diff --git a/ol/build.yml b/ol/build.yml index 597d5c6..410f528 100644 --- a/ol/build.yml +++ b/ol/build.yml @@ -80,7 +80,7 @@ - name: Add block storage to an instance ansible.builtin.include_tasks: "block.yml" - loop: "{{ query('sequence', 'start=1 end='+(block_count)|string) }}" + loop: "{{ query('sequence', 'start=1 end=' + (block_count) | string) }}" loop_control: extended: true vars: diff --git a/ol/host_setup.yml b/ol/host_setup.yml index bcb15b9..5a77316 100644 --- a/ol/host_setup.yml +++ b/ol/host_setup.yml @@ -43,7 +43,7 @@ become: true register: result changed_when: result.rc == 0 - + - name: Add user account with access to sudo ansible.builtin.user: name: "{{ username }}" diff --git a/ol/passwordless_setup.yml b/ol/passwordless_setup.yml index 70e0c45..33a1b1c 100644 --- a/ol/passwordless_setup.yml +++ b/ol/passwordless_setup.yml @@ -8,7 +8,7 @@ community.crypto.openssh_keypair: path: ~/.ssh/id_rsa size: 2048 - comment: ocne ssh keypair + comment: ol ssh keypair become: true become_user: "{{ username }}" diff --git a/olam/block.yml b/olam/block.yml new file mode 100644 index 0000000..2d932cc --- /dev/null +++ b/olam/block.yml 
@@ -0,0 +1,39 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Add block volumes to the instance + when: + - add_block_storage + block: + - name: Create block volume + oracle.oci.oci_blockstorage_volume: + compartment_id: "{{ my_compartment_id }}" + availability_domain: "{{ my_availability_domain }}" + display_name: "blockvolume-{{ item.value.instance_name | default('instance-'~timestamp) }}" + size_in_gbs: "{{ block_volume_size_in_gbs }}" + register: result + vars: + timestamp: "{{ now().strftime('%Y%m%d-%H%M%S') }}" + retries: 10 + delay: 30 + until: result is not failed + + - name: Set the block volume id + ansible.builtin.set_fact: + volume_id: "{{ result.volume.id }}" + + - name: Attach the block volume + oracle.oci.oci_compute_volume_attachment: + instance_id: "{{ instance_id }}" + type: paravirtualized + volume_id: "{{ volume_id }}" + compartment_id: "{{ my_compartment_id }}" + device: "/dev/oracleoci/oraclevd{{ block_devices[ansible_loop.index0] }}" + is_read_only: false + is_shareable: false + retries: 10 + delay: 30 + until: result is not failed diff --git a/olam/build.yaml b/olam/build.yml similarity index 65% rename from olam/build.yaml rename to olam/build.yml index c6b3f29..77d7dad 100644 --- a/olam/build.yaml +++ b/olam/build.yml 
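Review bot: The attach task in block.yml sets `retries`/`until: result is not failed` but has no `register:`, so as far as I can tell `result` inside its `until` still refers to the create-volume task's registered result and an attach failure is never retried; add `register: result` (or a distinct name) to that task. The `device` path indexes `block_devices[ansible_loop.index0]`, and the list passed in by the caller holds only five letters (b–f), so any `block_count` above 5 fails with an index error rather than a clear message — a `when: block_count <= block_devices | length` guard or an assert at the top of the file would make the limit explicit. Also note that `display_name` is identical for every iteration of the same instance, so with several volumes per host the module may match and return the already-created volume instead of creating a new one; suffixing it with `{{ ansible_loop.index }}` keeps the names unique.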
@@ -5,39 +5,45 @@ # See LICENSE.TXT for details. - name: Launch an instance - oci_compute_instance: + oracle.oci.oci_compute_instance: availability_domain: "{{ my_availability_domain }}" compartment_id: "{{ my_compartment_id }}" - name: "{{ item.value.instance_name | default('instance-'~timestamp) }}" - image_id: "{{ ol_image_id }}" + display_name: "{{ item.value.instance_name | default('instance-'~timestamp) }}" + source_details: + image_id: "{{ ol_image_id }}" + source_type: image + boot_volume_size_in_gbs: "{{ item.value.boot_volume_size_in_gbs | default(50) | int }}" shape: "{{ instance_shape }}" shape_config: ocpus: "{{ instance_ocpus }}" memory_in_gbs: "{{ instance_memory }}" create_vnic_details: assign_public_ip: true + display_name: "{{ item.value.instance_name | default('instance-'~timestamp) }}-vnic" hostname_label: "{{ item.value.instance_name | default('instance-'~timestamp) }}" subnet_id: "{{ my_subnet_id }}" + hostname_label: "{{ item.value.instance_name | default('instance-'~timestamp) }}" metadata: - ssh_authorized_keys: "{{ lookup('file', lookup('env','HOME') + '/.ssh/' + private_key + '.pub' ) }}" + ssh_authorized_keys: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/' + private_key + '.pub') }}" agent_config: is_monitoring_disabled: false is_management_disabled: false are_all_plugins_disabled: false plugins_config: - - - name: "OS Management Service Agent" - desired_state: DISABLED + - + name: "OS Management Service Agent" + desired_state: DISABLED + key_by: [compartment_id, availability_domain, display_name] register: result vars: timestamp: "{{ now().strftime('%Y%m%d-%H%M%S') }}" retries: 10 delay: 30 until: result is not failed - + - name: Print instance details ansible.builtin.debug: - msg: + msg: - "Launched a new instance:" - "{{ result }}" when: debug_enabled 
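Review bot: The second added `hostname_label` line, directly after `subnet_id`, appears to sit inside `create_vnic_details`, which already carries a `hostname_label` two lines above; a duplicate mapping key is silently resolved last-wins by most YAML parsers, and the collapsed indentation here makes the nesting hard to confirm. If it was meant as the module-level `hostname_label` argument it is redundant with the VNIC-level one, and either way a single `hostname_label` under `create_vnic_details` is enough. Separately, `key_by` now pins idempotency on `display_name`, but the default `'instance-'~timestamp` embeds `now()`, so a re-run for an entry without `instance_name` can never match the instance it created the first time.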
@@ -51,15 +57,21 @@ instance_display_name: "{{ result.instance.display_name }}" - name: Get the vnic attachment details of instance - oci_compute_vnic_attachment_facts: + oracle.oci.oci_compute_vnic_attachment_facts: compartment_id: "{{ my_compartment_id }}" instance_id: "{{ instance_id }}" register: result + retries: 10 + delay: 30 + until: result is not failed - name: Get vnic details - oci_network_vnic_facts: + oracle.oci.oci_network_vnic_facts: id: "{{ result.vnic_attachments[0].vnic_id }}" register: result + retries: 10 + delay: 30 + until: result is not failed - name: Set the instance private ip address ansible.builtin.set_fact: @@ -69,27 +81,34 @@ ansible.builtin.set_fact: instance_public_ip: "{{ result.vnic.public_ip }}" +- name: Add block storage to an instance + ansible.builtin.include_tasks: "block.yml" + loop: "{{ query('sequence', 'start=1 end=' + (block_count) | string) }}" + loop_control: + extended: true + vars: + block_devices: + - b + - c + - d + - e + - f + - name: Print the public and private ip of the newly created instance ansible.builtin.debug: - msg: + msg: - "Instance name: {{ instance_display_name }}" - " public ip: {{ instance_public_ip }}" - " private ip: {{ instance_private_ip }}" when: debug_enabled - + - name: Add host to in-memory host file ansible.builtin.add_host: name: "{{ instance_display_name }}" - groups: "in_memory" + groups: "{{ item.value.type }}" ansible_user: opc - ansible_ssh_private_key_file: "{{ lookup('env','HOME') + '/.ssh/' + private_key }}" + ansible_private_key_file: "{{ lookup('env', 'HOME') + '/.ssh/' + private_key }}" ansible_ssh_common_args: "-o StrictHostKeyChecking=no" ansible_host: "{{ instance_public_ip }}" ansible_port: 22 instance_ocid: "{{ instance_id }}" - -# - name: Add instance to the state file -# ansible.builtin.lineinfile: -# path: /tmp/ansible.state -# line: "id{{ groups['in_memory'].index(instance_display_name) }}: {{ instance_id }}" -# create: true 
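Review bot: The add_host task keeps `ansible_ssh_common_args: "-o StrictHostKeyChecking=no"`, which disables host-key verification for every subsequent connection to the instance, not just the bootstrap one; `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+) records the key on first contact and still rejects a changed key later, giving the same zero-touch bootstrap with narrower exposure. The new block-storage include runs `block.yml` `block_count` times even when `add_block_storage` is false, because the guard lives inside the included file; `when: add_block_storage` on the include itself avoids the empty iterations. The removed state-file comment block is history and needs no replacement.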
diff --git a/olam/create_instance.yml b/olam/create_instance.yml new file mode 100644 index 0000000..b86a69d --- /dev/null +++ b/olam/create_instance.yml 
@@ -0,0 +1,384 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Gather facts and create instances + hosts: localhost + vars_files: + - default_vars.yml + vars: + oci_config_section: DEFAULT + ad_placement: 1 + compartment_name: + compartment_id: + compute_instances: + 1: + instance_name: "ol-node-01" + type: "control" + 2: + instance_name: "ol-node-02" + type: "remote" + os: "Oracle Linux" + os_version: "8" + instance_shape: "VM.Standard.E4.Flex" + instance_ocpus: 2 + instance_memory: 32 + private_key: "id_rsa" + ansible_python_interpreter: "{{ localhost_python_interpreter | default(omit) }}" + debug_enabled: false + + tasks: + + # - name: Check if state file exists + # ansible.builtin.stat: + # path: /tmp/ansible.state + # register: state_exists + + # - name: Fail if state file already exists + # ansible.builtin.fail: + # msg: "Exit instance creation as a state file already exists." 
+ # when: hosts_exists.stat.exists + + - name: Get location of oci_config + ansible.builtin.set_fact: + oci_config_file: "{{ lookup('env', 'HOME') + '/.oci/config' }}" + + - name: Get tenancy ocid + ansible.builtin.set_fact: + my_tenancy_id: "{{ lookup('ini', 'tenancy section={{ oci_config_section }} file={{ oci_config_file }}') }}" + + - name: Get region id + ansible.builtin.set_fact: + my_region_id: "{{ lookup('ini', 'region section={{ oci_config_section }} file={{ oci_config_file }}') }}" + + - name: Print regions selected + ansible.builtin.debug: + msg: "{{ my_region_id }}" + when: debug_enabled + + - name: Get list availbility domains + oracle.oci.oci_identity_availability_domain_facts: + compartment_id: "{{ my_tenancy_id }}" + region: "{{ my_region_id }}" + register: result + retries: 10 + delay: 30 + until: result is not failed + + - name: Print availability domains + ansible.builtin.debug: + msg: "{{ result }}" + when: debug_enabled + + - name: Set list of availability domains + ansible.builtin.set_fact: + availability_domains: "{{ result.availability_domains }}" + + - name: Set to availability domain from list + ansible.builtin.set_fact: + my_availability_domain: "{{ availability_domains[(lookup('ansible.builtin.vars', 'ad_placement') | int) - 1].name }}" + + - name: Print availability domain ad_placement + ansible.builtin.debug: + msg: "{{ my_availability_domain }}" + when: debug_enabled + + - name: Get compartment id from .oci/config or env OCI_COMPARTMENT_OCID + vars: + env_lookup: "{{ lookup('ansible.builtin.env', 'OCI_COMPARMENT_OCID') }}" + ini_lookup: "{{ lookup('ini', 'compartment-id section={{ oci_config_section }} file={{ oci_config_file }}') }}" + ansible.builtin.set_fact: + my_compartment_id: "{{ compartment_id | default(env_lookup, true) | default(ini_lookup, true) }}" + + - name: Print compartment id + ansible.builtin.debug: + msg: "{{ my_compartment_id }}" + when: debug_enabled + + - name: Fail when compartment_id is not defined + 
ansible.builtin.fail: + msg: "Variable for compartment_id is not defined." + when: my_compartment_id is not defined + + - name: Generate random hex string + vars: + hex_chars: '0123456789abcdef' + ansible.builtin.set_fact: + vcn_code: "{{ query('community.general.random_string', upper=false, lower=false, override_special=hex_chars, numbers=false) }}" + + - name: Create a virtual cloud network + oracle.oci.oci_network_vcn: + compartment_id: "{{ my_compartment_id }}" + display_name: "Linuxvirt Virtual Cloud Network" + cidr_blocks: "10.0.0.0/16" + dns_label: "vcn" + register: result + retries: 10 + delay: 30 + until: result is not failed + + - name: Set vcn id + ansible.builtin.set_fact: + my_vcn_id: "{{ result.vcn.id }}" + + - name: Create internet_gateway + oracle.oci.oci_network_internet_gateway: + compartment_id: "{{ my_compartment_id }}" + vcn_id: "{{ my_vcn_id }}" + is_enabled: true + display_name: "Linuxvirt Internet Gateway" + state: 'present' + register: result + retries: 10 + delay: 30 + until: result is not failed + + - name: Set internet gateway id + ansible.builtin.set_fact: + my_internet_gateway_id: "{{ result.internet_gateway.id }}" + + - name: Create route_table + oracle.oci.oci_network_route_table: + compartment_id: "{{ my_compartment_id }}" + vcn_id: "{{ my_vcn_id }}" + display_name: "Linuxvirt Route Table" + route_rules: + - network_entity_id: "{{ my_internet_gateway_id }}" + cidr_block: "0.0.0.0/0" + destination_type: CIDR_BLOCK + state: 'present' + register: result + retries: 10 + delay: 30 + until: result is not failed + + - name: Set route table id + ansible.builtin.set_fact: + my_rt_id: "{{ result.route_table.id }}" + + - name: Create ingress rules yaml list + ansible.builtin.template: + src: ingress_security_rules.j2 + dest: /tmp/instance_ingress_security_rules.yaml + mode: "0664" + + - name: Create egress rules yaml list + ansible.builtin.template: + src: egress_security_rules.j2 + dest: /tmp/instance_egress_security_rules.yaml + mode: "0664" 
+ + - name: Load the variables defined in the ingress rules yaml list + ansible.builtin.include_vars: + file: /tmp/instance_ingress_security_rules.yaml + name: loaded_ingress + + - name: Print loaded_ingress + ansible.builtin.debug: + msg: "loaded ingress is {{ loaded_ingress }}" + when: debug_enabled + + - name: Load the variables defined in the egress rules yaml list + ansible.builtin.include_vars: + file: /tmp/instance_egress_security_rules.yaml + name: loaded_egress + + - name: Print loaded_egress + ansible.builtin.debug: + msg: "loaded egress is {{ loaded_egress }}" + when: debug_enabled + + - name: Create security_list + oracle.oci.oci_network_security_list: + display_name: "Linuxvirt Security List" + compartment_id: "{{ my_compartment_id }}" + vcn_id: "{{ my_vcn_id }}" + ingress_security_rules: "{{ loaded_ingress.instance_ingress_security_rules }}" + egress_security_rules: "{{ loaded_egress.instance_egress_security_rules }}" + register: result + retries: 10 + delay: 30 + until: result is not failed + + - name: Set security list id + ansible.builtin.set_fact: + my_security_list_id: "{{ result.security_list.id }}" + + - name: Create subnet + oracle.oci.oci_network_subnet: + compartment_id: "{{ my_compartment_id }}" + vcn_id: "{{ my_vcn_id }}" + cidr_block: "{{ subnet_cidr_block }}" + display_name: "Linuxvirt Subnet" + prohibit_public_ip_on_vnic: false + route_table_id: "{{ my_rt_id }}" + security_list_ids: "{{ my_security_list_id }}" + dns_label: "lv" + register: result + retries: 10 + delay: 30 + until: result is not failed + + - name: Set subnet id + ansible.builtin.set_fact: + my_subnet_id: "{{ result.subnet.id }}" + + - name: Set subnet domain_name + ansible.builtin.set_fact: + my_subnet_domain_name: "{{ result.subnet.subnet_domain_name }}" + + - name: Set oci vars file + ansible.builtin.template: + src: oci_vars.j2 + dest: oci_vars.yml + mode: "0664" + + - name: Get image + oracle.oci.oci_compute_image_facts: + compartment_id: "{{ my_compartment_id }}" + 
operating_system: "{{ os }}" + operating_system_version: "{{ os_version }}" + shape: "{{ instance_shape }}" + sort_by: TIMECREATED + sort_order: DESC + register: result + retries: 10 + delay: 30 + until: result is not failed + + - name: Print image list + ansible.builtin.debug: + var: result + when: debug_enabled + + - name: Set compute image id + ansible.builtin.set_fact: + ol_image_id: "{{ result.images[0].id }}" + + - name: Build an instance + ansible.builtin.include_tasks: "build.yml" + loop: "{{ lookup('dict', compute_instances, wantlist=True) }}" + +- name: Configure new instances + hosts: all + gather_facts: false + vars_files: + - default_vars.yml + - oci_vars.yml + vars: + username: "oracle" + user_default_password: "oracle" + private_key: "id_rsa" + debug_enabled: false + + tasks: + + - name: Wait for systems to become reachable + ansible.builtin.wait_for_connection: + vars: + python_version: "/usr/bin/python3" + ansible_python_interpreter: "{{ python_version if localhost_python_interpreter is defined | default(omit) }}" + + - name: Get a set of all available facts + ansible.builtin.setup: + + - name: Print in-memory inventory + ansible.builtin.debug: + msg: "{{ groups['all'] }}" + delegate_to: localhost + when: + - debug_enabled + - inventory_hostname == ansible_play_hosts_all[0] + + - name: Print all variables/facts known for a host + ansible.builtin.debug: + msg: "{{ hostvars[item] }}" + loop: "{{ groups['all'] | flatten(levels=1) }}" + delegate_to: localhost + when: + - debug_enabled + - inventory_hostname == ansible_play_hosts_all[0] + + - name: Configure instance + ansible.builtin.include_tasks: "host_setup.yml" + when: inventory_hostname in groups['control'] + + - name: Configure passwordless SSH + ansible.builtin.include_tasks: "olam_passwordless_setup.yml" + when: passwordless_ssh + +- name: Update all rpm packages + ansible.builtin.import_playbook: update_all_rpms.yml + when: update_all + +- name: Print instances + hosts: all + become: true + 
gather_facts: true + vars_files: + - oci_vars.yml + + tasks: + + - name: Print instance details + ansible.builtin.debug: + msg: + - "Instance details:" + - " name: {{ hostvars[inventory_hostname]['ansible_hostname'] }}" + - " public ip: {{ hostvars[inventory_hostname]['ansible_host'] }}" + - " private ip: {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}" + + - name: Pause play to interact with the servers + ansible.builtin.pause: + prompt: | + Playbook paused... hit to continue or then to abort. + Aborting at this stage requires manual removal of all cloud resources this playbook creates. + +- name: Terminate instances and delete OCI resources + hosts: localhost + vars_files: + - default_vars.yml + vars: + ansible_python_interpreter: "{{ localhost_python_interpreter | default(omit) }}" + + tasks: + + - name: Terminate the instances + oracle.oci.oci_compute_instance: + id: "{{ hostvars[item]['instance_ocid'] }}" + state: absent + loop: "{{ groups['all'] | flatten(levels=1) }}" + + - name: Delete the subnet + oracle.oci.oci_network_subnet: + id: "{{ my_subnet_id }}" + state: absent + + - name: Delete the security list + oracle.oci.oci_network_security_list: + id: "{{ my_security_list_id }}" + state: absent + + - name: Delete the route table + oracle.oci.oci_network_route_table: + id: "{{ my_rt_id }}" + state: absent + + - name: Delete the Internet Gateway + oracle.oci.oci_network_internet_gateway: + id: "{{ my_internet_gateway_id }}" + state: absent + + - name: Delete the VCN + oracle.oci.oci_network_vcn: + vcn_id: "{{ my_vcn_id }}" + state: absent + + - name: Remove artifacts + ansible.builtin.file: + state: absent + path: "{{ item }}" + loop: + - oci_vars.yml diff --git a/olam/create_instance.yaml b/olam/create_instance_1.yml similarity index 100% rename from olam/create_instance.yaml rename to olam/create_instance_1.yml diff --git a/olam/default_vars.yml b/olam/default_vars.yml new file mode 100644 index 0000000..b2fe46e --- /dev/null 
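Review bot: The compartment lookup reads the environment key `OCI_COMPARMENT_OCID`, while the task name (and presumably the documented variable) is `OCI_COMPARTMENT_OCID`, so the env fallback silently never matches; change it to `lookup('ansible.builtin.env', 'OCI_COMPARTMENT_OCID')`. The following fail task checks `my_compartment_id is not defined`, but set_fact always defines it, possibly as an empty string, so the guard cannot fire; `when: not my_compartment_id` (or `| length == 0`) catches the empty case. Note also that `vars_files` takes precedence over play `vars` in Ansible, so the two-node `compute_instances` mapping and the other keys duplicated in this play are shadowed by default_vars.yml, which defines a single control node — then no host ever lands in the `remote` group. Finally, the generated ingress/egress rule files are written to fixed, world-readable paths under /tmp and then loaded with include_vars; on a shared controller another local user could pre-create those paths, so writing them under `{{ playbook_dir }}` or via ansible.builtin.tempfile would be safer.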
+++ b/olam/default_vars.yml @@ -0,0 +1,22 @@ +compute_instances: + 1: + instance_name: "olam" + type: "control" + boot_volume_size_in_gbs: 50 +os: "Oracle Linux" +os_version: "8" +instance_shape: "VM.Standard.E4.Flex" +instance_ocpus: 2 +instance_memory: 32 +subnet_cidr_block: "10.0.0.48/28" + +username: "oracle" +usergroup: "{{ username }}" +user_default_password: "oracle" +debug_enabled: false +add_block_storage: false +block_volume_size_in_gbs: 50 +block_count: 1 + +update_all: false +passwordless_ssh: true \ No newline at end of file diff --git a/olam/deploy-olam-tasks.yaml b/olam/deploy-olam-tasks.yml similarity index 100% rename from olam/deploy-olam-tasks.yaml rename to olam/deploy-olam-tasks.yml diff --git a/olam/get_facts.yaml b/olam/get_facts.yml similarity index 54% rename from olam/get_facts.yaml rename to olam/get_facts.yml index 3ea5a94..bf3a8af 100644 --- a/olam/get_facts.yaml +++ b/olam/get_facts.yml @@ -10,16 +10,16 @@ tasks: - - name: Get minimum set of available facts - ansible.builtin.setup: - gather_subset: - - 'min' - register: min_facts + - name: Get minimum set of available facts + ansible.builtin.setup: + gather_subset: + - 'min' + register: min_facts - - name: Print minimum set of facts - ansible.builtin.debug: - msg: "{{ min_facts }}" + - name: Print minimum set of facts + ansible.builtin.debug: + msg: "{{ min_facts }}" - - name: Print system date - ansible.builtin.debug: - var: ansible_date_time.date + - name: Print system date + ansible.builtin.debug: + var: ansible_date_time.date diff --git a/olam/host_setup.yml b/olam/host_setup.yml new file mode 100644 index 0000000..cababf1 --- /dev/null +++ b/olam/host_setup.yml 
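Review bot: default_vars.yml commits a well-known default credential, `user_default_password: "oracle"`, that host_setup.yml applies to a passwordless-sudo account on every instance; a default like this belongs in an Ansible Vault-encrypted file or a `vars_prompt`, with the plain-text default removed so a forgotten override cannot ship. The file also lacks the `---` document start and a trailing newline, and `usergroup` is not referenced anywhere in this commit, so it can presumably be dropped.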
@@ -0,0 +1,120 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Run facts module to get latest information + ansible.builtin.setup: + +- name: Grow the root filesystem + ansible.builtin.shell: | + /usr/libexec/oci-growfs -y + become: true + register: result + changed_when: result.rc == 0 + +- name: Add user account with access to sudo + ansible.builtin.user: + name: "{{ username }}" + password: "{{ user_default_password | password_hash('sha512') }}" + comment: Ansible created user + groups: wheel + append: true + update_password: on_create + become: true + +- name: Set authorized key for user using local public key file + ansible.posix.authorized_key: + user: "{{ username }}" + state: present + key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/' + private_key + '.pub') }}" + become: true + +- name: Set user with passwordless sudo access + vars: + sudo_content: "{{ username }} ALL=(ALL:ALL) NOPASSWD: ALL" + ansible.builtin.lineinfile: + path: "/etc/sudoers.d/{{ username }}" + regexp: "{{ username }} ALL=" + line: "{{ sudo_content }}" + state: present + create: true + mode: "0644" + become: true + +- name: Create the ansible tmp directory if it does not exist + ansible.builtin.file: + path: ~/.ansible/tmp + state: directory + mode: '0700' + become: true + become_user: "{{ username }}" + +- name: Add locale settings to .bashrc + ansible.builtin.lineinfile: + dest: ~/.bashrc + line: "{{ item }}" + with_items: + - 'export LC_ALL="en_US.UTF-8"' + - 'export LC_CTYPE="en_US.UTF-8"' + become: true + become_user: "{{ username }}" + +# - name: Generate ssh keypair for user +# community.crypto.openssh_keypair: +# path: ~/.ssh/id_rsa +# size: 2048 +# comment: ocne ssh keypair +# become: true +# 
become_user: "{{ username }}" + +# - name: Fetch public key file from server +# ansible.builtin.fetch: +# src: "~/.ssh/id_rsa.pub" +# dest: "buffer/{{ inventory_hostname }}-id_rsa.pub" +# flat: true +# become: true +# become_user: "{{ username }}" + +# - name: Copy public key to each destination +# ansible.posix.authorized_key: +# user: "{{ username }}" +# state: present +# key: "{{ lookup('file', 'buffer/{{ item }}-id_rsa.pub') }}" +# loop: "{{ groups['all'] | flatten(levels=1) }}" +# become: true + +# - name: Print hostvars for groups +# ansible.builtin.debug: +# msg: "{{ hostvars[item] }}" +# loop: "{{ groups['all'] | flatten(levels=1) }}" +# when: debug_enabled + +# - name: Print vnc subnet_domain_name +# ansible.builtin.debug: +# var: my_subnet_domain_name +# when: debug_enabled + +# - name: Accept new ssh fingerprints +# ansible.builtin.shell: | +# ssh-keyscan -t ecdsa-sha2-nistp256 \ +# {{ hostvars[item].ansible_hostname }},\ +# {{ hostvars[item].ansible_default_ipv4.address }},\ +# {{ hostvars[item].ansible_hostname + '.' + my_subnet_domain_name }} >> ~/.ssh/known_hosts +# with_items: +# - "{{ groups['all'] }}" +# become: true +# become_user: "{{ username }}" +# register: result +# changed_when: result.rc == 0 + +- name: Configure firewall to log denied packets + ansible.builtin.command: + cmd: firewall-cmd --set-log-denied=all + when: debug_enabled + register: firewall_result + changed_when: firewall_result.rc == 0 + become: true + +# Check denied packets with "journalctl -x -e" or with "dmesg | grep -i REJECT" diff --git a/olam/olam_passwordless_setup.yml b/olam/olam_passwordless_setup.yml new file mode 100644 index 0000000..d44f842 --- /dev/null +++ b/olam/olam_passwordless_setup.yml 
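Review bot: The sudoers.d lineinfile task writes `/etc/sudoers.d/{{ username }}` without a syntax check, so a malformed line (for example from an unexpected `username` value) breaks sudo for every user on the host; add `validate: /usr/sbin/visudo -cf %s` to the task and use `mode: "0440"`, the mode sudo's own tooling expects for these files. `regexp: "{{ username }} ALL="` is also unanchored, so a username that is a prefix of another (e.g. `ora` vs `oracle`) would match the wrong line; `regexp: "^{{ username }} ALL="` is safer. The "Grow the root filesystem" task uses `changed_when: result.rc == 0`, which reports changed on every run; if oci-growfs prints a recognisable "nothing to do" message, keying `changed_when` on its stdout would make the task idempotent.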
@@ -0,0 +1,52 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Generate ssh keypair for ol-control-node + community.crypto.openssh_keypair: + path: ~/.ssh/id_rsa + size: 2048 + comment: olam ssh keypair + become: true + become_user: "{{ username }}" + when: inventory_hostname in groups['control'] + +- name: Fetch public key file from ol-control-node + ansible.builtin.fetch: + src: "~/.ssh/id_rsa.pub" + dest: "buffer/{{ inventory_hostname }}-id_rsa.pub" + flat: true + become: true + become_user: "{{ username }}" + when: inventory_hostname in groups['control'] + +- name: Copy public key to ol-host + ansible.posix.authorized_key: + user: opc + state: present + key: "{{ lookup('file', 'buffer/{{ item }}-id_rsa.pub') }}" + loop: "{{ groups['control'] | flatten(levels=1) }}" + become: true + when: inventory_hostname in groups['remote'] + +- name: Print hostvars for groups + ansible.builtin.debug: + msg: "{{ hostvars[item] }}" + loop: "{{ groups['all'] | flatten(levels=1) }}" + when: debug_enabled + +- name: Accept new ssh fingerprints + ansible.builtin.shell: | + ssh-keyscan -t ecdsa-sha2-nistp256 \ + {{ hostvars[item].ansible_hostname }},\ + {{ hostvars[item].ansible_default_ipv4.address }},\ + {{ hostvars[item].ansible_hostname + '.' + my_subnet_domain_name }} >> ~/.ssh/known_hosts + with_items: + - "{{ groups['remote'] }}" + become: true + become_user: "{{ username }}" + register: result + changed_when: result.rc == 0 + when: inventory_hostname in groups['control'] diff --git a/olam/requirements.yaml b/olam/requirements.yml similarity index 88% rename from olam/requirements.yaml rename to olam/requirements.yml index c6c0774..fa329b2 100644 --- a/olam/requirements.yaml +++ b/olam/requirements.yml 
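Review bot: The "Accept new ssh fingerprints" task appends to `~/.ssh/known_hosts` with `>>` on every run and its `changed_when: result.rc == 0` is effectively always true, so the file grows with duplicate entries and the task is never idempotent; `ansible.builtin.known_hosts` with `name`/`key` (feeding it the keyscan output) or a `creates`-style guard would fix both. Keep in mind that keyscan is trust-on-first-use — it records whatever answers at that moment — so the scan should run only once per host, right after creation, which this structure mostly achieves. The `when: inventory_hostname in groups['remote']` conditionals assume the `remote` group exists; if no compute_instances entry has `type: remote` I would expect `groups['remote']` to be undefined and the conditional to error rather than skip, so `groups['remote'] | default([])` is more robust.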
@@ -24,5 +24,9 @@ collections: version: main - name: https://github.com/ansible-collections/community.crypto.git + type: git + version: main + + - name: https://github.com/ansible-collections/community.libvirt.git type: git version: main \ No newline at end of file diff --git a/olam/templates/egress_security_rules.j2 b/olam/templates/egress_security_rules.j2 new file mode 100644 index 0000000..f89f2e6 --- /dev/null +++ b/olam/templates/egress_security_rules.j2 @@ -0,0 +1,9 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +instance_egress_security_rules: + - destination: "0.0.0.0/0" + protocol: 6 \ No newline at end of file diff --git a/olam/templates/ingress_security_rules.j2 b/olam/templates/ingress_security_rules.j2 new file mode 100644 index 0000000..db769f6 --- /dev/null +++ b/olam/templates/ingress_security_rules.j2 @@ -0,0 +1,14 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +instance_ingress_security_rules: + # Allow incoming SSH connections + - source: "0.0.0.0/0" + protocol: 6 + tcp_options: + destination_port_range: + max: 22 + min: 22 \ No newline at end of file diff --git a/olam/templates/oci_vars.j2 b/olam/templates/oci_vars.j2 new file mode 100644 index 0000000..0a4dd0a --- /dev/null +++ b/olam/templates/oci_vars.j2 
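Review bot: The new community.libvirt entry, like the existing git-sourced collections in this file, uses `version: main`, a mutable branch ref, so every `ansible-galaxy install` pulls whatever the upstream branch currently contains and the build is neither reproducible nor protected against an upstream compromise; pin each git source to a release tag or full commit SHA. The file also still ends without a trailing newline.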
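Review bot: ingress_security_rules.j2 opens TCP/22 to `source: "0.0.0.0/0"` for every instance, which exposes the freshly created hosts (and their default-password account from host_setup.yml) to the whole Internet for the lifetime of the security list. Since the file is already a template, the source should be a variable with a restrictive default — e.g. `source: "{{ ssh_source_cidr }}"` (constructed name) set in default_vars.yml to the operator's address range — rather than a hard-coded world CIDR. The template also lacks a trailing newline.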
@@ -0,0 +1,10 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +my_compartment_id: {{ my_compartment_id }} +my_vcn_id: {{ my_vcn_id }} +my_subnet_id: {{ my_subnet_id }} +my_subnet_domain_name: {{ my_subnet_domain_name }} \ No newline at end of file diff --git a/olam/update_all_rpms.yml b/olam/update_all_rpms.yml new file mode 100644 index 0000000..d83e466 --- /dev/null +++ b/olam/update_all_rpms.yml @@ -0,0 +1,37 @@ +--- +# Copyright (c) 2024 Oracle and/or its affiliates. +# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0. +# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl) +# See LICENSE.TXT for details. + +- name: Install latest Oracle Linux packages + hosts: server + vars_files: + - default_vars.yml + become: true + + tasks: + + - name: Update all Oracle Linux packages + ansible.builtin.dnf: + name: "*" + state: latest + update_only: true + when: ansible_distribution == 'OracleLinux' + + - name: Check if a reboot is required + ansible.builtin.command: /usr/bin/needs-restarting -r + register: reboot_required + ignore_errors: true + changed_when: false + failed_when: reboot_required.rc == 2 + when: ansible_distribution == 'OracleLinux' + + - name: Print reboot is required + ansible.builtin.debug: + var: reboot_required + when: debug_enabled + + - name: Reboot (if needed) to apply latest kernel and updates + ansible.builtin.reboot: + when: ansible_distribution == 'OracleLinux' and reboot_required.rc == 1
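Review bot: oci_vars.j2 emits the four templated values unquoted (`my_compartment_id: {{ my_compartment_id }}` and the rest), so an empty expansion yields `null` and any value that happens to look like a number or boolean is retyped when oci_vars.yml is loaded; quoting them, `my_compartment_id: "{{ my_compartment_id }}"`, keeps every value a string. The rendered file also ends without a newline.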
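Review bot: update_all_rpms.yml targets `hosts: server`, but the in-memory inventory built by build.yml only creates groups from `item.value.type` (`control`/`remote` in the shipped defaults), so unless an external inventory defines `server` this play matches no hosts and the `update_all: true` path silently does nothing; `hosts: all` (or `control:remote`) matches the groups this commit actually creates. `ignore_errors: true` on the needs-restarting task is redundant once `failed_when: reboot_required.rc == 2` defines failure explicitly, and it would also mask a missing `needs-restarting` binary; drop it so that case is visible.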