Skip to content

Lock instances to prevent accidental changes #844

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bertiethorpe wants to merge 26 commits into
base: main
Choose a base branch
from
Open

Lock instances to prevent accidental changes #844

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
f7efa6c
Add protected environment checks hook
bertiethorpe Nov 4, 2025
ca47578
populate protected_environments list
bertiethorpe Nov 4, 2025
ceaba17
unlock instances before rebuild-via-slurm
bertiethorpe Nov 4, 2025
36a10e7
fix rebuild unlocking
bertiethorpe Nov 7, 2025
ccde8b4
Merge branch 'main' into feat/prevent-prod-changes
bertiethorpe Nov 7, 2025
675d3ba
remove site hook
bertiethorpe Nov 7, 2025
ab80154
Merge branch 'main' into feat/prevent-prod-changes
bertiethorpe Nov 11, 2025
0a4988d
define protected envs in common vars, improve lock_unlock_instances
bertiethorpe Nov 11, 2025
2576d25
fix locking instances play
bertiethorpe Nov 12, 2025
e2d2a93
linting fix
bertiethorpe Nov 12, 2025
f842409
linter error
bertiethorpe Nov 12, 2025
0fa67e5
lock playbook path fix
bertiethorpe Nov 12, 2025
af27191
document locking/unlocking instances
bertiethorpe Nov 12, 2025
5192f60
linting docs
bertiethorpe Nov 12, 2025
6119c22
fix
bertiethorpe Nov 12, 2025
7b832c3
improve docs style
bertiethorpe Nov 12, 2025
5bb6d98
Review changes / unlock instances before CI cleanup
bertiethorpe Nov 13, 2025
f003db8
prettier linting
bertiethorpe Nov 13, 2025
5efe606
Merge branch 'main' into feat/prevent-prod-changes
bertiethorpe Dec 8, 2025
78c52c1
Merge branch 'main' into feat/prevent-prod-changes
sjpb Dec 31, 2025
c0f29f3
Merge branch 'main' into feat/prevent-prod-changes
sjpb Jan 28, 2026
80d3b4c
default to unlock action and simplify things
sjpb Jan 28, 2026
95f1b0b
fix lint errors
sjpb Jan 28, 2026
4f4490e
add lock playbook
sjpb Jan 28, 2026
a2fb244
fix lint errors
sjpb Jan 28, 2026
8cf325f
relock instances in CI after upgrade
sjpb Jan 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions ansible/adhoc/lock_unlock_instances.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---

- hosts: "{{ target_hosts | default('all') }}"
gather_facts: no

Check failure on line 4 in ansible/adhoc/lock_unlock_instances.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

yaml[truthy] 

Truthy value should be one of [false, true]
become: no

Check failure on line 5 in ansible/adhoc/lock_unlock_instances.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

yaml[truthy] 

Truthy value should be one of [false, true]
tasks:
- name: Lock/Unlock instances
openstack.cloud.server_action:
action: "{{ server_action | default('lock') }}"
server: "{{ inventory_hostname }}"
delegate_to: localhost

Check failure on line 11 in ansible/adhoc/lock_unlock_instances.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

yaml[new-line-at-end-of-file] 

No new line character at the end of file
6 changes: 6 additions & 0 deletions ansible/adhoc/rebuild-via-slurm.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,12 @@

# See docs/slurm-controlled-rebuild.md.

- name: Unlock compute instances for rebuild
vars:
server_action: unlock
target_hosts: compute
ansible.builtin.import_playbook: lock_unlock_instances.yml

- hosts: login
run_once: true
gather_facts: false
Expand Down
22 changes: 22 additions & 0 deletions ansible/safe-env.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
---
- hosts: localhost
gather_facts: no

Check failure on line 3 in ansible/safe-env.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

yaml[truthy] 

Truthy value should be one of [false, true]
become: no

Check failure on line 4 in ansible/safe-env.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

yaml[truthy] 

Truthy value should be one of [false, true]
vars:
protected_environments:
- prd
tasks:
- name: Confirm continuing if using production environment
ansible.builtin.pause:
prompt: |
*************************************
* WARNING: PROTECTED ENVIRONMENT! *
*************************************

Current environment: {{ appliances_environment_name }}
Do you really want to continue (yes/no)?
register: env_confirm_safe
when:
- appliances_environment_name in protected_environments
- not (prd_continue | default(false) | bool)
failed_when: not (env_confirm_safe.user_input | bool)

Check failure on line 22 in ansible/safe-env.yml

View workflow job for this annotation

GitHub Actions / Lint / Lint

yaml[new-line-at-end-of-file] 

No new line character at the end of file
9 changes: 9 additions & 0 deletions ansible/site.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,13 @@
---

- ansible.builtin.import_playbook: safe-env.yml

- name: Lock all instances
vars:
server_action: lock
target_hosts: all
ansible.builtin.import_playbook: adhoc/lock_unlock_instances.yml

- name: Run pre.yml hook
vars:
# hostvars not available here, so have to recalculate environment root:
Expand Down
Loading