From 4b8f838589ae9f362905e4cb107f6a8322cb02f3 Mon Sep 17 00:00:00 2001
From: Kalibh Halford
Date: Tue, 18 Nov 2025 13:50:35 +0000
Subject: [PATCH 1/2] ENH: Add quattor role Create a new role to install quattor onto the image. This will allow it to be managed by Aquilon. This is a separate role as only certain images need this installed.
---
os_builders/quattor.yml | 4 +
os_builders/roles/quattor/defaults/main.yaml | 1 +
.../quattor/files/99-set-aquilon-profile.cfg | 20 +++++
os_builders/roles/quattor/tasks/main.yaml | 77 +++++++++++++++++++
4 files changed, 102 insertions(+)
create mode 100644 os_builders/quattor.yml
create mode 100644 os_builders/roles/quattor/defaults/main.yaml
create mode 100644 os_builders/roles/quattor/files/99-set-aquilon-profile.cfg
create mode 100644 os_builders/roles/quattor/tasks/main.yaml
diff --git a/os_builders/quattor.yml b/os_builders/quattor.yml
new file mode 100644
index 00000000..72866cae
--- /dev/null
+++ b/os_builders/quattor.yml
@@ -0,0 +1,4 @@
+- name: Install Quattor Onto STFC Cloud User Image
+ hosts: all
+ roles:
+ - role: quattor
diff --git a/os_builders/roles/quattor/defaults/main.yaml b/os_builders/roles/quattor/defaults/main.yaml
new file mode 100644
index 00000000..f1306fad
--- /dev/null
+++ b/os_builders/roles/quattor/defaults/main.yaml
@@ -0,0 +1 @@
+quattor_version: 24.10.0
diff --git a/os_builders/roles/quattor/files/99-set-aquilon-profile.cfg b/os_builders/roles/quattor/files/99-set-aquilon-profile.cfg
new file mode 100644
index 00000000..c58f05fe
--- /dev/null
+++ b/os_builders/roles/quattor/files/99-set-aquilon-profile.cfg
@@ -0,0 +1,20 @@
+## template: jinja
+#cloud-config
+write_files:
+- path: /etc/ccm.conf
+ content: |
+ ca_dir /etc/grid-security/certificates/
+ cache_root /var/lib/ccm
+ debug 0
+ force 0
+ get_timeout 30
+ lock_retries 3
+ lock_wait 30
+ profile https://aquilon.gridpp.rl.ac.uk/profiles/host-{{ ds.ec2_metadata.local_ipv4 | replace(".","-") }}.nubes.stfc.ac.uk.json
+ profile_failover http://aquilon.gridpp.rl.ac.uk/profiles/host-{{ ds.ec2_metadata.local_ipv4 | replace(".","-") }}.nubes.stfc.ac.uk.json
+ retrieve_retries 3
+ retrieve_wait 30
+ world_readable 0
+ owner: 'root:root'
+ permissions: '0644'
+ defer: true
\ No newline at end of file
diff --git a/os_builders/roles/quattor/tasks/main.yaml b/os_builders/roles/quattor/tasks/main.yaml
new file mode 100644
index 00000000..3548bf7b
--- /dev/null
+++ b/os_builders/roles/quattor/tasks/main.yaml
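Review bot: In 99-set-aquilon-profile.cfg the `profile_failover` line points at an `http://` URL while `profile` uses https, so whenever the HTTPS fetch fails the host's configuration profile is retrieved with neither server authentication nor transport integrity. Nothing in this hunk shows the profile being verified another way, and the role installs ncm-ncd, which presumably applies that profile with root privileges. Either drop the failover or give it the same scheme as the primary, e.g. `profile_failover https://aquilon.gridpp.rl.ac.uk/profiles/host-{{ ds.ec2_metadata.local_ipv4 | replace(".","-") }}.nubes.stfc.ac.uk.json`. A short comment noting that the profile name is derived from the metadata-service IPv4 address would also help the next reader.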
@@ -0,0 +1,77 @@
+- name: Add EPEL repository
+ ansible.builtin.yum_repository:
+ name: epel-{{ ansible_facts.distribution_major_version }}-x86_64
+ description: "EPEL {{ ansible_facts.distribution_major_version }} Repository"
+ baseurl: "http://mirrors.gridpp.rl.ac.uk/current/epel-{{ ansible_facts.distribution_major_version }}-x86_64/RPMS.base/"
+ enabled: true
+ gpgcheck: false
+ state: present
+ become: true
+
+- name: Add Powertools repository
+ ansible.builtin.yum_repository:
+ name: rocky-{{ ansible_facts.distribution_major_version }}x-x86_64-powertools
+ description: Rocky Mirror powertools
+ baseurl: "http://mirrors.gridpp.rl.ac.uk/current/rocky-{{ ansible_facts.distribution_major_version }}-x86_64/RPMS.powertools/"
+ enabled: true
+ gpgcheck: true
+ state: present
+ module_hotfixes: true
+ become: true
+
+- name: Add Rocky mirror repositories crb
+ ansible.builtin.yum_repository:
+ name: rocky-{{ ansible_facts.distribution_major_version }}x-x86_64-crb
+ description: Rocky Mirror crb
+ baseurl: "http://mirrors.gridpp.rl.ac.uk/current/rocky-{{ ansible_facts.distribution_major_version }}-x86_64/RPMS.crb/"
+ enabled: true
+ gpgcheck: true
+ state: present
+ module_hotfixes: true
+ become: true
+ when: ansible_facts.distribution_major_version == '9'
+
+- name: Add Rocky mirror repositories
+ ansible.builtin.yum_repository:
+ name: rocky-{{ ansible_facts.distribution_major_version }}x-x86_64-{{ item }}
+ description: Rocky Mirror {{ item }}
+ baseurl: "http://mirrors.gridpp.rl.ac.uk/current/rocky-{{ ansible_facts.distribution_major_version }}-x86_64/RPMS.{{ item }}/"
+ enabled: true
+ gpgcheck: true
+ state: present
+ module_hotfixes: true
+ with_items:
+ - appstream
+ - extras
+ - os
+ become: true
+
+
+- name: Add Quattor repositories
+ ansible.builtin.yum_repository:
+ name: "{{ item }}"
+ description: "{{ item }} Repository"
+ baseurl: "http://mirrors.gridpp.rl.ac.uk/live/quattor-noarch/RPMS.{{ item }}/"
+ enabled: true
+ gpgcheck: false
+ state: present
+ become: true
+ loop:
+ - externals-el{{ ansible_facts.distribution_major_version }}
+ - quattor-{{ quattor_version }}-el{{ ansible_facts.distribution_major_version }}
+
+- name: Install packages
+ ansible.builtin.yum:
+ name:
+ - ncm-ncd
+ - ncm-spma
+ become: true
+
+- name: Create cloud-init config to run the script
+ ansible.builtin.copy:
+ src: 99-set-aquilon-profile.cfg
+ dest: /etc/cloud/cloud.cfg.d/
+ owner: root
+ group: root
+ mode: "0644"
+ become: true
From ae5c3ae1efc2ec137b24c0b27896028fda52f325 Mon Sep 17 00:00:00 2001
From: Kalibh Halford
Date: Wed, 3 Jun 2026 09:22:08 +0100
Subject: [PATCH 2/2] ENH: Add AQ images This adds new builders for rocky-8-aq and rocky-9-aq. This updates the metadata to become a local variable that we can reference on each image and merge additional properties too such as the AQ properties. Adds a new provisioner to run the quattor.yml playbook on only the AQ images.
---
os_builders/CHANGELOG | 1 +
os_builders/build.pkr.hcl | 60 ++++++++++++++++++++++++++++++++-------
2 files changed, 50 insertions(+), 11 deletions(-)
diff --git a/os_builders/CHANGELOG b/os_builders/CHANGELOG
index f339dd01..a20d3a4c 100644
--- a/os_builders/CHANGELOG
+++ b/os_builders/CHANGELOG
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added:
+- Added new builders for Rocky 8 and 9 AQ images. [#148](https://github.com/stfc/cloud-image-builders/pull/148)
 ### Changed:
diff --git a/os_builders/build.pkr.hcl b/os_builders/build.pkr.hcl
index 19cc958e..32f6f094 100644
--- a/os_builders/build.pkr.hcl
+++ b/os_builders/build.pkr.hcl
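Review bot: The "Add EPEL repository" and "Add Quattor repositories" tasks in roles/quattor/tasks/main.yaml set `gpgcheck: false` on `http://` base URLs, so the `ncm-ncd` and `ncm-spma` packages installed by the later task are accepted with neither signature verification nor transport integrity. That repository configuration also stays in the built image. The Rocky repositories in the same file already use `gpgcheck: true`; these two should match and name the signing key explicitly, e.g. `gpgcheck: true` plus `gpgkey: <URL or path of the repository signing key>`. If the Quattor packages are genuinely unsigned, the minimum is a comment on that task saying so and why it is accepted. Whether the mirror also serves these paths over HTTPS is not visible here, but switching `baseurl` to it would be worth checking.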
@@ -13,16 +13,6 @@ packer { locals { date_suffix = "${formatdate("YYYY-MM-DD", timestamp())}" -} - -source "openstack" "builder" { - domain_name = "Default" - flavor = "l6.c2" - security_groups = ["default"] - networks = ["fa2f5ebe-d0e0-4465-9637-e9461de443f1"] # Dev OpenStack Network ID - image_visibility = "private" - ssh_timeout = "20m" - image_min_disk = "20" metadata = { "hw_machine_type" : "q35", "hw_disk_bus" : "scsi", @@ -39,6 +29,24 @@ source "openstack" "builder" { "hw_firmware_type" : "bios", "image_builder_version": "0.1.0" } + aq_metadata = { + "AQ_ARCHETYPE": "cloud", + "AQ_DOMAIN": "prod_cloud", + "aq_managed": "true", + "AQ_OS": "rocky", + "AQ_OSNAME": "rocky", + "AQ_PERSONALITY": "nubesvms", + } +} + +source "openstack" "builder" { + domain_name = "Default" + flavor = "l6.c2" + security_groups = ["default"] + networks = ["fa2f5ebe-d0e0-4465-9637-e9461de443f1"] # Dev OpenStack Network ID + image_visibility = "private" + ssh_timeout = "20m" + image_min_disk = "20" } build { 
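Review bot: With `metadata` removed from `source "openstack" "builder"`, the image properties are applied only where a source block inside `build` assigns them, so a source added later without that line would produce an image with none of the `hw_*` properties. A comment in the shared source block would make the requirement visible, e.g. `# metadata is set per source in the build block; every source must assign local.metadata (or a merge of it)`. The new `aq_metadata` local would also benefit from a one-line comment saying it is merged only into the `-aq` sources. The `locals` block starts outside this hunk.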
@@ -47,24 +55,28 @@ build { image_name = "ubuntu-jammy-22.04-nogui-${ local.date_suffix }" ssh_username = "ubuntu" external_source_image_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" + metadata = local.metadata } source "openstack.builder" { name = "ubuntu-noble" image_name = "ubuntu-noble-24.04-nogui-${ local.date_suffix }" ssh_username = "ubuntu" external_source_image_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" + metadata = local.metadata } source "openstack.builder" { name = "rocky-8" image_name = "rocky-8-nogui-${ local.date_suffix }" ssh_username = "rocky" - external_source_image_url = "https://www.mirrorservice.org/sites/download.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-GenericCloud-Base.latest.x86_64.qcow2" + external_source_image_url = "https://www.mirrorservice.org/sites/download.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-GenericCloud-Base.latest.x86_64.qcow2" + metadata = local.metadata } source "openstack.builder" { name = "rocky-9" image_name = "rocky-9-nogui-${ local.date_suffix }" ssh_username = "rocky" external_source_image_url = "https://www.mirrorservice.org/sites/download.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud-Base.latest.x86_64.qcow2" + metadata = local.metadata } source "openstack.builder" { 
@@ -72,18 +84,35 @@ build { external_source_image_url = "https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_f0dc9cb312144d0aa44037c9149d2513/azimuth-images/ubuntu-jammy-desktop-251029-1115.qcow2" image_name = "azimuth-workstation-${ local.date_suffix }" ssh_username = "ubuntu" + metadata = local.metadata } source "openstack.builder" { name = "azimuth-rstudio" external_source_image_url = "https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_f0dc9cb312144d0aa44037c9149d2513/azimuth-images/ubuntu-jammy-linux-rstudio-251029-1117.qcow2" image_name = "azimuth-rstudio-${ local.date_suffix }" ssh_username = "ubuntu" + metadata = local.metadata } source "openstack.builder" { name = "azimuth-jupyter-repo2docker" external_source_image_url = "https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_f0dc9cb312144d0aa44037c9149d2513/azimuth-images/ubuntu-jammy-jupyter-repo2docker-251029-1115.qcow2" image_name = "azimuth-jupyter-repo2docker-${ local.date_suffix }" ssh_username = "ubuntu" + metadata = local.metadata + } + source "openstack.builder" { + name = "rocky-8-aq" + image_name = "rocky-8-aq-${ local.date_suffix }" + ssh_username = "rocky" + external_source_image_url = "https://www.mirrorservice.org/sites/download.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-GenericCloud-Base.latest.x86_64.qcow2" + metadata = merge(local.metadata, local.aq_metadata, {"AQ_OSVERSION": "8"}) + } + source "openstack.builder" { + name = "rocky-9-aq" + image_name = "rocky-9-aq-${ local.date_suffix }" + ssh_username = "rocky" + external_source_image_url = "https://www.mirrorservice.org/sites/download.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud-Base.latest.x86_64.qcow2" + metadata = merge(local.metadata, local.aq_metadata, {"AQ_OSVERSION": "9"}) } sources = ["openstack.builder"] 
@@ -97,5 +126,14 @@ build { "--scp-extra-args", "'-O'", ] } + provisioner "ansible" { + only = ["openstack.rocky-8-aq", "openstack.rocky-9-aq"] + user = "${build.User}" + playbook_file = "quattor.yml" + extra_arguments = [ + # Still required for Rocky 8 and 9 + "--scp-extra-args", "'-O'", + ] + } }