M #-: Add Open vSwitch role (WIP)

sk4zuzu · sk4zuzu · commit 80280d379110 · 2026-02-12T16:32:27.000+01:00
Signed-off-by: Michal Opala &lt;sk4zuzu@gmail.com&gt;
diff --git a/playbooks/site.yml b/playbooks/site.yml
@@ -15,6 +15,15 @@
     - role: repository
       tags: [preinstall, prometheus]
 
+- hosts:
+    - "{{ frontend_group | d('frontend') }}"
+    - "{{ node_group | d('node') }}"
+  collections:
+    - opennebula.deploy
+  roles:
+    - role: openvswitch
+      tags: [network, openvswitch]
+
 - hosts: "{{ frontend_group | d('frontend') }}"
   tags: [frontend, stage1]
   collections:
diff --git a/roles/openvswitch/defaults/main.yml b/roles/openvswitch/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/openvswitch/meta/main.yml b/roles/openvswitch/meta/main.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/openvswitch/tasks/main.yml b/roles/openvswitch/tasks/main.yml
@@ -0,0 +1,70 @@
+---
+- when:
+    - ovs is defined
+    - ovs is mapping
+    - ovs | count > 0
+  block:
+    - name: Install OVS packages
+      ansible.builtin.package:
+        name: "{{ _common + (_specific[ansible_distribution] | d(_specific[ansible_os_family])) }}"
+      vars:
+        _common:
+          - findutils
+        _specific:
+          AlmaLinux:
+            - iproute
+            - iputils
+            - openvswitch3.5
+          Debian:
+            - iproute2
+            - iputils-arping
+            - openvswitch-switch
+          RedHat:
+            - iproute
+            - iputils
+            - openvswitch3.6
+      register: package
+      until: package is success
+      retries: 12
+      delay: 5
+
+    - name: Enable / Start OVS (NOW)
+      ansible.builtin.systemd_service:
+        name: "{{ _specific[ansible_os_family] }}"
+        state: started
+        enabled: true
+      vars:
+        _specific:
+          Debian: openvswitch-switch.service
+          RedHat: openvswitch.service
+
+    - name: Install OVS-related scripts
+      ansible.builtin.template:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode }}"
+        owner: 0
+        group: 0
+      loop:
+        - src: opennebula-ovs.sh.jinja
+          dest: /usr/local/sbin/opennebula-ovs.sh
+          mode: u=rwx,go=rx
+        - src: opennebula-ovs.service.jinja
+          dest: /etc/systemd/system/opennebula-ovs.service
+          mode: u=rw,go=r
+      register: template
+
+    - name: Switch to OVS networking
+      ansible.builtin.systemd_service:
+        daemon_reload: "{{ item.daemon_reload | d(omit) }}"
+        name: "{{ item.name | d(omit) }}"
+        state: "{{ item.state | d(omit) }}"
+        enabled: "{{ item.enabled | d(omit) }}"
+      loop:
+        - daemon_reload: "{{ _changed }}"
+        - name: opennebula-ovs.service
+          state: "{{ 'restarted' if _changed else 'started' }}"
+          enabled: true
+      vars:
+        _changed: >-
+          {{ template is changed }}
diff --git a/roles/openvswitch/templates/opennebula-ovs.service.jinja b/roles/openvswitch/templates/opennebula-ovs.service.jinja
@@ -0,0 +1,30 @@
+[Unit]
+Description=OVS Bridge Interface Network configuration
+{% if ansible_os_family == 'Debian' %}
+After=openvswitch-switch.service network-pre.target
+Wants=network-pre.target
+Before=network.target
+Requires=openvswitch-switch.service
+{% endif %}
+{% if ansible_os_family == 'RedHat' %}
+After=openvswitch.service network-pre.target
+Wants=network-pre.target
+Before=network.target
+Requires=openvswitch.service
+{% endif %}
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=
+ExecStart=/usr/local/sbin/opennebula-ovs.sh
+TimeoutStartSec=120
+StandardOutput=journal
+StandardError=journal
+# Ensure the service runs in a clean environment
+Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+# Network operations require root
+User=root
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/openvswitch/templates/opennebula-ovs.sh.jinja b/roles/openvswitch/templates/opennebula-ovs.sh.jinja
@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+set -o errexit -o pipefail
+
+# --- Helper functions
+
+log() { echo "$*" >&2; }
+die() { log "ERROR: $*"; exit 1; }
+
+# --- Basic asserts
+
+type -p arping find ip jq ovs-vsctl &>/dev/null
+
+{% for iface in ovs.iface.keys() %}
+# {{ iface }}
+log 'Asserting {{ iface }} exists'
+ip link show dev '{{ iface }}' &>/dev/null || die 'Interface {{ iface }} does not exist'
+{% endfor %}
+
+# --- Bridge creation
+
+{% for br, v in ovs.br.items() %}
+# {{ br }}
+if ovs-vsctl br-exists '{{ br }}' &>/dev/null; then
+    log 'WARNING: Bridge {{ br }} already exists, skipping creation'
+else
+    log 'Creating OVS bridge {{ br }}'
+    ovs-vsctl add-br '{{ br }}' || die 'Failed to create bridge'
+fi
+{% for port in v.ports %}
+{% if port in ovs.iface %}
+if ovs-vsctl port-to-br '{{ port }}' &>/dev/null; then
+    log 'WARNING: Port {{ port }} already exists, skipping creation'
+else
+    log 'Adding port {{ port }} to {{ br }}'
+    ovs-vsctl add-port '{{ br }}' '{{ port }}' || die 'Failed to add port'
+fi
+{% endif %}
+{% if port in ovs.bond %}
+if ovs-vsctl port-to-br '{{ port }}' &>/dev/null; then
+    log 'WARNING: Bond {{ port }} already exists, skipping creation'
+else
+    log 'Adding bond {{ port }} to {{ br }}'
+    ovs-vsctl add-bond '{{ br }}' '{{ port }}' \
+        {{ ovs.bond[port].ifaces | map('regex_replace', '^(.*)$', "'\g<1>'") | join(' ') }} \
+        bond_mode='{{ ovs.bond[port].mode | d('active-backup') }}' \
+        other_config:bond-primary='{{ ovs.bond[port].ifaces | first }}' || die 'Failed to add bond'
+fi
+{% endif %}
+{% endfor %}
+{% if v.vlan is defined and (v.vlan is number or v.vlan is string) %}
+if [[ "$(ovs-vsctl get port '{{ br }}' tag)" == '{{ v.vlan }}' ]]; then
+    log 'WARNING: VLAN tag {{ v.vlan }} already set on {{ br }}, skipping'
+else
+    log 'Setting VLAN tag {{ v.vlan }} on {{ br }}'
+    ovs-vsctl set port '{{ br }}' tag='{{ v.vlan }}' || die 'Failed to set VLAN tag'
+fi
+{% endif %}
+{% endfor %}
+
+# --- Networking cleanup
+
+if type -p systemctl &>/dev/null && systemctl is-active --quiet NetworkManager; then
+    log 'Stopping and disabling NetworkManager'
+    systemctl disable NetworkManager || log 'WARNING: Failed to disable NetworkManager'
+    systemctl stop NetworkManager || log 'WARNING: Failed to stop NetworkManager'
+fi
+
+if type -p netplan &>/dev/null && netplan status -f json | jq -re '."netplan-global-state"."online"' &>/dev/null; then
+    log 'Disabling Netplan'
+    find /etc/netplan/ -type f -name '*.yaml' -exec mv {} {}.bak \;
+    netplan apply || log 'WARNING: Failed to disable Netplan'
+fi
+
+{% for vlan in ovs.br.values() | selectattr('vlan', 'defined') | map(attribute='vlan') %}
+{% for iface in ovs.iface.keys() %}
+# {{ iface }}.{{ vlan }}
+if ip link show '{{ iface }}.{{ vlan }}' &>/dev/null; then
+    log 'Deleting VLAN interface {{ iface }}.{{ vlan }}'
+    ip link delete '{{ iface }}.{{ vlan }}' || log 'WARNING: Failed to delete {{ iface }}.{{ vlan }}'
+fi
+{% endfor %}
+{% endfor %}
+
+# --- IP / MTU configuration
+
+{% for dev, v in ((ovs.iface.items() | list) + (ovs.br.items() | list)) %}
+# {{ dev }}
+log 'Flushing {{ dev }}'
+ip addr flush dev '{{ dev }}' || die 'Failed to flush {{ dev }}'
+{% for a in v.addrs | d([]) %}
+log 'Adding IP address {{ a.cidr }} to {{ dev }}'
+ip addr add '{{ a.cidr }}' dev '{{ dev }}' {{ "metric '{}'".format(a.metric) if a.metric is defined else "" }} || die 'Failed to add IP address'
+{% endfor %}
+{% if v.mtu is defined and (v.mtu is number or v.mtu is string) %}
+if [[ "$(ovs-vsctl get Interface '{{ dev }}' mtu_request)" == '{{ v.mtu }}' ]]; then
+    log 'WARNING: MTU {{ v.mtu }} already set on {{ dev }}, skipping'
+else
+    log 'Setting MTU {{ v.mtu }} on {{ dev }}'
+    ovs-vsctl set Interface '{{ dev }}' mtu_request='{{ v.mtu }}' || die 'Failed to set MTU'
+fi
+{% endif %}
+log 'Bringing up {{ dev }}'
+ip link set dev '{{ dev }}' up || die 'Failed to bring up {{ dev }}'
+{% endfor %}
+
+# --- Default route
+
+{% set gw = (((ovs.iface.values() | list) + (ovs.br.values() | list)) | selectattr('gw', 'defined') | first).gw | d(None) %}
+{% if gw is not none %}
+if ip --json route show default | jq -re '. != []' &>/dev/null; then
+    log 'WARNING: Default route already exists'
+else
+    log 'Adding default route via {{ gw }}'
+    ip route add default via '{{ gw }}' || die 'Failed to add default route'
+fi
+{% endif %}
+
+# --- Nameserver configuration
+
+if type -p systemctl resolvectl &>/dev/null && systemctl is-active --quiet systemd-resolved; then
+{% for dev, v in ((ovs.iface.items() | list) + (ovs.br.items() | list)) %}
+    # {{ dev }}
+{% if v.dns is defined and v.dns is sequence %}
+    log 'Setting nameservers for {{ dev }}'
+    resolvectl dns '{{ dev }}' {{ v.dns | map('regex_replace', '^(.*)$', "'\g<1>'") | join(' ') }} || die 'Failed to setup nameservers'
+{% endif %}
+{% endfor %}
+fi
+
+# --- Networking refresh
+
+{% for br, v in ovs.br.items() %}
+# {{ br }}
+{% for a in v.addrs | d([]) %}
+log 'Sending gratuitous ARP for {{ a.cidr }} on {{ br }}'
+arping -c 3 -A -I '{{ br }}' '{{ a.cidr.split('/') | first }}' || log 'WARNING: arping failed'
+{% endfor %}
+{% endfor %}
+
+# ---
+
+log 'OVS network configuration completed successfully'
+exit 0
