diff --git a/olam/block.yml b/olam/block.yml index 2d932cc..c49edca 100644 --- a/olam/block.yml +++ b/olam/block.yml @@ -10,6 +10,8 @@ block: - name: Create block volume oracle.oci.oci_blockstorage_volume: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" compartment_id: "{{ my_compartment_id }}" availability_domain: "{{ my_availability_domain }}" display_name: "blockvolume-{{ item.value.instance_name | default('instance-'~timestamp) }}" @@ -27,7 +29,9 @@ - name: Attach the block volume oracle.oci.oci_compute_volume_attachment: - instance_id: "{{ instance_id }}" + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" + instance_id: "{{ my_instance_id }}" type: paravirtualized volume_id: "{{ volume_id }}" compartment_id: "{{ my_compartment_id }}" diff --git a/olam/build.yml b/olam/build.yml index f990661..90ad735 100644 --- a/olam/build.yml +++ b/olam/build.yml @@ -1,11 +1,13 @@ --- -# Copyright (c) 2024 Oracle and/or its affiliates. +# Copyright (c) 2024 2025 Oracle and/or its affiliates. # This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. # The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) # See LICENSE.TXT for details. - name: Launch an instance oracle.oci.oci_compute_instance: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" availability_domain: "{{ my_availability_domain }}" compartment_id: "{{ my_compartment_id }}" display_name: "{{ item.value.instance_name | default('instance-'~timestamp) }}" 
@@ -50,16 +52,24 @@ - name: Set the compute instance id ansible.builtin.set_fact: - instance_id: "{{ result.instance.id }}" + my_instance_id: "{{ result.instance.id }}" + +- name: Add instance id to state file + ansible.builtin.lineinfile: + path: .ansible-state + line: "instance{{ ansible_loop.index0 + 1 }}_ocid: {{ my_instance_id }}" + mode: "0755" - name: Set the compute instance display_name ansible.builtin.set_fact: - instance_display_name: "{{ result.instance.display_name }}" + my_instance_display_name: "{{ result.instance.display_name }}" - name: Get the vnic attachment details of instance oracle.oci.oci_compute_vnic_attachment_facts: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" compartment_id: "{{ my_compartment_id }}" - instance_id: "{{ instance_id }}" + instance_id: "{{ my_instance_id }}" register: result retries: 10 delay: 30 @@ -67,6 +77,8 @@ - name: Get vnic details oracle.oci.oci_network_vnic_facts: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" id: "{{ result.vnic_attachments[0].vnic_id }}" register: result retries: 10 @@ -86,6 +98,7 @@ loop: "{{ query('sequence', 'start=1 end=' + (block_count) | string) }}" loop_control: extended: true + loop_var: blk_item vars: block_devices: - b 
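Review bot: The new `Add instance id to state file` task writes a plain data file with `mode: "0755"`, which sets the execute bit on a file that only holds OCIDs; `mode: "0644"` (or `"0600"`, since the terminate step acts on whatever this file lists) is the right permission. The task also has no `regexp`, so every run of build.yml appends another `instanceN_ocid:` line instead of updating the existing one; add `regexp: '^instance{{ ansible_loop.index0 + 1 }}_ocid:'`. `ansible_loop.index0` only exists when the including loop sets `extended: true`, which this diff adds in create_instance.yml but which any other caller of build.yml would have to replicate, so a comment such as `# requires loop_control.extended on the include_tasks loop` would help. The enclosing task list continues outside the hunk.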
@@ -97,36 +110,36 @@ - name: Print the public and private ip of the newly created instance ansible.builtin.debug: msg: - - "Instance name: {{ instance_display_name }}" + - "Instance name: {{ my_instance_display_name }}" - " public ip: {{ instance_public_ip }}" - " private ip: {{ instance_private_ip }}" when: debug_enabled - name: Add host to in-memory host file ansible.builtin.add_host: - name: "{{ instance_display_name }}" + name: "{{ my_instance_display_name }}" groups: "{{ item.value.type }}" ansible_user: opc ansible_private_key_file: "{{ lookup('env', 'HOME') + '/.ssh/' + private_key }}" ansible_ssh_common_args: "-o StrictHostKeyChecking=no" ansible_host: "{{ instance_public_ip }}" ansible_port: 22 - instance_ocid: "{{ instance_id }}" + instance_ocid: "{{ my_instance_id }}" - name: Create host ini file ansible.builtin.lineinfile: path: hosts - regexp: '^\[{{ host_group }}' - line: "[{{ host_group }}]" + regexp: '^\[{{ item.value.type }}' + line: "[{{ item.value.type }}]" create: true mode: "0664" delegate_to: localhost - loop: - - control - - execution - - db - loop_control: - loop_var: host_group + # loop: + # - control + # - execution + # - db + # loop_control: + # loop_var: host_group - name: Add host to ini host file ansible.builtin.lineinfile: @@ -143,7 +156,7 @@ mode: "664" delegate_to: localhost vars: - instance_name: "{{ instance_display_name }}" + instance_name: "{{ my_instance_display_name }}" instance_ansible_user: opc instance_ansible_private_key_file: "{{ lookup('env', 'HOME') + '/.ssh/' + private_key }}" instance_ansible_ssh_common_args: "-o StrictHostKeyChecking=no" diff --git a/olam/check_instance_available.yml b/olam/check_instance_available.yml new file mode 100644 index 0000000..47e694e --- /dev/null +++ b/olam/check_instance_available.yml 
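Review bot: The `Create host ini file` task now interpolates the operator-supplied `item.value.type` straight into `regexp: '^\[{{ item.value.type }}'` without escaping, so a type containing regex metacharacters silently fails to match and a second `[group]` header is appended on re-run; use `regexp: '^\[{{ item.value.type | regex_escape }}\]'`. The old fixed loop over control/execution/db is left behind as six commented-out lines; delete them rather than keep dead code next to the live task. The `instance_ansible_ssh_common_args: "-o StrictHostKeyChecking=no"` written a few lines further down is pre-existing, but it is persisted into an on-disk inventory that later playbooks reuse, so host-key verification stays disabled for the life of these hosts rather than only for first contact; a comment saying that is a deliberate bootstrap trade-off would be worth adding.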
@@ -0,0 +1,43 @@ +--- +# Copyright (c) 2024 2025 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Configure new instances + hosts: all:!localhost + gather_facts: false + vars_files: + - default_vars.yml + - oci_vars.yml + + tasks: + + - name: Wait for systems to become reachable and usable + ansible.builtin.wait_for_connection: + + # - name: Wait for systems to become reachable using ssh + # ansible.builtin.wait_for: + # port: 22 + # host: '{{ (ansible_ssh_host | default(ansible_host)) | default(inventory_hostname) }}' + # search_regex: OpenSSH + # delay: 10 + # timeout: 300 + + - name: Get a set of all available facts + ansible.builtin.setup: + + - name: Print in-memory inventory # noqa: run-once[task] + ansible.builtin.debug: + msg: "{{ groups['all'] }}" + delegate_to: localhost + run_once: true + when: debug_enabled + + - name: Print all variables/facts known for a host # noqa: run-once[task] + ansible.builtin.debug: + msg: "{{ hostvars[item] }}" + loop: "{{ groups['all'] | flatten(levels=1) }}" + delegate_to: localhost + run_once: true + when: debug_enabled diff --git a/olam/configure_passwordless_ssh.yml b/olam/configure_passwordless_ssh.yml new file mode 100644 index 0000000..97bafee --- /dev/null +++ b/olam/configure_passwordless_ssh.yml 
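Review bot: `Print all variables/facts known for a host` dumps the full `hostvars[item]` mapping for every host to stdout whenever `debug_enabled` is true, and hostvars carries everything loaded from `default_vars.yml`/`oci_vars.yml`, the `ansible_private_key_file` path and any password variable set elsewhere in the inventory, so turning on debug in a CI job writes all of that into the job log. Print a curated subset (`ansible_host`, `instance_ocid`, group membership) rather than the whole mapping, and keep the full dump out of shared logs. The unconditional `ansible.builtin.setup` is what makes `ansible_hostname`/`ansible_default_ipv4` available to the plays imported after this one; that is presumably intended, and a comment such as `# facts gathered here are reused by configure_passwordless_ssh.yml` would make the dependency explicit.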
@@ -0,0 +1,85 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Configure passwordless ssh between hosts + hosts: all:!localhost:!remote + vars_files: + - default_vars.yml + - oci_vars.yml + + tasks: + + - name: Generate ssh keypair for user + community.crypto.openssh_keypair: + path: ~/.ssh/id_rsa + size: 2048 + comment: ol ssh keypair + become: true + become_user: "{{ username }}" + + - name: Fetch public key file + ansible.builtin.fetch: + src: "~/.ssh/id_rsa.pub" + dest: "buffer/{{ inventory_hostname }}-id_rsa.pub" + flat: true + become: true + become_user: "{{ username }}" + + - name: Copy public key to each destination + ansible.posix.authorized_key: + user: "{{ username }}" + state: present + key: "{{ lookup('file', 'buffer/{{ item }}-id_rsa.pub') }}" + # loop: "{{ groups['all'] | flatten(levels=1) }}" + loop: "{{ ansible_play_hosts_all | difference(['localhost']) }}" + become: true + + # - name: Copy public key to each destination for root + # ansible.posix.authorized_key: + # user: "root" + # state: present + # key: "{{ lookup('file', 'buffer/{{ item }}-id_rsa.pub') }}" + # loop: "{{ groups['all'] | flatten(levels=1) }}" + # become: true + + - name: Print hostvars for groups + ansible.builtin.debug: + msg: "{{ hostvars[item] }}" + # loop: "{{ groups['all'] | flatten(levels=1) }}" + loop: "{{ ansible_play_hosts_all | difference(['localhost']) }}" + when: debug_enabled + + - name: Print vcn subnet_domain_name + ansible.builtin.debug: + var: my_subnet1_domain_name + when: debug_enabled + + - name: Accept new ssh fingerprints + ansible.builtin.shell: | + ssh-keyscan -t ecdsa-sha2-nistp256 \ + {{ hostvars[item].ansible_hostname }},\ + {{ hostvars[item].ansible_default_ipv4.address }},\ + {{ 
hostvars[item].ansible_hostname + '.' + my_subnet_domain_name }} >> ~/.ssh/known_hosts + with_items: + # - "{{ groups['all'] }}" + "{{ ansible_play_hosts_all | difference(['localhost']) }}" + become: true + become_user: "{{ username }}" + register: result + changed_when: result.rc == 0 + + # - name: Accept new ssh fingerprints for root + # ansible.builtin.shell: | + # ssh-keyscan -t ecdsa-sha2-nistp256 \ + # {{ hostvars[item].ansible_hostname }},\ + # {{ hostvars[item].ansible_default_ipv4.address }},\ + # {{ hostvars[item].ansible_hostname + '.' + my_subnet1_domain_name }} >> ~/.ssh/known_hosts + # with_items: + # - "{{ groups['all'] }}" + # become: true + # become_user: "root" + # register: result + # changed_when: result.rc == 0 diff --git a/olam/convert_ansible_inventory.sh b/olam/convert_ansible_inventory.sh index 2a83dbc..932f34e 100644 --- a/olam/convert_ansible_inventory.sh +++ b/olam/convert_ansible_inventory.sh @@ -27,7 +27,7 @@ echo "" echo "[control:vars]" echo "node_type=control" -echo "peers=local_execution_group" +# echo "peers=local_execution_group" echo "" echo "[execution]" @@ -40,6 +40,7 @@ echo "" echo "[local_execution_group:vars]" echo "node_type=execution" +echo "peers=control" echo "" echo "[hop]" diff --git a/olam/create_instance.yml b/olam/create_instance.yml index 9cdd0de..0c124cb 100644 --- a/olam/create_instance.yml +++ b/olam/create_instance.yml 
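Review bot: `Accept new ssh fingerprints` builds a shell command from `hostvars[item].ansible_hostname`, a fact the remote host controls, and runs it on every other node as `{{ username }}`; a hostname containing shell metacharacters (set by whoever has root on one node) becomes command execution on all of its peers. Quote the assembled host list with the `quote` filter (below) or switch to `ansible.builtin.command` with `argv`. Separately, `ssh-keyscan` trusts whatever key the peer presents at that moment, and `>> ~/.ssh/known_hosts` with `changed_when: result.rc == 0` appends duplicates and reports changed on every run; the keypair itself is RSA-2048, where `type: ed25519` is the better default for new keys. The `Print vcn subnet_domain_name` debug references `my_subnet1_domain_name` while the keyscan uses `my_subnet_domain_name`, which is the name set in create_instance.yml, so the debug line looks like a leftover.

```yaml
- name: Accept new ssh fingerprints
  ansible.builtin.shell: >-
    ssh-keyscan -t ecdsa-sha2-nistp256
    {{ [hostvars[item].ansible_hostname,
        hostvars[item].ansible_default_ipv4.address,
        hostvars[item].ansible_hostname ~ '.' ~ my_subnet_domain_name]
       | join(',') | quote }}
    >> ~/.ssh/known_hosts
  # … unchanged: with_items, become, become_user, register, changed_when …
```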
@@ -26,21 +26,10 @@ instance_ocpus: 2 instance_memory: 32 private_key: "id_rsa" - ansible_python_interpreter: "{{ localhost_python_interpreter | default(omit) }}" debug_enabled: false tasks: - # - name: Check if state file exists - # ansible.builtin.stat: - # path: /tmp/ansible.state - # register: state_exists - - # - name: Fail if state file already exists - # ansible.builtin.fail: - # msg: "Exit instance creation as a state file already exists." - # when: hosts_exists.stat.exists - - name: Get location of oci_config ansible.builtin.set_fact: oci_config_file: "{{ lookup('env', 'HOME') + '/.oci/config' }}" @@ -60,6 +49,8 @@ - name: Get list availbility domains oracle.oci.oci_identity_availability_domain_facts: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" compartment_id: "{{ my_tenancy_id }}" region: "{{ my_region_id }}" register: result @@ -92,6 +83,18 @@ ansible.builtin.set_fact: my_compartment_id: "{{ compartment_id | default(env_lookup, true) | default(ini_lookup, true) }}" + - name: Create oci state file + ansible.builtin.file: + path: .ansible-state + state: touch + mode: "0755" + + - name: Add compartment id to state file + ansible.builtin.lineinfile: + path: .ansible-state + line: "compartment_ocid: {{ my_compartment_id }}" + mode: "0755" + - name: Print compartment id ansible.builtin.debug: msg: "{{ my_compartment_id }}" @@ -110,6 +113,8 @@ - name: Create a virtual cloud network oracle.oci.oci_network_vcn: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" compartment_id: "{{ my_compartment_id }}" display_name: "Linuxvirt Virtual Cloud Network" cidr_blocks: "10.0.0.0/16" 
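Review bot: `Create oci state file` touches `.ansible-state` with `mode: "0755"` and the following `lineinfile` has no `regexp`, so the file is executable for no reason and every run appends another `compartment_ocid:` line; use `mode: "0600"` (the terminate playbook acts on whatever OCIDs this file lists, so it should not be readable or writable more widely than needed) and `regexp: '^compartment_ocid:'`. The same hunk deletes the commented-out "fail if state file already exists" guard instead of implementing it, which is exactly the check that would stop a second run from stacking the OCIDs of two deployments into one file; a `stat` on `.ansible-state` followed by `fail` when it exists is two tasks and worth adding back. `state: touch` also reports changed on every run; adding `modification_time: preserve` and `access_time: preserve` keeps it idempotent.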
@@ -123,8 +128,16 @@ ansible.builtin.set_fact: my_vcn_id: "{{ result.vcn.id }}" + - name: Add vcn id to state file + ansible.builtin.lineinfile: + path: .ansible-state + line: "vcn_ocid: {{ my_vcn_id }}" + mode: "0755" + - name: Create internet_gateway oracle.oci.oci_network_internet_gateway: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" compartment_id: "{{ my_compartment_id }}" vcn_id: "{{ my_vcn_id }}" is_enabled: true @@ -139,8 +152,16 @@ ansible.builtin.set_fact: my_internet_gateway_id: "{{ result.internet_gateway.id }}" + - name: Add internet_gateway id to state file + ansible.builtin.lineinfile: + path: .ansible-state + line: "internet_gateway_ocid: {{ my_internet_gateway_id }}" + mode: "0755" + - name: Create route_table oracle.oci.oci_network_route_table: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" compartment_id: "{{ my_compartment_id }}" vcn_id: "{{ my_vcn_id }}" display_name: "Linuxvirt Route Table" @@ -158,6 +179,12 @@ ansible.builtin.set_fact: my_rt_id: "{{ result.route_table.id }}" + - name: Add route table id to state file + ansible.builtin.lineinfile: + path: .ansible-state + line: "route_table_ocid: {{ my_rt_id }}" + mode: "0755" + - name: Create ingress rules yaml list ansible.builtin.template: src: ingress_security_rules.j2 @@ -192,6 +219,8 @@ - name: Create security_list oracle.oci.oci_network_security_list: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" display_name: "Linuxvirt Security List" compartment_id: "{{ my_compartment_id }}" vcn_id: "{{ my_vcn_id }}" 
@@ -206,8 +235,16 @@ ansible.builtin.set_fact: my_security_list_id: "{{ result.security_list.id }}" + - name: Add security list id to state file + ansible.builtin.lineinfile: + path: .ansible-state + line: "security_list_ocid: {{ my_security_list_id }}" + mode: "0755" + - name: Create subnet oracle.oci.oci_network_subnet: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" compartment_id: "{{ my_compartment_id }}" vcn_id: "{{ my_vcn_id }}" cidr_block: "{{ subnet_cidr_block }}" @@ -225,6 +262,12 @@ ansible.builtin.set_fact: my_subnet_id: "{{ result.subnet.id }}" + - name: Add public subnet id to state file + ansible.builtin.lineinfile: + path: .ansible-state + line: "subnet_ocid: {{ my_subnet_id }}" + mode: "0755" + - name: Set subnet domain_name ansible.builtin.set_fact: my_subnet_domain_name: "{{ result.subnet.subnet_domain_name }}" @@ -237,6 +280,8 @@ - name: Get image oracle.oci.oci_compute_image_facts: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" compartment_id: "{{ my_compartment_id }}" operating_system: "{{ os }}" operating_system_version: "{{ os_version }}" 
@@ -260,71 +305,21 @@ - name: Build an instance ansible.builtin.include_tasks: "build.yml" loop: "{{ lookup('dict', compute_instances, wantlist=True) }}" + loop_control: + extended: true -- name: Configure new instances - hosts: all - become: true - gather_facts: false - vars_files: - - default_vars.yml - - oci_vars.yml - vars: - username: "oracle" - user_default_password: "oracle" - private_key: "id_rsa" - debug_enabled: false - - tasks: +- name: Check if instances are available + ansible.builtin.import_playbook: "check_instance_available.yml" - - name: Wait for systems to become reachable - ansible.builtin.wait_for_connection: - vars: - python_version: "/usr/bin/python3" - ansible_python_interpreter: "{{ python_version if localhost_python_interpreter is defined | default(omit) }}" +- name: Setup and configure instance basics + ansible.builtin.import_playbook: "provision_instance_basics.yml" - - name: Get a set of all available facts - ansible.builtin.setup: +- name: Configure passwordless SSH + ansible.builtin.import_playbook: "configure_passwordless_ssh.yml" - - name: Print in-memory inventory - ansible.builtin.debug: - msg: "{{ groups['all'] }}" - delegate_to: localhost - when: - - debug_enabled - - inventory_hostname == ansible_play_hosts_all[0] - - - name: Print all variables/facts known for a host - ansible.builtin.debug: - msg: "{{ hostvars[item] }}" - loop: "{{ groups['all'] | flatten(levels=1) }}" - delegate_to: localhost - when: - - debug_enabled - - inventory_hostname == ansible_play_hosts_all[0] - - - name: Configure instance - ansible.builtin.include_tasks: "host_setup.yml" - when: >- - inventory_hostname in - groups['control']|default([]) - + groups['server']|default([]) - + groups['execution']|default([]) - + groups['db']|default([]) - - - name: Configure passwordless SSH - ansible.builtin.include_tasks: "passwordless_setup.yml" - when: passwordless_ssh - - - name: Install Oracle Linux Automation Engine - ansible.builtin.dnf: - name: - - 
ansible-core - state: present - retries: 5 - delay: 10 - when: - - inventory_hostname in groups['control']|default([]) - - use_olae_only +# - name: Install Oracle Linux Automation Engine +# ansible.builtin.import_playbook: "deploy_olae.yml" +# when: use_olae_only - name: Install Oracle Linux Automation Manager vars: @@ -357,11 +352,8 @@ when: use_olam_pah - name: Print instances - hosts: all + hosts: all:!localhost become: true - gather_facts: true - vars_files: - - oci_vars.yml tasks: @@ -380,48 +372,4 @@ Aborting at this stage requires manual removal of all cloud resources this playbook creates. - name: Terminate instances and delete OCI resources - hosts: localhost - vars_files: - - default_vars.yml - vars: - ansible_python_interpreter: "{{ localhost_python_interpreter | default(omit) }}" - - tasks: - - - name: Terminate the instances - oracle.oci.oci_compute_instance: - id: "{{ hostvars[item]['instance_ocid'] }}" - state: absent - loop: "{{ groups['all'] | flatten(levels=1) }}" - - - name: Delete the subnet - oracle.oci.oci_network_subnet: - id: "{{ my_subnet_id }}" - state: absent - - - name: Delete the security list - oracle.oci.oci_network_security_list: - id: "{{ my_security_list_id }}" - state: absent - - - name: Delete the route table - oracle.oci.oci_network_route_table: - id: "{{ my_rt_id }}" - state: absent - - - name: Delete the Internet Gateway - oracle.oci.oci_network_internet_gateway: - id: "{{ my_internet_gateway_id }}" - state: absent - - - name: Delete the VCN - oracle.oci.oci_network_vcn: - vcn_id: "{{ my_vcn_id }}" - state: absent - - - name: Remove artifacts - ansible.builtin.file: - state: absent - path: "{{ item }}" - loop: - - oci_vars.yml + ansible.builtin.import_playbook: "terminate_instance.yml" diff --git a/olam/default_vars.yml b/olam/default_vars.yml index c23ed73..bcec359 100644 --- a/olam/default_vars.yml +++ b/olam/default_vars.yml 
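Review bot: `Configure passwordless SSH` is now an unconditional `import_playbook`, whereas the removed inline include was gated by `when: passwordless_ssh`, and the imported configure_passwordless_ssh.yml does not check the flag itself, so the `passwordless_ssh: false` default in default_vars.yml no longer prevents a full mesh of inter-host SSH keys from being installed; add `when: passwordless_ssh` to the import, the same pattern the commented-out OLAE import uses with `use_olae_only`. The removed play also carried `become: true` and restricted `host_setup.yml` to the control/server/execution/db groups; the imported playbooks target `all:!localhost`, so every host the in-memory inventory picks up is now configured, which is worth a comment if intentional. The play list continues outside this hunk.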
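Review bot: The `Terminate instances and delete OCI resources` play is replaced by `import_playbook: "terminate_instance.yml"`, which is not part of this diff, so the reviewer cannot see that it still removes every resource the deleted tasks did (instances via `instance_ocid`, subnet, security list, route table, internet gateway, VCN) or that it still deletes `oci_vars.yml` at the end. Presumably it reads the OCIDs from the new `.ansible-state` file; if so, a comment here naming that contract, e.g. `# reads resource OCIDs from .ansible-state written by create_instance.yml/build.yml`, would keep the two files from drifting apart.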
@@ -22,7 +22,7 @@ block_count: 1 update_all: false passwordless_ssh: false olam_type: single -use_olae_only: false +# use_olae_only: false use_olam_builder: false use_olam_pah: false add_pah_ports: false diff --git a/olam/deploy_olam_cluster.yml b/olam/deploy_olam_cluster.yml index 7f889c5..8f6dbe6 100644 --- a/olam/deploy_olam_cluster.yml +++ b/olam/deploy_olam_cluster.yml @@ -20,6 +20,14 @@ delay: 10 when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Install Oracle EPEL repository + ansible.builtin.dnf: + name: oracle-epel-release-el9 + state: present + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + - name: Install version lock plugin ansible.builtin.dnf: name: python3-dnf-plugin-versionlock @@ -29,10 +37,20 @@ delay: 10 when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Install version lock plugin + ansible.builtin.dnf: + name: python3-dnf-plugin-versionlock + enablerepo: ol9_developer_EPEL + state: present + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + - name: Version lock python3-click community.general.yum_versionlock: state: present name: python3-click + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - name: Install additional packages for ansible ansible.builtin.dnf: @@ -46,6 +64,18 @@ delay: 10 when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Install additional packages for ansible + ansible.builtin.dnf: + name: + - python3-psycopg2 + - python3-pyOpenSSL + - python3-pip + enablerepo: ol9_developer_EPEL + state: present + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + - name: Install pexpect ansible.builtin.pip: name: pexpect 
@@ -64,17 +94,16 @@ tasks: - - name: Enable the PostgreSQL 13 module stream + - name: Enable the PostgreSQL 16 module stream ansible.builtin.copy: dest: /etc/dnf/modules.d/postgresql.module content: | [postgresql] name=postgresql - stream=13 + stream=16 profiles= state=enabled mode: '0644' - when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - name: Install the database ansible.builtin.dnf: @@ -158,7 +187,7 @@ name: postgresql state: restarted -- name: Configure OLAM 2.2 hosts +- name: Configure OLAM 2.3 hosts hosts: control,execution vars_files: - default_vars.yml @@ -168,7 +197,7 @@ - name: Install Oracle Linux Automation Manager repository ansible.builtin.dnf: - name: oraclelinux-automation-manager-release-el8-2.2 + name: oraclelinux-automation-manager-release-el8 state: present retries: 5 delay: 10 
@@ -193,22 +222,47 @@ mode: '0644' when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - - name: Enable Oracle Linux Automation Manager 2.2 repository + - name: Disable Oracle Linux Automation Manager 2.2 repository community.general.ini_file: path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" section: ol8_automation2.2 option: enabled + value: "0" + mode: '0644' + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + + - name: Enable Oracle Linux Automation Manager 2.3 repository + community.general.ini_file: + path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" + section: ol8_automation2.3 + option: enabled value: "1" mode: '0644' when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Install Oracle Linux Automation Manager repository + ansible.builtin.dnf: + name: oraclelinux-automation-manager-release-el9 + state: present + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + + - name: Enable Oracle Linux Automation Manager 2.3 repository + community.general.ini_file: + path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol9.repo" + section: ol9_automation2.3 + option: enabled + value: "1" + mode: '0644' + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + - name: Install Oracle Linux Automation Manager ansible.builtin.dnf: name: ol-automation-manager state: present retries: 5 delay: 10 - when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' environment: "{{ proxy_env }}" - name: Edit unixsocket in /etc/redis.conf 
@@ -217,6 +271,7 @@ regexp: '^unixsocket ' insertafter: '^# unixsocketperm ' line: unixsocket /var/run/redis/redis.sock + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - name: Edit unixsocketperm in /etc/redis.conf ansible.builtin.lineinfile: @@ -224,6 +279,23 @@ regexp: '^unixsocketperm ' insertafter: '^unixsocket ' line: unixsocketperm 775 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + + - name: Edit unixsocket in /etc/redis/redis.conf + ansible.builtin.lineinfile: + path: /etc/redis/redis.conf + regexp: '^unixsocket ' + insertafter: '^# unixsocketperm ' + line: unixsocket /var/run/redis/redis.sock + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + + - name: Edit unixsocketperm in /etc/redis/redis.conf + ansible.builtin.lineinfile: + path: /etc/redis/redis.conf + regexp: '^unixsocketperm ' + insertafter: '^unixsocket ' + line: unixsocketperm 775 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' - name: Configure CLUSTER_HOST_ID setting ansible.builtin.copy: 
@@ -239,11 +311,23 @@ - name: Provision olam ansible container environment # noqa: syntax-check[unknown-module] containers.podman.podman_image: name: container-registry.oracle.com/oracle_linux_automation_manager/olam-ee - tag: 2.2 + tag: 2.3-ol8 become: true become_user: awx retries: 5 delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + environment: "{{ proxy_env }}" + + - name: Provision olam ansible container environment # noqa: syntax-check[unknown-module] + containers.podman.podman_image: + name: container-registry.oracle.com/oracle_linux_automation_manager/olam-ee + tag: 2.3-ol9 + become: true + become_user: awx + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' environment: "{{ proxy_env }}" - name: Generate an OpenSSL private key with a different size (2048 bits) @@ -409,6 +493,18 @@ when: - inventory_hostname in groups.execution - inventory_hostname not in groups.hop + + - name: Add tcp-peers for control nodes + ansible.builtin.lineinfile: + path: /etc/receptor/receptor.conf + insertbefore: '^- control-service:' + line: | + - tcp-peer: + address: {{ hostvars[item]['ansible_default_ipv4']['address'] }}:27199 + redial: true + with_inventory_hostnames: + - "{{ groups.control | difference([inventory_hostname]) | join(',') }}" + when: inventory_hostname in groups.control - name: Add tcp-peers if present ansible.builtin.lineinfile: @@ -432,6 +528,12 @@ msg: "{{command_output.stdout_lines}}" when: debug_enabled + - name: Enable and start receptor service + ansible.builtin.systemd: + name: receptor-awx + state: started + enabled: true + - name: Provision awx hosts: control[0] vars_files: 
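Review bot: The two `podman_image` tasks pull `olam-ee` by the mutable tags `2.3-ol8`/`2.3-ol9`, so the execution environment that runs every job is whatever the registry serves under that tag at install time, with no integrity check; pin by digest (`name: container-registry.oracle.com/oracle_linux_automation_manager/olam-ee@sha256:<digest>`) or at least record the digest from the module's return value so the deployment is reproducible. The OL8 and OL9 tasks differ only in `tag` and `when`; a single task with `tag: "2.3-ol{{ ansible_distribution_major_version }}"` keeps the `retries`/`environment`/`become` settings in one place.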
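Review bot: The new `tcp-peer` entries for control nodes carry only `address` and `redial` with no `tls:` reference, so unless the receptor.conf generated earlier (outside this hunk) supplies a default, control-to-control receptor links are established without TLS; if a `tls-client` stanza exists there, add `tls: <its name>` to each peer, matching whatever the existing execution-node `tcp-peer` block does. The `lineinfile` has a multi-line `line` and no `regexp`, so every re-run inserts the same peer block again before `- control-service:`; `blockinfile` with a per-peer `marker`, or a `regexp` keyed on the `address:` line, keeps it idempotent. Peers are addressed by `ansible_default_ipv4.address`, a fact reported by the peer itself rather than the `instance_private_ip` recorded during build; that is fine on a single subnet but worth a comment.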
@@ -505,7 +607,38 @@ tasks: - - name: Run awx-manage peers + - name: Add receptor address to each instance + ansible.builtin.shell: | + awx-manage add_receptor_address --instance={{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} --address={{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} --port=27199 --canonical + args: + executable: /bin/bash + become_user: awx + register: awx_receptor_address + delegate_to: "{{ groups['control'][0] }}" + + - name: Print to awx_receptor_address + ansible.builtin.debug: + msg: "{{awx_receptor_address}}" + when: debug_enabled + + - name: Add links between control nodes + ansible.builtin.shell: | + awx-manage register_peers {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} --peers {{ hostvars[item]['ansible_default_ipv4']['address'] }} + args: + executable: /bin/bash + become_user: awx + register: awx_control_peers + with_inventory_hostnames: + - "{{ groups.control | difference([inventory_hostname]) | join(',') }}" + when: inventory_hostname in groups['control'][0] + delegate_to: "{{ groups['control'][0] }}" + + - name: Print to awx_control_peers + ansible.builtin.debug: + msg: "{{awx_control_peers}}" + when: debug_enabled + + - name: Add links between receptor nodes ansible.builtin.shell: | awx-manage register_peers {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} --peers {{ hostvars[item]['ansible_default_ipv4']['address'] }} args: @@ -529,3 +662,14 @@ enabled: true with_items: - ol-automation-manager + + - name: Check if user is lingering + ansible.builtin.stat: + path: "/var/lib/systemd/linger/awx" + register: user_lingering + + - name: Enable lingering is needed + ansible.builtin.command: "loginctl enable-linger awx" + register: linger_result + changed_when: linger_result.rc == 0 + when: not user_lingering.stat.exists diff --git a/olam/deploy_olam_olae.yml b/olam/deploy_olam_olae.yml new file mode 100644 index 0000000..c6d6c98 --- /dev/null 
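Review bot: `when: inventory_hostname in groups['control'][0]` is a substring test on a string, not an equality check, so a host named `olam-control-1` matches a first control node named `olam-control-10` and runs `register_peers` from the wrong host; use `when: inventory_hostname == groups['control'][0]`. Both new `awx-manage` shell tasks interpolate `ansible_default_ipv4.address` facts from every node into a command executed on `groups['control'][0]` as `awx`; facts are supplied by the remote host, so wrap each value with the `quote` filter or use `ansible.builtin.command` with `argv`. `become_user: awx` without a visible `become: true` relies on the play header outside this hunk setting it. Neither task sets `changed_when`, so both report changed on every run.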
+++ b/olam/deploy_olam_olae.yml @@ -0,0 +1,22 @@ +--- +# Copyright (c) 2024 2025 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + + +- name: Install Oracle Linux Automation Engine + hosts: control + vars_files: + - default_vars.yml + become: true + + tasks: + + - name: Install ansible-core package + ansible.builtin.dnf: + name: + - ansible-core + state: present + retries: 5 + delay: 10 diff --git a/olam/deploy_olam_single.yml b/olam/deploy_olam_single.yml index 7ff0cf9..86a62a1 100644 --- a/olam/deploy_olam_single.yml +++ b/olam/deploy_olam_single.yml @@ -20,6 +20,14 @@ delay: 10 when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Install Oracle EPEL repository + ansible.builtin.dnf: + name: oracle-epel-release-el9 + state: present + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + - name: Install version lock plugin ansible.builtin.dnf: name: python3-dnf-plugin-versionlock @@ -29,10 +37,20 @@ delay: 10 when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Install version lock plugin + ansible.builtin.dnf: + name: python3-dnf-plugin-versionlock + enablerepo: ol9_developer_EPEL + state: present + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + - name: Version lock python3-click community.general.yum_versionlock: state: present name: python3-click + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - name: Install additional packages for ansible ansible.builtin.dnf: 
@@ -45,6 +63,18 @@ retries: 5 delay: 10 when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + + - name: Install additional packages for ansible + ansible.builtin.dnf: + name: + - python3-psycopg2 + - python3-pyOpenSSL + - python3-pip + enablerepo: ol9_developer_EPEL + state: present + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' - name: Install pexpect using pip ansible.builtin.pip: @@ -52,17 +82,16 @@ # Install database - - name: Enable the PostgreSQL 13 module stream + - name: Enable the PostgreSQL 16 module stream ansible.builtin.copy: dest: /etc/dnf/modules.d/postgresql.module content: | [postgresql] name=postgresql - stream=13 + stream=16 profiles= state=enabled mode: '0644' - when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - name: Install the database ansible.builtin.dnf: 
@@ -165,22 +194,47 @@ mode: '0644' when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - - name: Enable Oracle Linux Automation Manager 2.2 repository + - name: Disable Oracle Linux Automation Manager 2.2 repository community.general.ini_file: path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" section: ol8_automation2.2 option: enabled + value: "0" + mode: '0644' + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + + - name: Enable Oracle Linux Automation Manager 2.3 repository + community.general.ini_file: + path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" + section: ol8_automation2.3 + option: enabled value: "1" mode: '0644' when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Install Oracle Linux Automation Manager repository + ansible.builtin.dnf: + name: oraclelinux-automation-manager-release-el9 + state: present + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + + - name: Enable Oracle Linux Automation Manager 2.3 repository + community.general.ini_file: + path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol9.repo" + section: ol9_automation2.3 + option: enabled + value: "1" + mode: '0644' + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + - name: Install Oracle Linux Automation Manager ansible.builtin.dnf: name: ol-automation-manager state: present retries: 5 delay: 10 - when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - name: Edit unixsocket in /etc/redis.conf ansible.builtin.lineinfile: 
@@ -188,6 +242,7 @@ regexp: '^unixsocket ' insertafter: '^# unixsocketperm ' line: unixsocket /var/run/redis/redis.sock + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - name: Edit unixsocketperm in /etc/redis.conf ansible.builtin.lineinfile: @@ -195,6 +250,23 @@ regexp: '^unixsocketperm ' insertafter: '^unixsocket ' line: unixsocketperm 775 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + + - name: Edit unixsocket in /etc/redis/redis.conf + ansible.builtin.lineinfile: + path: /etc/redis/redis.conf + regexp: '^unixsocket ' + insertafter: '^# unixsocketperm ' + line: unixsocket /var/run/redis/redis.sock + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + + - name: Edit unixsocketperm in /etc/redis/redis.conf + ansible.builtin.lineinfile: + path: /etc/redis/redis.conf + regexp: '^unixsocketperm ' + insertafter: '^unixsocket ' + line: unixsocketperm 775 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' - name: Configure CLUSTER_HOST_ID setting ansible.builtin.copy: @@ -227,9 +299,18 @@ - name: Provision olam ansible container environment # noqa: syntax-check[unknown-module] containers.podman.podman_image: name: container-registry.oracle.com/oracle_linux_automation_manager/olam-ee - tag: 2.2 + tag: 2.3-ol8 + become: true + become_user: awx + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + + - name: Provision olam ansible container environment # noqa: syntax-check[unknown-module] + containers.podman.podman_image: + name: container-registry.oracle.com/oracle_linux_automation_manager/olam-ee + tag: 2.3-ol9 become: true become_user: awx + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' - name: Check if awx provisioned ansible.builtin.stat: 
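Review bot: The two `Provision olam ansible container environment` tasks in the last hunk on this line differ only in the tag, so a single task with `tag: "2.3-ol{{ ansible_distribution_major_version }}"` and `when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version in ['8', '9']` covers both without a duplicated task name. `2.3-ol8` and `2.3-ol9` are mutable tags, so each run pulls whatever the registry currently serves for that tag; if reproducible deployments matter, a digest-qualified reference (podman accepts `name@sha256:…`) pins the exact image, assuming the module passes the reference through unchanged. The tasks list these hunks belong to starts outside them.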
diff --git a/olam/deploy_olam_v1.yml b/olam/deploy_olam_v1.yml index 64ade5d..eca1fa4 100644 --- a/olam/deploy_olam_v1.yml +++ b/olam/deploy_olam_v1.yml @@ -83,6 +83,15 @@ mode: '0644' when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Disable Oracle Linux Automation Manager 2.3 repository + community.general.ini_file: + path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" + section: ol8_automation2.3 + option: enabled + value: "0" + mode: '0644' + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Install Oracle Linux Automation Manager ansible.builtin.dnf: name: ol-automation-manager @@ -97,6 +106,7 @@ regexp: '^unixsocket ' insertafter: '^# unixsocketperm ' line: unixsocket /var/run/redis/redis.sock + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - name: Edit unixsocketperm in /etc/redis.conf ansible.builtin.lineinfile: @@ -104,6 +114,7 @@ regexp: '^unixsocketperm ' insertafter: '^unixsocket ' line: unixsocketperm 775 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - name: Ensure postgresql data directory exists ansible.builtin.file: diff --git a/olam/host_setup.yml b/olam/host_setup.yml deleted file mode 100644 index cababf1..0000000 --- a/olam/host_setup.yml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -# Copyright (c) 2024 Oracle and/or its affiliates. -# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. -# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) -# See LICENSE.TXT for details. - -- name: Run facts module to get latest information - ansible.builtin.setup: - -- name: Grow the root filesystem - ansible.builtin.shell: | - /usr/libexec/oci-growfs -y - become: true - register: result - changed_when: result.rc == 0 - -- name: Add user account with access to sudo - ansible.builtin.user: - name: "{{ username }}" - password: "{{ user_default_password | password_hash('sha512') }}" - comment: Ansible created user - groups: wheel - append: true - update_password: on_create - become: true - -- name: Set authorized key for user using local public key file - ansible.posix.authorized_key: - user: "{{ username }}" - state: present - key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/' + private_key + '.pub') }}" - become: true - -- name: Set user with passwordless sudo access - vars: - sudo_content: "{{ username }} ALL=(ALL:ALL) NOPASSWD: ALL" - ansible.builtin.lineinfile: - path: "/etc/sudoers.d/{{ username }}" - regexp: "{{ username }} ALL=" - line: "{{ sudo_content }}" - state: present - create: true - mode: "0644" - become: true - -- name: Create the ansible tmp directory if it does not exist - ansible.builtin.file: - path: ~/.ansible/tmp - state: directory - mode: '0700' - become: true - become_user: "{{ username }}" - -- name: Add locale settings to .bashrc - ansible.builtin.lineinfile: - dest: ~/.bashrc - line: "{{ item }}" - with_items: - - 'export LC_ALL="en_US.UTF-8"' - - 'export LC_CTYPE="en_US.UTF-8"' - become: true - become_user: "{{ username }}" - -# - name: Generate ssh keypair for user -# community.crypto.openssh_keypair: -# path: ~/.ssh/id_rsa -# size: 2048 -# comment: ocne ssh keypair -# become: true -# 
become_user: "{{ username }}" - -# - name: Fetch public key file from server -# ansible.builtin.fetch: -# src: "~/.ssh/id_rsa.pub" -# dest: "buffer/{{ inventory_hostname }}-id_rsa.pub" -# flat: true -# become: true -# become_user: "{{ username }}" - -# - name: Copy public key to each destination -# ansible.posix.authorized_key: -# user: "{{ username }}" -# state: present -# key: "{{ lookup('file', 'buffer/{{ item }}-id_rsa.pub') }}" -# loop: "{{ groups['all'] | flatten(levels=1) }}" -# become: true - -# - name: Print hostvars for groups -# ansible.builtin.debug: -# msg: "{{ hostvars[item] }}" -# loop: "{{ groups['all'] | flatten(levels=1) }}" -# when: debug_enabled - -# - name: Print vnc subnet_domain_name -# ansible.builtin.debug: -# var: my_subnet_domain_name -# when: debug_enabled - -# - name: Accept new ssh fingerprints -# ansible.builtin.shell: | -# ssh-keyscan -t ecdsa-sha2-nistp256 \ -# {{ hostvars[item].ansible_hostname }},\ -# {{ hostvars[item].ansible_default_ipv4.address }},\ -# {{ hostvars[item].ansible_hostname + '.' + my_subnet_domain_name }} >> ~/.ssh/known_hosts -# with_items: -# - "{{ groups['all'] }}" -# become: true -# become_user: "{{ username }}" -# register: result -# changed_when: result.rc == 0 - -- name: Configure firewall to log denied packets - ansible.builtin.command: - cmd: firewall-cmd --set-log-denied=all - when: debug_enabled - register: firewall_result - changed_when: firewall_result.rc == 0 - become: true - -# Check denied packets with "journalctl -x -e" or with "dmesg | grep -i REJECT" diff --git a/olam/passwordless_setup.yml b/olam/passwordless_setup.yml deleted file mode 100644 index 6a74644..0000000 --- a/olam/passwordless_setup.yml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -# Copyright (c) 2024 Oracle and/or its affiliates. -# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. -# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) -# See LICENSE.TXT for details. - -- name: Generate ssh keypair for user - community.crypto.openssh_keypair: - path: "~/.ssh/{{ private_key }}" - size: 2048 - comment: ol ssh keypair - become: true - become_user: "{{ username }}" - -- name: Fetch public key file from server - ansible.builtin.fetch: - src: "~/.ssh/{{ private_key }}.pub" - dest: "buffer/{{ inventory_hostname }}-{{ private_key }}.pub" - flat: true - become: true - become_user: "{{ username }}" - -- name: Copy public key to each destination - ansible.posix.authorized_key: - user: "{{ username }}" - state: present - key: "{{ lookup('file', 'buffer/{{ item }}-{{ private_key }}.pub') }}" - loop: "{{ groups['all'] | flatten(levels=1) }}" - become: true - -- name: Print hostvars for groups - ansible.builtin.debug: - msg: "{{ hostvars[item] }}" - loop: "{{ groups['all'] | flatten(levels=1) }}" - when: debug_enabled - -- name: Print vnc subnet_domain_name - ansible.builtin.debug: - var: my_subnet_domain_name - when: debug_enabled - -- name: Accept new ssh fingerprints - ansible.builtin.shell: | - ssh-keyscan -t ecdsa-sha2-nistp256 \ - {{ hostvars[item].ansible_hostname }},\ - {{ hostvars[item].ansible_default_ipv4.address }},\ - {{ hostvars[item].ansible_hostname + '.' + my_subnet_domain_name }} >> ~/.ssh/known_hosts - with_items: - - "{{ groups['all'] }}" - become: true - become_user: "{{ username }}" - register: result - changed_when: result.rc == 0 diff --git a/olam/provision_builder.yml b/olam/provision_builder.yml index 4cd4a2c..d85348d 100644 --- a/olam/provision_builder.yml +++ b/olam/provision_builder.yml 
@@ -13,7 +13,7 @@ tasks: - - name: Install Oracle Linux Automation Manager repository + - name: Install Oracle Linux Automation Manager repository on OL8 ansible.builtin.dnf: name: oraclelinux-automation-manager-release-el8 state: present @@ -21,7 +21,7 @@ delay: 10 when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - - name: Disable Oracle Linux Automation Manager 1.0 repository + - name: Disable Oracle Linux Automation Manager 1.0 repository on OL8 community.general.ini_file: path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" section: ol8_automation @@ -30,7 +30,7 @@ mode: '0644' when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - - name: Disable Oracle Linux Automation Manager 2.0 repository + - name: Disable Oracle Linux Automation Manager 2.0 repository on OL8 community.general.ini_file: path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" section: ol8_automation2 
@@ -39,15 +39,52 @@ mode: '0644' when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - - name: Enable Oracle Linux Automation Manager 2.2 repository + - name: Disable Oracle Linux Automation Manager 2.2 repository on OL8 community.general.ini_file: path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" section: ol8_automation2.2 option: enabled + value: "0" + mode: '0644' + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + + - name: Enable Oracle Linux Automation Manager 2.3 repository on OL8 + community.general.ini_file: + path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol8.repo" + section: ol8_automation2.3 + option: enabled value: "1" mode: '0644' when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' + - name: Install Oracle Linux Automation Manager repository on OL9 + ansible.builtin.dnf: + name: oraclelinux-automation-manager-release-el9 + state: present + retries: 5 + delay: 10 + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + + - name: Enable Oracle Linux Automation Manager 2.3 repository on OL9 + community.general.ini_file: + path: "/etc/yum.repos.d/oraclelinux-automation-manager-ol9.repo" + section: ol9_automation2.3 + option: enabled + value: "1" + mode: '0644' + when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9' + + - name: Check if user is lingering + ansible.builtin.stat: + path: "/var/lib/systemd/linger/{{ username }}" + register: user_lingering + + - name: Enable lingering is needed + ansible.builtin.command: "loginctl enable-linger {{ username }}" + register: linger_result + changed_when: linger_result.rc == 0 + when: not user_lingering.stat.exists + - name: Install Oracle Linux Automation Manager Builder Utility ansible.builtin.dnf: name: 
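Review bot: `Enable lingering is needed` runs `loginctl enable-linger {{ username }}` with no `become` on the task, and enabling linger for another account requires root (polkit denies it otherwise); the play header is outside this hunk, so if `become` is not set at play level the task fails on a non-root connection and needs `become: true`. The task name also reads `is needed` where `if needed` is presumably meant. Because `username` is expanded into a command string, a value containing whitespace would be split into extra arguments; `argv: ["loginctl", "enable-linger", "{{ username }}"]` passes it as a single argument.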
@@ -56,11 +93,10 @@ state: present retries: 5 delay: 10 - when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8' - - name: Install Ansible Runner using pip + - name: Install Ansible Navigator using pip ansible.builtin.pip: - name: ansible-runner + name: ansible-navigator executable: pip3.11 - name: Create project directory @@ -104,9 +140,9 @@ become_user: "{{ username }}" - name: Create bindep.txt - ansible.builtin.file: - path: ~/my_custom_ee_project/bindep.txt - state: touch + ansible.builtin.template: + src: templates/bindep.txt.j2 + dest: ~/my_custom_ee_project/bindep.txt mode: '0644' become: true become_user: "{{ username }}" @@ -125,7 +161,7 @@ msg: "{{ builder_output.stdout }}" when: debug_enabled - - name: Create runner private_data_dir + - name: Create ansible project directory ansible.builtin.file: path: /tmp/private/project state: directory diff --git a/olam/provision_instance_basics.yml b/olam/provision_instance_basics.yml new file mode 100644 index 0000000..f91bcbb --- /dev/null +++ b/olam/provision_instance_basics.yml 
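Review bot: `Install Ansible Navigator using pip` installs `ansible-navigator` with no `version`, so every run resolves the newest release on PyPI at that moment; pinning it (`version: "<pinned version>"`, placeholder) keeps builder hosts reproducible and means a new or tampered upstream release is picked up by a deliberate bump rather than by accident. With the OL8-only `when` removed from the builder-utility install in the first hunk, `executable: pip3.11` now also runs on OL9, which only works if a python3.11 pip exists there — the package tasks earlier in this play are outside the hunk, so that is worth confirming. The builder-utility task whose `when` was removed starts before this hunk.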
@@ -0,0 +1,77 @@ +--- +# Copyright (c) 2024 2025 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Provision instance basics + hosts: all:!localhost:!remote + vars_files: + - default_vars.yml + - oci_vars.yml + + tasks: + + - name: Grow the root filesystem + ansible.builtin.shell: | + /usr/libexec/oci-growfs -y + become: true + register: result + changed_when: result.rc == 0 + + - name: Add user account with access to sudo + ansible.builtin.user: + name: "{{ username }}" + password: "{{ user_default_password | password_hash('sha512') }}" + comment: Ansible created user + groups: wheel + append: true + update_password: on_create + become: true + + - name: Set authorized key for user using local public key file + ansible.posix.authorized_key: + user: "{{ username }}" + state: present + key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/' + private_key + '.pub') }}" + become: true + + - name: Set user with passwordless sudo access + vars: + sudo_content: "{{ username }} ALL=(ALL:ALL) NOPASSWD: ALL" + ansible.builtin.lineinfile: + path: "/etc/sudoers.d/{{ username }}" + regexp: "{{ username }} ALL=" + line: "{{ sudo_content }}" + state: present + create: true + mode: "0644" + become: true + + - name: Create the ansible tmp directory if it does not exist + ansible.builtin.file: + path: ~/.ansible/tmp + state: directory + mode: '0700' + become: true + become_user: "{{ username }}" + + - name: Add locale settings to .bashrc + ansible.builtin.lineinfile: + dest: ~/.bashrc + line: "{{ item }}" + with_items: + - 'export LC_ALL="en_US.UTF-8"' + - 'export LC_CTYPE="en_US.UTF-8"' + become: true + become_user: "{{ username }}" + + - name: Configure firewall to log denied packets + ansible.builtin.command: + cmd: firewall-cmd 
--set-log-denied=all + when: debug_enabled + register: firewall_result + changed_when: firewall_result.rc == 0 + become: true + + # Check denied packets with "journalctl -x -e" or with "dmesg | grep -i REJECT" diff --git a/olam/templates/bindep.txt.j2 b/olam/templates/bindep.txt.j2 new file mode 100644 index 0000000..4e45660 --- /dev/null +++ b/olam/templates/bindep.txt.j2 @@ -0,0 +1,10 @@ +gcc +libcurl-devel +libxml2-devel +{% if ansible_distribution_major_version == '8' %} +python3.11-devel +{% endif %} +{% if ansible_distribution_major_version == '9' %} +python3-devel +{% endif %} +openssl-devel diff --git a/olam/templates/execution_environment.yml.j2 b/olam/templates/execution_environment.yml.j2 index 975544d..37a039c 100644 --- a/olam/templates/execution_environment.yml.j2 +++ b/olam/templates/execution_environment.yml.j2 
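Review bot: `Set user with passwordless sudo access` writes `/etc/sudoers.d/{{ username }}` through `lineinfile` with no `validate`, so a malformed line (for example from an unexpected `username` value) is installed as-is and can break sudo for every account on the host; add `validate: '/usr/sbin/visudo -cf %s'` and use `mode: "0440"`, the permission sudo's own packaging uses for drop-in files. `NOPASSWD: ALL` for the created user is carried over from the deleted host_setup.yml rather than new here, but a one-line comment above the task stating why password-less root is required would help the next maintainer. The play is complete within this hunk.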
@@ -1,27 +1,35 @@ --- -version: 2 +version: 3 build_arg_defaults: - ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: "--ignore-certs" - -ansible_config: 'ansible.cfg' + ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: '--pre --ignore-certs' dependencies: + ansible_runner: + package_pip: ansible-runner galaxy: requirements.yml python: requirements.txt system: bindep.txt images: base_image: - name: container-registry.oracle.com/oracle_linux_automation_manager/olam-ee:2.2 - builder_image: - name: container-registry.oracle.com/oracle_linux_automation_manager/olam-builder:2.2 +{% if ansible_distribution_major_version == '8' %} + name: container-registry.oracle.com/oracle_linux_automation_manager/olam-ee:2.3-ol8 +{% endif %} +{% if ansible_distribution_major_version == '9' %} + name: container-registry.oracle.com/oracle_linux_automation_manager/olam-ee:2.3-ol9 +{% endif %} +additional_build_files: + - src: ansible.cfg + dest: configs + additional_build_steps: - prepend: | + prepend_galaxy: + - COPY _build/configs/ansible.cfg /etc/ansible/ansible.cfg + prepend_final: | RUN whoami RUN cat /etc/os-release - append: + append_final: - RUN echo This is a post-install command! - RUN ls -la /etc - diff --git a/olam/templates/requirements.txt.j2 b/olam/templates/requirements.txt.j2 index 6edba99..6f8d024 100644 --- a/olam/templates/requirements.txt.j2 +++ b/olam/templates/requirements.txt.j2 @@ -1,2 +1,3 @@ -setuptools -oci>=2.141.1 +requests>=2.4.2 +ovirt-engine-sdk-python>=4.6.2 +oci>=2.155.0 diff --git a/olam/templates/requirements.yml.j2 b/olam/templates/requirements.yml.j2 index 5f5e171..00d3924 100644 --- a/olam/templates/requirements.yml.j2 +++ b/olam/templates/requirements.yml.j2 @@ -1,6 +1,6 @@ --- collections: -- name: https://github.com/oracle/oci-ansible-collection.git - type: git - version: master +- name: oracle.oci + version: ">=5.5.0,<6.0.0" + type: galaxy - name: ovirt.ovirt diff --git a/olam/terminate_instance.yml b/olam/terminate_instance.yml new file mode 100644 index 0000000..c734675 
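Review bot: `ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: '--pre --ignore-certs'` keeps `--ignore-certs` from the old line, which turns off TLS certificate verification for every collection download during the image build, so the `oracle.oci` and `ovirt.ovirt` collections could be substituted in transit without the build noticing. If it is there to get past a private CA or proxy, adding that CA to the builder image keeps verification on; otherwise drop it: `ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: '--pre'`. `--pre` is new and lets pre-release collection versions satisfy the `>=5.5.0,<6.0.0` range in requirements.yml.j2, which may be intended but deserves a comment next to the option.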
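Review bot: In the requirements.txt.j2 hunk, `ovirt-engine-sdk-python>=4.6.2` and `oci>=2.155.0` are open lower bounds with no upper bound, so each image build installs whatever the newest PyPI release is at build time and two builds of the same commit can differ. An upper bound in the style requirements.yml.j2 already uses (for example `oci>=2.155.0,<3`, a constructed bound to adjust), or a hash-pinned constraints file, keeps builds reproducible.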
--- /dev/null +++ b/olam/terminate_instance.yml 
@@ -0,0 +1,99 @@ +--- +# Copyright (c) 2024 2025 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Terminate instances and delete oci resources + hosts: localhost + vars_files: + - default_vars.yml + + tasks: + + - name: Check if ansible state file exists + ansible.builtin.stat: + path: .ansible-state + register: state_exists + + - name: Fail if ansible state file does not exist + ansible.builtin.fail: + msg: "Exit instance termination as an instance doesn't exist." + when: not state_exists.stat.exists + + - name: Read ansible.state file + ansible.builtin.set_fact: + ocid_state: "{{ lookup('file', '.ansible-state') | from_yaml }}" + + - name: Delete the instances + oracle.oci.oci_compute_instance: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" + id: "{{ item.value }}" + state: absent + loop: "{{ ocid_state | dict2items | selectattr('key', 'match', '^instance.*') }}" + + - name: Delete the subnet + oracle.oci.oci_network_subnet: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" + id: "{{ ocid_state.subnet_ocid }}" + state: absent + when: ocid_state.subnet_ocid is defined and ocid_state.subnet_ocid != '' + + - name: Delete the security list + oracle.oci.oci_network_security_list: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" + id: "{{ ocid_state.security_list_ocid }}" + state: absent + when: ocid_state.security_list_ocid is defined and ocid_state.security_list_ocid != '' + + - name: Delete the route table + oracle.oci.oci_network_route_table: + config_file_location: "{{ 
oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" + id: "{{ ocid_state.route_table_ocid }}" + state: absent + when: ocid_state.route_table_ocid is defined and ocid_state.route_table_ocid != '' + + - name: Delete the Service Gateway + oracle.oci.oci_network_service_gateway: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" + id: "{{ ocid_state.service_gateway_ocid }}" + state: absent + when: ocid_state.service_gateway_ocid is defined and ocid_state.service_gateway_ocid != '' + + - name: Delete the Internet Gateway + oracle.oci.oci_network_internet_gateway: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" + id: "{{ ocid_state.internet_gateway_ocid }}" + state: absent + when: ocid_state.internet_gateway_ocid is defined and ocid_state.internet_gateway_ocid != '' + + - name: Delete the VCN + oracle.oci.oci_network_vcn: + config_file_location: "{{ oci_config_file | default(omit) }}" + config_profile_name: "{{ oci_config_section | default(omit) }}" + vcn_id: "{{ ocid_state.vcn_ocid }}" + state: absent + when: ocid_state.vcn_ocid is defined and ocid_state.vcn_ocid != '' + + - name: Prompt user to confirm removal of artifacts + ansible.builtin.pause: + prompt: "Are you sure you want to remove these artifacts? (Y/N)" + echo: true + register: confirm_removal + + - name: Remove artifacts + ansible.builtin.file: + state: absent + path: "{{ item }}" + loop: + - oci_vars.yml + - buffer + - hosts + - .ansible-state + when: confirm_removal.user_input | lower in ['y', 'yes'] diff --git a/olam/update_all_rpms.yml b/olam/update_all_rpms.yml index 83144a9..9a9321b 100644 --- a/olam/update_all_rpms.yml +++ b/olam/update_all_rpms.yml 
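Review bot: The `Are you sure you want to remove these artifacts?` prompt is asked only after the instances, subnet, security list, route table, gateways and VCN have already been deleted, so the confirmation guards nothing but the local files while the irreversible OCI deletions run unconfirmed. Move the `pause` ahead of `Delete the instances` and guard each delete task with the same `when: confirm_removal.user_input | lower in ['y', 'yes']`, or split it into a second prompt so the destructive step is the one that asks. The other delete tasks skip empty OCIDs with an `!= ''` check, but the instance loop has no such filter, so a state entry with an empty value would hand `id: ""` to `oci_compute_instance`; a `| rejectattr('value', 'equalto', '')` on the loop keeps it consistent. The play is complete within this hunk.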
@@ -5,7 +5,7 @@ # See LICENSE.TXT for details. - name: Install latest Oracle Linux packages - hosts: server + hosts: all:!localhost:!remote vars_files: - default_vars.yml become: true