ansible/infra-automation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5ba666dfbf1d3aa485a10f3d179215205c755333
infra-automation/cheatsheets/test-deploy-linux-vm-role.md
Infrastructure Team 5ba666dfbf Add quick reference cheatsheets for all playbooks 
Cheatsheets created:
- deploy-debian12-vm.md - Basic Debian 12 deployment reference
- deploy-debian-lvm-netinst.md - Network installer with native LVM
- deploy-linux-vm.md - Multi-distribution quick reference
- deploy-linux-vm-lvm.md - Multi-distro with post-config LVM
- deploy-linux-vm-role.md - Role-based deployment guide
- test-deploy-linux-vm-role.md - Testing and validation procedures

Each cheatsheet includes:
- Quick deployment commands
- Variable reference tables
- Tag-based execution examples
- Post-deployment verification steps
- LVM management commands (where applicable)
- Troubleshooting procedures
- Security validation steps
- VM management commands
2025-11-10 22:52:11 +01:00

414 lines
11 KiB
Markdown
Raw Blame History

# Test Deploy Linux VM Role - Quick Reference
## Playbook
`plays/test-deploy-linux-vm-role.yml`
## Description
Test playbook for the `deploy_linux_vm` role. Deploys a Debian 12 test VM with full LVM configuration and SSH hardening (GSSAPI disabled) to validate role functionality.
## Quick Test
### Run Full Test
```bash
ansible-playbook plays/test-deploy-linux-vm-role.yml
```
### Test with Different Distribution
```bash
# Test with Ubuntu
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=ubuntu-22.04"
# Test with AlmaLinux
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=almalinux-9"
```
### Test with Custom Resources
```bash
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_vcpus=4" \
-e "deploy_linux_vm_memory_mb=4096"
```
## Test Configuration
### Default Test Settings
```yaml
VM Name: test-lvm-vm
Hostname: test-lvm
Distribution: debian-12
vCPUs: 2
Memory: 2048 MB
Disk: 20 GB
LVM: Enabled (30GB on /dev/vdb)
```
### Features Being Tested
✅ LVM configuration (CLAUDE.md compliant)
✅ SSH hardening (GSSAPI disabled)
✅ Multi-distribution support
✅ Security features (Firewall, SELinux/AppArmor, Audit)
✅ Automatic updates
✅ Cloud-init provisioning
## Test Execution Flow
### 1. Pre-flight Validation
- Checks if test VM already exists
- Validates distribution support
- Verifies virtualization capabilities
### 2. VM Deployment (~2-3 minutes)
- Downloads cloud image (if not cached)
- Creates primary disk (20GB)
- Creates LVM disk (30GB on /dev/vdb)
- Generates cloud-init with security hardening
- Deploys VM with both disks
### 3. LVM Configuration (~3-5 minutes)
- Installs LVM packages
- Creates vg_system volume group
- Creates 8 logical volumes
- Formats filesystems
- Migrates existing data
- Updates /etc/fstab
### 4. Validation
- Verifies VM is running
- Checks SSH connectivity
- Validates LVM configuration
- Confirms security features
### Total Test Time: ~5-8 minutes
## Post-Test Verification
### Get Test VM Information
```bash
# Get IP address
ssh grokbox "virsh domifaddr test-lvm-vm"
# SSH to test VM
ssh -J grokbox ansible@<VM_IP>
```
### Verify LVM Configuration
```bash
# Check LVM status
ssh -J grokbox ansible@<VM_IP> "sudo pvs && sudo vgs && sudo lvs"
# Expected output:
# VG: vg_system
# PV: /dev/vdb (30.00g)
# LVs: lv_opt, lv_tmp, lv_home, lv_var, lv_var_log, lv_var_tmp, lv_var_audit, lv_swap
```
### Verify SSH Hardening
```bash
# Check GSSAPI is disabled
ssh -J grokbox ansible@<VM_IP> "sudo sshd -T | grep -i gssapi"
# Expected output:
# gssapiauthentication no
# gssapicleanupcredentials no
```
### Verify Security Features
```bash
# Check firewall (Debian)
ssh -J grokbox ansible@<VM_IP> "sudo ufw status"
# Check SELinux (RHEL - if testing RHEL family)
ssh -J grokbox ansible@<VM_IP> "getenforce"
# Expected: Enforcing
```
### Reboot and Verify LVM Mounts
```bash
# Reboot test VM
ssh -J grokbox ansible@<VM_IP> "sudo reboot"
# Wait ~1 minute, then verify all mounts
ssh -J grokbox ansible@<VM_IP> "df -h && lsblk"
# Check all LVM volumes are mounted
ssh -J grokbox ansible@<VM_IP> "mount | grep vg_system"
```
## Tag-Based Testing
### Test Specific Components
```bash
# Test pre-flight validation only
ansible-playbook plays/test-deploy-linux-vm-role.yml --tags validate,preflight
# Test VM deployment only (skip LVM)
ansible-playbook plays/test-deploy-linux-vm-role.yml --skip-tags lvm
# Test LVM configuration only (if VM exists)
ansible-playbook plays/test-deploy-linux-vm-role.yml --tags lvm,post-deploy
# Test cloud-init generation only
ansible-playbook plays/test-deploy-linux-vm-role.yml --tags cloud-init
```
## Test Validation Checklist
Complete this checklist to validate test success:
### Basic Functionality
- [ ] Playbook completes without errors
- [ ] VM created: `virsh list | grep test-lvm-vm`
- [ ] IP assigned: `virsh domifaddr test-lvm-vm`
- [ ] SSH accessible: `ssh -J grokbox ansible@<VM_IP>`
### LVM Configuration
- [ ] Physical volume exists: `sudo pvs` shows /dev/vdb
- [ ] Volume group created: `sudo vgs` shows vg_system
- [ ] All 8 LVs created: `sudo lvs` shows all volumes
- [ ] Filesystems formatted: `lsblk -f` shows ext4/swap
- [ ] Fstab updated: `cat /etc/fstab | grep vg_system`
- [ ] After reboot, all mounted: `df -h | grep vg_system`
### SSH Security
- [ ] GSSAPI disabled: `sudo sshd -T | grep gssapiauthentication` shows "no"
- [ ] GSSAPI cleanup disabled: `sudo sshd -T | grep gssapicleanupcredentials` shows "no"
- [ ] Root login disabled: `sudo sshd -T | grep permitrootlogin` shows "no"
- [ ] Password auth disabled: `sudo sshd -T | grep passwordauthentication` shows "no"
- [ ] Key-based auth works: SSH connection successful
### Security Features
- [ ] Firewall enabled: `sudo ufw status` (Debian) or `sudo firewall-cmd --state` (RHEL)
- [ ] Audit daemon running: `systemctl status auditd`
- [ ] Time sync active: `chronyc tracking`
- [ ] SELinux enforcing (RHEL): `getenforce` shows "Enforcing"
### System Health
- [ ] Cloud-init complete: `cloud-init status` shows "done"
- [ ] System updated: Package updates applied during cloud-init
- [ ] No errors in logs: Check `/var/log/cloud-init-output.log`
- [ ] Swap active: `free -h | grep Swap` shows non-zero
## Cleanup After Testing
### Delete Test VM
```bash
# Stop and remove test VM
ssh grokbox "virsh destroy test-lvm-vm"
ssh grokbox "virsh undefine test-lvm-vm --remove-all-storage"
# Verify removal
ssh grokbox "virsh list --all | grep test-lvm-vm"
# Should return nothing
```
### Clean Test Files
```bash
# On hypervisor, remove any temporary files
ssh grokbox "rm -f /tmp/cloud-init-test-lvm-vm/*"
ssh grokbox "rm -f /tmp/*-CHECKSUM"
```
## Testing Different Distributions
### Test Debian Family
```bash
# Debian 12
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=debian-12" \
-e "deploy_linux_vm_name=test-debian12"
# Ubuntu 22.04
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=ubuntu-22.04" \
-e "deploy_linux_vm_name=test-ubuntu22"
```
### Test RHEL Family
```bash
# AlmaLinux 9
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=almalinux-9" \
-e "deploy_linux_vm_name=test-alma9"
# Rocky Linux 9
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=rocky-9" \
-e "deploy_linux_vm_name=test-rocky9"
```
## Troubleshooting Tests
### Test Fails at Pre-flight
```bash
# Check if test VM already exists
ssh grokbox "virsh list --all | grep test-lvm-vm"
# If exists, delete it
ssh grokbox "virsh destroy test-lvm-vm"
ssh grokbox "virsh undefine test-lvm-vm --remove-all-storage"
# Re-run test
ansible-playbook plays/test-deploy-linux-vm-role.yml
```
### LVM Configuration Fails
```bash
# Check if second disk is attached
ssh grokbox "virsh domblklist test-lvm-vm"
# Should show both:
# - test-lvm-vm.qcow2 (primary)
# - test-lvm-vm-lvm.qcow2 (LVM disk)
# Verify disk visibility on VM
ssh -J grokbox ansible@<VM_IP> "lsblk"
# Should show vda (20G) and vdb (30G)
```
### SSH Connection Issues
```bash
# Check VM is running
ssh grokbox "virsh list | grep test-lvm-vm"
# Get IP again
ssh grokbox "virsh domifaddr test-lvm-vm"
# Test with verbose SSH
ssh -vvv -J grokbox ansible@<VM_IP>
# Check SSH service on VM (via console)
ssh grokbox "virsh console test-lvm-vm"
```
### GSSAPI Still Enabled
```bash
# Check SSH config file was created
ssh -J grokbox ansible@<VM_IP> "ls -la /etc/ssh/sshd_config.d/"
# View security config
ssh -J grokbox ansible@<VM_IP> "cat /etc/ssh/sshd_config.d/99-security.conf"
# Restart SSH service
ssh -J grokbox ansible@<VM_IP> "sudo systemctl restart sshd"
# Test again
ssh -J grokbox ansible@<VM_IP> "sudo sshd -T | grep gssapi"
```
## Continuous Testing
### Automated Test Suite
Create a test script for continuous validation:
```bash
#!/bin/bash
# test-role.sh
DISTRIBUTIONS=(
"debian-12"
"ubuntu-22.04"
"almalinux-9"
"rocky-9"
)
for distro in "${DISTRIBUTIONS[@]}"; do
echo "Testing $distro..."
ansible-playbook plays/test-deploy-linux-vm-role.yml \
-e "deploy_linux_vm_os_distribution=$distro" \
-e "deploy_linux_vm_name=test-$distro"
if [ $? -eq 0 ]; then
echo "$distro test PASSED"
# Cleanup
ssh grokbox "virsh destroy test-$distro && virsh undefine test-$distro --remove-all-storage"
else
echo "$distro test FAILED"
exit 1
fi
done
echo "All tests completed successfully!"
```
## Expected Test Output
Successful test execution should show:
```
PLAY [Test Deploy Linux VM Role] ***********************************
TASK [Gathering Facts] *********************************************
ok: [grokbox]
...
TASK [deploy_linux_vm : Display LVM configuration summary] ********
ok: [grokbox] => {
"msg": [
"=== LVM Configuration Complete ===",
"Volume Group: vg_system",
"Physical Volume: /dev/vdb (30GB)",
"Logical Volumes: 8",
"",
"⚠️ IMPORTANT: VM needs reboot to use new mounts",
"After reboot, LVM volumes will be mounted automatically"
]
}
TASK [Display test completion message] *****************************
ok: [grokbox] => {
"msg": [
"╔════════════════════════════════════════════════════════════════╗",
"║ Role Test Completed Successfully ║",
"╚════════════════════════════════════════════════════════════════╝",
"",
"VM deployed with:",
" ✓ LVM Configuration (CLAUDE.md compliant)",
" ✓ SSH Hardening (GSSAPI disabled)",
" ✓ Security Features (Firewall, Audit, Auto-updates)",
" ✓ Multi-distribution support",
"",
"Next steps:",
" 1. SSH to VM: ssh -J grokbox ansible@192.168.122.X",
" 2. Verify GSSAPI: sudo sshd -T | grep -i gssapi",
" 3. Check LVM: sudo vgs && sudo lvs",
" 4. Reboot for LVM: sudo reboot",
" 5. After reboot verify: df -h && lsblk"
]
}
PLAY RECAP *********************************************************
grokbox: ok=X changed=Y unreachable=0 failed=0 skipped=Z
```
## Test Documentation
This test validates:
1. **Role Structure**: Proper task organization and variable handling
2. **Multi-Distribution**: Works across Debian, Ubuntu, RHEL families
3. **LVM Implementation**: Creates CLAUDE.md compliant LVM layout
4. **SSH Security**: GSSAPI disabled, key-only authentication
5. **Security Hardening**: Firewall, SELinux/AppArmor, audit daemon
6. **Cloud-Init**: Proper provisioning and package installation
7. **Idempotency**: Can be re-run without errors
## Related Documentation
- Role README: `roles/deploy_linux_vm/README.md`
- Role cheatsheet: `cheatsheets/deploy-linux-vm-role.md`
- CLAUDE.md: Infrastructure requirements
- Test playbook: `plays/test-deploy-linux-vm-role.yml`
## Support
For test failures:
- Check playbook output for specific error messages
- Review role tasks: `roles/deploy_linux_vm/tasks/`
- Check VM logs: `/var/log/cloud-init-output.log`
- Verify hypervisor resources: disk space, memory
- Consult role README for detailed troubleshooting
Reference in New Issue View Git Blame Copy Permalink