}
+{% if mysql_innodb_flush_method != 'fdatasync': %}
+innodb_flush_method = {{ mysql_innodb_flush_method }}
+{% endif %}
+innodb_lock_wait_timeout = {{ mysql_innodb_lock_wait_timeout }}
+innodb_log_buffer_size = {{ mysql_innodb_log_buffer_size }}
+innodb_log_file_size = {{ mysql_innodb_log_file_size }}
+innodb_file_per_table = {{ mysql_innodb_file_per_table }}
+
+{% if mysql_optimizer_switch is defined %}
+# Check https://bugs.mysql.com/bug.php?id=69721 for more info
+optimizer_switch = {{ mysql_optimizer_switch }}
+{% endif %}
+
+# ** Security Features
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+
+character_set_server = {{ mysql_character_set_server }}
+collation_server = {{ mysql_collation_server }}
+character-set-client-handshake = {{ mysql_character_set_client_handshake }}
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = {{ mysql_mysqldump_max_allowed_packet }}
+
+[mysql]
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer = {{ mysql_isamchk_key_buffer }}
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+# The files must end with '.cnf', otherwise they'll be ignored.
+#
+!includedir /etc/mysql/conf.d/
diff --git a/db/mysql-percona/templates/root-my-cnf.j2 b/db/mysql-percona/templates/root-my-cnf.j2
new file mode 100644
index 0000000..f7fd1e1
--- /dev/null
+++ b/db/mysql-percona/templates/root-my-cnf.j2
@@ -0,0 +1,3 @@
+[client]
+user=root
+password="{{ mysql_root_password }}"
diff --git a/server/files/bin/speedtest b/server/files/bin/speedtest
index 359224c..a5a0e7c 100755
Binary files a/server/files/bin/speedtest and b/server/files/bin/speedtest differ
diff --git a/server/files/bin/speedtest-ookla b/server/files/bin/speedtest-ookla
deleted file mode 100755
index a5a0e7c..0000000
Binary files a/server/files/bin/speedtest-ookla and /dev/null differ
diff --git a/server/files/debian/11/sources.list b/server/files/debian/11/sources.list
new file mode 100644
index 0000000..65feb15
--- /dev/null
+++ b/server/files/debian/11/sources.list
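Review bot: `expire_logs_days = 10` is deprecated on 8.0 (replaced by `binlog_expire_logs_seconds` from 8.0.1, with a deprecation warning from 8.0.3 as far as I recall) and the `[mysqld_safe]` section is not read by the systemd units Percona 8 ships, so a template that already gates `query_cache_*` and `log_warnings` on the version should gate these the same way, e.g. `{% if mysql_version_major|int < 8 %}expire_logs_days = 10{% else %}binlog_expire_logs_seconds = 864000{% endif %}`. The trailing colon in `{% if mysql_innodb_flush_method != 'fdatasync': %}` is tolerated by Jinja but differs from every other `{% if %}` in the file and reads like a typo. `mysql_sql_mode` and `mysql_optimizer_switch` are consulted here but have no entry (even a commented one) in defaults/main.yml, so a reader of the defaults cannot discover these knobs.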
@@ -0,0 +1,11 @@ +# Debian 11 Bullseye Software +deb http://deb.debian.org/debian bullseye main contrib non-free +deb-src http://deb.debian.org/debian bullseye main contrib non-free + +# Debian 11 Bullseye Updates +deb http://deb.debian.org/debian bullseye-updates main contrib non-free +deb-src http://deb.debian.org/debian bullseye-updates main contrib non-free + +# Debian 11 Bullseye Security +deb http://security.debian.org/debian-security bullseye-security main contrib non-free +deb-src http://security.debian.org/debian-security bullseye-security main contrib non-free diff --git a/server/files/profile.d/bash_aliases.sh b/server/files/profile.d/bash_aliases.sh index de34394..e9a4b76 100644 --- a/server/files/profile.d/bash_aliases.sh +++ b/server/files/profile.d/bash_aliases.sh @@ -52,5 +52,6 @@ alias pops='poetry shell && echo "poetry shell has been deactivated" && echo && # Docker alias dps="docker ps" alias dpsa="docker ps -a" +alias dnet="docker network ls" alias dimg="docker images" alias dimga="docker images -a" diff --git a/server/tasks/debian/all.yml b/server/tasks/debian/all.yml index 2e1d9d8..173dfb9 100644 --- a/server/tasks/debian/all.yml +++ b/server/tasks/debian/all.yml 
@@ -5,22 +5,27 @@ # Copy Debian 9 sources.list - name: Copying Debian 9 apt/sources.list - copy: src=debian/9/sources.list dest=/etc/apt/sources.list + copy: src=debian/9/sources.list dest=/etc/apt/sources.list mode=0644 when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9" # Copy Debian 10 sources.list - name: Copying Debian 10 apt/sources.list - copy: src=debian/10/sources.list dest=/etc/apt/sources.list + copy: src=debian/10/sources.list dest=/etc/apt/sources.list mode=0644 when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10" +# Copy Debian 11 sources.list +- name: Copying Debian 11 apt/sources.list + copy: src=debian/11/sources.list dest=/etc/apt/sources.list mode=0644 + when: ansible_os_family == "Debian" and ansible_distribution_major_version == "11" + # Copy Ubuntu 16.04 sources.list - name: Copying Ubuntu 16.04 apt/sources.list - copy: src=ubuntu/16.04/sources.list dest=/etc/apt/sources.list + copy: src=ubuntu/16.04/sources.list dest=/etc/apt/sources.list mode=0644 when: ansible_distribution == "Ubuntu" and ansible_distribution_version == "16.04" # Ignore apt translations - name: Ignoring apt tranlations - copy: src=debian/99translations dest=/etc/apt/apt.conf.d/99translations + copy: src=debian/99translations dest=/etc/apt/apt.conf.d/99translations mode=0644 # Install common apps for all debian machines - name: Installing common Debian/Ubuntu applications diff --git a/server/tasks/manjaro/all.yml b/server/tasks/manjaro/all.yml index dc2f583..dd80101 100644 --- a/server/tasks/manjaro/all.yml +++ b/server/tasks/manjaro/all.yml @@ -4,7 +4,8 @@ # ------------------------------------------------------------------------------ # Configure /etc/pacman.conf -- lineinfile: path=/etc/pacman.conf regexp='^#Color' line='Color' +- name: Enabling pacman colors + lineinfile: path=/etc/pacman.conf regexp='^#Color' line='Color' # Change the games:x:50: group to staff - name: Ensuring group staff:50 
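Review bot: The new Debian 11 task keys on `ansible_os_family == "Debian"`, but that family also covers Ubuntu, Raspbian, Kali and other derivatives, so any of them that happens to report `ansible_distribution_major_version == "11"` would get its `/etc/apt/sources.list` overwritten with Debian's mirrors and break package management on that host. The Ubuntu task two blocks below already uses the precise test `ansible_distribution == "Ubuntu"`, so the Debian tasks should mirror it: `when: ansible_distribution == "Debian" and ansible_distribution_major_version == "11"`. The same correction applies to the Debian 9 and 10 tasks the hunk touches for `mode=0644`, which is otherwise a welcome change since the copied file would previously have inherited whatever mode the controller's copy carried.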
diff --git a/user/tasks/create.yml b/user/tasks/create.yml index a968525..fe80edc 100644 --- a/user/tasks/create.yml +++ b/user/tasks/create.yml @@ -24,6 +24,11 @@ user_groups: [root] when: user == 'root' +# Home directory, use /home/username if undefined +# - set_fact: +# home: "/home/{{ user }}" +# when: (home is undefined or home == "") + # ------------------------------------------------------------------------------ - include_tasks: debug.yml @@ -39,6 +44,7 @@ user_groups: "" add_groups: "" ssh_info: "" + home: "" add_sudo: no create: yes ssh_keys: no diff --git a/user/tasks/debian.yml b/user/tasks/debian.yml index 15206d1..ce35b63 100644 --- a/user/tasks/debian.yml +++ b/user/tasks/debian.yml @@ -1,4 +1,9 @@ --- +- name: Check if ~/.bashrc exists + stat: + path: '{{ "~" + user | expanduser }}/.bashrc' + register: bashrc + # Comment out ~/.bashrc HIST stuff # So it obeys /etc/profile.d/bash_history.sh instead - name: Commenting out ~/.bashrc HIST stuff @@ -6,14 +11,21 @@ path: '{{ "~" + user | expanduser }}/.bashrc' regexp: '^HISTCONTROL=ignoreboth' line: '# HISTCONTROL=ignoreboth' -- lineinfile: + when: bashrc.stat.exists == true + +- name: Commenting out ~/.bashrc HIST stuff + lineinfile: path: '{{ "~" + user | expanduser }}/.bashrc' regexp: '^HISTSIZE=1000' line: '# HISTSIZE=1000' -- lineinfile: + when: bashrc.stat.exists == true + +- name: Commenting out ~/.bashrc HIST stuff + lineinfile: path: '{{ "~" + user | expanduser }}/.bashrc' regexp: '^HISTFILESIZE=2000' line: '# HISTFILESIZE=2000' + when: bashrc.stat.exists == true # Debian has these by default in ~/.bashrc #HISTCONTROL=ignoreboth diff --git a/user/tasks/debug.yml b/user/tasks/debug.yml index f97673d..e841568 100644 --- a/user/tasks/debug.yml +++ b/user/tasks/debug.yml @@ -7,4 +7,5 @@ - "ID: {{ users[user]['id'] }}" - "GID: {{ users[user]['gid'] }}" - "Groups: {{ user_groups }}" + - "Home: {{ home }}" #- "Password: {{ users[user]['password'] }}" 
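Review bot: The three `lineinfile` tasks in debian.yml now all carry `when: bashrc.stat.exists == true`; comparing a boolean to `true` is redundant and the idiomatic `when: bashrc.stat.exists` avoids the string-vs-boolean surprises `== true` can run into. They also now share the identical name "Commenting out ~/.bashrc HIST stuff", so a run log cannot tell which setting changed; either give them distinct names or collapse them into one task that loops over `HISTCONTROL=ignoreboth`, `HISTSIZE=1000` and `HISTFILESIZE=2000` with `regexp: '^{{ item }}'` and `line: '# {{ item }}'`. Note also that the new `stat` task copies the existing path expression `'{{ "~" + user | expanduser }}/.bashrc'`, in which Jinja's `|` binds tighter than `+`, so `expanduser` is applied to the bare username and the leading `~` appears to be resolved only by the module's own `path` handling on the remote host; `'~{{ user }}/.bashrc'` expresses that intent without the misleading filter.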
diff --git a/user/tasks/user.yml b/user/tasks/user.yml index c36961e..84161e8 100644 --- a/user/tasks/user.yml +++ b/user/tasks/user.yml @@ -15,5 +15,6 @@ groups: '{{ user_groups }}' password: "{{ users[user]['password'] }}" update_password: always + home: "{{ home }}" create_home: "{{ create_home | default('yes') }}" shell: "{{ shell | default('/bin/bash') }}" diff --git a/virt/docker/tasks/main.yml b/virt/docker/tasks/main.yml index 62a381d..8654add 100644 --- a/virt/docker/tasks/main.yml +++ b/virt/docker/tasks/main.yml @@ -9,11 +9,20 @@ - gnupg2 - software-properties-common -- name: Addding Docker apt repository key +- name: Addding Debian Docker apt repository key apt_key: url='https://download.docker.com/linux/debian/gpg' state=present -- name: Adding Docker apt repository sources +- name: Adding Debian 9 Docker apt repository sources apt_repository: repo='deb [arch=amd64] https://download.docker.com/linux/debian stretch stable' state=present + when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9" + +- name: Adding Debian 10 Docker apt repository sources + apt_repository: repo='deb [arch=amd64] https://download.docker.com/linux/debian buster stable' state=present + when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10" + +- name: Adding Debian 11 Docker apt repository sources + apt_repository: repo='deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable' state=present + when: ansible_os_family == "Debian" and ansible_distribution_major_version == "11" - name: Installing Docker apt: @@ -21,4 +30,6 @@ state: present name: - docker-ce + - docker-ce-cli + - containerd.io - docker-compose diff --git a/virt/opennebula-6.2-controller/files/originals/oned.conf b/virt/opennebula-6.2-controller/files/originals/oned.conf new file mode 100644 index 0000000..3c919ea --- /dev/null +++ b/virt/opennebula-6.2-controller/files/originals/oned.conf 
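Review bot: `home: "{{ home }}"` is now passed to the `user` module unconditionally, and the defaults added in create.yml set `home` to the empty string while the `set_fact` that would derive `/home/{{ user }}` is left commented out, so every user entry without an explicit `home` reaches the module with `home: ''`. The module only skips `-d` when the value is None, so this is likely to end in `useradd -d ''` (or `usermod -d ''` for an existing user), which useradd rejects as an invalid home directory. `home: "{{ home | default(omit, true) }}"` treats the empty string as unset and omits the parameter, matching the `create_home` / `shell` lines in the same task that already use `default()`. The enclosing `user:` task starts outside the hunk.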
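Review bot: The `apt_key` task, which this hunk keeps and merely renames, imports the Docker signing key into APT's global trusted keyring, so that key becomes trusted for every repository on the host rather than only download.docker.com, and `apt-key` is deprecated on Debian 11 (apt prints a warning on every use). The three new `apt_repository` entries are the place to fix this: store the key under `/etc/apt/keyrings` and bind it to the Docker repository with `signed-by`, as sketched below for the bullseye entry; the stretch and buster entries take the same option. On hosts already provisioned, removing the `apt_key` task does not remove the key from the global keyring, so a one-off `apt_key` with `state: absent` and the key's fingerprint is needed as well.
```yaml
- name: Ensuring /etc/apt/keyrings exists
  file: path=/etc/apt/keyrings state=directory mode=0755

- name: Adding Debian Docker apt repository key
  get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: '0644'

# … unchanged: Debian 9 and 10 repository tasks, with the same signed-by option …

- name: Adding Debian 11 Docker apt repository sources
  apt_repository:
    repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bullseye stable'
    state: present
  when: ansible_os_family == "Debian" and ansible_distribution_major_version == "11"
```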
@@ -0,0 +1,1461 @@ +#******************************************************************************* +# OpenNebula Configuration file +#******************************************************************************* + +#******************************************************************************* +# Daemon configuration attributes +#------------------------------------------------------------------------------- +# MANAGER_TIMER: Time in seconds the core uses to evaluate periodical functions. +# MONITORING_INTERVALS cannot have a smaller value than MANAGER_TIMER. +# +# MONITORING_INTERVAL_MARKET: Time in seconds between market monitorization. +# MONITORING_INTERVAL_DATASTORE: Time in seconds between image monitorization. +# MONITORING_INTERVAL_DB_UPDATE: Time in seconds between DB writes of VM +# monitoring information. -1 to disable DB updating and 0 to write every update +# +# DS_MONITOR_VM_DISK: Number of MONIROTING_INTERVAL_DATASTORE intervals to monitor +# VM disks. 0 to disable. Only applies to fs and fs_lvm datastores +# +# SCRIPTS_REMOTE_DIR: Remote path to store the monitoring and VM management +# scripts. +# +# DB: Configuration attributes for the database backend +# backend : can be sqlite or mysql (default is sqlite) +# server : (mysql) host name or an IP address for the MySQL server +# port : (mysql) port for the connection to the server. +# If set to 0, the default port is used. +# user : (mysql) user's MySQL login ID +# passwd : (mysql) the password for user +# db_name : (mysql) the database name +# connections: (mysql) number of max. connections to mysql server +# compare_binary: (mysql) compare strings using BINARY clause +# makes name searches case sensitive. 
+# encoding: charset to use for the db connections +# timeout : (sqlite) timeout in ms for acquiring lock to DB, +# should be at least 100 ms +# errors_limit : number of consecutive DB errors to stop oned node in HA +# default 25, use -1 to disable this feature +# +# VNC_PORTS: VNC port pool for automatic VNC port assignment, if possible the +# port will be set to ``START`` + ``VMID`` +# start : first port to assign +# reserved: comma separated list of ports or ranges. Two numbers separated by +# a colon indicate a range. +# +# LOG: Configuration for the logging system +# system: defines the logging system: +# file to log in the oned.log file +# syslog to use the syslog facilities +# std to use the default log stream (stderr) to use with systemd +# debug_level: 0 = ERROR, 1 = WARNING, 2 = INFO, 3 = DEBUG +# +#******************************************************************************* + +LOG = [ + SYSTEM = "file", + DEBUG_LEVEL = 3 +] + +#MANAGER_TIMER = 15 + +MONITORING_INTERVAL_DATASTORE = 300 +MONITORING_INTERVAL_MARKET = 600 +MONITORING_INTERVAL_DB_UPDATE = 0 + +#DS_MONITOR_VM_DISK = 10 + +SCRIPTS_REMOTE_DIR=/var/tmp/one + +DB = [ BACKEND = "sqlite", + TIMEOUT = 2500 ] + +# Sample configuration for MySQL +# DB = [ BACKEND = "mysql", +# SERVER = "localhost", +# PORT = 0, +# USER = "oneadmin", +# PASSWD = "oneadmin", +# DB_NAME = "opennebula", +# CONNECTIONS = 25, +# COMPARE_BINARY = "no" ] + +VNC_PORTS = [ + START = 5900, + RESERVED = "32768:65536" + # RESERVED = "6800, 6801, 6810:6820, 9869" +] + +#******************************************************************************* +# Server network and connection +#------------------------------------------------------------------------------- +# PORT: Port where oned will listen for xmlrpc calls. +# +# LISTEN_ADDRESS: Host IP to listen on for xmlrpc calls (default: all IPs). +# +# HOSTNAME: This Hostname is used by OpenNebula daemon to connect to the +# frontend during drivers operations. 
If this variable is not set, OpenNebula +# will auto detect it. It can be in FQDN format, hostname or an IP + +PORT = 2633 + +LISTEN_ADDRESS = "0.0.0.0" + +# HOSTNAME = "one-hostname" + +#******************************************************************************* +# API configuration attributes +#------------------------------------------------------------------------------- +# VM_SUBMIT_ON_HOLD: Forces VMs to be created on hold state instead of pending. +# Values: YES or NO. +# API_LIST_ORDER: Sets order (by ID) of elements in list API calls. +# Values: ASC (ascending order) or DESC (descending order) +#******************************************************************************* +# +#API_LIST_ORDER = "DESC" +#VM_SUBMIT_ON_HOLD = "NO" + +#******************************************************************************* +# Federation & HA configuration attributes +#------------------------------------------------------------------------------- +# Control the federation capabilities of oned. Operation in a federated setup +# requires a special DB configuration. +# +# FEDERATION: Federation attributes +# MODE: Operation mode of this oned. +# STANDALONE no federated.This is the default operational mode +# MASTER this oned is the master zone of the federation +# SLAVE this oned is a slave zone +# ZONE_ID: The zone ID as returned by onezone command +# SERVER_ID: ID identifying this server in the zone as returned by the +# onezone server-add command. This ID controls the HA configuration of +# OpenNebula: +# -1 (default) OpenNebula will operate in "solo" mode no HA +# Operate in HA (leader election and state replication) +# MASTER_ONED: The xml-rpc endpoint of the master oned, e.g. +# http://master.one.org:2633/RPC2 +# +# +# RAFT: Algorithm attributes +# LIMIT_PURGE: Number of logs that will be deleted on each purge. +# LOG_RETENTION: Number of DB log records kept, it determines the +# synchronization window across servers and extra storage space needed. 
+# LOG_PURGE_TIMEOUT: How often applied records are purged according the log +# retention value. (in seconds) +# ELECTION_TIMEOUT_MS: Timeout to start a election process if no heartbeat +# or log is received from leader. +# BROADCAST_TIMEOUT_MS: How often heartbeats are sent to followers. +# XMLRPC_TIMEOUT_MS: To timeout raft related API calls. To set an infinite +# timeout set this value to 0. +# +# RAFT_LEADER_HOOK: Executed when a server transits from follower->leader +# The purpose of this hook is to configure the Virtual IP. +# COMMAND: raft/vip.sh is a fully working script, this should not be changed +# ARGUMENTS: and must be replaced. For example +# ARGUMENTS = "leader ens1 10.0.0.2/24" +# +# RAFT_FOLLOWER_HOOK: Executed when a server transits from leader->follower +# The purpose of this hook is to configure the Virtual IP. +# COMMAND: raft/vip.sh is a fully working script, this should not be changed +# ARGUMENTS: and must be replaced. For example +# ARGUMENTS = "follower ens1 10.0.0.2/24" +# +# NOTE: Timeout tunning depends on the latency of the servers (network and load) +# as well as the max downtime tolerated by the system. 
Timeouts needs to be +# greater than 10ms +# +#******************************************************************************* + +FEDERATION = [ + MODE = "STANDALONE", + ZONE_ID = 0, + SERVER_ID = -1, + MASTER_ONED = "" +] + +RAFT = [ + LIMIT_PURGE = 100000, + LOG_RETENTION = 250000, + LOG_PURGE_TIMEOUT = 60, + ELECTION_TIMEOUT_MS = 5000, + BROADCAST_TIMEOUT_MS = 500, + XMLRPC_TIMEOUT_MS = 1000 +] + +# Executed when a server transits from follower->leader +# RAFT_LEADER_HOOK = [ +# COMMAND = "raft/vip.sh", +# ARGUMENTS = "leader interface ip_cidr [interface ip_cidr ...]" +# ] + +# Executed when a server transits from leader->follower +# RAFT_FOLLOWER_HOOK = [ +# COMMAND = "raft/vip.sh", +# ARGUMENTS = "follower interface ip_cidr [interface ip_cidr ...]" +# ] + +#******************************************************************************* +# Default showback cost +#------------------------------------------------------------------------------- +# The following attributes define the default cost for Virtual Machines that +# don't have a CPU, MEMORY or DISK cost. This is used by the oneshowback +# calculate method. +#******************************************************************************* + +DEFAULT_COST = [ + CPU_COST = 0, + MEMORY_COST = 0, + DISK_COST = 0 +] + +# Should showback calculation count only running VMs. +# If 'no' showback will inlcude also reserved CPU and MEMORY, e.g. 
VM states +# POWEROFF or SUSPENDED +SHOWBACK_ONLY_RUNNING = "no" + +#******************************************************************************* +# XML-RPC server configuration +#------------------------------------------------------------------------------- +# These are configuration parameters for oned's xmlrpc-c server +# +# MAX_CONN: Maximum number of simultaneous TCP connections the server +# will maintain +# +# MAX_CONN_BACKLOG: Maximum number of TCP connections the operating system +# will accept on the server's behalf without the server accepting them from +# the operating system +# +# KEEPALIVE_TIMEOUT: Maximum time in seconds that the server allows a +# connection to be open between RPCs +# +# KEEPALIVE_MAX_CONN: Maximum number of RPCs that the server will execute on +# a single connection +# +# TIMEOUT: Maximum time in seconds the server will wait for the client to +# do anything while processing an RPC. This timeout will be also used when +# proxy calls to the master in a federation. +# +# RPC_LOG: Create a separated log file for xml-rpc requests, in +# "/var/log/one/one_xmlrpc.log". +# +# MESSAGE_SIZE: Buffer size in bytes for XML-RPC responses. +# +# LOG_CALL_FORMAT: Format string to log XML-RPC calls. Interpreted strings: +# %i -- request id +# %m -- method name +# %u -- user id +# %U -- user name +# %l[number] -- param list and number of characters (optional) to print +# each parameter, default is 20. 
Example: %l300 +# %p -- user password +# %g -- group id +# %G -- group name +# %a -- auth token +# %A -- client IP address (only IPv4 supported) +# %P -- client TCP port +# %% -- % +#******************************************************************************* + +#MAX_CONN = 15 +#MAX_CONN_BACKLOG = 15 +#KEEPALIVE_TIMEOUT = 15 +#KEEPALIVE_MAX_CONN = 30 +#TIMEOUT = 15 +#RPC_LOG = NO +#MESSAGE_SIZE = 1073741824 +#LOG_CALL_FORMAT = "Req:%i UID:%u IP:%A %m invoked %l20" + +#******************************************************************************* +# Physical Networks configuration +#******************************************************************************* +# NETWORK_SIZE: Here you can define the default size for the virtual networks +# +# MAC_PREFIX: Default MAC prefix to be used to create the auto-generated MAC +# addresses is defined here (this can be overwritten by the Virtual Network +# template) +# +# VLAN_IDS: VLAN ID pool for the automatic VLAN_ID assignment. This pool +# is for 802.1Q networks (Open vSwitch and 802.1Q drivers). The driver +# will try first to allocate VLAN_IDS[START] + VNET_ID +# start: First VLAN_ID to use +# reserved: Comma separated list of VLAN_IDs or ranges. Two numbers +# separated by a colon indicate a range. +# +# VXLAN_IDS: Automatic VXLAN Network ID (VNI) assignment. This is used +# for vxlan networks. +# start: First VNI to use +# NOTE: reserved is not supported by this pool +# +# PCI_PASSTHROUGH_BUS: Default bus to attach passthrough devices in the guest, +# in hex notation. It may be overwritten in the PCI device using the BUS +# attribute. 
+#******************************************************************************* + +NETWORK_SIZE = 254 + +MAC_PREFIX = "02:00" + +VLAN_IDS = [ + START = "2", + RESERVED = "0, 1, 4095" +] + +VXLAN_IDS = [ + START = "2" +] + +#PCI_PASSTHROUGH_BUS = "0x01" + +#******************************************************************************* +# DataStore Configuration +#******************************************************************************* +# DATASTORE_LOCATION: Path for Datastores. It IS the same for all the hosts +# and front-end. It defaults to /var/lib/one/datastores (in self-contained mode +# defaults to $ONE_LOCATION/var/datastores). Each datastore has its own +# directory (called BASE_PATH) in the form: $DATASTORE_LOCATION/ +# You can symlink this directory to any other path if needed. BASE_PATH is +# generated from this attribute each time oned is started. +# +# DATASTORE_CAPACITY_CHECK: Checks that there is enough capacity before +# creating a new image. Defaults to Yes +# +# DEFAULT_IMAGE_TYPE: This can take values +# OS Image file holding an operating system +# CDROM Image file holding a CDROM +# DATABLOCK Image file holding a datablock, created as an empty block +# +# DEFAULT_DEVICE_PREFIX: This can be set to +# hd IDE prefix +# sd SCSI +# vd KVM virtual disk +# +# DEFAULT_CDROM_DEVICE_PREFIX: Same as above but for CDROM devices. +# +# DEFAULT_IMAGE_PERSISTENT: Control the default value for the PERSISTENT +# attribute on image creation (oneimage clone, onevm disk-saveas). If blank +# images will inherit the persistent attribute from the base image. +# +# DEFAULT_IMAGE_PERSISTENT_NEW: Control the default value for the PERSISTENT +# attribute on image creation (oneimage create). By default images are no +# persistent if not set. 
+#******************************************************************************* + +#DATASTORE_LOCATION = /var/lib/one/datastores + +DATASTORE_CAPACITY_CHECK = "yes" + +DEFAULT_DEVICE_PREFIX = "sd" +DEFAULT_CDROM_DEVICE_PREFIX = "hd" + +DEFAULT_IMAGE_TYPE = "OS" +#DEFAULT_IMAGE_PERSISTENT = "" +#DEFAULT_IMAGE_PERSISTENT_NEW = "" + +#******************************************************************************* +# Monitor Daemon +#******************************************************************************* +# Monitor daemon, specific monitor drivers can be added in the monitord +# configuration file (monitord.conf) +# +# name : OpenNebula name for the daemon +# +# executable : path of the information driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# +# arguments : for the monitor daemon +# -c : configuration file (monitord.conf by default) +# +# threads : number of threads used to process messages from monitor daemon +#******************************************************************************* +IM_MAD = [ + NAME = "monitord", + EXECUTABLE = "onemonitord", + ARGUMENTS = "-c monitord.conf", + THREADS = 8 ] + +#******************************************************************************* +# Virtualization Driver Configuration +#******************************************************************************* +# You can add more virtualization managers with different configurations but +# make sure it has different names. 
+# +# name : name of the virtual machine manager driver +# +# executable: path of the virtualization driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# +# arguments : for the driver executable +# +# default : default values and configuration parameters for the driver, can +# be an absolute path or relative to $ONE_LOCATION/etc (or +# /etc/one/ if OpenNebula was installed in /) +# +# type : driver type, supported drivers: xen, kvm, xml +# +# keep_snapshots: do not remove snapshots on power on/off cycles and live +# migrations if the hypervisor supports that. +# +# live_resize: [yes|no] Hypervisor supports hotplug VCPU and memory +# +# support_shareable: [yes|no] Hypervisor supports shareable disks +# +# imported_vms_actions : comma-separated list of actions supported +# for imported vms. The available actions are: +# migrate +# live-migrate +# terminate +# terminate-hard +# undeploy +# undeploy-hard +# hold +# release +# stop +# suspend +# resume +# delete +# delete-recreate +# reboot +# reboot-hard +# resched +# unresched +# poweroff +# poweroff-hard +# disk-attach +# disk-detach +# nic-attach +# nic-detach +# disk-snapshot-create +# disk-snapshot-delete +# disk-snapshot-rename +# disk-snapshot-revert +# disk-resize +# disk-saveas +# resize +# update +# updateconf +# snapshot-create +# snapshot-delete +# snapshot-revert +# recover +# retry +#******************************************************************************* + +#------------------------------------------------------------------------------- +# KVM Virtualization Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -l actions executed locally, command can be +# overridden for each action. 
+# Valid actions: deploy, shutdown, cancel, save, restore, migrate, poll +# An example: "-l migrate=migrate_local,save" +# -d comma separated list of actions which forward SSH agent +# from frontend to remote host (default migrate) +# -p more than one action per host in parallel, needs support from hypervisor +# -s to execute remote commands, bash by default +# -w Timeout in seconds to execute external commands (default unlimited) +# +# Note: You can use type = "qemu" to use qemu emulated guests, e.g. if your +# CPU does not have virtualization extensions or use nested Qemu-KVM hosts +#------------------------------------------------------------------------------- +VM_MAD = [ + NAME = "kvm", + SUNSTONE_NAME = "KVM", + EXECUTABLE = "one_vmm_exec", + ARGUMENTS = "-t 15 -r 0 kvm", + DEFAULT = "vmm_exec/vmm_exec_kvm.conf", + TYPE = "kvm", + KEEP_SNAPSHOTS = "yes", + LIVE_RESIZE = "yes", + SUPPORT_SHAREABLE = "yes", + IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, hold, release, suspend, + resume, delete, reboot, reboot-hard, resched, unresched, disk-attach, + disk-detach, nic-attach, nic-detach, snapshot-create, snapshot-delete, + resize, updateconf, update" +] + +# This variant should be used for nested virtualization +VM_MAD = [ + NAME = "qemu", + SUNSTONE_NAME = "QEMU", + EXECUTABLE = "one_vmm_exec", + ARGUMENTS = "-t 15 -r 0 kvm", + DEFAULT = "vmm_exec/vmm_exec_kvm.conf", + TYPE = "qemu", + KEEP_SNAPSHOTS = "yes", + LIVE_RESIZE = "yes", + SUPPORT_SHAREABLE = "yes", + IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, hold, release, suspend, + resume, delete, reboot, reboot-hard, resched, unresched, disk-attach, + disk-detach, nic-attach, nic-detach, snapshot-create, snapshot-delete, + resize, updateconf, update" +] +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# LXD Virtualization Driver Manager Configuration +# -r number of retries when 
monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -l actions executed locally, command can be +# overridden for each action. +# Valid actions: deploy, shutdown, cancel, save, restore, migrate, poll +# An example: "-l migrate=migrate_local,save" +# -d comma separated list of actions which forward SSH agent +# from frontend to remote host (default migrate) +# -p more than one action per host in parallel, needs support from hypervisor +# -s to execute remote commands, bash by default +# -w Timeout in seconds to execute external commands (default unlimited) +# +#------------------------------------------------------------------------------- +VM_MAD = [ + NAME = "lxd", + SUNSTONE_NAME = "LXD", + EXECUTABLE = "one_vmm_exec", + ARGUMENTS = "-t 15 -r 0 lxd", + # DEFAULT = "vmm_exec/vmm_exec_lxd.conf", + TYPE = "xml", + KEEP_SNAPSHOTS = "no", + IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, reboot, reboot-hard, + poweroff, poweroff-hard, suspend, resume, stop, delete, nic-attach, + nic-detach, resize, updateconf, update" +] + +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# LXC Virtualization Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -l actions executed locally, command can be +# overridden for each action. 
+# Valid actions: deploy, shutdown, cancel, save, restore, migrate, poll +# An example: "-l migrate=migrate_local,save" +# -d comma separated list of actions which forward SSH agent +# from frontend to remote host (default migrate) +# -p more than one action per host in parallel, needs support from hypervisor +# -s to execute remote commands, bash by default +# -w Timeout in seconds to execute external commands (default unlimited) +# +#------------------------------------------------------------------------------- +VM_MAD = [ + NAME = "lxc", + SUNSTONE_NAME = "LXC", + EXECUTABLE = "one_vmm_exec", + ARGUMENTS = "-t 15 -r 0 lxc", + # DEFAULT = "vmm_exec/vmm_exec_lxc.conf", + TYPE = "xml", + KEEP_SNAPSHOTS = "no", + IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, reboot, reboot-hard, + poweroff, poweroff-hard, suspend, resume, stop, delete, nic-attach, + nic-detach, resize, updateconf, update" +] + +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# Firecracker Virtualization Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -l actions executed locally, command can be +# overridden for each action. 
+# Valid actions: deploy, shutdown, cancel, save, restore, migrate, poll +# An example: "-l migrate=migrate_local,save" +# -d comma separated list of actions which forward SSH agent +# from frontend to remote host (default migrate) +# -p more than one action per host in parallel, needs support from hypervisor +# -s to execute remote commands, bash by default +# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +VM_MAD = [ + NAME = "firecracker", + SUNSTONE_NAME = "Firecracker", + EXECUTABLE = "one_vmm_exec", + ARGUMENTS = "-t 15 -r 0 firecracker", + TYPE = "xml", + KEEP_SNAPSHOTS = "no" +] + +#------------------------------------------------------------------------------- + +#------------------------------------------------------------------------------- +# vCenter Virtualization Driver Manager Configuration +# -r number of retries when monitoring a host +# -t number of threads, i.e. number of hosts monitored at the same time +# -p more than one action per host in parallel, needs support from hypervisor +# -s to execute commands, bash by default +# -w Timeout in seconds to execute external commands (default unlimited) +#------------------------------------------------------------------------------- +VM_MAD = [ + NAME = "vcenter", + SUNSTONE_NAME = "VMWare vCenter", + EXECUTABLE = "one_vmm_sh", + ARGUMENTS = "-p -t 15 -r 0 -s sh vcenter", + TYPE = "xml", + KEEP_SNAPSHOTS = "yes", + DS_LIVE_MIGRATION = "yes", + COLD_NIC_ATTACH = "yes", + LIVE_RESIZE = "yes", + IMPORTED_VMS_ACTIONS = "terminate, terminate-hard, hold, release, suspend, + resume, delete, reboot, reboot-hard, resched, unresched, poweroff, + poweroff-hard, disk-attach, disk-detach, nic-attach, nic-detach, + snapshot-create, snapshot-delete, migrate, live-migrate, + resize, updateconf, update" +] +#------------------------------------------------------------------------------- + 
+#------------------------------------------------------------------------------- +# Dummy Virtualization Driver Configuration +#------------------------------------------------------------------------------- +#VM_MAD = [ NAME="dummy", SUNSTONE_NAME="Testing", EXECUTABLE="one_vmm_dummy", +# TYPE="xml" ] +#------------------------------------------------------------------------------- + +#******************************************************************************* +# Transfer Manager Driver Configuration +#******************************************************************************* +# You can add more transfer managers with different configurations but make +# sure it has different names. +# name : name for this transfer driver +# +# executable: path of the transfer driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# arguments : +# -t: number of threads, i.e. number of transfers made at the same time +# -d: list of transfer drivers separated by commas, if not defined all the +# drivers available will be enabled +# -w: Timeout in seconds to execute external commands (default unlimited) +#******************************************************************************* + +TM_MAD = [ + EXECUTABLE = "one_tm", + ARGUMENTS = "-t 15 -d dummy,lvm,shared,fs_lvm,fs_lvm_ssh,qcow2,ssh,ceph,dev,vcenter,iscsi_libvirt" +] + +#******************************************************************************* +# Datastore Driver Configuration +#******************************************************************************* +# Drivers to manage the datastores, specialized for the storage backend +# executable: path of the transfer driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# +# arguments : for the driver executable +# -t number of threads, i.e. 
number of repo operations at the same time +# -d datastore mads separated by commas +# -s system datastore tm drivers, used to monitor shared system ds. +# -w Timeout in seconds to execute external commands (default unlimited) +#******************************************************************************* + +DATASTORE_MAD = [ + EXECUTABLE = "one_datastore", + ARGUMENTS = "-t 15 -d dummy,fs,lvm,ceph,dev,iscsi_libvirt,vcenter -s shared,ssh,ceph,fs_lvm,fs_lvm_ssh,qcow2,vcenter" +] + +#******************************************************************************* +# Marketplace Driver Configuration +#******************************************************************************* +# Drivers to manage different marketplaces, specialized for the storage backend +# executable: path of the transfer driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# +# arguments : for the driver executable +# -t number of threads, i.e. number of repo operations at the same time +# -m marketplace mads separated by commas +# --proxy proxy address if required to access the internet +# -w Timeout in seconds to execute external commands (default unlimited) +#******************************************************************************* + +MARKET_MAD = [ + EXECUTABLE = "one_market", + ARGUMENTS = "-t 15 -m http,s3,one,linuxcontainers,turnkeylinux,dockerhub,docker_registry" +] + +#******************************************************************************* +# IPAM Driver Configuration +#******************************************************************************* +# Drivers to manage different IPAMs +# executable: path of the IPAM driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# +# arguments : for the driver executable +# -t number of threads, i.e. 
number of operations at the same time +# -i IPAM mads separated by commas +#******************************************************************************* + +IPAM_MAD = [ + EXECUTABLE = "one_ipam", + ARGUMENTS = "-t 1 -i dummy,aws,equinix,vultr" +] + +#******************************************************************************* +# Hook Manager Configuration +#******************************************************************************* +# The Driver (HM_MAD) +# ----------------------------------------------- +# +# Used to execute the Hooks: +# executable: path of the hook driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# +# arguments : for the driver executable, can be an absolute path or relative +# to $ONE_LOCATION/etc (or /etc/one/ if OpenNebula was installed +# in /) +# + +HM_MAD = [ + EXECUTABLE = "one_hm", + ARGUMENTS = "-p 2101 -l 2102 -b 127.0.0.1"] + +#******************************************************************************* +# Hook Log Configuration +#******************************************************************************* +# +# LOG_RETENTION: Number of execution records saved in the database for each hook. +# + +HOOK_LOG_CONF = [ + LOG_RETENTION = 20 ] + +#******************************************************************************* +# Auth Manager Configuration +#******************************************************************************* +# AUTH_MAD: The Driver that will be used to authenticate (authn) and +# authorize (authz) OpenNebula requests. If defined OpenNebula will use the +# built-in auth policies. 
+# +# executable: path of the auth driver executable, can be an +# absolute path or relative to $ONE_LOCATION/lib/mads (or +# /usr/lib/one/mads/ if OpenNebula was installed in /) +# +# authn : list of authentication modules separated by commas, if not +# defined all the modules available will be enabled +# authz : list of authentication modules separated by commas +# +# DEFAULT_AUTH: The default authentication driver to use when OpenNebula does +# not know the user and needs to authenticate it externally. If you want to +# use "default" (not recommended, but supported for backwards compatibility +# reasons) make sure you create a symlink pointing to the actual authentication +# driver in /var/lib/one/remotes/auth, and add "default" to the 'auth' +# parameter in the 'AUTH_MAD' section. +# +# SESSION_EXPIRATION_TIME: Time in seconds to keep an authenticated token as +# valid. During this time, the driver is not used. Use 0 to disable session +# caching +# +# ENABLE_OTHER_PERMISSIONS: Whether or not users can set the permissions for +# 'other', so publishing or sharing resources with others. Users in the oneadmin +# group will still be able to change these permissions. Values: YES or NO. +# +# DEFAULT_UMASK: Similar to Unix umask, sets the default resources permissions. +# Its format must be 3 octal digits. For example a umask of 137 will set +# the new object's permissions to 640 "um- u-- ---" +#******************************************************************************* + +AUTH_MAD = [ + EXECUTABLE = "one_auth_mad", + AUTHN = "ssh,x509,ldap,server_cipher,server_x509" +] + +#DEFAULT_AUTH = "default" + +SESSION_EXPIRATION_TIME = 900 + +#ENABLE_OTHER_PERMISSIONS = "YES" + +DEFAULT_UMASK = 177 + +#******************************************************************************* +# OneGate +# ONEGATE_ENDPOINT: The URL for the onegate server (the Gate to OpenNebula for +# VMs). The onegate server is started using a separate command. 
The endpoint +# MUST be consistent with the values in onegate-server.conf +#******************************************************************************* + +#ONEGATE_ENDPOINT = "http://frontend:5030" + +#******************************************************************************* +# VM Operations Permissions +#****************************************************************************** +# The following parameters define the operations associated to the ADMIN, +# MANAGE and USE permissions. Note that some VM operations require additional +# permissions on other objects. Also some operations refers to a class of +# actions: +# - disk-snapshot, includes create, delete and revert actions +# - disk-attach, includes attach and detach actions +# - nic-attach, includes attach and detach actions +# - snapshot, includes create, delete and revert actions +# - resched, includes resched and unresched actions +#****************************************************************************** + +VM_ADMIN_OPERATIONS = "migrate, delete, recover, retry, deploy, resched" + +VM_MANAGE_OPERATIONS = "undeploy, hold, release, stop, suspend, resume, reboot, + poweroff, disk-attach, nic-attach, disk-snapshot, terminate, disk-resize, + snapshot, updateconf, rename, resize, update, disk-saveas" + +VM_USE_OPERATIONS = "" + +#******************************************************************************* +# Default Permissions for VDC ACL rules +#******************************************************************************* +# Default ACL rules created when resource is added to a VDC. The following +# attributes configures the permissions granted to the VDC group for each +# resource types: +# DEFAULT_VDC_HOST_ACL: permissions granted on hosts added to a VDC. +# DEFAULT_VDC_NET_ACL: permissions granted on vnets added to a VDC. +# DEFAULT_VDC_DATASTORE_ACL: permissions granted on datastores to a VDC. 
+# +# DEFAULT_VDC_CLUSTER_HOST_ACL: permissions granted to cluster hosts when a +# cluster is added to the VDC. +# DEFAULT_VDC_CLUSTER_NET_ACL: permissions granted to cluster vnets when a +# cluster is added to the VDC. +# DEFAULT_VDC_CLUSTER_DATASTORE_ACL: permissions granted to cluster datastores +# when a cluster is added to the VDC. +# +# When defining the permissions you can use "" or "-" to not add any rule to +# that specific resource. Also you can combine several permissions with "+", +# for exampl "MANAGE+USE". Valid permissions are USE, MANAGE or ADMIN. +# +# Example: +# DEFAULT_VDC_HOST_ACL = "MANAGE" +# Adds @ HOST/# MANAGE # when a host is added to the VDC, +# eg. onevdc addhost +# +# DEFAULT_VDC_VNET_ACL = "USE" +# Adds @ NET/# USE # when a vnet is added to the VDC, +# eg. onevdc addvnet +# +# DEFAULT_VDC_DATASTORE_ACL = "USE" +# Adds @ DATASTORE/# USE # when a vnet is added to the VDC, +# eg. onevdc adddatastore +# +# DEFAULT_VDC_CLUSTER_HOST_ACL = "MANAGE" +# DEFAULT_VDC_CLUSTER_NET_ACL = "USE" +# DEFAULT_VDC_CLUSTER_DATASTORE_ACL = "USE" +# Adds: +# @ HOST/% MANAGE # +# @ DATASTORE+NET/% USE # +# when a cluster is added to the VDC, e.g. 
onevdc addcluster +#******************************************************************************* + +DEFAULT_VDC_HOST_ACL = "MANAGE" +DEFAULT_VDC_VNET_ACL = "USE" +DEFAULT_VDC_DATASTORE_ACL = "USE" + +DEFAULT_VDC_CLUSTER_HOST_ACL = "MANAGE" +DEFAULT_VDC_CLUSTER_NET_ACL = "USE" +DEFAULT_VDC_CLUSTER_DATASTORE_ACL = "USE" + +#******************************************************************************* +# Restricted Attributes Configuration +#******************************************************************************* +# The following attributes are restricted to users outside the oneadmin group +#******************************************************************************* + +VM_RESTRICTED_ATTR = "CONTEXT/FILES" +VM_RESTRICTED_ATTR = "NIC/MAC" +VM_RESTRICTED_ATTR = "NIC/VLAN_ID" +VM_RESTRICTED_ATTR = "NIC/BRIDGE" +VM_RESTRICTED_ATTR = "NIC/FILTER" +VM_RESTRICTED_ATTR = "NIC/FILTER_IP_SPOOFING" +VM_RESTRICTED_ATTR = "NIC/FILTER_MAC_SPOOFING" +VM_RESTRICTED_ATTR = "NIC/INBOUND_AVG_BW" +VM_RESTRICTED_ATTR = "NIC/INBOUND_PEAK_BW" +VM_RESTRICTED_ATTR = "NIC/INBOUND_PEAK_KB" +VM_RESTRICTED_ATTR = "NIC/OUTBOUND_AVG_BW" +VM_RESTRICTED_ATTR = "NIC/OUTBOUND_PEAK_BW" +VM_RESTRICTED_ATTR = "NIC/OUTBOUND_PEAK_KB" +VM_RESTRICTED_ATTR = "NIC/OPENNEBULA_MANAGED" +VM_RESTRICTED_ATTR = "NIC/VCENTER_INSTANCE_ID" +VM_RESTRICTED_ATTR = "NIC/VCENTER_NET_REF" +VM_RESTRICTED_ATTR = "NIC/VCENTER_PORTGROUP_TYPE" +VM_RESTRICTED_ATTR = "NIC/EXTERNAL" +VM_RESTRICTED_ATTR = "NIC_ALIAS/MAC" +VM_RESTRICTED_ATTR = "NIC_ALIAS/VLAN_ID" +VM_RESTRICTED_ATTR = "NIC_ALIAS/BRIDGE" +VM_RESTRICTED_ATTR = "NIC_ALIAS/INBOUND_AVG_BW" +VM_RESTRICTED_ATTR = "NIC_ALIAS/INBOUND_PEAK_BW" +VM_RESTRICTED_ATTR = "NIC_ALIAS/INBOUND_PEAK_KB" +VM_RESTRICTED_ATTR = "NIC_ALIAS/OUTBOUND_AVG_BW" +VM_RESTRICTED_ATTR = "NIC_ALIAS/OUTBOUND_PEAK_BW" +VM_RESTRICTED_ATTR = "NIC_ALIAS/OUTBOUND_PEAK_KB" +VM_RESTRICTED_ATTR = "NIC_ALIAS/OPENNEBULA_MANAGED" +VM_RESTRICTED_ATTR = "NIC_ALIAS/VCENTER_INSTANCE_ID" 
+VM_RESTRICTED_ATTR = "NIC_ALIAS/VCENTER_NET_REF" +VM_RESTRICTED_ATTR = "NIC_ALIAS/VCENTER_PORTGROUP_TYPE" +VM_RESTRICTED_ATTR = "NIC_DEFAULT/MAC" +VM_RESTRICTED_ATTR = "NIC_DEFAULT/VLAN_ID" +VM_RESTRICTED_ATTR = "NIC_DEFAULT/BRIDGE" +VM_RESTRICTED_ATTR = "NIC_DEFAULT/FILTER" +VM_RESTRICTED_ATTR = "NIC_DEFAULT/EXTERNAL" +VM_RESTRICTED_ATTR = "DISK/TOTAL_BYTES_SEC" +VM_RESTRICTED_ATTR = "DISK/TOTAL_BYTES_SEC_MAX_LENGTH" +VM_RESTRICTED_ATTR = "DISK/TOTAL_BYTES_SEC_MAX" +VM_RESTRICTED_ATTR = "DISK/READ_BYTES_SEC" +VM_RESTRICTED_ATTR = "DISK/READ_BYTES_SEC_MAX_LENGTH" +VM_RESTRICTED_ATTR = "DISK/READ_BYTES_SEC_MAX" +VM_RESTRICTED_ATTR = "DISK/WRITE_BYTES_SEC" +VM_RESTRICTED_ATTR = "DISK/WRITE_BYTES_SEC_MAX_LENGTH" +VM_RESTRICTED_ATTR = "DISK/WRITE_BYTES_SEC_MAX" +VM_RESTRICTED_ATTR = "DISK/TOTAL_IOPS_SEC" +VM_RESTRICTED_ATTR = "DISK/TOTAL_IOPS_SEC_MAX_LENGTH" +VM_RESTRICTED_ATTR = "DISK/TOTAL_IOPS_SEC_MAX" +VM_RESTRICTED_ATTR = "DISK/READ_IOPS_SEC" +VM_RESTRICTED_ATTR = "DISK/READ_IOPS_SEC_MAX_LENGTH" +VM_RESTRICTED_ATTR = "DISK/READ_IOPS_SEC_MAX" +VM_RESTRICTED_ATTR = "DISK/WRITE_IOPS_SEC" +VM_RESTRICTED_ATTR = "DISK/WRITE_IOPS_SEC_MAX_LENGTH" +VM_RESTRICTED_ATTR = "DISK/WRITE_IOPS_SEC_MAX" +VM_RESTRICTED_ATTR = "DISK/SIZE_IOPS_SEC" +VM_RESTRICTED_ATTR = "DISK/OPENNEBULA_MANAGED" +VM_RESTRICTED_ATTR = "DISK/VCENTER_DS_REF" +VM_RESTRICTED_ATTR = "DISK/VCENTER_INSTANCE_ID" +#VM_RESTRICTED_ATTR = "DISK/SIZE" +VM_RESTRICTED_ATTR = "DISK/ORIGINAL_SIZE" +VM_RESTRICTED_ATTR = "DISK/SIZE_PREV" +VM_RESTRICTED_ATTR = "DEPLOY_ID" +VM_RESTRICTED_ATTR = "CPU_COST" +VM_RESTRICTED_ATTR = "MEMORY_COST" +VM_RESTRICTED_ATTR = "DISK_COST" +VM_RESTRICTED_ATTR = "PCI" +VM_RESTRICTED_ATTR = "EMULATOR" +VM_RESTRICTED_ATTR = "RAW" +VM_RESTRICTED_ATTR = "USER_PRIORITY" +VM_RESTRICTED_ATTR = "USER_INPUTS/CPU" +VM_RESTRICTED_ATTR = "USER_INPUTS/MEMORY" +VM_RESTRICTED_ATTR = "USER_INPUTS/VCPU" +VM_RESTRICTED_ATTR = "VCENTER_VM_FOLDER" +VM_RESTRICTED_ATTR = "VCENTER_ESX_HOST" +VM_RESTRICTED_ATTR 
= "TOPOLOGY/PIN_POLICY" +VM_RESTRICTED_ATTR = "TOPOLOGY/HUGEPAGE_SIZE" + +#VM_RESTRICTED_ATTR = "RANK" +#VM_RESTRICTED_ATTR = "SCHED_RANK" +#VM_RESTRICTED_ATTR = "REQUIREMENTS" +#VM_RESTRICTED_ATTR = "SCHED_REQUIREMENTS" + +IMAGE_RESTRICTED_ATTR = "SOURCE" +IMAGE_RESTRICTED_ATTR = "VCENTER_IMPORTED" + +#******************************************************************************* +# The following restricted attributes only apply to VNets that are a reservation. +# Normal VNets do not have restricted attributes. +#******************************************************************************* + +VNET_RESTRICTED_ATTR = "VN_MAD" +VNET_RESTRICTED_ATTR = "PHYDEV" +VNET_RESTRICTED_ATTR = "VLAN_ID" +VNET_RESTRICTED_ATTR = "BRIDGE" +VNET_RESTRICTED_ATTR = "CONF" +VNET_RESTRICTED_ATTR = "BRIDGE_CONF" +VNET_RESTRICTED_ATTR = "OVS_BRIDGE_CONF" +VNET_RESTRICTED_ATTR = "IP_LINK_CONF" +VNET_RESTRICTED_ATTR = "FILTER" +VNET_RESTRICTED_ATTR = "FILTER_IP_SPOOFING" +VNET_RESTRICTED_ATTR = "FILTER_MAC_SPOOFING" + +VNET_RESTRICTED_ATTR = "AR/VN_MAD" +VNET_RESTRICTED_ATTR = "AR/PHYDEV" +VNET_RESTRICTED_ATTR = "AR/VLAN_ID" +VNET_RESTRICTED_ATTR = "AR/BRIDGE" +VNET_RESTRICTED_ATTR = "AR/FILTER" +VNET_RESTRICTED_ATTR = "AR/FILTER_IP_SPOOFING" +VNET_RESTRICTED_ATTR = "AR/FILTER_MAC_SPOOFING" + +VNET_RESTRICTED_ATTR = "CLUSTER_IDS" + +VNET_RESTRICTED_ATTR = "EXTERNAL" + +USER_RESTRICTED_ATTR = "VM_USE_OPERATIONS" +USER_RESTRICTED_ATTR = "VM_MANAGE_OPERATIONS" +USER_RESTRICTED_ATTR = "VM_ADMIN_OPERATIONS" + +GROUP_RESTRICTED_ATTR = "VM_USE_OPERATIONS" +GROUP_RESTRICTED_ATTR = "VM_MANAGE_OPERATIONS" +GROUP_RESTRICTED_ATTR = "VM_ADMIN_OPERATIONS" + +#******************************************************************************* +# Encrypted Attributes Configuration +#******************************************************************************* +# The following attributes are encrypted +#******************************************************************************* + +HOST_ENCRYPTED_ATTR 
= "EC2_ACCESS" +HOST_ENCRYPTED_ATTR = "EC2_SECRET" +HOST_ENCRYPTED_ATTR = "AZ_SUB" +HOST_ENCRYPTED_ATTR = "AZ_CLIENT" +HOST_ENCRYPTED_ATTR = "AZ_SECRET" +HOST_ENCRYPTED_ATTR = "AZ_TENANT" +HOST_ENCRYPTED_ATTR = "VCENTER_PASSWORD" +HOST_ENCRYPTED_ATTR = "NSX_PASSWORD" +HOST_ENCRYPTED_ATTR = "ONE_PASSWORD" + +VM_ENCRYPTED_ATTR = "CONTEXT/PASSWORD" + +IMAGE_ENCRYPTED_ATTR = "LUKS_PASSWORD" + +# DDC encrypted attrs +DOCUMENT_ENCRYPTED_ATTR = "PROVISION_BODY" + +#******************************************************************************* +# Inherited Attributes Configuration +#******************************************************************************* +# The following attributes will be copied from the resource template to the +# instantiated VMs. More than one attribute can be defined. +# +# INHERIT_IMAGE_ATTR: Attribute to be copied from the Image template +# to each VM/DISK. +# +# INHERIT_DATASTORE_ATTR: Attribute to be copied from the Datastore template +# to each VM/DISK. +# +# INHERIT_VNET_ATTR: Attribute to be copied from the Network template +# to each VM/NIC. 
+#******************************************************************************* + +#INHERIT_IMAGE_ATTR = "EXAMPLE" +#INHERIT_IMAGE_ATTR = "SECOND_EXAMPLE" +#INHERIT_DATASTORE_ATTR = "COLOR" +#INHERIT_VNET_ATTR = "BANDWIDTH_THROTTLING" + +INHERIT_DATASTORE_ATTR = "CEPH_HOST" +INHERIT_DATASTORE_ATTR = "CEPH_SECRET" +INHERIT_DATASTORE_ATTR = "CEPH_KEY" +INHERIT_DATASTORE_ATTR = "CEPH_USER" +INHERIT_DATASTORE_ATTR = "CEPH_CONF" +INHERIT_DATASTORE_ATTR = "CEPH_TRASH" +INHERIT_DATASTORE_ATTR = "POOL_NAME" + +INHERIT_DATASTORE_ATTR = "ISCSI_USER" +INHERIT_DATASTORE_ATTR = "ISCSI_USAGE" +INHERIT_DATASTORE_ATTR = "ISCSI_HOST" + +INHERIT_IMAGE_ATTR = "ISCSI_USER" +INHERIT_IMAGE_ATTR = "ISCSI_USAGE" +INHERIT_IMAGE_ATTR = "ISCSI_HOST" +INHERIT_IMAGE_ATTR = "ISCSI_IQN" +INHERIT_IMAGE_ATTR = "LUKS_SECRET" + +INHERIT_DATASTORE_ATTR = "GLUSTER_HOST" +INHERIT_DATASTORE_ATTR = "GLUSTER_VOLUME" + +INHERIT_DATASTORE_ATTR = "DISK_TYPE" +INHERIT_DATASTORE_ATTR = "ALLOW_ORPHANS" + +INHERIT_DATASTORE_ATTR = "VCENTER_ADAPTER_TYPE" +INHERIT_DATASTORE_ATTR = "VCENTER_DISK_TYPE" +INHERIT_DATASTORE_ATTR = "VCENTER_DS_REF" +INHERIT_DATASTORE_ATTR = "VCENTER_DS_IMAGE_DIR" +INHERIT_DATASTORE_ATTR = "VCENTER_DS_VOLATILE_DIR" +INHERIT_DATASTORE_ATTR = "VCENTER_INSTANCE_ID" + +INHERIT_IMAGE_ATTR = "DISK_TYPE" +INHERIT_IMAGE_ATTR = "VCENTER_ADAPTER_TYPE" +INHERIT_IMAGE_ATTR = "VCENTER_DISK_TYPE" + +INHERIT_VNET_ATTR = "VLAN_TAGGED_ID" +INHERIT_VNET_ATTR = "FILTER" +INHERIT_VNET_ATTR = "FILTER_IP_SPOOFING" +INHERIT_VNET_ATTR = "FILTER_MAC_SPOOFING" +INHERIT_VNET_ATTR = "MTU" +INHERIT_VNET_ATTR = "METRIC" +INHERIT_VNET_ATTR = "IP6_METRIC" +INHERIT_VNET_ATTR = "METHOD" +INHERIT_VNET_ATTR = "IP6_METHOD" +INHERIT_VNET_ATTR = "INBOUND_AVG_BW" +INHERIT_VNET_ATTR = "INBOUND_PEAK_BW" +INHERIT_VNET_ATTR = "INBOUND_PEAK_KB" +INHERIT_VNET_ATTR = "OUTBOUND_AVG_BW" +INHERIT_VNET_ATTR = "OUTBOUND_PEAK_BW" +INHERIT_VNET_ATTR = "OUTBOUND_PEAK_KB" +INHERIT_VNET_ATTR = "CONF" +INHERIT_VNET_ATTR = "BRIDGE_CONF" 
+INHERIT_VNET_ATTR = "OVS_BRIDGE_CONF" +INHERIT_VNET_ATTR = "IP_LINK_CONF" +INHERIT_VNET_ATTR = "EXTERNAL_IP" +INHERIT_VNET_ATTR = "EXTERNAL" +INHERIT_VNET_ATTR = "AWS_ALLOCATION_ID" +INHERIT_VNET_ATTR = "VULTR_IP_ID" +INHERIT_VNET_ATTR = "GATEWAY" +INHERIT_VNET_ATTR = "VXLAN_MODE" +INHERIT_VNET_ATTR = "VXLAN_TEP" +INHERIT_VNET_ATTR = "VXLAN_MC" + +INHERIT_VNET_ATTR = "VCENTER_NET_REF" +INHERIT_VNET_ATTR = "VCENTER_SWITCH_NAME" +INHERIT_VNET_ATTR = "VCENTER_SWITCH_NPORTS" +INHERIT_VNET_ATTR = "VCENTER_PORTGROUP_TYPE" +INHERIT_VNET_ATTR = "VCENTER_CCR_REF" +INHERIT_VNET_ATTR = "VCENTER_INSTANCE_ID" + +#******************************************************************************* +# Transfer Manager Driver Behavior Configuration +#******************************************************************************* +# The configuration for each driver is defined in TM_MAD_CONF. These +# values are used when creating a new datastore and should not be modified +# since they define the datastore behavior. +# name : name of the transfer driver, listed in the -d option of the +# TM_MAD section +# ln_target : determines how the persistent images will be cloned when +# a new VM is instantiated. +# NONE: The image will be linked and no more storage capacity will be used +# SELF: The image will be cloned in the Images datastore +# SYSTEM: The image will be cloned in the System datastore +# clone_target : determines how the non persistent images will be +# cloned when a new VM is instantiated. +# NONE: The image will be linked and no more storage capacity will be used +# SELF: The image will be cloned in the Images datastore +# SYSTEM: The image will be cloned in the System datastore +# shared : determines if the storage holding the system datastore is shared +# among the different hosts or not. Valid values: "yes" or "no" +# ds_migrate : The driver allows migrations across datastores. Valid values: +# "yes" or "no". Note: THIS ONLY APPLIES TO SYSTEM DS. 
+# allow_orphans: Snapshots can live without parents. Suported values: +# YES: Children can be orphan (no parent snapshot) +# |- snap_1 +# |- snap_2 +# |- snap_3 +# NO: New snapshots are set active and child of the previous one +# |- snap_1 +# |- snap_2 +# |- snap_3 +# MIXED: Snapshots are children of last snapshot reverted to +# |- snap_1 (<--- revert) +# |- snap_3 +# |- snap_4 +# |- snap_2 +#******************************************************************************* + +TM_MAD_CONF = [ + NAME = "dummy", LN_TARGET = "NONE", CLONE_TARGET = "SYSTEM", SHARED = "YES", + DS_MIGRATE = "YES" +] + +TM_MAD_CONF = [ + NAME = "lvm", LN_TARGET = "NONE", CLONE_TARGET = "SELF", SHARED = "YES", + DRIVER = "raw" +] + +TM_MAD_CONF = [ + NAME = "shared", LN_TARGET = "NONE", CLONE_TARGET = "SYSTEM", SHARED = "YES", + DS_MIGRATE = "YES", TM_MAD_SYSTEM = "ssh", LN_TARGET_SSH = "SYSTEM", + CLONE_TARGET_SSH = "SYSTEM", DISK_TYPE_SSH = "FILE" +] + +TM_MAD_CONF = [ + NAME = "fs_lvm", LN_TARGET = "SYSTEM", CLONE_TARGET = "SYSTEM", SHARED="YES", + DRIVER = "raw" +] + +TM_MAD_CONF = [ + NAME = "fs_lvm_ssh", LN_TARGET = "SYSTEM", CLONE_TARGET = "SYSTEM", SHARED="YES", + DRIVER = "raw" +] + +TM_MAD_CONF = [ + NAME = "qcow2", LN_TARGET = "NONE", CLONE_TARGET = "SYSTEM", SHARED = "YES", + DS_MIGRATE = "YES", TM_MAD_SYSTEM = "ssh", LN_TARGET_SSH = "SYSTEM", + CLONE_TARGET_SSH = "SYSTEM", DISK_TYPE_SSH = "FILE", DRIVER = "qcow2", + ALLOW_ORPHANS="FORMAT" +] + +TM_MAD_CONF = [ + NAME = "ssh", LN_TARGET = "SYSTEM", CLONE_TARGET = "SYSTEM", SHARED = "NO", + DS_MIGRATE = "YES", ALLOW_ORPHANS="YES" +] + +TM_MAD_CONF = [ + NAME = "ceph", LN_TARGET = "NONE", CLONE_TARGET = "SELF", SHARED = "YES", + DS_MIGRATE = "NO", DRIVER = "raw", ALLOW_ORPHANS="mixed", + TM_MAD_SYSTEM = "ssh,shared", LN_TARGET_SSH = "SYSTEM", CLONE_TARGET_SSH = "SYSTEM", + DISK_TYPE_SSH = "FILE", LN_TARGET_SHARED = "NONE", + CLONE_TARGET_SHARED = "SELF", DISK_TYPE_SHARED = "RBD" +] + +TM_MAD_CONF = [ + NAME = "iscsi_libvirt", 
LN_TARGET = "NONE", CLONE_TARGET = "SELF", SHARED = "YES", + DS_MIGRATE = "NO", DRIVER = "raw" +] + +TM_MAD_CONF = [ + NAME = "dev", LN_TARGET = "NONE", CLONE_TARGET = "NONE", SHARED = "YES", + TM_MAD_SYSTEM = "ssh,shared", + LN_TARGET_SSH = "SYSTEM", LN_TARGET_SHARED = "NONE", + DISK_TYPE_SSH = "FILE", DISK_TYPE_SHARED = "FILE", + CLONE_TARGET_SSH = "SYSTEM", CLONE_TARGET_SHARED = "SELF", + DRIVER = "raw" +] + +TM_MAD_CONF = [ + NAME = "vcenter", LN_TARGET = "NONE", CLONE_TARGET = "SYSTEM", SHARED = "YES" +] + +#******************************************************************************* +# Datastore Manager Driver Behavior Configuration +#******************************************************************************* +# The configuration for each driver is defined in DS_MAD_CONF. These +# values are used when creating a new datastore and should not be modified +# since they define the datastore behavior. +# name : name of the transfer driver, listed in the -d option of the +# DS_MAD section +# required_attrs : comma separated list of required attributes in the DS +# template +# persistent_only: specifies whether the datastore can only manage persistent +# images +#******************************************************************************* + +DS_MAD_CONF = [ + NAME = "ceph", + REQUIRED_ATTRS = "DISK_TYPE,BRIDGE_LIST", + PERSISTENT_ONLY = "NO", + MARKETPLACE_ACTIONS = "export" +] + +DS_MAD_CONF = [ + NAME = "dev", REQUIRED_ATTRS = "DISK_TYPE", PERSISTENT_ONLY = "YES" +] + +DS_MAD_CONF = [ + NAME = "iscsi_libvirt", REQUIRED_ATTRS = "DISK_TYPE,ISCSI_HOST", + PERSISTENT_ONLY = "YES" +] + +DS_MAD_CONF = [ + NAME = "dummy", REQUIRED_ATTRS = "", PERSISTENT_ONLY = "NO" +] + +DS_MAD_CONF = [ + NAME = "fs", REQUIRED_ATTRS = "", PERSISTENT_ONLY = "NO", + MARKETPLACE_ACTIONS = "export" +] + +DS_MAD_CONF = [ + NAME = "lvm", REQUIRED_ATTRS = "DISK_TYPE,BRIDGE_LIST", + PERSISTENT_ONLY = "NO" +] + +DS_MAD_CONF = [ + NAME = "vcenter", + REQUIRED_ATTRS = 
"VCENTER_INSTANCE_ID,VCENTER_DS_REF,VCENTER_DC_REF", + PERSISTENT_ONLY = "NO", + MARKETPLACE_ACTIONS = "export" +] + +#******************************************************************************* +# MarketPlace Driver Behavior Configuration +#******************************************************************************* +# The configuration for each driver is defined in MARKET_MAD_CONF. These +# values are used when creating a new marketplaces and should not be modified +# since they define the marketplace behavior. +# name : name of the market driver +# required_attrs : comma separated list of required attributes in the Market +# template +# app_actions: List of actions allowed for a MarketPlaceApp +# - monitor The apps of the marketplace will be monitored +# - create, the app in the marketplace +# - delete, the app from the marketplace +# public: set to yes for external marketplaces. A public marketplace can be +# removed even if it has registered apps. +#******************************************************************************* + +MARKET_MAD_CONF = [ + NAME = "one", + SUNSTONE_NAME = "OpenNebula.org Marketplace", + REQUIRED_ATTRS = "", + APP_ACTIONS = "monitor", + PUBLIC = "yes" +] + +MARKET_MAD_CONF = [ + NAME = "http", + SUNSTONE_NAME = "HTTP server", + REQUIRED_ATTRS = "BASE_URL,PUBLIC_DIR", + APP_ACTIONS = "create, delete, monitor" +] + +MARKET_MAD_CONF = [ + NAME = "s3", + SUNSTONE_NAME = "Amazon S3", + REQUIRED_ATTRS = "ACCESS_KEY_ID,SECRET_ACCESS_KEY,REGION,BUCKET", + APP_ACTIONS = "create, delete, monitor" +] + +MARKET_MAD_CONF = [ + NAME = "linuxcontainers", + SUNSTONE_NAME = "LinuxContainers.org", + REQUIRED_ATTRS = "", + APP_ACTIONS = "monitor", + PUBLIC = "yes" +] + +MARKET_MAD_CONF = [ + NAME = "turnkeylinux", + SUNSTONE_NAME = "TurnkeyLinux", + REQUIRED_ATTRS = "", + APP_ACTIONS = "monitor", + PUBLIC = "yes" +] + +MARKET_MAD_CONF = [ + NAME = "dockerhub", + SUNSTONE_NAME = "DockerHub", + REQUIRED_ATTRS = "", + APP_ACTIONS = "monitor", + 
PUBLIC = "yes" +] + +MARKET_MAD_CONF = [ + NAME = "docker_registry", + SUNSTONE_NAME = "DockerRegistry", + REQUIRED_ATTRS = "BASE_URL", + APP_ACTIONS = "monitor" +] + +#******************************************************************************* +# Authentication Driver Behavior Definition +#******************************************************************************* +# The configuration for each driver is defined in AUTH_MAD_CONF. These +# values must not be modified since they define the driver behavior. +# name : name of the auth driver +# +# password_change : allow the end users to change their own password. Oneadmin +# can still change other user's passwords +# +# driver_managed_groups : allow the driver to set the user's group even after +# user creation. In this case addgroup, delgroup and chgrp +# will be disabled, with the exception of chgrp to one of +# the groups in the list of secondary groups +# +# driver_managed_group_admin : when set to "NO" user needs to manage group +# admin membership manually; when "YES" group admin +# membership is managed by the auth driver +# (see ldap_auth.conf) +# +# max_token_time : limit the maximum token validity, in seconds. 
Use -1 for +# unlimited maximum, 0 to disable login tokens +#******************************************************************************* + +AUTH_MAD_CONF = [ + NAME = "core", + PASSWORD_CHANGE = "YES", + DRIVER_MANAGED_GROUPS = "NO", + DRIVER_MANAGED_GROUP_ADMIN = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "public", + PASSWORD_CHANGE = "NO", + DRIVER_MANAGED_GROUPS = "NO", + DRIVER_MANAGED_GROUP_ADMIN = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "ssh", + PASSWORD_CHANGE = "YES", + DRIVER_MANAGED_GROUPS = "NO", + DRIVER_MANAGED_GROUP_ADMIN = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "x509", + PASSWORD_CHANGE = "NO", + DRIVER_MANAGED_GROUPS = "NO", + DRIVER_MANAGED_GROUP_ADMIN = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "ldap", + PASSWORD_CHANGE = "YES", + DRIVER_MANAGED_GROUPS = "YES", + DRIVER_MANAGED_GROUP_ADMIN = "YES", + MAX_TOKEN_TIME = "86400" +] + +AUTH_MAD_CONF = [ + NAME = "server_cipher", + PASSWORD_CHANGE = "NO", + DRIVER_MANAGED_GROUPS = "NO", + DRIVER_MANAGED_GROUP_ADMIN = "NO", + MAX_TOKEN_TIME = "-1" +] + +AUTH_MAD_CONF = [ + NAME = "server_x509", + PASSWORD_CHANGE = "NO", + DRIVER_MANAGED_GROUPS = "NO", + DRIVER_MANAGED_GROUP_ADMIN = "NO", + MAX_TOKEN_TIME = "-1" +] + +#******************************************************************************* +# Virtual Network Driver Behavior Definition +#******************************************************************************* +# The configuration for each driver is defined in VN_MAD_CONF. These +# values must not be modified since they define the driver behavior. 
+# name : name of the auth driver
+# BRIDGE_TYPE : define the technology used by the driver
+#*******************************************************************************
+
+VN_MAD_CONF = [
+ NAME = "dummy",
+ BRIDGE_TYPE = "linux"
+]
+
+VN_MAD_CONF = [
+ NAME = "802.1Q",
+ BRIDGE_TYPE = "linux"
+]
+
+VN_MAD_CONF = [
+ NAME = "ebtables",
+ BRIDGE_TYPE = "linux"
+]
+
+VN_MAD_CONF = [
+ NAME = "fw",
+ BRIDGE_TYPE = "linux"
+]
+
+VN_MAD_CONF = [
+ NAME = "ovswitch",
+ BRIDGE_TYPE = "openvswitch"
+ #openvswitch or openvswitch_dpdk
+]
+
+VN_MAD_CONF = [
+ NAME = "vxlan",
+ BRIDGE_TYPE = "linux"
+]
+
+VN_MAD_CONF = [
+ NAME = "vcenter",
+ BRIDGE_TYPE = "vcenter_port_groups"
+]
+
+VN_MAD_CONF = [
+ NAME = "ovswitch_vxlan",
+ BRIDGE_TYPE = "openvswitch"
+]
+
+VN_MAD_CONF = [
+ NAME = "bridge",
+ BRIDGE_TYPE = "linux"
+]
+
+VN_MAD_CONF = [
+ NAME = "elastic",
+ BRIDGE_TYPE = "linux"
+]
+
+VN_MAD_CONF = [
+ NAME = "nodeport",
+ BRIDGE_TYPE = "linux"
+]
diff --git a/virt/opennebula-6.2-controller/files/ssh.config b/virt/opennebula-6.2-controller/files/ssh.config
new file mode 100644
index 0000000..4490e56
--- /dev/null
+++ b/virt/opennebula-6.2-controller/files/ssh.config
@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null
\ No newline at end of file
diff --git a/virt/opennebula-6.2-controller/tasks/main.yml b/virt/opennebula-6.2-controller/tasks/main.yml
new file mode 100644
index 0000000..a4ae296
--- /dev/null
+++ b/virt/opennebula-6.2-controller/tasks/main.yml
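Review bot: `StrictHostKeyChecking=no` combined with `UserKnownHostsFile=/dev/null` disables host-key verification for every SSH connection the oneadmin user makes, so the front-end can no longer tell a hypervisor whose key changed from a host impersonating one; this is the channel OpenNebula uses to drive the nodes and move images, so it is more than a convenience setting. The identical two lines are added in virt/opennebula-6.2-kvm-node/files/ssh.config and both copies are installed as /var/lib/one/.ssh/config by the "Copying oneadmin SSH client config" tasks. If the aim is only to avoid the interactive prompt on first contact, `StrictHostKeyChecking=accept-new` with the default known_hosts file keeps pinning keys after the first connection; a stronger option is to have the playbook seed /var/lib/one/.ssh/known_hosts for the node inventory (Ansible's known_hosts module) and drop both lines. At minimum the comment should record that verification is intentionally off and why, e.g. `# WARNING: host keys are not verified; any host on the path can impersonate a node`.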
@@ -0,0 +1,65 @@
+---
+- name: Adding Debian OpenNebula GPG key
+ apt_key: url='https://downloads.opennebula.io/repo/repo.key' state=present
+ when: ansible_os_family == "Debian"
+
+# Note, using http instead of https so apt-cacher-ng may cache the repo
+- name: Adding Debian 10 OpenNebula repository
+ apt_repository: repo='deb http://downloads.opennebula.io/repo/6.2/Debian/10 stable opennebula' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+- name: Adding Debian 11 OpenNebula repository
+ apt_repository: repo='deb http://downloads.opennebula.io/repo/6.2/Debian/11 stable opennebula' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "11"
+
+# Install OpenNebula
+- name: Installing OpenNebula controller applications
+ apt:
+ update_cache: yes
+ state: present
+ name:
+ - opennebula
+ - opennebula-sunstone
+ - opennebula-fireedge
+ - opennebula-gate
+ - opennebula-flow
+ - opennebula-provision
+
+# NOTE: OpenNebula daemons do NOT start after install, contrary to how most other debian packages behave.
+# This is good as we want to set passwords and other configurations before we start OpenNebula for the first time.
+
+# Set permissions on /var/lib/one folder
+- name: Ensuring permissions on /var/lib/one directory
+ file:
+ path: /var/lib/one
+ state: directory
+ owner: oneadmin
+ group: oneadmin
+ mode: '0755'
+
+# Create /var/lib/one/.ssh folder
+- name: Creating /var/lib/one/.ssh directory
+ file:
+ path: /var/lib/one/.ssh
+ state: directory
+ owner: oneadmin
+ group: oneadmin
+ mode: '0755'
+
+# Create /var/log/one folder or the daemon will not start
+- name: Creating /var/log/one directory
+ file:
+ path: /var/log/one
+ state: directory
+ owner: oneadmin
+ group: oneadmin
+ mode: '0755'
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+ copy:
+ src: 'files/ssh.config'
+ dest: '/var/lib/one/.ssh/config'
+ owner: 'oneadmin'
+ group: 'oneadmin'
+ mode: '0644'
diff --git a/virt/opennebula-6.2-kvm-node/files/ssh.config b/virt/opennebula-6.2-kvm-node/files/ssh.config
new file mode 100644
index 0000000..a65775d
--- /dev/null
+++ b/virt/opennebula-6.2-kvm-node/files/ssh.config
@@ -0,0 +1,3 @@
+# So ansible does not have to add each hypervisor node to known_hosts
+StrictHostKeyChecking=no
+UserKnownHostsFile=/dev/null
diff --git a/virt/opennebula-6.2-kvm-node/handlers/main.yml b/virt/opennebula-6.2-kvm-node/handlers/main.yml
new file mode 100644
index 0000000..097f7b8
--- /dev/null
+++ b/virt/opennebula-6.2-kvm-node/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart libvirtd
+ service: name=libvirtd state=restarted
diff --git a/virt/opennebula-6.2-kvm-node/tasks/main.yml b/virt/opennebula-6.2-kvm-node/tasks/main.yml
new file mode 100644
index 0000000..2908824
--- /dev/null
+++ b/virt/opennebula-6.2-kvm-node/tasks/main.yml
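Review bot: The "Creating /var/lib/one/.ssh directory" task creates oneadmin's .ssh with `mode: '0755'`, which makes the directory listing world-readable and relies on every key or config file later placed there carrying its own tight mode; nothing in this role needs other users to read it, so the conventional `mode: '0700'` is the least-privilege choice. The same task with the same mode is added in virt/opennebula-6.2-kvm-node/tasks/main.yml. The "Copying oneadmin SSH client config" task writes the file with `mode: '0644'`, which is fine for a client config, but the note on that task (`# Copy ssh client config for oneadmin user`) should say that the copied file turns host-key checking off, since that is the property an operator reading this play needs to know about.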
@@ -0,0 +1,79 @@
+---
+- name: Adding Debian OpenNebula GPG key
+ apt_key: url='https://downloads.opennebula.io/repo/repo.key' state=present
+ when: ansible_os_family == "Debian"
+
+# Note, using http instead of https so apt-cacher-ng may cache the repo
+- name: Adding Debian 10 OpenNebula repository
+ apt_repository: repo='deb http://downloads.opennebula.io/repo/6.2/Debian/10 stable opennebula' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+- name: Adding Debian 11 OpenNebula repository
+ apt_repository: repo='deb http://downloads.opennebula.io/repo/6.2/Debian/11 stable opennebula' state=present
+ when: ansible_os_family == "Debian" and ansible_distribution_major_version == "11"
+
+# Install OpenNebula Node
+- name: Installing OpenNebula controller applications
+ apt:
+ update_cache: yes
+ state: present
+ name: opennebula-node-kvm
+ notify: restart libvirtd
+
+# Copy /etc/libvirt/libvirt.conf to bypass polkit socket permissions
+# - name: Copying libvirtd.conf
+# copy:
+# src: 'libvirtd-debian10.conf'
+# dest: '/etc/libvirt/libvirtd.conf'
+# owner: 'root'
+# group: 'root'
+# mode: '0644'
+# notify: restart libvirtd
+# when: ansible_os_family == "Debian" and ansible_distribution_major_version == "10"
+
+# # Copy /etc/libvirt/libvirt.conf to bypass polkit socker permissions
+# - name: Copying libvirtd.conf
+# copy:
+# src: 'libvirtd-debian9.conf'
+# dest: '/etc/libvirt/libvirtd.conf'
+# owner: 'root'
+# group: 'root'
+# mode: '0644'
+# notify: restart libvirtd
+# when: ansible_os_family == "Debian" and ansible_distribution_major_version == "9"
+
+# Set permissions on /var/lib/one folder
+- name: Ensuring permissions on /var/lib/one directory
+ file:
+ path: /var/lib/one
+ state: directory
+ owner: oneadmin
+ group: oneadmin
+ mode: '0755'
+
+# Create /var/lib/one/.ssh folder
+- name: Creating /var/lib/one/.ssh directory
+ file:
+ path: /var/lib/one/.ssh
+ state: directory
+ owner: oneadmin
+ group: oneadmin
+
mode: '0755'
+
+# Create /var/log/one folder or the daemon will not start
+- name: Creating /var/log/one directory
+ file:
+ path: /var/log/one
+ state: directory
+ owner: oneadmin
+ group: oneadmin
+ mode: '0755'
+
+# Copy ssh client config for oneadmin user
+- name: Copying oneadmin SSH client config
+ copy:
+ src: 'files/ssh.config'
+ dest: '/var/lib/one/.ssh/config'
+ owner: 'oneadmin'
+ group: 'oneadmin'
+ mode: '0644'
diff --git a/web/haproxy/files/originals/debian11/49-haproxy.conf b/web/haproxy/files/originals/debian11/49-haproxy.conf
new file mode 100644
index 0000000..36a1261
--- /dev/null
+++ b/web/haproxy/files/originals/debian11/49-haproxy.conf
@@ -0,0 +1,9 @@
+# Create an additional socket in haproxy's chroot in order to allow logging via
+# /dev/log to chroot'ed HAProxy processes
+$AddUnixListenSocket /var/lib/haproxy/dev/log
+
+# Send HAProxy messages to a dedicated logfile
+:programname, startswith, "haproxy" {
+ /var/log/haproxy.log
+ stop
+}
diff --git a/web/haproxy/files/originals/debian11/haproxy.cfg b/web/haproxy/files/originals/debian11/haproxy.cfg
new file mode 100644
index 0000000..a6f8a9c
--- /dev/null
+++ b/web/haproxy/files/originals/debian11/haproxy.cfg
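Review bot: The apt task that installs `opennebula-node-kvm` is still named `Installing OpenNebula controller applications`, copied from the controller role; rename it to `Installing OpenNebula KVM node package` so play output tells the two roles apart. The two commented-out `Copying libvirtd.conf` blocks for Debian 9 and 10 are dead code carrying the `socker` typo — drop them (the history keeps them) or, if the polkit bypass is still needed on Debian 11, make it a live task whose comment names the libvirtd.conf setting it relaxes, since "bypass polkit socket permissions" is a security-relevant change that should be explicit. `/var/lib/one/.ssh` is again created with `mode: '0755'` here; `0700` is the OpenSSH convention. The `Copying oneadmin SSH client config` task installs the role's `files/ssh.config`, whose `StrictHostKeyChecking=no` then applies to oneadmin on every hypervisor as well, so the known_hosts handling needs the same consideration on the node side as on the controller.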
@@ -0,0 +1,34 @@
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
diff --git a/web/haproxy/files/originals/debian11/rsyslog.conf b/web/haproxy/files/originals/debian11/rsyslog.conf
new file mode 100644
index 0000000..86d3bed
--- /dev/null
+++ b/web/haproxy/files/originals/debian11/rsyslog.conf
@@ -0,0 +1,92 @@
+# /etc/rsyslog.conf configuration file for rsyslog
+#
+# For more information install rsyslog-doc and see
+# /usr/share/doc/rsyslog-doc/html/configuration/index.html
+
+
+#################
+#### MODULES ####
+#################
+
+module(load="imuxsock") # provides support for local system logging
+module(load="imklog") # provides kernel logging support
+#module(load="immark") # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#module(load="imudp")
+#input(type="imudp" port="514")
+
+# provides TCP syslog reception
+#module(load="imtcp")
+#input(type="imtcp" port="514")
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+ auth,authpriv.none;\
+ mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
diff --git a/web/haproxy/files/original-debian9-haproxy-1.7.5-haproxy.cfg b/web/haproxy/files/originals/debian9/haproxy-1.7.5-haproxy.cfg
similarity index 100%
rename from web/haproxy/files/original-debian9-haproxy-1.7.5-haproxy.cfg
rename to web/haproxy/files/originals/debian9/haproxy-1.7.5-haproxy.cfg
diff --git a/web/haproxy/files/original-debian9-rsyslog-8.24.0-rsyslog.conf b/web/haproxy/files/originals/debian9/rsyslog-8.24.0-rsyslog.conf
similarity index 100%
rename from web/haproxy/files/original-debian9-rsyslog-8.24.0-rsyslog.conf
rename to web/haproxy/files/originals/debian9/rsyslog-8.24.0-rsyslog.conf