|
 |
a6768b |
# SOP to create/migrate Duffy tenant
|
|
 |
c14d2e |
This SOP covers the process of how to create a duffy tenant
|
|
|
c14d2e |
|
|
|
a6768b |
## Create new tenant
|
|
|
a6768b |
### Connect to duffy.ci.centos.org
|
|
|
c14d2e |
```shell
|
|
|
c14d2e |
ssh duffy.ci.centos.org
|
|
|
c14d2e |
```
|
|
|
c14d2e |
|
|
|
a6768b |
### Change to duffy user
|
|
|
c14d2e |
```shell
|
|
|
c14d2e |
sudo su - duffy
|
|
|
c14d2e |
```
|
|
|
a6768b |
### Create tenant with the command below and save api key somewhere safe, it outputs the key as `<tenant name>: <API key>`
|
|
|
c14d2e |
```shell
|
|
|
c14d2e |
duffy admin create-tenant <tenant name> <ssh pub-key>
|
|
|
c14d2e |
```
|
|
|
c14d2e |
|
|
|
a6768b |
|
|
|
a6768b |
## Migrate/Update tenant
|
|
|
a6768b |
|
|
|
a6768b |
Migrating an existing Duffy tenant from older DB is like previous step but we just need to enforce a specific (and known) API key. So we can apply previous `duffy admin create-tenant` step but then calling `duffy admin update-tenant` to enforce existing API key to be "valid" in new DB :
|
|
|
a6768b |
|
|
|
a6768b |
```
|
|
|
a6768b |
duffy admin update-tenant --help
|
|
|
a6768b |
Usage: duffy admin update-tenant [OPTIONS] NAME
|
|
|
a6768b |
|
|
|
a6768b |
Update a tenant.
|
|
|
a6768b |
|
|
|
a6768b |
Options:
|
|
|
a6768b |
--ssh-key TEXT New SSH key for the tenant.
|
|
|
a6768b |
--api-key TEXT Either a new API key (UUID) for the tenant
|
|
|
a6768b |
or 'reset' to set automatically.
|
|
|
a6768b |
--node-quota INT_OR_NONE How many nodes the tenant can use at a time
|
|
|
a6768b |
(optional, will use default if unset).
|
|
|
a6768b |
--session-lifetime INTERVAL_OR_NONE
|
|
|
a6768b |
The initial session lifetime for this
|
|
|
a6768b |
tenant.
|
|
|
a6768b |
--session-lifetime-max INTERVAL_OR_NONE
|
|
|
a6768b |
The maximum session lifetime for this
|
|
|
a6768b |
tenant.
|
|
|
a6768b |
|
|
|
a6768b |
```
|
|
|
a6768b |
|
|
|
a6768b |
We just need first to retrieve existing duffy api key and ssh public keys from old Duffy DB
|
|
|
a6768b |
Let's assume for the example that projectname is "test-infra" :
|
|
|
a6768b |
|
|
|
a6768b |
```
|
|
|
a6768b |
MariaDB [duffy]> select * from users where projectname like '%test-infra%';
|
|
|
a6768b |
+--------------------------------------+-------------+-------------+------------+------------+
|
|
|
a6768b |
| apikey | projectname | jobname | createdat | limitnodes |
|
|
|
a6768b |
+--------------------------------------+-------------+-------------+------------+------------+
|
|
|
a6768b |
| d6e0483b-c9e1-40c7-a2a0-0f29f4961cde | test-infra | test-infr a | 2015-06-10 | 10 |
|
|
|
a6768b |
+--------------------------------------+-------------+-------------+------------+------------+
|
|
|
a6768b |
1 row in set (0.00 sec)
|
|
|
a6768b |
MariaDB [duffy]> select `key` from userkeys where project_id='d6e0483b-c9e1-40c7-a2a0-0f29f4961cde';
|
|
|
a6768b |
|
|
|
a6768b |
|
|
|
a6768b |
```
|
|
|
a6768b |
|
|
|
a6768b |
Now that we have both the apikey and ssh keys (can be multiple ones), we can use `duffy admin update-tenant` with new values
|
|
|
a6768b |
We can follow same `update-tenant` process to change node-quota and session-lifetime
|
|
|
a6768b |
|
|
|
a6768b |
!!! warning
|
|
|
a6768b |
for newly created CI tenants in openshift we had only *one* ssh keypair and so *one* ssh public key to import. But for previous/legacy jobs, it's possible that we have *multiple* ssh public keys. In that case, duffy cli lets you only import "one" string, which should absolutely contain new line character, so it can be done like this :
|
|
|
a6768b |
|
|
|
a6768b |
```
|
|
|
a6768b |
duffy admin update-tenant --api-key d6e0483b-c9e1-40c7-a2a0-0f29f4961cde --ssh-key "ssh-rsa <fake_one_>+W2EMNDARNa50KaFXQ3hM6TWLPwGhnG0Sj5l1obae0sNiEgzUejp1gNnTPWv/BLKdOH5yl14Z
|
|
|
a6768b |
> ssh-rsa <fake_two>SBLcm+f3Xy8WJEqtFF461XSoM97rSapDM9KH/h1tMqUyXnVTzbofQlGGAJw40+l9D4+F98Nbm95jWVmjQ+1N/uCiz0/Io5MDxZPq645mR4ChUAhrwE16JPr7c1DsYES7rTPbmC0lX9VCjhzxBSlbOzvxBuEipYt0FMKRlwvMzwPHONijvmx1AkB7t test-infra@jenkins-agent.ci.centos.org
|
|
|
a6768b |
> ssh-rsa <fake_key_three>PyqI7/BvcozCQQaM33LfbcpKb4ks0vw4+RH1AjnjC9r8SNivUiUQ9zg0RHXwUGRCK0iD70JGeO43Q7cSixtYfHu/MXm2feFNz01hsAIEGrlJVUlMzUyLYcqOu0BTKxIlKyK3tG1RLNvG/IDcaZMMBNS83k9phJyATvzXpeocyo6NgUVDeZstpunVv4xKQNX39nD4S/09jslXk6lZ8Pj7fyKf0rGOHuu7NpJOIb2rcSd8sC1MmsOGlY+EUuZ test-infra@CI" test-infra
|
|
|
a6768b |
|
|
|
a6768b |
```
|
|
|
a6768b |
|
|
|
a6768b |
It's really *important* that the whole --ssh-key "block" is seen as a string with newline inside so that it's correct injected for duffy job as different lines in remote .ssh/authorized_keys when duffy will contextualize the node
|
|
|
a6768b |
|
|
|
a6768b |
It's also important to add this <project>/<apikey> keypair in the `duffy_metaclient_usermap` list in ansible inventory, in the host_vars, so that if tenant is actually just using only old/legacy endpoint with his apikey, it will still be recognized by duffy (until we remote the legacy endpoint)
|
|
|
a6768b |
When committed to git and pushed, one can play the duffy role with the config tags and it will update 20_metaclient.yaml file used by metaclient service.
|
|
|
a6768b |
|
|
|
a6768b |
Once tenant is imported (apikey and ssh public key(s)) and ansible duffy role applied, the tenant can either use `icico` client (in compatibility mode) or already use the new duffy client (see below)
|
|
|
a6768b |
|
|
|
a6768b |
|
|
|
c2a162 |
## Artifacts storage box
|
|
|
c2a162 |
|
|
|
c2a162 |
CI tenants are allowed to upload artifacts to one storage box, so we need to allow them to upload/rsync to it.
|
|
|
c2a162 |
It's all controlled by the `artifacts_projects_list` list in ansible (host_vars) so don't forget to also add project and ssh public keys there too
|
|
|
c2a162 |
|
|
|
c2a162 |
|
|
|
a6768b |
## Duffy client configuration (external)
|
|
|
a6768b |
|
|
|
a6768b |
### Connect to the host that will have duffy client
|
|
|
c14d2e |
```shell
|
|
|
c14d2e |
ssh <host user>@<target host>
|
|
|
c14d2e |
```
|
|
|
c14d2e |
|
|
|
a6768b |
### Install duffy client using `pip`
|
|
|
c14d2e |
```shell
|
|
|
c14d2e |
pip3.8 install --user duffy[client]
|
|
|
c14d2e |
```
|
|
|
c14d2e |
|
|
|
a6768b |
### In the home path of the user, create `.config` directory if it doesn’t exist and create `.config/duffy` with the following content
|
|
|
c14d2e |
```
|
|
|
c14d2e |
client:
|
|
|
c14d2e |
url: https://duffy.ci.centos.org/api/v1
|
|
|
c14d2e |
auth:
|
|
|
c14d2e |
name: <tenant name>
|
|
|
c14d2e |
key: <API key>
|
|
|
c14d2e |
```
|
|
|
c14d2e |
|
|
|
a6768b |
### To create a session, the name of the pool is required. Check the pool available executing the command **_(Optional)_**
|
|
|
c14d2e |
```shell
|
|
|
c14d2e |
duffy client list-pools
|
|
|
c14d2e |
```
|
|
|
a6768b |
### Request a session
|
|
|
c14d2e |
```shell
|
|
|
c14d2e |
duffy client request-session pool=<name of the pool>,quantity=<number of sessions wanted>
|
|
|
c14d2e |
```
|
|
|
c14d2e |
|
|
|
c14d2e |
By default this command outputs a _json_, but it's possible to change the format to _yaml_ or _flat_ using `--format`. Under "node" key it's possible to find the hostname to be used. Log in to it as `root` user, using `ssh`.
|
|
|
c14d2e |
|
|
|
c14d2e |
```json
|
|
|
c14d2e |
{
|
|
|
c14d2e |
...output ommited...
|
|
|
c14d2e |
|
|
|
c14d2e |
"nodes": [
|
|
|
c14d2e |
{
|
|
|
c14d2e |
"hostname": "<hostname>.ci.centos.org",
|
|
|
c14d2e |
"ipaddr": "<ip address>",
|
|
|
c14d2e |
|
|
|
c14d2e |
...output ommited...
|
|
|
c14d2e |
}
|
|
|
c14d2e |
```
|
|
|
c14d2e |
|
|
|
a6768b |
### When needed to retire the session, connect to your duffy client host and execute the command
|
|
|
c14d2e |
```shell
|
|
|
c14d2e |
duffy client retire-session <session id>
|
|
|
c14d2e |
```
|
|
|
c14d2e |
|
|
|
c14d2e |
It's possible to check the session id either when the session is requested, in the output under "session" key, or using the following command:
|
|
|
c14d2e |
```shell
|
|
|
c14d2e |
duffy client list-sessions
|
|
|
c14d2e |
```
|