[WIP] Add playbooks to set up the nat64 net and VM

TODOs:
- Tests

Author: hjensas

roles/config_drive/templates/network-config.j2

@@ -1 +1 @@
-{{ cifmw_config_drive_networkconfig | to_nice_yaml(indent=2, default_style="\"") }}
+{{ cifmw_config_drive_networkconfig | to_nice_yaml(indent=2) }}

roles/nat64_appliance/README.md

@@ -1,12 +1,31 @@
 # nat64_appliance
 
-`diskimage-builder` definition and element to build a NAT64 + DNS64 appliance VM image.
+`main.yml`: Tasks to build a NAT64 + DNS64 appliance VM image, uses `diskimage-builder`.
+`deploy.yml`: Tasks to deploy networks and appliance VM on a libvirt hypervisor.
+`cleanup.yml`: Tasks to destroy and undefine the VM and networks on a libvirt hypervisor, and delete the built image.
 
 ## Parameters
 
 * `cifmw_nat64_appliance_basedir`: (String) Base directory. Defaults to `{{ cifmw_basedir }}` which defaults to `~/ci-framework-data`.
 * `cifmw_nat64_appliance_workdir`: (String) Working directory. Defaults to `{{ cifmw_nat64_appliance_basedir }}/nat64_appliance`.
 * `cifmw_nat64_appliance_venv_dir`: (String) Python virtual environment directory. Defaults to `{{ cifmw_nat64_appliance_workdir }}/venv`.
+* `cifmw_nat64_libvirt_uri`: (String) The libvirt URI for the hypervisor to deploy on. Defaults to `qemu:///system`.
+* `cifmw_nat64_network_ipv4_name`: (String) Name of the nat64 IPv4 libvirt network. Defaults to: `nat64-net-v4`.
+* `cifmw_nat64_network_ipv4_bridge_name`: (String) Bridge name for the nat64 IPv4 libvirt network. Defaults to: `br-64v4`.
+* `cifmw_nat64_network_ipv4_address`: (String) IP address for the nat64 IPv4 libvirt network. Defaults to: `172.31.255.1`.
+* `cifmw_nat64_network_ipv4_prefix`: (Integer) IP prefix length for the nat64 IPv4 libvirt network. Defaults to: `24`.
+* `cifmw_nat64_network_ipv6_name`: (String) Name of the nat64 IPv6 libvirt network. Defaults to: `nat64-net-v6`.
+* `cifmw_nat64_network_ipv6_bridge_name`: (String) The bridge name for the nat64 IPv6 libvirt network. Defaults to: `br-64v6`.
+* `cifmw_nat64_network_ipv6_address`: (String) IP address for the nat64 IPv6 libvirt network. Defaults to: `fd00:abcd:abcd:fc00::1`.
+* `cifmw_nat64_network_ipv6_prefix`: (Integer) IP prefix length for the nat64 IPv6 libvirt network. Defaults to: `64`.
+* `cifmw_nat64_appliance_name`: (String) Name and hostname for the nat64 appliance VM. Defaults to: `nat64-appliance`.
+* `cifmw_nat64_appliance_ipv4_address`: (String) IPv4 address for the nat64 appliance VM. Defaults to: `172.31.255.2`.
+* `cifmw_nat64_appliance_ipv6_address`: (String) IPv6 address for the nat64 appliance VM. Defaults to: `fd00:abcd:abcd:fc00::2`.
+* `cifmw_nat64_appliance_memory`: (Integer) Memory in GiB for the nat64 appliance VM. Defaults to: `2`.
+* `cifmw_nat64_appliance_cpus`: (Interger) Virtual CPUs for the nat64 appliance VM. Defaults to: `2`.
+* `cifmw_nat64_appliance_ssh_pub_key`: (String) Path to ssh public key for the nat64 appliance VM. Defaults to: `{{ ansible_user_dir }}/.ssh/id_rsa.pub`
+* `cifmw_nat64_ipv6_prefix`: (String) IPv6 prefix for nat64. Defaults to: `fd00:abcd:abcd:fc00::/64`.
+* `cifmw_nat64_ipv6_tayga_address`: (String) Tayga IPv6 address. Defaults to: `fd00:abcd:abcd:fc00::3`.
 
 ## Building the image
 
@@ -18,12 +37,34 @@ Include the `nat64_appliance` role in a playbook. For example:
   roles:
     - nat64_appliance
 ```
-The built image will be in: `{{ cifmw_basedir }}/artifacts/roles/nat64-appliance/nat64-appliance.qcow2`
+
+The built image will be in: `{{ cifmw_nat64_appliance_workdir }}/nat64-appliance.qcow2`
 
 ## Using the nat64-appliance
 
-- [With Openstack cloud](#with-openstack-cloud){#toc-with-openstack-cloud}
 - [With Libvirt](#with-libvirt){#toc-with-libvirt}
+- [With Openstack cloud](#with-openstack-cloud){#toc-with-openstack-cloud}
+
+### With Libvirt
+
+```
+- name: "Build nat64 appliance image"
+  ansible.builtin.include_role:
+    name: nat64_appliance
+- name: "Deploy the nat64 appliance and networks"
+  ansible.builtin.include_role:
+    name: nat64_appliance
+    tasks_from: deploy.yml
+```
+
+To clenup the libvirt nat64 deployment:
+```
+- name: "Build nat64 appliance image"
+  ansible.builtin.include_role:
+    name: nat64_appliance
+    tasks_from: cleanup.yml
+```
+
 
 ### With Openstack cloud
 
@@ -220,7 +261,3 @@ $ ssh -J [email protected] fedora@fd00:abcd:aaaa:fc00::2b8
 PING sunet.se(fd00:abcd:abcd:fcff::259c:c033 (fd00:abcd:abcd:fcff::259c:c033)) 56 data bytes
 64 bytes from fd00:abcd:abcd:fcff::259c:c033 (fd00:abcd:abcd:fcff::259c:c033): icmp_seq=1 ttl=53 time=4.91 ms
 ```
-
-### With Libvirt
-
-TODO

roles/nat64_appliance/defaults/main.yml

@@ -20,3 +20,24 @@ cifmw_nat64_appliance_basedir: >-
   }}
 cifmw_nat64_appliance_workdir: "{{ cifmw_nat64_appliance_basedir }}/nat64_appliance"
 cifmw_nat64_appliance_venv_dir: "{{ cifmw_nat64_appliance_workdir }}/venv"
+
+cifmw_nat64_libvirt_uri: "qemu:///system"
+cifmw_nat64_network_ipv4_name: nat64-net-v4
+cifmw_nat64_network_ipv4_bridge_name: br-64v4
+cifmw_nat64_network_ipv4_address: 172.31.255.1
+cifmw_nat64_network_ipv4_prefix: 24
+
+cifmw_nat64_network_ipv6_name: nat64-net-v6
+cifmw_nat64_network_ipv6_bridge_name: br-64v6
+cifmw_nat64_network_ipv6_address: fd00:abcd:abcd:fc00::1
+cifmw_nat64_network_ipv6_prefix: 64
+cifmw_nat64_appliance_name: nat64-appliance
+cifmw_nat64_appliance_ipv4_address: 172.31.255.2
+cifmw_nat64_appliance_ipv6_address: fd00:abcd:abcd:fc00::2
+
+cifmw_nat64_appliance_memory: 2
+cifmw_nat64_appliance_cpus: 2
+cifmw_nat64_appliance_ssh_pub_key: "{{ ansible_user_dir }}/.ssh/id_rsa.pub"
+
+cifmw_nat64_ipv6_prefix: "fd00:abcd:abcd:fc00::/64"
+cifmw_nat64_ipv6_tayga_address: "fd00:abcd:abcd:fc00::3"

roles/nat64_appliance/files/nat64-appliance.yaml

@@ -8,6 +8,7 @@
     - block-device-efi
     - package-installs
     - nat64-router
+    - reset-bls-entries  # Requires edpm-image-builder elements.
   environment:
     DIB_RELEASE: '9-stream'
     DIB_PYTHON_VERSION: '3'
@@ -34,6 +35,16 @@
             - name: BSP
               type: 'EF02'
               size: 8MiB
+            - name: boot
+              type: '8300'
+              size: 512MiB
+              mkfs:
+                type: xfs
+                mount:
+                  mount_point: /boot
+                  fstab:
+                    options: "defaults"
+                    fsck-passno: 1
             - name: root
               type: '8300'
               size: 100%

roles/nat64_appliance/molecule/default/converge.yml

@@ -15,10 +15,20 @@
 # under the License.
 
 - name: Converge
-  hosts: all
+  hosts: instance
   tasks:
+    - name: Set selinux permissive
+      become: true
+      ansible.posix.selinux:
+        policy: targeted
+        state: permissive
+
     - name: Build nat64 appliance image
-      vars:
-        extra_args: "--dry-run"
       ansible.builtin.include_role:
         name: nat64_appliance
+
+    - name: Set selinux permissive
+      become: true
+      ansible.posix.selinux:
+        policy: targeted
+        state: enforcing

roles/nat64_appliance/molecule/default/prepare.yml

@@ -14,8 +14,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-
 - name: Prepare
   hosts: all
   roles:
-    - role: test_deps
+    - role: test_deps

roles/nat64_appliance/tasks/cleanup.yml

@@ -18,3 +18,38 @@
   ansible.builtin.file:
     state: absent
     path: "{{ cifmw_nat64_appliance_workdir }}/nat64-appliance.qcow2"
+
+- name: Stop the nat64_appliance VM
+  community.libvirt.virt:
+    command: destroy
+    name: "{{ cifmw_nat64_appliance_name }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: Undefine the nat64_appliance VM
+  community.libvirt.virt:
+    command: undefine
+    name: "{{ cifmw_nat64_appliance_name }}"
+    force: true
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: Destroy the nat64 networks
+  register: net_destroy
+  community.libvirt.virt_net:
+    command: destroy
+    name: "{{ item }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+  loop:
+    - "{{ cifmw_nat64_network_ipv4_name }}"
+    - "{{ cifmw_nat64_network_ipv6_name }}"
+  failed_when:
+    - net_destroy.rc is defined
+    - net_destroy.rc > 1
+
+- name: Undefine the nat64 networks
+  community.libvirt.virt_net:
+    command: undefine
+    name: "{{ item }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+  loop:
+    - "{{ cifmw_nat64_network_ipv4_name }}"
+    - "{{ cifmw_nat64_network_ipv6_name }}"

roles/nat64_appliance/tasks/deploy.yml

@@ -0,0 +1,108 @@
+---
+- name: Set MAC address facts
+  ansible.builtin.set_fact:
+    cifmw_nat64_appliance_ipv4_mac_address: "{{ '52:54:00' | community.general.random_mac }}"
+    cifmw_nat64_appliance_ipv6_mac_address: "{{ '52:54:00' | community.general.random_mac }}"
+
+- name: Create the IPv4 libvirt network for nat64
+  community.libvirt.virt_net:
+    command: define
+    name: "{{ cifmw_nat64_network_ipv4_name }}"
+    xml: "{{ lookup('template', 'ipv4_network.xml.j2') }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: Ensure the IPv4 libvirt network for nat64 is created/started
+  community.libvirt.virt_net:
+    command: create
+    name: "{{ cifmw_nat64_network_ipv4_name }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: Ensure the IPv4 libvirt network for nat64 is active
+  community.libvirt.virt_net:
+    state: active
+    name: "{{ cifmw_nat64_network_ipv4_name }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: Ensure the IPv4 libvirt network for nat64 is enabled to autostart
+  community.libvirt.virt_net:
+    autostart: true
+    name: "{{ cifmw_nat64_network_ipv4_name }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: Create the IPv6 libvirt network for nat64
+  community.libvirt.virt_net:
+    command: define
+    name: "{{ cifmw_nat64_network_ipv6_name }}"
+    xml: "{{ lookup('template', 'ipv6_network.xml.j2') }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: Ensure the IPv6 libvirt network for nat64 is created/started
+  community.libvirt.virt_net:
+    command: create
+    name: "{{ cifmw_nat64_network_ipv6_name }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: Ensure the IPv6 libvirt network for nat64 network is active
+  community.libvirt.virt_net:
+    state: active
+    name: "{{ cifmw_nat64_network_ipv6_name }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: Ensure the IPv6 libvirt network for nat64 is enabled to autostart
+  community.libvirt.virt_net:
+    autostart: true
+    name: "{{ cifmw_nat64_network_ipv6_name }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: "Generate nat64-appliance UUID"
+  ansible.builtin.set_fact:
+    nat64_appliance_uuid: "{{ 99999999 | random | to_uuid | lower }}"
+
+- name: "Create the config-drive ISO for the nat64-appliance"
+  vars:
+    cifmw_config_drive_iso_image: "{{ cifmw_nat64_appliance_workdir }}/{{ nat64_appliance_uuid }}.iso"
+    cifmw_config_drive_uuid: "{{ nat64_appliance_uuid }}"
+    cifmw_config_drive_name: "{{ cifmw_nat64_appliance_name }}"
+    cifmw_config_drive_hostname: "{{ cifmw_nat64_appliance_name }}"
+    cifmw_config_drive_userdata:
+      ssh_authorized_keys:
+        - "{{ lookup('file', cifmw_nat64_appliance_ssh_pub_key) }}"
+      write_files:
+        - path: "/etc/nat64/config-data"
+          owner: "root:root"
+          content: "{{ lookup('template', 'config-data.j2') }}"
+    cifmw_config_drive_networkconfig:
+      network:
+        version: 2
+        ethernets:
+          id0:
+            match:
+              macaddress: "{{ cifmw_nat64_appliance_ipv4_mac_address }}"
+            addresses:
+              - "{{ cifmw_nat64_appliance_ipv4_address }}/{{ cifmw_nat64_network_ipv4_prefix }}"
+            routes:
+              - to: "0.0.0.0/0"
+                via: "{{ cifmw_nat64_network_ipv4_address }}"
+                on-link: true
+            nameservers:
+              addresses:
+                - "{{ cifmw_nat64_network_ipv4_address }}"
+          id1:
+            match:
+              macaddress: "{{ cifmw_nat64_appliance_ipv6_mac_address }}"
+            addresses:
+              - "{{ cifmw_nat64_appliance_ipv6_address }}/{{ cifmw_nat64_network_ipv6_prefix }}"
+  ansible.builtin.include_role:
+    name: config_drive
+
+- name: "Define nat64-appliance VM"
+  community.libvirt.virt:
+    command: define
+    xml: "{{ lookup('template', 'domain.xml.j2') }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"
+
+- name: "Start VMs for type {{ vm_type }}"
+  community.libvirt.virt:
+    state: running
+    name: "{{ cifmw_nat64_appliance_name }}"
+    uri: "{{ cifmw_nat64_libvirt_uri }}"

roles/nat64_appliance/tasks/main.yml

@@ -29,7 +29,6 @@
     state: directory
     mode: "0755"
 
-
 - name: Install required RPM packages
   tags:
     - packages
@@ -61,9 +60,15 @@
     - "elements/"
     - nat64-appliance.yaml
 
+- name: Clone edpm-image-builder (reset-bls-entries dib element)
+  ansible.builtin.git:
+    repo: https://github.com/openstack-k8s-operators/edpm-image-builder.git
+    dest: "{{ cifmw_nat64_appliance_workdir }}/edpm-image-builder"
+    version: main
+
 - name: Build the nat64-appliance image using DIB
   environment:
-    ELEMENTS_PATH: "{{ cifmw_nat64_appliance_workdir }}/elements"
+    ELEMENTS_PATH: "{{ cifmw_nat64_appliance_workdir }}/elements:{{ cifmw_nat64_appliance_workdir }}/edpm-image-builder/dib/"
     DIB_IMAGE_CACHE: "{{ cifmw_nat64_appliance_workdir }}/cache"
   cifmw.general.ci_script:
     chdir: "{{ cifmw_nat64_appliance_workdir }}"

roles/nat64_appliance/templates/config-data.j2

@@ -0,0 +1,8 @@
+# The IPv6 ip subnet, for example: fd00:abcd:abcd:fc00::/64
+NAT64_IPV6_PREFIX={{ cifmw_nat64_ipv6_prefix }}
+
+# The IPv6 host address, for example: fd00:abcd:abcd:fc00::2
+NAT64_HOST_IPV6={{ cifmw_nat64_appliance_ipv6_address }}
+
+# The IPv6 address used for the tayga tun interface, for example: fd00:abcd:abcd:fc00::3
+NAT64_TAYGA_IPV6={{ cifmw_nat64_ipv6_tayga_address }}