libvirtd

32f04dbb · Szeberényi Imre · 601eebe6 · 32f04dbb · 32f04dbb
Commit 32f04dbb authored Nov 02, 2025 by Szeberényi Imre
Show whitespace changes
Inline Side-by-side

Showing with 58 additions and 11 deletions

roles/vmdriver/handlers/main.yml
+5 -0

roles/vmdriver/tasks/main.yml
+53 -11

No files found.
--- a/roles/vmdriver/handlers/main.yml
+++ b/roles/vmdriver/handlers/main.yml
@@ -5,6 +5,11 @@
    state: restarted
  become: yes

+- name: reload udev
+  command: udevadm control --reload
+  changed_when: false
+  become: yes
+
 - name: systemd daemon-reload
  ansible.builtin.systemd:
    daemon_reload: yes

--- a/roles/vmdriver/tasks/main.yml
+++ b/roles/vmdriver/tasks/main.yml
@@ -44,27 +44,61 @@
    group: kvm
    mode: "0755"

+- name: Ensure libvirt TCP socket is enabled and unmasked
+  become: yes
+  block:
+    - name: Unmask libvirtd.service
+      ansible.builtin.systemd:
+        name: libvirtd.service
+        masked: no
+
+    - name: Stop libvirtd.service (it will be socket-activated)
+      ansible.builtin.systemd:
+        name: libvirtd.service
+        state: stopped
+
+    - name: Enable and start libvirtd-tcp.socket
+      ansible.builtin.systemd:
+        name: libvirtd-tcp.socket
+        enabled: yes
+        state: started
+
+- name: Disable libvirt security drivers (AppArmor/SELinux)
+  become: yes
+  block:
+    - name: Ensure libvirtd.conf has security_driver="none"
+      ansible.builtin.lineinfile:
+        path: /etc/libvirt/libvirtd.conf
+        regexp: '^#?\s*security_driver\s*='
+        line: 'security_driver = "none"'
+        create: yes
+        backup: yes
+
+    - name: Ensure qemu.conf has security_driver="none"
+      ansible.builtin.lineinfile:
+        path: /etc/libvirt/qemu.conf
+        regexp: '^#?\s*security_driver\s*='
+        line: 'security_driver = "none"'
+        create: yes
+        backup: yes
+
+    - name: Restart libvirtd to apply security_driver changes
+      ansible.builtin.systemd:
+        name: libvirtd.service
+        state: restarted
+
 - name: Ensure Open vSwitch bridge 'cloud' exists
  command: ovs-vsctl add-br cloud
  args:
    creates: /sys/class/net/cloud

- name: Deploy sudoers fragment (if provided)
-  copy:
-    src: "sudoers"
-    dest: /etc/sudoers.d/netdriver
-    owner: root
-    group: root
-    mode: "0600"
-  when: lookup('ansible.builtin.fileglob', role_path + '/files/sudoers') | length > 0
-
 - name: Clone vmdriver repository
  git:
    repo: "{{ vmdriver_repo_url }}"
    version: "{{ vmdriver_repo_rev }}"
    dest: "{{ vmdriver_repo_dir }}"
-    update: false
-    force: false
+    update: true
+    force: true
  become: true
  become_user: "{{ vmdriver_user }}"

@@ -95,6 +129,14 @@
    virtualenv: "{{ vmdriver_venv_dir }}"
    virtualenv_python: python3.9

+- name: Deploy sudoers fragment
+  copy:
+    src: "{{ vmdriver_repo_dir }}/miscellaneous/netdriver.sudo"
+    dest: /etc/sudoers.d/netdriver
+    owner: root
+    group: root
+    mode: "0600"
+
 - name: Install postactivate script if present
  copy:
    src: "postactivate"