Merge branch 'develop' into release/v1.9.0

lae · Sep 13, 2024 · a67997a · a67997a
2 parents f6cb915 + 32e92cb
commit a67997a
Show file tree

Hide file tree

Showing 8 changed files with 631 additions and 0 deletions.
diff --git a/.github/workflows/amplify.yml b/.github/workflows/amplify.yml
@@ -0,0 +1,22 @@
+---
+name: Amplify Security
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push:
+    branches: ["main"]
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  amplify-security-scan:
+    name: Amplify Security Scan
+    runs-on: ubuntu-latest
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Amplify Runner
+        uses: amplify-security/runner-action@v0.1.0
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,60 @@
+---
+name: CI
+
+"on":
+  pull_request: {}
+  push:
+    branches: ["main"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  vagrant-deploy:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - run: sudo apt install nfs-kernel-server
+      - run: sudo pipx inject ansible-core jmespath netaddr
+      - run: ansible-galaxy install geerlingguy.ntp
+      - name: setup vagrant
+        run: |
+          # Copyright The containerd Authors
+          # 
+          # Licensed under the Apache License, Version 2.0 (the "License");
+          # you may not use this file except in compliance with the License.
+          # You may obtain a copy of the License at
+          # 
+          #     http://www.apache.org/licenses/LICENSE-2.0
+          # 
+          # Unless required by applicable law or agreed to in writing, software
+          # distributed under the License is distributed on an "AS IS" BASIS,
+          # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+          # See the License for the specific language governing permissions and
+          # limitations under the License.
+          curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
+          echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
+          sudo sed -i 's/^# deb-src/deb-src/' /etc/apt/sources.list
+          sudo apt-get update
+          sudo apt-get install -y libvirt-daemon libvirt-daemon-system vagrant
+          sudo systemctl enable --now libvirtd
+          sudo usermod -aG libvirt ${USER}
+          sudo apt-get build-dep -y vagrant ruby-libvirt
+          sudo apt-get install -y --no-install-recommends libxslt-dev libxml2-dev libvirt-dev ruby-bundler ruby-dev zlib1g-dev
+          vagrant plugin install vagrant-libvirt
+      - run: >
+          sudo -E -u ${USER}
+          ANSIBLE_STDOUT_CALLBACK=debug
+          ANSIBLE_DISPLAY_SKIPPED_HOSTS=no
+          ANSIBLE_DISPLAY_OK_HOSTS=no
+          DEBIAN_FRONTEND=noninteractive
+          PATH=$PIPX_BIN_DIR:$PATH
+          vagrant up --no-tty || true
diff --git a/.yamllint.yml b/.yamllint.yml
@@ -0,0 +1,5 @@
+---
+yaml:
+  rules:
+    line-length:
+      max: 120
diff --git a/README.md b/README.md
@@ -218,6 +218,9 @@ of the `ops` group. Read the **User and ACL Management** section for more info.
 The backend needs to be supported by [Proxmox][pvesm]. Read the **Storage
 Management** section for more info.
 
+`pve_metric_servers` allows you to configure a metric server for the PVE cluster.
+This is useful if you want to use InfluxDB, Graphite or other (with telegraf).
+
 `pve_ssh_port` allows you to change the SSH port. If your SSH is listening on
 a port other than the default 22, please set this variable. If a new node is
 joining the cluster, the PVE cluster needs to communicate once via SSH.
@@ -386,6 +389,7 @@ pve_check_for_kernel_update: true # Runs a script on the host to check kernel ve
 pve_reboot_on_kernel_update: false # If set to true, will automatically reboot the machine on kernel updates
 pve_reboot_on_kernel_update_delay: 60 # Number of seconds to wait before and after a reboot process to proceed with next task in cluster mode
 pve_remove_old_kernels: true # Currently removes kernel from main Debian repository
+# pve_default_kernel_version: # version to pin proxmox-default-kernel to (see https://pve.proxmox.com/wiki/Roadmap#Kernel_6.8)
 pve_pcie_passthrough_enabled: false # Set this to true to enable PCIe passthrough.
 pve_iommu_passthrough_mode: false # Set this to true to allow VMs to bypass the DMA translation. This might increase performance for IOMMU passthrough.
 pve_iommu_unsafe_interrupts: false # Set this to true if your system doesn't support interrupt remapping.
@@ -420,6 +424,7 @@ pve_roles: [] # Added more roles with specific privileges. See section on User M
 pve_groups: [] # List of group definitions to manage in PVE. See section on User Management.
 pve_users: [] # List of user definitions to manage in PVE. See section on User Management.
 pve_storages: [] # List of storages to manage in PVE. See section on Storage Management.
+pve_metric_servers: [] # List of metric servers to configure in PVE.
 pve_datacenter_cfg: {} # Dictionary to configure the PVE datacenter.cfg config file.
 pve_domains_cfg: [] # List of realms to use as authentication sources in the PVE domains.cfg config file.
 pve_no_log: false # Set this to true in production to prevent leaking of storage credentials in run logs. (may be used in other tasks in the future)
@@ -835,6 +840,64 @@ Then system interrupt remapping is supported and you do not need to enable unsaf
 
 `pve_pcie_report_msrs` can be used to enable or disable logging messages of msrs warnings. If you see a lot of warning messages in your 'dmesg' system log, this value can be used to silence msrs warnings.
 
+## Metrics Server Configuration
+
+You can configure metric servers in Proxmox VE using the `pve_metric_servers` role variable. Below is an example configuration for different types of metric servers:
+
+```yaml
+pve_metric_servers:
+  - id: influxdb1
+    port: 8086
+    server: influxdb.example.com
+    type: influxdb
+    protocol: http
+    organization: myorg
+    bucket: mybucket
+    token: mytoken
+    timeout: 30
+    max_body_size: 25000000
+    verify_certificate: true
+  - id: graphite1
+    port: 2003
+    server: graphite.example.com
+    type: graphite
+    protocol: tcp
+    path: mygraphitepath
+    mtu: 1500
+```
+
+### Configuration Variables
+
+- `id`: (required) Unique identifier for the metric server.
+- `port`: (optional) Port of the metric server. Default is `8089`.
+- `server`: (required) DNS name or IP address of the metric server.
+- `type`: (optional) Type of metric server. Possible values: `influxdb`, `graphite`. Default is `influxdb`.
+- `protocol`: (optional) Protocol used to send metrics. Possible values: `udp`, `tcp`, `http`, `https`. Default is `udp`.
+- `disable`: (optional) Disable the metric server. Default is `false`.
+- `organization`: (optional) Organization name. Available only for influxdb with the http v2 API.
+- `bucket`: (optional) Bucket name for influxdb. Useful only with the http v2 API or compatible.
+- `token`: (optional) InfluxDB access token. Required only when using the http v2 API.
+- `path`: (optional) Graphite root path. Available only for graphite.
+- `api_path_prefix`: (optional) API path prefix inserted between `<host>:<port>/` and `/api2/`. Useful if the InfluxDB service is running behind a reverse proxy. Available only for influxdb with the http v2 API.
+- `timeout`: (optional) Timeout in seconds. Available only for influxdb with the http v2 API or Graphite TCP socket.
+- `max_body_size`: (optional) Maximum body size in bytes. Available only for influxdb with the http v2 API. Default is `25000000`.
+- `mtu`: (optional) MTU for UDP metric transmission.
+- `verify_certificate`: (optional) Verify SSL certificate. Available only for influxdb with https.
+
+## Non-default scenarios and other use cases
+
+### Preventing upgrade to Linux kernel 6.8
+
+Proxmox 8.2 introduces Linux 6.8, which may cause issues in some deployments.
+To work around this, you can pin the kernel version used to 6.5 by adding the following role variable:
+
+```yaml
+pve_default_kernel_version: 1.0.1
+```
+
+This creates a pin on the `proxmox-default-kernel` package, which is [the method suggested by PVE](https://pve.proxmox.com/wiki/Roadmap#Kernel_6.8).
+It can be later removed by unsetting this role variable.
+
 ## Developer Notes
 
 When developing new features or fixing something in this role, you can test out
@@ -878,6 +941,7 @@ John Marion ([@jmariondev](https://github.com/jmariondev))
 foerkede ([@foerkede](https://github.com/foerkede)) - ZFS storage support  
 Guiffo Joel ([@futuriste](https://github.com/futuriste)) - Pool configuration support  
 Adam Delo ([@ol3d](https://github.com/ol3d)) - PCIe Passthrough Support
+Antoine Thys ([@thystips](https://github.com/thystips)) - Metric Servers Support
 
 [Full list of contributors](https://github.com/lae/ansible-role-proxmox/graphs/contributors)
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -8,6 +8,7 @@ pve_check_for_kernel_update: true
 pve_reboot_on_kernel_update: false
 pve_reboot_on_kernel_update_delay: 60
 pve_remove_old_kernels: true
+# pve_default_kernel_version:
 pve_run_system_upgrades: false
 pve_run_proxmox_upgrades: true
 pve_pcie_passthrough_enabled: false
@@ -56,6 +57,7 @@ pve_groups: []
 pve_users: []
 pve_acls: []
 pve_storages: []
+pve_metric_servers: []
 pve_ssh_port: 22
 pve_manage_ssh: true
 pve_hooks: {}