2017-02-14 08:58:59 +01:00
# proxmox - OUT of maintenance, please use the v4 - https://git.101010.fr/puppet/proxmox4
2015-01-06 08:55:34 +01:00
2015-01-19 14:40:17 +01:00
#### Table of Contents
1. [Overview ](#overview )
2. [Module Description ](#module-description )
3. [Setup ](#setup )
* [What Proxmox affects ](#what-proxmox-affects )
* [Beginning with Proxmox ](#beginning-with-proxmox )
4. [Usage ](#usage )
* [Hypervisor ](#hypervisor )
* [VM ](#vm )
5. [Reference ](#reference )
* [Classes ](#classes )
* [Defined types ](#defined-types )
* [Parameters ](#parameters )
2015-01-27 14:25:06 +01:00
6. [Other notes ](#other-notes )
7. [Limitations ](#limitations )
8. [Development ](#development )
9. [License ](#license )
2015-01-19 14:40:17 +01:00
2015-01-06 08:55:34 +01:00
## Overview
2015-01-26 16:45:36 +01:00
The proxmox module provide a simple way to manage Proxmox hypervisor and OpenVZ network's configuration with Puppet.
2015-01-06 08:55:34 +01:00
## Module Description
2015-01-07 11:51:34 +01:00
The proxmox module automates installing Proxmox on Debian systems.
2015-01-06 08:55:34 +01:00
## Setup
2015-01-19 14:40:17 +01:00
### What Proxmox affects:
2015-01-06 08:55:34 +01:00
2015-03-18 11:15:24 +01:00
* Package/service/configuration files for Proxmox.
* A new `sources.list` file for Proxmox.
* Proxmox's cluster (master and nodes).
2015-01-07 11:51:34 +01:00
* System repository
2015-03-18 11:15:24 +01:00
* The static table lookup for hostnames `hosts` .
2015-01-14 00:02:16 +01:00
* Users and group permissions for WebGUI.
2015-03-18 11:15:24 +01:00
* WebGUI's service (pveproxy).
2015-02-03 18:03:46 +01:00
* Kernel modules loaded at the boot time.
* OpenVZ's configuration file.
* OpenVZ's service.
* OpenVZ CT network's configuration.
2015-01-06 08:55:34 +01:00
2015-01-19 14:40:17 +01:00
### Beginning with Proxmox
2015-01-06 08:55:34 +01:00
2015-01-07 11:51:34 +01:00
To begin using proxmox module with default parameters, declare the hypervisor's class with `include proxmox::hypervisor` .
2015-01-06 08:55:34 +01:00
2015-01-07 11:51:34 +01:00
## Usage
2015-01-06 08:55:34 +01:00
2015-01-07 11:51:34 +01:00
### Hypervisor
2015-01-06 08:55:34 +01:00
2015-01-07 11:51:34 +01:00
```
2015-01-09 00:30:15 +01:00
include proxmox::hypervisor
2015-01-07 11:51:34 +01:00
```
2015-06-01 11:49:22 +02:00
**Note**: The module will NOT automatically reboot the system on the PVE Kernel. You will need to reboot it manually and start again the puppet agent.
2015-01-27 14:25:06 +01:00
#### KVM only
2015-01-06 08:55:34 +01:00
2015-01-08 23:02:50 +01:00
If you will use only KVM you can have a most recent kernel with:
```
class { 'proxmox::hypervisor':
kvm_only => true,
}
```
2015-01-27 14:25:06 +01:00
#### Disable additionnal modules
Disable all additionnal modules load at the boot time:
```
class { 'proxmox::hypervisor':
pve_modules_list => [ '' ],
}
```
2015-01-07 11:51:34 +01:00
2015-03-18 11:15:24 +01:00
#### Create a cluster full KVM (for Ceph)
```
node "pve_node" {
# Install an hypervisor full KVM
class { 'proxmox::hypervisor':
pveproxy_allow => '127.0.0.1,192.168.0.0/24',
kvm_only => true,
cluster_master_ip => '192.168.0.201',
cluster_name => 'DeepThought',
}
# Access to PVE Webgui
proxmox::hypervisor::group { 'sysadmin': role => "Administrator", users => [ 'marvin@pam', 'arthur@pam' ] }
# SSH authorized keys between all nodes without passphrase (the module generate a key if not present)
ssh_authorized_key { 'hyper01':
ensure => present,
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDQxnLaBlnujnByt3V7YLZv1+PTjREJ3hphZFdCVNs9ebED55/kEAPmtJzcq2OL7qk8PajvhpB7efuZAatKeCdhILpFBKRrCo/q3MsQUSyaHbrGKs8Kkpz0EBHp1Tgpd8i1+kF1EzVPqT/euNcI6cA3fyMrvdgTI25BwFt93A6bBpf4We7A0l0Ba2nCAs5ekWyKKLh54GO7KBHlMmIzboYpxwgnFcbb9UhuyUz2J6PSC0K+P+hdMXY4dFk/lPMEXLgve/TTPYpgDxgxWMUaobCanwBWcXkZ4MdJw2Qs6TQ0v+cOxX3ogr78w69naGB3joJ4ll31WA+Uo0mcZU3ylFj3',
type => 'ssh-rsa',
user => 'root',
options => 'from="192.168.0.201"',
}
ssh_authorized_key { 'hyper02':
ensure => present,
key => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCxJeQ1R1rhPoig4jZLA8/Haru3nhVMgvDgO7nIqpwuPkDrheINVHOAd+DyQF0I2MtAjzg9gKfyix/cJ0cWMbd6/FdSVJ39dGYtNG9/YwTBcQiYwT0xS4NgJHzKrYE9PH2HEmjTmzcDeZ/u+IZjhO3Kyy9yZKcOhwV6fD+mzjQb4S2zsy67R/aoySbZjuoZYHrBrfjc66WbPbLtsFXIXuk46N376Y5sX37Bj17HhDEdP/lc9v939SswW1RZ2t1mVAjsMdsyBULDZk5av6Uj//YT1KuZBmBWkp7nPp1yt2ANPPGAnEW3oYjzXJd56Xtf3d0nbHOdHvMmIiV9fZyRUATd',
type => 'ssh-rsa',
user => 'root',
options => 'from="192.168.0.202"',
}
# Verify the authenticity of each hosts (/etc/ssh/ssh_host_{rsa,ecdsa}_key.pub)
sshkey { 'hyper01':
ensure => present,
2015-05-13 17:16:37 +02:00
host_aliases => [ 'hyper01.domain.org', '192.168.42.201' ],
2015-03-18 11:15:24 +01:00
key => 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ3TC6B3+eVbohjk662FwM/1YUCjMwMT9lmZcNcfllF9Vm082lMXtKix20elUCK9yJDpPWvzFiqdyhgqPAeCNt4=',
target => '/root/.ssh/known_hosts',
type => 'ecdsa-sha2-nistp256',
}
sshkey { 'hyper02':
ensure => present,
2015-05-13 17:16:37 +02:00
host_aliases => [ 'hyper02.domain.org', '192.168.42.202' ],
2015-03-18 11:15:24 +01:00
key => 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEqUpnig3DIQVZEr3LxJCVEF/fl4n1s8LNuUUaLRueCW2ygzNBOv2m7O42K/Ok7aa4kjGaXbnneYXMw3wBULJ1U='
target => '/root/.ssh/known_hosts',
type => 'ecdsa-sha2-nistp256',
}
# If you don't have a DNS service, i recommend to have an entry for each nodes in the hosts file
host { 'hyper01':
name => "hyper01.${::domain}",
ensure => present,
ip => '192.168.42.201',
host_aliases => 'hyper01',
}
host { 'hyper02':
name => "hyper02.${::domain}",
ensure => present,
ip => '192.168.42.202',
host_aliases => 'hyper02',
}
}
node /hyper0[12]/ inherits "pve_node" {
}
```
Will create a Cluster Proxmox with name "Deepthought", the master will be "hyper01". You also can manage all ssh ressources (and host) manually on each nodes.
2015-01-07 11:51:34 +01:00
### VM
2015-01-26 16:45:36 +01:00
Only OpenVZ is supported right now but the vm's class will check-it by it self:
```
include proxmox::vm
```
#### proxmox::vm::openvz
Automatically call by the `proxmox::vm` class, it will manage network configuration, but only few configurations are possible:
* Only one Virtual Ethernet device (aka veth) and it will work with **DHCP** .
* If a veth is available, it will be the main network's interface (set the default gateway throught eth0).
* If a veth is available, only one Virtual Network device (aka venet) as chance to work (the first one), because all others routes will be flushed.
* If there are only venet: no changes.
2015-01-06 08:55:34 +01:00
## Reference
2015-01-07 11:51:34 +01:00
### Classes
* `proxmox` : Main class, do nothing right now.
* `proxmox::hypervisor` : Install the Proxmox hypervisor on the system.
2015-01-26 16:45:36 +01:00
* `proxmox::vm` : Manage virtual machines and containers.
2015-01-14 00:02:16 +01:00
### Defined types
* `proxmox::hypervisor::group` : Manage groups for Proxmox WebGUI and set permissions.
2015-01-17 19:05:25 +01:00
```
proxmox::hypervisor::group { 'sysadmin':
role => "Administrator",
users => [ 'user1@pam', 'toto@pve' ],
}
```
2015-01-14 19:43:52 +01:00
* `proxmox::hypervisor::user` : Manage user for Proxmox WebGUI.
2015-01-17 19:05:25 +01:00
```
proxmox::hypervisor::user { 'marvin':
group => 'sysadmin',
}
```
2015-01-14 19:43:52 +01:00
Mainly used by the `proxmox::hypervisor::group` defined type to create the group, permissions and also create/add the users to a group. Because to add a user to a group via this defined type, the group should already exist.
2015-01-14 00:02:16 +01:00
2015-01-08 23:02:50 +01:00
### Parameters
#### proxmox::hypervisor
* `ve_pkg_ensure` : What to set the Virtual Environnment package to. Can be 'present', 'absent' or 'version'. Defaults to 'present'.
* `ve_pkg_name` : The list of VirtualEnvironnment packages. Can be an array [ 'proxmox-ve-2.6.32', 'ksm-control-daemon', 'vzprocps', 'open-iscsi', 'bootlogd', 'pve-firmware' ].
* `kvm_only` : If set to 'true', Puppet will install a newer kernel compatible only with KVM. Accepts 'true' or 'false'. Defaults to 'false'.
2015-12-09 15:31:55 +01:00
* `kernel_kvm_pkg_name` : The list of packages to install the newer kernel. Can be an array [ 'pve-kernel-3.10.0-13-pve', '...' ].
* `kernel_pkg_name` : The list of packages to install a kernel compatible with both KVM and OpenVZ. Can be an array [ 'pve-kernel-2.6.32-43-pve', '...' ].
2015-01-08 23:02:50 +01:00
* `rec_pkg_name` : The list of recommended and usefull packages for Proxmox. Can be an array [ 'ntp', 'ssh', 'lvm2', 'bridge-utils' ].
* `old_pkg_ensure` : What to set useless packages (non recommended, previous kernel, ...). Can be 'present' or 'absent'. Defaults to 'absent'.
* `old_pkg_name` : The list of useless packages. Can be an array [ 'acpid', 'linux-image-amd64', 'linux-base', 'linux-image-3.2.0-4-amd64' ].
2015-01-09 09:50:01 +01:00
* `pve_enterprise_repo_ensure` : Choose to keep the PVE enterprise repository. Can be 'present' or 'absent'. Defaults to 'absent'.
2015-01-09 18:14:43 +01:00
* `pveproxy_default_path` : Path of the configuration file read by the PveProxy service. Defaults to '/etc/default/pveproxy'.
* `pveproxy_default_content` : Template file use to generate the previous configuration file. Default to 'proxmox/hypervisor/pveproxy_default.erb'.
* `pveproxy_allow` : Can be ip addresses, range or network; separated by a comma (example: '192.168.0.0/24,10.10.0.1-10.10.0.5'). Defaults to '127.0.0.1'.
* `pveproxy_deny` : Unauthorized IP addresses. Can be 'all' or ip addresses, range or network; separated by a comma. Defaults to 'all'.
* `pveproxy_policy` : The policy access. Can be 'allow' or 'deny'. Defaults to 'deny'.
2015-01-09 19:13:05 +01:00
* `pveproxy_service_name` : WebGUI's service name (replace Apache2 since v3.0). Defaults to 'pveproxy'.
* `pveproxy_service_manage` : If set to 'true', Puppet will manage the WebGUI's service. Can be 'true' or 'false'. Defaults to 'true'.
* `pveproxy_service_enabled` : If set to 'true', Puppet will ensure the WebGUI's service is running. Can be 'true' or 'false'. Defaults to 'true'.
2015-01-19 14:40:17 +01:00
* `pve_modules_list` : The list of additionnal modules to load at boot time.
* `pve_modules_file_path` : The configuration file that will contain the modules list. Defaults to '/etc/modules-load.d/proxmox.conf'.
2015-01-26 16:45:36 +01:00
* `pve_modules_file_content` : Template file used to generate the previous configuration file. Defaults to 'proxmox/hypervisor/proxmox_modules.conf.erb'.
2015-02-03 18:03:46 +01:00
* `vz_config_file_path` : Path of the main OpenVZ's configuration file. Defaults to '/etc/vz/vz.conf'.
* `vz_config_file_tpl` : Template file use to generate the OpenVZ's configuration file. Defaults to 'proxmox/hypervisor/vz.conf.erb'.
* `vz_iptables_modules` : If set to 'true', OpenVZ will share a list of iptables modules to the containers. Can be 'true' or 'false'. Defaults to 'true'.
* `vz_service_name` : The OpenVZ's service name. Defaults to 'vz'.
* `vz_service_manage` : If set to 'true', Puppet will manage the OpenVZ's service. Can be 'true' or 'false'. Defaults to 'true'.
* `vz_service_enabled` : If set to 'true', Puppet will ensure the OpenVZ's service is running. Can be 'true' or 'false'. Defaults to 'true'.
* `labs_firewall_rule` : If set to 'true', Puppet will set a iptable rule to allow WebGUI and VNC's port access. Can be 'true' or 'false'. Defaults to 'false'.
2015-03-18 11:15:24 +01:00
* `cluster_master_ip` : The ip address of the "master" node that will create the cluster. Must be an IP address. Defaults to 'undef'.
* `cluster_name` : The cluster's name. Defaults to 'undef'.
2015-01-26 16:45:36 +01:00
#### proxmox::vm
* `vm_interfaces_path` : The main network configuration's file. Defaults to '/etc/network/interfaces'.
* `vm_interfaces_content` : Template file used to generate the previous configuration file. Defaults to 'proxmox/vm/openvz_interfaces.erb'.
* `vm_interfaces_tail_path` : A second network configuration file that will be concatenated in the main. Defaults to '/etc/network/interfaces.tail'.
* `vm_interfaces_tail_content` : Template file used to generate the previous configuration file. Defaults to 'proxmox/vm/openzv_interfaces.tail.erb'.
* `network_service_name` : Network's service name. Defaults to 'networking'.
* `network_service_manage` : If set to 'true', Puppet will manage the network's service. Can be 'true' or 'false'. Defaults to 'true'.
* `network_service_enabled` : If set to 'true', Puppet will ensure the network's service is running. Can be 'true' or 'false'. Defaults to 'true'.
2015-01-08 23:02:50 +01:00
2015-01-27 14:25:06 +01:00
Other notes
-----------
By default `proxmox::hypervisor` comes with several modules kernel load at boot time. Mainly iptables's modules to allow it in the OpenVZ CT.
The default modules list:
* `iptable_filter`
* `iptable_mangle`
* `iptable_nat`
* `ipt_length` (=xt_length)
* `ipt_limit` (=xt_limit)
* `ipt_LOG`
* `ipt_MASQUERADE`
* `ipt_multiport` (=xt_multiport)
* `ipt_owner` (=xt_owner)
* `ipt_recent` (=xt_recent)
* `ipt_REDIRECT`
* `ipt_REJECT`
* `ipt_state` (=xt_state)
* `ipt_TCPMSS` (=xt_TCPMSS)
* `ipt_tcpmss` (=xt_tcpmss)
* `ipt_TOS`
* `ipt_tos`
* `ip_conntrack` (=nf_conntrack)
* `ip_nat_ftp` (=nf_nat_ftp)
* `xt_iprange`
* `xt_comment`
* `ip6table_filter`
* `ip6table_mangle`
* `ip6t_REJECT' `
See [hypervisor usage ](#hypervisor ) if you want to disable it or [parameters ](#parameters ) if you want to edit this list.
2015-01-07 11:51:34 +01:00
Limitations
-----------
2015-01-06 08:55:34 +01:00
2015-01-26 16:45:36 +01:00
This module will only work on Debian 7.x versions.
2015-01-06 08:55:34 +01:00
2015-01-07 11:51:34 +01:00
Development
-----------
2015-01-06 08:55:34 +01:00
2015-01-07 11:51:34 +01:00
Free to send contributions, fork it, ...
2015-01-06 08:55:34 +01:00
2015-01-07 11:51:34 +01:00
License
-------
2015-01-06 08:55:34 +01:00
2015-01-07 11:51:34 +01:00
WTFPL (http://wtfpl.org/)
2015-01-06 08:55:34 +01:00