Adds an nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that allows traffic on iifname "virbr-boma" in the inet filter input chain. Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs on the libvirt integration bridge. Mirrors docker_host's drop-in pattern. Molecule scenario updated to exercise only the firewall tasks (package install is unavailable in the no-internet Docker container) via include_role tasks_from; verify asserts that the drop-in renders the virbr-boma accept rule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
# integration_test — installs the local KVM/libvirt substrate on the control node
# (ubongo) so the agent can run throwaway VM integration tests (ADR-025). Non-service
# role; applied to the `control` group. Not a production hypervisor (ADR-015).
integration_test__packages:
- qemu-system-x86 # KVM
- qemu-utils # qemu-img (overlays)
- libvirt-daemon-system
- libvirt-clients # virsh
- virt-install # virt-install (trixie: the real pkg; `virtinst` is transitional)
- cloud-image-utils # cloud-localds (NoCloud seed)
- genisoimage # cloud-localds fallback
# Users granted libvirt/kvm access (run VMs without sudo).
integration_test__users:
- sjat
- claude
# Where the golden image + overlays live (outside the repo).
integration_test__cache_dir: "/var/lib/boma-integration"
# nftables drop-in dir — must match base__firewall_dropin_dir (base role default: /etc/nftables.d)
integration_test__nftables_dropin_dir: /etc/nftables.d
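Review bot: `integration_test__nftables_dropin_dir: /etc/nftables.d` hard-codes the value that the comment directly above it says must match `base__firewall_dropin_dir`; if base's directory is overridden in inventory, the drop-in is written to a directory nftables never includes, the virbr-boma accept rule silently never loads, and base's default-deny keeps dropping the VMs' DHCP/DNS with nothing in the play to say so. Referencing the base variable keeps the two in sync: `integration_test__nftables_dropin_dir: "{{ base__firewall_dropin_dir | default('/etc/nftables.d') }}"`, and the value then deserves quoting like `integration_test__cache_dir` above. The drop-in template itself is not in this section; the description says it accepts all traffic on iifname "virbr-boma" in the input chain, which is broader than the DHCP/DNS the fix needs, so if that is what the template does, consider restricting the accept to those services so a VM on the bridge cannot reach every host listener that base otherwise denies.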