Pxe toucheup #3
roles/apt/templates/30apt-proxy.j2
| @@ -1,2 +1,2 @@ | |||
| // {{ ansible_managed }} | |||
| Acquire::http::Proxy "{{ apt_proxy }}"; | |||
| Acquire::http::Proxy "http://{{ inventory_hostname }}:8000/"; | |||
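Review bot: the new proxy line points every host at itself, because `{{ inventory_hostname }}` is the name of the host the template is being rendered for, not of the machine running the apt proxy; only the proxy host itself ends up with a working `Acquire::http::Proxy`. Keep a variable that names the proxy (the old `{{ apt_proxy }}`, or a dedicated host variable plus port) and render the URL from that; hard-coding `:8000` in the template also removes any way to override the port from inventory.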
I can't see how that's correct. Not every machine runs an apt proxy.
The file doesn't exist if there is no proxy
38 - name: setup apt proxy
39 template:
40 src: templates/30apt-proxy.j2
41 dest: /etc/apt/apt.conf.d/30apt-proxy
42 when: apt_proxy != ""
42 when: apt_proxy != ""
but that isn't right.
What I'm getting at is, inventory_hostname is the local machine's hostname. So every machine will be pointing at itself as an APT proxy. That can't be right.
Ohh... right. Hmm....
I am used to all these files living on the pxe server as static files.
I was thinking ansible creates the static file on the pxe server and then the other machines pull a copy.
but that isn't how things work here.
this bit is
31 # d-i puts the apt config in apt.conf, but we prefer a .d file
d-i puts the correct value in apt.conf, how about we just leave it there?
or patch d-i :p
| dhcp-authoritative | ||
| enable-tftp | ||
| tftp-root=/srv/tftp | ||
| no-hosts |
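Review bot: `no-hosts` stops dnsmasq from answering DNS queries out of /etc/hosts, and none of the visible lines adds another name source (`addn-hosts=` or `host-record=`), so with this hunk the DNS side of dnsmasq resolves nothing on the local network; if the intent is a DNS file separate from /etc/hosts, add `addn-hosts=/path/to/that/file` here. Separately, `dhcp-authoritative` and `enable-tftp` are not tied to an interface in the visible lines; confirm an `interface=` or `bind-interfaces` setting exists so DHCP and TFTP are not offered on any other network the server is attached to.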
If we're using our static hosts stuff, then we'll probably want to serve those over DNS too. wouldn't we?
that's a bit of a contradiction. or redundancy. it is either addressing a case that will never exist, or addressing the case where things are broken. If /etc/hosts is in place, then we don't need dns.
however, even with static, dns can serve everything by putting a 2nd almost copy of the data in a file. almost = different IP for $server
I like putting the name:IP data in its own file that is just for the dns, not also /etc/hosts.
Mainly because of wanting $server:IP to be defined as something other than 127.0.1.1 like it is in /etc/hosts.
or redundancy
That. You saw how it was useful at LCA, when we didn't have a global network, yet. Things still worked inside rooms. And we could ssh into things by hostname, because there was DNS with this stuff in it.
however, even with static, dns can serve everything by putting a 2nd almost copy of the data in a file. almost = different IP for $server
Sure. But we can just solve all of this by changing the server's IP in its own /etc/hosts.
changing the server's IP in its own /etc/hosts
I went down that path and got angry :p
d-i builds this:
juser@dc10b:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 dc10b
is ...1.1 needed?
I made a task using lineinfile but my code kept adding additional "ip \t host" lines each time I re-ran. so I switched to not using etc/hosts and using a separate file for dnsmasq and was happy.
I have mixed feelings about dnsmasq using etc/hosts.
give me the ansible to just solve all of this and I'll give it a whirl
dns can serve everything ...
Let's do that.
This only affects the dhcp server. it separates the dns config from the server's etc/hosts, and I am ok with that.
replacing "127.0.1.1 dc10b" is too hard for me, and I don't see much benefit.
I still don't like this change, I find it useful to be able to ssh into machines by hostname, on the video network.
| # fsid=X is needed for XFS filesystems with 64bit inodes | ||
| /srv/{{ nfs_server }}/veyepar {{ eth_local_ip_address|default(ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) }}(ro,async,no_subtree_check,fsid=0) | ||
| /srv/{{ nfs_server }}/video {{ eth_local_ip_address|default(ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) }}(rw,sync,no_subtree_check,fsid=1) | ||
| {% if eth_local_ip_address is defined %} |
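Review bot: the `{% if eth_local_ip_address is defined %}` test is redundant with the `default(...)` filter on the two export lines above, which already covers the undefined case; use one mechanism. The bigger issue is scope: the client field receives either a single address (`eth_local_ip_address`) or a whole network (the default), and if `eth_local_ip_address` is the server's own address, as the dnsmasq `host-record` in this PR uses it, these exports would only be mountable from the server itself. The export client should name the client network or hosts, and the `ro,async` versus `rw,sync` split deserves a comment explaining why the two shares differ.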
Surely it'll always be defined?
I was trying to duplicate what the old code was doing:
{{ eth_local_ip_address|default(...
which made me wonder what the point was.
Ah, yeah. I probably didn't realise there was a default defined.
🔔
roles/tftp-server/defaults/main.yml
| netboot_image: https://deb.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/netboot.tar.gz | ||
| late_command_url: https://anonscm.debian.org/cgit/debconf-video/ansible.git/plain/setup_ansible.sh | ||
| # late_command_url: https://anonscm.debian.org/cgit/debconf-video/ansible.git/plain/setup_ansible.sh | ||
| late_command_url: http://{{ inventory_hostname }}/lc/late.sh |
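Review bot: the commented-out `late_command_url` line should be deleted rather than kept; git keeps the history. The new value is plain `http://` to a short hostname, so the installer has to resolve `{{ inventory_hostname }}` through the DNS that dnsmasq hands out, and whatever answers for that name on the install network decides which script the installer runs as root; serving the file over https from the same web server, or carrying a checksum in the preseed and verifying before execution, removes that dependence.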
We could use TFTP, and avoid having to setup a web server
I find tftp harder to do R&D with.
wget is so much easier to use and read later than the curl command needed for tftp.
| # We clone our ansible repository and copy the ansible config files | ||
| git clone https://anonscm.debian.org/git/debconf-video/ansible.git /root/debconf-ansible | ||
| git clone https://github.com/xfxf/lca2017-av.git /root/lca2017-av |
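Review bot: the two `git clone` lines hard-code repository URLs into a static file, so the source of the target's configuration cannot be changed from inventory; template the file and take the URLs from variables. Neither clone pins a branch or commit, so every reinstall runs whatever is at the default branch head at that moment; pass `--branch <tag>` or check out a recorded commit after cloning so installs are reproducible and a later push to either repository does not silently change what gets executed on the hosts.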
That, obviously, can't be committed.
ah right..
I knew something wasn't quite right, but thought I was doing the equivalent thing just changing the host from github to local box.
but the whole late_command.sh name/url was a config option, and now that is gone.
Hmm...
| tftp-root=/srv/tftp | ||
| no-hosts | ||
| host-record={{ inventory_hostname }},{{ eth_local_ip_address }} | ||
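Review bot: `host-record={{ inventory_hostname }},{{ eth_local_ip_address }}` has no default for `eth_local_ip_address`, unlike the exports template, so rendering fails when the variable is unset; it also only publishes the dnsmasq host's own name, which together with `no-hosts` above leaves every other machine unresolvable. If the goal is a DNS source separate from /etc/hosts, an `addn-hosts=` file generated from inventory would cover all hosts in one place.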
No.
roles/tftp-server/tasks/main.yml
| line: \1 auto=true interface=auto url=tftp://10.20.0.1/preseed.cfg \2 | ||
| line: \1 auto=true interface=auto url=http://{{ inventory_hostname }} \2 | ||
| with_items: "{{ menus.files }}" | ||
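Review bot: changing `url=tftp://10.20.0.1/preseed.cfg` to `url=http://{{ inventory_hostname }}` drops the path as well as the protocol. debian-installer treats a `url=` without a path as an auto-install server and expands it to `http://<host>/d-i/<codename>/./preseed.cfg` (appending the DHCP-supplied domain when the name contains no dot), so the web server must publish the file under that path, or the line should keep an explicit `/preseed.cfg`. The short hostname also has to be resolvable by the installer via the DHCP-supplied DNS, which the `no-hosts` dnsmasq configuration in this PR does not guarantee.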
No.
| d-i mirror/http/directory string /ubuntu | ||
| {% endif %} | ||
| d-i mirror/http/proxy string {{ apt_proxy }} | ||
| d-i mirror/http/proxy string{% if apt_proxy %}http://{{ inventory_hostname }}:8000/{% endif %} |
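Review bot: there is no space between `string` and the Jinja block, so when `apt_proxy` is true the line renders as `d-i mirror/http/proxy stringhttp://<host>:8000/`, which is not a valid preseed entry (owner, question, type and value are whitespace-separated). Write `string {% if apt_proxy %}http://{{ inventory_hostname }}:8000/{% endif %}`; with `apt_proxy` false the trailing space after `string` is harmless and still yields the intended empty proxy.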
apt_proxy is now boolean?
correct.
I don't think you can reference inventory_hostname in the inventory/group_vars/all.yml
| # Individual additional packages to install | ||
| d-i pkgsel/include string openssh-server curl | ||
| d-i pkgsel/include string openssh-server curl python python3 |
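Review bot: `curl` stays in `pkgsel/include` even though the `late_command` hunk in this PR switches the download to `wget`; if nothing else on the box needs curl, drop it here rather than carrying two HTTP clients. Installing both `python` and `python3` hedges on which interpreter Ansible will be pointed at; pick the one that matches `ansible_python_interpreter` in the inventory and add a comment saying this is Ansible's managed-node requirement so the next reader does not remove it.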
Why?
for ansible. not sure if it wanted v2 or 3.
moved from late_command.sh apt install python
I think it is a safe assumption that we:
want the box ready for ansible. (all cases)
may not use late_command.sh (some cases)
Ansible has dependencies declared, you don't need to do this.
I think you are saying I should do:
d-i pkgsel/include string openssh-server curl ansible
but ansible doesn't need to be installed on its target
personally, I don't mind installing everything everywhere ;)
| d-i preseed/late_command string in-target sh -c "curl -o penultimate_setup.sh '{{ late_command_url }}' && ANSIBLE_UNDER_DI=1 sh penultimate_setup.sh && rm penultimate_setup.sh" | ||
| {% else %} | ||
| d-i preseed/late_command string in-target sh -c "wget -O penultimate_setup.sh '{{ late_command_url }}' && ANSIBLE_UNDER_DI=1 sh penultimate_setup.sh && rm penultimate_setup.sh" | ||
| # d-i preseed/late_command string in-target sh -c "wget -O penultimate_setup.sh '{{ late_command_url }}' && ANSIBLE_UNDER_DI=1 sh penultimate_setup.sh && rm penultimate_setup.sh" |
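Review bot: both branches download `late_command_url` and immediately `sh` the result as root inside the target with no integrity check, and the third line is a commented-out copy of the second that should be deleted. Since the default URL in this PR is plain http, verify before executing: download to the temporary file, compare it against a `sha256sum` carried in the preseed (or a signature), and only then run it; the existing `&&` chain makes adding that step straightforward.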
Similar comment about commenting stuff out, as before.
roles/apt/tasks/main.yml
| dest: /etc/apt/sources.list | ||
| notify: apt update | ||
| when: ansible_distribution == 'Debian' | ||
| when: distro == 'Debian' |
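Review bot: `distro` replaces the `ansible_distribution` fact but is not defined in any visible line; if it is a custom inventory variable then every host must set it or the `when` evaluation fails on an undefined variable, and if it is meant to mirror the fact then `ansible_distribution` already exists and needs no indirection. Either way the commit message should state why the fact is being replaced.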
I don't understand the point of these changes
| tftp-root=/srv/tftp | ||
| no-hosts | ||
| host-record={{ inventory_hostname }},{{ eth_local_ip_address }} | ||
| host-record={{ inventory_hostname }}.{{ domain }},{{ eth_local_ip_address }} |
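Review bot: dnsmasq's `host-record` accepts several names for one address, `host-record=<name>[,<name>...],<IPv4-address>`, so the short and fully-qualified names can share one line: `host-record={{ inventory_hostname }},{{ inventory_hostname }}.{{ domain }},{{ eth_local_ip_address }}`. That still only answers for the DHCP server itself; the other machines the reviewer wants to reach by name need an `addn-hosts=` file or further records.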
What's the point of having the machine return itself in DNS, but nothing else?
roles/opsis/files/minirc.dfl
| @@ -0,0 +1,8 @@ | |||
| pu port /dev/ttyACM0 | |||
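Review bot: `/dev/ttyACM0` is assigned by enumeration order, so minicom's default profile can attach to whichever ACM device appeared first rather than the intended board; use the stable device name the udev rules in this repository provide. The hunk header advertises 8 added lines but only this one is shown, so the rest of the profile should be checked for the same assumption.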
We have better port names than that, provided by our udev package
roles/tftp-server/defaults/main.yml
| --- | ||
| netboot_image: https://deb.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/netboot.tar.gz | ||
| late_command_url: https://anonscm.debian.org/cgit/debconf-video/ansible.git/plain/setup_ansible.sh | ||
| # late_command_url: https://anonscm.debian.org/cgit/debconf-video/ansible.git/plain/setup_ansible.sh |
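Review bot: delete the commented-out `late_command_url` rather than keep it. `netboot_image` points at `stretch/main/installer-amd64/current/`, a moving target that changes with every point release; record the expected `sha256sum` of `netboot.tar.gz` (published in the mirror's `images/SHA256SUMS`) as a second default and check it after download, otherwise a changed or substituted image is unpacked into the TFTP root without notice.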
Please delete rather than comment out. git has history.
| # We clone our ansible repository and copy the ansible config files | ||
| # git clone https://anonscm.debian.org/git/debconf-video/ansible.git /root/debconf-ansible | ||
| git clone https://github.com/CarlFK/video-stack-deploy.git /root/debconf-ansible |
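Review bot: `/root/debconf-ansible` now receives a clone of `CarlFK/video-stack-deploy`, so the directory name no longer describes its contents, and the anonscm line above it is dead code kept as a comment; template both the URL and the destination from variables and delete the comment. As with the other clone in this file, pin a branch or commit so a reinstall does not pick up whatever was last pushed to a personal repository.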
This, and many other things in this file, should be templated.
roles/tftp-server/tasks/main.yml
| apt: | ||
| name: "{{ item }}" | ||
| with_items: | ||
| - nginx |
It's a list of one item, just install it, no need to iterate over the list.
roles/xorg/tasks/lightdm.yml
| file: | ||
| path: /etc/lightdm/lightdm.conf.d | ||
| state: directory | ||
| when: distro=="Debian" |
Do we need that? Surely if it already exists, it's no big deal?
| path: /etc/apt/apt.conf.d/30apt-proxy | ||
| state: absent | ||
| when: apt_proxy == "" | ||
| when: not apt_proxy |
I assume you can delete this whole block, because nothing is ever going to create that file any more.
roles/tftp-server/defaults/main.yml
| pw_salt: U1ESiTXUQE0tFh2r4LRl | ||
| # how to make the hash: | ||
| # $ printf "r00tme" | mkpasswd -s -m md5 | ||
| user_password_hash: $1$G1uRZoLB$r68rPXmpJl/C6ervlynKa/ |
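Review bot: `user_password_hash` is an MD5-crypt (`$1$`) hash of the password spelled out in the comment above it, committed into role defaults, so every box built with the defaults shares a publicly known credential. Default it to `null`, make the preseed template fail (or skip the account) when it is unset, and document `mkpasswd -m sha-512` instead of `md5`. Note also that `pw_salt` (`U1ESiTXUQE0tFh2r4LRl`) is not the salt embedded in the hash (`G1uRZoLB`), so the two values are unrelated as written.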
The default doesn't belong here, it should probably default to null here (and have an appropriate if block in the preseed template)
roles/tftp-server/defaults/main.yml
| user_password: null | ||
| pw_salt: U1ESiTXUQE0tFh2r4LRl | ||
| # how to make the hash: | ||
| # $ printf "r00tme" | mkpasswd -s -m md5 |
SHA-512 please
roles/tftp-server/defaults/main.yml
| user_name: videoteam | ||
| user_password: null | ||
| pw_salt: U1ESiTXUQE0tFh2r4LRl |
This change needs to be made in more places (inventory/group_vars/all, roles/users/defaults/main.yml)
base that can be used as is to build production boxes, and extended for R&D of new and untested things.