add base for packer and ansible (#25)

Signed-off-by: Vince Prignano <vince@vincepri.com>

.gitignore

@@ -12,4 +12,7 @@
 *.out
 
 # Vendor director
-vendor
+vendor
+
+# Ansible
+*.retry

images/README.md

@@ -0,0 +1,125 @@
+# Building Images
+
+This directory contains tooling for building base images for use as nodes in Kubernetes Clusters. [Packer](https://www.packer.io) is used for building these images.
+
+## Prerequisites
+
+### Prerequisites for all images
+
+- [Packer](https://www.packer.io/docs/installation.html)
+- [Ansible](http://docs.ansible.com/ansible/latest/intro_installation.html) version >= 2.4.0.0
+
+### Prerequisites for Amazon Web Services
+
+- An AWS account
+- The AWS CLI installed and configured
+
+## Building Images
+
+### Build Variables
+
+The following variables can be overriden when building images using the `-var` option when calling `packer build`:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| kubernetes_version | 1.11.2-00 | Kubernetes Version to install |
+| kubernetes_cni_version | 0.6.0-00 | CNI Version to install |
+
+For example, to build all images for use with Kubernetes 1.11.2 for build version 1:
+
+```sh
+packer build -var kubernetes_version=1.11.2-00
+```
+
+There are additional variables that may be set that affect the behavior of specific builds or packer post-processors. `packer inspect packer.json` will list all available variables and their default values.
+
+### Limiting Images to Build
+
+If packer build is run without specifying which images to build, then it will attempt to build all configured images. `packer inspect packer.json` will list the configured builders. The `--only` option can be specified when running `packer build` to limit the images built.
+
+For example, to build only the Ubuntu image:
+
+```sh
+packer build --only=ami-ubuntu packer.json
+```
+
+### Required Permissions to Build the AWS AMIs
+
+The [Packer documentation for the Amazon AMI builder](https://www.packer.io/docs/builders/amazon.html) supplies a suggested set of minimum permissions.
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [{
+      "Effect": "Allow",
+      "Action" : [
+        "ec2:AttachVolume",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:CopyImage",
+        "ec2:CreateImage",
+        "ec2:CreateKeypair",
+        "ec2:CreateSecurityGroup",
+        "ec2:CreateSnapshot",
+        "ec2:CreateTags",
+        "ec2:CreateVolume",
+        "ec2:DeleteKeyPair",
+        "ec2:DeleteSecurityGroup",
+        "ec2:DeleteSnapshot",
+        "ec2:DeleteVolume",
+        "ec2:DeregisterImage",
+        "ec2:DescribeImageAttribute",
+        "ec2:DescribeImages",
+        "ec2:DescribeInstances",
+        "ec2:DescribeRegions",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSnapshots",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeTags",
+        "ec2:DescribeVolumes",
+        "ec2:DetachVolume",
+        "ec2:GetPasswordData",
+        "ec2:ModifyImageAttribute",
+        "ec2:ModifyInstanceAttribute",
+        "ec2:ModifySnapshotAttribute",
+        "ec2:RegisterImage",
+        "ec2:RunInstances",
+        "ec2:StopInstances",
+        "ec2:TerminateInstances"
+      ],
+      "Resource" : "*"
+  }]
+}
+```
+
+### Building the AMIs
+
+Building images requires setting additional variables not set by default. The `base-images-us-east-1.json` file is provided as an example.
+
+To build both the Ubuntu and CentOS AMIs:
+
+```sh
+packer build -var-file base-images-us-east-1.json packer.json
+```
+
+By default images are copied to all available AWS regions. The list can be obtained running:
+```sh
+aws ec2 describe-regions --query "Regions[].{Name:RegionName}" --output text | paste -sd "," -
+```
+
+To limit the regions, provide the `ami_regions` variable as a comma-delimited list of AWS regions. 
+
+For example, to build all images in us-east-1 and copy only to us-west-2:
+```sh
+packer build -var-file base-images-us-east-1.json -var ami_regions='us-west-2'
+```
+
+## Testing Images
+
+Connect remotely to an instance created from the image and run the Node Conformance tests using the following commands:
+
+```sh
+wget https://dl.k8s.io/$(< /etc/kubernetes_community_ami_version)/kubernetes-test.tar.gz
+tar -zxvf kubernetes-test.tar.gz kubernetes/platforms/linux/amd64
+cd kubernetes/platforms/linux/amd64
+sudo ./ginkgo --nodes=8 --flakeAttempts=2 --focus="\[Conformance\]" --skip="\[Flaky\]|\[Serial\]|\[sig-network\]|Container Lifecycle Hook" ./e2e_node.test -- --k8s-bin-dir=/usr/bin
+```

images/ansible/ansible.cfg

@@ -0,0 +1,17 @@
+# Copyright 2018 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[default]
+filter_plugins = ./filter_plugins
+retry_files_enabled = False

images/ansible/filter_plugins/kube.py

@@ -0,0 +1,44 @@
+# Copyright 2018 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import re
+
+class FilterModule(object):
+
+    def filters(self):
+        return {
+            'kube_platform_version': self.kube_platform_version,
+        }
+
+    def kube_platform_version(self, version, platform):
+        if version == "latest":
+            return version
+
+        match = re.match('(\d+\.\d+.\d+)\-(\d+)', version)
+        if not match:
+            raise Exception("Version '%s' does not appear to be a "
+                            "kubernetes version." % version)
+        sub = match.groups(1)[1]
+        if len(sub) == 1:
+            if platform.lower() == "debian":
+                return "%s-%s" % (match.groups(1)[0], '{:02d}'.format(sub))
+            else:
+                return version
+        if len(sub) == 2:
+            if platform.lower() == "redhat":
+                return "%s-%s" % (match.groups(1)[0], int(sub))
+            else:
+                return version
+
+        raise Exception("Could not parse kubernetes version")

images/ansible/playbook.yml

@@ -0,0 +1,22 @@
+# Copyright 2018 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- hosts: all
+  become: yes
+  roles:
+    - role: common
+    - role: containerd
+    - role: kubernetes
+    - role: providers
+    - role: packer-cleanup

images/ansible/roles/common/defaults/main.yml

@@ -0,0 +1,37 @@
+# Copyright 2018 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+common_rpms:
+- yum-utils
+- python2-pip
+- python-requests
+- ebtables
+- socat
+- ntp
+- jq
+- nfs-utils
+common_extra_rpms: []
+common_debs:
+- openssh-client
+- openssh-server
+- apt-transport-https
+- python-pip
+- python-requests
+- ebtables
+- socat
+- ntp
+- jq
+- nfs-client
+common_extra_debs: []
+common_redhat_epel_rpm: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"

images/ansible/roles/common/tasks/debian.yml

@@ -0,0 +1,38 @@
+# Copyright 2018 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: update apt cache
+  apt:
+    force_apt_get: True
+    update_cache: True
+    cache_valid_time: 3600
+
+- name: perform a dist-upgrade
+  apt:
+    force_apt_get: True
+    upgrade: dist
+
+- name: install baseline dependencies
+  apt:
+    force_apt_get: True
+    name: "{{ item }}"
+    state: latest
+  with_items: "{{ common_debs }}"
+
+- name: install extra debs
+  apt:
+    force_apt_get: True
+    name: "{{ item }}"
+    state: latest
+  with_items: "{{ common_extra_debs }}"

images/ansible/roles/common/tasks/main.yml

@@ -0,0 +1,48 @@
+# Copyright 2018 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- import_tasks: debian.yml
+  when: ansible_os_family == "Debian"
+
+- import_tasks: redhat.yml
+  when: ansible_os_family == "RedHat"
+
+- modprobe:
+    name: overlay
+    state: present
+
+- modprobe:
+    name: br_netfilter
+    state: present
+
+- sysctl:
+    name: net.ipv4.ip_forward
+    value: 1
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+- sysctl:
+    name: net.bridge.bridge-nf-call-iptables
+    value: 1
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+- sysctl:
+    name: net.bridge.bridge-nf-call-ip6tables
+    value: 1
+    state: present
+    sysctl_set: yes
+    reload: yes

images/ansible/roles/common/tasks/redhat.yml

@@ -0,0 +1,32 @@
+# Copyright 2018 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: add epel repo
+  yum:
+    name: "{{ common_redhat_epel_rpm }}"
+
+- name: perform a yum update
+  yum:
+    name: '*'
+    state: latest
+
+- name: install baseline dependencies
+  yum:
+    name: "{{ item }}"
+  with_items: "{{ common_rpms }}"
+
+- name: install extra rpms
+  yum:
+    name: "{{ item }}"
+  with_items: "{{ common_extra_rpms }}"