# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# tasks file for ready-ubuntu
### Verify the OS is approved (Ubuntu only at this point); this saves doing the pre-checks later
- name: Fail if not running on Ubuntu 18.04 or 20.04
  # Bail out before anything is changed: every later task assumes an Ubuntu
  # host at one of the two supported releases.
  fail:
    msg: "This playbook can only run on Ubuntu 18.04 or 20.04. Using {{ ansible_distribution }}:{{ ansible_distribution_version }}"
  when: ansible_distribution != "Ubuntu" or ansible_distribution_version not in ['18.04', '20.04']
  tags:
    - verify-os
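- name: Get kernel version
  # Read-only probe: `uname -r` never modifies the host, so it is reported as
  # unchanged to keep the play's change summary honest. Its stdout is saved to
  # `uname_r` by the next task and feeds the linux-modules-extra package name.
  command: 'uname -r'
  register: uname_result
  changed_when: false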
- name: Save kernel verson to a variable
  # Expose the running kernel release as `uname_r` for later package names.
  set_fact:
    uname_r: "{{ uname_result.stdout }}"
# TODO Audit this list of dependencies and split into "development" and "production" (not everything is needed for production)
- name: Install dependencies used in provisioning
  # Host packages the rest of this role relies on: apt over TLS, networking
  # tools, VLAN support, unattended upgrades, the NFS client, and the extra
  # kernel modules matching the running kernel.
  apt:
    state: present
    update_cache: true
    pkg:
      - apt-transport-https
      - ca-certificates
      - net-tools
      - nmap
      - curl
      - wget
      - gnupg-agent
      - software-properties-common
      - network-manager
      - vlan
      - logrotate
      - unattended-upgrades
      - apt-listchanges
      - nfs-common
      # This is needed for Robin
      - "linux-modules-extra-{{ uname_r }}"
  tags:
    - update-dependencies
#### Stop and disable apparmor
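- name: Stop and disable apparmor
  # One systemd call replaces the former stop + disable pair; the end state is
  # the same (unit stopped now and not started at boot) with one task fewer.
  # NOTE(review): AppArmor is a mandatory-access-control layer, so disabling
  # it lowers host hardening; confirm the cluster workloads require this.
  systemd:
    name: apparmor
    state: stopped
    enabled: false
  tags:
    - remove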
#### Disable ufw
- name: Disable wfw
  # Turn the host firewall off; the command output is captured so the next
  # task can print it.
  # NOTE(review): this removes packet filtering on the node, which lowers
  # host hardening; confirm the surrounding network compensates. No
  # `changed_when` is given, so the task is reported as changed on every run.
  register: ufw
  command: "ufw disable"
  tags:
    - remove
- name: Show output for firewall stopping
  # Echo whatever `ufw disable` printed, for the play log.
  debug:
    msg: '{{ ufw.stdout }}'
  tags:
    - remove
## Create the user that builds and communicates across cluster machines
- name: Create a user for ABM Control
  # Account that runs the ABM install and reaches the other cluster nodes. It
  # is appended to the `sudo` group (the sudoers template below grants the
  # actual rule) and gets an SSH key pair generated in place.
  # NOTE(review): `ssh_key_bits: 2048` sizes the generated key; if nothing
  # consuming `ssh_key_name` depends on this key type/size, a stronger
  # setting could be chosen here — confirm before changing.
  ansible.builtin.user:
    name: "{{ abm_install_user }}"
    shell: /bin/bash
    groups: sudo
    append: true
    generate_ssh_key: true
    ssh_key_bits: 2048
    ssh_key_file: ".ssh/{{ ssh_key_name }}"
  tags:
    - abm-install
    - abm-user
## Set up password-less SSH into the same box
- name: "Place ssh config with no-host-check turned on"
template:
src: ssh-config.j2
dest: "{{ ssh_user_home }}/config"
group: "{{ abm_install_user }}"
owner: "{{ abm_install_user }}"
tags:
- abm-install
- abm-user
### Add the new user to the no-password sudoers list
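- name: Add user to sudoers list
  # Drop-in sudoers rule for the install user. `validate` runs visudo on the
  # rendered file before it is moved into place, so a template error cannot
  # leave the host with broken sudo; `mode: "0440"` and root ownership are
  # what sudo expects for files under /etc/sudoers.d.
  template:
    src: sudoers.j2
    dest: "/etc/sudoers.d/{{ abm_install_user }}"
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
  tags:
    - abm-install
    - abm-user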
## TODO: This does not allow for multiple cnucs to be set up at one time
## TODO: This also does not skip non-cnucs
- name: "SSH Key access to other nodes"
include: setup-ssh-pub-key-access.yaml
tags:
- abm-install
- abm-ssh
# Copy over the vxlan status verify script
- name: Copy VXLAN status script
  # Only cloud-hosted resources get the VXLAN check script; both halves of the
  # condition must hold, so an undefined `is_cloud_resource` skips the task.
  template:
    src: vxlan-status-check.sh.j2
    dest: /var/vxlan-status-check.sh
    mode: "0755"  # read/write/execute owner, everyone else read/execute
  when: is_cloud_resource is defined and is_cloud_resource == true
  tags:
    - network-vxlan
    - ubuntu-setup
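- name: get version
  # Probe the installed docker client version (empty when docker is absent).
  # Read-only, so never reported as a change. The pipeline's exit status is
  # that of the last `cut`, so a missing docker binary yields an empty stdout
  # rather than a failed task; the next task treats "" as "not installed".
  shell: "docker -v | cut -d ' ' -f 3 | cut -d ',' -f 1"
  register: docker_version
  changed_when: false
  tags:
    - docker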
- name: "Setup docker on host machine"
include: setup-docker-apt.yaml
when: ( docker_version.stdout == "" or docker_version.stdout is version('20.9.0', '<') )
tags:
- docker
- name: "Setup VLAN Interfaces on Physical Hosts"
include: setup-vlan-interfaces.yaml
when:
- (setup_vlan == true) and (is_cloud_resource is undefined or is_cloud_resource == false)
tags:
- vlan-setup
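- name: ensure logrotate is in /etc/cron.hourly
  # Link the daily logrotate job into cron.hourly so logs rotate hourly. This
  # task was duplicated back to back; the second copy is dropped. The mode is
  # quoted so Ansible receives the octal string rather than the integer 493
  # that an unquoted 0755 becomes under YAML 1.1 parsing.
  file:
    src: /etc/cron.daily/logrotate
    dest: /etc/cron.hourly/logrotate
    state: link
    force: true
    mode: "0755"  # the file needs to be executable
  tags:
    - logrotate-setup
    - ubuntu-setup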
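- name: check hourly logrotate status
  # Verify run-parts would pick up the hourly logrotate link. The script uses
  # a bash `[[ ... ]]` test, but Ansible's `shell` runs /bin/sh by default
  # (dash on Ubuntu), where `[[` is not a builtin: the `if` then evaluates
  # false and the script exits 0, so the check could never fail. Pinning bash
  # as the interpreter makes the test real.
  shell: |
    IS_HOURLY=$(run-parts --test /etc/cron.hourly)
    TEST_FOR="/etc/cron.hourly/logrotate"
    if [[ "${IS_HOURLY}" != *"${TEST_FOR}"* ]]; then
      exit 1 # Fail if hourly is not setup
    fi
  args:
    executable: /bin/bash
  register: hourly_check
  failed_when: hourly_check.rc != 0
  changed_when: false
  tags:
    - logrotate-setup
    - ubuntu-setup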
#### Install kernel module for Robin
- name: Generate modules.dep
  # Rebuild the module dependency map so the extra modules installed above
  # can be resolved by modprobe.
  command: "depmod -a"
  tags:
    - robin
- name: Load tcm_loop kernel module
  # Load tcm_loop into the running kernel for Robin.
  # NOTE(review): this loads the module now; nothing in this task makes it
  # persist across a reboot — confirm whether that is needed.
  modprobe:
    state: present
    name: tcm_loop
  tags:
    - robin
- name: Check if tcm_loop kernel module is loaded
shell: "lsmod | grep tcm"
register: tcm_exists
failed_when: tcm_exists.rc != 0