Add Ansible roles for Linux; address project chores (vmware-samples#156)

**Linux machine images**: - Adds Ansible roles (`users`, `configure`, and `clean`) for Linux machine image builds. [vmware-samples#54](vmware-samples#54) - Updates GHA to ignore Ansible since the linter errors on a required configuration. **Windows machine images**: - Condenses Windows machine image scripts. **Chores**: - Updates to minimum Packer version to `v1.7.10`. - Updates to minimum Terraform version to `v1.1.5`. - Resolve linter issue on` CODE_OF_CONDUCT.md`. - Update dates in `LICENSE` and `NOTICE` to 2022. - Simplifies terms or phrases in `build.sh`, `config.sh`, and `set-envvars.sh`
robertzakrocki · Feb 7, 2022 · 12d5c48 · 12d5c48
1 parent f80292a
commit 12d5c48
Show file tree

Hide file tree

Showing 86 changed files with 518 additions and 1,537 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml
@@ -58,7 +58,7 @@ body:
  attributes:
  label: HashiCorp Packer
  description: Please provide the HashiCorp Packer version.
- placeholder: 1.7.9
+ placeholder: 1.7.10
  validations:
  required: true
  - type: input

diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -22,4 +22,5 @@ jobs:
  VALIDATE_ALL_CODEBASE: true
  DEFAULT_BRANCH: "main"
  DISABLE_ERRORS: false
+ VALIDATE_ANSIBLE: false
  VALIDATE_TERRAGRUNT: false
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -2,10 +2,8 @@
 
 ## Our Pledge
 
-We as members, contributors, and leaders pledge to make participation in the project and our community a harassment-free
-experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics,
-gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance,
-race, religion, or sexual identity and orientation.
+We as members, contributors, and leaders pledge to make participation in the project and our community a harassment-free experience for everyone,
+regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
 
 We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
 
@@ -81,4 +79,4 @@ Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcem
 [contributor-covenant-faq]: https://www.contributor-covenant.org/faq
 [contributor-covenant-translations]: https://www.contributor-covenant.org/translations
 
-For answers to common questions about this code of conduct, see the [FAQ][contributor-covenant-faq] and its [translations][contributor-covenant-translations].
+For answers to common questions about this code of conduct, see the [FAQ][contributor-covenant-faq] and its [translations][contributor-covenant-translations].
diff --git a/LICENSE b/LICENSE
@@ -1,4 +1,4 @@
-Copyright 2020-2021 VMware, Inc. All Rights Reserved.
+Copyright 2020-2022 VMware, Inc. All Rights Reserved.
 
 The BSD-2 license (the "License") set forth below applies to all parts of the project. You may not use this file except in compliance with the License.
 

diff --git a/NOTICE b/NOTICE
@@ -1,4 +1,4 @@
-Copyright 2020-2021 VMware, Inc. All Rights Reserved.
+Copyright 2020-2022 VMware, Inc. All Rights Reserved.
 
 This product is licensed to you under the BSD-2 license (the "License"). You may not use this product except in compliance with the BSD-2 License.
 

diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 <img alt="Last Commit" src="https://img.shields.io/github/last-commit/vmware-samples/packer-examples-for-vsphere?style=for-the-badge&logo=github"> [<img alt="The Changelog" src="https://img.shields.io/badge/The%20Changelog-Read-blue?style=for-the-badge&logo=github">](CHANGELOG.md) [<img alt="Open in Visual Studio Code" src="https://img.shields.io/badge/Visual%20Studio%20Code-Open-blue?style=for-the-badge&logo=visualstudiocode">](https://open.vscode.dev/vmware-samples/packer-examples-for-vsphere)
 <br/>
 <img alt="VMware vSphere 7.0 Update 2+" src="https://img.shields.io/badge/VMware%20vSphere-7.0%20Update%202+-blue?style=for-the-badge">
-<img alt="Packer 1.7.9+" src="https://img.shields.io/badge/HashiCorp%20Packer-1.7.9+-blue?style=for-the-badge&logo=packer">
+<img alt="Packer 1.7.10+" src="https://img.shields.io/badge/HashiCorp%20Packer-1.7.10+-blue?style=for-the-badge&logo=packer">
 <img alt="Ansible 2.9+" src="https://img.shields.io/badge/Ansible-2.9+-blue?style=for-the-badge&logo=ansible">
 
 ## Table of Contents
@@ -53,7 +53,7 @@ The following builds are available:
 ## Requirements
 
 **Packer**:
-* HashiCorp [Packer][packer-install] 1.7.9 or higher.
+* HashiCorp [Packer][packer-install] 1.7.10 or higher.
 * HashiCorp [Packer Plugin for VMware vSphere][packer-plugin-vsphere] (`vsphere-iso`) 1.0.3 or higher.
 * [Packer Plugin for Windows Updates][packer-plugin-windows-update] 0.14.0 or higher - a community plugin for HashiCorp Packer.
 
@@ -84,7 +84,7 @@ The following software packages must be installed on the Packer host:
  - macOS: `brew install --cask docker`
 * Coreutils
  - macOS: `brew install coreutils`
-* HashiCorp [Terraform][terraform-install] 1.1.3 or higher.
+* HashiCorp [Terraform][terraform-install] 1.1.5 or higher.
  - Ubuntu:
  - `sudo apt-get update && sudo apt-get install -y gnupg software-properties-common curl`
  - `curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -`
@@ -164,8 +164,6 @@ The directory structure of the repository.
 │ └── root-ca.cer.example
 ├── manifests
 ├── scripts
-│ ├── linux
-│ │ └── *.sh
 │ └── windows
 │ └── *.ps1
 └── terraform
@@ -174,14 +172,14 @@ The directory structure of the repository.
 ```
 
 The files are distributed in the following directories.
-* **`ansible`** - contains the Ansible roles to initialize and prepare the machine image build.
+* **`ansible`** - contains the Ansible roles to prepare a Linux machine image build.
 * **`builds`** - contains the templates, variables, and configuration files for the machine image build.
-* **`scripts`** - contains the scripts to initialize and prepare the machine image build.
-* **`certificates`** - contains the Trusted Root Authority certificates for Windows build.
+* **`scripts`** - contains the scripts to initialize and prepare a Windows machine image build.
+* **`certificates`** - contains the Trusted Root Authority certificates for a Windows machine image build.
 * **`manifests`** - manifests created after the completion of the machine image build.
-* **`manifests`** - contains example Terraform plans to test machine image builds.
+* **`terraform`** - contains example Terraform plans to test machine image builds.
 
-> **NOTE**: The project is transitioning to use Ansible instead of scripts, where possible.
+> **NOTE**: The project is transitioning to use Ansible role instead of scripts, where possible.
 
 ### Step 2 - Download the Guest Operating Systems ISOs
 
@@ -405,7 +403,7 @@ Your public key has been saved in /Users/rainpole/.ssh/id_ecdsa.pub.
 The content of the public key, `build_key`, is added the key to the `.ssh/authorized_keys` file of the `build_username` on the guest operating system.
 
 >**WARNING**: Replace the default public keys and passwords.
->By default, both Public Key Authentication and Password Authentication are enabled for Linux distributions. If you wish to disable Password Authentication and only use Public Key Authentication, comment or remove the portion of the associated script in the `scripts` directory.
+>By default, both Public Key Authentication and Password Authentication are enabled for Linux distributions. If you wish to disable Password Authentication and only use Public Key Authentication, comment or remove the portion of the associated Ansible `configure` role.
 
 ##### Ansible Variables
 
@@ -560,17 +558,17 @@ Edit the `*.auto.pkvars.hcl` file in each `builds/<type>/<build>` folder to conf
   >**Note**: All `variables.auto.pkvars.hcl` default to using the [VMware Paravirtual SCSI controller][vmware-pvscsi] and the [VMXNET 3][vmware-vmxnet3] network card device types.
 
 
-### Step 5 - Modify the Configurations and Scripts (Optional)
+### Step 5 - Modify the Configurations (Optional)
 
-If required, modify the configuration and scripts files, for the Linux distributions and Microsoft Windows.
+If required, modify the configuration files for the Linux distributions and Microsoft Windows.
 
-#### Linux Distribution Kickstart and Scripts
+#### Linux Distribution Kickstart and Ansible Roles
 
-Username and password variables are passed into the kickstart or cloud-init files for each Linux distribution as Packer template files (`.pkrtpl.hcl`) to generate these on-demand.
+Username and password variables are passed into the kickstart or cloud-init files for each Linux distribution as Packer template files (`.pkrtpl.hcl`) to generate these on-demand. Ansible roles are then used to configure the Linux machine image builds.
 
 #### Microsoft Windows Unattended amd Scripts
 
-Variables are passed into the [Microsoft Windows][microsoft-windows-unattend] unattend files (`autounattend.xml`) as Packer template files (`autounattend.pkrtpl.hcl`) to generate these on-demand.
+Variables are passed into the [Microsoft Windows][microsoft-windows-unattend] unattend files (`autounattend.xml`) as Packer template files (`autounattend.pkrtpl.hcl`) to generate these on-demand. A PowerShell script is then used to configure the Linux machine image builds.
 
 By default, each unattended file is set to use the [KMS client setup keys][microsoft-kms] as the **Product Key**.
 
@@ -645,10 +643,6 @@ Happy building!!!
 * Read [Debugging Packer Builds][packer-debug].
 
 ## Credits
-* Maher AlAsfar [@vmwarelab][credits-maher-alasfar-twitter]
-
- [Linux][credits-maher-alasfar-github] Bash scripting hints.
-
 * Owen Reynolds [@OVDamn][credits-owen-reynolds-twitter]
 
  [VMware Tools for Windows][credits-owen-reynolds-github] installation PowerShell script.
@@ -657,8 +651,6 @@ Happy building!!!
 
 [ansible-docs]: https://docs.ansible.com
 [cloud-init]: https://cloudinit.readthedocs.io/en/latest/
-[credits-maher-alasfar-twitter]: https://twitter.com/vmwarelab
-[credits-maher-alasfar-github]: https://github.com/vmwarelab/cloud-init-scripts
 [credits-owen-reynolds-twitter]: https://twitter.com/OVDamn
 [credits-owen-reynolds-github]: https://github.com/getvpro/Build-Packer/blob/master/Scripts/Install-VMTools.ps1
 [download-git]: https://git-scm.com/downloads
@@ -671,7 +663,7 @@ Happy building!!!
 [download-linux-redhat-server-7]: https://access.redhat.com/downloads/content/69/
 [download-linux-rocky-server-8]: https://download.rockylinux.org/pub/rocky/8/isos/x86_64/
 [download-linux-ubuntu-server-18-04-lts]: http:https://cdimage.ubuntu.com/ubuntu/releases/18.04.5/release/
-[download-linux-ubuntu-server-20-04-lts]: https://releases.ubuntu.com/20.04.1/
+[download-linux-ubuntu-server-20-04-lts]: https://releases.ubuntu.com/20.04/
 [hashicorp]: https://www.hashicorp.com/
 [iso]: https://en.wikipedia.org/wiki/ISO_image
 [microsoft-kms]: https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys

diff --git a/ansible/main.yml b/ansible/main.yml
@@ -7,3 +7,6 @@
  hosts: all
  roles:
  - base
+ - users
+ - configure
+ - clean
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
@@ -1,10 +1,10 @@
 ---
-- name: "Prepare {{ ansible_facts['distribution'] }} distribution."
+- name: "Prepare {{ ansible_facts['distribution'] }} guest operating system."
  include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
  when: "ansible_facts['distribution'] == 'Ubuntu'"
-- name: "Prepare {{ ansible_facts['distribution'] }} distribution."
+- name: "Prepare {{ ansible_facts['distribution'] }} guest operating system."
  include_tasks: redhat.yml
  when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux']"
-- name: "Prepare {{ ansible_facts['os_family'] }} distribution."
+- name: "Prepare {{ ansible_facts['os_family'] }} guest operating system."
  include_tasks: "{{ ansible_facts['lsb']['codename'] | lower }}.yml"
  when: "ansible_facts['os_family'] == 'VMware Photon OS'"
diff --git a/ansible/roles/base/tasks/redhat.yml b/ansible/roles/base/tasks/redhat.yml
@@ -1,5 +1,5 @@
 ---
-- name: "Red Hat Subscription Manager Status"
+- name: "Checking Red Hat Subscription Manager status."
  shell: "subscription-manager refresh"
  when: "ansible_facts['distribution'] == 'RedHat'"
 - name: "Updating the guest operating system."

diff --git a/ansible/roles/clean/tasks/main.yml b/ansible/roles/clean/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: "Prepare {{ ansible_facts['distribution'] }} guest operating system."
+ include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
+ when: "ansible_facts['distribution'] == 'Ubuntu'"
+- name: "Prepare {{ ansible_facts['distribution'] }} guest operating system."
+ include_tasks: redhat.yml
+ when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux']"
+- name: "Prepare {{ ansible_facts['os_family'] }} guest operating system."
+ include_tasks: "{{ ansible_facts['lsb']['codename'] | lower }}.yml"
+ when: "ansible_facts['os_family'] == 'VMware Photon OS'"
diff --git a/ansible/roles/clean/tasks/photon.yml b/ansible/roles/clean/tasks/photon.yml
@@ -0,0 +1,29 @@
+---
+- name: "Cleaning tdnf cache."
+ shell: |
+ tdnf clean all
+ args:
+ warn: false
+- name: "Cleaning log files."
+ shell: |
+ find /var/log -type f -delete
+ rm -rf /var/log/journal/*
+ args:
+ warn: false
+- name: "Cleaning SSH host keys."
+ shell: |
+ rm -f /etc/ssh/ssh_host_*
+ args:
+ warn: false
+- name: "Cleaning the machine-id."
+ shell: |
+ truncate -s 0 /etc/machine-id
+ rm /var/lib/dbus/machine-id
+ ln -s /etc/machine-id /var/lib/dbus/machine-id
+ args:
+ warn: false
+- name: "Cleaning the shell history."
+ shell: |
+ history -c
+ args:
+ warn: false
diff --git a/ansible/roles/clean/tasks/redhat.yml b/ansible/roles/clean/tasks/redhat.yml
@@ -0,0 +1,59 @@
+---
+- name: "Cleaning all audit logs."
+ shell: |
+ if [ -f /var/log/audit/audit.log ]; then
+ cat /dev/null > /var/log/audit/audit.log
+ fi
+ if [ -f /var/log/wtmp ]; then
+ cat /dev/null > /var/log/wtmp
+ fi
+ if [ -f /var/log/lastlog ]; then
+ cat /dev/null > /var/log/lastlog
+ fi
+ args:
+ warn: false
+- name: "Cleaning persistent udev rules."
+ shell: |
+ if [ -f /etc/udev/rules.d/70-persistent-net.rules ]; then
+ rm /etc/udev/rules.d/70-persistent-net.rules
+ fi
+ args:
+ warn: false
+- name: "Cleaning the /tmp directories"
+ shell: |
+ rm -rf /tmp/*
+ rm -rf /var/tmp/*
+ rm -rf /var/cache/dnf/*
+ args:
+ warn: false
+- name: "Cleaning the Red Hat Subscription Manager logs."
+ shell: |
+ rm -rf /var/log/rhsm/*
+ when: "ansible_facts['distribution'] == 'RedHat'"
+ args:
+ warn: false
+- name: "Cleaning the SSH host keys."
+ shell: |
+ rm -f /etc/ssh/ssh_host_*
+ args:
+ warn: false
+- name: "Cleaning the machine-id."
+ shell: |
+ truncate -s 0 /etc/machine-id
+ rm /var/lib/dbus/machine-id
+ ln -s /etc/machine-id /var/lib/dbus/machine-id
+ args:
+ warn: false
+- name: "Cleaning the shell history."
+ shell: |
+ unset HISTFILE
+ history -cw
+ echo > ~/.bash_history
+ rm -fr /root/.bash_history
+ args:
+ warn: false
+- name: "Running a sync."
+ shell: |
+ sync && sync
+ args:
+ warn: false
diff --git a/ansible/roles/clean/tasks/ubuntu.yml b/ansible/roles/clean/tasks/ubuntu.yml
@@ -0,0 +1,47 @@
+---
+- name: "Cleaning all audit logs."
+ shell: |
+ if [ -f /var/log/audit/audit.log ]; then
+ cat /dev/null > /var/log/audit/audit.log
+ fi
+ if [ -f /var/log/wtmp ]; then
+ cat /dev/null > /var/log/wtmp
+ fi
+ if [ -f /var/log/lastlog ]; then
+ cat /dev/null > /var/log/lastlog
+ fi
+ args:
+ warn: false
+- name: "Cleaning persistent udev rules."
+ shell: |
+ if [ -f /etc/udev/rules.d/70-persistent-net.rules ]; then
+ rm /etc/udev/rules.d/70-persistent-net.rules
+ fi
+ args:
+ warn: false
+- name: "Cleaning the /tmp directories"
+ shell: |
+ rm -rf /tmp/*
+ rm -rf /var/tmp/*
+ args:
+ warn: false
+- name: "Cleaning the SSH host keys."
+ shell: |
+ rm -f /etc/ssh/ssh_host_*
+ args:
+ warn: false
+- name: "Cleaning the machine-id."
+ shell: |
+ truncate -s 0 /etc/machine-id
+ rm /var/lib/dbus/machine-id
+ ln -s /etc/machine-id /var/lib/dbus/machine-id
+ args:
+ warn: false
+- name: "Cleaning the shell history."
+ shell: |
+ unset HISTFILE
+ history -cw
+ echo > ~/.bash_history
+ rm -fr /root/.bash_history
+ args:
+ warn: false
diff --git a/ansible/roles/configure/tasks/main.yml b/ansible/roles/configure/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: "Prepare {{ ansible_facts['distribution'] }} guest operating system."
+ include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"
+ when: "ansible_facts['distribution'] == 'Ubuntu'"
+- name: "Prepare {{ ansible_facts['distribution'] }} ansible_facts['os_family']."
+ include_tasks: redhat.yml
+ when: "ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux']"
+- name: "Prepare {{ ansible_facts['os_family'] }} guest operating system."
+ include_tasks: "{{ ansible_facts['lsb']['codename'] | lower }}.yml"
+ when: "ansible_facts['os_family'] == 'VMware Photon OS'"
+
diff --git a/ansible/roles/configure/tasks/photon.yml b/ansible/roles/configure/tasks/photon.yml
@@ -0,0 +1,17 @@
+---
+- name: "Configure SSH for Public Key Authentication."
+ shell: |
+ sudo sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
+ sudo sed -i 's/.*PubkeyAuthentication.*/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
+ args:
+ warn: false
+- name: "Setting hostname to localhost."
+ shell: |
+ hostnamectl set-hostname localhost
+ args:
+ warn: false
+- name: "Disable IPv6."
+ shell: |
+ sudo echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
+ args:
+ warn: false