diff --git a/.github/scripts/aws-delete-ci-resources.sh b/.github/scripts/aws-delete-ci-resources.sh index d2aab90f..01a0c522 100644 --- a/.github/scripts/aws-delete-ci-resources.sh +++ b/.github/scripts/aws-delete-ci-resources.sh @@ -9,12 +9,20 @@ REGION="eu-west-1" instance_ids=$(aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --region "$REGION" --output text) # Loop through each instance ID and terminate it for instance_id in $instance_ids; do - echo "Listing instance: $instance_name ($instance_id)" instance_name=$(aws ec2 describe-tags --filters "Name=resource-id,Values=$instance_id" "Name=key,Values=Name" --region "$REGION" --output=text | cut -f5) + echo "Listing instance: $instance_name ($instance_id)" if [[ $instance_name == *"packer"* ]] || [[ $instance_name == *"gh-ci"* ]]; then echo "--> Terminating instance: $instance_name ($instance_id)" aws ec2 terminate-instances --instance-ids "$instance_id" --region "$REGION" fi + + # Get SSH key name + ssh_key_name=$(aws ec2 describe-instances --instance-ids "$instance_id" --query 'Reservations[].Instances[].KeyName' --region "$REGION" --output text) + echo "Listing SSH key: $ssh_key_name" + if [[ $ssh_key_name == *"packer"* ]]; then + echo "--> Terminating instance: $ssh_key_name ($instance_id)" + aws ec2 terminate-instances --instance-ids "$instance_id" --region "$REGION" + fi done # List all EBS volume IDs and extract their IDs diff --git a/.github/scripts/azure-new-instance.sh b/.github/scripts/azure-new-instance.sh index fab55af4..1e687004 100755 --- a/.github/scripts/azure-new-instance.sh +++ b/.github/scripts/azure-new-instance.sh 
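Review bot: An instance whose Name tag already matched is terminated a second time by the new SSH-key block, and that block's log line is a copy of the first one with the wrong variable (`echo "--> Terminating instance: $ssh_key_name ($instance_id)"` prints the key pair name where an instance name is expected). Add `continue` directly after the first `aws ec2 terminate-instances` call and change the second echo to `echo "--> Terminating instance with packer key pair: $ssh_key_name ($instance_id)"`. The key check is an unanchored substring match (`*"packer"*`) on a destructive path: any instance in the region whose key pair name merely contains "packer" is terminated, which is broader than the Name check, so if CI key pairs follow a known prefix match on that prefix instead. The extra `describe-instances` round trip per instance could be avoided by selecting `KeyName` next to `InstanceId` in the initial query, though that is optional.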
@@ -28,6 +28,7 @@ if [ "$TECHNO" = "tdx" ]; then --ssh-key-values "$SSH_PUB_KEY" else IMAGE_NAME="/subscriptions/e04f52be-d51f-43fe-95f8-d63a8fc91464/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/cosmian-vm-${DISTRIB}-${TECHNO}/versions/0.0.0" + IMAGE_NAME="/subscriptions/e04f52be-d51f-43fe-95f8-d63a8fc91464/resourceGroups/packer-snp/providers/Microsoft.Compute/galleries/cosmian_packer/images/base-image-${DISTRIB}-${TECHNO}/versions/0.1.5" if [ "$DISTRIB" = "ubuntu" ]; then # Ubuntu SEV @@ -53,3 +54,6 @@ else fi az vm open-port -g packer-snp -n "$NAME" --priority 100 --port 5555,443,22 + +HOST=$(az vm show -d -g packer-snp -n "$NAME" --query publicIps -o tsv) +echo "$HOST" diff --git a/.github/workflows/aws_ansible.yml b/.github/workflows/aws_ansible.yml index 90d60bfc..9c2433d9 100644 --- a/.github/workflows/aws_ansible.yml +++ b/.github/workflows/aws_ansible.yml @@ -114,7 +114,7 @@ jobs: for i in {1..1} do echo "Iteration: $i" - ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }} + ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u $SSH_USER --private-key="$HOME/packer.pem" -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} -e '{ "check_app_test_reboot": false, "check_cosmian_vm_test_reboot": false, "reboot_allowed": false }' --tags playbook-base-image,playbook-${{ inputs.product }},check-${{ inputs.product }} --skip-tags role-cleanup done - name: Stop and delete AWS instance 
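Review bot: The added `IMAGE_NAME=` line turns the line just above it into dead code: the `cosmian-vm-${DISTRIB}-${TECHNO}/versions/0.0.0` assignment is overwritten immediately, so this branch now always boots `base-image-${DISTRIB}-${TECHNO}/versions/0.1.5`. Delete the old assignment instead of shadowing it, or if switching between the two images is intended, select the image family through a variable with a comment explaining when each is used. The image version `0.1.5` is also hard-coded here while the workflows pass `base-version` as an input, so this script will silently lag the next version bump; consider taking the version from an argument or environment variable with `0.1.5` as the default. The enclosing `if [ "$TECHNO" = "tdx" ]` block starts before the hunk.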
diff --git a/.github/workflows/aws_base_image.yml b/.github/workflows/aws_base_image.yml index 7c8c365e..6687297c 100644 --- a/.github/workflows/aws_base_image.yml +++ b/.github/workflows/aws_base_image.yml @@ -54,6 +54,7 @@ jobs: - name: Packer build image env: + PACKER_GITHUB_API_TOKEN: ${{ secrets.PACKER_GITHUB_TOKEN }} IMAGE_NAME: ${{ steps.env.outputs.IMAGE_NAME }} run: | set -ex diff --git a/.github/workflows/aws_base_main.yml b/.github/workflows/aws_base_main.yml index ee98edfa..10b26912 100644 --- a/.github/workflows/aws_base_main.yml +++ b/.github/workflows/aws_base_main.yml @@ -22,4 +22,4 @@ jobs: techno: sev distrib: ${{ matrix.distrib }} product: ${{ matrix.product }} - base-version: 0.1.4 + base-version: 0.1.5 diff --git a/.github/workflows/aws_image.yml b/.github/workflows/aws_image.yml index b037f1e1..e90e3097 100644 --- a/.github/workflows/aws_image.yml +++ b/.github/workflows/aws_image.yml @@ -64,6 +64,7 @@ jobs: - name: Packer build image env: + PACKER_GITHUB_API_TOKEN: ${{ secrets.PACKER_GITHUB_TOKEN }} TIMESTAMP: ${{ steps.env.outputs.TIMESTAMP }} IMAGE_NAME: ${{ steps.env.outputs.IMAGE_NAME }} KMS_VERSION: ${{ inputs.kms-version }} diff --git a/.github/workflows/aws_main.yml b/.github/workflows/aws_main.yml index 9342cdd3..d6f83911 100644 --- a/.github/workflows/aws_main.yml +++ b/.github/workflows/aws_main.yml @@ -17,20 +17,19 @@ jobs: strategy: fail-fast: false matrix: - distrib: [ubuntu] + distrib: [ubuntu, rhel] product: [cosmian-vm] name: (AWS) ${{ matrix.product }} - ${{ matrix.distrib }} - SEV needs: - clean-resources secrets: inherit - uses: ./.github/workflows/aws_image.yml + uses: ./.github/workflows/aws_ansible.yml with: techno: sev distrib: ${{ matrix.distrib }} product: ${{ matrix.product }} kms-version: 4.16.0 ai-runner-version: 0.3.0 - base-version: 0.1.4 post-clean-resources: if: success() || cancelled() diff --git a/.github/workflows/azure_ansible.yml b/.github/workflows/azure_ansible.yml index 452947a0..2ea7925c 100644 
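Review bot: The new `PACKER_GITHUB_API_TOKEN` entry carries no comment explaining why an image build needs a GitHub token; Packer reads this variable when it fetches plugins from GitHub releases, to avoid the unauthenticated API rate limit, and a reader of the workflow should not have to guess that. Add `# read by packer when downloading plugins from GitHub; avoids the unauthenticated API rate limit` above the line, and make sure `PACKER_GITHUB_TOKEN` is a fine-grained token with only public read access, since nothing in this step needs more. The same line is added in aws_image.yml, azure_packer_build.yml, gcp_base_image.yml and gcp_image.yml, so the comment belongs in each of them (or the token injection could move to a shared composite action). The `run:` block that starts with `set -ex` continues past the hunk.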
--- a/.github/workflows/azure_ansible.yml +++ b/.github/workflows/azure_ansible.yml @@ -110,7 +110,7 @@ jobs: for i in {1..1} do echo "Iteration: $i" - ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} + ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} --skip-tags role-cleanup done - name: Stop and delete Azure instance diff --git a/.github/workflows/azure_base_main.yml b/.github/workflows/azure_base_main.yml index 5c675c59..7f30de55 100644 --- a/.github/workflows/azure_base_main.yml +++ b/.github/workflows/azure_base_main.yml @@ -26,6 +26,6 @@ jobs: techno: ${{ matrix.techno }} distrib: ${{ matrix.distrib }} product: ${{ matrix.product }} - base-version: 0.1.4 + base-version: 0.1.5 kms-version: 0.0.0 ai-runner-version: 0.0.0 diff --git a/.github/workflows/azure_packer_build.yml b/.github/workflows/azure_packer_build.yml index a32e812c..700c4978 100644 --- a/.github/workflows/azure_packer_build.yml +++ b/.github/workflows/azure_packer_build.yml @@ -50,6 +50,7 @@ jobs: - name: Packer build image env: + PACKER_GITHUB_API_TOKEN: ${{ secrets.PACKER_GITHUB_TOKEN }} CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} diff --git a/.github/workflows/gcp_ansible.yml b/.github/workflows/gcp_ansible.yml index 1270ad49..35954045 100644 --- a/.github/workflows/gcp_ansible.yml +++ b/.github/workflows/gcp_ansible.yml 
@@ -146,7 +146,7 @@ jobs: for i in {1..1} do echo "Iteration: $i" - ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} + ansible-playbook ${{ inputs.product }}-playbook.yml -i ${IP_ADDR}, -u cosmian -e cosmian_vm_version=$COSMIAN_VM_VERSION -e cosmian_kms_version=${{ inputs.kms-version }} -e cosmian_ai_runner_version=${{ inputs.ai-runner-version }} --skip-tags role-cleanup done - name: Stop and delete GCP instance diff --git a/.github/workflows/gcp_base_image.yml b/.github/workflows/gcp_base_image.yml index 6319553d..5b9da358 100644 --- a/.github/workflows/gcp_base_image.yml +++ b/.github/workflows/gcp_base_image.yml @@ -56,6 +56,7 @@ jobs: - name: Packer build image env: + PACKER_GITHUB_API_TOKEN: ${{ secrets.PACKER_GITHUB_TOKEN }} IMAGE_NAME: ${{ steps.env.outputs.IMAGE_NAME }} TECHNO: ${{ inputs.techno }} run: | diff --git a/.github/workflows/gcp_base_main.yml b/.github/workflows/gcp_base_main.yml index ed7733b3..0ccfbbe1 100644 --- a/.github/workflows/gcp_base_main.yml +++ b/.github/workflows/gcp_base_main.yml @@ -26,4 +26,4 @@ jobs: techno: ${{ matrix.techno }} distrib: ${{ matrix.distrib }} product: ${{ matrix.product }} - base-version: 0.1.4 + base-version: 0.1.5 diff --git a/.github/workflows/gcp_image.yml b/.github/workflows/gcp_image.yml index 480ce310..ac21f168 100644 --- a/.github/workflows/gcp_image.yml +++ b/.github/workflows/gcp_image.yml @@ -79,6 +79,7 @@ jobs: - name: Packer build image env: + PACKER_GITHUB_API_TOKEN: ${{ secrets.PACKER_GITHUB_TOKEN }} TIMESTAMP: ${{ steps.env.outputs.TIMESTAMP }} IMAGE_NAME: ${{ steps.env.outputs.IMAGE_NAME }} KMS_VERSION: ${{ inputs.kms-version }} diff --git a/.github/workflows/nightly_aws_main.yml b/.github/workflows/nightly_aws_main.yml index 38b27a2e..365e6a95 100644 --- a/.github/workflows/nightly_aws_main.yml 
+++ b/.github/workflows/nightly_aws_main.yml @@ -35,7 +35,7 @@ jobs: product: ${{ matrix.product }} kms-version: 4.16.0 ai-runner-version: 0.3.0 - base-version: 0.1.4 + base-version: 0.1.5 # Too many failures when rebooting EC2 # ansible: diff --git a/.github/workflows/nightly_azure_main.yml b/.github/workflows/nightly_azure_main.yml index dba82d64..b8b0e02f 100644 --- a/.github/workflows/nightly_azure_main.yml +++ b/.github/workflows/nightly_azure_main.yml @@ -18,7 +18,7 @@ jobs: fail-fast: false max-parallel: 3 matrix: - distrib: [ubuntu, rhel] + distrib: [rhel, ubuntu] product: [cosmian-vm, kms, ai-runner] techno: [sev, tdx] exclude: @@ -26,6 +26,8 @@ jobs: distrib: rhel - techno: tdx distrib: rhel + - product: ai-runner + techno: sev name: (AZURE) ${{ matrix.product }} - ${{ matrix.distrib }} - ${{ matrix.techno }} needs: - clean-resources @@ -37,7 +39,7 @@ jobs: product: ${{ matrix.product }} kms-version: 4.16.0 ai-runner-version: 0.3.0 - base-version: 0.1.4 + base-version: 0.1.5 ansible: if: startsWith(github.ref, 'refs/tags/') != true @@ -45,7 +47,7 @@ jobs: fail-fast: false max-parallel: 3 matrix: - distrib: [ubuntu, rhel] + distrib: [rhel, ubuntu] product: [cosmian-vm, kms, ai-runner] techno: [sev, tdx] exclude: @@ -53,6 +55,8 @@ jobs: distrib: rhel - techno: tdx distrib: rhel + - product: ai-runner + techno: sev name: (AZURE) ${{ matrix.product }} - ${{ matrix.distrib }} - ${{ matrix.techno }} needs: - clean-resources diff --git a/.github/workflows/nightly_clean.yml b/.github/workflows/nightly_clean.yml new file mode 100644 index 00000000..d2532067 --- /dev/null +++ b/.github/workflows/nightly_clean.yml 
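Review bot: The new exclusion `- product: ai-runner` / `techno: sev` is added to both matrices in this file (and again twice in nightly_gcp_main.yml) without saying why that combination is skipped, and the matrix reorder `[ubuntu, rhel]` to `[rhel, ubuntu]` is equally unexplained. Add a comment on the exclude entry such as `# ai-runner is only validated on TDX: <reason>` and, if the reorder is meant to get the RHEL jobs scheduled first under `max-parallel: 3`, say so next to the `distrib:` line; otherwise a future reader will assume both changes are accidental. Keeping the four copies in sync by hand is error-prone, so a single shared matrix definition would reduce the drift risk.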
@@ -0,0 +1,21 @@ +--- +name: Nightly clean cloud providers resources + +on: + schedule: + # every day at 0 AM + - cron: 00 0 * * * + workflow_dispatch: + +jobs: + azure: + uses: ./.github/workflows/azure_clean.yml + secrets: inherit + + gcp: + uses: ./.github/workflows/gcp_clean.yml + secrets: inherit + + aws: + uses: ./.github/workflows/aws_clean.yml + secrets: inherit diff --git a/.github/workflows/nightly_gcp_main.yml b/.github/workflows/nightly_gcp_main.yml index f2108960..1b389e7e 100644 --- a/.github/workflows/nightly_gcp_main.yml +++ b/.github/workflows/nightly_gcp_main.yml @@ -18,7 +18,7 @@ jobs: fail-fast: false max-parallel: 3 matrix: - distrib: [ubuntu, rhel] + distrib: [rhel, ubuntu] product: [cosmian-vm, kms, ai-runner] techno: [sev, tdx] exclude: @@ -26,6 +26,8 @@ jobs: distrib: rhel - techno: tdx distrib: rhel + - product: ai-runner + techno: sev include: - techno: sev machine-type: n2d-standard-2 @@ -55,7 +57,7 @@ jobs: product: ${{ matrix.product }} kms-version: 4.16.0 ai-runner-version: 0.3.0 - base-version: 0.1.4 + base-version: 0.1.5 ansible: if: startsWith(github.ref, 'refs/tags/') != true @@ -63,7 +65,7 @@ jobs: fail-fast: false max-parallel: 3 matrix: - distrib: [ubuntu, rhel] + distrib: [rhel, ubuntu] product: [cosmian-vm, kms, ai-runner] techno: [sev, tdx] exclude: @@ -71,6 +73,8 @@ jobs: distrib: rhel - techno: tdx distrib: rhel + - product: ai-runner + techno: sev include: - techno: sev machine-type: n2d-standard-2 diff --git a/.github/workflows/nightly_marketplaces.yml b/.github/workflows/nightly_marketplaces.yml index 49b61e03..f3763af4 100644 --- a/.github/workflows/nightly_marketplaces.yml +++ b/.github/workflows/nightly_marketplaces.yml @@ -8,7 +8,7 @@ on: - '**' # schedule: # # every day at 0 AM - # - cron: 00 0 * * * + # - cron: 00 1 * * * workflow_dispatch: jobs: diff --git a/CHANGELOG.md b/CHANGELOG.md index ab28bf86..b4266c16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
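Review bot: This schedule fires at `00 0 * * *`, and the cleanup it triggers is destructive (the AWS script terminates every instance whose Name or key pair matches `packer`/`gh-ci`); if any of the nightly build workflows also start at midnight, this run can race them and remove instances they have just created. Stagger the cron (the commented-out schedule in nightly_marketplaces.yml is moved to 1 AM in this same commit, presumably for that reason) or make the cleanup a job the nightly workflows declare in `needs:` rather than an independent schedule, and add a comment stating the ordering assumption. Quoting the expression, `- cron: '00 0 * * *'`, matches the GitHub documentation style and avoids any YAML parsing surprise from the bare `*` characters. The three reusable workflows referenced here (azure_clean.yml, gcp_clean.yml, aws_clean.yml) are not part of this diff, so their existence cannot be confirmed from here.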
@@ -2,6 +2,12 @@ All notable changes to this project will be documented in this file. +## [1.2.3] - 2024-06-15 + +### Bug Fixes + +- Upgrade base image to 0.1.5: clean all authorized_keys and users ([#140](https://github.com/Cosmian/cosmian_vm/pull/140)) + ## [1.2.2] - 2024-06-13 ### Bug Fixes diff --git a/Cargo.lock b/Cargo.lock index 5ed42e36..0e34451b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -966,7 +966,7 @@ checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f" [[package]] name = "cosmian_certtool" -version = "1.2.2" +version = "1.2.3" dependencies = [ "acme-lib", "actix-files", @@ -985,7 +985,7 @@ dependencies = [ [[package]] name = "cosmian_vm" -version = "1.2.2" +version = "1.2.3" dependencies = [ "anyhow", "clap 4.5.4", @@ -1003,7 +1003,7 @@ dependencies = [ [[package]] name = "cosmian_vm_agent" -version = "1.2.2" +version = "1.2.3" dependencies = [ "actix-cors", "actix-http", @@ -1048,7 +1048,7 @@ dependencies = [ [[package]] name = "cosmian_vm_client" -version = "1.2.2" +version = "1.2.3" dependencies = [ "base64 0.22.1", "hex", @@ -1894,7 +1894,7 @@ dependencies = [ [[package]] name = "ima" -version = "1.2.2" +version = "1.2.3" dependencies = [ "bincode", "hex", diff --git a/Cargo.toml b/Cargo.toml index 17ee4d06..9fd17107 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -9,7 +9,7 @@ members = [ resolver = "2" [workspace.package] -version = "1.2.2" +version = "1.2.3" edition = "2021" license = "BUSL-1.1" license-file = "LICENSE" diff --git a/README.md b/README.md index aa053de4..84715fe1 100644 --- a/README.md +++ b/README.md 
@@ -46,13 +46,13 @@ Our client CLI [cosmian_vm](https://github.com/Cosmian/cosmian_vm/tree/main/crat - [Snapshot of the system](#snapshot-of-the-system) - [Verification of the remote instance](#verification-of-the-remote-instance) - [Cloud providers support](#cloud-providers-support) - - [Marketplace Image content](#marketplace-image-content) - - [Configuration file](#configuration-file) - - [First Cosmian VM launch](#first-cosmian-vm-launch) - - [Handle Cosmian VM status](#handle-cosmian-vm-status) - - [Usage](#usage) - - [Provide secrets without SSH access](#provide-secrets-without-ssh-access) -- [Other Cosmian Products base on Cosmian VM](#other-cosmian-products-base-on-cosmian-vm) + * [Marketplace Image content](#marketplace-image-content) + * [Configuration file](#configuration-file) + * [First Cosmian VM launch](#first-cosmian-vm-launch) + * [Handle Cosmian VM status](#handle-cosmian-vm-status) + * [Usage](#usage) + * [Provide secrets without SSH access](#provide-secrets-without-ssh-access) +- [Other Cosmian Products based on Cosmian VM](#other-cosmian-products-based-on-cosmian-vm) @@ -279,11 +279,12 @@ The `restart` subcommand can restart the application identified in `service_name cosmian_vm --url https://my_app.dev app restart ``` -## Other Cosmian Products base on Cosmian VM +## Other Cosmian Products based on Cosmian VM -| Cosmian VM | Cosmian KMS | Cosmian AI Runner | -| ---------- | ----------- | ----------------- | -| 1.2.2 | 4.16.0 | 0.3.0 | -| 1.2.1 | 4.16.0 | 0.3.0 | -| 1.2.0 | 4.16.0 | - | -| 1.1.2 | 4.15.0 | - | +| Base image | Cosmian VM | Cosmian KMS | Cosmian AI Runner | +| ---------- | ---------- | ----------- | ----------------- | +| 0.1.5 | 1.2.3 | 4.16.0 | 0.3.0 | +| 0.1.4 | 1.2.2 | 4.16.0 | 0.3.0 | +| 0.1.3 | 1.2.1 | 4.16.0 | 0.3.0 | +| | 1.2.0 | 4.16.0 | - | +| | 1.1.2 | 4.15.0 | - | diff --git a/ansible/README.md b/ansible/README.md index 4e724ce8..7d0c034a 100644 --- a/ansible/README.md +++ b/ansible/README.md 
@@ -4,6 +4,12 @@ ### Changelog +## [0.1.5] - 2024-06-15 + +- Clean RHEL/Ubuntu after builds: ([#140](https://github.com/Cosmian/cosmian_vm/pull/140)) + - clean all authorized_keys + - clean users + ## [0.1.4] - 2024-06-12 - RHEL: @@ -102,8 +108,8 @@ export USERNAME=cosmian export HOST=35.204.83.49 # Be sure to install deps: `pip install -r python_modules.txt` on your localhost cd ansible -ansible-playbook cosmian-vm-playbook.yml -i ${HOST}, -u $USERNAME -e cosmian_vm_version=1.2.2 -ansible-playbook kms-playbook.yml -i ${HOST}, -u $USERNAME -e cosmian_vm_version=1.2.2 -e cosmian_kms_version=4.16.0 +ansible-playbook cosmian-vm-playbook.yml -i ${HOST}, -u $USERNAME -e cosmian_vm_version=1.2.3 +ansible-playbook kms-playbook.yml -i ${HOST}, -u $USERNAME -e cosmian_vm_version=1.2.3 -e cosmian_kms_version=4.16.0 ``` The machine has been configured diff --git a/ansible/ai-runner-packer-playbook.yml b/ansible/ai-runner-packer-playbook.yml index 335ae057..9cf7df25 100644 --- a/ansible/ai-runner-packer-playbook.yml +++ b/ansible/ai-runner-packer-playbook.yml @@ -7,3 +7,5 @@ become: true roles: - ai_runner + - role: cleanup + tags: role-cleanup diff --git a/ansible/base-image-packer-playbook.yml b/ansible/base-image-packer-playbook.yml index 87c00266..9590e8b7 100644 --- a/ansible/base-image-packer-playbook.yml +++ b/ansible/base-image-packer-playbook.yml @@ -3,13 +3,14 @@ hosts: all become: true roles: - - role: configure_ima - tags: configure_ima + - role: upgrade + tags: role-upgrade - tpm - instance_configs # GCP only - intel - - upgrade - no_updates + - role: configure_ima + tags: role-configure-ima - name: Reboot after GRUB changes, Linux updates and TPM support installation hosts: all @@ -43,3 +44,10 @@ - name: Display Security updates ansible.builtin.debug: var: dnf_security_update + +- name: Clean base image + hosts: all + become: true + roles: + - role: cleanup + tags: role-cleanup 
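Review bot: In base-image-packer-playbook.yml the tag on the configure_ima role changes from `configure_ima` to `role-configure-ima`, so any existing `--tags configure_ima` or `--skip-tags configure_ima` invocation now silently selects nothing; grep the workflows and docs for the old tag before merging, or keep both for one release with `tags: [role-configure-ima, configure_ima]`. The role order also changes (upgrade first, configure_ima last) with no explanation in the playbook; a one-line comment such as `# role order is deliberate: upgrade first, configure_ima last (reason: <fill in>)` would save the next reader from re-deriving it. The new `Clean base image` play is correctly placed after the reboot play, so keys removed by it are not re-created by a later task in this file.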
diff --git a/ansible/cosmian-vm-packer-playbook.yml b/ansible/cosmian-vm-packer-playbook.yml index 751ec37e..1a3da22f 100644 --- a/ansible/cosmian-vm-packer-playbook.yml +++ b/ansible/cosmian-vm-packer-playbook.yml @@ -6,3 +6,5 @@ - check_cpu - role: cosmian_vm_agent tags: role_cosmian_vm_agent + - role: cleanup + tags: role-cleanup diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 75648ea9..b8e759be 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -1,5 +1,5 @@ --- -cosmian_vm_version: 1.2.2 +cosmian_vm_version: 1.2.3 cosmian_kms_version: 4.16.0 cosmian_ai_runner_version: 0.3.0 diff --git a/ansible/kms-packer-playbook.yml b/ansible/kms-packer-playbook.yml index bc1601bb..3ab19af1 100644 --- a/ansible/kms-packer-playbook.yml +++ b/ansible/kms-packer-playbook.yml @@ -7,3 +7,5 @@ become: true roles: - kms + - role: cleanup + tags: role-cleanup diff --git a/ansible/roles/cleanup/tasks/main.yml b/ansible/roles/cleanup/tasks/main.yml new file mode 100644 index 00000000..0d39b4ac --- /dev/null +++ b/ansible/roles/cleanup/tasks/main.yml 
@@ -0,0 +1,51 @@ +--- +# tasks file for ansible/roles/cleanup + +- name: Find all authorized_keys files + ansible.builtin.find: + paths: + - /home + - /root + recurse: true + patterns: authorized_keys + register: authorized_keys + +- name: Display authorized_keys + ansible.builtin.debug: + var: authorized_keys + +- name: Remove found authorized_keys files + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + loop: "{{ authorized_keys.files }}" + when: authorized_keys.matched > 0 + +- name: Find all authorized_keys files + ansible.builtin.find: + paths: + - /home + - /root + recurse: true + patterns: authorized_keys + register: authorized_keys + +- name: Display authorized_keys authorized_keys + ansible.builtin.debug: + var: authorized_keys + +- name: Fail if authorized_keys files are found + ansible.builtin.fail: + msg: "authorized_keys files found in the system!" + when: authorized_keys.matched > 0 + +- name: List folders in /home + ansible.builtin.find: + paths: /home + file_type: directory + recurse: false + register: home_folders + +- name: Display home directories + ansible.builtin.debug: + var: home_folders diff --git a/ansible/roles/configure_ima/tasks/main.yml b/ansible/roles/configure_ima/tasks/main.yml index f5d06e3b..db4c5120 100644 --- a/ansible/roles/configure_ima/tasks/main.yml +++ b/ansible/roles/configure_ima/tasks/main.yml @@ -1,6 +1,9 @@ --- # tasks file for ansible/roles/configure_ima +- name: Gathering facts + ansible.builtin.gather_facts: + - name: Check OS distribution ansible.builtin.debug: var: ansible_distribution diff --git a/ansible/roles/no_updates/tasks/main.yml b/ansible/roles/no_updates/tasks/main.yml index 23a4920c..2b1cfe05 100644 --- a/ansible/roles/no_updates/tasks/main.yml +++ b/ansible/roles/no_updates/tasks/main.yml 
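Review bot: The changelog entries in this commit say the role cleans "authorized_keys and users", but the tasks only delete `authorized_keys` files under /home and /root and then merely `debug`-print the /home directories; no account or home directory is removed, so build-time users (for example the `packer` account set as `ssh_username` in azure.pkr.hcl, if the builder creates it) presumably remain in the published image. Either drop the `List folders in /home` / `Display home directories` pair and correct the changelog, or add a task that actually removes the build users — on Azure this is normally done by the agent's deprovision step rather than by ansible, so the approach is provider-specific and should be documented at the top of the role. The search matches only the default filename, so keys honoured through a non-default sshd `AuthorizedKeysFile` setting (or a legacy `authorized_keys2`) would survive; consider adding `authorized_keys2` to `patterns` and checking the effective sshd configuration. The second find task reuses the name `Find all authorized_keys files` and the debug task is named `Display authorized_keys authorized_keys`; rename them `Re-scan for remaining authorized_keys files` and `Display remaining authorized_keys` so the verification pass is distinguishable in the play output.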
@@ -80,7 +80,7 @@ backup: true when: __dnf_automatic_conf.stat.exists - - name: Clean dnf metadata + - name: Clean DNF metadata ansible.builtin.command: dnf clean all register: cmd_output changed_when: cmd_output.rc != 0 diff --git a/ansible/roles/upgrade/tasks/main.yml b/ansible/roles/upgrade/tasks/main.yml index 59d93f2e..9eabda1f 100644 --- a/ansible/roles/upgrade/tasks/main.yml +++ b/ansible/roles/upgrade/tasks/main.yml @@ -2,6 +2,9 @@ # tasks file for upgrade +- name: Gathering facts + ansible.builtin.gather_facts: + - name: Update and upgrade apt packages when: ansible_distribution == 'Ubuntu' block: diff --git a/packer/aws.pkr.hcl b/packer/aws.pkr.hcl index bb4fe3b0..0847afa7 100644 --- a/packer/aws.pkr.hcl +++ b/packer/aws.pkr.hcl @@ -12,16 +12,17 @@ packer { } source "amazon-ebssurrogate" "TEMPLATE_DISTRIBUTION" { - source_ami = "TEMPLATE_SOURCE_AMI" - region = "eu-west-1" - ssh_username = "TEMPLATE_SSH_USERNAME" - ami_name = "TEMPLATE_IMAGE_NAME" - instance_type = "c6a.2xlarge" - ssh_timeout = "5m" - ami_virtualization_type = "hvm" - ena_support = true - tpm_support = "TEMPLATE_SUPPORT" - boot_mode = "uefi" + ssh_username = "TEMPLATE_SSH_USERNAME" + ssh_timeout = "5m" + ssh_clear_authorized_keys = true + source_ami = "TEMPLATE_SOURCE_AMI" + region = "eu-west-1" + ami_name = "TEMPLATE_IMAGE_NAME" + instance_type = "c6a.2xlarge" + ami_virtualization_type = "hvm" + ena_support = true + tpm_support = "TEMPLATE_SUPPORT" + boot_mode = "uefi" launch_block_device_mappings { volume_type = "gp3" diff --git a/packer/azure.pkr.hcl b/packer/azure.pkr.hcl index 3297b161..a6fb6015 100644 --- a/packer/azure.pkr.hcl +++ b/packer/azure.pkr.hcl @@ -12,6 +12,9 @@ packer { } source "azure-arm" "TEMPLATE_DISTRIBUTION" { + ssh_username = "packer" + ssh_timeout = "5m" + ssh_clear_authorized_keys = true client_id = "TEMPLATE_CLIENT_ID" tenant_id = "TEMPLATE_TENANT_ID" subscription_id = "TEMPLATE_SUBSCRIPTION_ID" 
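Review bot: `ssh_clear_authorized_keys = true` in aws.pkr.hcl and azure.pkr.hcl only removes the temporary key Packer itself injected; it is the ansible cleanup role added in this commit that removes every authorized_keys file, so the two mechanisms overlap and the reason for keeping both should be stated in the template, e.g. `# packer removes its own temporary key here; the ansible cleanup role removes all remaining authorized_keys files`. In azure.pkr.hcl the new `ssh_username = "packer"` pins the account the build runs under, and clearing the key does not remove that account from the captured image; confirm that a deprovision step outside this diff handles it. The same option is added in gcp.pkr.hcl, where `use_os_login = true` is set, so on that builder the key is managed through OS Login rather than an authorized_keys file and the option is likely a no-op there — worth a comment as well. The `source` blocks continue past these hunks.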
diff --git a/packer/gcp.pkr.hcl b/packer/gcp.pkr.hcl index 79ff0ef9..1bf073fd 100644 --- a/packer/gcp.pkr.hcl +++ b/packer/gcp.pkr.hcl @@ -12,19 +12,20 @@ packer { } source "googlecompute" "TEMPLATE_GOOGLE_COMPUTE" { - project_id = "cosmian-dev" - source_image = "TEMPLATE_SOURCE_IMAGE" - source_image_family = "TEMPLATE_SOURCE_FAMILY" - zone = "europe-west4-a" - ssh_username = "root" - ssh_timeout = "5m" - image_name = "TEMPLATE_IMAGE_NAME" - image_guest_os_features = ["TEMPLATE_OS_FEATURES"] - network = "default" - subnetwork = "default" - tags = ["ssh"] - use_os_login = true - wait_to_add_ssh_keys = "60s" + ssh_username = "root" + ssh_timeout = "5m" + ssh_clear_authorized_keys = true + project_id = "cosmian-dev" + source_image = "TEMPLATE_SOURCE_IMAGE" + source_image_family = "TEMPLATE_SOURCE_FAMILY" + zone = "europe-west4-a" + image_name = "TEMPLATE_IMAGE_NAME" + image_guest_os_features = ["TEMPLATE_OS_FEATURES"] + network = "default" + subnetwork = "default" + tags = ["ssh"] + use_os_login = true + wait_to_add_ssh_keys = "60s" } build {