nicolas
/
red-hat-kiosk
mirror of https://github.com/nmasse-itix/red-hat-kiosk.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

rework the playbook

ca-cert-and-multi-ks
Nicolas Massé 2 years ago
parent
daf2ba7d3c
commit
8917adda20
21 changed files with 648 additions and 644 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      .gitignore
  2. 2
      ansible/.gitignore
  3. 147
      ansible/README.MD
  4. 5
      ansible/ansible.cfg
  5. 77
      ansible/bootstrap-ostree.yaml
  6. 252
      ansible/build.yaml
  7. 6
      ansible/files/edge-installer.toml
  8. 0
      ansible/files/minimal.toml
  9. 4
      ansible/group_vars/all/config.yaml
  10. 102
      ansible/playbooks/blueprint_preparation.yaml
  11. 80
      ansible/playbooks/build_RPMS.yaml
  12. 7
      ansible/playbooks/full_play.yaml
  13. 46
      ansible/playbooks/gen_iso_image.yaml
  14. 67
      ansible/playbooks/initial_ostree.yaml
  15. 66
      ansible/playbooks/kickstart.yaml
  16. 69
      ansible/playbooks/ostree_construction.yaml
  17. 71
      ansible/playbooks/repo_creation.yaml
  18. 148
      ansible/prerequisites.yaml
  19. 4
      ansible/requirements.yaml
  20. 88
      ansible/templates/kiosk.ks.j2
  21. 46
      ansible/templates/kiosk.toml.j2

3
.gitignore
View File

@ -1,4 +1 @@
ansible/inventory.yaml
.vscode .vscode
ansible/credentials.yaml
ansible/config.yaml

2
ansible/.gitignore
View File

@ -0,0 +1,2 @@
inventory.yaml
vault.yaml

147
ansible/README.MD
View File

@ -14,158 +14,41 @@ Microshift pre-requisites :
- RHEL 9.2 or 9.3 - RHEL 9.2 or 9.3
- LVM volume group (VG) with unused space - LVM volume group (VG) with unused space
## Install Pre-requisites ## Pre-requisites on the target machine
```sh ```sh
sudo subscription-manager register --username $RHN_LOGIN --auto-attach sudo subscription-manager register --username $RHN_LOGIN --auto-attach
sudo subscription-manager attach --pool=$RHN_POOL_ID sudo subscription-manager attach --pool=$RHN_POOL_ID
sudo dnf install -y osbuild-composer composer-cli cockpit-composer git firewalld python3-toml
sudo systemctl enable --now osbuild-composer.socket
sudo systemctl enable --now firewalld
sudo systemctl enable --now cockpit.socket
sudo systemctl restart osbuild-composer
sudo usermod -a -G weldr "$(id -un)"
``` ```
Check that **os-composer** is working. ## Ansible Config
```
$ source /etc/bash_completion.d/composer-cli
$ composer-cli status show
API server status:
Database version: 0
Database supported: true
Schema version: 0
API version: 1
Backend: osbuild-composer
Build: NEVRA:osbuild-composer-88.3-1.el9_3.x86_64
$ composer-cli sources list
appstream
baseos
```
## Create the container image
Install podman and buildah. Create a `inventory.yaml` file inside the ansible folder or define the inventory path inside the `ansible.cfg` file
```sh Update `config.yaml` in `ansible/group_vars/all/` to match your environment.
sudo dnf install -y podman buildah
```
Define the target image properties. Create an ansible vault named `vault.yaml` in `ansible/group_vars/all/` with the following content.
```sh ```yaml
REGISTRY="quay.io" blueprint_admin_password_hash: # Generate one with "mkpasswd -m bcrypt"
IMAGE_NAME="nmasse_itix/kiosk-app" kickstart_microshift_pull_secret: # Generate one on https://console.redhat.com/openshift/install/pull-secret
IMAGE_TAG="latest"
``` ```
Build and push the image to the registry. Install the required collections.
```sh ```sh
cd "$GIT_REPO_CLONE/application" ansible-galaxy collection install -r requirements.yaml
podman build -t localhost/kiosk-app:latest .
podman login "$REGISTRY"
podman tag localhost/kiosk-app:latest "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
podman push "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
``` ```
## Nginx configuration ## Prepare the target machine
Install and configure nginx.
```sh ```sh
sudo dnf install -y nginx ansible-playbook prerequisites.yaml
sudo systemctl enable --now nginx.service ansible-playbook bootstrap-ostree.yaml
sudo firewall-cmd --permanent --add-port={80/tcp,443/tcp}
sudo firewall-cmd --reload
sudo mkdir -p /var/www
sudo restorecon -Rv /var/www
sudo sed -i.${EPOCHREALTIME:-bak} 's|/usr/share/nginx/html|/var/www|g' /etc/nginx/nginx.conf
sudo systemctl restart nginx.service
``` ```
Find the IP address of the current server. ## Regular builds
```sh ```sh
MYIP="$(ip -4 -br addr show scope global | awk 'NR == 1 { split($3, parts, "/"); print parts[1]; }')" ansible-playbook build.yaml
```
## Ansible Config
Create a `inventory.yaml` file inside the ansible folder or define the inventory path inside the `ansible.cfg` file
Create a `config.yaml` file inside the ansible folder following this model:
```yaml
blueprint: #name of the blueprint you want to use from the ansible/bluprint folder. EXAMPLE blueprint: blueprint_example.toml
repo_location: #EXAMPLE repo_location: /opt/custom-rpms/
ADMIN_SSH_PUBLIC_KEY: # ssh-rsa AA...
ADMIN_PASSWORD:
MICROSHIFT_PULL_SECRET: # Generate one on https://console.redhat.com/openshift/install/pull-secret
```
## Run all the Ansible files
To run all of the ansible files, use the following command:
```
ansible-playbook playbooks/full_play.yaml
```
## Create the initial ostree repo
Add blueprint file into the blueprint folder or use the `blueprint_example.toml`
The blueprint use in this opperation is define in `config.yaml` as `blueprint:`
Create the initial ostree repo using `blueprint_example.toml` use the following command:
```
ansible-playbook playbooks/initial_ostree.yaml
``` ```
## Build the RPMS
To build RPM for kiosk-config, microshift-manifests and Google Chrome, run the `build_RPMS.yaml` playbook
```
ansible-playbook playbooks/build_RPMS.yaml
```
## Repository Creation
To build a repository containing the RPMS we created, run the `repo_creation.yaml` playbook
The directory where the repo is created is define in `config.yaml` as `repo_location:`
To start the build, run :
```
ansible-playbook playbooks/repo_creation.yaml
```
## Blueprint preparation
To work properly, this playbook needs the property `ADMIN_SSH_PUBLIC_KEY` and `ADMIN_PASSWORD` to be define in `config.yaml`
To start the build, run :
```
ansible-playbook playbooks/blueprint_preparation.yaml
```
## Ostree construction
Create the ostree image and add it to the ostree repository with `ref = rhel/9/x86_64/edge-kiosk` by using the following playbook :
```
ansible-playbook playbooks/ostree_construction.yaml
```
## Generate the Installer ISO image
Generate the ISO image of the installer by using the following playbook :
```
ansible-playbook playbooks/gen_iso_image.yaml
```
## Prepare & inject the Kickstart script
Prepare & inject the Kisckstart script and create the final kiosk.iso, use the followin playbook :
```
ansible-playbook playbooks/kickstart.yaml
```

5
ansible/ansible.cfg
View File

@ -1,2 +1,7 @@
[defaults] [defaults]
# Use the provided inventory
inventory = inventory.yaml inventory = inventory.yaml
# To get the vault password from the KDE Wallet
vault_identity_list = itix@/home/nmasse/local/bin/get-vault-password

77
ansible/bootstrap-ostree.yaml
View File

@ -0,0 +1,77 @@
- name: Create the initial ostree repo
hosts: all
become: false
tasks:
- name: Read blueprint
register: results
args:
executable: /usr/bin/python3
stdin: "{{ lookup('ansible.builtin.file', playbook_dir ~ '/files/minimal.toml') }}"
shell: |
import toml
import json
import sys
str=sys.stdin.read()
obj=toml.loads(str)
print(json.dumps(obj))
delegate_to: localhost
become: false
changed_when: false
- set_fact:
blueprint_name: '{{ blueprint_object.name }}'
vars:
blueprint_object: '{{ results.stdout | from_json }}'
- name: Push blueprint
infra.osbuild.push_blueprint:
blueprint: "{{ lookup('ansible.builtin.file', playbook_dir ~ '/files/minimal.toml') }}"
- name: Start ostree compose
infra.osbuild.start_compose:
blueprint: "{{ blueprint_name }}"
allow_duplicate: true
compose_type: edge-commit
timeout: "{{ compose_timeout }}"
register: builder_compose_start_out
- ansible.builtin.set_fact:
compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}"
- name: Wait for compose to finish
infra.osbuild.wait_compose:
compose_id: "{{ compose_id }}"
timeout: 3600
- ansible.builtin.tempfile:
state: directory
suffix: build
register: tmp
- name: Export the compose artifact
infra.osbuild.export_compose: # noqa only-builtins
compose_id: "{{ compose_id }}"
dest: "{{ tmp.path }}/{{ compose_id }}.tar"
- name: Clear directory /var/www/repo
ansible.builtin.file:
path: "{{ www_location }}/repo"
state: absent
- name: Extract compose artifact into /var/www/repo
ansible.builtin.unarchive:
src: "{{ tmp.path }}/{{ compose_id }}.tar"
dest: "{{ www_location }}"
remote_src: true
become: true
- name: Create an empty tree
ansible.builtin.file:
path: "{{ tmp.path }}/empty-tree"
mode: '0755'
state: directory
become: true
- name: Create an empty commit
ansible.builtin.shell: "ostree --repo={{ www_location }}/repo commit -b 'empty' --tree=dir={{ tmp.path }}/empty-tree"
become: true

252
ansible/build.yaml
View File

@ -0,0 +1,252 @@
- name: Build the Kiosk images
hosts: all
become: false
tasks:
- name: Checkout the git repo
ansible.builtin.git:
repo: 'https://github.com/nmasse-itix/red-hat-kiosk.git'
dest: "{{ ansible_user_dir }}/red-hat-kiosk"
update: yes
clone: yes
##
## RPM construction
##
- debug:
msg: "Starting RPM build..."
- name: Ensure ~/rpmbuild is a symbolic link
ansible.builtin.file:
src: "{{ ansible_user_dir }}/red-hat-kiosk/rpms"
dest: "{{ ansible_user_dir }}/rpmbuild"
state: link
- name: Build the kiosk-config RPMS
ansible.builtin.shell: |
spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/kiosk-config.spec
rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/kiosk-config.spec
- name: Build the microshift-manifests RPM
ansible.builtin.shell: |
spectool -g -R {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
rpmbuild -ba {{ ansible_user_dir }}/rpmbuild/SPECS/microshift-manifests.spec
- name: Ensure the VENDOR directory exists
ansible.builtin.file:
path: "{{ ansible_user_dir }}/rpmbuild/VENDOR"
state: directory
mode: '0755'
- name: Download Google Chrome RPM
ansible.builtin.get_url:
url: https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
dest: "{{ ansible_user_dir }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm"
- name: Rebuild the Google Chrome RPM
ansible.builtin.shell: |
set -Eeuo pipefail
rpmrebuild -s {{ ansible_user_dir }}/rpmbuild/SPECS/google-chrome-stable.spec -p {{ ansible_user_dir }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm
RPM=$(rpm -q {{ ansible_user_dir }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm)
mkdir -p {{ ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/
rpm2cpio {{ ansible_user_dir }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm | cpio -idmv -D {{ ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/
mv {{ ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/opt/google/ {{ ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/usr/bin/
cd {{ ansible_user_dir }}/rpmbuild/BUILDROOT/$RPM/usr/bin/
rm -f google-chrome-stable
ln -s google/chrome/google-chrome google-chrome-stable
ln -s google/chrome/google-chrome chrome
sed -i.${EPOCHREALTIME:-bak} 's|/opt/google|/usr/bin/google|g' {{ ansible_user_dir }}/rpmbuild/SPECS/google-chrome-stable.spec
rpmbuild -bb {{ ansible_user_dir }}/rpmbuild/SPECS/google-chrome-stable.spec
args:
executable: /bin/bash
register: rebuild_result
failed_when: rebuild_result.rc != 0
- name: Get built RPMS
ansible.builtin.find:
path: "{{ ansible_user_dir }}/rpmbuild/RPMS/x86_64/"
patterns: "*.rpm"
register: build_rpms
- name: Extract filenames from paths of built RPMs
ansible.builtin.set_fact:
rpm_filenames: "{{ build_rpms.files | map(attribute='path') | list }}"
- name: Copy RPMs to the repository location
ansible.builtin.copy:
src: '{{ item }}'
dest: "{{ repo_location }}"
owner: root
group: root
mode: '0644'
remote_src: yes
loop: '{{ rpm_filenames }}'
loop_control:
label: "{{ item | basename }}"
become: true
- name: Update the repository with createrepo
become: true
ansible.builtin.command:
cmd: "createrepo {{ repo_location }}"
- name: Clean dnf cache
become: true
ansible.builtin.command:
cmd: dnf clean all
##
## Ostree construction
##
- debug:
msg: "Starting ostree build..."
- name: Parse blueprint
register: results
args:
executable: /usr/bin/python3
stdin: "{{ lookup('ansible.builtin.template', 'kiosk.toml.j2') }}"
shell: |
import toml
import json
import sys
str=sys.stdin.read()
obj=toml.loads(str)
print(json.dumps(obj))
become: false
changed_when: false
- set_fact:
blueprint_name: '{{ blueprint_object.name }}'
vars:
blueprint_object: '{{ results.stdout | from_json }}'
- name: Push Blueprint
infra.osbuild.push_blueprint:
blueprint: "{{ lookup('ansible.builtin.template', 'kiosk.toml.j2') }}"
- name: Start ostree compose
infra.osbuild.start_compose:
blueprint: "{{ blueprint_name }}"
allow_duplicate: true
compose_type: edge-commit
ostree_ref: "rhel/9/{{ ansible_facts['userspace_architecture'] }}/edge-kiosk"
ostree_parent: "rhel/9/{{ ansible_facts['userspace_architecture'] }}/edge"
ostree_url: http://{{ ansible_default_ipv4.address }}/repo
timeout: "{{ compose_timeout }}"
register: builder_compose_start_out
- ansible.builtin.set_fact:
compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}"
- name: Wait for compose to finish
infra.osbuild.wait_compose:
compose_id: "{{ compose_id }}"
timeout: 3600
- ansible.builtin.tempfile:
state: directory
suffix: build
register: tmp
- name: Export the compose artifact
infra.osbuild.export_compose: # noqa only-builtins
compose_id: "{{ compose_id }}"
dest: "{{ tmp.path }}/{{ compose_id }}.tar"
- name: Create commit directory
ansible.builtin.file:
path: "{{ tmp.path }}/{{ compose_id }}"
mode: '0755'
state: directory
- name: Extract compose artifact
ansible.builtin.unarchive:
src: "{{ tmp.path }}/{{ compose_id }}.tar"
dest: "{{ tmp.path }}/{{ compose_id }}"
remote_src: true
- name: Pull local ostree repository
ansible.builtin.shell: ostree --repo={{ www_location }}/repo pull-local "{{ tmp.path }}/{{ compose_id }}/repo"
become: true
##
## ISO Construction
##
- debug:
msg: "Starting ISO build..."
- name: Read blueprint
register: results
args:
executable: /usr/bin/python3
stdin: "{{ lookup('ansible.builtin.file', playbook_dir ~ '/files/edge-installer.toml') }}"
shell: |
import toml
import json
import sys
str=sys.stdin.read()
obj=toml.loads(str)
print(json.dumps(obj))
delegate_to: localhost
become: false
changed_when: false
- set_fact:
blueprint_name: '{{ blueprint_object.name }}'
vars:
blueprint_object: '{{ results.stdout | from_json }}'
- name: Push blueprint
infra.osbuild.push_blueprint:
blueprint: "{{ lookup('ansible.builtin.file', playbook_dir ~ '/files/edge-installer.toml') }}"
- name: Start ostree compose
infra.osbuild.start_compose:
blueprint: "{{ blueprint_name }}"
allow_duplicate: true
compose_type: edge-installer
ostree_ref: empty
ostree_url: http://{{ ansible_default_ipv4.address }}/repo
timeout: "{{ compose_timeout }}"
register: builder_compose_start_out
- ansible.builtin.set_fact:
compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}"
- name: Wait for compose to finish
infra.osbuild.wait_compose:
compose_id: "{{ compose_id }}"
timeout: 3600
- ansible.builtin.tempfile:
state: directory
suffix: build
register: tmp
- name: Export the compose artifact
infra.osbuild.export_compose: # noqa only-builtins
compose_id: "{{ compose_id }}"
dest: "{{ tmp.path }}/{{ compose_id }}.iso"
- name: Create kiosk.ks from template
ansible.builtin.template:
src: "kiosk.ks.j2"
dest: "{{ tmp.path }}/kiosk.ks"
- name: Validate kiosk.ks using ksvalidator
ansible.builtin.command:
cmd: "ksvalidator {{ tmp.path }}/kiosk.ks"
- name: Create new kiosk.iso file
ansible.builtin.command:
cmd: "mkksiso -r 'inst.ks' --ks {{ tmp.path }}/kiosk.ks {{ tmp.path }}/{{ compose_id }}.iso {{ tmp.path }}/kiosk.iso"
- name: Copy new ISO to /var/www
copy:
src: "{{ tmp.path }}/kiosk.iso"
dest: "{{ www_location }}/kiosk.iso"
remote_src: true
become: true

6
ansible/files/edge-installer.toml
View File

@ -0,0 +1,6 @@
name = "edge-installer"
description = ""
version = "0.0.0"
modules = []
groups = []
packages = []

0
ansible/blueprints/blueprint_example.toml → ansible/files/minimal.toml
View File

4
ansible/group_vars/all/config.yaml
View File

@ -0,0 +1,4 @@
repo_location: /opt/custom-rpms
blueprint_admin_ssh_public_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFW62WJXI1ZCMfNA4w0dMpL0fsldhbEfULNGIUB0nQui nmasse@localhost.localdomain
www_location: /var/www
compose_timeout: 300

102
ansible/playbooks/blueprint_preparation.yaml
View File

@ -1,102 +0,0 @@
- name: Create the initial ostree repo
hosts: all
vars_files: ../credentials.yaml
tasks:
- name: Extract userspace architecture
ansible.builtin.set_fact:
userspace_arch: "{{ ansible_facts['userspace_architecture']}}"
- name: Enable required rhocp repositories using subscription-manager
become: true
ansible.builtin.command:
cmd: "sudo subscription-manager repos --enable rhocp-4.14-for-rhel-9-{{ userspace_arch }}-rpms --enable fast-datapath-for-rhel-9-{{ userspace_arch }}-rpms"
- name: Get information about the microshift package
ansible.builtin.command:
cmd: "dnf info microshift"
register: microshift_info
- name: Display microshift package information
ansible.builtin.debug:
var: microshift_info.stdout_lines
- name: Install mkpasswd and podman packages
become: true
ansible.builtin.dnf:
name:
- mkpasswd
- podman
state: present
- name: Generate bcrypt hash of the admin password
command: mkpasswd -m bcrypt "{{ ADMIN_PASSWORD }}"
register: admin_password_hash
changed_when: false
- name: Set admin password in kiosk.toml
ansible.builtin.lineinfile:
path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.toml"
regexp: '^password =.*$'
line: 'password = "{{ ADMIN_PASSWORD }}"'
backrefs: yes
- name: Set admin SSH public key in kiosk.toml
ansible.builtin.lineinfile:
path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.toml"
regexp: '^key =.*$'
line: 'key = "{{ ADMIN_SSH_PUBLIC_KEY }}"'
backrefs: yes
- name: Add custom packages source to composer
ansible.builtin.shell: |
echo "
check_gpg = false
check_ssl = false
id = 'custom'
name = 'custom packages for RHEL'
system = false
type = 'yum-baseurl'
url = 'file://{{ repo_location }}'
" | composer-cli sources add /dev/stdin
- name: Add RH OCP 4.14 source to composer
ansible.builtin.shell: |
echo "
id = 'rhocp-4.14'
name = 'Red Hat OpenShift Container Platform 4.14 for RHEL 9'
type = 'yum-baseurl'
url = 'https://cdn.redhat.com/content/dist/layered/rhel9/{{ ansible_architecture }}/rhocp/4.14/os'
check_gpg = true
check_ssl = true
system = false
rhsm = true
" | composer-cli sources add /dev/stdin
- name: Add Fast Datapath source to composer
ansible.builtin.shell: |
echo "
id = 'fast-datapath'
name = 'Fast Datapath for RHEL 9'
type = 'yum-baseurl'
url = 'https://cdn.redhat.com/content/dist/layered/rhel9/{{ ansible_architecture }}/fast-datapath/os'
check_gpg = true
check_ssl = true
system = false
rhsm = true
" | composer-cli sources add /dev/stdin
- name: Add EPEL source to composer
ansible.builtin.shell: |
echo "
id = 'epel'
name = 'Extra Packages for Enterprise Linux'
type = 'yum-baseurl'
url = 'http://mirror.in2p3.fr/pub/epel/9/Everything/{{ ansible_architecture }}/'
check_gpg = false
check_ssl = false
system = false
rhsm = false
" | composer-cli sources add /dev/stdin
- name: Push Blueprint
infra.osbuild.push_blueprint:
src: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.toml"

80
ansible/playbooks/build_RPMS.yaml
View File

@ -1,80 +0,0 @@
- name: Build the RPMS
hosts: all
tasks:
- name: Install EPEL release package
become: true
ansible.builtin.dnf:
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
state: present
disable_gpg_check: true
- name: Install software
become: true
ansible.builtin.dnf:
name:
- git
- rpm-build
- rpmdevtools
- rpmrebuild
state: present
- name: Install rpmrebuild
become: true
ansible.builtin.yum:
name: rpmrebuild
state: present
- name: Clear directory $HOME/rpmbuild
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/rpmbuild"
state: absent
- name: Clear symbolic link between
ansible.builtin.file:
src: "{{ ansible_env.HOME }}/red-hat-kiosk/rpms"
dest: "{{ ansible_env.HOME }}/rpmbuild"
state: link
- name: Build the kiosk-config RPMS
ansible.builtin.shell:
spectool -g -R $HOME/rpmbuild/SPECS/kiosk-config.spec |
rpmbuild -ba $HOME/rpmbuild/SPECS/kiosk-config.spec
- name: Build the microshift-manifests RPM
ansible.builtin.shell:
spectool -g -R $HOME/rpmbuild/SPECS/microshift-manifests.spec |
rpmbuild -ba $HOME/rpmbuild/SPECS/microshift-manifests.spec
- name: Ensure the VENDOR directory exists
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/rpmbuild/VENDOR"
state: directory
mode: '0755'
- name: Download Google Chrome RPM
ansible.builtin.get_url:
url: https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
dest: "{{ ansible_env.HOME }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm"
- name: Rebuild the Google Chrome RPM
ansible.builtin.shell: |
set -Eeuo pipefail
rpmrebuild -s {{ ansible_env.HOME }}/rpmbuild/SPECS/google-chrome-stable.spec -p {{ ansible_env.HOME }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm
RPM=$(rpm -q {{ ansible_env.HOME }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm)
mkdir -p {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/
rpm2cpio {{ ansible_env.HOME }}/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm | cpio -idmv -D {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/
mv {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/opt/google/ {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/usr/bin/
cd {{ ansible_env.HOME }}/rpmbuild/BUILDROOT/$RPM/usr/bin/
rm -f google-chrome-stable
ln -s google/chrome/google-chrome google-chrome-stable
ln -s google/chrome/google-chrome chrome
sed -i.${EPOCHREALTIME:-bak} 's|/opt/google|/usr/bin/google|g' {{ ansible_env.HOME }}/rpmbuild/SPECS/google-chrome-stable.spec
rpmbuild -bb {{ ansible_env.HOME }}/rpmbuild/SPECS/google-chrome-stable.spec
args:
executable: /bin/bash
register: rebuild_result
failed_when: rebuild_result.rc != 0
- name: Get build RMPS
ansible.builtin.find:
path: "{{ ansible_env.HOME }}/rpmbuild/RPMS/x86_64/"
register: build_rpms
- name: Extract filenames from paths of built RPMs
ansible.builtin.set_fact:
rpm_filenames: "{{ build_rpms.files | map(attribute='path') | map('basename') | list }}"
- name: List build RMPS
ansible.builtin.debug:
msg: "{{ rpm_filenames }}"

7
ansible/playbooks/full_play.yaml
View File

@ -1,7 +0,0 @@
---
- import_playbook: initial_ostree.yaml
- import_playbook: build_RPMS.yaml
- import_playbook: repo_creation.yaml
- import_playbook: ostree_construction.yaml
- import_playbook: gen_iso_image.yaml
- import_playbook: kickstart.yaml

46
ansible/playbooks/gen_iso_image.yaml
View File

@ -1,46 +0,0 @@
- name: Generate the Installer ISO image
hosts: all
vars_files: ../credentials.yaml
tasks:
- name: Clear /tmp/microshift_bluprint.toml
ansible.builtin.file:
path: /tmp/microshift_bluprint.toml
state: absent
- name: Create /tmp/microshift_bluprint.toml
ansible.builtin.file:
path: /tmp/microshift_bluprint.toml
state: touch
mode: "0755"
- name: Write blueprint content to /tmp/microshift_bluprint file
ansible.builtin.copy:
dest: "/tmp/microshift_blueprint.toml"
content: |
name = "microshift-installer"
description = ""
version = "0.0.0"
modules = []
groups = []
packages = []
become: true
- name: Push Blueprint
infra.osbuild.push_blueprint:
src: "/tmp/microshift_blueprint.toml"
- name: Start OSTree Compose
ansible.builtin.shell:
cmd: composer-cli compose start-ostree --url http://{{ ansible_default_ipv4.address }}/repo --ref empty microshift-installer edge-installer | awk '{print $2}'
register: build_id
- name: Wait for compose to finish
infra.osbuild.wait_compose:
compose_id: "{{build_id.stdout_lines | first}}"
timeout: 3600
- name: Export the compose artifact to /tmp/commit
infra.osbuild.export_compose: # noqa only-builtins
compose_id: "{{ build_id.stdout_lines | first }}"
dest: /{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/installer.iso

67
ansible/playbooks/initial_ostree.yaml
View File

@ -1,67 +0,0 @@
- name: Create the initial ostree repo
hosts: all
become: true
vars_files: ../config.yaml
tasks:
- name: Create Blueprint /tmp/blueprints repo
ansible.builtin.file:
path: /tmp/blueprints
mode: '0755'
state: directory
- name: Copy Blueprint file to /tmp/blueprints
ansible.builtin.copy:
src: "{{ playbook_dir }}/../blueprints/{{ blueprint }}"
dest: /tmp/blueprints/blueprint.toml
mode: '0755'
- name: Reading Blueprint file
ansible.builtin.slurp:
src: /tmp/blueprints/blueprint.toml
register: toml_file_content
- name: Getting Blueprint Name
ansible.builtin.shell: "echo '{{ toml_file_content.content | b64decode }}' | python -c 'import sys, toml; print(toml.loads(sys.stdin.read())[\"name\"])'"
register: blueprint_name
- name: Push Blueprint
infra.osbuild.push_blueprint:
src: "/tmp/blueprints/blueprint.toml"
- name: Start ostree compose
infra.osbuild.start_compose:
blueprint: "{{ blueprint_name.stdout }}"
allow_duplicate: true
register: builder_compose_start_out
- name: Wait for compose to finish
infra.osbuild.wait_compose:
compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}"
timeout: 3600
- name: Create /tmp/images repo
ansible.builtin.file:
path: /tmp/images/
mode: '0755'
state: directory
- name: Export the compose artifact to /tmp/images
infra.osbuild.export_compose: # noqa only-builtins
compose_id: "{{ builder_compose_start_out['result']['body']['build_id'] }}"
dest: /tmp/images/{{ builder_compose_start_out['result']['body']['build_id'] }}.tar
- name: Clear directory /var/www/repo
ansible.builtin.file:
path: /var/www/repo
state: absent
- name: Extract compose artifact into /var/www/repo
ansible.builtin.unarchive:
src: /tmp/images/{{ builder_compose_start_out['result']['body']['build_id'] }}.tar
dest: /var/www/
remote_src: true
- name: adding /var/www/repo to OSTree
ansible.builtin.shell: "ostree --repo=/var/www/repo refs"
- name: Create /tmp/empty-tree repo
ansible.builtin.file:
path: /tmp/empty-tree
mode: '0755'
state: directory
- name: optimizing OSTree
ansible.builtin.shell: "ostree --repo=/var/www/repo commit -b 'empty' --tree=dir=/tmp/empty-tree"
- name: adding /var/www/repo to OSTree
ansible.builtin.shell: "ostree --repo=/var/www/repo refs"
- name: Clear directory /tmp/images/
ansible.builtin.file:
path: /tmp/images/
state: absent

66
ansible/playbooks/kickstart.yaml
View File

@ -1,66 +0,0 @@
- name: Create kickstart
hosts: all
vars_files: ../config.yaml
tasks:
- name : Remove existing kiosk.ks
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks"
state: absent
- name : Remove existing kiosk.ios
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ios"
state: absent
- name: Copy fresh kiosk.ks
ansible.builtin.copy:
src: "{{ playbook_dir }}/../../imagebuilder/kiosk.ks"
dest: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks"
mode: '0755'
- name: Set repo adress
ansible.builtin.lineinfile:
path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks"
regexp: '--url=http://__MYIP__/repo'
line: 'ostreesetup --nogpg --osname=rhel --remote=edge --url=http://{{ ansible_default_ipv4.address }} --ref=rhel/9/x86_64/edge-kiosk'
backrefs: true
- name: Set MICROSHIFT_PULL_SECRET
ansible.builtin.lineinfile:
path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks"
regexp: '__MICROSHIFT_PULL_SECRET__'
line: "{{ MICROSHIFT_PULL_SECRET }}"
- name: Install lorax & pykickstart packages
become: true
ansible.builtin.dnf:
state: present
name:
- lorax
- pykickstart
- name: Validate kiosk.ks using ksvalidator
ansible.builtin.command:
cmd: "ksvalidator {{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks"
register: ksvalidator_output
ignore_errors: yes
- name: Output error message if ksvalidator fails
ansible.builtin.debug:
msg: "{{ ksvalidator_output.stderr_lines }}"
when: ksvalidator_output is failed
- name: Remove existing kiosk.ios
ansible.builtin.file:
path: "/{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.iso"
state: absent
- name: Create new kiosk.ios file
ansible.builtin.command:
cmd: "mkksiso -r 'inst.ks' --ks {{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.ks '{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/installer.iso' {{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/kiosk.iso"
register: mkksiso_output
- name: Remove installer.iso
ansible.builtin.file:
path: "{{ ansible_env.HOME }}/red-hat-kiosk/imagebuilder/installer.iso"
state: absent

69
ansible/playbooks/ostree_construction.yaml
View File

@ -1,69 +0,0 @@
- name: Create the initial ostree repo
hosts: all
vars_files: ../credentials.yaml
tasks:
- name: Solve dependencies for the blueprint
ansible.builtin.command: composer-cli blueprints depsolve kiosk
- name: Start OSTree Compose
ansible.builtin.shell:
cmd: composer-cli compose start-ostree kiosk edge-commit --url http://{{ ansible_default_ipv4.address }}/repo --ref "rhel/9/{{ ansible_architecture }}/edge-kiosk" --parent "rhel/9/{{ ansible_architecture }}/edge" | awk '{print $2}'
register: build_id
- name: Wait for compose to finish
infra.osbuild.wait_compose:
compose_id: "{{build_id.stdout_lines | first}}"
timeout: 3600
- name: Create /tmp/commit repo
ansible.builtin.file:
path: /tmp/commit/
mode: '0755'
state: directory
- name: Export the compose artifact to /tmp/commit
infra.osbuild.export_compose: # noqa only-builtins
compose_id: "{{ build_id.stdout_lines | first }}"
dest: /tmp/commit/{{ build_id.stdout_lines | first }}.tar
- name: Create /tmp/commit/ID repo
ansible.builtin.file:
path: /tmp/commit/{{ build_id.stdout_lines | first }}
mode: '0755'
state: directory
- name: Extract compose artifact into /tmp/commit/ID
ansible.builtin.unarchive:
src: /tmp/commit/{{ build_id.stdout_lines | first }}.tar
dest: /tmp/commit/{{ build_id.stdout_lines | first }}
remote_src: true
- name: Pull local ostree repository
become: true
ansible.builtin.shell: ostree --repo=/var/www/repo pull-local "/tmp/commit/{{ build_id.stdout_lines | first }}/repo"
- name: Clear /tmp/commit repo
ansible.builtin.file:
path: /tmp/commit/
state: absent
- name: config ostree ref
become: true
ansible.builtin.shell: ostree --repo=/var/www/repo refs
register: refs
- name: Print refs
ansible.builtin.debug:
var: refs.stdout_lines
- name: config ostree logs kiosk
become: true
ansible.builtin.shell: ostree --repo=/var/www/repo log rhel/9/{{ ansible_architecture }}/edge-kiosk
register: logs
- name: Print refs
ansible.builtin.debug:
var: logs.stdout_lines

71
ansible/playbooks/repo_creation.yaml
View File

@ -1,71 +0,0 @@
---
- name: Create a custom RPM repository
hosts: all
vars_files: ../config.yaml
tasks:
- name: Install createrepo package
become: true
ansible.builtin.dnf:
name: createrepo
state: present
- name: Clear the repository directory exists
become: true
ansible.builtin.file:
path: "{{ repo_location }}"
state: absent
- name: Old custom repo
become: true
ansible.builtin.file:
path: /etc/yum.repos.d/custom.repo
state: absent
- name: Ensure the repository directory exists
become: true
ansible.builtin.file:
path: "{{ repo_location }}"
state: directory
mode: '0755'
- name: Copy RPMs to the repository location
ansible.builtin.shell: sudo cp {{ ansible_env.HOME }}/rpmbuild/RPMS/x86_64/* {{ repo_location }}
- name: Initialize the repository with createrepo
become: true
ansible.builtin.command:
cmd: "createrepo {{ repo_location }}"
- name: Create custom repo file
become: true
ansible.builtin.lineinfile:
path: /etc/yum.repos.d/custom.repo
line: "{{ item }}"
create: true
mode: '0755'
loop:
- "[custom]"
- "name = Custom RPMS"
- "baseurl = file://{{ repo_location }}"
- "enabled = 1"
- "gpgcheck = 0"
- name: Clean dnf cache
become: true
ansible.builtin.command:
cmd: dnf clean all
- name: Verify packages are present
ansible.builtin.shell:
cmd: "sudo dnf list available --disablerepo='*' --enablerepo='custom' kiosk-config google-chrome-stable microshift-manifests"
register: package_info
ignore_errors: true
- name: Verify packages are present
become: true
ansible.builtin.shell:
cmd: "dnf config-manager --enable custom"
- name: Display package info output
ansible.builtin.debug:
var: package_info.stdout_lines

148
ansible/prerequisites.yaml
View File

@ -0,0 +1,148 @@
- name: Install prerequisites
hosts: all
become: true
tasks:
- community.general.rhsm_repository:
name:
- rhocp-4.14-for-rhel-9-{{ ansible_facts['userspace_architecture'] }}-rpms
- fast-datapath-for-rhel-9-{{ ansible_facts['userspace_architecture'] }}-rpms
state: enabled
- name: Install EPEL release package
become: true
ansible.builtin.dnf:
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
state: present
disable_gpg_check: true
- name: Install packages
ansible.builtin.dnf:
name:
- python3-toml
- createrepo
- git
- rpm-build
- rpmdevtools
- rpmrebuild
- mkpasswd
- podman
- buildah
- nginx
- lorax
- pykickstart
- osbuild-composer
- composer-cli
- cockpit-composer
- git
- firewalld
state: installed
- name: Start services
ansible.builtin.systemd:
name: "{{ item }}"
enabled: yes
state: started
loop:
- osbuild-composer.socket
- firewalld.service
- cockpit.socket
- nginx.service
- name: Adding ansible_user to the weldr group
ansible.builtin.user:
name: '{{ ansible_user | default(ansible_env.SUDO_USER) }}'
groups: weldr
append: yes
- name: Allow HTTP and HTTPS
ansible.posix.firewalld:
service: '{{ item }}'
permanent: true
immediate: true
state: enabled
loop:
- http
- https
- name: Ensure the ostree directory exists
become: true
ansible.builtin.file:
path: "{{ www_location }}"
state: directory
mode: '0755'
serole: object_r
setype: httpd_sys_content_t
seuser: system_u
- name: Configure nginx
lineinfile:
path: /etc/nginx/nginx.conf
line: "root {{ www_location }};"
regexp: "^\\s*root\\s+.*;"
- name: Restart nginx
ansible.builtin.systemd:
name: nginx.service
state: restarted
- name: Ensure the repository directory exists
become: true
ansible.builtin.file:
path: "{{ repo_location }}"
state: directory
mode: '0755'
- name: Update the repository with createrepo
become: true
ansible.builtin.command:
cmd: "createrepo {{ repo_location }}"
- name: Add custom repository
ansible.builtin.yum_repository:
name: custom
file: custom
description: Custom RPMS
baseurl: file://{{ repo_location }}
enabled: true
gpgcheck: false
- name: Add sources
infra.osbuild.repository: '{{ item }}'
loop:
- repo_name: custom packages for RHEL
type: yum-baseurl
base_url: file://{{ repo_location }}
check_gpg: false
check_ssl: false
rhsm: false
state: present
- repo_name: Red Hat OpenShift Container Platform 4.14 for RHEL 9
type: yum-baseurl
base_url: https://cdn.redhat.com/content/dist/layered/rhel9/{{ ansible_facts['userspace_architecture'] }}/rhocp/4.14/os
check_gpg: true
check_ssl: true
rhsm: true
state: present
- repo_name: Fast Datapath for RHEL 9
type: yum-baseurl
base_url: https://cdn.redhat.com/content/dist/layered/rhel9/{{ ansible_facts['userspace_architecture'] }}/fast-datapath/os
check_gpg: true
check_ssl: true
rhsm: true
state: present
- repo_name: Extra Packages for Enterprise Linux
type: yum-baseurl
base_url: http://mirror.in2p3.fr/pub/epel/9/Everything/{{ ansible_facts['userspace_architecture'] }}/
check_gpg: false
check_ssl: false
rhsm: false
state: present
loop_control:
label: '{{ item.repo_name }}'
- name: Install packages on the ansible controller
dnf:
name:
- python3-toml
state: installed
delegate_to: localhost

4
ansible/requirements.yaml
View File

@ -0,0 +1,4 @@
collections:
- infra.osbuild
- community.general
- ansible.posix

88
ansible/templates/kiosk.ks.j2
View File

@ -0,0 +1,88 @@
##
## Environment setup
##
# French I18n
lang fr_FR.UTF-8
# French keyboard layout
keyboard fr
# Timezone is UTC to avoid issue with DST
timezone UTC --utc
# Configure NTP
timesource --ntp-server=rhel.pool.ntp.org
# Which action to perform after install: poweroff or reboot
reboot
# Install mode: text (interactive installs) or cmdline (unattended installs)
text
##
## Storage configuration
##
# Clear the target disk
zerombr
# Remove existing partitions
clearpart --all --initlabel
# Automatically create partitions required by hardware platform
# and add a separate /boot partition
reqpart --add-boot
##
## Alternative partitioning on only one disk
## /dev/disk/by-path/pci-0000:00:12.0-ata-1 instead of sda when sda is taken by the usb stick
##
zerombr
clearpart --all --initlabel
reqpart --add-boot
part pv.01 --size=10240 --ondisk=/dev/disk/by-path/pci-0000:00:12.0-ata-1
volgroup system pv.01
logvol / --fstype="xfs" --size=1 --grow --name=root --vgname=system
part pv.02 --size=1 --grow --ondisk=/dev/disk/by-path/pci-0000:00:12.0-ata-1
volgroup data pv.02
##
## Network configuration
##
# Configure the first network device
network --bootproto=dhcp --device=enp1s0 --noipv6 --activate
# Configure hostname
network --hostname=kiosk.localdomain
##
## Ostree installation
##
# Use this line if creating an Edge Installer ISO that includes a local ostree commit
#ostreesetup --nogpg --osname=rhel --remote=edge --url=file:///run/install/repo/ostree/repo --ref=rhel/9/x86_64/edge
# Use this to fetch from a remote URL
ostreesetup --nogpg --osname=rhel --remote=edge --url=http://{{ ansible_default_ipv4.address }}/repo --ref=rhel/9/x86_64/edge-kiosk
##
## Post install scripts
##
%post --log=/var/log/anaconda/post-install.log --erroronfail
# Add the pull secret to CRI-O and set root user-only read/write permissions
cat > /etc/crio/openshift-pull-secret << 'EOF'
{{ kickstart_microshift_pull_secret }}
EOF
chmod 600 /etc/crio/openshift-pull-secret
# Configure the firewall with the mandatory rules for MicroShift
firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16
firewall-offline-cmd --zone=trusted --add-source=169.254.169.1
# Do not ask password for sudo
sed -i.post-install -e "s/^%wheel\tALL=(ALL)\tALL/%wheel ALL=(ALL) NOPASSWD: ALL/" /etc/sudoers
%end

46
ansible/templates/kiosk.toml.j2
View File

@ -0,0 +1,46 @@
name = "kiosk"
description = "Example Kiosk"
version = "0.0.8"
modules = []
groups = []
[[packages]]
name = "kiosk-config"
version = "*"
[[packages]]
name = "cockpit"
[[packages]]
name = "microshift-manifests"
version = "*"
[[packages]]
name = "cockpit-system"
[customizations]
hostname = "kiosk.local"
[customizations.services]
enabled = ["cockpit.socket", "sshd", "microshift"]
[customizations.timezone]
timezone = "Europe/Paris"
ntpservers = ["0.fr.pool.ntp.org", "1.fr.pool.ntp.org"]
[customizations.locale]
languages = ["fr_FR.UTF-8"]
keyboard = "fr"
#22 ssh / 9090 cockpit / 6443 microshift
[customizations.firewall]
ports = ["22:tcp", "30000:tcp", "9090:tcp", "6443:tcp"]
[[customizations.user]]
name = "admin"
description = "admin"
password = '{{ blueprint_admin_password_hash }}'
key = "{{ blueprint_admin_ssh_public_key }}"
home = "/home/admin/"
shell = "/usr/bin/bash"
groups = ["users", "wheel"]
Write Preview
Loading…
Cancel
Save