introducing ovirt-engine-setup role #123
Conversation
roles/ovirt-engine-setup/README.md
Outdated
|
|
||
| | Name | Default value | Description | | ||
| |---------------------------------|-----------------------|-----------------------------------------------------------| | ||
| | ovirt_engine_type | ovirt-engine | Type of product 'ovirt-engine|rhevm' | |
There was a problem hiding this comment.
the | after ovirt-engine is interpreted as end of column
| delay: 10 | ||
| until: health_page|success | ||
|
|
||
| - name: clean tmp files |
There was a problem hiding this comment.
I would make sure this is always removed to not store any password in plain in case of failure.
There was a problem hiding this comment.
i will change it to block and add the always section
| template: | ||
| src: answerfile_{{ ovirt_engine_version }}_basic.txt.j2 | ||
| dest: /tmp/answerfile.txt | ||
| mode: 0644 |
There was a problem hiding this comment.
Any reason this is world readable if there are stored passwords in plain text?
There was a problem hiding this comment.
no idea.
but the engine setup should read this file. so it should be plain text and readable. ...
do u suggest to make it 0600 ?
There was a problem hiding this comment.
yes, please make it 0600 and set no_log to true, as I think it's printed to stdout as well
There was a problem hiding this comment.
What is the credentials of the user running this Ansible script? You do NOT put files with predicted name under /tmp (especially if you are root!).
| OVESETUP_CONFIG/applicationMode=str:both | ||
| OVESETUP_CONFIG/remoteEngineSetupStyle=none:None | ||
| OVESETUP_CONFIG/sanWipeAfterDelete=bool:False | ||
| OVESETUP_CONFIG/storageIsLocal=bool:False |
There was a problem hiding this comment.
Do we need to have all of the options listed here? Can we just have those which can be changed and run with accept-defaults ? Or is there any issue with that?
There was a problem hiding this comment.
i think its there because it is needed..
There was a problem hiding this comment.
I just wonder what will happen, if there will be introduced new option in zstream, it can stop to work, so I think the accept defaults is better way, but I don't have deep knowledge of this. Just asking.
There was a problem hiding this comment.
I tend to agree with accept default for oVirt side, as the playbook accomodates to it autoamtically.
I tend to disagree with accept default for oVirt QA side, as we would need to track changes manually., as we want to know what are we testing and new options we might miss new options.
There was a problem hiding this comment.
I think you should create one common file and use include jinja statement, better than copy-pasting. And change only things which are relevant for the verison, this is unreadeble.
There was a problem hiding this comment.
Hmm, I think it's better to have one answer file per version as variable might be renamed between versions and no backward compatibility is ensured, so having only 1 answer could complicate things significantly.
But I think, we should provide a way how to use --accept-defaults and override only variables that user selects (for example disable OVN, but leave the rest on defaults). But this can be done in separate RFE
There was a problem hiding this comment.
I created a basic answer file and already tested on 4.1 and 4.2 and I don't see issues. I think it's good idea and definitely makes it much easier to read.
There was a problem hiding this comment.
'--accept-defaults' already behaves like that - it obeys all var/val in the answer file, and "accepts the default" only if not supplied.
|
cc @mwperina |
| ovirt_engine_type: 'ovirt-engine' | ||
| ovirt_engine_version: '4.1' | ||
| ovirt_engine_organization: 'of.ovirt.engine.com' | ||
| ovirt_engine_admin_password: 'secret' |
There was a problem hiding this comment.
In the example please follow the best practise with password using ansible vault
There was a problem hiding this comment.
Can you please use the vault?
| - hosts: engine | ||
| vars: | ||
| ovirt_engine_type: 'ovirt-engine' | ||
| ovirt_engine_version: '4.1' |
There was a problem hiding this comment.
I just wonder why installer need to have version variable, any reason to not autodetect it?
There was a problem hiding this comment.
it is just to load the answer file.
I would like to assume that whoever runs this actually knows what he is doing and what version is he installing.
There was a problem hiding this comment.
Since we decided to install engine packages in this role as well, we don't really have way to know engine version.
So, I guess this variable will be needed.
roles/ovirt-engine-setup/README.md
Outdated
| ovirt_engine_type: 'ovirt-engine' | ||
| ovirt_engine_version: '4.1' | ||
| ovirt_rpm_repo: 'http://resources.ovirt.org/pub/yum-repo/ovirt-release41.rpm' | ||
| ovirt_engine_organization: 'dwhmanualenginetest.ovirt.org' |
There was a problem hiding this comment.
organization is twice here
| ovirt_engine_dwh: True | ||
| ovirt_engine_type: 'ovirt-engine' | ||
| ovirt_engine_version: '4.1' | ||
| ovirt_engine_admin_password: '123456' |
| ovirt_engine_admin_password: '123456' | ||
|
|
||
| ovirt_provider_ovn_username: 'admin@internal' | ||
| ovirt_provider_ovn_password: '{{ ovirt_engine_admin_password }}' |
| ovirt_engine_db_port: 5432 | ||
| ovirt_engine_db_name: 'engine' | ||
| ovirt_engine_db_user: 'engine' | ||
| ovirt_engine_db_password: 'AqbXg4dpkbcVRZwPbY8WOR' |
There was a problem hiding this comment.
dont put db password to asnwer files, we want them to be generated by engine
| @@ -0,0 +1,23 @@ | |||
| --- | |||
| galaxy_info: | |||
| author: Tareq Alayan | |||
There was a problem hiding this comment.
I would add Petr Kubica - original developer and maintainer of these
| description: Role to run engine-setup. | ||
| company: Red Hat, Inc. | ||
|
|
||
| license: Apache License 2.0 |
There was a problem hiding this comment.
Original playbooks were published under GPL, ovirt is published under Apache License 2.0, we might want to check what is the best approach on licensing here.
There was a problem hiding this comment.
what should it be?
This role will enable you to deploy ovirt-engine with answere file.
tareqalayan
force-pushed
the
ovirt-deployment-role
branch
from
bcd443e to
20f0f15
Compare
|
Some tests failed |
|
|
||
| | Name | Default value | Description | | ||
| |---------------------------------|-----------------------|-----------------------------------------------------------| | ||
| | ovirt_engine_type | ovirt-engine | Type of product 'ovirt-engine' or 'rhevm' | |
There was a problem hiding this comment.
should the product be 'rhvm' instead of 'rhevm'
There was a problem hiding this comment.
should the product be 'rhv' instead of 'rhvm'
There was a problem hiding this comment.
rhvm is fine, as this is the downstream package name for 4.2 (ie yum install rhvm)
There was a problem hiding this comment.
I think this parameter can be removed. we know the version, we can create the matrix for package name per version and hide it from user.
There was a problem hiding this comment.
Yes, but how do you know if user wants to install oVirt or RHV?
There was a problem hiding this comment.
Hmm, you 're right. I 'll keep it
| | Name | Default value | Description | | ||
| |---------------------------------|-----------------------|-----------------------------------------------------------| | ||
| | ovirt_engine_type | ovirt-engine | Type of product 'ovirt-engine' or 'rhevm' | | ||
| | ovirt_engine_version | UNDEF | Allowed version: [3.6, 4.0, 4.1] | |
| | ovirt_engine_dwh | UNDEF | Bool value for installing local DWH. | | ||
| | ovirt_engine_answer_file_path | UNDEF | /path/to/custom/answerfile. | | ||
| | ovirt_engine_db_host | localhost | IP or hostname of PostgreSQL server for engine database. | | ||
| | ovirt_engine_db_port | 5432 | Server listening port. | |
There was a problem hiding this comment.
Database server port.
There was a problem hiding this comment.
Port of a PostgreSQL server for Engine database
| | ovirt_engine_type | ovirt-engine | Type of product 'ovirt-engine' or 'rhevm' | | ||
| | ovirt_engine_version | UNDEF | Allowed version: [3.6, 4.0, 4.1] | | ||
| | ovirt_engine_dwh | UNDEF | Bool value for installing local DWH. | | ||
| | ovirt_engine_answer_file_path | UNDEF | /path/to/custom/answerfile. | |
There was a problem hiding this comment.
Path to custom answerfile.
There was a problem hiding this comment.
Path to custom answer file for engine-setup
| | ovirt_engine_answer_file_path | UNDEF | /path/to/custom/answerfile. | | ||
| | ovirt_engine_db_host | localhost | IP or hostname of PostgreSQL server for engine database. | | ||
| | ovirt_engine_db_port | 5432 | Server listening port. | | ||
| | ovirt_engine_db_name | engine | DB name for ovirt-engine. | |
There was a problem hiding this comment.
Database name of ovirt-engine.
Not sure but I think of is better than for here.
| | ovirt_engine_db_host | localhost | IP or hostname of PostgreSQL server for engine database. | | ||
| | ovirt_engine_db_port | 5432 | Server listening port. | | ||
| | ovirt_engine_db_name | engine | DB name for ovirt-engine. | | ||
| | ovirt_engine_db_user | engine | DB user which can access ovirt-engine DB. | |
There was a problem hiding this comment.
Name of a user to access Engine database
| ovirt_engine_db_port: 5432 | ||
| ovirt_engine_db_name: 'engine' | ||
| ovirt_engine_db_user: 'engine' | ||
| ovirt_engine_db_password: 'AqbXg4dpkbcVRZwPbY8WOR' |
| template: | ||
| src: answerfile_{{ ovirt_engine_version }}_basic.txt.j2 | ||
| dest: /tmp/answerfile.txt | ||
| mode: 0644 |
There was a problem hiding this comment.
I think there still could be password no? So again 0600 please
| - skip_ansible_lint | ||
|
|
||
| - name: run engine-setup with answerfile | ||
| shell: 'engine-setup --config-append=/tmp/answerfile.txt' |
There was a problem hiding this comment.
What is the reason to use shell, instead of command? It is a best practise to use command unless shell is a must to use.
There was a problem hiding this comment.
Not sure it's a valid reason, but you might want to pass certain shell env vars, e.g. 'OTOPI_DEBUG=1'. Not sure ansible's shell modules allows to do this without changing the play either.
| - name: restart of ovirt-engine service | ||
| service: | ||
| name: ovirt-engine | ||
| state: restarted |
There was a problem hiding this comment.
Hmm, if you restart it here, then the started state before is useless, no?
There was a problem hiding this comment.
Why do we restart ovirt-engine there? The service is (re)started during engine-setup, no?
| OVESETUP_CONFIG/applicationMode=str:both | ||
| OVESETUP_CONFIG/remoteEngineSetupStyle=none:None | ||
| OVESETUP_CONFIG/sanWipeAfterDelete=bool:False | ||
| OVESETUP_CONFIG/storageIsLocal=bool:False |
There was a problem hiding this comment.
I think you should create one common file and use include jinja statement, better than copy-pasting. And change only things which are relevant for the verison, this is unreadeble.
|
@machacekondra I 'll adjust all comments and create PR for the separate repository https://github.com/oVirt/ovirt-ansible-engine-setup. |
|
|
||
| | Name | Default value | Description | | ||
| |---------------------------------|-----------------------|-----------------------------------------------------------| | ||
| | ovirt_engine_type | ovirt-engine | Type of product 'ovirt-engine' or 'rhevm' | |
There was a problem hiding this comment.
rhvm is fine, as this is the downstream package name for 4.2 (ie yum install rhvm)
| | ovirt_engine_answer_file_path | UNDEF | /path/to/custom/answerfile. | | ||
| | ovirt_engine_db_host | localhost | IP or hostname of PostgreSQL server for engine database. | | ||
| | ovirt_engine_db_port | 5432 | Server listening port. | | ||
| | ovirt_engine_db_name | engine | DB name for ovirt-engine. | |
| | ovirt_engine_dwh | UNDEF | Bool value for installing local DWH. | | ||
| | ovirt_engine_answer_file_path | UNDEF | /path/to/custom/answerfile. | | ||
| | ovirt_engine_db_host | localhost | IP or hostname of PostgreSQL server for engine database. | | ||
| | ovirt_engine_db_port | 5432 | Server listening port. | |
There was a problem hiding this comment.
Port of a PostgreSQL server for Engine database
| | ovirt_engine_db_host | localhost | IP or hostname of PostgreSQL server for engine database. | | ||
| | ovirt_engine_db_port | 5432 | Server listening port. | | ||
| | ovirt_engine_db_name | engine | DB name for ovirt-engine. | | ||
| | ovirt_engine_db_user | engine | DB user which can access ovirt-engine DB. | |
There was a problem hiding this comment.
Name of a user to access Engine database
| | ovirt_engine_db_port | 5432 | Server listening port. | | ||
| | ovirt_engine_db_name | engine | DB name for ovirt-engine. | | ||
| | ovirt_engine_db_user | engine | DB user which can access ovirt-engine DB. | | ||
| | ovirt_engine_db_password | UNDEF | password for user of ovirt-engine DB. | |
There was a problem hiding this comment.
Password of a user to access Engine database
| group: root | ||
| when: ovirt_engine_answer_file_path is defined | ||
|
|
||
| - name: update setup packages |
| - name: restart of ovirt-engine service | ||
| service: | ||
| name: ovirt-engine | ||
| state: restarted |
There was a problem hiding this comment.
Why do we restart ovirt-engine there? The service is (re)started during engine-setup, no?
| name: ovirt-engine | ||
| state: restarted | ||
|
|
||
| - name: check health status of page |
| OVESETUP_CONFIG/applicationMode=str:both | ||
| OVESETUP_CONFIG/remoteEngineSetupStyle=none:None | ||
| OVESETUP_CONFIG/sanWipeAfterDelete=bool:False | ||
| OVESETUP_CONFIG/storageIsLocal=bool:False |
There was a problem hiding this comment.
Hmm, I think it's better to have one answer file per version as variable might be renamed between versions and no backward compatibility is ensured, so having only 1 answer could complicate things significantly.
But I think, we should provide a way how to use --accept-defaults and override only variables that user selects (for example disable OVN, but leave the rest on defaults). But this can be done in separate RFE
| @@ -0,0 +1,72 @@ | |||
| # action=setup | |||
There was a problem hiding this comment.
Why do we need a special templates for new installation and upgrades?
There was a problem hiding this comment.
Because for upgrading you have some extra questions when running the engine setup.
|
Sandro/Didi could you please also take a look? |
|
@mwperina I will check your comments from here and adjust but please let's continue the review once I repost in the new repository as I said above. |
|
Didn't review the code, only replied to some comments. Feel free to add me as a reviewer on the new patch once it's ready. |
|
Closing this PR, as it was moved to : oVirt/ovirt-ansible-engine-setup#1 |
This role will enable you to deploy ovirt-engine with answere file.