Adds a nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that allows traffic on iifname "virbr-boma" in the inet filter input chain. Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs on the libvirt integration bridge. Mirrors docker_host's drop-in pattern. Molecule scenario updated to exercise only the firewall tasks (package install unavailable in the no-internet Docker container) via include_role tasks_from; verify asserts the drop-in renders the virbr-boma accept rule.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- defaults
- handlers
- meta
- molecule/default
- tasks
- templates
- README.md

integration_test
Installs the KVM/libvirt substrate on the control node (ubongo) so the agent
can boot throwaway Debian VMs for local integration testing (ADR-025).
This is a non-service role — no SECURITY/VERIFY/ACCESS/BACKUP files are required. It does not make ubongo a production hypervisor; it only provides the tooling needed to spin up short-lived test VMs (see ADR-015).
Target group
control (i.e. ubongo)
What it does
- Installs QEMU/KVM, libvirt daemon + clients, `virt-install`, and cloud-image tools (`cloud-image-utils`, `genisoimage`).
- Enables and starts `libvirtd`.
- Adds the configured users (`sjat`, `claude`) to the `libvirt` and `kvm` groups so VMs can be managed without `sudo`.
- Creates `/var/lib/boma-integration` (owned `root:libvirt`, mode `2775`) as the cache directory for golden images and overlays.

Defaults
| Variable | Default | Purpose |
|---|---|---|
| `integration_test__packages` | see `defaults/main.yml` | APT packages to install |
| `integration_test__users` | `[sjat, claude]` | Users granted libvirt/kvm access |
| `integration_test__cache_dir` | `/var/lib/boma-integration` | Image/overlay cache directory |