[future ideas] Terraform -> Cloud init architecture & pass off to ansible

[NeilHanlon]

Rocky Linux will require a stable process to create resources and hand them over to ansible to be provisioned.

Ideally it would be all wrapped in a webhook to notify us when things are done.

Some ideas off the top of my head are:

• cloud-init configures ansible and runs it from the server, pulling from main ansible servers
• cloud-init configures ansible and triggers AWX to run the provisioning

Want to make sure security concerns are addressed and machines are bootstrapped immediately.

[elreydetoda]

It sounds like you are almost wanting something more event based with this issue description. Am I understanding this properly? Or not necessarily, but it could be controlled by webhooks? ( i.e. and endpoint for start, status, and when it ends the final event kicks out completed somewhere? )

[NeilHanlon]

It sounds like you are almost wanting something more event based with this issue description. Am I understanding this properly? Or not necessarily, but it could be controlled by webhooks? ( i.e. and endpoint for start, status, and when it ends the final event kicks out completed somewhere? )

Not necessarily event based, more in the realm of just being able to track the state of a host as it goes through its life cycle.. from creation to termination -- the implementation of the steps may change but in general there is always some

1. register the thing in a source of truth
2. make the thing (metal, aws, private cloud, etc)
3. Put the thing into IPAM/etc
4. boot the thing (turn it on with user-data to give it a hostname, IP address.. IPAM
5. tell the thing to bootstrap itself with Configuration Management so the Thing has Purpose.
7. Eventually, it is retired for some reason at some point in the future and is terminated/deprovisioned.. in reverse order, essentially. (perhaps there are some circular dependencies I'm writing off the cuff)

Basically that's all I want to think about here, at a high level, how to hand off and track state between tasks if we have terraform or some other API doing the 'make and boot' parts, and needing to track the 'thing's progress while bootstrapping without terraform or whatever creates it.

[chriscowley]

We need to expand on step 5 a little in my opinion.

What do we want that step to do?

• The absolute minimum before handing it over to Ansible to do the rest?
• Install ALL THE THINGS then Ansible/human does the actual config?
• Somewhere in between?

[NeilHanlon]

Agreed @chriscowley

As it stands now, machines are built and then manually 'bootstrapped' with some ansible roles (system-init and ipa-client, iirc).

There are also configurations performed by the image build itself (via kickstart) - but those shouldn't be relied on, IMO. Rebuilding the image shouldn't be something we do all the time, IMO (except on a schedule to keep the OS updated and make rollouts faster).

atm, we bake ansible's SSH key into the image (but it can also be delivered over cloud-init).. So as soon as a VM (ec2 instance) boots, it can be 'ansiblized'.

[srbala]

atm, we bake ansible's SSH key into the image (but it can also be delivered over cloud-init).. So as soon as a VM (ec2 instance) boots, it can be 'ansiblized'.

Fedora CoreOS and RHCOS uses Ignition from CoreOS. Similar feature avaiilable in SUSE using Igniion https://en.opensuse.org/Portal:MicroOS/Ignition or enhanced https://en.opensuse.org/Portal:MicroOS/Combustion

Is it possible to consider Rocky version of RHCOS minus the subsciption?

[srbala]

Is it possible to consider Rocky version of RHCOS minus the subsciption?

this will be good complement for OKD https://www.okd.io/