Merge inventory-generator with origin-ansible image

[juanvallejo]

Begin adding https://github.com/juanvallejo/dynamic-inventory as a new sub-pkg under images/.
the inventory-generator is based on this proposal

Trello card for the creation of this image: https://trello.com/c/314Df06O
Trello card for integrating this image with openshift-ansible: https://trello.com/c/ARPorrvv

Goal

The goal behind having this new image is to:

• Create a script that runs in a pod in a cluster.
• Script collects information about cluster.
• Script uses collected information to create inventory file for that cluster.
• Our health checks playbook (inside the pod in that same cluster) uses that inventory file to run our checks against the cluster.

Building

From the root of the openshift/ansible directory

$ docker build --rm -t openshift/inventory-gen images/inventory-generator

Implementation

The reason why (currently) both master-config.yaml and admin.kubeconfig are needed is because we use master-config.yaml to extract most of the information about hosts that are part of the current deployment, and then use admin.kubeconfig to establish a connection with the oc binary, to retrieve any additional information about any remaining nodes through the output of $ oc get nodes -o yaml.

I am hoping to use this PR and its feedback to mature the contents of this script.

cc @rhcarvalho @brenton @sosiouxme

[rhcarvalho]

@juanvallejo you have some YAML-lint errors: https://travis-ci.org/openshift/openshift-ansible/jobs/262695660#L669

[rhcarvalho]

Why don't we enable EPEL first and then install all packages at once?

[sosiouxme]

EPEL packages sometimes shadow official packages, which we would usually prefer. There are two basic ways to prevent this - this is one - the other is to define the EPEL repo but leave it inactive and only enable it for the yum transactions needed. Either way you end up separating out the EPEL dependencies.

The other reason to do this is because it identifies which packages are "gaps" in the official packages. In the downstream these tend to require some different treatment, either shipping packages in another channel, getting them via RHSCL, or making them unnecessary somehow. And if things change and the packages are no longer needed... it becomes obvious you can get rid of EPEL.

[rhcarvalho]

Bad indentation / alignment.

[rhcarvalho]

Why does the user needs to edit /etc/passwd?

[juanvallejo]

Ah, will word that comment a bit better. This comment justifies the need to make /etc/passwd writable, in order to tie a username to the given uid. This is required for ssh to work from within the container

[rhcarvalho]

Why do we change the permissions of /bin too?

[rhcarvalho]

Why do we use of -k / --insecure?

[sosiouxme]

Agreed, not needed

[rhcarvalho]

Why this?

[rhcarvalho]

Double space before --become; missing new line.

Why do we default to -vvv (and hard code it)?

Why do we set --become-user root? It is the default.

Why do we need --become?

[rhcarvalho]

Note: the "traditional" path/shebang is #!/usr/bin/env python, though this should also work on Fedora/RHEL/CentOS.

[rhcarvalho]

Suggestion: set shell options in the script, not in the shebang -- if the script is executed like /path/to/shell path/to/script, the -e flag is suddenly gone.

Also, I recommend:

set -o errexit
set -o nounset
set -o pipefail

This is what we do most often (see shell scripts in Origin), each option for a good reason.

[rhcarvalho]

Update URL?

[rhcarvalho]

I did a first pass, but did not review everything.

Is it worth having yet another image, what about simply adding a new script to the existing openshift-ansible image?

[juanvallejo]

@rhcarvalho

Is it worth having yet another image, what about simply adding a new script to the existing openshift-ansible image?

Was not sure to what extent we wanted to couple this with our existing image. But if it makes more sense to have this functionality as part of it, I can go ahead and update the PR.

cc @sosiouxme @brenton

[sosiouxme]

One image sounds good to me.

[juanvallejo]

@rhcarvalho @sosiouxme still testing, but went ahead and merged inventory-generator with our image. Its readme file has been updated (README_INVENTORY_GENERATOR.md).

[sosiouxme]

So I know this isn't supposed to be full-featured, but it needs a fair amount more before it will even handle my regular AWS test clusters passably...

(Sorry for the tardiness of my input here)

[sosiouxme]

What if there is no alias? My hosts don't have aliases.

[sosiouxme]

Likewise; aliases should be optional and I don't think you're going to want to use the same one for all the nodes.

[sosiouxme]

all hosts default to the same alias? that seems unlikely to work if there is more than one host.

[sosiouxme]

What if there are multiple masters?

[sosiouxme]

I'd really like to be able to just use an existing kubeconfig to connect.

This only handles the use case of a user with a login and password. It's can be a pain to set one of those up and it's likely they want it to be a service account with a revocable auth token. Plus it's possible the master_public_url isn't what they want to use, nor insecure TLS.

Simplest would probably be to use a kubeconfig. It's easy for the user to create one with oc login. We don't need to recreate oc login in python.

[sosiouxme]

if the file is empty then this returns None and all the access below fails. Should check that the result is a dict or just make it an empty one.

[sosiouxme]

need to mention where the inventory gets generated, and they need to specify where Ansible should look for it right?

[sosiouxme]

should be able to specify full path, not just the name.

Also would like to be able to print to stdout.

[sosiouxme]

should be configurable

[sosiouxme]

What about all the other stuff from my config file?

openshift_release: 3.6
openshift_image_tag: v3.6.0
openshift_hosted_logging_deploy: True
openshift_logging_image_version: v3.6.0
openshift_disable_check: disk_availability,docker_storage,memory_availability

etc.... i think we want to be able to generate as close to the original file as possible.

[juanvallejo]

@sosiouxme thanks for the feedback; review comments addressed.
Will only support one master in this iteration. In a future update it would
be nice to add support to multiple masters (and host aliases) through the
user config file.

[juanvallejo]

[test]

[rhcarvalho]

I suspect this file is bind-mounted, and thus this would have an impact on permissions outside of the container...

[rhcarvalho]

How come it is both required and has a default value?!

[rhcarvalho]

How come it is both required and has a default value?!

[rhcarvalho]

These lines ignore admin_kubeconfig_path, and I think it will only work if admin_kubeconfig_path has its default value?

[rhcarvalho]

I suspect this must be run from the repository root (to give the correct meaning for .) and thus we need to note that?

[rhcarvalho]

Use triple-backticks for making it a block. Single backtick is used for inline code snippets.

```
docker build --rm -t openshift/origin-ansible -f images/installer/Dockerfile .

```

[rhcarvalho]

Hmm, on a second thought, the build process is already described elsewhere, the inventory generation does not need to talk about building images?!

[rhcarvalho]

INVY? Sounds funny :-)

[rhcarvalho]

Why the symlink?

[rhcarvalho]

Won't this suggest people to disable these checks unintentionally?

[juanvallejo]

Hm, so I had this for debugging purposes and had meant to take them out :) will update

[rhcarvalho]

How helpful is it to include these?

Feels like the default paths are repeated in many places.

[rhcarvalho]

Is it helpful to include this?

[juanvallejo]

I'm thinking with this and admin_kubeconfig_path above, I could at least default them to their default values instead of null. I think having these present in the default config file gives a better glance of what can be tweaked

[juanvallejo]

@sosiouxme thanks for the feedback, review comments addressed. Let's see how ci tests fare this time

[rhcarvalho]

@juanvallejo please rebase and if there are no other changes we can start aos-ci-test and then tag for merge ;)

[juanvallejo]

@rhcarvalho thanks, done!

[juanvallejo]

re[test]

[juanvallejo]

flaked on openshift/origin#8571 re[test]

[sosiouxme]

aos-ci-test

[openshift-bot]

Evaluated for openshift ansible test up to 19ea800

[sosiouxme]

I found a few things that still needed addressing, so I did that... works for me now.

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible/659/) (Base Commit: 665c5c2) (PR Branch Commit: 19ea800)

[openshift-bot]

success: "aos-ci-jenkins/OS_3.6_NOT_containerized, aos-ci-jenkins/OS_3.6_NOT_containerized_e2e_tests" for c032e4c (logs)

[openshift-bot]

success: "aos-ci-jenkins/OS_3.6_containerized, aos-ci-jenkins/OS_3.6_containerized_e2e_tests" for c032e4c (logs)

[sosiouxme]

... why are the test statuses still yellow?

[sdodson]

Looks like they were run against an old commit, the commit is recorded at the time the aos-ci-test job is queued rather than at the start of the job. So it ran against c032e4c which has since been updated?

[sdodson]

aos-ci-test

[sdodson]

If that isn't complete tomorrow i'm fine to merge this manually based on the results of https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible/659/

[sdodson]

sigh I just noticed no one had added a merge tag, let me know if this should be reverted.

[sosiouxme]

@sdodson only reason there was no merge tag was because waiting for aos-ci-test. This is quite low risk so I wouldn't worry about reverting.