add gateway ansible-init role

sjpb · sjpb · commit 360276768770 · 2025-03-05T15:51:15.000Z
diff --git a/ansible/.gitignore b/ansible/.gitignore
@@ -86,3 +86,5 @@ roles/*
 !roles/pytools/**
 !roles/rebuild/
 !roles/rebuild/**
+!roles/gateway/
+!roles/gateway/**
diff --git a/ansible/fatimage.yml b/ansible/fatimage.yml
@@ -79,7 +79,7 @@
 - import_playbook: extras.yml
 
 # TODO: is this the right place?
-- name: Install compute_init script
+- name: Install compute_init playbook
   hosts: compute_init
   tags: compute_init # tagged to allow running on cluster instances for dev
   become: yes
@@ -88,6 +88,15 @@
         name: compute_init
         tasks_from: install.yml
 
+- name: Install gateway playbook
+  hosts: gateway
+  tags: compute_init
+  become: yes
+  gather_facts: no
+  tasks:
+    - include_role:
+        name: gateway
+
 - hosts: builder
   become: yes
   gather_facts: yes
diff --git a/ansible/roles/gateway/files/gateway-init.yml b/ansible/roles/gateway/files/gateway-init.yml
@@ -0,0 +1,93 @@
+- hosts: localhost
+  #become: true
+  gather_facts: false
+  vars:
+    os_metadata: "{{ lookup('url', 'http://169.254.169.254/openstack/latest/meta_data.json') | from_json }}"
+    #gateway_ip: "{{ os_metadata.meta.gateway_ip | default('') }}"
+    access_ip:  "{{ os_metadata.meta.access_ip | default('') }}"
+    gateway_ip: 172.16.0.1  # DEBUG - actual
+    # gateway_ip: 192.168.9.1
+    #gateway_ip: 10.20.0.0
+    gateway_ip: ''
+  tasks:
+    - name: Read nmcli device info
+      command: nmcli --get GENERAL.DEVICE,GENERAL.CONNECTION,IP4.ADDRESS,IP4.GATEWAY device show
+      register: _nmcli_device_raw
+      changed_when: false
+
+    - name: Set fact for nmcli devices
+      set_fact:
+        # creates a dict with keys as per zip arg below, values might be ''
+        nmcli_devices: >-
+          {{
+            _nmcli_device_raw.stdout_lines |
+            batch(5, '') |
+            map('zip', ['device', 'connection', 'ip4_address', 'ip4_gateway']) |
+            map('map', 'reverse') | map('community.general.dict')
+          }}
+        # batch=5 because per device have 4x lines + blank line between devices
+        # batch takes default '' because last devices doesn't have trailing blank line
+
+    - name: Examine whether device address contains gateway_ip
+      set_fact:
+        device_is_gateway_device: "{{ nmcli_devices | map(attribute='ip4_address') | map('ansible.utils.network_in_network', gateway_ip) }}"
+    
+    - name: Get name of connection containing gateway_ip
+      # might be empty string
+      set_fact:
+        gateway_ip_connection: >-
+          {{ nmcli_devices | map(attribute='connection') |
+            zip(device_is_gateway_device) | selectattr('1') | 
+            map(attribute=0) | list | first | default ('') }}
+    
+    - name: Error if device has a gateway which is not the desired one
+    # TODO: document
+      assert:
+        that: item.gateway == gateway_ip
+        fail_msg: "Device {{ item | to_nice_json }} has gateway: cannot apply gateway {{ gateway_ip }}"
+      when:
+        - item.connection == gateway_ip_connection
+        - item.ip4_gateway != ''
+        - item.ip4_gateway != gateway_ip
+      loop: "{{ nmcli_devices }}"
+
+    - name: Remove undesired gateways
+      command: >-
+        echo nmcli connection modify '{{ item.connection }}' ipv4.gateway ''
+        &&
+        echo nmcli connection up '{{ item.connection }}'
+      when:
+        - gateway_ip != ''
+        - item.ip4_gateway != ''
+        - item.connection != gateway_ip_connection
+      loop: "{{ nmcli_devices }}"
+    
+    - name: Add desired gateways
+      command: >-
+        echo nmcli connection modify '{{ item.connection }}'
+            ipv4.address {{ item.ip4_address }}
+            ipv4.gateway {{ gateway_ip }}
+        &&
+        echo nmcli connection up '{{ item.connection }}'
+      when:
+        - gateway_ip != ''
+        - item.ip4_gateway != gateway_ip
+        - item.connection == gateway_ip_connection
+      loop: "{{ nmcli_devices }}"
+    
+    - name: Create dummy connection and gateway
+      # see https://docs.k3s.io/installation/airgap#default-network-route
+      command: >-
+        nmcli connection add type dummy ifname dummy0 con-name dummy0
+        &&
+        nmcli connection modify dummy0
+          ipv4.address {{ access_ip }}
+          ipv4.gateway {{ access_ip }}
+          ipv4.route-metric 1000
+          ipv4.method manual
+        &&
+        nmcli connection up dummy0
+      when:
+        - gateway_ip == '' # no gateway specified
+        - nmcli_devices | selectattr('ip4_gateway', 'ne', '') | length == 0
+        # no gateway from networks
diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml
@@ -0,0 +1,7 @@
+- name: Add gateway playbook
+  copy:
+    src: gateway-init.yml
+    dest: /etc/ansible-init/playbooks/05-gateway-init.yml
+    owner: root
+    group: root
+    mode: 0644
diff --git a/environments/common/inventory/groups b/environments/common/inventory/groups
@@ -169,3 +169,6 @@ extra_packages
 
 [chrony]
 # Hosts where crony configuration is applied. See docs/chrony.md for more details.
+
+[gateway]
+# Add builder to this group to install gateway ansible-init playbook into image
diff --git a/environments/common/layouts/everything b/environments/common/layouts/everything
@@ -112,3 +112,7 @@ builder
 
 [chrony]
 # Hosts where crony configuration is applied. See docs/chrony.md for more details.
+
+[gateway:children]
+# Add builder to this group to install gateway ansible-init playbook into image
+builder
