more dns-ification work
diff --git a/roles/config-virt/handlers/main.yml b/roles/config-virt/handlers/main.yml
new file mode 100644
index 0000000..d3708e6
--- /dev/null
+++ b/roles/config-virt/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+# roles/juju-setup/handlers/tasks.yml
+
+- name: recreate default network
+ command: virsh net-destroy default ; virsh net-start default
+
+- name: reload libvirt-bin
+ service:
+ name=libvirt-bin
+ state=restarted
+
+- name: run qemu hook
+ command: /etc/libvirt/hooks/qemu start start
+
+
diff --git a/roles/config-virt/tasks/main.yml b/roles/config-virt/tasks/main.yml
new file mode 100644
index 0000000..76f14ae
--- /dev/null
+++ b/roles/config-virt/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# roles/config-virt/main/tasks.yml
+
+- name: Get ubuntu image for uvtool
+ command: uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily \
+ release={{ ansible_distribution_release }} arch=amd64
+
+- name: Have libvirt enable port forwarding to VM's
+ become: yes
+ template:
+ src={{ item }}.j2
+ dest=/etc/libvirt/hooks/{{ item }}
+ mode=0755 owner=root
+ with_items:
+ - daemon
+ - qemu
+ notify:
+ - reload libvirt-bin
+ - run qemu hook
+
+- name: configure libvirt mgmtbr network DHCP range and IP assignments
+ virt_net:
+ command=define
+ name=default
+ xml='{{ lookup("template", "default.xml.j2") }}'
+ autostart=yes
+ state=active
+
diff --git a/roles/config-virt/templates/daemon.j2 b/roles/config-virt/templates/daemon.j2
new file mode 100644
index 0000000..c79bf4a
--- /dev/null
+++ b/roles/config-virt/templates/daemon.j2
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+SHELL="/bin/bash"
+
+NIC=$( route|grep default|awk '{print $NF}' )
+
+NAME="${1}"
+OP="${2}"
+SUBOP="${3}"
+ARGS="${4}"
+
+add_port_fwd_rule() {
+ DPORT=$1
+ VMIP=$2
+ TOPORT=$3
+
+ iptables -t nat -C PREROUTING -p tcp -i $NIC --dport $DPORT -j DNAT --to-destination $VMIP:$TOPORT
+ if [ "$?" -ne 0 ]
+ then
+ iptables -t nat -A PREROUTING -p tcp -i $NIC --dport $DPORT -j DNAT --to-destination $VMIP:$TOPORT
+ fi
+}
+
+if [ "$OP" = "start" ] || [ "$OP" = "reload" ]
+then
+ iptables -t nat -F
+
+{% for vm in head_vm_list -%}
+{% if vm.forwarded_ports is defined -%}
+{% for port in vm.forwarded_ports -%}
+ add_port_fwd_rule {{ port.ext }} "{{ mgmtbr_prefix }}.{{ vm.ipv4_last_octet }}" {{ port.int }}
+{% endfor -%}
+{% endif -%}
+{% endfor -%}
+
+ # Also flush the filter table before rules re-added
+ iptables -F
+fi
+
diff --git a/roles/config-virt/templates/default.xml.j2 b/roles/config-virt/templates/default.xml.j2
new file mode 100644
index 0000000..5183aca
--- /dev/null
+++ b/roles/config-virt/templates/default.xml.j2
@@ -0,0 +1,19 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <domain name="{{ site_suffix }}" localonly="no"/>
+ <dns>
+{% for ns in dns_servers %}
+ <forwarder addr="{{ ns }}"/>
+{% endfor %}
+ </dns>
+ <ip address="{{ mgmtbr_prefix }}.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="{{ mgmtbr_prefix }}.2" end="{{ mgmtbr_prefix }}.254"/>
+{% for vm in head_vm_list %}
+ <host name='{{ vm.name }}' ip='{{ mgmtbr_prefix }}.{{ vm.ipv4_last_octet }}'/>
+{% endfor %}
+ </dhcp>
+ </ip>
+</network>
diff --git a/roles/config-virt/templates/qemu.j2 b/roles/config-virt/templates/qemu.j2
new file mode 100644
index 0000000..1c947f9
--- /dev/null
+++ b/roles/config-virt/templates/qemu.j2
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+SHELL="/bin/bash"
+
+NIC=$( route|grep default|awk '{print $NF}' )
+PORTAL=$( dig +short portal.opencloud.us | tail -1 )
+
+NAME="${1}"
+OP="${2}"
+SUBOP="${3}"
+ARGS="${4}"
+
+add_rule() {
+ CHAIN=$1
+ ARGS=$2
+ iptables -C $CHAIN $ARGS
+ if [ "$?" -ne 0 ]
+ then
+ iptables -I $CHAIN 1 $ARGS
+ fi
+}
+
+add_local_access_rules() {
+ SUBNET=$( ip addr show $NIC|grep "inet "|awk '{print $2}' )
+ PRIVATENET=$( ip addr show virbr0|grep "inet "|awk '{print $2}' )
+ add_rule "FORWARD" "-s $SUBNET -j ACCEPT"
+ # Don't NAT traffic from service VMs destined to the local subnet
+ add_rule "POSTROUTING" "-t nat -s $PRIVATENET -d $SUBNET -j RETURN"
+}
+
+add_portal_access_rules() {
+ add_rule "FORWARD" "-s $PORTAL -j ACCEPT"
+}
+
+add_web_access_rules() {
+ add_rule "FORWARD" "-p tcp --dport 80 -j ACCEPT"
+}
+
+if [ "$OP" = "start" ]
+then
+ add_local_access_rules
+ add_portal_access_rules
+ add_web_access_rules
+fi