From 06c20157ed31cc56362f5549aa60afc0e1d4c4c2 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 21 Apr 2025 15:13:54 +1000
Subject: [PATCH] feat: add incus image host

- add role
- add consul service + checks
- manage the datavol as zfs
- insure the incus fact exists before attempting to read it
---
 hieradata/roles/infra/incus/imagehost.yaml | 125 ++++++++++++++++++
 modules/incus/manifests/init.pp | 22 ++-
 site/roles/manifests/infra/incus/imagehost.pp | 10 ++
 3 files changed, 152 insertions(+), 5 deletions(-)
 create mode 100644 hieradata/roles/infra/incus/imagehost.yaml
 create mode 100644 site/roles/manifests/infra/incus/imagehost.pp
diff --git a/hieradata/roles/infra/incus/imagehost.yaml b/hieradata/roles/infra/incus/imagehost.yaml
new file mode 100644
index 0000000..ef0ca71
--- /dev/null
+++ b/hieradata/roles/infra/incus/imagehost.yaml
@@ -0,0 +1,125 @@
+---
+hiera_include:
+ - incus
+ - zfs
+
+profiles::packages::include:
+ bridge-utils: {}
+ dnsmasq: {}
+
+profiles::pki::vault::alt_names:
+ - incus-images.service.consul
+ - incus-images.query.consul
+ - "incus-images.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+ - incus-images.service.consul
+ - incus-images.query.consul
+ - "incus-images.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+consul::services:
+ incus-images:
+ service_name: 'incus-images'
+ tags:
+ - 'incus'
+ - 'images'
+ - 'container'
+ - 'lxd'
+ address: "%{facts.networking.ip}"
+ port: 8443
+ checks:
+ - id: 'incus_https_check'
+ name: 'incus HTTPS Check'
+ http: "https://%{facts.networking.fqdn}:8443"
+ method: 'GET'
+ tls_skip_verify: true
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: incus-images
+ disposition: write
+
+# additional repos
+profiles::yum::global::repos:
+ zfs-kmod:
+ name: zfs-kmod
+ descr: zfs-kmod repository
+ target: /etc/yum.repos.d/zfs-kmod.repo
+ baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
+ gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
+ mirrorlist: absent
+
+# zfs settings
+zfs::manage_repo: false
+zfs::zfs_arc_min: ~
+zfs::zfs_arc_max: 429496729 # 400MB
+zfs::zpools:
+ fastpool:
+ ensure: present
+ disk: /dev/vdb
+ ashift: 12
+zfs::datasets:
+ fastpool:
+ canmount: 'off'
+ acltype: posix
+ atime: 'off'
+ relatime: 'off'
+ compression: 'zstd'
+ xattr: 'sa'
+ fastpool/data:
+ canmount: 'on'
+ mountpoint: '/data'
+ fastpool/data/incus:
+ canmount: 'on'
+ mountpoint: '/data/incus'
+
+# manage incus
+incus::init: true
+incus::server_port: 8443
+incus::storage_images_volume: fastpool/imagestore
+
+# add sysadmin to incus-admin group
+profiles::accounts::sysadmin::extra_groups:
+ - incus-admin
+
+# sysctl recommendations
+sysctl::base::values:
+ fs.aio-max-nr:
+ value: '524288'
+ fs.inotify.max_queued_events:
+ value: '1048576'
+ fs.inotify.max_user_instances:
+ value: '1048576'
+ fs.inotify.max_user_watches:
+ value: '1048576'
+ kernel.dmesg_restrict:
+ value: '1'
+ kernel.keys.maxbytes:
+ value: '2000000'
+ kernel.keys.maxkeys:
+ value: '2000'
+ net.core.bpf_jit_limit:
+ value: '1000000000'
+ net.ipv4.neigh.default.gc_thresh3:
+ value: '8192'
+ net.ipv6.neigh.default.gc_thresh3:
+ value: '8192'
+ vm.max_map_count:
+ value: '262144'
+ net.ipv4.conf.all.forwarding:
+ value: '1'
+ net.ipv6.conf.all.forwarding:
+ value: '1'
+
+# limits.d recommendations
+limits::entries:
+ '*/nofile':
+ both: 1048576
+ 'root/nofile':
+ both: 1048576
+ '*/memlock':
+ both: unlimited
+ 'root/memlock':
+ both: unlimited
diff --git a/modules/incus/manifests/init.pp b/modules/incus/manifests/init.pp
index 6933997..077de8f 100644
--- a/modules/incus/manifests/init.pp
+++ b/modules/incus/manifests/init.pp
@@ -9,6 +9,7 @@ class incus (
 String $bridge = 'incusbr0',
 Stdlib::Port $server_port = 8443,
 Stdlib::IP::Address $server_addr = $facts['networking']['ip'],
+ Optional[String] $storage_images_volume = undef,
 ) {
 package { $packages:
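Review bot: The consul health check for `incus-images` sets `tls_skip_verify: true`, so it only confirms that something answers on 8443, not that the endpoint presents the expected certificate. The same hunk provisions `profiles::pki::vault::alt_names` for `incus-images.service.consul`; if that vault-issued certificate is what incus serves on `core.https_address`, the check could target `https://incus-images.service.consul:8443` with verification left on, otherwise a comment above the check stating which certificate the endpoint serves and why it cannot be verified would help the next maintainer. `zfs::zfs_arc_max: 429496729 # 400MB` is roughly 410 MiB; if 400 MiB is meant, the value is `419430400`. `incus::storage_images_volume: fastpool/imagestore` names a volume that none of the `zfs::datasets` entries create — presumably incus creates the custom volume in its own storage pool, but that is worth confirming since the hunk only creates `fastpool/data/incus`.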
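Review bot: `Optional[String] $storage_images_volume` is interpolated unchanged into the `incus config set storage.images_volume ...` exec command later in this class, so any string that reaches the parameter from hiera reaches the command line; a type that pins the expected `POOL/VOLUME` shape rejects malformed values at catalog compile time, e.g. `Optional[Pattern[/\A[^\/\s]+\/[^\/\s]+\z/]] $storage_images_volume = undef,`. The class header and its doc comment start outside the hunk, so it is not visible whether the new parameter is documented; the doc entry should say the value is an incus `POOL/VOLUME` pair and whether the volume is expected to exist already.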
@@ -55,11 +56,22 @@ class incus (
 }
 }
- # set core.https_address
- if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
- exec { 'incus_config_set_core_https_address':
- path => ['/bin', '/usr/bin'],
- command => "incus config set core.https_address ${server_addr}:${server_port}",
+ if $facts['incus'] and $facts['incus']['config'] {
+ # set core.https_address
+ if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
+ exec { 'incus_config_set_core_https_address':
+ path => ['/bin', '/usr/bin'],
+ command => "incus config set core.https_address ${server_addr}:${server_port}",
+ }
+ }
+ # set storage.images_volume # path to store images
+ if $storage_images_volume {
+ if $facts['incus']['config']['storage.images_volume'] != $storage_images_volume {
+ exec { 'incus_config_set_storage_images_volume':
+ path => ['/bin', '/usr/bin'],
+ command => "incus config set storage.images_volume ${storage_images_volume}",
+ }
+ }
 }
 }
 }
diff --git a/site/roles/manifests/infra/incus/imagehost.pp b/site/roles/manifests/infra/incus/imagehost.pp
new file mode 100644
index 0000000..26a4716
--- /dev/null
+++ b/site/roles/manifests/infra/incus/imagehost.pp
@@ -0,0 +1,10 @@
+# a role to deploy a incus image server
+class roles::infra::incus::imagehost {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ }
+}
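Review bot: The new `if $facts['incus'] and $facts['incus']['config']` guard silently drops both config settings whenever the fact is missing, which is exactly the first run on a fresh host where this same class installs the incus package, so `core.https_address` and `storage.images_volume` are only applied on the following agent run. An `else` branch that records this, e.g. `} else { notice('incus fact not available yet; core.https_address and storage.images_volume will be applied on the next run') }`, makes the unconverged run visible in the report instead of passing quietly. The comment `# set storage.images_volume # path to store images` carries a stray second `#`; `# set storage.images_volume (the POOL/VOLUME backing the image store)` reads cleaner. The enclosing class body and the `package` resource the fact depends on start outside the hunk.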
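Review bot: `}else{` in the new `roles::infra::incus::imagehost` class should be written `} else {` per the Puppet style guide, and `include profiles::defaults` appears in both branches, so it can be hoisted above the `if $facts['firstrun']` conditional and the branches reduced to the one include that differs. The header comment `# a role to deploy a incus image server` should read `# a role to deploy an incus image server`.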