Test dependencies

This commit is contained in:
2023-02-22 21:24:42 +01:00
commit f2b0a5e7c7
429 changed files with 20330 additions and 0 deletions

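--- a/ansible/.gitignore
+++ b/ansible/.gitignore
@@ -0,0 +1 @@
+*.pyc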

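--- a/ansible/firstboot.yml
+++ b/ansible/firstboot.yml
@@ -0,0 +1,43 @@
+# Copyright 2020 The Kubernetes Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- hosts: all
+become: yes
+vars:
+firstboot_custom_roles_pre: ""
+firstboot_custom_roles_post: ""
+tasks:
+- include_role:
+name: "{{ role }}"
+loop: "{{ firstboot_custom_roles_pre.split() }}"
+loop_control:
+loop_var: role
+when: firstboot_custom_roles_pre != ""
+- include_role:
+name: firstboot
+- include_role:
+name: "{{ role }}"
+loop: "{{ firstboot_custom_roles_post.split() }}"
+loop_control:
+loop_var: role
+when: firstboot_custom_roles_post != ""
+environment:
+http_proxy: "{{ http_proxy | default('') }}"
+https_proxy: "{{ https_proxy | default('') }}"
+no_proxy: "{{ no_proxy | default('') }}"
+HTTP_PROXY: "{{ http_proxy | default('') }}"
+HTTPS_PROXY: "{{ https_proxy | default('') }}"
+NO_PROXY: "{{ no_proxy | default('') }}"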
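Review bot: `become: yes` on the play header uses a YAML 1.1 truthy spelling; the canonical form is `become: true`, which yamllint's `truthy` rule expects and which reads the same under YAML 1.2 parsers. The same spelling appears in node.yml and python.yml (`become: yes`, `gather_facts: no`) and as `True` in several role tasks (`remote_src: True`, `enabled: True`). Changing the three play headers to `become: true` / `gather_facts: false` keeps them consistent with the lowercase `false` literal already used in the kubernetes role defaults.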

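--- a/ansible/node.yml
+++ b/ansible/node.yml
@@ -0,0 +1,56 @@
+# Copyright 2018 The Kubernetes Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- hosts: all
+become: yes
+vars:
+node_custom_roles_pre: ""
+node_custom_roles_post: ""
+custom_role_names: ""
+tasks:
+- include_role:
+name: "{{ role }}"
+loop: "{{ node_custom_roles_pre.split() }}"
+loop_control:
+loop_var: role
+when: node_custom_roles_pre != ""
+- include_role:
+name: node
+- include_role:
+name: providers
+- include_role:
+name: containerd
+- include_role:
+name: kubernetes
+- include_role:
+name: load_additional_components
+when: load_additional_components | bool
+- include_role:
+name: "{{ role }}"
+loop: "{{ custom_role_names.split() + node_custom_roles_post.split() }}"
+loop_control:
+loop_var: role
+when: custom_role_names != "" or node_custom_roles_post != ""
+- include_role:
+name: sysprep
+environment:
+http_proxy: "{{ http_proxy | default('') }}"
+https_proxy: "{{ https_proxy | default('') }}"
+no_proxy: "{{ no_proxy | default('') }}"
+HTTP_PROXY: "{{ http_proxy | default('') }}"
+HTTPS_PROXY: "{{ https_proxy | default('') }}"
+NO_PROXY: "{{ no_proxy | default('') }}"
+PYTHONPATH: "{{ python_path }}"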
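Review bot: `PYTHONPATH: "{{ python_path }}"` in the play environment has no default, while every proxy entry beside it is guarded with `| default('')`, so an inventory that does not set `python_path` fails the play at template time rather than running with an empty value. `PYTHONPATH: "{{ python_path | default('') }}"` would match the neighbouring entries; python.yml carries the same line. Likewise `when: load_additional_components | bool` reads a variable that this play's `vars:` does not define, so it presumably has to come from the inventory or extra-vars — a comment above that task stating where it is expected from would save the next reader a search.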

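--- a/ansible/python.yml
+++ b/ansible/python.yml
@@ -0,0 +1,32 @@
+# Copyright 2018 The Kubernetes Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- hosts: all
+# Gathering facts requires Python to be available, so it's a chicken and egg
+# problem as this playbook installs Python.
+gather_facts: no
+become: yes
+tasks:
+- include_role:
+name: python
+environment:
+http_proxy: "{{ http_proxy | default('') }}"
+https_proxy: "{{ https_proxy | default('') }}"
+no_proxy: "{{ no_proxy | default('') }}"
+HTTP_PROXY: "{{ http_proxy | default('') }}"
+HTTPS_PROXY: "{{ https_proxy | default('') }}"
+NO_PROXY: "{{ no_proxy | default('') }}"
+PYTHONPATH: "{{ python_path }}"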


@ -0,0 +1,15 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
containerd_config_file: "etc/containerd/config.toml"


@ -0,0 +1,18 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Install libseccomp2 package
apt:
name: libseccomp2
state: present


@ -0,0 +1,169 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: debian.yml
when: ansible_os_family == "Debian"
- import_tasks: redhat.yml
when: ansible_os_family == "RedHat"
- import_tasks: photon.yml
when: ansible_os_family == "VMware Photon OS"
# TODO(vincepri): Use deb/rpm packages once available.
# See https://github.com/containerd/containerd/issues/1508 for context.
- name: download containerd
get_url:
url: "{{ containerd_url }}"
checksum: "sha256:{{ containerd_sha256 }}"
dest: /tmp/containerd.tar.gz
mode: 0600
- name: download containerd-wasm-shims
get_url:
url: "{{ containerd_wasm_shims_url }}"
checksum: "sha256:{{ containerd_wasm_shims_sha256 }}"
dest: /tmp/containerd_wasm_shims.tar.gz
mode: 0600
when: containerd_wasm_shims_runtimes | length > 0
- name: Create a directory if it does not exist
file:
path: "{{ sysusr_prefix }}/bin"
state: directory
mode: 0755
# TODO(vincepri): This unpacks the entire tar in the root directory
# we should find a better way to check what's being unpacked and where.
- name: unpack containerd
unarchive:
remote_src: True
src: /tmp/containerd.tar.gz
dest: /
extra_opts:
- --no-overwrite-dir
when: ansible_os_family != "Flatcar"
# install containerd Wasm shims when the runtimes are not empty -- current known runtimes are 'slight' and 'spin'
# see: https://github.com/kubernetes-sigs/image-builder/pull/1037
- name: unpack containerd-wasm-shims
unarchive:
remote_src: True
src: /tmp/containerd_wasm_shims.tar.gz
dest: "{{ sysusr_prefix }}/bin"
extra_opts:
- --no-overwrite-dir
when: ansible_os_family != "Flatcar" and (containerd_wasm_shims_runtimes | length > 0)
- name: unpack containerd for Flatcar to /opt/bin
unarchive:
remote_src: True
src: /tmp/containerd.tar.gz
dest: /
extra_opts:
- --absolute-names
- --transform
- 's@usr@opt@'
- --transform
- 's@sbin@bin@'
- --transform
- 's@opt/local@opt@'
when: ansible_os_family == "Flatcar"
# install containerd Wasm shims when the runtimes are not empty -- current known runtimes are 'slight' and 'spin'
# see: https://github.com/kubernetes-sigs/image-builder/pull/1037
- name: unpack containerd-wasm-shims for Flatcar to /opt/bin
unarchive:
remote_src: True
src: /tmp/containerd_wasm_shims.tar.gz
dest: "{{ sysusr_prefix }}/bin"
extra_opts:
- --no-overwrite-dir
when: ansible_os_family == "Flatcar" and (containerd_wasm_shims_runtimes | length > 0)
# Remove /opt/cni directory, as we will install cni later
- name: delete /opt/cni directory
file:
path: /opt/cni
state: absent
# Remove /etc/cni directory, as we will configure cni later
- name: delete /etc/cni directory
file:
path: /etc/cni
state: absent
- name: Creates unit file directory
file:
path: /etc/systemd/system/containerd.service.d
state: directory
- name: Create systemd unit drop-in file for containerd to run from /opt/bin
template:
dest: /etc/systemd/system/containerd.service.d/10-opt-bin-custom.conf
src: etc/systemd/system/containerd-flatcar.conf
mode: 0600
when: ansible_os_family == "Flatcar"
- name: Create containerd memory pressure drop in file
template:
dest: /etc/systemd/system/containerd.service.d/memory-pressure.conf
src: etc/systemd/system/containerd.service.d/memory-pressure.conf
mode: 0644
- name: Create containerd max tasks drop in file
template:
dest: /etc/systemd/system/containerd.service.d/max-tasks.conf
src: etc/systemd/system/containerd.service.d/max-tasks.conf
mode: 0644
- name: Create containerd http proxy conf file if needed
template:
dest: /etc/systemd/system/containerd.service.d/http-proxy.conf
src: etc/systemd/system/containerd.service.d/http-proxy.conf
mode: 0644
when: http_proxy is defined or https_proxy is defined
- name: Creates containerd config directory
file:
path: /etc/containerd
state: directory
- name: Copy in containerd config file {{ containerd_config_file }}
template:
dest: /etc/containerd/config.toml
src: "{{ containerd_config_file }}"
mode: 0644
- name: Copy in crictl config
template:
dest: /etc/crictl.yaml
src: etc/crictl.yaml
- name: start containerd service
systemd:
name: containerd
daemon_reload: yes
enabled: True
state: restarted
- name: delete tarball
file:
path: /tmp/containerd.tar.gz
state: absent
- name: delete tarball
file:
path: /tmp/containerd_wasm_shims.tar.gz
state: absent
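Review bot: The file modes are written as unquoted octal literals (`mode: 0600` on the two download tasks, `0755` on the bin directory, `0644` on the drop-in templates); a YAML 1.1 parser turns `0600` into the integer 384, which Ansible maps back to 0600, but a YAML 1.2 parser reads it as decimal 600 and ansible-lint flags the form as `risky-octal`. Quoting them (`mode: "0600"`) removes the ambiguity; the same literals appear in crictl-url.yml, the kubernetes role's debian.yml, main.yml and url.yml, and both kubeadm pull task files. The last two tasks both carry the name `delete tarball`, which makes the play output ambiguous; naming the second `delete containerd-wasm-shims tarball` distinguishes them. The `Creates unit file directory` and `Creates containerd config directory` tasks set no `mode`, so those directories take the umask-derived default rather than the explicit `0755` used for the bin directory.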


@ -0,0 +1,16 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Install libseccomp package
command: tdnf install libseccomp -y
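Review bot: `command: tdnf install libseccomp -y` reports `changed` on every run, so the task carries no idempotence signal; a `changed_when` based on the command's stdout would give accurate play summaries — confirm the exact text tdnf prints when the package is already installed before relying on it. The Debian and RedHat variants of this step use package modules that track state, so this is the one path where the role cannot tell whether it did anything.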


@ -0,0 +1,19 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Install libseccomp package
yum:
name: libseccomp
state: present
lock_timeout: 60


@ -0,0 +1,33 @@
## template: jinja
# Use config version 2 to enable new configuration fields.
# Config file is parsed as version 1 by default.
version = 2
{% if 'imports' not in containerd_additional_settings | b64decode %}
imports = ["/etc/containerd/conf.d/*.toml"]
{% endif %}
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "{{ pause_image }}"
{% if kubernetes_semver is version('v1.21.0', '>=') %}
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
{% if 'spin' in containerd_wasm_shims_runtimes %}
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.spin]
runtime_type = "io.containerd.spin.v1"
{% endif %}
{% if 'slight' in containerd_wasm_shims_runtimes %}
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.slight]
runtime_type = "io.containerd.slight.v1"
{% endif %}
{% endif %}
{% if packer_builder_type.startswith('azure') %}
[plugins."io.containerd.grpc.v1.cri".registry.headers]
X-Meta-Source-Client = ["azure/capz"]
{% endif %}
{{containerd_additional_settings | b64decode}}
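Review bot: The guard `{% if 'imports' not in containerd_additional_settings | b64decode %}` is a substring test on the decoded text, so any occurrence of the word `imports` — in a comment, or in a key such as `imports_extra` — suppresses the default `imports = ["/etc/containerd/conf.d/*.toml"]` line even though no `imports` key was set. A line-anchored test such as `{% if not (containerd_additional_settings | b64decode) is regex('^\s*imports\s*=', multiline=True) %}` only reacts to an actual assignment. The decoded settings are spliced in verbatim on the last line, so a short comment above it noting that the caller is responsible for supplying valid TOML (and that it can override any key defined above) would help the next maintainer.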


@ -0,0 +1 @@
runtime-endpoint: unix://{{ containerd_cri_socket }}


@ -0,0 +1,6 @@
[Service]
Environment=PATH=/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
ExecStartPre=mkdir -p /run/docker/libcontainerd
ExecStartPre=ln -fs /run/containerd/containerd.sock /run/docker/libcontainerd/docker-containerd.sock
ExecStart=
ExecStart=/opt/bin/containerd --config /etc/containerd/config.toml


@ -0,0 +1,10 @@
[Service]
{% if http_proxy %}
Environment="HTTP_PROXY={{ http_proxy }}"
{% endif %}
{% if https_proxy %}
Environment="HTTPS_PROXY={{ https_proxy }}"
{% endif %}
{% if no_proxy %}
Environment="NO_PROXY={{ no_proxy }}"
{% endif %}
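Review bot: `{% if http_proxy %}` and the two sibling tests read the variables directly, but the task that renders this template in the containerd role runs whenever either `http_proxy` or `https_proxy` is defined, so with only one of them set the other test is evaluated on an undefined variable; whether that renders as false or raises depends on Ansible's undefined handling, so `{% if http_proxy | default('') %}` for all three is the safer spelling (the `no_proxy` test has no guard in the task's `when` at all). The playbooks set these names under `environment:`, not `vars:`, which does not make them defined for template evaluation — worth confirming where the template expects them to come from.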


@ -0,0 +1,3 @@
[Service]
# Do not limit the number of tasks that can be spawned by containerd
TasksMax=infinity


@ -0,0 +1,8 @@
[Service]
# Decreases the likelihood that containerd is killed due to memory
# pressure.
#
# Please see the following link for more information about the
# OOMScoreAdjust configuration property:
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#OOMScoreAdjust=
OOMScoreAdjust=-999


@ -0,0 +1,2 @@
This role is to be used for operating systems that require some operations
that require a reboot.


@ -0,0 +1 @@
../node/defaults


@ -0,0 +1,26 @@
# Copyright 2022 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
dependencies:
- role: setup
vars:
rpms: ""
debs: ""
when: ansible_os_family == "VMware Photon OS"
- role: setup
vars:
rpms: "{{ ( ( common_rpms + rh7_rpms + lookup('vars', 'common_' + build_target + '_rpms') ) if (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7') else ( common_rpms + rh8_rpms + lookup('vars', 'common_' + build_target + '_rpms') ) ) }}"
debs: "{{ common_debs + lookup('vars', 'common_' + build_target + '_debs') }}"
when: packer_builder_type is search('qemu')
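Review bot: The `rpms:` expression on the second `setup` dependency is one very long line with a nested conditional, which is hard to review for the parenthesis balance that decides which package list is picked. Writing it as a folded scalar (`rpms: >-`) with the `if`/`else` branches on separate lines, or computing the RHEL 7 versus 8 list once in a `vars:` entry and referencing it here, keeps the meaning and makes the split visible. The Photon entry passes `rpms: ""` / `debs: ""`, which presumably exists only so the `setup` dependency still runs there — a one-line comment saying so would help.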


@ -0,0 +1,19 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include_tasks: photon.yml
when: ansible_os_family == "VMware Photon OS"
- include_tasks: qemu.yml
when: packer_builder_type is search('qemu')
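Review bot: This file has no `---` document-start marker after the license header, while every other YAML file in the commit opens its document with `---` (firstboot.yml, node.yml, the role defaults); yamllint's `document-start` rule flags the omission. Adding `---` on the line after the header keeps the role consistent; the same omission occurs in the kubernetes role's ecrpull.yml and kubeadmpull.yml, which also lack the license header. `include_tasks` loads the two files at runtime, so each `when:` is evaluated once for the whole include rather than per task — presumably intended, since both files are small.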


@ -0,0 +1,24 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# no-op task just to have something for the role to do. Right now
# all the work happens in the setup role
# - meta: noop
- name: Set transparent huge pages to madvise
lineinfile:
path: /boot/photon.cfg
backrefs: yes
regexp: "^(?!.*transparent_hugepage=madvise)(photon_cmdline.*)"
line: '\1 transparent_hugepage=madvise'
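Review bot: The comment block `# no-op task just to have something for the role to do ... # - meta: noop` is stale: this file carries a real `lineinfile` task that edits the kernel command line in `/boot/photon.cfg`, so the comment describes qemu.yml rather than this file. Replace it with a comment that states what the task does, e.g. `# Append transparent_hugepage=madvise to the Photon kernel command line unless already present`. The task edits a boot configuration file without `backup:`, so a regexp that matches more than intended would be hard to undo; `backup: true` is cheap insurance on an image build.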


@ -0,0 +1,17 @@
# Copyright 2022 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# no-op task just to have something for the role to do. Right now
# all the work happens in the setup role
- meta: noop


@ -0,0 +1,41 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
kubernetes_goarch: "amd64"
kubernetes_bins:
- kubeadm
- kubectl
- kubelet
kubernetes_primary_imgs:
- kube-apiserver.tar
- kube-controller-manager.tar
- kube-scheduler.tar
- kube-proxy.tar
kubernetes_additional_imgs:
- pause.tar
- coredns.tar
- etcd.tar
kubernetes_load_additional_imgs: false
kubernetes_imgs: "{{ kubernetes_primary_imgs | union(kubernetes_additional_imgs) if kubernetes_load_additional_imgs | bool else kubernetes_primary_imgs }}"
kubernetes_cni_http_checksum: "sha1:{{ kubernetes_cni_http_source }}/{{ kubernetes_cni_semver }}/cni-plugins-{{ kubernetes_goarch }}-{{ kubernetes_cni_semver }}.tgz.sha1"
kubeadm_template: "etc/kubeadm.yml"
kubelet_extra_args: "--pod-infra-container-image={{ pause_image }}"
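Review bot: `kubernetes_cni_http_checksum` verifies the CNI tarball with a SHA-1 digest that is itself fetched at build time from `kubernetes_cni_http_source`, the same origin as the tarball, so it detects corrupted or truncated downloads but cannot detect a substituted artifact served from that origin. If the release tree publishes a `.sha256` (or `.sha512`) file, switching the prefix and suffix to that digest gives a stronger hash, and pinning the expected digest in a variable instead of downloading it would turn the check into an actual integrity control. The same build-time-fetched-checksum pattern is used for crictl in crictl-url.yml.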


@ -0,0 +1,54 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Download crictl checksum
get_url:
url: "{{ crictl_sha256 }}"
dest: /tmp/crictl.tar.gz.sha256
mode: 0600
- name: Register checksum value for crictl
slurp:
src: /tmp/crictl.tar.gz.sha256
register: csum
- name: download crictl
vars:
sha256: "{{ csum['content'] | b64decode | trim }}"
get_url:
url: "{{ crictl_url }}"
checksum: "sha256:{{ sha256 }}"
dest: /tmp/crictl.tar.gz
mode: 0600
- name: Create "{{ sysusrlocal_prefix }}/bin" directory
file:
state: directory
path: "{{ sysusrlocal_prefix }}/bin"
mode: 0755
owner: root
group: root
- name: unpack crictl
unarchive:
remote_src: True
src: /tmp/crictl.tar.gz
dest: "{{ sysusrlocal_prefix }}/bin"
extra_opts:
- --no-overwrite-dir
- name: Remove crictl tarball
file:
state: absent
path: /tmp/crictl.tar.gz
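Review bot: `/tmp/crictl.tar.gz.sha256` is downloaded and slurped but never removed; the final `Remove crictl tarball` task deletes only `/tmp/crictl.tar.gz`, so the checksum file stays in the built image. Looping that task over both paths, or adding a sibling `file: state: absent` task, keeps the build clean. The `sha256` value is fetched from `crictl_sha256` at build time rather than pinned, so the `checksum:` on the download only guards against transport corruption — a comment stating that, or a pinned digest variable, would make the guarantee explicit.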


@ -0,0 +1,36 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Add the Kubernetes repo key
apt_key:
url: "{{ kubernetes_deb_gpg_key }}"
state: present
- name: Add the Kubernetes repo
apt_repository:
repo: "deb {{ kubernetes_deb_repo }} main"
update_cache: True
state: present
mode: 0644
filename: kubernetes
- name: Install Kubernetes
apt:
name: "{{ packages }}"
vars:
packages:
- "kubelet={{ kubernetes_deb_version }}"
- "kubeadm={{ kubernetes_deb_version }}"
- "kubectl={{ kubernetes_deb_version }}"
- "kubernetes-cni={{ kubernetes_cni_deb_version }}"


@ -0,0 +1,29 @@
# TODO: This task will be deprecated once https://github.com/containerd/cri/issues/1131 is fixed
- name: Create kubeadm config file
template:
dest: /etc/kubeadm.yml
src: etc/kubeadm.yml
mode: 0600
- name: Get images list
shell: 'kubeadm config images list --config /etc/kubeadm.yml'
register: images_list
- name: Log into ECR
command: >
aws ecr get-authorization-token
--registry-ids {{ kubernetes_container_registry.split('.')[0] }}
--region {{ kubernetes_container_registry.split('.')[3] }}
--output text
--query 'authorizationData[].authorizationToken'
register: credentials
- name: Pull images
command: "crictl pull --creds {{ credentials.stdout | b64decode }} {{ item }}"
loop: "{{ images_list.stdout_lines }}"
- name: Delete kubeadm config
file:
path: /etc/kubeadm.yml
state: absent
when: ansible_os_family != "Flatcar"
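Review bot: The ECR authorization token is registered from stdout and then expanded into the `crictl pull --creds ...` command line for every image; without `no_log: true` on both the `Log into ECR` and `Pull images` tasks the decoded `user:password` value appears in Ansible's task output and in any `-v` log, and while each pull runs it is visible in the process table of the build host. Add `no_log: true` to both tasks; nothing useful beyond the image name is lost from the output. `shell: 'kubeadm config images list ...'` needs no shell features and could be `command:` (kubeadmpull.yml has the same), and this file has neither the license header nor the `---` marker the other task files carry.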


@ -0,0 +1,14 @@
- name: Create kubeadm config file
template:
dest: /etc/kubeadm.yml
src: "{{ kubeadm_template }}"
mode: 0600
- name: Kubeadm pull images
shell: 'kubeadm config images pull --config /etc/kubeadm.yml --cri-socket {{ containerd_cri_socket }}'
- name: Delete kubeadm config
file:
path: /etc/kubeadm.yml
state: absent
when: ansible_os_family != "Flatcar"


@ -0,0 +1,75 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: debian.yml
when: kubernetes_source_type == "pkg" and ansible_os_family == "Debian"
- import_tasks: redhat.yml
when: kubernetes_source_type == "pkg" and ansible_os_family == "RedHat"
- import_tasks: photon.yml
when: kubernetes_source_type == "pkg" and ansible_os_family == "VMware Photon OS"
- name: Symlink cri-tools
file:
src: "/usr/local/bin/{{ item }}"
dest: "/usr/bin/{{ item }}"
mode: 0777
state: link
force: yes
loop:
- ctr
- crictl
- critest
when: ansible_os_family != "Flatcar"
- import_tasks: url.yml
when: kubernetes_source_type == "http" and kubernetes_cni_source_type == "http"
# must include crictl-url.yml after installing containerd,
# as the cri-containerd tarball also includes crictl.
- import_tasks: crictl-url.yml
when: crictl_source_type == "http"
- name: Create kubelet default config file
template:
src: etc/sysconfig/kubelet
dest: "{{ '/etc/default/kubelet' if ansible_os_family == 'Debian' else '/etc/sysconfig/kubelet'}}"
owner: root
group: root
mode: 0644
- name: Enable kubelet service
systemd:
name: kubelet
daemon_reload: yes
enabled: True
state: stopped
- name: Create the Kubernetes version file
template:
dest: /etc/kubernetes-version
src: etc/kubernetes-version
mode: 0644
# TODO: This section will be deprecated once https://github.com/containerd/cri/issues/1131 is fixed. It is used to support ECR with containerd.
- name: Check if Kubernetes container registry is using Amazon ECR
set_fact:
ecr: '{{ kubernetes_container_registry is regex("^[0-9]{12}.dkr.ecr.[^.]+.amazonaws.com$") }}'
- import_tasks: kubeadmpull.yml
when: (kubernetes_source_type == "pkg" and ecr != true) or ansible_os_family == "Flatcar"
- import_tasks: ecrpull.yml
when: kubernetes_source_type != "http" and ecr == true
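Review bot: The ECR detection regex in `Check if Kubernetes container registry is using Amazon ECR` uses unescaped dots, `^[0-9]{12}.dkr.ecr.[^.]+.amazonaws.com$`, so each `.` matches any character and a hostname that only resembles the ECR shape is classified as ECR; `^[0-9]{12}\.dkr\.ecr\.[^.]+\.amazonaws\.com$` pins the intended separators. `Symlink cri-tools` sets `mode: 0777` on a `state: link` entry; the mode of a symlink is not applied on Linux, so the value only suggests a world-writable file to a reader and can be dropped. The `# TODO` above the ECR check explains why the fact exists but not what a caller should set `kubernetes_container_registry` to; one sentence there on the expected format would complete it.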


@ -0,0 +1,24 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Add the kubernetes repo
template:
dest: /etc/yum.repos.d/kubernetes.repo
src: etc/yum.repos.d/kubernetes.repo
mode: 0644
- name: Install Kubernetes
command: tdnf install {{ packages }} --nogpgcheck -y
vars:
packages: "kubelet-{{ kubernetes_rpm_version }} kubeadm-{{ kubernetes_rpm_version }} kubectl-{{ kubernetes_rpm_version }} kubernetes-cni-{{kubernetes_cni_rpm_version }}"
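Review bot: `tdnf install {{ packages }} --nogpgcheck -y` disables signature verification for the kubelet/kubeadm/kubectl packages on Photon unconditionally, while the repo file written just above sets `gpgcheck={{ kubernetes_rpm_gpg_check }}` and the redhat.yml task honours the same variable, so the Photon path silently bypasses the control the repo configuration appears to enforce. Making the flag conditional, e.g. `command: tdnf install {{ packages }} {{ '' if kubernetes_rpm_gpg_check | bool else '--nogpgcheck' }} -y`, keeps the two platforms consistent; if Photon's tdnf genuinely cannot verify this repository's key, a comment on the task stating why the check is off is the minimum. The `command` form also reports `changed` on every run, as with the libseccomp task in the containerd role.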


@ -0,0 +1,34 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Add the Kubernetes repo
yum_repository:
name: kubernetes
description: the kubernetes yum repo
baseurl: "{{ kubernetes_rpm_repo }}"
gpgcheck: "{{ kubernetes_rpm_gpg_check }}"
gpgkey: "{{ kubernetes_rpm_gpg_key }}"
- name: Install Kubernetes
yum:
name: "{{ packages }}"
allow_downgrade: True
state: present
lock_timeout: 60
vars:
packages:
- "kubelet-{{ kubernetes_rpm_version }}"
- "kubeadm-{{ kubernetes_rpm_version }}"
- "kubectl-{{ kubernetes_rpm_version }}"
- "kubernetes-cni-{{kubernetes_cni_rpm_version }}"


@ -0,0 +1,115 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Create CNI directory
file:
state: directory
path: /opt/cni/bin
mode: 0755
owner: root
group: root
- name: Download CNI tarball
get_url:
url: "{{ kubernetes_cni_http_source }}/{{ kubernetes_cni_semver }}/cni-plugins-linux-{{ kubernetes_goarch }}-{{ kubernetes_cni_semver }}.tgz"
checksum: "{{ kubernetes_cni_http_checksum }}"
dest: /tmp/cni.tar.gz
mode: 0755
owner: root
group: root
- name: Install CNI
unarchive:
remote_src: yes
dest: /opt/cni/bin
src: /tmp/cni.tar.gz
- name: Remove CNI tarball
file:
state: absent
path: /tmp/cni.tar.gz
- name: Download Kubernetes binaries
get_url:
url: "{{ kubernetes_http_source }}/{{ kubernetes_semver }}/bin/linux/{{ kubernetes_goarch }}/{{ item }}"
# TODO(akutz) Write a script to separately download the checksum
# and verify the associated file using the correct
# checksum file format
#checksum: "sha1:{{ kubernetes_http_source }}/bin/linux/amd64/{{ item }}.sha1"
dest: "{{ sysusr_prefix }}/bin/{{ item }}"
mode: 0755
owner: root
group: root
loop: "{{ kubernetes_bins }}"
- name: Download Kubernetes images
get_url:
url: "{{ kubernetes_http_source }}/{{ kubernetes_semver }}/bin/linux/{{ kubernetes_goarch }}/{{ item }}"
# TODO(akutz) Write a script to separately download the checksum
# and verify the associated file using the correct
# checksum file format
#checksum: "sha1:{{ kubernetes_http_source }}/bin/linux/amd64/{{ item }}.sha1"
dest: "/tmp/{{ item }}"
mode: 0600
loop: "{{ kubernetes_imgs }}"
- name: Load Kubernetes images
shell: 'CONTAINERD_NAMESPACE="k8s.io" {{ sysusr_prefix }}/bin/ctr --address={{ containerd_cri_socket }} images import /tmp/{{ item }}'
loop: "{{ kubernetes_imgs }}"
- name: Remove Kubernetes images
file:
state: absent
path: "/tmp/{{ item }}"
loop: "{{ kubernetes_imgs }}"
- name: Create Kubernetes manifests directory
file:
state: directory
path: /etc/kubernetes/manifests
mode: 0755
owner: root
group: root
- name: Create kubelet sysconfig directory
file:
state: directory
path: /etc/sysconfig
mode: 0755
owner: root
group: root
- name: Create kubelet drop-in directory
file:
state: directory
path: "{{ systemd_prefix }}/system/kubelet.service.d"
mode: 0755
owner: root
group: root
- name: Create kubelet kubeadm drop-in file
template:
src: usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
dest: "{{ systemd_prefix }}/system/kubelet.service.d/10-kubeadm.conf"
owner: root
group: root
mode: 0644
- name: Create kubelet systemd file
template:
src: usr/lib/systemd/system/kubelet.service
dest: "{{ systemd_prefix }}/system/kubelet.service"
owner: root
group: root
mode: 0644
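Review bot: `Download Kubernetes binaries` installs kubelet/kubeadm/kubectl into `{{ sysusr_prefix }}/bin` with `checksum:` commented out, so the only integrity guarantee is the TLS connection to `kubernetes_http_source`, unlike the CNI tarball and the containerd downloads which do verify a digest. `get_url` accepts a URL as the checksum value, so if the release tree publishes per-file digests the commented line can become `checksum: "sha256:{{ kubernetes_http_source }}/{{ kubernetes_semver }}/bin/linux/{{ kubernetes_goarch }}/{{ item }}.sha256"` — note the commented version also lacks the `{{ kubernetes_semver }}` path segment that the `url:` uses, so it would not resolve as written. The same applies to `Download Kubernetes images`. The CNI tarball in `/tmp` is created with `mode: 0755`; `0600`, as used for the other temporary downloads, is enough for a file that is only unpacked and deleted.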


@ -0,0 +1,11 @@
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
imageRepository: {{ kubernetes_container_registry }}
kubernetesVersion: {{ kubernetes_semver }}
dns:
imageRepository: {{ kubernetes_container_registry }}/coredns
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
nodeRegistration:
criSocket: {{ containerd_cri_socket }}
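Review bot: The templated scalars `imageRepository: {{ kubernetes_container_registry }}`, `kubernetesVersion: {{ kubernetes_semver }}` and `criSocket: {{ containerd_cri_socket }}` are unquoted, so an empty expansion parses as `null` and a value containing `: ` or ` #` changes the structure of the rendered document; quoting them (`imageRepository: "{{ kubernetes_container_registry }}"`) makes the output robust to the variable's content. A comment recording which kubeadm release range the `kubeadm.k8s.io/v1beta2` schema is valid for would help whoever bumps `kubernetes_semver` later.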


@ -0,0 +1 @@
{{ kubernetes_semver }}


@ -0,0 +1 @@
KUBELET_EXTRA_ARGS={{ kubelet_extra_args }}


@ -0,0 +1,7 @@
[kubernetes]
name=kubernetes
description=the kubernetes yum repo
baseurl={{ kubernetes_rpm_repo }}
gpgcheck={{ kubernetes_rpm_gpg_check }}
gpgkey={{ kubernetes_rpm_gpg_key }}
enabled=1


@ -0,0 +1,14 @@
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=https://kubernetes.io/docs/home/
Wants=network-online.target
After=network-online.target
[Service]
ExecStart={{ sysusr_prefix }}/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10
[Install]
WantedBy=multi-user.target


@ -0,0 +1,11 @@
# Note: This dropin only works with kubeadm and kubelet v1.11+
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/sysconfig/kubelet
ExecStart=
ExecStart={{ sysusr_prefix }}/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS


@ -0,0 +1,22 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
additional_registry_images: ""
additional_registry_images_list: ""
additional_url_images: ""
additional_url_images_list: ""
additional_executables: ""
additional_executables_list: ""
additional_executables_destination_path: ""
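Review bot: None of these defaults say what shape the values take; the task files that consume them split the `*_list` values on commas and pass the bare flags through `| bool`, which a reader cannot tell from this file. A one-line comment per group would do, e.g. `# additional_executables: set to true to download additional_executables_list (comma-separated URLs) into additional_executables_destination_path`. The registry and url groups deserve the same.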


@ -0,0 +1,22 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Download additional executables
get_url:
url: "{{ item }}"
dest: "{{ additional_executables_destination_path }}"
mode: 0711
loop: "{{ additional_executables_list.split(',') }}"
retries: 5
delay: 3
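Review bot: `get_url` fetches binaries from arbitrary URLs and marks them executable (`mode: 0711`) without any integrity check — there is no `checksum:` argument, and the comma-separated list gives no way to supply one. Consider carrying a digest with each entry (for example `url|sha256:<digest>`, split inside the loop) and passing it as `checksum: "{{ ... }}"` so a tampered or truncated download is rejected before it lands in `additional_executables_destination_path`. `dest` also defaults to `""` in the role defaults; an `assert` on a non-empty path before this task would give a clearer failure than whatever `get_url` reports.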


@ -0,0 +1,23 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: executables.yml
when: additional_executables | bool
- import_tasks: registry.yml
when: additional_registry_images | bool
- import_tasks: url.yml
when: additional_url_images | bool


@ -0,0 +1,19 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Pull additional images from registry
shell: 'CONTAINERD_NAMESPACE="k8s.io" {{ sysusr_prefix }}/bin/ctr --address={{ containerd_cri_socket }} images pull {{ item }}'
loop: "{{ additional_registry_images_list.split(',') }}"
retries: 5
delay: 3
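Review bot: The `shell` task interpolates `{{ item }}` into a shell command line, so any whitespace or shell metacharacter in a list entry is parsed by the shell instead of reaching `ctr` as one argument, and the task reports changed on every run. Using `command:` with `environment: {CONTAINERD_NAMESPACE: k8s.io}` passes the image reference as a single argument and needs no shell; the same pattern applies to the `Load additional images` task in url.yml and the `images import` task at the top of this page. Images referenced by tag rather than digest are also not pinned, so the content baked into the image can vary between builds — worth a comment if that is accepted.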


@ -0,0 +1,37 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Create temporary download dir
file:
path: /tmp/images
state: directory
- name: Download additional images from url
get_url:
url: "{{ item }}"
dest: "/tmp/images/"
mode: 0600
register: images
loop: "{{ additional_url_images_list.split(',') }}"
retries: 5
delay: 3
- name: Load additional images
shell: 'CONTAINERD_NAMESPACE="k8s.io" {{ sysusr_prefix }}/bin/ctr --address={{ containerd_cri_socket }} images import --no-unpack {{ item.dest }}'
loop: "{{ images.results }}"
- name: Remove downloaded files
file:
state: absent
path: "/tmp/images"
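Review bot: `/tmp/images` is a fixed, predictable path under a world-writable directory, created by `file:` with no `mode`/`owner`, and the downloaded archives are then imported from there as root. Creating the directory with the `tempfile` module (`state: directory`) and registering its path removes the predictability, and `mode: "0700"` on the directory would match the `0600` already used for the files. The downloads also carry no `checksum:`, same as in executables.yml.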


@ -0,0 +1,118 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
common_rpms:
- audit
- ca-certificates
- conntrack-tools
- chrony
- curl
- jq
- python3-pip
- socat
- sysstat
- yum-utils
# Used for AmazonLinux-2 distributions
al2_rpms:
- ebtables
- python-netifaces
- python-requests
# Used for RedHat based distributions == 7 (ex. RHEL-7, CentOS-7 etc.)
rh7_rpms:
- ebtables
- python-netifaces
- python-requests
# Used for RedHat based distributions == 8 (ex. RHEL-8, RockyLinux-8 etc.)
rh8_rpms:
- nftables
- python3-netifaces
- python3-requests
common_debs:
- auditd
- apt-transport-https
- conntrack
- chrony
- curl
- ebtables
- jq
- gnupg
- libnetfilter-acct1
- libnetfilter-cttimeout1
- libnetfilter-log1
- python3-distutils
- python3-netifaces
- python3-pip
- socat
common_photon_rpms:
- audit
- apparmor-parser
- conntrack-tools
- chrony
- dbus-python3
- distrib-compat
- ebtables
- net-tools
- openssl-c_rehash
- python3-pygobject
- python3-pip
- rng-tools
- socat
- tar
- unzip
- curl
photon_3_rpms:
- python-netifaces
- python-requests
- jq
# Creating photon_4_rpms for adding future packages if needed.
# Since empty list errors out, jq is added.
photon_4_rpms:
- jq
common_virt_rpms:
- open-vm-tools
common_virt_debs:
- linux-cloud-tools-virtual
- linux-tools-virtual
- open-vm-tools
common_virt_photon_rpms:
- open-vm-tools
common_raw_rpms: []
common_raw_debs:
- linux-cloud-tools-generic
- linux-tools-generic
common_raw_photon_rpms: []
#photon does not have backward compatibility for legacy distro behavior for sysctl.conf by default
#as it uses systemd-sysctl. set this var so we can use for sysctl conf file value.
sysctl_conf_file: "{{ '/etc/sysctl.d/99-sysctl.conf' if ansible_os_family == 'VMware Photon OS' else '/etc/sysctl.conf' }}"
pause_image: "registry.k8s.io/pause:3.9"
containerd_additional_settings: null
leak_local_mdns_to_dns: false
build_target: "virt"
cloud_cfg_file: "/etc/cloud/cloud.cfg"
external_binary_path: "{{ '/opt/bin' if ansible_os_family == 'Flatcar' else '/usr/local/bin' }}"


@ -0,0 +1,10 @@
-w /var/lib/containerd/ -p rwxa -k containerd
-w /etc/containerd/ -p rwxa -k containerd
-w /etc/systemd/system/containerd.service -p rwxa -k containerd
-w /etc/systemd/system/containerd.service.d/ -p rwxa -k containerd
-w /run/containerd/ -p rwxa -k containerd
-w /usr/local/bin/containerd-shim -p rwxa -k containerd
-w /usr/local/bin/containerd-shim-runc-v1 -p rwxa -k containerd
-w /usr/local/bin/containerd-shim-runc-v2 -p rwxa -k containerd
-w /usr/local/sbin/runc -p rwxa -k containerd
-w /usr/local/bin/containerd -p rwxa -k containerd
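Review bot: The watched binary paths are hard-coded to `/usr/local/bin` (and `/opt/bin` in the Flatcar variant that follows) while the playbook addresses the same binaries through `{{ sysusr_prefix }}/bin`; because these files are installed with `copy:` rather than `template:`, a build where `sysusr_prefix` points elsewhere gets `-w` rules on paths that do not exist, and auditd may reject or skip such a rule, leaving the binary unaudited with nothing surfaced at image-build time. Consider templating the prefix, or adding a comment that these paths must be kept in sync with `sysusr_prefix`. The same applies to the Flatcar rules file.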


@ -0,0 +1,10 @@
-w /var/lib/containerd/ -p rwxa -k containerd
-w /etc/containerd/ -p rwxa -k containerd
-w /etc/systemd/system/containerd.service -p rwxa -k containerd
-w /etc/systemd/system/containerd.service.d/ -p rwxa -k containerd
-w /run/containerd/ -p rwxa -k containerd
-w /opt/bin/containerd-shim -p rwxa -k containerd
-w /opt/bin/containerd-shim-runc-v1 -p rwxa -k containerd
-w /opt/bin/containerd-shim-runc-v2 -p rwxa -k containerd
-w /opt/bin/runc -p rwxa -k containerd
-w /opt/bin/containerd -p rwxa -k containerd


@ -0,0 +1,38 @@
#!/bin/bash
# Copyright 2022 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit # exits immediately on any unexpected error (does not bypass traps)
set -o nounset # will error if variables are used without first being defined
set -o pipefail # any non-zero exit code in a piped command causes the pipeline to fail with that code
trap on_exit ERR
on_exit() {
echo "Error setting etcd network tuning parameters for interface: ${DEV}" | systemd-cat -p emerg -t etcd-tuning
}
if [ "$#" -ne 1 ]; then
echo "Error: Usage: $0 <dev>" | systemd-cat -p emerg -t etcd-tuning
exit 1
fi
DEV=$1
echo "Setting etcd network tuning parameters for interface: ${DEV}" | systemd-cat -p info -t etcd-tuning
tc qdisc add dev ${DEV} root handle 1: prio bands 3
tc filter add dev ${DEV} parent 1: protocol ip prio 1 u32 match ip sport 2380 0xffff flowid 1:1
tc filter add dev ${DEV} parent 1: protocol ip prio 1 u32 match ip dport 2380 0xffff flowid 1:1
tc filter add dev ${DEV} parent 1: protocol ip prio 2 u32 match ip sport 2379 0xffff flowid 1:1
tc filter add dev ${DEV} parent 1: protocol ip prio 2 u32 match ip dport 2379 0xffff flowid 1:1
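Review bot: `DEV` comes straight from the udev `$name` argument and is passed unquoted to `tc` with no check that it names an interface; add `[ -d "/sys/class/net/${DEV}" ] || exit 1` after the assignment and quote `"${DEV}"` in each `tc` invocation. With `set -o errexit`, `tc qdisc add ... root handle 1:` also aborts the script (and fires the emerg log) whenever a root qdisc already exists, e.g. on a repeated `add` event for the same interface; `tc qdisc replace` is idempotent there.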


@ -0,0 +1,38 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
dependencies:
- role: setup
vars:
rpms: "{{ common_rpms + al2_rpms + lookup('vars', 'common_' + build_target + '_rpms') }}"
debs: "{{ common_debs }}"
when: ansible_distribution == "Amazon"
- role: setup
vars:
rpms: "{{ common_rpms }}"
debs: "{{ common_debs }}"
when: packer_builder_type == "oracle-oci" and ansible_architecture == "aarch64"
- role: setup
vars:
rpms: "{{ ( common_photon_rpms + photon_3_rpms + lookup('vars', 'common_' + build_target + '_photon_rpms') ) if (ansible_os_family == 'VMware Photon OS' and ansible_distribution_major_version == '3') else (common_photon_rpms + photon_4_rpms + lookup('vars', 'common_' + build_target + '_photon_rpms')) }}"
when: ansible_distribution == "VMware Photon OS"
- role: setup
vars:
rpms: "{{ ( ( common_rpms + rh7_rpms + lookup('vars', 'common_' + build_target + '_rpms') ) if (ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7') else ( common_rpms + rh8_rpms + lookup('vars', 'common_' + build_target + '_rpms') ) ) }}"
debs: "{{ common_debs + lookup('vars', 'common_' + build_target + '_debs') }}"
when: ansible_distribution != "VMware Photon OS" and ansible_distribution != "Amazon" and not (packer_builder_type == "oracle-oci" and ansible_architecture == "aarch64") and
not packer_builder_type is search('qemu')
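Review bot: The Photon dependency sets only `rpms` while every other entry also passes `debs`; if the `setup` role reads `debs` unconditionally that entry fails on an undefined variable, so either pass `debs: []` there or confirm the role defaults it. The two `lookup('vars', ...)` expressions on the Photon and RedHat entries run well past 120 columns; a folded `>-` block scalar would keep them readable without changing the value.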


@ -0,0 +1,28 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Ensure sysstat is running and comes on at reboot
service:
name: sysstat
state: started
enabled: yes
# images need to be immutable once built
# https://aws.amazon.com/amazon-linux-ami/faqs/
- name: Disable security updates on boot
lineinfile:
path: "{{ cloud_cfg_file }}"
regexp: "^repo_upgrade: security"
line: 'repo_upgrade: none'
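Review bot: `enabled: yes` relies on YAML 1.1 truthiness; write `enabled: true` so the value is a boolean under every parser and passes yamllint's `truthy` rule. The same spelling appears in the `auditd` service task of the node role's main.yml and in both ssm-agent service tasks in aws.yml.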


@ -0,0 +1,133 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: photon.yml
when: ansible_os_family == "VMware Photon OS"
- import_tasks: amazonLinux2.yml
when: ansible_distribution == "Amazon"
# This is required until https://github.com/ansible/ansible/issues/77537 is fixed and used.
- name: Override Flatcar's OS family
set_fact:
ansible_os_family: Flatcar
when: ansible_os_family == "Flatcar Container Linux by Kinvolk"
tags:
- facts
- name: Ensure overlay module is present
modprobe:
name: overlay
state: present
- name: Ensure br_netfilter module is present
modprobe:
name: br_netfilter
state: present
- name: Persist required kernel modules
copy:
content: |
overlay
br_netfilter
dest: /etc/modules-load.d/kubernetes.conf
mode: 0644
- name: Set and persist kernel params
sysctl:
name: "{{ item.param }}"
value: "{{ item.val }}"
state: present
sysctl_set: yes
sysctl_file: "{{ sysctl_conf_file }}"
reload: yes
loop:
- { param: net.bridge.bridge-nf-call-iptables, val: 1 }
- { param: net.bridge.bridge-nf-call-ip6tables, val: 1 }
- { param: net.ipv4.ip_forward, val: 1 }
- { param: net.ipv6.conf.all.forwarding, val: 1 }
- { param: net.ipv6.conf.all.disable_ipv6, val: 0 }
- { param: net.ipv4.tcp_congestion_control, val: bbr }
- { param: vm.overcommit_memory, val: 1 }
- { param: kernel.panic, val: 10 }
- { param: kernel.panic_on_oops, val: 1 }
- name: Disable swap memory
shell: |
swapoff -a
when: ansible_memory_mb.swap.total != 0
- name: Edit fstab file to disable swap
shell: sed -ri '/\sswap\s/s/^#?/#/' /etc/fstab
when: ansible_memory_mb.swap.total != 0
- name: Disable conntrackd service
systemd:
name: conntrackd
state: stopped
enabled: false
when: ansible_os_family != "Debian" and ansible_os_family != "Flatcar"
- name: Ensure auditd is running and comes on at reboot
service:
name: auditd
state: started
enabled: yes
- name: configure auditd rules for containerd
copy:
src: etc/audit/rules.d/containerd.rules
dest: /etc/audit/rules.d/containerd.rules
owner: root
group: root
mode: 0644
when: ansible_os_family != "Flatcar"
- name: configure auditd rules for containerd (Flatcar)
copy:
src: etc/audit/rules.d/containerd.rules-flatcar
dest: /etc/audit/rules.d/containerd.rules
owner: root
group: root
mode: 0644
when: ansible_os_family == "Flatcar"
- name: Ensure reverse packet filtering is set as strict
sysctl:
name: net.ipv4.conf.all.rp_filter
value: "1"
state: present
sysctl_set: yes
reload: yes
when: ansible_distribution == "Ubuntu"
- name: Set transparent huge pages to madvise
lineinfile:
path: /etc/default/grub
backrefs: yes
regexp: "^(?!.*transparent_hugepage=madvise)(GRUB_CMDLINE_LINUX=.*)(\"$)"
line: '\1 transparent_hugepage=madvise"'
when: ansible_os_family == "RedHat"
- name: Copy udev etcd network tuning rules
template:
src: etc/udev/rules.d/90-etcd-tuning.rules
dest: /etc/udev/rules.d/90-etcd-tuning.rules
mode: 0744
- name: Copy etcd network tuning script
copy:
src: usr/local/bin/etcd-network-tuning.sh
dest: "{{ external_binary_path }}/etcd-network-tuning.sh"
mode: 0755
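Review bot: The udev rules file is installed with `mode: 0744`, giving a plain configuration file an execute bit; `mode: 0644` matches the other rules-file tasks above and is all udev needs. The `Disable swap memory` and `Edit fstab file to disable swap` `shell` tasks have no `changed_when`, so they report a change on every run their `when` lets through; `changed_when: false` on the `sed`, or a `register`/`changed_when` pair on `swapoff`, would make the run output honest. `sysctl_set: yes` / `reload: yes` would also read better as `true`.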


@ -0,0 +1,53 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Leak mDNS to DNS (cloud-init-nics) (enable .local domain lookups)
ini_file:
path: /etc/systemd/network/10-cloud-init-nics.network
section: Network
option: Domains
value: "~local"
when: leak_local_mdns_to_dns
- name: Leak mDNS to DNS (dhcp) (enable .local domain lookups)
ini_file:
path: /etc/systemd/network/99-dhcp-en.network
section: Network
option: Domains
value: "~local"
when: leak_local_mdns_to_dns
- name: Double TCP small queue limit to be the same as Ubuntu
sysctl:
name: net.ipv4.tcp_limit_output_bytes
value: "524288"
state: present
sysctl_set: yes
reload: yes
sysctl_file: "{{ sysctl_conf_file }}"
- name: Disable Apparmor service
systemd:
name: apparmor
daemon_reload: yes
enabled: false
state: stopped
- name: Disable Apparmor in kernel
lineinfile:
path: /boot/photon.cfg
backrefs: yes
regexp: "^(?!.*apparmor=0)(photon_cmdline.*)"
line: '\1 apparmor=0'
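Review bot: The two tasks that stop AppArmor and add `apparmor=0` to the kernel command line remove a mandatory-access-control layer from the image, and nothing in the file records why. A short comment above `Disable Apparmor service` stating the constraint being worked around (with a link if one exists) would let a later reviewer decide whether the exception can be lifted. The `lineinfile` regexp correctly skips lines that already contain `apparmor=0`; a one-line comment saying so would save the next reader from re-deriving the negative lookahead.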


@ -0,0 +1,15 @@
# Copyright 2022 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
ACTION=="add", SUBSYSTEM=="net", SUBSYSTEMS=="pci|xen|vmbus" RUN+="{{ external_binary_path }}/etcd-network-tuning.sh $name"
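Review bot: The `SUBSYSTEMS=="pci|xen|vmbus"` match and the `RUN+=` assignment are not separated by a comma; udev rule syntax is a comma-separated list of key expressions, and whether a missing comma is tolerated depends on the systemd version, so write `SUBSYSTEMS=="pci|xen|vmbus", RUN+="..."`. The `$name` argument is handed to the tuning script unvalidated, so the script it invokes should verify that the argument names an existing interface before passing it to `tc`.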


@ -0,0 +1,17 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
networkd_dispatcher_download_url: "https://gitlab.com/craftyguy/networkd-dispatcher/-/archive/2.1/networkd-dispatcher-2.1.tar.bz2"
packer_builder_type: ""
build_target: "virt"


@ -0,0 +1,8 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -m comment --comment "block traffic to 168.63.129.16 for cve-2021-27075" -j DROP
-A OUTPUT -d 168.63.129.16/32 -p tcp -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -d 168.63.129.16/32 -p tcp -m conntrack --ctstate INVALID,NEW -j DROP
COMMIT
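Review bot: Only the FORWARD rule carries a `--comment`; the two OUTPUT rules, which let root (`--uid-owner 0`) open connections to 168.63.129.16 and drop NEW/INVALID ones from every other user, have no explanation in the file. Add a comment match to each, e.g. `-m comment --comment "only root may open connections to the wireserver, cve-2021-27075"`, so the intent survives a later rule edit. The OUTPUT rules cover all TCP ports while the FORWARD drop is limited to port 80 — a comment should say whether that asymmetry is intended.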


@ -0,0 +1,67 @@
## This yaml formated config file handles setting
## logger information. The values that are necessary to be set
## are seen at the bottom. The top '_log' are only used to remove
## redundency in a syslog and fallback-to-file case.
##
## The 'log_cfgs' entry defines a list of logger configs
## Each entry in the list is tried, and the first one that
## works is used. If a log_cfg list entry is an array, it will
## be joined with '\n'.
_log:
- &log_base |
[loggers]
keys=root,cloudinit
[handlers]
keys=consoleHandler,cloudLogHandler
[formatters]
keys=simpleFormatter,arg0Formatter
[logger_root]
level=DEBUG
formatter=arg0Formatter
handlers=consoleHandler,cloudLogHandler
[logger_cloudinit]
level=DEBUG
qualname=cloudinit
handlers=
propagate=1
[handler_consoleHandler]
class=StreamHandler
level=WARNING
formatter=arg0Formatter
args=(sys.stderr,)
[formatter_arg0Formatter]
format=%(asctime)s - %(filename)s[%(levelname)s]: %(message)s
[formatter_simpleFormatter]
format=[CLOUDINIT]%(asctime)s - %(filename)s[%(levelname)s]: %(message)s
- &log_file |
[handler_cloudLogHandler]
class=FileHandler
level=DEBUG
formatter=arg0Formatter
args=('/var/log/cloud-init.log',)
- &log_syslog |
[handler_cloudLogHandler]
class=handlers.SysLogHandler
level=DEBUG
formatter=simpleFormatter
args=("/dev/log", handlers.SysLogHandler.LOG_USER)
log_cfgs:
# These will be joined into a string that defines the configuration
- [ *log_base, *log_syslog ]
# These will be joined into a string that defines the configuration
- [ *log_base, *log_file ]
# A file path can also be used
# - /etc/log.conf
# this tells cloud-init to redirect its stdout and stderr to
# 'tee -a /var/log/cloud-init-output.log' so the user can see output
# there without needing to look on the console.
output: {all: '| python3 -c ''import sys,time;sys.stdout.write("".join(( " ".join((time.strftime("[%Y-%m-%d %H:%M:%S]", time.localtime()), line)) for line in sys.stdin )))'' | tee -a /var/log/cloud-init-output.log'}
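Review bot: The header comment has two typos (`formated`, `redundency`), and the `output:` mapping is written in flow style on one very long line with nested quoting. A block mapping with a single-quoted scalar, `output:` followed by `  all: '| python3 -c ...'`, reads the same to cloud-init and is easier to diff; the inner `''` escapes stay as they are.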


@ -0,0 +1,2 @@
disable-ec2-metadata: false
datasource_list: [ Outscale ]


@ -0,0 +1,26 @@
#!/bin/bash
# This is a networkd-dispatcher script for chronyd to handle its NTP
# sources. It sets the NTP sources online or offline when a network
# interface is configured or removed. On DHCP change, chrony will
# update its NTP sources passed from DHCP options.
export LC_ALL=C
DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE
clear_servers_from_dhcp() {
if [ -f "$DHCP_SERVER_FILE" ]; then
rm -f "$DHCP_SERVER_FILE"
{{ chrony_helper_dir }}/chrony-helper update-daemon || :
fi
}
if [ "$STATE" = "no-carrier" ]; then
clear_servers_from_dhcp
# The onoffline command tells chronyd to switch all sources to
# the online (routable) or offline (off) status according to the current network configuration.
chronyc onoffline > /dev/null 2>&1
fi
exit 0


@ -0,0 +1,26 @@
#!/bin/bash
# This is a networkd-dispatcher script for chronyd to handle its NTP
# sources. It sets the NTP sources online or offline when a network
# interface is configured or removed. On DHCP change, chrony will
# update its NTP sources passed from DHCP options.
export LC_ALL=C
DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE
clear_servers_from_dhcp() {
if [ -f "$DHCP_SERVER_FILE" ]; then
rm -f "$DHCP_SERVER_FILE"
{{ chrony_helper_dir }}/chrony-helper update-daemon || :
fi
}
if [ "$STATE" = "off" ]; then
clear_servers_from_dhcp
# The onoffline command tells chronyd to switch all sources to
# the online (routable) or offline (off) status according to the current network configuration.
chronyc onoffline > /dev/null 2>&1
fi
exit 0


@ -0,0 +1,27 @@
#!/bin/bash
# This is a networkd-dispatcher script for chronyd to handle its NTP
# sources. It sets the NTP sources online or offline when a network
# interface is configured or removed. On DHCP change, chrony will
# update its NTP sources passed from DHCP options.
export LC_ALL=C
DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE
add_servers_from_dhcp() {
if [ -f "$DHCP_SERVER_FILE" ]; then
rm -f "$DHCP_SERVER_FILE"
fi
echo "$json" | jq -r 'select(.NTP !=null) .NTP[]' >> $DHCP_SERVER_FILE
{{ chrony_helper_dir }}/chrony-helper update-daemon || :
}
if [ "$STATE" = "routable" ]; then
add_servers_from_dhcp
# The onoffline command tells chronyd to switch all sources to
# the online (routable) or offline (off) status according to the current network configuration.
chronyc onoffline > /dev/null 2>&1
fi
exit 0
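Review bot: `add_servers_from_dhcp` appends to `$DHCP_SERVER_FILE` unquoted and reads `$json`, which is never set in this script; presumably networkd-dispatcher exports it, so a comment naming that contract would help, and the redirect should be quoted as `>> "$DHCP_SERVER_FILE"` as it is in the `rm -f` above. Since the file was just removed, `>` rather than `>>` states the intent more clearly. Unlike the other two dispatcher scripts, this one writes data derived from DHCP-supplied NTP options, so a `[ -n "${json:-}" ]` guard before the `jq` call would avoid creating an empty servers file when the variable is missing.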


@ -0,0 +1,3 @@
[Unit]
After=containerd.service
Wants=containerd.service


@ -0,0 +1,3 @@
[Unit]
After=containerd.service
Wants=containerd.service


@ -0,0 +1,12 @@
[Unit]
Description=Modify cloud-init config
After=cloud-final.service
AssertFileIsExecutable=/usr/local/bin/modify-cloud-init-cfg.sh
[Install]
WantedBy=cloud-init.target
[Service]
Type=simple
ExecStart=/usr/local/bin/modify-cloud-init-cfg.sh
SuccessExitStatus=0
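Review bot: `Type=simple` with `SuccessExitStatus=0` describes a run-once script as a long-running daemon; `Type=oneshot` is the unit type for a script that edits a file and exits, and `SuccessExitStatus=0` is the default and can be dropped. The hard-coded `/usr/local/bin/modify-cloud-init-cfg.sh` in both `AssertFileIsExecutable=` and `ExecStart=` does not follow `external_binary_path` the way other files in this commit do, so on a build where that path differs the unit asserts on a file that may not exist — worth confirming.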


@ -0,0 +1,3 @@
[guestinfo]
exclude-nics=antrea-*,cali*,cilium*,lxc*,ovs-system,br*,flannel*,veth*,vxlan_sys_*,genev_sys_*,gre_sys_*,stt_sys_*,????????-??????


@ -0,0 +1 @@
ERROR_ON_USER_DATA_FAILURE = False


@ -0,0 +1,251 @@
#!/bin/bash
# This script configures running chronyd to use NTP servers obtained from
# DHCP and _ntp._udp DNS SRV records. Files with servers from DHCP are managed
# externally (e.g. by a dhclient script). Files with servers from DNS SRV
# records are updated here using the dig utility. The script can also list
# and set static sources in the chronyd configuration file.
chronyc=/usr/bin/chronyc
chrony_conf=/etc/chrony.conf
chrony_service=chronyd.service
helper_dir=/var/run/chrony-helper
added_servers_file=$helper_dir/added_servers
network_sysconfig_file=/etc/sysconfig/network
dhclient_servers_files=/var/lib/dhclient/chrony.servers.*
dnssrv_servers_files=$helper_dir/dnssrv@*
dnssrv_timer_prefix=chrony-dnssrv@
chrony_command() {
$chronyc -a -n -m "$1"
}
is_running() {
chrony_command "tracking" &> /dev/null
}
is_update_needed() {
for file in $dhclient_servers_files $dnssrv_servers_files \
$added_servers_file; do
[ -e "$file" ] && return 0
done
return 1
}
update_daemon() {
local all_servers_with_args all_servers added_servers
if ! is_running; then
rm -f $added_servers_file
return 0
fi
all_servers_with_args=$(
cat $dhclient_servers_files $dnssrv_servers_files 2> /dev/null)
all_servers=$(
echo "$all_servers_with_args" |
while read server serverargs; do
echo "$server"
done | sort -u)
added_servers=$( (
cat $added_servers_file 2> /dev/null
echo "$all_servers_with_args" |
while read server serverargs; do
[ -z "$server" ] && continue
chrony_command "add server $server $serverargs" &> /dev/null &&
echo "$server"
done) | sort -u)
comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") |
while read server; do
chrony_command "delete $server" &> /dev/null
done
added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers"))
[ -n "$added_servers" ] && echo "$added_servers" > $added_servers_file ||
rm -f $added_servers_file
}
get_dnssrv_servers() {
local name=$1
if ! command -v dig &> /dev/null; then
echo "Missing dig (DNS lookup utility)" >&2
return 1
fi
(
. $network_sysconfig_file &> /dev/null
output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null)
[ $? -ne 0 ] && return 0
echo "$output" | while read prio weight port target; do
server=${target%.}
[ -z "$server" ] && continue
echo "$server port $port ${NTPSERVERARGS:-iburst}"
done
)
}
check_dnssrv_name() {
local name=$1
if [ -z "$name" ]; then
echo "No DNS SRV name specified" >&2
return 1
fi
if [ "${name:0:9}" != _ntp._udp ]; then
echo "DNS SRV name $name doesn't start with _ntp._udp" >&2
return 1
fi
}
update_dnssrv_servers() {
local name=$1
local srv_file=$helper_dir/dnssrv@$name servers
check_dnssrv_name "$name" || return 1
servers=$(get_dnssrv_servers "$name")
[ -n "$servers" ] && echo "$servers" > "$srv_file" || rm -f "$srv_file"
}
set_dnssrv_timer() {
local state=$1 name=$2
local srv_file=$helper_dir/dnssrv@$name servers
local timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer
check_dnssrv_name "$name" || return 1
if [ "$state" = enable ]; then
systemctl enable "$timer"
systemctl start "$timer"
elif [ "$state" = disable ]; then
systemctl stop "$timer"
systemctl disable "$timer"
rm -f "$srv_file"
fi
}
list_dnssrv_timers() {
systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \
sed "s|^$dnssrv_timer_prefix\(.*\)\.timer.*|\1|" |
while read -r name; do
systemd-escape --unescape "$name"
done
}
prepare_helper_dir() {
mkdir -p $helper_dir
exec 100> $helper_dir/lock
if ! flock -w 20 100; then
echo "Failed to lock $helper_dir" >&2
return 1
fi
}
is_source_line() {
local pattern="^[ \t]*(server|pool|peer|refclock)[ \t]+[^ \t]+"
[[ "$1" =~ $pattern ]]
}
list_static_sources() {
while read line; do
is_source_line "$line" && echo "$line" || :
done < $chrony_conf
}
set_static_sources() {
local new_config tmp_conf
new_config=$(
sources=$(
while read line; do
is_source_line "$line" && echo "$line"
done)
while read line; do
if ! is_source_line "$line"; then
echo "$line"
continue
fi
tmp_sources=$(
local removed=0
echo "$sources" | while read line2; do
[ "$removed" -ne 0 -o "$line" != "$line2" ] && \
echo "$line2" || removed=1
done)
[ "$sources" == "$tmp_sources" ] && continue
sources=$tmp_sources
echo "$line"
done < $chrony_conf
echo "$sources"
)
tmp_conf=${chrony_conf}.tmp
cp -a $chrony_conf $tmp_conf &&
echo "$new_config" > $tmp_conf &&
mv $tmp_conf $chrony_conf || return 1
systemctl try-restart $chrony_service
}
print_help() {
echo "Usage: $0 COMMAND"
echo
echo "Commands:"
echo " update-daemon"
echo " update-dnssrv-servers NAME"
echo " enable-dnssrv NAME"
echo " disable-dnssrv NAME"
echo " list-dnssrv"
echo " list-static-sources"
echo " set-static-sources < sources.list"
echo " is-running"
echo " command CHRONYC-COMMAND"
}
case "$1" in
update-daemon|add-dhclient-servers|remove-dhclient-servers)
is_update_needed || exit 0
prepare_helper_dir && update_daemon
;;
update-dnssrv-servers)
prepare_helper_dir && update_dnssrv_servers "$2" && update_daemon
;;
enable-dnssrv)
set_dnssrv_timer enable "$2"
;;
disable-dnssrv)
set_dnssrv_timer disable "$2" && prepare_helper_dir && update_daemon
;;
list-dnssrv)
list_dnssrv_timers
;;
list-static-sources)
list_static_sources
;;
set-static-sources)
set_static_sources
;;
is-running)
is_running
;;
command|forced-command)
chrony_command "$2"
;;
*)
print_help
exit 2
esac
exit $?
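Review bot: This script appears to be a copy of chrony's `chrony-helper`, but nothing in the header says so or records the version it was taken from, which makes it hard to pick up upstream fixes; a comment such as `# Copied from chrony-helper (upstream version: <version placeholder>); local changes: none` after the shebang would fix that. `dhclient_servers_files` is fixed at `/var/lib/dhclient/chrony.servers.*`, while the networkd-dispatcher scripts in this commit write to `{{ server_dir }}/chrony.servers.$IFACE`; if `server_dir` is not `/var/lib/dhclient`, `update_daemon` never sees those files — a comment tying the two together, or templating this path, would close that gap.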


@ -0,0 +1,3 @@
#!/bin/bash
sed -i 's/preserve_hostname'":"' false/preserve_hostname'":"' true/' /etc/cloud/cloud.cfg
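Review bot: The `sed` expression builds `preserve_hostname: false` out of three concatenated quoted fragments, which obscures a plain string, and the pattern is not anchored to the start of the line. `sed -i 's/^preserve_hostname: false$/preserve_hostname: true/' /etc/cloud/cloud.cfg` expresses the same edit; if the key is absent nothing is inserted and the unit still reports success, so a comment stating that assumption, or a `grep -q` check that fails loudly, would be worth adding along with `set -euo pipefail`.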


@ -0,0 +1,74 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: upgrade pip to latest
pip:
name: pip
executable: pip3
state: latest
- name: install aws clients
pip:
name: "{{ packages }}"
executable: pip3
vars:
packages:
- awscli
when: ansible_distribution != "Amazon"
# Remove after https://github.com/aws/amazon-ssm-agent/issues/235 is fixed.
- name: install aws agents RPM on Redhat distributions
package:
name: "{{ item }}"
state: present
disable_gpg_check: true
with_items:
- "{{ amazon_ssm_agent_rpm }}"
when:
- ansible_os_family == "RedHat"
- ansible_distribution != "Amazon"
- name: install aws agents RPM
package:
name: "{{ item }}"
state: present
with_items:
- amazon-ssm-agent
- awscli
when: ansible_distribution == "Amazon"
- name: Ensure ssm agent is running RPM
service:
name: amazon-ssm-agent
state: started
enabled: yes
when: ansible_os_family == "RedHat"
- name: install aws agents Ubuntu
shell: snap install amazon-ssm-agent --classic
when: ansible_distribution == "Ubuntu"
- name: Ensure ssm agent is running Ubuntu
service:
name: snap.amazon-ssm-agent.amazon-ssm-agent.service
state: started
enabled: yes
when: ansible_distribution == "Ubuntu"
- name: Disable Hyper-V KVP protocol daemon on Ubuntu
systemd:
name: hv-kvp-daemon
state: stopped
enabled: false
when: ansible_os_family == "Debian"
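Review bot: `disable_gpg_check: true` on the `install aws agents RPM on Redhat distributions` task installs whatever `amazon_ssm_agent_rpm` points at without signature verification, so a replaced or tampered RPM at that URL is baked straight into the image. The linked agent issue explains why the repo route is avoided, but the integrity check should move rather than vanish: fetch the RPM with `get_url` and a pinned `checksum: "sha256:<expected-sha256>"` (placeholder) and install the local file, or import Amazon's signing key with `rpm_key` and drop `disable_gpg_check`. The `shell: snap install amazon-ssm-agent --classic` task uses no shell features and reports changed on every run; `command:` or the `community.general.snap` module with `classic: true` would be idempotent.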


@ -0,0 +1,67 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: redhat.yml
when: ansible_os_family == "RedHat"
- import_tasks: debian.yml
when: ansible_os_family == "Debian"
- name: Configure PTP
lineinfile:
path: /etc/chrony/chrony.conf
create: yes
line: refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
- name: Ensure makestep parameter set as per Azure recommendation
lineinfile:
path: /etc/chrony/chrony.conf
regexp: '^makestep'
line: makestep 1.0 -1
- name: Install iptables persistence
apt:
name: "{{ packages }}"
state: present
force_apt_get: yes
vars:
packages:
- iptables-persistent
when: ansible_os_family == "Debian"
- name: Block traffic to 168.63.129.16 port 80 for cve-2021-27075
copy:
src: files/etc/azure/iptables
dest: /etc/iptables/rules.v4
owner: root
group: root
mode: 0644
when: ansible_os_family == "Debian"
- name: Load iptable rules from file
community.general.iptables_state:
state: restored
path: /etc/iptables/rules.v4
when: ansible_os_family == "Debian"
- name: Install netbase and nfs-common
apt:
name: "{{ packages }}"
state: present
force_apt_get: yes
vars:
packages:
- netbase
- nfs-common
when: ansible_os_family == "Debian"
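Review bot: The `Configure PTP` task has no `when`, yet its path `/etc/chrony/chrony.conf` is the Debian layout; with `create: yes` it writes a fresh, unread `/etc/chrony/chrony.conf` on RedHat hosts (whose chrony config is `/etc/chrony.conf`) instead of adding the refclock where chronyd looks, and the `makestep` task silently matches nothing there for the same reason. Guard both with `when: ansible_os_family == "Debian"` or make the path a per-family variable. Separately, `Block traffic to 168.63.129.16 port 80 for cve-2021-27075` replaces `/etc/iptables/rules.v4` wholesale, which deserves a comment such as `# Overwrites rules.v4 entirely; any baseline iptables rules must live in files/etc/azure/iptables`.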


@ -0,0 +1,39 @@
# Copyright 2022 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Add CloudStack Datasource
copy:
dest: /etc/cloud/cloud.cfg.d/cloudstack.cfg
content: |-
datasource_list: ['CloudStack']
datasource:
CloudStack:
max_wait: 120
timeout: 50
owner: root
group: root
mode: 0644
- name: Run dracut cmd to regenerate initramfs with all drivers - needed when converting to different hypervisor templates
shell: dracut --force --no-hostonly
when: ansible_os_family == "RedHat"
- name: Add draut cmd to regenerate initramfs with only necessary drivers on first boot
lineinfile:
state: present
path: /etc/cloud/cloud.cfg.d/cloudstack.cfg
line: |-
bootcmd:
- dracut --force
when: ansible_os_family == "RedHat"
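Review bot: The last task hands `lineinfile` a two-line `line:` (`bootcmd:` plus `  - dracut --force`), but the module compares one existing line at a time, so the multi-line value never matches and is appended again on every run, leaving duplicate `bootcmd:` keys in `cloudstack.cfg`. Either fold the `bootcmd` stanza into the `content:` of the `Add CloudStack Datasource` copy (with a RedHat-conditional variant) or use `blockinfile` with a marker so re-runs are idempotent. The task name also has a typo: `draut` → `dracut`.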


@ -0,0 +1,34 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: upgrade pip to latest
pip:
name: pip
executable: pip3
state: latest
- name: upgrade pyOpenSSL and cryptography
pip:
name:
- pyOpenSSL==22.0.*
- cryptography==38.0.*
executable: pip3
- name: install Azure clients
pip:
executable: pip3
name: "{{ packages }}"
vars:
packages:
- azure-cli
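Review bot: `install Azure clients` installs an unpinned `azure-cli` while `upgrade pip to latest` floats pip, so two builds of the same commit can ship different CLI versions even though `pyOpenSSL`/`cryptography` are deliberately pinned two tasks earlier. Expose the version as a role variable so builds are reproducible and reviewable, e.g. `- "azure-cli=={{ azure_cli_version }}"` (new variable, default set alongside the other pins).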


@ -0,0 +1,47 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Download gcloud SDK
get_url:
url: https://sdk.cloud.google.com/
dest: /tmp/install-gcloud.sh
mode: 0700
- name: Execute install-gcloud.sh
shell: bash -o errexit -o pipefail /tmp/install-gcloud.sh --disable-prompts --install-dir=/
- name: Remove install-gcloud.sh
file:
path: /tmp/install-gcloud.sh
state: absent
- name: Find all files in /google-cloud-sdk/bin/
find:
paths: /google-cloud-sdk/bin/
register: find
- name: Create symlinks to /bin
become: True
file:
src: "{{ item.path }}"
path: "/bin/{{ item.path | basename }}"
state: link
with_items: "{{ find.files }}"
- name: Disable Hyper-V KVP protocol daemon on Ubuntu
systemd:
name: hv-kvp-daemon
state: stopped
enabled: false
when: ansible_os_family == "Debian"
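Review bot: `Download gcloud SDK` fetches `https://sdk.cloud.google.com/` with no `checksum:` and `Execute install-gcloud.sh` then runs it as root with `--install-dir=/`, so the image trusts whatever that URL serves at build time; TLS protects the transport, not the artefact. `get_url` accepts `checksum: "sha256:<expected-sha256>"` (placeholder), and pinning a versioned SDK tarball with its published checksum instead of the bootstrap script would make the build both verifiable and reproducible. The same unverified download-then-execute pattern appears later in `Download cloud-init datasource for VMware Guestinfo` / `Execute cloud-init-vmware.sh` and in the Photon `unarchive` of `networkd_dispatcher_download_url` with `remote_src: yes`.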


@ -0,0 +1,120 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- include_tasks: aws.yml
when: packer_builder_type.startswith('amazon')
- include_tasks: azure.yml
when: packer_builder_type.startswith('azure')
- include_tasks: outscale.yml
when: packer_builder_type.startswith('outscale')
- include_tasks: vmware.yml
when: packer_builder_type is search('vmware') or
packer_builder_type is search('vsphere')
- include_tasks: googlecompute.yml
when: packer_builder_type.startswith('googlecompute')
- include_tasks: oci.yml
when: packer_builder_type.startswith('oracle-oci')
- include_tasks: qemu.yml
when: packer_builder_type is search('qemu') and
build_target is not search('raw')
- include_tasks: cloudstack.yml
when: packer_builder_type is search('qemu') and
provider is defined and
provider is search('cloudstack')
- include_tasks: raw.yml
when: packer_builder_type is search('qemu') and
build_target is search('raw')
- include_tasks: nutanix.yml
when: packer_builder_type is search('nutanix')
# Create a boot order configuration
# b/w containerd and cloud final, cloud config services
- name: Creates unit file directory for cloud-final
file:
path: /etc/systemd/system/cloud-final.service.d
state: directory
- name: Create cloud-final boot order drop in file
copy:
dest: /etc/systemd/system/cloud-final.service.d/boot-order.conf
src: etc/systemd/system/cloud-final.service.d/boot-order.conf
owner: root
group: root
mode: "0755"
- name: Creates unit file directory for cloud-config
file:
path: /etc/systemd/system/cloud-config.service.d
state: directory
- name: Create cloud-final boot order drop in file
copy:
dest: /etc/systemd/system/cloud-config.service.d/boot-order.conf
src: etc/systemd/system/cloud-config.service.d/boot-order.conf
owner: root
group: root
mode: "0755"
# Some OS might disable cloud-final service on boot (rhel 7).
# Enable all cloud-init services on boot.
- name: Make sure all cloud init services are enabled
service:
name: "{{ item }}"
enabled: yes
with_items:
- cloud-final
- cloud-config
- cloud-init
- cloud-init-local
when: ansible_os_family != "Flatcar"
- name: Create cloud-init config file
copy:
src: files/etc/cloud/cloud.cfg.d/05_logging.cfg
dest: /etc/cloud/cloud.cfg.d/05_logging.cfg
owner: root
group: root
mode: 0644
when: ansible_os_family != "Flatcar"
- name: set cloudinit feature flags
copy:
src: usr/lib/python3/dist-packages/cloudinit/feature_overrides.py
dest: /usr/lib/python3/dist-packages/cloudinit/feature_overrides.py
owner: root
group: root
mode: 0644
when: ansible_os_family == "Debian"
- name: Ensure chrony is running
systemd:
enabled: yes
state: started
daemon_reload: yes
name: chronyd
when: (packer_builder_type.startswith('amazon') or
packer_builder_type.startswith('azure') or
packer_builder_type is search('vmware') or
packer_builder_type is search('vsphere')) and
ansible_os_family != "Flatcar"
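Review bot: Both `boot-order.conf` copies use `mode: "0755"`, giving a systemd drop-in configuration file the executable bit; `"0644"` is what every other config copy in this hunk uses and all a drop-in needs. The fourth task is also still titled `Create cloud-final boot order drop in file` although it writes the cloud-config drop-in, so the name appears twice in logs; rename it `Create cloud-config boot order drop in file`.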


@ -0,0 +1,76 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Install cloud-init packages
apt:
name: "{{ packages }}"
state: present
force_apt_get: yes
vars:
packages:
- cloud-init
- cloud-guest-utils
- cloud-initramfs-copymods
- cloud-initramfs-dyn-netconf
when: ansible_os_family == "Debian"
- name: Install cloud-init packages
yum:
name: "{{ packages }}"
state: present
vars:
packages:
- cloud-init
- cloud-utils-growpart
when: ansible_os_family == "RedHat"
- name: Install CSI prerequisites on Ubuntu
apt:
name: "{{ packages }}"
state: present
force_apt_get: yes
vars:
packages:
- nfs-common
- open-iscsi
- lvm2
- xfsprogs
when: ansible_os_family == "Debian"
- name: Install CSI prerequisites on RedHat
yum:
name: "{{ packages }}"
state: present
vars:
packages:
- iscsi-initiator-utils
- nfs-utils
- lvm2
- xfsprogs
when: ansible_os_family == "RedHat"
- name: Enable iSCSI initiator daemon on Ubuntu or RedHat
systemd:
name: iscsid
state: started
enabled: true
when: ansible_os_family == "Debian" or
ansible_os_family == "RedHat"
- name: Disable Hyper-V KVP protocol daemon on Ubuntu
systemd:
name: hv-kvp-daemon
state: stopped
enabled: false
when: ansible_os_family == "Debian"


@ -0,0 +1,34 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Remove the default input reject all iptable rule
lineinfile:
path: /etc/iptables/rules.v4
state: absent
regexp: "-A INPUT -j REJECT --reject-with icmp-host-prohibited"
when: ansible_distribution == "Ubuntu"
- name: Remove the default input reject all iptable rule
lineinfile:
path: /etc/iptables/rules.v4
state: absent
regexp: "-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
when: ansible_distribution == "Ubuntu"
- name: Disable firewalld service
systemd:
name: firewalld
state: stopped
enabled: false
when: ansible_distribution == "OracleLinux"
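Review bot: The two `lineinfile` tasks share the name `Remove the default input reject all iptable rule` although the second removes the FORWARD rule, and nothing in the file says why the distro's reject-all rules are dropped and `firewalld` disabled on OracleLinux, so anyone auditing the image's firewall posture has no context. Rename the second task (`Remove the default forward reject all iptable rule`) and add a comment above the first along the lines of `# The default reject-all INPUT/FORWARD rules and firewalld would block pod and node traffic; Kubernetes components manage their own iptables rules` — adjust if the real motivation differs.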


@ -0,0 +1,24 @@
- name: Download cloud-int outscale package for Ubuntu
copy:
src: files/tmp/cloud-init_22.2-outscale.deb
dest: /tmp/cloud-init_22.2-outscale.deb
owner: root
group: root
mode: 0755
when: ansible_distribution == "Ubuntu"
- name: Install cloud-init outscale package
apt:
deb: /tmp/cloud-init_22.2-outscale.deb
force: True
force_apt_get: True
when: ansible_distribution == "Ubuntu"
- name: Change cloud-init metadata outscale config in Ubuntu
copy:
src: files/etc/cloud/cloud.cfg.d/99_metadata.cfg
dest: /etc/cloud/cloud.cfg.d/99_metadata.cfg
owner: root
group: root
mode: 0644
when: ansible_distribution == "Ubuntu"
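Review bot: `force: True` on `Install cloud-init outscale package` does more than permit a downgrade: in the `apt` module it maps to `--force-yes` and implies `allow_unauthenticated`, so package authentication is switched off for that run. If the intent is to let the vendored 22.2 build replace a newer distro cloud-init, `allow_downgrade: true` is the narrower option; the same `force: yes` appears on `install pinned debs` in the Debian task list further down. The copied `.deb` also gets `mode: 0755` though it is data rather than a script (`"0644"` suffices) and is never removed from `/tmp` afterwards, and this is the only task file in the commit missing the license header and `---` document start.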


@ -0,0 +1,49 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Install cloud-init packages
apt:
name: "{{ packages }}"
state: present
force_apt_get: yes
vars:
packages:
- cloud-init
- cloud-guest-utils
- cloud-initramfs-copymods
- cloud-initramfs-dyn-netconf
when: ansible_os_family == "Debian"
- name: Install cloud-init packages
yum:
name: "{{ packages }}"
state: present
vars:
packages:
- cloud-init
- cloud-utils-growpart
when: ansible_os_family == "RedHat"
#- name: Unlock password
# replace:
# path: /etc/cloud/cloud.cfg
# regexp: '(?i)lock_passwd: True'
# replace: 'lock_passwd: False'
- name: Disable Hyper-V KVP protocol daemon on Ubuntu
systemd:
name: hv-kvp-daemon
state: stopped
enabled: false
when: ansible_os_family == "Debian"
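Review bot: The commented-out `Unlock password` task (`#- name: Unlock password` through `# replace: 'lock_passwd: False'`) is dead code that, if anyone uncomments it, re-enables password login for cloud-init's default user; leaving it in the task list invites exactly that. Delete the block (history keeps it), or if it is a supported option put it behind an explicit variable with a comment spelling out the consequence. The identical commented block is repeated in the next hunk after the RedHat `Install cloud-init packages` task.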


@ -0,0 +1,57 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Install cloud-init packages
apt:
name: "{{ packages }}"
state: present
force_apt_get: yes
vars:
packages:
- cloud-init
- cloud-guest-utils
- cloud-initramfs-copymods
- cloud-initramfs-dyn-netconf
when: ansible_os_family == "Debian"
- name: Install cloud-init packages
yum:
name: "{{ packages }}"
state: present
vars:
packages:
- cloud-init
- cloud-utils-growpart
when: ansible_os_family == "RedHat"
#- name: Unlock password
# replace:
# path: /etc/cloud/cloud.cfg
# regexp: '(?i)lock_passwd: True'
# replace: 'lock_passwd: False'
- name: Symlink /usr/libexec/cloud-init to /usr/lib/cloud-init
file:
src: /usr/libexec/cloud-init
dest: /usr/lib/cloud-init
mode: 0777
state: link
when: ansible_os_family == "RedHat"
- name: Disable Hyper-V KVP protocol daemon on Ubuntu
systemd:
name: hv-kvp-daemon
state: stopped
enabled: false
when: ansible_os_family == "Debian"
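Review bot: `mode: 0777` on `Symlink /usr/libexec/cloud-init to /usr/lib/cloud-init` is at best meaningless and at worst harmful: symlink permissions are ignored on Linux, and with the `file` module's default `follow: true` the mode is presumably applied to the link target, which would make `/usr/libexec/cloud-init` world-writable — confirm on a RedHat build. Drop the `mode:` line; the link needs only `src`, `dest` and `state: link`.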


@ -0,0 +1,30 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: import the Microsoft repository key
command: rpm --import https://packages.microsoft.com/keys/microsoft.asc
- name: Add the yum repository for the azure cli
yum_repository:
name: azure_cli
description: Azure CLI
baseurl: https://packages.microsoft.com/yumrepos/azure-cli
gpgkey: https://packages.microsoft.com/keys/microsoft.asc
gpgcheck: yes
enabled: yes
- name: install Azure CLI
package:
name: azure-cli
state: present
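Review bot: `command: rpm --import https://packages.microsoft.com/keys/microsoft.asc` trusts whatever key that URL serves and reports `changed` on every run. The `rpm_key` module does the same job idempotently and can pin the expected key: `rpm_key:` with `key: https://packages.microsoft.com/keys/microsoft.asc` and `fingerprint: <microsoft-key-fingerprint>` (placeholder; take it from Microsoft's published key), so a swapped key fails the build instead of becoming trusted for the repository that `gpgcheck: yes` relies on.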


@ -0,0 +1,79 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Install cloud-init and tools for VMware Photon OS
command: tdnf install {{ packages }} -y
vars:
packages: "cloud-init cloud-utils python3-netifaces"
- name: Remove cloud-init /etc/cloud/cloud.cfg.d/99-disable-networking-config.cfg
file:
path: /etc/cloud/cloud.cfg.d/99-disable-networking-config.cfg
state: absent
- name: Install networkd-dispatcher service (Download from source)
unarchive:
src: "{{ networkd_dispatcher_download_url }}"
dest: /tmp
remote_src: yes
- name: Create needed directories
file:
path: "{{ item.dir }}"
state: directory
loop:
- { dir: /etc/conf.d }
- { dir: /etc/networkd-dispatcher/carrier.d }
- { dir: /etc/networkd-dispatcher/configured.d }
- { dir: /etc/networkd-dispatcher/configuring.d }
- { dir: /etc/networkd-dispatcher/degraded.d }
- { dir: /etc/networkd-dispatcher/dormant.d }
- { dir: /etc/networkd-dispatcher/no-carrier.d }
- { dir: /etc/networkd-dispatcher/off.d }
- { dir: /etc/networkd-dispatcher/routable.d }
- name: Install networkd-dispatcher service (Move files)
command: mv "{{ item.src }}" "{{ item.dest }}"
loop:
- { src: /tmp/networkd-dispatcher-2.1/networkd-dispatcher, dest: /usr/bin }
- { src: /tmp/networkd-dispatcher-2.1/networkd-dispatcher.service, dest: /etc/systemd/system }
- { src: /tmp/networkd-dispatcher-2.1/networkd-dispatcher.conf, dest: /etc/conf.d }
- name: Install networkd-dispatcher service (Run networkd-dispatcher)
systemd:
name: networkd-dispatcher
state: started
enabled: yes
- name: Copy networkd-dispatcher scripts to add DHCP provided NTP servers
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: a+x
vars:
server_dir: "/var/lib/dhclient"
chrony_helper_dir: "/usr/libexec"
loop:
- { src: files/etc/networkd-dispatcher/routable.d/20-chrony.j2, dest: /etc/networkd-dispatcher/routable.d/20-chrony }
- { src: files/etc/networkd-dispatcher/off.d/20-chrony.j2, dest: /etc/networkd-dispatcher/off.d/20-chrony }
- { src: files/etc/networkd-dispatcher/no-carrier.d/20-chrony.j2, dest: /etc/networkd-dispatcher/no-carrier.d/20-chrony }
- name: Copy chrony-helper script
copy:
src: files/usr/libexec/chrony-helper
dest: /usr/libexec/chrony-helper
owner: root
group: root
mode: a+x
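Review bot: `Install networkd-dispatcher service (Move files)` uses `command: mv` from `/tmp/networkd-dispatcher-2.1/…`, so a second run fails once the extracted files are gone and the first run can never report no-change; `copy` with `remote_src: yes` plus explicit `owner: root`, `group: root` and `mode` is idempotent and also fixes the ownership and permissions of a unit file and binary that currently inherit whatever the archive carried. The `unarchive` task above fetches `networkd_dispatcher_download_url` with no integrity check before its contents become a root-run systemd service; what the variable points at is not visible here, but fetching with `get_url` and `checksum: "sha256:<expected-sha256>"` (placeholder) before unpacking would close that gap.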


@ -0,0 +1,51 @@
# Copyright 2022 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Install cloud-init packages
yum:
name: "{{ packages }}"
state: present
vars:
packages:
- cloud-init
- cloud-utils-growpart
- python2-pip
# pip on CentOS needs to be upgraded, but since it's still
# Python 2.7, need < 21.0
- name: Upgrade pip
pip:
name: pip<21.0
state: forcereinstall
when: ansible_distribution_major_version == '7'
# Directly installing Guestinfo datasource is needed so long as
# cloud-init is < 21.3
- name: Download cloud-init datasource for VMware Guestinfo
get_url:
url: '{{ guestinfo_datasource_script }}'
dest: /tmp/cloud-init-vmware.sh
mode: 0700
- name: Execute cloud-init-vmware.sh
shell: bash -o errexit -o pipefail /tmp/cloud-init-vmware.sh
environment:
REPO_SLUG: '{{ guestinfo_datasource_slug }}'
GIT_REF: '{{ guestinfo_datasource_ref }}'
- name: Remove cloud-init-vmware.sh
file:
path: /tmp/cloud-init-vmware.sh
state: absent


@ -0,0 +1,45 @@
# Copyright 2021 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Install cloud-init packages
apt:
name: "{{ packages }}"
state: present
force_apt_get: yes
vars:
packages:
- cloud-init
- cloud-guest-utils
- cloud-initramfs-copymods
- cloud-initramfs-dyn-netconf
- name: Disable Hyper-V KVP protocol daemon on Ubuntu
systemd:
name: hv-kvp-daemon
state: stopped
enabled: false
- name: Copy networkd-dispatcher scripts to add DHCP provided NTP servers
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: a+x
vars:
server_dir: "/var/lib/dhcp"
chrony_helper_dir: "/usr/lib/chrony"
loop:
- { src: files/etc/networkd-dispatcher/routable.d/20-chrony.j2, dest: /etc/networkd-dispatcher/routable.d/20-chrony }
- { src: files/etc/networkd-dispatcher/off.d/20-chrony.j2, dest: /etc/networkd-dispatcher/off.d/20-chrony }
- { src: files/etc/networkd-dispatcher/no-carrier.d/20-chrony.j2, dest: /etc/networkd-dispatcher/no-carrier.d/20-chrony }


@ -0,0 +1,57 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- include_tasks: vmware-photon.yml
when: ansible_os_family == "VMware Photon OS"
- include_tasks: vmware-ubuntu.yml
when: ansible_os_family == "Debian"
- include_tasks: vmware-redhat.yml
when: ansible_os_family == "RedHat"
- name: Create provider vmtools config drop-in file
copy:
src: files/etc/vmware-tools/tools.conf
dest: /etc/vmware-tools/tools.conf
owner: root
group: root
mode: 0644
when: ansible_os_family != "Flatcar"
- name: Create service to modify cloud-init config
copy:
src: files/etc/systemd/system/modify-cloud-init-cfg.service
dest: /etc/systemd/system/modify-cloud-init-cfg.service
owner: root
group: root
mode: 0644
when: ansible_os_family != "Flatcar"
- name: Copy cloud-init modification script
copy:
src: files/usr/local/bin/modify-cloud-init-cfg.sh
dest: /usr/local/bin/modify-cloud-init-cfg.sh
owner: root
group: root
mode: 0755
when: ansible_os_family != "Flatcar"
- name: Enable modify-cloud-init-cfg.service
systemd:
name: modify-cloud-init-cfg.service
daemon_reload: yes
enabled: True
state: stopped
when: ansible_os_family != "Flatcar"


@ -0,0 +1,19 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
pypy_python_version: "3.6"
pypy_version: "7.2.0"
pypy_download_path: "/tmp/pypy.tar.bz2"
pypy_install_path: "/opt"


@ -0,0 +1,30 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Check if pypy is installed
raw: "[ -f {{ pypy_install_path }}/pypy/bin/pypy ] && echo 'true' || echo 'false'"
register: pypy_installed
- name: Install pypy
block:
- name: Download pypy archive
raw: "curl https://github.com/squeaky-pl/portable-pypy/releases/download/pypy{{ pypy_python_version }}-{{ pypy_version }}/pypy{{ pypy_python_version }}-{{ pypy_version }}-linux_x86_64-portable.tar.bz2 -L --output {{ pypy_download_path }}"
- name: Extract archive
raw: "tar -xjf {{ pypy_download_path }} -C {{ pypy_install_path }}"
- name: Rename pypy folder
raw: "mv {{ pypy_install_path }}/pypy{{ pypy_python_version }}-{{ pypy_version }}-linux_x86_64-portable/ {{ pypy_install_path }}/pypy"
- name: Delete downloaded archive
raw: "rm -f {{ pypy_download_path }}"
when:
- pypy_installed.stdout_lines[0] == "false"
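Review bot: `Download pypy archive` pulls a tarball from a third-party GitHub release with `curl … -L` and no integrity check, and that archive then becomes the interpreter Ansible itself runs as root on Flatcar, so a tampered release asset compromises every later task. Since these are `raw` tasks (no Python yet), verify with coreutils before `Extract archive`: `raw: "echo '{{ pypy_sha256 }}  {{ pypy_download_path }}' | sha256sum -c -"` with `pypy_sha256` (new variable, set from the published checksum) added to the role defaults, and pass `-f` to curl so an HTTP error fails the download instead of saving an error page. The pinned `pypy3.6`/`7.2.0` portable build in the defaults is an old release; a comment on why that version is pinned would help the next person who needs to bump it.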


@ -0,0 +1,22 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Get distribution name from lsb-release
raw: "grep DISTRIB_ID /etc/lsb-release || echo '/etc/lsb-release not found'"
register: distrib_id
- include_tasks: flatcar.yml
# We can't use ansible_os_family fact here for consistency, as facts gathering
# is disabled in the playbook which includes this role. See playbook for more details.
when: distrib_id.stdout_lines[0] is search("Flatcar")


@ -0,0 +1,27 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
debs: ""
extra_debs: ""
pinned_debs: []
redhat_epel_rpm: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
epel_rpm_gpg_key: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7"
rpms: ""
extra_rpms: ""
disable_public_repos: false
external_binary_path: "{{ '/opt/bin' if ansible_os_family == 'Flatcar' else '/usr/local/bin' }}"
extra_repos: ""
pip_conf_file: ""


@ -0,0 +1,3 @@
#!/bin/bash
. /etc/profile
echo "PATH=$PATH"


@ -0,0 +1,11 @@
[Unit]
Description=Kubernetes flex volume plugin directory
[Mount]
What=overlay
Where=/usr/libexec
Type=overlay
Options=lowerdir=/usr/libexec,workdir=/opt/libexec.work,upperdir=/opt/libexec
[Install]
WantedBy=multi-user.target


@ -0,0 +1,28 @@
---
# Flatcar ships without Python installed
- name: Check if bootstrap is needed
raw: stat /opt/bin/.bootstrapped
register: need_bootstrap
environment: {}
failed_when: false
changed_when: false
tags:
- facts
- name: Set the ansible_python_interpreter fact
set_fact:
ansible_python_interpreter: "{{ external_binary_path }}/python"
tags:
- facts
# Some tasks are not compatible with Flatcar, so to centralize and deduplicate the logic of checking
# if we run on Flatcar, we define it here.
#
# This is required until https://github.com/ansible/ansible/issues/77537 is fixed and used.
- name: Override Flatcar's OS family
set_fact:
ansible_os_family: Flatcar
when: ansible_os_family == "Flatcar Container Linux by Kinvolk"
tags:
- facts


@ -0,0 +1,105 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Put templated sources.list in place
template:
src: etc/apt/sources.list.j2
dest: /etc/apt/sources.list
mode: 0644
# OCI Base images have the required apt sources list embedded inside the image, adding the sources list
# from this repo leads to build failures(especially in Arm), hence ignoring the step.
when: packer_builder_type != "oracle-oci"
- name: Put templated apt.conf.d/90proxy in place when defined
template:
src: etc/apt/apt.conf.d/90proxy
dest: /etc/apt/apt.conf.d/90proxy
mode: 0644
when: http_proxy is defined or https_proxy is defined
- name: Ensure cloud-final is in a running state
service:
name: cloud-final
state: started
check_mode: yes
register: cloudfinalstatus
until: cloudfinalstatus.status.ActiveState == "active"
retries: 5
delay: 10
when: packer_builder_type == "oracle-oci" and extra_repos != ""
- name: Find existing repo files
find:
depth: 1
paths:
- /etc/apt
- /etc/apt/sources.list.d
patterns: '*.list'
register: repo_files
when: disable_public_repos|bool
- name: Disable repos
command: "mv {{ item.path }} {{ item.path }}.disabled"
loop: "{{ repo_files.files }}"
when: disable_public_repos|bool
- name: Install extra repos
copy:
src: "{{ item }}"
dest: "/etc/apt/sources.list.d/{{ item | basename }}"
mode: 0644
loop: "{{ extra_repos.split() }}"
when: extra_repos != ""
- name: perform a dist-upgrade
apt:
force_apt_get: True
update_cache: True
upgrade: dist
register: apt_lock_status
until: apt_lock_status is not failed
retries: 5
delay: 10
- name: install baseline dependencies
apt:
force_apt_get: True
update_cache: True
name: "{{ debs }}"
state: latest
register: apt_lock_status
until: apt_lock_status is not failed
retries: 5
delay: 10
- name: install extra debs
apt:
force_apt_get: True
name: "{{ extra_debs.split() }}"
state: latest
register: apt_lock_status
until: apt_lock_status is not failed
retries: 5
delay: 10
- name: install pinned debs
apt:
force_apt_get: True
name: "{{ pinned_debs }}"
state: present
force: yes
register: apt_lock_status
until: apt_lock_status is not failed
retries: 5
delay: 10
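Review bot: `force: yes` on the "install pinned debs" task maps to apt-get `--force-yes`, which the apt module documents as implying `allow_unauthenticated: yes` (and `allow_downgrade: yes`), so the pinned packages — the ones whose exact versions matter most — are installed with repository signature verification disabled. If the intent is only to let apt move to an older pinned version, `allow_downgrade: true` (apt module, ansible-core 2.12+) achieves that while keeping signature checks; if an unsigned repository is genuinely required, say so explicitly with `allow_unauthenticated: true` and a comment naming the repo. The `until`/`retries` wrappers handle the dpkg lock, but the three `state: latest` installs pull whatever is newest at build time, so a comment noting that reproducibility rests on `pinned_debs` would help the next maintainer.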


@ -0,0 +1,55 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- include_tasks: bootstrap-flatcar.yml
- name: Create /opt/libexec overlay directories
file:
path: "{{ item }}"
state: directory
with_items:
- /opt/libexec
- /opt/libexec.work
- name: Create usr-libexec.mount unit
copy:
src: etc/systemd/system/usr-libexec.mount
dest: /etc/systemd/system/usr-libexec.mount
owner: root
group: root
mode: "0644"
- name: Enable usr-libexec.mount unit
systemd:
daemon_reload: yes
enabled: yes
name: usr-libexec.mount
- name: Create system-environment-generators directory
file:
path: /etc/systemd/system-environment-generators
state: directory
- name: Add env generator that includes system PATH on service path
copy:
src: etc/systemd/system-environment-generators/10-flatcar-path
dest: /etc/systemd/system-environment-generators/10-flatcar-path
owner: root
group: root
mode: "0755"
- name: Enable systemd-timesyncd unit
systemd:
enabled: yes
name: systemd-timesyncd.service
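Review bot: the "Create /opt/libexec overlay directories" task creates the upperdir and workdir of the `usr-libexec.mount` overlay with whatever the default umask yields, while the unit file and the env generator below get explicit `owner: root`, `group: root` and a mode. Since `/opt/libexec` is merged into `/usr/libexec` (the unit's Description calls it the flex volume plugin directory, and kubelet presumably runs those plugins as root), the directories should be pinned the same way: add `owner: root`, `group: root`, `mode: "0755"` to that `file` task. The overlay also makes a path under Flatcar's normally read-only `/usr` writable via `/opt`; a comment above the task stating which plugins are expected to land there would let reviewers judge the exposure. Finally, `daemon_reload: yes` and `enabled: yes` are better written `true` for YAML 1.2 parsers.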


@ -0,0 +1,36 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: debian.yml
when: ansible_os_family == "Debian"
- import_tasks: flatcar.yml
# This task overrides ansible_os_family to "Flatcar" as a workaround for
# regression between Flatcar and Ansible, so rest of the code can use just
# "Flatcar" for comparison, which is the correct value.
when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
- import_tasks: redhat.yml
when: ansible_os_family == "RedHat"
- import_tasks: photon.yml
when: ansible_os_family == "VMware Photon OS"
# Copy in pip config file when defined
- name: Install pip config file
copy:
src: "{{ pip_conf_file }}"
dest: /etc/pip.conf
mode: 0644
when: pip_conf_file != ""
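Review bot: `mode: 0644` on the "Install pip config file" task is an unquoted leading-zero literal, which YAML 1.1 (PyYAML) reads as the integer 420 and a YAML 1.2 parser as decimal 644; Ansible's own guidance is to quote octal modes, so `mode: "0644"` is the portable form (the same applies to the other `mode:` lines in this commit). Given that `/etc/pip.conf` can redirect every later `pip install` in the build to an arbitrary index, a one-line comment above the task such as `# pip_conf_file may point pip at an internal mirror; only trusted index URLs should be supplied here` makes the trust boundary explicit.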


@ -0,0 +1,61 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: add bash_profile
template:
dest: /home/builder/.bash_profile
src: photon_bash_profile
mode: 0600
owner: builder
group: builder
- import_tasks: rpm_repos.yml
- name: Perform a tdnf distro-sync
command: tdnf distro-sync -y --refresh
register: distro
changed_when: '"Nothing to do" not in distro.stderr'
- name: Concatenate the Photon RPMs
set_fact:
photon_rpms: "{{ rpms | join(' ') }}"
- name: install baseline dependencies
command: tdnf install {{ photon_rpms }} -y
when: photon_rpms != ""
- name: install extra RPMs
command: tdnf install {{ extra_rpms }} -y
when: extra_rpms != ""
# Default size of 1G is insufficient when downloading additional components
- name: Increase tmpfs size
mount:
path: /tmp
src: "tmpfs"
fstype: tmpfs
opts: "size=5G"
state: remounted
- name: reset iptables rules input
replace:
path: /etc/systemd/scripts/ip4save
regexp: 'INPUT DROP'
replace: 'INPUT ACCEPT'
- name: reset ip6tables rules input
replace:
path: /etc/systemd/scripts/ip6save
regexp: 'INPUT DROP'
replace: 'INPUT ACCEPT'
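Review bot: the last two tasks rewrite `/etc/systemd/scripts/ip4save` and `ip6save` from `INPUT DROP` to `INPUT ACCEPT`, which flips the default inbound policy of Photon's persistent iptables rules for the whole image, with no comment on why. A comment above the first replace along the lines of `# Photon ships an INPUT DROP default; opened so kubelet/CNI traffic is reachable — confirm deployment-time firewalling re-restricts this` (wording to be checked against the real requirement) and `backup: true` on both `replace` tasks would document and preserve the original policy. `regexp: 'INPUT DROP'` is also unanchored, so it rewrites any line containing that text, including a commented-out one; `regexp: '^(:INPUT) DROP'` with `replace: '\1 ACCEPT'` targets only the policy line. Separately, the tdnf tasks pass `{{ extra_rpms }}` unsplit while redhat.yml uses `extra_rpms.split()`; harmless with the `command` module, but worth aligning.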


@ -0,0 +1,54 @@
# Copyright 2018 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: RHEL subscription
redhat_subscription:
state: present
username: "{{ lookup('env', 'RHSM_USER') }}"
password: "{{ lookup('env', 'RHSM_PASS') }}"
auto_attach: true
when: ansible_distribution == "RedHat"
- name: import epel gpg key
rpm_key:
state: present
key: "{{ epel_rpm_gpg_key }}"
when: epel_rpm_gpg_key != ""
- name: add epel repo
yum:
name: "{{ redhat_epel_rpm }}"
state: present
lock_timeout: 60
when: redhat_epel_rpm != ""
- import_tasks: rpm_repos.yml
- name: perform a yum update
yum:
name: '*'
state: latest
lock_timeout: 60
- name: install baseline dependencies
yum:
name: "{{ rpms }}"
state: present
lock_timeout: 60
- name: install extra rpms
yum:
name: "{{ extra_rpms.split() }}"
state: present
lock_timeout: 60
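Review bot: the "RHEL subscription" task registers the build VM with credentials read from `RHSM_USER`/`RHSM_PASS`, and nothing in this file unregisters it, so unless a later cleanup role runs `redhat_subscription` with `state: absent` the captured image presumably carries the subscription identity into every machine cloned from it; a comment naming where that unregistration happens would close the loop. Adding `no_log: true` to the task is cheap defense in depth in case the module or a failure path echoes its arguments. `lookup('env', ...)` also returns an empty string when the variable is unset, so the module is reached with blank credentials instead of a clear error; gating with `when: ansible_distribution == "RedHat" and lookup('env', 'RHSM_USER') != ""` or an upfront `assert` gives a better failure. The yum tasks lack the `until`/`retries` wrapper the Debian tasks use, which is acceptable with `lock_timeout: 60`, just noting the asymmetry.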


@ -0,0 +1,34 @@
# Copyright 2020 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Find existing repo files
find:
depth: 1
paths: /etc/yum.repos.d
patterns: '*.repo'
register: repo_files
when: disable_public_repos|bool
- name: Disable repos
command: "mv {{ item.path }} {{ item.path }}.disabled"
loop: "{{ repo_files.files }}"
when: disable_public_repos|bool
- name: Install extra repos
copy:
src: "{{ item }}"
dest: "/etc/yum.repos.d/{{ item | basename }}"
mode: 0644
loop: "{{ extra_repos.split() }}"
when: extra_repos != ""


@ -0,0 +1,8 @@
Acquire {
{% if http_proxy %}
http::Proxy "{{ http_proxy }}";
{% endif %}
{% if https_proxy %}
https::Proxy "{{ https_proxy }}";
{% endif %}
}


@ -0,0 +1,4 @@
deb http://us.archive.ubuntu.com/ubuntu {{ ansible_distribution_release }} main restricted universe
deb http://us.archive.ubuntu.com/ubuntu {{ ansible_distribution_release }}-updates main restricted universe
deb http://us.archive.ubuntu.com/ubuntu {{ ansible_distribution_release }}-backports main restricted universe
deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe
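Review bot: the template hard-codes `us.archive.ubuntu.com` and Ubuntu pockets, yet debian.yml writes it to `/etc/apt/sources.list` for every host where `ansible_os_family == "Debian"` (except the OCI builder), so a Debian-proper host would end up with Ubuntu repositories. Either gate that task on `ansible_distribution == "Ubuntu"` or make the mirror a variable, e.g. `deb {{ ubuntu_mirror | default('http://us.archive.ubuntu.com/ubuntu') }} {{ ansible_distribution_release }} main restricted universe`, so builds in other regions or behind a proxy can use a closer or internal mirror without editing the template. Plain `http://` is acceptable because apt verifies the signed Release files, but a short comment saying so heads off the obvious review question.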


@ -0,0 +1,2 @@
PATH=$PATH:/usr/sbin:/usr/local/sbin
export PATH


@ -0,0 +1,17 @@
# Copyright 2019 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
extra_repos: ""
pip_conf_file: ""
remove_extra_repos: false
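Review bot: this defaults file declares only `extra_repos`, `pip_conf_file` and `remove_extra_repos`, while the task files in this commit also read `disable_public_repos`, `extra_debs`, `pinned_debs`, `extra_rpms`, `debs`, `rpms`, `epel_rpm_gpg_key`, `redhat_epel_rpm`, `external_binary_path` and `packer_builder_type` without a `default()` filter, so — if this is the same role's defaults — each must arrive from the Packer variables or another vars file; a comment listing that contract would help. `remove_extra_repos` is defaulted here but not consumed by any file shown in this diff, presumably by a later role. Defaulting `disable_public_repos: false` here as well would make the `disable_public_repos|bool` conditions safe for ad-hoc runs of the role.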


@ -0,0 +1,2 @@
127.0.0.1 localhost localhost.local
::1 localhost ip6-localhost ip6-loopback


@ -0,0 +1,7 @@
network:
version: 2
ethernets:
id0:
match:
name: enp*s*
dhcp4: true
