Add ansible provisioner to Linux builds (#117)

re: #54
- Adds the`ansible` provisioner for preparation of **Linux** builds.
   - Updates guest operating system.
   - Adds additional packages.
   - Adds CA certificate to trust authority.
- Removes use of the `file` provisioner for certificates.
- Removes Ansible steps from scripts (more to follow).
- Updates the README.md.
- Requires Ansible 2.9 or higher on the system running Packer.
- Cleanup of `build.sh`.

README.md

@@ -58,18 +58,22 @@ The following builds are available:
 **Operating Systems**:
 * Ubuntu Server 20.04 LTS
 * macOS Big Sur (Intel)
-* Microsoft Windows Server 2019
 
     > Operating systems and versions tested with the repository examples.
 
 **Additional Software Packages**:
 * [Git][download-git] command line tools.
+  - Ubuntu: `apt-get install git`
+  - macOS: `brew install git` 
+* [Ansible][ansible-docs] 2.9 or higher.
+  - Ubuntu: `apt-get install ansible`
+  - macOS: `brew install ansible`
 * A command-line .iso creator. Packer will use one of the following:
-  - **xorriso** (Ubuntu: `apt-get install xorriso`)
-  - **mkisofs** (Ubuntu: `apt-get install mkisofs`)
-  - **hdiutil** (macOS)
-  - **oscdimg** (Windows: requires Windows ADK)
-* Coreutils (macOS `brew install coreutils`)
+  - **xorriso** on Ubuntu: `apt-get install xorriso`
+  - **mkisofs** on Ubuntu: `apt-get install mkisofs`
+  - **hdiutil** on macOS: native
+* Coreutils 
+  - macOS: `brew install coreutils`
 
 **Platform**:
 * VMware Cloud Foundation 4.2 or higher, or
@@ -97,6 +101,24 @@ The directory structure of the repository.
 ├── LICENSE
 ├── NOTICE
 ├── README.md
+├── ansible
+│   ├── roles
+│   │   └── <role>
+│   │       ├── defaults
+│   │       │   └── main.yml
+│   │       ├── files
+│   │       │   └── root-ca.p7b.example
+│   │       ├── handlers
+│   │       │   └── main.yml
+│   │       ├── meta
+│   │       │   └── main.yml
+│   │       ├── tasks
+│   │       │   └── main.yml
+│   │       │   └── *.yml
+│   │       └── vars
+│   │           └── main.yml
+│   ├── ansible.cfg
+│   └── main.yml
 ├── builds
 │   ├── ansible.pkvars.hcl.example
 │   ├── build.pkvars.hcl.example
@@ -105,19 +127,18 @@ The directory structure of the repository.
 │   ├── rhsm.pkvars.hcl.example
 │   ├── vsphere.pkvars.hcl.example
 │   ├── linux
-│   │   └── distribution-version
+│   │   └── <distribution-version>
 │   │       ├── *.pkr.hcl
 │   │       ├── *.auto.pkrvars.hcl
 │   │       └── data
 │   │           └── ks.pkrtpl.hcl
 │   └── windows
-│       └── version
+│       └── <version>
 │           ├── *.pkr.hcl
 │           ├── *.auto.pkrvars.hcl
 │           └── data
 │               └── autounattend.pkrtpl.hcl
 ├── certificates
-│   ├── root-ca.crt.example
 │   └── root-ca.p7b.example
 ├── manifests
 └── scripts
@@ -127,10 +148,13 @@ The directory structure of the repository.
         └── *.ps1
 ```
 The files are distributed in the following directories.
-* **`builds`** - contains the build templates, variables, and configuration files.
-* **`scripts`** - contains scripts that are used to initialize and prepare the machine image builds.
-* **`certificates`** - contains the Trusted Root Authority certificates.
-* **`manifests`** - manifests created after the completion of each build.
+* **`ansible`** - contains the Ansible roles to initialize and prepare the machine image build.
+* **`builds`** - contains the templates, variables, and configuration files for the machine image build.
+* **`scripts`** - contains the scripts to initialize and prepare the machine image build.
+* **`certificates`** - contains the Trusted Root Authority certificates for Windows build.
+* **`manifests`** - manifests created after the completion of the machine image build.
+
+> **NOTE**: The project is transitioning to use Ansible instead of scripts, where possible.
 
 ### Step 2 - Download the Guest Operating Systems ISOs
 
@@ -370,7 +394,7 @@ rhsm_username = "rainpole"
 rhsm_password = "<plaintext_password>"
 ```
 
-These variables are **only** used if you are performing a Red Hat Enterprise Linux Server build to register the image with Red Hat Subscription Manager and run a `sudo dnf update -y` within the shell provisioner. Before the build completes, the machine image is unregistered from Red Hat Subscription Manager.
+These variables are **only** used if you are performing a Red Hat Enterprise Linux Server build and are used to register the image with Red Hat Subscription Manager during the build for system updates and package installation. Before the build completes, the machine image is unregistered from Red Hat Subscription Manager.
 
 #### **vSphere Variables**
 
@@ -464,15 +488,15 @@ By default, each unattended file set the **Product Key** to use the [KMS client
 
 ### Step 5 - Configure Certificates
 
-Save a copy of your Root Certificate Authority certificate to `/certificates` in `.crt` and `.p7b` formats.
-
-These files are copied to the guest operating systems with a Packer file provisioner; after which, the a shell provisioner adds the certificate to the Trusted Certificate Authority of the guest operating system.
+Save a copy of your Root Certificate Authority certificate to the following in `.crt` and `.p7b` formats.
+- `/ansible/roles/base/files` for Linux machine images.
+- `/certificates` for Windows machine images.
 
->**NOTE**: If you do not wish to install the certificates on the guest operating systems, comment or remove the portion of the associated script in the `/scripts` directory and the file provisioner from the `prk.hcl` file for each build. If you need to add an intermediate certificate, add the certificate to `/certificates` and update the shell provisioner scripts in the `scripts` directory with your requirements.
+These files are copied to the guest operating systems and added the certificate to the Trusted Certificate Authority of the guest operating system. Linux distributions uses the Ansible provisioner, but Windows still uses the shell provisioner at this time.
 
 ## Build
 
-Start a pre-defined build by running the build script (`./build.sh`). The script presents a menu the which simply calls Packer and the respective build(s).
+Start a build by running the build script (`./build.sh`). The script presents a menu the which simply calls Packer and the respective build(s).
 
 Example: Menu for `./build.sh`.
 ```
@@ -541,7 +565,7 @@ rainpole@macos windows-server-2022> packer build -force \
 ```
 Happy building!!!
 
- -- Your friends at rainpole.io.
+ -- Your friends at github.com/rainpole.
 
 ## Troubleshoot
 
@@ -558,6 +582,7 @@ Happy building!!!
 
 [//]: Links
 
+[ansible-docs]: https://docs.ansible.com
 [cloud-init]: https://cloudinit.readthedocs.io/en/latest/
 [credits-maher-alasfar-twitter]: https://twitter.com/vmwarelab
 [credits-maher-alasfar-github]: https://github.com/vmwarelab/cloud-init-scripts

ansible/ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+command_warnings = false
+display_skipped_hosts = false
+ansible_python_interpreter = /usr/bin/python3

ansible/main.yml

@@ -0,0 +1,14 @@
+---
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+- hosts: all
+  debugger: never
+  gather_facts: yes
+  become: yes
+  become_method: sudo
+  roles:
+    - base

ansible/roles/base/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# Defaults for base.

ansible/roles/base/handlers/main.yml

@@ -0,0 +1,15 @@
+---
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+- name: Ubuntu - Updating the certificate authority trust.
+  shell: update-ca-certificates
+
+- name: RedHat - Updating the certificate authority trust.
+  shell: update-ca-trust extract
+
+- name: VMware Photon OS - Updating the certificate authority trust.
+  shell: rehash_ca_certificates.sh

ansible/roles/base/meta/main.yml

@@ -0,0 +1 @@
+dependencies: []

ansible/roles/base/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+- name: Prepare {{ ansible_facts['distribution'] }} distribution.
+  include_tasks: "{{ ansible_facts['distribution'] | lower }}.yml"         
+  when: ansible_facts['distribution'] == 'Ubuntu'
+
+- name: Prepare {{ ansible_facts['distribution'] }} distribution.
+  ### Generalized since Rocky Linux and AlmaLinux do not report `os_family` as `RedHat` in some versions of Ansible.
+  include_tasks: "redhat.yml"
+  when: ansible_facts['distribution'] in ['RedHat', 'CentOS', 'Rocky', 'AlmaLinux']
+
+- name: Prepare {{ ansible_facts['os_family'] }} distribution.
+  include_tasks: "{{ ansible_facts['lsb']['codename'] | lower }}.yml"
+  when: ansible_facts['os_family'] == 'VMware Photon OS'

ansible/roles/base/tasks/photon.yml

@@ -0,0 +1,44 @@
+---
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+- name: "{{ ansible_facts['distribution'] }} - Updating the guest operating system."
+  command: "{{item}}"
+  with_items:
+    ### ----------------------------------------------- ###
+    ### Required due to a bug in VMware Photon OS 4.0.  ###
+    - tdnf -y remove minimal
+    - rpm -e --noscripts systemd-udev-247.3-1.ph4
+    ### ----------------------------------------------- ###
+    - tdnf clean all
+    - tdnf makecache
+    - tdnf -y update
+  args:
+    warn: false
+
+- name: "{{ ansible_facts['distribution'] }} - Installing additional packages."
+  command: |
+    tdnf -y install \
+    minimal \
+    logrotate \
+    wget \
+    git \
+    unzip \
+    tar \
+    jq \
+    parted \
+    openssl-c_rehash
+  args:
+    warn: false
+
+- name: "{{ ansible_facts['distribution'] }} - Importing Certificate Authority certificates."
+  copy:
+    src: root-ca.crt
+    dest: /etc/ssl/certs/root-ca.pem
+    owner: root
+    group: root
+    mode: 0644
+  notify: "{{ ansible_facts['distribution'] }} - Updating the certificate authority trust."

ansible/roles/base/tasks/redhat.yml

@@ -0,0 +1,68 @@
+---
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+### Red Hat Enterprise Linux
+
+- name: Red Hat Subscription Manager Status
+  shell: subscription-manager refresh
+  when: ansible_facts['distribution'] == 'RedHat'
+
+### Red Hat Enterprise Linux >= 8 and Derivative Distributions
+
+- name: "{{ ansible_facts['distribution'] }} - Updating the guest operating system."
+  dnf:
+    name: "*"
+    state: latest
+    update_cache: yes
+  when: ansible_facts['distribution_major_version'] >= "8"
+
+- name: "{{ ansible_facts['distribution'] }} - Installing additional packages."
+  dnf:
+    name:
+      - curl
+      - wget
+      - git
+      - vim
+      - net-tools
+      - unzip
+      - ca-certificates
+    state: latest
+  when: ansible_facts['distribution_major_version'] >= "8"
+
+### Red Hat Enterprise Linux <= 7 and Derivative Distributions
+
+- name: "{{ ansible_facts['distribution'] }} - Updating the guest operating system."
+  yum:
+    name: "*"
+    state: latest
+    update_cache: yes
+  when: 
+  - ansible_facts['distribution_major_version'] <= "7"
+
+- name: "{{ ansible_facts['distribution'] }} - Installing additional packages."
+  yum:
+    name:
+      - curl
+      - wget
+      - git
+      - vim
+      - net-tools
+      - unzip
+      - ca-certificates
+    state: latest
+  when: ansible_facts['distribution_major_version'] <= "7"
+
+### Red Hat Enterprise Linux and Derivative Distributions
+
+- name: "{{ ansible_facts['distribution'] }} - Importing Certificate Authority certificates."
+  copy:
+    src: root-ca.crt
+    dest: /etc/pki/ca-trust/source/anchors/root-ca.crt
+    owner: root
+    group: root
+    mode: 0644
+  notify: RedHat - Updating the certificate authority trust.

ansible/roles/base/tasks/ubuntu.yml

@@ -0,0 +1,34 @@
+---
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+- name: "{{ ansible_facts['distribution'] }} - Updating the guest operating system."
+  apt:
+    name: "*"
+    state: latest
+    update_cache: yes
+    force_apt_get: true
+
+- name: "{{ ansible_facts['distribution'] }} - Installing additional packages."
+  apt:
+    name:
+      - bash-completion
+      - curl
+      - wget
+      - git
+      - net-tools
+      - unzip
+      - ca-certificates
+    state: latest
+
+- name: "{{ ansible_facts['distribution'] }} - Importing Certificate Authority certificates."
+  copy:
+    src: root-ca.crt
+    dest: /usr/local/share/ca-certificates/
+    owner: root
+    group: root
+    mode: 0644
+  notify: "{{ ansible_facts['distribution'] }} - Updating the certificate authority trust."

ansible/roles/base/vars/main.yml

@@ -0,0 +1,8 @@
+---
+
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# vars for base