From 4292020f5f2642c4d41b991ec27c7057f840be61 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Jun 29 2021 15:30:00 +0000 Subject: Some basic 'common' doc for new node init in infra Signed-off-by: Fabian Arrotin --- diff --git a/docs/buildsys/koji-cbs-sigs.md b/docs/buildsys/koji-cbs-sigs.md index 129bc95..3e20635 100644 --- a/docs/buildsys/koji-cbs-sigs.md +++ b/docs/buildsys/koji-cbs-sigs.md @@ -265,7 +265,7 @@ If external repo is already defined, we just need to add it to tags and no need ``` sig_tag="hyperscale8s-packages-main-el8-build" -externalrepo_name="centos8s-buildroot" +externalrepo_name="epel8" koji add-external-repo --mode bare --tag=${sig_tag} ${externalrepo_name} ``` diff --git a/docs/operations/deploy/common.md b/docs/operations/deploy/common.md index e69de29..bc7f495 100644 --- a/docs/operations/deploy/common.md +++ b/docs/operations/deploy/common.md 
@@ -0,0 +1,62 @@ +# Common Operations to initialize a node/service in CentOS infra + +Once the server (bare-metal, Virtual Machine - internal or EC2 instance- ) is deployed, we just need to add it to ansible inventory (probably already done already during `deploy` step so complete with the following information) + +Requirements: + + * Machine is reachable + * You have initial credentials (either already injected ssh key and sudo right or just other equivalent credentials) + * Access to required Ansible inventory + +## Adding node + +You first need to add the node into DNS (either internally or externally) so please have a look at the dedicated [DNS section](/infra/dns), and that means kicking the `role-bind.yml` or `role-unbound.yml` playbooks based on the need, and after having pushed the change to git. + +Once the node is available, we need *once* to initialize the node to confirm access and ssh host key/fingerprint and then sign it with our SSH CA. + +Let's start by first ensuring that we can log onto a node (in our example a EC2 instance): + +``` +ssh centos@artwork-1.dev.centos.org uptime +The authenticity of host 'artwork-1.dev.centos.org ()' can't be established. +ECDSA key fingerprint is SHA256:TFnZOT68OAkUQdTm1kCwoPxEN8d/4v/kqinsPcFD/04. +Are you sure you want to continue connecting (yes/no/[fingerprint])? yes +Warning: Permanently added 'artwork-1.dev.centos.org' (ECDSA) to the list of known hosts. + 09:41:48 up 7 min, 0 users, load average: 0.00, 0.06, 0.04 + +``` + +Now we can proceed with next steps. +Let's add the node in the correct Ansible inventory (like for example `CentOS-CI` or `CentOS-prod` or `CentOS-staging`, etc. + +We first need to ensure that usual `sysadmins` will be granted first the correct rights and we just need to add the node in ansible inventory first. +If you already know which roles you want to directly apply feel free to add into correct `[group_name]` in the inventory or just add it to `[unclassified]` first. 
+When done, we can just play manually (only once) some playbooks and from there machine will be automatically reconfigured when role/inventory is updated (see the Ansible section about this) + +``` +fqdn="artwork-1.dev.centos.org" +ansible-playbook playbooks/adhoc-grant-access.yml -u centos -l ${fqdn} # or add -k to ask for password if needed to inject ssh keys +``` + +Now that `sysadmins` have their keys injected (including yours), you can initialize the node , but it will create a temporary file that you can then copy into inventory for some gathered facts, so you can use `--extras-vars` just for this specific call + +``` +out_dir="/home/arrfab/ansible/out" +test -d ${out_dir} || mkdir -p ${out_dir} +ansible-playbook playbooks/adhoc-init-node.yml -l ${fqdn} --extra-vars "out_dir=${out_dir}" +cat ${out_dir}/${fqdn} >> inventory/host_vars/${fqdn} +``` + +The `adhoc-init-node.yml` will do the following : + + * (optional) retrieve the public IP and allow incoming connections from that new ip for some infra services restricted by iptables + * retrieve ssh host keys, sign these and push the signed + * retrieve locally some facts that can be used later for basic host_vars template + * play the `baseline` role (common for *all* nodes but with different settings, based on inventory + * (optional): play other roles that are tied to ansible inventory group membership (if you added the host already in some specific groups) + +If you configured correctl + +Now that machine is in ansible inventory, you can always add new role, based on group memberships, change settings through `group_vars` or `host_vars`, etc, so Ansible BAU + +
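Review bot: the docs/buildsys/koji-cbs-sigs.md hunk (externalrepo_name="centos8s-buildroot" changed to "epel8") is unrelated to the subject "Some basic 'common' doc for new node init in infra" and is not mentioned in the commit message; either split it into its own commit or state in the message why the example external repo was changed. The unchanged context line also says this form only applies "If external repo is already defined", so the example would be more useful if it showed how to confirm that first, e.g. `koji list-external-repos` before `koji add-external-repo --mode bare --tag=${sig_tag} ${externalrepo_name}`, so a reader does not add a tag reference to a repo name that does not exist yet.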
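Review bot: in the new docs/operations/deploy/common.md hunk, the first-login example simply answers `yes` to the "authenticity of host 'artwork-1.dev.centos.org ()' can't be established" prompt, while the paragraph above says the point of this step is to "confirm access and ssh host key/fingerprint"; the doc should say where the operator gets the expected fingerprint from (the provisioning console output or the `deploy` step) and that it must match `ECDSA key fingerprint is SHA256:...` before typing yes, otherwise the host key that `adhoc-init-node.yml` later signs with the SSH CA was never actually verified and the CA just blesses whatever answered first. Smaller points in the same hunk: the line `If you configured correctl` is cut off mid-sentence; `--extras-vars` in the prose should be `--extra-vars` as used in the code block; `retrieve ssh host keys, sign these and push the signed` is missing its object (the signed host certificates?) and `play the baseline role (common for *all* nodes but with different settings, based on inventory` is missing its closing parenthesis; `out_dir="/home/arrfab/ansible/out"` is a personal path and reads better as a generic placeholder; and `cat ${out_dir}/${fqdn} >> inventory/host_vars/${fqdn}` appends, so re-running the init step duplicates the gathered facts in host_vars.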