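---
# Builds a Fedora 29 cloud image customized for Zuul CI workers using
# virt-customize, running entirely on the nodepool builder (localhost).
#
# Inputs not defined in this file (presumably passed as extra vars by the
# caller; confirm against the nodepool element that invokes this play):
#   image_output  - output path prefix; ".raw" / ".qcow2" is appended
#   raw_type      - truthy to also emit a raw image (default: false)
#   qcow2_type    - truthy to emit the final qcow2 image (default: false)
- name: Build a fedora cloud image suitable for Zuul
  hosts: localhost
  vars:
    # Upstream release image; fetched over HTTPS and pinned by sha256 below.
    # NOTE(review): Fedora 29 is end-of-life; the release path may have moved
    # to the archive mirror — confirm the URL still resolves.
    image_url: https://download.fedoraproject.org/pub/fedora/linux/releases/29/Cloud/x86_64/images/Fedora-Cloud-Base-29-1.2.x86_64.qcow2
    # Authenticates the download; get_url refuses to keep a file that does
    # not match.  This checksum describes the *pristine* image only — the
    # cache is modified in place by "virt-customize --update" below, so it
    # will not match again once the cache has been refreshed.
    image_checksum: "sha256:a30549d620bf6bf41d30a9a58626e59dfa70bb011fd7d50f6c4511ad2e479a39"
    image_cache_file: "/var/cache/nodepool/Fedora-Cloud-Base-29-1.2.x86_64.qcow2"
    image_cache_dir: "/var/cache/nodepool"
    # Staging area for the working copy of the image plus the sudoers,
    # authorized_keys and sshd_config files that get copied into it.  The
    # path is predictable and lives under world-writable /var/tmp; on a
    # builder shared with other users, prefer the tempfile module so the
    # directory is created with mkdtemp semantics — TODO confirm builder
    # is single-purpose.
    image_tmp_dir: "/var/tmp/{{ image_output | basename }}"
    # Packages installed into the image via "virt-customize --install".
    extra_packages:
      # For validate-host and prepare-workspace
      - traceroute
      - iproute
      - git
      - rsync
      # Extra system tools
      - pigz
      - bridge-utils
      - wget
      - unzip
      # Basic CI tools
      - make
      - gcc
      - patch
      # RPM building tools
      - redhat-lsb-core
      - redhat-rpm-config
      - rpm-build
      - rpm-sign
      - rpmlint
      - createrepo
      - gnupg2
      - expect
      # Devel libraries
      - libffi-devel
      - libpcap-devel
      - libseccomp-devel
      - libxml2-devel
      - libxslt-devel
      - mariadb-devel
      - openldap-devel
      - openssl-devel
      - python2-devel
      - python3-devel
      - readline-devel
      - ruby-devel
      - systemd-devel
      - zlib-devel
      # Python
      - PyYAML
      - python-virtualenv
      - python-six
      # For add-build-sshkey
      - python-libselinux
  tasks:
    # virt-customize drives a libvirt appliance to edit the disk image.
    - name: Ensure libvirt is started
      service:
        name: libvirtd
        state: started

    - name: Check if image is already downloaded
      stat:
        path: "{{ image_cache_file }}"
      register: _image_cache_file_stat

    # Despite the task name, the download is guarded by *existence* of the
    # cache file, not by checksum: the cache is rewritten by --update, so
    # letting get_url re-verify every run would re-download each time.
    # The checksum is therefore only enforced at first download.
    - name: Download if checksum doesn't match
      get_url:
        url: "{{ image_url }}"
        dest: "{{ image_cache_file }}"
        checksum: "{{ image_checksum }}"
      when: not _image_cache_file_stat.stat.exists

    # Refresh packages in the cached base image so every build starts from
    # a patched base.  If the update fails the cache is discarded and the
    # play aborts; the next run downloads (and re-verifies) a fresh copy.
    - block:
        - name: Update the cache
          command: "virt-customize -m 1024 -a {{ image_cache_file }} --update"
      rescue:
        - name: Drop the cache
          file:
            path: "{{ image_cache_file }}"
            state: absent
        # Native block form instead of key=value shorthand.
        - fail:
            msg: "Please retry"

    - name: Customize the image for zuul ci
      block:
        - name: Create tmp directory
          file:
            path: "{{ image_tmp_dir }}"
            state: directory
            # Quoted so the YAML parser cannot reinterpret the leading zero.
            mode: "0755"

        - name: Set filename copy fact
          set_fact:
            image_file: "{{ image_tmp_dir }}/{{ image_cache_file | basename }}"

        # Work on a copy so the cache itself is never customized.
        - name: Copy the image
          copy:
            src: "{{ image_cache_file }}"
            dest: "{{ image_file }}"
            remote_src: true
            mode: "0644"

        # Passwordless root for the CI worker account; !requiretty lets
        # non-interactive SSH sessions (Zuul jobs) use sudo.  Installed as
        # /etc/sudoers.d/zuul with mode 0440 in the customize step below.
        - name: Prepare the sudoers file
          copy:
            content: |
              Defaults    !requiretty
              zuul-worker ALL=(ALL) NOPASSWD:ALL
            dest: "{{ image_tmp_dir }}/zuul"

        # Public half of the nodepool zuul key, read from the builder host.
        - name: Prepare the authorized_keys file
          copy:
            src: /var/lib/nodepool/.ssh/zuul_rsa.pub
            dest: "{{ image_tmp_dir }}/authorized_keys"
            remote_src: true

        # Hardened sshd: key-only authentication (password, challenge-
        # response and GSSAPI disabled), a restricted KEX/cipher/MAC set,
        # no X11 forwarding, and UseDNS off to avoid reverse-lookup delays.
        - name: Prepare sshd_config file
          copy:
            content: |
              HostKey /etc/ssh/ssh_host_rsa_key
              HostKey /etc/ssh/ssh_host_ecdsa_key
              HostKey /etc/ssh/ssh_host_ed25519_key
              KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
              Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
              MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
              SyslogFacility AUTHPRIV
              AuthorizedKeysFile .ssh/authorized_keys
              PasswordAuthentication no
              ChallengeResponseAuthentication no
              GSSAPIAuthentication no
              GSSAPICleanupCredentials no
              UsePAM yes
              X11Forwarding no
              UseDNS no
              AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
              AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
              AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
              AcceptEnv XMODIFIERS
              Subsystem sftp  /usr/libexec/openssh/sftp-server
            dest: "{{ image_tmp_dir }}/sshd_config"

        # Single virt-customize invocation; the {# ... #} Jinja comments are
        # stripped at template time and never reach the command line.
        # --selinux-relabel must stay last so every file written above gets
        # a correct label.
        - name: Customize the image
          command: >-
            virt-customize -m 1024 -a {{ image_file }}
            {# Ensure zuul user exists #}
            --run-command 'adduser -m zuul-worker'
            {# Setup authorized_keys #}
            --mkdir '/home/zuul-worker/.ssh'
            --chmod '0700:/home/zuul-worker/.ssh'
            --copy-in '{{ image_tmp_dir }}/authorized_keys:/home/zuul-worker/.ssh/'
            --chmod '0600:/home/zuul-worker/.ssh/authorized_keys'
            --run-command 'chown -R zuul-worker:zuul-worker /home/zuul-worker/.ssh/'
            {# Setup sudoers file #}
            --copy-in '{{ image_tmp_dir }}/zuul:/etc/sudoers.d/'
            --chmod '0440:/etc/sudoers.d/zuul'
            {# Setup sshd_config file #}
            --copy-in '{{ image_tmp_dir }}/sshd_config:/etc/ssh/'
            --chmod '0600:/etc/ssh/sshd_config'
            {# Install extra packages #}
            --install '{{ extra_packages | join(',') }}'
            {# Disable IPv6 because rdo-cloud does not route v6 #}
            --append-line '/etc/sysctl.conf:net.ipv6.conf.all.disable_ipv6 = 1'
            --append-line '/etc/sysctl.conf:net.ipv6.conf.default.disable_ipv6 = 1'
            --append-line '/etc/sysconfig/network:IPV6INIT=no'
            --append-line '/etc/sysconfig/network:IPV6_AUTOCONF=no'
            --append-line '/etc/sysconfig/network:IPV6_DEFROUTE=no'
            {# Ensure yum only resolves using IPv4 #}
            --append-line '/etc/yum.conf:ip_resolve=4'
            {# Ensure selinux labels are correct #}
            --selinux-relabel

        # Order matters: the raw conversion reads image_file, and the qcow2
        # step below moves it away, so raw must run first.
        - name: Create raw file
          command: "qemu-img convert -O raw {{ image_file }} {{ image_output }}.raw"
          when: raw_type | default(False) | bool

        - name: Create qcow file
          command: "mv {{ image_file }} {{ image_output }}.qcow2"
          when: qcow2_type | default(False) | bool

      # Runs whether or not customization succeeded, so staged sudoers /
      # key material and the working image copy never linger in /var/tmp.
      always:
        - name: Remove tmp directory
          file:
            path: "{{ image_tmp_dir }}"
            state: absent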