In order to fully automate host provisioning, we need to eliminate the
manual step of adding hosts to the Ansible inventory. Ansible has had
the _community.libvirt.libvirt_ inventory plugin for quite a while, but
by itself it is insufficient, as it has no way to add hosts to groups
dynamically. It does expose the domain XML, but parsing that and
extracting group memberships from that using Jinja templates would be
pretty terrible. Thus, I decided the easiest and most appropriate
option would be to develop my own dynamic inventory plugin.
* Supports multiple _libvirt_ servers
* Can connect to the read-only _libvirt_ socket
* Can optionally exclude VMs that are powered off
* Can exclude VMs based on their operating system (if the _libosinfo_
metadata is specified in the domain metadata)
* Can add hosts to groups as specified in the domain metadata
* Exposes guest info as inventory host variables (requires QEMU guest
agent running in the VM and does not work with a read-only _libvirt_
connection)
[ARA Records Ansible][0] is a web-based reporting tool for Ansible. It
consists of a callback plugin that submits task/playbook results to an
HTTP API and a browser GUI to display them.
[0]: https://ara.recordsansible.org/
This plugin sends a notification using _ntfy_ whenever a playbook
fails. This will be useful especially for automated deployments when
the playbook was not launched manually.
For some reason, Ansible developers felt like it was important that
users name their host groups according to Python identifier naming
conventions. This prevents, among other things, hyphens from being used
in group names. Luckily, this ridiculous behavior is configurable.
Newer versions of ansible no longer require a single top-level temporary
directory per user, as each run creates its own. Combined with the weird
random failures on *dc0.pyrocufflink.blue* that prevent Jenkins from
using Ansible occasionally, it's better to just let Ansible create its
own temporary directory directly in `/var/tmp` and clean up after itself
when it finishes.
Apparently, the `vault_password_file` setting in `ansible.cfg` overrides
the `--vault-password-file` command-line argument, which breaks the
Jenkins `ansiblePlaybook` task.
Many hosts (should) have `/tmp` mounted with the `noexec` flag, which
prevents Ansible modules written there from running. To work around
this, the `remote_tmp` configuration option should be set to a path
under `/var/tmp`, which is not mounted noexec.
Encrypting the vault password with GPG protects the key when stored on
disk and allows it to be accessed non-interactively, as long as the
GnuPG agent is set up correctly.
Dustin