Test dependencies

ansible/roles/sysprep/defaults/main.yml

@@ -0,0 +1,17 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+extra_repos: ""
+pip_conf_file: ""
+remove_extra_repos: false

ansible/roles/sysprep/files/etc/hosts

@@ -0,0 +1,2 @@
+127.0.0.1      localhost localhost.local
+::1	       localhost ip6-localhost ip6-loopback

ansible/roles/sysprep/files/etc/netplan/51-kubevirt-netplan.yaml

@@ -0,0 +1,7 @@
+network:
+  version: 2
+  ethernets:
+    id0:
+      match:
+        name: enp*s*
+      dhcp4: true

ansible/roles/sysprep/tasks/debian.yml

@@ -0,0 +1,95 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Define file modes
+  set_fact:
+    last_log_mode:   "0664"
+    machine_id_mode: "0644"
+
+- name: apt-mark all installed packages
+  shell: dpkg-query -f '${binary:Package}\n' -W | xargs apt-mark hold
+
+- name: Remove extra repos
+  file:
+    path: "/etc/apt/sources.list.d/{{ item | basename }}"
+    state: absent
+  loop: "{{ extra_repos.split() }}"
+  when: remove_extra_repos and extra_repos != ""
+
+- name: Find disabled repo files
+  find:
+    depth: 1
+    paths:
+      - /etc/apt
+      - /etc/apt/sources.list.d
+    patterns: '*.list.disabled'
+  register: repo_files
+  when: disable_public_repos|default(false)|bool and reenable_public_repos|default(true)|bool
+
+- name: Enable repos
+  command: "mv {{ item.path }} {{ item.path | regex_replace('.disabled') }}"
+  loop: "{{ repo_files.files }}"
+  when: disable_public_repos|default(false)|bool and reenable_public_repos|default(true)|bool
+
+- name: Remove templated apt.conf.d/90proxy used for http(s)_proxy support
+  file:
+    path: etc/apt/apt.conf.d/90proxy
+    state: absent
+  when: http_proxy is defined or https_proxy is defined
+
+- name: Stop auditing
+  service:
+    name: rsyslog
+    state: stopped
+
+- name: Remove apt package caches
+  apt:
+    autoclean: yes
+    autoremove: yes
+    force_apt_get: yes
+
+- name: Remove apt package lists
+  file:
+    state: "{{ item.state }}"
+    path: "{{ item.path }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  loop:
+  - { path: /var/lib/apt/lists, state: absent,    mode: "0755" }
+  - { path: /var/lib/apt/lists, state: directory, mode: "0755" }
+
+- name: Disable apt-daily services
+  systemd:
+    name: "{{ item }}"
+    state: stopped
+    enabled: false
+  loop:
+  - apt-daily.timer
+  - apt-daily-upgrade.timer
+
+- name: Get installed packages
+  package_facts:
+
+- name: Disable unattended upgrades if installed
+  systemd:
+    name: unattended-upgrades
+    state: stopped
+    enabled: false
+  when: "'unattended-upgrades' in ansible_facts.packages"
+
+- name: Reset network interface IDs
+  file:
+    state: absent
+    path: /etc/udev/rules.d/70-persistent-net.rules

ansible/roles/sysprep/tasks/flatcar.yml

@@ -0,0 +1,57 @@
+# Copyright 2020 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Define file modes
+  set_fact:
+    last_log_mode:   "0644"
+    machine_id_mode: "0444"
+
+- name: Invalidate the machine-id file for systemd to reevaluate presets
+  file:
+    path: /etc/machine-id
+    state: absent
+
+- name: Stop and mask update-engine to freeze the image version
+  systemd:
+    name: update-engine
+    state: stopped
+    enabled: no
+    masked: yes
+
+- name: Stop and mask the locksmith reboot manager since it depends on update-engine
+  systemd:
+    name: locksmithd
+    state: stopped
+    enabled: no
+    masked: yes
+
+- name: Mask docker
+  systemd:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+    masked: yes
+  with_items:
+  - docker.socket
+  - docker.service
+
+- name: Set cgroup v1 to match the cgroupfs driver in containerd and kubelet
+  shell: |
+    echo 'set linux_append="$linux_append systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller"' >> /usr/share/oem/grub.cfg
+  when: kubernetes_semver is version('v1.21.0', '<')
+
+- name: Set oem_id in grub
+  shell: |
+    echo 'set oem_id="{{oem_id}}"' >> /usr/share/oem/grub.cfg
+  when: (oem_id is defined) and (oem_id != "")

ansible/roles/sysprep/tasks/main.yml

@@ -0,0 +1,234 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- import_tasks: debian.yml
+  when: ansible_os_family == "Debian"
+
+- import_tasks: flatcar.yml
+  when: ansible_os_family == "Flatcar"
+
+- import_tasks: redhat.yml
+  when: ansible_os_family == "RedHat"
+
+- import_tasks: photon.yml
+  when: ansible_os_family == "VMware Photon OS"
+
+- name: Remove containerd http proxy conf file if needed
+  file:
+    path: /etc/systemd/system/containerd.service.d/http-proxy.conf
+    state: absent
+  when: http_proxy is defined or https_proxy is defined
+
+- name: Remove pip conf file if needed
+  file:
+    path: /etc/pip.conf
+    state: absent
+  when: remove_extra_repos and pip_conf_file != ""
+
+- name: Truncate machine id
+  file:
+    state: "{{ item.state }}"
+    path: "{{ item.path }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  loop:
+  - { path: /etc/machine-id, state: absent, mode: "{{ machine_id_mode }}" }
+  - { path: /etc/machine-id, state: touch,  mode: "{{ machine_id_mode }}" }
+  when: ansible_os_family != "Flatcar"
+
+- name: Truncate hostname file
+  file:
+    state: "{{ item.state }}"
+    path: "{{ item.path }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+  loop:
+  - { path: /etc/hostname, state: absent, mode: "0644" }
+  - { path: /etc/hostname, state: touch,  mode: "0644" }
+
+- name: Set hostname
+  hostname:
+    name: localhost.local
+  when: ansible_os_family != "VMware Photon OS" and ansible_os_family != "Flatcar" and packer_build_name != "nutanix"
+
+- name: Reset hosts file
+  copy:
+    src: files/etc/hosts
+    dest: /etc/hosts
+    owner: root
+    group: root
+    mode: "0644"
+
+- name: Truncate audit logs
+  file:
+    state: "{{ item.state }}"
+    path: "{{ item.path }}"
+    owner: root
+    group: utmp
+    mode: "{{ item.mode }}"
+  loop:
+  - { path: /var/log/wtmp,    state: absent, mode: "0664" }
+  - { path: /var/log/lastlog, state: absent, mode: "{{ last_log_mode }}" }
+  - { path: /var/log/wtmp,    state: touch,  mode: "0664" }
+  - { path: /var/log/lastlog, state: touch,  mode: "{{ last_log_mode }}" }
+
+- name: Remove cloud-init lib dir and logs
+  file:
+    state: absent
+    path: "{{ item }}"
+  loop:
+  - /var/lib/cloud
+  - /var/log/cloud-init.log
+  - /var/log/cloud-init-output.log
+  - /var/run/cloud-init
+
+# A shallow search in /tmp and /var/tmp is used to declare which files or
+# directories will be removed as part of resetting temp space. The reason
+# a state absent->directory task isn't used is because Ansible's own data
+# directory on the remote host(s) is /tmp/.ansible. Thus, by removing /tmp,
+# Ansible can no longer access the remote host.
+- name: Find temp files
+  find:
+    depth: 1
+    file_type: any
+    paths:
+    - /tmp
+    - /var/tmp
+    pattern: '*'
+  register: temp_files
+
+- name: Reset temp space
+  file:
+    state: absent
+    path: "{{ item.path }}"
+  loop: "{{ temp_files.files }}"
+
+- name: Find netplan files
+  find:
+    depth: 1
+    file_type: any
+    paths:
+    - /lib/netplan
+    - /etc/netplan
+    - /run/netplan
+    pattern: '*.yaml'
+  register: netplan_files
+
+- name: Delete netplan files
+  file:
+    state: absent
+    path: "{{ item.path }}"
+  loop: "{{ netplan_files.files }}"
+  when: netplan_files.files is defined and (netplan_files.files|length>0)
+
+- name: Create netplan for KubeVirt
+  vars:
+    kubevirt: "{{ lookup('env', 'KUBEVIRT') }}"
+  copy:
+    src: files/etc/netplan/51-kubevirt-netplan.yaml
+    dest: /etc/netplan/51-kubevirt-netplan.yaml
+    mode: "0644"
+  when: ansible_os_family == "Debian" and kubevirt == "true"
+
+- name: Find SSH host keys
+  find:
+    path: /etc/ssh
+    pattern: 'ssh_host_*'
+  register: ssh_host_keys
+
+- name: Remove SSH host keys
+  file:
+    state: absent
+    path: "{{ item.path }}"
+  loop: "{{ ssh_host_keys.files }}"
+
+- name: Remove SSH authorized users
+  file:
+    state: absent
+    path: "{{ item.path }}"
+  loop:
+  - { path: /root/.ssh/authorized_keys }
+  - { path: "/home/{{ ansible_env.SUDO_USER | default(ansible_user_id) }}/.ssh/authorized_keys" }
+  when: ansible_os_family != "Flatcar"
+
+- name: Remove SSH authorized users for Flatcar
+  file:
+    state: absent
+    path: "{{ item.path }}"
+  loop:
+  - { path: /root/.ssh/authorized_keys }
+  when: ansible_os_family == "Flatcar"
+
+
+- name: Truncate all remaining log files in /var/log
+  shell:
+    cmd: |
+      find /var/log -type f -iname '*.log' | xargs truncate -s 0
+  when: ansible_os_family != "Flatcar"
+
+- name: Delete all logrotated log zips
+  shell:
+    cmd: |
+      find /var/log -type f -name '*.gz' -exec rm {} +
+  when: ansible_os_family != "Flatcar"
+
+- name: Remove swapfile
+  file:
+    state: "{{ item.state }}"
+    path: "{{ item.path }}"
+  loop:
+  - { path: /swapfile, state: absent }
+  - { path: /mnt/resource/swapfile, state: absent }
+  when: ansible_memory_mb.swap.total != 0
+
+- name: Truncate shell history
+  file:
+    state: absent
+    path: "{{ item.path }}"
+  loop:
+  - { path: /root/.bash_history }
+  - { path: "/home/{{ ansible_env.SUDO_USER | default(ansible_user_id) }}/.bash_history" }
+
+- name: Rotate journalctl to archive logs
+  shell:
+    cmd: |
+      journalctl --rotate
+  when: not ( ansible_os_family == "RedHat" and ansible_distribution_major_version|int <= 7 )
+
+- name: Remove archived journalctl logs
+  shell:
+    cmd: |
+      journalctl -m --vacuum-time=1s
+
+- name: Ensure ignition runs on next boot
+  file:
+    state: touch
+    path: /boot/flatcar/first_boot
+    owner: root
+    group: root
+  when: ansible_os_family == "Flatcar"
+
+- name: Remove any default Ignition files used by Packer
+  file:
+    state: absent
+    path: /usr/share/oem/config.ign
+  when: ansible_os_family == "Flatcar"
+
+- name: start ssh
+  systemd:
+    name: ssh
+    enabled: yes
+  when: ansible_os_family == "Debian"

ansible/roles/sysprep/tasks/photon.yml

@@ -0,0 +1,50 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Define file modes
+  set_fact:
+    last_log_mode:   "0644"
+    machine_id_mode: "0444"
+
+- name: set hostname
+  command: hostnamectl set-hostname localhost.local
+
+- name: Remove the kickstart log
+  file:
+    state: absent
+    path: /root/anaconda-ks.cfg
+
+- name: Get installed packages
+  shell: tdnf list installed | cut -d ' ' -f 1
+  register: packages
+
+- name: create a package list
+  set_fact:
+    package_list: "{{ packages.stdout_lines | join(' ') }}"
+
+- name: exclude packages from upgrade
+  lineinfile:
+    path: /etc/tdnf/tdnf.conf
+    regexp: '^excludepkgs='
+    line: excludepkgs={{ package_list }}
+
+- import_tasks: rpm_repos.yml
+
+- name: Remove tdnf package caches
+  command: /usr/bin/tdnf -y clean all
+
+- name: Lock root account
+  user:
+    name: root
+    password_lock: yes

ansible/roles/sysprep/tasks/redhat.yml

@@ -0,0 +1,79 @@
+# Copyright 2019 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Define file modes
+  set_fact:
+    last_log_mode:   "0644"
+    machine_id_mode: "0444"
+
+- name: Get installed packages
+  package_facts:
+
+- name: create the package list
+  set_fact:
+    package_list: "{{ ansible_facts.packages.keys() | join(' ') }}"
+
+- name: exclude the packages from upgrades
+  lineinfile:
+    path: /etc/yum.conf
+    regexp: '^exclude='
+    line: exclude={{ package_list }}
+
+- import_tasks: rpm_repos.yml
+
+# Oracle Linux does not have temp-disk-swapfile service
+- name: Disable swap service and ensure it is masked
+  systemd:
+    name: temp-disk-swapfile
+    enabled: no
+    masked: yes
+  when: ansible_memory_mb.swap.total != 0 and ansible_distribution_major_version|int <= 7
+
+- name: Disable swap service and ensure it is masked on RHEL 8
+  systemd:
+    name: swap.target
+    enabled: no
+    masked: yes
+  when: ansible_memory_mb.swap.total != 0 and ansible_distribution_major_version|int == 8
+
+- name: Remove RHEL subscription
+  block:
+    - name: enable repo mgmt with subscription-manager
+      command: subscription-manager config --rhsm.manage_repos=1
+    - name: Remove subscriptions
+      rhsm_repository:
+        name: '*'
+        state: absent
+    - name: Unregister system
+      redhat_subscription:
+        state: absent
+    - name: clean local subscription data
+      command: subscription-manager clean
+  when: ansible_distribution == "RedHat"
+
+- name: Remove yum package caches
+  yum:
+    autoremove: yes
+    lock_timeout: 60
+
+- name: Remove yum package lists
+  command: /usr/bin/yum -y clean all
+
+- name: Reset network interface IDs
+  shell: sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-*
+
+- name: Remove the kickstart log
+  file:
+    state: absent
+    path: /root/anaconda-ks.cfg

ansible/roles/sysprep/tasks/rpm_repos.yml

@@ -0,0 +1,33 @@
+# Copyright 2020 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: Remove extra repos
+  file:
+    path: "/etc/yum.repos.d/{{ item | basename }}"
+    state: absent
+  loop: "{{ extra_repos.split() }}"
+  when: remove_extra_repos and extra_repos != ""
+
+- name: Find disabled repo files
+  find:
+    depth: 1
+    paths: /etc/yum.repos.d
+    patterns: '*.repo.disabled'
+  register: repo_files
+  when: disable_public_repos|default(false)|bool and reenable_public_repos|default(true)|bool
+
+- name: Enable repos
+  command: "mv {{ item.path }} {{ item.path | regex_replace('.disabled') }}"
+  loop: "{{ repo_files.files }}"
+  when: disable_public_repos|default(false)|bool and reenable_public_repos|default(true)|bool