Adds an nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that allows traffic on iifname "virbr-boma" in the inet filter input chain. Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs on the libvirt integration bridge. Mirrors docker_host's drop-in pattern. Molecule scenario updated to exercise only the firewall tasks (package install is unavailable in the no-internet Docker container) via include_role tasks_from; verify asserts that the drop-in renders the virbr-boma accept rule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
# Role entry point for the KVM/libvirt integration-test substrate.
# Task order: packages -> service -> group membership -> cache dir -> firewall.

- name: Install the KVM/libvirt substrate
  tags:
    - packages
  ansible.builtin.apt:
    # Package list comes from role vars (integration_test__packages).
    name: '{{ integration_test__packages }}'
    state: present
    # Refresh the apt index unless it was refreshed within the last 3600 s.
    update_cache: true
    cache_valid_time: 3600

- name: Enable and start libvirtd
  tags:
    - config
  ansible.builtin.systemd:
    name: libvirtd
    enabled: true
    state: started

- name: Grant users libvirt + kvm access
  tags:
    - users
  # One iteration per entry of integration_test__users.
  loop: '{{ integration_test__users }}'
  ansible.builtin.user:
    name: '{{ item }}'
    # append: true adds these groups without dropping the user's existing ones.
    append: true
    groups:
      - libvirt
      - kvm
  # NOTE(review): libvirt/kvm membership is a privileged grant (it gives access
  # to the system libvirtd socket and /dev/kvm); keep integration_test__users
  # limited to accounts that genuinely need it.

- name: Create the integration cache dir
  tags:
    - config
  ansible.builtin.file:
    path: '{{ integration_test__cache_dir }}'
    state: directory
    owner: root
    group: libvirt
    # Quoted so YAML does not read the octal mode as an integer; the leading 2
    # is the setgid bit, so files created inside inherit group libvirt.
    mode: '2775'

# Static import: firewall.yml is spliced in at parse time. No tags are set on
# the import itself, so tag-filtered runs (e.g. --tags config) only reach those
# tasks if firewall.yml tags them internally -- confirm against that file.
- name: Import firewall tasks
  ansible.builtin.import_tasks: firewall.yml