From fb64081777f2df4535578501827dc030ea40599e Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Thu, 20 Feb 2025 14:47:22 -0600 Subject: [PATCH 01/15] chore: refactor image publishing to new AWS ORG --- .github/test-infra/rke2-cluster/main.tf | 47 +++++++++----------- .github/test-infra/rke2-cluster/variables.tf | 12 ----- .github/workflows/publish-aws.yaml | 6 ++- packer/aws/aws.pkr.hcl | 2 + packer/aws/variables.pkr.hcl | 12 +++++ tasks/aws.yaml | 10 ++++- tasks/test.yaml | 20 ++------- 7 files changed, 51 insertions(+), 58 deletions(-) diff --git a/.github/test-infra/rke2-cluster/main.tf b/.github/test-infra/rke2-cluster/main.tf index 566db37..dc6b9ad 100644 --- a/.github/test-infra/rke2-cluster/main.tf +++ b/.github/test-infra/rke2-cluster/main.tf @@ -7,21 +7,14 @@ terraform { } } +# Just using the default VPC for testing data "aws_vpc" "vpc" { - filter { - name = "tag:Name" - values = [var.vpc_name] - } + default = true } data "aws_subnet" "test_subnet" { vpc_id = data.aws_vpc.vpc.id availability_zone = "${var.region}a" - - filter { - name = "tag:Name" - values = [var.subnet_name] - } } resource "random_password" "rke2_join_token" { 
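Review bot: Changing `data "aws_vpc" "vpc"` to `default = true` makes the test cluster depend on the account having a default VPC, which accounts in a freshly built organization are often hardened by deleting; if it is absent the lookup fails at plan time with no hint in this module about what is expected. With the tag filters gone, `data "aws_subnet" "test_subnet"` now takes whichever subnet exists in `${var.region}a`, and the nodes keep `associate_public_ip_address = true`, so the only network boundary left is `aws_security_group.test_node_sg`, which is defined outside this hunk. I would make that assumption explicit in the new comment: `# Uses the account's default VPC (must exist) for throwaway test clusters; node exposure is governed solely by aws_security_group.test_node_sg`.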
@@ -41,14 +34,14 @@ resource "aws_key_pair" "example_key_pair" { } resource "aws_instance" "test_bootstrap_node" { - ami = var.ami_id - instance_type = var.control_plane_instance_type - key_name = aws_key_pair.example_key_pair.key_name - user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = "", AGENT_NODE = false, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname }) - subnet_id = data.aws_subnet.test_subnet.id + ami = var.ami_id + instance_type = var.control_plane_instance_type + key_name = aws_key_pair.example_key_pair.key_name + user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = "", AGENT_NODE = false, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname }) + subnet_id = data.aws_subnet.test_subnet.id user_data_replace_on_change = true - vpc_security_group_ids = [aws_security_group.test_node_sg.id] + vpc_security_group_ids = [aws_security_group.test_node_sg.id] associate_public_ip_address = true root_block_device { 
@@ -63,14 +56,14 @@ resource "aws_instance" "test_bootstrap_node" { resource "aws_instance" "test_control_plane_node" { count = var.control_plane_node_count - ami = var.ami_id - instance_type = var.control_plane_instance_type - key_name = aws_key_pair.example_key_pair.key_name - user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = aws_instance.test_bootstrap_node.private_ip, AGENT_NODE = false, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname }) - subnet_id = data.aws_subnet.test_subnet.id + ami = var.ami_id + instance_type = var.control_plane_instance_type + key_name = aws_key_pair.example_key_pair.key_name + user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = aws_instance.test_bootstrap_node.private_ip, AGENT_NODE = false, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname }) + subnet_id = data.aws_subnet.test_subnet.id user_data_replace_on_change = true - vpc_security_group_ids = [aws_security_group.test_node_sg.id] + vpc_security_group_ids = [aws_security_group.test_node_sg.id] associate_public_ip_address = true root_block_device { 
@@ -85,14 +78,14 @@ resource "aws_instance" "test_control_plane_node" { resource "aws_instance" "test_agent_node" { count = var.agent_node_count - ami = var.ami_id - instance_type = var.agent_instance_type - key_name = aws_key_pair.example_key_pair.key_name - user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = aws_instance.test_bootstrap_node.private_ip, AGENT_NODE = true, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname }) - subnet_id = data.aws_subnet.test_subnet.id + ami = var.ami_id + instance_type = var.agent_instance_type + key_name = aws_key_pair.example_key_pair.key_name + user_data = templatefile("${path.module}/scripts/user_data.sh", { BOOTSTRAP_IP = aws_instance.test_bootstrap_node.private_ip, AGENT_NODE = true, RKE2_JOIN_TOKEN = random_password.rke2_join_token.result, CLUSTER_SANS = var.cluster_hostname }) + subnet_id = data.aws_subnet.test_subnet.id user_data_replace_on_change = true - vpc_security_group_ids = [aws_security_group.test_node_sg.id] + vpc_security_group_ids = [aws_security_group.test_node_sg.id] associate_public_ip_address = true root_block_device { diff --git a/.github/test-infra/rke2-cluster/variables.tf b/.github/test-infra/rke2-cluster/variables.tf index c912017..2210a9e 100644 --- a/.github/test-infra/rke2-cluster/variables.tf +++ b/.github/test-infra/rke2-cluster/variables.tf @@ -1,15 +1,3 @@ -variable "vpc_name" { - type = string - description = "VPC ID to deploy into" - default = "uds-ci-commercial-*" -} - -variable "subnet_name" { - type = string - description = "Name of subnet to use for testing. Can use a wildcard as long as it only matches one subnet per az." - default = "uds-ci-commercial-*-public*" -} - variable "region" { type = string description = "Region to use for deployment" diff --git a/.github/workflows/publish-aws.yaml b/.github/workflows/publish-aws.yaml index 559a630..dd40433 100644 --- a/.github/workflows/publish-aws.yaml 
+++ b/.github/workflows/publish-aws.yaml @@ -35,9 +35,13 @@ jobs: if [ "${{ matrix.aws_env }}" == "commercial" ]; then echo "AWS_REGION=us-west-2" >> $GITHUB_ENV echo "AWS_ORG_ROLE_TO_ASSUME=${{ secrets.AWS_COMMERCIAL_ORG_ROLE_TO_ASSUME }}" >> $GITHUB_ENV + echo "AWS_OLD_CI_ACCOUNT_ID"=${{ secrets.AWS_OLD_COMMERCIAL_CI_ACCOUNT_ID }}" >> $GITHUB_ENV + echo "AWS_ORG_ARN"=${{ secrets.AWS_COMMERCIAL_ORG_ARN }}" >> $GITHUB_ENV elif [ "${{ matrix.aws_env }}" == "govcloud" ]; then echo "AWS_REGION=us-gov-west-1" >> $GITHUB_ENV echo "AWS_ORG_ROLE_TO_ASSUME=${{ secrets.AWS_GOVCLOUD_ORG_ROLE_TO_ASSUME }}" >> $GITHUB_ENV + echo "AWS_OLD_CI_ACCOUNT_ID"=${{ secrets.AWS_OLD_GOVCLOUD_CI_ACCOUNT_ID }}" >> $GITHUB_ENV + echo "AWS_ORG_ARN"=${{ secrets.AWS_GOVCLOUD_ORG_ARN }}" >> $GITHUB_ENV fi - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 @@ -56,7 +60,7 @@ jobs: tofu_wrapper: false tofu_version: 1.6.2 - name: Publish ${{ matrix.base }} ${{ matrix.rke2_version }} AMI - run: uds run --no-progress publish-ami-${{ matrix.base }} --set AWS_REGION=${{ env.AWS_REGION }} --set RKE2_VERSION=${{ matrix.rke2_version }} + run: uds run --no-progress publish-ami-${{ matrix.base }} --set AWS_REGION=${{ env.AWS_REGION }} --set RKE2_VERSION=${{ matrix.rke2_version }} --set AMI_USERS='[\"${{ env.AWS_OLD_CI_ACCOUNT_ID }}\"]' --set AWS_ORG_ARNS='[\"${{ env.AWS_ORG_ARN }}\"]' - name: Test ${{ matrix.base }} ${{ matrix.rke2_version }} AMI shell: bash -e -o pipefail {0} env: diff --git a/packer/aws/aws.pkr.hcl b/packer/aws/aws.pkr.hcl index 368051f..7ae9793 100644 --- a/packer/aws/aws.pkr.hcl +++ b/packer/aws/aws.pkr.hcl @@ -32,6 +32,8 @@ source "amazon-ebs" "base" { source_ami = data.amazon-ami.base-ami.id ami_groups = var.ami_groups skip_create_ami = var.skip_create_ami + ami_users = var.ami_users + ami_org_arns = var.ami_org_arns } build { 
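Review bot: The four added `echo` lines put the closing quote after the variable name, e.g. `echo "AWS_OLD_CI_ACCOUNT_ID"=${{ secrets.AWS_OLD_COMMERCIAL_CI_ACCOUNT_ID }}" >> $GITHUB_ENV`, which leaves a dangling double quote that runs on to the next line; bash will either reject the step as an unterminated string or write mangled text into `$GITHUB_ENV`, so `AWS_OLD_CI_ACCOUNT_ID` and `AWS_ORG_ARN` would be empty when the publish step builds `AMI_USERS` and `AWS_ORG_ARNS`. They should follow the existing `AWS_ORG_ROLE_TO_ASSUME` line: `echo "AWS_OLD_CI_ACCOUNT_ID=${{ secrets.AWS_OLD_COMMERCIAL_CI_ACCOUNT_ID }}" >> $GITHUB_ENV`, and likewise for the govcloud branch. Since these values become launch permissions on the published AMI, an empty or malformed list is worth failing loudly on rather than passing through.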
diff --git a/packer/aws/variables.pkr.hcl b/packer/aws/variables.pkr.hcl index 92f3e64..1f7a8e5 100644 --- a/packer/aws/variables.pkr.hcl +++ b/packer/aws/variables.pkr.hcl @@ -60,3 +60,15 @@ variable "region" { description = "Region that AMI should be built in" default = "us-west-2" } + +variable "ami_users" { + type = list(string) + description = "A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI has permissions to launch it." + default = [] +} + +variable "ami_org_arns" { + type = list(string) + description = "A list of Amazon Resource Names (ARN) of AWS Organizations that have access to launch the resulting AMI(s). By default no organizations have permission to launch the AMI." + default = [] +} diff --git a/tasks/aws.yaml b/tasks/aws.yaml index 0079ab3..5537680 100644 --- a/tasks/aws.yaml +++ b/tasks/aws.yaml @@ -14,6 +14,12 @@ variables: - name: PUBLISH_GROUPS default: "[]" description: "List of groups to allow access to the AMI. Only supports '[]' or '[\"all\"]'" + - name: AWS_ORG_ARNS + default: "[]" + description: "A list of Amazon Resource Names (ARN) of AWS Organizations that have access to launch the resulting AMI(s). By default no organizations have permission to launch the AMI." + - name: AMI_USERS + default: "[]" + description: "A list of account IDs that have access to launch the resulting AMI(s). By default no additional users other than the user creating the AMI has permissions to launch it." - name: RKE2_VERSION default: "v1.29.10+rke2r1" description: "RKE2 version to build the AMI with" 
@@ -25,7 +31,7 @@ tasks: - cmd: | cd ${AWS_DIR} packer init . - packer build -var "ubuntu_pro_token=${UBUNTU_PRO_TOKEN}" --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" -var "rke2_version=${RKE2_VERSION}" . + packer build -var "ubuntu_pro_token=${UBUNTU_PRO_TOKEN}" --var-file=ubuntu.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" -var "aws_org_arns=${AWS_ORG_ARNS} -var "ami_users=${AMI_USERS} -var "rke2_version=${RKE2_VERSION}" . - name: publish-ami-rhel description: "Build and Publish the RHEL AMI for AWS" @@ -33,7 +39,7 @@ tasks: - cmd: | cd ${AWS_DIR} packer init . - packer build --var-file=rhel.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" -var "rke2_version=${RKE2_VERSION}" . + packer build --var-file=rhel.pkrvars.hcl -var "region=${AWS_REGION}" -var "ami_regions=${PUBLISH_REGIONS}" -var "ami_groups=${PUBLISH_GROUPS}" -var "aws_org_arns=${AWS_ORG_ARNS} -var "ami_users=${AMI_USERS} -var "rke2_version=${RKE2_VERSION}" . - name: build-ami-ubuntu description: "Build the Ubuntu AMI for AWS" diff --git a/tasks/test.yaml b/tasks/test.yaml index 1429e48..642f04b 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -42,13 +42,9 @@ tasks: - cmd: | # Set variables based on whether we are in govcloud or commercial if [ "$AWS_REGION" = "us-gov-west-1" ]; then - state_bucket="uds-ci-govcloud-us-gov-west-1-tfstate" - vpc_name="uds-ci-govcloud-*" - subnet_name="uds-ci-govcloud-*-public*" + state_bucket="uds-tf-state-20250206161918002400000003" else - state_bucket="uds-aws-ci-commercial-us-west-2-5246-tfstate" - vpc_name="uds-ci-commercial-*" - subnet_name="uds-ci-commercial-*-public*" + state_bucket="uds-tf-state-20250206161747757600000003" fi root_dir=$(pwd) TEST_AMI_ID=$(jq -r '.builds[-1].artifact_id' ${AWS_DIR}/manifest.json | cut -d ":" -f2) 
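Review bot: The two new `packer build` lines drop the closing quote after `${AWS_ORG_ARNS}` and `${AMI_USERS}`, so bash folds `aws_org_arns=… -var ami_users=…` into a single `-var` argument and `ami_users` is never passed at all; the same lines also use the name `aws_org_arns`, while the Packer variable added in `packer/aws/variables.pkr.hcl` is `ami_org_arns`. Both the ubuntu hunk and the rhel hunk below it need the same correction: `-var "ami_org_arns=${AWS_ORG_ARNS}" -var "ami_users=${AMI_USERS}"`. Because these values decide which accounts and organizations may launch the published AMI, a `packer validate` step in CI would catch this class of error before an image is shared.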
@@ -58,7 +54,7 @@ tasks: -backend-config="bucket=${state_bucket}" \ -backend-config="key=tfstate/ci/install/${SHA}-packer-${DISTRO}-${RKE2_VERSION}-rke2-startup-script.tfstate" \ -backend-config="region=${AWS_REGION}" - tofu apply -var="region=${AWS_REGION}" -var="vpc_name=${vpc_name}" -var="subnet_name=${subnet_name}" -var="ami_id=${TEST_AMI_ID}" -var="rke2_version=${RKE2_VERSION}" -var-file="${DISTRO}.tfvars" -auto-approve + tofu apply -var="region=${AWS_REGION}" -var="ami_id=${TEST_AMI_ID}" -var="rke2_version=${RKE2_VERSION}" -var-file="${DISTRO}.tfvars" -auto-approve source ${root_dir}/${E2E_TEST_DIR}/scripts/get-kubeconfig.sh shell: darwin: "bash" @@ -82,18 +78,10 @@ tasks: description: "Destroy test infrastructure" actions: - cmd: | - # Set variables based on whether we are in govcloud or commercial - if [ "$AWS_REGION" = "us-gov-west-1" ]; then - vpc_name="uds-ci-govcloud-*" - subnet_name="uds-ci-govcloud-*-public*" - else - vpc_name="uds-ci-commercial-*" - subnet_name="uds-ci-commercial-*-public*" - fi TEST_AMI_ID=$(jq -r '.builds[-1].artifact_id' ${AWS_DIR}/manifest.json | cut -d ":" -f2) echo "TEST AMI: ${TEST_AMI_ID}" cd ${E2E_TEST_DIR}/rke2-cluster - tofu destroy -var="region=${AWS_REGION}" -var="vpc_name=${vpc_name}" -var="subnet_name=${subnet_name}" -var="ami_id=${TEST_AMI_ID}" -var="rke2_version=${RKE2_VERSION}" -var-file="${DISTRO}.tfvars" -auto-approve + tofu destroy -var="region=${AWS_REGION}" -var="ami_id=${TEST_AMI_ID}" -var="rke2_version=${RKE2_VERSION}" -var-file="${DISTRO}.tfvars" -auto-approve - name: cleanup-ami description: "Cleans up snapshots and AMIs previously published" From 66cd1b248e8784ba6c547438182e96adc4a5e6ab Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Thu, 20 Feb 2025 15:17:33 -0600 Subject: [PATCH 02/15] chore: update rhel ansible stig download --- packer/scripts/os-stig.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/packer/scripts/os-stig.sh b/packer/scripts/os-stig.sh
index c4589df..ab5cf33 100644
--- a/packer/scripts/os-stig.sh
+++ b/packer/scripts/os-stig.sh
@@ -10,9 +10,9 @@ mkdir -p /tmp/ansible && chmod 700 /tmp/ansible && cd /tmp/ansible
 if [[ $DISTRO == "rhel" ]]; then
 # Determine which stigs to apply based on RHEL version
 if [[ ${VERSION} -eq 9 ]] ; then
- curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V1R2_STIG_Ansible.zip
+ curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V2R2_STIG_Ansible.zip
 elif [[ ${VERSION} -eq 8 ]]; then
- curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG_Ansible.zip
+ curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R3_STIG_Ansible.zip
 else
 echo "Unrecognized RHEL version, exiting"
 exit 1
From c1165f33ad1fb1699d8c78ee83d6bd564a221869 Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Thu, 20 Feb 2025 15:24:01 -0600
Subject: [PATCH 03/15] fix: correct os version stigs
---
 packer/scripts/os-stig.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packer/scripts/os-stig.sh b/packer/scripts/os-stig.sh
index ab5cf33..8b5fc73 100644
--- a/packer/scripts/os-stig.sh
+++ b/packer/scripts/os-stig.sh
@@ -10,9 +10,9 @@ mkdir -p /tmp/ansible && chmod 700 /tmp/ansible && cd /tmp/ansible
 if [[ $DISTRO == "rhel" ]]; then
 # Determine which stigs to apply based on RHEL version
 if [[ ${VERSION} -eq 9 ]] ; then
- curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V2R2_STIG_Ansible.zip
- elif [[ ${VERSION} -eq 8 ]]; then
 curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R3_STIG_Ansible.zip
+ elif [[ ${VERSION} -eq 8 ]]; then
+ curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V2R2_STIG_Ansible.zip
 else
 echo "Unrecognized RHEL version, exiting"
 exit 1
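Review bot: Both `curl -L -o ansible.zip …` downloads in the corrected hunk run without `--fail` and without any integrity check, so an HTTP error page or a tampered archive would be saved as `ansible.zip` and, presumably, extracted and applied as root later in the script (outside this hunk). Pinning the published checksum next to the URL and verifying it before extraction closes that gap: `curl -fsSL -o ansible.zip <URL>` followed by `echo "<EXPECTED_SHA256_PLACEHOLDER>  ansible.zip" | sha256sum -c -`. That also turns a silent content change on the mirror into a visible build failure, which is what you want for STIG automation that runs with full privileges.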
From 0e6bca4487d789a9fdc24994280b0c741e2bde9d Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Thu, 20 Feb 2025 16:22:46 -0600 Subject: [PATCH 04/15] chore: update install-deps to get latest ansible --- packer/scripts/install-deps.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh index de34665..44867a6 100644 --- a/packer/scripts/install-deps.sh +++ b/packer/scripts/install-deps.sh @@ -10,7 +10,10 @@ if [[ $DISTRO == "rhel" ]]; then VERSION=$( cat /etc/os-release | grep -Poi '^version="[0-9]+\.[0-9]+' | cut -d\" -f2 | cut -d. -f1 ) yum update -y && yum upgrade -y - yum install ansible unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils -y + yum install unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils python3 python3-pip -y + # Note: rhel yum install ansible provides outdated versions, using pip for most recent + python3 -m pip install --upgrade pip + python3 -m pip install --upgrade ansible # Install rke2 selinux policy if [[ ${VERSION} -eq 9 ]] ; then curl -LO "https://github.com/rancher/rke2-selinux/releases/download/v0.18.stable.1/rke2-selinux-0.18-1.el9.noarch.rpm" From d8dee7466020c7b0d847e8ce69153228b49c3ccd Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Thu, 20 Feb 2025 16:42:22 -0600 Subject: [PATCH 05/15] try: better pip --- packer/scripts/cleanup-deps.sh | 6 +++++- packer/scripts/install-deps.sh | 6 +++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh index 22627ab..fc715bb 100644 --- a/packer/scripts/cleanup-deps.sh +++ b/packer/scripts/cleanup-deps.sh 
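Review bot: `python3 -m pip install --upgrade ansible` pulls the newest ansible from PyPI at build time with no version pin or hash check, so image content changes from build to build and a compromised or yanked release would land in the AMI unnoticed; the same unpinned install recurs in the later attempts (L11, L14–L20). `python3 -m pip install --upgrade pip` also targets the RHEL system interpreter as root, and replacing its pip may leave the distribution's package tooling in an unsupported state. Suggest at least `python3 -m pip install "ansible==<PINNED_VERSION_PLACEHOLDER>"`, ideally from a constraints file with `--require-hashes`, installed into a dedicated virtualenv rather than the system site-packages.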
@@ -6,9 +6,13 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel # Cleanup dependencies and utils that shouldn't be in final image if [[ $DISTRO == "rhel" ]]; then - yum remove unzip ansible -y + yum remove unzip -y + pip3 uninstall -y ansible + yum remove -y python3-pip python-3 + # Install nfs-utils here since the STIG profile seems to uninstall it yum install nfs-utils -y + elif [[ $DISTRO == "ubuntu" ]]; then apt-get remove ansible unzip jq -y apt-get autoremove -y diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh index 44867a6..79a284f 100644 --- a/packer/scripts/install-deps.sh +++ b/packer/scripts/install-deps.sh @@ -11,9 +11,9 @@ if [[ $DISTRO == "rhel" ]]; then yum update -y && yum upgrade -y yum install unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils python3 python3-pip -y - # Note: rhel yum install ansible provides outdated versions, using pip for most recent - python3 -m pip install --upgrade pip - python3 -m pip install --upgrade ansible + # Note: 'rhel yum install' ansible provides outdated versions not compatible with new STIGS, using pip for most recent + pip3 install --upgrade pip + pip3 install --upgrade ansible # Install rke2 selinux policy if [[ ${VERSION} -eq 9 ]] ; then curl -LO "https://github.com/rancher/rke2-selinux/releases/download/v0.18.stable.1/rke2-selinux-0.18-1.el9.noarch.rpm" From ffa2283a68aec2f1944ea43a2594e207ff95b1a5 Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Thu, 20 Feb 2025 16:59:28 -0600 Subject: [PATCH 06/15] try: epel repos instead of pip --- packer/scripts/cleanup-deps.sh | 6 +----- packer/scripts/install-deps.sh | 6 ++---- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh index fc715bb..22627ab 100644 --- a/packer/scripts/cleanup-deps.sh +++ b/packer/scripts/cleanup-deps.sh 
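Review bot: `yum remove -y python3-pip python-3` names a package `python-3` that looks like a typo for `python3`; yum will report no match for it, the interpreter stays in the image, and the build still succeeds, so the cleanup silently does less than intended. If `python3` was meant, be aware that on RHEL 9 dnf itself is built on `python3`, so removing it is likely to be refused as a protected package or to break the `yum install nfs-utils -y` that follows. The intent of stripping build-time tooling is probably better served by removing only what the install step added: `pip3 uninstall -y ansible` and `yum remove -y python3-pip`.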
@@ -6,13 +6,9 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel # Cleanup dependencies and utils that shouldn't be in final image if [[ $DISTRO == "rhel" ]]; then - yum remove unzip -y - pip3 uninstall -y ansible - yum remove -y python3-pip python-3 - + yum remove unzip ansible -y # Install nfs-utils here since the STIG profile seems to uninstall it yum install nfs-utils -y - elif [[ $DISTRO == "ubuntu" ]]; then apt-get remove ansible unzip jq -y apt-get autoremove -y diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh index 79a284f..9fd4f7d 100644 --- a/packer/scripts/install-deps.sh +++ b/packer/scripts/install-deps.sh @@ -10,10 +10,8 @@ if [[ $DISTRO == "rhel" ]]; then VERSION=$( cat /etc/os-release | grep -Poi '^version="[0-9]+\.[0-9]+' | cut -d\" -f2 | cut -d. -f1 ) yum update -y && yum upgrade -y - yum install unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils python3 python3-pip -y - # Note: 'rhel yum install' ansible provides outdated versions not compatible with new STIGS, using pip for most recent - pip3 install --upgrade pip - pip3 install --upgrade ansible + yum install -y epel-release + yum install unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils ansible -y # Install rke2 selinux policy if [[ ${VERSION} -eq 9 ]] ; then curl -LO "https://github.com/rancher/rke2-selinux/releases/download/v0.18.stable.1/rke2-selinux-0.18-1.el9.noarch.rpm" From f6557360865e943ae7ea40c754745af34515e4c8 Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Fri, 21 Feb 2025 08:52:27 -0600 Subject: [PATCH 07/15] try: pipx --- packer/scripts/cleanup-deps.sh | 4 +++- packer/scripts/install-deps.sh | 10 ++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh index 22627ab..b965b84 100644 --- a/packer/scripts/cleanup-deps.sh +++ b/packer/scripts/cleanup-deps.sh 
@@ -6,7 +6,9 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel # Cleanup dependencies and utils that shouldn't be in final image if [[ $DISTRO == "rhel" ]]; then - yum remove unzip ansible -y + yum remove unzip -y + pipx uninstall ansible + yum remove pipx -y # Install nfs-utils here since the STIG profile seems to uninstall it yum install nfs-utils -y elif [[ $DISTRO == "ubuntu" ]]; then diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh index 9fd4f7d..2af7948 100644 --- a/packer/scripts/install-deps.sh +++ b/packer/scripts/install-deps.sh @@ -10,8 +10,14 @@ if [[ $DISTRO == "rhel" ]]; then VERSION=$( cat /etc/os-release | grep -Poi '^version="[0-9]+\.[0-9]+' | cut -d\" -f2 | cut -d. -f1 ) yum update -y && yum upgrade -y - yum install -y epel-release - yum install unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils ansible -y + yum install unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils -y + + # Install Ansible + # Note: Latest versions of ansible are not available in RHEL 8 or 9 repos, need to use pip + yum install pipx -y + pipx ensurepath + pipx install ansible + # Install rke2 selinux policy if [[ ${VERSION} -eq 9 ]] ; then curl -LO "https://github.com/rancher/rke2-selinux/releases/download/v0.18.stable.1/rke2-selinux-0.18-1.el9.noarch.rpm" From 2137a4c689d4665f8559d8413ab0bf852c954fb7 Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Fri, 21 Feb 2025 10:34:06 -0600 Subject: [PATCH 08/15] try: pipx again --- packer/scripts/cleanup-deps.sh | 6 ++++-- packer/scripts/install-deps.sh | 9 ++++++--- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh index b965b84..4d81dd5 100644 --- a/packer/scripts/cleanup-deps.sh +++ b/packer/scripts/cleanup-deps.sh 
@@ -7,8 +7,10 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel # Cleanup dependencies and utils that shouldn't be in final image if [[ $DISTRO == "rhel" ]]; then yum remove unzip -y - pipx uninstall ansible - yum remove pipx -y + python3 -m pipx uninstall ansible + pip3 uninstall pipx + yum remove python3 python3-pip -y + # Install nfs-utils here since the STIG profile seems to uninstall it yum install nfs-utils -y elif [[ $DISTRO == "ubuntu" ]]; then diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh index 2af7948..9cd9cea 100644 --- a/packer/scripts/install-deps.sh +++ b/packer/scripts/install-deps.sh @@ -14,9 +14,12 @@ if [[ $DISTRO == "rhel" ]]; then # Install Ansible # Note: Latest versions of ansible are not available in RHEL 8 or 9 repos, need to use pip - yum install pipx -y - pipx ensurepath - pipx install ansible + yum install python3 python3-pip -y + + # Use pipx to install ansible and have it ready in the path + pip3 install pipx --upgrade + python3 -m pipx install ansible + python3 -m pipx ensurepath # Install rke2 selinux policy if [[ ${VERSION} -eq 9 ]] ; then From 2297912f300dbf65f72245e2ad22d661dab2ae45 Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Fri, 21 Feb 2025 10:55:46 -0600 Subject: [PATCH 09/15] try: pip3 --- packer/scripts/cleanup-deps.sh | 3 +-- packer/scripts/install-deps.sh | 8 +++----- packer/scripts/os-stig.sh | 3 +++ 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh index 4d81dd5..7df6770 100644 --- a/packer/scripts/cleanup-deps.sh +++ b/packer/scripts/cleanup-deps.sh 
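Review bot: `pip3 uninstall pipx` has no `-y`, so in the non-interactive Packer provisioner pip waits for a confirmation it cannot receive and the step aborts; the same omission is in `pip3 uninstall ansible` (L15) and in every `python3.X -m pip uninstall ansible` line of the later attempts (L17–L20), while only the pipx line is corrected in L16. Use `pip3 uninstall -y pipx`. It is also worth confirming that `yum remove python3 python3-pip -y` does not take dnf's own interpreter with it on RHEL 9 before this runs as the image cleanup.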
@@ -7,8 +7,7 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel # Cleanup dependencies and utils that shouldn't be in final image if [[ $DISTRO == "rhel" ]]; then yum remove unzip -y - python3 -m pipx uninstall ansible - pip3 uninstall pipx + pip3 uninstall ansible yum remove python3 python3-pip -y # Install nfs-utils here since the STIG profile seems to uninstall it diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh index 9cd9cea..f27d143 100644 --- a/packer/scripts/install-deps.sh +++ b/packer/scripts/install-deps.sh @@ -15,11 +15,9 @@ if [[ $DISTRO == "rhel" ]]; then # Install Ansible # Note: Latest versions of ansible are not available in RHEL 8 or 9 repos, need to use pip yum install python3 python3-pip -y - - # Use pipx to install ansible and have it ready in the path - pip3 install pipx --upgrade - python3 -m pipx install ansible - python3 -m pipx ensurepath + pip3 install ansible + # Temporarily add /usr/local/bin to PATH to ensure ansible is available + export PATH=$PATH:/usr/local/bin # Install rke2 selinux policy if [[ ${VERSION} -eq 9 ]] ; then diff --git a/packer/scripts/os-stig.sh b/packer/scripts/os-stig.sh index 8b5fc73..83d25e9 100644 --- a/packer/scripts/os-stig.sh +++ b/packer/scripts/os-stig.sh @@ -8,6 +8,9 @@ VERSION=$( cat /etc/os-release | grep -Poi '^version="[0-9]+\.[0-9]+' | cut -d\" # Pull Ansible STIGs from https://public.cyber.mil/stigs/supplemental-automation-content/ mkdir -p /tmp/ansible && chmod 700 /tmp/ansible && cd /tmp/ansible if [[ $DISTRO == "rhel" ]]; then + # Temporarily add /usr/local/bin to PATH to ensure ansible is available as it is installed via pip + export PATH=$PATH:/usr/local/bin + # Determine which stigs to apply based on RHEL version if [[ ${VERSION} -eq 9 ]] ; then curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R3_STIG_Ansible.zip From 01fa082cee2eef2e993c4ef9ff0dbae707b3a3e4 Mon Sep 17 00:00:00 2001 
From: Joel McCoy Date: Fri, 21 Feb 2025 12:03:51 -0600 Subject: [PATCH 10/15] try: back to pipx --- packer/scripts/cleanup-deps.sh | 3 ++- packer/scripts/install-deps.sh | 6 ++++-- packer/scripts/os-stig.sh | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh index 7df6770..b17bfae 100644 --- a/packer/scripts/cleanup-deps.sh +++ b/packer/scripts/cleanup-deps.sh @@ -7,7 +7,8 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel # Cleanup dependencies and utils that shouldn't be in final image if [[ $DISTRO == "rhel" ]]; then yum remove unzip -y - pip3 uninstall ansible + python3 -m pipx uninstall ansible + pip3 uninstall pipx -y yum remove python3 python3-pip -y # Install nfs-utils here since the STIG profile seems to uninstall it diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh index f27d143..2986906 100644 --- a/packer/scripts/install-deps.sh +++ b/packer/scripts/install-deps.sh @@ -13,9 +13,11 @@ if [[ $DISTRO == "rhel" ]]; then yum install unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils -y # Install Ansible - # Note: Latest versions of ansible are not available in RHEL 8 or 9 repos, need to use pip + # Note: Latest versions of ansible are not available in RHEL 8 or 9 repos, need to use pipx yum install python3 python3-pip -y - pip3 install ansible + pip3 install pipx + python3 -m pipx ensurepath + python3 -m pipx install ansible # Temporarily add /usr/local/bin to PATH to ensure ansible is available export PATH=$PATH:/usr/local/bin diff --git a/packer/scripts/os-stig.sh b/packer/scripts/os-stig.sh index 83d25e9..1d6781a 100644 --- a/packer/scripts/os-stig.sh +++ b/packer/scripts/os-stig.sh 
@@ -8,7 +8,7 @@ VERSION=$( cat /etc/os-release | grep -Poi '^version="[0-9]+\.[0-9]+' | cut -d\" # Pull Ansible STIGs from https://public.cyber.mil/stigs/supplemental-automation-content/ mkdir -p /tmp/ansible && chmod 700 /tmp/ansible && cd /tmp/ansible if [[ $DISTRO == "rhel" ]]; then - # Temporarily add /usr/local/bin to PATH to ensure ansible is available as it is installed via pip + # Temporarily add /usr/local/bin to PATH to ensure ansible is available as it is installed via pipx export PATH=$PATH:/usr/local/bin # Determine which stigs to apply based on RHEL version From c51dc49250f47e7b4e0f5ec9ebec9efd98ee1b3f Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Fri, 21 Feb 2025 12:12:40 -0600 Subject: [PATCH 11/15] try: python3.12 --- packer/scripts/cleanup-deps.sh | 5 ++--- packer/scripts/install-deps.sh | 6 ++---- packer/scripts/os-stig.sh | 2 +- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh index b17bfae..8bae889 100644 --- a/packer/scripts/cleanup-deps.sh +++ b/packer/scripts/cleanup-deps.sh @@ -7,9 +7,8 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel # Cleanup dependencies and utils that shouldn't be in final image if [[ $DISTRO == "rhel" ]]; then yum remove unzip -y - python3 -m pipx uninstall ansible - pip3 uninstall pipx -y - yum remove python3 python3-pip -y + python3.12 -m pip uninstall ansible + yum remove python3.12 python3.12-pip -y # Install nfs-utils here since the STIG profile seems to uninstall it yum install nfs-utils -y diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh index 2986906..60ef6ce 100644 --- a/packer/scripts/install-deps.sh +++ b/packer/scripts/install-deps.sh 
@@ -14,10 +14,8 @@ if [[ $DISTRO == "rhel" ]]; then # Install Ansible # Note: Latest versions of ansible are not available in RHEL 8 or 9 repos, need to use pipx - yum install python3 python3-pip -y - pip3 install pipx - python3 -m pipx ensurepath - python3 -m pipx install ansible + yum install python3.12 python3.12-pip -y + python3.12 -m pip install --upgrade ansible # Temporarily add /usr/local/bin to PATH to ensure ansible is available export PATH=$PATH:/usr/local/bin diff --git a/packer/scripts/os-stig.sh b/packer/scripts/os-stig.sh index 1d6781a..83d25e9 100644 --- a/packer/scripts/os-stig.sh +++ b/packer/scripts/os-stig.sh @@ -8,7 +8,7 @@ VERSION=$( cat /etc/os-release | grep -Poi '^version="[0-9]+\.[0-9]+' | cut -d\" # Pull Ansible STIGs from https://public.cyber.mil/stigs/supplemental-automation-content/ mkdir -p /tmp/ansible && chmod 700 /tmp/ansible && cd /tmp/ansible if [[ $DISTRO == "rhel" ]]; then - # Temporarily add /usr/local/bin to PATH to ensure ansible is available as it is installed via pipx + # Temporarily add /usr/local/bin to PATH to ensure ansible is available as it is installed via pip export PATH=$PATH:/usr/local/bin # Determine which stigs to apply based on RHEL version From 2242fff316d1436a79e03214ca573767f8aa9fae Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Fri, 21 Feb 2025 12:35:56 -0600 Subject: [PATCH 12/15] try: python 3.11 --- packer/scripts/cleanup-deps.sh | 4 ++-- packer/scripts/install-deps.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh index 8bae889..b9f5f9a 100644 --- a/packer/scripts/cleanup-deps.sh +++ b/packer/scripts/cleanup-deps.sh 
@@ -7,8 +7,8 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel # Cleanup dependencies and utils that shouldn't be in final image if [[ $DISTRO == "rhel" ]]; then yum remove unzip -y - python3.12 -m pip uninstall ansible - yum remove python3.12 python3.12-pip -y + python3.11 -m pip uninstall ansible + yum remove python3.11 python3.11-pip -y # Install nfs-utils here since the STIG profile seems to uninstall it yum install nfs-utils -y diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh index 60ef6ce..47acd94 100644 --- a/packer/scripts/install-deps.sh +++ b/packer/scripts/install-deps.sh @@ -14,8 +14,8 @@ if [[ $DISTRO == "rhel" ]]; then # Install Ansible # Note: Latest versions of ansible are not available in RHEL 8 or 9 repos, need to use pipx - yum install python3.12 python3.12-pip -y - python3.12 -m pip install --upgrade ansible + yum install python3.11 python3.11-pip -y + python3.11 -m pip install --upgrade ansible # Temporarily add /usr/local/bin to PATH to ensure ansible is available export PATH=$PATH:/usr/local/bin From 6bc50d84f1e727db573ce646e3e5ed77f6f4fa87 Mon Sep 17 00:00:00 2001 From: Joel McCoy Date: Fri, 21 Feb 2025 13:19:35 -0600 Subject: [PATCH 13/15] try: python3.9 --- packer/scripts/cleanup-deps.sh | 4 ++-- packer/scripts/install-deps.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh index b9f5f9a..08e409b 100644 --- a/packer/scripts/cleanup-deps.sh +++ b/packer/scripts/cleanup-deps.sh 
@@ -7,8 +7,8 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel
 # Cleanup dependencies and utils that shouldn't be in final image
 if [[ $DISTRO == "rhel" ]]; then
 yum remove unzip -y
- python3.11 -m pip uninstall ansible
- yum remove python3.11 python3.11-pip -y
+ python3.9 -m pip uninstall ansible
+ yum remove python3.9 python3.9-pip -y
 
 # Install nfs-utils here since the STIG profile seems to uninstall it
 yum install nfs-utils -y
diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh
index 47acd94..0d8988b 100644
--- a/packer/scripts/install-deps.sh
+++ b/packer/scripts/install-deps.sh
@@ -14,8 +14,8 @@ if [[ $DISTRO == "rhel" ]]; then
 
 # Install Ansible
 # Note: Latest versions of ansible are not available in RHEL 8 or 9 repos, need to use pipx
- yum install python3.11 python3.11-pip -y
- python3.11 -m pip install --upgrade ansible
+ yum install python3.9 python3.9-pip -y
+ python3.9 -m pip install --upgrade ansible
 # Temporarily add /usr/local/bin to PATH to ensure ansible is available
 export PATH=$PATH:/usr/local/bin
 
From e838d6795a8d289490da97bddc7d7c6a4b30fd10 Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Fri, 21 Feb 2025 13:43:23 -0600
Subject: [PATCH 14/15] chore: revert to base config

---
 packer/scripts/cleanup-deps.sh | 5 +----
 packer/scripts/install-deps.sh | 10 +---------
 packer/scripts/os-stig.sh | 7 ++-----
 3 files changed, 4 insertions(+), 18 deletions(-)

diff --git a/packer/scripts/cleanup-deps.sh b/packer/scripts/cleanup-deps.sh
index 08e409b..22627ab 100644
--- a/packer/scripts/cleanup-deps.sh
+++ b/packer/scripts/cleanup-deps.sh
@@ -6,10 +6,7 @@ DISTRO=$( cat /etc/os-release | tr [:upper:] [:lower:] | grep -Poi '(ubuntu|rhel
 
 # Cleanup dependencies and utils that shouldn't be in final image
 if [[ $DISTRO == "rhel" ]]; then
- yum remove unzip -y
- python3.9 -m pip uninstall ansible
- yum remove python3.9 python3.9-pip -y
-
+ yum remove unzip ansible -y
 # Install nfs-utils here since the STIG profile seems to uninstall it
 yum install nfs-utils -y
 elif [[ $DISTRO == "ubuntu" ]]; then
diff --git a/packer/scripts/install-deps.sh b/packer/scripts/install-deps.sh
index 0d8988b..de34665 100644
--- a/packer/scripts/install-deps.sh
+++ b/packer/scripts/install-deps.sh
@@ -10,15 +10,7 @@ if [[ $DISTRO == "rhel" ]]; then
 VERSION=$( cat /etc/os-release | grep -Poi '^version="[0-9]+\.[0-9]+' | cut -d\" -f2 | cut -d. -f1 )
 yum update -y && yum upgrade -y
- yum install unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils -y
-
- # Install Ansible
- # Note: Latest versions of ansible are not available in RHEL 8 or 9 repos, need to use pipx
- yum install python3.9 python3.9-pip -y
- python3.9 -m pip install --upgrade ansible
- # Temporarily add /usr/local/bin to PATH to ensure ansible is available
- export PATH=$PATH:/usr/local/bin
-
+ yum install ansible unzip nfs-utils nfs4-acl-tools lvm2 iscsi-initiator-utils -y
 # Install rke2 selinux policy
 if [[ ${VERSION} -eq 9 ]] ; then
 curl -LO "https://github.com/rancher/rke2-selinux/releases/download/v0.18.stable.1/rke2-selinux-0.18-1.el9.noarch.rpm"
diff --git a/packer/scripts/os-stig.sh b/packer/scripts/os-stig.sh
index 83d25e9..c4589df 100644
--- a/packer/scripts/os-stig.sh
+++ b/packer/scripts/os-stig.sh
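Review bot: `yum remove unzip ansible -y` drops only the `ansible` package itself; whether the `ansible-core` runtime and the Python libraries it pulled in also leave the final image depends on dnf's `clean_requirements_on_remove` setting on the build host, so the hardened image may still ship an automation toolchain it does not need. Making the cleanup explicit, e.g. `yum remove unzip ansible -y && yum autoremove -y`, keeps it deterministic, and a `rpm -q ansible ansible-core` check afterwards would confirm the result in the build log. The `if [[ $DISTRO == "rhel" ]]` block continues outside the hunk into the ubuntu branch.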
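Review bot: `yum install ansible unzip nfs-utils ...` now depends on a repository that ships an `ansible` package, while the comment removed in this same hunk states that the RHEL 8/9 repos do not carry current versions; the hunk does not show which repo is expected to satisfy the install, so a one-line comment such as `# ansible is provided by <repo-name-placeholder>, enabled in <script-placeholder>` would save the next person from repeating the python3.x experiments in the preceding commits. If that repo is third-party, the image build now trusts its signing key for a build-time tool, which is worth stating next to the install line. The enclosing `if [[ $DISTRO == "rhel" ]]` block and the rke2-selinux download continue outside the hunk.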
@@ -8,14 +8,11 @@ VERSION=$( cat /etc/os-release | grep -Poi '^version="[0-9]+\.[0-9]+' | cut -d\"
 # Pull Ansible STIGs from https://public.cyber.mil/stigs/supplemental-automation-content/
 mkdir -p /tmp/ansible && chmod 700 /tmp/ansible && cd /tmp/ansible
 if [[ $DISTRO == "rhel" ]]; then
- # Temporarily add /usr/local/bin to PATH to ensure ansible is available as it is installed via pip
- export PATH=$PATH:/usr/local/bin
-
 # Determine which stigs to apply based on RHEL version
 if [[ ${VERSION} -eq 9 ]] ; then
- curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R3_STIG_Ansible.zip
+ curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V1R2_STIG_Ansible.zip
 elif [[ ${VERSION} -eq 8 ]]; then
- curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V2R2_STIG_Ansible.zip
+ curl -L -o ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG_Ansible.zip
 else
 echo "Unrecognized RHEL version, exiting"
 exit 1
From b5f1af348eb2e3d6a129b08497e043d4d6d2829b Mon Sep 17 00:00:00 2001
From: Joel McCoy
Date: Fri, 21 Feb 2025 15:12:45 -0600
Subject: [PATCH 15/15] chore: clarify comment

---
 .github/test-infra/rke2-cluster/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/test-infra/rke2-cluster/main.tf b/.github/test-infra/rke2-cluster/main.tf
index dc6b9ad..6e4a8ab 100644
--- a/.github/test-infra/rke2-cluster/main.tf
+++ b/.github/test-infra/rke2-cluster/main.tf
@@ -7,7 +7,7 @@ terraform {
 }
 }
 
-# Just using the default VPC for testing
+# Use the default VPC
 data "aws_vpc" "vpc" {
 default = true
 }
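Review bot: The two new `curl -L -o ansible.zip ...` lines move the STIG automation content back to older releases (RHEL 9 V2R3 to V1R2, RHEL 8 V2R2 to V1R13), so the image will be hardened against an earlier benchmark than the preceding commits used; if that is the intended "base config" the commit message should say so, because on its own it reads as a hardening regression. The archive is still fetched over the network at build time and unpacked with no integrity check, so a pinned digest, e.g. `echo "<expected-sha256-placeholder>  ansible.zip" | sha256sum -c - || exit 1` right after each download, would tie the build to the content that was actually reviewed. The `if`/`elif`/`else` chain closes outside the hunk.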