Blame docs/operations/deploy/common.md

429202
# Common Operations to initialize a node/service in CentOS infra
429202
429202
Once the server (bare-metal, Virtual Machine - internal or EC2 instance- ) is deployed, we just need to add it to ansible inventory (probably already done already during `deploy` step so complete with the following information)
429202
429202
Requirements:
429202
429202
  * Machine is reachable
429202
  * You have initial credentials (either already injected ssh key and sudo right or just other equivalent credentials)
429202
  * Access to required Ansible inventory 
429202
429202
## Adding node
429202
6d98f4
You first need to add the node into DNS (either internally or externally) so please have a look at the dedicated [DNS section](../../infra/dns.md), and that means kicking the `role-bind.yml` or `role-unbound.yml` playbooks based on the need, and after having pushed the change to git.
429202
429202
Once the node is available, we need *once* to initialize the node to confirm access and ssh host key/fingerprint and then sign it with our SSH CA.
429202
429202
Let's start by first ensuring that we can log onto a node (in our example a EC2 instance):
429202
429202
```
429202
ssh centos@artwork-1.dev.centos.org uptime
429202
The authenticity of host 'artwork-1.dev.centos.org (<no hostip for proxy command>)' can't be established.
429202
ECDSA key fingerprint is SHA256:TFnZOT68OAkUQdTm1kCwoPxEN8d/4v/kqinsPcFD/04.
429202
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
429202
Warning: Permanently added 'artwork-1.dev.centos.org' (ECDSA) to the list of known hosts.
429202
 09:41:48 up 7 min,  0 users,  load average: 0.00, 0.06, 0.04
429202
429202
```
429202
09ef13
!!! tip
09ef13
    it's also possible to *not* do the ssh host key checking, but not adviced, by using `ANSIBLE_HOST_KEY_CHECKING=False` env variable in front of the first playbook execution in the next steps. As said, it's possible and should *eventually* only be used for .dev. or .stg. environment, and on just provisioned instances (non public) like Virtual Machines
09ef13
09ef13
429202
Now we can proceed with next steps.
429202
Let's add the node in the correct Ansible inventory (like for example `CentOS-CI` or `CentOS-prod` or `CentOS-staging`, etc.
429202
429202
We first need to ensure that usual `sysadmins` will be granted first the correct rights and we just need to add the node in ansible inventory first.
429202
If you already know which roles you want to directly apply feel free to add into correct `[group_name]` in the inventory or just add it to `[unclassified]` first.
429202
When done, we can just play manually (only once) some playbooks and from there machine will be automatically reconfigured when role/inventory is updated (see the Ansible section about this)
429202
429202
```
429202
fqdn="artwork-1.dev.centos.org"
429202
ansible-playbook playbooks/adhoc-grant-access.yml -u centos -l ${fqdn} # or add -k to ask for password if needed to inject ssh keys
429202
``` 
429202
429202
Now that `sysadmins` have their keys injected (including yours), you can initialize the node , but it will create a temporary file that you can then copy into inventory for some gathered facts, so you can use `--extras-vars` just for this specific call
429202
429202
```
429202
out_dir="/home/arrfab/ansible/out"
429202
test -d ${out_dir} || mkdir -p ${out_dir}
429202
ansible-playbook playbooks/adhoc-init-node.yml -l ${fqdn} --extra-vars "out_dir=${out_dir}"
429202
cat ${out_dir}/${fqdn} >> inventory/host_vars/${fqdn}
429202
```
429202
429202
The `adhoc-init-node.yml` will do the following : 
429202
429202
  * (optional) retrieve the public IP and allow incoming connections from that new ip for some infra services restricted by iptables
429202
  * retrieve ssh host keys, sign these and push the signed 
6d98f4
  * retrieve locally some facts that can be used later for basic `host_vars` template
429202
  * play the `baseline` role (common for *all* nodes but with different settings, based on inventory
dc7015
    * if that's a RHEL host, either point to internal mirror, or RH CDN (based on `rhel_host_use_cdn` variable/boolean in ansible)
429202
  * (optional): play other roles that are tied to ansible inventory group membership (if you added the host already in some specific groups) 
429202
429202
429202
Now that machine is in ansible inventory, you can always add new role, based on group memberships, change settings through `group_vars` or `host_vars`, etc, so Ansible BAU
429202
4985a1
!!! note
4985a1
    For sponsored nodes, ensure that you define a root password that is unique and set it. Don't forget to reflect it (normally not needed anymore) in `ansible/inventory/host_vars/<host>` with `root_password` (all git-crypted and/or ansible-vault crypted depending on the inventory). You can use something like `pwgen` tool or even just `openssl rand -base64 24` (as an example)