centos / centos-infra-docs

Clone
Source Code
GIT

#11 Convert to relative links
Opened 3 months ago by dcavalca. Modified 3 months ago
centos/ dcavalca/centos-infra-docs links  into  master

Merge
file modified
+1 -1 
@@ -1,6 +1,6 @@ 
 

  # Ansible Environments
 

  

- As explained in the [Overview](/#available-environments), we use different ansible inventories based on the target infra that we'll target.
 

+ As explained in the [Overview](../index.md#available-environments), we use different ansible inventories based on the target infra that we'll target.
 

  

  Apart from the roles and playbooks which are all common for *all* environments, each env will use its own :

file modified
+2 -2 
@@ -6,7 +6,7 @@ 
 

  

  To keep it simple, we try to rely only on wordpress 'core' and just deploy some needed plugins, like : 

  

-  * openid : needed to let users log in through our [authentication platform](/infra/authentication/)
 

+  * openid : needed to let users log in through our [authentication platform](../infra/authentication.md)
 

   * classic-editor : request from Community Manager to let people edit easily drafts/posts
 

   * akismet : classic one that is used against spammers
 

  
@@ -18,4 +18,4 @@ 
 

  

  ## Operations
 

  

- See [dedicated section](/operations/apps/blog/) about some BAU operations needed for Wordpress
 

+ See [dedicated section](../operations/apps/blog.md) about some BAU operations needed for Wordpress

file modified
+1 -1 
@@ -4,7 +4,7 @@ 
 

  

  It's hosted at [https://lists.centos.org](https://lists.centos.org) and on a sponsored node.
 

  

- Due to the fact that it was created (back in time decision) on the centos.org MX machine , the lists are using the `@centos.org` domain, and so mailman is hosted *on* the main centos [mailserver](/apps/mailservers/), reason why the postfix ansible role will have the `postfix_mailman` [variable boolean](https://github.com/CentOS/ansible-role-postfix/blob/master/defaults/main.yml#L80) set to `True`, as it will automatically create the `<list>@centos.org` aliases on the host (needed to pass through mailman)
 

+ Due to the fact that it was created (back in time decision) on the centos.org MX machine , the lists are using the `@centos.org` domain, and so mailman is hosted *on* the main centos [mailserver](../infra/mailservers.md), reason why the postfix ansible role will have the `postfix_mailman` [variable boolean](https://github.com/CentOS/ansible-role-postfix/blob/master/defaults/main.yml#L80) set to `True`, as it will automatically create the `<list>@centos.org` aliases on the host (needed to pass through mailman)
 

  

  Some links:

file modified
+1 -1 
@@ -22,7 +22,7 @@ 
 

  

  ## Authentication
 

  

- Our pagure instance is tied with our existing [Authentication service](/infra/authentication/) so one needs to first have a account there to interact with the pagure instance (except of course for Read-Only operations like cloning a repository, etc)
 

+ Our pagure instance is tied with our existing [Authentication service](../infra/authentication.md) so one needs to first have a account there to interact with the pagure instance (except of course for Read-Only operations like cloning a repository, etc)
 

  

  When a user is added in a SIG group , and logs in again, its membership will be reflected at the pagure/git.centos.org side.

file modified
+2 -2 
@@ -3,11 +3,11 @@ 
 

  To build artifacts that will be released/pushed to the mirror network, CentOS Project relies on distributed build systems, mostly :
 

  

    * [Koji](https://pagure.io/koji)
 

-   * [reimzul](/buildsys/reimzul/)
 

+   * [reimzul](reimzul.md)
 

  

  While reimzul is still being used for CentOS Linux 7 rpm builds, koji is now the one being used for CentOS Linux 8 and all Stream releases (but different environments)
 

  

- RPM packages built by/for Special Interest Groups on our [Community Build Service](/buildsys/koji-cbs/) are also built on a koji instance, different from the one[s] used to build CentOS Linux/Stream distributions.
 

+ RPM packages built by/for Special Interest Groups on our [Community Build Service](koji-cbs.md) are also built on a koji instance, different from the one[s] used to build CentOS Linux/Stream distributions.
 

  

  We adviced you to read upstream koji documentation to have details of all needed components and how they can be combined all together to be able to build/distribute packages, but here is a quick overview :

file modified
+5 -5 
@@ -6,18 +6,18 @@ 
 

  

  ## Authentication
 

  

- The whole CBS/koji infra is using the centralized [Authentication service](/infra/authentication/) so both the infra components (services/nodes) and the users are authenticated with TLS certificates.
 

+ The whole CBS/koji infra is using the centralized [Authentication service](../infra/authentication.md) so both the infra components (services/nodes) and the users are authenticated with TLS certificates.
 

  

- That means that for each node, we need a valid [TLS cert signed by IPA](/security/tls/#ipadogtag-central-authentication).
 

+ That means that for each node, we need a valid [TLS cert signed by IPA](../security/tls.md#ipadogtag-central-authentication).
 

  

  Same rule applies for `users` : they need to be authenticated with valid TLS certificated signed by same CA but we'll consider two kind of users:
 

  

-   * service account[s]: used to run services (not real users) so can be [created](/security/tls/#tls-service-account) by infra team
 

-   * real users: they can use instructions to create their [own TLS cert](/infra/authentication/#tlsx509-authentication)
 

+   * service account[s]: used to run services (not real users) so can be [created](../security/tls.md#tls-service-account) by infra team
 

+   * real users: they can use instructions to create their [own TLS cert](../infra/authentication.md#tlsx509-authentication)
 

  

  ## Koji tags structure
 

  

- When the Special Interest Groups ([SIG](https://wiki.centos.org/SpecialInterestGroup) in short) wanted to start building , the idea discussed on the centos-devel list (back in 2014) was to create some koji [tags](https://docs.pagure.org/koji/HOWTO/#package-organization) that would let people build/test/promote their packages that would then be pushed to the external mirrors CDN (while being signed with a specific [GPG key](/koji-cbs-sigs/#security-gpg-key-for-packages-signing))
 

+ When the Special Interest Groups ([SIG](https://wiki.centos.org/SpecialInterestGroup) in short) wanted to start building , the idea discussed on the centos-devel list (back in 2014) was to create some koji [tags](https://docs.pagure.org/koji/HOWTO/#package-organization) that would let people build/test/promote their packages that would then be pushed to the external mirrors CDN (while being signed with a specific [GPG key](koji-cbs-sigs.md#security-gpg-key-for-packages-signing))
 

  

  The proposed and agreed levels are :

file modified
+2 -2 
@@ -38,7 +38,7 @@ 
 

  ## Available Environments
 

  

  While the same automation code should be used to configure all infra/services nodes within CentOS Infra, it's worth knowing that we still "divide" it into sub-sections, and so having different environments.
 

- Let's just have a quick look at the existing environments, *each* using its own dedicated [Ansible](/ansible) inventory, and so various settings and/or permitted access :
 

+ Let's just have a quick look at the existing environments, *each* using its own dedicated [Ansible](ansible/index.md) inventory, and so various settings and/or permitted access :
 

  

    * `CentOS main` : if not defined, all the nodes considered as "production" nodes and managed as such
 

      * `CentOS staging` (STG) : pre-prod environment, with limited number of nodes, but mostly used to test changes/deployments before being rolled-out to the `CentOS main` one
 
@@ -49,4 +49,4 @@ 
 

  

  ## CentOS Infra team
 

  

- See the [dedicated section](/infra/team/) 

+ See the [dedicated section](infra/team.md)

file modified
+1 -1 
@@ -18,7 +18,7 @@ 
 

  CentOS Infra team though is in charge of the [haproxy](https://github/centos/ansible-role-haproxy) node in front of openshift and routing requests to correct openshift compute nodes from Fedora infra.
 

  All the needed variables for haproxy are stored in the CentOS ansible inventory, either through group_vars and/or host_vars variables
 

  

- Same goes for the TLS certificates used on the haproxy reverse proxy : automatically applied by the ansible role *after* they are renewed through BAU process (see [dedicated TLS](/security/tls/#how-to-renew-existing-certs) documentation)
 

+ Same goes for the TLS certificates used on the haproxy reverse proxy : automatically applied by the ansible role *after* they are renewed through BAU process (see [dedicated TLS](../security/tls.md#how-to-renew-existing-certs) documentation)
 

  

  ### Identity Provider (IdP)

file modified
+1 -1 
@@ -65,7 +65,7 @@ 
 

  We also have a specific `acme.centos.org` zone, that is only use for one specific purpose : creating on the fly TXT records that will be used by LetsEncrypt/ACME for DNS challenge.
 

  For this we use [acme.sh](https://github.com/Neilpang/acme.sh) tool that will do that automatically for us : it will use nsupdate with specific allowed key to create dynamically the needed record that ACME server will verify to validate and then sign the CSR.
 

  

- See [TLS section](/tls/#how-to-obtain-new-cert-dns-challenge-is-the-preferred-way) on how to use it.
 

+ See [TLS section](../security/tls.md#how-to-obtain-new-cert-dns-challenge-is-the-preferred-way) on how to use it.
 

  

  Some pointers:

file modified
+1 -1 
@@ -52,7 +52,7 @@ 
 

  Here is an an overview of the deployed ocp ci cluster : 

  

  	

- ![CI Infra overview](/img/duffy-aws.drawio.png)
 

+ ![CI Infra overview](../img/duffy-aws.drawio.png)
 

  

  Apart from the FAS/auth/EFS volumes, it's worth knowing that :

file modified
+5 -5 
@@ -6,8 +6,8 @@ 
 

  

  All that is possible at various levels :
 

  

-  * Application level : granted needed credentials (usually authenticated through [ACO](/infra/authentication/))
 

-  * Ansible role level : through Pull Requests against our [Ansible](/ansible/) roles and/or inventories
 

+  * Application level : granted needed credentials (usually authenticated through [ACO](authentication.md))
 

+  * Ansible role level : through Pull Requests against our [Ansible](../ansible/index.md) roles and/or inventories
 

   * Machine/Infra level : granted shell/elevated rights based on Ansible rights
 

  

  ## Onboarding infra members
 
@@ -24,11 +24,11 @@ 
 

  While being part of the `sig-infra` group doesn't grant any shell/sudo permission *anywhere* , it at least reflect that new person joigning the team will be a PoC for infra and also automatically granted : 

  

   * rights to build/promote pkgs on the [infra koji tags](https://cbs.centos.org/koji/search?match=glob&type=tag&terms=infra*)
 

-  * a `@centosproject.org` email address (see also the [postfix](/infra/mailservers) section)
 

+  * a `@centosproject.org` email address (see also the [postfix](mailservers.md) section)
 

  

  ### Ansible inventory access (for "full" sysadmin)
 

  

- Based on the [Environment](/#available-environments) that new infra team member needs access to (delegation, as some are in charge of CentOS CI but not -yet- other parts, etc), one needs to be added in a specific ansible list/variables in inventory, the [admins_list](https://github.com/CentOS/ansible-role-baseline/blob/master/defaults/main.yml#L5) that contains list of shell accounts to create , with their ssh pub key and if they are granted sudo rights.
 

+ Based on the [Environment](../index.md#available-environments) that new infra team member needs access to (delegation, as some are in charge of CentOS CI but not -yet- other parts, etc), one needs to be added in a specific ansible list/variables in inventory, the [admins_list](https://github.com/CentOS/ansible-role-baseline/blob/master/defaults/main.yml#L5) that contains list of shell accounts to create , with their ssh pub key and if they are granted sudo rights.
 

  

  From that point, next time Ansible will be ran across servers fleet (either automatically through central mgmt station *or* manually for the machines in the `manual-run` specific group), it will add the new sysadmin (or modify/remove) on the nodes.
 

  
@@ -47,7 +47,7 @@ 
 

        * have enabled OTP on their account for authentication services
 

  

  

- Once you have verified the GPG public key, you can (for `git-crypt`ed git repositories for ansible, add the new collaborator like this (do this on *each* [git repo](/ansible/topology/) that the new sysadmin is granted access to).
 

+ Once you have verified the GPG public key, you can (for `git-crypt`ed git repositories for ansible, add the new collaborator like this (do this on *each* [git repo](../ansible/topology.md) that the new sysadmin is granted access to).
 

  So after you've added the gpg in your own keyring, you can add it to git-crypt
 

  

  ```

file modified
+2 -2 
@@ -2,11 +2,11 @@ 
 

  

  ## Steps
 

  

- 1. Create an entry in duffy db (with ssh key) - [follow adding-duffy-tenant.md](/operations/ci/adding_cico_tenant/adding-duffy-tenant/)
 

+ 1. Create an entry in duffy db (with ssh key) - [follow adding-duffy-tenant.md](adding-duffy-tenant.md)
 

  2. Create an OpenShift namespace/project (done with ansible)
 

  3. Create a PV(Persistent Volume) and deploy Jenkins instance (done with ansible)
 

  

- ## Create an entry in duffy db (with ssh key) - [follow adding-duffy-tenant.md](/operations/ci/adding_cico_tenant/adding-duffy-tenant/)
 

+ ## Create an entry in duffy db (with ssh key) - [follow adding-duffy-tenant.md](adding-duffy-tenant.md)
 

  

  

  ### Create an OpenShift namespace

file modified
+1 -1 
@@ -1,4 +1,4 @@ 
 

  ## This guide is for admins to troubleshoot seamicro chassis when needed
 

  

  !!! note
 

-     This section was moved to [Tips and Tricks/hardware](/tips/hardware/#seamicro-chassis)
 

+     This section was moved to [Tips and Tricks/hardware](../../../tips/hardware.md#seamicro-chassis)

file modified
+1 -1 
@@ -6,7 +6,7 @@ 
 

  

    * Delete/reinstall the (virtual) machine (cleaning up)
 

      * If hosted within Red Hat DC, update [internal ip inventory](https://docs.google.com/spreadsheets/d/1K-aewLJ17z3pRC6K5qyBRJYtNXy1WcxRSVwPkGf4NXQ) (Obviously need RH SSO and permission)
 

-   * Remove from [DNS](/infra/dns/) (public or internal, depending on the case and don't forget to also remove from PowerDNS if record is delegated to that dns infra, see below)
 

+   * Remove from [DNS](../infra/dns.md) (public or internal, depending on the case and don't forget to also remove from PowerDNS if record is delegated to that dns infra, see below)
 

    * Remove it from Ansible inventory (and search for references for that node in case of)
 

    * Remove it from Zabbix monitoring
 

    * (optional and if sponsored : remove sponsor logo from [website git repo](https://git.centos.org/centos/centos.org) )

file modified
+1 -1 
@@ -59,5 +59,5 @@ 
 

    * we receive initial credentials
 

    * we collect needed informations (like ipv4/ipv6 address[es], dns resolvers, etc)
 

    * we perform remotely (without remote console access) a reinstall on itself (faster then auditing the state in which we receive a machine) that is reinstalled following our standards
 

-   * we add node in dns/ansible (see [Common section](/operations/deploy/common) )
 

+   * we add node in dns/ansible (see [Common section](common.md) )

file modified
+2 -2 
@@ -10,7 +10,7 @@ 
 

  

  ## Adding node
 

  

- You first need to add the node into DNS (either internally or externally) so please have a look at the dedicated [DNS section](/infra/dns), and that means kicking the `role-bind.yml` or `role-unbound.yml` playbooks based on the need, and after having pushed the change to git.
 

+ You first need to add the node into DNS (either internally or externally) so please have a look at the dedicated [DNS section](../../infra/dns.md), and that means kicking the `role-bind.yml` or `role-unbound.yml` playbooks based on the need, and after having pushed the change to git.
 

  

  Once the node is available, we need *once* to initialize the node to confirm access and ssh host key/fingerprint and then sign it with our SSH CA.
 

  
@@ -55,7 +55,7 @@ 
 

  

    * (optional) retrieve the public IP and allow incoming connections from that new ip for some infra services restricted by iptables
 

    * retrieve ssh host keys, sign these and push the signed 

-   * retrieve locally some facts that can be used later for basic host_vars template
 

+   * retrieve locally some facts that can be used later for basic `host_vars` template
 

    * play the `baseline` role (common for *all* nodes but with different settings, based on inventory
 

      * if that's a RHEL host, either point to internal mirror, or RH CDN (based on `rhel_host_use_cdn` variable/boolean in ansible)
 

    * (optional): play other roles that are tied to ansible inventory group membership (if you added the host already in some specific groups)

file modified
+4 -4 
@@ -4,9 +4,9 @@ 
 

  

  Except for some identified ssh Jump Hosts, or for public services over ssh (like pushing to git.centos.org), the tcp/22 port used by sshd is [firewalled](https://github.com/CentOS/ansible-role-iptables/blob/master/defaults/main.yml#L11) on almost all the fleet.
 

  

- As part of the `init` [process](/operations/deploy/common/) we sign the sshd host key, meaning that once it's signed by central key, you just have to trust that cert-authority and so not have to confirm each host key/fingerprint when connecting to a server over ssh.
 

+ As part of the `init` [process](../operations/deploy/common.md) we sign the sshd host key, meaning that once it's signed by central key, you just have to trust that cert-authority and so not have to confirm each host key/fingerprint when connecting to a server over ssh.
 

  

- The Ansible [sshd](https://github.com/CentOS/ansible-role-sshd) is also distributing a ssh_known_hosts system file, so that each node (if needed) can also ssh into other centos nodes (like for backup purposes), as long as of course :
 

+ The Ansible [sshd](https://github.com/CentOS/ansible-role-sshd) is also distributing a `ssh_known_hosts` system file, so that each node (if needed) can also ssh into other centos nodes (like for backup purposes), as long as of course :
 

  

    * a valid user pub key is injected
 

    * tcp/22 isn't blocked through iptables from ansible
 
@@ -19,9 +19,9 @@ 
 

    * Doesn't permit password authentication
 

    * specify the `HostCertificate` (see the node about CA sshd host above)
 

  

- From a client perspective, all users ssh public keys are distributed by ansible (for sysadmin) or coming from [IPA](/infra/authentication/) through ipsilon for some services able to query/import ssh public keys through openid/openidc (like for example pagure/git.centos.org)
 

+ From a client perspective, all users ssh public keys are distributed by ansible (for sysadmin) or coming from [IPA](../infra/authentication.md) through ipsilon for some services able to query/import ssh public keys through openid/openidc (like for example pagure/git.centos.org)
 

  

- We also tune the default ciphers in our host sshd_config to match current security standards and following best practices in that regard.
 

+ We also tune the default ciphers in our host `sshd_config` to match current security standards and following best practices in that regard.
 

  

  ## Bastion hosts

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation