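---
# This Ansible playbook is used for preparing base AMI for Ember testing
# and is intended to be executed by AWS EC2 Image Builder.
#
# Supported base OS are Amazon Linux 2/2023 and RockyLinux.
# RHEL and its other derivates are probably supported, but not tested.
#
# The play targets the local host with become: true, so every task below
# runs as root on the image being built. Per-distribution tasks are gated
# with `when` on ansible_facts, which is why gather_facts stays enabled.
- name: AMI preparation
  hosts: 127.0.0.1
  gather_facts: true
  connection: local
  become: true
  vars:
    # Appended verbatim to every installed kernel by the final grubby task.
    # The options are tuned for low-latency benchmarking (CPU isolation via
    # isolcpus / nohz_full / rcu_nocbs, polling idle, no NMI watchdog) and
    # they also switch off CPU vulnerability mitigations, SELinux and kernel
    # auditing. Keep images built from this play inside the test
    # environment; they are not hardened for general-purpose use.
    kernel_boot_params: >-
      transparent_hugepage=never intel_pstate=disable
      intel_idle.max_cstate=0 processor.max_cstate=0 mce=ignore_ce
      nosoftlockup=0 audit=0 idle=poll nmi_watchdog=0 mitigations=off
      isolcpus=10-23,34-47 nohz_full=10-23,34-47 rcu_nocbs=10-23,34-47
      selinux=0

  tasks:
    # Amazon Linux 2 ships an older kernel, so it is rebuilt from source with
    # the settings in kernel.yml; the other distributions keep their stock
    # kernel and only receive the boot parameters above.
    - name: Re-build kernel for Amazon Linux 2
      include_tasks: kernel.yml
      vars:
        build_dir: "/tmp/linux"
        kernel_prefix: "tickless"
        build_packages:
          - "@Development tools"
          - "ncurses-devel"
          - "bison"
          - "flex"
          - "elfutils-libelf-devel"
          - "openssl-devel"
          - "dwarves"
      when:
        - ansible_facts["distribution"] == "Amazon"
        - ansible_facts["distribution_version"] == "2"

    # Docker CE is not in the Rocky / RHEL base repositories. The upstream
    # repository is added with package signature verification enabled so the
    # dnf task below does not have to disable GPG checks for third-party
    # packages.
    - name: Add Docker repo for Rocky Linux / RHEL
      yum_repository:
        name: Docker
        description: Docker CE repo
        baseurl: "https://download.docker.com/linux/centos/$releasever/$basearch/stable"
        gpgcheck: true
        gpgkey: "https://download.docker.com/linux/centos/gpg"
      when: ansible_facts["distribution"] in ["Rocky", "RedHat"]

    - name: Install Docker (Amazon Linux)
      package:
        name: docker
        state: present
      when: ansible_facts["distribution"] == "Amazon"

    # Installed in one transaction; signatures are verified against the key
    # configured on the Docker repository task above.
    - name: Install Docker (Rocky Linux / RHEL)
      dnf:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
        state: present
      when: ansible_facts["distribution"] in ["Rocky", "RedHat"]

    - name: Enable Docker service
      service:
        name: docker
        enabled: true

    # It's hard to get default non-root user when running under AWS Image
    # Builder, so the distribution's default login user is added explicitly.
    # Membership in the docker group is root-equivalent on the host through
    # the Docker socket; that is intended for the test user here.
    - name: Add ec2-user user to docker group
      user:
        name: ec2-user
        groups: docker
        append: true
      when: ansible_facts["distribution"] in ["Amazon", "RedHat"]

    - name: Add rocky user to docker group
      user:
        name: rocky
        groups: docker
        append: true
      when: ansible_facts["distribution"] == "Rocky"

    - name: Install tuned
      package:
        name: tuned
        state: present

    - name: Enable tuned service
      service:
        name: tuned
        enabled: true
        state: started

    # tuned-adm has no dedicated module. --async returns before the profile
    # switch completes, so later tasks must not depend on it being applied.
    - name: Set tuned profile
      command: "tuned-adm --async profile latency-performance"

    # The per-distribution lists below disable services that are not needed
    # for benchmarking. Note that auditd is among them: images built from
    # this play keep no local audit trail.
    - name: Disable unused services (Amazon Linux 2)
      service:
        name: "{{ item }}"
        enabled: false
      loop:
        - auditd
        - rngd
        - mdmonitor
        - dmraid-activation
        - lvm2-monitor
        - postfix
      when:
        - ansible_facts["distribution"] == "Amazon"
        - ansible_facts["distribution_version"] == "2"

    - name: Disable unused services (Amazon Linux 2023)
      service:
        name: "{{ item }}"
        enabled: false
      loop:
        - auditd
        - rngd
        - selinux-autorelabel-mark
        - sssd
        - sssd-kcm
      when:
        - ansible_facts["distribution"] == "Amazon"
        - ansible_facts["distribution_version"] == "2023"

    - name: Disable unused services (Rocky Linux)
      service:
        name: "{{ item }}"
        enabled: false
      loop:
        - auditd
        - rngd
        - selinux-autorelabel-mark
        - sssd
        - sssd-kcm
        - mdmonitor
      when: ansible_facts["distribution"] == "Rocky"

    # firewalld is disabled here as well, so the host relies entirely on the
    # surrounding network controls (e.g. security groups) for filtering.
    - name: Disable unused services (RHEL)
      service:
        name: "{{ item }}"
        enabled: false
      loop:
        - auditd
        - selinux-autorelabel-mark
        - sssd
        - sssd-kcm
        - firewalld
        - atd
        - lvm2-monitor
        - mdmonitor
        - dbus-org.freedesktop.nm-dispatcher
        - import-state
        - kdump
        - NetworkManager-dispatcher
        - NetworkManager-wait-online
        - nis-domainname
        - vdo
        - multipathd
        - iscsi
        - iscsi-onboot
        - nvmefc-boot-connections
        - dbus-org.freedesktop.timedate1
        - timedatex
        - loadmodules
      when: ansible_facts["distribution"] == "RedHat"

    # Values are kept as quoted strings so YAML does not retype them; the
    # sysctl module writes them to a dedicated drop-in file.
    - name: Set kernel parameters via sysctl
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_file: "/etc/sysctl.d/01-ember.conf"
      loop:
        - name: 'net.core.rmem_max'
          value: '2097152'
        - name: 'net.core.wmem_max'
          value: '2097152'
        - name: 'vm.stat_interval'
          value: '3600'
        - name: 'vm.mmap_min_addr'
          value: '4096'

    # Applies kernel_boot_params to all installed kernels (including the one
    # rebuilt for Amazon Linux 2). The command is not idempotent: running the
    # play twice appends the arguments twice.
    - name: Add boot kernel parameters
      command: 'grubby --update-kernel=ALL --args="{{ kernel_boot_params }}"'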