packer: import image-builder-packer repository

/templates/packer now contains a copy of image-builder-packer repository
as of b8a4b45f93890090de24e3d043e2d958948fc3c5

Changes:
- LICENSE file was dropped (it was redundant)
- README file was dropped (no longer needed)
- GitHub workflows were removed (will be replaced by schutzbot)
- RPMs were removed (they were huge, will be installed in a different way)

Signed-off-by: Ondřej Budai <ondrej@budai.cz>

templates/packer/ansible/playbook.yml

@@ -0,0 +1,7 @@
+# Ansible playbook for configuring our AWS images.
+---
+
+- hosts: all
+  become: yes
+  roles:
+    - common

templates/packer/ansible/roles/common/files/RH-IT-Root-CA.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENDCCAxygAwIBAgIJANunI0D662cnMA0GCSqGSIb3DQEBCwUAMIGlMQswCQYD
+VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
+Z2gxFjAUBgNVBAoMDVJlZCBIYXQsIEluYy4xEzARBgNVBAsMClJlZCBIYXQgSVQx
+GzAZBgNVBAMMElJlZCBIYXQgSVQgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5m
+b3NlY0ByZWRoYXQuY29tMCAXDTE1MDcwNjE3MzgxMVoYDzIwNTUwNjI2MTczODEx
+WjCBpTELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYD
+VQQHDAdSYWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApS
+ZWQgSGF0IElUMRswGQYDVQQDDBJSZWQgSGF0IElUIFJvb3QgQ0ExITAfBgkqhkiG
+9w0BCQEWEmluZm9zZWNAcmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALQt9OJQh6GC5LT1g80qNh0u50BQ4sZ/yZ8aETxt+5lnPVX6MHKz
+bfwI6nO1aMG6j9bSw+6UUyPBHP796+FT/pTS+K0wsDV7c9XvHoxJBJJU38cdLkI2
+c/i7lDqTfTcfLL2nyUBd2fQDk1B0fxrskhGIIZ3ifP1Ps4ltTkv8hRSob3VtNqSo
+GxkKfvD2PKjTPxDPWYyruy9irLZioMffi3i/gCut0ZWtAyO3MVH5qWF/enKwgPES
+X9po+TdCvRB/RUObBaM761EcrLSM1GqHNueSfqnho3AjLQ6dBnPWlo638Zm1VebK
+BELyhkLWMSFkKwDmne0jQ02Y4g075vCKvCsCAwEAAaNjMGEwHQYDVR0OBBYEFH7R
+4yC+UehIIPeuL8Zqw3PzbgcZMB8GA1UdIwQYMBaAFH7R4yC+UehIIPeuL8Zqw3Pz
+bgcZMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
+CwUAA4IBAQBDNvD2Vm9sA5A9AlOJR8+en5Xz9hXcxJB5phxcZQ8jFoG04Vshvd0e
+LEnUrMcfFgIZ4njMKTQCM4ZFUPAieyLx4f52HuDopp3e5JyIMfW+KFcNIpKwCsak
+oSoKtIUOsUJK7qBVZxcrIyeQV2qcYOeZhtS5wBqIwOAhFwlCET7Ze58QHmS48slj
+S9K0JAcps2xdnGu0fkzhSQxY8GPQNFTlr6rYld5+ID/hHeS76gq0YG3q6RLWRkHf
+4eTkRjivAlExrFzKcljC4axKQlnOvVAzz+Gm32U0xPBF4ByePVxCJUHw1TsyTmel
+RxNEp7yHoXcwn+fXna+t5JWh1gxUZty3
+-----END CERTIFICATE-----

templates/packer/ansible/roles/common/files/forward-to-console.conf

@@ -0,0 +1,3 @@
+[Journal]
+ForwardToConsole=yes
+MaxLevelConsole=6

templates/packer/ansible/roles/common/files/monit_scripts/pozorbot_alert

@@ -0,0 +1,18 @@
+#!/bin/bash
+# Send alerts to pozorbot.
+# Monit's environment variables are documented here:
+# https://mmonit.com/monit/documentation/monit.html#ENVIRONMENT
+
+# Get AWS instance profile name.
+INSTANCE_PROFILE=$(curl -Ls http://169.254.169.254/latest/meta-data/iam/security-credentials)
+
+# Determine if we should use staging/stable SQS endpoint.
+SQS_ENDPOINT=staging
+if [[ $INSTANCE_PROFILE =~ stable ]]; then
+  SQS_ENDPOINT=stable
+fi
+
+QUEUE_URL=https://queue.amazonaws.com/933752197999/image-builder-pozorbot-${SQS_ENDPOINT}
+MESSAGE="${MONIT_EVENT} for ${MONIT_SERVICE} on ${MONIT_HOST} at ${MONIT_DATE}"
+RESULT=$(aws sqs send-message --queue-url $QUEUE_URL --message-body "${MESSAGE}")
+echo $RESULT

templates/packer/ansible/roles/common/files/monit_scripts/verify_worker_connection

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Verifies that a composer worker can reach its composer server.
+
+# Get the hostname of the composer instance.
+COMPOSER_HOST=$(grep -Eo "[a-z0-9\.]+.composer.[a-z0-9\.]+" /etc/hosts)
+
+# Exit now if this is not a worker.
+if [[ -z "${COMPOSER_HOST}" ]]; then
+  echo "Not a worker. Skipping check."
+  exit 2
+fi
+
+# Test a connection to composer.
+CONNECTION_TEST=$(
+  curl -s --connect-timeout 5 \
+    --cert /etc/osbuild-composer/worker-crt.pem \
+    --key /etc/osbuild-composer/worker-key.pem \
+    --cacert /etc/osbuild-composer/ca-crt.pem \
+    https://${COMPOSER_HOST}:8700/api/worker/v1/status
+)
+
+if [[ $CONNECTION_TEST =~ OK ]]; then
+  echo "Connection to ${COMPOSER_HOST} succeeded."
+  exit 0
+fi
+
+echo "Connection to ${COMPOSER_HOST} failed."
+exit 1

templates/packer/ansible/roles/common/files/osbuild-composer-override.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/libexec/osbuild-composer/osbuild-composer -verbose

templates/packer/ansible/roles/common/tasks/certificates.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Deploy Red Hat Root CA certificate.
+  copy:
+    src: RH-IT-Root-CA.crt
+    dest: /etc/pki/ca-trust/source/anchors/RH-IT-Root-CA.crt
+
+- name: Update trusted CA certificate bundle
+  command: update-ca-trust

templates/packer/ansible/roles/common/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+# Install various software packages.
+- include_tasks: packages.yml
+
+# Set systemd/journald overrides
+- include_tasks: systemd.yml
+
+# Deploy certificates.
+- include_tasks: certificates.yml
+
+# Configure monitoring.
+- include_tasks: monitoring.yml
+
+- name: Ensure SELinux contexts are updated
+  command: restorecon -Rv /etc

templates/packer/ansible/roles/common/tasks/monitoring.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Deploy monit configuration
+  template:
+    src: monitrc.j2
+    dest: /etc/monitrc
+    mode: "0600"
+    owner: root
+    group: root
+
+- name: Create directory for monit scripts
+  file:
+    path: /opt/monit
+    state: directory
+
+- name: Deploy monit scripts
+  copy:
+    src: "monit_scripts/{{ item }}"
+    dest: /opt/monit/
+    mode: "0755"
+    owner: root
+    group: root
+  loop:
+    - pozorbot_alert
+    - verify_worker_connection

templates/packer/ansible/roles/common/tasks/packages.yml

@@ -0,0 +1,82 @@
+---
+
+- name: Add osbuild-composer repository
+  yum_repository:
+    name: "composer"
+    description: "osbuild-composer commit {{ COMPOSER_COMMIT }}"
+    baseurl: "http://osbuild-composer-repos.s3.amazonaws.com/osbuild-composer/rhel-8-cdn/x86_64/{{ COMPOSER_COMMIT }}"
+    enabled: yes
+    gpgcheck: no
+    priority: "5"
+
+- name: Add osbuild repository
+  yum_repository:
+    name: "osbuild"
+    description: "osbuild commit {{ OSBUILD_COMMIT }}"
+    baseurl: "http://osbuild-composer-repos.s3-website.us-east-2.amazonaws.com/osbuild/rhel-8-cdn/x86_64/{{ OSBUILD_COMMIT }}"
+    enabled: yes
+    gpgcheck: no
+    priority: "5"
+
+- name: Upgrade all packages
+  package:
+    name: "*"
+    state: latest
+  register: result
+  retries: 5
+  until: result is success
+
+- name: Install required packages
+  package:
+    name:
+      - jq
+      - osbuild-composer
+      - unzip
+  register: result
+  retries: 5
+  until: result is success
+
+- name: Upload customized RPMs
+  copy:
+    src: "{{ item }}"
+    dest: /tmp
+  with_fileglob:
+    - "{{ playbook_dir }}/roles/common/files/*.rpm"
+  register: copied_rpms
+
+- name: Install copied RPMs
+  package:
+    name: "{{ copied_rpms.results | map(attribute='dest') | list }}"
+    disable_gpg_check: yes
+    state: present
+
+- name: Remove copied RPMs
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop: "{{ copied_rpms.results | map(attribute='dest') | list }}"
+
+- name: Download AWS CLI installer
+  get_url:
+    url: https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
+    dest: /tmp/awscli.zip
+  register: result
+  retries: 5
+  until: result is success
+
+- name: Unpack AWS CLI installer
+  unarchive:
+    src: /tmp/awscli.zip
+    dest: /tmp
+    remote_src: yes
+
+- name: Run AWS installer
+  command: /tmp/aws/install
+
+- name: Cleanup AWS installer
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /tmp/awscli.zip
+    - /tmp/aws

templates/packer/ansible/roles/common/tasks/systemd.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Create systemd override directory for osbuild-composer
+  file:
+    path: /etc/systemd/system/osbuild-composer.service.d/
+    state: directory
+
+- name: Override osbuild-composer to enable access logging
+  copy:
+    src: osbuild-composer-override.conf
+    dest: /etc/systemd/system/osbuild-composer.service.d/override.conf
+
+- name: Create journald override directory
+  file:
+    path: /etc/systemd/journald.conf.d
+    state: directory
+
+- name: Add journald override to forward messages to the console
+  copy:
+    src: forward-to-console.conf
+    dest: /etc/systemd/journald.conf.d/forward-to-console.conf

templates/packer/ansible/roles/common/templates/monitrc.j2

@@ -0,0 +1,60 @@
+{% set pozorbot_script = "/opt/monit/pozorbot_alert" -%}
+# Monit configuration for Image Builder in AWS.
+# Docs: https://mmonit.com/monit/documentation/monit.html
+
+# Check every 30 seconds and log to syslog.
+set daemon 30
+set log syslog
+
+# Allow access via ssh tunnel to see the monit console.
+set httpd port 2812 and
+    use address localhost
+    allow admin:monit
+
+# Verify that we're not eating all the memory on the instance.
+CHECK SYSTEM $HOST
+  if memory usage > 75%
+    for 5 cycles
+    then exec {{ pozorbot_script }}
+    else if succeeded then exec {{ pozorbot_script }}
+
+# Ensure the root filesystem isn't full.
+CHECK FILESYSTEM root PATH /
+  if space usage > 80%
+    for 5 times
+    within 15 cycles
+    then exec {{ pozorbot_script }}
+    else if succeeded then exec {{ pozorbot_script }}
+
+# Ensure the osbuild-composer filesystem isn't full.
+CHECK FILESYSTEM composer_persistent PATH /var/lib/osbuild-composer
+  if space usage > 80%
+    for 5 times
+    within 15 cycles
+    then exec {{ pozorbot_script }}
+    else if succeeded then exec {{ pozorbot_script }}
+
+# Check to see if we can reach cdn.redhat.com.
+# NOTE(mhayden): We will always get a 403 here because of client certs.
+CHECK HOST rhel_cdn WITH ADDRESS cdn.redhat.com
+  if failed
+    ping
+    then exec {{ pozorbot_script }}
+    else if succeeded then exec {{ pozorbot_script }}
+  if failed
+    port 443
+    protocol https
+    status = 403
+    with ssl options { CACERTIFICATEFILE: /etc/rhsm/ca/redhat-uep.pem }
+    then exec {{ pozorbot_script }}
+    else if succeeded then exec {{ pozorbot_script }}
+
+# Check for a valid connection to a composer server (valid for workers only).
+CHECK PROGRAM verify_worker_connection WITH PATH /opt/monit/verify_worker_connection
+  # A worker can't talk to its composer.
+  if status == 1
+    then exec {{ pozorbot_script }}
+    else if succeeded then exec {{ pozorbot_script }}
+  # This is not a worker.
+  if status == 2
+    then UNMONITOR

templates/packer/composer.pkr.hcl

@@ -0,0 +1,62 @@
+source "amazon-ebs" "image_builder" {
+
+  # AWS settings.
+  access_key = var.aws_access_key
+  secret_key = var.aws_secret_key
+  region = var.region
+
+  # Use a static RHEL Cloud Access Image.
+  source_ami          = "ami-0b0af3577fe5e3532"
+
+  # Remove previous image before making the new one.
+  force_deregister = true
+  force_delete_snapshot = true
+
+  # Ensure that the EBS snapshot used for the AMI meets our requirements.
+  launch_block_device_mappings {
+    delete_on_termination = "true"
+    device_name           = "/dev/sda1"
+    volume_size           = 25
+    volume_type           = "gp2"
+  }
+
+  # Apply tags to the instance that is building our image.
+  run_tags = {
+    AppCode = "IMGB-001"
+    Name = "packer-builder-for-${local.ami_full_name}"
+    composer_commit = "${var.composer_commit}"
+    osbuild_commit = "${var.osbuild_commit}"
+    imagebuilder_packer_commit = "${var.imagebuilder_packer_sha}"
+  }
+
+  # Apply tags to the resulting AMI/EBS snapshot.
+  tags = {
+    AppCode = "IMGB-001"
+    Name = "${local.ami_full_name}"
+    composer_commit = "${var.composer_commit}"
+    osbuild_commit = "${var.osbuild_commit}"
+    imagebuilder_packer_commit = "${var.imagebuilder_packer_sha}"
+  }
+
+  # Set a name for the resulting AMI.
+  ami_name = "${local.ami_full_name}"
+
+  # Network configuration for the instance building our image.
+  associate_public_ip_address = true
+  security_group_ids = ["sg-04bbbb35"]
+  ssh_interface = "public_ip"
+  ssh_username = "ec2-user"
+  instance_type = "c5.large"
+}
+
+build {
+  sources = ["source.amazon-ebs.image_builder"]
+
+  provisioner "ansible" {
+    playbook_file = "ansible/playbook.yml"
+    extra_arguments = [
+      "-e", "COMPOSER_COMMIT=${var.composer_commit}",
+      "-e", "OSBUILD_COMMIT=${var.osbuild_commit}",
+    ]
+  }
+}

templates/packer/locals.pkr.hcl

@@ -0,0 +1,8 @@
+# Packer's HCL syntax doesn't have the same timestamp as the old Packer
+# version.
+locals {
+    timestamp = regex_replace(timestamp(), "[- TZ:]", "")
+
+    ami_name_append_pr = "testing-only"
+    ami_full_name = "${var.ami_name}-${var.append_timestamp ? local.timestamp : local.ami_name_append_pr}"
+}

templates/packer/variables.pkr.hcl

@@ -0,0 +1,40 @@
+##############################################################################
+## VARIABLES THAT ARE SAFE TO CHANGE 🤔
+
+# Git SHA for the composer commit to include in the image.
+variable "composer_commit" {
+  type    = string
+  default = "b075cac9e3d4a283918dbefa66cce46d372e3835"
+}
+
+# Git SHA for the osbuild commit to include in the image.
+variable "osbuild_commit" {
+  type    = string
+  default = "f7bf23fabaae6027b1e1147b27870d90d4b1911f"
+}
+
+##############################################################################
+## VARIABLES THAT PROBABLY SHOULD NOT BE CHANGED 😬
+
+# AWS account configuration.
+variable "aws_access_key" { type = string }
+variable "aws_secret_key" { type = string }
+variable "region" {
+  type    = string
+  default = "us-east-1"
+}
+
+# Automatically set by environment variables in GitHub Actions.
+variable "imagebuilder_packer_sha" { type = string }
+
+# Default name for images (will have timestamp appended by default).
+variable "ami_name" {
+  type = string
+  default = "imagebuilder-service-image"
+}
+
+# Set to True to append a timestamp to the AMI name.
+variable "append_timestamp" {
+  type = bool
+  default = true
+}