Upgrade the base AMI to Fedora 41 #129

Draft
wants to merge 27 commits into
base: develop
27 commits
f8e25d9
Upgrade the base AMI to Fedora 40
jsf9k May 15, 2024
8cecee1
Temporarily use a non-default branch of cisagov/ansible-role-persist-…
jsf9k May 22, 2024
1613852
Temporarily use a non-default branch of cisagov/ansible-role-cloudwat…
jsf9k May 22, 2024
1176a30
Temporarily use a non-default branch of cisagov/ansible-role-hardening-2
jsf9k May 28, 2024
bfb61f6
Bump version from 0.9.5 to 0.10.0
jsf9k May 31, 2024
49e90d8
Bump version from 0.10.0 to 0.10.0-rc.1
jsf9k May 31, 2024
8ee168b
Revert to using the default branch of cisagov/ansible-role-hardening-2
jsf9k May 31, 2024
4091bae
Revert to using the default branch of cisagov/ansible-role-cloudwatch…
jsf9k Jun 20, 2024
df7baad
Revert to using the default branch of cisagov/ansible-role-persist-jo…
jsf9k Jun 20, 2024
2bc0a40
Correct base AMI references
jsf9k Sep 24, 2024
be2ca3b
Add ansible as a dependency for the ansible-lint pre-commit hook
jsf9k Sep 24, 2024
a3aef58
Bump version from 0.10.0-rc.1 to 0.10.0-rc.2
jsf9k Oct 21, 2024
fce70ba
Upgrade to Fedora 41
jsf9k Oct 29, 2024
4bca549
Temporarily use a non-default branch of cisagov/ansible-role-upgrade
jsf9k Nov 12, 2024
5a440e7
Add shell provisioner to install python3-libdnf5
jsf9k Nov 12, 2024
497b372
Remove needless chmod +x commands
jsf9k Nov 12, 2024
08da8e3
Add the --quiet flag to the dnf5 command
jsf9k Nov 12, 2024
9f9a272
Temporarily use a non-default branch of cisagov/ansible-role-automate…
jsf9k Nov 12, 2024
403e261
Revert to using the default branch of cisagov/ansible-role-upgrade
jsf9k Nov 13, 2024
0eac742
Bump version from 0.10.0-rc.2 to 0.10.0-rc.3
jsf9k Nov 13, 2024
0a9bea8
Revert to using the default branch of cisagov/ansible-role-automated-…
jsf9k Nov 13, 2024
1a1542c
Bump version from 0.10.0-rc.3 to 0.10.0-rc.4
jsf9k Nov 15, 2024
506fd8e
Leave the fedora user in place
jsf9k Nov 17, 2024
55e21e4
Bump version from 0.10.0-rc.4 to 0.10.0-rc.5
jsf9k Nov 17, 2024
5705ef1
Do not run shell provisioners via bash before hardening
jsf9k Nov 17, 2024
8f8da10
Merge remote-tracking branch 'origin/develop' into improvement/upgrad…
jsf9k Jan 3, 2025
02c8582
Bump version from 0.10.0-rc.5 to 0.10.0-rc.6
jsf9k Jan 3, 2025
3 changes: 3 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -200,6 +200,9 @@ repos:
# It is also a good idea to go ahead and upgrade to version
# 10 since version 9 is going EOL at the end of November:
# https://endoflife.date/ansible
#
# This project uses community.general.ufw, which is packaged
# into ansible, so it requires this dependency.
- ansible>=10,<11
# ansible-core 2.16.3 through 2.16.6 suffer from the bug
# discussed in ansible/ansible#82702, which breaks any
6 changes: 3 additions & 3 deletions ami_arm64.pkr.hcl
Expand Up @@ -15,7 +15,7 @@ source "amazon-ebs" "arm64" {
region = var.build_region
region_kms_key_ids = var.region_kms_keys
skip_create_ami = var.skip_create_ami
source_ami = data.amazon-ami.fedora_39_arm64.id
source_ami = data.amazon-ami.fedora_41_arm64.id
ssh_username = "fedora"
subnet_filter {
filters = {
Expand All @@ -25,9 +25,9 @@ source "amazon-ebs" "arm64" {
tags = {
Application = "FreeIPA server"
Architecture = "arm64"
Base_AMI_Name = data.amazon-ami.fedora_39_arm64.name
Base_AMI_Name = data.amazon-ami.fedora_41_arm64.name
GitHub_Release_URL = var.release_url
OS_Version = "Fedora 39"
OS_Version = "Fedora 41"
Pre_Release = var.is_prerelease
Release = var.release_tag
Team = "VM Fusion - Development"
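Review bot: OS_Version in the tags block is a hard-coded string ("Fedora 41") that has to be edited in step with the data source referenced by source_ami and Base_AMI_Name, so the tag can drift from the image that is actually built. Consider deriving it from a single variable or local that also feeds the AMI name filter; the same applies to the matching tags block in ami_x86_64.pkr.hcl.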
6 changes: 3 additions & 3 deletions ami_x86_64.pkr.hcl
Expand Up @@ -15,7 +15,7 @@ source "amazon-ebs" "x86_64" {
region = var.build_region
region_kms_key_ids = var.region_kms_keys
skip_create_ami = var.skip_create_ami
source_ami = data.amazon-ami.fedora_39_x86_64.id
source_ami = data.amazon-ami.fedora_41_x86_64.id
ssh_username = "fedora"
subnet_filter {
filters = {
Expand All @@ -25,9 +25,9 @@ source "amazon-ebs" "x86_64" {
tags = {
Application = "FreeIPA server"
Architecture = "x86_64"
Base_AMI_Name = data.amazon-ami.fedora_39_x86_64.name
Base_AMI_Name = data.amazon-ami.fedora_41_x86_64.name
GitHub_Release_URL = var.release_url
OS_Version = "Fedora 39"
OS_Version = "Fedora 41"
Pre_Release = var.is_prerelease
Release = var.release_tag
Team = "VM Fusion - Development"
8 changes: 4 additions & 4 deletions base_amis.pkr.hcl
@@ -1,7 +1,7 @@
data "amazon-ami" "fedora_39_arm64" {
data "amazon-ami" "fedora_41_arm64" {
filters = {
architecture = "arm64"
name = "Fedora-Cloud-Base-39-*aarch64-hvm-*-gp3-*"
name = "Fedora-Cloud-Base-AmazonEC2.aarch64-41-*"
root-device-type = "ebs"
virtualization-type = "hvm"
}
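Review bot: The name filter in fedora_41_arm64 now ends in a bare trailing wildcard ("Fedora-Cloud-Base-AmazonEC2.aarch64-41-*") and no longer carries the -hvm- and -gp3- segments the old pattern required. virtualization-type still covers hvm, but nothing visible in this hunk constrains the volume type, and a name pattern by itself matches any AMI published under that name. Please confirm that the owners setting in the collapsed lines of this data source still pins the Fedora publisher account, and add a comment giving one example of a full AMI name the pattern is expected to match.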
Expand All @@ -10,10 +10,10 @@ data "amazon-ami" "fedora_39_arm64" {
region = var.build_region
}

data "amazon-ami" "fedora_39_x86_64" {
data "amazon-ami" "fedora_41_x86_64" {
filters = {
architecture = "x86_64"
name = "Fedora-Cloud-Base-39-*x86_64-hvm-*-gp3-*"
name = "Fedora-Cloud-Base-AmazonEC2.x86_64-41-*"
root-device-type = "ebs"
virtualization-type = "hvm"
}
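Review bot: The data source label fedora_41_x86_64 embeds the release number, so each Fedora upgrade renames the block and every reference to it in ami_x86_64.pkr.hcl (and likewise for arm64). A version-neutral label such as fedora_x86_64, with the release number held in one variable used by the name filter, would reduce the next upgrade to a one-line change and avoid the kind of stale reference that needed a follow-up commit in this PR.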
16 changes: 15 additions & 1 deletion build.pkr.hcl
Expand Up @@ -5,6 +5,20 @@ build {
"source.amazon-ebs.x86_64",
]

# This is necessary because the base AMI we use does not come with
# the python3-libdnf5 package preinstalled. Since Ansible detects
# dnf5 as the package manage on Fedora 41 and above, this package
# must be installed before Ansible can be run.
provisioner "shell" {
execute_command = "chmod +x {{ .Path }}; sudo env {{ .Vars }} {{ .Path }} ; rm -f {{ .Path }}"
inline = ["dnf5 --assumeyes --quiet --refresh install python3-libdnf5"]
}

provisioner "shell" {
execute_command = "chmod +x {{ .Path }}; sudo env {{ .Vars }} {{ .Path }} ; rm -f {{ .Path }}"
inline = ["echo daspasswort | passwd fedora --stdin"]
}

provisioner "ansible" {
playbook_file = "ansible/upgrade.yml"
use_proxy = false
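Review bot: The second new shell provisioner sets a fixed password on the fedora account (inline = ["echo daspasswort | passwd fedora --stdin"]), which commits a credential to the repository and bakes it into every AMI built from this template. This looks like a debugging aid and should be removed before the PR leaves draft; if console access is needed while troubleshooting, pass the value in at build time through a sensitive variable and make sure it is cleared before the image is captured. Two smaller points: "package manage" in the new comment should read "package manager", and both provisioners repeat the same execute_command string, which could live in one local.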
Expand All @@ -30,6 +44,6 @@ build {
# noexec bit set on it.
execute_command = "chmod +x {{ .Path }}; sudo env {{ .Vars }} bash {{ .Path }} ; rm -f {{ .Path }}"
skip_clean = true
inline = ["update-crypto-policies --set DEFAULT", "sed -i '/^users:/ {N; s/users:.*/users: []/g}' /etc/cloud/cloud.cfg", "rm --force /etc/sudoers.d/90-cloud-init-users", "rm --force /root/.ssh/authorized_keys", "/usr/sbin/userdel --remove --force fedora"]
inline = ["update-crypto-policies --set DEFAULT", "sed -i '/^users:/ {N; s/users:.*/users: []/g}' /etc/cloud/cloud.cfg", "rm --force /etc/sudoers.d/90-cloud-init-users", "rm --force /root/.ssh/authorized_keys"] # , "/usr/sbin/userdel --remove --force fedora"]
}
}
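Review bot: With "/usr/sbin/userdel --remove --force fedora" moved into a trailing comment, the fedora account now survives into the published AMI, and the provisioner added earlier in this file gives that account a known password. Removing /etc/sudoers.d/90-cloud-init-users and root's authorized_keys does not disable the account itself. Either restore the userdel step, or state in a comment why the user must stay and lock its password in this cleanup step (for example passwd --lock fedora). The commented-out list element after the closing bracket should be deleted rather than left as dead code.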
2 changes: 1 addition & 1 deletion version.txt
@@ -1 +1 @@
0.9.5
0.10.0-rc.6