bfdc69b90e
A long long time ago we globally removed snapd. Then we started to use it to install kubectl so snapd was added back to things. Then we stopped using kubectl snaps relying on openshift tooling instead. When we did that we removed the removal of snapd. This means that new servers come with snapd and don't get it removed. In theory this is a safe change because nothing we deploy should be relying on snaps. However, I'm not entirely sure how to audit that to be 100% sure. We should probably try to double check this a bit more before deploying it. Change-Id: I0441bda5beb018eb0a85dcdefa7f54c0c2d7ade4
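# Installs the 95disable-recommends drop-in into apt's configuration
# directory. Per the task name it stops apt from pulling in Recommends and
# Suggests packages, which keeps the installed package set (and what has to
# be patched) small; the drop-in's content is not shown in this file.
- name: Disable install of additional recommends and suggests packages
  copy:
    src: 95disable-recommends
    # Trailing slash: the file keeps its source name inside this directory.
    dest: /etc/apt/apt.conf.d/
    owner: root
    group: root
    # Quoted so the mode reaches Ansible as a string and does not depend on
    # how the YAML parser types a leading-zero integer.
    mode: "0444"
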
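# NOTE(ianw) There are ordering issues with this. Hopefully when
# we're bionic only we can just remove ntp
#
# Releases older than 18.04 get the ntp package for time synchronisation.
# Accurate clocks matter for log correlation and certificate validation.
- name: Install NTP
  when: ansible_distribution_version is version('18.04', '<')
  block:
    - name: Install ntp
      package:
        name: ntp
        state: present

    - name: Ensure NTP service is running
      service:
        name: ntp
        # Canonical boolean; "yes" is only a boolean under YAML 1.1 rules.
        enabled: true
        state: started
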
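# On 18.04 and later the ntp package is removed and systemd-timesyncd is
# used instead, so only one time-sync service is present on the host.
- name: Remove ntp and run timesyncd
  when: ansible_distribution_version is version('18.04', '>=')
  block:
    - name: Remove ntp
      package:
        name: ntp
        state: absent

    - name: Ensure systemd-timesyncd is running
      service:
        name: systemd-timesyncd
        # Canonical boolean; "yes" is only a boolean under YAML 1.1 rules.
        enabled: true
        state: started
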
# Strip packages that serve no purpose on these servers; every package
# removed is one less agent or daemon to patch and monitor.
# On apt-based hosts "absent" removes the package without purging its
# configuration files, so leftovers under /etc are expected.
- name: Remove packages that make no sense for our servers
  package:
    state: absent
    name:
      - apport
      - whoopsie
      - popularity-contest
      - lxd
      - lxd-client
      - cloud-init
      - open-vm-tools
      # Nothing deployed here is expected to rely on snaps; confirm that a
      # host has no snaps in use before this first runs against it.
      - snapd

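# Remove dependencies that are no longer needed, e.g. those orphaned by
# the package removals earlier in this file. The apt module's autoremove
# option replaces the raw "apt-get autoremove -y" command so that Ansible
# can derive the task's changed status from apt instead of always
# reporting a change.
- name: Get rid of extra depends
  apt:
    autoremove: true
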
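# Installs the open-file limit drop-in read by pam_limits.
- name: Configure file limits
  copy:
    src: debian_limits.conf
    dest: /etc/security/limits.d/60-nofile-limit.conf
    # Explicit root ownership, matching the other copy tasks in this file,
    # so the result does not depend on which user the play connects as.
    owner: root
    group: root
    # Quoted so the mode reaches Ansible as a string and does not depend on
    # how the YAML parser types a leading-zero integer.
    mode: "0644"
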
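# The next two files share a source file. Different packages manage
# each of these and we do not want them to get out of sync with each
# other as that can impact the configuration that apt sees based on
# priority rules. We address this by making the two files have the same
# content.
- name: Install apt-daily 10periodic file for unattended-upgrades
  copy:
    src: XYperiodic-updates
    dest: /etc/apt/apt.conf.d/10periodic
    owner: root
    group: root
    # Read-only for everyone; quoted so the mode reaches Ansible as a
    # string rather than a YAML-typed leading-zero integer.
    mode: "0444"
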
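# Same source file as /etc/apt/apt.conf.d/10periodic, so apt sees identical
# periodic-update settings whichever of the two files takes priority.
- name: Install 20auto-upgrades file for unattended-upgrades
  copy:
    src: XYperiodic-updates
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    # Read-only for everyone; quoted so the mode reaches Ansible as a
    # string rather than a YAML-typed leading-zero integer.
    mode: "0444"
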
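# Installs the unattended-upgrades policy file. Its content is not shown in
# this file; review it separately, since it decides which updates are
# applied automatically.
- name: Install 50unattended-upgrades file for unattended-upgrades
  copy:
    src: 50unattended-upgrades
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
    # Read-only for everyone; quoted so the mode reaches Ansible as a
    # string rather than a YAML-typed leading-zero integer.
    mode: "0444"
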
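# Installs a compiler toolchain and development headers, but only on
# aarch64. Per the task name this is for architectures without prebuilt
# wheels -- presumably so Python packages can be built from source there;
# confirm against the consumers of this role.
- name: Ensure required build packages for non-wheel architectures
  when: ansible_architecture == 'aarch64'
  apt:
    # Canonical boolean; "yes" is only a boolean under YAML 1.1 rules.
    update_cache: true
    name:
      - libffi-dev
      - libssl-dev
      - build-essential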