Test dependencies

ansible/roles/providers/defaults/main.yml

@@ -0,0 +1,17 @@
+# Copyright 2021 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+networkd_dispatcher_download_url: "https://gitlab.com/craftyguy/networkd-dispatcher/-/archive/2.1/networkd-dispatcher-2.1.tar.bz2"
+packer_builder_type: ""
+build_target: "virt"

ansible/roles/providers/files/etc/azure/iptables

@@ -0,0 +1,8 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -m comment --comment "block traffic to 168.63.129.16 for cve-2021-27075" -j DROP
+-A OUTPUT -d 168.63.129.16/32 -p tcp -m owner --uid-owner 0 -j ACCEPT
+-A OUTPUT -d 168.63.129.16/32 -p tcp -m conntrack --ctstate INVALID,NEW -j DROP
+COMMIT

ansible/roles/providers/files/etc/cloud/cloud.cfg.d/05_logging.cfg

@@ -0,0 +1,67 @@
+## This yaml formated config file handles setting
+## logger information.  The values that are necessary to be set
+## are seen at the bottom.  The top '_log' are only used to remove
+## redundency in a syslog and fallback-to-file case.
+##
+## The 'log_cfgs' entry defines a list of logger configs
+## Each entry in the list is tried, and the first one that
+## works is used.  If a log_cfg list entry is an array, it will
+## be joined with '\n'.
+_log:
+ - &log_base |
+   [loggers]
+   keys=root,cloudinit
+   
+   [handlers]
+   keys=consoleHandler,cloudLogHandler
+   
+   [formatters]
+   keys=simpleFormatter,arg0Formatter
+   
+   [logger_root]
+   level=DEBUG
+   formatter=arg0Formatter
+   handlers=consoleHandler,cloudLogHandler
+   
+   [logger_cloudinit]
+   level=DEBUG
+   qualname=cloudinit
+   handlers=
+   propagate=1
+   
+   [handler_consoleHandler]
+   class=StreamHandler
+   level=WARNING
+   formatter=arg0Formatter
+   args=(sys.stderr,)
+   
+   [formatter_arg0Formatter]
+   format=%(asctime)s - %(filename)s[%(levelname)s]: %(message)s
+   
+   [formatter_simpleFormatter]
+   format=[CLOUDINIT]%(asctime)s - %(filename)s[%(levelname)s]: %(message)s
+ - &log_file |
+   [handler_cloudLogHandler]
+   class=FileHandler
+   level=DEBUG
+   formatter=arg0Formatter
+   args=('/var/log/cloud-init.log',)
+ - &log_syslog |
+   [handler_cloudLogHandler]
+   class=handlers.SysLogHandler
+   level=DEBUG
+   formatter=simpleFormatter
+   args=("/dev/log", handlers.SysLogHandler.LOG_USER)
+
+log_cfgs:
+# These will be joined into a string that defines the configuration
+ - [ *log_base, *log_syslog ]
+# These will be joined into a string that defines the configuration
+ - [ *log_base, *log_file ]
+# A file path can also be used
+# - /etc/log.conf
+
+# this tells cloud-init to redirect its stdout and stderr to
+# 'tee -a /var/log/cloud-init-output.log' so the user can see output
+# there without needing to look on the console.
+output: {all: '| python3 -c ''import sys,time;sys.stdout.write("".join(( " ".join((time.strftime("[%Y-%m-%d %H:%M:%S]", time.localtime()), line)) for line in sys.stdin )))'' | tee -a /var/log/cloud-init-output.log'}

ansible/roles/providers/files/etc/cloud/cloud.cfg.d/99_metadata.cfg

@@ -0,0 +1,2 @@
+disable-ec2-metadata: false
+datasource_list: [ Outscale ] 

ansible/roles/providers/files/etc/networkd-dispatcher/no-carrier.d/20-chrony.j2

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# This is a networkd-dispatcher script for chronyd to handle its NTP
+# sources. It sets the NTP sources online or offline when a network
+# interface is configured or removed. On DHCP change, chrony will
+# update its NTP sources passed from DHCP options.
+
+export LC_ALL=C
+
+DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE
+
+clear_servers_from_dhcp() {
+    if [ -f "$DHCP_SERVER_FILE" ]; then
+        rm -f "$DHCP_SERVER_FILE"
+        {{ chrony_helper_dir }}/chrony-helper update-daemon || :
+    fi
+}
+
+if [ "$STATE" = "no-carrier" ]; then
+    clear_servers_from_dhcp
+    # The onoffline command tells chronyd to switch all sources to
+    # the online (routable) or offline (off) status according to the current network configuration.
+    chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0

ansible/roles/providers/files/etc/networkd-dispatcher/off.d/20-chrony.j2

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# This is a networkd-dispatcher script for chronyd to handle its NTP
+# sources. It sets the NTP sources online or offline when a network
+# interface is configured or removed. On DHCP change, chrony will
+# update its NTP sources passed from DHCP options.
+
+export LC_ALL=C
+
+DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE
+
+clear_servers_from_dhcp() {
+    if [ -f "$DHCP_SERVER_FILE" ]; then
+        rm -f "$DHCP_SERVER_FILE"
+        {{ chrony_helper_dir }}/chrony-helper update-daemon || :
+    fi
+}
+
+if [ "$STATE" = "off" ]; then
+    clear_servers_from_dhcp
+    # The onoffline command tells chronyd to switch all sources to
+    # the online (routable) or offline (off) status according to the current network configuration.
+    chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0

ansible/roles/providers/files/etc/networkd-dispatcher/routable.d/20-chrony.j2

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# This is a networkd-dispatcher script for chronyd to handle its NTP
+# sources. It sets the NTP sources online or offline when a network
+# interface is configured or removed. On DHCP change, chrony will
+# update its NTP sources passed from DHCP options.
+
+export LC_ALL=C
+
+DHCP_SERVER_FILE={{ server_dir }}/chrony.servers.$IFACE
+
+add_servers_from_dhcp() {
+    if [ -f "$DHCP_SERVER_FILE" ]; then
+        rm -f "$DHCP_SERVER_FILE"
+    fi
+    echo "$json" | jq -r 'select(.NTP !=null) .NTP[]' >> $DHCP_SERVER_FILE
+    {{ chrony_helper_dir }}/chrony-helper update-daemon || :
+}
+
+if [ "$STATE" = "routable" ]; then
+    add_servers_from_dhcp
+    # The onoffline command tells chronyd to switch all sources to
+    # the online (routable) or offline (off) status according to the current network configuration.
+    chronyc onoffline > /dev/null 2>&1
+fi
+
+exit 0

ansible/roles/providers/files/etc/systemd/system/cloud-config.service.d/boot-order.conf

@@ -0,0 +1,3 @@
+[Unit]
+After=containerd.service
+Wants=containerd.service

ansible/roles/providers/files/etc/systemd/system/cloud-final.service.d/boot-order.conf

@@ -0,0 +1,3 @@
+[Unit]
+After=containerd.service
+Wants=containerd.service

ansible/roles/providers/files/etc/systemd/system/modify-cloud-init-cfg.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Modify cloud-init config
+After=cloud-final.service
+AssertFileIsExecutable=/usr/local/bin/modify-cloud-init-cfg.sh
+
+[Install]
+WantedBy=cloud-init.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/modify-cloud-init-cfg.sh
+SuccessExitStatus=0

ansible/roles/providers/files/etc/vmware-tools/tools.conf

@@ -0,0 +1,3 @@
+[guestinfo]
+exclude-nics=antrea-*,cali*,cilium*,lxc*,ovs-system,br*,flannel*,veth*,vxlan_sys_*,genev_sys_*,gre_sys_*,stt_sys_*,????????-??????
+

ansible/roles/providers/files/usr/lib/python3/dist-packages/cloudinit/feature_overrides.py

@@ -0,0 +1 @@
+ERROR_ON_USER_DATA_FAILURE = False

ansible/roles/providers/files/usr/libexec/chrony-helper

@@ -0,0 +1,251 @@
+#!/bin/bash
+# This script configures running chronyd to use NTP servers obtained from
+# DHCP and _ntp._udp DNS SRV records. Files with servers from DHCP are managed
+# externally (e.g. by a dhclient script). Files with servers from DNS SRV
+# records are updated here using the dig utility. The script can also list
+# and set static sources in the chronyd configuration file.
+
+chronyc=/usr/bin/chronyc
+chrony_conf=/etc/chrony.conf
+chrony_service=chronyd.service
+helper_dir=/var/run/chrony-helper
+added_servers_file=$helper_dir/added_servers
+
+network_sysconfig_file=/etc/sysconfig/network
+dhclient_servers_files=/var/lib/dhclient/chrony.servers.*
+dnssrv_servers_files=$helper_dir/dnssrv@*
+dnssrv_timer_prefix=chrony-dnssrv@
+
+chrony_command() {
+    $chronyc -a -n -m "$1"
+}
+
+is_running() {
+    chrony_command "tracking" &> /dev/null
+}
+
+is_update_needed() {
+    for file in $dhclient_servers_files $dnssrv_servers_files \
+            $added_servers_file; do
+        [ -e "$file" ] && return 0
+    done
+    return 1
+}
+
+update_daemon() {
+    local all_servers_with_args all_servers added_servers
+
+    if ! is_running; then
+        rm -f $added_servers_file
+        return 0
+    fi
+
+    all_servers_with_args=$(
+        cat $dhclient_servers_files $dnssrv_servers_files 2> /dev/null)
+
+    all_servers=$(
+        echo "$all_servers_with_args" |
+            while read server serverargs; do
+                echo "$server"
+            done | sort -u)
+    added_servers=$( (
+        cat $added_servers_file 2> /dev/null
+        echo "$all_servers_with_args" |
+            while read server serverargs; do
+                [ -z "$server" ] && continue
+                chrony_command "add server $server $serverargs" &> /dev/null &&
+                    echo "$server"
+            done) | sort -u)
+
+    comm -23 <(echo -n "$added_servers") <(echo -n "$all_servers") |
+        while read server; do
+            chrony_command "delete $server" &> /dev/null
+        done
+
+    added_servers=$(comm -12 <(echo -n "$added_servers") <(echo -n "$all_servers"))
+
+    [ -n "$added_servers" ] && echo "$added_servers" > $added_servers_file ||
+        rm -f $added_servers_file
+}
+
+get_dnssrv_servers() {
+    local name=$1
+
+    if ! command -v dig &> /dev/null; then
+        echo "Missing dig (DNS lookup utility)" >&2
+        return 1
+    fi
+
+    (
+        . $network_sysconfig_file &> /dev/null
+
+        output=$(dig "$name" srv +short +ndots=2 +search 2> /dev/null)
+        [ $? -ne 0 ] && return 0
+
+        echo "$output" | while read prio weight port target; do
+            server=${target%.}
+            [ -z "$server" ] && continue
+            echo "$server port $port ${NTPSERVERARGS:-iburst}"
+        done
+    )
+}
+
+check_dnssrv_name() {
+    local name=$1
+
+    if [ -z "$name" ]; then
+        echo "No DNS SRV name specified" >&2
+        return 1
+    fi
+
+    if [ "${name:0:9}" != _ntp._udp ]; then
+        echo "DNS SRV name $name doesn't start with _ntp._udp" >&2
+        return 1
+    fi
+}
+
+update_dnssrv_servers() {
+    local name=$1
+    local srv_file=$helper_dir/dnssrv@$name servers
+
+    check_dnssrv_name "$name" || return 1
+
+    servers=$(get_dnssrv_servers "$name")
+    [ -n "$servers" ] && echo "$servers" > "$srv_file" || rm -f "$srv_file"
+}
+
+set_dnssrv_timer() {
+    local state=$1 name=$2
+    local srv_file=$helper_dir/dnssrv@$name servers
+    local timer=$dnssrv_timer_prefix$(systemd-escape "$name").timer
+
+    check_dnssrv_name "$name" || return 1
+
+    if [ "$state" = enable ]; then
+        systemctl enable "$timer"
+        systemctl start "$timer"
+    elif [ "$state" = disable ]; then
+        systemctl stop "$timer"
+        systemctl disable "$timer"
+        rm -f "$srv_file"
+    fi
+}
+
+list_dnssrv_timers() {
+    systemctl --all --full -t timer list-units | grep "^$dnssrv_timer_prefix" | \
+            sed "s|^$dnssrv_timer_prefix\(.*\)\.timer.*|\1|" |
+        while read -r name; do
+            systemd-escape --unescape "$name"
+        done
+}
+
+prepare_helper_dir() {
+    mkdir -p $helper_dir
+    exec 100> $helper_dir/lock
+    if ! flock -w 20 100; then
+        echo "Failed to lock $helper_dir" >&2
+        return 1
+    fi
+}
+
+is_source_line() {
+    local pattern="^[ \t]*(server|pool|peer|refclock)[ \t]+[^ \t]+"
+    [[ "$1" =~ $pattern ]]
+}
+
+list_static_sources() {
+    while read line; do
+        is_source_line "$line" && echo "$line" || :
+    done < $chrony_conf
+}
+
+set_static_sources() {
+    local new_config tmp_conf
+
+    new_config=$(
+        sources=$(
+            while read line; do
+                is_source_line "$line" && echo "$line"
+            done)
+
+        while read line; do
+            if ! is_source_line "$line"; then
+                echo "$line"
+                continue
+            fi
+
+            tmp_sources=$(
+                local removed=0
+
+                echo "$sources" | while read line2; do
+                    [ "$removed" -ne 0 -o "$line" != "$line2" ] && \
+                        echo "$line2" || removed=1
+                done)
+
+            [ "$sources" == "$tmp_sources" ] && continue
+            sources=$tmp_sources
+            echo "$line"
+        done < $chrony_conf
+
+        echo "$sources"
+    )
+
+    tmp_conf=${chrony_conf}.tmp
+
+    cp -a $chrony_conf $tmp_conf &&
+        echo "$new_config" > $tmp_conf &&
+        mv $tmp_conf $chrony_conf || return 1
+
+    systemctl try-restart $chrony_service
+}
+
+print_help() {
+    echo "Usage: $0 COMMAND"
+    echo
+    echo "Commands:"
+    echo "	update-daemon"
+    echo "	update-dnssrv-servers NAME"
+    echo "	enable-dnssrv NAME"
+    echo "	disable-dnssrv NAME"
+    echo "	list-dnssrv"
+    echo "	list-static-sources"
+    echo "	set-static-sources < sources.list"
+    echo "	is-running"
+    echo "	command CHRONYC-COMMAND"
+}
+
+case "$1" in
+    update-daemon|add-dhclient-servers|remove-dhclient-servers)
+        is_update_needed || exit 0
+        prepare_helper_dir && update_daemon
+        ;;
+    update-dnssrv-servers)
+        prepare_helper_dir && update_dnssrv_servers "$2" && update_daemon
+        ;;
+    enable-dnssrv)
+        set_dnssrv_timer enable "$2"
+        ;;
+    disable-dnssrv)
+        set_dnssrv_timer disable "$2" && prepare_helper_dir && update_daemon
+        ;;
+    list-dnssrv)
+        list_dnssrv_timers
+        ;;
+    list-static-sources)
+        list_static_sources
+        ;;
+    set-static-sources)
+        set_static_sources
+        ;;
+    is-running)
+        is_running
+        ;;
+    command|forced-command)
+        chrony_command "$2"
+        ;;
+    *)
+        print_help
+        exit 2
+esac
+
+exit $?

ansible/roles/providers/files/usr/local/bin/modify-cloud-init-cfg.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i 's/preserve_hostname'":"' false/preserve_hostname'":"' true/' /etc/cloud/cloud.cfg

ansible/roles/providers/tasks/aws.yml

@@ -0,0 +1,74 @@
+# Copyright 2018 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: upgrade pip to latest
+  pip:
+    name: pip
+    executable: pip3
+    state: latest
+
+- name: install aws clients
+  pip:
+    name: "{{ packages }}"
+    executable: pip3
+  vars:
+    packages:
+      - awscli
+  when: ansible_distribution != "Amazon"
+
+# Remove after https://github.com/aws/amazon-ssm-agent/issues/235 is fixed.
+- name: install aws agents RPM on Redhat distributions
+  package:
+    name: "{{ item }}"
+    state: present
+    disable_gpg_check: true
+  with_items:
+    - "{{ amazon_ssm_agent_rpm }}"
+  when:
+    - ansible_os_family == "RedHat"
+    - ansible_distribution != "Amazon"
+
+- name: install aws agents RPM
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - amazon-ssm-agent
+    - awscli
+  when: ansible_distribution == "Amazon"
+
+- name: Ensure ssm agent is running RPM
+  service:
+    name: amazon-ssm-agent
+    state: started
+    enabled: yes
+  when: ansible_os_family == "RedHat"
+
+- name: install aws agents Ubuntu
+  shell: snap install amazon-ssm-agent --classic
+  when: ansible_distribution == "Ubuntu"
+
+- name: Ensure ssm agent is running Ubuntu
+  service:
+    name: snap.amazon-ssm-agent.amazon-ssm-agent.service
+    state: started
+    enabled: yes
+  when: ansible_distribution == "Ubuntu"
+
+- name: Disable Hyper-V KVP protocol daemon on Ubuntu
+  systemd:
+    name: hv-kvp-daemon
+    state: stopped
+    enabled: false
+  when: ansible_os_family == "Debian"

ansible/roles/providers/tasks/azure.yml

@@ -0,0 +1,67 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- import_tasks: redhat.yml
+  when: ansible_os_family == "RedHat"
+
+- import_tasks: debian.yml
+  when: ansible_os_family == "Debian"
+
+- name: Configure PTP
+  lineinfile:
+    path: /etc/chrony/chrony.conf
+    create: yes
+    line: refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
+
+- name: Ensure makestep parameter set as per Azure recommendation
+  lineinfile:
+    path: /etc/chrony/chrony.conf
+    regexp: '^makestep'
+    line: makestep 1.0 -1
+
+- name: Install iptables persistence
+  apt:
+    name: "{{ packages }}"
+    state: present
+    force_apt_get: yes
+  vars:
+    packages:
+      - iptables-persistent
+  when: ansible_os_family == "Debian"
+
+- name: Block traffic to 168.63.129.16 port 80 for cve-2021-27075
+  copy:
+    src: files/etc/azure/iptables
+    dest: /etc/iptables/rules.v4
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_os_family == "Debian"
+
+- name: Load iptable rules from file
+  community.general.iptables_state:
+    state: restored
+    path: /etc/iptables/rules.v4
+  when: ansible_os_family == "Debian"
+
+- name: Install netbase and nfs-common
+  apt:
+    name: "{{ packages }}"
+    state: present
+    force_apt_get: yes
+  vars:
+    packages:
+    - netbase
+    - nfs-common
+  when: ansible_os_family == "Debian"

ansible/roles/providers/tasks/cloudstack.yml

@@ -0,0 +1,39 @@
+# Copyright 2022 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Add CloudStack Datasource
+  copy:
+    dest: /etc/cloud/cloud.cfg.d/cloudstack.cfg
+    content: |-
+      datasource_list: ['CloudStack']
+      datasource:
+        CloudStack:
+          max_wait: 120
+          timeout: 50
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Run dracut cmd to regenerate initramfs with all drivers - needed when converting to different hypervisor templates
+  shell: dracut --force --no-hostonly
+  when: ansible_os_family == "RedHat"
+
+- name: Add draut cmd to regenerate initramfs with only necessary drivers on first boot
+  lineinfile:
+    state: present
+    path: /etc/cloud/cloud.cfg.d/cloudstack.cfg
+    line: |-
+      bootcmd:
+        - dracut --force
+  when: ansible_os_family == "RedHat"

ansible/roles/providers/tasks/debian.yml

@@ -0,0 +1,34 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: upgrade pip to latest
+  pip:
+    name: pip
+    executable: pip3
+    state: latest
+
+- name: upgrade pyOpenSSL and cryptography
+  pip:
+    name:
+      - pyOpenSSL==22.0.*
+      - cryptography==38.0.*
+    executable: pip3
+
+- name: install Azure clients
+  pip:
+    executable: pip3
+    name: "{{ packages }}"
+  vars:
+    packages:
+      - azure-cli

ansible/roles/providers/tasks/googlecompute.yml

@@ -0,0 +1,47 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Download gcloud SDK
+  get_url:
+    url:  https://sdk.cloud.google.com/
+    dest: /tmp/install-gcloud.sh
+    mode: 0700
+
+- name: Execute install-gcloud.sh
+  shell: bash -o errexit -o pipefail /tmp/install-gcloud.sh --disable-prompts --install-dir=/
+
+- name: Remove install-gcloud.sh
+  file:
+    path:  /tmp/install-gcloud.sh
+    state: absent
+
+- name: Find all files in /google-cloud-sdk/bin/
+  find:
+    paths: /google-cloud-sdk/bin/
+  register: find
+
+- name: Create symlinks to /bin
+  become: True
+  file:
+    src: "{{ item.path }}"
+    path: "/bin/{{ item.path | basename }}"
+    state: link
+  with_items: "{{ find.files }}"
+
+- name: Disable Hyper-V KVP protocol daemon on Ubuntu
+  systemd:
+    name: hv-kvp-daemon
+    state: stopped
+    enabled: false
+  when: ansible_os_family == "Debian"

ansible/roles/providers/tasks/main.yml

@@ -0,0 +1,120 @@
+# Copyright 2018 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- include_tasks: aws.yml
+  when: packer_builder_type.startswith('amazon')
+
+- include_tasks: azure.yml
+  when: packer_builder_type.startswith('azure')
+
+- include_tasks: outscale.yml
+  when: packer_builder_type.startswith('outscale')
+
+- include_tasks: vmware.yml
+  when: packer_builder_type is search('vmware') or
+    packer_builder_type is search('vsphere')
+
+- include_tasks: googlecompute.yml
+  when: packer_builder_type.startswith('googlecompute')
+
+- include_tasks: oci.yml
+  when: packer_builder_type.startswith('oracle-oci')
+
+- include_tasks: qemu.yml
+  when: packer_builder_type is search('qemu') and
+    build_target is not search('raw')
+
+- include_tasks: cloudstack.yml
+  when: packer_builder_type is search('qemu') and
+    provider is defined and
+    provider is search('cloudstack')
+
+- include_tasks: raw.yml
+  when: packer_builder_type is search('qemu') and
+    build_target is search('raw')
+
+- include_tasks: nutanix.yml
+  when: packer_builder_type is search('nutanix')
+
+# Create a boot order configuration
+# b/w containerd and cloud final, cloud config services
+
+- name: Creates unit file directory for cloud-final
+  file:
+    path: /etc/systemd/system/cloud-final.service.d
+    state: directory
+
+- name: Create cloud-final boot order drop in file
+  copy:
+    dest: /etc/systemd/system/cloud-final.service.d/boot-order.conf
+    src: etc/systemd/system/cloud-final.service.d/boot-order.conf
+    owner: root
+    group: root
+    mode: "0755"
+
+- name: Creates unit file directory for cloud-config
+  file:
+    path: /etc/systemd/system/cloud-config.service.d
+    state: directory
+
+- name: Create cloud-final boot order drop in file
+  copy:
+    dest: /etc/systemd/system/cloud-config.service.d/boot-order.conf
+    src: etc/systemd/system/cloud-config.service.d/boot-order.conf
+    owner: root
+    group: root
+    mode: "0755"
+
+# Some OS might disable cloud-final service on boot (rhel 7).
+# Enable all cloud-init services on boot.
+- name: Make sure all cloud init services are enabled
+  service:
+    name: "{{ item }}"
+    enabled: yes
+  with_items:
+    - cloud-final
+    - cloud-config
+    - cloud-init
+    - cloud-init-local
+  when: ansible_os_family != "Flatcar"
+
+- name: Create cloud-init config file
+  copy:
+    src: files/etc/cloud/cloud.cfg.d/05_logging.cfg
+    dest: /etc/cloud/cloud.cfg.d/05_logging.cfg
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_os_family != "Flatcar"
+
+- name: set cloudinit feature flags
+  copy:
+    src: usr/lib/python3/dist-packages/cloudinit/feature_overrides.py
+    dest: /usr/lib/python3/dist-packages/cloudinit/feature_overrides.py
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_os_family == "Debian"
+
+- name: Ensure chrony is running
+  systemd:
+    enabled: yes
+    state: started
+    daemon_reload: yes
+    name: chronyd
+  when: (packer_builder_type.startswith('amazon') or
+    packer_builder_type.startswith('azure') or
+    packer_builder_type is search('vmware') or
+    packer_builder_type is search('vsphere')) and
+    ansible_os_family != "Flatcar"

ansible/roles/providers/tasks/nutanix.yml

@@ -0,0 +1,76 @@
+# Copyright 2020 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Install cloud-init packages
+  apt:
+    name: "{{ packages }}"
+    state: present
+    force_apt_get: yes
+  vars:
+    packages:
+      - cloud-init
+      - cloud-guest-utils
+      - cloud-initramfs-copymods
+      - cloud-initramfs-dyn-netconf
+  when: ansible_os_family == "Debian"
+
+- name: Install cloud-init packages
+  yum:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+      - cloud-init
+      - cloud-utils-growpart
+  when: ansible_os_family == "RedHat"
+
+- name: Install CSI prerequisites on Ubuntu
+  apt:
+    name: "{{ packages }}"
+    state: present
+    force_apt_get: yes
+  vars:
+    packages:
+      - nfs-common
+      - open-iscsi
+      - lvm2
+      - xfsprogs
+  when: ansible_os_family == "Debian"
+
+- name: Install CSI prerequisites on RedHat
+  yum:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+      - iscsi-initiator-utils
+      - nfs-utils
+      - lvm2
+      - xfsprogs
+  when: ansible_os_family == "RedHat"
+
+- name: Enable iSCSI initiator daemon on Ubuntu or RedHat
+  systemd:
+    name: iscsid
+    state: started
+    enabled: true
+  when: ansible_os_family == "Debian" or
+    ansible_os_family == "RedHat"
+
+- name: Disable Hyper-V KVP protocol daemon on Ubuntu
+  systemd:
+    name: hv-kvp-daemon
+    state: stopped
+    enabled: false
+  when: ansible_os_family == "Debian"

ansible/roles/providers/tasks/oci.yml

@@ -0,0 +1,34 @@
+# Copyright 2021 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Remove the default input reject all iptable rule
+  lineinfile:
+    path: /etc/iptables/rules.v4
+    state: absent
+    regexp: "-A INPUT -j REJECT --reject-with icmp-host-prohibited"
+  when: ansible_distribution == "Ubuntu"
+
+- name: Remove the default input reject all iptable rule
+  lineinfile:
+    path: /etc/iptables/rules.v4
+    state: absent
+    regexp: "-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
+  when: ansible_distribution == "Ubuntu"
+
+- name: Disable firewalld service
+  systemd:
+    name: firewalld
+    state: stopped
+    enabled: false
+  when: ansible_distribution == "OracleLinux"

ansible/roles/providers/tasks/outscale.yml

@@ -0,0 +1,24 @@
+- name: Download cloud-int outscale package for Ubuntu
+  copy:
+    src: files/tmp/cloud-init_22.2-outscale.deb
+    dest: /tmp/cloud-init_22.2-outscale.deb
+    owner: root
+    group: root
+    mode: 0755
+  when: ansible_distribution == "Ubuntu"
+
+- name: Install cloud-init outscale package
+  apt:
+    deb: /tmp/cloud-init_22.2-outscale.deb
+    force: True
+    force_apt_get: True
+  when: ansible_distribution == "Ubuntu"
+
+- name: Change cloud-init metadata outscale config in Ubuntu
+  copy:
+    src: files/etc/cloud/cloud.cfg.d/99_metadata.cfg 
+    dest: /etc/cloud/cloud.cfg.d/99_metadata.cfg 
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_distribution == "Ubuntu"

ansible/roles/providers/tasks/qemu.yml

@@ -0,0 +1,49 @@
+# Copyright 2020 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Install cloud-init packages
+  apt:
+    name: "{{ packages }}"
+    state: present
+    force_apt_get: yes
+  vars:
+    packages:
+    - cloud-init
+    - cloud-guest-utils
+    - cloud-initramfs-copymods
+    - cloud-initramfs-dyn-netconf
+  when: ansible_os_family == "Debian"
+
+- name: Install cloud-init packages
+  yum:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - cloud-init
+    - cloud-utils-growpart
+  when: ansible_os_family == "RedHat"
+
+#- name: Unlock password
+#  replace:
+#    path: /etc/cloud/cloud.cfg
+#    regexp: '(?i)lock_passwd: True'
+#    replace: 'lock_passwd: False'
+
+- name: Disable Hyper-V KVP protocol daemon on Ubuntu
+  systemd:
+    name: hv-kvp-daemon
+    state: stopped
+    enabled: false
+  when: ansible_os_family == "Debian"

ansible/roles/providers/tasks/raw.yml

@@ -0,0 +1,57 @@
+# Copyright 2021 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Install cloud-init packages
+  apt:
+    name: "{{ packages }}"
+    state: present
+    force_apt_get: yes
+  vars:
+    packages:
+    - cloud-init
+    - cloud-guest-utils
+    - cloud-initramfs-copymods
+    - cloud-initramfs-dyn-netconf
+  when: ansible_os_family == "Debian"
+
+- name: Install cloud-init packages
+  yum:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - cloud-init
+    - cloud-utils-growpart
+  when: ansible_os_family == "RedHat"
+
+#- name: Unlock password
+#  replace:
+#    path: /etc/cloud/cloud.cfg
+#    regexp: '(?i)lock_passwd: True'
+#    replace: 'lock_passwd: False'
+
+- name: Symlink /usr/libexec/cloud-init to /usr/lib/cloud-init
+  file:
+    src:   /usr/libexec/cloud-init
+    dest:  /usr/lib/cloud-init
+    mode: 0777
+    state: link
+  when: ansible_os_family == "RedHat"
+
+- name: Disable Hyper-V KVP protocol daemon on Ubuntu
+  systemd:
+    name: hv-kvp-daemon
+    state: stopped
+    enabled: false
+  when: ansible_os_family == "Debian"

ansible/roles/providers/tasks/redhat.yml

@@ -0,0 +1,30 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: import the Microsoft repository key
+  command: rpm --import https://packages.microsoft.com/keys/microsoft.asc
+
+- name: Add the yum repository for the azure cli
+  yum_repository:
+    name: azure_cli
+    description: Azure CLI
+    baseurl: https://packages.microsoft.com/yumrepos/azure-cli
+    gpgkey: https://packages.microsoft.com/keys/microsoft.asc
+    gpgcheck: yes
+    enabled: yes
+
+- name: install Azure CLI
+  package:
+    name: azure-cli
+    state: present

ansible/roles/providers/tasks/vmware-photon.yml

@@ -0,0 +1,79 @@
+# Copyright 2021 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Install cloud-init and tools for VMware Photon OS
+  command: tdnf install {{ packages }} -y
+  vars:
+    packages: "cloud-init cloud-utils python3-netifaces"
+
+- name: Remove cloud-init /etc/cloud/cloud.cfg.d/99-disable-networking-config.cfg
+  file:
+    path: /etc/cloud/cloud.cfg.d/99-disable-networking-config.cfg
+    state: absent
+
+- name: Install networkd-dispatcher service (Download from source)
+  unarchive:
+    src: "{{ networkd_dispatcher_download_url }}"
+    dest: /tmp
+    remote_src: yes
+
+- name: Create needed directories
+  file:
+    path: "{{ item.dir }}"
+    state: directory
+  loop:
+    - { dir: /etc/conf.d }
+    - { dir: /etc/networkd-dispatcher/carrier.d }
+    - { dir: /etc/networkd-dispatcher/configured.d }
+    - { dir: /etc/networkd-dispatcher/configuring.d }
+    - { dir: /etc/networkd-dispatcher/degraded.d }
+    - { dir: /etc/networkd-dispatcher/dormant.d }
+    - { dir: /etc/networkd-dispatcher/no-carrier.d }
+    - { dir: /etc/networkd-dispatcher/off.d }
+    - { dir: /etc/networkd-dispatcher/routable.d }
+
+- name: Install networkd-dispatcher service (Move files)
+  command: mv "{{ item.src }}" "{{ item.dest }}"
+  loop:
+    - { src: /tmp/networkd-dispatcher-2.1/networkd-dispatcher, dest: /usr/bin }
+    - { src: /tmp/networkd-dispatcher-2.1/networkd-dispatcher.service, dest: /etc/systemd/system }
+    - { src: /tmp/networkd-dispatcher-2.1/networkd-dispatcher.conf, dest: /etc/conf.d }
+
+- name: Install networkd-dispatcher service (Run networkd-dispatcher)
+  systemd:
+    name: networkd-dispatcher
+    state: started
+    enabled: yes
+
+- name: Copy networkd-dispatcher scripts to add DHCP provided NTP servers
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: a+x
+  vars:
+    server_dir: "/var/lib/dhclient"
+    chrony_helper_dir: "/usr/libexec"
+  loop:
+    - { src: files/etc/networkd-dispatcher/routable.d/20-chrony.j2, dest: /etc/networkd-dispatcher/routable.d/20-chrony }
+    - { src: files/etc/networkd-dispatcher/off.d/20-chrony.j2, dest: /etc/networkd-dispatcher/off.d/20-chrony }
+    - { src: files/etc/networkd-dispatcher/no-carrier.d/20-chrony.j2, dest: /etc/networkd-dispatcher/no-carrier.d/20-chrony }
+
+- name: Copy chrony-helper script
+  copy:
+    src: files/usr/libexec/chrony-helper
+    dest: /usr/libexec/chrony-helper
+    owner: root
+    group: root
+    mode: a+x

ansible/roles/providers/tasks/vmware-redhat.yml

@@ -0,0 +1,51 @@
+# Copyright 2022 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Install cloud-init packages
+  yum:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - cloud-init
+    - cloud-utils-growpart
+    - python2-pip
+
+# pip on CentOS needs to be upgraded, but since it's still
+# Python 2.7, need < 21.0
+- name: Upgrade pip
+  pip:
+    name: pip<21.0
+    state: forcereinstall
+  when: ansible_distribution_major_version == '7'
+
+# Directly installing Guestinfo datasource is needed so long as
+# cloud-init is < 21.3
+- name: Download cloud-init datasource for VMware Guestinfo
+  get_url:
+    url:  '{{ guestinfo_datasource_script }}'
+    dest: /tmp/cloud-init-vmware.sh
+    mode: 0700
+
+- name: Execute cloud-init-vmware.sh
+  shell: bash -o errexit -o pipefail /tmp/cloud-init-vmware.sh
+  environment:
+    REPO_SLUG: '{{ guestinfo_datasource_slug }}'
+    GIT_REF:   '{{ guestinfo_datasource_ref }}'
+
+- name: Remove cloud-init-vmware.sh
+  file:
+    path:  /tmp/cloud-init-vmware.sh
+    state: absent

ansible/roles/providers/tasks/vmware-ubuntu.yml

@@ -0,0 +1,45 @@
+# Copyright 2021 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Install cloud-init packages
+  apt:
+    name: "{{ packages }}"
+    state: present
+    force_apt_get: yes
+  vars:
+    packages:
+    - cloud-init
+    - cloud-guest-utils
+    - cloud-initramfs-copymods
+    - cloud-initramfs-dyn-netconf
+
+- name: Disable Hyper-V KVP protocol daemon on Ubuntu
+  systemd:
+    name: hv-kvp-daemon
+    state: stopped
+    enabled: false
+
+- name: Copy networkd-dispatcher scripts to add DHCP provided NTP servers
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: a+x
+  vars:
+    server_dir: "/var/lib/dhcp"
+    chrony_helper_dir: "/usr/lib/chrony"
+  loop:
+    - { src: files/etc/networkd-dispatcher/routable.d/20-chrony.j2, dest: /etc/networkd-dispatcher/routable.d/20-chrony }
+    - { src: files/etc/networkd-dispatcher/off.d/20-chrony.j2, dest: /etc/networkd-dispatcher/off.d/20-chrony }
+    - { src: files/etc/networkd-dispatcher/no-carrier.d/20-chrony.j2, dest: /etc/networkd-dispatcher/no-carrier.d/20-chrony }

ansible/roles/providers/tasks/vmware.yml

@@ -0,0 +1,57 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- include_tasks: vmware-photon.yml
+  when: ansible_os_family == "VMware Photon OS"
+
+- include_tasks: vmware-ubuntu.yml
+  when: ansible_os_family == "Debian"
+
+- include_tasks: vmware-redhat.yml
+  when: ansible_os_family == "RedHat"
+
+- name: Create provider vmtools config drop-in file
+  copy:
+    src: files/etc/vmware-tools/tools.conf
+    dest: /etc/vmware-tools/tools.conf
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_os_family != "Flatcar"
+
+- name: Create service to modify cloud-init config
+  copy:
+    src: files/etc/systemd/system/modify-cloud-init-cfg.service
+    dest: /etc/systemd/system/modify-cloud-init-cfg.service
+    owner: root
+    group: root
+    mode: 0644
+  when: ansible_os_family != "Flatcar"
+
+- name: Copy cloud-init modification script
+  copy:
+    src: files/usr/local/bin/modify-cloud-init-cfg.sh
+    dest: /usr/local/bin/modify-cloud-init-cfg.sh
+    owner: root
+    group: root
+    mode: 0755
+  when: ansible_os_family != "Flatcar"
+
+- name: Enable modify-cloud-init-cfg.service
+  systemd:
+    name: modify-cloud-init-cfg.service
+    daemon_reload: yes
+    enabled: True
+    state: stopped
+  when: ansible_os_family != "Flatcar"