From 7711dbe85d4862fde4592ee2f213e9523ca3e509 Mon Sep 17 00:00:00 2001 From: Rich Braun Date: Thu, 30 Apr 2026 13:49:09 -0700 Subject: [PATCH 1/2] SYS-687 ansible updates for Ubuntu 26.04 --- ansible/fileserver-setup.yml | 2 +- ansible/roles/docker_node/defaults/main.yml | 7 +-- .../roles/fileserver/tasks/instantlinux.yml | 1 + .../roles/fileserver/templates/smb.conf.j2 | 2 - ansible/roles/kubernetes/defaults/main.yml | 2 +- ansible/roles/kubernetes/tasks/join.yml | 5 ++ .../mythfrontend/tasks/debian/packages.yml | 60 ++++++++++++++----- .../mythfrontend/tasks/vars/resolute.yml | 2 + ansible/roles/network/defaults/main.yml | 1 + ansible/roles/network/tasks/netplan.yml | 3 +- ansible/roles/ntp/defaults/main.yml | 4 +- ansible/roles/ntp/tasks/main.yml | 26 +++++++- ansible/roles/ntp/templates/ntp.toml.j2 | 26 ++++++++ 13 files changed, 111 insertions(+), 30 deletions(-) create mode 100644 ansible/roles/mythfrontend/tasks/vars/resolute.yml create mode 100644 ansible/roles/ntp/templates/ntp.toml.j2 diff --git a/ansible/fileserver-setup.yml b/ansible/fileserver-setup.yml index 31b8441d..7bb0b9ea 100644 --- a/ansible/fileserver-setup.yml +++ b/ansible/fileserver-setup.yml @@ -15,5 +15,5 @@ - { role: monitoring_agent, tags: nagios } - { role: bind9, tags: bind9 } - { role: ntp, tags: ntp } - - { role: fileserver, tags: fileserver } - { role: volumes, tags: volumes } + - { role: fileserver, tags: fileserver } diff --git a/ansible/roles/docker_node/defaults/main.yml b/ansible/roles/docker_node/defaults/main.yml index 285b16d4..78f7b3b3 100644 --- a/ansible/roles/docker_node/defaults/main.yml +++ b/ansible/roles/docker_node/defaults/main.yml 
@@ -5,7 +5,7 @@ docker_defaults: apt_repo: key: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 package_name: docker-ce - package_ver: 5:29.2.0-1~ubuntu.24.04~noble + package_ver: 5:29.4.1-1~ubuntu.26.04~resolute repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable url: https://download.docker.com/linux/ubuntu/gpg certs: @@ -31,10 +31,6 @@ docker_defaults: max-file: "3" min-api-version: "1.43" storage-driver: overlay2 - # storage-opts: - # - dm.thinpooldev=/dev/mapper/{{ thinpool_vg_alt }}-thinpool - # - dm.use_deferred_removal=false - # - dm.use_deferred_deletion=false tls: True tlscacert: /root/certs/ca-root.pem tlscert: /root/certs/docker-tls-cert.pem @@ -70,6 +66,7 @@ ubuntu_packages: - jq - libpam-google-authenticator - rsync + - ssh-askpass - snmpd - thin-provisioning-tools - uuid-runtime diff --git a/ansible/roles/fileserver/tasks/instantlinux.yml b/ansible/roles/fileserver/tasks/instantlinux.yml index 0ae6550a..d69fd296 100644 --- a/ansible/roles/fileserver/tasks/instantlinux.yml +++ b/ansible/roles/fileserver/tasks/instantlinux.yml @@ -4,6 +4,7 @@ repo: 'https://git.instantlinux.net/richb/instantlinux.git/' dest: /opt/instantlinux update: no + ignore_errors: true - name: Link to usr/lib/ilinux file: diff --git a/ansible/roles/fileserver/templates/smb.conf.j2 b/ansible/roles/fileserver/templates/smb.conf.j2 index e47d454d..e754aa23 100644 --- a/ansible/roles/fileserver/templates/smb.conf.j2 +++ b/ansible/roles/fileserver/templates/smb.conf.j2 @@ -1,9 +1,7 @@ {{ ansible_managed | comment }} [global] bind interfaces only = yes - domain logons = No domain master = No - encrypt passwords = Yes interfaces = {{ samba.interfaces | join(' ') }} log level = {{ samba.log_level }} logon drive = {{ samba.logon_drive }}: diff --git a/ansible/roles/kubernetes/defaults/main.yml b/ansible/roles/kubernetes/defaults/main.yml index 5dcc807d..f075bda0 100644 
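Review bot: `package_ver` is now pinned to `5:29.4.1-1~ubuntu.26.04~resolute` while the `repo:` line two lines below still derives the apt suite from `{{ ansible_distribution_release }}`, so any docker_node host not yet on 26.04 asks apt for a version string that does not exist in its suite and the install fails. Deriving the suffix the same way keeps the pin and the repo in step: `package_ver: "5:29.4.1-1~ubuntu.{{ ansible_distribution_version }}~{{ ansible_distribution_release }}"`. This is inferred from the two lines visible in the hunk; if every docker_node host is upgraded in lockstep the hard-coded suffix is fine.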
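Review bot: `ignore_errors: true` on the git clone masks every failure of that task, including a TLS or authentication error against `git.instantlinux.net`, and the following `Link to usr/lib/ilinux` task then creates a symlink to an `/opt/instantlinux` that may not exist. Register the result and narrow it with `failed_when:` to the one condition being tolerated, or guard the clone with a `stat` of the destination, so real failures still stop the play. The hunk does not show a `version:` on the clone; if none is set elsewhere in the task, what ends up linked into /usr/lib is whatever the remote default branch currently points at, which is worth pinning to a tag or commit.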
--- a/ansible/roles/kubernetes/defaults/main.yml +++ b/ansible/roles/kubernetes/defaults/main.yml @@ -31,7 +31,7 @@ k8s_defaults: name: kubelet state: restarted service_network: 10.96.0.0/12 - version: 1.35.3 + version: 1.35.4 coredns_version: v1.13.1 cni_version: 1.8.0 k8s_override: {} diff --git a/ansible/roles/kubernetes/tasks/join.yml b/ansible/roles/kubernetes/tasks/join.yml index 80f9a8ba..68aa45b7 100644 --- a/ansible/roles/kubernetes/tasks/join.yml +++ b/ansible/roles/kubernetes/tasks/join.yml @@ -1,4 +1,6 @@ --- +# TODO: invoke token create on master to generate token and cert hash + - name: Set kubeadm configuration ansible.builtin.copy: dest: /etc/kubernetes/kubeadm-config.yaml @@ -10,6 +12,8 @@ # Discover host IP rather than service vip, misleading error is: # "could not find a JWS signature in the cluster-info ConfigMap" apiServerEndpoint: "{{ k8s.cplane_hostip }}:6443" + caCertHashes: + - "manually copy from token create --print-join-command" token: "{{ vault_k8s.join_token }}" unsafeSkipCAVerification: True nodeRegistration: @@ -25,6 +29,7 @@ register: reset_cluster when: not kubeadm_ca.stat.exists +# This will fail because of stale token and hash values - name: Join to Kubernetes cluster command: kubeadm join --config /etc/kubernetes/kubeadm-config.yaml register: join_cluster diff --git a/ansible/roles/mythfrontend/tasks/debian/packages.yml b/ansible/roles/mythfrontend/tasks/debian/packages.yml index f6307487..661f8742 100644 --- a/ansible/roles/mythfrontend/tasks/debian/packages.yml +++ b/ansible/roles/mythfrontend/tasks/debian/packages.yml 
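Review bot: The new `caCertHashes` entry is a literal placeholder string, and `unsafeSkipCAVerification: True` two lines below still disables the check, so as far as this hunk shows kubeadm keeps joining whatever answers at `cplane_hostip:6443` without pinning the control-plane CA; a value that is not a `sha256:` digest would also be rejected by kubeadm the moment verification is turned on. Since the token already comes from vault, keep the hash next to it and re-enable verification: `caCertHashes:` / `  - "{{ vault_k8s.ca_cert_hash }}"` and `unsafeSkipCAVerification: false`. The TODO about running `kubeadm token create --print-join-command` on the master could become a task delegated to the control plane that registers the token and hash, instead of hand-copying, and the `# This will fail because of stale token and hash values` comment further down documents a known failure rather than fixing it. The `copy` task that this `content:` belongs to starts outside the hunk.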
@@ -2,32 +2,60 @@ # packages-ubuntu.yml - name: Add the mythtv repo - ansible.builtin.apt_repository: - repo: ppa:mythbuntu/{{ mythtv_version }} + ansible.builtin.deb822_repository: + name: mythbuntu + components: [ main ] + suites: "{{ ansible_distribution_release }}" + types: [ deb ] + uris: https://ppa.launchpadcontent.net/mythbuntu/{{ mythtv_version }}/ubuntu + signed_by: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x517f4b7559621884dcd9c61960af0ee633670609 + register: repo1 -- name: Import repository keys for additional repos - apt_key: - id: "{{ item.value }}" - keyserver: keyserver.ubuntu.com - with_dict: "{{ ubuntu_apt_keys }}" +- name: Add the graphics drivers repo + ansible.builtin.deb822_repository: + name: graphics + components: [ main ] + suites: "{{ ansible_distribution_release }}" + types: [ deb ] + uris: https://ppa.launchpadcontent.net/graphics-drivers/ppa/ubuntu + signed_by: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x2388FF3BE10A76F638F80723FCAE110B1118213C + register: repo2 -- name: Ensure repositories available - apt_repository: - repo: "{{ item }}" - filename: ubuntu - with_items: "{{ ubuntu_repos }}" +- name: Add the google chrome repo + ansible.builtin.deb822_repository: + name: chrome + components: [ main ] + suites: stable + types: [ deb ] + uris: https://dl.google.com/linux/chrome/deb/ + signed_by: https://dl.google.com/linux/linux_signing_key.pub + register: repo3 + +- name: Ensure ubuntu distro sources are available + ansible.builtin.deb822_repository: + name: ubuntu + components: [ main, restricted, universe, multiverse ] + suites: + - "{{ansible_distribution_release }}" + - "{{ansible_distribution_release }}-updates" + - "{{ansible_distribution_release }}-backports" + - "{{ansible_distribution_release }}-security" + types: [ deb ] + uris: http://mirrors.accretive-networks.net/ubuntu/ + signed_by: /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg + register: repo4 - name: Update repository sources - apt: + 
ansible.builtin.apt: update_cache: yes - cache_valid_time: 86400 + when: repo1.changed or repo2.changed or repo3.changed or repo4.changed - name: Install system packages - apt: + ansible.builtin.apt: name: "{{ ubuntu_packages }}" - name: Remove akonadi-dependent packages - apt: + ansible.builtin.apt: autoremove: yes name: - akonadi-server diff --git a/ansible/roles/mythfrontend/tasks/vars/resolute.yml b/ansible/roles/mythfrontend/tasks/vars/resolute.yml new file mode 100644 index 00000000..c4164350 --- /dev/null +++ b/ansible/roles/mythfrontend/tasks/vars/resolute.yml @@ -0,0 +1,2 @@ +--- +x11_config_path: /usr/share/X11/xorg.conf.d diff --git a/ansible/roles/network/defaults/main.yml b/ansible/roles/network/defaults/main.yml index c257f750..98cccaf0 100644 --- a/ansible/roles/network/defaults/main.yml +++ b/ansible/roles/network/defaults/main.yml @@ -15,6 +15,7 @@ network_defaults: mode: dhcp nameservers: "{{ hostvars[inventory_hostname]['ansible_dns']['nameservers'] }}" netmask: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['netmask'] }}" + optional: false routes: - to: default via: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['gateway'] }}" diff --git a/ansible/roles/network/tasks/netplan.yml b/ansible/roles/network/tasks/netplan.yml index 55164d27..f605a97a 100644 --- a/ansible/roles/network/tasks/netplan.yml +++ b/ansible/roles/network/tasks/netplan.yml @@ -5,7 +5,8 @@ {'network': {'ethernets': {network.interface: { 'addresses': network.addresses, 'dhcp4': False, - 'gateway4': network.gateway, + 'optional': network.optional, + 'routes': network.routes, 'nameservers': { 'search': ansible_dns.search, 'addresses': network.nameservers}}}}}, diff --git a/ansible/roles/ntp/defaults/main.yml b/ansible/roles/ntp/defaults/main.yml index 51fa852a..7e2681aa 100644 --- a/ansible/roles/ntp/defaults/main.yml +++ b/ansible/roles/ntp/defaults/main.yml 
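Review bot: The three PPA/Chrome repos pass `signed_by` as a URL, so every run fetches the signing key from keyserver.ubuntu.com or dl.google.com and trusts what comes back; the keyserver lookups are at least addressed by full fingerprint, but as far as I can tell the module does not verify the returned key against that fingerprint, and `linux_signing_key.pub` is whatever Google currently publishes. Shipping the armored keys in the role's `files/` and handing them to `signed_by` as a path or inline key text removes the runtime dependency on a third-party key server and makes key rotation an explicit, reviewable change. Separately, dropping `cache_valid_time: 86400` and gating `update_cache` on `repoN.changed` means a host whose repos are already configured never refreshes the apt index before `Install system packages`, so a package published after the last refresh fails to resolve; keep `update_cache: yes` with `cache_valid_time: 86400` on the install task. The `{{ansible_distribution_release }}` suites are also missing the opening space, which the pinned ansible-lint will likely flag.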
@@ -12,11 +12,11 @@ ntp_defaults: - 2.pool.ntp.org service: enabled: yes - name: "{{ 'ntp' if ansible_os_family == 'Debian' else 'ntpd' }}" + name: "{{ 'ntpd-rs' if ansible_os_family == 'Debian' else 'ntpd' }}" state: restarted ntp_override: {} ntp: "{{ ntp_defaults | combine(ntp_override) }}" ubuntu_packages: - - ntp + - ntpd-rs diff --git a/ansible/roles/ntp/tasks/main.yml b/ansible/roles/ntp/tasks/main.yml index a5b7c46b..c454c3d1 100644 --- a/ansible/roles/ntp/tasks/main.yml +++ b/ansible/roles/ntp/tasks/main.yml @@ -31,9 +31,31 @@ dest: /etc/ntpsec/ntp.conf src: ntp.conf.j2 notify: Restart ntpd - when: ntp.service.enabled and ansible_distribution_version >= '24.04' + when: ntp.service.enabled and ansible_distribution_version == '24.04' + +- name: Override directory for ntp-rs systemd unit file + file: + dest: /etc/systemd/system/ntpd-rs.service.d + state: directory + when: ntp.service.enabled and ansible_distribution_version >= '26.04' + +- name: Allow ntp-rs to bind on port 123 + copy: + dest: /etc/systemd/system/ntpd-rs.service.d/override.conf + content: | + [Service] + AmbientCapabilities=CAP_SYS_TIME CAP_NET_BIND_SERVICE + when: ntp.service.enabled and ansible_distribution_version >= '26.04' + +- name: ntp-rs config + ansible.builtin.template: + dest: /etc/ntpd-rs/ntp.toml + src: ntp.toml.j2 + notify: Restart ntpd + when: ntp.service.enabled and ansible_distribution_version >= '26.04' - name: NTP service - ansible.builtin.service: + ansible.builtin.systemd: enabled: "{{ ntp.service.enabled }}" name: "{{ ntp.service.name }}" + daemon_reload: yes diff --git a/ansible/roles/ntp/templates/ntp.toml.j2 b/ansible/roles/ntp/templates/ntp.toml.j2 new file mode 100644 index 00000000..75ed6b98 --- /dev/null +++ b/ansible/roles/ntp/templates/ntp.toml.j2 
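Review bot: `service.name` and `ubuntu_packages` now select `ntpd-rs` for every Debian-family host, but tasks/main.yml on this same page still templates `/etc/ntpsec/ntp.conf` for hosts with `ansible_distribution_version == '24.04'`, so a 24.04 host gets the ntpd-rs package and unit enabled while its configuration goes to ntpsec. Gate both on the same boundary the tasks use, e.g. `name: "{{ 'ntpd-rs' if ansible_distribution_version is version('26.04', '>=') else 'ntp' }}"` inside the Debian branch and the same expression for the package entry, or drop the 24.04 ntpsec path if no such host remains. What the `Restart ntpd` handler restarts after this rename is outside the hunk and should be checked against the new unit name.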
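Review bot: The `when:` guards on the three new tasks compare `ansible_distribution_version` to `'26.04'` as plain strings, which is lexical rather than numeric (`'9.10' >= '26.04'` is true), and the ntpsec branch was narrowed from `>= '24.04'` to `== '24.04'`, so 24.10/25.x hosts now match neither branch and keep whatever config they had; use the version test, `when: ntp.service.enabled and ansible_distribution_version is version('26.04', '>=')`. The drop-in granting `CAP_SYS_TIME CAP_NET_BIND_SERVICE` has no `notify: Restart ntpd`, so a changed capability set only takes effect on some later restart, and if the packaged unit also restricts `CapabilityBoundingSet` (not visible here) the same capability may need adding there. Setting `mode: "0644"` on the override file and its directory would also stop the unit drop-in from depending on the controller's umask.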
@@ -0,0 +1,26 @@ +{{ ansible_managed | comment }} +[observability] +log-level = "info" +observation-path = "/var/run/ntpd-rs/observe" + +{% if 'servers' in ntp %} +{% for server in ntp.servers %} +[[source]] +mode = "server" +address = "{{ server }}" +{% endfor %} +{% endif %} +{% if 'pool' in ntp %} +{% for server in ntp.pool %} +[[source]] +mode = "pool" +address = "{{ server }}" +count = 4 +{% endfor %} +{% endif %} + +[[server]] +listen = "0.0.0.0:123" + +[synchronization] +single-step-panic-threshold = 1800 From ff6b3c3d46b01cd6cf194ed6ef520bf1d0644a7e Mon Sep 17 00:00:00 2001 From: Rich Braun Date: Thu, 30 Apr 2026 13:52:15 -0700 Subject: [PATCH 2/2] SYS-687 wip --- ansible/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/requirements.txt b/ansible/requirements.txt index ec9f69a2..0fa8429a 100644 --- a/ansible/requirements.txt +++ b/ansible/requirements.txt @@ -1,3 +1,3 @@ ansible==12.3.0 ansible-lint==26.1.1 -pip==26.0 +pip==26.1
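Review bot: `[[server]]` with `listen = "0.0.0.0:123"` turns every host this role is applied to into an NTP server reachable on all IPv4 interfaces with no access control; hosts that only need to be clients should get no `[[server]]` table at all, and the ones that do serve should be limited to the internal interface and, where the installed ntpd-rs supports it, an allowlist/denylist under the server table (check the version's docs for the exact keys). Wrapping the block in `{% if ntp.serve | default(false) %}` with `listen = "{{ ntp.listen | default('0.0.0.0:123') }}"` keeps one template usable for both cases. The upstream sources are plain `mode = "server"`/`"pool"`, so time is accepted unauthenticated; ntpd-rs supports NTS (`mode = "nts"`) for upstreams that offer it and is worth using where the chosen servers do. `single-step-panic-threshold = 1800` is a deliberate policy choice and deserves a comment saying why a 30-minute step is acceptable on these hosts.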