From 64f0573c9a57d8840a1dcae3814664bc770503f4 Mon Sep 17 00:00:00 2001
From: Brett Smith
Date: Sun, 24 Nov 2024 14:02:26 -0500
Subject: [PATCH] 22317: Get compute node settings from cluster configuration

This reduces the risk that Ansible configuration and cluster configuration get out of sync. We can use this same technique in other Ansible install playbooks we write in the future.

Arvados-DCO-1.1-Signed-off-by: Brett Smith
---
 .../install-compute-node.html.textile.liquid | 2 +-
 tools/compute-images/README.md | 20 +++++++++++-
 .../ansible/build-compute-image.yml | 31 ++++++++++++-------
 .../roles/compute_user/defaults/main.yml | 3 +-
 .../ansible/roles/compute_user/tasks/main.yml | 9 +++++-
 tools/compute-images/aws_template.json | 1 +
 tools/compute-images/azure_template.json | 1 +
 tools/compute-images/host_config.example.yml | 29 +++++++++--------
 8 files changed, 65 insertions(+), 31 deletions(-)

diff --git a/doc/install/crunch2-cloud/install-compute-node.html.textile.liquid b/doc/install/crunch2-cloud/install-compute-node.html.textile.liquid
index fcbfbebbfd..faad65ab71 100644
--- a/doc/install/crunch2-cloud/install-compute-node.html.textile.liquid
+++ b/doc/install/crunch2-cloud/install-compute-node.html.textile.liquid
@@ -181,7 +181,7 @@ If Arvados does not include a template for your cloud, or you do not have permis
 h3(#ansible-variables-standalone). Write Ansible settings for the compute node
-In the @tools/compute-images@ directory of your Arvados source checkout, copy @host_config.example.yml@ to @host_config.yml@. Edit @host_config.yml@ with information about how your compute nodes should be set up following the instructions in the comments.
+In the @tools/compute-images@ directory of your Arvados source checkout, copy @host_config.example.yml@ to @host_config.yml@. Edit @host_config.yml@ with information about how your compute nodes should be set up following the instructions in the comments. Note that you *must set* @arvados_cluster_id@ in this file since you are not running Packer.
 h3(#ansible-inventory). Write an Ansible inventory
diff --git a/tools/compute-images/README.md b/tools/compute-images/README.md
index bf3bafb855..73edb287ce 100644
--- a/tools/compute-images/README.md
+++ b/tools/compute-images/README.md
@@ -4,4 +4,22 @@ This directory includes templates to build custom cloud images for Arvados compu
 ## Development
-If you are developing the Ansible playbook, note that you can test it by [running the Ansible playbook independently](https:///doc.arvados.org/install/crunch2-cloud/install-compute-node.html#ansible-build) of Packer. You just need a basic Debian or Ubuntu machine to run the playbook on.
+If you are developing the Ansible playbook, note that you can test it by [running the Ansible playbook independently](https:///doc.arvados.org/install/crunch2-cloud/install-compute-node.html#ansible-build) of Packer.
+
+### Managed Node Requirements
+
+For testing, you'll need a Debian or Ubuntu system where you don't mind messing with the system configuration. It can be a virtual machine. You must set up the following before you run Ansible (this is stuff that's typically preconfigured in the cloud):
+
+* Install `locales`, `openssh-server`, `python3`, and `sudo`
+* Set up a user account for yourself that is allowed to SSH in and use `sudo`
+
+### Configuration Requirements
+
+You must have an Arvados cluster configuration. You can start by copying the defaults from the Arvados source in `arvados/lib/config/config.default.yml`. After you make your copy, you should change the following:
+
+* Under `Clusters`, change the example identifier `xxxxx` to a unique five-alphanumeric identifier for your test cluster. It SHOULD start with `z` so it's easily identifiable as a test cluster.
+* Under `Containers`, set `DispatchPrivateKey` to the `file` URL or literal contents of an SSH private key. This key MUST NOT have a passphrase set. This key SHOULD be one [you generate specifically for testing](https://doc.arvados.org/install/crunch2-cloud/install-compute-node.html#sshkeypair).
+
+You may also change other settings that you specifically want to test such as `Containers.RuntimeEngine`.
+
+Once you have this, you can start [following the Ansible build instructions]((https:///doc.arvados.org/install/crunch2-cloud/install-compute-node.html#ansible-build)). When you write `host_config.yml`, set `arvados_config_file` to the ABSOLUTE path of the cluster configuration file you wrote, and `arvados_cluster_id` to the cluster identifier you wrote in there under `Clusters`.
diff --git a/tools/compute-images/ansible/build-compute-image.yml b/tools/compute-images/ansible/build-compute-image.yml
index 6db4bfd0fe..2a69909d48 100644
--- a/tools/compute-images/ansible/build-compute-image.yml
+++ b/tools/compute-images/ansible/build-compute-image.yml
@@ -3,19 +3,26 @@ # # SPDX-License-Identifier: Apache-2.0 -- name: Validate build arguments +- name: Load Arvados configuration hosts: default tasks: - - name: Check compute_authorized_keys is set - ansible.builtin.fail: - msg: "`compute_authorized_keys` is not set" - when: "compute_authorized_keys is not defined" - run_once: true - - name: Check compute_authorized_keys exists - ansible.builtin.fail: - msg: "`compute_authorized_keys` file not found: {{ compute_authorized_keys }}" - when: "compute_authorized_keys is not exists" - run_once: true + - name: Load Arvados configuration file + delegate_to: localhost + ansible.builtin.include_vars: + name: arvados_config + file: "{{ arvados_config_file }}" + - name: Load Arvados cluster configuration + ansible.builtin.set_fact: + arvados_cluster: "{{ arvados_config.Clusters[arvados_cluster_id] }}" + failed_when: arvados_cluster is undefined + - name: Get Crunch dispatch public key + delegate_to: localhost + vars: + key_url: "{{ arvados_cluster.Containers.DispatchPrivateKey | urlsplit }}" + ansible.builtin.command: + argv: "{{ ['ssh-keygen', '-y'] + (['-f', key_url.path] if key_url.scheme == 'file' else []) }}" + stdin: "{{ arvados_cluster.Containers.DispatchPrivateKey if key_url.scheme != 'file' else '' }}" + register: compute_dispatch_ssh_keygen - name: Build compute node # `default` is the name that the Packer Ansible plugin assigns to the
@@ -48,7 +55,7 @@ name: compute_nvidia when: "arvados_compute_nvidia|default(false)|bool" - include_role: - name: "compute_{{ arvados_container_engine|default('docker') }}" + name: "compute_{{ arvados_cluster.Containers.RuntimeEngine }}" - include_role: name: compute_encrypt_tmp - include_role:
diff --git a/tools/compute-images/ansible/roles/compute_user/defaults/main.yml b/tools/compute-images/ansible/roles/compute_user/defaults/main.yml
index a147e9d542..c3a93c5b05 100644
--- a/tools/compute-images/ansible/roles/compute_user/defaults/main.yml
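Review bot: The `Load Arvados configuration file` and `Get Crunch dispatch public key` tasks put secrets into task output: `include_vars` hands the whole cluster configuration (tokens, database credentials, `DispatchPrivateKey`) back as `ansible_facts`, and the `command` task passes the private key itself through `stdin`, so a verbose run or a failure dump prints them; both tasks should carry `no_log: true`. The literal-key branch also looks broken: as far as I can tell `ssh-keygen -y` insists on `-f` and otherwise prompts for a file name, so it would read the piped key as a path; passing `-f /dev/stdin` in that branch avoids it. Finally, `failed_when: arvados_cluster is undefined` on the `set_fact` cannot fire: a missing or unknown `arvados_cluster_id` aborts the task during templating with a generic 'dict object has no attribute' error, and otherwise the fact is defined. The validation the commit removes is better replaced by an `ansible.builtin.assert` with a clear message, as below.
```yaml
    - name: Load Arvados configuration file
      delegate_to: localhost
      # The cluster configuration carries secrets; keep it out of task output.
      no_log: true
      ansible.builtin.include_vars:
        name: arvados_config
        file: "{{ arvados_config_file }}"
    - name: Check arvados_cluster_id names a cluster in the configuration
      ansible.builtin.assert:
        that:
          - arvados_cluster_id is defined
          - arvados_cluster_id in arvados_config.Clusters
        fail_msg: "`arvados_cluster_id` is not set or not found under `Clusters` in {{ arvados_config_file }}"
    - name: Load Arvados cluster configuration
      ansible.builtin.set_fact:
        arvados_cluster: "{{ arvados_config.Clusters[arvados_cluster_id] }}"
    - name: Get Crunch dispatch public key
      delegate_to: localhost
      # stdin may carry the private key itself.
      no_log: true
      vars:
        key_url: "{{ arvados_cluster.Containers.DispatchPrivateKey | urlsplit }}"
      ansible.builtin.command:
        # ssh-keygen -y requires -f; a literal key is read via /dev/stdin.
        argv: "{{ ['ssh-keygen', '-y', '-f', key_url.path if key_url.scheme == 'file' else '/dev/stdin'] }}"
        stdin: "{{ arvados_cluster.Containers.DispatchPrivateKey if key_url.scheme != 'file' else '' }}"
      register: compute_dispatch_ssh_keygen
```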
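Review bot: `name: "compute_{{ arvados_cluster.Containers.RuntimeEngine }}"` fails with an undefined-attribute error when the configuration file does not spell out `Containers.RuntimeEngine`, where the removed line fell back to docker. `include_vars` loads the file as written, not the effective configuration after Arvados applies its own defaults, so a setting the operator never wrote is simply absent here. Either keep the fallback, `name: "compute_{{ arvados_cluster.Containers.RuntimeEngine | default('docker') }}"`, or assert the key's presence in the `Load Arvados configuration` play so the error names the missing setting. The `Build compute node` play starts and ends outside this hunk.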
+++ b/tools/compute-images/ansible/roles/compute_user/defaults/main.yml
@@ -2,5 +2,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-compute_user_account: crunch
+compute_authorized_keys: /dev/null
+compute_user_account: "{{ arvados_cluster.Containers.CloudVMs.DriverParameters.AdminUsername }}"
 compute_user_home: "/home/{{ compute_user_account }}"
diff --git a/tools/compute-images/ansible/roles/compute_user/tasks/main.yml b/tools/compute-images/ansible/roles/compute_user/tasks/main.yml
index 90efa47079..2fbfd3d70d 100644
--- a/tools/compute-images/ansible/roles/compute_user/tasks/main.yml
+++ b/tools/compute-images/ansible/roles/compute_user/tasks/main.yml
@@ -25,9 +25,16 @@ owner: "{{ compute_user_account }}" mode: 0700 -- name: Configure compute user authorized keys +- name: Initialize compute user authorized keys ansible.builtin.copy: src: "{{ compute_authorized_keys }}" dest: "{{ compute_user_home }}/.ssh/authorized_keys" owner: "{{ compute_user_account }}" mode: 0600 + +- name: Install dispatch public key + ansible.builtin.lineinfile: + path: "{{ compute_user_home }}/.ssh/authorized_keys" + regexp: "^{{ item.0 | regex_escape }}\\s+{{ item.1 | regex_escape }}(\\s|$)" + line: "{{ item | join(' ') }}" + loop: "{{ compute_dispatch_ssh_keygen.stdout.splitlines()|map('split') }}"
diff --git a/tools/compute-images/aws_template.json b/tools/compute-images/aws_template.json
index 33e49df999..41d7c3f880 100644
--- a/tools/compute-images/aws_template.json
+++ b/tools/compute-images/aws_template.json
@@ -69,6 +69,7 @@ "playbook_file": "ansible/build-compute-image.yml", "user": "{{user `ssh_user`}}", "extra_arguments": [ + "--extra-vars", "arvados_cluster_id={{ user `arvados_cluster` }}", "--extra-vars", "@{{ user `ansible_vars_file` }}" ] }]
diff --git a/tools/compute-images/azure_template.json b/tools/compute-images/azure_template.json
index 53392c722b..0d3361954c 100644
--- a/tools/compute-images/azure_template.json
+++ b/tools/compute-images/azure_template.json
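Review bot: The new `compute_user_account` default resolves `arvados_cluster.Containers.CloudVMs.DriverParameters.AdminUsername` lazily at first use, so if the cluster file does not spell out that key, or the role is run without the `Load Arvados configuration` play, the failure is an opaque 'dict object has no attribute' error somewhere inside the role rather than a message naming the setting. An `ansible.builtin.assert` in the loading play that `arvados_cluster.Containers.CloudVMs.DriverParameters.AdminUsername is defined`, with a `fail_msg` naming it, would fail early and clearly. A role default that depends on a fact from another play also deserves a comment here, e.g. `# Taken from the cluster configuration loaded by the "Load Arvados configuration" play in build-compute-image.yml; this role cannot run on its own.`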
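Review bot: `Install dispatch public key` consumes `compute_dispatch_ssh_keygen`, which is registered by a different play in build-compute-image.yml; nothing in the role says so, and if the role is reused elsewhere the `loop` fails with an undefined-variable error. A comment on the task, `# compute_dispatch_ssh_keygen is registered by the "Load Arvados configuration" play in build-compute-image.yml (ssh-keygen -y output, one public key per line)`, would make the coupling explicit. It is also worth noting on `Initialize compute user authorized keys` that copying from the `/dev/null` default deliberately discards any previous keys on every run, so a rotated dispatch key never leaves its predecessor behind in the image. The hunk opens in the middle of the preceding task.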
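Review bot: Ansible gives precedence to the last `--extra-vars` on the command line, so with `arvados_cluster_id=...` placed before `@{{ user `ansible_vars_file` }}` an `arvados_cluster_id` left in host_config.yml silently overrides the `arvados_cluster` Packer was given, and the image is built from another cluster's settings. If Packer's value is meant to win, put its `--extra-vars` pair after the vars-file pair; otherwise document the precedence next to the `arvados_cluster_id` comment in host_config.example.yml. The same ordering appears in the azure_template.json hunk. This assumes `arvados_cluster` is declared in the template's variables, which are outside the hunk.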
@@ -49,6 +49,7 @@ "playbook_file": "ansible/build-compute-image.yml", "user": "{{user `ssh_user`}}", "extra_arguments": [ + "--extra-vars", "arvados_cluster_id={{ user `arvados_cluster` }}", "--extra-vars", "@{{ user `ansible_vars_file` }}" ] }]
diff --git a/tools/compute-images/host_config.example.yml b/tools/compute-images/host_config.example.yml
index 702ef97120..e826050268 100644
--- a/tools/compute-images/host_config.example.yml
+++ b/tools/compute-images/host_config.example.yml
@@ -5,22 +5,21 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-# Set `compute_authorized_keys` to the ABSOLUTE path of a file that contains
-# public key(s) the Crunch dispatcher will use to SSH into the compute node.
-# This MUST correspond to the public key(s) for the private key(s) configured
-# as `Containers.DispatchPrivateKey` in your cluster configuration.
-compute_authorized_keys: null
+# `arvados_config_file` is the ABSOLUTE path of an Arvados cluster
+# configuration file. Ansible reads various settings from this file to
+# make sure system configuration is consistent with cluster configuration.
+# This file MUST be readable by the user running Ansible/Packer, along with
+# any files it references (e.g., `Containers.DispatchPrivateKey`).
+arvados_config_file: /etc/arvados/config.yml
-# `compute_user_account` is the name of the account the Crunch dispatcher will
-# use to SSH into the compute node. This MUST match
-# `CloudVMs.DriverParameters.AdminUsername` in your cluster configuration.
-# Note this user will be granted full passwordless sudo access.
-#compute_user_account: crunch
-
-# `arvados_container_engine` can be one of 'docker' (the default) or
-# 'singularity'. This MUST match `Containers.RuntimeEngine` in your
-# cluster configuration.
-#arvados_container_engine: docker
+# `arvados_cluster_id` is a five-character cluster identifier defined under
+# `Clusters` in `ansible_config_file`. Ansible will use configuration
+# settings from this specific cluster.
+# If you are running Packer, you do not need to set this; the `arvados_cluster`
+# you set there will be passed through to Ansible.
+# Otherwise, you MUST set this to the identifier of the cluster you are
+# setting up a compute node for.
+#arvados_cluster_id: xxxxx
 # `arvados_compute_nvidia` is a flag that determines whether or not
 # NVIDIA CUDA and associated drivers will be installed in the compute
-- 
2.30.2
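Review bot: The `arvados_cluster_id` comment says the identifier is defined under `Clusters` in `ansible_config_file`, but the variable introduced a few lines above is `arvados_config_file`; the line should read `# `Clusters` in `arvados_config_file`. Ansible will use configuration`. Since Ansible now loads this file wholesale, the `arvados_config_file` comment should also tell the operator what that implies, e.g. `# Everything in it, including secrets, becomes an Ansible variable for the run, so avoid verbose output or debug tasks that would print them.`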