From b6ab0fe77aac364bf6db0f05289770e6d033a28d Mon Sep 17 00:00:00 2001 From: Ihor Solodrai Date: Fri, 5 Jun 2026 13:57:10 -0700 Subject: [PATCH] ansible: drop Amazon Linux 2 / RedHat support after Ubuntu migration The AWS bare-metal runner fleet has been migrated from Amazon Linux 2 (RedHat family) to Ubuntu 24.04, and AL2 is decommissioned. Every host is now Debian family (Ubuntu EC2 and s390x LinuxONE both use the apt path), so the RedHat/Amazon-conditional code is unreachable. Remove it and collapse the now single-OS base role. - base: delete the RedHat task/vars files and the ansible_os_family include dispatch; fold the package list (incl. docker.io) into defaults and inline the Debian tasks into tasks/main.yml. - runner: drop the "Install docker pip on Amazon Linux" task and the tautological `ansible_os_family == 'Debian'` guard; simplify the EC2 instance-id block to `ansible_system_vendor == 'Amazon EC2'`. - docs: base README is now Debian-only; ansible README install uses apt. amazon.aws (ec2_metadata_facts) and community.docker (docker_login) are still required and kept. The qemu-user-static role is left unchanged: it remains live on the s390x hosts (registers binfmt_misc handlers). Signed-off-by: Ihor Solodrai --- ansible/README.md | 2 +- ansible/roles/base/README.md | 10 +-- ansible/roles/base/defaults/main.yml | 3 +- ansible/roles/base/tasks/main.yml | 79 +++++++++++++++++++++-- ansible/roles/base/tasks/setup-Debian.yml | 76 ---------------------- ansible/roles/base/tasks/setup-RedHat.yml | 14 ---- ansible/roles/base/vars/Debian.yml | 4 -- ansible/roles/base/vars/RedHat.yml | 5 -- ansible/roles/runner/tasks/main.yml | 28 +++----- 9 files changed, 89 insertions(+), 132 deletions(-) delete mode 100644 ansible/roles/base/tasks/setup-Debian.yml delete mode 100644 ansible/roles/base/tasks/setup-RedHat.yml delete mode 100644 ansible/roles/base/vars/Debian.yml delete mode 100644 ansible/roles/base/vars/RedHat.yml 
diff --git a/ansible/README.md b/ansible/README.md index 34a0d2d0..6164fdb5 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -1,7 +1,7 @@ ## Install `ansible` ``` -sudo dnf install -y ansible +sudo apt install -y ansible ``` diff --git a/ansible/roles/base/README.md b/ansible/roles/base/README.md index 4fb6a40d..2638bb61 100644 --- a/ansible/roles/base/README.md +++ b/ansible/roles/base/README.md @@ -2,13 +2,13 @@ ## Description -This role is used to install basic packages that may be required by any deployment. +This role installs the basic packages required by any deployment on our +Debian-family (Ubuntu / s390x LinuxONE) hosts, starts docker, and performs +common host setup (disabling auditd, and configuring swap on s390x). -Some default packages that apply to both RedHat based and Debian based is set in [defaults/main.yml](defaults/main.yml) file. +The package list lives in [defaults/main.yml](defaults/main.yml). -Each specific distro that has different package name has a file under [vars/](vars/) with a list of packages (example: `docker.io` for Debian, `podman-docker` for RedHat). - -It also provides handler that can be useful to any other roles, such as +It also provides handlers that can be useful to any other roles, such as - `"reset systemd failed"`: runs `systemctl reset-failed` - `"reload systemd daemon"`: essentially runs `systemctl daemon-reload` diff --git a/ansible/roles/base/defaults/main.yml b/ansible/roles/base/defaults/main.yml index 27916c82..d77edaf9 100644 --- a/ansible/roles/base/defaults/main.yml +++ b/ansible/roles/base/defaults/main.yml @@ -1,10 +1,11 @@ --- -__base_packages: +base_packages: - curl - git - jq - python3-pip - vim + - docker.io # swap config for s390x swap_file_path: /swapfile diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml index 9cb70421..bb510d54 100644 --- a/ansible/roles/base/tasks/main.yml +++ b/ansible/roles/base/tasks/main.yml 
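Review bot: In ansible/roles/base/defaults/main.yml, `base_packages` is now a plain role default, so an inventory or group_vars variable of the same name replaces the whole list instead of adding to it; the removed `set_fact` in tasks/main.yml built the list at a higher precedence. The `Start docker` task depends on `docker.io` being installed from this list, so an override that omits it would fail the role later. A comment above the list would make that contract visible, e.g. `# Overriding base_packages replaces this list; keep docker.io, the role starts the docker service.`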
@@ -1,9 +1,76 @@ --- -- name: Include OS-specific variables. - include_vars: "{{ ansible_os_family }}.yml" +- name: Install base packages + become: true + apt: + state: present + name: "{{ base_packages }}" + update_cache: yes + lock_timeout: 300 + register: base_packages_install + until: base_packages_install is succeeded + retries: 30 + delay: 10 + tags: [install] -- name: Build package list - set_fact: - base_packages: "{{ __base_packages + __base_distro_packages }}" +- name: Start docker + become: true + service: + name: docker + state: started + enabled: true -- include_tasks: "setup-{{ ansible_os_family }}.yml" +- name: Gather the package facts + ansible.builtin.package_facts: + +# Auditd is spamming the logs when the workers are busy. +# Disable for now +- name: Disable auditd + become: true + ansible.builtin.systemd: + name: auditd + state: stopped + enabled: no + masked: yes + when: "'auditd' in ansible_facts.packages" + +- name: Set up swap space on s390x + when: ansible_architecture == "s390x" + block: + - name: Check if swap file exists + ansible.builtin.stat: + path: "{{ swap_file_path }}" + register: swap_file + + - name: Create swap file + become: true + ansible.builtin.command: + cmd: "fallocate -l {{ swap_file_size }} {{ swap_file_path }}" + creates: "{{ swap_file_path }}" + when: not swap_file.stat.exists + + - name: Set swap file permissions + become: true + ansible.builtin.file: + path: "{{ swap_file_path }}" + mode: "0600" + + - name: Make swap file + become: true + ansible.builtin.command: + cmd: "mkswap {{ swap_file_path }}" + when: not swap_file.stat.exists + + - name: Enable swap file + become: true + ansible.builtin.command: + cmd: "swapon {{ swap_file_path }}" + register: swapon_result + changed_when: swapon_result.rc == 0 + failed_when: false + + - name: Add swap to fstab + become: true + ansible.builtin.lineinfile: + path: /etc/fstab + line: "{{ swap_file_path }} none swap sw 0 0" + state: present 
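Review bot: The `Disable auditd` task stops and masks the audit daemon on every host that has the package, leaving these hosts (which, judging by the role names, run CI jobs and a Docker daemon) without auditd's log; the only recorded rationale is the two-line comment about log spam. If volume is the problem, trimming or rate-limiting the audit rules would cut the noise while keeping a record for incident response. If masking stays, the comment should state the trade-off, e.g. `# Trade-off: auditd is masked, so runners keep no audit log; revisit once the noisy rules are identified.` Separately, `failed_when: false` on `Enable swap file` hides genuine `swapon` failures as well as the presumably expected already-active case, so an s390x host can end up without swap while the play reports success.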
diff --git a/ansible/roles/base/tasks/setup-Debian.yml b/ansible/roles/base/tasks/setup-Debian.yml deleted file mode 100644 index bb510d54..00000000 --- a/ansible/roles/base/tasks/setup-Debian.yml +++ /dev/null @@ -1,76 +0,0 @@ ---- -- name: Install base packages - become: true - apt: - state: present - name: "{{ base_packages }}" - update_cache: yes - lock_timeout: 300 - register: base_packages_install - until: base_packages_install is succeeded - retries: 30 - delay: 10 - tags: [install] - -- name: Start docker - become: true - service: - name: docker - state: started - enabled: true - -- name: Gather the package facts - ansible.builtin.package_facts: - -# Auditd is spamming the logs when the workers are busy. -# Disable for now -- name: Disable auditd - become: true - ansible.builtin.systemd: - name: auditd - state: stopped - enabled: no - masked: yes - when: "'auditd' in ansible_facts.packages" - -- name: Set up swap space on s390x - when: ansible_architecture == "s390x" - block: - - name: Check if swap file exists - ansible.builtin.stat: - path: "{{ swap_file_path }}" - register: swap_file - - - name: Create swap file - become: true - ansible.builtin.command: - cmd: "fallocate -l {{ swap_file_size }} {{ swap_file_path }}" - creates: "{{ swap_file_path }}" - when: not swap_file.stat.exists - - - name: Set swap file permissions - become: true - ansible.builtin.file: - path: "{{ swap_file_path }}" - mode: "0600" - - - name: Make swap file - become: true - ansible.builtin.command: - cmd: "mkswap {{ swap_file_path }}" - when: not swap_file.stat.exists - - - name: Enable swap file - become: true - ansible.builtin.command: - cmd: "swapon {{ swap_file_path }}" - register: swapon_result - changed_when: swapon_result.rc == 0 - failed_when: false - - - name: Add swap to fstab - become: true - ansible.builtin.lineinfile: - path: /etc/fstab - line: "{{ swap_file_path }} none swap sw 0 0" - state: present 
diff --git a/ansible/roles/base/tasks/setup-RedHat.yml b/ansible/roles/base/tasks/setup-RedHat.yml deleted file mode 100644 index 047cb65b..00000000 --- a/ansible/roles/base/tasks/setup-RedHat.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Install base packages - become: true - package: - state: present - name: "{{ base_packages }}" - update_cache: yes - tags: [install] - -- name: Start docker - become: true - service: - name: docker - state: started \ No newline at end of file diff --git a/ansible/roles/base/vars/Debian.yml b/ansible/roles/base/vars/Debian.yml deleted file mode 100644 index 75bcdf68..00000000 --- a/ansible/roles/base/vars/Debian.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -__base_distro_packages: - - docker.io diff --git a/ansible/roles/base/vars/RedHat.yml b/ansible/roles/base/vars/RedHat.yml deleted file mode 100644 index 285ed85c..00000000 --- a/ansible/roles/base/vars/RedHat.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- - -__base_distro_packages: - - "{{ 'podman-docker' if ansible_distribution != 'Amazon' else 'docker' }}" - diff --git a/ansible/roles/runner/tasks/main.yml b/ansible/roles/runner/tasks/main.yml index 0e151f8e..c90757e0 100644 --- a/ansible/roles/runner/tasks/main.yml +++ b/ansible/roles/runner/tasks/main.yml @@ -1,18 +1,7 @@ --- -# Used by ansible modules later -- name: Install docker pip on Amazon Linux - become: yes - ansible.builtin.pip: - name: - # AL2 python's version is compiled against openssl 1.0, urllib3>=2.0 needs openssl 1.1.1 - - urllib3<2.0 - - docker - extra_args: --user - executable: pip3 - when: ansible_distribution == 'Amazon' - -- name: Install python3-docker on Ubuntu +# Used by ansible modules later (docker_login) +- name: Install python3-docker become: yes ansible.builtin.apt: state: present @@ -23,7 +12,6 @@ until: python3_docker_install is succeeded retries: 30 delay: 10 - when: ansible_os_family == 'Debian' - name: Create runner directory become: yes 
@@ -80,11 +68,11 @@ set_fact: runner_name_prefix: "{{ '%s-' | format(runner_prefix) if runner_prefix }}{{ ansible_hostname }}" -# On EC2 hosts (Amazon Linux metal and Ubuntu metal alike) we override the runner_name_prefix -# with the ec2's instance ID for stable, collision-free runner names. Non-EC2 hosts (e.g. s390x -# LinuxONE, vendor "IBM") are skipped so we never block on the 169.254.169.254 metadata endpoint. -# If amazon.aws is missing or the metadata endpoint is unreachable, `ignore_errors` lets us fall -# back to the hostname-based prefix set above. +# On EC2 hosts we override the runner_name_prefix with the ec2's instance ID for stable, +# collision-free runner names. Non-EC2 hosts (e.g. s390x LinuxONE, vendor "IBM") are skipped so +# we never block on the 169.254.169.254 metadata endpoint. If amazon.aws is missing or the +# metadata endpoint is unreachable, `ignore_errors` lets us fall back to the hostname-based +# prefix set above. - name: Set runner_name_prefix to instance ID for EC2 hosts block: - name: Load ec2 metadata facts @@ -93,7 +81,7 @@ - name: Set runner name prefix with instance ID set_fact: runner_name_prefix: "{{ '%s-' | format(runner_prefix) if runner_prefix }}{{ ansible_ec2_instance_id }}" - when: ansible_system_vendor == 'Amazon EC2' or ansible_distribution == 'Amazon' + when: ansible_system_vendor == 'Amazon EC2' ignore_errors: yes - name: Generate runner env