commit | 24bea20e9a098cf4a462a4b5d9dbabbea84f2ec6 | [log] [tgz] |
---|---|---|
author | Paul J. Davis <paul.joseph.davis@gmail.com> | Mon Dec 14 15:11:50 2020 -0600 |
committer | Paul J. Davis <paul.joseph.davis@gmail.com> | Mon Dec 14 15:11:50 2020 -0600 |
tree | 8e43806fc0c55fe8c9d0ff48ec52f5bcf622c75e | |
parent | dc63a8cd29401edb0b79761fcf88ac32fe3797d2 [diff] |
Ensure root account is locked

It's locked by default but we might as well add the extra protection just in case.
This repository contains Ansible scripts for managing our VM testing infrastructure.
$ virtualenv venv
$ source venv/bin/activate
$ pip install -r requirements.txt
The basic steps to provisioning a new Jenkins agent node are:
./tools/gen-config
ansible-vault
host_vars/hostname.yml file
ansible-playbook ci_agents.yml
Node names should follow this pattern:
couchdb-worker-$arch-$osname-$zone-$node_id
I.e.:
couchdb-worker-x86-64-debian-dal-1-01
There should be a single bastion VM set up for each subnet. We just use the cheapest cx2-2x4 instance for these nodes so that we can jump to the other hosts.
Provisioning a bastion VM is much the same as for a ci_agent, though it should happen much more rarely. Currently the assumption is that each subnet has exactly one bastion. The ./tools/gen-config script will complain if this assumption is violated, so it should be obvious if we get this wrong. It will also complain if we have a subnet that is missing a bastion box.
The steps for provisioning a new bastion box are:
./tools/gen-config
ansible-playbook bastions.yml
Bastion names should follow this pattern:
couchdb-bastion-$arch-$osname-$zone-$node_id
I.e.,
couchdb-bastion-x86-64-debian-dal-1-01
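An added sketch of the two checks described above, the naming patterns and the one-bastion-per-subnet rule; it is example code written for this page, not the repository's tools/gen-config. The record shape with a `subnet` field, the function names, and the regex's guess at where $arch, $osname, $zone and $node_id split are assumptions.

```python
import re
from collections import defaultdict

# Assumed split of couchdb-{worker,bastion}-$arch-$osname-$zone-$node_id:
# $osname has no hyphen, $zone looks like "dal-1", $node_id is digits.
NAME_RE = re.compile(
    r"^couchdb-(?P<role>worker|bastion)-(?P<arch>[a-z0-9-]+)"
    r"-(?P<osname>[a-z0-9]+)-(?P<zone>[a-z]+-\d+)-(?P<node_id>\d+)$"
)


def parse_name(name):
    """Return the name's fields as a dict, or None if it breaks the pattern."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None


def check_inventory(instances):
    """Return complaints for [{"name", "subnet"}, ...] records (hypothetical shape)."""
    problems = []
    bastions = defaultdict(list)
    subnets = set()
    for inst in instances:
        subnets.add(inst["subnet"])
        fields = parse_name(inst["name"])
        if fields is None:
            problems.append(f"bad name: {inst['name']}")
        elif fields["role"] == "bastion":
            bastions[inst["subnet"]].append(inst["name"])
    # Every subnet needs exactly one bastion as its single SSH entry point.
    for subnet in sorted(subnets):
        count = len(bastions[subnet])
        if count == 0:
            problems.append(f"subnet {subnet} has no bastion")
        elif count > 1:
            problems.append(f"subnet {subnet} has {count} bastions")
    return problems


# Constructed sample inventory, not real hosts.
SAMPLE = [
    {"name": "couchdb-bastion-x86-64-debian-dal-1-01", "subnet": "subnet-a"},
    {"name": "couchdb-worker-x86-64-debian-dal-1-01", "subnet": "subnet-a"},
    {"name": "couchdb-worker-x86-64-debian-dal-2-01", "subnet": "subnet-b"},
    {"name": "jenkins-agent-7", "subnet": "subnet-b"},
]

if __name__ == "__main__":
    print("\n".join(check_inventory(SAMPLE)))
```

A misnamed bastion is reported as a bad name and also leaves its subnet counted as having no bastion, so both complaints appear until the name is fixed.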
./tools/gen-config
Create a ~/.couchdb-infra-cm.cfg file that contains the following options:
[ibmcloud]
api_key = <REDACTED>
The tools/gen-config script can then be used to generate our production inventory and ssh.cfg configuration:
$ ./tools/gen-config
This script requires access to the https://cloud.ibm.com account that hosts the VMs, so not everyone will be able to run it. However, this is only important when provisioning new nodes. Modifying Ansible scripts and applying changes to existing nodes can be done by any CouchDB PMC member who has been added to the CI nodes via this repository.
$ ansible-playbook bastions.yml
$ ansible-playbook ci_agents.yml
$ ansible -i production ci_agents -a "sudo sv restart jenkins"
If you want to ssh directly to a node, you can do:
$ ssh -F ssh.cfg $hostname
I.e.,
$ ssh -F ssh.cfg couchdb-worker-x86-64-debian-dal-1-01