Zwischenstand install vm

host_vars/bbb.xitq.de

@@ -7,13 +7,24 @@ install_image:
 
 passwordless_sudo: true
 
-install_vm:
-    osvariant: ubuntu20.04
-    image: /home/core/tmp/ubuntu-22.04.1-live-server-amd64.iso
-    ram: 4096
-    size: 20
-    vcpus: 2
+#install_vm:
+#    osvariant: ubuntu20.04
+#    image: /home/core/tmp/ubuntu-22.04.1-live-server-amd64.iso
+#    ram: 4096
+#    size: 20
+#    vcpus: 2
+#    network: network=default  # bridge=br0
 
 
+libvirt_pool_dir: "/var/lib/libvirt/images"
+
+vm_base_image: template2204.qcow2
+vm_base_image_archiv: "{{ vm_base_image + '.gz' }}"
+
+vm_name: myVMname
+vm_vcpus: 2
+vm_ram_mb: 4096
+vm_net: default
+
 
 ...

hosts

@@ -1,2 +1,2 @@
 bbb.xitq.de
-
+# bbb.xit

roles/bs_scripte/files/bashlib

@@ -11,9 +11,9 @@ adddate() {
     done 
 }
 
-#   Gibt den Namen der 1. aktiven NIC zurück die nicht das Loopback Interface ist
+#   Gibt den Namen der 1. aktiven NIC zurück die nicht das Loopback Interface ist und keine virtuelle NIC im KVM-Umfeld
 #   Funktioniert auf Ubuntu 20.04, andere Versionen ungetestet.
-#   Kann man sicher besser machen
+#   Kann man sicher eleganter machen
 getnic() {
-	echo `ip link show | grep "state UP" | grep -v "LOOPBACK" | awk '{print $2}' | sed 's/://g'`
+	echo `ip link show | grep "state UP" | grep -v "LOOPBACK" | grep -v virbr | awk '{print $2}' | sed 's/://g'`
 }

roles/bs_scripte/files/restart_libvirt

@@ -0,0 +1,2 @@
+#!/bin/bash
+systemctl restart libvirtd

roles/bs_scripte/tasks/main.yml

@@ -45,6 +45,14 @@
     group: users
     mode: 0755
 
+- name: Upload restart libvirt to core's Scripte directory 
+  copy: 
+    src: restart_libvirt
+    dest: /home/core/Scripte/
+    owner: core
+    group: users
+    mode: 0755
+
 - name: Install vim for script editing
   apt:
     name: 

roles/bs_sshd/tasks/main.yml

@@ -9,6 +9,9 @@
       PubkeyAuthentication yes
       AuthorizedKeysFile .ssh/authorized_keys
       PasswordAuthentication no
+      TCPKeepAlive no 
+      ClientAliveInterval 30
+      ClientAliveCountMax 960
     backup: yes
     validate: /usr/sbin/sshd -T -f %s
   notify: Restart SSHD

roles/bs_ufw/files/startufw

@@ -1,3 +1,8 @@
+#   Alle existierenden Regeln löschen und ufw auf inaktiv setzen
+echo y | sudo ufw reset
+
+#   Dann die Regeln anwenden
+
 # ssh
 sudo ufw allow 22
 # dns
@@ -26,12 +31,15 @@ sudo ufw allow from 178.15.152.60 to any port 161 proto udp
 sudo ufw deny out from any to 10.0.0.0/8
 
 # Achtung: Für greenlight-Installationen 172.x NICHT blocken, das wird vom GL-Dockercontainer verwendet
-sudo ufw deny out from any to 172.16.0.0/12
+# sudo ufw deny out from any to 172.16.0.0/12
 
-sudo ufw deny out from any to 192.168.0.0/16
+# Achtung: Für KVM nicht blocken falls network_default, d.h. NAT, dann geht das intern über 192.168.122.0
+# sudo ufw deny out from any to 192.168.0.0/16
 sudo ufw deny out from any to 100.64.0.0/10
 sudo ufw deny out from any to 198.18.0.0/15
 sudo ufw deny out from any to 169.254.0.0/16
 
+#   Dann erst ufw aktivieren, damit wir uns die ssh-Connection nicht zerschießen
+
 echo y | sudo ufw enable
 sudo ufw status >> /home/core/tmp/ufwstatus.log

roles/bs_users/tasks/setup_users.yml

@@ -1,5 +1,6 @@
 --- 
 
+# Passwort ist bobby. Kein Problem, da in der sshd_config passwordauthentification disaböed ist
 - name: Create user core
   user:
     name: core
@@ -36,4 +37,13 @@
     group: users
     mode: 0775
 
+- name: Generate SSH key for user core
+  user:
+    name: "core"
+    generate_ssh_key: yes
+    ssh_key_type: rsa
+    ssh_key_bits: 4096
+    ssh_key_file: .ssh/id_rsa
+    ssh_key_passphrase: ""
+    force: no
 ...

roles/bs_users/tasks/upload_pubkeys.yml

@@ -1,5 +1,6 @@
 ---
 
+# ignore_errors: yes weil das Verzeichnis ggf. schon durch ssh_keygen angelegt worde ist
 - name: Create root user's .ssh directory
   file: 
     path: /root/.ssh
@@ -7,6 +8,7 @@
     owner: root
     group: root
     mode: 0700
+  ignore_errors: yes
 
 - name: Upload root user's authorized keys file 
   copy: 
@@ -16,6 +18,7 @@
     group: root
     mode: 0600
 
+# ignore_errors: yes weil das Verzeichnis ggf. schon durch ssh_keygen angelegt worde ist
 - name: Create core user's .ssh directory
   file: 
     path: /home/core/.ssh
@@ -23,6 +26,7 @@
     owner: core
     group: users
     mode: 0700
+  ignore_errors: yes
 
 - name: Upload core user's authorized keys file 
   copy: 

roles/kvm_installvm/files/template2204.xml

@@ -0,0 +1,200 @@
+<domain type='kvm' id='7'>
+  <name>template2204</name>
+  <uuid>b23e5e10-6e7b-4199-968d-8ee7c23ed636</uuid>
+  <metadata>
+    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+      <libosinfo:os id="http://ubuntu.com/ubuntu/20.04"/>
+    </libosinfo:libosinfo>
+  </metadata>
+  <memory unit='KiB'>4194304</memory>
+  <currentMemory unit='KiB'>4194304</currentMemory>
+  <vcpu placement='static'>2</vcpu>
+  <resource>
+    <partition>/machine</partition>
+  </resource>
+  <os>
+    <type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+  </features>
+  <cpu mode='custom' match='exact' check='full'>
+    <model fallback='forbid'>EPYC-IBPB</model>
+    <vendor>AMD</vendor>
+    <feature policy='require' name='x2apic'/>
+    <feature policy='require' name='tsc-deadline'/>
+    <feature policy='require' name='hypervisor'/>
+    <feature policy='require' name='tsc_adjust'/>
+    <feature policy='require' name='arch-capabilities'/>
+    <feature policy='require' name='xsaves'/>
+    <feature policy='require' name='cmp_legacy'/>
+    <feature policy='require' name='perfctr_core'/>
+    <feature policy='require' name='clzero'/>
+    <feature policy='require' name='xsaveerptr'/>
+    <feature policy='require' name='virt-ssbd'/>
+    <feature policy='require' name='npt'/>
+    <feature policy='require' name='nrip-save'/>
+    <feature policy='require' name='rdctl-no'/>
+    <feature policy='require' name='skip-l1dfl-vmentry'/>
+    <feature policy='require' name='mds-no'/>
+    <feature policy='require' name='pschange-mc-no'/>
+    <feature policy='disable' name='monitor'/>
+    <feature policy='require' name='topoext'/>
+  </cpu>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2'/>
+      <source file='/var/lib/libvirt/images/template2204.qcow2' index='2'/>
+      <backingStore/>
+      <target dev='vda' bus='virtio'/>
+      <alias name='virtio-disk0'/>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+    </disk>
+    <disk type='file' device='cdrom'>
+      <driver name='qemu'/>
+      <target dev='sda' bus='sata'/>
+      <readonly/>
+      <alias name='sata0-0-0'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0' model='ich9-ehci1'>
+      <alias name='usb'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x7'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci1'>
+      <alias name='usb'/>
+      <master startport='0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci2'>
+      <alias name='usb'/>
+      <master startport='2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x1'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci3'>
+      <alias name='usb'/>
+      <master startport='4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x2'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <alias name='ide'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='pci' index='0' model='pcie-root'>
+      <alias name='pcie.0'/>
+    </controller>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x8'/>
+      <alias name='pci.1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x9'/>
+      <alias name='pci.2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0xa'/>
+      <alias name='pci.3'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0xb'/>
+      <alias name='pci.4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
+    </controller>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0xc'/>
+      <alias name='pci.5'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
+    </controller>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0xd'/>
+      <alias name='pci.6'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
+    </controller>
+    <controller type='virtio-serial' index='0'>
+      <alias name='virtio-serial0'/>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/tomcatlib'/>
+      <target dir='/libshare'/>
+      <readonly/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/fontlib'/>
+      <target dir='/fontshare'/>
+      <readonly/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:24:83:d8'/>
+      <source network='default' portid='7d4a4871-d940-4f25-89b6-b499e6e2eae0' bridge='virbr0'/>
+      <target dev='vnet0'/>
+      <model type='virtio'/>
+      <alias name='net0'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <source path='/dev/pts/1'/>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+      <alias name='serial0'/>
+    </serial>
+    <console type='pty' tty='/dev/pts/1'>
+      <source path='/dev/pts/1'/>
+      <target type='serial' port='0'/>
+      <alias name='serial0'/>
+    </console>
+    <channel type='unix'>
+      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-7-template2204/org.qemu.guest_agent.0'/>
+      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
+      <alias name='channel0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+    </channel>
+    <input type='mouse' bus='ps2'>
+      <alias name='input0'/>
+    </input>
+    <input type='keyboard' bus='ps2'>
+      <alias name='input1'/>
+    </input>
+    <memballoon model='virtio'>
+      <alias name='balloon0'/>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+      <alias name='rng0'/>
+      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+    </rng>
+  </devices>
+  <seclabel type='dynamic' model='dac' relabel='yes'>
+    <label>+64055:+108</label>
+    <imagelabel>+64055:+108</imagelabel>
+  </seclabel>
+</domain>
+

roles/kvm_installvm/files/virt-install_ubuntu_2204.sh

@@ -0,0 +1,17 @@
+
+#   File soll dynamisch wachsen, preallocation==off
+qemu-img create -f qcow2 -o preallocation=off dyn300g.qcow2 300G
+mv dyn300g.qcow2 /var/lib/libvirt/images
+
+#   Neue VM unter Verwendung dieses files als disk installieren
+virt-install \
+--name ubuntu2204 \
+--ram 4096 \
+--disk path=/var/lib/libvirt/images/dyn300g.qcow2 \
+--vcpus 2 \
+--os-variant ubuntu20.04 \
+--network network=default \
+--graphics none \
+--console pty,target_type=serial \
+--location /home/core/tmp/ubuntu-22.04-live-server-amd64.iso,kernel=casper/vmlinuz,initrd=casper/initrd \
+--extra-args 'console=ttyS0,115200n8

roles/kvm_installvm/files/virtinstall_options

@@ -1,11 +0,0 @@
-virt-install \
---name ubuntu2204 \
---ram 4096 \
---disk path=/var/kvm/images/ubuntu2204.img,size=20 \
---vcpus 2 \
---os-variant ubuntu22.04 \
---network bridge=br0 \
---graphics none \
---console pty,target_type=serial \
---location /home/ubuntu-22.04-live-server-amd64.iso,kernel=casper/vmlinuz,initrd=casper/initrd \
---extra-args 'console=ttyS0,115200n8

roles/kvm_installvm/tasks/main.backup.yml

@@ -0,0 +1,45 @@
+---
+
+# Das funktioniert nicht gut. Wird nicht weiter verfolgt.
+# Das Anlegen einer VM aus Ansible lohnt nicht, wir brauchen eh ein Basistemplate mit 
+# - imagefile das nicht preallocating ist
+# - minimale ssh-Konfiguration für root und core mit eingetragenen authorized_keys
+# - Filesystems zum Mounten der gesharten Verzeichnisse des Wirts
+# - LVM Filesystem, ...
+# Dieses Template kann man dann kopieren, den Namen im xmldump anpassen und auf jedem Wirt definen. 
+# Lohnt einfach nicht
+
+
+#- name: Download Ubuntu 22.04 iso to user core's tmp dir
+#  ansible.builtin.get_url:
+#    url: https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso
+#    dest: /home/core/tmp/ubuntu-22.04.1-live-server-amd64.iso
+#    mode: '0640'
+
+#- name: Download Ubuntu 20.04 iso to user core's tmp dir
+#  ansible.builtin.get_url:
+#    url: https://releases.ubuntu.com/focal/ubuntu-20.04.5-live-server-amd64.iso
+#    dest: /home/core/tmp/ubuntu-20.04.1-live-server-amd64.iso
+#    mode: '0640'
+
+#- name: DEBUG variables TEST ONLY
+#  debug: 
+#    msg: "{{ install_vm.ram }}"
+  
+#- name: Start virtual network
+#  shell:
+#    cmd: sudo /usr/bin/virsh net-start default
+
+#- name: Install VM with default host-specific host_vars settings
+#  shell: 
+#    cmd: /usr/bin/virt-install --name {{ vm }} --ram {{ install_vm.ram }} --disk path=/var/lib/libvirt/images/{{ vm }}.img,size={{ install_vm.size }} --vcpus {{ install_vm.vcpus }} --os-variant {{ install_vm.osvariant }} --network {{ install_vm.network }} --graphics none --console pty,target_type=serial --location {{ install_vm.image }},kernel=casper/vmlinuz,initrd=casper/initrd --extra-args 'console=ttyS0,115200n8'
+
+#- name: Upload vm XML-Description to core's tmp dir
+#  ansible.builtin.template:
+#    src: default.xml
+#    dest: /home/core/tmp/
+#    owner: core
+#    group: users
+#    mode: '0644'
+
+...

roles/kvm_installvm/tasks/main.yml

@@ -1,37 +1,35 @@
 ---
 
-- name: Download Ubuntu 22.04 iso to user core's tmp dir
-  ansible.builtin.get_url:
-    url: https://releases.ubuntu.com/22.04/ubuntu-22.04.1-live-server-amd64.iso
-    dest: /home/core/tmp/ubuntu-22.04.1-live-server-amd64.iso
-    mode: '0640'
+- name: Get VMs list
+  community.libvirt.virt:
+    command: list_vms
+  register: existing_vms
+  changed_when: no
 
-- name: Download Ubuntu 20.04 iso to user core's tmp dir
-  ansible.builtin.get_url:
-    url: https://releases.ubuntu.com/focal/ubuntu-20.04.5-live-server-amd64.iso
-    dest: /home/core/tmp/ubuntu-20.04.1-live-server-amd64.iso
-    mode: '0640'
+- name: Create VM if not exists
+  block:
 
-- name: DEBUG variables TEST ONLY
-  debug: 
-    msg: "{{ install_vm.ram }}"
+  - name: Upload base image archiv to core's tmp directory
+    copy: 
+      src: "{{ vm_base_image_archiv }}"
+      dest: "/home/core/tmp/"
+      owner: libvirt-qemu
+      group: kvm
+      mode: "0600"
   
+  - name: Gunzip base image in core's tmp directory
+    shell:
+      cmd: "/usr/bin/gunzip /home/core/tmp/{{ vm_base_image_archiv }}"
 
-- name: Install VM with default host-specific host_vars settings
-  shell: 
-    #cmd: echo {{ install_vm.ram }} 
-    cmd: virt-install --name {{ vm }} --ram {{ install_vm.ram }} --disk path=/var/lib/libvirt/images/{{ vm }}.img,size={{ install_vm.size }} --vcpus {{ install_vm.vcpus }} --os-variant {{ install_vm.osvariant }} --network bridge=br0 --graphics none --console pty,target_type=serial --location {{ install_vm.image }},kernel=casper/vmlinuz,initrd=casper/initrd --extra-args 'console=ttyS0,115200n8'
-
-
-
-
-- name: Upload vm XML-Description to core's tmp dir
-  ansible.builtin.template:
-    src: default.xml
-    dest: /home/core/tmp/
-    owner: core
-    group: users
-    mode: '0644'
-
+  - name: Copy unarchived base image to /var/lib/libvirt/images and rename to $vm_name
+    copy: 
+      src: "/home/core/tmp/{{ vm_base_image }}"
+      dest: "{{ libvirt_pool_dir }}/{{ vm_name }}"
+      remote_src: "yes"
+      owner: libvirt-qemu
+      group: kvm
+      mode: "0600"
+  
+  when: "vm_name not in existing_vms.list_vms"
 
 ...

roles/kvm_installvm/templates/template2204.xml

@@ -0,0 +1,198 @@
+<domain type='kvm'>
+  <name>{{ vm_name }}</name>
+  <metadata>
+    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+      <libosinfo:os id="http://ubuntu.com/ubuntu/20.04"/>
+    </libosinfo:libosinfo>
+  </metadata>
+  <memory unit='KiB'>{{ vm_ram_mb }} </memory>
+  <currentMemory unit='KiB'>{{ vm_ram_mb }}</currentMemory>
+  <vcpu placement='static'> {{ vm_vcpus }}</vcpu>
+  <resource>
+    <partition>/machine</partition>
+  </resource>
+  <os>
+    <type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+  </features>
+  <cpu mode='custom' match='exact' check='full'>
+    <model fallback='forbid'>EPYC-IBPB</model>
+    <vendor>AMD</vendor>
+    <feature policy='require' name='x2apic'/>
+    <feature policy='require' name='tsc-deadline'/>
+    <feature policy='require' name='hypervisor'/>
+    <feature policy='require' name='tsc_adjust'/>
+    <feature policy='require' name='arch-capabilities'/>
+    <feature policy='require' name='xsaves'/>
+    <feature policy='require' name='cmp_legacy'/>
+    <feature policy='require' name='perfctr_core'/>
+    <feature policy='require' name='clzero'/>
+    <feature policy='require' name='xsaveerptr'/>
+    <feature policy='require' name='virt-ssbd'/>
+    <feature policy='require' name='npt'/>
+    <feature policy='require' name='nrip-save'/>
+    <feature policy='require' name='rdctl-no'/>
+    <feature policy='require' name='skip-l1dfl-vmentry'/>
+    <feature policy='require' name='mds-no'/>
+    <feature policy='require' name='pschange-mc-no'/>
+    <feature policy='disable' name='monitor'/>
+    <feature policy='require' name='topoext'/>
+  </cpu>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2'/>
+      <source file='{{ libvirt_pool_dir }}/{{ vm_name }}.qcow2' index='2'/>
+      <backingStore/>
+      <target dev='vda' bus='virtio'/>
+      <alias name='virtio-disk0'/>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+    </disk>
+    <disk type='file' device='cdrom'>
+      <driver name='qemu'/>
+      <target dev='sda' bus='sata'/>
+      <readonly/>
+      <alias name='sata0-0-0'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0' model='ich9-ehci1'>
+      <alias name='usb'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x7'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci1'>
+      <alias name='usb'/>
+      <master startport='0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci2'>
+      <alias name='usb'/>
+      <master startport='2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x1'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci3'>
+      <alias name='usb'/>
+      <master startport='4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x2'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <alias name='ide'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='pci' index='0' model='pcie-root'>
+      <alias name='pcie.0'/>
+    </controller>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x8'/>
+      <alias name='pci.1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x9'/>
+      <alias name='pci.2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0xa'/>
+      <alias name='pci.3'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0xb'/>
+      <alias name='pci.4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
+    </controller>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0xc'/>
+      <alias name='pci.5'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
+    </controller>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0xd'/>
+      <alias name='pci.6'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
+    </controller>
+    <controller type='virtio-serial' index='0'>
+      <alias name='virtio-serial0'/>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/tomcatlib'/>
+      <target dir='/libshare'/>
+      <readonly/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+    </filesystem>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/fontlib'/>
+      <target dir='/fontshare'/>
+      <readonly/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <source network='{{ vm_net }}'/>
+      <target dev='vnet0'/>
+      <model type='virtio'/>
+      <alias name='net0'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <source path='/dev/pts/1'/>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+      <alias name='serial0'/>
+    </serial>
+    <console type='pty' tty='/dev/pts/1'>
+      <source path='/dev/pts/1'/>
+      <target type='serial' port='0'/>
+      <alias name='serial0'/>
+    </console>
+    <channel type='unix'>
+      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-7-template2204/org.qemu.guest_agent.0'/>
+      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
+      <alias name='channel0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+    </channel>
+    <input type='mouse' bus='ps2'>
+      <alias name='input0'/>
+    </input>
+    <input type='keyboard' bus='ps2'>
+      <alias name='input1'/>
+    </input>
+    <memballoon model='virtio'>
+      <alias name='balloon0'/>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+      <alias name='rng0'/>
+      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+    </rng>
+  </devices>
+  <seclabel type='dynamic' model='dac' relabel='yes'>
+    <label>+64055:+108</label>
+    <imagelabel>+64055:+108</imagelabel>
+  </seclabel>
+</domain>
+

roles/kvm_setup/tasks/main.yml

@@ -12,12 +12,16 @@
       - libvirt-clients
       - virtinst
       - virt-manager
+      - dnsmasq
+      - python3-libvirt
+      - libguestfs-tools
 
 - name: Check KVM ok
   shell: /usr/sbin/kvm-ok
   register: kvmok
-  # failed_when: kvm-ok 
-  
+  failed_when: kvmok["failed"] == true
+  changed_when: no
+
 - name: Debug KVM ok
   debug:
     msg: "{{ kvmok }}"
@@ -28,4 +32,28 @@
     groups: libvirt
     append: "true"
 
+# Dieses Verzeichnis muss existieren, denn die VMs versuchen das ins lokale Filesystem zu mappen
+- name: Create tomcatlib directory
+  ansible.builtin.file:
+    path: /var/tomcatlib
+    state: directory
+    mode: '0755'
+
+# Das muss hier raus
+- name: Upload Tomcat Libs
+  copy:
+    src: "{{ item }}"
+    dest: /var/tomcatlib
+    owner: root
+    mode: '0644'
+  with_fileglob:
+    - /var/tomcatlib/*.jar
+
+# Dieses Verzeichnis muss existieren, denn die VMs versuchen das ins lokale Filesystem zu mappen
+- name: Create fontlib directory
+  ansible.builtin.file:
+    path: /var/fontlib
+    state: directory
+    mode: '0755'
+
 ...

run

@@ -1 +1,11 @@
+# Auf Hetzner Rootserver aus der Serverbörse das BS-Image installieren, Server muss im rescue-Modus sein
 ansible-playbook --extra-vars "target=bbb.xitq.de" install_image.yml
+
+# Grundlegende Konsigurationen als root durchführen. Die letzt Task verbietet dem rootúser Zugriff via ssh
+ansible-playbook --extra-vars "target=bbb.xitq.de" bootstrapRoot.yml
+
+# Weitere Konfigurationen unter user core. Der ist im vorigen Playbook über die sudoers-nopasswd Gruppe entsprechend virbereitet
+ansible-playbook --extra-vars "target=bbb.xitq.de" bootstrapCore.yml
+
+# KVM installieren, neue VM anlegen
+ansible-playbook --extra-vars "target=bbb.xitq.de, vm=vhostnew" bootstrapTest.yml

ubuntu2204.xml

@@ -0,0 +1,201 @@
+<domain type='kvm' id='2'>
+  <name>ubuntu2204</name>
+  <uuid>d2612a3d-193f-49e2-b362-54c3954739e7</uuid>
+  <metadata>
+    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+      <libosinfo:os id="http://ubuntu.com/ubuntu/20.04"/>
+    </libosinfo:libosinfo>
+  </metadata>
+  <memory unit='KiB'>4194304</memory>
+  <currentMemory unit='KiB'>4194304</currentMemory>
+  <vcpu placement='static'>2</vcpu>
+  <resource>
+    <partition>/machine</partition>
+  </resource>
+  <os>
+    <type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+  </features>
+  <cpu mode='custom' match='exact' check='full'>
+    <model fallback='forbid'>EPYC-IBPB</model>
+    <vendor>AMD</vendor>
+    <feature policy='require' name='x2apic'/>
+    <feature policy='require' name='tsc-deadline'/>
+    <feature policy='require' name='hypervisor'/>
+    <feature policy='require' name='tsc_adjust'/>
+    <feature policy='require' name='arch-capabilities'/>
+    <feature policy='require' name='xsaves'/>
+    <feature policy='require' name='cmp_legacy'/>
+    <feature policy='require' name='perfctr_core'/>
+    <feature policy='require' name='clzero'/>
+    <feature policy='require' name='xsaveerptr'/>
+    <feature policy='require' name='virt-ssbd'/>
+    <feature policy='require' name='npt'/>
+    <feature policy='require' name='nrip-save'/>
+    <feature policy='require' name='rdctl-no'/>
+    <feature policy='require' name='skip-l1dfl-vmentry'/>
+    <feature policy='require' name='mds-no'/>
+    <feature policy='require' name='pschange-mc-no'/>
+    <feature policy='disable' name='monitor'/>
+    <feature policy='require' name='topoext'/>
+  </cpu>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2'/>
+      <source file='/var/lib/libvirt/images/ubuntu2204.img' index='2'/>
+      <backingStore/>
+      <target dev='vda' bus='virtio'/>
+      <alias name='virtio-disk0'/>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+    </disk>
+    <disk type='file' device='cdrom'>
+      <driver name='qemu'/>
+      <target dev='sda' bus='sata'/>
+      <readonly/>
+      <alias name='sata0-0-0'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0' model='ich9-ehci1'>
+      <alias name='usb'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x7'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci1'>
+      <alias name='usb'/>
+      <master startport='0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci2'>
+      <alias name='usb'/>
+      <master startport='2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x1'/>
+    </controller>
+    <controller type='usb' index='0' model='ich9-uhci3'>
+      <alias name='usb'/>
+      <master startport='4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1d' function='0x2'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <alias name='ide'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='pci' index='0' model='pcie-root'>
+      <alias name='pcie.0'/>
+    </controller>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x8'/>
+      <alias name='pci.1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x9'/>
+      <alias name='pci.2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0xa'/>
+      <alias name='pci.3'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0xb'/>
+      <alias name='pci.4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
+    </controller>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0xc'/>
+      <alias name='pci.5'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x4'/>
+    </controller>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0xd'/>
+      <alias name='pci.6'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x5'/>
+    </controller>
+    <controller type='virtio-serial' index='0'>
+      <alias name='virtio-serial0'/>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </controller>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/var/tomcatlib'/>
+      <target dir='/libshare'/>
+      <readonly/>
+      <alias name='fs0'/>
+      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
+    </filesystem>
+    <filesystem type='mount' accessmode='mapped'>
+      <source dir='/home/core/fonts'/>
+      <target dir='/fontshare'/>
+      <readonly/>
+      <address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
+    </filesystem>
+    <interface type='network'>
+      <mac address='52:54:00:09:ff:01'/>
+      <source network='default' portid='b6f0ab6c-b777-4a92-9ef3-7d6565f839f1' bridge='virbr0'/>
+      <target dev='vnet0'/>
+      <model type='virtio'/>
+      <alias name='net0'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <source path='/dev/pts/1'/>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+      <alias name='serial0'/>
+    </serial>
+    <console type='pty' tty='/dev/pts/1'>
+      <source path='/dev/pts/1'/>
+      <target type='serial' port='0'/>
+      <alias name='serial0'/>
+    </console>
+    <channel type='unix'>
+      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-2-ubuntu2204/org.qemu.guest_agent.0'/>
+      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
+      <alias name='channel0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+    </channel>
+    <input type='mouse' bus='ps2'>
+      <alias name='input0'/>
+    </input>
+    <input type='keyboard' bus='ps2'>
+      <alias name='input1'/>
+    </input>
+    <memballoon model='virtio'>
+      <alias name='balloon0'/>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+      <alias name='rng0'/>
+      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+    </rng>
+  </devices>
+  <seclabel type='dynamic' model='dac' relabel='yes'>
+    <label>+64055:+108</label>
+    <imagelabel>+64055:+108</imagelabel>
+  </seclabel>
+</domain>
+