.gitlab-ci.yml

@@ -113,7 +113,7 @@ workflow:
 build_http_proxy_image:
   stage: build
   environment:
-    name: $ENV
+    name: build
   tags:
     - build
   variables:
@@ -126,7 +126,7 @@ build_http_proxy_image:
 build_ssh_proxy_image:
   stage: build
   environment:
-    name: $ENV
+    name: build
   tags:
     - build
   variables:
@@ -165,7 +165,7 @@ build_ssh_proxy_image:
 build_login_image:
   stage: build
   environment:
-    name: $ENV
+    name: build
   tags:
     - build
   <<: *build_login_image_template
@@ -173,6 +173,46 @@ build_login_image:
     - if: $PIPELINE_TARGET == "build" && $BUILD_TARGET == "login"
       when: always
 
+build_ood_image:
+  stage: build
+  environment:
+    name: build
+  tags:
+    - build
+  script:
+    - *update_ansible_repo
+    - *get_ansible_files
+    # packer vars for job env
+    - export PKR_VAR_flavor="${OOD_BUILD_FLAVOR:-$PKR_VAR_flavor}"
+    - export PKR_VAR_build_instance_name="${BUILD_TARGET}-${EXT_REPO_HEAD}"
+    - export PKR_VAR_image_date_suffix=false
+    - export PKR_VAR_image_name="${BUILD_TARGET}-${BUILD_DATE}"
+    - |
+      if [ $ENV = 'knightly' ] || [ $ENV = 'prod' ]; then
+        curl --header "PRIVATE-TOKEN: ${ANSIBLE_VAR_TOKEN}" \
+        "${CI_API_V4_URL}/projects/2836/repository/files/knightly/raw?ref=main" \
+        -o CRI_XCBC/group_vars/$ENV
+        sed -i -E "s/(lts_access_key: ).*/\1\"${AWS_ACCESS_KEY_ID}\"/" CRI_XCBC/group_vars/$ENV
+        sed -i -E "s/(lts_secret_key: ).*/\1\"${AWS_SECRET_ACCESS_KEY}\"/" CRI_XCBC/group_vars/$ENV
+        sed -i -E "s/(user_register_app_key: ).*/\1\"${SELF_REG_APP_KEY}\"/" CRI_XCBC/group_vars/$ENV
+        sed -i -E "s/(celery_user_password: ).*/\1\"${CELERY_PASSWD}\"/" CRI_XCBC/group_vars/$ENV
+        sed -i -E "s|(ssh_pub_key: ).*|\1\"{{ lookup('file', '${SSH_PUB_KEY}') }}\"|" CRI_XCBC/group_vars/$ENV
+      fi
+    # packer commands
+    - packer init openstack-ood
+    - packer validate openstack-ood
+    - packer build -machine-readable openstack-ood | tee ood_build.log
+    - export BUILT_OOD_IMAGE_ID=$(grep 'Image:' ood_build.log | awk '{print $4}')
+    - echo BUILT_OOD_IMAGE_ID=${BUILT_OOD_IMAGE_ID} | tee -a $CI_PROJECT_DIR/image.env
+    # set image properties with repo state
+    - openstack image set --property EXT_PR_SRC_REPO=${EXT_PR_SRC_REPO} --property EXT_PR_SRC_BRANCH_SHA=${EXT_PR_SRC_BRANCH_SHA} --property EXT_PR_TARGET_REPO=${EXT_PR_TARGET_REPO} --property EXT_PR_TARGET_BRANCH_SHA=${EXT_PR_TARGET_BRANCH_SHA} --property PACKER_IMAGE_HEAD=${CI_COMMIT_SHORT_SHA} ${BUILT_OOD_IMAGE_ID}
+  artifacts:
+    reports:
+      dotenv: image.env
+  rules:
+    - if: $PIPELINE_TARGET == "build" && $BUILD_TARGET == "ood"
+      when: always
+
 deploy_http_proxy_node:
   stage: deploy
   environment:
@@ -206,10 +246,12 @@ deploy_http_proxy_node:
       export cmd="openstack server create"
       cmd+=" -c id -f value --image $HTTP_PROXY_IMAGE_ID"
       cmd+=" --flavor $INSTANCE_FLAVOR"
-      cmd+=" --network $PROXY_NETWORK"
-      cmd+=" --security-group webserver_sec_group"
-      cmd+=" --security-group allow-ssh"
+      for security_group in ${SECURITY_GROUP_LIST[@]};
+      do
+        cmd+=" --security-group $security_group"
+      done
       cmd+=" --user-data user_data.txt"
+      if [ -n "$PROXY_NETWORK" ];then cmd+=" --network $PROXY_NETWORK"; fi
       if [ -n "$HTTP_PROXY_PORT" ];then cmd+=" --port $HTTP_PROXY_PORT"; fi
       cmd+=" --wait $HTTP_PROXY_INSTANCE_NAME"
     - export HTTP_PROXY_INSTANCE_ID=$(bash -c "$cmd")
@@ -257,9 +299,12 @@ deploy_ssh_proxy_node:
       export cmd="openstack server create"
       cmd+=" -c id -f value --image $SSH_PROXY_IMAGE_ID"
       cmd+=" --flavor $INSTANCE_FLAVOR"
-      cmd+=" --network $PROXY_NETWORK"
-      cmd+=" --security-group allow-ssh"
+      for security_group in ${SECURITY_GROUP_LIST[@]};
+      do
+        cmd+=" --security-group $security_group"
+      done
       cmd+=" --user-data user_data.txt"
+      if [ -n "$PROXY_NETWORK" ];then cmd+=" --network $PROXY_NETWORK"; fi
       if [ -n "$SSH_PROXY_PORT" ];then cmd+=" --port $SSH_PROXY_PORT"; fi
       cmd+=" --wait $SSH_PROXY_INSTANCE_NAME"
     - export SSH_PROXY_INSTANCE_ID=$(bash -c "$cmd")
@@ -308,9 +353,12 @@ deploy_login_node:
       export cmd="openstack server create"
       cmd+=" -c id -f value --image $LOGIN_IMAGE_ID"
       cmd+=" --flavor $INSTANCE_FLAVOR"
-      cmd+=" --network $INSTANCE_NETWORK"
-      cmd+=" --security-group allow-ssh"
+      for security_group in ${SECURITY_GROUP_LIST[@]};
+      do
+        cmd+=" --security-group $security_group"
+      done
       cmd+=" --user-data user_data.txt"
+      if [ -n "$INSTANCE_NETWORK" ];then cmd+=" --network $INSTANCE_NETWORK"; fi
       if [ -n "$LOGIN_PORT" ];then cmd+=" --port $LOGIN_PORT"; fi
       cmd+=" --wait $LOGIN_INSTANCE_NAME"
     - export LOGIN_INSTANCE_ID=$(bash -c "$cmd")

ansible/cluster.yml

@@ -13,3 +13,4 @@
     - { name: 'rsyslog_config', tags: 'rsyslog_config', when: enable_rsyslog_config }
     - { name: 'rewrite_map', tags: 'rewrite_map', when: enable_rewrite_map }
     - { name: 'fail2ban', tags: 'fail2ban', when: enable_fail2ban }
+    - { name: 'install_node_exporter', tags: 'install_node_exporter', when: enable_node_exporter }

ansible/group_vars/all

@@ -52,7 +52,7 @@
   sshpiper_dest_dir: "/opt/sshpiper"
 
 # rsyslog
-  enable_rsyslog_config: false
+  enable_rsyslog_config: true
   rsyslog_target: "*.* @master:514"
 
 # ssl certs
@@ -81,3 +81,11 @@
   findtime: 600
   bantime: 1200
   fail2ban_white_list: "127.0.0.1/8"
+
+# Node Exporter
+  enable_node_exporter: false
+  node_exporter_ver: "1.8.2"
+  node_exporter_filename: "node_exporter-{{ node_exporter_ver }}.linux-amd64"
+  node_exporter_user: node_exporter
+  node_exporter_group: node_exporter
+  node_exporter_port: 9100

ansible/ood.yml

@@ -6,6 +6,3 @@
     - { name: 'fix_centos_repo', tags: 'fix_centos_repo' }
     - { name: 'install_packages', tags: 'install_packages' }
     - { name: 'install_zsh', tags: 'install_zsh' }
-
-- name: Setup node for use as a virtual cheaha node
-  ansible.builtin.import_playbook: cheaha.yml

ansible/roles/install_node_exporter/tasks/main.yaml

+---
+- name: Download node_exporter binary
+  ansible.builtin.get_url:
+    url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_ver }}/{{ node_exporter_filename }}.tar.gz"
+    dest: "/tmp/{{ node_exporter_filename }}.tar.gz"
+
+- name: Extract node_exporter
+  ansible.builtin.unarchive:
+    src: "/tmp/{{ node_exporter_filename }}.tar.gz"
+    dest: "/tmp"
+    remote_src: yes
+
+- name: Create system group for user account {{ node_exporter_group }}
+  ansible.builtin.group:
+    name: "{{ node_exporter_group }}"
+    system: true
+    state: present
+
+- name: Create system user account {{ node_exporter_user }}
+  ansible.builtin.user:
+    name: "{{ node_exporter_user }}"
+    comment: Prometheus node_exporter system account
+    group: "{{ node_exporter_group }}"
+    system: true
+    home: /var/lib/node_exporter
+    create_home: false
+    shell: /sbin/nologin
+    state: present
+
+- name: Copy node_exporter binary
+  ansible.builtin.copy:
+    src: "/tmp/{{ node_exporter_filename }}/node_exporter"
+    dest: /usr/local/bin/node_exporter
+    remote_src: yes
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Copy systemd unit file
+  ansible.builtin.template:
+    src: node_exporter.service.j2
+    dest: /etc/systemd/system/node_exporter.service
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Clean up /tmp
+  ansible.builtin.file:
+    path: "/tmp/{{ item }}"
+    state: absent
+  loop:
+    - "{{ node_exporter_filename }}.tar.gz"
+    - "{{ node_exporter_filename }}"
+
+- name: Restart node_exporter service
+  ansible.builtin.systemd:
+    daemon_reload: yes
+    name: node_exporter
+    state: restarted
+    enabled: true
+
+- name: Collect facts about system services
+  ansible.builtin.service_facts:
+
+- name: Configure firewalld to allow prometheus
+  ansible.posix.firewalld:
+    port: "{{ node_exporter_port }}/tcp"
+    zone: public
+    state: enabled
+    permanent: true
+  when:
+    - "'firewalld.service' in ansible_facts.services"
+    - ansible_facts.services["firewalld.service"].state == "running"
+
+- name: Enable and start firewalld
+  ansible.builtin.service:
+    name: firewalld
+    enabled: true
+    state: restarted
+  when:
+    - "'firewalld.service' in ansible_facts.services"
+    - ansible_facts.services["firewalld.service"].state == "running"

ansible/roles/install_node_exporter/templates/node_exporter.service.j2

+[Unit]
+Description=Node Exporter
+After=network.target
+
+[Service]
+User={{ node_exporter_user }}
+Group={{ node_exporter_group }}
+Type=simple
+ExecStart=/usr/local/bin/node_exporter --web.listen-address=:{{ node_exporter_port }} --collector.filesystem.mount-points-exclude "^/(dev|proc|run/user/.+|run/credentials/.+|sys|var/lib/docker/.+)($|/)" --collector.filesystem.fs-types-exclude "^(autofs|binfmt_misc|bpf|cgroup|tmpfs|sunrpc|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$"
+
+[Install]
+WantedBy=multi-user.target

openstack-ood/nodeimage.pkr.hcl

@@ -57,4 +57,13 @@ build {
       "--extra-vars", "${var.extra_vars}"
     ]
   }
+
+  provisioner "shell" {
+    inline = [
+      "sudo yum install -y libselinux-python3 python3 python3-pip tmux vim git bash-completion curl wget unzip",
+      "sudo python3 -m pip install --upgrade pip",
+      "sudo pip3 install s3cmd==2.3.0 ansible==4.10.0 python-openstackclient==5.8.0"
+    ]
+  }
+
 }

openstack-ood/variables.pkr.hcl

 variable "root_ssh_key" {
   type        = string
+  default     = ""
   description = "The root key to use for ssh"
 }