Satellite 6 Demo using Ansible
Group of ansible roles to install Satellite 6 and multiple systems in order to perform a demo.
INFORMATION
This playbook will take a while to run.
This was based on two projects. One is by Julio Villarreal Pelegrino, and another is from me (Billy Holmes).
Overview
This collection of roles will create a collection of systems for a Satellite 6 Demo that exist behind a jump box using internal non-public networks. It does the following actions:
- Creates a bunch of VMs via oVirt (or AWS when working)
- router server VM for proxy
- (proxied) satellite server VM
- (proxied) optional number of satellite capsule VMs
- (proxied) optional number of client VMs
- Adds and configures any extra
- extra network interfaces are added and renamed to sane values
- extra disks are added to new or existing LVMs and existing content is rsync'd (for example for /var)
- Properly configures the storage requirements for
- Sat6 based on the install
- based on recommendations for mongodb
- Configures the router
- haproxy, dnsmasq
- Adds all the hosts in the demo for dns to work behind the proxy.
- Configures the satellite server
- installs all the packages and configures the firewall
- runs the satellite installer and starts satellite
- copies or downloads the manifest from the Red Hat Portal
- enables all the demo repos and sets them for on-download for deferred downloads
- synchronizes the repos
- defines the demo content-views, adds all their repos, and publishes 1st version
- defines the demo lifecycle environments
- defines filters for one demo view, publishes, promotes them to environments, with one-month increment filters
- sets up the system with sane values, activation keys, hostgroups, subnets, attaching subscriptions, and remastering the pxe-less discovery iso for automatic discovery
There will be more later, but this is as far as I've gotten.
Requirements
You will need a Red Hat Subscription for the following products:
- Red Hat Enterprise Linux Server Version 7
- Satellite 6
Additionally you will need the following:
- A Red Hat Portal account login info / or a Satellite 6 manifest file
- (AWS demo isn't working yet)
- Admin access to oVirt or RHV virtualization environment with at least 2 networks (VLANs are ok), one isolated
You will also need Ansible. There are several options:
- Red Hat Ansible Tower
- The Ansible Website
- Via a Docker image from the included Dockerfile
You will need some RHEL templates with cloud-init installed.
- Build a RHEL image yourself and enable cloud-init
- Download and install the KVM image on the Red Hat Portal for RHEL 7.3
- When working: for AWS, enable Cloud Access and access the RHEL 7.3 image from the market place
- Also via Cloud Access, you can bring your own image (BYOI)
You can obtain this from either the Red Hat Portal or the AWS (when working) market place if you enabled Cloud Access
Layout
Playbooks
The project has the following parent playbooks:
- site.yml - this is the main playbook that joins the VM creation and configuration plays
- create_vms.yml - this creates virtual machines from the demo-vms group
- configure_vms.yml - this configures the direct and proxied VMs
- clean_vms.yml - this cleans up everything, and will even unregister the RHEL systems
Groups
The project has a number of groups:
- demo-vms - all the VMs for the demo
- ovirt-hosts - all the VMs that should be on RHV or oVirt
- aws-hosts - all the AWS hosts (doesn't work yet)
- direct - all the directly accessible hosts. Move them into aws-hosts or ovirt-hosts
- proxied - all the non-directly accessible hosts. Move them into aws-hosts or ovirt-hosts
- routers - direct router that allows access to the proxied hosts
- satellites - proxied satellite server for the demo
- capsules - proxied capsule servers (doesn't work yet)
- clients - proxied a bunch of clients for the demo (configures and builds, but not complete)
Roles
The project defines several roles that perform a lot of the magic:
- vms-ovirt - the role that is used to create the oVirt VMs
- vms-aws - TODO will be the role that is used to create the AWS VMs
- rhel - the role that configures a RHEL server
- router - rhel based role that configures the router server
- satellite - rhel based role that configures the satellite server
- satellite-capsule - TODO will be the role that configures satellite capsules
- satellite-client - TODO will be the role that configures satellite clients
Variables
Variable Locations
All role variables are stored as defaults in the roles/:role:/defaults/main.yml. This allows them to be easily overridden via:
- group_vars - variables that are defined for the specific groups above
- inventory vars - variables that are defined for a specific host in the inventory file
- commandline - variables that override everything
Customization of Group Vars
There's a few variables that you will want to customize and their typical location.
There's a lot to customize, so only the most important are listed.
Variable file: group_vars/all/customize.yml
This holds all the variables that are global and can be public:
- ovirt_url - the URL for the oVirt/RHV management interface
- ovirt_user - the username for the oVirt/RHV management interface
- vm_template - define your basic RHEL template here for all systems except the router
- routers_vm_template - this is like the vm_template above, except it should be RHEL Atomic Host for the router(s)
- routers_storage_domain - this is the storage domain from where to allocate the extra disk for the routers
- satellite_storage_domain - like above, but this is for the satellite server
- capsule_storage_domain - like above, but this is for the capsules
- subscription_ak - the default activation key
- satellites_subscription_ak - the activation key for the satellite server
- add_certificates - a list of servers:port to automatically download their CA and add to configured VMs
- docker_haproxy - This will override the docker image/location for the haproxy (if you have a local registry)
- docker_ovirt_agent - same as the docker_haproxy above
- satellite_rhsm_user - the username for RHSM (only used for satellite configuration if you don't have a manifest file)
- satellite_rhsm_pass - the password for RHSM (only used for satellite configuration if you don't have a manifest file)
- satellite_manifest_file - the manifest file on the local file system to copy and then upload to the satellite server
- pulp_mirror - a local pulp mirror to configure pulp alternative content sources
- authorized_ssh_keys - you can leave it blank and a task will automatically put ~/.ssh/id_rsa.pub on all VMs
- subscription_mirror - a list of repos that mirror the RHEL repos (it can be another satellite pulp mirror)
- satellite_subscription_mirror - like above, except for the satellite server
Variable file: group_vars/all/secret.yml
This holds all the variables that aren't public, but you need. There's a secret.yml.example file for hints:
- subscription_org - the subscription organization to pair with the activation key. You can obtain this by running subscription-manager identity on any registered RHEL system.
- ovirt_pass - the login for the ovirt_user above
- satellite_rhsm_pass - the password that goes with the satellite_rhsm_user variable
Variable file: group_vars/demo-vms.yml
- user_password - by default we make a random password, and expect ssh-keys to work
Special Variables
There are some variables through the group files that are common in their function.
- satellite_hammer_configure_CV_filters - special variable that kicks off the creation of filters and rules by month ranges. It runs every time in order to update the rules, therefore the variable is set to False by default. Set to True to enable this for a single run by using the --extra-vars flag.
- satellite_rhsm_user - (satellite role) used to login into the Red Hat Portal
  - if this and the password are defined then the role will access the portal, and attempt to find and download the manifest.zip that matches the name of the current default Organization for the Satellite.
  - if they aren't defined, and the satellite_manifest_file is, then the role will copy the manifest.zip from the local ansible host, and then upload it into the satellite server.
- subscription_mirror - (rhel role) will create mirror.repo in /etc/yum.repos.d/ from the contents of the dictionary
  - it will also install plugins from subscription_plugins from the repos in subscription_repos_mirror
- satellite_subscription_contract
  - if not defined, then we look for a subscription to attach to the activation key, sorted by highest Quantity
  - if defined, then we will select the first subscription with that contract number
- authorized_ssh_keys - (rhel role) if blank will pull in ~/id_rsa.pub
  - otherwise will use the contents of the variable
- nic dictionary - (global) is auto populated from inventory vars
  - useful for playbooks that don't call a setup such as the vm creation tasks
  - or when you don't know the ip address of the host yet
  - or can not connect to it to obtain it, but still need it for a task
- ansible_ssh_common_args - (global) defined for the proxied hosts in order to use the router as the jump host
- vm_extra_disks - (vms-ovirt role and later aws) will automatically add those disks to the VM
  - storage_domain - (above) the pre-existing storage domain for the added disks. (big/cheap/fast)
- lv - (rhel role) this small variable has big consequences if defined.
  - it will add the extra disks
  - add/configure to existing or new VG/LV
  - rsync any existing files if asked
  - and define a read-ahead value to meet the mongodb requirements and add that rule to udev
Dependencies
Obviously you need Ansible, but if you don't use the existing Docker image, then you also need the following.
Via the pip module or installed:
- (via yum) bind-utils
- pip - update it
- pycurl with the environment variable PYCURL_SSL_LIBRARY=nss or you'll break your yum
- beautifulsoup4
- dnspython - for various DNS filters
- jinja2 < version 2.9 - this is needed for the dict() function that's not in version 2.7, and we can't use 2.9
- jmespath - for json_query() filter
- netaddr - for the ipaddr filter
- ovirt-engine-sdk-python - to use ovirt_* modules
- pyOpenSSL - for the SSL socket stuff in python
- requests - might not need this one actually TODO
If you use pip, some of those above will need to be compiled, and you'll need (for centos at least):
- @development - to compile anything
- libcurl-devel
- libxml2-devel
- libxslt-devel
- openssl-devel
- python-devel
- python-firewall
- redhat-rpm-config
Host File
The host file for this role is inventory.prod. There's some special logic in it:
[test]
test-server ip=rhevm:eth0:192.168.26.63/24,int0:eth1:192.168.30.2/24,int1:eth2:192.168.31.2/24 gw=10
The above defines a test-server in the test group with three network interfaces and a gateway.
When expanded out by logic in the playbooks and templates, it will look like this.
- interface 1
  - rhevm oVirt interface (VM)
  - eth0 OS interface
  - 192.168.26.63/24 is host/mask of the interface
- interface 2
  - int0 oVirt interface (VM)
  - eth1 OS interface
  - 192.168.30.2/24 is host/mask of the interface
- interface 3
  - int1 oVirt interface (VM)
  - eth2 OS interface
  - 192.168.31.2/24 is host/mask of the interface
- gateway
  - assumes 1st interface, 10 ip addresses into the CIDR of the network 192.168.26.0/24
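The ip=/gw= expansion described above, as an added example (not the project's own playbook or template logic): it parses the inventory values into per-interface entries and derives the gateway, rejecting malformed entries before any VM is built from them. The function name and dictionary keys are assumptions, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample: the ip= and gw= values from the inventory line above.
SAMPLE_IP = ("rhevm:eth0:192.168.26.63/24,"
             "int0:eth1:192.168.30.2/24,"
             "int1:eth2:192.168.31.2/24")
SAMPLE_GW = "10"


def expand_host_vars(ip_spec, gw_offset):
    """Return (nics, gateway) for one inventory host.

    Hypothetical helper: the name and the dict keys are illustrative and
    are not taken from the project's playbooks. IPv4 only.
    """
    nics = []
    for number, entry in enumerate(ip_spec.split(","), start=1):
        parts = entry.split(":")
        if len(parts) != 3 or not all(parts) or "/" not in parts[2]:
            raise ValueError(
                f"interface {number}: want ovirt_nic:os_nic:addr/mask, got {entry!r}")
        ovirt_nic, os_nic, cidr = parts
        iface = ipaddress.IPv4Interface(cidr)  # ValueError on a bad address or mask
        nics.append({
            "ovirt_nic": ovirt_nic,
            "os_nic": os_nic,
            "address": str(iface.ip),
            "prefix": iface.network.prefixlen,
            "network": str(iface.network),
        })

    # The gateway sits gw_offset addresses into the first interface's network.
    first_net = ipaddress.IPv4Network(nics[0]["network"])
    offset = int(gw_offset)
    if not 0 < offset < first_net.num_addresses - 1:
        raise ValueError(f"gw={gw_offset} is not a usable host in {first_net}")
    return nics, str(first_net.network_address + offset)


if __name__ == "__main__":
    nics, gateway = expand_host_vars(SAMPLE_IP, SAMPLE_GW)
    for nic in nics:
        print(nic)
    print("gateway:", gateway)
```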
How to run the playbook
You will need the following beforehand:
- Create and/or download a Satellite manifest (explained below).
- Download/install or create a RHEL 7 Template with cloud-init enabled
- Download/install or create a RHEL 7 Atomic Host Template with cloud-init enabled
- Edit inventory.prod with your ip networks and dns
- Edit group_vars/all/customize.yml with your settings
- Optionally copy group_vars/all/customize.yml to group_vars/all/secret.yml and edit with your full settings. The project's .gitignore is set to ignore the secret.yml file
How to create or download the manifest for Satellite 6
Go to rhn.redhat.com.
- Click "Satellite"
- Click "Register a Satellite"
- Set a Name, select a version and click "Register"
After this we are going to attach a subscription.
- Click "Attach Subscription" and select the subscription to attach and click "Attach Selected"
After this we will download the manifest.
- Click "Download manifest"
After this copy the downloaded file inside the /files directory on the role and name it satellite_manifest.zip
Then edit the variable file on group_vars/all/customize.yml to set it to your environment.
Run the playbook
ansible-playbook -i inventory.prod site.yml
Skipping or only running certain sections
You can add --tags= to the playbook to limit the run to only certain tags.
The following tags are defined for different roles:
- vms-ovirt: ovirt - on all tasks below
  - login - only run the login sequence
  - create - only run the initial VM creation part
  - disks - only run the extra attachment of disks
  - tags - only tag the VMs as demo VMs
- rhel: configure - on all tasks below
  - certificates - only get CA certs and add them to the system
  - subscriptions - only register and attach subscriptions
  - mirrors - only run the section that adds the repo mirrors
  - disks - only run the disks plays that add and rsync new disks
- routers: configure - since it depends on the rhel role, this also has a configure tag
  - networks - configures the networks and the extra interfaces for routing/MASQ
  - docker - for starting the haproxy and rhev agent docker containers
- satellites: satellite - only satellite tasks
  - satellite-packages - only install the packages to the system
  - satellite-networks - only configure the firewall and network
  - satellite-install - run the installer
  - satellite-hammer - run all the tasks that need hammer
  - satellite-manifest - only run the manifest tasks
  - satellite-repos - only run the repository tasks
  - satellite-sync - only sync the repositories
  - satellite-view - only create the content-views
  - satellite-environments - only create the lifecycle environments
  - satellite-cv-filter - only create/remove the sequence of creating rules for a demo view using 4 months of filters
  - satellite-provision - only run the provisioning sanity steps
License
MIT
Author Information
Billy Holmes
Based on work by:
Julio Villarreal Pelegrino, more at: http://wwww.juliovillarreal.com