This document provides detailed explanations of all configuration files and modifiable options in the CloudStack Ansible automation project.
Defines server IP addresses and SSH connection information.
| Option | Required | Description | Example |
|---|---|---|---|
| `ansible_host` | Required | IP address of each node | 10.10.0.10 |
| `ansible_user` | Required | SSH connection username | root |
| `ansible_python_interpreter` | Optional | Python interpreter path | /usr/bin/python3 |
Example:

```ini
[management]
cloudstack-mgmt ansible_host=10.10.0.10

[database]
cloudstack-db ansible_host=10.10.0.11

[kvm-hosts]
kvm-host-01 ansible_host=10.10.0.21
kvm-host-02 ansible_host=10.10.0.22

[cloudstack:vars]
ansible_user=root
ansible_python_interpreter=/usr/bin/python3
```

Common settings applied to all nodes.

| Option | Required | Description | Example |
|---|---|---|---|
| `public_network_cidr` | Required | Public network CIDR (externally accessible) | 10.10.0.0/24 |
| `management_network_cidr` | Required | Management network CIDR (internal communication only) | 10.15.0.0/24 |
| `management_bridge` | Optional | Management network bridge name | cloudbr0 |
| `public_bridge` | Optional | Public network bridge name | cloudbr1 |

Important: Bridge names will be used as Traffic Labels during Zone configuration.

| Option | Required | Description | Default |
|---|---|---|---|
| `timezone` | Optional | System timezone | Asia/Seoul |

| Option | Required | Description | Default |
|---|---|---|---|
| `dns_servers` | Optional | DNS server list | [168.126.63.1, 8.8.8.8] |
| `ntp_servers` | Optional | NTP server list | [0.pool.ntp.org, 1.pool.ntp.org] |

| Option | Required | Description | Default |
|---|---|---|---|
| `configure_firewall` | Optional | Whether to configure firewall | true |
| `selinux_state` | Optional | SELinux state (CentOS/RHEL only) | permissive |

Example:

```yaml
# Network CIDR configuration (Required)
public_network_cidr: "10.10.0.0/24"
management_network_cidr: "10.15.0.0/24"

# Network bridge names (Optional)
management_bridge: "cloudbr0"
public_bridge: "cloudbr1"

# System configuration (Optional)
timezone: "Asia/Seoul"

# DNS servers (Optional)
dns_servers:
  - 168.126.63.1
  - 8.8.8.8

# NTP servers (Optional)
ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org

# Firewall configuration (Optional)
configure_firewall: true

# SELinux configuration (Optional)
selinux_state: permissive
```

Stores passwords and sensitive information. Encryption with Ansible Vault is recommended.

| Option | Required | Description | Example |
|---|---|---|---|
| `vault_mysql_root_password` | Required | MySQL root account password | SecureMySQL!123 |
| `vault_cloudstack_db_password` | Required | CloudStack database password | CloudDB!456 |
| `vault_root_password` | Optional | System root user password for KVM hosts | YourSecureRootPassword123! |

Example:

```yaml
vault_mysql_root_password: "SecureMySQL!123"
vault_cloudstack_db_password: "CloudDB!456"
vault_root_password: "YourSecureRootPassword123!"
```

Important: `vault_root_password` is the plaintext password for the system root user on KVM hosts. It will be automatically hashed when applied. This is required for CloudStack Management Server to manage KVM hosts via SSH.

Encryption Method:

```bash
# Encrypt file
ansible-vault encrypt group_vars/all/vault.yml

# Edit encrypted file
ansible-vault edit group_vars/all/vault.yml

# Decrypt file
ansible-vault decrypt group_vars/all/vault.yml
```

Management Server related configuration.

| Option | Required | Description | Example |
|---|---|---|---|
| `nfs_server` | Required | NFS server IP address | 10.10.0.12 |
| `nfs_export_path` | Optional | NFS export base path | /export |
| `nfs_secondary_path` | Required | Secondary Storage NFS path | /export/secondary |
| `nfs_primary_path` | Required | Primary Storage NFS path | /export/primary |

| Option | Required | Description | Default |
|---|---|---|---|
| `secondary_storage_mount_path` | Optional | Secondary Storage mount path | /mnt/secondary |
| `mount_secondary_storage` | Optional | Whether to mount Secondary Storage | true |
| `nfs_mount_options` | Optional | NFS mount options | defaults |

| Option | Required | Description | Default |
|---|---|---|---|
| `force_template_install` | Optional | Force template reinstallation | false |

| Option | Description | Default |
|---|---|---|
| `management_server_ip` | Management Server IP (auto-configured) | `{{ ansible_host }}` |
| `cloudstack_management_memory` | Management Server memory (MB) | 4096 |
| `cloudstack_management_port` | Management Server port | 8080 |
| `db_host` | Database server IP (auto-configured) | `{{ hostvars[groups['database'][0]]['ansible_host'] }}` |
| `db_port` | Database port | 3306 |
| `cloudstack_db_password` | CloudStack DB password (vault linked) | `{{ vault_cloudstack_db_password }}` |
| `mysql_root_password` | MySQL root password (vault linked) | `{{ vault_mysql_root_password }}` |

Example:

```yaml
# NFS Server Configuration (Required)
nfs_server: "10.10.0.12"
nfs_export_path: "/export"
nfs_secondary_path: "/export/secondary"
nfs_primary_path: "/export/primary"

# Secondary Storage Mount Configuration (Optional)
secondary_storage_mount_path: "/mnt/secondary"
mount_secondary_storage: true
nfs_mount_options: "defaults"

# SystemVM Template Configuration (Optional)
force_template_install: false

#####################
# Do Not Modify Below
#####################

# Management Server Configuration
management_server_ip: "{{ ansible_host }}"

# CloudStack UI Configuration
cloudstack_management_memory: 4096
cloudstack_management_port: 8080

# Database Connection Information
db_host: "{{ hostvars[groups['database'][0]]['ansible_host'] }}"
db_port: 3306

# CloudStack Database Password
cloudstack_db_password: "{{ vault_cloudstack_db_password }}"
mysql_root_password: "{{ vault_mysql_root_password }}"
```

Database server related configuration. Generally does not need modification.

KVM Hypervisor related configuration.

| Option | Required | Description | Default |
|---|---|---|---|
| `root_password_hash` | Optional | System root user password (auto-hashed from vault) | `{{ vault_root_password \| password_hash('sha512') }}` |

Important: The `root_password_hash` is automatically generated from `vault_root_password` in vault.yml. CloudStack Management Server requires root SSH access to manage KVM hosts. Simply set `vault_root_password` in vault.yml, and it will be automatically hashed and applied.

How to set root password:

- Edit vault.yml and set the plaintext password:

  ```bash
  vi inventory/group_vars/all/vault.yml
  ```

  ```yaml
  vault_root_password: "YourSecureRootPassword123!"
  ```

- The password will be automatically hashed when the playbook runs using the `password_hash` filter.

- Optionally, encrypt vault.yml for security:

  ```bash
  ansible-vault encrypt inventory/group_vars/all/vault.yml
  ```

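
A check for the encryption step above and for the vault.yml section earlier, added here as an example (it is not part of the project): it reports every `vault_*` key still stored in plaintext, so it can run before a commit. It assumes the `vault_` prefix convention used on this page; `plaintext_secrets` and `main` are names chosen for the example.

```python
import re
import sys

# Whole-file vault header, e.g. "$ANSIBLE_VAULT;1.1;AES256" (1.2 adds a vault-id label).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;\S+)?$")
SECRET_LINE = re.compile(r"^(vault_\w+)\s*:\s*(\S.*)$")

# Constructed samples: the page's plaintext example, and a placeholder encrypted
# file whose hex body is filler, not real ciphertext.
PLAINTEXT_SAMPLE = '''vault_mysql_root_password: "SecureMySQL!123"
vault_cloudstack_db_password: "CloudDB!456"
vault_root_password: "YourSecureRootPassword123!"
'''
ENCRYPTED_SAMPLE = "$ANSIBLE_VAULT;1.1;AES256\n" + "3361623132" * 8 + "\n"

def plaintext_secrets(text):
    """Return the vault_* keys whose values are readable in the given file contents."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    if lines and VAULT_HEADER.match(lines[0]):
        return []  # the whole file was encrypted with `ansible-vault encrypt`
    exposed = []
    for line in lines:
        m = SECRET_LINE.match(line)
        # "key: !vault |" marks a value encrypted inline with `ansible-vault encrypt_string`.
        if m and not m.group(2).startswith("!vault"):
            exposed.append(m.group(1))
    return exposed

def main(paths):
    """Return 1 if any file holds a plaintext vault_* value (usable as a pre-commit hook)."""
    failed = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            exposed = plaintext_secrets(fh.read())
        if exposed:
            failed = True
            print(f"{path}: plaintext secrets: {', '.join(exposed)}")
    return 1 if failed else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```
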
| Option | Description | Default |
|---|---|---|
| `enable_root_ssh` | Enable root SSH login | true |
| `libvirt_listen_tcp` | Enable libvirt TCP listening | true |
| `libvirt_tcp_port` | Libvirt TCP port | 16509 |
| `configure_iptables_forward` | Configure iptables FORWARD policy | true |
| `primary_storage_type` | Primary storage type | nfs |
| `hypervisor_type` | Hypervisor type | kvm |

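
An added audit example (not part of the project) that combines the inventory with the network and KVM options above: it lists the KVM hosts whose `ansible_host` lies inside `public_network_cidr` while root SSH login or the libvirt TCP listener is enabled, so firewall rules for those ports can be reviewed. The function names, the use of port 22 for SSH, and the assumption that services are reachable on the `ansible_host` address belong to this example.

```python
import ipaddress

# Constructed sample input: inventory and variable values copied from this page.
INVENTORY = """\
[management]
cloudstack-mgmt ansible_host=10.10.0.10
[kvm-hosts]
kvm-host-01 ansible_host=10.10.0.21
kvm-host-02 ansible_host=10.10.0.22
[cloudstack:vars]
ansible_user=root
"""
SETTINGS = {"public_network_cidr": "10.10.0.0/24", "enable_root_ssh": True,
            "libvirt_listen_tcp": True, "libvirt_tcp_port": 16509}
SSH_PORT = 22  # assumption: sshd on its default port

def parse_inventory(text):
    """Map group -> {host: ansible_host}; [x:vars] and [x:children] are skipped."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = None if ":" in name else groups.setdefault(name, {})
        elif current is not None:
            host, *pairs = line.split()
            kv = dict(p.split("=", 1) for p in pairs if "=" in p)
            if "ansible_host" in kv:
                current[host] = kv["ansible_host"]
    return groups

def exposed_services(inventory_text, settings, group="kvm-hosts"):
    """Return (host, ip, port) for listeners on hosts addressed in the public CIDR."""
    public = ipaddress.ip_network(settings["public_network_cidr"])
    ports = [SSH_PORT] if settings.get("enable_root_ssh") else []
    if settings.get("libvirt_listen_tcp"):
        ports.append(settings.get("libvirt_tcp_port", 16509))
    findings = []
    for host, ip in parse_inventory(inventory_text).get(group, {}).items():
        if ipaddress.ip_address(ip) in public:
            findings.extend((host, ip, port) for port in ports)
    return findings

if __name__ == "__main__":
    for host, ip, port in exposed_services(INVENTORY, SETTINGS):
        print(f"{host}: {ip}:{port} is on the public network; restrict it in the firewall")
```
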
Ansible execution configuration file. Generally does not need modification.
Ansible variables are applied in the following priority order (highest first):

- Command line options (`-e` or `--extra-vars`)
- `group_vars/all/vault.yml` (encrypted variables)
- `group_vars/[group]/` (group-specific variables)
- `group_vars/all/all.yml` (common variables)
- Role defaults (`roles/*/defaults/main.yml`)

- Edit vault.yml and add `vault_root_password`:

  ```bash
  vi inventory/group_vars/all/vault.yml
  ```

  ```yaml
  vault_root_password: "YourSecureRootPassword123!"
  ```

- The password will be automatically hashed and applied to KVM hosts when you run the playbook.

- Verify the password was set:

  ```bash
  # Try SSH login to KVM host
  ssh root@<kvm-host-ip>
  ```

Why is this needed? CloudStack Management Server requires root SSH access to manage KVM hosts (add hosts, manage VMs, configure networking, etc.).
Yes, it's possible. Use the same IP in inventory/hosts:

```ini
[management]
cloudstack-all ansible_host=10.10.0.10

[database]
cloudstack-all ansible_host=10.10.0.10
```

Yes, but you must use the same bridge names as Traffic Labels during Zone configuration.

- Main Guide: README.md
- CloudStack Official Documentation: https://docs.cloudstack.apache.org/