feat: Update CentOS 7 to use signed kernel-plus module (#129)

* feat: Update CentOS 7 to use signed kernel-plus module * Apply suggestions from code review Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * Update CentOS 7 for optional signed kernel-plus module Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com>
2021-10-07 14:30:28 -05:00 · 2021-10-07 14:30:28 -05:00 · 4626475a9c
commit 4626475a9c
parent 692cce2f55
4 changed files with 78 additions and 17 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,10 @@ SPDX-License-Identifier: GPL-3.0-or-later
 Changelog
 ---------

+**8.2.0**
+
+- add support for `kernel-plus` for CentOS 7 (contribution by @john-p-potter)
+
 **8.1.0**

 - add Rocky Linux support
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -38,6 +38,22 @@ wireguard_ubuntu_update_cache: "true"
 # Set package cache valid time
 wireguard_ubuntu_cache_valid_time: "3600"

+#######################################
+# Settings only relevant for CentOS 7
+#######################################
+
+# Set wireguard_centos7_installation_method to "kernel-plus"
+# to use the kernel-plus kernel, which includes a built-in,
+# signed WireGuard module.
+# UTILIZING KERNEL-PLUS WILL PERFORM A SYSTEM REBOOT DURING SETUP!!
+#
+# The default of "standard" will use the standard kernel and 
+# the ELRepo module for WireGuard.
+wireguard_centos7_installation_method: "standard"
+
+# The default seconds to wait for machine to reboot and respond
+wireguard_centos7_kernel_plus_reboot_timeout: "600"
+
 # This is sensitive: encrypt it with a tool like Ansible Vault.
 # If not set, a new one is generated on a blank configuration.
 # wireguard_private_key:
--- a/meta/main.yml
+++ b/meta/main.yml
@ -5,7 +5,7 @@ galaxy_info:
  author: Robert Wimmer
  description: Installs Wireguard incl. systemd integration
  license: GPL-3.0-or-later
-  min_ansible_version: 2.5
+  min_ansible_version: 2.7
  role_name: ansible_role_wireguard
  namespace: githubixx
  platforms:
--- a/tasks/setup-centos-7.yml
+++ b/tasks/setup-centos-7.yml
@ -2,17 +2,28 @@
 # Copyright (C) 2020 Roman Danko
 # SPDX-License-Identifier: GPL-3.0-or-later

- name: (CentOS 7) Install EPEL & ELRepo repository
-  yum:
-    name:
-      - epel-release
-      - https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
-    update_cache: true
+- name: (CentOS 7) Tasks for standard kernel
+  block:
+    - name: (CentOS 7) Install EPEL & ELRepo repository
+      yum:
+        name:
+          - epel-release
+          - https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
+        update_cache: true

- name: (CentOS 7) Install yum-plugin-elrepo
-  yum:
-    name: yum-plugin-elrepo
-    update_cache: true
+    - name: (CentOS 7) Install yum-plugin-elrepo
+      yum:
+        name: yum-plugin-elrepo
+        update_cache: true
+
+    - name: (CentOS 7) Install WireGuard packages
+      yum:
+        name:
+          - "kmod-wireguard"
+          - "wireguard-tools"
+        state: present
+  when:
+    - wireguard_centos7_installation_method == "standard"

 - name: (CentOS 7) Ensure WireGuard DKMS package is removed
  yum:
@ -20,9 +31,39 @@
      - "wireguard-dkms"
    state: absent

- name: (CentOS 7) Install WireGuard packages
-  yum:
-    name:
-      - "kmod-wireguard"
-      - "wireguard-tools"
-    state: present
+- name: (CentOS 7) Tasks for kernel-plus
+  block:
+    - name: (CentOS 7) Install EPEL repository & yum utils
+      yum:
+        name:
+          - epel-release
+          - yum-utils
+        update_cache: true
+
+    - name: (CentOS 7) Enable CentosPlus repo
+      command: yum-config-manager --setopt=centosplus.includepkgs=kernel-plus --enablerepo=centosplus --save
+      changed_when: false
+
+    - name: (CentOS 7) Update to kernel-plus
+      replace:
+        path: /etc/sysconfig/kernel
+        regexp: '^DEFAULTKERNEL=kernel$'
+        replace: 'DEFAULTKERNEL=kernel-plus'
+
+    - name: (CentOS 7) Install WireGuard packages
+      yum:
+        name:
+          - "kernel-plus"
+          - "wireguard-tools"
+        state: present
+      register: centos7_yum_updates
+
+    - name: (CentOS 7) Reboot Instance to update kernel
+      reboot:
+        reboot_timeout: "{{ wireguard_centos7_kernel_plus_reboot_timeout }}"
+      when:
+        - centos7_yum_updates.changes is defined
+        - centos7_yum_updates.changes.installed|flatten|select('regex', '^kernel-plus$') is any
+
+  when:
+    - wireguard_centos7_installation_method == "kernel-plus"