fix: do not remove ssh

samrose · samrose · commit 22e313db3405 · 2026-02-03T23:30:21.000-05:00
diff --git a/ansible/tasks/clean-build-dependencies.yml b/ansible/tasks/clean-build-dependencies.yml
@@ -1,3 +1,10 @@
+# Protect packages that SSH and cloud-init depend on from autoremove
+# These must be marked as manually installed BEFORE any autoremove runs
+- name: Mark SSH and cloud-init dependencies as manually installed
+  ansible.builtin.shell: |
+    apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 python3-yaml python3-oauthlib python3-configobj || true
+  changed_when: false
+
 - name: Remove build dependencies
   ansible.builtin.apt:
     autoremove: true
@@ -25,9 +32,10 @@
 # - Dev packages provide headers for building exploits
 # - salt-minion is a remote management agent (large attack surface)
 # - sshpass stores credentials in plaintext
+# NOTE: autoremove disabled here to prevent cascading removal of cloud-init deps
 - name: Remove high-security-risk packages
   ansible.builtin.apt:
-    autoremove: true
+    autoremove: false
     pkg:
       # Compiler toolchain (gcc-14-base kept - libgcc-s1 runtime depends on it)
       - binutils
@@ -56,3 +64,10 @@
       # Build tool leftovers
       - ansible-core
     state: 'absent'
+
+# Run a final autoremove to clean up any remaining orphaned packages
+# This runs after apt-mark manual, so cloud-init deps are protected
+- name: Clean up orphaned packages
+  ansible.builtin.apt:
+    autoremove: true
+  changed_when: false
diff --git a/scripts/90-cleanup-qemu.sh b/scripts/90-cleanup-qemu.sh
@@ -44,8 +44,15 @@ elif [ -n "$(command -v apt-get)" ]; then
 
   source /etc/os-release
 
+  # Protect critical runtime packages from autoremove
   apt-mark manual libevent-2.1-7t64
 
+  # Protect SSH and cloud-init dependencies from autoremove
+  # Without these, the image won't be accessible via SSH after boot
+  apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
+    python3-yaml python3-oauthlib python3-configobj python3-requests \
+    python3-urllib3 python3-certifi python3-chardet python3-idna || true
+
   apt-get remove -y --purge ansible-core apport appstream bash-completion bcache-tools bind9-dnsutils bind9-host bind9-libs bolt btrfs-progs byobu command-not-found console-setup distro-info eject fonts-ubuntu-console friendly-recovery ftp fwupd gawk gdisk keyboard-configuration libvolume-key1 libssl-dev lvm2 lxd-agent-loader man-db mdadm modemmanager mtd-utils nano netcat-openbsd nfs-common ntfs-3g parted pastebinit screen strace thin-provisioning-tools tmux usb-modeswitch vim vim-runtime wget whiptail xfsprogs
 
   apt remove -y --purge libc6-dev linux-libc-dev libevent-dev libpcre3-dev libsystemd-dev packagekit multipath-tools unattended-upgrades plymouth gnupg open-vm-tools xauth lxd-installer publicsuffix libclang-cpp18 python3-twisted python-babel-localedata libicu74 python3-pygments fonts-dejavu* python3-botocore
diff --git a/scripts/90-cleanup.sh b/scripts/90-cleanup.sh
@@ -41,9 +41,16 @@ elif [ -n "$(command -v apt-get)" ]; then
         /etc/apt/sources.list.d/ansible-ubuntu-ansible-*.sources 2>/dev/null || true
 
   source /etc/os-release
-  
+
   apt-get -y update
   apt-get -y upgrade
+
+  # Protect SSH and cloud-init dependencies from autoremove
+  # Without these, the AMI won't be accessible via SSH after boot
+  apt-mark manual openssh-server cloud-init python3-systemd python3-jinja2 \
+    python3-yaml python3-oauthlib python3-configobj python3-requests \
+    python3-urllib3 python3-certifi python3-chardet python3-idna || true
+
   apt-get -y autoremove
   apt-get -y autoclean
 fi
