Introduction

OSCI maintained services are maintained using the OSAS/community-cage-infra-ansible repository on GitLab. Contributions are welcome.

Deployment

Configuration Management

This repository contains Ansible playbooks to deploy VMs and configure hosts to provide the service. Only a few secrets (tokens, or emails to avoid SPAM) are kept private using Ansible Vault.

Some communities (RDO, oVirt…) possess their own resources with an internal Infra team; in this case the deployment rules are hosted in their own repositories.

Packaging

Along with these rules we might need specific packages for certain softwares. For example we use the Mailman 3 repository maintained by a fellow developer in the mailman3 Ansible role. We also maintain our own repository for important fixes.

Procedures

• Common Procedures:

  • VM Management
  • Host Network Setup
  • DNS Management
  • Post Installation:
    • Monitoring
    • Backup

• Blade Management:

  • Blade Administrative Access
  • Blade Hardware Configuration
  • Blade OS Installation

• Specific Services:

  • Zanata (translate.zanata.org)
  • Mailing-Lists

• Testing:

  • Ansible Roles Tests

• Troubleshooting

Resources

Our resources are located in the Community Cage in the RDU datacenter. OSCI is managed as a separate tenant of the Community Cage with the following resources:

• Network VLANs and IPs
• Hardware
• Underlying Technical Services

Administration Access

Direct Access

All machines with a public IP address are currently reachable through SSH with keys. OSCI admins keys are automatically installed via Ansible, user root access may also be available on a case-by-case basis.

Internal/Management Access (for tenants and OSCI administrators)

Machines in VLANs without publics IPs can be reached through a jump host. Currently it is used to reach the OSCI Internal VLAN and the Tenants Management VLAN.

Each tenant’s administrators should have their SSH key(s) registered first. Access is restricted to specific host+port combinations, except for OSCI admins.

You can reach the host using its internal DNS name or IP using:

ssh -J <tenant>@soeru.osci.io <user>@<target-host>

Port forwarding is allowed to the same host+port targets:

ssh -J <tenant>@soeru.osci.io - L <local-port>:<target-host>:<remote-port> <user>@<target-host>

If the target host’s SSH implementation does not support port forwarding or you only need forwarding you can use this instead:

ssh -N -L <local-port>:<target-host>:<remote-port> <tenant>@soeru.osci.io

To simplify administration of your hosts via Ansible, you can create a osci_internal_zone group with all hosts in the Internal VLAN, and create group_vars/osci_internal_zone/connection.yml containing:

---
ansible_ssh_common_args: "-o ProxyJump=<tenant>@soeru.osci.io"

(and replace <tenant> with your tenant login)

OSCI administrators may also jump using -J root@catton.osci.io or -J root@spritz.osci.io.

Management Access for OSCI Resources

All bare metal machines or equipments are accessible for administration tasks via the management VLAN:

• SSH gives access to a shell or a CLI (for switches or CMM)
  • jump using -J root@catton.osci.io or -J root@spritz.osci.io
  • for SuperMicro switches, use -o Ciphers=aes256-cbc -o PreferredAuthentications=password, but do not use Compression yes
• CMM or blade admin interfaces both allow web UI and IPMI access

Fallback Access

In case we totally break network/SSH configuration on bare metal hosts, access via a console server is not possible. Each host is accessible by connecting via SSH on conserve.adm.osci.io on a specific port (use -oKexAlgorithms=+diffie-hellman-group1-sha1):

You first need to authenticate with your console server account, and then you can access a direct console on the host.

Using Ctrl-z (even via SSH) allows you to access a menu and quit.

OSCI admins can login as root via SSH to the standard port to access a UNIX shell. The portaccessmenu command allows you to list available machines and connect to them. Be aware that you need to authenticate with your console server account first even if you’re already logged in. The configmenu command is used to setup the device (users, groups, ports, ACLs…). The device configuration has been saved (manually) on file.rdu.redhat.com:/mnt/share/OSAS/backups/Conserve/ so please update it if needed.

To create a new user follow these steps:

• 1. System Administration
• 1. User Administration
• 1. Add
• enter username
• 3 - Users ( Port access only )
• 1 - Port Access Menu
• enter password twice
• ESC twice
• a