New production1 deployment @ PSNC

* Tune OpenStack parameters * Enlarge flavours on PSNC production * Disable scratch volumes * Fix production FW for admin machine * Inventory file * Site name

New production1 deployment @ PSNC
113d19ed · František Dvořák · a53286dc · 113d19ed · 113d19ed · 113d19ed
Commit 113d19ed authored 7 months ago by František Dvořák
--- a/common/terraform/network.tf
+++ b/common/terraform/network.tf
+data "openstack_networking_network_v2" "public-network" {
+  name = var.ip_pool
+}
+
+resource "openstack_networking_network_v2" "local-network" {
+  name           = "local-network"
+  admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "local-network-subnet" {
+  name       = "local-network-subnet"
+  network_id = openstack_networking_network_v2.local-network.id
+  cidr       = "192.168.0.0/24"
+}
+
+resource "openstack_networking_router_v2" "local-router" {
+  name                = "local-router"
+  admin_state_up      = true
+  external_network_id = data.openstack_networking_network_v2.public-network.id
+}
+
+resource "openstack_networking_router_interface_v2" "router_interface_1" {
+  router_id = openstack_networking_router_v2.local-router.id
+  subnet_id = openstack_networking_subnet_v2.local-network-subnet.id
+}
--- a/production1/ansible.cfg
+++ b/production1/ansible.cfg
+[defaults]
+inventory=inventory
+
+[diff]
+always=true
--- a/production1/deploy.sh
+++ b/production1/deploy.sh
+#! /bin/bash -xe
+
+#
+# Deploy EOSC production instance
+#
+
+cd terraform && terraform init && terraform apply
+cd -
+cp -pv terraform/inventory.yaml inventory/1-psnc.yaml
+
+# dynamic DNS
+ip="$(head -n 1 < terraform/fip.txt)"
+# shellstate=$(shopt -po xtrace)
+# set +o xtrace
+# # https://nsupdate.fedcloud.eu
+# vault_prefix=secrets/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/eosc-production
+# FEDCLOUD_DYNAMIC_DNS=$(vault read -field data $vault_prefix/FEDCLOUD_DYNAMIC_DNS | grep ^map | head -n 1 | sed 's/map\[\(.*\)\]/\1/')
+# for auth in $FEDCLOUD_DYNAMIC_DNS; do
+# 	echo "curl -i -X GET -u $(echo "$auth" | cut -d: -f1):XXX https://nsupdate.fedcloud.eu/nic/update?myip=$ip"
+# 	curl -i -X GET -u "$auth" https://nsupdate.fedcloud.eu/nic/update?myip="$ip"
+# done
+# eval "$shellstate"
+echo "Terraform finished. Check terraform/docker-volume.sh. Continue? (CTRL-C to quit)"
+read -r _
+
+# wait for ping and ssh
+for ip in $(cat terraform/fip.txt); do
+	while ! ping -c 1 "$ip"; do sleep 5; done
+	ssh-keygen -R "$ip"
+	while ! ssh egi@"$ip" -o ConnectTimeout=10 -o PreferredAuthentications=publickey -o StrictHostKeyChecking=no :; do sleep 10; done
+done
+
+# check ssh access
+ansible -m command -a 'uname -a' allnodes
+
+# wait cloud-init
+ansible -m shell -a 'while ! test -f /var/lib/cloud/instance/boot-finished; do sleep 2; done' allnodes
+
+# setup volumes
+ansible -m copy -a 'src=terraform/nfs-volume.sh dest=/root/ mode=preserve' nfs
+ansible -m command -a '/root/nfs-volume.sh' nfs
+ansible -m copy -a 'src=terraform/squid-volume.sh dest=/root/ mode=preserve' 'ingress[0]'
+ansible -m command -a '/root/squid-volume.sh' 'ingress[0]'
+
+# kubernetes
+ansible-playbook playbooks/k8s.yaml
+while ansible -m command -a 'kubectl get pods --all-namespaces' master | tail -n +3 | grep -Ev ' (Running|Completed) '; do sleep 5; done
+# docker runtime directory after Kubernetes deployment (problem with unmounts)
+ansible -m copy -a 'src=terraform/docker-volume.sh dest=/root/ mode=preserve' 'ingress nfs worker gpu'
+ansible -m command -a '/root/docker-volume.sh' 'ingress nfs worker gpu'
+ansible-playbook playbooks/squid.yaml
+ansible-playbook playbooks/cvmfs.yaml
+
+# wait for finish
+while ansible -m command -a 'kubectl get pods --all-namespaces' master | tail -n +3 | grep -Ev ' (Running|Completed) '; do sleep 5; done
+
+ansible-playbook playbooks/security-assets.yaml
+ansible-playbook playbooks/security-logs.yaml
+ansible-playbook playbooks/security-scanner.yaml
--- a/production1/deployments/hub.yaml
+++ b/production1/deployments/hub.yaml
+../../common/deployments/hub-production.yaml
\ No newline at end of file
--- a/production1/extra
+++ b/production1/extra
+../common/extra
\ No newline at end of file
--- a/production1/inventory/1-psnc.yaml
+++ b/production1/inventory/1-psnc.yaml
+---
+fip:
+  hosts:
+    62.3.174.184:
+
+master:
+  hosts:
+    192.168.0.80:
+      # must be IPv4 address or hostname
+      kube_server: 192.168.0.80
+
+ingress:
+  hosts:
+    192.168.0.74:
+
+nfs:
+  hosts:
+    192.168.0.129:
+
+worker:
+  hosts:
+    192.168.0.98:
+    192.168.0.109:
+    192.168.0.147:
+
+gpu:
+  hosts:
+
+# using public IP of kube_server for ansible delegate_to
+kube_server:
+  hosts:
+    192.168.0.80:
+      ansible_host: 192.168.0.80
--- a/production1/inventory/99-all.yaml
+++ b/production1/inventory/99-all.yaml
+---
+allnodes:
+  children:
+    master:
+    ingress:
+    nfs:
+    worker:
+    gpu:
+
+all:
+  vars:
+    ansible_become: yes
+    ansible_user: egi
+    ansible_ssh_common_args: '-o ProxyCommand="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -q egi@{{ groups["fip"][0] }}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
+
+    mail_local: true
+    site_name: psnc-production1
+    vault_mount_point: secrets/users/e1662e20-e34b-468c-b0ce-d899bc878364@egi.eu/eosc-production
+
+    notebooks_hostname: eu-1.notebooks.open-science-cloud.ec.europa.eu
+    grafana_hostname: grafana.eu-1.notebooks.open-science-cloud.ec.europa.eu
--- a/production1/playbooks/cvmfs.yaml
+++ b/production1/playbooks/cvmfs.yaml
+../../common/playbooks/cvmfs.yaml
\ No newline at end of file
--- a/production1/playbooks/files/calico.yaml
+++ b/production1/playbooks/files/calico.yaml
+../../../common/playbooks/files/calico.yaml
\ No newline at end of file
--- a/production1/playbooks/files/etc
+++ b/production1/playbooks/files/etc
+../../../common/playbooks/files/etc
\ No newline at end of file
--- a/production1/playbooks/files/jupyterhub-jwt.yaml
+++ b/production1/playbooks/files/jupyterhub-jwt.yaml
+../../../common/playbooks/files/jupyterhub-jwt.yaml
\ No newline at end of file
--- a/production1/playbooks/files/usr
+++ b/production1/playbooks/files/usr
+../../../common/playbooks/files/usr
\ No newline at end of file
--- a/production1/playbooks/k8s.yaml
+++ b/production1/playbooks/k8s.yaml
+../../common/playbooks/k8s.yaml
\ No newline at end of file
--- a/production1/playbooks/notebooks.yaml
+++ b/production1/playbooks/notebooks.yaml
+../../common/playbooks/notebooks.yaml
\ No newline at end of file
--- a/production1/playbooks/public_keys
+++ b/production1/playbooks/public_keys
+../../common/playbooks/public_keys
\ No newline at end of file
--- a/production1/playbooks/security-assets.yaml
+++ b/production1/playbooks/security-assets.yaml
+../../common/playbooks/security-assets.yaml
\ No newline at end of file
--- a/production1/playbooks/security-logs.yaml
+++ b/production1/playbooks/security-logs.yaml
+../../common/playbooks/security-logs.yaml
\ No newline at end of file
--- a/production1/playbooks/security-scanner.yaml
+++ b/production1/playbooks/security-scanner.yaml
+../../common/playbooks/security-scanner.yaml
\ No newline at end of file
--- a/production1/playbooks/squid.yaml
+++ b/production1/playbooks/squid.yaml
+../../common/playbooks/squid.yaml
\ No newline at end of file
--- a/production1/playbooks/templates/deepfence-agent.yaml.j2
+++ b/production1/playbooks/templates/deepfence-agent.yaml.j2
+../../../common/playbooks/templates/deepfence-agent.yaml.j2
\ No newline at end of file