From: Thanh Ha Date: Fri, 29 Dec 2017 19:45:24 +0000 (-0500) Subject: Initial baseline image (Ansible) X-Git-Tag: v0.1.0~66 X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=da80ae50f1f5ad170b9b38ed4918e1fbc87d65cb;p=releng%2Fcommon-packer.git Initial baseline image (Ansible) Create a baseline image using Ansible Playbooks. Considering using Ansible for our Job builds so why not also use it here for packer builds. Ansible seems to have support for the things our helper scripts do which allows us to get rid of them if we use Ansible. Each Ansible task also validates itself to make sure the commands run through, something we don't currently do and can better let us know when something goes wrong. Issue: RELENG-288 Depends-On: Ibf4e1ff13d93ad59eaea4a0582a4b77446870dc0 Change-Id: I96d1ec83cec82130d30a245c39b6ac8018f92428 Signed-off-by: Thanh Ha
---
diff --git a/.gitignore b/.gitignore
index 33defe4..60d1f4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 .tox/
+cloud-env.json
+*.retry
diff --git a/provision/baseline.yaml b/provision/baseline.yaml
new file mode 100644
index 0000000..84dde1b
--- /dev/null
+++ b/provision/baseline.yaml
@@ -0,0 +1,65 @@
+---
+- hosts: all
+ become_user: root
+ become_method: sudo
+
+ pre_tasks:
+ - include_role: name=system-update
+
+ - name: Install base packages
+ include_tasks: '{{item}}'
+ with_first_found:
+ - 'install-base-pkgs-{{ansible_distribution}}.yaml'
+ - 'install-base-pkgs-{{ansible_os_family}}.yaml'
+
+ - name: Setup SELINUX
+ selinux:
+ policy: targeted
+ state: enforcing
+ when: ansible_os_family == 'RedHat'
+ become: yes
+
+ - name: Allow jenkins user sudo access
+ copy:
+ dest: /etc/sudoers.d/89-jenkins-user-defaults
+ content: |
+ Defaults:jenkins !requiretty
+ jenkins ALL = NOPASSWD: ALL
+ validate: /usr/sbin/visudo -cf %s
+ become: yes
+
+ roles:
+ - lf-recommended-tools
+ - haveged-install
+ - java-install
+ - puppet-install
+ - python-install
+ - shellcheck-install
+ - sysstat-install
+
+ post_tasks:
+ - name: Update /etc/nss-switch.conf to map hostname with IP
+ # Update /etc/nss-switch.conf to map hostname with IP instead of using `localhost`
+ # from /etc/hosts which is required by some of the Java API's to avoid
+ # Java UnknownHostException: "Name or service not known" error.
+ shell: sed -i "/^hosts:/s/$/ myhostname/" /etc/nsswitch.conf
+ become: yes
+
+ - name: Disable periodic updates
+ block:
+ - name: Set all periodic update options to 0
+ replace:
+ path: /etc/apt/apt.conf.d/10periodic
+ regexp: '1'
+ replace: '0'
+ - name: Disable unattended upgrades
+ lineinfile:
+ path: /etc/apt/apt.conf.d/10periodic
+ regexp: '^APT::Periodic::Unattended-Upgrade'
+ line: 'APT::Periodic::Unattended-Upgrade "0";'
+ create: yes
+ when: ansible_distribution == 'Ubuntu'
+ become: yes
+
+ - name: System Reseal
+ include_tasks: system-reseal.yaml
diff --git a/provision/install-base-pkgs-RedHat.yaml b/provision/install-base-pkgs-RedHat.yaml
new file mode 100644
index 0000000..fdbcc5b
--- /dev/null
+++ b/provision/install-base-pkgs-RedHat.yaml
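Review bot: The `Allow jenkins user sudo access` task writes `/etc/sudoers.d/89-jenkins-user-defaults` without pinning ownership or permissions, so the resulting file mode depends on the remote umask at build time; add `owner: root`, `group: root` and `mode: '0440'` alongside `validate:`. The rule itself, `jenkins ALL = NOPASSWD: ALL`, gives anything running as jenkins full root on every instance booted from this image, which deserves a comment above the task so image consumers know where the trust boundary sits. Separately, the `sed -i` in `post_tasks` appends ` myhostname` unconditionally; guarding it as `sed -i '/^hosts:/{/myhostname/!s/$/ myhostname/}' /etc/nsswitch.conf` keeps the `hosts:` line stable if the base image already carries the entry or the playbook is re-run.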
@@ -0,0 +1,13 @@
+---
+- name: Install base packages
+ yum:
+ name: '{{pkg}}'
+ state: latest
+ with_items:
+ - '@base'
+ - '@development'
+ - yum-utils
+ - https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+ loop_control:
+ loop_var: pkg
+ become: yes
diff --git a/provision/install-base-pkgs-Ubuntu.yaml b/provision/install-base-pkgs-Ubuntu.yaml
new file mode 100644
index 0000000..dc023e9
--- /dev/null
+++ b/provision/install-base-pkgs-Ubuntu.yaml
@@ -0,0 +1,14 @@
+---
+- name: Install base packages
+ apt:
+ name: '{{pkg}}'
+ state: latest
+ with_items:
+ - build-essential
+ - devscripts
+ - dh-systemd
+ - equivs
+ - gdebi
+ loop_control:
+ loop_var: pkg
+ become: yes
diff --git a/provision/install-python.sh b/provision/install-python.sh
new file mode 100644
index 0000000..6ec0fdf
--- /dev/null
+++ b/provision/install-python.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2018 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# vi: ts=4 sw=4 sts=4 et :
+
+# Ansible requires Python 2 so check availability and install as necessary.
+if ! command -v /usr/bin/python; then
+ # Ubuntu 16.04 does not come with Python 2 by default.
+ if command -v apt; then
+ apt -y update
+ apt install -y python-minimal
+ fi
+fi
diff --git a/provision/rh-user_data.sh b/provision/rh-user_data.sh
new file mode 100644
index 0000000..c7e19ee
--- /dev/null
+++ b/provision/rh-user_data.sh
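Review bot: The EPEL entry in `with_items` installs `epel-release-latest-7.noarch.rpm` straight from a URL, and yum does not GPG-check packages supplied as a file or URL unless `localpkg_gpgcheck` is enabled, so the only integrity control on a package that adds a new repository and its signing key is the TLS connection. On CentOS 7 the same package is available as `epel-release` from the distribution's extras repository, where it is signature-checked like any other repo package, so `- epel-release` would be the safer entry there. This file is also selected for other RedHat-family hosts, where importing the EPEL key with `rpm_key` before the install is the alternative. `state: latest` here and in install-base-pkgs-Ubuntu.yaml also means two builds of the same commit can produce different images, so recording the installed package list as a build artifact would help later triage.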
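Review bot: The `apt` task in install-base-pkgs-Ubuntu.yaml never refreshes the package index before installing with `state: latest`. Unless the `system-update` role (not visible in this commit) already ran an update, a base image with an empty or stale cache will fail on the first package or resolve against outdated metadata. Adding `update_cache: yes` under `apt:` makes the task self-contained.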
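Review bot: install-python.sh has no `set -e`, so a failed `apt -y update` is ignored and the install then runs against whatever package index the base image shipped with; adding `set -eu -o pipefail` below the header comment stops the build at the first failure. The `apt` front end is documented as not having a stable interface for scripts, and neither command sets a non-interactive frontend, so `apt-get update` followed by `DEBIAN_FRONTEND=noninteractive apt-get install -y python-minimal` is the scripted form. Both `command -v` checks also print the resolved path on every build; redirecting them to `/dev/null` keeps the Packer log clean.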
@@ -0,0 +1,13 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2016 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# vi: ts=4 sw=4 sts=4 et :
+
+/bin/sed -i 's/ requiretty/ !requiretty/' /etc/sudoers;
diff --git a/provision/system-reseal.yaml b/provision/system-reseal.yaml
new file mode 100644
index 0000000..4c3d3ce
--- /dev/null
+++ b/provision/system-reseal.yaml
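Review bot: The `sed -i` on `/etc/sudoers` rewrites the main sudoers file in place with no syntax check, and it drops `requiretty` for every account rather than only for the build user. A malformed sudoers file disables sudo entirely, which on a cloud instance without a root password usually leaves the host unrecoverable. baseline.yaml in this same commit already shows the safer pattern: a drop-in under `/etc/sudoers.d` validated with `visudo -cf`. Here that would be a file containing `Defaults:centos !requiretty` (the `ssh_user` from vars/centos-7.json), checked with `visudo -cf` before it is moved into place.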
@@ -0,0 +1,85 @@
+---
+- name: System reseal
+ file:
+ path: '{{del}}'
+ state: absent
+ with_items:
+ - ~/.viminfo
+ - /etc/Pegasus/*.cnf
+ - /etc/Pegasus/*.crt
+ - /etc/Pegasus/*.csr
+ - /etc/Pegasus/*.pem
+ - /etc/Pegasus/*.srl
+ - /etc/ssh/ssh*key*
+ - /root/.ssh/*
+ - /root/anaconda-ks.cfg
+ - /root/anaconda-post.log
+ - /root/initial-setup-ks.cfg
+ - /root/install.log
+ - /root/install.log.syslog
+ - /tmp/*
+ - /var/cache/fontconfig/*
+ - /var/cache/gdm/*
+ - /var/cache/man/*
+ - /var/lib/AccountService/users/*
+ - /var/lib/cloud/*
+ - /var/lib/fprint/*
+ - /var/lib/logrotate.status
+ - /var/log/*.log*
+ - /var/log/BackupPC/LOG
+ - /var/log/ConsoleKit/*
+ - /var/log/anaconda.syslog
+ - /var/log/anaconda/*
+ - /var/log/apache2/*_log
+ - /var/log/apache2/*_log-*
+ - /var/log/apt/*
+ - /var/log/aptitude*
+ - /var/log/audit/*
+ - /var/log/btmp*
+ - /var/log/ceph/*.log
+ - /var/log/chrony/*.log
+ - /var/log/cron*
+ - /var/log/cups/*_log
+ - /var/log/debug*
+ - /var/log/dmesg*
+ - /var/log/exim4/*
+ - /var/log/faillog*
+ - /var/log/gdm/*
+ - /var/log/glusterfs/*glusterd.vol.log
+ - /var/log/glusterfs/glusterfs.log
+ - /var/log/httpd/*log
+ - /var/log/installer/*
+ - /var/log/jetty/jetty-console.log
+ - /var/log/journal/*
+ - /var/log/lastlog*
+ - /var/log/libvirt/libvirtd.log
+ - /var/log/libvirt/lxc/*.log
+ - /var/log/libvirt/qemu/*.log
+ - /var/log/libvirt/uml/*.log
+ - /var/log/lightdm/*
+ - /var/log/mail/*
+ - /var/log/maillog*
+ - /var/log/messages*
+ - /var/log/ntp
+ - /var/log/ntpstats/*
+ - /var/log/ppp/connect-errors
+ - /var/log/rhsm/*
+ - /var/log/sa/*
+ - /var/log/secure*
+ - /var/log/setroubleshoot/*.log
+ - /var/log/spooler*
+ - /var/log/squid/*.log
+ - /var/log/syslog*
+ - /var/log/tallylog*
+ - /var/log/tuned/tuned.log
+ - /var/log/wtmp*
+ - /var/named/data/named.run
+ loop_control:
+ loop_var: del
+ become: yes
+
+- name: Force system sync and sleep for 10 seconds
+ block:
+ - shell: sync
+ - pause:
+ seconds: 10
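Review bot: The `file` module treats `path` as a literal name and does not expand shell wildcards, so every `with_items` entry containing `*` is a no-op: the task reports success while `/etc/ssh/ssh*key*`, `/root/.ssh/*`, `/var/lib/cloud/*` and the log patterns stay in the image. Instances booted from it may then start with the build host's SSH host keys, authorized keys and cloud-init state unless something else regenerates them on first boot, which is what a reseal step exists to prevent. Resolving the patterns on the target with `find` and deleting the registered matches fixes this; the sketch below splits each entry into directory and pattern and keeps the existing list as it is. A final task that fails the build if any `/etc/ssh/ssh_host_*` file is still present would make a regression visible.

```yaml
- name: Resolve reseal patterns on the target
  find:
    paths: '{{ del | dirname }}'
    patterns: '{{ del | basename }}'
    file_type: any
    hidden: yes
  with_items:
    # … unchanged: the reseal path list …
  loop_control:
    loop_var: del
  register: reseal_matches
  become: yes

- name: System reseal
  file:
    path: '{{ item.1.path }}'
    state: absent
  with_subelements:
    - '{{ reseal_matches.results }}'
    - files
  become: yes
```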
diff --git a/provision/ubuntu-user_data.sh b/provision/ubuntu-user_data.sh
new file mode 100644
index 0000000..6dc5a00
--- /dev/null
+++ b/provision/ubuntu-user_data.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2016 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# vi: ts=4 sw=4 sts=4 et :
+
+# Nothing to do for Ubuntu specific provisioning
diff --git a/templates/.gitignore b/templates/.gitignore
new file mode 100644
index 0000000..d69d1a4
--- /dev/null
+++ b/templates/.gitignore
@@ -0,0 +1,2 @@
+*.json
+
diff --git a/templates/builder.json.example b/templates/builder.json.example
new file mode 100644
index 0000000..ea9454a
--- /dev/null
+++ b/templates/builder.json.example
@@ -0,0 +1,57 @@
+{
+ "variables": {
+ "base_image": null,
+ "distro": null,
+ "cloud_auth_url": null,
+ "cloud_user": null,
+ "cloud_pass": null,
+ "cloud_network": null,
+ "cloud_tenant": null,
+ "cloud_user_data": null,
+ "ssh_user": null,
+ "ssh_proxy_host": ""
+ },
+ "builders": [
+ {
+ "name": "vexxhost",
+ "image_name": "ZZCI - {{user `distro`}} - builder - {{isotime \"20060102-1504\"}}",
+ "source_image_name": "{{user `base_image`}}",
+ "type": "openstack",
+ "identity_endpoint": "{{user `cloud_auth_url`}}",
+ "username": "{{user `cloud_user`}}",
+ "password": "{{user `cloud_pass`}}",
+ "tenant_name": "{{user `cloud_tenant`}}",
+ "domain_name": "Default",
+ "region": "ca-ymq-1",
+ "availability_zone": "ca-ymq-2",
+ "networks": [
+ "{{user `cloud_network`}}"
+ ],
+ "user_data_file": "{{user `cloud_user_data`}}",
+ "ssh_username": "{{user `ssh_user`}}",
+ "ssh_proxy_host": "{{user `ssh_proxy_host`}}",
+ "flavor": "v1-standard-1",
+ "metadata": {
+ "ci_managed": "yes"
+ }
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "shell",
+ "scripts": [
+ "provision/install-python.sh"
+ ],
+ "execute_command": "chmod +x {{ .Path }}; if [ \"$UID\" == \"0\" ]; then {{ .Vars }} '{{ .Path }}'; else {{ .Vars }} sudo -E '{{ .Path }}'; fi"
+ },
+ {
+ "type": "ansible",
+ "playbook_file": "provision/baseline.yaml",
+ "ansible_env_vars": [
+ "ANSIBLE_NOCOWS=1",
+ "ANSIBLE_ROLES_PATH=lf-ansible/roles",
+ "ANSIBLE_STDOUT_CALLBACK=debug"
+ ]
+ }
+ ]
+}
diff --git a/vars/centos-7.json b/vars/centos-7.json
new file mode 100644
index 0000000..678a903
--- /dev/null
+++ b/vars/centos-7.json
@@ -0,0 +1,6 @@
+{
+ "base_image": "LF - CentOS 7.1711 (2017-11-05)",
+ "distro": "CentOS 7",
+ "ssh_user": "centos",
+ "cloud_user_data": "provision/rh-user_data.sh"
+}
diff --git a/vars/ubuntu-16.04.json b/vars/ubuntu-16.04.json
new file mode 100644
index 0000000..58a54d3
--- /dev/null
+++ b/vars/ubuntu-16.04.json
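Review bot: In templates/builder.json.example, `cloud_pass` is declared as an ordinary user variable and interpolated into `password`, and nothing in the template marks it as secret, so it is treated like any other value if Packer output or debug logging ever includes variable contents. Packer releases that support the top-level `sensitive-variables` key can mask it with `"sensitive-variables": ["cloud_pass"]`. With releases that lack the key, the CI job should keep `PACKER_LOG` unset and avoid printing the var-file. The `.gitignore` entries for `cloud-env.json` and `templates/*.json` in this commit keep the credential file out of the repository, which is worth stating in a README next to the example so the convention is not bypassed.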
@@ -0,0 +1,6 @@
+{
+ "base_image": "LF - Ubuntu 16.04 LTS (2017-12-01)",
+ "distro": "Ubuntu 16.04",
+ "ssh_user": "ubuntu",
+ "cloud_user_data": "provision/ubuntu-user_data.sh"
+}