From: Javier Bértoli Date: Wed, 23 Mar 2022 22:39:09 +0000 (-0300) Subject: 18631: add login-sync cron to provision script X-Git-Tag: 2.5.0~225^2~9 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/972f9d0c4c32082e873bcbe29d5f7ac87b66af4a 18631: add login-sync cron to provision script Arvados-DCO-1.1-Signed-off-by: Javier Bértoli --- diff --git a/tools/salt-install/Vagrantfile b/tools/salt-install/Vagrantfile index 1573b6862b..b08ff8ffae 100644 --- a/tools/salt-install/Vagrantfile +++ b/tools/salt-install/Vagrantfile @@ -68,19 +68,19 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| # Networking # WEBUI PORT - arv.vm.network "forwarded_port", guest: 9443, host: 9443 + arv.vm.network "forwarded_port", guest: 443, host: 9443 # WORKBENCH1 - arv.vm.network "forwarded_port", guest: 9444, host: 9444 + arv.vm.network "forwarded_port", guest: 8805, host: 9444 # WORKBENCH2 - arv.vm.network "forwarded_port", guest: 9445, host: 9445 + arv.vm.network "forwarded_port", guest: 443, host: 9445 # KEEPPROXY - arv.vm.network "forwarded_port", guest: 35101, host: 35101 + arv.vm.network "forwarded_port", guest: 8801, host: 35101 # KEEPWEB - arv.vm.network "forwarded_port", guest: 11002, host: 11002 + arv.vm.network "forwarded_port", guest: 8802, host: 11002 # WEBSHELL - arv.vm.network "forwarded_port", guest: 14202, host: 14202 + arv.vm.network "forwarded_port", guest: 8803, host: 14202 # WEBSOCKET - arv.vm.network "forwarded_port", guest: 18002, host: 18002 + arv.vm.network "forwarded_port", guest: 8804, host: 18002 arv.vm.provision "shell", inline: "cp -vr /vagrant/config_examples/single_host/single_hostname /home/vagrant/local_config_dir; cp -vr /vagrant/tests /home/vagrant/tests; diff --git a/tools/salt-install/config_examples/multi_host/aws/states/shell_cron_add_login_sync.sls b/tools/salt-install/config_examples/multi_host/aws/states/shell_cron_add_login_sync.sls new file mode 100644 index 0000000000..8e68b4131a --- /dev/null +++ b/tools/salt-install/config_examples/multi_host/aws/states/shell_cron_add_login_sync.sls @@ -0,0 +1,100 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +# This state tries to query the controller using the parameters set in +# the `arvados.cluster.resources.virtual_machines` pillar, to get the +# scoped_token for the host and configure the arvados login-sync cron +# as described in https://doc.arvados.org/v2.0/install/install-shell-server.html + +{%- set curr_tpldir = tpldir %} +{%- set tpldir = 'arvados' %} +{%- set sls_config_file = 'arvados.config.file' %} +{# from "arvados/map.jinja" import arvados with context #} +{%- from "arvados/map.jinja" import arvados with context %} +{%- from "arvados/libtofs.jinja" import files_switch with context %} +{%- set tpldir = curr_tpldir %} + +{%- set virtual_machines = arvados.cluster.resources.virtual_machines | default({}) %} +{%- set api_token = arvados.cluster.tokens.system_root | yaml_encode %} +{%- set api_host = arvados.cluster.Services.Controller.ExternalURL | regex_replace('^http(s?)://', '', ignorecase=true) %} + +include: + - arvados + +extra_shell_cron_add_login_sync_add_jq_pkg_installed: + pkg.installed: + - name: jq + +{%- for vm, vm_params in virtual_machines.items() %} + {%- set vm_name = vm_params.name | default(vm) %} + + # Check if any of the specified virtual_machines parameters corresponds to this instance + # It should be an error if we get more than one occurrence + {%- if vm_name in [grains['id'], grains['host'], grains['fqdn'], grains['nodename']] or + vm_params.backend in [grains['id'], grains['host'], grains['fqdn'], grains['nodename']] + + grains['ipv4'] + grains['ipv6'] %} + + {%- set cmd_query_vm_uuid = 'arv --short virtual_machine list' ~ + ' --filters \'[["hostname", "=", "' ~ vm_name ~ '"]]\'' + %} + +# We need to use the UUID generated in the previous command to see if there's a +# scoped token for it. There's no easy way to pass the value from a shellout +# to another state, so we store it in a temp file and use that in the next +# command. Flaky, mostly because the `unless` clause is just checking that +# the file content is a token uuid :| +extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run: + cmd.run: + - env: + - ARVADOS_API_TOKEN: {{ api_token }} + - ARVADOS_API_HOST: {{ api_host }} + - name: {{ cmd_query_vm_uuid }} | head -1 | tee /tmp/vm_uuid_{{ vm }} + - require: + - cmd: arvados-controller-resources-virtual-machines-{{ vm }}-record-cmd-run + - unless: + - /bin/grep -qE "[a-z0-9]{5}-2x53u-[a-z0-9]{15}" /tmp/vm_uuid_{{ vm }} + + # There's no direct way to query the scoped_token for a given virtual_machine + # so we need to parse the api_client_authorization list through some jq + {%- set cmd_query_scoped_token_url = 'VM_UUID=$(cat /tmp/vm_uuid_' ~ vm ~ ') && ' ~ + 'arv api_client_authorization list | ' ~ + '/usr/bin/jq -e \'.items[]| select(.scopes[] == "GET ' ~ + '/arvados/v1/virtual_machines/\'${VM_UUID}\'/logins") | ' ~ + '.api_token\' | head -1 | tee /tmp/scoped_token_' ~ vm ~ ' && ' ~ + 'unset VM_UUID' + %} + +extra_shell_cron_add_login_sync_add_{{ vm }}_get_scoped_token_cmd_run: + cmd.run: + - env: + - ARVADOS_API_TOKEN: {{ api_token }} + - ARVADOS_API_HOST: {{ api_host }} + - name: {{ cmd_query_scoped_token_url }} + - require: + - cmd: extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run + - unless: + - test -s /tmp/scoped_token_{{ vm }} + +extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_host_cron_env_present: + cron.env_present: + - name: ARVADOS_API_HOST + - value: {{ api_host }} + +extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_token_cron_env_present: + cron.env_present: + - name: ARVADOS_API_TOKEN + - value: __slot__:salt:cmd.run("cat /tmp/scoped_token_{{ vm }}") + +extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_virtual_machine_uuid_cron_env_present: + cron.env_present: + - name: ARVADOS_VIRTUAL_MACHINE_UUID + - value: __slot__:salt:cmd.run("cat /tmp/scoped_token_{{ vm }}") + +extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_login_sync_cron_present: + cron.present: + - name: arvados-login-sync + - minute: '*/2' + + {%- endif %} +{%- endfor %} diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls index 2579c5ffb0..d11e61bba3 100644 --- a/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls +++ b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls @@ -28,7 +28,6 @@ arvados: ## manage OS packages with some other tool and you don't want us messing up ## with your setup. ruby: - ## We set these to `true` here for testing purposes. ## They both default to `false`. manage_ruby: true @@ -90,7 +89,7 @@ arvados: virtual_machines: shell: name: webshell - backend: 127.0.1.1 + backend: 127.0.0.1 port: 4200 ### TOKENS diff --git a/tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls index 8e4d66caf5..21bb2c45a8 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls @@ -88,8 +88,8 @@ arvados: resources: virtual_machines: shell: - name: webshell - backend: 127.0.1.1 + name: __HOSTNAME_EXT__ + backend: 127.0.0.1 port: 4200 ### TOKENS diff --git a/tools/salt-install/config_examples/single_host/single_hostname/states/shell_cron_add_login_sync.sls b/tools/salt-install/config_examples/single_host/single_hostname/states/shell_cron_add_login_sync.sls new file mode 100644 index 0000000000..8e68b4131a --- /dev/null +++ b/tools/salt-install/config_examples/single_host/single_hostname/states/shell_cron_add_login_sync.sls @@ -0,0 +1,100 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +# This state tries to query the controller using the parameters set in +# the `arvados.cluster.resources.virtual_machines` pillar, to get the +# scoped_token for the host and configure the arvados login-sync cron +# as described in https://doc.arvados.org/v2.0/install/install-shell-server.html + +{%- set curr_tpldir = tpldir %} +{%- set tpldir = 'arvados' %} +{%- set sls_config_file = 'arvados.config.file' %} +{# from "arvados/map.jinja" import arvados with context #} +{%- from "arvados/map.jinja" import arvados with context %} +{%- from "arvados/libtofs.jinja" import files_switch with context %} +{%- set tpldir = curr_tpldir %} + +{%- set virtual_machines = arvados.cluster.resources.virtual_machines | default({}) %} +{%- set api_token = arvados.cluster.tokens.system_root | yaml_encode %} +{%- set api_host = arvados.cluster.Services.Controller.ExternalURL | regex_replace('^http(s?)://', '', ignorecase=true) %} + +include: + - arvados + +extra_shell_cron_add_login_sync_add_jq_pkg_installed: + pkg.installed: + - name: jq + +{%- for vm, vm_params in virtual_machines.items() %} + {%- set vm_name = vm_params.name | default(vm) %} + + # Check if any of the specified virtual_machines parameters corresponds to this instance + # It should be an error if we get more than one occurrence + {%- if vm_name in [grains['id'], grains['host'], grains['fqdn'], grains['nodename']] or + vm_params.backend in [grains['id'], grains['host'], grains['fqdn'], grains['nodename']] + + grains['ipv4'] + grains['ipv6'] %} + + {%- set cmd_query_vm_uuid = 'arv --short virtual_machine list' ~ + ' --filters \'[["hostname", "=", "' ~ vm_name ~ '"]]\'' + %} + +# We need to use the UUID generated in the previous command to see if there's a +# scoped token for it. There's no easy way to pass the value from a shellout +# to another state, so we store it in a temp file and use that in the next +# command. Flaky, mostly because the `unless` clause is just checking that +# the file content is a token uuid :| +extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run: + cmd.run: + - env: + - ARVADOS_API_TOKEN: {{ api_token }} + - ARVADOS_API_HOST: {{ api_host }} + - name: {{ cmd_query_vm_uuid }} | head -1 | tee /tmp/vm_uuid_{{ vm }} + - require: + - cmd: arvados-controller-resources-virtual-machines-{{ vm }}-record-cmd-run + - unless: + - /bin/grep -qE "[a-z0-9]{5}-2x53u-[a-z0-9]{15}" /tmp/vm_uuid_{{ vm }} + + # There's no direct way to query the scoped_token for a given virtual_machine + # so we need to parse the api_client_authorization list through some jq + {%- set cmd_query_scoped_token_url = 'VM_UUID=$(cat /tmp/vm_uuid_' ~ vm ~ ') && ' ~ + 'arv api_client_authorization list | ' ~ + '/usr/bin/jq -e \'.items[]| select(.scopes[] == "GET ' ~ + '/arvados/v1/virtual_machines/\'${VM_UUID}\'/logins") | ' ~ + '.api_token\' | head -1 | tee /tmp/scoped_token_' ~ vm ~ ' && ' ~ + 'unset VM_UUID' + %} + +extra_shell_cron_add_login_sync_add_{{ vm }}_get_scoped_token_cmd_run: + cmd.run: + - env: + - ARVADOS_API_TOKEN: {{ api_token }} + - ARVADOS_API_HOST: {{ api_host }} + - name: {{ cmd_query_scoped_token_url }} + - require: + - cmd: extra_shell_cron_add_login_sync_add_{{ vm }}_get_vm_uuid_cmd_run + - unless: + - test -s /tmp/scoped_token_{{ vm }} + +extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_host_cron_env_present: + cron.env_present: + - name: ARVADOS_API_HOST + - value: {{ api_host }} + +extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_api_token_cron_env_present: + cron.env_present: + - name: ARVADOS_API_TOKEN + - value: __slot__:salt:cmd.run("cat /tmp/scoped_token_{{ vm }}") + +extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_virtual_machine_uuid_cron_env_present: + cron.env_present: + - name: ARVADOS_VIRTUAL_MACHINE_UUID + - value: __slot__:salt:cmd.run("cat /tmp/scoped_token_{{ vm }}") + +extra_shell_cron_add_login_sync_add_{{ vm }}_arvados_login_sync_cron_present: + cron.present: + - name: arvados-login-sync + - minute: '*/2' + + {%- endif %} +{%- endfor %} diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh index c4ccfd1269..5f6c389b76 100755 --- a/tools/salt-install/provision.sh +++ b/tools/salt-install/provision.sh @@ -514,7 +514,7 @@ if [ -d "${F_DIR}"/extra/extra ]; then # Same when using self-signed certificates. SKIP_SNAKE_OIL="dont_add_snakeoil_certs" fi - for f in $(ls "${F_DIR}"/extra/extra/*.sls | egrep -v "${SKIP_SNAKE_OIL}|shell_sudo_passwordless"); do + for f in $(ls "${F_DIR}"/extra/extra/*.sls | egrep -v "${SKIP_SNAKE_OIL}|shell_"); do echo " - extra.$(basename ${f} | sed 's/.sls$//g')" >> ${S_DIR}/top.sls done # Use byo or self-signed certificates @@ -544,10 +544,11 @@ if [ -z "${ROLES}" ]; then grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls fi - echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls echo " - postgres" >> ${S_DIR}/top.sls echo " - docker.software" >> ${S_DIR}/top.sls echo " - arvados" >> ${S_DIR}/top.sls + echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls + echo " - extra.shell_cron_add_login_sync" >> ${S_DIR}/top.sls # Pillars echo " - docker" >> ${P_DIR}/top.sls @@ -755,6 +756,7 @@ else "shell") # States echo " - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls + echo " - extra.shell_cron_add_login_sync" >> ${S_DIR}/top.sls grep -q "docker" ${S_DIR}/top.sls || echo " - docker.software" >> ${S_DIR}/top.sls grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls # Pillars