diff --git a/roles/vmhost/tasks/main.yml b/roles/vmhost/tasks/main.yml index e3da68d..93ffa3f 100644 --- a/roles/vmhost/tasks/main.yml +++ b/roles/vmhost/tasks/main.yml @@ -5,12 +5,6 @@ tags: - install -- name: ensure libvirtd is configured - template: - src: libvirtd.conf.j2 - dest: /etc/libvirt/libvirtd.conf - mode: '0644' - - name: ensure libvirt can use nfs seboolean: name: virt_use_nfs @@ -48,12 +42,24 @@ - name: ensure libvirtd starts at boot service: - name: libvirtd + name: '{{ item }}' enabled: true + loop: + - virtqemud.socket + - virtnetworkd.socket + - virtstoraged.socket + tags: + - service - name: ensure libvirtd is running service: - name: libvirtd + name: '{{ item }}' state: started + loop: + - virtqemud.socket + - virtnetworkd.socket + - virtstoraged.socket + tags: + - service - name: ensure libvirt networks are defined virt_net: diff --git a/roles/vmhost/templates/libvirtd.conf.j2 b/roles/vmhost/templates/libvirtd.conf.j2 deleted file mode 100644 index d2959aa..0000000 --- a/roles/vmhost/templates/libvirtd.conf.j2 +++ /dev/null @@ -1,482 +0,0 @@ -# Master libvirt daemon configuration file -# -# For further information consult https://libvirt.org/format.html -# -# NOTE: the tests/daemon-conf regression test script requires -# that each "PARAMETER = VALUE" line in this file have the parameter -# name just after a leading "#". - -################################################################# -# -# Network connectivity controls -# - -# Flag listening for secure TLS connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# It is necessary to setup a CA and issue server certificates before -# using this capability. -# -# This is enabled by default, uncomment this to disable it -#listen_tls = 0 - -# Listen for unencrypted TCP connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# Using the TCP socket requires SASL authentication by default. Only -# SASL mechanisms which support data encryption are allowed. This is -# DIGEST_MD5 and GSSAPI (Kerberos5) -# -# This is disabled by default, uncomment this to enable it. -#listen_tcp = 1 - - - -# Override the port for accepting secure TLS connections -# This can be a port number, or service name -# -#tls_port = "16514" - -# Override the port for accepting insecure TCP connections -# This can be a port number, or service name -# -#tcp_port = "16509" - - -# Override the default configuration which binds to all network -# interfaces. This can be a numeric IPv4/6 address, or hostname -# -# If the libvirtd service is started in parallel with network -# startup (e.g. with systemd), binding to addresses other than -# the wildcards (0.0.0.0/::) might not be available yet. -# -#listen_addr = "192.168.0.1" - - -# Flag toggling mDNS advertizement of the libvirt service. -# -# Alternatively can disable for all services on a host by -# stopping the Avahi daemon -# -# This is disabled by default, uncomment this to enable it -#mdns_adv = 1 - -# Override the default mDNS advertizement name. This must be -# unique on the immediate broadcast network. -# -# The default is "Virtualization Host HOSTNAME", where HOSTNAME -# is substituted for the short hostname of the machine (without domain) -# -#mdns_name = "Virtualization Host Joe Demo" - - -################################################################# -# -# UNIX socket access controls -# - -# Set the UNIX domain socket group ownership. This can be used to -# allow a 'trusted' set of users access to management capabilities -# without becoming root. -# -# This is restricted to 'root' by default. -unix_sock_group = "libvirt" - -# Set the UNIX socket permissions for the R/O socket. This is used -# for monitoring VM status only -# -# Default allows any user. If setting group ownership, you may want to -# restrict this too. -unix_sock_ro_perms = "0777" - -# Set the UNIX socket permissions for the R/W socket. This is used -# for full management of VMs -# -# Default allows only root. If PolicyKit is enabled on the socket, -# the default will change to allow everyone (eg, 0777) -# -# If not using PolicyKit and setting group ownership for access -# control, then you may want to relax this too. -unix_sock_rw_perms = "0770" - -# Set the UNIX socket permissions for the admin interface socket. -# -# Default allows only owner (root), do not change it unless you are -# sure to whom you are exposing the access to. -#unix_sock_admin_perms = "0700" - -# Set the name of the directory in which sockets will be found/created. -#unix_sock_dir = "/var/run/libvirt" - - - -################################################################# -# -# Authentication. -# -# - none: do not perform auth checks. If you can connect to the -# socket you are allowed. This is suitable if there are -# restrictions on connecting to the socket (eg, UNIX -# socket permissions), or if there is a lower layer in -# the network providing auth (eg, TLS/x509 certificates) -# -# - sasl: use SASL infrastructure. The actual auth scheme is then -# controlled from /etc/sasl2/libvirt.conf. For the TCP -# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. -# For non-TCP or TLS sockets, any scheme is allowed. -# -# - polkit: use PolicyKit to authenticate. This is only suitable -# for use on the UNIX sockets. The default policy will -# require a user to supply their own password to gain -# full read/write access (aka sudo like), while anyone -# is allowed read/only access. -# -# Set an authentication scheme for UNIX read-only sockets -# By default socket permissions allow anyone to connect -# -# To restrict monitoring of domains you may wish to enable -# an authentication mechanism here -auth_unix_ro = "none" - -# Set an authentication scheme for UNIX read-write sockets -# By default socket permissions only allow root. If PolicyKit -# support was compiled into libvirt, the default will be to -# use 'polkit' auth. -# -# If the unix_sock_rw_perms are changed you may wish to enable -# an authentication mechanism here -auth_unix_rw = "none" - -# Change the authentication scheme for TCP sockets. -# -# If you don't enable SASL, then all TCP traffic is cleartext. -# Don't do this outside of a dev/test scenario. For real world -# use, always enable SASL and use the GSSAPI or DIGEST-MD5 -# mechanism in /etc/sasl2/libvirt.conf -#auth_tcp = "sasl" - -# Change the authentication scheme for TLS sockets. -# -# TLS sockets already have encryption provided by the TLS -# layer, and limited authentication is done by certificates -# -# It is possible to make use of any SASL authentication -# mechanism as well, by using 'sasl' for this option -#auth_tls = "none" - - -# Change the API access control scheme -# -# By default an authenticated user is allowed access -# to all APIs. Access drivers can place restrictions -# on this. By default the 'nop' driver is enabled, -# meaning no access control checks are done once a -# client has authenticated with libvirtd -# -#access_drivers = [ "polkit" ] - -################################################################# -# -# TLS x509 certificate configuration -# - -# Use of TLS requires that x509 certificates be issued. The default locations -# for the certificate files is as follows: -# -# /etc/pki/CA/cacert.pem - The CA master certificate -# /etc/pki/libvirt/servercert.pem - The server certificate signed with -# the cacert.pem -# /etc/pki/libvirt/private/serverkey.pem - The server private key -# -# It is possible to override the default locations by altering the 'key_file', -# 'cert_file', and 'ca_file' values and uncommenting them below. -# -# NB, overriding the default of one location requires uncommenting and -# possibly additionally overriding the other settings. -# - -# Override the default server key file path -# -#key_file = "/etc/pki/libvirt/private/serverkey.pem" - -# Override the default server certificate file path -# -#cert_file = "/etc/pki/libvirt/servercert.pem" - -# Override the default CA certificate path -# -#ca_file = "/etc/pki/CA/cacert.pem" - -# Specify a certificate revocation list. -# -# Defaults to not using a CRL, uncomment to enable it -#crl_file = "/etc/pki/CA/crl.pem" - - - -################################################################# -# -# Authorization controls -# - - -# Flag to disable verification of our own server certificates -# -# When libvirtd starts it performs some sanity checks against -# its own certificates. -# -# Default is to always run sanity checks. Uncommenting this -# will disable sanity checks which is not a good idea -#tls_no_sanity_certificate = 1 - -# Flag to disable verification of client certificates -# -# Client certificate verification is the primary authentication mechanism. -# Any client which does not present a certificate signed by the CA -# will be rejected. -# -# Default is to always verify. Uncommenting this will disable -# verification - make sure an IP whitelist is set -#tls_no_verify_certificate = 1 - - -# A whitelist of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=GB,ST=London,L=London,O=Red Hat,CN=*" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -#tls_allowed_dn_list = ["DN1", "DN2"] - - -# A whitelist of allowed SASL usernames. The format for username -# depends on the SASL authentication mechanism. Kerberos usernames -# look like username@REALM -# -# This list may contain wildcards such as -# -# "*@EXAMPLE.COM" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no Username's are checked -#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] - - -# Override the compile time default TLS priority string. The -# default is usually "NORMAL" unless overridden at build time. -# Only set this is it is desired for libvirt to deviate from -# the global default settings. -# -#tls_priority="NORMAL" - - -################################################################# -# -# Processing controls -# - -# The maximum number of concurrent client connections to allow -# over all sockets combined. -#max_clients = 5000 - -# The maximum length of queue of connections waiting to be -# accepted by the daemon. Note, that some protocols supporting -# retransmission may obey this so that a later reattempt at -# connection succeeds. -#max_queued_clients = 1000 - -# The maximum length of queue of accepted but not yet -# authenticated clients. The default value is 20. Set this to -# zero to turn this feature off. -#max_anonymous_clients = 20 - -# The minimum limit sets the number of workers to start up -# initially. If the number of active clients exceeds this, -# then more threads are spawned, up to max_workers limit. -# Typically you'd want max_workers to equal maximum number -# of clients allowed -#min_workers = 5 -#max_workers = 20 - - -# The number of priority workers. If all workers from above -# pool are stuck, some calls marked as high priority -# (notably domainDestroy) can be executed in this pool. -#prio_workers = 5 - -# Limit on concurrent requests from a single client -# connection. To avoid one client monopolizing the server -# this should be a small fraction of the global max_workers -# parameter. -#max_client_requests = 5 - -# Same processing controls, but this time for the admin interface. -# For description of each option, be so kind to scroll few lines -# upwards. - -#admin_min_workers = 1 -#admin_max_workers = 5 -#admin_max_clients = 5 -#admin_max_queued_clients = 5 -#admin_max_client_requests = 5 - -################################################################# -# -# Logging controls -# - -# Logging level: 4 errors, 3 warnings, 2 information, 1 debug -# basically 1 will log everything possible -# Note: Journald may employ rate limiting of the messages logged -# and thus lock up the libvirt daemon. To use the debug level with -# journald you have to specify it explicitly in 'log_outputs', otherwise -# only information level messages will be logged. -#log_level = 3 - -# Logging filters: -# A filter allows to select a different logging level for a given category -# of logs -# The format for a filter is one of: -# x:name -# x:+name - -# where name is a string which is matched against the category -# given in the VIR_LOG_INIT() at the top of each libvirt source -# file, e.g., "remote", "qemu", or "util.json" (the name in the -# filter can be a substring of the full category name, in order -# to match multiple similar categories), the optional "+" prefix -# tells libvirt to log stack trace for each message matching -# name, and x is the minimal level where matching messages should -# be logged: - -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple filters can be defined in a single @filters, they just need to be -# separated by spaces. -# -# e.g. to only get warning or errors from the remote layer and only errors -# from the event layer: -#log_filters="3:remote 4:event" - -# Logging outputs: -# An output is one of the places to save logging information -# The format for an output can be: -# x:stderr -# output goes to stderr -# x:syslog:name -# use syslog for the output and use the given name as the ident -# x:file:file_path -# output to a file, with the given filepath -# x:journald -# output to journald logging system -# In all case the x prefix is the minimal level, acting as a filter -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple outputs can be defined, they just need to be separated by spaces. -# e.g. to log all warnings and errors to syslog under the libvirtd ident: -#log_outputs="3:syslog:libvirtd" -# - -# Log debug buffer size: -# -# This configuration option is no longer used, since the global -# log buffer functionality has been removed. Please configure -# suitable log_outputs/log_filters settings to obtain logs. -#log_buffer_size = 64 - - -################################################################## -# -# Auditing -# -# This setting allows usage of the auditing subsystem to be altered: -# -# audit_level == 0 -> disable all auditing -# audit_level == 1 -> enable auditing, only if enabled on host (default) -# audit_level == 2 -> enable auditing, and exit if disabled on host -# -#audit_level = 2 -# -# If set to 1, then audit messages will also be sent -# via libvirt logging infrastructure. Defaults to 0 -# -#audit_logging = 1 - -################################################################### -# UUID of the host: -# Host UUID is read from one of the sources specified in host_uuid_source. -# -# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' -# - 'machine-id': fetch the UUID from /etc/machine-id -# -# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide -# a valid UUID a temporary UUID will be generated. -# -# Another option is to specify host UUID in host_uuid. -# -# Keep the format of the example UUID below. UUID must not have all digits -# be the same. - -# NB This default all-zeros UUID will not work. Replace -# it with the output of the 'uuidgen' command and then -# uncomment this entry -#host_uuid = "00000000-0000-0000-0000-000000000000" -#host_uuid_source = "smbios" - -################################################################### -# Keepalive protocol: -# This allows libvirtd to detect broken client connections or even -# dead clients. A keepalive message is sent to a client after -# keepalive_interval seconds of inactivity to check if the client is -# still responding; keepalive_count is a maximum number of keepalive -# messages that are allowed to be sent to the client without getting -# any response before the connection is considered broken. In other -# words, the connection is automatically closed approximately after -# keepalive_interval * (keepalive_count + 1) seconds since the last -# message received from the client. If keepalive_interval is set to -# -1, libvirtd will never send keepalive requests; however clients -# can still send them and the daemon will send responses. When -# keepalive_count is set to 0, connections will be automatically -# closed after keepalive_interval seconds of inactivity without -# sending any keepalive messages. -# -#keepalive_interval = 5 -#keepalive_count = 5 - -# -# These configuration options are no longer used. There is no way to -# restrict such clients from connecting since they first need to -# connect in order to ask for keepalive. -# -#keepalive_required = 1 -#admin_keepalive_required = 1 - -# Keepalive settings for the admin interface -#admin_keepalive_interval = 5 -#admin_keepalive_count = 5 - -################################################################### -# Open vSwitch: -# This allows to specify a timeout for openvswitch calls made by -# libvirt. The ovs-vsctl utility is used for the configuration and -# its timeout option is set by default to 5 seconds to avoid -# potential infinite waits blocking libvirt. -# -#ovs_timeout = 5 diff --git a/roles/vmhost/vars/main.yml b/roles/vmhost/vars/main.yml index 0346f28..984e75b 100644 --- a/roles/vmhost/vars/main.yml +++ b/roles/vmhost/vars/main.yml @@ -5,6 +5,8 @@ vmhost_required_packages: - python3-libvirt - python3-lxml - qemu-audio-spice +- qemu-char-spice - qemu-device-display-qxl - qemu-device-display-virtio-vga - qemu-system-x86-core +- which