refactor: rework cloud-init and communicator integration

This commit is contained in:
Robert Kaussow 2022-09-09 10:29:00 +02:00
parent 016f414b08
commit 1f5f4b3685
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
8 changed files with 160 additions and 80 deletions


@ -41,8 +41,8 @@ If required, modify the configuration and scripts files.
Initialize packer and start a build.
```Shell
packer init rocky-9.0/
packer build rocky-9.0/
packer init rocky-9/
packer build rocky-9/
```
## License


@ -0,0 +1,69 @@
users:
- default
disable_root: 0
ssh_pwauth: 0
mount_default_fields: [~, ~, 'auto', 'defaults,nofail,x-systemd.requires=cloud-init.service', '0', '2']
resize_rootfs_tmp: /dev
ssh_deletekeys: 1
ssh_genkeytypes: ['rsa', 'ecdsa', 'ed25519']
syslog_fix_perms: ~
disable_vmware_customization: false
cloud_init_modules:
- disk_setup
- migrator
- bootcmd
- write-files
- [ growpart, always ]
- [ resizefs, always ]
- set_hostname
- update_hostname
- [ update_etc_hosts, once-per-instance ]
- rsyslog
- users-groups
- ssh
cloud_config_modules:
- mounts
- locale
- set-passwords
- rh_subscription
- yum-add-repo
- package-update-upgrade-install
- timezone
- puppet
- chef
- salt-minion
- mcollective
- disable-ec2-metadata
- runcmd
cloud_final_modules:
- rightscale_userdata
- scripts-per-once
- scripts-per-boot
- scripts-per-instance
- scripts-user
- ssh-authkey-fingerprints
- keys-to-console
- phone-home
- final-message
- power-state-change
system_info:
default_user:
name: cloud-user
lock_passwd: true
gecos: Cloud User
groups: [adm, systemd-journal]
sudo: ["ALL=(ALL) NOPASSWD:ALL"]
shell: /bin/bash
distro: rhel
paths:
cloud_dir: /var/lib/cloud
templates_dir: /etc/cloud/templates
ssh_svcname: sshd
# vim:syntax=yaml
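Review bot: `disable_root: 0`, `ssh_pwauth: 0` and `ssh_deletekeys: 1` spell booleans as integers while `disable_vmware_customization: false` and `lock_passwd: true` in the same file use real booleans; cloud-init accepts both, but one spelling should be used throughout, e.g. `disable_root: false`, `ssh_pwauth: false`, `ssh_deletekeys: true`. `syslog_fix_perms: ~` and the `~` entries in `mount_default_fields` are the YAML 1.1 null shorthand and read more clearly as `null`. The file has no header explaining its role and the only comment is the vim modeline, so a first line such as `# Base cloud-init settings for the Proxmox template; written by init.ks to /etc/cloud/cloud.cfg.d/90-proxmox.cfg` would tell a maintainer where it ends up. The `sudo: ["ALL=(ALL) NOPASSWD:ALL"]` entry grants the default user passwordless root; that is the usual upstream default, but a one-line comment would make it a documented choice rather than an oversight.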


@ -0,0 +1,9 @@
disable_root: 0
ssh_pwauth: 1
# Set the distro defaults
system_info:
default_user:
name: root
shell: /bin/bash
lock_passwd: false
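Review bot: This drop-in overrides the `default_user` from 90-proxmox.cfg with `root`, `lock_passwd: false` and `ssh_pwauth: 1`, but the only explanation is `# Set the distro defaults`, which says neither why root is the cloud-init user nor that password authentication is being switched on for every VM cloned from the template. A comment stating the intent is needed, e.g. `# Proxmox's cloud-init integration applies the VM's user/password/keys to the default user; make that root for this template (overrides 90-proxmox.cfg)` — assuming that is the reason, which the commit does not say. Whether `ssh_pwauth` should be on for clones is worth a sentence of its own, since 90-proxmox.cfg deliberately sets it off. As in 90-proxmox.cfg, `0`/`1` should be `false`/`true`, and `disable_root: 0` repeats the base file's value and can be dropped.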


@ -1,6 +1,15 @@
### Installs from the first attached CD-ROM/DVD on the system.
### Install from the first attached CD-ROM/DVD on the system
cdrom
### Configure network information for target system and activate network devices in the installer environment (optional)
### --onboot enable device at a boot time
### --device device to be activated and / or configured with the network command
### --bootproto method to obtain networking configuration for device (default dhcp)
### --noipv6 disable IPv6 on this device
###
### network --bootproto=static --ip=172.16.11.200 --netmask=255.255.255.0 --gateway=172.16.11.200 --nameserver=172.16.11.4 --hostname centos-linux-8
network --bootproto=dhcp --device=link --activate --onboot=on
### Performs the kickstart installation in text mode.
### By default, kickstart installations are performed in graphical mode.
text
@ -14,18 +23,8 @@ lang ${vm_guest_os_language}
### Sets the default keyboard type for the system.
keyboard ${vm_guest_os_keyboard}
### Configure network information for target system and activate network devices in the installer environment (optional)
### --onboot enable device at a boot time
### --device device to be activated and / or configured with the network command
### --bootproto method to obtain networking configuration for device (default dhcp)
### --noipv6 disable IPv6 on this device
###
### network --bootproto=static --ip=172.16.11.200 --netmask=255.255.255.0 --gateway=172.16.11.200 --nameserver=172.16.11.4 --hostname centos-linux-8
network --bootproto=dhcp
### The selected profile will restrict root login.
### Add a user that can login and escalate privileges.
user --name=${build_username} --iscrypted --password=${build_password_encrypted} --groups=wheel
### Set initial root password
rootpw --iscrypted ${build_password_encrypted}
### Configure firewall settings for the system.
### --enabled reject incoming connections that are not in response to outbound requests
@ -58,9 +57,9 @@ clearpart --all --initlabel
### Modify partition sizes for the virtual machine hardware.
### Create primary system partitions.
part /boot --fstype xfs --size=1024 --label=BOOTFS
part /boot/efi --fstype vfat --size=1024 --label=EFIFS
part pv.01 --size=25 --grow
part /boot --fstype xfs --size=512 --label=BOOTFS
part /boot/efi --fstype vfat --size=512 --label=EFIFS
part pv.01 --size=19 --grow
### Create a logical volume management (LVM) group.
volgroup vg00 --pesize=4096 pv.01
@ -68,15 +67,15 @@ volgroup vg00 --pesize=4096 pv.01
### Modify logical volume sizes for the virtual machine hardware.
### Create logical volumes.
logvol swap --fstype swap --name=lv_swap --vgname=vg00 --size=2048 --label=SWAPFS
logvol / --fstype xfs --name=lv_root --vgname=vg00 --size=8000 --label=ROOTFS
logvol /home --fstype xfs --name=lv_home --vgname=vg00 --size=4000 --label=HOMEFS
logvol / --fstype xfs --name=lv_root --vgname=vg00 --size=6000 --label=ROOTFS
logvol /home --fstype xfs --name=lv_home --vgname=vg00 --size=3000 --label=HOMEFS
logvol /opt --fstype xfs --name=lv_opt --vgname=vg00 --size=1000 --label=OPTFS
logvol /tmp --fstype xfs --name=lv_tmp --vgname=vg00 --size=1000 --label=TMPFS --fsoptions="nosuid,noexec,nodev"
logvol /tmp --fstype xfs --name=lv_tmp --vgname=vg00 --size=512 --label=TMPFS --fsoptions="nosuid,noexec,nodev"
logvol /var --fstype xfs --name=lv_var --vgname=vg00 --size=2000 --label=VARFS --fsoptions="nosuid"
logvol /var/tmp --fstype xfs --name=lv_vartmp --vgname=vg00 --size=1000 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
logvol /var/www --fstype xfs --name=lv_www --vgname=vg00 --size=2000 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
logvol /var/tmp --fstype xfs --name=lv_vartmp --vgname=vg00 --size=512 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
logvol /var/www --fstype xfs --name=lv_www --vgname=vg00 --size=1000 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
logvol /var/log --fstype xfs --name=lv_log --vgname=vg00 --size=1000 --label=LOGFS --fsoptions="nosuid,noexec,nodev"
logvol /var/log/audit --fstype xfs --name=lv_audit --vgname=vg00 --size=1024 --label=AUDITFS --fsoptions="nosuid,noexec,nodev"
logvol /var/log/audit --fstype xfs --name=lv_audit --vgname=vg00 --size=512 --label=AUDITFS --fsoptions="nosuid,noexec,nodev"
### Modifies the default set of services that will run under the default runlevel.
services --enabled=NetworkManager,sshd,qemu-guest-agent
@ -98,6 +97,7 @@ curl
python3
python3-libselinux
qemu-guest-agent
jq
-aic94xx-firmware
-atmel-firmware
-b43-openfwwf
@ -136,9 +136,15 @@ dnf install -y cloud-init
dnf clean all
touch /etc/cloud/cloud-init.disabled
cat >/etc/cloud/cloud.cfg.d/90-proxmox.cfg <<EOF
${files_proxmox_default_init}
EOF
cat >/etc/cloud/cloud.cfg.d/93-proxmox.cfg <<EOF
${files_proxmox_init}
EOF
echo "Completed cloud-init step!"
echo "${build_username} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/${build_username}
sed -i "s/^.*requiretty/#Defaults requiretty/" /etc/sudoers
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
%end
### Reboot after the installation is complete.
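Review bot: The `%post` line `echo "${build_username} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/${build_username}` is kept although the `user --name=${build_username}` command is dropped in the second hunk and `variable "build_username"` is removed from variables.pkr.hcl in this same commit, so the template either fails to render or writes a sudoers drop-in for a user that no longer exists; the line should go together with the user. The new heredocs use an unquoted delimiter, so any `$` or backtick inside the embedded cloud-init files would be expanded by the post-install shell; writing them as `cat >/etc/cloud/cloud.cfg.d/90-proxmox.cfg <<'EOF'` (and the same for 93-proxmox.cfg) keeps the file contents literal. The `PermitRootLogin yes` edit two lines later is what the build communicator now relies on with `ssh_username = "root"`; a comment such as `# Build-time only: the cleanup script restores prohibit-password before the template is finalised` would make the pairing explicit. The `%post` section starts before this hunk.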


@ -10,13 +10,11 @@ vm_qemu_agent = true
proxmox_iso_pool = "local:iso"
proxmox_iso_file = "Rocky-9.0-x86_64-minimal.iso"
proxmox_template_description = "Rocky Linux 9.0 Template"
proxmox_template_name = "rocky-90-cloud"
proxmox_template_description = "Rocky Linux 9 Template"
proxmox_template_name = "rocky-9-cloud"
// Communicator Settings
communicator_port = 22
communicator_timeout = "30m"
// Provisioner Settings
scripts = ["scripts/rocky-9.x.sh"]
build_scripts = ["scripts/rocky-9.sh"]


@ -12,20 +12,22 @@ locals {
buildtime = formatdate("YYYY-MM-DD hh:mm ZZZ", timestamp())
data_source_content = {
"/ks.cfg" = templatefile("${abspath(path.root)}/data/init.ks.pkrtpl.hcl", {
build_username = var.build_username
build_password_encrypted = var.build_password_encrypted
vm_guest_os_language = var.vm_guest_os_language
vm_guest_os_keyboard = var.vm_guest_os_keyboard
vm_guest_os_timezone = var.vm_guest_os_timezone
build_password_encrypted = var.build_password_encrypted
vm_guest_os_language = var.vm_guest_os_language
vm_guest_os_keyboard = var.vm_guest_os_keyboard
vm_guest_os_timezone = var.vm_guest_os_timezone
files_proxmox_default_init = file("${abspath(path.root)}/data/files/90-proxmox.cfg")
files_proxmox_init = file("${abspath(path.root)}/data/files/93-proxmox.cfg")
})
}
data_source_command = "inst.ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ks.cfg"
}
source "proxmox-iso" "rocky-linux-90" {
source "proxmox-iso" "rocky-linux-9" {
// Proxmox Settings
proxmox_url = "${var.proxmox_url}"
node = "${var.proxmox_node}"
username = "${var.proxmox_username}"
token = "${var.proxmox_token}"
// Virtual Machine Settings
@ -70,23 +72,20 @@ source "proxmox-iso" "rocky-linux-90" {
// Communicator Settings and Credentials
communicator = "ssh"
ssh_username = "${var.build_username}"
ssh_username = "root"
ssh_password = "${var.build_password}"
ssh_port = "${var.communicator_port}"
ssh_timeout = "${var.communicator_timeout}"
proxmox_template_description = "${var.proxmox_template_description} on ${local.buildtime}"
proxmox_template_name = "${var.proxmox_template_name}"
unmount_iso = true
template_description = "${var.proxmox_template_description} on ${local.buildtime}"
template_name = "${var.proxmox_template_name}"
unmount_iso = true
}
build {
sources = ["source.proxmox-iso.rocky-linux-90"]
sources = ["source.proxmox-iso.rocky-linux-9"]
provisioner "shell" {
execute_command = "echo '${var.build_password}' | {{.Vars}} sudo -E -S sh -eux '{{.Path}}'"
scripts = formatlist("${path.cwd}/%s", var.scripts)
remote_folder = "/home/${var.build_username}"
scripts = formatlist("${path.cwd}/%s", var.build_scripts)
remote_folder = "/root"
}
}
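Review bot: `build_username = var.build_username` in the `templatefile` call is still passed although `variable "build_username"` is deleted from variables.pkr.hcl in this commit; unless it is declared in a file outside this diff, `packer validate` will reject the unknown attribute, and the argument should be removed together with the kickstart's remaining `${build_username}` use. With `ssh_username = "root"` the provisioner's `execute_command` still pipes `var.build_password` into `sudo -E -S`, which is redundant for a root session and puts the password into the command string; `execute_command = "{{.Vars}} sh -eux '{{.Path}}'"` is enough. Hard-coding `"root"` rather than a variable is reasonable since the kickstart now only sets `rootpw`, but a comment on that line saying so would help the next reader. The `locals` block starts before the first hunk.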


@ -13,6 +13,8 @@ variable "proxmox_iso_pool" {
variable "proxmox_url" {
type = string
description = "URL to the Proxmox API, including the full path."
sensitive = true
default = ""
}
variable "proxmox_node" {
@ -20,9 +22,18 @@ variable "proxmox_node" {
description = "Name of a node in the Proxmox cluster on which to start the virtual machine when it is created."
}
variable "proxmox_username" {
type = string
description = "The username must include the token id after an exclamation mark."
sensitive = true
default = ""
}
variable "proxmox_token" {
type = string
description = "Token for authenticating API calls."
sensitive = true
default = ""
}
variable "proxmox_storage_format" {
@ -111,7 +122,7 @@ variable "vm_mem_size" {
variable "vm_disk_size" {
type = string
description = "The size for the virtual disk."
default = "32G"
default = "20G"
}
variable "vm_disk_controller_type" {
@ -163,15 +174,9 @@ variable "vm_qemu_agent" {
}
// Communicator Settings and Credentials
variable "build_username" {
type = string
description = "The username to login to the guest operating system."
sensitive = true
}
variable "build_password" {
type = string
description = "The password to login to the guest operating system."
description = "The password to login the guest operating system."
sensitive = true
}
@ -181,10 +186,10 @@ variable "build_password_encrypted" {
sensitive = true
}
variable "communicator_port" {
type = number
description = "The port for the communicator protocol."
default = 22
variable "build_scripts" {
type = list(string)
description = "A list of scripts and their relative paths to transfer and execute."
default = []
}
variable "communicator_timeout" {
@ -192,10 +197,3 @@ variable "communicator_timeout" {
description = "The timeout for the communicator protocol."
default = "30m"
}
// Provisioner Settings
variable "scripts" {
type = list(string)
description = "A list of scripts and their relative paths to transfer and execute."
default = []
}
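Review bot: `proxmox_username` and `proxmox_token` get `default = ""`, so an unset token no longer fails at variable resolution and the build proceeds to the API with empty credentials; leaving the default out makes the variable required and reports the missing value up front. Marking `proxmox_url` `sensitive = true` also hides the endpoint from logs, which makes connection errors harder to read; if that is intended, a comment on the variable should say why. The reworded description `The password to login the guest operating system.` drops a word from the previous text and should read `The password to log in to the guest operating system.`. If `ssh_timeout` was removed from the source alongside `ssh_port`, `communicator_timeout` is now declared but unused and should go the way of `communicator_port`.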


@ -3,12 +3,11 @@ set -eo pipefail
#### Update system
echo '> Update packages ...'
dnf update -y
dnf clean all
dnf -y -q update
dnf -q clean all
### Cleans all audit logs. ###
### Cleans all audit logs
echo '> Cleaning all audit logs ...'
if [ -f /var/log/audit/audit.log ]; then
cat /dev/null >/var/log/audit/audit.log
fi
@ -21,40 +20,42 @@ if [ -f /var/log/lastlog ]; then
cat /dev/null >/var/log/lastlog
fi
### Cleans persistent udev rules. ###
### Cleans persistent udev rules
echo '> Cleaning persistent udev rules ...'
if [ -f /etc/udev/rules.d/70-persistent-net.rules ]; then
rm /etc/udev/rules.d/70-persistent-net.rules
fi
### Clean the /tmp directories. ###
### Clean the /tmp directories
echo '> Cleaning /tmp directories ...'
rm -rf /tmp/*
rm -rf /var/tmp/*
rm -rf /var/cache/dnf/*
### Clean the SSH keys. ###
### Clean the SSH keys
echo '> Cleaning the SSH keys ...'
shred -u /etc/ssh/*_key /etc/ssh/*_key.pub
rm -f /etc/ssh/ssh_config.d/allow-root-ssh.conf
rm -rf /root/.ssh/authorized_keys
sed -i 's/PermitRootLogin yes/#PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
### Clean the machine-id. ###
### Clean the machine-id
echo '> Cleaning the machine-id ...'
truncate -s 0 /etc/machine-id
rm -f /var/lib/dbus/machine-id
mkdir -p /var/lib/dbus
ln -s /etc/machine-id /var/lib/dbus/machine-id
### Clean the shell history. ###
### Prepare cloud-init
echo '> Preparing cloud-init ...'
rm -f /etc/cloud/cloud-init.disabled
### Clean the shell history
echo '> Cleaning the shell history ...'
unset HISTFILE
history -cw
echo >~/.bash_history
rm -f /root/.bash_history
### Prepare cloud-init ###
echo '> Preparing cloud-init ...'
rm -f /etc/cloud/cloud-init.disabled
### Done. ###
### Done
echo '> Done.'
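Review bot: `rm -rf /root/.ssh/authorized_keys` targets a single file, so `-r` is not needed and `rm -f /root/.ssh/authorized_keys` says what is meant. Nothing in this commit creates `/etc/ssh/ssh_config.d/allow-root-ssh.conf`, and `ssh_config.d` is the client-side include directory, so if a server-side drop-in was intended it would live under `sshd_config.d`; the `rm -f` is harmless as written but its purpose should be recorded. The `sed` that restores `#PermitRootLogin prohibit-password` only matches the exact string the kickstart's `%post` wrote, so a comment above the block such as `# Undo the build-time root SSH access enabled in init.ks; allow-root-ssh.conf is removed in case an earlier step dropped it in` would document both the pairing and the assumption.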