simp / pupmod-simp-libvirt Goto Github PK

• Overview
• This is a SIMP module
• Module Description
• Usage
  • Basic Usage
  • Advanced Usage
• Development
  • Acceptance tests

This module manages the installation of libvirt as well as providing a rudimentary ability to create virtual machines on your system.

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

• When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
• If used independently, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp_options for details.

You can use this module to install and manage basic aspects of libvirt, KSM, KVM, and the polkit rules that surround usage of libvirt capabilities.

You can also use the libvirt::vm defined type to spin up local virtual machines on your nodes.

See REFERENCE.md for API details.

Simply include the libvirt class to add support to your system.

include libvirt

If you want KSM support, then you should set the follwing in Hiera:

---
libvirt::ksm: true

This example uses the simp-network module to create a bridge and then spins up a single VM on the resulting system. It also allows users in the virshusers group to execute libvirt commands via polkit.

include libvirt
include network

# Set up a local bridge on the network
network::eth { "em1":
  bridge => 'br0',
  hwaddr => $facts['macaddress_em1']
}

network::eth { "br0":
  net_type => 'Bridge',
  hwaddr   => $facts['macaddress_em1'],
  require  => Network::Eth['em1']
}

# Create polkit policy to allow users in virsh users group to use libvirt
class { 'libvirt::polkit':
  ensure => present,
  group  => 'virshusers',
  local  => true,
  active => true
}

# Create group and add users.
group{ 'virshusers':
  members => ['user1','user2']
}

# Kickstart a VM on the system and bind it to the local bridge
libvirt::vm { 'test_system':
  mac_addr  => 'AA:BB:CC:DD:EE:FF',
  size      => 20,
  networks  => { 'type' => 'bridge', 'target' => 'br0' },
  pxe       => true,
  disk_opts => { 'bus' => 'virtio' },
  require   => Network::Eth['br0']
}

Please read our Contribution Guide

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle exec rake beaker:suites

Some environment variables may be useful:

BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_fips=yes

• BEAKER_debug: show the commands being run on the STU and their output.
• BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
• BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
• BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.
• BEAKER_fips=yes: enable FIPS-mode on the virtual instances. This can take a very long time, because it must enable FIPS in the kernel command-line, rebuild the initramfs, then reboot.

Please refer to the SIMP Beaker Helpers documentation for more information.