radiasoft / ansible-conf Goto Github PK

Docker has deprecated container links for container networks.

Given the deprecation we should stop using links. We should try to leverage the software defined networking features as much as possible. We might be able to close more ports with this feature.

Abstract as much as possible into roles, so that is is easy to configure single host playbooks (#32).

Required by: #22 #32

Reference.

Write a new ansible role that will configure an MPI slave, using docker.

Required by #37.

Limit playbooks to configure one host at a time, e.g. hosts: <hostname>. Depends on #31.

It seems that in Ansible 2.1.0 the docker_container module has a bug, such that when some parameters are passed the module will always recreate the container. The culprit seems to be volumes.

Depends on #10 and #17.

Start nginx serving a simple page on port 80 and 443 (SSL). Nginx should run on the NFS server.

In order to make jupyterhub and jupyterhub_nfs better suited for reusability, the should set their firewall settings and the values should be provided by the roles.

Ensure servers have the proper timezone

Requires #35 to be complete.

Required by #38.

Update READMEs for Ansible, Vagrant, Terraform.

Research the use user namespaces with docker.

Figure out how stable it is with Centos 7 since it is considered a technology preview feature.

Use the groovy API for configuration, see.

Required by #38.

Create role to disable services known to be superfluous.

SELinux will stop an nginx proxy from doing any traffic forwarding by default. Exceptions need to be configured within SELinux, and the current approach within ansible is very hacky: 1d899ca

Need to provide a better approach, either with an ansible module or with a bash script.

Ensure that logs generated by docker container are rotated.

Because we map the Jenkins uid within the container to the uidwithin the host, we have a situation, where Jenkins executes as a user that does not exist in /etc/passwd, which triggers:

fatal: unable to look up current user in the passwd file: no such user

    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1723)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1459)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:63)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:314)
    at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:797)
    ... 8 more

GitHub has been notified of this commit’s build result

This happens, because git is trying to figure out the user name and email, for commits. One possibility is setting GIT_COMMITTER_NAME and GIT_COMMITTER_EMAIL environment variables. A better solution is to try to pass those settings to Jenkins somehow (The pipeline plugin does not seem to provide that).

Figure out how to organize the Ansible Master.

• standard location to SSL certs
• find a way to overload main nginx.conf
• conf.d
• How to keep TLS settings up to date

Part of #32.

Start the database once during setup, before the service starts.

Reference:

    - init:
        env:
          - [ POSTGRES_PASSWORD, {{ pillar.postgresql_jupyterhub.admin_pass }} ]
          - [ JPY_PSQL_PASSWORD, {{ pillar.jupyterhub.db_pass }} ]
        cmd: bash /radia-init.sh

• Need ip address
• Update named

Prepare the AWS deployed image, as done with Vagrant.

• Generate SSH keys for coordinator.
• Mount the .ssh directory inside the Jupyter container with the keys.
• Configure ssh to ignore host keys

Required by #37.

Currently the jupyterhub_nfs roles configures the jupyterhub nfs shares and the jupyterhub nginx proxy. I think we might want to split them into different roles that could be applied to the same server.

Manage users and keys for access, as required by Ansible.

Use radiasoft/postgresql-jupyterhub, run it as service.

Leverage the jupyterhub and jupyterhub_nfs roles to configure a single machine that will work as a JupyterHub provider and master of the MPI cluster.

How to adapt the current sensible configuration to configure our production servers.

Depends on #19, #31, #32, #33.

Backup it up to NFS. Use the backup to setup new deployments.

Allow remote clients to configure docker; do not use the unix socket.

Right now for convenience the rs_channel is automatically populated according to the group you are provisioning. We should a channel variable per role, e.g. jupyter_channel.

Ensure all required configuration is available before provisioning slave hosts. Store all the information in an NFS share.

Required by #38.

This is with systemctl on fedora cloud. @elventear I'm not too concerned right now but wanted to note this was happening so we don't lose it.

Sep 29 02:14:12 ip-10-14-2-5.ec2.internal systemd[1]: celery-sirepo.service: Unit entered failed state.
Sep 29 02:14:12 ip-10-14-2-5.ec2.internal systemd[1]: celery-sirepo.service: Failed with result 'exit-code'.
Sep 29 02:14:23 ip-10-14-2-5.ec2.internal systemd[1]: celery-sirepo.service: Service hold-off time over, scheduling restart.
Sep 29 02:14:23 ip-10-14-2-5.ec2.internal systemd[1]: Started Celery Sirepo.
Sep 29 02:14:23 ip-10-14-2-5.ec2.internal systemd[1]: Starting Celery Sirepo...
Sep 29 02:14:23 ip-10-14-2-5.ec2.internal docker[1874]: /usr/bin/docker: Error response from daemon: Conflict. The name "/celery-sirepo" is already in use by container a3be7
Sep 29 02:14:23 ip-10-14-2-5.ec2.internal docker[1874]: See '/usr/bin/docker run --help'.
Sep 29 02:14:23 ip-10-14-2-5.ec2.internal systemd[1]: celery-sirepo.service: Main process exited, code=exited, status=125/n/a
Sep 29 02:14:23 ip-10-14-2-5.ec2.internal docker[1878]: celery-sirepo
Sep 29 02:14:23 ip-10-14-2-5.ec2.internal systemd[1]: celery-sirepo.service: Unit entered failed state.
Sep 29 02:14:23 ip-10-14-2-5.ec2.internal systemd[1]: celery-sirepo.service: Failed with result 'exit-code'.
Sep 29 02:14:33 ip-10-14-2-5.ec2.internal systemd[1]: celery-sirepo.service: Service hold-off time over, scheduling restart.
Sep 29 02:14:33 ip-10-14-2-5.ec2.internal systemd[1]: Started Celery Sirepo.
Sep 29 02:14:33 ip-10-14-2-5.ec2.internal systemd[1]: Starting Celery Sirepo...
Sep 29 02:14:33 ip-10-14-2-5.ec2.internal docker[1885]: /usr/bin/docker: Error response from daemon: Conflict. The name "/celery-sirepo" is already in use by container a3be7