Update to 2021-12-01 19:13

2025-10-30 18:31:28 +01:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/pve/tasks/facts.yml
+++ b/roles/pve/tasks/facts.yml
@@ -0,0 +1,7 @@
+---
+
+  # The module is unavailable
+- name: Do not load nf_conntrack_proto_gre for PVE6
+  set_fact: pve_mod_to_load={{ pve_mod_to_load | difference(['nf_conntrack_proto_gre']) }}
+  when: ansible_distribution_major_version | int >= 10
+  tags: pve
--- a/roles/pve/tasks/filebeat.yml
+++ b/roles/pve/tasks/filebeat.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Deploy filebeat configuration
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/pve.yml
+  tags: pve,log
--- a/roles/pve/tasks/main.yml
+++ b/roles/pve/tasks/main.yml
@@ -0,0 +1,165 @@
+---
+
+- include: facts.yml
+
+- name: Install tools
+  apt:
+    name:
+      - pigz
+      - ksm-control-daemon
+      - openvswitch-switch
+      - ethtool
+      - patch
+
+- name: Deploy vzdump config
+  template: src=vzdump.conf.j2 dest=/etc/vzdump.conf
+
+- name: Deploy ksm configuration
+  template: src=ksmtuned.conf.j2 dest=/etc/ksmtuned.conf
+  notify: restart ksmtuned
+
+- name: Handle ksm services
+  service: name=ksmtuned state={{ pve_ksm | ternary('started','stopped') }} enabled={{ pve_ksm | ternary(True,False) }}
+
+- name: Configure modules to load
+  copy: content={{ pve_mod_to_load | join("\n") }} dest=/etc/modules-load.d/firewall.conf
+  register: pve_modules
+
+- name: Load modules
+  service: name=systemd-modules-load state=restarted
+  when: pve_modules.changed
+
+- name: Enable ocfs2 support
+  set_fact: pve_ocfs2=True
+  when: fstab | default([]) | selectattr('fstype','equalto','ocfs2') | list | length > 0
+
+- name: Install ocfs2 support
+  apt: name=ocfs2-tools state=present
+  when: pve_ocfs2 == True
+
+- name: Check proxmox cluster status
+  command: pvesh get /cluster/status --output-format=json
+  register: pve_cluster_status_1
+  ignore_errors: True
+  changed_when: False
+
+- name: Parse proxmox cluster status
+  set_fact: pve_cluster={{ pve_cluster_status_1.stdout | from_json }}
+  when: pve_cluster_status_1.rc == 0
+
+- name: Check proxmox cluster status (old pvesh)
+  command: pvesh get /cluster/status
+  when: pve_cluster_status_1.rc != 0
+  register: pve_cluster_status_2
+  changed_when: False
+
+- name: Parse proxmox cluster status (old pvesh)
+  set_fact: pve_cluster={{ pve_cluster_status_2.stdout | from_json }}
+  when: pve_cluster_status_1.rc != 0
+
+- name: Deploy ocfs2 config
+  template: src=ocfs2.conf.j2 dest=/etc/ocfs2/cluster.conf
+  when: pve_ocfs2 == True
+  notify: restart o2cb
+
+- name: Deploy o2cb conf
+  template: src=o2cb.j2 dest=/etc/default/o2cb
+  when: pve_ocfs2 == True
+
+- name: Handle o2cb service
+  service: name=o2cb state=started enabled=True
+  when: pve_ocfs2 == True
+
+- name: Deploy the unlock_dev script
+  copy: src=unlock_dev dest=/usr/local/bin/unlock_dev mode=755
+
+- name: Check if the old hookd daemon is installed
+  stat: path=/usr/local/bin/pve-hookd
+  register: pve_old_hookd
+
+- name: Stop the old hookd daemon
+  service: name=pve-hookd state=stopped
+  when: pve_old_hookd.stat.exists
+
+- name: Remove the old hook daemon
+  file: path={{ item }} state=absent
+  loop:
+    - /usr/local/bin/pve-hookd
+    - /etc/hooks
+    - /etc/systemd/system/pve-hookd.service
+    - /etc/tmpfiles.d/pve-container-hooks.conf
+    - /etc/systemd/system/pve-container@.service.d/pve-container-hooks.conf
+    - /var/run/lxc/active
+
+- name: Reload systemd
+  command: systemctl daemon-reload
+  when: pve_old_hookd.stat.exists
+
+- include_tasks: pve_online.yml
+  when: pve_online == True
+
+- include_tasks: ovh.yml
+  when: pve_ovh == True
+
+- name: Create backup dir
+  file: path=/home/lbkp/pve state=directory
+
+- name: Install pre and post backup scripts
+  copy: src={{ item.src }} dest=/etc/backup/{{ item.type }}.d/{{ item.src }} mode=755
+  with_items:
+    - src: pve_dump
+      type: pre
+    - src: pve_rm_dump
+      type: post
+
+- name: Remove registration nag
+  patch: src=remove_nag.patch dest=/usr/share/perl5/PVE/API2/Subscription.pm
+  ignore_errors: True # Don't fail on old PVE where the patch doesn't apply
+  notify: restart pveproxy
+
+- name: Rise limits for containers
+  pam_limits:
+    domain: '*'
+    limit_type: "{{ item.type }}"
+    limit_item: nofile
+    value: "{{ item.value }}"
+  with_items:
+    - type: soft
+      value: 65000
+    - type: hard
+      value: 65535
+
+- name: Rise inotify instances
+  sysctl:
+    name: fs.inotify.max_user_instances
+    value: 1024
+    sysctl_file: /etc/sysctl.d/ansible.conf
+
+- name: Ensure dehydrated hook dir exists
+  file: path=/etc/dehydrated/hooks_deploy_cert.d/ state=directory
+
+- name: Deploy dehydrated hook
+  template: src=dehydrated_hook.sh.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/20pve.sh mode=755
+
+  # See https://bugzilla.proxmox.com/show_bug.cgi?id=2326 why
+- name: Create corosync override directory
+  file: path=/etc/systemd/system/corosync.service.d/ state=directory
+  tags: pve
+
+- name: Setup corosync to be restarted in case of failure
+  copy:
+    content: |
+      [Service]
+      Restart=on-failure
+      RestartSec=1
+    dest: /etc/systemd/system/corosync.service.d/ansible.conf
+  register: pve_corosync_unit
+  tags: pve
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: pve_corosync_unit.changed
+  tags: pve
+
+- include: zabbix.yml
+- include: filebeat.yml
--- a/roles/pve/tasks/ovh.yml
+++ b/roles/pve/tasks/ovh.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Add vrack routing table
+  copy:
+    content: "1 vrack"
+    dest: /etc/iproute2/rt_tables.d/ovh.conf
--- a/roles/pve/tasks/pve_online.yml
+++ b/roles/pve/tasks/pve_online.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+      - libnet-route-perl
+      - libnet-address-ip-local-perl
+      - libarray-diff-perl
+      - libdata-validate-ip-perl
+      - liblogger-syslog-perl
+
+- name: Deploy Online.net integration script
+  copy: src=pve-online dest=/usr/local/bin/pve-online mode=755
+
+- name: Deploy Online.net integration conf
+  template: src=pve-online.conf.j2 dest=/etc/pve-online.conf mode=600
+
+- name: Create hook directory on local storage
+  file: path=/var/lib/vz/snippets state=directory
+
+- name: Deploy Online hook
+  copy: src=online_hook.pl dest=/var/lib/vz/snippets/online_hook.pl mode=755
+
+- name: Ensure /etc/systemd/system/ exists
+  file: path=/etc/systemd/system/ state=directory
+
+- name: Disable pve-online-gre service
+  service: name=pve-online-gre state=stopped enabled=False
+  failed_when: False
+
+- name: Remove pve-online-gre service unit
+  file: path=/etc/systemd/system/pve-online-gre.service state=absent
+  register: pve_gre_unit
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: pve_gre_unit.changed
+
--- a/roles/pve/tasks/zabbix.yml
+++ b/roles/pve/tasks/zabbix.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Check if check_pve_sudo is installed
+  stat: path=/var/lib/zabbix/bin/util_populate_pve_cache
+  register: pve_zabbix_scripts
+  tags: pve,zabbix
+
+- name: Setup a cron job for Zabbix monitoring cache population
+  cron:
+    name: pve_zabbix_cache
+    cron_file: pve_zabbix_cache
+    user: root
+    job: "/var/lib/zabbix/bin/util_populate_pve_cache"
+    minute: "*/5"
+    state: "{{ (pve_zabbix_cache and pve_zabbix_scripts.stat.exists) | ternary('present','absent') }}"
+  tags: pve,zabbix