From 09bbc4058c287db52b65935c27bf8dfecc129b57 Mon Sep 17 00:00:00 2001
From: Kevin Cernekee
Date: Sun, 6 Nov 2016 09:40:07 -0800
Subject: [PATCH 1/2] Add missing tags in common playbook

If the common playbook is invoked with the "cloud" tag, non-cloud tasks will be skipped. On GCE this causes "Install tools" to be skipped, apparmor-utils is not installed, and then the "Enforcing ipsec with apparmor" step fails.
---
 roles/common/tasks/main.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 4b6e2ee..9cdb88d 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -2,9 +2,13 @@
 
 - name: Gather Facts
   setup:
+  tags:
+    - always
 
 - name: Install software updates
   apt: update_cache=yes upgrade=dist
+  tags:
+    - cloud
 
 - name: Check if reboot is required
   shell: >
@@ -43,6 +47,8 @@
   with_items:
     - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
     - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
+  tags:
+    - cloud
 
 - name: Install tools
   apt: name="{{ item }}" state=latest
@@ -55,24 +61,36 @@
     - sendmail
     - iptables-persistent
     - cgroup-tools
+  tags:
+    - always
 
 - name: Loopback for services configured
   template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg
   notify:
     - restart loopback
+  tags:
+    - always
 
 - name: Loopback included into the network config
   lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
   notify:
     - restart loopback
+  tags:
+    - always
 
 - meta: flush_handlers
+  tags:
+    - always
 
 - name: Enable packet forwarding for IPv4
   sysctl: name="{{ item }}" value=1
   with_items:
     - net.ipv4.ip_forward
     - net.ipv4.conf.all.forwarding
+  tags:
+    - always
 
 - name: Enable packet forwarding for IPv6
   sysctl: name=net.ipv6.conf.all.forwarding value=1
+  tags:
+    - always
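Review bot: In the first hunk `Install software updates` is tagged `cloud`, but the `Check if reboot is required` task that immediately follows it receives no tag, so a run restricted with `--tags cloud` will dist-upgrade the host and then skip the reboot check, leaving `reboot_required` undefined for anything that consumes it later; only the first two lines of that task are visible here, so this does not apply if a `tags:` entry was added below its `register:` line. The fix is the same two lines the commit adds elsewhere, `tags:` / `- cloud`, placed at the end of that task. Separately, the third hunk attaches `tags: - always` to `meta: flush_handlers`; to my knowledge meta tasks were executed regardless of tags on Ansible releases before 2.11, so that entry is harmless but likely a no-op on the versions this change targets and is worth a one-line comment saying so.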
From 433389c0aba2dde05470e589e84c90bd8d59ae87 Mon Sep 17 00:00:00 2001
From: Kevin Cernekee
Date: Sun, 6 Nov 2016 09:42:58 -0800
Subject: [PATCH 2/2] Use /var/run/reboot-required to determine if a restart is needed

The current check only looks to see if a new kernel was installed.
---
 roles/common/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 9cdb88d..a5730ac 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -12,7 +12,7 @@
 
 - name: Check if reboot is required
   shell: >
-    if [[ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi
+    if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
   args:
     executable: /bin/bash
   register: reboot_required
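Review bot: The new condition depends entirely on `/var/run/reboot-required`, which is only written by the `notify-reboot-required` hook shipped in `update-notifier-common`; on a host where that package is absent (stock Debian, for example) the file is never created, so the task reports "no" even after a kernel upgrade and the host keeps running the old kernel with whatever it was patched for. The old kernel-symlink comparison is dropped rather than kept as a fallback, so this is a regression for exactly the hosts the flag file cannot cover. Keeping both tests costs one line: `if [[ -e /var/run/reboot-required || $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi`. A short comment above `shell:` naming which package produces the flag file would also save the next maintainer the same investigation; the task may continue below `register:` outside the hunk.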