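# Copyright 2019 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# Image clean-up ("sysprep") task list. OS-family specific steps are imported
# first; everything below is shared and gated by `when:` where a family differs.
- import_tasks: debian.yml
  when: ansible_os_family == "Debian"

- import_tasks: flatcar.yml
  when: ansible_os_family == "Flatcar"

- import_tasks: redhat.yml
  when: ansible_os_family == "RedHat"

- import_tasks: photon.yml
  when: ansible_os_family == "VMware Photon OS"

# Build-time proxy settings must not leak into the published image.
- name: Remove containerd http proxy conf file if needed
  file:
    path: /etc/systemd/system/containerd.service.d/http-proxy.conf
    state: absent
  when: http_proxy is defined or https_proxy is defined

- name: Remove pip conf file if needed
  file:
    path: /etc/pip.conf
    state: absent
  when: remove_extra_repos and pip_conf_file != ""

# absent -> touch leaves an empty file so that each instance started from the
# image gets its own machine-id instead of inheriting the build host's.
- name: Truncate machine id
  file:
    state: "{{ item.state }}"
    path: "{{ item.path }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - { path: /etc/machine-id, state: absent, mode: "{{ machine_id_mode }}" }
    - { path: /etc/machine-id, state: touch, mode: "{{ machine_id_mode }}" }
  when: ansible_os_family != "Flatcar"

- name: Truncate hostname file
  file:
    state: "{{ item.state }}"
    path: "{{ item.path }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    - { path: /etc/hostname, state: absent, mode: "0644" }
    - { path: /etc/hostname, state: touch, mode: "0644" }

- name: Set hostname
  hostname:
    name: localhost.local
  when: ansible_os_family != "VMware Photon OS" and ansible_os_family != "Flatcar" and packer_build_name != "nutanix"

- name: Reset hosts file
  copy:
    src: files/etc/hosts
    dest: /etc/hosts
    owner: root
    group: root
    mode: "0644"

# Login accounting records from the build are removed and the files recreated
# empty with the group ownership the login tools expect.
- name: Truncate audit logs
  file:
    state: "{{ item.state }}"
    path: "{{ item.path }}"
    owner: root
    group: utmp
    mode: "{{ item.mode }}"
  loop:
    - { path: /var/log/wtmp, state: absent, mode: "0664" }
    - { path: /var/log/lastlog, state: absent, mode: "{{ last_log_mode }}" }
    - { path: /var/log/wtmp, state: touch, mode: "0664" }
    - { path: /var/log/lastlog, state: touch, mode: "{{ last_log_mode }}" }

# Clearing cloud-init state lets it run as a first boot on the new instance
# and drops build-time user-data that may have been logged.
- name: Remove cloud-init lib dir and logs
  file:
    state: absent
    path: "{{ item }}"
  loop:
    - /var/lib/cloud
    - /var/log/cloud-init.log
    - /var/log/cloud-init-output.log
    - /var/run/cloud-init

# A shallow search in /tmp and /var/tmp is used to declare which files or
# directories will be removed as part of resetting temp space. The reason
# a state absent->directory task isn't used is because Ansible's own data
# directory on the remote host(s) is /tmp/.ansible. Thus, by removing /tmp,
# Ansible can no longer access the remote host.
- name: Find temp files
  find:
    depth: 1
    file_type: any
    paths:
      - /tmp
      - /var/tmp
    pattern: '*'
  register: temp_files

- name: Reset temp space
  file:
    state: absent
    path: "{{ item.path }}"
  loop: "{{ temp_files.files }}"

- name: Find netplan files
  find:
    depth: 1
    file_type: any
    paths:
      - /lib/netplan
      - /etc/netplan
      - /run/netplan
    pattern: '*.yaml'
  register: netplan_files

- name: Delete netplan files
  file:
    state: absent
    path: "{{ item.path }}"
  loop: "{{ netplan_files.files }}"
  when: netplan_files.files is defined and (netplan_files.files|length>0)

# KUBEVIRT is read from the controller's environment (lookup runs locally).
- name: Create netplan for KubeVirt
  vars:
    kubevirt: "{{ lookup('env', 'KUBEVIRT') }}"
  copy:
    src: files/etc/netplan/51-kubevirt-netplan.yaml
    dest: /etc/netplan/51-kubevirt-netplan.yaml
    mode: "0644"
  when: ansible_os_family == "Debian" and kubevirt == "true"

# Host keys are removed so that instances built from this image do not all
# share the same SSH identity; each instance must generate its own on first
# boot (handled outside this file). `paths` is used for consistency with the
# other find tasks above.
- name: Find SSH host keys
  find:
    paths: /etc/ssh
    pattern: 'ssh_host_*'
  register: ssh_host_keys

- name: Remove SSH host keys
  file:
    state: absent
    path: "{{ item.path }}"
  loop: "{{ ssh_host_keys.files }}"

# The build user's authorized_keys is the key Packer used to provision the
# image; it must not remain in the published artifact.
- name: Remove SSH authorized users
  file:
    state: absent
    path: "{{ item.path }}"
  loop:
    - { path: /root/.ssh/authorized_keys }
    - { path: "/home/{{ ansible_env.SUDO_USER | default(ansible_user_id) }}/.ssh/authorized_keys" }
  when: ansible_os_family != "Flatcar"

- name: Remove SSH authorized users for Flatcar
  file:
    state: absent
    path: "{{ item.path }}"
  loop:
    - { path: /root/.ssh/authorized_keys }
  when: ansible_os_family == "Flatcar"

# -exec is used instead of piping into xargs so that log file names containing
# whitespace or shell metacharacters cannot be mis-split into separate
# arguments; this also matches the style of the logrotate clean-up task below.
- name: Truncate all remaining log files in /var/log
  shell:
    cmd: |
      find /var/log -type f -iname '*.log' -exec truncate -s 0 {} +
  when: ansible_os_family != "Flatcar"

- name: Delete all logrotated log zips
  shell:
    cmd: |
      find /var/log -type f -name '*.gz' -exec rm {} +
  when: ansible_os_family != "Flatcar"

- name: Remove swapfile
  file:
    state: "{{ item.state }}"
    path: "{{ item.path }}"
  loop:
    - { path: /swapfile, state: absent }
    - { path: /mnt/resource/swapfile, state: absent }
  when: ansible_memory_mb.swap.total != 0

# Shell history from the build may contain credentials or internal hostnames.
- name: Truncate shell history
  file:
    state: absent
    path: "{{ item.path }}"
  loop:
    - { path: /root/.bash_history }
    - { path: "/home/{{ ansible_env.SUDO_USER | default(ansible_user_id) }}/.bash_history" }

# journalctl --rotate is not available on RHEL/CentOS 7 and older.
- name: Rotate journalctl to archive logs
  shell:
    cmd: |
      journalctl --rotate
  when: not ( ansible_os_family == "RedHat" and ansible_distribution_major_version|int <= 7 )

- name: Remove archived journalctl logs
  shell:
    cmd: |
      journalctl -m --vacuum-time=1s

- name: Ensure ignition runs on next boot
  file:
    state: touch
    path: /boot/flatcar/first_boot
    owner: root
    group: root
  when: ansible_os_family == "Flatcar"

- name: Remove any default Ignition files used by Packer
  file:
    state: absent
    path: /usr/share/oem/config.ign
  when: ansible_os_family == "Flatcar"

# `true` rather than the YAML 1.1 `yes` so the value parses as a boolean
# under every loader.
- name: start ssh
  systemd:
    name: ssh
    enabled: true
  when: ansible_os_family == "Debian"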