diff --git a/group_vars/tcbsd_plcs/vars.yml b/group_vars/tcbsd_plcs/vars.yml index e18d2ab..522a2d2 100644 --- a/group_vars/tcbsd_plcs/vars.yml +++ b/group_vars/tcbsd_plcs/vars.yml @@ -4,11 +4,23 @@ ansible_become: true ansible_become_method: doas ansible_python_interpreter: /usr/local/bin/python3 -# FreeBSD packages are no longer required, beckhoff added py39-lxml again. +# freebsd packages are the standard internet packages for bsd enable_freebsd_packages: false +# tcbsd packages are the latest packages for tcbsd from Beckhoff +enable_tcbsd_packages: false +# slac packages are a specific version-stamped mirror of tcbsd on the internal network +# this is required if you want control over your XAR version +enable_slac_packages: true -# psproxy and psntp are currently needed to get bsd and package updates while on the lcls cds networks -use_psproxy: true +# fixed XAR ensures you set up the PLC with a known runtime +# this requires a pkg mirror +# fixed XAR version should never be defined in a group file, only in a host file, to ensure no surprise updates +set_fixed_xar: true +#fixed_xar_version: 4026.3.55 + +# psproxy is needed to get freebsd and tcbsd packages +use_psproxy: false +# an ntp config is needed to get any packages at all, psntp is the internal service at lcls use_psntp: true # Dynamic AMS net id = set AMS net id to ip addr .1.1 diff --git a/group_vars/tcbsd_vms/vars.yml b/group_vars/tcbsd_vms/vars.yml index 615a33a..458e6ca 100644 --- a/group_vars/tcbsd_vms/vars.yml +++ b/group_vars/tcbsd_vms/vars.yml 
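Review bot: `set_fixed_xar: true` and `enable_slac_packages: true` become group defaults here while `fixed_xar_version` is deliberately left commented out, so any host in this group without a host_vars override will hit an undefined variable as soon as the SLAC repo template or the XAR install task renders it, rather than a clear message. Make the dependency explicit in the comment, e.g. `# every host in this group MUST define fixed_xar_version in its host_vars (scripts/make_vars.py does this for new hosts)`, or guard the playbook tasks with `fixed_xar_version is defined`. Minor style: the commented-out key `#fixed_xar_version: 4026.3.55` lacks the space after `#` used by the surrounding comments, and when it is uncommented the value should be quoted (`"4026.3.55"`) so that a future two-component version such as 4026.10 is not read as the float 4026.1.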
@@ -5,11 +5,23 @@ ansible_become_method: doas ansible_become_password: 1 # TODO: vault ansible_python_interpreter: /usr/local/bin/python3 -# FreeBSD packages are no longer required, beckhoff added py39-lxml again. +# freebsd packages are the standard internet packages for bsd enable_freebsd_packages: false +# tcbsd packages are the latest packages for tcbsd from Beckhoff +enable_tcbsd_packages: true +# slac packages are a specific version-stamped mirror of tcbsd on the internal network +# this is required if you want control over your XAR version +enable_slac_packages: false -# psproxy and psntp are currently needed to get bsd and package updates while on the lcls cds networks +# fixed XAR ensures you set up the PLC with a known runtime +# this requires a pkg mirror +# fixed XAR version should never be defined in a group file, only in a host file, to ensure no surprise updates +set_fixed_xar: false +#fixed_xar_version: 4026.3.55 + +# psproxy is needed to get freebsd and tcbsd packages use_psproxy: false +# an ntp config is needed to get any packages at all, psntp is the internal service at lcls use_psntp: false # Dynamic AMS net id = set AMS net id to ip addr .1.1 diff --git a/host_vars/plc-tmo-tmp-vac/vars.yml b/host_vars/plc-tmo-tmp-vac/vars.yml deleted file mode 100644 index 4e02f71..0000000 --- a/host_vars/plc-tmo-tmp-vac/vars.yml +++ /dev/null 
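Review bot: `enable_tcbsd_packages: true` is paired with `use_psproxy: false`, while the new comment a few lines below states that psproxy is needed to get freebsd and tcbsd packages; if the VMs reach Beckhoff's repo without the proxy, say so in the comment (`# VMs have direct egress, no proxy needed`), otherwise one of the two values looks wrong. The context line `ansible_become_password: 1 # TODO: vault` still keeps a privilege-escalation password in plain text in a committed group file; since this file is being reworked, moving that value into ansible-vault or prompting with `--ask-become-pass` would close the open TODO. The same quoting caveat as in the tcbsd_plcs file applies to `#fixed_xar_version: 4026.3.55`.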
@@ -1,119 +0,0 @@ ---- -ansible_host: plc-tmo-tmp-vac - -# Uncomment any setting below and change it to override a default setting. -#ansible_user: Administrator -#ansible_become: true -#ansible_become_method: doas -#ansible_python_interpreter: /usr/local/bin/python3 -# -## FreeBSD packages are no longer required, beckhoff added py39-lxml again. -#enable_freebsd_packages: false -# -## psproxy and psntp are currently needed to get bsd and package updates while on the lcls cds networks -#use_psproxy: true -#use_psntp: true -# -## Dynamic AMS net id = set AMS net id to ip addr .1.1 -## Static AMS net id = set AMS net id to the value of tc_ams_net_id -#dynamic_ams: true -## tc_ams_net_id: 0.0.0.0.1.1 -# -## Extra user for non-admin activities -#create_user: true -#create_username: ecs-user -# -## set static IP on x000 (mac id 2) -#x000_set_static_ip: true -#x000_static_ip: 192.168.1.10 -# -## set static IP on x001 (mac id 1) -## Uses the DHCP assigned address, set statically -#x001_set_static_ip: false -# -## We can set the PLC's timezone, which is largely cosmetic -## See /usr/share/zoneinfo/ on the PLC for options -#set_plc_timezone: true -#plc_timezone: America/Los_Angeles -# -## This is the default of 32MB. Set to 67108864 for 64MB of router memory. -#tc_locked_memory_size_bytes: 33554432 -# -## Heap memory size is not specified by default. If you wish to change the -## default, set this to greater than 0 (e.g., 1024). This must be -## greater than the locked memory size for the router, above. 
-#tc_heap_memory_size_mb: 2048 -## Install and use bash in place of sh: -#tc_use_bash: true -## Install C/C++ development tools (approximately 1.8GB): -#tc_install_cpp_dev_tools: true -# -## Packages to install: -#tc_libraries: -## - TC31-OrderNo # Mapping of TwinCAT order numbers to TC/BSD package names -## - TC31-TcIoPtp # TcIoPtp | TC3 Precise Time Protocol -## - TC31-TcOsSys # TwinCAT runtime component TcOsSys.dll and TwinCAT license text -## - TC31-XAR # TwinCAT System Service -## - TC31-XAR-EtherCATSlave # TwinCAT EtherCATSlave driver -## - TCBSD-CrossBuildSDK # SDK for TC/BSD cross-compilation -## - TCBSD-Install-Scripts # TCBSD installer scripts -## - TF1810-PLC-HMI-Web # TF1810 | TC3 PLC HMI Web -## - TF2000-HMI-Server # TF2000-HMI-Server -## - TF3300-Scope-Server-IoT # -## - TF3500-Analytics-Logger # TF3500 | TC3 Analytics Logger -## - TF360x-Condition-Monitoring # TF360x | TC3 Condition Monitoring -## - TF3650-Power-Monitoring # TF3650 | TC3 Power Monitoring -## - TF3800-Machine-Learning # TF3800 | TC3 Machine Learning -## - TF5000-NC-PTP # TwinCAT NC PTP driver -## - TF5100-NCI # TF5100 | TC3 NC I -## - TF5210-CNC-E # TF5210 | TC3 CNC E -## - TF5850-XTS-Technology # TF5850 | XTS Technology -## - TF6000-ADS-Comm-Lib # TF6000 | TC3 ADS Communication Library -## - TF6100-OPC-UA-beta # TF6100 | TC3 OPC UA -## - TF6230-Parallel-Redundancy-Protocol # TF6230 | TC3 Parallel Redundancy Protocol -## - TF6250-Modbus-TCP # TF6250 | TC3 Modbus TCP -## - TF627x-PROFINET-RT # TwinCAT PROFINET RT driver -## - TF6280-EtherNetIP # This package was replaces by TF628x-EthernetIP -## - TF628x-EtherNetIP # TwinCAT EtherNet/IP driver -#- TF6310-TCP-IP # TF6310 | TC3 TCP/IP -## - TF6340-Serial-Communication-beta # TF6340 | TC3 Serial Communication -## - TF6420-Database-Server # TF6420 | TC3 Database Server -## - TF6421-XML-Server # TF6421 | TC3 XML Server -## - TF6620-S7-Comm # TF6620 | S7 Communication -## - TF8020-BACnet # TwinCAT BACnet driver -## - TF8310-Wind-Framework # 
TF8310 | TC3 Wind Framework -# -#tc_tools_packages: -# - TcAdsTool # TcAdsTool | Use the power of ADS from your command line -# - TcAmsLogger # TwinCAT ADS Monitor - AMS Logger -# # - TcBackup # Tools to easily create and restore full system backups -# # - TcBackup-Gui-Installer # Tools to easily create and restore full system backups -# # - TcCoreConf # TwinCAT CPU core configuration tool -# # - TcCppUtils2.0 # -# # - TcEventLoggerAdsProxy # TcEventLoggerAdsProxy -# # - TcImportCert # TcImportCert | Import TwinCAT OEM certificate data into TwinCAT registry -# # - TcPalDrv # TwinCAT PAL driver -# # - TcTypeSystem2.7 # -# # - TcTypeSystem2.8 # -# # - TcUsb # TwinCAT USB driver -# -#tc_packages_to_install: -# - git -# - vim -# - ripgrep -# -## Packages only available via pip can be installed using this. -## py39-pip will only be installed if you marked it here. -## As far as the security implications go: well, that's up to you! -#tc_install_pip_packages: -## - pytmc -## Uninstall pip after using it? -#tc_uninstall_pip: true -# -## Configure the following static routes (and only those): -## NOTE: if you don't want to run my arbitrary module, use this instead -## of tc_add_missing_static_routes below -#tc_set_fixed_static_routes: [] -# -## Alternatively, only add missing routes from the list: -#tc_add_missing_static_routes: [] diff --git a/host_vars/plc-tst-bsd1/vars.yml b/host_vars/plc-tst-bsd1/vars.yml index 02fe835..f2cf9e9 100644 --- a/host_vars/plc-tst-bsd1/vars.yml +++ b/host_vars/plc-tst-bsd1/vars.yml @@ -1,5 +1,6 @@ --- ansible_host: plc-tst-bsd1 +fixed_xar_version: 4026.3.55 # Uncomment any setting below and change it to override a default setting. #ansible_user: Administrator 
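Review bot: `fixed_xar_version: 4026.3.55` is read as a string only because the value has two dots; a future value such as 4026.3 or 4026.10 would be parsed as a float (4026.1) and silently produce a wrong package name in the playbook. Quote it: `fixed_xar_version: "4026.3.55"`. The same applies to the identical line added in host_vars/plc-tst-bsd2/vars.yml and to the value that scripts/make_vars.py writes out for new hosts.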
@@ -7,11 +8,23 @@ ansible_host: plc-tst-bsd1 #ansible_become_method: doas #ansible_python_interpreter: /usr/local/bin/python3 # -## FreeBSD packages are no longer required, beckhoff added py39-lxml again. +## freebsd packages are the standard internet packages for bsd #enable_freebsd_packages: false +## tcbsd packages are the latest packages for tcbsd from Beckhoff +#enable_tcbsd_packages: false +## slac packages are a specific version-stamped mirror of tcbsd on the internal network +## this is required if you want control over your XAR version +#enable_slac_packages: true # -## psproxy and psntp are currently needed to get bsd and package updates while on the lcls cds networks -#use_psproxy: true +## fixed XAR ensures you set up the PLC with a known runtime +## this requires a pkg mirror +## fixed XAR version should never be defined in a group file, only in a host file, to ensure no surprise updates +#set_fixed_xar: true +##fixed_xar_version: 4026.3.55 +# +## psproxy is needed to get freebsd and tcbsd packages +#use_psproxy: false +## an ntp config is needed to get any packages at all, psntp is the internal service at lcls #use_psntp: true # ## Dynamic AMS net id = set AMS net id to ip addr .1.1 diff --git a/host_vars/plc-tst-bsd2/vars.yml b/host_vars/plc-tst-bsd2/vars.yml index 5952ba2..943e8b6 100644 --- a/host_vars/plc-tst-bsd2/vars.yml +++ b/host_vars/plc-tst-bsd2/vars.yml @@ -1,5 +1,6 @@ --- ansible_host: plc-tst-bsd2 +fixed_xar_version: 4026.3.55 # Uncomment any setting below and change it to override a default setting. #ansible_user: Administrator 
@@ -7,11 +8,23 @@ ansible_host: plc-tst-bsd2 #ansible_become_method: doas #ansible_python_interpreter: /usr/local/bin/python3 # -## FreeBSD packages are no longer required, beckhoff added py39-lxml again. +## freebsd packages are the standard internet packages for bsd #enable_freebsd_packages: false +## tcbsd packages are the latest packages for tcbsd from Beckhoff +#enable_tcbsd_packages: false +## slac packages are a specific version-stamped mirror of tcbsd on the internal network +## this is required if you want control over your XAR version +#enable_slac_packages: true # -## psproxy and psntp are currently needed to get bsd and package updates while on the lcls cds networks -#use_psproxy: true +## fixed XAR ensures you set up the PLC with a known runtime +## this requires a pkg mirror +## fixed XAR version should never be defined in a group file, only in a host file, to ensure no surprise updates +#set_fixed_xar: true +##fixed_xar_version: 4026.3.55 +# +## psproxy is needed to get freebsd and tcbsd packages +#use_psproxy: false +## an ntp config is needed to get any packages at all, psntp is the internal service at lcls #use_psntp: true # ## Dynamic AMS net id = set AMS net id to ip addr .1.1 diff --git a/scripts/make_vars.py b/scripts/make_vars.py index 0c61a20..6451472 100644 --- a/scripts/make_vars.py +++ b/scripts/make_vars.py @@ -64,6 +64,20 @@ def get_netid(hostname: str) -> str: return ipaddr + ".1.1" +def tcbsd_plcs_extra_vars() -> dict[str, str]: + """ + Assign a default static TwinCAT runtime (XAR) version for normal PLCs. + + This default to the "normal latest known working" that we use. + It should be kept static for a PLC until there is a good reason + to update it. + + The version number in this function should be updated when we decide + to support a new version. + """ + return {"fixed_xar_version": "4026.3.55"} + + def tcbsd_vms_extra_vars( hostname: str, ) -> dict[str, str]: 
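Review bot: The docstring of `tcbsd_plcs_extra_vars` has a grammar slip ("This default to"), and the version literal is now duplicated between this function, the two host_vars files and the commented group_vars defaults, which is exactly the "update in one place" the docstring promises. Hoist it to a module constant, e.g. `DEFAULT_XAR_VERSION = "4026.3.55"`, and change the body to `return {"fixed_xar_version": DEFAULT_XAR_VERSION}`; the first docstring sentence can read `This defaults to the "normal latest known working" version that we use.`. The module-level definitions are outside this hunk, so where the constant best sits is a guess.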
@@ -93,7 +107,7 @@ def write_host_vars(
 fd.write("---\n")
 fd.write(f"ansible_host: {hostname}\n")
 for key, value in extra_vars.items():
- fd.write(f"{key}: {value}")
+ fd.write(f"{key}: {value}\n")
 fd.write(
 "\n"
 "# Uncomment any setting below and change it "
@@ -113,7 +127,9 @@ def main(hostname: str) -> int:
 inventory_path=inventory_path,
 groups_path=groups_path,
 )
- if group == "tcbsd_vms":
+ if group == "tcbsd_plcs":
+ extra_vars = tcbsd_plcs_extra_vars()
+ elif group == "tcbsd_vms":
 extra_vars = tcbsd_vms_extra_vars(hostname)
 else:
 extra_vars = {}
diff --git a/tcbsd-provision-playbook.yaml b/tcbsd-provision-playbook.yaml
index b206c5c..74ee0d2 100644
--- a/tcbsd-provision-playbook.yaml
+++ b/tcbsd-provision-playbook.yaml
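Review bot: In `write_host_vars`, `fd.write(f"{key}: {value}\n")` emits the value as a bare YAML scalar, so the missing-newline fix is right but a version such as 4026.10 (or any value containing `: ` or ` #`) would be re-read by Ansible as a float or mis-parsed. Emit a quoted scalar instead, e.g. `fd.write(f"{key}: {json.dumps(value)}\n")` if `json` is imported, or `fd.write(f'{key}: "{value}"\n')` for the string-only values this script currently produces; the import block is outside this hunk. The new `tcbsd_plcs` branch in `main` is straightforward; the rest of `main` continues outside the hunk.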
@@ -26,12 +26,63 @@ path: /usr/local/etc/pkg/repos/FreeBSD.conf state: absent + - name: Disable FreeBSD packages + when: not enable_freebsd_packages + ansible.builtin.template: + # Put in the file that disables FreeBSD packages + src: "./templates/usr/local/etc/pkg/repos/FreeBSD.conf" + dest: "/usr/local/etc/pkg/repos/FreeBSD.conf" + owner: root + group: wheel + mode: u=rw,g=r,o=r + + - name: Enable TcBSD packages + when: enable_tcbsd_packages + ansible.builtin.file: + path: /usr/local/etc/pkg/repos/FreeBSD.conf + state: absent + + - name: Disable TcBSD packages + when: not enable_tcbsd_packages + ansible.builtin.template: + # Put in the file that disables TcBSD packages + src: "./templates/usr/local/etc/pkg/repos/TCBSD.conf" + dest: "/usr/local/etc/pkg/repos/TCBSD.conf" + owner: root + group: wheel + mode: u=rw,g=r,o=r + + - name: Configure SLAC package mirror repo + when: enable_slac_packages + ansible.builtin.template: + # Make sure we can access the local mirror with fixed xar versions + src: "./templates/etc/pkg/SLAC.conf" + dest: "/etc/pkg/SLAC.conf" + owner: root + group: wheel + mode: u=rw,g=r,o=r + + - name: Enable SLAC package mirror + when: enable_slac_packages + ansible.builtin.file: + path: /usr/local/etc/pkg/repos/SLAC.conf + state: absent + + - name: Disable SLAC package mirror + when: not enable_slac_packages + ansible.builtin.template: + # Put in the file that disables SLAC packages + src: "./templates/usr/local/etc/pkg/repos/SLAC.conf" + dest: "/usr/local/etc/pkg/repos/SLAC.conf" + owner: root + group: wheel + mode: u=rw,g=r,o=r + - name: Setup psproxy - when: use_psproxy - register: psproxy_setup ansible.builtin.blockinfile: # Appending to this file lets us install packages from Beckhoff, etc. # By using psproxy as our http/https proxy + state: "{{ use_psproxy | ternary('present', 'absent') }}" dest: /usr/local/etc/pkg.conf block: | PKG_ENV { 
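Review bot: The "Configure SLAC package mirror repo" task renders `/etc/pkg/SLAC.conf`, whose template embeds `fixed_xar_version`, but it is gated only on `enable_slac_packages`; a host with `enable_slac_packages: true` and no `fixed_xar_version` (the tcbsd_plcs group default leaves it commented out) fails at template time with an undefined-variable error rather than a clear message. Guard it with `when: enable_slac_packages and fixed_xar_version is defined`, or add an `ansible.builtin.assert` on `fixed_xar_version` before this block of tasks. Dropping `register: psproxy_setup` is safe only if nothing later in the playbook still references `psproxy_setup`; the remainder of the playbook is outside this hunk, so please confirm.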
@@ -42,9 +93,9 @@ # We need NTP sync in order to install packages. # Use internal ntp servers - name: Setup psntp - when: use_psntp register: psntp_setup ansible.builtin.blockinfile: + state: "{{ use_psntp | ternary('present', 'absent') }}" dest: /etc/ntp.conf block: | disable monitor @@ -133,6 +184,23 @@ name: "{{ tc_packages_to_install }}" state: latest + # Note: this job runs even in check mode, to help us figure out if the xar install will happen. + - name: "Get available TwinCAT build" + when: set_fixed_xar + register: pkg_twincat_build + changed_when: false + check_mode: no + ansible.builtin.shell: + executable: /usr/local/bin/bash + cmd: pkg search TC31-XAR-{{ fixed_xar_version }} | cut -f 1 -d " " | cut -f 2 -d "_" + + - name: "Set fixed TwinCAT Runtime version ({{ fixed_xar_version | default('N/A') }})" + when: set_fixed_xar + register: xar_install + ansible.builtin.package: + name: "TC31-XAR-{{ fixed_xar_version }}_{{ pkg_twincat_build.stdout }}" + state: present + - name: Install TwinCAT tools ansible.builtin.package: name: "{{ tc_tools_packages }}" @@ -271,7 +339,7 @@ name: TcSystemService enabled: yes state: restarted - when: ams_net_id.changed or locked_memory_size.changed or heap_memory_size.changed + when: ams_net_id.changed or locked_memory_size.changed or heap_memory_size.changed or xar_install.changed # We use the second port as a LAN port with a known static IP # This makes it easy to use if we need it for e.g. doing service @@ -347,7 +415,7 @@ ansible.builtin.user: name: "{{ create_username }}" state: "{{ create_user | ternary('present', 'absent') }}" - shell: /usr/local/bin/bash' + shell: /usr/local/bin/bash # By default, only pubkey and keyboard interactive are enabled # Password access is useful for apps like pmpsdb_client diff --git a/templates/etc/pkg/SLAC.conf b/templates/etc/pkg/SLAC.conf new file mode 100644 index 0000000..37865ec --- /dev/null +++ b/templates/etc/pkg/SLAC.conf 
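Review bot: In "Get available TwinCAT build", `pkg_twincat_build.stdout` is used unchecked in the next task's package name, so an empty result (version absent from the configured repo) or several matching lines yields a malformed name like `TC31-XAR-4026.3.55_` and a confusing install failure, and the unanchored `pkg search` pattern is a partial match that could also pick up a longer version string. Add `failed_when: pkg_twincat_build.stdout_lines | length != 1` to the search task (or an `ansible.builtin.assert` between the two), and quote the interpolated variable in the shell command: `cmd: pkg search TC31-XAR-{{ fixed_xar_version | quote }} | cut -f 1 -d " " | cut -f 2 -d "_"`. `check_mode: no` is a YAML 1.1 truthy value; write `check_mode: false`. The restart `when:` now references `xar_install.changed`, which works only because a skipped registered task still carries `changed: false`; a short comment would help, e.g. `# xar_install is registered even when set_fixed_xar is false (skipped => changed: false)`.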
@@ -0,0 +1,6 @@
+SLAC: {
+ url: "https://sdfrepo.sdf.slac.stanford.edu/tcbsd/{{ ansible_facts['kernel'][:2] }}/{{ fixed_xar_version }}",
+ enabled: true,
+ signature_type: "fingerprints",
+ fingerprints: "/usr/share/keys/bhf-pkg"
+}
diff --git a/templates/usr/local/etc/pkg/repos/FreeBSD.conf b/templates/usr/local/etc/pkg/repos/FreeBSD.conf
new file mode 100644
index 0000000..22521b5
--- /dev/null
+++ b/templates/usr/local/etc/pkg/repos/FreeBSD.conf
@@ -0,0 +1 @@
+FreeBSD: { enabled: no }
diff --git a/templates/usr/local/etc/pkg/repos/SLAC.conf b/templates/usr/local/etc/pkg/repos/SLAC.conf
new file mode 100644
index 0000000..d5303d7
--- /dev/null
+++ b/templates/usr/local/etc/pkg/repos/SLAC.conf
@@ -0,0 +1 @@
+SLAC: { enabled: no }
diff --git a/templates/usr/local/etc/pkg/repos/TCBSD.conf b/templates/usr/local/etc/pkg/repos/TCBSD.conf
new file mode 100644
index 0000000..5deae2f
--- /dev/null
+++ b/templates/usr/local/etc/pkg/repos/TCBSD.conf
@@ -0,0 +1 @@
+TCBSD: { enabled: no }
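Review bot: `{{ ansible_facts['kernel'][:2] }}` takes the first two characters of the kernel version string to build the mirror path, which silently breaks for a single-digit major or a major with more than two digits; a fact that carries the major version on its own, such as `ansible_facts['distribution_major_version']`, would be more robust if TC/BSD populates it (worth checking on a host). Pinning `signature_type: "fingerprints"` to the Beckhoff fingerprint directory over HTTPS is the right default for an internal mirror; keep those two keys mandatory so the mirror cannot serve unsigned packages. The three one-line `enabled: no` overrides under /usr/local/etc/pkg/repos are valid pkg(8) UCL, but a leading comment in each template, e.g. `# managed by ansible: overrides the repo definition in /etc/pkg`, would save the next admin a search.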