* [RFC PATCH 0/2] Provisioning the AWS private network
From: cel @ 2024-11-08 20:12 UTC (permalink / raw)
To: kdevops; +Cc: Chuck Lever
From: Chuck Lever <chuck.lever@oracle.com>

Here are a couple of improvements to make terraform provision a
security group and DNS for handling NFS traffic between the test
nodes.

The DNS set-up here is what I'd like to see for libvirt as well,
rather than poking IP addresses into the target node's /etc/hosts
files. But that's for another day.

Chuck Lever (2):
  aws: Permit inter-node network traffic
  aws: Add each test instance to the local DNS service

 terraform/aws/main.tf | 51 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)
--
2.47.0

* [RFC PATCH 1/2] aws: Permit inter-node network traffic
From: cel @ 2024-11-08 20:12 UTC (permalink / raw)
To: kdevops; +Cc: Chuck Lever
From: Chuck Lever <chuck.lever@oracle.com>

Permit target nodes to mount the kdevops NFS server by adding
a security group that allows traffic between test nodes.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
terraform/aws/main.tf | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf
index 290d5c0f04b1..62730d77422c 100644
--- a/terraform/aws/main.tf
+++ b/terraform/aws/main.tf
@@ -51,6 +51,22 @@ resource "aws_security_group" "kdevops_sec_group" {
}
}
+resource "aws_security_group" "kdevops_internal_group" {
+ name = "kdevops_isg"
+ vpc_id = aws_vpc.kdevops_vpc.id
+
+ # Allow all traffic between hosts in the security group
+ ingress {
+ cidr_blocks = [
+ "10.0.0.0/16",
+ ]
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ }
+}
+
+
resource "aws_key_pair" "kdevops_keypair" {
key_name = var.ssh_keyname
public_key = var.ssh_pubkey_data != "" ? var.ssh_pubkey_data : var.ssh_config_pubkey_file != "" ? file(var.ssh_config_pubkey_file) : ""
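Review bot: The ingress rule in kdevops_internal_group does not do what its comment says: `cidr_blocks = ["10.0.0.0/16"]` with `protocol = "-1"` admits every protocol and port from any address in that range, whether or not the sender is a member of the group. To limit it to hosts in the group, replace the cidr_blocks list with `self = true`. If a CIDR match is what is wanted, derive it from the VPC or subnet resource instead of hard-coding the literal, so the rule cannot drift from the addressing actually in use, and reword the comment to match. Since the stated purpose is NFS mounts, it is also worth asking whether the rule can be narrowed to the ports NFS needs rather than all traffic. Minor: the hunk adds two consecutive blank lines before aws_key_pair; one is enough.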
@@ -110,7 +126,10 @@ resource "aws_instance" "kdevops_instance" {
count = local.kdevops_num_boxes
ami = data.aws_ami.distro.id
instance_type = var.aws_instance_type
- security_groups = [aws_security_group.kdevops_sec_group.id]
+ security_groups = [
+ aws_security_group.kdevops_sec_group.id,
+ aws_security_group.kdevops_internal_group.id
+ ]
key_name = var.ssh_keyname
subnet_id = aws_subnet.kdevops_subnet.id
user_data_base64 = element(
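Review bot: On the security_groups argument of aws_instance.kdevops_instance, the instance is launched into a VPC subnet (subnet_id is set two lines below), and the AWS provider expects vpc_security_group_ids in that case; security_groups is meant for group names in EC2-Classic or the default VPC, and passing group IDs through it can make terraform plan a replacement of the instance on a later apply. As this change already rewrites the argument, consider switching to vpc_security_group_ids with the same two IDs. Minor: add a trailing comma after the last list element so later additions are one-line diffs.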
--
2.47.0

* [RFC PATCH 2/2] aws: Add each test instance to the local DNS service
From: cel @ 2024-11-08 20:12 UTC (permalink / raw)
To: kdevops; +Cc: Chuck Lever
From: Chuck Lever <chuck.lever@oracle.com>

The kdevops NFS workflows typically set up separate nodes for an NFS
server and NFS clients. kdevops then provisions exports on the NFS
server and mount points on the clients.

For libvirt, kdevops adds the IP address of each test node to all of
the /etc/hosts files. This enables the clients to mount the test NFS
server conveniently by hostname.

For AWS, kdevops can provision a private DNS service and add "A"
records for each test host there. This patch implements that
approach.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
terraform/aws/main.tf | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf
index 62730d77422c..77aabd79e658 100644
--- a/terraform/aws/main.tf
+++ b/terraform/aws/main.tf
@@ -184,3 +184,33 @@ resource "aws_route_table_association" "kdevops_rt_assoc" {
route_table_id = aws_route_table.kdevops_rt.id
}
+resource "aws_vpc_dhcp_options" "kdevops_dhcp_opts" {
+ domain_name = "kdevops.local"
+ domain_name_servers = ["AmazonProvidedDNS"]
+
+ tags = {
+ Name = "kdevops_dhcp_opts"
+ }
+}
+
+resource "aws_vpc_dhcp_options_association" "kdevops_dhcp_association" {
+ vpc_id = aws_vpc.kdevops_vpc.id
+ dhcp_options_id = aws_vpc_dhcp_options.kdevops_dhcp_opts.id
+}
+
+resource "aws_route53_zone" "kdevops_private_zone" {
+ name = "kdevops.local"
+ vpc {
+ vpc_id = aws_vpc.kdevops_vpc.id
+ }
+}
+
+resource "aws_route53_record" "kdevops_dns_record" {
+ count = local.kdevops_num_boxes
+ zone_id = aws_route53_zone.kdevops_private_zone.zone_id
+ name = "${element(var.kdevops_nodes, count.index)}.kdevops.local"
+ type = "A"
+ ttl = "300"
+ records = ["${element(aws_instance.kdevops_instance.*.private_ip, count.index)}"]
+}
+
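Review bot: The domain used in aws_vpc_dhcp_options and aws_route53_zone, "kdevops.local", sits under .local, which RFC 6762 reserves for multicast DNS; guests whose resolver routes .local lookups to mDNS (nss-mdns or systemd-resolved with mDNS enabled, for example) may never ask AmazonProvidedDNS for these records. Consider a name outside .local, and define it once as a local or variable, since the literal now appears three times (domain_name, the zone name and the record name) and all three have to agree. In aws_route53_record, the `"${element(...)}"` wrappers around name and records are interpolation-only where a bare expression or a single template would do, and ttl can be the number 300 rather than a string. Minor: the hunk ends with an added blank line at end of file.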
--
2.47.0

* Re: [RFC PATCH 0/2] Provisioning the AWS private network
From: Luis Chamberlain @ 2024-11-09 0:44 UTC (permalink / raw)
To: cel; +Cc: kdevops, Chuck Lever
On Fri, Nov 08, 2024 at 03:12:43PM -0500, cel@kernel.org wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
>
> Here are a couple of improvements to make terraform provision a
> security group and DNS for handling NFS traffic between the test
> nodes.
>
> The DNS set-up here is what I'd like to see for libvirt as well,
> rather than poking IP addresses into the target node's /etc/hosts
> files. But that's for another day.

Tested-by: Luis Chamberlain <mcgrof@kernel.org>

I ran:

make bringup
make linux
make destroy

Worked well. Now to get our CI to do this too, it seems with current defaults
this will take about 30 minutes give or take. I wonder if at that rate,
a compile test on a higher end system is cheaper.

  Luis

* Re: [RFC PATCH 0/2] Provisioning the AWS private network
From: Chuck Lever III @ 2024-11-09 17:19 UTC (permalink / raw)
To: Luis Chamberlain; +Cc: Chuck Lever, kdevops@lists.linux.dev
> On Nov 8, 2024, at 7:44 PM, Luis Chamberlain <mcgrof@kernel.org> wrote:
>
> On Fri, Nov 08, 2024 at 03:12:43PM -0500, cel@kernel.org wrote:
>> From: Chuck Lever <chuck.lever@oracle.com>
>>
>> Here are a couple of improvements to make terraform provision a
>> security group and DNS for handling NFS traffic between the test
>> nodes.
>>
>> The DNS set-up here is what I'd like to see for libvirt as well,
>> rather than poking IP addresses into the target node's /etc/hosts
>> files. But that's for another day.
>
> Tested-by: Luis Chamberlain <mcgrof@kernel.org>
>
> I ran:
>
> make bringup
> make linux
> make destroy
>
> Worked well. Now to get our CI to do this too, it seems with current defaults
> this will take about 30 minutes give or take. I wonder if at that rate,
> a compile test on a higher end system is cheaper.
Thanks for the review and testing! I've pushed this set
and "Enable AWS for users in US/Eastern".
--
Chuck Lever