This repo contains the ansible playbooks to setup a Red Hat Enterprise Linux 9.2 image builder server. The image created is an edge installer image that will install AWS Greengrass .jar files and run them as a daemon on first boot.

References:

• Red Hat official documentation for RHEL OSTree
• Red Hat Device Edge introduction
• Image Builder quickstart bash scripts
• Ansible Collection for OSTree image management
• Upgrade and Rollback OSTree Edge demo

Active Red Hat Linux subscription Some VMs or baremetal servers

BEFORE running the playbooks, ensure the following is in place.

You need a subscribed Red Hat Enterprise Linux 9 system (minimal install is enough) with at least 2 vCPUs, 4 GB memory and 50 GB disk.

If you don't want to use root, be sure that the user has passwordless sudo access.

Your will need to:

• Install Ansible

laptop

dnf install -y ansible

• Download the infra.osbuild Ansible collection

laptop

ansible-galaxy collection install -f git+https://github.com/redhat-cop/infra.osbuild

• Modify the Ansible inventory file with your values

• Copy your public SSH key into the Image Builder system, so you can open passwordless SSH sessions with the user that you configured in your Ansible inventory. (double check .ssh and authorized_keys permissions in case you are still asked for password after copying the key).

laptop

ssh-copy-id <user>@<image builder IP>

• If you are using your laptop as hypervisor, be sure that you have at least 2 vCPU, 1.5GB memory and 20 GB disk free to create the Edge device VM (in addition the Image Builder VM that you should have already up and running).

The image builder will need several additional packages to be installed in order to successfully build the edge installer needed for greengrass.

Change into the AWSGG/playbooks directory and run the 00-prepare-systems.yml playbook

laptop

cd playbooks
ansible-playbook -vv 00-preparation-systems.yml

This will:

• install the infra.osbuild collections
• Install RPM packages required on the build server
• Enable cockpit and osbuild-composer services
• Create a custom repository with the PIP install files needed by greengrass

The 01-build-ostree-aws.yml role will create the image needed to install on each device. Run this role in the playbooks directory as follows:

laptop

ansible-playbook -vv 01-build-ostree-aws.yml

The last line printed will provide the link on where to download the iso from the build server. Something like http://.../demo_aws_greengrass/images/demo_aws_greengrass-custom-kernelarg.iso

The process executes the following tasks:

• Define names
• Set SSH keys
• Configure the image for kickstart kickoff
• Create http server for images
• Update kickstarts in pre-built image and publish to http server

Once the playbooks are done running, the iso is ready to be burned to a flashdrive using the dd command, or the Fedora Image Writer

NB: If using a VM for testing, ensure the machine has Firmware set to UEFI.

Boot the new device, ensuring it has network connectivity to the image builder server as well as internet in order to install the greengrass client. This should take about 3-5minutes to finish, depending on the device hardware and network speed.

The final device will have the root login and password defined as per the kickstart_greengrass.j2 file

The kickstart_greengrass.j2 file sets up users and builds the shel script used to install greengrass. Should additional items be needed in the script, it can be updated here and will automatically deploy upon the next installation.

Setting the root account's password can be done by replacing the value with the output from

python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

Download AWS certificates and copy them to /var/greengrass/v2/certificates

cat > /var/usrlocal/bin/pre-install-aws-certs.sh << EOF
#!/bin/bash

mkdir -p ~/environment/certificates

\#Copy certificates here

cd ~/environment/certificates
mv AmazonRootCA1.pem rootCA.pem
mv *-certificate.pem.crt certificate.pem
mv *-private.pem.key privateKey.pem
mv *-public.pem.key publicKey.pem

\# Create the destination dir and populate it
sudo mkdir -p /var/greengrass/v2/certificates
sudo chmod 755 /var/greengrass/v2/certificates
sudo cp -avr ~/certificates /var/greengrass/v2


EOF