Merge pull request #1 from RSE-Cambridge/feat/add-broadcom-driver-to-…

…linux-common

Feat/add broadcom driver to linux common

.github/workflows/build_test_images.yaml

@@ -88,7 +88,7 @@ jobs:
         run: sudo guestmount -a ${{ steps.publish-image.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.publish-image.outputs.image-name }}'
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.17.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: fs
           scan-ref: "./${{ steps.publish-image.outputs.image-name }}"
@@ -104,7 +104,7 @@ jobs:
           category: "${{ matrix.name }}"
 
       - name: Fail if scan has CRITICAL vulnerabilities
-        uses: aquasecurity/trivy-action@0.16.1
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: fs
           scan-ref: "./${{ steps.publish-image.outputs.image-name }}"

.github/workflows/pr.yaml

@@ -15,8 +15,8 @@ jobs:
   fail_on_remote:
     runs-on: ubuntu-latest
     steps:
-      - name: PR must be from a branch in the azimuth-cloud/azimuth-images repo
-        run: exit ${{ github.repository == 'azimuth-cloud/azimuth-images' && '0' || '1' }}
+      - name: PR must be from a branch in the RSE-Cambridge/azimuth-images repo
+        run: exit ${{ github.repository == 'RSE-Cambridge/azimuth-images' && '0' || '1' }}
 
   # Build, publish and test the images
   build_test_images:

ansible/jupyter-repo2docker.yml

@@ -3,4 +3,5 @@
 - hosts: all
   become: yes
   roles:
+    - linux-common
     - jupyter-repo2docker

ansible/kubernetes.yml

@@ -3,6 +3,6 @@
 - hosts: all
   become: yes
   roles:
-    - linux-volumes-by-tag
+    - linux-common
 
 - import_playbook: ../vendor/image-builder/images/capi/ansible/node.yml

ansible/linux-rdp-gateway.yml

@@ -3,4 +3,5 @@
 - hosts: all
   become: yes
   roles:
+    - linux-common
     - linux-rdp-gateway

ansible/linux-rstudio.yml

@@ -3,4 +3,5 @@
 - hosts: all
   become: yes
   roles:
+    - linux-common
     - linux-rstudio

ansible/linux-webconsole.yml

@@ -3,4 +3,5 @@
 - hosts: all
   become: yes
   roles:
+    - linux-common
     - linux-webconsole

ansible/roles/jupyter-repo2docker/tasks/main.yml

@@ -1,27 +1,5 @@
 ---
 
-- name: Update apt cache
-  apt:
-    update_cache: yes
-  when: ansible_os_family == "Debian"
-
-- name: Ensure up-to-date CA certificates
-  package:
-    name: ca-certificates
-    state: latest
-
-# Required for become to an unprivileged user to work
-# Using the apt module seems to work more reliably than package :-/
-- name: Install ACL package
-  apt:
-    update_cache: yes
-    name: acl
-    state: present
-  when: ansible_os_family == "Debian"
-
-- include_role:
-    name: azimuth_cloud.image_utils.linux_ansible_init
-
 - include_role: 
     name: linux-podman
     tasks_from: install.yml

ansible/roles/linux-broadcom/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+  - name: Install pre-requisites
+    ansible.builtin.apt:
+      pkg:
+        - dctrl-tools
+        - gcc-12
+        - cpp-12
+        - libgcc-12-dev
+        - libasan8
+        - libtsan2
+        - dkms
+      state: latest    
+
+  - name: Install the broadcom driver for NetXtreme-E Ethernet
+    ansible.builtin.apt:
+      deb: https://object.arcus.openstack.hpc.cam.ac.uk/swift/v1/AUTH_7ac3c0a502cd46c783b2128116165566/bcom-nxe-drivers/netxtreme-peer-mem-dkms_229.2.49.0_all.deb
+      state: present

ansible/roles/linux-common/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Update apt cache
+  apt:
+    update_cache: true
+  when: ansible_os_family == "Debian"
+
+- name: Ensure up-to-date CA certificates
+  package:
+    name: ca-certificates
+    state: latest
+
+# Required for become to an unprivileged user to work
+# Using the apt module seems to work more reliably than package :-/
+- name: Install ACL package
+  apt:
+    update_cache: true
+    name: acl
+    state: present
+  when: ansible_os_family == "Debian"
+
+# Enables the ansible-init system, but does not install any default playbooks
+- include_role:
+    name: azimuth_cloud.image_utils.linux_ansible_init
+
+# Enables volumes to be referred to by tag for setting up mounts in cloud-config
+- include_role:
+    name: linux-volumes-by-tag
+
+# Install the Broadcom network driver for NetXtreme-E Ethernet
+- include_role:
+    name: linux-broadcom

ansible/roles/linux-rdp-gateway/tasks/main.yml

@@ -1,27 +1,5 @@
 ---
 
-- name: Update apt cache
-  apt:
-    update_cache: yes
-  when: ansible_os_family == "Debian"
-
-- name: Ensure up-to-date CA certificates
-  package:
-    name: ca-certificates
-    state: latest
-
-# Required for become to an unprivileged user to work
-# Using the apt module seems to work more reliably than package :-/
-- name: Install ACL package
-  apt:
-    update_cache: yes
-    name: acl
-    state: present
-  when: ansible_os_family == "Debian"
-
-- include_role:
-    name: azimuth_cloud.image_utils.linux_ansible_init
-
 - include_role: 
     name: linux-podman
     tasks_from: install.yml

ansible/roles/linux-rstudio/tasks/main.yml

@@ -1,27 +1,5 @@
 ---
 
-- name: Update apt cache
-  apt:
-    update_cache: yes
-  when: ansible_os_family == "Debian"
-
-- name: Ensure up-to-date CA certificates
-  package:
-    name: ca-certificates
-    state: latest
-
-# Required for become to an unprivileged user to work
-# Using the apt module seems to work more reliably than package :-/
-- name: Install ACL package
-  apt:
-    update_cache: yes
-    name: acl
-    state: present
-  when: ansible_os_family == "Debian"
-
-- include_role:
-    name: azimuth_cloud.image_utils.linux_ansible_init
-
 - include_role: 
     name: linux-podman
     tasks_from: install.yml

ansible/roles/linux-webconsole/tasks/main.yml

@@ -17,25 +17,6 @@
     - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
     - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
 
-- name: Update apt cache
-  apt:
-    update_cache: true
-  when: ansible_os_family == "Debian"
-
-- name: Ensure up-to-date CA certificates
-  package:
-    name: ca-certificates
-    state: latest
-
-# Required for become to an unprivileged user to work
-# Using the apt module seems to work more reliably than package :-/
-- name: Install ACL package
-  apt:
-    update_cache: true
-    name: acl
-    state: present
-  when: ansible_os_family == "Debian"
-
 - name: Add apptainer repository
   apt_repository:
     repo: 'ppa:apptainer/ppa'
@@ -51,9 +32,6 @@
     - include_tasks: vnc_server.yml
   when: desktop_enabled is defined and desktop_enabled
 
-- include_role:
-    name: azimuth_cloud.image_utils.linux_ansible_init
-
 - include_role: 
     name: linux-podman
     tasks_from: install.yml

bin/publish-image

@@ -21,7 +21,7 @@ cosign sign-blob "${IMAGE_NAME}.qcow2" --bundle "${IMAGE_NAME}.cosign.bundle" -y
 # test the bundle works validates
 cosign verify-blob "${IMAGE_NAME}.qcow2" --bundle "${IMAGE_NAME}.cosign.bundle" \
   --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
-  --certificate-identity-regexp="https://github.com/azimuth-cloud/azimuth-images/.github/.*"
+  --certificate-identity-regexp="https://github.com/RSE-Cambridge/azimuth-images/.github/.*"
 
 # Upload the compressed image to S3
 cat <<EOF > ~/.s3cfg

vars/arcus/common.json

@@ -1,5 +1,5 @@
 {
-  "network": "97ed78b5-156c-441c-9fcb-5a26c8a4ed26",
-  "flavor": "vm.azimuth.ci.ec1.medium",
+  "network": "5e8d514a-1943-42e4-a757-6c533c343ece",
+  "flavor": "vm.v1.small",
   "volume_type": "arcus-ceph01-rbd"
 }

vars/arcus/linux.json

@@ -1,3 +1,3 @@
 {
-  "security_groups": ["default", "ssh-anywhere"]
+  "security_groups": ["default", "external"]
 }