1 #!/usr/bin/env ansible-playbook
2 # Copyright (C) The Arvados Authors. All rights reserved.
3 #
4 # SPDX-License-Identifier: Apache-2.0
5
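- name: Load Arvados configuration
  hosts: default
  tasks:
    # Read the Arvados config file into `arvados_config`; the task is
    # delegated to localhost.
    - name: Load Arvados configuration file
      delegate_to: localhost
      ansible.builtin.include_vars:
        name: arvados_config
        file: "{{ arvados_config_file }}"
    # Select this cluster's section so later plays can refer to
    # `arvados_cluster` directly.
    - name: Load Arvados cluster configuration
      ansible.builtin.set_fact:
        arvados_cluster: "{{ arvados_config.Clusters[arvados_cluster_id] }}"
      failed_when: arvados_cluster is undefined
    # Only runs when the cluster config carries a non-empty
    # DispatchPrivateKey. The result is registered as
    # `compute_dispatch_ssh_keygen`.
    - name: Get Crunch dispatch public key
      when:
        - arvados_cluster.Containers.DispatchPrivateKey is defined
        - arvados_cluster.Containers.DispatchPrivateKey is truthy
      delegate_to: localhost
      block:
        # `ssh-keygen` supports reading stdin for some operations with `-f -`,
        # but `-y` is not one of those operations as of April 2025.
        # We MUST have the dispatch private key in a file with correct
        # permissions for `ssh-keygen -y -f` to read.
        - name: Prepare tempfile for dispatch private key
          ansible.builtin.tempfile:
            suffix: ".key"
          register: key_tempfile

        # Try to parse DispatchPrivateKey as a URL.
        # If it's recognized as a file: URL, copy that path to the tempfile.
        # Otherwise, expect it's the private key,
        # and write that content directly to the tempfile.
        - name: Save dispatch private key to tempfile
          vars:
            key_url: "{{ arvados_cluster.Containers.DispatchPrivateKey | urlsplit }}"
          ansible.builtin.copy:
            src: "{{ key_url.path if key_url.scheme == 'file' else omit }}"
            content: "{{ arvados_cluster.Containers.DispatchPrivateKey|regex_replace('\\n?$', '\\n') if key_url.scheme != 'file' else omit }}"
            dest: "{{ key_tempfile.path }}"
            # Quoted so the mode is never subject to YAML integer parsing.
            mode: "0600"
          # This task handles private key material: keep its arguments and
          # result out of task output and logs (for example under -v or
          # --diff). Drop this temporarily if the task needs debugging.
          no_log: true

        # `ssh-keygen -y` only prints the public key for the given private
        # key; it never changes anything, so do not report a change.
        - name: Derive dispatch public key
          ansible.builtin.command:
            argv:
              - ssh-keygen
              - "-y"
              - "-f"
              - "{{ key_tempfile.path }}"
          register: compute_dispatch_ssh_keygen
          changed_when: false

      always:
        # Runs whether or not the block succeeded so the private key copy
        # does not outlive the play. `path` is checked as well because a
        # failed or skipped tempfile task still registers `key_tempfile`,
        # just without a path to remove.
        - name: Remove dispatch private key tempfile
          when: key_tempfile is defined and key_tempfile.path is defined
          ansible.builtin.file:
            path: "{{ key_tempfile.path }}"
            state: absent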
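- name: Set up compute node base distribution
  # `default` is the name that the Packer Ansible plugin assigns to the
  # instance used to create the image.
  hosts: default
  tasks:
    # Runs `apt-get update`, then installs the listed packages, waiting up
    # to 300 seconds for the dpkg lock each time.
    # NOTE(review): presumably `raw` is used because the modules used later
    # need these packages on the target first - confirm.
    - name: Bootstrap packages required for Ansible
      become: true
      ansible.builtin.raw: "apt-get -o DPkg::Lock::Timeout=300 -qy {{ item }}"
      loop:
        - update
        - install gnupg python3-apt python3-debian xz-utils
    - name: Include arvados_apt role
      ansible.builtin.include_role:
        name: arvados_apt
    # Record the names of versioned kernel packages for this architecture.
    # The awk filter keeps rows whose dpkg status shows the package in an
    # unpacked-to-installed state and prints only the package name.
    # Read-only query, so it never reports a change.
    - name: List linux-image packages pre-upgrade
      ansible.builtin.shell:
        cmd: |
          dpkg-query --list "linux-image-[1-9]*-$(dpkg --print-architecture)" |
          awk '($1 ~ /^[irp][HUFWti]$/) { print $2; }'
      register: linux_image_preupgrade
      changed_when: false
    - name: apt update if needed
      ansible.builtin.meta: flush_handlers
    - name: Upgrade packages
      become: true
      ansible.builtin.apt:
        upgrade: true
    # NOTE(review): with unattended-upgrades purged, nodes booted from this
    # image will not apply security updates on their own; patch level is
    # then fixed at image build time. Presumably intentional for short-lived
    # compute nodes - confirm the image is rebuilt on a regular schedule.
    - name: Remove unwanted packages
      become: true
      ansible.builtin.apt:
        state: absent
        purge: true
        name:
          - unattended-upgrades
    # Same read-only query as before the upgrade, for comparison.
    - name: List linux-image packages post-upgrade
      ansible.builtin.shell:
        cmd: |
          dpkg-query --list "linux-image-[1-9]*-$(dpkg --print-architecture)" |
          awk '($1 ~ /^[irp][HUFWti]$/) { print $2; }'
      register: linux_image_postupgrade
      changed_when: false
    # Rebooting now accomplishes a few things: it means we can remove the old
    # linux-image afterward, and the `ansible_kernel` fact will reflect what
    # the image will boot into when used.
    - name: Reboot into new kernel
      when: "linux_image_preupgrade.stdout != linux_image_postupgrade.stdout"
      become: true
      ansible.builtin.reboot: {}
    # Purges every kernel package that was present before the upgrade, but
    # only when the package list changed (same condition as the reboot).
    - name: Remove old kernel(s)
      when: "linux_image_preupgrade.stdout != linux_image_postupgrade.stdout"
      become: true
      ansible.builtin.apt:
        state: absent
        purge: true
        name: "{{ linux_image_preupgrade.stdout_lines }}"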
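- name: Install compute node software
  hosts: default
  tasks:
    - name: Include compute_encrypt_tmp role
      ansible.builtin.include_role:
        name: compute_encrypt_tmp
    - name: Include arvados_compute role
      ansible.builtin.include_role:
        name: arvados_compute
    # Docker is only set up when the cluster configuration selects it as the
    # container runtime.
    - name: Include compute_docker role
      ansible.builtin.include_role:
        name: compute_docker
      when: "arvados_cluster.Containers.RuntimeEngine == 'docker'"
    - name: Include compute_user role
      ansible.builtin.include_role:
        name: compute_user

    # Replaces the (possibly commented-out) `prepend domain-name-servers`
    # line in dhclient.conf, or adds one if no line matches. Skipped unless
    # `dns_resolver` is set.
    # NOTE(review): `dns_resolver` is written into the file as-is; it is
    # presumably a trusted, operator-supplied address - confirm.
    - name: Configure DNS
      become: true
      ansible.builtin.lineinfile:
        path: /etc/dhcp/dhclient.conf
        regexp: "^[# ]*prepend +domain-name-servers "
        line: "prepend domain-name-servers {{ dns_resolver }};"
      when: dns_resolver is defined

    # Last step: drop packages that are no longer needed and clear the apt
    # cache.
    - name: Clean apt packages
      become: true
      ansible.builtin.apt:
        autoremove: true
        clean: true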