From c9df5dcce462af13685236bf7a1d4dd896b1406b Mon Sep 17 00:00:00 2001 
From: Christian Pointner Date: Fri, 10 Jul 2020 23:42:23 +0200 Subject: major refactoring of installer roles --- chaos-at-home/ch-atlas.yml | 5 ++- chaos-at-home/ch-gnocchi.yml | 4 +- common/usb-install.yml | 3 +- dan/sk-2019vm.yml | 2 +- dan/sk-tomnext.yml | 2 +- inventory/group_vars/kvmhosts/main.yml | 2 +- roles/installer/debian/base/defaults/main.yml | 12 ------ roles/installer/debian/base/filter_plugins/main.py | 27 ------------- roles/installer/debian/base/tasks/main.yml | 43 ++++++-------------- .../installer/debian/base/tasks/verify-debian.yml | 46 ---------------------- .../installer/debian/base/tasks/verify-ubuntu.yml | 35 ---------------- roles/installer/debian/base/vars/main.yml | 13 ------ roles/installer/debian/fetch/defaults/main.yml | 12 ++++++ .../installer/debian/fetch/filter_plugins/main.py | 27 +++++++++++++ roles/installer/debian/fetch/tasks/main.yml | 35 ++++++++++++++++ .../installer/debian/fetch/tasks/verify-debian.yml | 46 ++++++++++++++++++++++ .../installer/debian/fetch/tasks/verify-ubuntu.yml | 35 ++++++++++++++++ roles/installer/debian/fetch/vars/main.yml | 13 ++++++ roles/installer/debian/preseed/tasks/main.yml | 2 +- roles/installer/debian/usb/tasks/main.yml | 2 +- roles/installer/openbsd/autoinstall/tasks/main.yml | 2 +- roles/installer/openbsd/base/defaults/main.yml | 6 --- roles/installer/openbsd/base/tasks/main.yml | 34 ---------------- roles/installer/openbsd/base/vars/main.yml | 7 ---- roles/installer/openbsd/fetch/defaults/main.yml | 6 +++ roles/installer/openbsd/fetch/tasks/main.yml | 34 ++++++++++++++++ roles/installer/openbsd/fetch/vars/main.yml | 7 ++++ roles/vm/define/templates/libvirt-domain.xml.j2 | 2 +- roles/vm/host/tasks/main.yml | 4 +- roles/vm/install/tasks/installer-debian.yml | 20 ++++++++++ roles/vm/install/tasks/installer-openbsd.yml | 16 ++++++++ roles/vm/install/tasks/main.yml | 18 +-------- 32 files changed, 283 insertions(+), 239 deletions(-) delete mode 100644 roles/installer/debian/base/defaults/main.yml 
delete mode 100644 roles/installer/debian/base/filter_plugins/main.py delete mode 100644 roles/installer/debian/base/tasks/verify-debian.yml delete mode 100644 roles/installer/debian/base/tasks/verify-ubuntu.yml delete mode 100644 roles/installer/debian/base/vars/main.yml create mode 100644 roles/installer/debian/fetch/defaults/main.yml create mode 100644 roles/installer/debian/fetch/filter_plugins/main.py create mode 100644 roles/installer/debian/fetch/tasks/main.yml create mode 100644 roles/installer/debian/fetch/tasks/verify-debian.yml create mode 100644 roles/installer/debian/fetch/tasks/verify-ubuntu.yml create mode 100644 roles/installer/debian/fetch/vars/main.yml delete mode 100644 roles/installer/openbsd/base/defaults/main.yml delete mode 100644 roles/installer/openbsd/base/vars/main.yml create mode 100644 roles/installer/openbsd/fetch/defaults/main.yml create mode 100644 roles/installer/openbsd/fetch/tasks/main.yml create mode 100644 roles/installer/openbsd/fetch/vars/main.yml create mode 100644 roles/vm/install/tasks/installer-debian.yml create mode 100644 roles/vm/install/tasks/installer-openbsd.yml diff --git a/chaos-at-home/ch-atlas.yml b/chaos-at-home/ch-atlas.yml index fe76af09..34fa1141 100644 --- a/chaos-at-home/ch-atlas.yml +++ b/chaos-at-home/ch-atlas.yml @@ -5,4 +5,7 @@ - role: core/sshd - role: core/zsh - role: vm/host -# - role: installer/debian/base + ## gpg on this host is too old to open the keyrings. + ## to work around this problem the files have been manually converted + ## applying the role would break this again!! + # - role: installer/debian/base diff --git a/chaos-at-home/ch-gnocchi.yml b/chaos-at-home/ch-gnocchi.yml index 27a01839..fd519bfd 100644 --- a/chaos-at-home/ch-gnocchi.yml +++ b/chaos-at-home/ch-gnocchi.yml 
@@ -8,8 +8,8 @@ - role: core/zsh - role: core/cpu-microcode - role: vm/host -# - role: installer/debian/base -# - role: installer/openbsd/base + - role: installer/debian/base + - role: installer/openbsd/base post_tasks: # you need to reboot for changes to take effect - name: install network interface config diff --git a/common/usb-install.yml b/common/usb-install.yml index 27633c15..1776f75b 100644 --- a/common/usb-install.yml +++ b/common/usb-install.yml @@ -11,7 +11,8 @@ roles: - role: installer/debian/usb - installer_path: "{{ global_cache_dir }}/debian-installer" + installer_base_path: "{{ global_cache_dir }}/debian-installer" + installer_keyrings_path: "{{ global_files_dir }}/common/keyrings" post_tasks: - name: Make the USB disk bootable diff --git a/dan/sk-2019vm.yml b/dan/sk-2019vm.yml index a50c1ca1..8859a3c2 100644 --- a/dan/sk-2019vm.yml +++ b/dan/sk-2019vm.yml @@ -13,7 +13,7 @@ - role: apt-repo/spreadspace - role: zfs/sanoid - role: vm/host -# - role: installer/debian/base + - role: installer/debian/base tasks: - name: install post-boot script copy: diff --git a/dan/sk-tomnext.yml b/dan/sk-tomnext.yml index 23c181e7..b6c3b95a 100644 --- a/dan/sk-tomnext.yml +++ b/dan/sk-tomnext.yml @@ -13,7 +13,7 @@ - role: apt-repo/spreadspace - role: zfs/sanoid - role: vm/host -# - role: installer/debian/base + - role: installer/debian/base tasks: - name: install post-boot script copy: diff --git a/inventory/group_vars/kvmhosts/main.yml b/inventory/group_vars/kvmhosts/main.yml index 917b41eb..36a5be1d 100644 --- a/inventory/group_vars/kvmhosts/main.yml +++ b/inventory/group_vars/kvmhosts/main.yml @@ -1,2 +1,2 @@ --- -installer_path: /srv/installer +installer_base_path: /srv/installer diff --git a/roles/installer/debian/base/defaults/main.yml b/roles/installer/debian/base/defaults/main.yml deleted file mode 100644 index eebc59bf..00000000 --- a/roles/installer/debian/base/defaults/main.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -# debian_installer_distro: debian -# debian_installer_codename: buster -debian_installer_arch: amd64 -# debian_installer_variant: netboot - -debian_installer_force_download: no -debian_installer_url: -# debian: "https://debian.ffgraz.net/debian" -# ubuntu: "https://debian.ffgraz.net/ubuntu" - debian: "http://deb.debian.org/debian" - ubuntu: "http://archive.ubuntu.com/ubuntu" diff --git a/roles/installer/debian/base/filter_plugins/main.py b/roles/installer/debian/base/filter_plugins/main.py deleted file mode 100644 index 298e7efd..00000000 --- a/roles/installer/debian/base/filter_plugins/main.py +++ /dev/null @@ -1,27 +0,0 @@ -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - -from ansible import errors - - -def di_images_path(data): - try: - if data[0] != 'ubuntu': - return 'images' - - if data[1] in ['xenial', 'bionic']: - return 'images' - - return 'legacy-images' - except Exception as e: - raise errors.AnsibleFilterError("mountpoint_exists(): %s" % str(e)) - - -class FilterModule(object): - - filter_map = { - 'di_images_path': di_images_path, - } - - def filters(self): - return self.filter_map diff --git a/roles/installer/debian/base/tasks/main.yml b/roles/installer/debian/base/tasks/main.yml index 65110c91..119b3670 100644 --- a/roles/installer/debian/base/tasks/main.yml +++ b/roles/installer/debian/base/tasks/main.yml 
@@ -1,35 +1,18 @@ --- -- name: prepare directories for installer files +- name: prepare directory keyrings file: - name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" + name: "{{ installer_base_path }}/keyrings" state: directory -- name: download and verify installer files - block: - - name: fetch and verify installer checksums - include_tasks: "verify-{{ install_distro }}.yml" +- name: copy debian keyring files + loop: "{{ lookup('fileglob', global_files_dir+'/common/keyrings/debian-*.gpg', wantlist=True) }}" + loop_control: + label: "{{ item | basename }}" + copy: + src: "{{ item }}" + dest: "{{ installer_base_path }}/keyrings/{{ item | basename }}" - - name: download installer kernel image - get_url: - url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}" - checksum: "{{ debian_installer_kernel_checksum }}" - force: "{{ debian_installer_force_download }}" - mode: 0644 - - - name: download installer initrd.gz - get_url: - url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz" - checksum: "{{ debian_installer_initrd_checksum }}" - force: "{{ debian_installer_force_download }}" - mode: 0644 - - rescue: - - name: remove all downloaded files - file: - name: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" - state: absent - - - fail: - msg: "download/verification of installer files failed" +- name: copy ubuntu keyring file + 
copy: + src: "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg" + dest: "{{ installer_base_path }}/keyrings/ubuntu-archive.gpg" diff --git a/roles/installer/debian/base/tasks/verify-debian.yml b/roles/installer/debian/base/tasks/verify-debian.yml deleted file mode 100644 index 5a890b1d..00000000 --- a/roles/installer/debian/base/tasks/verify-debian.yml +++ /dev/null 
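Review bot: Both keyring `copy` tasks (and the directory task above them) set no `mode`, so the files that gpg later uses as trust anchors in installer/debian/fetch's verify-*.yml get whatever the remote umask yields, while every download in the fetch role pins `mode: 0644`; add `mode: "0644"` to both copy tasks and `mode: "0755"` to the `file` task so the keyrings are readable but not writable by other users on the host. The fetch role falls back to `installer_base_path+'/keyrings'` whenever `installer_keyrings_path` is unset, i.e. to exactly the directory this role populates, so this role has to be applied on a VM host before vm/install is used there; a comment at the top of this file stating that ordering dependency would save the next reader a failed gpg run. The `copy ubuntu keyring file` task is the last one in the file, so nothing below the hunk is affected.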
@@ -1,46 +0,0 @@ ---- -- name: download Release and Signature file - loop: - - Release - - Release.gpg - get_url: - url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" - -- name: verfiy signature of Release file - command: >- - gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null - --keyring "{{ global_files_dir }}/common/keyrings/debian-{{ install_codename }}.gpg" - --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg" - "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" - changed_when: False - register: debian_installer_gpg_result - -- debug: - var: debian_installer_gpg_result.stderr_lines - -- name: extract checksum file hash from Release file - command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" - changed_when: false - register: debian_installer_inrelease_sha256 - -- name: download SHA256SUMS - get_url: - url: "{{ debian_installer_base_url }}/SHA256SUMS" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}" - -- name: extract kernel image hash from SHA256SUMS - command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ 
debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: false - register: debian_installer_sha256sums_kernel - -- name: extract inital ramdisk hash from SHA256SUMS - command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: false - register: debian_installer_sha256sums_initrd - -- name: set checksum variables - set_fact: - debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" - debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/base/tasks/verify-ubuntu.yml b/roles/installer/debian/base/tasks/verify-ubuntu.yml deleted file mode 100644 index f2b75492..00000000 --- a/roles/installer/debian/base/tasks/verify-ubuntu.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -- name: download SHA256SUMS and signature file - loop: - - SHA256SUMS - - SHA256SUMS.gpg - get_url: - url: "{{ debian_installer_base_url }}/{{ item }}" - dest: "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" - -- name: verfiy signature of SHA256SUMS.gpg file - command: >- - gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null - --keyring "{{ global_files_dir }}/common/keyrings/ubuntu-archive.gpg" - --verify "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg" - "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: False - register: debian_installer_gpg_result - -- debug: - var: debian_installer_gpg_result.stderr_lines - -- name: extract kernel image hash from SHA256SUMS - command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: false - register: debian_installer_sha256sums_kernel - -- name: extract inital ramdisk hash from SHA256SUMS - command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" - changed_when: false - register: debian_installer_sha256sums_initrd - -- name: set checksum variables - set_fact: - debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" - debian_installer_initrd_checksum: "sha256:{{ 
debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/base/vars/main.yml b/roles/installer/debian/base/vars/main.yml deleted file mode 100644 index 404b571a..00000000 --- a/roles/installer/debian/base/vars/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -debian_installer_base_url: "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}" - -_debian_installer_variant_path_: - netboot: "netboot/{{ debian_installer_distro }}-installer/{{ debian_installer_arch }}" - hd-media: "hd-media" - -_debian_installer_variant_kernel_image_name_: - netboot: "linux" - hd-media: "vmlinuz" - -debian_installer_variant_path: "{{ _debian_installer_variant_path_[debian_installer_variant] }}" -debian_installer_variant_kernal_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}" diff --git a/roles/installer/debian/fetch/defaults/main.yml b/roles/installer/debian/fetch/defaults/main.yml new file mode 100644 index 00000000..eebc59bf --- /dev/null +++ b/roles/installer/debian/fetch/defaults/main.yml @@ -0,0 +1,12 @@ +--- +# debian_installer_distro: debian +# debian_installer_codename: buster +debian_installer_arch: amd64 +# debian_installer_variant: netboot + +debian_installer_force_download: no +debian_installer_url: +# debian: "https://debian.ffgraz.net/debian" +# ubuntu: "https://debian.ffgraz.net/ubuntu" + debian: "http://deb.debian.org/debian" + ubuntu: "http://archive.ubuntu.com/ubuntu" diff --git a/roles/installer/debian/fetch/filter_plugins/main.py b/roles/installer/debian/fetch/filter_plugins/main.py new file mode 100644 index 00000000..298e7efd --- /dev/null +++ b/roles/installer/debian/fetch/filter_plugins/main.py 
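Review bot: `debian_installer_force_download: no` is a YAML 1.1 truthy that the Ansible linter flags; write `debian_installer_force_download: false`. The mirror URLs under `debian_installer_url` are plain http, which is acceptable here only because tasks/verify-debian.yml and tasks/verify-ubuntu.yml verify the signature on Release or SHA256SUMS before any checksum taken from them is trusted — that reasoning is not visible from this file, so put it above the key, e.g. `# plain http is fine: Release/SHA256SUMS signatures are verified in tasks/verify-*.yml before anything downloaded is trusted`. The commented-out ffgraz mirrors read as a local-mirror override hint; a one-line comment saying so would make the intent explicit.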
@@ -0,0 +1,27 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +from ansible import errors + + +def di_images_path(data): + try: + if data[0] != 'ubuntu': + return 'images' + + if data[1] in ['xenial', 'bionic']: + return 'images' + + return 'legacy-images' + except Exception as e: + raise errors.AnsibleFilterError("mountpoint_exists(): %s" % str(e)) + + +class FilterModule(object): + + filter_map = { + 'di_images_path': di_images_path, + } + + def filters(self): + return self.filter_map diff --git a/roles/installer/debian/fetch/tasks/main.yml b/roles/installer/debian/fetch/tasks/main.yml new file mode 100644 index 00000000..dc87655f --- /dev/null +++ b/roles/installer/debian/fetch/tasks/main.yml 
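Review bot: The error raised in `di_images_path` names a different function — `"mountpoint_exists(): %s"` — so a failing filter call reports a filter that does not exist in this plugin; this is carried over from the deleted file and should become `raise errors.AnsibleFilterError("di_images_path(): %s" % str(e))`. The function also has no docstring although its input shape is non-obvious: it is called as `[debian_installer_distro, debian_installer_codename] | di_images_path` in vars/main.yml, so a docstring stating that `data` is a two-element `[distro, codename]` list and that the result is the `images`/`legacy-images` path component under `installer-<arch>/current/` would document the contract. The bare `except Exception` also hides an `IndexError` from a too-short list behind that message; narrowing it to `(IndexError, TypeError)` keeps the same failure mode with a more honest signal.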
@@ -0,0 +1,35 @@ +--- +- name: prepare directories for installer files + file: + name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" + state: directory + +- name: download and verify installer files + block: + - name: fetch and verify installer checksums + include_tasks: "verify-{{ install_distro }}.yml" + + - name: download installer kernel image + get_url: + url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ debian_installer_variant_kernal_image_name }}" + checksum: "{{ debian_installer_kernel_checksum }}" + force: "{{ debian_installer_force_download }}" + mode: 0644 + + - name: download installer initrd.gz + get_url: + url: "{{ debian_installer_base_url }}/{{ debian_installer_variant_path }}/initrd.gz" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/initrd.gz" + checksum: "{{ debian_installer_initrd_checksum }}" + force: "{{ debian_installer_force_download }}" + mode: 0644 + + rescue: + - name: remove all downloaded files + file: + name: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}" + state: absent + + - fail: + msg: "download/verification of installer files failed" diff --git a/roles/installer/debian/fetch/tasks/verify-debian.yml b/roles/installer/debian/fetch/tasks/verify-debian.yml new file mode 100644 index 00000000..6846451d --- /dev/null +++ b/roles/installer/debian/fetch/tasks/verify-debian.yml 
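Review bot: `include_tasks: "verify-{{ install_distro }}.yml"` selects the verification file from the play-level `install_distro` instead of the role's own `debian_installer_distro` input, and verify-debian.yml does the same with `install_codename` for the keyring file name, so the role only works when the caller happens to define those play variables as well (installer/debian/usb and vm/install/tasks/installer-debian.yml both derive `debian_installer_*` from them, which is presumably why this has not surfaced). Using `include_tasks: "verify-{{ debian_installer_distro }}.yml"` here and `debian-{{ debian_installer_codename }}.gpg` in verify-debian.yml makes the declared `debian_installer_*` variables the role's only interface. `mode: 0644` is an unquoted octal that PyYAML reads as the integer 420; it happens to equal 0o644, but the linter's risky-octal rule flags it, so write `mode: "0644"` (same in the openbsd fetch role).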
@@ -0,0 +1,46 @@ +--- +- name: download Release and Signature file + loop: + - Release + - Release.gpg + get_url: + url: "{{ debian_installer_base_url | dirname | dirname | dirname | dirname }}/{{ item }}" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" + +- name: verfiy signature of Release file + command: >- + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/debian-{{ install_codename }}.gpg" + --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release.gpg" + "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" + changed_when: False + register: debian_installer_gpg_result + +- debug: + var: debian_installer_gpg_result.stderr_lines + +- name: extract checksum file hash from Release file + command: grep -E "^ [0-9a-z]{64} .* main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}/SHA256SUMS$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/Release" + changed_when: false + register: debian_installer_inrelease_sha256 + +- name: download SHA256SUMS + get_url: + url: "{{ debian_installer_base_url }}/SHA256SUMS" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + checksum: "sha256:{{ (debian_installer_inrelease_sha256.stdout | trim).split(' ') | first }}" + +- name: extract kernel image hash from SHA256SUMS + command: grep -E 
"^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_kernel + +- name: extract inital ramdisk hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_initrd + +- name: set checksum variables + set_fact: + debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first }}" + debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/fetch/tasks/verify-ubuntu.yml b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml new file mode 100644 index 00000000..e7cff3ae --- /dev/null +++ b/roles/installer/debian/fetch/tasks/verify-ubuntu.yml 
@@ -0,0 +1,35 @@ +--- +- name: download SHA256SUMS and signature file + loop: + - SHA256SUMS + - SHA256SUMS.gpg + get_url: + url: "{{ debian_installer_base_url }}/{{ item }}" + dest: "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/{{ item }}" + +- name: verfiy signature of SHA256SUMS.gpg file + command: >- + gpg --no-options --trust-model always --no-default-keyring --secret-keyring /dev/null + --keyring "{{ installer_keyrings_path | default(installer_base_path+'/keyrings') }}/ubuntu-archive.gpg" + --verify "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS.gpg" + "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: False + register: debian_installer_gpg_result + +- debug: + var: debian_installer_gpg_result.stderr_lines + +- name: extract kernel image hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/{{ debian_installer_variant_kernal_image_name }}$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_kernel + +- name: extract inital ramdisk hash from SHA256SUMS + command: grep -E "^[0-9a-z]{64}\s+(./)?{{ debian_installer_variant_path }}/initrd.gz$" "{{ installer_base_path }}/{{ debian_installer_distro }}-{{ debian_installer_codename }}/{{ debian_installer_arch }}-{{ debian_installer_variant }}/SHA256SUMS" + changed_when: false + register: debian_installer_sha256sums_initrd + +- name: set checksum variables + set_fact: + debian_installer_kernel_checksum: "sha256:{{ debian_installer_sha256sums_kernel.stdout.split(' ') | first 
}}" + debian_installer_initrd_checksum: "sha256:{{ debian_installer_sha256sums_initrd.stdout.split(' ') | first }}" diff --git a/roles/installer/debian/fetch/vars/main.yml b/roles/installer/debian/fetch/vars/main.yml new file mode 100644 index 00000000..404b571a --- /dev/null +++ b/roles/installer/debian/fetch/vars/main.yml @@ -0,0 +1,13 @@ +--- +debian_installer_base_url: "{{ debian_installer_url[debian_installer_distro] }}/dists/{{ debian_installer_codename }}/main/installer-{{ debian_installer_arch }}/current/{{ [debian_installer_distro, debian_installer_codename] | di_images_path }}" + +_debian_installer_variant_path_: + netboot: "netboot/{{ debian_installer_distro }}-installer/{{ debian_installer_arch }}" + hd-media: "hd-media" + +_debian_installer_variant_kernel_image_name_: + netboot: "linux" + hd-media: "vmlinuz" + +debian_installer_variant_path: "{{ _debian_installer_variant_path_[debian_installer_variant] }}" +debian_installer_variant_kernal_image_name: "{{ _debian_installer_variant_kernel_image_name_[debian_installer_variant] }}" diff --git a/roles/installer/debian/preseed/tasks/main.yml b/roles/installer/debian/preseed/tasks/main.yml index 3dd106e3..f0dc56cd 100644 --- a/roles/installer/debian/preseed/tasks/main.yml +++ b/roles/installer/debian/preseed/tasks/main.yml @@ -2,7 +2,7 @@ - name: Copy initramfs into position copy: remote_src: yes - src: "{{ installer_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-{{ debian_installer_variant }}/initrd.gz" + src: "{{ installer_base_path | mandatory }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-{{ debian_installer_variant }}/initrd.gz" dest: "{{ preseed_tmpdir }}/initrd.preseed.gz" - name: Generate preseed file diff --git a/roles/installer/debian/usb/tasks/main.yml b/roles/installer/debian/usb/tasks/main.yml index 4ff03611..478e0d33 100644 
--- a/roles/installer/debian/usb/tasks/main.yml +++ b/roles/installer/debian/usb/tasks/main.yml @@ -17,7 +17,7 @@ debian_installer_arch: "{{ install.arch | default('amd64') }}" debian_installer_variant: netboot import_role: - role: installer/debian/base + role: installer/debian/fetch - name: Create temporary workdir tempfile: diff --git a/roles/installer/openbsd/autoinstall/tasks/main.yml b/roles/installer/openbsd/autoinstall/tasks/main.yml index b8e88b53..86f543ee 100644 --- a/roles/installer/openbsd/autoinstall/tasks/main.yml +++ b/roles/installer/openbsd/autoinstall/tasks/main.yml @@ -29,7 +29,7 @@ - "INSTALL.{{ obsd_autoinstall_arch }}" - "{{ obsd_autoinstall_file_sets | product([obsd_autoinstall_version_short+'.tgz']) | map('join') | list }}" iso_extract: - image: "{{ installer_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso" + image: "{{ installer_base_path }}/openbsd-{{ obsd_autoinstall_version }}/{{ obsd_autoinstall_arch }}/install{{ obsd_autoinstall_version | replace('.', '') }}.iso" dest: "{{ obsd_autoinstall_tmpdir }}/files" files: "{{ [obsd_autoinstall_version+'/'+obsd_autoinstall_arch+'/'] | product(installer_files | flatten) | map('join') | list }}" diff --git a/roles/installer/openbsd/base/defaults/main.yml b/roles/installer/openbsd/base/defaults/main.yml deleted file mode 100644 index eeeaf2d0..00000000 --- a/roles/installer/openbsd/base/defaults/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# openbsd_installer_version: 6.7 -openbsd_installer_arch: amd64 - -openbsd_installer_force_download: no -openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD" diff --git a/roles/installer/openbsd/base/tasks/main.yml b/roles/installer/openbsd/base/tasks/main.yml index df3db107..412f3680 100644 --- a/roles/installer/openbsd/base/tasks/main.yml +++ b/roles/installer/openbsd/base/tasks/main.yml 
@@ -5,37 +5,3 @@ - genisoimage - signify-openbsd state: present - -- name: prepare directories for installer iso files - file: - name: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" - state: directory - -- name: download installer iso files - get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - dest: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - -- name: download signed sha256 files - get_url: - url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - dest: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" - mode: 0644 - force: "{{ openbsd_installer_force_download }}" - -- name: create signing key files - copy: - content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" - dest: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub" - -- name: verfiy downloaded iso files - command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso" - args: - chdir: "{{ installer_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" - changed_when: false - register: openbsd_installer_signify_result - -- debug: - var: openbsd_installer_signify_result.stdout_lines diff --git a/roles/installer/openbsd/base/vars/main.yml b/roles/installer/openbsd/base/vars/main.yml deleted file mode 100644 index dad9f064..00000000 --- a/roles/installer/openbsd/base/vars/main.yml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}" - -openbsd_installer_signing_keys: - "6.7": | - untrusted comment: openbsd 6.7 base public key - RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj diff --git a/roles/installer/openbsd/fetch/defaults/main.yml b/roles/installer/openbsd/fetch/defaults/main.yml new file mode 100644 index 00000000..eeeaf2d0 --- /dev/null +++ b/roles/installer/openbsd/fetch/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# openbsd_installer_version: 6.7 +openbsd_installer_arch: amd64 + +openbsd_installer_force_download: no +openbsd_installer_url: "https://cdn.openbsd.org/pub/OpenBSD" diff --git a/roles/installer/openbsd/fetch/tasks/main.yml b/roles/installer/openbsd/fetch/tasks/main.yml new file mode 100644 index 00000000..0ab9070c --- /dev/null +++ b/roles/installer/openbsd/fetch/tasks/main.yml 
@@ -0,0 +1,34 @@ +--- +- name: prepare directories for installer iso files + file: + name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" + state: directory + +- name: download installer iso files + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/install{{ openbsd_installer_version_short }}.iso" + mode: 0644 + force: "{{ openbsd_installer_force_download }}" + +- name: download signed sha256 files + get_url: + url: "{{ openbsd_installer_url }}/{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}/SHA256.sig" + mode: 0644 + force: "{{ openbsd_installer_force_download }}" + +- name: create signing key files + copy: + content: "{{ openbsd_installer_signing_keys[openbsd_installer_version] }}" + dest: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/openbsd-{{ openbsd_installer_version_short }}-base.pub" + +- name: verfiy downloaded iso files + command: "signify-openbsd -Cp ../openbsd-{{ openbsd_installer_version_short }}-base.pub -x SHA256.sig install{{ openbsd_installer_version_short }}.iso" + args: + chdir: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}" + changed_when: false + register: openbsd_installer_signify_result + +- debug: + var: openbsd_installer_signify_result.stdout_lines diff --git a/roles/installer/openbsd/fetch/vars/main.yml b/roles/installer/openbsd/fetch/vars/main.yml new file mode 100644 index 00000000..dad9f064 --- /dev/null +++ b/roles/installer/openbsd/fetch/vars/main.yml 
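Review bot: When `signify-openbsd` rejects the iso in the `verfiy downloaded iso files` task the role fails but the rejected files stay in place, and with `openbsd_installer_force_download: no` the next run skips the download (get_url without checksum only fetches when dest is missing) and verifies the same bad iso again, so the host stays broken until someone deletes the directory by hand. installer/debian/fetch wraps its downloads in a block with a rescue that removes the download directory and fails; the same structure fits here, with the four download/key/verify tasks moved into the block.
```yaml
- name: download and verify installer iso files
  block:
    # … unchanged: download installer iso files, download signed sha256 files,
    #   create signing key files, verfiy downloaded iso files (indented one level deeper) …

  rescue:
    - name: remove all downloaded iso files
      file:
        name: "{{ installer_base_path }}/openbsd-{{ openbsd_installer_version }}/{{ openbsd_installer_arch }}"
        state: absent

    - fail:
        msg: "download/verification of installer iso files failed"
```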
@@ -0,0 +1,7 @@
+---
+openbsd_installer_version_short: "{{ openbsd_installer_version | replace('.', '') }}"
+
+openbsd_installer_signing_keys:
+ "6.7": |
+ untrusted comment: openbsd 6.7 base public key
+ RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj
diff --git a/roles/vm/define/templates/libvirt-domain.xml.j2 b/roles/vm/define/templates/libvirt-domain.xml.j2
index c4c9e52a..5af12c00 100644
--- a/roles/vm/define/templates/libvirt-domain.xml.j2
+++ b/roles/vm/define/templates/libvirt-domain.xml.j2
@@ -7,7 +7,7 @@ hvm {% if vm_define_installer %} {% if install_distro == 'debian' or install_distro == 'ubuntu' %} - {{ installer_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}/linux + {{ installer_base_path }}/{{ install_distro }}-{{ install_codename }}/{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}-netboot/linux {{ preseed_tmpdir }}/initrd.preseed.gz console=ttyS0,115200n8 DEBCONF_DEBUG=5
diff --git a/roles/vm/host/tasks/main.yml b/roles/vm/host/tasks/main.yml
index 390016a2..4c29970d 100644
--- a/roles/vm/host/tasks/main.yml
+++ b/roles/vm/host/tasks/main.yml
@@ -43,11 +43,11 @@ - name: mount filesytem mount: src: "/dev/mapper/{{ installer_lvm.vg | replace('-', '--') }}-{{ installer_lvm.lv | replace('-', '--') }}" - path: "{{ installer_path }}" + path: "{{ installer_base_path }}" fstype: "{{ installer_lvm.fs }}" state: mounted - name: make sure installer directory exists file: - name: "{{ installer_path }}" + name: "{{ installer_base_path }}" state: directory
diff --git a/roles/vm/install/tasks/installer-debian.yml b/roles/vm/install/tasks/installer-debian.yml
new file mode 100644
index 00000000..29aae48f
--- /dev/null
+++ b/roles/vm/install/tasks/installer-debian.yml
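Review bot: `openbsd_installer_signing_keys` is the trust anchor every fetched ISO is checked against, yet the file does not record where the `"6.7"` value was taken from or how the next release is added; a comment above the map such as `# one entry per supported release; value copied verbatim from /etc/signify/openbsd-NN-base.pub on a trusted install and compared against a second source` would make the next addition reproducible and reviewable. The `|` block (not `|-`) is deliberate as far as I can tell: signify reads the `untrusted comment:` line and the base64 line separately and expects a newline after the base64 line, which is worth stating in the same comment so nobody "tidies" it. As written, any `openbsd_installer_version` other than `"6.7"` cannot be fetched until a key is added here, which is the intended fail-closed behaviour and also belongs in that comment.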
@@ -0,0 +1,20 @@
+---
+- name: fetch debian installer files
+ vars:
+ debian_installer_distro: "{{ install_distro }}"
+ debian_installer_codename: "{{ install_codename }}"
+ debian_installer_arch: "{{ install_cooked.arch | default('amd64') }}"
+ debian_installer_variant: netboot
+ import_role:
+ name: installer/debian/fetch
+
+- name: generate host specific initial ramdisk
+ vars:
+ ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
+ preseed_tmpdir: "{{ tmpdir.path }}"
+ preseed_virtual_machine: yes
+ preseed_force_net_ifnames_policy: path
+ preseed_no_netplan: yes
+ install_interface: enp1s1
+ import_role:
+ name: installer/debian/preseed
diff --git a/roles/vm/install/tasks/installer-openbsd.yml b/roles/vm/install/tasks/installer-openbsd.yml
new file mode 100644
index 00000000..f3802afd
--- /dev/null
+++ b/roles/vm/install/tasks/installer-openbsd.yml
@@ -0,0 +1,16 @@
+---
+- name: fetch openbsd installer files
+ vars:
+ openbsd_installer_version: "{{ install_codename }}"
+ openbsd_installer_arch: "{{ install_cooked.arch | default('amd64') }}"
+ import_role:
+ name: installer/openbsd/fetch
+
+- name: generate host specific autoinstall iso
+ vars:
+ ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}"
+ obsd_autoinstall_tmpdir: "{{ tmpdir.path }}"
+ obsd_autoinstall_serial_device: com0
+ install_interface: vio0
+ import_role:
+ name: installer/openbsd/autoinstall
diff --git a/roles/vm/install/tasks/main.yml b/roles/vm/install/tasks/main.yml
index 6b8f9ca7..7f102beb 100644
--- a/roles/vm/install/tasks/main.yml
+++ b/roles/vm/install/tasks/main.yml
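Review bot: `debian_installer_arch` reads `install_cooked.arch` from the current host's variables, while `ssh_keys_root` a few lines below goes through `hostvars[install_hostname]` and the libvirt template changed in this same commit also reads `hostvars[install_hostname].install_cooked.arch`; if `install_cooked` is only defined on the target host, `default('amd64')` silently masks the miss and the role fetches and verifies an installer for the wrong architecture instead of failing. Consider `debian_installer_arch: "{{ hostvars[install_hostname].install_cooked.arch | default('amd64') }}"`, or at least the same lookup style as the neighbouring vars; the same applies to `openbsd_installer_arch` in installer-openbsd.yml in this commit. `preseed_virtual_machine: yes` and `preseed_no_netplan: yes` are YAML 1.1 truthy spellings; `true` is the portable form yamllint accepts. Since `import_role` is static, a one-line comment that these `vars:` are scoped to the imported role's tasks (and that `tmpdir` must have been registered by the caller) would make the file readable on its own.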
@@ -35,24 +35,10 @@ register: tmpdir - when: install_distro in ['debian', 'ubuntu'] - vars: - ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}" - preseed_tmpdir: "{{ tmpdir.path }}" - preseed_virtual_machine: yes - preseed_force_net_ifnames_policy: path - preseed_no_netplan: yes - install_interface: enp1s1 - import_role: - name: installer/debian/preseed + import_tasks: installer-debian.yml - when: install_distro in ['openbsd'] - vars: - ssh_keys_root: "{{ hostvars[install_hostname].ssh_keys_root }}" - obsd_autoinstall_tmpdir: "{{ tmpdir.path }}" - obsd_autoinstall_serial_device: com0 - install_interface: vio0 - import_role: - name: installer/openbsd/autoinstall + import_tasks: installer-openbsd.yml - name: Make installer workdir readable by qemu acl: -- cgit v1.2.3