summaryrefslogtreecommitdiffstats
path: root/docs/development/opnfvsecguide/introduction.rst
blob: ad80831977a3700312524efb49cfc04bf4525abb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Introduction
---------------

The OPNFV Security Guide is the collaborative work of many individuals,
involved in both the OPNFV Security Group and the wider OPNFV community.

The purpose of this guide is to provide the best practice security guidelines for
deploying the OPNFV platfornm. It is a living document that is updated as
new changes are merged into it's repository.

.. toctree::
   :maxdepth: 2

   introduction/background
   introduction/acknowledgements
-weight: bold } /* Name.Function.Magic */ .highlight .vc { color: #336699 } /* Name.Variable.Class */ .highlight .vg { color: #dd7700 } /* Name.Variable.Global */ .highlight .vi { color: #3333bb } /* Name.Variable.Instance */ .highlight .vm { color: #336699 } /* Name.Variable.Magic */ .highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */ }
---
- name: "Restart libvirt service"
  service: name="{{libvirt_service_name}}" state=restarted

# NOTE(Shrews) We need to enable ip forwarding for the libvirt bridge to
# operate properly with dnsmasq. This should be done before starting dnsmasq.
- name: "Enable IP forwarding in sysctl"
  sysctl:
    name: "net.ipv4.ip_forward"
    value: 1
    sysctl_set: yes
    state: present
    reload: yes

# NOTE(Shrews) Ubuntu packaging+apparmor issue prevents libvirt from loading
# the ROM from /usr/share/misc.
- name: "Look for sgabios in {{ sgabios_dir }}"
  stat: path={{ sgabios_dir }}/sgabios.bin
  register: test_sgabios_qemu

- name: "Look for sgabios in /usr/share/misc"
  stat: path=/usr/share/misc/sgabios.bin
  register: test_sgabios_misc

- name: "Place sgabios.bin"
  command: cp /usr/share/misc/sgabios.bin /usr/share/qemu/sgabios.bin
  when: >
    test_sgabios_qemu == false and
    test_sgabios_misc == true

# NOTE(TheJulia): In order to prevent conflicts, stop
# dnsmasq to prevent conflicts with libvirt restarting.
# TODO(TheJulia): We shouldn't need to do this, but the
# libvirt dhcp instance conflicts withour specific config
# and taking this path allows us to not refactor dhcp at
# this moment. Our DHCP serving should be refactored
# so we don't need to do this.
- name: "Stop default dnsmasq service"
  service:
    name: dnsmasq
    state: stopped
  ignore_errors: true

# NOTE(TheJulia): Seems if you test in a VM, this might
# be helpful if your installed your host originally
# with the default 192.168.122/0/24 network
- name: destroy libvirt network
  virt_net:
    name: "{{ vm_network }}"
    state: absent
    uri: "{{ vm_libvirt_uri }}"

- name: ensure libvirt network is present
  virt_net:
    name: "{{ vm_network }}"
    state: present
    xml: "{{ lookup('template', 'net.xml.j2') }}"
    uri: "{{ vm_libvirt_uri }}"

- name: find facts on libvirt networks
  virt_net:
    command: facts
    uri: "{{ vm_libvirt_uri }}"

# NOTE(pas-ha) yet another place where non-local libvirt will not work
- name: "Delete network interface if virtual network is not active"
  command: ip link del {{ ansible_libvirt_networks[vm_network].bridge }}
  when:
    - ansible_libvirt_networks[vm_network].state != 'active'
    - vm_libvirt_uri == 'qemu:///system'
  ignore_errors: yes

- name: set libvirt network to autostart
  virt_net:
    name: "{{ vm_network }}"
    autostart: yes
    uri: "{{ vm_libvirt_uri }}"

- name: ensure libvirt network is running
  virt_net:
    name: "{{ vm_network }}"
    state: active
    uri: "{{ vm_libvirt_uri }}"

- name: get libvirt network status
  virt_net:
    name: "{{ vm_network }}"
    command: status
    uri: "{{ vm_libvirt_uri }}"
  register: test_vm_net_status

- name: fail if libvirt network is not active
  assert:
    that: test_vm_net_status.status == 'active'

- name: define a libvirt pool if not set
  virt_pool:
    name: "{{ node_storage_pool }}"
    state: present
    uri: "{{ vm_libvirt_uri }}"
    xml: "{{ lookup('template', 'pool_dir.xml.j2') }}"

- name: ensure libvirt pool is running
  virt_pool:
    name: "{{ node_storage_pool }}"
    state: active
    autostart: yes
    uri: "{{ vm_libvirt_uri }}"

- name: create dir for bm logs
  file:
    state: directory
    path: "{{ node_logdir }}"
    recurse: yes
    mode: "0755"

- name: install virtualbmc
  pip:
    name: virtualbmc