From da80ae50f1f5ad170b9b38ed4918e1fbc87d65cb Mon Sep 17 00:00:00 2001
From: Thanh Ha
Date: Fri, 29 Dec 2017 14:45:24 -0500
Subject: [PATCH] Initial baseline image (Ansible)
Create a baseline image using Ansible Playbooks. Considering using Ansible for our Job builds so why not also use it here for packer builds. Ansible seems to have support for the things our helper scripts do which allows us to get rid of them if we use Ansible. Each Ansible task also validates itself to make sure the commands run through, something we don't currently do and can better let us know when something goes wrong.
Issue: RELENG-288
Depends-On: Ibf4e1ff13d93ad59eaea4a0582a4b77446870dc0
Change-Id: I96d1ec83cec82130d30a245c39b6ac8018f92428
Signed-off-by: Thanh Ha
---
.gitignore | 2 +
provision/baseline.yaml | 65 +++++++++++++++++++++++++
provision/install-base-pkgs-RedHat.yaml | 13 +++++
provision/install-base-pkgs-Ubuntu.yaml | 14 ++++++
provision/install-python.sh | 20 ++++++++
provision/rh-user_data.sh | 13 +++++
provision/system-reseal.yaml | 85 +++++++++++++++++++++++++++++++++
provision/ubuntu-user_data.sh | 13 +++++
templates/.gitignore | 2 +
templates/builder.json.example | 57 ++++++++++++++++++++++
vars/centos-7.json | 6 +++
vars/ubuntu-16.04.json | 6 +++
12 files changed, 296 insertions(+)
create mode 100644 provision/baseline.yaml
create mode 100644 provision/install-base-pkgs-RedHat.yaml
create mode 100644 provision/install-base-pkgs-Ubuntu.yaml
create mode 100644 provision/install-python.sh
create mode 100644 provision/rh-user_data.sh
create mode 100644 provision/system-reseal.yaml
create mode 100644 provision/ubuntu-user_data.sh
create mode 100644 templates/.gitignore
create mode 100644 templates/builder.json.example
create mode 100644 vars/centos-7.json
create mode 100644 vars/ubuntu-16.04.json
diff --git a/.gitignore b/.gitignore
index 33defe4..60d1f4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@ .tox/
+cloud-env.json
+*.retry
diff --git a/provision/baseline.yaml b/provision/baseline.yaml
new file mode 100644
index 0000000..84dde1b
--- /dev/null
+++ b/provision/baseline.yaml
@@ -0,0 +1,65 @@
+---
+- hosts: all
+ become_user: root
+ become_method: sudo
+
+ pre_tasks:
+ - include_role: name=system-update
+
+ - name: Install base packages
+ include_tasks: '{{item}}'
+ with_first_found:
+ - 'install-base-pkgs-{{ansible_distribution}}.yaml'
+ - 'install-base-pkgs-{{ansible_os_family}}.yaml'
+
+ - name: Setup SELINUX
+ selinux:
+ policy: targeted
+ state: enforcing
+ when: ansible_os_family == 'RedHat'
+ become: yes
+
+ - name: Allow jenkins user sudo access
+ copy:
+ dest: /etc/sudoers.d/89-jenkins-user-defaults
+ content: |
+ Defaults:jenkins !requiretty
+ jenkins ALL = NOPASSWD: ALL
+ validate: /usr/sbin/visudo -cf %s
+ become: yes
+
+ roles:
+ - lf-recommended-tools
+ - haveged-install
+ - java-install
+ - puppet-install
+ - python-install
+ - shellcheck-install
+ - sysstat-install
+
+ post_tasks:
+ - name: Update /etc/nss-switch.conf to map hostname with IP
+ # Update /etc/nss-switch.conf to map hostname with IP instead of using `localhost`
+ # from /etc/hosts which is required by some of the Java API's to avoid
+ # Java UnknownHostException: "Name or service not known" error.
+ shell: sed -i "/^hosts:/s/$/ myhostname/" /etc/nsswitch.conf
+ become: yes
+
+ - name: Disable periodic updates
+ block:
+ - name: Set all periodic update options to 0
+ replace:
+ path: /etc/apt/apt.conf.d/10periodic
+ regexp: '1'
+ replace: '0'
+ - name: Disable unattended upgrades
+ lineinfile:
+ path: /etc/apt/apt.conf.d/10periodic
+ regexp: '^APT::Periodic::Unattended-Upgrade'
+ line: 'APT::Periodic::Unattended-Upgrade "0";'
+ create: yes
+ when: ansible_distribution == 'Ubuntu'
+ become: yes
+
+ - name: System Reseal
+ include_tasks: system-reseal.yaml
diff --git a/provision/install-base-pkgs-RedHat.yaml b/provision/install-base-pkgs-RedHat.yaml
new file mode 100644
index 0000000..fdbcc5b
--- /dev/null
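Review bot: The sudoers drop-in written by the `Allow jenkins user sudo access` task sets no `owner`, `group` or `mode`, so `/etc/sudoers.d/89-jenkins-user-defaults` is created with whatever the `copy` defaults give; add `owner: root`, `group: root` and `mode: '0440'` next to `validate:`. The same file grants `jenkins ALL = NOPASSWD: ALL`, which makes every job that runs as jenkins on an image built from this playbook equivalent to root; if that is the intended trust model for CI builders, a comment above the task saying so would record the decision. Separately, in `post_tasks` the `sed -i "/^hosts:/s/$/ myhostname/"` step appends again on every run and the `replace` with `regexp: '1'` rewrites every `1` in `10periodic`, so `lineinfile` with an anchored pattern would be safer for both.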
+++ b/provision/install-base-pkgs-RedHat.yaml
@@ -0,0 +1,13 @@
+---
+- name: Install base packages
+ yum:
+ name: '{{pkg}}'
+ state: latest
+ with_items:
+ - '@base'
+ - '@development'
+ - yum-utils
+ - https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+ loop_control:
+ loop_var: pkg
+ become: yes
diff --git a/provision/install-base-pkgs-Ubuntu.yaml b/provision/install-base-pkgs-Ubuntu.yaml
new file mode 100644
index 0000000..dc023e9
--- /dev/null
+++ b/provision/install-base-pkgs-Ubuntu.yaml
@@ -0,0 +1,14 @@
+---
+- name: Install base packages
+ apt:
+ name: '{{pkg}}'
+ state: latest
+ with_items:
+ - build-essential
+ - devscripts
+ - dh-systemd
+ - equivs
+ - gdebi
+ loop_control:
+ loop_var: pkg
+ become: yes
diff --git a/provision/install-python.sh b/provision/install-python.sh
new file mode 100644
index 0000000..6ec0fdf
--- /dev/null
+++ b/provision/install-python.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2018 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# vi: ts=4 sw=4 sts=4 et :
+
+# Ansible requires Python 2 so check availability and install as necessary.
+if ! command -v /usr/bin/python; then
+ # Ubuntu 16.04 does not come with Python 2 by default.
+ if command -v apt; then
+ apt -y update
+ apt install -y python-minimal
+ fi
+fi
diff --git a/provision/rh-user_data.sh b/provision/rh-user_data.sh
new file mode 100644
index 0000000..c7e19ee
--- /dev/null
+++ b/provision/rh-user_data.sh
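Review bot: The last item of the `with_items` list in install-base-pkgs-RedHat.yaml installs `epel-release` straight from `https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm`, and nothing in this task imports the EPEL signing key first, so the package that adds a new repository and its key to every image is presumably trusted on TLS alone. Importing the key with an `rpm_key` task before this one, or installing `epel-release` by name from the distribution's own repositories where it is available, would keep a signature check in the path. `state: latest` on `@base` and `@development` (and on the apt list in install-base-pkgs-Ubuntu.yaml) also means two builds of the same template can produce different images; that may be intended for a baseline, but it deserves a comment.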
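Review bot: install-python.sh has no `set -e`, so a failed `apt -y update` is ignored and `apt install -y python-minimal` then runs against whatever package index the base image shipped with. Adding `set -eu -o pipefail` under the header and switching to `apt-get update` and `apt-get install -y python-minimal` gives a script that stops on the first error and uses the interface apt documents as stable for scripts. `command -v /usr/bin/python` also prints the path into the build log; redirecting it with `>/dev/null` would keep the output to real events.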
@@ -0,0 +1,13 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2016 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# vi: ts=4 sw=4 sts=4 et :
+
+/bin/sed -i 's/ requiretty/ !requiretty/' /etc/sudoers;
diff --git a/provision/system-reseal.yaml b/provision/system-reseal.yaml
new file mode 100644
index 0000000..4c3d3ce
--- /dev/null
+++ b/provision/system-reseal.yaml
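Review bot: The `sed -i 's/ requiretty/ !requiretty/' /etc/sudoers` line edits the main sudoers file in place with no syntax check and turns `requiretty` off for every account, while the playbook in this same change already scopes it with `Defaults:jenkins !requiretty` in a drop-in validated by `visudo -cf %s`. Writing a file under `/etc/sudoers.d/` limited to the provisioning user, and checking it with `visudo -cf` before it is moved into place, would give the build what it needs without a global change that stays in the finished image. If the global setting is only needed while the image is being built, the reseal step is a natural place to put it back.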
@@ -0,0 +1,85 @@
+---
+- name: System reseal
+ file:
+ path: '{{del}}'
+ state: absent
+ with_items:
+ - ~/.viminfo
+ - /etc/Pegasus/*.cnf
+ - /etc/Pegasus/*.crt
+ - /etc/Pegasus/*.csr
+ - /etc/Pegasus/*.pem
+ - /etc/Pegasus/*.srl
+ - /etc/ssh/ssh*key*
+ - /root/.ssh/*
+ - /root/anaconda-ks.cfg
+ - /root/anaconda-post.log
+ - /root/initial-setup-ks.cfg
+ - /root/install.log
+ - /root/install.log.syslog
+ - /tmp/*
+ - /var/cache/fontconfig/*
+ - /var/cache/gdm/*
+ - /var/cache/man/*
+ - /var/lib/AccountService/users/*
+ - /var/lib/cloud/*
+ - /var/lib/fprint/*
+ - /var/lib/logrotate.status
+ - /var/log/*.log*
+ - /var/log/BackupPC/LOG
+ - /var/log/ConsoleKit/*
+ - /var/log/anaconda.syslog
+ - /var/log/anaconda/*
+ - /var/log/apache2/*_log
+ - /var/log/apache2/*_log-*
+ - /var/log/apt/*
+ - /var/log/aptitude*
+ - /var/log/audit/*
+ - /var/log/btmp*
+ - /var/log/ceph/*.log
+ - /var/log/chrony/*.log
+ - /var/log/cron*
+ - /var/log/cups/*_log
+ - /var/log/debug*
+ - /var/log/dmesg*
+ - /var/log/exim4/*
+ - /var/log/faillog*
+ - /var/log/gdm/*
+ - /var/log/glusterfs/*glusterd.vol.log
+ - /var/log/glusterfs/glusterfs.log
+ - /var/log/httpd/*log
+ - /var/log/installer/*
+ - /var/log/jetty/jetty-console.log
+ - /var/log/journal/*
+ - /var/log/lastlog*
+ - /var/log/libvirt/libvirtd.log
+ - /var/log/libvirt/lxc/*.log
+ - /var/log/libvirt/qemu/*.log
+ - /var/log/libvirt/uml/*.log
+ - /var/log/lightdm/*
+ - /var/log/mail/*
+ - /var/log/maillog*
+ - /var/log/messages*
+ - /var/log/ntp
+ - /var/log/ntpstats/*
+ - /var/log/ppp/connect-errors
+ - /var/log/rhsm/*
+ - /var/log/sa/*
+ - /var/log/secure*
+ - /var/log/setroubleshoot/*.log
+ - /var/log/spooler*
+ - /var/log/syslog*
+ - /var/log/tallylog*
+ - /var/log/tuned/tuned.log
+ - /var/log/wtmp*
+ - /var/named/data/named.run
+ loop_control:
+ loop_var: del
+ become: yes
+
+- name: Force system sync and sleep for 10 seconds
+ block:
+ - shell: sync
+ - pause:
+ seconds: 10
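Review bot: The `file` module does not expand shell wildcards, so with `state: absent` every entry in `with_items` that contains `*` is looked up as a literal name, is not found, and is reported as already absent. That leaves `/etc/ssh/ssh*key*`, `/root/.ssh/*`, `/var/lib/cloud/*` and the log globs untouched, so unless something regenerates them at first boot, instances created from the image would share SSH host keys and carry the build's logs and any root authorized keys. Either run the list through the remote shell, with `shell: rm -rf {{del}}` in place of the `file:` block, or resolve the patterns on the target with the `find` module and delete the registered paths. A final task that fails the build if `/etc/ssh/ssh_host_*` still exists would catch a regression.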
diff --git a/provision/ubuntu-user_data.sh b/provision/ubuntu-user_data.sh
new file mode 100644
index 0000000..6dc5a00
--- /dev/null
+++ b/provision/ubuntu-user_data.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2016 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# vi: ts=4 sw=4 sts=4 et :
+
+# Nothing to do for Ubuntu specific provisioning
diff --git a/templates/.gitignore b/templates/.gitignore
new file mode 100644
index 0000000..d69d1a4
--- /dev/null
+++ b/templates/.gitignore
@@ -0,0 +1,2 @@
+*.json
+
diff --git a/templates/builder.json.example b/templates/builder.json.example
new file mode 100644
index 0000000..ea9454a
--- /dev/null
+++ b/templates/builder.json.example
@@ -0,0 +1,57 @@
+{
+ "variables": {
+ "base_image": null,
+ "distro": null,
+ "cloud_auth_url": null,
+ "cloud_user": null,
+ "cloud_pass": null,
+ "cloud_network": null,
+ "cloud_tenant": null,
+ "cloud_user_data": null,
+ "ssh_user": null,
+ "ssh_proxy_host": ""
+ },
+ "builders": [
+ {
+ "name": "vexxhost",
+ "image_name": "ZZCI - {{user `distro`}} - builder - {{isotime \"20060102-1504\"}}",
+ "source_image_name": "{{user `base_image`}}",
+ "type": "openstack",
+ "identity_endpoint": "{{user `cloud_auth_url`}}",
+ "username": "{{user `cloud_user`}}",
+ "password": "{{user `cloud_pass`}}",
+ "tenant_name": "{{user `cloud_tenant`}}",
+ "domain_name": "Default",
+ "region": "ca-ymq-1",
+ "availability_zone": "ca-ymq-2",
+ "networks": [
+ "{{user `cloud_network`}}"
+ ],
+ "user_data_file": "{{user `cloud_user_data`}}",
+ "ssh_username": "{{user `ssh_user`}}",
+ "ssh_proxy_host": "{{user `ssh_proxy_host`}}",
+ "flavor": "v1-standard-1",
+ "metadata": {
+ "ci_managed": "yes"
+ }
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "shell",
+ "scripts": [
+ "provision/install-python.sh"
+ ],
+ "execute_command": "chmod +x {{ .Path }}; if [ \"$UID\" == \"0\" ]; then {{ .Vars }} '{{ .Path }}'; else {{ .Vars }} sudo -E '{{ .Path }}'; fi"
+ },
+ {
+ "type": "ansible",
+ "playbook_file": "provision/baseline.yaml",
+ "ansible_env_vars": [
+ "ANSIBLE_NOCOWS=1",
+ "ANSIBLE_ROLES_PATH=lf-ansible/roles",
+ "ANSIBLE_STDOUT_CALLBACK=debug"
+ ]
+ }
+ ]
+}
diff --git a/vars/centos-7.json b/vars/centos-7.json
new file mode 100644
index 0000000..678a903
--- /dev/null
+++ b/vars/centos-7.json
@@ -0,0 +1,6 @@
+{
+ "base_image": "LF - CentOS 7.1711 (2017-11-05)",
+ "distro": "CentOS 7",
+ "ssh_user": "centos",
+ "cloud_user_data": "provision/rh-user_data.sh"
+}
diff --git a/vars/ubuntu-16.04.json b/vars/ubuntu-16.04.json
new file mode 100644
index 0000000..58a54d3
--- /dev/null
+++ b/vars/ubuntu-16.04.json
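Review bot: In builder.json.example `cloud_pass` is declared as an ordinary user variable and interpolated into `"password"`, so its value is handled like any other template variable and can surface in Packer's output or debug log. If the Packer version in use supports it, a top-level `"sensitive-variables": ["cloud_pass"]` entry has Packer mask the value in what it prints; the OpenStack builder can also read the password from the `OS_PASSWORD` environment variable, which keeps it out of the variables file altogether. The `sudo -E` in `execute_command` passes the caller's whole environment to the root script, which is worth narrowing if credentials are ever supplied through the environment.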
@@ -0,0 +1,6 @@
+{
+ "base_image": "LF - Ubuntu 16.04 LTS (2017-12-01)",
+ "distro": "Ubuntu 16.04",
+ "ssh_user": "ubuntu",
+ "cloud_user_data": "provision/ubuntu-user_data.sh"
+}
-- 2.16.6