[EDGEPOD-186] Add Ansible playbook for Aether Edge

Change-Id: I71d73a5a4fdf7e5ccf12df924597af6ab90a68b4
diff --git a/aether-playbook/roles/k8s/defaults/main.yml b/aether-playbook/roles/k8s/defaults/main.yml
new file mode 100644
index 0000000..6132d2f
--- /dev/null
+++ b/aether-playbook/roles/k8s/defaults/main.yml
@@ -0,0 +1,32 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+ntp_enabled: true
+ntp_servers:
+  - time1.google.com
+  - time2.google.com
+ntp_timezone: Etc/UTC
+
+etc_hosts_entries:
+  - ip: 10.168.0.200
+    name: registry.central.aetherproject.net
+  - ip: 10.168.0.3
+    name: rancher.central.aetherproject.net
+
+docker_daemon_options:
+  insecure-registries:
+    - registry.central.aetherproject.net
+
+docker_version: 18.06.3~ce~3-0~ubuntu
diff --git a/aether-playbook/roles/k8s/handlers/main.yml b/aether-playbook/roles/k8s/handlers/main.yml
new file mode 100644
index 0000000..cd20f52
--- /dev/null
+++ b/aether-playbook/roles/k8s/handlers/main.yml
@@ -0,0 +1,20 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: restart ntp
+  systemd: name=ntp state=restarted
+
+- name: restart docker
+  systemd: name=docker state=restarted
diff --git a/aether-playbook/roles/k8s/tasks/docker.yml b/aether-playbook/roles/k8s/tasks/docker.yml
new file mode 100644
index 0000000..7d90bbb
--- /dev/null
+++ b/aether-playbook/roles/k8s/tasks/docker.yml
@@ -0,0 +1,70 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+- name: Install dependencies for Docker
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - software-properties-common
+    state: present
+  tags: docker
+
+- name: Add Docker GPG key
+  shell: |
+    curl -sSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+  args:
+    warn: false
+  tags: docker
+
+- name: Add Docker repository
+  shell: |
+    add-apt-repository \
+     "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+     $(lsb_release -cs) \
+     stable"
+  args:
+    warn: false
+  tags: docker
+
+- name: Install Docker CE
+  apt:
+    name: docker-ce={{ docker_version }}
+    state: present
+    update_cache: yes
+  tags: docker
+
+- name: Add current user to "docker" group
+  user:
+    name: "{{ ansible_user }}"
+    groups: docker
+    append: true
+  tags: docker
+
+- name: Configure Docker daemon options
+  copy:
+    dest: /etc/docker/daemon.json
+    content: "{{ docker_daemon_options | to_json }}"
+  register: docker_register_options
+  notify: restart docker
+  tags: docker
+
+- name: Reload systemd daemon
+  systemd:
+    daemon_reload: true
+  when: docker_register_options is changed
+  tags: docker
diff --git a/aether-playbook/roles/k8s/tasks/k8s.yml b/aether-playbook/roles/k8s/tasks/k8s.yml
new file mode 100644
index 0000000..1561d1a
--- /dev/null
+++ b/aether-playbook/roles/k8s/tasks/k8s.yml
@@ -0,0 +1,48 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Initialize k8s role
+  set_fact:
+    k8s_roles: ""
+  tags: k8s
+
+- name: Add k8s master role
+  set_fact:
+    k8s_roles: "{{ k8s_roles }} --etcd --controlplane"
+  when: "'kube-master' in group_names"
+  tags: k8s
+
+- name: Add k8s worker role
+  set_fact:
+    k8s_roles: "{{ k8s_roles }} --worker"
+  when: "'kube-worker' in group_names"
+  tags: k8s
+
+- name: Print k8s roles
+  debug:
+    msg: k8s_roles {{ k8s_roles }}
+  tags: k8s
+
+- name: Install k8s
+  command: >-
+    docker run -d --privileged --restart=unless-stopped --net=host
+    --volume /etc/kubernetes:/etc/kubernetes
+    --volume /var/run:/var/run
+    rancher/rancher-agent:v2.3.3
+    --server https://rancher.central.aetherproject.net
+    --token {{ rancher_cluster_token }}
+    --ca-checksum {{ rancher_ca_checksum }}
+    {{ k8s_roles }}
+  tags: k8s
diff --git a/aether-playbook/roles/k8s/tasks/main.yml b/aether-playbook/roles/k8s/tasks/main.yml
new file mode 100644
index 0000000..0a357a6
--- /dev/null
+++ b/aether-playbook/roles/k8s/tasks/main.yml
@@ -0,0 +1,26 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- include_tasks: pre-install.yml
+  tags:
+    - etc-hosts
+    - ntp
+    - swapoff
+
+- include_tasks: docker.yml
+  tags: docker
+
+- include_tasks: k8s.yml
+  tags: k8s
diff --git a/aether-playbook/roles/k8s/tasks/pre-install.yml b/aether-playbook/roles/k8s/tasks/pre-install.yml
new file mode 100644
index 0000000..b0b2bfa
--- /dev/null
+++ b/aether-playbook/roles/k8s/tasks/pre-install.yml
@@ -0,0 +1,70 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Run "apt update"
+  apt:
+    update_cache: yes
+
+- name: Install ntp
+  apt: name=ntp state=present
+  when: ntp_enabled | bool
+  tags: ntp
+
+- name: Configure ntp file
+  template: src=etc/ntp.conf.j2 dest=/etc/ntp.conf
+  when: ntp_enabled | bool
+  notify: restart ntp
+  tags: ntp
+
+- name: Start the ntp service
+  service: name=ntp state=started enabled=yes
+  when: ntp_enabled | bool
+  tags: ntp
+
+- name: Set timezone to {{ ntp_timezone }}
+  timezone:
+    name: "{{ ntp_timezone }}"
+  when: ntp_enabled | bool
+  tags: ntp
+
+- name: Remove swapfile from /etc/fstab
+  mount:
+    name: "{{ item }}"
+    fstype: swap
+    state: absent
+  with_items:
+    - swap
+    - none
+  tags: swapoff
+
+- name: Check if swap is enabled
+  command: /sbin/swapon -s
+  register: swapon
+  changed_when: no
+  tags: swapoff
+
+- name: Disable swap
+  command: /sbin/swapoff -a
+  when: swapon.stdout
+  tags: swapoff
+
+- name: Add internal service domains to /etc/hosts
+  become: yes
+  lineinfile:
+    path: /etc/hosts
+    line: "{{ item['ip'] }}\t\t{{ item['name'] }}"
+    state: present
+  with_items: "{{ etc_hosts_entries }}"
+  tags: etc-hosts
diff --git a/aether-playbook/roles/k8s/templates/etc/ntp.conf.j2 b/aether-playbook/roles/k8s/templates/etc/ntp.conf.j2
new file mode 100644
index 0000000..0c46ff1
--- /dev/null
+++ b/aether-playbook/roles/k8s/templates/etc/ntp.conf.j2
@@ -0,0 +1,27 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# {{ ansible_managed }}
+
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile /var/lib/ntp/drift
+
+restrict 127.0.0.1
+restrict -6 ::1
+
+{% for i in ntp_servers %}
+server {{ i }}
+{% endfor %}
diff --git a/aether-playbook/roles/reset/tasks/main.yml b/aether-playbook/roles/reset/tasks/main.yml
new file mode 100644
index 0000000..ffb8922
--- /dev/null
+++ b/aether-playbook/roles/reset/tasks/main.yml
@@ -0,0 +1,48 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Remove containers
+  shell: |
+    docker stop $(docker ps -aq)
+    docker system prune -f
+    docker volume rm $(docker volume ls -q)
+    docker image rm $(docker image ls -q)
+  register: remove_all_containers
+  retries: 4
+  delay: 5
+  until: remove_all_containers.rc == 0
+  tags: k8s
+
+- name: Remove directories
+  file:
+    path: "{{ item }}"
+    state: absent
+  ignore_errors: yes
+  with_items:
+    - /etc/kubernetes
+    - /etc/cni
+    - /opt/cni
+    - /opt/rke
+    - /run/secrets/kubernetes.io
+    - /run/calico
+    - /var/lib/calico
+    - /var/lib/etcd
+    - /var/lib/cni
+    - /var/lib/kubelet
+    - /var/lib/rancher/rke/log
+    - /var/log/containers
+    - /var/log/pods
+    - /var/run/calico
+  tags: k8s
diff --git a/aether-playbook/roles/router/defaults/main.yml b/aether-playbook/roles/router/defaults/main.yml
new file mode 100644
index 0000000..6af6545
--- /dev/null
+++ b/aether-playbook/roles/router/defaults/main.yml
@@ -0,0 +1,22 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+router_type: linux
+netplan_config_file: /etc/netplan/sgi-s1u-gateway.yaml
+
+# Provide below to run the playbook
+#sgi_gateway_ip:
+#s1u_gateway_ip:
+#sgi_s1u_gateway_iface:
diff --git a/aether-playbook/roles/router/linux/handlers/main.yml b/aether-playbook/roles/router/linux/handlers/main.yml
new file mode 100644
index 0000000..6408d79
--- /dev/null
+++ b/aether-playbook/roles/router/linux/handlers/main.yml
@@ -0,0 +1,20 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: netplan generate
+  command: netplan generate
+
+- name: netplan apply
+  command: netplan apply
diff --git a/aether-playbook/roles/router/linux/tasks/main.yml b/aether-playbook/roles/router/linux/tasks/main.yml
new file mode 100644
index 0000000..c37bca1
--- /dev/null
+++ b/aether-playbook/roles/router/linux/tasks/main.yml
@@ -0,0 +1,56 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Create netplan config file for SGI network gateway
+  template:
+    src: etc/netplan/sgi-s1u-gateway.yaml.j2
+    dest: "{{ netplan_config_file }}"
+  notify:
+    - netplan generate
+    - netplan apply
+  tags: router
+
+- name: Install iptables-persistent
+  apt:
+    name: iptables-persistent
+    state: present
+    update_cache: yes
+  tags: router
+
+- name: Ensure ip_forward enabled
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+    state: present
+  tags: router
+
+- name: Set default forwarding policy to ACCEPT
+  iptables:
+    chain: FORWARD
+    policy: ACCEPT
+  tags: router
+
+- name: Add SNAT
+  iptables:
+    table: nat
+    chain: POSTROUTING
+    out_interface: "{{ ansible_default_ipv4.interface }}"
+    jump: MASQUERADE
+  tags: router
+
+- name: Save iptables v4 rules
+  shell: iptables-save > /etc/iptables/rules.v4
+  tags: router
diff --git a/aether-playbook/roles/router/linux/templates/etc/netplan/sgi-s1u-gateway.yaml.j2 b/aether-playbook/roles/router/linux/templates/etc/netplan/sgi-s1u-gateway.yaml.j2
new file mode 100644
index 0000000..7c6cef7
--- /dev/null
+++ b/aether-playbook/roles/router/linux/templates/etc/netplan/sgi-s1u-gateway.yaml.j2
@@ -0,0 +1,26 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+network:
+  version: 2
+  renderer: networkd
+  ethernets:
+    {{ sgi_s1u_gateway_iface }}:
+      addresses:
+        - {{ sgi_gateway_ip }}
+        - {{ s1u_gateway_ip }}
+      routes:
+        - to: {{ ue_pool }}
+          via: {{ spgwu_sgi_ip }}
diff --git a/aether-playbook/roles/router/meta/main.yml b/aether-playbook/roles/router/meta/main.yml
new file mode 100644
index 0000000..3c4fe58
--- /dev/null
+++ b/aether-playbook/roles/router/meta/main.yml
@@ -0,0 +1,23 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+  - role: router/linux
+    when:
+      - router_type == 'linux'
+
+#  - role: router/vyos
+#    when:
+#      - router_type == 'vyos'
diff --git a/aether-playbook/roles/sriov-dpdk/defaults/main.yml b/aether-playbook/roles/sriov-dpdk/defaults/main.yml
new file mode 100644
index 0000000..c40b02c
--- /dev/null
+++ b/aether-playbook/roles/sriov-dpdk/defaults/main.yml
@@ -0,0 +1,17 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# Provide SRIOV PF name for UPF to run the playbook
+#upf_sriov_pf:
diff --git a/aether-playbook/roles/sriov-dpdk/tasks/main.yml b/aether-playbook/roles/sriov-dpdk/tasks/main.yml
new file mode 100644
index 0000000..7b70b0f
--- /dev/null
+++ b/aether-playbook/roles/sriov-dpdk/tasks/main.yml
@@ -0,0 +1,108 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+# Fail if VT-d is not enabled
+- name: Ensure VT-d is enabled in BIOS
+  shell: "dmesg | grep DMAR-IR"
+  register: check_vt_d
+  changed_when: check_vt_d.rc != 0
+  failed_when: check_vt_d.rc != 0
+  tags: sriov-dpdk
+
+- name: Add kernel boot parameters to the grub for SRIOV
+  lineinfile:
+    dest: /etc/default/grub
+    regexp: '^GRUB_CMDLINE_LINUX="(?!.* {{ item.regex }})(.*)"'
+    line: 'GRUB_CMDLINE_LINUX="\1 {{ item.context }}"'
+    state: present
+    backrefs: yes
+  loop:
+    - { regex: 'intel_iommu=on', context: 'intel_iommu=on' }
+    - { regex: 'hugepagesz=', context: 'hugepagesz=1G default_hugepagesz=1G hugepages=32' }
+  register: grub
+  tags: sriov-dpdk
+
+- name: Update grub
+  command: update-grub
+  when: grub.changed
+  register: update_grub
+  tags: sriov-dpdk
+
+- name: Load vfio_pci module to the kernel
+  modprobe:
+    name: vfio_pci
+    state: present
+  tags: sriov-dpdk
+
+- name: Set the vfio_pci module to load on boot
+  lineinfile:
+    dest: /etc/modules-load.d/vfio_pci.conf
+    create: yes
+    regexp: "^vfio_pci"
+    line: "vfio_pci"
+  tags: sriov-dpdk
+
+- name: Check VFIO bind devices for DPDK
+  shell: "ls -l /dev/vfio | wc -l"
+  register: check_dpdk_bind
+  changed_when: check_dpdk_bind.stdout | int < 4
+  tags: sriov-dpdk
+
+- name: Create SRIOV-DPDK service
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+  loop:
+    - { src: 'usr/bin/sriov.sh.j2', dest: '/usr/bin/sriov.sh', mode: 'a+x' }
+    - { src: 'etc/systemd/system/sriov.service.j2', dest: '/etc/systemd/system/sriov.service', mode: 644 }
+  register: bind_dpdk
+  when: check_dpdk_bind.stdout | int < 4
+  tags: sriov-dpdk
+
+- name: Enable SRIOV-DPDK service
+  systemd:
+    name: sriov
+    daemon_reload: true
+    enabled: yes
+  when: bind_dpdk.changed
+  tags: sriov-dpdk
+
+- name: Reboot machine
+  shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+  async: 1
+  poll: 0
+  ignore_errors: true
+  when: update_grub.changed or bind_dpdk.changed
+  tags: sriov-dpdk
+
+- name: Wait for server to restart successfully
+  wait_for:
+    host: "{{ ansible_host }}"
+    search_regex: "OpenSSH"
+    port: 22
+    timeout: 300
+    connect_timeout: 50
+    delay: 5
+  delegate_to: localhost
+  become: false
+  tags: sriov-dpdk
+
+- name: Ensure enough VFIO bind devices
+  shell: "ls -l /dev/vfio | wc -l"
+  register: confirm_dpdk_bind
+  changed_when: confirm_dpdk_bind.stdout | int < 4
+  failed_when: confirm_dpdk_bind.stdout | int < 4
+  tags: sriov-dpdk
diff --git a/aether-playbook/roles/sriov-dpdk/templates/etc/systemd/system/sriov.service.j2 b/aether-playbook/roles/sriov-dpdk/templates/etc/systemd/system/sriov.service.j2
new file mode 100644
index 0000000..7a73d88
--- /dev/null
+++ b/aether-playbook/roles/sriov-dpdk/templates/etc/systemd/system/sriov.service.j2
@@ -0,0 +1,25 @@
+# Copyright 2020-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# {{ ansible_managed }}
+
+[Unit]
+Description=Create VFs on {{ upf_sriov_pf }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/sriov.sh {{ upf_sriov_pf }}
+
+[Install]
+WantedBy=default.target
diff --git a/aether-playbook/roles/sriov-dpdk/templates/usr/bin/sriov.sh.j2 b/aether-playbook/roles/sriov-dpdk/templates/usr/bin/sriov.sh.j2
new file mode 100644
index 0000000..6b2a8e6
--- /dev/null
+++ b/aether-playbook/roles/sriov-dpdk/templates/usr/bin/sriov.sh.j2
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Copyright (c) 2019 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# copied from https://github.com/clearlinux/cloud-native-setup/blob/master/clr-k8s-examples/9-multi-network/systemd/sriov.sh
+
+set -o errexit
+set -o pipefail
+set -o nounset
+set -x
+
+setup_pf() {
+	local pf=$1
+	local num_vfs
+
+	echo "Resetting PF $pf"
+	echo 0 | tee /sys/class/net/"$pf"/device/sriov_numvfs
+	num_vfs=$(cat /sys/class/net/"$pf"/device/sriov_totalvfs)
+	echo "Enabling $num_vfs VFs for $pf"
+	echo "$num_vfs" | tee /sys/class/net/"$pf"/device/sriov_numvfs
+	ip link set "$pf" up
+	sleep 1
+}
+
+vfio_bind() {
+	local pf=$1
+	local pfpci
+	local num_vfs
+
+	pfpci=$(readlink /sys/devices/pci*/*/*/net/"$pf"/device | awk '{print substr($1,10)}')
+	num_vfs=$(cat /sys/class/net/"$pf"/device/sriov_numvfs)
+
+	local vfpci
+	local mac
+	for ((idx = 0; idx < num_vfs; idx++)); do
+                #Some drivers does not support state change of VF
+		#ip link set dev $pf vf $idx state enable
+
+		local vfn="virtfn$idx"
+		# shellcheck disable=SC2012
+		vfpci=$(ls -l /sys/devices/pci*/*/"$pfpci" | awk -v vfn=$vfn 'vfn==$9 {print substr($11,4)}')
+		# Capture and set MAC of the VF before unbinding from linux, for later use in CNI
+		mac=$(cat /sys/bus/pci*/*/"$vfpci"/net/*/address)
+		ip link set dev "$pf" vf $idx mac "$mac"
+		# Bind VF to vfio-pci
+		echo "$vfpci" >/sys/bus/pci*/*/"$vfpci"/driver/unbind
+		echo "vfio-pci" >/sys/devices/pci*/*/"$vfpci"/driver_override
+		echo "$vfpci" >/sys/bus/pci/drivers/vfio-pci/bind
+	done
+}
+
+for pf in "$@"; do
+	setup_pf "$pf"
+        vfio_bind "$pf"
+done