diff --git a/amazon-arm64-nix.pkr.hcl b/amazon-arm64-nix.pkr.hcl index 630ab7c99..a754eaacc 100644 --- a/amazon-arm64-nix.pkr.hcl +++ b/amazon-arm64-nix.pkr.hcl @@ -1,6 +1,6 @@ variable "ami" { type = string - default = "ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-server-*" + default = "ubuntu-minimal/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-minimal-*" } variable "profile" { diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml index 567398f5f..a16312849 100644 --- a/ansible/tasks/clean-build-dependencies.yml +++ b/ansible/tasks/clean-build-dependencies.yml @@ -1,7 +1,12 @@ +# IMPORTANT: Do NOT use autoremove: true in these tasks! +# Autoremove causes cascading removal of cloud-init and breaks SSH on the AMI. +# Autoremove is handled safely in 90-cleanup.sh after apt-mark protection. + - name: Remove build dependencies ansible.builtin.apt: - autoremove: true + autoremove: false pkg: + # Build tools installed by Ansible tasks - bison - build-essential - clang-11 @@ -9,13 +14,27 @@ - cpp - flex - g++ - - g++-10 - g++-9 + - g++-10 - gcc-10 - make - - manpages - - manpages-dev - ninja-build - patch - python2 + # Dev headers installed for compilation + - libc6-dev + - libcrypt-dev + - libevent-dev + - libpcre3-dev + - libssl-dev + - linux-headers-aws + - linux-libc-dev + - pkg-config + - pkgconf + - pkgconf-bin + - zlib1g-dev + # Security: credential handling + - sshpass + # Build tool leftovers + - ansible-core state: 'absent' diff --git a/scripts/90-cleanup-qemu.sh b/scripts/90-cleanup-qemu.sh index e6a585001..116d515cb 100644 --- a/scripts/90-cleanup-qemu.sh +++ b/scripts/90-cleanup-qemu.sh 
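Review bot: The new default `ubuntu-minimal/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-minimal-*` is a name-only glob, and nothing in this hunk constrains who published the image; the `source_ami_filter` that consumes `var.ami` is not in the diff, so this is worth confirming rather than assuming. Any public AMI from another account whose name matches the pattern would satisfy a name filter on its own, so that block should keep `owners` pinned to Canonical's publisher account together with `most_recent = true`. If it already does, a one-line comment on the variable, `# name filter only; publisher pinning is done by owners in source_ami_filter`, makes the trust boundary visible to the next person who edits this default.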
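Review bot: The comment block added at the top of the file states that autoremove "is handled safely in 90-cleanup.sh after apt-mark protection", but the 90-cleanup.sh hunk in this same commit runs `apt-get -y autoremove` with no `apt-mark manual` step before it; the protection (`apt-mark manual openssh-server cloud-init …`) is only added to 90-cleanup-qemu.sh. Either 90-cleanup.sh needs the same `apt-mark manual cloud-init openssh-server` line ahead of its autoremove, or the comment should name 90-cleanup-qemu.sh so a reader does not assume the non-qemu path is covered. The same gap applies to the 90-cleanup.sh hunk beginning `@@ -1,62 +1,45 @@`, where the `apt-get -y autoremove` line is context and therefore unprotected on both sides of the change.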
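Review bot: Adding `ansible-core` to the package list under `state: 'absent'` removes the tool that is executing this task if the play runs on the image itself (an ansible-local provisioner or a localhost connection); with a remote controller it is harmless, so this hinges on how the playbook is invoked, which the diff does not show. The shell cleanup in 90-cleanup-qemu.sh already does `apt-get remove -y --purge ansible-core` after Ansible has finished, so the safer option is to leave `ansible-core` to that script and keep this list to build tools and headers. Separately, `state: 'absent'` leaves configuration files behind while both cleanup scripts remove with `--purge`; adding `purge: true` to the task keeps the two paths consistent.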
@@ -38,12 +38,25 @@ elif [ -n "$(command -v apt-get)" ]; then ansible \ snapd - add-apt-repository --yes --remove ppa:ansible/ansible + # Remove ansible PPA directly (software-properties-common may not be installed) + rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \ + /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true source /etc/os-release + # Protect critical runtime packages from autoremove apt-mark manual libevent-2.1-7t64 + # Ensure cloud-init and openssh-server are installed + # They may have been removed as dependencies during package cleanup + apt-get -y install --no-install-recommends cloud-init openssh-server + + # Protect SSH and cloud-init dependencies from autoremove + # Without these, the image won't be accessible via SSH after boot + apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \ + python3-yaml python3-oauthlib python3-configobj python3-requests \ + python3-urllib3 python3-certifi python3-chardet python3-idna || true + apt-get remove -y --purge ansible-core apport appstream bash-completion bcache-tools bind9-dnsutils bind9-host bind9-libs bolt btrfs-progs byobu command-not-found console-setup distro-info eject fonts-ubuntu-console friendly-recovery ftp fwupd gawk gdisk keyboard-configuration libvolume-key1 libssl-dev lvm2 lxd-agent-loader man-db mdadm modemmanager mtd-utils nano netcat-openbsd nfs-common ntfs-3g parted pastebinit screen strace thin-provisioning-tools tmux usb-modeswitch vim vim-runtime wget whiptail xfsprogs apt remove -y --purge libc6-dev linux-libc-dev libevent-dev libpcre3-dev libsystemd-dev packagekit multipath-tools unattended-upgrades plymouth gnupg open-vm-tools xauth lxd-installer publicsuffix libclang-cpp18 python3-twisted python-babel-localedata libicu74 python3-pygments fonts-dejavu* python3-botocore diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh index 644e5f7f6..6c566deab 100644 --- a/scripts/90-cleanup.sh +++ b/scripts/90-cleanup.sh 
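Review bot: The `|| true` on the new `apt-mark manual openssh-server cloud-init python3-systemd …` command swallows the exit status of the one step the comments two lines above describe as what keeps the image reachable over SSH; if a name in that list is not recognised on the target release, the failure is hidden and the script continues to the removals and the later autoremove with less protection than intended and nothing in the log to show it. Drop the `|| true`, or mark one package per call so a single bad name cannot mask the rest: `for p in openssh-server cloud-init python3-systemd python3-jinja2 python3-yaml python3-oauthlib python3-configobj python3-requests python3-urllib3 python3-certifi python3-chardet python3-idna; do apt-mark manual "$p"; done`. The `2>/dev/null || true` on the `rm -f` of the PPA source files is redundant, since `rm -f` already exits 0 for missing paths, and it would hide a genuine error such as a read-only filesystem. The enclosing `elif [ -n "$(command -v apt-get)" ]` block starts before this hunk.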
@@ -1,62 +1,45 @@ #!/bin/bash - -# DigitalOcean Marketplace Image Validation Tool -# © 2021 DigitalOcean LLC. -# This code is licensed under Apache 2.0 license (see LICENSE.md for details) - set -o errexit -# Ensure /tmp exists and has the proper permissions before -# checking for security updates -# https://github.com/digitalocean/marketplace-partners/issues/94 +# Ensure /tmp exists and has proper permissions if [[ ! -d /tmp ]]; then mkdir /tmp fi chmod 1777 /tmp -if [ -n "$(command -v yum)" ]; then - yum update -y - yum clean all -elif [ -n "$(command -v apt-get)" ]; then - # Cleanup more packages - apt-get -y remove --purge \ - automake \ - autoconf \ - autotools-dev \ - cmake-data \ - cpp-9 \ - cpp-10 \ - gcc-9 \ - gcc-10 \ - git \ - git-man \ - ansible \ - libicu-dev \ - libcgal-dev \ - libgcc-9-dev \ - ansible - - add-apt-repository --yes --remove ppa:ansible/ansible +# Update system +if [ -n "$(command -v apt-get)" ]; then + # Remove ansible PPA directly (software-properties-common may not be installed) + rm -f /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.list \ + /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true - source /etc/os-release - apt-get -y update apt-get -y upgrade apt-get -y autoremove apt-get -y autoclean fi + +# Clean temp files rm -rf /tmp/* /var/tmp/* + +# Clear history history -c cat /dev/null > /root/.bash_history unset HISTFILE + +# Clean logs find /var/log -mtime -1 -type f -exec truncate -s 0 {} \; rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-???????? + +# Clean cloud-init for fresh start rm -rf /var/lib/cloud/instances/* + +# Remove SSH keys (cloud-init regenerates on boot) rm -f /root/.ssh/authorized_keys /etc/ssh/*key* touch /etc/ssh/revoked_keys chmod 600 /etc/ssh/revoked_keys -# Securely erase the unused portion of the filesystem +# Securely erase unused disk space GREEN='\033[0;32m' NC='\033[0m' printf "\n${GREEN}Writing zeros to the remaining disk space to securely 
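Review bot: The scrub under the new `# Remove SSH keys` and `# Clear history` comments covers root only: `rm -f /root/.ssh/authorized_keys` and `cat /dev/null > /root/.bash_history`. Packer normally connects to Ubuntu AMIs as an unprivileged login user and places a temporary key in that user's `~/.ssh/authorized_keys`; unless that key is removed elsewhere (not visible in this diff) it ships in the image, and removing `/var/lib/cloud/instances/*` only causes cloud-init to add keys on next boot, it does not, as far as I can tell, strip existing ones. Add `rm -f /home/*/.ssh/authorized_keys /home/*/.bash_history` next to the root lines, or document where the build user's key is handled. Separately, `find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;` leaves untouched any log not written in the last 24 hours, so a long build can leave auth and apt history in the image; dropping `-mtime -1` truncates everything. The trailing `printf` string continues past the end of this hunk.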
@@ -67,11 +50,12 @@ The secure erase will complete successfully when you see:${NC} Beginning secure erase now\n" dd if=/dev/zero of=/zerofile & - PID=$! - while [ -d /proc/$PID ] - do - printf "." - sleep 5 - done +PID=$! +while [ -d /proc/$PID ]; do + printf "." + sleep 5 +done sync; rm /zerofile; sync -cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp + +cat /dev/null > /var/log/lastlog +cat /dev/null > /var/log/wtmp
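Review bot: The two added truncations, `cat /dev/null > /var/log/lastlog` and `cat /dev/null > /var/log/wtmp`, leave `/var/log/btmp` untouched, and that file records the failed login attempts seen while the build instance was reachable; add `cat /dev/null > /var/log/btmp` alongside them (the earlier `find -mtime -1` pass only reaches it if it was written in the last 24 hours). The re-indented `while [ -d /proc/$PID ]` poll could become `wait "$PID" || true` if the progress dots are not needed, with a comment that dd ends with a non-zero status once the filesystem is full, which is the expected end of the fill and must not trip `set -o errexit` before `rm /zerofile`. If the poll stays, `$PID` should be quoted: `while [ -d "/proc/$PID" ]; do`.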