:title: Bridge

.. _bridge:

Bridge
######

Bridge is a bastion host that is the starting point for operations in
OpenTelekomCloudEco. It is the server from which Ansible is run, and contains
decrypted secure information such as passwords. The bridge server contains all
of the ansible playbooks as well as the scripts to create new servers.

Sensitive information like passwords is stored encrypted in the private git
repository and is pulled by the bridge host on a cron basis.

At a Glance
===========

:Projects:
  * https://ansible.com/
:Bugs:
:Resources:

Ansible Hosts
-------------
In OTC Eco, all host configuration is done via ansible playbooks.

Adding a node
-------------

In principle, hosts in the inventory (``inventory/base/hosts.yaml``) contain
the variables required for playbooks to provision the infrastructure.
This is not yet implemented for all hosts/systems.

.. _running-ansible-on-nodes:

Running Ansible on Nodes
------------------------

Each service that has been migrated fully to Ansible has its own playbook in
:git_file:`playbooks` named ``service_{ service_name }.yaml``.

Because the playbooks are normally run by zuul, to run them manually, first run
the utility ``disable-ansible`` as root. That will touch the file
``/home/zuul/DISABLE-ANSIBLE``. We use the utility to avoid mistyping the
lockfile name. Then make sure no jobs are currently executing ansible. Ensure
that ``/home/zuul/src/github.com/opentelekomcloud-infra/system-config`` is in
the appropriate state, then run:

.. code-block:: bash

   cd /home/zuul/src/github.com/opentelekomcloud-infra/system-config
   ansible-playbook --limit="$HOST:localhost" playbooks/service-$SERVICE.yaml

as root, where ``$HOST`` is the host you want to run the playbook against.
The ``:localhost`` is important as some of the plays depend on performing a task
on the localhost before continuing to the host in question, and without it in
the limit section, the tasks for the host will have undefined values.

When done, don't forget to remove ``/home/zuul/DISABLE-ANSIBLE``.

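The manual-run steps above, wrapped in one shell function as an added example
(not part of the original page or of the project's tooling). The function name
``run_service_playbook`` and the overridable ``LOCKFILE`` and ``REPO`` variables
are assumptions; a lockfile that already existed before the run is left in place.

```bash
# Added example: wrapper for the manual-run procedure on this page.
# Defaults are the paths named above; LOCKFILE and REPO may be overridden.
LOCKFILE="${LOCKFILE:-/home/zuul/DISABLE-ANSIBLE}"
REPO="${REPO:-/home/zuul/src/github.com/opentelekomcloud-infra/system-config}"

# run_service_playbook HOST SERVICE   (hypothetical helper, run as root)
run_service_playbook() {
    host="$1"; service="$2"
    if [ -z "$host" ] || [ -z "$service" ]; then
        echo "usage: run_service_playbook HOST SERVICE" >&2
        return 2
    fi

    # Remember whether ansible was already disabled by someone else, so this
    # run does not silently re-enable scheduled runs they wanted stopped.
    preexisting=0
    [ -e "$LOCKFILE" ] && preexisting=1

    # Step 1: create the lockfile through the utility, never by hand.
    disable-ansible || return 1
    [ -e "$LOCKFILE" ] || { echo "lockfile $LOCKFILE missing" >&2; return 1; }

    # Step 2: with new runs blocked, refuse to start while a job is executing.
    if pgrep -f ansible-playbook >/dev/null 2>&1; then
        echo "ansible-playbook is still running; try again later" >&2
        rc=1
    else
        # Step 3: run from the checkout and keep localhost in the limit,
        # otherwise the tasks for the host end up with undefined values.
        rc=0
        ( cd "$REPO" &&
          ansible-playbook --limit="$host:localhost" \
              "playbooks/service-$service.yaml" ) || rc=$?
    fi

    # Step 4: remove the lockfile, but only if this run created it.
    [ "$preexisting" -eq 1 ] || rm -f "$LOCKFILE"
    return "$rc"
}
```

Source the file in a root shell on the bridge and call
``run_service_playbook HOST SERVICE``; the return code is that of ``ansible-playbook``.
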
Disabling Ansible on Nodes
--------------------------

To disable the running of ansible on a node, add an entry for it to the
"disabled" group in the ansible inventory.