automatic update + kiosk fix

2 years ago · c84a334163
4 changed files with 50 additions and 5 deletions
--- a/ansible/README.MD
+++ b/ansible/README.MD
@ -31,6 +31,7 @@ Create an ansible vault named `vault.yaml` in `ansible/group_vars/all/` with the

 ```yaml
 blueprint_admin_password_hash: # Generate one with "mkpasswd -m bcrypt"
+blueprint_kiosk_password_hash: # Generate one with "mkpasswd -m bcrypt"
 kickstart_microshift_pull_secret: # Generate one on https://console.redhat.com/openshift/install/pull-secret
 ```

--- a/ansible/build.yaml
+++ b/ansible/build.yaml
@ -14,6 +14,23 @@
        suffix: -build
      register: tmp

+    ##
+    ## Cleanup
+    ##
+
+    - name: Get all images for removal
+      ansible.builtin.command: /usr/bin/composer-cli compose list
+      register: builder_output
+      changed_when: false
+
+    - name: Remove each image by UUID
+      ansible.builtin.command: "/usr/bin/composer-cli compose delete {{ (item | split)[0] }}"
+      loop: "{{ builder_output.stdout_lines }}"
+      loop_control:
+        label: "{{ (item | split)[0] }}"
+      changed_when: true
+      when: (item | split)[0] != "ID"
+
    ##
    ## RPM construction
    ##
--- a/ansible/templates/kiosk.ks.j2
+++ b/ansible/templates/kiosk.ks.j2
@ -58,10 +58,6 @@ cat > /etc/crio/openshift-pull-secret << 'EOF'
 EOF
 chmod 600 /etc/crio/openshift-pull-secret

-# User creation in the ostree is now deprecated. Doing it in the Kickstart, then.
-groupadd -r kiosk
-useradd -r -N -g kiosk -d /home/kiosk -m kiosk
-
 # Configure the firewall with the mandatory rules for MicroShift
 firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16
 firewall-offline-cmd --zone=trusted --add-source=169.254.169.1
--- a/ansible/templates/kiosk.toml.j2
+++ b/ansible/templates/kiosk.toml.j2
@ -11,6 +11,9 @@ version = "*"
 [[packages]]
 name = "cockpit"

+[[packages]]
+name = "htop"
+
 [[packages]]
 name = "microshift-manifests"
 version = "*"
@ -22,7 +25,7 @@ name = "cockpit-system"
 hostname = "kiosk.local"

 [customizations.services]
-enabled = ["cockpit.socket", "sshd", "microshift"]
+enabled = ["cockpit.socket", "sshd", "microshift", "rpm-ostreed", "rpm-ostreed-automatic.timer"]

 [customizations.timezone]
 timezone = "Europe/Paris"
@ -36,6 +39,26 @@ keyboard = "fr"
 [customizations.firewall]
 ports = ["22:tcp", "30000:tcp", "9090:tcp", "6443:tcp"]

+##
+## Automatic updates
+##
+## This file is used by the rpm-ostreed service that is triggered by the
+## rpm-ostreed-automatic systemd timer:
+##
+##   [Timer]
+##   OnBootSec=1h           # 1 hour after boot
+##   OnUnitInactiveSec=1d   # 1 day after last check
+##
+## But you can trigger a check manually with:
+##
+##  sudo rpm-ostree upgrade --trigger-automatic-update-policy
+##
+[[customizations.files]]
+path = "/etc/rpm-ostreed.conf"
+data = """[Daemon]
+AutomaticUpdatePolicy=apply
+"""
+
 [[customizations.user]]
 name = "admin"
 description = "admin"
@ -44,3 +67,11 @@ key = "{{ blueprint_admin_ssh_public_key }}"
 home = "/home/admin/"
 shell = "/usr/bin/bash"
 groups = ["users", "wheel"]
+
+[[customizations.user]]
+name = "kiosk"
+description = "kiosk"
+password = '{{ blueprint_kiosk_password_hash }}'
+home = "/home/kiosk/"
+shell = "/bin/bash"
+