copr-hypervisor / p09: add nbde handling in rdu3

This adds network block device encryption to the 3 (so far) power9's in rdu3. This will allow them to unlock encrypted partitions from our tang server(s). Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-03-20 03:57:02 +08:00 · 2025-10-21 13:46:06 -07:00
parent 4935051cab
commit d2b4bbd372
4 changed files with 21 additions and 0 deletions
--- a/inventory/host_vars/vmhost-p09-copr02.rdu3.fedoraproject.org
+++ b/inventory/host_vars/vmhost-p09-copr02.rdu3.fedoraproject.org
@@ -21,6 +21,7 @@ mac6: ac:1f:6b:a5:4e:f4
 mac7: ac:1f:6b:a5:4e:f5
 mac8: ac:1f:6b:a5:4e:f6
 mac9: ac:1f:6b:a5:4e:f7
+nbde: true
 libvirt_host: "[{{ br0_ipv6_ip }}]"
 libvirt_pool: vmhost_p09_02
 libvirt_pool_order_id: 7
--- a/inventory/host_vars/vmhost-p09-copr03.rdu3.fedoraproject.org
+++ b/inventory/host_vars/vmhost-p09-copr03.rdu3.fedoraproject.org
@@ -21,6 +21,7 @@ mac6: ac:1f:6b:8a:9a:30
 mac7: ac:1f:6b:8a:9a:31
 mac8: ac:1f:6b:8a:9a:32
 mac9: ac:1f:6b:8a:9a:33
+nbde: true
 libvirt_host: "[{{ br0_ipv6_ip }}]"
 libvirt_pool: vmhost_p09_03
 libvirt_pool_order_id: 8
--- a/inventory/host_vars/vmhost-p09-copr04.rdu3.fedoraproject.org
+++ b/inventory/host_vars/vmhost-p09-copr04.rdu3.fedoraproject.org
@@ -21,6 +21,7 @@ mac6: ac:1f:6b:a4:e3:b0
 mac7: ac:1f:6b:a4:e3:b1
 mac8: ac:1f:6b:a4:e3:b2
 mac9: ac:1f:6b:a4:e3:b3
+nbde: true
 libvirt_host: "[{{ br0_ipv6_ip }}]"
 libvirt_pool: vmhost_p09_04
 libvirt_pool_order_id: 9
--- a/playbooks/groups/copr-hypervisor.yml
+++ b/playbooks/groups/copr-hypervisor.yml
@@ -14,6 +14,22 @@
      tags: always
    - import_tasks: "{{ tasks_path }}/yumrepos.yml"

+  - name: override nbde_client-network-flush to work around bug
+    ansible.builtin.copy:
+      src: "{{ files }}/common/nbde_client-network-flush"
+      dest: /usr/bin/nbde_client-network-flush
+      owner: root
+      group: root
+      mode: 755
+
+  - name: tell NetworkManager we don't want any auto connections
+    ansible.builtin.copy:
+      src: "{{ files }}/common/noautodefault.conf"
+      dest: /etc/NetworkManager/conf.d/noautodefault.conf
+      owner: root
+      group: root
+      mode: 644
+
  tasks:
    - import_role: name=base
    - import_role: name=hosts
@@ -23,6 +39,8 @@
    - import_role: name=zabbix/zabbix_agent
    - import_role: name=ipa/client
    - import_role: name=copr/hypervisor
+    - { import_role: linux-system-roles.nbde_client, tags: ['nbde_client'], when: (nbde|bool) }
+

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"