libvirt: Update howto and add setup automation. #636
👍 on the playbook. I've never needed to do the firewalld configuration.
ansible scripts are useful when you need to perform the same task multiple times. This setup is required only once.
@abhinavdahiya I agree, however, I feel ansible is slightly easier to maintain than bash. In addition to that, I fully expect people (and a large number of them) to need to set up this configuration (so while the setup is a one-time operation per person, it's something that, as a repo, will be done 100s or 1000s of times).
I need them on my RHEL 7.5 CSB. |
hack/ocp_libvirt_setup.yaml
How reliable is ~/.local/bin? The most robust approach to installing terraform is to place it in bin/ as a sibling of openshift-install.
It should be VERY reliable on systemd-based distributions (https://unix.stackexchange.com/questions/316765/which-distributions-have-home-local-bin-in-path). I can at the very least trust that if I put things in it, they end up in my user's path.
One thing I have noticed on RHEL / Fedora is that .local/bin may not exist, so you may need to create it, but I think I take care of that with the playbook (now - see updated PR).
Yeah, the firewall steps absolutely are needed! It's very unsafe to run an unprotected libvirtd.
Why? If you investigate what they do, they simply allow traffic from your default interface to the libvirt NAT bridge that gets created. By default on RHEL (non-CSB) and Fedora that traffic is allowed. What special rules has the CSB added that make you need to punch a hole in a firewall to allow local traffic?
Force-pushed d30fe75 to b629a74.
Networking/Firewall sections are not needed. Adding simple, ansible playbook to complete libvirt-howto on fedora.
Force-pushed b629a74 to ffb427c.
/retest
I'm new to firewalld, so I may be looking in the wrong places. But:

```
$ sudo firewall-cmd --get-default-zone
public
$ sudo cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
$ sudo sha1sum /etc/firewalld/zones/public.xml /usr/lib/firewalld/zones/public.xml
7626e734e58cc487e3fa9c2d5009b96b3974293a  /etc/firewalld/zones/public.xml
7626e734e58cc487e3fa9c2d5009b96b3974293a  /usr/lib/firewalld/zones/public.xml
$ sudo rpm -qf /etc/firewalld/zones/public.xml
file /etc/firewalld/zones/public.xml is not owned by any package
$ rpm -qf /usr/lib/firewalld/zones/public.xml
firewalld-0.4.4.4-15.el7_5.noarch
```

Again, I'm not familiar with any of this, but that looks like it's blocking everything except those two services from everywhere, both external hosts and internal VMs. Now that I've drilled the holes suggested by the libvirt docs, I have:

```
$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp2s0 tun0
  sources: 192.168.126.0/24
  services: ssh dhcpv6-client
  ports: 16509/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
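An added example, not code from this PR or the installer repository: a small parser for the `firewall-cmd --list-all` output quoted above, plus a check that shows why a port opened on the `public` zone is reachable from the physical interfaces (`wlp2s0 tun0`) as well as from the VM subnet added as a source, since zone-level ports apply to everything matched into the zone. The sample output is the one quoted above; the `virbr*` naming of libvirt bridge interfaces is an assumption.

```python
import re

# Constructed sample: the `firewall-cmd --list-all` output quoted in the comment above.
SAMPLE = """public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp2s0 tun0
  sources: 192.168.126.0/24
  services: ssh dhcpv6-client
  ports: 16509/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""
LIBVIRTD_PORT = "16509/tcp"  # the port opened in the comment above

def parse_list_all(text):
    """Parse `firewall-cmd --list-all` output: zone name, active flag, one list per field.
    Rich rules print one per tab-indented line under `rich rules:`, so those are appended."""
    lines = text.strip("\n").splitlines()
    m = re.match(r"\s*(\S+)\s*(\(active\))?", lines[0])
    zone = {"zone": m.group(1), "active": m.group(2) is not None}
    key = None
    for line in lines[1:]:
        if line.startswith("\t") and key is not None:
            zone[key].append(line.strip())
            continue
        key, _, value = line.strip().partition(":")
        zone[key] = value.split()
    return zone

def libvirtd_exposure(zone, vm_subnet="192.168.126.0/24"):
    """List how LIBVIRTD_PORT is reachable: a zone-level port applies to every interface
    and source matched into the zone unless a rich rule narrows it by source address."""
    findings = []
    if LIBVIRTD_PORT not in zone.get("ports", []):
        return findings
    # Assumption: libvirt's NAT bridge interfaces are named virbr*; anything else is physical.
    phys = [i for i in zone.get("interfaces", []) if not i.startswith("virbr")]
    if phys:
        findings.append("%s open via interfaces %s" % (LIBVIRTD_PORT, " ".join(phys)))
    if vm_subnet in zone.get("sources", []):
        findings.append("%s open from VM subnet %s" % (LIBVIRTD_PORT, vm_subnet))
    if not any("16509" in rule for rule in zone.get("rich rules", [])):
        findings.append("no rich rule restricting the port by source address")
    return findings
```

Running `libvirtd_exposure(parse_list_all(SAMPLE))` on the quoted output yields three findings; a rich rule limiting the port to the VM subnet, or binding the bridge to its own zone, removes the physical-interface exposure.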
/test-e2e-aws-all

/test e2e-aws-all
@abhinavdahiya actually I found out that, since the installer modifies the host quite heavily and calling uninstall of a cluster could wipe other images in the storage pool, it was safer for me to try out installer via nested virtualization than local laptop. |
Tried since #660 ? |
@wking not yet. I am trying in a VM right now and if it works as expected, I would love to run the installer on my bare metal machine. The other thing was - uninstalling the cluster never quite wiped the old cluster. I think some of the tf files and networking stuff were still left on the host. But it was a few weeks back, so I am trying it now again.
```yaml
  register: storage_pool

- block:
  - name: Enable dnsmasq dns for NetworkManager
```
It would be nice if we are adding automation to carry out some of the libvirt setup for us to also have automation to undo it. The unfortunate truth of the libvirt method is that the changes being made to the system are not trivial.
The installer docs are not the best place to include ansible/bash scripts to set up a libvirt env for devs' machines, as in our current experience they vary largely, to the point that these scripts become useful for a select few. Generic docs are better to guide devs on what needs to be done and not exactly how.
/close