Ansible KVM Router Lab Part 1
date: 2021-10-16
Introduction
This is a multi-part series of blog posts on building a router lab automatically with a set of bash scripts and ansible.
The goal is to be able to quickly stand up a router lab for experimenting with iptables, or whatever else you want to use for routing or firewalling.
This is also, for myself, an opportunity to learn ansible.
In Ansible KVM Router Lab Part 2, I break down the script build_vms.bash.
In Ansible KVM Router Lab Part 3, I explain define_bridge_networks.bash and shutdown_vms.bash scripts which are used to construct the lab.
In Ansible KVM Router Lab Part 4, I explain connect_vms_to_bridges.bash, start_vms.bash, and rebuild_known_hosts.bash scripts which are used to construct the lab.
In Ansible KVM Router Lab Part 5, I explain the ansible playbook tasks used to finish building the lab.
In Ansible KVM Router Lab Part 6, I explain disconnect_vms_from_bridges.bash, undefine_and_remove_vms.bash, and remove_bridge_networks which are used to destroy the lab.
Networking
I begin by setting up a new network in libvirt, which will serve as an out-of-band network for connecting to the lab virtual machines. This is covered in a previous blog post.
Overview
The lab consists of seven virtual machines.
I begin by creating a base Debian 11 virtual machine called dnet by connecting to my physical server using virt-manager.
After creating a base virtual machine, the next step is to create a clone from which to work. I call this machine dcon.
The client clones consist of 5 virtual machines named dnetone through dnetfive. Once set up, all five virtual machines are reachable through the out-of-band network.
But there are also two bridge networks connecting the client clones to each other. The first and second clones are connected to each other on the upper bridge network, with the first clone acting as a router for the second. The second, third, fourth, and fifth clones are connected to each other on the lower bridge network, with the second clone acting as a router for the third, fourth, and fifth clones. Traffic from the second clone will go through the first clone to reach the internet, and traffic from the third, fourth, and fifth clones will go through the second clone and then through the first clone to reach the internet.
DHCP is handled by dnsmasq on the first clone and the second clone.
Resources
For ansible I used the ansible documentation.
This blog post by Brian Linkletter is also really helpful.
Control Node Setup
- Create a control node by cloning the base virtual machine.
virt-clone --original dnet --name dcon --auto-clone
- Configure the ansible inventory location
# ~/.ansible.cfg
[defaults]
inventory = ~/router-lab/ansible/hosts.yml
- Set up bashrc
# ~/.bashrc
export LIBVIRT_DEFAULT_URI="qemu+ssh://<user>@<server>/system"
alias ansible-pb=anspb
anspb() {
  ANS_DIR=~/router-lab/ansible/playbooks
  echo Changing to "${ANS_DIR}" and executing: ansible-playbook "${@}"
  # run in a subshell so the caller's working directory is unchanged
  (cd "${ANS_DIR}" || exit ; ansible-playbook "${@}")
}
- Configure Vim or similar for editing bash and python
- Install apps
apt install ansible ansible-lint libvirt-clients
apt install --no-install-recommends virtinst
The control node needs root ssh access to the base virtual machine so that it will have root ssh access to the clones.
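The inventory file referenced from ~/.ansible.cfg above can encode the topology from the Overview directly. This is an added example, not the post's own hosts.yml: the host names and router/client roles come from the post, while ansible_user and the upstream_router variable are assumptions.

```yaml
# ~/router-lab/ansible/hosts.yml (added example, not the post's own file)
# Groups mirror the two bridge networks; dnetone and dnettwo are the
# routers (and dnsmasq DHCP servers) described in the Overview.
# ansible_user and upstream_router are assumed names, not from the post.
all:
  vars:
    ansible_user: root            # control node has root ssh access to the clones
  children:
    routers:                      # clones that forward traffic and run dnsmasq
      hosts:
        dnetone: {}               # routes for dnettwo; upstream of the whole lab
        dnettwo:
          upstream_router: dnetone
    clients:                      # clones that only consume routing
      hosts:
        dnetthree:
          upstream_router: dnettwo
        dnetfour:
          upstream_router: dnettwo
        dnetfive:
          upstream_router: dnettwo
    upper_bridge:                 # first bridge network
      hosts:
        dnetone:
        dnettwo:
    lower_bridge:                 # second bridge network
      hosts:
        dnettwo:
        dnetthree:
        dnetfour:
        dnetfive:
```

`ansible-inventory --graph` shows the resulting group tree, and `ansible all -m ping` confirms that every clone is reachable as root over the out-of-band network before any playbook runs.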
To Be Continued
In the next blog post, Ansible KVM Router Lab Part 2, I begin breaking down the bash scripts which build out the lab, beginning with build_vms.bash.