Infrastructure ansible migration

From FedoraProject

Jump to: navigation, search
Important.png
THIS IS A DRAFT
PLEASE EDIT AND ADD HELPFUL CONSTRUCTIVE POINTS

Contents

Introduction

Fedora infrastructure is moving from it's puppet setup to one using ansible. This migration is already under way. This page attempts to collect issues and ideas around the migration and how to move it forward in a secure, safe way.

Completed items

  • ssh-agent setup on lockbox01 and key added to (almost) all hosts.
  • Private ansible git repo for passwords and such.
  • A number of machines migrated: cloud instances, all builders, some releng, all arm boxes, mirrorlist servers
  • logging available via scripts/logview and daily report of plays run mailed to sysadmin-logs

New instance creation

  • add to dns
  • add any needed 2fa or vpn keys
  • add to inventory (list group or add to existing group)
  • add to inventory/host_vars/FQDN
  • add to inventory/group_vars/groupname
  • add tasks/virt_instance_create.yml task to top of group/host playbook to create the instance
  • run playbook and instance will be allocated and installed and setup and playbook run on it.

Short term items

  • Disable/remove func. Should be ready to do.
  • way for non sysadmin-main to run playbooks/commands.
    • Looking into rbac wrapper script around ansible-playbook to start with.
  • way to trigger runs from commits.
    • will need a git hook of some kind.
  • better use of roles
    • need to look at our tasks and playbooks and see what would be better moved to roles.
  • concrete way to handle stg vs prod
    • Right now we only have a staging variable. Would be nice to keep playbooks more in sync/use same playbook.
  • concrete way to handle hotfixes/patches
    • hotfix task could work
    • would be nice if we had a way to just commit patches (so we could more easily roll back too)

Medium term

  • setup backup02 agent
    • in case lockbox01 is down/unreachable.

Long term / ideas container

  • fireball mode (or whatever it ends up being upstream)
  • nagios integration. Add host and have nagios setup without doing anything.
  • scripts for common tasks:
    • Hosted project setup
    • clean denyhosts entries