Add rhel 10 support, combine workers+workers_gpu, remove jenkins, remove rhel 8 #111

gsaudade99 wants to merge 90 commits into pxe from
| @@ -1,5 +1,5 @@ | |||
| --- | |||
| - hosts: generic | |||
| - hosts: all | |||
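Review bot: `hosts: all` replaces `hosts: generic` without leaving a way to opt a host out of this play; an inventory that deliberately keeps a host out of the `generic` group loses that choice. Keep `- hosts: generic` here unless every host really must run it.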
I would like to keep the old, explicit structure, where you could also decide to not use generic. I remember there was a discussion about this with @domgz.
I'd also prefer to keep generic here.
| - hosts: all | |
| - hosts: generic |
Using all would also make it more difficult to implement ADR #3.
| path: /usr/bin/python3 | ||
| link: /usr/bin/python | ||
| - name: Set SELINUX to permissive | ||
| - name: Put SELinux in permissive mode, logging actions that would be blocked. |
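Review bot: the renamed task still forces SELinux into permissive mode unconditionally; gate it on a boolean variable (defaulting to permissive if that is what builds need today) so the same playbook can produce an enforcing image, and keep the "logging actions that would be blocked" wording in the task name.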
Would be nice to keep it enabled at some point. I would really like to try an enabled image, but I could imagine this to be a separate playbook, like internal, and you can select it in Jenkins parameters.
Co-authored-by: Mira <86979912+mira-miracoli@users.noreply.github.com>
| @@ -105,31 +77,32 @@ | |||
| - mountd | |||
| - name: Open Port for HTCondor | |||
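Review bot: opening the HTCondor port here duplicates the firewall task the ansible-htcondor-grycap role already carries in its tasks/main.yml; drop this task so the rule is owned in one place and the two cannot drift.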
This is part of the role; I would remove it.
https://github.com/usegalaxy-eu/ansible-htcondor-grycap/blob/33ea3aafd9c5d33a1063534e0604631696c052f9/tasks/main.yml#L100
| @@ -282,16 +294,15 @@ def assemble_name(self): | |||
| https://github.com/usegalaxy-eu/vgcn/issues/78 | |||
| """ | |||
| provisioning = self.provisioning.copy() | |||
| if "generic" not in self.provisioning: | |||
| provisioning.insert(0, "!generic") | |||
| name = [ | |||
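Review bot: `provisioning.insert(0, "!generic")` changes the assembled image name whenever `generic` is absent, but the docstring in the hunk still only points at issue #78 for the naming scheme; either document the `!generic` prefix there or keep the names as #78 defines them.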
The way we name and choose playbooks to apply was defined here
#78
Sorry, I should have said that before.
The PR looks very thorough and I like that you cleaned up various unused and old files! Otherwise I am happy with it, thanks – this looks like a lot of work!
| # Devsec | ||
| # Forsing group owenership to root. The role is for some reason trying to change it to "ssh_keys" | ||
| # and this does not aligne with the base Rocky10 image | ||
| ssh_host_keys_group: root |
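Review bot: `ssh_host_keys_group: root` overrides the hardening role's group choice on the strength of a comment that is misspelled (`Forsing`, `owenership`, `aligne`) and vague about which default it conflicts with; name the role and the Rocky 10 default in the comment, and confirm on a build which group the keys actually carry before keeping the override.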
| # Devsec | |
| # Forsing group owenership to root. The role is for some reason trying to change it to "ssh_keys" | |
| # and this does not aligne with the base Rocky10 image | |
| ssh_host_keys_group: root |
I have removed that code and tried this playbook.

```yaml
---
- hosts: all
  vars:
    ...
  pre_tasks:
    ...
  roles:
    - role: usegalaxy_eu.handy.os_setup
      vars:
        enable_create_user: true
        enable_powertools: true
        enable_install_software: true
        enable_grub: true
        # distribution_major_version is a string; cast to int so "10" is not compared lexically against "9"
        enable_kernel_5: "{{ true if (ansible_facts['distribution_major_version'] | int < 9) else false }}"
    - geerlingguy.repo-epel # Install EPEL
    - usegalaxy-eu.autoupdates # keep all of our packages up to date REMOVED until latest kernel is supported in dnbd3
    - usegalaxy-eu.dynmotd
    - influxdata.chrony
    - usegalaxy-eu.telegraf
    - devsec.hardening.ssh_hardening
  post_tasks:
    - name: Get owner and group for SSH host keys
      ansible.builtin.stat:
        path: "{{ item }}"
      loop:
        - /etc/ssh/ssh_host_rsa_key
        - /etc/ssh/ssh_host_ecdsa_key
        - /etc/ssh/ssh_host_ed25519_key
        - /etc/ssh/ssh_host_rsa_key.pub
        - /etc/ssh/ssh_host_ecdsa_key.pub
        - /etc/ssh/ssh_host_ed25519_key.pub
      register: ssh_host_keys_stat
    - name: Debug SSH host key ownership
      ansible.builtin.debug:
        var: ssh_host_keys_stat
```

And I am getting gid 0 and uid 0 for the host keys.
...
==> qemu.rockylinux-10-latest-x86_64: TASK [Get owner and group for SSH host keys] ***********************************
==> qemu.rockylinux-10-latest-x86_64: ok: [default] => (item=/etc/ssh/ssh_host_rsa_key)
==> qemu.rockylinux-10-latest-x86_64: ok: [default] => (item=/etc/ssh/ssh_host_ecdsa_key)
==> qemu.rockylinux-10-latest-x86_64: ok: [default] => (item=/etc/ssh/ssh_host_ed25519_key)
==> qemu.rockylinux-10-latest-x86_64: ok: [default] => (item=/etc/ssh/ssh_host_rsa_key.pub)
==> qemu.rockylinux-10-latest-x86_64: ok: [default] => (item=/etc/ssh/ssh_host_ecdsa_key.pub)
==> qemu.rockylinux-10-latest-x86_64: ok: [default] => (item=/etc/ssh/ssh_host_ed25519_key.pub)
==> qemu.rockylinux-10-latest-x86_64:
==> qemu.rockylinux-10-latest-x86_64: TASK [Debug SSH host key ownership] ********************************************
==> qemu.rockylinux-10-latest-x86_64: ok: [default] => {
==> qemu.rockylinux-10-latest-x86_64: "ssh_host_keys_stat": {
==> qemu.rockylinux-10-latest-x86_64: "changed": false,
==> qemu.rockylinux-10-latest-x86_64: "msg": "All items completed",
==> qemu.rockylinux-10-latest-x86_64: "results": [
==> qemu.rockylinux-10-latest-x86_64: {
==> qemu.rockylinux-10-latest-x86_64: "ansible_loop_var": "item",
==> qemu.rockylinux-10-latest-x86_64: "changed": false,
==> qemu.rockylinux-10-latest-x86_64: "failed": false,
==> qemu.rockylinux-10-latest-x86_64: "invocation": {
==> qemu.rockylinux-10-latest-x86_64: "module_args": {
==> qemu.rockylinux-10-latest-x86_64: "checksum_algorithm": "sha1",
==> qemu.rockylinux-10-latest-x86_64: "follow": false,
==> qemu.rockylinux-10-latest-x86_64: "get_attributes": true,
==> qemu.rockylinux-10-latest-x86_64: "get_checksum": true,
==> qemu.rockylinux-10-latest-x86_64: "get_md5": false,
==> qemu.rockylinux-10-latest-x86_64: "get_mime": true,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_rsa_key"
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: "item": "/etc/ssh/ssh_host_rsa_key",
==> qemu.rockylinux-10-latest-x86_64: "stat": {
==> qemu.rockylinux-10-latest-x86_64: "atime": 1778054939.9575148,
==> qemu.rockylinux-10-latest-x86_64: "attr_flags": "",
==> qemu.rockylinux-10-latest-x86_64: "attributes": [],
==> qemu.rockylinux-10-latest-x86_64: "block_size": 4096,
==> qemu.rockylinux-10-latest-x86_64: "blocks": 8,
==> qemu.rockylinux-10-latest-x86_64: "charset": "us-ascii",
==> qemu.rockylinux-10-latest-x86_64: "checksum": "37e34fcb68dcb80d73c8f3a63b4efcb6de651ee1",
==> qemu.rockylinux-10-latest-x86_64: "ctime": 1778054939.9515145,
==> qemu.rockylinux-10-latest-x86_64: "dev": 64515,
==> qemu.rockylinux-10-latest-x86_64: "device_type": 0,
==> qemu.rockylinux-10-latest-x86_64: "executable": false,
==> qemu.rockylinux-10-latest-x86_64: "exists": true,
==> qemu.rockylinux-10-latest-x86_64: "gid": 0,
==> qemu.rockylinux-10-latest-x86_64: "gr_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "inode": 942038,
==> qemu.rockylinux-10-latest-x86_64: "isblk": false,
==> qemu.rockylinux-10-latest-x86_64: "ischr": false,
==> qemu.rockylinux-10-latest-x86_64: "isdir": false,
==> qemu.rockylinux-10-latest-x86_64: "isfifo": false,
==> qemu.rockylinux-10-latest-x86_64: "isgid": false,
==> qemu.rockylinux-10-latest-x86_64: "islnk": false,
==> qemu.rockylinux-10-latest-x86_64: "isreg": true,
==> qemu.rockylinux-10-latest-x86_64: "issock": false,
==> qemu.rockylinux-10-latest-x86_64: "isuid": false,
==> qemu.rockylinux-10-latest-x86_64: "mimetype": "text/plain",
==> qemu.rockylinux-10-latest-x86_64: "mode": "0600",
==> qemu.rockylinux-10-latest-x86_64: "mtime": 1778054939.9325144,
==> qemu.rockylinux-10-latest-x86_64: "nlink": 1,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_rsa_key",
==> qemu.rockylinux-10-latest-x86_64: "pw_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "readable": true,
==> qemu.rockylinux-10-latest-x86_64: "rgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "roth": false,
==> qemu.rockylinux-10-latest-x86_64: "rusr": true,
==> qemu.rockylinux-10-latest-x86_64: "size": 3357,
==> qemu.rockylinux-10-latest-x86_64: "uid": 0,
==> qemu.rockylinux-10-latest-x86_64: "version": "3402224769",
==> qemu.rockylinux-10-latest-x86_64: "wgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "woth": false,
==> qemu.rockylinux-10-latest-x86_64: "writeable": true,
==> qemu.rockylinux-10-latest-x86_64: "wusr": true,
==> qemu.rockylinux-10-latest-x86_64: "xgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "xoth": false,
==> qemu.rockylinux-10-latest-x86_64: "xusr": false
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: {
==> qemu.rockylinux-10-latest-x86_64: "ansible_loop_var": "item",
==> qemu.rockylinux-10-latest-x86_64: "changed": false,
==> qemu.rockylinux-10-latest-x86_64: "failed": false,
==> qemu.rockylinux-10-latest-x86_64: "invocation": {
==> qemu.rockylinux-10-latest-x86_64: "module_args": {
==> qemu.rockylinux-10-latest-x86_64: "checksum_algorithm": "sha1",
==> qemu.rockylinux-10-latest-x86_64: "follow": false,
==> qemu.rockylinux-10-latest-x86_64: "get_attributes": true,
==> qemu.rockylinux-10-latest-x86_64: "get_checksum": true,
==> qemu.rockylinux-10-latest-x86_64: "get_md5": false,
==> qemu.rockylinux-10-latest-x86_64: "get_mime": true,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_ecdsa_key"
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: "item": "/etc/ssh/ssh_host_ecdsa_key",
==> qemu.rockylinux-10-latest-x86_64: "stat": {
==> qemu.rockylinux-10-latest-x86_64: "atime": 1777991022.4215162,
==> qemu.rockylinux-10-latest-x86_64: "attr_flags": "",
==> qemu.rockylinux-10-latest-x86_64: "attributes": [],
==> qemu.rockylinux-10-latest-x86_64: "block_size": 4096,
==> qemu.rockylinux-10-latest-x86_64: "blocks": 8,
==> qemu.rockylinux-10-latest-x86_64: "charset": "us-ascii",
==> qemu.rockylinux-10-latest-x86_64: "checksum": "6a71119fe4bb0c3ae6167a2ef3c82feda6b75764",
==> qemu.rockylinux-10-latest-x86_64: "ctime": 1777991021.334,
==> qemu.rockylinux-10-latest-x86_64: "dev": 64515,
==> qemu.rockylinux-10-latest-x86_64: "device_type": 0,
==> qemu.rockylinux-10-latest-x86_64: "executable": false,
==> qemu.rockylinux-10-latest-x86_64: "exists": true,
==> qemu.rockylinux-10-latest-x86_64: "gid": 0,
==> qemu.rockylinux-10-latest-x86_64: "gr_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "inode": 8696936,
==> qemu.rockylinux-10-latest-x86_64: "isblk": false,
==> qemu.rockylinux-10-latest-x86_64: "ischr": false,
==> qemu.rockylinux-10-latest-x86_64: "isdir": false,
==> qemu.rockylinux-10-latest-x86_64: "isfifo": false,
==> qemu.rockylinux-10-latest-x86_64: "isgid": false,
==> qemu.rockylinux-10-latest-x86_64: "islnk": false,
==> qemu.rockylinux-10-latest-x86_64: "isreg": true,
==> qemu.rockylinux-10-latest-x86_64: "issock": false,
==> qemu.rockylinux-10-latest-x86_64: "isuid": false,
==> qemu.rockylinux-10-latest-x86_64: "mimetype": "text/plain",
==> qemu.rockylinux-10-latest-x86_64: "mode": "0600",
==> qemu.rockylinux-10-latest-x86_64: "mtime": 1777991021.327,
==> qemu.rockylinux-10-latest-x86_64: "nlink": 1,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_ecdsa_key",
==> qemu.rockylinux-10-latest-x86_64: "pw_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "readable": true,
==> qemu.rockylinux-10-latest-x86_64: "rgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "roth": false,
==> qemu.rockylinux-10-latest-x86_64: "rusr": true,
==> qemu.rockylinux-10-latest-x86_64: "size": 480,
==> qemu.rockylinux-10-latest-x86_64: "uid": 0,
==> qemu.rockylinux-10-latest-x86_64: "version": "1112327632",
==> qemu.rockylinux-10-latest-x86_64: "wgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "woth": false,
==> qemu.rockylinux-10-latest-x86_64: "writeable": true,
==> qemu.rockylinux-10-latest-x86_64: "wusr": true,
==> qemu.rockylinux-10-latest-x86_64: "xgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "xoth": false,
==> qemu.rockylinux-10-latest-x86_64: "xusr": false
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: {
==> qemu.rockylinux-10-latest-x86_64: "ansible_loop_var": "item",
==> qemu.rockylinux-10-latest-x86_64: "changed": false,
==> qemu.rockylinux-10-latest-x86_64: "failed": false,
==> qemu.rockylinux-10-latest-x86_64: "invocation": {
==> qemu.rockylinux-10-latest-x86_64: "module_args": {
==> qemu.rockylinux-10-latest-x86_64: "checksum_algorithm": "sha1",
==> qemu.rockylinux-10-latest-x86_64: "follow": false,
==> qemu.rockylinux-10-latest-x86_64: "get_attributes": true,
==> qemu.rockylinux-10-latest-x86_64: "get_checksum": true,
==> qemu.rockylinux-10-latest-x86_64: "get_md5": false,
==> qemu.rockylinux-10-latest-x86_64: "get_mime": true,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_ed25519_key"
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: "item": "/etc/ssh/ssh_host_ed25519_key",
==> qemu.rockylinux-10-latest-x86_64: "stat": {
==> qemu.rockylinux-10-latest-x86_64: "atime": 1777991022.4225163,
==> qemu.rockylinux-10-latest-x86_64: "attr_flags": "",
==> qemu.rockylinux-10-latest-x86_64: "attributes": [],
==> qemu.rockylinux-10-latest-x86_64: "block_size": 4096,
==> qemu.rockylinux-10-latest-x86_64: "blocks": 8,
==> qemu.rockylinux-10-latest-x86_64: "charset": "us-ascii",
==> qemu.rockylinux-10-latest-x86_64: "checksum": "b4411b6781fed0fbf1630460a1052ec7f2a3301a",
==> qemu.rockylinux-10-latest-x86_64: "ctime": 1777991021.334,
==> qemu.rockylinux-10-latest-x86_64: "dev": 64515,
==> qemu.rockylinux-10-latest-x86_64: "device_type": 0,
==> qemu.rockylinux-10-latest-x86_64: "executable": false,
==> qemu.rockylinux-10-latest-x86_64: "exists": true,
==> qemu.rockylinux-10-latest-x86_64: "gid": 0,
==> qemu.rockylinux-10-latest-x86_64: "gr_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "inode": 8696938,
==> qemu.rockylinux-10-latest-x86_64: "isblk": false,
==> qemu.rockylinux-10-latest-x86_64: "ischr": false,
==> qemu.rockylinux-10-latest-x86_64: "isdir": false,
==> qemu.rockylinux-10-latest-x86_64: "isfifo": false,
==> qemu.rockylinux-10-latest-x86_64: "isgid": false,
==> qemu.rockylinux-10-latest-x86_64: "islnk": false,
==> qemu.rockylinux-10-latest-x86_64: "isreg": true,
==> qemu.rockylinux-10-latest-x86_64: "issock": false,
==> qemu.rockylinux-10-latest-x86_64: "isuid": false,
==> qemu.rockylinux-10-latest-x86_64: "mimetype": "text/plain",
==> qemu.rockylinux-10-latest-x86_64: "mode": "0600",
==> qemu.rockylinux-10-latest-x86_64: "mtime": 1777991021.33,
==> qemu.rockylinux-10-latest-x86_64: "nlink": 1,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_ed25519_key",
==> qemu.rockylinux-10-latest-x86_64: "pw_name": "root",
==> qemu.rockylinux-10-latest-x86_64: [WARNING]: Could not match supplied host pattern, ignoring: workers
==> qemu.rockylinux-10-latest-x86_64: "readable": true,
==> qemu.rockylinux-10-latest-x86_64: "rgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "roth": false,
==> qemu.rockylinux-10-latest-x86_64: "rusr": true,
==> qemu.rockylinux-10-latest-x86_64: "size": 387,
==> qemu.rockylinux-10-latest-x86_64: "uid": 0,
==> qemu.rockylinux-10-latest-x86_64: "version": "3201095473",
==> qemu.rockylinux-10-latest-x86_64: "wgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "woth": false,
==> qemu.rockylinux-10-latest-x86_64: "writeable": true,
==> qemu.rockylinux-10-latest-x86_64: "wusr": true,
==> qemu.rockylinux-10-latest-x86_64: "xgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "xoth": false,
==> qemu.rockylinux-10-latest-x86_64: "xusr": false
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: {
==> qemu.rockylinux-10-latest-x86_64: "ansible_loop_var": "item",
==> qemu.rockylinux-10-latest-x86_64: "changed": false,
==> qemu.rockylinux-10-latest-x86_64: "failed": false,
==> qemu.rockylinux-10-latest-x86_64: "invocation": {
==> qemu.rockylinux-10-latest-x86_64: "module_args": {
==> qemu.rockylinux-10-latest-x86_64: "checksum_algorithm": "sha1",
==> qemu.rockylinux-10-latest-x86_64: "follow": false,
==> qemu.rockylinux-10-latest-x86_64: "get_attributes": true,
==> qemu.rockylinux-10-latest-x86_64: "get_checksum": true,
==> qemu.rockylinux-10-latest-x86_64: "get_md5": false,
==> qemu.rockylinux-10-latest-x86_64: "get_mime": true,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_rsa_key.pub"
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: "item": "/etc/ssh/ssh_host_rsa_key.pub",
==> qemu.rockylinux-10-latest-x86_64: "stat": {
==> qemu.rockylinux-10-latest-x86_64: "atime": 1778054939.9575148,
==> qemu.rockylinux-10-latest-x86_64: "attr_flags": "",
==> qemu.rockylinux-10-latest-x86_64: "attributes": [],
==> qemu.rockylinux-10-latest-x86_64: "block_size": 4096,
==> qemu.rockylinux-10-latest-x86_64: "blocks": 8,
==> qemu.rockylinux-10-latest-x86_64: "charset": "us-ascii",
==> qemu.rockylinux-10-latest-x86_64: "checksum": "22f1fd46799bd2226d4431abd96149c3d542bca6",
==> qemu.rockylinux-10-latest-x86_64: "ctime": 1778054939.9515145,
==> qemu.rockylinux-10-latest-x86_64: "dev": 64515,
==> qemu.rockylinux-10-latest-x86_64: "device_type": 0,
==> qemu.rockylinux-10-latest-x86_64: "executable": false,
==> qemu.rockylinux-10-latest-x86_64: "exists": true,
==> qemu.rockylinux-10-latest-x86_64: "gid": 0,
==> qemu.rockylinux-10-latest-x86_64: "gr_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "inode": 942039,
==> qemu.rockylinux-10-latest-x86_64: "isblk": false,
==> qemu.rockylinux-10-latest-x86_64: "ischr": false,
==> qemu.rockylinux-10-latest-x86_64: "isdir": false,
==> qemu.rockylinux-10-latest-x86_64: "isfifo": false,
==> qemu.rockylinux-10-latest-x86_64: "isgid": false,
==> qemu.rockylinux-10-latest-x86_64: "islnk": false,
==> qemu.rockylinux-10-latest-x86_64: "isreg": true,
==> qemu.rockylinux-10-latest-x86_64: "issock": false,
==> qemu.rockylinux-10-latest-x86_64: "isuid": false,
==> qemu.rockylinux-10-latest-x86_64: "mimetype": "text/plain",
==> qemu.rockylinux-10-latest-x86_64: "mode": "0644",
==> qemu.rockylinux-10-latest-x86_64: "mtime": 1778054939.9325144,
==> qemu.rockylinux-10-latest-x86_64: "nlink": 1,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_rsa_key.pub",
==> qemu.rockylinux-10-latest-x86_64: "pw_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "readable": true,
==> qemu.rockylinux-10-latest-x86_64: "rgrp": true,
==> qemu.rockylinux-10-latest-x86_64: "roth": true,
==> qemu.rockylinux-10-latest-x86_64: "rusr": true,
==> qemu.rockylinux-10-latest-x86_64: "size": 726,
==> qemu.rockylinux-10-latest-x86_64: "uid": 0,
==> qemu.rockylinux-10-latest-x86_64: "version": "4285418125",
==> qemu.rockylinux-10-latest-x86_64: "wgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "woth": false,
==> qemu.rockylinux-10-latest-x86_64: "writeable": true,
==> qemu.rockylinux-10-latest-x86_64: "wusr": true,
==> qemu.rockylinux-10-latest-x86_64: "xgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "xoth": false,
==> qemu.rockylinux-10-latest-x86_64: "xusr": false
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: {
==> qemu.rockylinux-10-latest-x86_64: "ansible_loop_var": "item",
==> qemu.rockylinux-10-latest-x86_64: "changed": false,
==> qemu.rockylinux-10-latest-x86_64: "failed": false,
==> qemu.rockylinux-10-latest-x86_64: "invocation": {
==> qemu.rockylinux-10-latest-x86_64: "module_args": {
==> qemu.rockylinux-10-latest-x86_64: "checksum_algorithm": "sha1",
==> qemu.rockylinux-10-latest-x86_64: "follow": false,
==> qemu.rockylinux-10-latest-x86_64: "get_attributes": true,
==> qemu.rockylinux-10-latest-x86_64: "get_checksum": true,
==> qemu.rockylinux-10-latest-x86_64: "get_md5": false,
==> qemu.rockylinux-10-latest-x86_64: "get_mime": true,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_ecdsa_key.pub"
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: "item": "/etc/ssh/ssh_host_ecdsa_key.pub",
==> qemu.rockylinux-10-latest-x86_64: "stat": {
==> qemu.rockylinux-10-latest-x86_64: "atime": 1777991022.4215162,
==> qemu.rockylinux-10-latest-x86_64: "attr_flags": "",
==> qemu.rockylinux-10-latest-x86_64: "attributes": [],
==> qemu.rockylinux-10-latest-x86_64: "block_size": 4096,
==> qemu.rockylinux-10-latest-x86_64: "blocks": 8,
==> qemu.rockylinux-10-latest-x86_64: "charset": "us-ascii",
==> qemu.rockylinux-10-latest-x86_64: "checksum": "a7c785014a90d323f57e2470160b15663ab61dd6",
==> qemu.rockylinux-10-latest-x86_64: "ctime": 1777991021.337,
==> qemu.rockylinux-10-latest-x86_64: "dev": 64515,
==> qemu.rockylinux-10-latest-x86_64: "device_type": 0,
==> qemu.rockylinux-10-latest-x86_64: "executable": false,
==> qemu.rockylinux-10-latest-x86_64: "exists": true,
==> qemu.rockylinux-10-latest-x86_64: "gid": 0,
==> qemu.rockylinux-10-latest-x86_64: "gr_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "inode": 8696937,
==> qemu.rockylinux-10-latest-x86_64: "isblk": false,
==> qemu.rockylinux-10-latest-x86_64: "ischr": false,
==> qemu.rockylinux-10-latest-x86_64: "isdir": false,
==> qemu.rockylinux-10-latest-x86_64: "isfifo": false,
==> qemu.rockylinux-10-latest-x86_64: "isgid": false,
==> qemu.rockylinux-10-latest-x86_64: "islnk": false,
==> qemu.rockylinux-10-latest-x86_64: "isreg": true,
==> qemu.rockylinux-10-latest-x86_64: "issock": false,
==> qemu.rockylinux-10-latest-x86_64: "isuid": false,
==> qemu.rockylinux-10-latest-x86_64: "mimetype": "text/plain",
==> qemu.rockylinux-10-latest-x86_64: "mode": "0644",
==> qemu.rockylinux-10-latest-x86_64: "mtime": 1777991021.327,
==> qemu.rockylinux-10-latest-x86_64: "nlink": 1,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_ecdsa_key.pub",
==> qemu.rockylinux-10-latest-x86_64: "pw_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "readable": true,
==> qemu.rockylinux-10-latest-x86_64: "rgrp": true,
==> qemu.rockylinux-10-latest-x86_64: "roth": true,
==> qemu.rockylinux-10-latest-x86_64: "rusr": true,
==> qemu.rockylinux-10-latest-x86_64: "size": 162,
==> qemu.rockylinux-10-latest-x86_64: "uid": 0,
==> qemu.rockylinux-10-latest-x86_64: "version": "3386923094",
==> qemu.rockylinux-10-latest-x86_64: "wgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "woth": false,
==> qemu.rockylinux-10-latest-x86_64: "writeable": true,
==> qemu.rockylinux-10-latest-x86_64: "wusr": true,
==> qemu.rockylinux-10-latest-x86_64: "xgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "xoth": false,
==> qemu.rockylinux-10-latest-x86_64: "xusr": false
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: {
==> qemu.rockylinux-10-latest-x86_64: "ansible_loop_var": "item",
==> qemu.rockylinux-10-latest-x86_64: "changed": false,
==> qemu.rockylinux-10-latest-x86_64: "failed": false,
==> qemu.rockylinux-10-latest-x86_64: "invocation": {
==> qemu.rockylinux-10-latest-x86_64: "module_args": {
==> qemu.rockylinux-10-latest-x86_64: "checksum_algorithm": "sha1",
==> qemu.rockylinux-10-latest-x86_64: "follow": false,
==> qemu.rockylinux-10-latest-x86_64: "get_attributes": true,
==> qemu.rockylinux-10-latest-x86_64: "get_checksum": true,
==> qemu.rockylinux-10-latest-x86_64: "get_md5": false,
==> qemu.rockylinux-10-latest-x86_64: "get_mime": true,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_ed25519_key.pub"
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: },
==> qemu.rockylinux-10-latest-x86_64: "item": "/etc/ssh/ssh_host_ed25519_key.pub",
==> qemu.rockylinux-10-latest-x86_64: "stat": {
==> qemu.rockylinux-10-latest-x86_64: "atime": 1777991022.4225163,
==> qemu.rockylinux-10-latest-x86_64: "attr_flags": "",
==> qemu.rockylinux-10-latest-x86_64: "attributes": [],
==> qemu.rockylinux-10-latest-x86_64: "block_size": 4096,
==> qemu.rockylinux-10-latest-x86_64: "blocks": 8,
==> qemu.rockylinux-10-latest-x86_64: "charset": "us-ascii",
==> qemu.rockylinux-10-latest-x86_64: "checksum": "f7e6b5239e08632a94a19bd170895648db17e48d",
==> qemu.rockylinux-10-latest-x86_64: "ctime": 1777991021.336,
==> qemu.rockylinux-10-latest-x86_64: "dev": 64515,
==> qemu.rockylinux-10-latest-x86_64: "device_type": 0,
==> qemu.rockylinux-10-latest-x86_64: "executable": false,
==> qemu.rockylinux-10-latest-x86_64: "exists": true,
==> qemu.rockylinux-10-latest-x86_64: "gid": 0,
==> qemu.rockylinux-10-latest-x86_64: "gr_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "inode": 8696939,
==> qemu.rockylinux-10-latest-x86_64: "isblk": false,
==> qemu.rockylinux-10-latest-x86_64: "ischr": false,
==> qemu.rockylinux-10-latest-x86_64: "isdir": false,
==> qemu.rockylinux-10-latest-x86_64: "isfifo": false,
==> qemu.rockylinux-10-latest-x86_64: "isgid": false,
==> qemu.rockylinux-10-latest-x86_64: "islnk": false,
==> qemu.rockylinux-10-latest-x86_64: "isreg": true,
==> qemu.rockylinux-10-latest-x86_64: "issock": false,
==> qemu.rockylinux-10-latest-x86_64: "isuid": false,
==> qemu.rockylinux-10-latest-x86_64: "mimetype": "text/plain",
==> qemu.rockylinux-10-latest-x86_64: "mode": "0644",
==> qemu.rockylinux-10-latest-x86_64: "mtime": 1777991021.33,
==> qemu.rockylinux-10-latest-x86_64: "nlink": 1,
==> qemu.rockylinux-10-latest-x86_64: "path": "/etc/ssh/ssh_host_ed25519_key.pub",
==> qemu.rockylinux-10-latest-x86_64: "pw_name": "root",
==> qemu.rockylinux-10-latest-x86_64: "readable": true,
==> qemu.rockylinux-10-latest-x86_64: "rgrp": true,
==> qemu.rockylinux-10-latest-x86_64: "roth": true,
==> qemu.rockylinux-10-latest-x86_64: "rusr": true,
==> qemu.rockylinux-10-latest-x86_64: "size": 82,
==> qemu.rockylinux-10-latest-x86_64: "uid": 0,
==> qemu.rockylinux-10-latest-x86_64: "version": "2826168267",
==> qemu.rockylinux-10-latest-x86_64: "wgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "woth": false,
==> qemu.rockylinux-10-latest-x86_64: "writeable": true,
==> qemu.rockylinux-10-latest-x86_64: "wusr": true,
==> qemu.rockylinux-10-latest-x86_64: "xgrp": false,
==> qemu.rockylinux-10-latest-x86_64: "xoth": false,
==> qemu.rockylinux-10-latest-x86_64: "xusr": false
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: ],
==> qemu.rockylinux-10-latest-x86_64: "skipped": false
==> qemu.rockylinux-10-latest-x86_64: }
==> qemu.rockylinux-10-latest-x86_64: }
...
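To turn the ownership check in the post_tasks above into something that can fail a build rather than only print a debug dump, here is an added example (not code from the vgcn repository or from the comment's author) that audits the same `ssh_host_keys_stat` structure, `results[].stat`, against a small policy table. The register below is constructed to mirror the values in the Rocky 10 output above (root:root, 0600 for private keys, 0644 for public keys), abbreviated to the fields the audit reads; `audit_host_keys` and `tampered_register` are names chosen here.

```python
"""Audit SSH host-key ownership and permissions from an Ansible ``stat`` register."""
import copy
import stat


def _entry(path, mode, uid=0, pw_name="root", gid=0, gr_name="root", exists=True, islnk=False):
    """Build one element of ``results`` with the subset of stat fields the audit uses."""
    return {
        "item": path, "changed": False, "failed": False,
        "stat": {"path": path, "exists": exists, "islnk": islnk, "isreg": not islnk,
                 "mode": mode, "uid": uid, "pw_name": pw_name, "gid": gid, "gr_name": gr_name},
    }


# Constructed register mirroring the values seen in the Rocky 10 debug output above.
SAMPLE_REGISTER = {
    "changed": False, "msg": "All items completed", "skipped": False,
    "results": [
        _entry("/etc/ssh/ssh_host_rsa_key", "0600"),
        _entry("/etc/ssh/ssh_host_ecdsa_key", "0600"),
        _entry("/etc/ssh/ssh_host_ed25519_key", "0600"),
        _entry("/etc/ssh/ssh_host_rsa_key.pub", "0644"),
        _entry("/etc/ssh/ssh_host_ecdsa_key.pub", "0644"),
        _entry("/etc/ssh/ssh_host_ed25519_key.pub", "0644"),
    ],
}

# Policy: (owner, group, mode) triples accepted for private and public host keys.
# root:root 0600 is what the Rocky 10 build produced; root:ssh_keys 0640 is the layout the
# hardening role in the review tries to set (group-readable only for the ssh_keys group).
PRIVATE_OK = {("root", "root", 0o600), ("root", "ssh_keys", 0o640)}
PUBLIC_OK = {("root", "root", 0o644)}


def audit_host_keys(register):
    """Return a list of (path, reason) findings; an empty list means every key is in policy."""
    findings = []
    for result in register.get("results", []):
        st = result.get("stat") or {}
        path = result.get("item") or st.get("path", "?")
        if not st.get("exists"):
            findings.append((path, "missing"))
            continue
        if st.get("islnk"):
            findings.append((path, "is a symlink"))
        mode = int(st["mode"], 8) & 0o7777          # Ansible reports mode as an octal string
        if st.get("uid") != 0:
            findings.append((path, f"owned by uid {st.get('uid')}, expected root"))
        triple = (st.get("pw_name"), st.get("gr_name"), mode)
        allowed = PUBLIC_OK if path.endswith(".pub") else PRIVATE_OK
        if triple not in allowed:
            findings.append((path, f"{triple[0]}:{triple[1]} {mode:04o} not in policy"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):   # never acceptable for either key type
            findings.append((path, "group- or world-writable"))
    return findings


def tampered_register():
    """Constructed negative case: the RSA private key left 0644 with group 'wheel'."""
    reg = copy.deepcopy(SAMPLE_REGISTER)
    reg["results"][0]["stat"].update(mode="0644", gid=10, gr_name="wheel")
    return reg


if __name__ == "__main__":
    print("clean register:", audit_host_keys(SAMPLE_REGISTER))
    for path, why in audit_host_keys(tampered_register()):
        print(f"{path}: {why}")
```

Inside a playbook the same policy can be expressed as an `ansible.builtin.assert` over `ssh_host_keys_stat.results`; the point of the table is that both layouts seen in this thread are acceptable, while a private key readable by any other group, or writable by group or world, is not.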
Now that I puzzle it, this might be SELinux. Have you tried with it already disabled?
I was reviewing the rest of the PR and found this.
Maybe that line had something to do with the discrepancy before it was modified?
| %post --erroronfail | ||
| grubby --update-kernel=ALL --args="console=ttyS0,115200n8 console=tty0" | ||
| cat > /etc/ssh/sshd_config.d/01-permit-root.conf <<EOF |
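Review bot: `%post` writes `/etc/ssh/sshd_config.d/01-permit-root.conf` and nothing in this hunk removes it again; since the RHEL-family `sshd_config` includes `sshd_config.d/*.conf` ahead of its own directives, the drop-in wins over any `PermitRootLogin` a hardening role later writes into `/etc/ssh/sshd_config`. Add a cleanup task that deletes the file once provisioning no longer needs root password login.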
Is this file deleted later? Otherwise I'd keep the previous mechanism that edits /etc/ssh/sshd_config. If the file stays there, the SSH hardening roles won't be able to revert these changes.
$ cat /etc/ssh/sshd_config.d/01-permit-root.conf
PermitRootLogin yes
PasswordAuthentication yes
from a recent build; good find!
I think this is required since the provisioning needs to connect to the VM with root login and password?
We could then add a task to remove this file tho
That's right, it is required.
We could then add a task to remove this file tho
That's also my point, that this file is a security liability and should be removed before the build is complete.
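Why a drop-in under sshd_config.d beats an edit to /etc/ssh/sshd_config, as an added example (not code from the vgcn repository or from the devsec role): sshd_config(5) keeps the first obtained value for each keyword, and the RHEL-family default file begins with `Include /etc/ssh/sshd_config.d/*.conf`, so `01-permit-root.conf` is read before any `PermitRootLogin no` a hardening role places in the main file. The in-memory file tree is constructed for this thread (the main file and `50-redhat.conf` are stand-ins, not copies of a real image), and `resolve` and `permissive_leftovers` are names chosen here.

```python
"""Resolve effective sshd keyword values across sshd_config and its Include'd drop-ins."""
import fnmatch
import posixpath
import re

# Constructed in-memory tree: a RHEL-style main file whose first directive includes
# sshd_config.d/*.conf, the drop-in written by the kickstart in this PR, and a stand-in
# for a vendor drop-in. The last two lines of the main file stand for what a hardening
# role appends there.
TREE = {
    "/etc/ssh/sshd_config": "\n".join([
        "Include /etc/ssh/sshd_config.d/*.conf",
        "AuthorizedKeysFile .ssh/authorized_keys",
        "Subsystem sftp /usr/libexec/openssh/sftp-server",
        "PermitRootLogin no",
        "PasswordAuthentication no",
    ]),
    "/etc/ssh/sshd_config.d/01-permit-root.conf": "PermitRootLogin yes\nPasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/50-redhat.conf": "SyslogFacility AUTHPRIV\nChallengeResponseAuthentication no\n",
}

# sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def _glob(pattern, files):
    """Expand an Include pattern against the in-memory tree in sorted (glob) order."""
    return sorted(p for p in files if fnmatch.fnmatchcase(p, pattern))


def resolve(files, root="/etc/ssh/sshd_config"):
    """Return {keyword_lowercase: (value, file)} using sshd's first-obtained-value rule.

    Include is expanded at the position of the directive. Lines after a Match header
    (other than 'Match all') are skipped: a simplification that is exact for keywords
    sitting outside Match blocks, which is the case for the two checked here.
    """
    effective = {}

    def walk(path):
        in_match = False
        for raw in files.get(path, "").splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = _DIRECTIVE.match(line)
            if not m:
                continue
            key, rest = m.group(1).lower(), m.group(2).strip()
            if key == "match":
                in_match = rest.lower() != "all"
                continue
            if in_match:
                continue
            if key == "include":
                for pattern in rest.split():
                    if not pattern.startswith("/"):
                        pattern = posixpath.join("/etc/ssh", pattern)
                    for included in _glob(pattern, files):
                        walk(included)
            else:
                effective.setdefault(key, (rest, path))  # first value wins, later ones ignored

    walk(root)
    return effective


# Acceptable while the provisioner needs them, but they must not survive in the image.
PERMISSIVE = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def permissive_leftovers(files, root="/etc/ssh/sshd_config"):
    """List (keyword, value, file) for permissive settings that win in the effective config."""
    eff = resolve(files, root)
    return sorted((k, v, p) for k, (v, p) in eff.items()
                  if k in PERMISSIVE and v.lower() == PERMISSIVE[k])


if __name__ == "__main__":
    for keyword, value, origin in permissive_leftovers(TREE):
        print(f"{keyword} {value} comes from {origin}")
    cleaned = {p: c for p, c in TREE.items() if not p.endswith("01-permit-root.conf")}
    print("after removing the drop-in:", permissive_leftovers(cleaned))
```

Removing the drop-in at the end of the build (an `ansible.builtin.file` task with `state: absent`, once provisioning no longer needs root password login) is what makes `permissive_leftovers` come back empty; editing `PermitRootLogin` in the main file alone does not, because the include is processed first.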
| name = "rockylinux-10-latest-x86_64" | ||
| vm_name = "rockylinux-10-latest-x86_64" | ||
| iso_url = "https://download.rockylinux.org/pub/rocky/10/isos/x86_64/Rocky-10-latest-x86_64-boot.iso" | ||
| iso_checksum = "sha256:18543988d9a1a5632d142c3dc288136dcc48ab71628f92ebcd40ada7f4ecd110" |
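Review bot: `iso_url` points at `Rocky-10-latest-x86_64-boot.iso` while `iso_checksum` is a fixed sha256, so the build breaks every time a new `latest` ISO is published; pin a point-release ISO instead (the later `dnf upgrade` in the shell provisioner still brings the image to the newest minor).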
The little problem with using latest is that the CI will break periodically.
While the fix is easy (update the checksum), it's a sure source of annoyance. When I wrote this file, I used pinned minor versions because the checksum stays constant but still dnf upgrade (in the shell provisioner you've defined later) upgrades the minor version, so the end result is the same (latest version).
so the end result is the same (latest version).
But then there is nothing really we can do or do you suggest a fix?
so the end result is the same (latest version).
But then there is nothing really we can do or do you suggest a fix?
The suggestion would be using a point release iso such as https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.1-x86_64-boot.iso, after running dnf update it should become latest.
| # From vgcn-infrastrucure playbook: | ||
| # - name: Copy Cvmfs Telemetry Listener | ||
| # ansible.builtin.template: | ||
| # src: telegraf-cvmfs-listener.conf.j2 | ||
| # dest: "{{ telegraf_agent_config_path }}/telegraf.d/cvmfs-listener.conf" | ||
| # mode: "0640" | ||
| # owner: telegraf | ||
| # group: telegraf | ||
| # no_log: true |
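Review bot: a commented-out task block is left in the playbook with no reason recorded; either delete it or add a one-line comment naming why it is disabled (the `no_log: true` failure on Rocky 9 reported further down) and where it is tracked, so it does not silently go stale.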
| # From vgcn-infrastrucure playbook: | |
| # - name: Copy Cvmfs Telemetry Listener | |
| # ansible.builtin.template: | |
| # src: telegraf-cvmfs-listener.conf.j2 | |
| # dest: "{{ telegraf_agent_config_path }}/telegraf.d/cvmfs-listener.conf" | |
| # mode: "0640" | |
| # owner: telegraf | |
| # group: telegraf | |
| # no_log: true |
I guess this was a temporary change to test that it works?
| tasks: | ||
| - ansible.builtin.include_role: | ||
| name: cloudinit | ||
| when: "not ('pxe' in group_names or 'kvm' in group_names)" | ||
| when: "'cloud' in group_names" | ||
| - ansible.builtin.include_role: | ||
| name: cloudinit-pxe | ||
| when: "'pxe' in group_names" |
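Review bot: the `cloudinit` condition changed from `not ('pxe' in group_names or 'kvm' in group_names)` to `'cloud' in group_names`, so a host in none of `pxe`, `kvm` or `cloud` now gets neither cloud-init role where it previously got `cloudinit`; confirm that is what the new `delivery` option (pxe, kvm, cloud or nothing) intends.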
I don't think it's worth changing it if things are working, but still I wanted to comment that this whole block seems to be a bit misplaced.
Shouldn't cloudinit-pxe be part of the pxe.yml playbook? Also I guess it'd make sense to move cloudinit to generic (with the "cloud" group names check).
But let's not touch it now if it works, this is very minor.
| [[inputs.socket_listener]] | ||
| service_address = "udp://:8092" | ||
| data_format = "influx" |
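Review bot: `service_address = "udp://:8092"` binds the listener on every interface with no source restriction; if it only serves the CVMFS telemetry listener on the same host, bind it to `udp://127.0.0.1:8092` or make sure the image's firewall rules keep the port closed externally.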
I see this is related to https://github.com/usegalaxy-eu/vgcn/pull/111/changes#r3194315139.
Should that code then be commented out or not? Should this file belong to vgcn-infrastructure-playbook or here?
I commented it out because, when trying to build an image for copy-fail, on Rocky 9 I'm getting this error:
qemu.rockylinux-9-latest-x86_64: TASK [Copy Cvmfs Telemetry Listener] *******************************************
qemu.rockylinux-9-latest-x86_64: fatal: [default]: FAILED! => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"}
https://build.galaxyproject.eu/job/usegalaxy-eu/job/VGCN-Image-Build/287/consoleText
I actually didn't test this again. TODO tasks for sure.
| $ANSIBLE_VAULT;1.1;AES256 | ||
| 61623735323130376266363635363062346261376636313363636531636162323231316161383766 | ||
| 6435643438663633303763653535353465336261656436620a666639353539383530353661616634 | ||
| 62386638363131616132663963393033346534613365366437333736323234623935346266636162 | ||
| 6262633366356438310a326362623464353033656137613235396665346364306431306430336563 | ||
| 39323463666164663162623939333138636631353432616236323431373662303665306435343030 | ||
| 61373065313834386436656333363737393037326164623331373066386237623638613962376366 | ||
| 38623965663337313532366162313361626231626439643831333363666431313635643933343634 | ||
| 36643839333539353039 | ||
| 37633630633562326663353439376330363065643036633862646666643933376464633835653138 | ||
| 3932343163656239313837666662336161366633666335610a323230663130626561663337636131 | ||
| 39316138333164363039383536313332363133396534613639313134396633613037386133373933 | ||
| 6161626632363261360a616538316564363963356235653364656161353361663364373638383736 | ||
| 61623034633461636539653539326166626136656335346665643635383130333565336438386139 | ||
| 66633037643662613538323831313938326533633064386639656265313135336261303066363038 | ||
| 62616630353263353033333234623364383664363939376431383361313565363861333566333834 | ||
| 34306565643161313535626632326466623634666638613731353762616564343435396461633539 | ||
| 33333035336337353933383831646338663134663930633134363837356632376331 |
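Review bot: this vault blob defines `kvm_root_password` a second time while `secret_group_vars/kvm.yml` already holds it; keep a single encrypted definition so a rotation cannot leave the two copies out of sync.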
kvm_root_password is duplicated. It is also defined in secret_group_vars/kvm.yml (where it belongs?!).
| java_packages: | ||
| - java-11-openjdk | ||
| - java-11-openjdk-devel | ||
| - java-21-openjdk |
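Review bot: `java_packages` grows to three packages while the PR removes Jenkins; if the variable only feeds geerlingguy.java for Jenkins, remove the variable and the role together instead of extending the list.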
Actually we should be able to remove java_packages all together, right @mira-miracoli? Isn't this variable meant for geerlingguy.java and that in turn meant for Jenkins?
Co-authored-by: José Manuel Domínguez <43052541+domgz@users.noreply.github.com>
Co-authored-by: Mira <86979912+mira-miracoli@users.noreply.github.com>
Summary

Created a new option `delivery` that mutually exclusively selects between pxe, kvm, cloud or nothing.

Notable changes:

- `delivery`: mutually exclusively selects between pxe, kvm, cloud or nothing.
- sshd hardening at delivery level, meaning that we make the role call when the pxe, kvm and cloud playbooks are called. This is because we might want to permit root login for kvm hosts in order to provision them later, or we might want to disable it entirely for pxe and cloud builds (cloudinit or pxe boot).
- `remap_user` role from `handyos` entirely (further discussion can be added here).