From: "Alex Bennée" <alex.bennee@linaro.org>
To: Willian Rampazzo <wrampazz@redhat.com>
Cc: "Fam Zheng" <fam@euphon.net>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Thomas Huth" <thuth@redhat.com>,
"Daniel P . Berrangé" <berrange@redhat.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Erik Skultety" <eskultet@redhat.com>,
"Stefan Hajnoczi" <stefanha@gmail.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Wainer dos Santos Moschetta" <wainersm@redhat.com>,
qemu-devel <qemu-devel@nongnu.org>,
"Cleber Rosa" <crosa@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Beraldo Leal" <bleal@redhat.com>
Subject: Re: [PATCH v7 2/4] Jobs based on custom runners: build environment docs and playbook
Date: Thu, 01 Jul 2021 13:35:44 +0100
Message-ID: <87h7hep5v7.fsf@linaro.org>
In-Reply-To: <CAKJDGDaErDRt+3=Gjk7emgpkbapdPS-Xo0fvj3AFDdLyyARG-A@mail.gmail.com>
Willian Rampazzo <wrampazz@redhat.com> writes:
> On Wed, Jun 30, 2021 at 8:28 AM Alex Bennée <alex.bennee@linaro.org> wrote:
>>
>>
>> Cleber Rosa <crosa@redhat.com> writes:
>>
>> > To run basic jobs on custom runners, the environment needs to be
>> > properly set up. The most common requirement is having the right
>> > packages installed.
>> >
>> > The playbook introduced here covers the QEMU's project s390x and
>> > aarch64 machines. At the time this is being proposed, those machines
>> > have already had this playbook applied to them.
>> >
>> > Signed-off-by: Cleber Rosa <crosa@redhat.com>
>> > ---
>> > docs/devel/ci.rst | 40 +++++++++
>> > scripts/ci/setup/.gitignore | 2 +
>> > scripts/ci/setup/build-environment.yml | 116 +++++++++++++++++++++++++
>> > scripts/ci/setup/inventory.template | 1 +
>> > 4 files changed, 159 insertions(+)
>> > create mode 100644 scripts/ci/setup/.gitignore
>> > create mode 100644 scripts/ci/setup/build-environment.yml
>> > create mode 100644 scripts/ci/setup/inventory.template
>> >
>> > diff --git a/docs/devel/ci.rst b/docs/devel/ci.rst
>> > index 064ffa9988..bfedbb1025 100644
>> > --- a/docs/devel/ci.rst
>> > +++ b/docs/devel/ci.rst
>> > @@ -30,3 +30,43 @@ The GitLab CI jobs definition for the custom runners are located under::
>> > Custom runners entail custom machines. To see a list of the machines
>> > currently deployed in the QEMU GitLab CI and their maintainers, please
>> > refer to the QEMU `wiki <https://wiki.qemu.org/AdminContacts>`__.
>> > +
>> > +Machine Setup Howto
>> > +-------------------
>> > +
>> > +For all Linux based systems, the setup can be mostly automated by the
>> > +execution of two Ansible playbooks. Create an ``inventory`` file
>> > +under ``scripts/ci/setup``, such as this::
>> > +
>> > + fully.qualified.domain
>> > + other.machine.hostname
>> > +
>> > +You may need to set some variables in the inventory file itself. One
>> > +very common need is to tell Ansible to use a Python 3 interpreter on
>> > +those hosts. This would look like::
>> > +
>> > + fully.qualified.domain ansible_python_interpreter=/usr/bin/python3
>> > + other.machine.hostname ansible_python_interpreter=/usr/bin/python3
>>
>> I was able to put root@foo for the machines I had in my .ssh/config
>>
>> > +
>> > +Build environment
>> > +~~~~~~~~~~~~~~~~~
>> > +
>> > +The ``scripts/ci/setup/build-environment.yml`` Ansible playbook will
>> > +set up machines with the environment needed to perform builds and run
>> > +QEMU tests. This playbook consists on the installation of various
>> > +required packages (and a general package update while at it). It
>> > +currently covers a number of different Linux distributions, but it can
>> > +be expanded to cover other systems.
>> > +
>> > +The minimum required version of Ansible successfully tested in this
>> > +playbook is 2.8.0 (a version check is embedded within the playbook
>> > +itself). To run the playbook, execute::
>> > +
>> > + cd scripts/ci/setup
>> > + ansible-playbook -i inventory build-environment.yml
>> > +
>> > +Please note that most of the tasks in the playbook require superuser
>> > +privileges, such as those from the ``root`` account or those obtained
>> > +by ``sudo``. If necessary, please refer to ``ansible-playbook``
>> > +options such as ``--become``, ``--become-method``, ``--become-user``
>> > +and ``--ask-become-pass``.
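Review bot: the inventory example near the top of the hunk only shows ``ansible_python_interpreter``, while the closing paragraph points readers at ``--become``, ``--become-method``, ``--become-user`` and ``--ask-become-pass``; since the standard inventory variable ``ansible_user=`` can set the login account per host in the same way, showing it next to ``ansible_python_interpreter`` (e.g. ``fully.qualified.domain ansible_user=ci ansible_python_interpreter=/usr/bin/python3``) would document an unprivileged login plus become, rather than leaving the reader to choose between the command-line options and logging in as root. Nit in the "Build environment" paragraph: "This playbook consists on the installation" should read "consists of the installation".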
>>
>> If the above works maybe worth mentioning here because just having root
>> ssh is probably the easiest way to manage a box.
>
> If the host is internet-facing, there are lots of recommendations to
> disable root access using ssh (eg.
> https://www.redhat.com/sysadmin/administering-remote-systems). There
> are also recommendations from NIST and SANS.
>
> So, to avoid an unintended creation of an attack vector in the custom
> runners, I would personally prefer to let just the ansible tricks in
> the documentation than mentioning it is possible (and maybe easier) to
> enable root access thru ssh.
I agree you don't want remote password based authentication. I use
key-based authentication because it seems easier to log in directly as
root than to keep trusting my user password to the remote console to
gain sudo privileges. Anyway either way I'm happy.
--
Alex Bennée
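The thread above turns on how a runner host accepts ssh logins: password-based root login is what the linked recommendations warn against, while key-only root login or an unprivileged account plus sudo are the alternatives discussed. The following is an added example, not code from this thread or from QEMU's scripts/ci/setup: a small POSIX shell audit that reads an sshd_config and reports whether ``PermitRootLogin`` and ``PasswordAuthentication`` are set to values that rule out password logins. It honours sshd's first-occurrence-wins rule for duplicate keywords and falls back to OpenSSH's compiled-in defaults when a keyword is absent. The two configs embedded at the bottom are constructed samples; on a real host you would feed it ``/etc/ssh/sshd_config``.

```shell
#!/bin/sh
# Added example: audit sshd_config for "no password logins" settings.
# Not part of the mailing-list thread or of QEMU's CI playbooks.

# Print the effective value of an sshd_config keyword read from stdin.
# sshd uses the FIRST occurrence of a keyword and matches keywords
# case-insensitively; comment and blank lines are skipped.
sshd_effective() {
    key=$1
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
    '
}

# Audit a config passed as a string. Prints one PASS/FAIL line per check
# and returns 0 only when both checks pass.
audit_sshd_config() {
    cfg=$1
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication)
    # Absent keywords take sshd's defaults: PermitRootLogin defaults to
    # prohibit-password (OpenSSH >= 7.0), PasswordAuthentication to yes.
    : "${root:=prohibit-password}"
    : "${pw:=yes}"
    rc=0
    case $root in
        no|prohibit-password|without-password)
            echo "PASS PermitRootLogin=$root" ;;
        *)  echo "FAIL PermitRootLogin=$root (root may log in with a password)"
            rc=1 ;;
    esac
    case $pw in
        no) echo "PASS PasswordAuthentication=$pw" ;;
        *)  echo "FAIL PasswordAuthentication=$pw (password logins allowed)"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample: key-only root login. The later lowercase duplicate
# is ignored because sshd keeps the first occurrence.
HARDENED='# constructed sample config
PermitRootLogin prohibit-password
PasswordAuthentication no
passwordauthentication yes'

# Constructed sample: the configuration the thread advises against.
WEAK='# constructed sample config
PermitRootLogin yes
PasswordAuthentication yes'

# Usage: sh audit.sh demo   (or: audit_sshd_config "$(cat /etc/ssh/sshd_config)")
if [ "${1:-}" = "demo" ]; then
    echo "--- hardened sample"; audit_sshd_config "$HARDENED"
    echo "--- weak sample";     audit_sshd_config "$WEAK" || true
fi
```

The check reads the file rather than probing the daemon, so it can run from an Ansible task or a CI job before a runner is registered, and the first-occurrence rule matters in practice: a hardening line appended to the end of a file that already sets the keyword earlier has no effect.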
Thread overview:
2021-06-30 1:26 [PATCH v7 0/4] GitLab Custom Runners and Jobs (was: QEMU Gating CI) Cleber Rosa
2021-06-30 1:26 ` [PATCH v7 1/4] Jobs based on custom runners: documentation and configuration placeholder Cleber Rosa
2021-06-30 1:26 ` [PATCH v7 2/4] Jobs based on custom runners: build environment docs and playbook Cleber Rosa
2021-06-30 10:30 ` Alex Bennée
2021-06-30 18:23 ` Willian Rampazzo
2021-07-01 12:35 ` Alex Bennée [this message]
2021-06-30 17:56 ` Willian Rampazzo
2021-06-30 21:51 ` Wainer dos Santos Moschetta
2021-06-30 1:26 ` [PATCH v7 3/4] Jobs based on custom runners: docs and gitlab-runner setup playbook Cleber Rosa
2021-06-30 16:55 ` Willian Rampazzo
2021-06-30 22:02 ` Wainer dos Santos Moschetta
2021-07-01 12:54 ` Alex Bennée
2021-06-30 1:26 ` [PATCH v7 4/4] Jobs based on custom runners: add job definitions for QEMU's machines Cleber Rosa
2021-06-30 22:19 ` Wainer dos Santos Moschetta
2021-07-02 11:02 ` [PATCH v7 0/4] GitLab Custom Runners and Jobs (was: QEMU Gating CI) Alex Bennée