diff --git a/roles/vmhost/defaults/main.yml b/roles/vmhost/defaults/main.yml
new file mode 100644
index 0000000..13f1527
--- /dev/null
+++ b/roles/vmhost/defaults/main.yml
@@ -0,0 +1 @@
+vm_autostart: []
diff --git a/roles/vmhost/files/vm-autostart.service b/roles/vmhost/files/vm-autostart.service
new file mode 100644
index 0000000..9c7cd79
--- /dev/null
+++ b/roles/vmhost/files/vm-autostart.service
@@ -0,0 +1,45 @@
+[Unit]
+Description=Start virtual machines
+After=libvirt.service
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+Environment=LIBVIRT_DEFAULT_URI=qemu:///system
+ExecStart=/usr/local/libexec/vm-autostart.sh
+Restart=on-failure
+
+DynamicUser=yes
+SupplementaryGroups=libvirt
+CapabilityBoundingSet=
+DeviceAllow=
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateTmp=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/vmhost/files/vm-autostart.sh b/roles/vmhost/files/vm-autostart.sh
new file mode 100644
index 0000000..be8be11
--- /dev/null
+++ b/roles/vmhost/files/vm-autostart.sh
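Review bot: The new `vm_autostart` default carries no description of what an entry is or how the list is consumed, and the `delay` keyword that vm-autostart.sh in this same commit understands is not discoverable from here. A comment above the default would make the contract explicit: `# Libvirt domain names to start at boot, in list order. An entry of the form "delay N" pauses N seconds before the next domain is started.` The script and the vm-autostart.j2 template are what establish that format, so keep the comment in step with them if either changes.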
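Review bot: `RestrictAddressFamilies=` with an empty value does not deny all socket families; per systemd.exec an empty assignment resets the restriction, so this line leaves the service unrestricted, which is presumably not what the surrounding hardening intends. The script only needs the libvirt UNIX socket, so `RestrictAddressFamilies=AF_UNIX` states the actual requirement and fails closed for everything else. Relatedly, access to that socket relies on `SupplementaryGroups=libvirt` combined with `DynamicUser=yes` and `PrivateUsers=yes`; it is worth confirming on a target host that virsh can still open qemu:///system under that combination, since the effective group mapping inside the user namespace is not obvious from the unit alone.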
@@ -0,0 +1,22 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+if [ ! -r /etc/vm-autostart ]; then
+    exit 0
+fi
+
+while read name args; do
+    if [ "${name}" = delay ]; then
+        sleep ${args}
+        continue
+    fi
+    if virsh domuuid "${name}" >/dev/null 2>&1; then
+        if virsh domid "${name}" | grep -qE '^[0-9]+$'; then
+            printf 'Domain %s is already running\n' "${name}"
+        else
+            virsh start "${name}"
+        fi
+    else
+        printf 'Domain %s does not exist\n' "${name}"
+    fi
+done < /etc/vm-autostart
diff --git a/roles/vmhost/handlers/main.yml b/roles/vmhost/handlers/main.yml
index adf5c93..55f91cd 100644
--- a/roles/vmhost/handlers/main.yml
+++ b/roles/vmhost/handlers/main.yml
@@ -1,2 +1,6 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
 - name: save firewalld configuration
   command: firewall-cmd --runtime-to-permanent
diff --git a/roles/vmhost/tasks/main.yml b/roles/vmhost/tasks/main.yml
index 7945929..f7e94ee 100644
--- a/roles/vmhost/tasks/main.yml
+++ b/roles/vmhost/tasks/main.yml
@@ -99,3 +99,42 @@
     state: mounted
   with_items: '{{ mount_shared_volumes }}'
   tags: mount
+
+- name: ensure vm-autostart script is installed
+  copy:
+    src: vm-autostart.sh
+    dest: /usr/local/libexec/vm-autostart.sh
+    mode: u=rwx,go=rx
+    owner: root
+    group: root
+  tags:
+    - install
+    - vm-autostart
+- name: ensure vm-autostart is configured
+  template:
+    src: vm-autostart.j2
+    dest: /etc/vm-autostart
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  tags:
+    - vm-autostart
+- name: ensure vm-autostart.service unit file is installed
+  copy:
+    src: vm-autostart.service
+    dest: /etc/systemd/system/vm-autostart.service
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+    - reload systemd
+  tags:
+    - vm-autostart
+    - systemd
+- name: ensure vm-autostart.service is enabled
+  service:
+    name: vm-autostart
+    enabled: true
+  tags:
+    - service
+
diff --git a/roles/vmhost/templates/vm-autostart.j2 b/roles/vmhost/templates/vm-autostart.j2
new file mode 100644
index 0000000..8da6114
--- /dev/null
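Review bot: `while read name args; do` reads the config without `-r`, so backslashes in a domain name are interpreted rather than passed through, and an empty line (or a name that is only whitespace) falls through to the `virsh domuuid` branch and is reported as a domain that does not exist. `while read -r name args; do` followed by `[ -z "${name}" ] && continue` as the first statement of the loop handles both. In the `delay` branch `sleep ${args}` should be quoted as `sleep "${args}"` for the same word-splitting reasons the rest of the script already quotes `${name}`; the input is a root-owned file generated from `vm_autostart`, so this is a robustness rather than an injection concern. Note also that the script's exit status is whatever the last loop iteration returned, which is what `Restart=on-failure` in the companion unit keys on; if that is intended, a comment above `done` saying so would help the next reader.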
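Review bot: The `ensure vm-autostart.service is enabled` task is tagged only `service`, while the three tasks it depends on are tagged `vm-autostart`; a run limited to `--tags vm-autostart` installs the script, config and unit file but never enables the unit. Adding `- vm-autostart` to that task's `tags` list keeps the feature selectable as a whole. The unit file copy notifies `reload systemd`, but handlers run at the end of the play, so the enable task runs before the daemon reload; `systemctl enable` reads the [Install] section from disk and usually copes, but if a stale-unit warning shows up here, a `- meta: flush_handlers` before the enable task, or switching it to the `systemd` module with `daemon_reload: true`, resolves the ordering. `copy` does not create `/usr/local/libexec` when it is missing; that directory is normally present on the firewalld-based hosts this role appears to target, but it is worth a check if the role is reused elsewhere.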
+++ b/roles/vmhost/templates/vm-autostart.j2
@@ -0,0 +1,3 @@
+{% for name in vm_autostart %}
+{{ name }}
+{% endfor %}