├── README ├── tasks └── main.yml └── vars └── main.yml /README: -------------------------------------------------------------------------------- 1 | Deprecated by https://github.com/alexpdp7/alexpdp7/tree/master/personal_infra/playbooks/roles/proxmox_create_lxc , https://github.com/alexpdp7/alexpdp7/tree/master/personal_infra/playbooks/roles/join_ipa 2 | 3 | Just a small task to provision a Proxmox LXC container joined to FreeIPA. 4 | 5 | Typical Playbook usage: 6 | 7 | --- 8 | - hosts: 9 | tasks: 10 | - include_role: 11 | name: create-proxmox-centos7-ipa 12 | vars: 13 | hostname: 14 | vmid: "{{ hostvars['']['proxmox_vmid'] }}" 15 | root_password: "{{ hostvars['']['root_password'] }}" 16 | ipa_domain: "{{ ipa_domain_name }}" 17 | ipa_username: admin 18 | ipa_password: "{{ ipa_admin_password }}" 19 | centos_version: 8 # 7 is the default 20 | 21 | I keep IPA data on group_vars/all/(vars|vault) and proxmox_vmid/root_password on 22 | host_vars//(vars|vault). 23 | 24 | I only need a single line in the inventory for each host's hostname, and I put: 25 | 26 | ansible_become: True 27 | ansible_user: 28 | 29 | in the host's variables to connect. 30 | 31 | I use DHCP/DNS so IP configuration is automatic and I can access the containers 32 | using their hostname. 33 | 34 | You can use extra vars such as memory/swap to set up memory and swap allocation 35 | and extra_opts for extra options for pct_create. 36 | 37 | You can use an "unprivileged" boolean parameter to create an unprivileged container 38 | (with some Docker support), but at the moment this is not recommended due to: 39 | 40 | https://bugzilla.proxmox.com/show_bug.cgi?id=2036 41 | https://bugzilla.redhat.com/show_bug.cgi?id=1589968 42 | https://bugs.centos.org/view.php?id=14897 43 | 44 | Also, you cannot use ZFS mountpoints inside unprivileged containers, at least in EL8. 
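---
# ---- file: tasks/main.yml ----
#
# Provision a Proxmox LXC container from a CentOS/Rocky template and join it
# to FreeIPA. Every task runs on the Proxmox host; work inside the container
# goes through `pct exec`.
#
# Required vars: vmid, hostname, root_password, ipa_domain, ipa_username,
# ipa_password. Optional: centos_version (default from vars/main.yml),
# memory, swap, disk, storage, extra_opts, unprivileged; when unprivileged
# is true, ipa_idrange_start and ipa_idrange_size are required as well.
#
# Secrets: root_password is piped to chpasswd on stdin (never in argv);
# ipa_password is unavoidably passed on the ipa-client-install command line
# and is visible in `ps` on the host and in the container while that task
# runs. Both tasks are no_log so the values do not reach Ansible output/logs.
#
# NOTE(review): the templates pinned in vars/main.yml are several years old
# and this role only installs packages, it never runs a full `yum update`;
# the container keeps whatever the template shipped until it is updated.

- name: download centos container
  # centos_version may arrive as a string from -e/extra vars; the template
  # table is keyed by integers, hence the `| int`.
  command: "pveam download local {{ centos_templates[centos_version | int] }}_amd64.tar.xz"
  args:
    creates: "/var/lib/vz/template/cache/{{ centos_templates[centos_version | int] }}_amd64.tar.xz"

- name: create host {{ hostname }}
  # Idempotent via `creates`; an existing /etc/pve/lxc/<vmid>.conf means the
  # container is already defined. `storage` defaults to the original
  # hard-coded local-zfs so existing callers are unaffected.
  command: >
    pct create {{ vmid }} /var/lib/vz/template/cache/{{ centos_templates[centos_version | int] }}_amd64.tar.xz
    -storage {{ storage | default('local-zfs') }}
    -hostname {{ hostname }}
    -net0 name=eth0,bridge=vmbr0,ip=dhcp
    -onboot 1
    -memory {{ memory | default(512) }}
    -swap {{ swap | default(512) }}
    -rootfs {{ storage | default('local-zfs') }}:{{ disk | default(4) }}
    {{ "-features nesting=1,keyctl=1 --unprivileged" if unprivileged | default(false) else "" }}
    {{ extra_opts | default("") }}
  args:
    creates: "/etc/pve/lxc/{{ vmid }}.conf"

# /etc/pve is the pmxcfs FUSE filesystem, where blockinfile's atomic rename
# does not work; the config is therefore edited in a temp file and copied
# back with cp. The temp file is created with `tempfile` (private, 0600,
# unpredictable name) instead of the fixed, world-visible /tmp/cpci path the
# role used before, so another local user cannot pre-create or swap it
# between the edit and the copy back.
- name: create temp file for {{ hostname }} config edit
  tempfile:
    state: file
    suffix: .pct
  register: pct_conf_tmp
  when: unprivileged | default(false)

- name: set id mappings {{ hostname }} copy out
  copy:
    remote_src: true
    src: "/etc/pve/lxc/{{ vmid }}.conf"
    dest: "{{ pct_conf_tmp.path }}"
    mode: "0600"
  when: unprivileged | default(false)

- name: set id mappings {{ hostname }}
  # Container UIDs/GIDs 0-65535 map to host 100000-165535; the IPA ID range
  # is mapped 1:1 so IPA identities are the same inside and on the host.
  # LXC rejects overlapping ranges, so ipa_idrange_start must lie outside
  # both 0-65535 (container side) and 100000-165535 (host side), and root
  # needs that range granted in the host's /etc/subuid and /etc/subgid.
  # The 1:1 mapping means those IDs are NOT isolated from the host.
  blockinfile:
    path: "{{ pct_conf_tmp.path }}"
    block: |
      lxc.idmap = u 0 100000 65536
      lxc.idmap = g 0 100000 65536
      lxc.idmap = u {{ ipa_idrange_start }} {{ ipa_idrange_start }} {{ ipa_idrange_size }}
      lxc.idmap = g {{ ipa_idrange_start }} {{ ipa_idrange_start }} {{ ipa_idrange_size }}
  when: unprivileged | default(false)

- name: set id mappings {{ hostname }} copy in
  command: "cp {{ pct_conf_tmp.path }} /etc/pve/lxc/{{ vmid }}.conf"
  when: unprivileged | default(false)

- name: remove temp file for {{ hostname }} config edit
  file:
    path: "{{ pct_conf_tmp.path }}"
    state: absent
  when: unprivileged | default(false)

- name: start container
  # Only start when `pct status` does not already report running.
  shell: "{ pct status {{ vmid }} | grep running ; } || pct start {{ vmid }}"
  register: pct_start
  changed_when: "'running' not in pct_start.stdout"

- name: wait for networking to come up
  # Fixed sleep to let the DHCP lease arrive; there is no positive check
  # that the container actually has an address before the next tasks.
  pause:
    seconds: 10

- name: set root password
  # Password goes in on stdin, so it never appears in argv; no_log keeps it
  # out of Ansible output and logs.
  command: "pct exec {{ vmid }} -- chpasswd"
  args:
    stdin: "root:{{ root_password }}"
  no_log: true

- name: fix hosts
  # Drop the template's LXC_NAME placeholder line from /etc/hosts.
  command: "pct exec {{ vmid }} -- sed -i 's/^.*LXC_NAME.*$//' /etc/hosts"

- name: install ssh ipa sudo NetworkManager
  command: "pct exec {{ vmid }} -- yum install -y openssh-server ipa-client sudo NetworkManager"

- name: enable NetworkManager
  command: "pct exec {{ vmid }} -- systemctl enable NetworkManager"

- name: start NetworkManager
  command: "pct exec {{ vmid }} -- systemctl start NetworkManager"

- name: fix hostname in nm
  # `quote` keeps a hostname with shell metacharacters from breaking or
  # escaping the inner `sh -c` string.
  command: "pct exec {{ vmid }} -- sh -c \"nmcli general hostname {{ hostname | quote }} ; nmcli c down 'System eth0' ; nmcli c up 'System eth0'\""
  when: centos_version | int == 8

- name: enable ssh server
  command: "pct exec {{ vmid }} -- systemctl enable sshd"

- name: start ssh server
  command: "pct exec {{ vmid }} -- systemctl start sshd"

- name: install ipa
  # -N because LXC containers don't do ntp; Kerberos still requires the
  # host clock (which the container shares) to be in sync with IPA.
  # `getent passwd admin` succeeding means sssd already resolves IPA users,
  # so enrollment is skipped on re-runs.
  # -w puts the password in argv (visible in `ps` while this runs); `quote`
  # stops special characters in the password/domain/user from breaking the
  # inner bash -c string, and no_log keeps the value out of Ansible output.
  # no_log also hides the failure output of ipa-client-install; check
  # /var/log/ipaclient-install.log in the container when debugging.
  command: "pct exec {{ vmid }} -- bash -c \"getent passwd admin || ipa-client-install -U -N --domain={{ ipa_domain | quote }} --mkhomedir -w {{ ipa_password | quote }} -p {{ ipa_username | quote }}\""
  no_log: true

# https://bugzilla.redhat.com/show_bug.cgi?id=1593462
- name: restart dbus
  command: "pct exec {{ vmid }} -- systemctl restart dbus"

# https://serverfault.com/questions/792486/ssh-connection-takes-forever-to-initiate-stuck-at-pledge-network
- name: restart systemd-logind
  command: "pct exec {{ vmid }} -- systemctl restart systemd-logind"

- name: restart oddjobd
  command: "pct exec {{ vmid }} -- systemctl restart oddjobd"

---
# ---- file: vars/main.yml ----
#
# Template names as listed by `pveam available` (without the _amd64.tar.xz
# suffix), keyed by the integer centos_version; tasks look them up with
# `centos_version | int` so a string "8" from -e also works.
#
# NOTE(review): both pins are old (2019, 2021) and CentOS 7 is end-of-life,
# so a freshly created container starts unpatched until it is updated.
# NOTE(review): role vars/ outrank inventory and play vars, so
# centos_version must be overridden via include_role vars or -e (as the
# README shows); a value in group_vars/host_vars would be ignored.
centos_templates:
  7: centos-7-default_20190926
  8: rockylinux-8-default_20210929
centos_version: 7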