diff --git a/modules/sysadmin_guide/nav.adoc b/modules/sysadmin_guide/nav.adoc index 3b22d2e..022e08e 100644 --- a/modules/sysadmin_guide/nav.adoc +++ b/modules/sysadmin_guide/nav.adoc @@ -76,7 +76,7 @@ ** xref:mote.adoc[mote - SOP] ** xref:nagios.adoc[Fedora Infrastructure Nagios - SOP] ** xref:netapp.adoc[Netapp Infrastructure - SOP] -** xref:new-hosts.adoc[new-hosts - SOP in review ] +** xref:new-hosts.adoc[DNS Host Addition - SOP] ** xref:nonhumanaccounts.adoc[nonhumanaccounts - SOP in review ] ** xref:nuancier.adoc[nuancier - SOP in review ] ** xref:odcs.adoc[odcs - SOP in review ] diff --git a/modules/sysadmin_guide/pages/new-hosts.adoc b/modules/sysadmin_guide/pages/new-hosts.adoc index 9ffeb1b..cda0f02 100644 --- a/modules/sysadmin_guide/pages/new-hosts.adoc +++ b/modules/sysadmin_guide/pages/new-hosts.adoc 
@@ -17,28 +17,28 @@ been recently added to the data center/network that you want: .... git grep badges-web01 - built/126.5.10.in-addr.arpa:69 IN PTR badges-web01.stg.phx2.fedoraproject.org. + built/126.5.10.in-addr.arpa:69 IN PTR badges-web01.stg.iad2.fedoraproject.org. [...lots of other stuff in built/ ignore these as they'll be generated later...] - master/126.5.10.in-addr.arpa:69 IN PTR badges-web01.stg.phx2.fedoraproject.org. - master/126.5.10.in-addr.arpa:101 IN PTR badges-web01.phx2.fedoraproject.org. - master/126.5.10.in-addr.arpa:102 IN PTR badges-web02.phx2.fedoraproject.org. + master/126.5.10.in-addr.arpa:69 IN PTR badges-web01.stg.iad2.fedoraproject.org. + master/126.5.10.in-addr.arpa:101 IN PTR badges-web01.iad2.fedoraproject.org. + master/126.5.10.in-addr.arpa:102 IN PTR badges-web02.iad2.fedoraproject.org. master/168.192.in-addr.arpa:109.1 IN PTR badges-web01.vpn.fedoraproject.org master/168.192.in-addr.arpa:110.1 IN PTR badges-web02.vpn.fedoraproject.org - master/phx2.fedoraproject.org:badges-web01.stg IN A 10.5.126.69 - master/phx2.fedoraproject.org:badges-web01 IN A 10.5.126.101 - master/phx2.fedoraproject.org:badges-web02 IN A 10.5.126.102 + master/iad2.fedoraproject.org:badges-web01.stg IN A 10.5.126.69 + master/iad2.fedoraproject.org:badges-web01 IN A 10.5.126.101 + master/iad2.fedoraproject.org:badges-web02 IN A 10.5.126.102 master/vpn.fedoraproject.org:badges-web01 IN A 192.168.1.109 master/vpn.fedoraproject.org:badges-web02 IN A 192.168.1.110 .... So those are the files we need to edit. In the above example, two of -those files are for the host on the PHX network. The other two are for +those files are for the host on the IAD network. The other two are for the host to be able to talk over the VPN. Although the VPN is not always needed, the common case is that the host will need it. (If any clients _need to connect to it via the proxy servers_ or it is not hosted in -PHX2 it will need a VPN connection). 
An common exception is here the +IAD2 it will need a VPN connection). An common exception is here the staging environment: since we only have one proxy server in staging and -it is in PHX2, a VPN connection is not typically needed for staging +it is in IAD2, a VPN connection is not typically needed for staging hosts. Edit the zone file for the reverse lookup first (the *in-addr.arpa file) @@ -55,13 +55,13 @@ in stg into production: -106 IN PTR unused. -107 IN PTR unused. -108 IN PTR unused. -+105 IN PTR elections01.stg.phx2.fedoraproject.org. -+106 IN PTR elections02.stg.phx2.fedoraproject.org. -+107 IN PTR elections01.phx2.fedoraproject.org. -+108 IN PTR elections02.phx2.fedoraproject.org. ++105 IN PTR elections01.stg.iad2.fedoraproject.org. ++106 IN PTR elections02.stg.iad2.fedoraproject.org. ++107 IN PTR elections01.iad2.fedoraproject.org. ++108 IN PTR elections02.iad2.fedoraproject.org. .... -Edit the forward domain (phx2.fedoraproject.org in our example) next: +Edit the forward domain (iad2.fedoraproject.org in our example) next: .... elections01.stg IN A 10.5.126.105 @@ -71,8 +71,8 @@ elections02 IN A 10.5.126.108 .... Repeat these two steps if you need to make them available on the VPN. -Note: if your stg hosts are in PHX2, you don't need to configure VPM for -them as all our stg proxy servers are in PHX2. +Note: if your stg hosts are in IAD2, you don't need to configure VPN for +them as all our stg proxy servers are in IAD2. Also remember to update the Serial at the top of all zone files. 
@@ -98,12 +98,15 @@ $ sudo -i ansible ns\* -a '/usr/local/bin/update-dns' # This tells the dns serve == Make certs -WARNING: If you already had a clone of private, make VERY sure to do a +[WARNING] +==== +If you already had a clone of private, make VERY sure to do a git pull first! It's quite likely somebody else added a new host without you noticing it, and you cannot merge the keys repos manually. (seriously, don't: the index and serial files just wouldn't match up with the certificate, and you would revoke the wrong certificate upon revocation). +==== When doing 2 factor auth for sudo, the hosts that we connect from need to have valid SSL Certs. These are currently stored in the private repo: @@ -112,11 +115,11 @@ to have valid SSL Certs. These are currently stored in the private repo: git clone /srv/git/ansible-private && chmod 0700 ansible-private cd ansible-private/files/2fa-certs . ./vars -./build-and-sign-key $FQDN # ex: elections01.stg.phx2.fedoraproject.org +./build-and-sign-key $FQDN # ex: elections01.stg.iad2.fedoraproject.org .... -The $FQDN should be the phx2 domain name if it's in phx2, vpn if not in -phx2, and if it has no vpn and is not in phx2 we should add it to the +The `$FQDN` should be the iad2 domain name if it's in iad2, vpn if not in +iad2, and if it has no vpn and is not in iad2 we should add it to the vpn.: .... @@ -125,10 +128,13 @@ git commit -a git push .... -NOTE: Make sure to re-run vars from the vpn repo. If you forget to do +[NOTE] +==== +Make sure to re-run vars from the vpn repo. If you forget to do that, You will just (try to) generate a second pair of 2fa certs, since the ./vars script create an environment var to the root key directory, which is different. +==== Servers that are on the VPN also need certs for that. These are also stored in the private repo: 
@@ -136,12 +142,12 @@ stored in the private repo: .... cd ansible-private/files/vpn/openvpn . ./vars -./build-and-sign-key $FQDN # ex: elections01.phx2.fedoraproject.org -./build-and-sign-key $FQDN # ex: elections02.phx2.fedoraproject.org +./build-and-sign-key $FQDN # ex: elections01.iad2.fedoraproject.org +./build-and-sign-key $FQDN # ex: elections02.iad2.fedoraproject.org .... -The $FQDN should be the phx2 domain name if it's in phx2, and just -fedoraproject.org if it's not in PHX2 (note that there is never .vpn in +The `$FQDN` should be the iad2 domain name if it's in iad2, and just +fedoraproject.org if it's not in IAD2 (note that there is never .vpn in the FQDN in the openvpn keys). Now commit and push.: .... 
@@ -174,42 +180,42 @@ create things like this: .... [elections] -elections01.phx2.fedoraproject.org -elections02.phx2.fedoraproject.org +elections01.iad2.fedoraproject.org +elections02.iad2.fedoraproject.org [elections-stg] -elections01.stg.phx2.fedoraproject.org -elections02.stg.phx2.fedoraproject.org +elections01.stg.iad2.fedoraproject.org +elections02.stg.iad2.fedoraproject.org [... find the staging group and add there: ...] [staging] -db-fas01.stg.phx2.fedoraproject.org -elections01.stg.phx2.fedoraproject.org -electionst02.stg.phx2.fedoraproject.org +db-fas01.stg.iad2.fedoraproject.org +elections01.stg.iad2.fedoraproject.org +electionst02.stg.iad2.fedoraproject.org .... The hosts should use their fully qualified domain names here. The rules -are slightly different than for 2fa certs. If the host is in PHX2, use -the .phx2.fedoraproject.org domain name. If they aren't in PHX2, then +are slightly different than for 2fa certs. If the host is in IAD2, use +the .iad2.fedoraproject.org domain name. If they aren't in IAD2, then they usually just have .fedoraproject.org as their domain name. (If in -doubt about a not-in-PHX2 host, just ask). +doubt about a not-in-IAD2 host, just ask). === VPN config If the machine is in VPN, create a file in ansible at -roles/openvpn/server/files/ccd/$FQDN with contents like: +`roles/openvpn/server/files/ccd/$FQDN` with contents like: -____ +.... ifconfig-push 192.168.1.X 192.168.0.X -____ +.... Where X is the last octet of the DNS IP address assigned to the host, so -for example for elections01.phx2.fedoraproject.org that would be: +for example for _elections01.iad2.fedoraproject.org_ that would be: -____ +.... ifconfig-push 192.168.1.44 192.168.0.44 -____ +.... == Work in progress 
@@ -217,11 +223,13 @@ From here to the end of file is still being worked on === host_vars and group_vars -ansible consults files in inventory/group_vars and inventory/host_vars +ansible consults files in +https://pagure.io/fedora-infra/ansible/blob/main/f/inventory/group_vars[inventory/group_vars] +and https://pagure.io/fedora-infra/ansible/blob/main/f/inventory/host_vars[inventory/host_vars] to set parameters that can be used in templates and playbooks. You may need to edit these -It's usually easy to copy the host_vars and group_vars from an existing +It's usually easy to copy the `host_vars` and `group_vars` from an existing host that's similar to the one you are working on and then modify a few names to make it work. For instance, for a web application server: @@ -246,7 +254,7 @@ claimed in the dns repo: .... cd ~/ansible/inventory/host_vars -cp badges-web01.stg.phx2.fedoraproject.org elections01.stg.phx2.fedoraproject.org +cp badges-web01.stg.iad2.fedoraproject.org elections01.stg.iad2.fedoraproject.org .... 
@@ -266,15 +274,21 @@ You mant want to run "lsblk" to check that the volume group you expect is the one actually used for virtual guests. [NOTE] -.Note ==== -| 19:16:01 3. add ./inventory/host_vars/FQDN host_vars for the -new host. | 19:16:56 that will have in it ip addresses, dns +19:16:01 3. add ./inventory/host_vars/FQDN host_vars for the new host. + +19:16:56 that will have in it ip addresses, dns resolv.conf, ks url/repo, volume group to make the host lv in, etc etc. -| 19:17:10 4. add any needed vars to inventory/group_vars/ for -the group | 19:17:33 this has memory size, lvm size, cpus, etc | + +19:17:10 4. add any needed vars to inventory/group_vars/ for +the group + +19:17:33 this has memory size, lvm size, cpus, etc | + 19:17:45 5. add tasks/virt_instance_create.yml task to top of -group/host playbook | 19:18:10 6. run the playbook and it will +group/host playbook + +19:18:10 6. run the playbook and it will go to the virthost you set, create the lv, guest, install it, wait for it to come up, then continue configuring it. ==== @@ -307,12 +321,12 @@ When adding a new web server other files must be edited by hand currently until templates replace them. These files cover getting httpd logs from the server onto log01 so that log analysis can be done. -____ +.... roles/base/files/syncHttpLogs.sh roles/epylog/files/merged/modules.d/rsyncd.conf roles/hosts/files/staging-hosts roles/mediawiki123/templates/LocalSettings.php.fp.j2 -____ +.... There are also nagios files which will need to be edited but that should be done following the nagios document.
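Review bot: the nav.adoc hunk retitles the entry to `DNS Host Addition - SOP` and drops the `in review` marker, but the page body still carries a `== Work in progress` section stating that everything from there to the end of file is still being worked on, and the page also covers 2FA and VPN certificates, inventory groups, host_vars and VPN client config, not only DNS. Either keep the status marker until the work-in-progress section is resolved, or choose a title that covers the whole procedure.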
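Review bot: in the hunk at `@@ -17,28`, the rewritten line `+IAD2 it will need a VPN connection). An common exception is here the` carries two grammar slips inherited from the old text that are worth fixing while the line is being touched: `An common` should be `A common`, and `is here the staging environment` reads better as `is the staging environment`. Separately, the sample `git grep` output keeps the `126.5.10.in-addr.arpa` reverse zone and `10.5.126.x` addresses under the new `iad2` names; please confirm these are the reverse zone and address range actually used in IAD2, otherwise the example output will not match what a reader sees when they run the command.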
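Review bot: in the hunk at `@@ -112,11`, the paragraph being rewritten for the `iad2` rename and the `$FQDN` backticks still ends with `vpn.:` before the `....` listing, a stray period left over from the old `::` literal-block syntax; change it to `vpn:`. The same `.:` ending appears at `Now commit and push.:` in the openvpn section (`@@ -136,12`) and can be fixed in the same change.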
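Review bot: the text moved into the new `[NOTE]` block in the hunk at `@@ -125,10` still has a mid-sentence capital in `that, You will just (try to) generate` and a number-agreement error in `the ./vars script create an environment var`; as these lines are part of the hunk, change `You` to `you` and `create` to `creates`, and consider wrapping `./vars` in backticks to match the `$FQDN` treatment elsewhere in this patch.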
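Review bot: the `[staging]` example in the hunk at `@@ -174,42` keeps the misspelled host `+electionst02.stg.iad2.fedoraproject.org` (extra `t`), while the `[elections-stg]` group a few lines up lists `elections02.stg.iad2.fedoraproject.org`; since the line is already being rewritten for the datacenter rename, correct it to `elections02.stg.iad2.fedoraproject.org` so the group listings agree. The switch from `____` quote blocks to `....` literal blocks around the `ifconfig-push` lines is right, as a quote block would render the directive as reflowed prose rather than a verbatim file content.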
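Review bot: the IRC log restructured into the `[NOTE]` block in the hunk at `@@ -266,15` still ends one item with a stray pipe, `+19:17:33 this has memory size, lvm size, cpus, etc |`, left over from the old `|`-separated paste; remove it. While these lines are being reworked, the `19:16:01`-style timestamps carry no information for the reader and steps 3 through 6 would read better as a plain numbered list, and the context line `You mant want to run "lsblk"` just above the block has `mant` where `may` is meant.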