├── test ├── test-app │ ├── requirements.txt │ ├── inventory │ ├── test-playbook.yaml │ ├── test-oc-playbook.yaml │ ├── id_rsa.pub │ ├── local-test.yaml │ ├── id_rsa │ └── ansible.cfg └── run ├── system-container ├── exports │ ├── tmpfiles.template │ ├── service.template │ ├── manifest.json │ └── config.json.template └── README.md ├── user_setup ├── Makefile ├── .s2i └── bin │ ├── usage │ ├── save-artifacts │ ├── run │ └── assemble ├── .travis.yml ├── jenkins ├── openshift │ └── pipeline.yaml ├── jobs │ ├── credPipelineJob.groovy │ └── orgFolderJob.groovy ├── README.md ├── configuration │ ├── org.jenkinsci.plugins.workflow.libs.GlobalLibraries.xml │ └── jobs │ │ └── seed │ │ └── config.xml └── plugins.txt ├── examples ├── Dockerfile.simple ├── sample-job.yaml ├── Dockerfile.advanced ├── build-template.yaml ├── README.md └── build-openshift-ansible.yaml ├── .cccp.yml ├── src └── com │ └── redhat │ └── Utils.groovy ├── Dockerfile ├── Dockerfile.rhel7 ├── Jenkinsfile ├── README.md └── LICENSE /test/test-app/requirements.txt: -------------------------------------------------------------------------------- 1 | boto 2 | -------------------------------------------------------------------------------- /test/test-app/inventory: -------------------------------------------------------------------------------- 1 | [local-test] 2 | localhost 3 | -------------------------------------------------------------------------------- /system-container/exports/tmpfiles.template: -------------------------------------------------------------------------------- 1 | d $VAR_LIB_PLAYBOOK2IMAGE - - - - - 2 | f $VAR_LOG_ANSIBLE_LOG - - - - - 3 | -------------------------------------------------------------------------------- /system-container/exports/service.template: -------------------------------------------------------------------------------- 1 | [Service] 2 | ExecStart=$EXEC_START 3 | ExecStop=-$EXEC_STOP 4 | Restart=no 5 | WorkingDirectory=$DESTDIR 6 | Type=oneshot 7 | -------------------------------------------------------------------------------- /user_setup: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -x 3 | chown -R ${USER_UID}:0 ${APP_ROOT} 4 | chmod -R g+rw ${APP_ROOT} /etc/passwd 5 | find ${APP_ROOT} -type d -exec chmod g+x {} + 6 | -------------------------------------------------------------------------------- /test/test-app/test-playbook.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Hello Ansible - quick start 3 | hosts: local-test 4 | 5 | tasks: 6 | - name: Hello server 7 | shell: date 8 | -------------------------------------------------------------------------------- /test/test-app/test-oc-playbook.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Hello Ansible - quick start 3 | hosts: local-test 4 | 5 | tasks: 6 | - name: Hello server 7 | shell: oc version 8 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | 2 | IMAGE_NAME = playbook2image 3 | 4 | build: 5 | docker build -t $(IMAGE_NAME) . 6 | 7 | .PHONY: test 8 | test: 9 | docker build -t $(IMAGE_NAME)-candidate . 10 | IMAGE_NAME=$(IMAGE_NAME)-candidate test/run 11 | -------------------------------------------------------------------------------- /.s2i/bin/usage: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | cat < playbook2image 9 | 10 | You can then run the resulting image via: 11 | docker run 12 | EOF 13 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | sudo: required 2 | 3 | services: 4 | - docker 5 | 6 | before_install: 7 | - curl -L -o s2i.tar.gz https://github.com/openshift/source-to-image/releases/download/v1.1.2/source-to-image-v1.1.2-5732fdd-linux-386.tar.gz 8 | - tar -xzvf s2i.tar.gz 9 | - export PATH=$PATH:$PWD/ 10 | - docker pull docker.io/openshift/base-centos7 11 | 12 | script: 13 | - make test 14 | -------------------------------------------------------------------------------- /system-container/exports/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.0", 3 | "defaultValues": { 4 | "OPTS": "", 5 | "VAR_LIB_PLAYBOOK2IMAGE" : "/var/lib/playbook2image", 6 | "VAR_LOG_ANSIBLE_LOG": "/var/log/ansible.log", 7 | "SSH_ROOT": "/root/.ssh", 8 | "PLAYBOOK_FILE": "playbooks/main.yml", 9 | "INVENTORY_FILE": "/dev/null" 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /test/test-app/id_rsa.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCodMR4Ch8ulX2Sx6tCEzFEILV6ecWOWgkrUPh4BeeVX1dNNkCod6Ry8D6ngL3j8MbpJe8WsSYdETP6D5HTy+Rrad3XO78VlIU9DfUZ4XZcF6jlgKzQ1KsALZvB+TnTH/Nm1fW3OUujhhMeqSuKMVuFA5fS7jYdW5zMhxUxrwSp5gSxdJTEof3NqMFr/W7p1rUSCDbMa5WtB4l68Wvm1pdJ6w9g4oZNbP9YbA1YX/qty6Le/mGys1qojhBLQ3WWsOsU+UdsoWQLz6KXCc0ScNxC+1CtkCzq+ncndc6Tti8TK92DBBqMWrdgbyNZs9EKqgjWG/AXT3JEaEI7zEvtm8aZ aweiteka@fedwork 2 | -------------------------------------------------------------------------------- /jenkins/openshift/pipeline.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: BuildConfig 4 | metadata: 5 | name: "createcred-pipeline" 6 | spec: 7 | source: 8 | type: "Git" 9 | git: 10 | uri: "https://github.com/openshift/playbook2image" 11 | ref: "master" 12 | strategy: 13 | type: "JenkinsPipeline" 14 | jenkinsPipelineStrategy: 15 | jenkinsfilePath: jenkins/jobs/credPipelineJob.groovy 16 | -------------------------------------------------------------------------------- /.s2i/bin/save-artifacts: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | # 3 | # S2I save-artifacts script for the 'playbook2image' image. 4 | # The save-artifacts script streams a tar archive to standard output. 5 | # The archive contains the files and folders you want to re-use in the next build. 6 | # 7 | # For more information see the documentation: 8 | # https://github.com/openshift/source-to-image/blob/master/docs/builder_image.md 9 | # 10 | # tar cf - 11 | -------------------------------------------------------------------------------- /test/test-app/local-test.yaml: -------------------------------------------------------------------------------- 1 | $ANSIBLE_VAULT;1.1;AES256 2 | 38353634663936633739386361653737373263393765333464373636303231666531393435646233 3 | 3866356665343131393532333037353439653839326133320a366165383066373835313938316364 4 | 62666139343430356330636363336332326663336661313766393963633132666561393737396438 5 | 6231306566626464350a623765376464306565616231363835656437346339386135343130313664 6 | 36663838633533316335623334363163353933336362626461323634353533336135 7 | -------------------------------------------------------------------------------- /jenkins/jobs/credPipelineJob.groovy: -------------------------------------------------------------------------------- 1 | #!groovy 2 | 3 | @Library('Utils') 4 | import com.redhat.* 5 | 6 | node { 7 | def id = null 8 | def utils = new Utils() 9 | 10 | stage('OpenShift -> Jenkins credentials') { 11 | openshift.withCluster() { 12 | def secret = openshift.selector( "secret/github" ).object() 13 | id = utils.createCredentialsFromOpenShift(secret, "github") 14 | } 15 | } 16 | stage('Run Seed Job') { 17 | build job: 'seed', parameters: [[$class: 'StringParameterValue', name: 'CRED_ID', value: id]] 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /examples/Dockerfile.simple: -------------------------------------------------------------------------------- 1 | # An simple Dockerfile example to package playbooks as docker image 2 | # 3 | # If using OpenShift, consider using the platform's source2image build instead. 4 | # If your playbooks have dependencies that must be packaged into the image at 5 | # build time see the Dockerfile.advanced example 6 | 7 | FROM docker.io/aweiteka/playbook2image:latest 8 | 9 | # Add your playbook and associated roles, filters, etc 10 | ADD YOUR_PLAYBOOK ${APP_HOME} 11 | 12 | # Containers from the built image should invoke the default "run" script 13 | # provided by the base image 14 | CMD ["/usr/libexec/s2i/run"] 15 | -------------------------------------------------------------------------------- /.cccp.yml: -------------------------------------------------------------------------------- 1 | # This is for the purpose of building containers on the CentOS Community Container 2 | # Pipeline. The containers are built, tested and delivered to registry.centos.org and 3 | # lifecycled as well. A corresponding entry must exist in the container index itself, 4 | # located at https://github.com/CentOS/container-index/tree/master/index.d 5 | # You can know more at the following links: 6 | # * https://github.com/CentOS/container-pipeline-service/blob/master/README.md 7 | # * https://github.com/CentOS/container-index/blob/master/README.md 8 | # * https://wiki.centos.org/ContainerPipeline 9 | job-id: playbook2image 10 | -------------------------------------------------------------------------------- /jenkins/jobs/orgFolderJob.groovy: -------------------------------------------------------------------------------- 1 | #!groovy 2 | 3 | organizationFolder('aweiteka') { 4 | description('This contains branch source jobs for GitHub') 5 | displayName('aweiteka') 6 | orphanedItemStrategy { 7 | discardOldItems { 8 | daysToKeep(0) 9 | numToKeep(0) 10 | } 11 | } 12 | organizations { 13 | github { 14 | apiUri('https://api.github.com') 15 | repoOwner('aweiteka') 16 | scanCredentialsId("${CRED_ID}") 17 | pattern('playbook2image') 18 | checkoutCredentialsId("${CRED_ID}") 19 | buildOriginBranch(true) 20 | buildOriginBranchWithPR(true) 21 | buildOriginPRMerge(false) 22 | buildOriginPRHead(false) 23 | buildForkPRMerge(true) 24 | buildForkPRHead(false) 25 | } 26 | } 27 | triggers { 28 | periodic(10) 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /jenkins/README.md: -------------------------------------------------------------------------------- 1 | # Deploying Jenkins to test playbook2image 2 | 3 | 1. Create project 4 | 5 | oc new-project p2i-ci 6 | 7 | 1. Using a browser, create a Github token at this URL: https://github.com/settings/tokens/new?scopes=repo,read:user,user:email 8 | 1. Copy the token and create a basic auth secret in OpenShift 9 | 10 | oc secrets new-basicauth github --username=GH_USERNAME --password=GH_TOKEN 11 | 12 | 1. Build a Jenkins master container image with the required plugins. We use OpenShift's source-to-image build to install the plugins listed in the jenkins/plugins.txt file. 13 | 14 | oc new-build openshift/jenkins~https://github.com/openshift/playbook2image \ 15 | --context-dir='jenkins' --name='jenkins' 16 | 1. Deploy the jenkins server 17 | 18 | oc process openshift//jenkins-ephemeral \ 19 | NAMESPACE=p2i-ci MEMORY_LIMIT=2Gi | oc create -f - 20 | 21 | 1. Create the OpenShift pipeline 22 | 23 | oc create -f jenkins/openshift/pipeline.yaml 24 | -------------------------------------------------------------------------------- /src/com/redhat/Utils.groovy: -------------------------------------------------------------------------------- 1 | #!groovy 2 | package com.redhat 3 | 4 | import com.cloudbees.groovy.cps.NonCPS 5 | import com.cloudbees.plugins.credentials.impl.*; 6 | import com.cloudbees.plugins.credentials.*; 7 | import com.cloudbees.plugins.credentials.domains.*; 8 | 9 | 10 | @NonCPS 11 | String createCredentialsFromOpenShift(HashMap secret, String id) { 12 | String username = new String(secret.data.username.decodeBase64()) 13 | String password = new String(secret.data.password.decodeBase64()) 14 | 15 | return createCredentials(id, username, password, "secret from openshift") 16 | } 17 | 18 | 19 | @NonCPS 20 | String createCredentials(String id = null, String username, String password, String description) { 21 | 22 | if( id == null ) { 23 | id = java.util.UUID.randomUUID().toString() 24 | } 25 | 26 | 27 | Credentials c = (Credentials) new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, id, description, username, password) 28 | 29 | SystemCredentialsProvider.getInstance().getStore().addCredentials(Domain.global(), c) 30 | 31 | return id 32 | } 33 | -------------------------------------------------------------------------------- /examples/sample-job.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: batch/v1 3 | kind: Job 4 | metadata: 5 | name: playbook-job 6 | spec: 7 | parallelism: 1 8 | completions: 1 9 | template: 10 | metadata: 11 | name: playbook-job 12 | labels: 13 | app: playbook-job 14 | spec: 15 | containers: 16 | - name: playbook-job 17 | # imagestream or internal/external registry 18 | image: 172.30.114.236:5000/some_project/atomic-host-tests 19 | env: 20 | - name: PLAYBOOK_FILE 21 | value: playbooks/main.yaml 22 | - name: INVENTORY_URL 23 | value: http://example.com/myhosts 24 | - name: ANSIBLE_PRIVATE_KEY_FILE 25 | value: /opt/app-root/src/.ssh/id_rsa/ssh-privatekey 26 | - name: ANSIBLE_HOST_KEY_CHECKING 27 | value: "False" 28 | # options to ansible-playbook https://linux.die.net/man/1/ansible-playbook 29 | - name: OPTS 30 | value: "-vvv" 31 | volumeMounts: 32 | - name: sshkey 33 | mountPath: /opt/app-root/src/.ssh/id_rsa 34 | volumes: 35 | - name: sshkey 36 | secret: 37 | secretName: sshkey 38 | restartPolicy: Never 39 | -------------------------------------------------------------------------------- /jenkins/configuration/org.jenkinsci.plugins.workflow.libs.GlobalLibraries.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Utils 6 | 7 | 8 | 44c97d51-cf48-4690-b645-72e0bc32773e 9 | SAME 10 | aweiteka 11 | playbook2image 12 | * 13 | 14 | true 15 | true 16 | false 17 | false 18 | true 19 | false 20 | 21 | 22 | master 23 | false 24 | true 25 | 26 | 27 | 28 | -------------------------------------------------------------------------------- /jenkins/plugins.txt: -------------------------------------------------------------------------------- 1 | ace-editor 2 | blueocean 3 | blueocean-autofavorite 4 | blueocean-commons 5 | blueocean-config 6 | blueocean-dashboard 7 | blueocean-display-url 8 | blueocean-github-pipeline 9 | blueocean-git-pipeline 10 | blueocean-i18n 11 | blueocean-events 12 | blueocean-jwt 13 | blueocean-personalization 14 | blueocean-pipeline-api-impl 15 | blueocean-rest 16 | blueocean-rest-impl 17 | blueocean-web 18 | display-url-api 19 | durable-task 20 | git-server 21 | handlebars 22 | icon-shim 23 | jquery-detached 24 | junit 25 | kubernetes:0.10 26 | mailer 27 | mapdb-api 28 | matrix-auth 29 | matrix-project 30 | mercurial 31 | momentjs 32 | multiple-scms 33 | openshift-login 34 | openshift-pipeline 35 | openshift-sync 36 | pipeline-build-step 37 | pipeline-graph-analysis 38 | pipeline-input-step 39 | pipeline-rest-api 40 | pipeline-stage-step 41 | pipeline-stage-view 42 | pipeline-utility-steps 43 | plain-credentials 44 | script-security 45 | ssh-credentials 46 | structs 47 | subversion 48 | workflow-aggregator 49 | workflow-cps 50 | workflow-basic-steps 51 | workflow-cps-global-lib 52 | cloudbees-folder 53 | workflow-durable-task-step 54 | workflow-job 55 | workflow-multibranch 56 | workflow-remote-loader 57 | workflow-scm-step 58 | workflow-step-api 59 | bouncycastle-api 60 | openshift-client 61 | credentials 62 | ansicolor 63 | github-api 64 | branch-api 65 | token-macro 66 | scm-api 67 | github 68 | github-branch-source 69 | git-client 70 | git 71 | workflow-support 72 | workflow-api 73 | pipeline-github-lib 74 | github-organization-folder 75 | job-dsl 76 | -------------------------------------------------------------------------------- /test/test-app/id_rsa: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAqHTEeAofLpV9kserQhMxRCC1ennFjloJK1D4eAXnlV9XTTZA 3 | qHekcvA+p4C94/DG6SXvFrEmHREz+g+R08vka2nd1zu/FZSFPQ31GeF2XBeo5YCs 4 | 0NSrAC2bwfk50x/zZtX1tzlLo4YTHqkrijFbhQOX0u42HVuczIcVMa8EqeYEsXSU 5 | xKH9zajBa/1u6da1Egg2zGuVrQeJevFr5taXSesPYOKGTWz/WGwNWF/6rcui3v5h 6 | srNaqI4QS0N1lrDrFPlHbKFkC8+ilwnNEnDcQvtQrZAs6vp3J3XOk7YvEyvdgwQa 7 | jFq3YG8jWbPRCqoI1hvwF09yRGhCO8xL7ZvGmQIDAQABAoIBAAE54FgzUqjHI8PW 8 | ujNf6mLhjhCXJE31780l6LkO6fGXYQ5Jz8yqGkNP5lTXxgoLrZby1LuojGt3vZYb 9 | WOdeu4ngmmG/qJNiolmgaWFH19GxxmPtPNTER35X1qNhyf70Y5QjCIfN3fQRvL/j 10 | YVK/Kzhbn1ZEr5YlHY4Liabz7CfEZsx0VfNiyxpZXHpgAEYnfUpRtCNaJud0IIA1 11 | QBFYk9D8iCV5h3VWLZPHvkwcmgiAeBF9zAPn9W6+Emv92kUxNymkcX2roPI+x6Cj 12 | fIqvcIbZsheeSxfnyobd577P6MzQWd2LIB1HDLrMekKT7xbhzKdmyzm5oxF6kxkS 13 | wtv0D5ECgYEA0NMHqwJR6H7D3hsuKMMm6+FZD6CBeYx7voAuesZ2CXAmUr6u9Lhv 14 | ITGK903lvAFyt0hbWT+QpzH1vtDo22Pze5xkEeAkw/NLm+t4qSdRCsI3iAfNzD3C 15 | SunV92jxt2q1aiNQvNbD2isDQ6G+wpAiAvp1nJude/AowS1Q1HHajD0CgYEAzoMd 16 | zXbG9y1ezxAmZ+ELUiX0I+vkmv9BN79SoE2mPIIZ/7dOcGEgzHascvc2AfjS+qMN 17 | j9q68ETy7igX6ZqYwAzri1uVhMrX0VBE1XhIfikqUmhetV3aBT8ApwRPrXmwlcdJ 18 | SRlTPNIF3ybyjTxV0sPLjsbnveos8nyUMMs6PY0CgYEAuM8Kqj2TX79QePB1GX4c 19 | pAT7XOkfrQK3QREQEXgyXofyYqh/DfVr5GSEJ/m4p3pgm/RdY87tpgqBAi7A5ei/ 20 | Q1ZU+bz0zLY04/ixAILbJjpcCvddGrRNjx8DTcKCqWC2zQgUHAu1qQ8IBILQ4D/O 21 | 2fPuwnq2FUmlx9DjCCD62cECgYEAu1wj9txziaBFKzGo1ohLoB1FEi4buzAouG5B 22 | haTNVIppEiL57GWCv15P+QImosVgjPrP/BrjjcfQa5g+kbesLFnMfiP6VH9ALOxZ 23 | dx9pDeVFO3zrqDrc6fOOIPl9XJNSTaF/8O0kIsMdhqcsWk1KRC1VilUVva0vWFUE 24 | kfxf+6UCgYAixg5+ra2FYBtcvmiJ9XGA+GtmEo28ep+CgYR2BCTA3d/AsaqZT8EF 25 | EsOX5cLMqYYJtDWnIA82Ey95pMLNl7UbSYyl2o9YSt7k9veqsWyie2mvUl++vWmZ 26 | 676Hn+eejg6vDfElVEa6ZPPj37GJ7ONJSkpyiTIHUYa6XGgemCVphw== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # playbook2image 2 | FROM openshift/base-centos7 3 | 4 | MAINTAINER OpenShift Team 5 | 6 | # TODO: Rename the builder environment variable to inform users about application you provide them 7 | # ENV BUILDER_VERSION 1.0 8 | 9 | LABEL io.k8s.description="Ansible playbook to image builder" \ 10 | io.k8s.display-name="playbook2image" \ 11 | io.openshift.tags="builder,ansible,playbook" \ 12 | url="https://github.com/openshift/playbook2image/blob/master/README.md" \ 13 | name="openshift/playbook2image" \ 14 | summary="Ansible playbook to image builder" \ 15 | description="Base image to to ship Ansible playbooks as self-executing container image." \ 16 | atomic.run="once" \ 17 | vcs-url="https://github.com/openshift/playbook2image" \ 18 | vcs-type="git" \ 19 | version="alpha" 20 | 21 | # ansible and pip are in EPEL 22 | RUN yum install -y epel-release && yum clean all -y 23 | 24 | RUN yum install -y --setopt=tsflags=nodocs ansible python-pip python-devel && yum clean all -y 25 | 26 | # TODO (optional): Copy the builder files into /opt/app-root 27 | #COPY .// /opt/app-root/ 28 | 29 | COPY ./.s2i/bin/ /usr/libexec/s2i 30 | COPY user_setup /tmp 31 | COPY system-container/exports /exports 32 | ADD README.md /help.1 33 | 34 | ENV APP_ROOT=/opt/app-root 35 | ENV USER_NAME=default \ 36 | USER_UID=1001 \ 37 | APP_HOME=${APP_ROOT}/src \ 38 | PATH=$PATH:${APP_ROOT}/bin 39 | RUN mkdir -p ${APP_HOME} ${APP_ROOT}/etc ${APP_ROOT}/bin 40 | RUN chmod -R ug+x ${APP_ROOT}/bin ${APP_ROOT}/etc /tmp/user_setup && \ 41 | /tmp/user_setup 42 | 43 | # This default user is created in the openshift/base-centos7 image 44 | USER ${USER_UID} 45 | 46 | RUN sed "s@${USER_NAME}:x:${USER_UID}:0@${USER_NAME}:x:\${USER_ID}:\${GROUP_ID}@g" /etc/passwd > ${APP_ROOT}/etc/passwd.template 47 | CMD ["/usr/libexec/s2i/usage"] 48 | -------------------------------------------------------------------------------- /.s2i/bin/run: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | # 3 | # S2I run script for the 'playbook2image' image. 4 | # The run script executes the server that runs your application. 5 | # 6 | # For more information see the documentation: 7 | # https://github.com/openshift/source-to-image/blob/master/docs/builder_image.md 8 | # 9 | 10 | 11 | # SOURCE and HOME DIRECTORY: /opt/app-root/src 12 | 13 | #set -x 14 | USER_ID=$(id -u) 15 | GROUP_ID=$(id -g) 16 | if [[ ${USER_ID} -ne 0 ]]; then 17 | sed "s@${USER_NAME}:x:\${USER_ID}:\${GROUP_ID}@${USER_NAME}:x:${USER_ID}:${GROUP_ID}@g" \ 18 | ${APP_ROOT}/etc/passwd.template > /etc/passwd 19 | fi 20 | 21 | INVENTORY="$(mktemp)" 22 | if [[ -v INVENTORY_FILE ]]; then 23 | # If the pointed inventory has execute/search perms we can assume it 24 | # contains a dynamic inventory and we use it directly. 25 | # Otherwise we make a copy so that ALLOW_ANSIBLE_CONNECTION_LOCAL below 26 | # does not attempt to modify the original 27 | if [[ -x ${INVENTORY_FILE} ]]; then 28 | INVENTORY="${INVENTORY_FILE}" 29 | else 30 | cp ${INVENTORY_FILE} ${INVENTORY} 31 | fi 32 | elif [[ -v INVENTORY_URL ]]; then 33 | curl -o ${INVENTORY} ${INVENTORY_URL} 34 | elif [[ -v DYNAMIC_SCRIPT_URL ]]; then 35 | curl -o ${INVENTORY} ${DYNAMIC_SCRIPT_URL} 36 | chmod 755 ${INVENTORY} 37 | else 38 | echo "One of INVENTORY_FILE, INVENTORY_URL or DYNAMIC_SCRIPT_URL must be provided" 39 | exit 1 40 | fi 41 | INVENTORY_ARG="-i ${INVENTORY}" 42 | 43 | if [[ "$ALLOW_ANSIBLE_CONNECTION_LOCAL" = false ]]; then 44 | sed -i s/ansible_connection=local// ${INVENTORY} 45 | fi 46 | 47 | if [[ -v VAULT_PASS ]]; then 48 | VAULT_PASS_FILE=.vaultpass 49 | echo ${VAULT_PASS} > ${VAULT_PASS_FILE} 50 | VAULT_PASS_ARG="--vault-password-file ${VAULT_PASS_FILE}" 51 | fi 52 | 53 | WORK_DIR=${WORK_DIR:-${APP_HOME}} 54 | 55 | cd ${WORK_DIR} 56 | ansible-playbook ${INVENTORY_ARG} ${VAULT_PASS_ARG} ${OPTS} ${PLAYBOOK_FILE} 57 | #set +x 58 | -------------------------------------------------------------------------------- /.s2i/bin/assemble: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | # 3 | # S2I assemble script for the 'playbook2image' image. 4 | # The 'assemble' script builds your application source so that it is ready to run. 5 | # 6 | # For more information refer to the documentation: 7 | # https://github.com/openshift/source-to-image/blob/master/docs/builder_image.md 8 | # 9 | 10 | if [[ "$1" == "-h" ]]; then 11 | # If the 'playbook2image' assemble script is executed with '-h' flag, 12 | # print the usage. 13 | exec /usr/libexec/s2i/usage 14 | fi 15 | 16 | # Restore artifacts from the previous build (if they exist). 17 | # 18 | if [ "$(ls /tmp/artifacts/ 2>/dev/null)" ]; then 19 | echo "---> Restoring build artifacts..." 20 | mv /tmp/artifacts/. ./ 21 | fi 22 | 23 | echo "---> Installing application source..." 24 | cp -Rf /tmp/src/. ./ 25 | 26 | echo "---> Building application from source..." 27 | # pre-create PYTHONUSERBASE/lib/*, otherwise pip creates it with mode 0700 28 | # which prevents containers with arbitrary UIDs to access local packages 29 | mkdir -p ${HOME}/.local/lib/python2.7/site-packages 30 | if [[ -v PYTHON_REQUIREMENTS ]]; then 31 | pip install --no-cache-dir -r ${PYTHON_REQUIREMENTS} 32 | elif [[ -e requirements.txt ]]; then 33 | pip install --no-cache-dir --user -r requirements.txt 34 | fi 35 | 36 | if [[ -v INSTALL_OC ]]; then 37 | pip install --no-cache-dir --user requests 38 | echo "---> Installing 'oc' binary..." 39 | TMPDIR=$(mktemp -d) 40 | cd ${TMPDIR} 41 | OC_BINARY_URL=$(python -c "import requests;releases = requests.get('https://api.github.com/repos/openshift/origin/releases').json();print [s for s in [r for r in releases if not r['prerelease'] and '1.4' in r['name']][0]['assets'] if 'linux-64' in s['browser_download_url']][0]['browser_download_url']") 42 | curl -L ${OC_BINARY_URL} -o openshift-client.tar.gz 43 | OC_PATH=`tar -tzf openshift-client.tar.gz |grep oc` 44 | tar -xzf openshift-client.tar.gz ${OC_PATH} 45 | cp ${OC_PATH} ${APP_ROOT}/bin/oc 46 | cd .. 47 | rm -rf ${TMPDIR} 48 | fi 49 | -------------------------------------------------------------------------------- /examples/Dockerfile.advanced: -------------------------------------------------------------------------------- 1 | # A Dockerfile to package playbooks as a docker image 2 | # 3 | # This example includes additional steps during the image build process 4 | # to add external dependencies: Python modules and the "oc" client binary 5 | # 6 | # If you only need to package simple self-contained playbooks without 7 | # external dependencies take a look at Dockerfile.simple 8 | # 9 | # If using OpenShift, consider using the platform's source2image build instead 10 | 11 | FROM docker.io/aweiteka/playbook2image:latest 12 | 13 | # There are two approaches to customize the built image and include 14 | # additional requirements/dependencies: use the built-in "assemble" script 15 | # or a fully custom build 16 | 17 | # ------------------------------------------------------------------------- 18 | # Option 1: using "assemble" 19 | # 20 | # The playbook2image's "assemble" script provides functionality to install 21 | # dependencies. 22 | # 23 | # This example will install the "oc" client binary and the Python modules 24 | # specified in the "requirements.txt" from YOUR_PLAYBOOK's top dir. 25 | # 26 | # The "assemble" script expects the playbooks to be placed in /tmp/src: 27 | ADD YOUR_PLAYBOOK /tmp/src 28 | 29 | ENV INSTALL_OC=true 30 | 31 | # If you don't have a "requirements.txt", or if you want to overrideit, you 32 | # can also specify Python dependencies via the "PYTHON_REQUIREMENTS" 33 | # environment variable with the list of required modules: 34 | #ENV PYTHON_REQUIREMENTS="PyYAML pyOpenSSL" 35 | 36 | RUN /usr/libexec/s2i/assemble 37 | 38 | # ------------------------------------------------------------------------- 39 | # Option 2: custom build 40 | # 41 | # Here, instead of placing the plabyooks in /tmp/src and settings to run 42 | # the "assemble" script we put the playbooks directly into their final 43 | # location and run commands to install extra dependencies: 44 | # 45 | #ADD YOUR_PLAYBOOK ${APP_HOME} 46 | #ADD your_dynamic_inventory_script.py requirements.txt ${APP_HOME} 47 | #RUN pip install -r ${APP_HOME}/requirements.txt 48 | 49 | # ------------------------------------------------------------------------- 50 | # In any case, containers from the built image should invoke the default 51 | # "run" script provided by the base image 52 | CMD ["/usr/libexec/s2i/run"] 53 | -------------------------------------------------------------------------------- /jenkins/configuration/jobs/seed/config.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | true 6 | 7 | 8 | 9 | 10 | CRED_ID 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 2 19 | 20 | 21 | https://github.com/openshift/playbook2image 22 | 23 | 24 | 25 | 26 | master 27 | 28 | 29 | false 30 | 31 | 32 | 33 | true 34 | false 35 | false 36 | false 37 | 38 | false 39 | 40 | 41 | jenkins/jobs/orgFolderJob.groovy 42 | false 43 | false 44 | false 45 | false 46 | false 47 | IGNORE 48 | IGNORE 49 | JENKINS_ROOT 50 | 51 | 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /Dockerfile.rhel7: -------------------------------------------------------------------------------- 1 | # playbook2image 2 | FROM rhscl/python-27-rhel7:2.7 3 | 4 | MAINTAINER OpenShift Team 5 | 6 | # TODO: Rename the builder environment variable to inform users about application you provide them 7 | # ENV BUILDER_VERSION 1.0 8 | 9 | LABEL io.k8s.description="Ansible playbook to image builder" \ 10 | io.k8s.display-name="playbook2image" \ 11 | io.openshift.tags="builder,ansible,playbook" \ 12 | io.openshift.expose-services="" \ 13 | url="https://github.com/openshift/playbook2image/blob/master/README.md" \ 14 | name="openshift3/playbook2image" \ 15 | summary="Ansible playbook to image builder" \ 16 | description="Base image to to ship Ansible playbooks as self-executing container image." \ 17 | atomic.run="once" \ 18 | com.redhat.component="playbook2image-docker" \ 19 | vcs-url="https://github.com/openshift/playbook2image" \ 20 | vcs-type="git" \ 21 | version="0.0.1" 22 | 23 | # Install Ansible. 24 | # 25 | # The default Dockerfile also installs 'pip' and 'python-devel' so that the 26 | # builder image can install Python dependencies if the playbooks need them. In 27 | # the productized version these are provided by the python-27-rhel7 base image, 28 | # and dependencies should be packaged and installed with yum instead 29 | USER root 30 | 31 | # To use a subscription inside container yum command has to be run first (before 32 | # yum-config-manager) https://access.redhat.com/solutions/1443553 33 | RUN yum repolist > /dev/null && \ 34 | yum-config-manager --enable rhel-7-server-ose-3.6-rpms && \ 35 | yum install -y --setopt=tsflags=nodocs ansible && \ 36 | yum clean all -y 37 | 38 | COPY ./.s2i/bin/ /usr/libexec/s2i 39 | COPY user_setup /tmp 40 | COPY system-container/exports /exports 41 | 42 | ENV APP_ROOT=/opt/app-root 43 | ENV USER_NAME=default \ 44 | USER_UID=1001 \ 45 | APP_HOME=${APP_ROOT}/src \ 46 | HOME=${APP_ROOT}/src \ 47 | PATH=$PATH:${APP_ROOT}/bin 48 | 49 | RUN mkdir -p ${APP_HOME} ${APP_ROOT}/etc ${APP_ROOT}/bin 50 | RUN chmod -R ug+x ${APP_ROOT}/bin ${APP_ROOT}/etc /tmp/user_setup && \ 51 | /tmp/user_setup 52 | 53 | # Back to the UID used in the base image 54 | USER ${USER_UID} 55 | 56 | RUN sed "s@${USER_NAME}:x:${USER_UID}:0@${USER_NAME}:x:\${USER_ID}:\${GROUP_ID}@g" /etc/passwd > ${APP_ROOT}/etc/passwd.template 57 | 58 | WORKDIR ${APP_HOME} 59 | 60 | CMD ["/usr/libexec/s2i/usage"] 61 | -------------------------------------------------------------------------------- /examples/build-template.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Template 4 | metadata: 5 | creationTimestamp: null 6 | name: playbook2image 7 | annotations: 8 | description: > 9 | Source-to-Image (S2I) builder image for packaging Ansible playbooks 10 | as a self-executing container 11 | tags: "ansible,s2i,builder" 12 | labels: 13 | template: playbook2image 14 | objects: 15 | - apiVersion: v1 16 | kind: BuildConfig 17 | metadata: 18 | name: ${NAME} 19 | annotations: 20 | description: > 21 | Source-to-Image (S2I) builder image for packaging Ansible playbooks 22 | as a self-executing container 23 | tags: "builder,ansible,ansible-playbook,s2i" 24 | iconClass: "icon-ansible" 25 | labels: 26 | template: playbook2image 27 | name: ${NAME} 28 | spec: 29 | output: 30 | to: 31 | kind: ImageStreamTag 32 | name: ${NAME}:${TAG} 33 | postCommit: {} 34 | resources: {} 35 | runPolicy: Serial 36 | source: 37 | git: 38 | uri: ${PLAYBOOK_REPOSITORY_URL} 39 | type: Git 40 | strategy: 41 | sourceStrategy: 42 | from: 43 | kind: DockerImage 44 | name: ${BUILD_IMAGE} 45 | type: Source 46 | triggers: 47 | - github: 48 | secret: ${GITHUB_WEBHOOK_SECRET} 49 | type: GitHub 50 | - generic: 51 | secret: ${GENERIC_WEBHOOK_SECRET} 52 | type: Generic 53 | - type: ConfigChange 54 | status: 55 | lastVersion: 0 56 | - kind: ImageStream 57 | apiVersion: v1 58 | metadata: 59 | name: ${NAME} 60 | spec: {} 61 | parameters: 62 | - name: PLAYBOOK_REPOSITORY_URL 63 | description: The URL of the playbook repository 64 | required: true 65 | - name: NAME 66 | description: Name of the new image 67 | required: true 68 | - name: TAG 69 | description: Tag for the new image, e.g. latest 70 | value: latest 71 | - name: BUILD_IMAGE 72 | description: Base build image 73 | value: docker.io/aweiteka/playbook2image:latest 74 | - name: GITHUB_WEBHOOK_SECRET 75 | description: A secret string used to configure the GitHub webhook 76 | generate: expression 77 | from: "[a-zA-Z0-9]{40}" 78 | message: "... The GitHub webhook secret is ${GITHUB_WEBHOOK_SECRET} ..." 79 | - name: GENERIC_WEBHOOK_SECRET 80 | description: A secret string used to configure the generic webhook 81 | generate: expression 82 | from: "[a-zA-Z0-9]{40}" 83 | message: "... The generic webhook secret is ${GENERIC_WEBHOOK_SECRET} ..." 84 | -------------------------------------------------------------------------------- /examples/README.md: -------------------------------------------------------------------------------- 1 | # Examples of playbook2image usage 2 | 3 | This directory contains a few examples of how to use playbook2image. 4 | 5 | - [build-openshift-ansible.yaml](build-openshift-ansible.yaml) is an example [template](https://docs.openshift.org/latest/dev_guide/templates.html) for a [build configuration](https://docs.openshift.org/latest/dev_guide/builds.html) and its supporting image streams whose purpose is to use `plabyook2image` to build a containerized version of [openshift-ansible](https://github.com/openshift/openshift-ansible) (the OpenShift installer code) inside OpenShift itself. You can use it like this: 6 | 7 | oc create -f build-openshift-ansible.yaml # This imports the template 8 | oc new-app openshift-ansible # This instantiates the template 9 | oc describe imagestream openshift-ansible # To see details of the built image 10 | 11 | - [build-template.yaml](build-template.yaml) is an [OpenShift template](https://docs.openshift.org/latest/dev_guide/templates.html) to build the `playbook2image` image itself inside OpenShift: 12 | 13 | oc create -f build-template.yaml # This imports the template 14 | oc new-app playbook2image # This instantiates the template 15 | 16 | - [Dockerfile.simple](Dockerfile.simple) is an example of a very simple `Dockerfile` to build an image that packages a playbook `docker build` using `playbook2image` as a base. 17 | 18 | - [Dockerfile.advanced](Dockerfile.advanced) is a more elaborate `Dockerfile` example that installs additional dependencies needed to run the packaged playbooks. See the Build section of the [README](../README.md) for details on the various options to build images. 19 | 20 | - [sample-job.yaml](sample-job.yaml) is an example [Job spec](https://docs.openshift.org/latest/dev_guide/jobs.html) to run a playbook as a one-time Job in OpenShift/Kubernetes. The Job expects a [Secret](https://docs.openshift.org/latest/dev_guide/secrets.html) named `sshkey` with an attribute named `ssh-privatekey` that contains the ssh key to connect to hosts. See the Run section of the [README](../README.md) for details on the various options to run images. 21 | 22 | The [openshift-ansible](https://github.com/openshift/openshift-ansible) repository (OpenShift's installation and configuration tooling) uses `playbook2image` as a base to create its container image. The repository contains some additional examples that illustrate how to build and use an image using `playbook2image`. See the [README_CONTAINER_IMAGE.md](https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINER_IMAGE.md), the [Dockerfile](https://github.com/openshift/openshift-ansible/blob/master/Dockerfile) in the repo and some additional [openshift-ansible container usage examples](https://github.com/openshift/openshift-ansible/tree/master/examples). 23 | -------------------------------------------------------------------------------- /Jenkinsfile: -------------------------------------------------------------------------------- 1 | #!groovy 2 | 3 | // vim: ft=groovy 4 | 5 | properties([disableConcurrentBuilds()]) 6 | 7 | node { 8 | def source = "" 9 | if (env.CHANGE_URL) { 10 | 11 | def newBuild = null 12 | def changeUrl = env.CHANGE_URL 13 | 14 | // Query the github repo api to return the clone_url and the ref (branch name) 15 | def githubUri = changeUrl.replaceAll("github.com/", "api.github.com/repos/") 16 | githubUri = githubUri.replaceAll("pull", "pulls") 17 | withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: "github" , usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) { 18 | sh("curl -u ${env.USERNAME}:${env.PASSWORD} -o ${env.WORKSPACE}/github.json ${githubUri}") 19 | } 20 | def pull = readJSON file: 'github.json' 21 | 22 | if (pull.head.repo == null) { 23 | error("Unable to read GitHub JSON file") 24 | } 25 | 26 | openshift.withCluster() { 27 | openshift.withProject() { 28 | try { 29 | // use oc new-build to build the image using the clone_url and ref 30 | newBuild = openshift.newBuild("${pull.head.repo.clone_url}#${pull.head.ref}") 31 | echo "newBuild created: ${newBuild.count()} objects : ${newBuild.names()}" 32 | def builds = newBuild.narrow("bc").related("builds") 33 | 34 | timeout(10) { 35 | builds.watch { 36 | if (it.count() == 0) { 37 | return false 38 | } 39 | echo "Detected new builds created by buildconfig: ${it.names()}" 40 | return true 41 | } 42 | builds.untilEach(1) { 43 | return it.object().status.phase == "Complete" 44 | } 45 | } 46 | } 47 | finally { 48 | if (newBuild) { 49 | def result = newBuild.narrow("bc").logs() 50 | echo "Result of logs operation:" 51 | echo " status: ${result.status}" 52 | echo " stderr: ${result.err}" 53 | echo " number of actions to fulfill: ${result.actions.size()}" 54 | echo " first action executed: ${result.actions[0].cmd}" 55 | 56 | if (result.status != 0) { 57 | echo "${result.out}" 58 | error("Image Build Failed") 59 | } 60 | // After built we do not need the BuildConfig or the ImageStream 61 | newBuild.delete() 62 | } 63 | } 64 | } 65 | } 66 | } 67 | } 68 | 69 | 70 | 71 | -------------------------------------------------------------------------------- /examples/build-openshift-ansible.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: "Template" 3 | apiVersion: "v1" 4 | metadata: 5 | name: "openshift-ansible" 6 | annotations: 7 | description: > 8 | Template for a build configuration and image streams to create a 9 | containerized image of openshift-ansible using OpenShift 10 | tags: "openshift-ansible" 11 | labels: 12 | template: openshift-ansible 13 | objects: 14 | - 15 | kind: "BuildConfig" 16 | apiVersion: "v1" 17 | metadata: 18 | name: "${NAME}" 19 | annotations: 20 | description: "Defines how to build the image" 21 | spec: 22 | triggers: 23 | - 24 | type: "GitHub" 25 | github: 26 | secret: "${GITHUB_WEBHOOK_SECRET}" 27 | - 28 | type: "Generic" 29 | generic: 30 | secret: "${GENERIC_WEBHOOK_SECRET}" 31 | - 32 | type: "ConfigChange" 33 | - 34 | type: "ImageChange" 35 | source: 36 | type: "Git" 37 | git: 38 | uri: "${SOURCE_REPO_URL}" 39 | ref: "${SOURCE_REPO_REF}" 40 | contextDir: "${SOURCE_CONTEXT}" 41 | strategy: 42 | type: "Source" 43 | sourceStrategy: 44 | from: 45 | kind: "ImageStreamTag" 46 | name: "${BASE_IMAGESTREAM}:latest" 47 | output: 48 | to: 49 | kind: "ImageStreamTag" 50 | name: "${NAME}:latest" 51 | - 52 | kind: "ImageStream" 53 | apiVersion: "v1" 54 | metadata: 55 | name: "${NAME}" 56 | annotations: 57 | description: "Tracks the built image" 58 | - 59 | kind: "ImageStream" 60 | apiVersion: "v1" 61 | metadata: 62 | name: "${BASE_IMAGESTREAM}" 63 | annotations: 64 | description: "Base image used to build ${NAME}" 65 | spec: 66 | tags: 67 | - 68 | name: "latest" 69 | from: 70 | kind: "DockerImage" 71 | name: "${BASE_IMAGE}" 72 | parameters: 73 | - 74 | name: "NAME" 75 | displayName: "Name" 76 | description: "The name of the generated build config and image stream." 77 | required: true 78 | value: "openshift-ansible" 79 | - 80 | name: "BASE_IMAGE" 81 | displayName: "Base image" 82 | description: "Base image to use for the source build." 83 | required: true 84 | value: "docker.io/aweiteka/playbook2image" 85 | - 86 | name: "BASE_IMAGESTREAM" 87 | displayName: "Base imageStream" 88 | description: "Image stream to track the base image for the build." 89 | required: true 90 | value: "playbook2image" 91 | - 92 | name: "SOURCE_REPO_URL" 93 | displayName: "Git Repository URL" 94 | description: "The URL of the repository with your application source code." 95 | required: true 96 | value: "https://github.com/openshift/openshift-ansible.git" 97 | - 98 | name: "SOURCE_REPO_REF" 99 | displayName: "Git Reference" 100 | description: "Set this to a branch name, tag or other ref of your repository if you are not using the default branch." 101 | - 102 | name: "SOURCE_CONTEXT" 103 | displayName: "Context Directory" 104 | description: "Set this to the relative path to your project if it is not in the root of your repository." 105 | - 106 | name: "GITHUB_WEBHOOK_SECRET" 107 | displayName: "GitHub Webhook Secret" 108 | description: "A secret string used to configure the GitHub webhook." 109 | generate: "expression" 110 | from: "[a-zA-Z0-9]{40}" 111 | - 112 | name: "GENERIC_WEBHOOK_SECRET" 113 | displayName: "Generic Webhook Secret" 114 | description: "A secret string used to configure the Generic webhook." 115 | generate: "expression" 116 | from: "[a-zA-Z0-9]{40}" 117 | -------------------------------------------------------------------------------- /system-container/README.md: -------------------------------------------------------------------------------- 1 | # System Container support 2 | 3 | A system container is run with runC instead of Docker and it is managed using 4 | the [atomic](https://github.com/projectatomic/atomic/) tool. As it doesn't 5 | require the Docker daemon to run, a container that makes changes to the Docker 6 | daemon's configuration/status can be run on a sytem that is itself a target/part 7 | of the inventory. 8 | 9 | Therefore, if the playbook(s) that are packaged into the image manipulate the 10 | container runtime configuration/status (potentially stopping running containers) 11 | and the system where the container will run is part of the inventory (i.e. you 12 | want the playbooks to alter configuration/status of the container engine in the 13 | same system where the playbook is being run inside a container), then you might 14 | want to run the container/playbook as a system container to prevent the changes 15 | performed by the playbook from killing the container that is running the 16 | playbook itself. 17 | 18 | The files under [`exports/`](exports/) are needed to run the the built images as 19 | an [Atomic system container](http://www.projectatomic.io/blog/2016/09/intro-to-system-containers/): 20 | 21 | * `config.json.template` is the configuration file to run the runC container. 22 | 23 | * `manifest.json` defines various settings for the system container, such as the 24 | default values to use for the installation. 25 | 26 | * `service.template` is the template for the systemd service. 27 | 28 | * `tmpfiles.template` is the template for systemd-tmpfiles. 29 | 30 | The base playbook2image container image already contains all the required files 31 | to run as a system container, so no specific action needs to be taken to build a 32 | system container-ready image based on playbook2image. 33 | 34 | Once a container image is built to package your playbooks you can import it into 35 | the OSTree storage with: 36 | 37 | atomic pull --storage ostree docker:my/image:latest 38 | 39 | where `my/image:latest` is the name and tag of the image you built. See the main 40 | [README](../README.md) for more details about building a container image using 41 | playbook2image. 42 | 43 | ## Running an image as a System Container 44 | 45 | To run the playbook `myplaybook.yml` from `myimage` as a system container: 46 | 47 | ```sh 48 | atomic install --system \ 49 | --set INVENTORY_FILE=$(pwd)/myinventory \ 50 | --set PLAYBOOK_FILE=myplaybook.yml \ 51 | myimage 52 | ``` 53 | 54 | This command actually will perform 3 steps: install, interactively run, and 55 | finally uninstall the image as a system container. This is thanks to the 56 | `atomic.run="once"` label in the image. 57 | 58 | ### Older versions of atomic 59 | 60 | *NOTE:* the `atomic.run="once"` functionality was added to the `atomic` tool in 61 | [PR 952](https://github.com/projectatomic/atomic/pull/952). If you are using an 62 | older version of the `atomic` command that does not include that functionality, 63 | the `atomic install` command above will only install the image but not run it 64 | or clean up automatically. 65 | 66 | On older versions of `atomic`, after running the `atomic install ...` command 67 | above you will have to manually request systemd to run a container with it: 68 | 69 | systemctl start myimage 70 | 71 | and finally clean up when it's done: 72 | 73 | atomic uninstall myimage 74 | 75 | Note that with that approach the container is run by systemd and you will not 76 | get feedback from Ansible during the playbook's execution: the `systemctl start` 77 | command above will trigger the container/playbook execution, but the `systemctl` 78 | command itself will not show the output of Ansible while the playbook runs. You 79 | will have to search for that output on the logs generated by the systemd unit 80 | e.g. using `journalctl`. 81 | 82 | ## Environment variables 83 | 84 | * See the [main README](../README.md) for details about 85 | `INVENTORY_FILE`,`PLAYBOOK_FILE` and `OPTS` 86 | 87 | * `VAR_LIB_PLAYBOOK2IMAGE` (optional) If the playbooks need additional files 88 | then they can use the path `/var/lib/playbook2image` in the container. This is 89 | bind mounted from the host. The source directory in the host can be specified 90 | via the `VAR_LIB_PLAYBOOK2IMAGE` environment variable, which defaults to 91 | `/var/lib/playbook2image` (i.e. the same path in the host and in the 92 | container). 93 | 94 | * `VAR_LOG_ANSIBLE_LOG` (default: `/var/log/ansible.log`) points to the log file 95 | where playbook execution will be logged. 96 | 97 | * `SSH_ROOT` (default: `/root/.ssh`) points to the ssh client configuration 98 | (including ssh keys). 99 | 100 | ## Known limitations 101 | 102 | Initially, system containers can only use a single static `INVENTORY_FILE`. 103 | -------------------------------------------------------------------------------- /test/run: -------------------------------------------------------------------------------- 1 | 2 | #!/bin/bash 3 | # 4 | # The 'run' performs a simple test that verifies the S2I image. 5 | # The main focus here is to exercise the S2I scripts. 6 | # 7 | # For more information see the documentation: 8 | # https://github.com/openshift/source-to-image/blob/master/docs/builder_image.md 9 | # 10 | # IMAGE_NAME specifies a name of the candidate image used for testing. 11 | # The image has to be available before this script is executed. 12 | # 13 | IMAGE_NAME=${IMAGE_NAME-playbook2image-candidate} 14 | 15 | # Determining system utility executables (darwin compatibility check) 16 | READLINK_EXEC="readlink" 17 | MKTEMP_EXEC="mktemp" 18 | if (echo "$OSTYPE" | egrep -qs 'darwin'); then 19 | ! type -a "greadlink" &>"/dev/null" || READLINK_EXEC="greadlink" 20 | ! type -a "gmktemp" &>"/dev/null" || MKTEMP_EXEC="gmktemp" 21 | fi 22 | 23 | test_dir="$($READLINK_EXEC -zf $(dirname "${BASH_SOURCE[0]}"))" 24 | image_dir=$($READLINK_EXEC -zf ${test_dir}/..) 25 | scripts_url="file://${image_dir}/.s2i/bin" 26 | cid_file=$($MKTEMP_EXEC -u --suffix=.cid) 27 | 28 | # Since we built the candidate image locally, we don't want S2I to attempt to pull 29 | # it from Docker hub 30 | s2i_args="--pull-policy=never --loglevel=2" 31 | 32 | # Port the image exposes service to be tested 33 | test_port=8080 34 | 35 | image_exists() { 36 | docker inspect $1 &>/dev/null 37 | } 38 | 39 | container_exists() { 40 | image_exists $(cat $cid_file) 41 | } 42 | 43 | container_ip() { 44 | docker inspect --format="{{ .NetworkSettings.IPAddress }}" $(cat $cid_file) 45 | } 46 | 47 | run_s2i_build() { 48 | s2i build --incremental=true ${s2i_args} file://${test_dir}/test-app ${IMAGE_NAME} ${IMAGE_NAME}-testapp 49 | } 50 | 51 | run_s2i_oc_build() { 52 | s2i build --incremental=true ${s2i_args} -e INSTALL_OC=true file://${test_dir}/test-app ${IMAGE_NAME} ${IMAGE_NAME}-testapp-oc 53 | } 54 | 55 | prepare() { 56 | if ! image_exists ${IMAGE_NAME}; then 57 | echo "ERROR: The image ${IMAGE_NAME} must exist before this script is executed." 58 | exit 1 59 | fi 60 | # s2i build requires the application is a valid 'Git' repository 61 | pushd ${test_dir}/test-app >/dev/null 62 | git init 63 | git config user.email "build@localhost" && git config user.name "builder" 64 | git add -A && git commit -m "Sample commit" 65 | popd >/dev/null 66 | run_s2i_build 67 | } 68 | 69 | run_test_application() { 70 | #docker run --rm --cidfile=${cid_file} -e ANSIBLE_HOST_KEY_CHECKING=False -e OPTS="-vvv --become --private-key id_rsa" -e INVENTORY_FILE=inventory -e PLAYBOOK_FILE=test-playbook.yaml ${IMAGE_NAME}-testapp 71 | docker run --rm --cidfile=${cid_file} -e ANSIBLE_HOST_KEY_CHECKING=False -e OPTS="-vvv -u 1001 --connection local" -e INVENTORY_FILE=inventory -e PLAYBOOK_FILE=test-playbook.yaml ${IMAGE_NAME}-testapp 72 | } 73 | 74 | run_test_oc_application() { 75 | #docker run --rm --cidfile=${cid_file} -e ANSIBLE_HOST_KEY_CHECKING=False -e OPTS="-vvv --become --private-key id_rsa" -e INVENTORY_FILE=inventory -e PLAYBOOK_FILE=test-playbook.yaml ${IMAGE_NAME}-testapp 76 | docker run --rm --cidfile=${cid_file} -e ANSIBLE_HOST_KEY_CHECKING=False -e OPTS="-vvv -u 1001 --connection local" -e INVENTORY_FILE=inventory -e PLAYBOOK_FILE=test-oc-playbook.yaml ${IMAGE_NAME}-testapp-oc 77 | } 78 | 79 | cleanup() { 80 | if [ -f $cid_file ]; then 81 | if container_exists; then 82 | docker stop $(cat $cid_file) 83 | fi 84 | fi 85 | if image_exists ${IMAGE_NAME}-testapp; then 86 | docker rmi ${IMAGE_NAME}-testapp 87 | fi 88 | if image_exists ${IMAGE_NAME}-testapp-oc; then 89 | docker rmi ${IMAGE_NAME}-testapp-oc 90 | fi 91 | rm ${cid_file} 92 | } 93 | 94 | check_result() { 95 | local result="$1" 96 | if [[ "$result" != "0" ]]; then 97 | echo "S2I image '${IMAGE_NAME}' test FAILED (exit code: ${result})" 98 | cleanup 99 | exit $result 100 | fi 101 | } 102 | 103 | wait_for_cid() { 104 | local max_attempts=10 105 | local sleep_time=1 106 | local attempt=1 107 | local result=1 108 | while [ $attempt -le $max_attempts ]; do 109 | [ -f $cid_file ] && break 110 | echo "Waiting for container to start..." 111 | attempt=$(( $attempt + 1 )) 112 | sleep $sleep_time 113 | done 114 | } 115 | 116 | test_usage() { 117 | echo "Testing 's2i usage'..." 118 | s2i usage ${s2i_args} ${IMAGE_NAME} &>/dev/null 119 | } 120 | 121 | test_connection() { 122 | echo "Testing HTTP connection..." 123 | local max_attempts=10 124 | local sleep_time=1 125 | local attempt=1 126 | local result=1 127 | while [ $attempt -le $max_attempts ]; do 128 | echo "Sending GET request to http://$(container_ip):${test_port}/" 129 | if (echo "$OSTYPE" | egrep -qs 'darwin'); then 130 | echo "Warning for OSX users: if you can't access the container's IP $(container_ip) directly (because you use boot2docker for example)" 131 | echo "you should run the curl command in a container, for example using:" 132 | echo "docker run --rm -it sequenceiq/alpine-curl curl -s -w %{http_code} -o /dev/null http://$(container_ip):${test_port}/" 133 | fi 134 | response_code=$(curl -s -w %{http_code} -o /dev/null http://$(container_ip):${test_port}/) 135 | status=$? 136 | if [ $status -eq 0 ]; then 137 | if [ $response_code -eq 200 ]; then 138 | result=0 139 | fi 140 | break 141 | fi 142 | attempt=$(( $attempt + 1 )) 143 | sleep $sleep_time 144 | done 145 | return $result 146 | } 147 | 148 | # Build the application image twice to ensure the 'save-artifacts' and 149 | # 'restore-artifacts' scripts are working properly 150 | prepare 151 | run_s2i_build 152 | check_result $? 153 | 154 | # Verify the 'usage' script is working properly 155 | test_usage 156 | check_result $? 157 | 158 | # since this is not a long-running container we don't want to run this in the background 159 | #run_test_application & 160 | run_test_application 161 | check_result $? 162 | 163 | # Wait for the container to write its CID file 164 | wait_for_cid 165 | 166 | # for this application we're not exposing a service so this isn't relevant 167 | #test_connection 168 | #check_result $? 169 | 170 | cleanup 171 | 172 | run_s2i_oc_build 173 | check_result $? 174 | 175 | run_test_oc_application 176 | check_result $? 177 | 178 | cleanup 179 | 180 | -------------------------------------------------------------------------------- /system-container/exports/config.json.template: -------------------------------------------------------------------------------- 1 | { 2 | "ociVersion": "1.0.0", 3 | "platform": { 4 | "os": "linux", 5 | "arch": "amd64" 6 | }, 7 | "process": { 8 | "terminal": false, 9 | "consoleSize": { 10 | "height": 0, 11 | "width": 0 12 | }, 13 | "user": { 14 | "uid": 0, 15 | "gid": 0 16 | }, 17 | "args": [ 18 | "/usr/libexec/s2i/run" 19 | ], 20 | "env": [ 21 | "PATH=/usr/sbin:/usr/bin:/sbin:/bin:/opt/app-root/bin", 22 | "TERM=xterm", 23 | "OPTS=$OPTS", 24 | "PLAYBOOK_FILE=$PLAYBOOK_FILE" 25 | ], 26 | "cwd": "/opt/app-root/src/", 27 | "rlimits": [ 28 | { 29 | "type": "RLIMIT_NOFILE", 30 | "hard": 1024, 31 | "soft": 1024 32 | } 33 | ], 34 | "noNewPrivileges": true 35 | }, 36 | "root": { 37 | "path": "rootfs", 38 | "readonly": true 39 | }, 40 | "mounts": [ 41 | { 42 | "destination": "/proc", 43 | "type": "proc", 44 | "source": "proc" 45 | }, 46 | { 47 | "destination": "/dev", 48 | "type": "tmpfs", 49 | "source": "tmpfs", 50 | "options": [ 51 | "nosuid", 52 | "strictatime", 53 | "mode=755", 54 | "size=65536k" 55 | ] 56 | }, 57 | { 58 | "destination": "/dev/pts", 59 | "type": "devpts", 60 | "source": "devpts", 61 | "options": [ 62 | "nosuid", 63 | "noexec", 64 | "newinstance", 65 | "ptmxmode=0666", 66 | "mode=0620", 67 | "gid=5" 68 | ] 69 | }, 70 | { 71 | "destination": "/dev/shm", 72 | "type": "tmpfs", 73 | "source": "shm", 74 | "options": [ 75 | "nosuid", 76 | "noexec", 77 | "nodev", 78 | "mode=1777", 79 | "size=65536k" 80 | ] 81 | }, 82 | { 83 | "destination": "/dev/mqueue", 84 | "type": "mqueue", 85 | "source": "mqueue", 86 | "options": [ 87 | "nosuid", 88 | "noexec", 89 | "nodev" 90 | ] 91 | }, 92 | { 93 | "destination": "/sys", 94 | "type": "sysfs", 95 | "source": "sysfs", 96 | "options": [ 97 | "nosuid", 98 | "noexec", 99 | "nodev", 100 | "ro" 101 | ] 102 | }, 103 | { 104 | "type": "bind", 105 | "source": "$SSH_ROOT", 106 | "destination": "/opt/app-root/src/.ssh", 107 | "options": [ 108 | "bind", 109 | "rw", 110 | "mode=755" 111 | ] 112 | }, 113 | { 114 | "type": "bind", 115 | "source": "$SSH_ROOT", 116 | "destination": "/root/.ssh", 117 | "options": [ 118 | "bind", 119 | "rw", 120 | "mode=755" 121 | ] 122 | }, 123 | { 124 | "type": "bind", 125 | "source": "$VAR_LIB_PLAYBOOK2IMAGE", 126 | "destination": "/var/lib/playbook2image", 127 | "options": [ 128 | "bind", 129 | "rw", 130 | "mode=755" 131 | ] 132 | }, 133 | { 134 | "type": "bind", 135 | "source": "$VAR_LOG_ANSIBLE_LOG", 136 | "destination": "/var/log/ansible.log", 137 | "options": [ 138 | "bind", 139 | "rw", 140 | "mode=755" 141 | ] 142 | }, 143 | { 144 | "destination": "/root/.ansible", 145 | "type": "tmpfs", 146 | "source": "tmpfs", 147 | "options": [ 148 | "nosuid", 149 | "strictatime", 150 | "mode=755" 151 | ] 152 | }, 153 | { 154 | "destination": "/tmp", 155 | "type": "tmpfs", 156 | "source": "tmpfs", 157 | "options": [ 158 | "nosuid", 159 | "strictatime", 160 | "mode=755" 161 | ] 162 | }, 163 | { 164 | "type": "bind", 165 | "source": "$INVENTORY_FILE", 166 | "destination": "/etc/ansible/hosts", 167 | "options": [ 168 | "bind", 169 | "rw", 170 | "mode=755" 171 | ] 172 | }, 173 | { 174 | "destination": "/etc/resolv.conf", 175 | "type": "bind", 176 | "source": "/etc/resolv.conf", 177 | "options": [ 178 | "ro", 179 | "rbind", 180 | "rprivate" 181 | ] 182 | }, 183 | { 184 | "destination": "/sys/fs/cgroup", 185 | "type": "cgroup", 186 | "source": "cgroup", 187 | "options": [ 188 | "nosuid", 189 | "noexec", 190 | "nodev", 191 | "relatime", 192 | "ro" 193 | ] 194 | } 195 | ], 196 | "hooks": { 197 | 198 | }, 199 | "linux": { 200 | "resources": { 201 | "devices": [ 202 | { 203 | "allow": false, 204 | "access": "rwm" 205 | } 206 | ] 207 | }, 208 | "namespaces": [ 209 | { 210 | "type": "pid" 211 | }, 212 | { 213 | "type": "mount" 214 | } 215 | ], 216 | "maskedPaths": [ 217 | "/proc/kcore", 218 | "/proc/latency_stats", 219 | "/proc/timer_list", 220 | "/proc/timer_stats", 221 | "/proc/sched_debug", 222 | "/sys/firmware" 223 | ], 224 | "readonlyPaths": [ 225 | "/proc/asound", 226 | "/proc/bus", 227 | "/proc/fs", 228 | "/proc/irq", 229 | "/proc/sys", 230 | "/proc/sysrq-trigger" 231 | ] 232 | } 233 | } 234 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Playbook To Image 2 | 3 | A [Source-to-Image (S2I)](https://docs.openshift.org/latest/architecture/core_concepts/builds_and_image_streams.html#source-build) builder image for packaging Ansible playbooks as a self-executing container. 4 | 5 | ## Usage 6 | 7 | Prerequisites: an OpenShiftv3 cluster or [s2i binary](https://github.com/openshift/source-to-image/releases) 8 | 9 | In this workflow we build a new image with our playbook, setup secrets (private ssh key, for example) and create a job to run our playbook image. 10 | 11 | 1. **Build**: Add your playbook to the image. This will create a new image with your playbook sourcecode 12 | * Using OpenShift. In this example we instruct the build script to install the OpenShift CLI so it's available from our playbook: 13 | 14 | oc new-build -e INSTALL_OC=true \ 15 | docker.io/aweiteka/playbook2image~https://github.com/PLAYBOOK/REPO.git 16 | * Using docker: 17 | 1. Using the [example Dockerfile](examples/Dockerfile.example), create a Dockerfile in the playbook repository. 18 | 1. Build the image 19 | 20 | docker build -t IMAGE_NAME . -f Dockerfile.example 21 | * Using s2i CLI tool: 22 | 23 | sudo s2i build https://github.com/PLAYBOOK/REPO.git docker.io/aweiteka/playbook2image NEW_PLAYBOOK_IMAGE_NAME 24 | 1. **Run**: as an [OpenShift Job](https://docs.openshift.org/latest/dev_guide/jobs.html) or with docker via command line 25 | * Using OpenShift: 26 | 1. Create a secret for our ssh private key 27 | 28 | oc secrets new-sshauth sshkey --ssh-privatekey=$HOME/.ssh/id_rsa 29 | 1. Create a new job. Download the [sample-job.yaml](https://raw.githubusercontent.com/openshift/playbook2image/master/examples/sample-job.yaml) file, edit and create the job. 30 | 31 | oc create -f sample-job.yaml 32 | * Using Docker (example command): 33 | 34 | sudo docker run \ 35 | -v ~/.ssh/id_rsa:/opt/app-root/src/.ssh/id_rsa \ 36 | -e OPTS="--become --user cloud-user" \ 37 | -e PLAYBOOK_FILE=PATH_TO_PLAYBOOK \ 38 | -e INVENTORY_URL=URL \ 39 | IMAGE_FROM_BUILD_STEP 40 | 41 | * To run it as a system container see the [README.md](system-container/README.md) under `system-container` for details about why would you want to do this and how to do it. 42 | 43 | ### Runtime Environment Variable Options 44 | 45 | A container run from a *playbook2image* image needs at least these configured options: 46 | 47 | 1. An **inventory**. You *must* specify it using one of these three options: `INVENTORY_FILE` to point to a local path inside the container, `INVENTORY_URL` to download a static inventory file, or `DYNAMIC_SCRIPT_URL` to download a dynamic inventory script. 48 | 1. A **playbook** to run, set via `PLAYBOOK_FILE`. 49 | 1. **ssh keys** mounted into the container (by default these should be in `/opt/app-root/src/.ssh`). 50 | 51 | Below is a list of available options. Ansible itself also allows its [configuration to be controlled via environment variables](http://docs.ansible.com/ansible/intro_configuration.html#environmental-configuration) and some of these are specially relevant for *playbook2image*'s use case so they are also highligted here (starting with `ANSIBLE_*`): 52 | 53 | **`INVENTORY_FILE`** 54 | 55 | Path to the location of the inventory file within the container. It can be a relative path pointing to an inventory provided in the source, or an absolute path to an inventory mounted in the container via a volume. 56 | 57 | **`INVENTORY_URL`** 58 | 59 | URL to inventory file. This is downloaded into the container. 60 | 61 | **`DYNAMIC_SCRIPT_URL`** 62 | 63 | URL to dynamic inventory script. This is downloaded into the container. If the dynamic inventory script is python see **PYTHON_REQUIREMENTS**. 64 | 65 | **`PLAYBOOK_FILE`** 66 | 67 | Relative path to playbook file relative to project source. This is mounted in the container at **/opt/app-root/src/PLAYBOOK_FILE**. 68 | 69 | **`ALLOW_ANSIBLE_CONNECTION_LOCAL`** (optional) 70 | 71 | If set to *false* all `ansible_connection=local` settings in the inventory will be removed. This can help when you want to use an existing inventory file that uses *local* connections to a host: it is likely that an *ssh* connection is a better fit when running from a container. 72 | 73 | **`PYTHON_REQUIREMENTS`** (optional, default 'requirements.txt') 74 | 75 | Relative path to python dependency requirements.txt file to support dynamic inventory script. 76 | 77 | **`ANSIBLE_PRIVATE_KEY_FILE`** (optional, e.g. '/opt/app-root/src/.ssh/id_rsa/ssh-privatekey') 78 | 79 | Container path to mounted private SSH key. For OpenShift this must match the secret volumeMount (see mountPath in [sample-job.yaml](examples/sample-job.yaml)). For docker this must match the bindmount container path, e.g. `-v ~/.ssh/id_rsa:/opt/app-root/src/.ssh/id_rsa`. 80 | 81 | **`OPTS`** (optional) 82 | 83 | List of options appended to ansible-playbook command. An example of commonly used options: 84 | 85 | ``` 86 | OPTS="-vvv --become --user cloud-user" 87 | ``` 88 | 89 | **`VAULT_PASS`** (optional) 90 | 91 | ansible-vault passphrase for decrypting files. This is written to a file and used to decrypt ansible-vault files. 92 | 93 | **`ANSIBLE_HOST_KEY_CHECKING=False`** 94 | 95 | Disable host key checking. See [documentation](http://docs.ansible.com/ansible/intro_getting_started.html#host-key-checking) 96 | 97 | **`WORK_DIR`** (optional) 98 | 99 | If not specified `ansible-playbook` will run from `${APP_HOME}` 100 | directory (`/opt/app-root/src`) where the target repository is mounted. 101 | When relative or absolute path is specified in `WORK_DIR`, `ansible-playbook` 102 | will be launched from `WORK_DIR` directory. That might come in handy for 103 | example if you have roles or `ansible.cfg` in non-root of the repository. 104 | 105 | ### Build time Environment Variable Options 106 | 107 | These options are passed in when building the application (e.g. `oc new-build` or `docker build` or `s2i`) 108 | 109 | `INSTALL_OC` (optional) 110 | 111 | If specified during build (e.g. `oc new-build -e INSTALL_OC=true ...`) the `oc` 112 | [OpenShift client](https://docs.openshift.org/latest/cli_reference/index.html) 113 | binary is downloaded and installed into the resulting image. 114 | 115 | ## Contribute 116 | 117 | **S2I project documentation** 118 | 119 | * [OpenShift docs](https://docs.openshift.org/latest/creating_images/s2i.html) 120 | 121 | * [Creating S2I images blog post](https://blog.openshift.com/create-s2i-builder-image/) 122 | 123 | To run tests you will need to [install the s2i binary](https://github.com/openshift/source-to-image#installation). 124 | 125 | **Running tests** 126 | 127 | ``` 128 | sudo make test 129 | ``` 130 | -------------------------------------------------------------------------------- /test/test-app/ansible.cfg: -------------------------------------------------------------------------------- 1 | # config file for ansible -- http://ansible.com/ 2 | # ============================================== 3 | 4 | # nearly all parameters can be overridden in ansible-playbook 5 | # or with command line flags. ansible will read ANSIBLE_CONFIG, 6 | # ansible.cfg in the current working directory, .ansible.cfg in 7 | # the home directory or /etc/ansible/ansible.cfg, whichever it 8 | # finds first 9 | 10 | [defaults] 11 | 12 | # some basic default values... 13 | 14 | #inventory = /etc/ansible/hosts 15 | #library = /usr/share/my_modules/ 16 | #remote_tmp = $HOME/.ansible/tmp 17 | #local_tmp = $HOME/.ansible/tmp 18 | #forks = 5 19 | #poll_interval = 15 20 | #sudo_user = root 21 | #ask_sudo_pass = True 22 | #ask_pass = True 23 | #transport = smart 24 | #remote_port = 22 25 | #module_lang = C 26 | #module_set_locale = True 27 | 28 | # plays will gather facts by default, which contain information about 29 | # the remote system. 30 | # 31 | # smart - gather by default, but don't regather if already gathered 32 | # implicit - gather by default, turn off with gather_facts: False 33 | # explicit - do not gather by default, must say gather_facts: True 34 | #gathering = implicit 35 | 36 | # by default retrieve all facts subsets 37 | # all - gather all subsets 38 | # network - gather min and network facts 39 | # hardware - gather hardware facts (longest facts to retrieve) 40 | # virtual - gather min and virtual facts 41 | # facter - import facts from facter 42 | # ohai - import facts from ohai 43 | # You can combine them using comma (ex: network,virtual) 44 | # You can negate them using ! (ex: !hardware,!facter,!ohai) 45 | # A minimal set of facts is always gathered. 46 | #gather_subset = all 47 | 48 | # additional paths to search for roles in, colon separated 49 | #roles_path = /etc/ansible/roles 50 | 51 | # uncomment this to disable SSH key host checking 52 | #host_key_checking = False 53 | 54 | # change the default callback 55 | #stdout_callback = skippy 56 | # enable additional callbacks 57 | #callback_whitelist = timer, mail 58 | 59 | # Determine whether includes in tasks and handlers are "static" by 60 | # default. As of 2.0, includes are dynamic by default. Setting these 61 | # values to True will make includes behave more like they did in the 62 | # 1.x versions. 63 | #task_includes_static = True 64 | #handler_includes_static = True 65 | 66 | # change this for alternative sudo implementations 67 | #sudo_exe = sudo 68 | 69 | # What flags to pass to sudo 70 | # WARNING: leaving out the defaults might create unexpected behaviours 71 | #sudo_flags = -H -S -n 72 | 73 | # SSH timeout 74 | #timeout = 10 75 | 76 | # default user to use for playbooks if user is not specified 77 | # (/usr/bin/ansible will use current user as default) 78 | #remote_user = root 79 | 80 | # logging is off by default unless this path is defined 81 | # if so defined, consider logrotate 82 | #log_path = /var/log/ansible.log 83 | 84 | # default module name for /usr/bin/ansible 85 | #module_name = command 86 | 87 | # use this shell for commands executed under sudo 88 | # you may need to change this to bin/bash in rare instances 89 | # if sudo is constrained 90 | #executable = /bin/sh 91 | 92 | # if inventory variables overlap, does the higher precedence one win 93 | # or are hash values merged together? The default is 'replace' but 94 | # this can also be set to 'merge'. 95 | #hash_behaviour = replace 96 | 97 | # by default, variables from roles will be visible in the global variable 98 | # scope. To prevent this, the following option can be enabled, and only 99 | # tasks and handlers within the role will see the variables there 100 | #private_role_vars = yes 101 | 102 | # list any Jinja2 extensions to enable here: 103 | #jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n 104 | 105 | # if set, always use this private key file for authentication, same as 106 | # if passing --private-key to ansible or ansible-playbook 107 | #private_key_file = /path/to/file 108 | 109 | # If set, configures the path to the Vault password file as an alternative to 110 | # specifying --vault-password-file on the command line. 111 | #vault_password_file = /path/to/vault_password_file 112 | 113 | # format of string {{ ansible_managed }} available within Jinja2 114 | # templates indicates to users editing templates files will be replaced. 115 | # replacing {file}, {host} and {uid} and strftime codes with proper values. 116 | #ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} 117 | # This short version is better used in templates as it won't flag the file as changed every run. 118 | #ansible_managed = Ansible managed: {file} on {host} 119 | 120 | # by default, ansible-playbook will display "Skipping [host]" if it determines a task 121 | # should not be run on a host. Set this to "False" if you don't want to see these "Skipping" 122 | # messages. NOTE: the task header will still be shown regardless of whether or not the 123 | # task is skipped. 124 | #display_skipped_hosts = True 125 | 126 | # by default, if a task in a playbook does not include a name: field then 127 | # ansible-playbook will construct a header that includes the task's action but 128 | # not the task's args. This is a security feature because ansible cannot know 129 | # if the *module* considers an argument to be no_log at the time that the 130 | # header is printed. If your environment doesn't have a problem securing 131 | # stdout from ansible-playbook (or you have manually specified no_log in your 132 | # playbook on all of the tasks where you have secret information) then you can 133 | # safely set this to True to get more informative messages. 134 | #display_args_to_stdout = False 135 | 136 | # by default (as of 1.3), Ansible will raise errors when attempting to dereference 137 | # Jinja2 variables that are not set in templates or action lines. Uncomment this line 138 | # to revert the behavior to pre-1.3. 139 | #error_on_undefined_vars = False 140 | 141 | # by default (as of 1.6), Ansible may display warnings based on the configuration of the 142 | # system running ansible itself. This may include warnings about 3rd party packages or 143 | # other conditions that should be resolved if possible. 144 | # to disable these warnings, set the following value to False: 145 | #system_warnings = True 146 | 147 | # by default (as of 1.4), Ansible may display deprecation warnings for language 148 | # features that should no longer be used and will be removed in future versions. 149 | # to disable these warnings, set the following value to False: 150 | #deprecation_warnings = True 151 | 152 | # (as of 1.8), Ansible can optionally warn when usage of the shell and 153 | # command module appear to be simplified by using a default Ansible module 154 | # instead. These warnings can be silenced by adjusting the following 155 | # setting or adding warn=yes or warn=no to the end of the command line 156 | # parameter string. This will for example suggest using the git module 157 | # instead of shelling out to the git command. 158 | # command_warnings = False 159 | 160 | 161 | # set plugin path directories here, separate with colons 162 | #action_plugins = /usr/share/ansible/plugins/action 163 | #callback_plugins = /usr/share/ansible/plugins/callback 164 | #connection_plugins = /usr/share/ansible/plugins/connection 165 | #lookup_plugins = /usr/share/ansible/plugins/lookup 166 | #vars_plugins = /usr/share/ansible/plugins/vars 167 | #filter_plugins = /usr/share/ansible/plugins/filter 168 | #test_plugins = /usr/share/ansible/plugins/test 169 | #strategy_plugins = /usr/share/ansible/plugins/strategy 170 | 171 | # by default callbacks are not loaded for /bin/ansible, enable this if you 172 | # want, for example, a notification or logging callback to also apply to 173 | # /bin/ansible runs 174 | #bin_ansible_callbacks = False 175 | 176 | 177 | # don't like cows? that's unfortunate. 178 | # set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 179 | #nocows = 1 180 | 181 | # set which cowsay stencil you'd like to use by default. When set to 'random', 182 | # a random stencil will be selected for each task. The selection will be filtered 183 | # against the `cow_whitelist` option below. 184 | #cow_selection = default 185 | #cow_selection = random 186 | 187 | # when using the 'random' option for cowsay, stencils will be restricted to this list. 188 | # it should be formatted as a comma-separated list with no spaces between names. 189 | # NOTE: line continuations here are for formatting purposes only, as the INI parser 190 | # in python does not support them. 191 | #cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\ 192 | # hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\ 193 | # stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www 194 | 195 | # don't like colors either? 196 | # set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1 197 | #nocolor = 1 198 | 199 | # if set to a persistent type (not 'memory', for example 'redis') fact values 200 | # from previous runs in Ansible will be stored. This may be useful when 201 | # wanting to use, for example, IP information from one group of servers 202 | # without having to talk to them in the same playbook run to get their 203 | # current IP information. 204 | #fact_caching = memory 205 | 206 | 207 | # retry files 208 | # When a playbook fails by default a .retry file will be created in ~/ 209 | # You can disable this feature by setting retry_files_enabled to False 210 | # and you can change the location of the files by setting retry_files_save_path 211 | 212 | #retry_files_enabled = False 213 | #retry_files_save_path = ~/.ansible-retry 214 | 215 | # squash actions 216 | # Ansible can optimise actions that call modules with list parameters 217 | # when looping. Instead of calling the module once per with_ item, the 218 | # module is called once with all items at once. Currently this only works 219 | # under limited circumstances, and only with parameters named 'name'. 220 | #squash_actions = apk,apt,dnf,package,pacman,pkgng,yum,zypper 221 | 222 | # prevents logging of task data, off by default 223 | #no_log = False 224 | 225 | # prevents logging of tasks, but only on the targets, data is still logged on the master/controller 226 | #no_target_syslog = False 227 | 228 | # controls whether Ansible will raise an error or warning if a task has no 229 | # choice but to create world readable temporary files to execute a module on 230 | # the remote machine. This option is False by default for security. Users may 231 | # turn this on to have behaviour more like Ansible prior to 2.1.x. See 232 | # https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user 233 | # for more secure ways to fix this than enabling this option. 234 | #allow_world_readable_tmpfiles = False 235 | 236 | # controls the compression level of variables sent to 237 | # worker processes. At the default of 0, no compression 238 | # is used. This value must be an integer from 0 to 9. 239 | #var_compression_level = 9 240 | 241 | # controls what compression method is used for new-style ansible modules when 242 | # they are sent to the remote system. The compression types depend on having 243 | # support compiled into both the controller's python and the client's python. 244 | # The names should match with the python Zipfile compression types: 245 | # * ZIP_STORED (no compression. available everywhere) 246 | # * ZIP_DEFLATED (uses zlib, the default) 247 | # These values may be set per host via the ansible_module_compression inventory 248 | # variable 249 | #module_compression = 'ZIP_DEFLATED' 250 | 251 | # This controls the cutoff point (in bytes) on --diff for files 252 | # set to 0 for unlimited (RAM may suffer!). 253 | #max_diff_size = 1048576 254 | 255 | [privilege_escalation] 256 | #become=True 257 | #become_method=sudo 258 | #become_user=root 259 | #become_ask_pass=False 260 | 261 | [paramiko_connection] 262 | 263 | # uncomment this line to cause the paramiko connection plugin to not record new host 264 | # keys encountered. Increases performance on new host additions. Setting works independently of the 265 | # host key checking setting above. 266 | #record_host_keys=False 267 | 268 | # by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this 269 | # line to disable this behaviour. 270 | #pty=False 271 | 272 | [ssh_connection] 273 | 274 | # ssh arguments to use 275 | # Leaving off ControlPersist will result in poor performance, so use 276 | # paramiko on older platforms rather than removing it 277 | #ssh_args = -o ControlMaster=auto -o ControlPersist=60s 278 | 279 | # The path to use for the ControlPath sockets. This defaults to 280 | # "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with 281 | # very long hostnames or very long path names (caused by long user names or 282 | # deeply nested home directories) this can exceed the character limit on 283 | # file socket names (108 characters for most platforms). In that case, you 284 | # may wish to shorten the string below. 285 | # 286 | # Example: 287 | # control_path = %(directory)s/%%h-%%r 288 | #control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r 289 | control_path = %(directory)s/ansible-ssh-%%C 290 | 291 | # Enabling pipelining reduces the number of SSH operations required to 292 | # execute a module on the remote server. This can result in a significant 293 | # performance improvement when enabled, however when using "sudo:" you must 294 | # first disable 'requiretty' in /etc/sudoers 295 | # 296 | # By default, this option is disabled to preserve compatibility with 297 | # sudoers configurations that have requiretty (the default on many distros). 298 | # 299 | #pipelining = False 300 | 301 | # if True, make ansible use scp if the connection type is ssh 302 | # (default is sftp) 303 | #scp_if_ssh = True 304 | 305 | # if False, sftp will not use batch mode to transfer files. This may cause some 306 | # types of file transfer failures impossible to catch however, and should 307 | # only be disabled if your sftp version has problems with batch mode 308 | #sftp_batch_mode = False 309 | 310 | [accelerate] 311 | #accelerate_port = 5099 312 | #accelerate_timeout = 30 313 | #accelerate_connect_timeout = 5.0 314 | 315 | # The daemon timeout is measured in minutes. This time is measured 316 | # from the last activity to the accelerate daemon. 317 | #accelerate_daemon_timeout = 30 318 | 319 | # If set to yes, accelerate_multi_key will allow multiple 320 | # private keys to be uploaded to it, though each user must 321 | # have access to the system via SSH to add a new key. The default 322 | # is "no". 323 | #accelerate_multi_key = yes 324 | 325 | [selinux] 326 | # file systems that require special treatment when dealing with security context 327 | # the default behaviour that copies the existing context or uses the user default 328 | # needs to be changed to use the file system dependent context. 329 | #special_context_filesystems=nfs,vboxsf,fuse,ramfs 330 | 331 | # Set this to yes to allow libvirt_lxc connections to work without SELinux. 332 | #libvirt_lxc_noseclabel = yes 333 | 334 | [colors] 335 | #highlight = white 336 | #verbose = blue 337 | #warn = bright purple 338 | #error = red 339 | #debug = dark gray 340 | #deprecate = purple 341 | #skip = cyan 342 | #unreachable = red 343 | #ok = green 344 | #changed = yellow 345 | #diff_add = green 346 | #diff_remove = red 347 | #diff_lines = cyan 348 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | {one line to give the program's name and a brief idea of what it does.} 635 | Copyright (C) {year} {name of author} 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | {project} Copyright (C) {year} {fullname} 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | --------------------------------------------------------------------------------