diff --git a/cluster-api/versions/v1_33.json b/cluster-api/versions/v1_33.json
index 6323e432..5e13a949 100644
--- a/cluster-api/versions/v1_33.json
+++ b/cluster-api/versions/v1_33.json
@@ -1,5 +1,5 @@
 {
 "kubernetes_series": "v1.33",
- "kubernetes_semver": "v1.33.10",
- "kubernetes_deb_version": "1.33.10-1.1"
-}
\ No newline at end of file
+ "kubernetes_semver": "v1.33.12",
+ "kubernetes_deb_version": "1.33.12-1.1"
+}
diff --git a/cluster-api/versions/v1_34.json b/cluster-api/versions/v1_34.json
index 5327d7bd..644dcf3a 100644
--- a/cluster-api/versions/v1_34.json
+++ b/cluster-api/versions/v1_34.json
@@ -1,5 +1,5 @@
 {
 "kubernetes_series": "v1.34",
- "kubernetes_semver": "v1.34.6",
- "kubernetes_deb_version": "1.34.6-1.1"
-}
\ No newline at end of file
+ "kubernetes_semver": "v1.34.8",
+ "kubernetes_deb_version": "1.34.8-1.1"
+}
diff --git a/os_builders/rename_images.sh b/os_builders/rename_images.sh
old mode 100644
new mode 100755
diff --git a/os_builders/requirements.txt b/os_builders/requirements.txt
index b7de100c..0e9a27c9 100644
--- a/os_builders/requirements.txt
+++ b/os_builders/requirements.txt
@@ -1,5 +1,4 @@
-# Newer Ansible versions do not support the Python 3.6 interpreter used by Rocky 8
-ansible==9.13.0
-ansible-core==2.16.16
+ansible==11.13.0
+ansible-core==2.18.16
 # The most compatible OpenStack CLI version with OpenStack Yoga
 python-openstackclient==5.8.0
diff --git a/os_builders/roles/image_fixes/tasks/nvidia-pci.yml b/os_builders/roles/image_fixes/tasks/nvidia-pci.yml
index 202a6e35..cfa90d1f 100644
--- a/os_builders/roles/image_fixes/tasks/nvidia-pci.yml
+++ b/os_builders/roles/image_fixes/tasks/nvidia-pci.yml
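Review bot: The bump to ansible-core==2.18.16 removes the comment that pinned 2.16 because of the Python 3.6 interpreter on Rocky 8, yet this same commit still carries Rocky 8 tasks (wazuh.yml installs python3 when distribution_major_version is "8"), so either Rocky 8 images are no longer built or they now need a newer target interpreter. As far as the ansible-core changelog goes, 2.17 and later no longer support Python 3.6 on managed nodes, so Rocky 8 hosts would need ansible_python_interpreter pointed at a newer python3 (or be dropped); confirm which applies before merging. Whatever the answer, record it here in place of the deleted comment, e.g. `# ansible-core >= 2.17 drops Python 3.6 on managed nodes; Rocky 8 hosts must use a newer interpreter via ansible_python_interpreter`.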
@@ -9,39 +9,39 @@ # https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1849563/comments/16 - name: Ensure grub command line has 'pci=nocrs,realloc' for NVIDIA PCI BAR fix - when: ansible_os_family == "Debian" + when: ansible_facts['os_family'] == "Debian" become: true block: - - name: Ensure grub2-common is installed for default grub file - ansible.builtin.apt: - name: grub2-common - state: present - update_cache: yes - - name: Restore default grub file - # As we incrementally build images theres a mixture of grub files with some subtle bugs - # we should restore the default file to ensure we have a clean base to work from - # then use the /etc/default/grub.d/ to add our custom settings - ansible.builtin.copy: - src: /usr/share/grub/default/grub - dest: /etc/default/grub - remote_src: true - owner: root - group: root - mode: '0644' + - name: Ensure grub2-common is installed for default grub file + ansible.builtin.apt: + name: grub2-common + state: present + update_cache: yes + - name: Restore default grub file + # As we incrementally build images theres a mixture of grub files with some subtle bugs + # we should restore the default file to ensure we have a clean base to work from + # then use the /etc/default/grub.d/ to add our custom settings + ansible.builtin.copy: + src: /usr/share/grub/default/grub + dest: /etc/default/grub + remote_src: true + owner: root + group: root + mode: "0644" - - name: Ensure pcie=nocrs,realloc is in the grub cmdline - ansible.builtin.copy: - # Need to be higher than 50 to override the cloud image default settings from Canonical - # which discards any GRUB cmdline settings in 50-cloudimg-settings.cfg - dest: /etc/default/grub.d/60-nvidia-pci-bar.cfg - content: | - # Added to fix NVIDIA PCI BAR I/O region error on OVMF firmware - # This file is managed by the STFC Cloud Team - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT pcie=nocrs,realloc" - owner: root - group: root - mode: '0644' - register: grub_updated + - name: Ensure 
pcie=nocrs,realloc is in the grub cmdline + ansible.builtin.copy: + # Need to be higher than 50 to override the cloud image default settings from Canonical + # which discards any GRUB cmdline settings in 50-cloudimg-settings.cfg + dest: /etc/default/grub.d/60-nvidia-pci-bar.cfg + content: | + # Added to fix NVIDIA PCI BAR I/O region error on OVMF firmware + # This file is managed by the STFC Cloud Team + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT pcie=nocrs,realloc" + owner: root + group: root + mode: "0644" + register: grub_updated - name: Check if machine supports UEFI boot become: true 
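Review bot: `update_cache: yes` in the reindented grub2-common apt task keeps a YAML 1.1 truthy word while the same hunk normalises `mode: '0644'` to `mode: "0644"`; the half-done normalisation reads oddly and yamllint's truthy rule will flag it. Write `update_cache: true` so the block uses the same boolean spelling as the `remote_src: true` line a few tasks below.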
@@ -64,20 +64,19 @@ register: in_container - name: Update grub configuration - when: ansible_os_family == "Debian" and in_container.stdout != "0::/" + when: ansible_facts['os_family'] == "Debian" and in_container.stdout != "0::/" become: true block: - - name: Update grub configuration for Debian BIOS boot - ansible.builtin.command: "grub-mkconfig -o /boot/grub/grub.cfg" - when: grub_updated.changed and bios_dir.stat.exists + - name: Update grub configuration for Debian BIOS boot + ansible.builtin.command: "grub-mkconfig -o /boot/grub/grub.cfg" + when: grub_updated.changed and bios_dir.stat.exists - - name: Update grub configuration for Debian UEFI boot - ansible.builtin.command: "grub-mkconfig -o /boot/efi/EFI/{{ ansible_distribution | lower }}/grub.cfg" - when: grub_updated.changed and efi_dir.stat.exists + - name: Update grub configuration for Debian UEFI boot + ansible.builtin.command: "grub-mkconfig -o /boot/efi/EFI/{{ ansible_facts['distribution'] | lower }}/grub.cfg" + when: grub_updated.changed and efi_dir.stat.exists - name: Update grub configuration for RedHat based systems become: true # We could be on EFI or BIOS so need to find the correct grub config location ansible.builtin.shell: 'grub2-mkconfig -o "$(readlink -e /etc/grub2.conf)"' - when: grub_updated.changed and ansible_os_family == "RedHat" and in_container.stdout != "0::/" - \ No newline at end of file + when: grub_updated.changed and ansible_facts['os_family'] == "RedHat" and in_container.stdout != "0::/" diff --git a/os_builders/roles/nubes_bootcontext/tasks/main.yml b/os_builders/roles/nubes_bootcontext/tasks/main.yml index b0d3baec..9b9f1eea 100644 --- a/os_builders/roles/nubes_bootcontext/tasks/main.yml +++ b/os_builders/roles/nubes_bootcontext/tasks/main.yml @@ -7,7 +7,7 @@ name: dnsutils state: present update_cache: true - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true - name: Copy in nubes-bootcontext script 
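Review bot: The RedHat task at the bottom of the hunk is gated on `grub_updated.changed`, but within this diff `grub_updated` is only registered by the drop-in copy task inside the block that runs `when: ansible_facts['os_family'] == "Debian"`; on a RedHat host that task is skipped, and a skipped task's registered result reports `changed: false`, so `grub2-mkconfig` would never run there. Unless a task in the unseen lines between the two hunks also registers `grub_updated` on RedHat, the gate needs a result that is actually produced on RedHat hosts (or a separate task writing the equivalent kernel-cmdline change for that family), otherwise the pcie=nocrs,realloc fix silently applies to Debian images only. Worth a quick check with a Rocky build log before merging.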
diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_old_kernels.yml b/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_old_kernels.yml index 244b5eee..8e2fe923 100644 --- a/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_old_kernels.yml +++ b/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_old_kernels.yml @@ -4,7 +4,7 @@ shell: "dpkg --list | egrep -i 'linux-image|linux-headers|linux-modules' | cut -d ' ' -f 3 | grep -v $(uname -r) | grep -v 'linux-headers-generic' | grep -v 'linux-headers-virtual' | grep -v 'linux-image-virtual' | xargs apt-get remove -y" become: true when: ( ansible_facts.packages['linux-image'] | length > 1) - when: ansible_distribution == "Ubuntu" and "linux-image" in ansible_facts.packages + when: ansible_facts['distribution'] == "Ubuntu" and "linux-image" in ansible_facts.packages - name: Cleanup old kernels Rocky block: @@ -12,4 +12,4 @@ command: cmd: "dnf remove --oldinstallonly kernel -y" when: ( ansible_facts.packages['kernel'] | length > 1) - when: ansible_distribution == "Rocky" and "kernel" in ansible_facts.packages + when: ansible_facts['distribution'] == "Rocky" and "kernel" in ansible_facts.packages diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_packages.yml b/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_packages.yml index 75c7cb30..6339f6a2 100644 --- a/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_packages.yml +++ b/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_packages.yml @@ -10,9 +10,9 @@ - name: clean yum/dnf command: yum clean all - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" - name: clean apt cache ansible.builtin.apt: clean: yes - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_quattor.yml b/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_quattor.yml index c4393074..cc571c8b 100644 
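Review bot: The Ubuntu block is gated on `"linux-image" in ansible_facts.packages`, but package_facts keys the dict by exact package name and Ubuntu kernel packages are named `linux-image-<version>-generic` / `linux-image-generic`, so unless a package literally called `linux-image` is installed this condition (and the inner `ansible_facts.packages['linux-image'] | length > 1`) is always false and the cleanup never runs; the tidy_image copy of this file later in the diff has the same gate. If the intent is "more than one kernel image installed", select keys by prefix, e.g. `ansible_facts.packages | select('match', '^linux-image-') | list | length > 1`. Independently, the shell pipeline should use `xargs -r apt-get remove -y` so an empty candidate list does not invoke apt-get with no package arguments.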
--- a/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_quattor.yml +++ b/os_builders/roles/prep_vm_post_reboot/tasks/cleanup_quattor.yml @@ -22,4 +22,4 @@ ansible.builtin.command: cmd: "systemctl stop ncm-cdispd.service" when: ccm_conf_exists - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/clear_audit_log.yml b/os_builders/roles/prep_vm_post_reboot/tasks/clear_audit_log.yml index d7e6a025..abc3f73e 100644 --- a/os_builders/roles/prep_vm_post_reboot/tasks/clear_audit_log.yml +++ b/os_builders/roles/prep_vm_post_reboot/tasks/clear_audit_log.yml @@ -2,7 +2,7 @@ block: - name: Clear Audit log shell: "/bin/cat /dev/null > /var/log/audit/audit.log" - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" - name: Clear Audit log shell: "/bin/cat /dev/null > /var/log/wtmp" @@ -11,4 +11,4 @@ block: - name: Clear Audit log shell: "/bin/cat /dev/null > /var/log/auth.log" - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/logrotate.yml b/os_builders/roles/prep_vm_post_reboot/tasks/logrotate.yml index f368224a..07c603a1 100644 --- a/os_builders/roles/prep_vm_post_reboot/tasks/logrotate.yml +++ b/os_builders/roles/prep_vm_post_reboot/tasks/logrotate.yml @@ -2,14 +2,13 @@ file: path: "/etc/logrotate.d/btmp" state: absent - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" - name: Remove duplicate /etc/logrotate.d/wtmp file: path: "/etc/logrotate.d/wtmp" state: absent - when: ansible_distribution == "Rocky" - + when: ansible_facts['distribution'] == "Rocky" - name: Clear Audit log shell: "sudo logrotate -f /etc/logrotate.conf" diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/main.yml b/os_builders/roles/prep_vm_post_reboot/tasks/main.yml index 3aaebd1b..bf0bc2bc 100644 
--- a/os_builders/roles/prep_vm_post_reboot/tasks/main.yml +++ b/os_builders/roles/prep_vm_post_reboot/tasks/main.yml @@ -2,7 +2,7 @@ - include_tasks: get_package_facts.yml - include_tasks: run_quattor.yml - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" - include_tasks: get_package_facts.yml - include_tasks: cleanout_tmp.yml - include_tasks: cleanout_rc_directories.yml @@ -11,7 +11,7 @@ - include_tasks: set_locale.yml - include_tasks: wazuh.yml - include_tasks: cleanup_quattor.yml - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" - include_tasks: run_pakiti.yml - include_tasks: cleanup_users.yml - include_tasks: cleanup_old_kernels.yml diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/run_quattor.yml b/os_builders/roles/prep_vm_post_reboot/tasks/run_quattor.yml index 933b8dde..eb052758 100644 --- a/os_builders/roles/prep_vm_post_reboot/tasks/run_quattor.yml +++ b/os_builders/roles/prep_vm_post_reboot/tasks/run_quattor.yml @@ -1,4 +1,4 @@ - name: run quattor shell: "sudo quattor-fetch && sudo quattor-configure --all --verbose" ignore_errors: true - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" diff --git a/os_builders/roles/prep_vm_post_reboot/tasks/set_locale.yml b/os_builders/roles/prep_vm_post_reboot/tasks/set_locale.yml index a82ed42a..9fbe4a28 100644 --- a/os_builders/roles/prep_vm_post_reboot/tasks/set_locale.yml +++ b/os_builders/roles/prep_vm_post_reboot/tasks/set_locale.yml 
@@ -41,13 +41,11 @@ - name: Set locale keymap command: localectl set-keymap gb - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" - name: Set locale keymap command: loadkeys uk - when: ansible_distribution == "Ubuntu" - - + when: ansible_facts['distribution'] == "Ubuntu" # - name: Set locale x11 keymap # command: localeclt set-x11-keymap gb -# when: ansible_distribution == "Rocky" +# when: ansible_facts['distribution'] == "Rocky" diff --git a/os_builders/roles/tidy_image/tasks/cleanup_old_kernels.yml b/os_builders/roles/tidy_image/tasks/cleanup_old_kernels.yml index f7f66a86..0dd26604 100644 --- a/os_builders/roles/tidy_image/tasks/cleanup_old_kernels.yml +++ b/os_builders/roles/tidy_image/tasks/cleanup_old_kernels.yml @@ -4,7 +4,7 @@ shell: "dpkg --list | egrep -i 'linux-image|linux-headers|linux-modules' | cut -d ' ' -f 3 | grep -v $(uname -r) | grep -v 'linux-headers-generic' | grep -v 'linux-headers-virtual' | grep -v 'linux-image-virtual' | xargs apt-get remove -y" become: true when: ( ansible_facts.packages['linux-image'] | length > 1) - when: ansible_distribution == "Ubuntu" and "linux-image" in ansible_facts.packages + when: ansible_facts['distribution'] == "Ubuntu" and "linux-image" in ansible_facts.packages - name: Cleanup old kernels Rocky block: @@ -13,4 +13,4 @@ cmd: "dnf remove --oldinstallonly kernel -y" when: ( ansible_facts.packages['kernel'] | length > 1) become: true - when: ansible_distribution == "Rocky" and "kernel" in ansible_facts.packages + when: ansible_facts['distribution'] == "Rocky" and "kernel" in ansible_facts.packages diff --git a/os_builders/roles/tidy_image/tasks/cleanup_packages.yml b/os_builders/roles/tidy_image/tasks/cleanup_packages.yml index 5ac5fe0e..0f2648c5 100644 --- a/os_builders/roles/tidy_image/tasks/cleanup_packages.yml +++ b/os_builders/roles/tidy_image/tasks/cleanup_packages.yml 
@@ -12,11 +12,11 @@ - name: clean yum/dnf command: yum clean all - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true - name: clean apt cache ansible.builtin.apt: clean: yes - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" become: true diff --git a/os_builders/roles/tidy_image/tasks/cleanup_quattor.yml b/os_builders/roles/tidy_image/tasks/cleanup_quattor.yml index ee394a56..7d90bd7d 100644 --- a/os_builders/roles/tidy_image/tasks/cleanup_quattor.yml +++ b/os_builders/roles/tidy_image/tasks/cleanup_quattor.yml @@ -22,5 +22,5 @@ ansible.builtin.command: cmd: "systemctl stop ncm-cdispd.service" when: ccm_conf_exists.stat.exists - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true diff --git a/os_builders/roles/tidy_image/tasks/clear_audit_log.yml b/os_builders/roles/tidy_image/tasks/clear_audit_log.yml index edbc81d7..b001f17b 100644 --- a/os_builders/roles/tidy_image/tasks/clear_audit_log.yml +++ b/os_builders/roles/tidy_image/tasks/clear_audit_log.yml @@ -3,7 +3,7 @@ - name: Clear Audit log shell: "/bin/cat /dev/null > /var/log/audit/audit.log" ignore_errors: true - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true - name: Clear Audit log @@ -14,5 +14,5 @@ block: - name: Clear Audit log shell: "/bin/cat /dev/null > /var/log/auth.log" - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" become: true diff --git a/os_builders/roles/tidy_image/tasks/logrotate.yml b/os_builders/roles/tidy_image/tasks/logrotate.yml index 5231cb64..68d8c3c5 100644 --- a/os_builders/roles/tidy_image/tasks/logrotate.yml +++ b/os_builders/roles/tidy_image/tasks/logrotate.yml 
@@ -2,17 +2,16 @@ file: path: "/etc/logrotate.d/btmp" state: absent - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true - name: Remove duplicate /etc/logrotate.d/wtmp file: path: "/etc/logrotate.d/wtmp" state: absent - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true - - name: Clear Audit log shell: "logrotate -f /etc/logrotate.conf" become: true diff --git a/os_builders/roles/tidy_image/tasks/main.yml b/os_builders/roles/tidy_image/tasks/main.yml index b63cb022..bfaef33c 100644 --- a/os_builders/roles/tidy_image/tasks/main.yml +++ b/os_builders/roles/tidy_image/tasks/main.yml @@ -18,7 +18,7 @@ - include_tasks: get_package_facts.yml - include_tasks: run_quattor.yml - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" - include_tasks: get_package_facts.yml - include_tasks: cleanout_tmp.yml - include_tasks: cleanout_rc_directories.yml @@ -26,7 +26,7 @@ - include_tasks: set_locale.yml - include_tasks: wazuh.yml - include_tasks: cleanup_quattor.yml - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" - include_tasks: run_pakiti.yml - include_tasks: cleanup_users.yml - include_tasks: cleanup_old_kernels.yml diff --git a/os_builders/roles/tidy_image/tasks/run_quattor.yml b/os_builders/roles/tidy_image/tasks/run_quattor.yml index 2f74ecb1..60d33f4d 100644 --- a/os_builders/roles/tidy_image/tasks/run_quattor.yml +++ b/os_builders/roles/tidy_image/tasks/run_quattor.yml @@ -1,5 +1,5 @@ - name: run quattor shell: "quattor-fetch && quattor-configure --all --verbose" ignore_errors: true - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true diff --git a/os_builders/roles/tidy_image/tasks/set_locale.yml b/os_builders/roles/tidy_image/tasks/set_locale.yml index 628756ae..97309c1a 100644 --- a/os_builders/roles/tidy_image/tasks/set_locale.yml 
+++ b/os_builders/roles/tidy_image/tasks/set_locale.yml @@ -54,15 +54,13 @@ - name: Set locale keymap command: localectl set-keymap gb - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true when: in_container - # - name: Set locale keymap # command: loadkeys uk -# when: ansible_distribution == "Ubuntu" - +# when: ansible_facts['distribution'] == "Ubuntu" # - name: Set locale x11 keymap # command: localeclt set-x11-keymap gb -# when: ansible_distribution == "Rocky" +# when: ansible_facts['distribution'] == "Rocky" diff --git a/os_builders/roles/vm_baseline/tasks/add_user_security.yml b/os_builders/roles/vm_baseline/tasks/add_user_security.yml index 58cdce16..b9ca4d5d 100644 --- a/os_builders/roles/vm_baseline/tasks/add_user_security.yml +++ b/os_builders/roles/vm_baseline/tasks/add_user_security.yml @@ -4,7 +4,7 @@ state: present update_cache: true become: true - when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version == "22" + when: ansible_facts['distribution'] == "Ubuntu" and ansible_facts["distribution_major_version"]== "22" - name: Install pwquality on Ubuntu 24.04 ansible.builtin.apt: @@ -12,11 +12,11 @@ state: present update_cache: true become: true - when: ansible_distribution == "Ubuntu" and ansible_distribution_major_version == "24" + when: ansible_facts['distribution'] == "Ubuntu" and ansible_facts["distribution_major_version"]== "24" - name: Update pam-auth ansible.builtin.command: pam-auth-update --enable capability systemd unix pwquality - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" become: true - name: Copy over pwquality.conf @@ -25,5 +25,5 @@ dest: /etc/security/pwquality.conf owner: root group: root - mode: '0644' + mode: "0644" become: true diff --git a/os_builders/roles/vm_baseline/tasks/cron.yml b/os_builders/roles/vm_baseline/tasks/cron.yml index 0fc6bf31..16cf0e25 100644 --- a/os_builders/roles/vm_baseline/tasks/cron.yml 
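Review bot: `ansible_facts["distribution_major_version"]== "22"` (and the `== "24"` line in the next hunk) drops the space before `==` and switches to double-quoted keys, while every other condition this commit rewrites uses the `ansible_facts['distribution'] == …` form; Jinja accepts it, but it reads like a typo and will not survive a consistent reformat. Write `ansible_facts['distribution_major_version'] == "22"` (and likewise for "24"). The same spelling appears in the Rocky 8 python3 condition of wazuh.yml in this diff.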
+++ b/os_builders/roles/vm_baseline/tasks/cron.yml @@ -1,15 +1,14 @@ - - name: Install cron on Ubuntu apt: name: "cron" state: present update_cache: yes - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" become: true - name: Install cron on RL yum: name: "cronie" state: present - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true diff --git a/os_builders/roles/vm_baseline/tasks/disable_selinux.yml b/os_builders/roles/vm_baseline/tasks/disable_selinux.yml index dd7422f3..aa1aa2c3 100644 --- a/os_builders/roles/vm_baseline/tasks/disable_selinux.yml +++ b/os_builders/roles/vm_baseline/tasks/disable_selinux.yml @@ -5,5 +5,5 @@ line: SELINUX=permissive state: present create: true - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true \ No newline at end of file diff --git a/os_builders/roles/vm_baseline/tasks/locale.yml b/os_builders/roles/vm_baseline/tasks/locale.yml index 8ffb1192..531ee988 100644 --- a/os_builders/roles/vm_baseline/tasks/locale.yml +++ b/os_builders/roles/vm_baseline/tasks/locale.yml @@ -5,7 +5,7 @@ state: present update_cache: true become: true - when: ansible_os_family == "Debian" + when: ansible_facts['os_family'] == "Debian" - name: Install locales on RedHat ansible.builtin.dnf: @@ -14,5 +14,4 @@ - glibc-langpack-en state: present become: true - when: ansible_os_family == "RedHat" - \ No newline at end of file + when: ansible_facts['os_family'] == "RedHat" diff --git a/os_builders/roles/vm_baseline/tasks/pakiti.yml b/os_builders/roles/vm_baseline/tasks/pakiti.yml index 85d09462..1c6728fc 100644 --- a/os_builders/roles/vm_baseline/tasks/pakiti.yml +++ b/os_builders/roles/vm_baseline/tasks/pakiti.yml 
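Review bot: The disable_selinux.yml task leaves SELinux permissive in every Rocky image with no rationale visible in the hunk, and the commit touches it only to rename the fact; permissive mode logs denials but enforces nothing, so the reason for the exception belongs next to the `line: SELINUX=permissive` so a later maintainer can judge whether it is still needed and whether image consumers are expected to re-enable enforcing. Something like `# Images ship permissive because <REASON-PLACEHOLDER>; revisit before switching to enforcing` above the task would do. The task's module and target path are above the hunk, so I cannot tell whether a comment already exists there.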
@@ -35,7 +35,7 @@ - name: Update apt-cache apt: update_cache: yes - when: ansible_distribution == "Ubuntu" and 'pakiti-client' not in ansible_facts.packages + when: ansible_facts['distribution'] == "Ubuntu" and 'pakiti-client' not in ansible_facts.packages become: true - name: Install Pakiti on RL @@ -43,7 +43,7 @@ name: "/tmp/pakiti-client-2.1.4-3.RAL.noarch.rpm" state: present disable_gpg_check: true - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true - name: Ensure pakiti config directory exists @@ -55,7 +55,6 @@ mode: 0644 become: true - - name: Copy pakiti config file copy: src: "etc/pakiti2/pakiti2-client.conf" diff --git a/os_builders/roles/vm_baseline/tasks/qemu-guest-agent.yml b/os_builders/roles/vm_baseline/tasks/qemu-guest-agent.yml index bfc7f4d3..c63b4647 100644 --- a/os_builders/roles/vm_baseline/tasks/qemu-guest-agent.yml +++ b/os_builders/roles/vm_baseline/tasks/qemu-guest-agent.yml @@ -3,18 +3,18 @@ name: qemu-guest-agent state: present update_cache: yes - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" become: true - name: Install Qemu Guest Agent on RL yum: name: "qemu-guest-agent" state: present - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" become: true - name: Enable Qemu Guest Agent ansible.builtin.systemd_service: name: qemu-guest-agent.service enabled: true - become: true \ No newline at end of file + become: true diff --git a/os_builders/roles/vm_baseline/tasks/ukescienceca.yml b/os_builders/roles/vm_baseline/tasks/ukescienceca.yml index 0eba0c67..f85ecbcd 100644 --- a/os_builders/roles/vm_baseline/tasks/ukescienceca.yml +++ b/os_builders/roles/vm_baseline/tasks/ukescienceca.yml 
@@ -1,7 +1,7 @@ - name: Install UK eScience CA ansible.builtin.include_tasks: ukscienceca/install_ukscienceca_ubuntu.yml - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" - name: Install UK eScience Root CA on RL ansible.builtin.include_tasks: ukscienceca/install_ukscienceca_rocky.yml - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" diff --git a/os_builders/roles/vm_baseline/tasks/update.yml b/os_builders/roles/vm_baseline/tasks/update.yml index 43b79a18..154be6c0 100644 --- a/os_builders/roles/vm_baseline/tasks/update.yml +++ b/os_builders/roles/vm_baseline/tasks/update.yml @@ -1,14 +1,14 @@ - name: Error for unknown distributions fail: - msg: "Unknown distribution {{ ansible_distribution }}" - when: ansible_distribution != "Rocky" and ansible_distribution != "Ubuntu" + msg: "Unknown distribution {{ ansible_facts['distribution'] }}" + when: ansible_facts['distribution'] != "Rocky" and ansible_facts['distribution'] != "Ubuntu" - name: Install system updates for RL systems yum: name: "*" state: latest update_cache: yes - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" register: result until: result is not failed retries: 5 @@ -21,7 +21,7 @@ update_cache: yes autoremove: yes autoclean: yes - when: ansible_distribution == 'Ubuntu' + when: ansible_facts['distribution'] == 'Ubuntu' register: result until: result is not failed retries: 5 @@ -34,4 +34,4 @@ - name: print IP debug: - msg: "{{ my_hostname }}" \ No newline at end of file + msg: "{{ my_hostname }}" diff --git a/os_builders/roles/vm_baseline/tasks/wazuh.yml b/os_builders/roles/vm_baseline/tasks/wazuh.yml index a24102ed..8b4b09d4 100644 --- a/os_builders/roles/vm_baseline/tasks/wazuh.yml +++ b/os_builders/roles/vm_baseline/tasks/wazuh.yml 
@@ -2,117 +2,117 @@ ansible.builtin.apt: name: python3-pip state: present - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" become: true - name: Install wazuh on Ubuntu ansible.builtin.include_tasks: wazuh/install_wazuh_ubuntu.yml - when: ansible_distribution == "Ubuntu" + when: ansible_facts['distribution'] == "Ubuntu" - name: Install python3 on Rocky8 for Wazuh ansible.builtin.package: name: python3 state: present update_cache: true - when: ansible_distribution == "Rocky" and ansible_distribution_major_version == "8" + when: ansible_facts['distribution'] == "Rocky" and ansible_facts["distribution_major_version"]== "8" become: true - name: Install wazuh on Rocky ansible.builtin.include_tasks: wazuh/install_wazuh_rocky.yml - when: ansible_distribution == "Rocky" + when: ansible_facts['distribution'] == "Rocky" - name: configure wazuh-agent block: - - name: build wazuh groups list - set_fact: - wazuh_groups: - - "default" - - "cloud" - - "{{ ansible_distribution | lower }}" - - "{{ ansible_facts['os_family'] | lower}}" - - name: build wazuh extra json - set_fact: - wazuh_extra_json: - groups: "{{ wazuh_groups }}" - labels: - image_build_date: "{{ ansible_date_time.iso8601 }}" - - - name: Ensure wazuh-agent extra directory exists - file: - path: "/var/ossec/etc/extra" - state: directory - owner: root - group: root - mode: 0644 - - - name: write out wazuh extra config - copy: - dest: /var/ossec/etc/extra/01-ansible-baseline.json - content: "{{ wazuh_extra_json }}" - - - name: Copy wazuh client enrichment script - copy: - src: "wazuh/enrich-wazuh-agent.py" - dest: "/var/ossec/bin/enrich-wazuh-agent.py" - owner: root - group: wazuh - mode: 0754 - - - name: Ensure wazuh-agent drop in config directory exists - file: - path: "/etc/systemd/system/wazuh-agent.service.d" - state: directory - owner: root - group: root - mode: 0644 - - - name: Copy wazuh drop in unit - copy: - src: "wazuh/preexec.conf" - dest: 
"/etc/systemd/system/wazuh-agent.service.d/preexec.conf" - owner: root - group: root - mode: 0644 - - - name: Copy wazuh config template - copy: - src: "wazuh/ossec.template" - dest: "/var/ossec/etc/ossec.template" - owner: root - group: wazuh - mode: 0754 - - - name: Copy wazuh local internal config - copy: - src: "wazuh/local_internal_options.conf" - dest: "/var/ossec/etc/local_internal_options.conf" - owner: root - group: wazuh - mode: 0750 - - - name: Update template file with groups - replace: - path: "/var/ossec/etc/ossec.template" - regexp: 'AGENT_GROUPS' - replace: "{{ wazuh_groups | join(',') }}" - - - name: Enable wazuh-agent service - become: true - ansible.builtin.command: - cmd: "systemctl enable wazuh-agent.service" - ignore_errors: true - - - name: get service facts - ansible.builtin.service_facts: - - - name: Stop wazuh-agent service - become: true - ansible.builtin.command: - cmd: "systemctl stop wazuh-agent.service" - ignore_errors: true - - - name: Clean Wazuh agent history - file: - path: "/var/ossec/etc/client.keys" - state: absent - become: true \ No newline at end of file + - name: build wazuh groups list + set_fact: + wazuh_groups: + - "default" + - "cloud" + - "{{ ansible_facts['distribution'] | lower }}" + - "{{ ansible_facts['os_family'] | lower}}" + - name: build wazuh extra json + set_fact: + wazuh_extra_json: + groups: "{{ wazuh_groups }}" + labels: + image_build_date: "{{ ansible_facts.date_time.iso8601 }}" + + - name: Ensure wazuh-agent extra directory exists + file: + path: "/var/ossec/etc/extra" + state: directory + owner: root + group: root + mode: 0644 + + - name: write out wazuh extra config + copy: + dest: /var/ossec/etc/extra/01-ansible-baseline.json + content: "{{ wazuh_extra_json }}" + + - name: Copy wazuh client enrichment script + copy: + src: "wazuh/enrich-wazuh-agent.py" + dest: "/var/ossec/bin/enrich-wazuh-agent.py" + owner: root + group: wazuh + mode: 0754 + + - name: Ensure wazuh-agent drop in config directory exists 
+ file: + path: "/etc/systemd/system/wazuh-agent.service.d" + state: directory + owner: root + group: root + mode: 0644 + + - name: Copy wazuh drop in unit + copy: + src: "wazuh/preexec.conf" + dest: "/etc/systemd/system/wazuh-agent.service.d/preexec.conf" + owner: root + group: root + mode: 0644 + + - name: Copy wazuh config template + copy: + src: "wazuh/ossec.template" + dest: "/var/ossec/etc/ossec.template" + owner: root + group: wazuh + mode: 0754 + + - name: Copy wazuh local internal config + copy: + src: "wazuh/local_internal_options.conf" + dest: "/var/ossec/etc/local_internal_options.conf" + owner: root + group: wazuh + mode: 0750 + + - name: Update template file with groups + replace: + path: "/var/ossec/etc/ossec.template" + regexp: "AGENT_GROUPS" + replace: "{{ wazuh_groups | join(',') }}" + + - name: Enable wazuh-agent service + become: true + ansible.builtin.command: + cmd: "systemctl enable wazuh-agent.service" + ignore_errors: true + + - name: get service facts + ansible.builtin.service_facts: + + - name: Stop wazuh-agent service + become: true + ansible.builtin.command: + cmd: "systemctl stop wazuh-agent.service" + ignore_errors: true + + - name: Clean Wazuh agent history + file: + path: "/var/ossec/etc/client.keys" + state: absent + become: true
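Review bot: Both `state: directory` tasks in the reindented block (`/var/ossec/etc/extra` and `/etc/systemd/system/wazuh-agent.service.d`) set `mode: 0644`, which on a directory omits the execute bit, so anything not running as root cannot enter the directory or open the `01-ansible-baseline.json` written into it; `mode: "0755"` (or `"0750"` with `group: wazuh` if only the agent needs it) is the usual directory permission. The reindented lines also keep unquoted `0644`/`0754`/`0750` modes while this commit quotes `mode: "0644"` in nvidia-pci.yml and add_user_security.yml — quote them the same way so the leading zero and octal intent survive a reformatter. Whether the wazuh user actually reads the extra directory depends on the enrichment script, which is not in this diff, so confirm the intended consumer before picking the group mode.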