| create_organisation | ||
| create_user | ||
| create_vm | ||
| delete_organisation | ||
| delete_user | ||
| delete_vm | ||
| download_images | ||
| get_linklocal_for_vm | ||
| manage_autostart | ||
| README.md | ||
Proxmox Management
This repo contains script used to manage a multi-tenant proxmox environment for the Reudnetz w.V.. These scripts were created beacuse the ansible modules lacked the necessary features.
This hacky solution will be replaced by a clean terraform abstraction !
Overview
We use users, groups, resource pools, and roles to build a multi-tenante proxmox instance.
Proxmox by design is not a "cloud native" hypervisor platform. Although it is possible to seperate users and resources from on another there is no way give users/organisations a quota of cpu,memory,disk from which they can assign virtual machines/containers to themselfs.
To overcome this limitation an admin creates those vms/containers and then attaches them read-only to the specific user/organisation.
Moving Parts
For our hypervisor setup we need to administrate two components:
- the hypervisor platform
- routing/switching
Currently there is no idempotent automation for the hypervisor platform. State changes can be done via scripts or the cli directly (or via the WebGUI of course).
The routing/switching side is fully automated. State changes are configured by modifying the vlan_vms.yml file.
Terminology
Our abstraction is based on these objects:
- users
- organisations
- vms
Users can be part of multiple organisations. Every vm is bound to a single organisation.
Proxmox Implementation
In proxmox we use a few more components to implement our abstraction:
- users
- groups (used as organisations)
- resource pools
- used to map permissions for groups
- acls
Under the (proxmox) hood our users (as in from our abstraction) are normal users. Organisations are abstracted via groups.
VMs and file-based storage are assigned to so called Resource pools.
We now map permissions for a specific organisation (group) to a specific resource pool. This seperates the resources and creates a multi-tenant platform.
There are WIP
Requirements
HOW TO USE THESE SCRIPTS IN AN PVE ENVIRONMENT. TBD
Create an Organisation
- create proxmox related objects
./create_organisation ${name}
Create a VM
prerequisites:
- there should be a organisation created for that vm
- you should have a list of
authorized_keysfor that organisation saved as a file on that node
- search for next useable vlan/vm-id in
vlan_vms.yml
- either use an old but freed id (block should be commented)
- or use next free one
- check that we have the newest images
grep debian download_images
ls /root/images
# execute ./download_images if script url does not match images directory
- create vm
./create_vm ${vmid} ${orga}-{vmname}-${vmid} ${orga}
./get_linklocal_for_vm ${vmid}
- add vlan configuration to
vlan_vms.ymland deploy ansible
vim vlan_vms.yml
[...] copy block or create new one - change prefixed accordingly
[...] enter ll for v6 prefix
# deploy routers/switches
ansible-playbook -CD cores.yml -l cores,core_switches
ansible-playbook -D cores.yml -l cores,core_switches
# deploy hyperjump
ansible-playbook -CD vms.yml -l hyperjump
ansible-playbook -D vms.yml -l hyperjump
- configure cloud-init settings for vm
qm set ${vmid} --ipconfig0 "ip=${v4-cidr},gw=${v4-gw},ip6=${v6-prefix},gw6=fe80::1"
qm set ${vmid} --sshkeys ${path_to_authorized_keys}
- change vm specifications to order
# increase memory / cpu
qm set ${vmid} -memory 8192 --cores 4
# add more storage
# use customer-disks on hyper01 and hyper03
# use customer-disks-slow on hyper02 (dedicated sata ssd pool with more space but less bandwith)
qm set ${vmid} --virtio1 customer-disks-slow:250,iothread=1,discard=on
- start vm
qm start ${vmid}
- check reachability of vm
ping6 ${v6prefix}
nc ${v6prefix} 22
- notify customer
vmid: ${vmid}
vmname: ${vmname}
user: debian
authentication: key based auth only
v4: ${v4-cidr}
v4gw: ${v4-gw}
v6: ${v6-prefix}
v6gw: fe80::1
v6 reachable from everywhere - v4 only inside the reudnetz
ssh reverse proxy (for v4 access only) available via: ssh -p 2${vmid} <user>@hyperjump.reudnetz.org
best effort service - expect downtimes - backup your stuff !
Destroy a VM
commands need to be executed on node where vm resides
- schedule removal of replicated storage (if configured)
pvesr list | grep ${vmid}
pvesr delete ${vmid}-${replication_id}
echo wait till removal is complete - check with pvesr list
- remove vm
qm shutdown ${vmid}
qm destroy --purge 1 ${vmid}
- remove vms from
vlan_vms.ymland deploy
vim vlan_vms.yml
[...]
# remove router and switch config
ansible-playbook -CD cores.yml -l cores,core_switches
ansible-playbook -D cores.yml -l cores,core_switches
# remove ssh reverse proxy config
ansible-playbook -CD vms.yml -l hyperjump
ansible-playbook -D vms.yml -l hyperjump
Destroy User
./delete_user ${username}@pve
Destroy organisation
- remove orga and associated objects from proxmox cluster
./delete_organisation ${org}
- destroy remaining zfs volumes on other nodes
# execute on all pve nodes
zfs destroy -r rpool/customer/${orga}-images
Add/Remove user from organisation
- check which groups the user currently belongs to
pveum group list | grep ${user}@pve
- change groups memberships
# add to group
pveum user modify ${user}@pve --groups ${currentgroups},${new_group}
# remove from group
pveum user modify ${user}@pve --groups ${groups-without-other-group}