feat: update incus image host to run on incus (#309)

- remove zfs
- remove some sysctl values
- remove memlocks from limits
- install iptables, required for creating bridges

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/309
Ben Vincent 2025-06-08 22:58:44 +10:00
parent f43d5f685b
commit 66fdd7b615
2 changed files with 6 additions and 67 deletions


@ -1,11 +1,12 @@
--- ---
hiera_include: hiera_include:
- incus - incus
- zfs
profiles::packages::include: profiles::packages::include:
bridge-utils: {} bridge-utils: {}
dnsmasq: {} dnsmasq: {}
squashfs-tools: {}
iptables-nft: {}
profiles::pki::vault::alt_names: profiles::pki::vault::alt_names:
- incus-images.service.consul - incus-images.service.consul
@ -41,44 +42,9 @@ profiles::consul::client::node_rules:
segment: incus-images segment: incus-images
disposition: write disposition: write
# additional repos
profiles::yum::global::repos:
zfs-kmod:
name: zfs-kmod
descr: zfs-kmod repository
target: /etc/yum.repos.d/zfs-kmod.repo
baseurl: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os
gpgkey: https://packagerepo.service.consul/zfs/rhel9/kmod-daily/%{facts.os.architecture}/os/RPM-GPG-KEY-openzfs-2022
mirrorlist: absent
# zfs settings
zfs::manage_repo: false
zfs::zfs_arc_min: ~
zfs::zfs_arc_max: 429496729 # 400MB
zfs::zpools:
fastpool:
ensure: present
disk: /dev/vdb
ashift: 12
zfs::datasets:
fastpool:
canmount: 'off'
acltype: posix
atime: 'off'
relatime: 'off'
compression: 'zstd'
xattr: 'sa'
fastpool/data:
canmount: 'on'
mountpoint: '/data'
fastpool/data/incus:
canmount: 'on'
mountpoint: '/data/incus'
# manage incus # manage incus
incus::init: true incus::init: true
incus::server_port: 8443 incus::server_port: 8443
incus::storage_images_volume: fastpool/imagestore
# add sysadmin to incus-admin group # add sysadmin to incus-admin group
profiles::accounts::sysadmin::extra_groups: profiles::accounts::sysadmin::extra_groups:
@ -86,28 +52,6 @@ profiles::accounts::sysadmin::extra_groups:
# sysctl recommendations # sysctl recommendations
sysctl::base::values: sysctl::base::values:
fs.aio-max-nr:
value: '524288'
fs.inotify.max_queued_events:
value: '1048576'
fs.inotify.max_user_instances:
value: '1048576'
fs.inotify.max_user_watches:
value: '1048576'
kernel.dmesg_restrict:
value: '1'
kernel.keys.maxbytes:
value: '2000000'
kernel.keys.maxkeys:
value: '2000'
net.core.bpf_jit_limit:
value: '1000000000'
net.ipv4.neigh.default.gc_thresh3:
value: '8192'
net.ipv6.neigh.default.gc_thresh3:
value: '8192'
vm.max_map_count:
value: '262144'
net.ipv4.conf.all.forwarding: net.ipv4.conf.all.forwarding:
value: '1' value: '1'
net.ipv6.conf.all.forwarding: net.ipv6.conf.all.forwarding:
@ -119,7 +63,3 @@ limits::entries:
both: 1048576 both: 1048576
'root/nofile': 'root/nofile':
both: 1048576 both: 1048576
'*/memlock':
both: unlimited
'root/memlock':
both: unlimited
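Review bot: Dropping `kernel.dmesg_restrict` from `sysctl::base::values` (the `@ -86,28 +52,6 @@` hunk) removes a hardening control rather than a storage or zfs tunable: set to `'1'` it restricts reading the kernel ring buffer to CAP_SYSLOG, so unprivileged users and containers on the host cannot see it. If the image host now runs as an Incus container the kernel sysctls are not settable from inside and the removal is moot, but if it runs as a VM it would be worth keeping the two lines `kernel.dmesg_restrict:` / `value: '1'` alongside the forwarding entries. The retained `# sysctl recommendations` comment now describes only the two forwarding values, so consider rewording it, e.g. `# sysctl: enable IPv4/IPv6 forwarding for the incus bridge`. The sysctl and limits::entries stanzas continue outside the shown hunks.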


@ -48,11 +48,10 @@ class incus (
} }
exec { 'initiate_incus': exec { 'initiate_incus':
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'], path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized', command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
refreshonly => true, creates => '/root/.incus_initialized',
creates => '/root/.incus_initialized', require => File['/root/incus.preseed.yaml'],
subscribe => File['/root/incus.preseed.yaml'],
} }
} }
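Review bot: With `creates => '/root/.incus_initialized'` as the only guard, `initiate_incus` is a one-shot: once the marker exists, later edits to /root/incus.preseed.yaml are never reapplied (the removed `subscribe` did not change that either, since an exec refresh is skipped when the `creates` check already passes), and nothing on the resource says so; a comment such as `# one-shot: delete /root/.incus_initialized to re-apply a changed preseed` would save the next maintainer a surprise. The new `require => File['/root/incus.preseed.yaml']` only orders the exec after the preseed file, while `incus admin init` needs the incus daemon to be up; if this class manages a Service for incus (not visible in the hunk), it presumably belongs in the require list as well, e.g. `require => [File['/root/incus.preseed.yaml'], Service['incus']],` — confirm against the rest of the class. The body of `class incus` starts outside the hunk.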