Add an image-build role and playbook

Author: m-bull

build-image.yml

@@ -0,0 +1,16 @@
+---
+
+# Provision the infrastructure using Terraform
+- name: Build image
+  hosts: openstack
+  roles:
+    - image_build
+
+  tasks:
+    - name: Set cluster_image fact
+      set_fact:
+        cluster_image: "{{ image_build_data.artifact_id }}"
+
+    - name: Print cluster_image UUID
+      debug:
+        msg: "{{ cluster_image }}"

roles/image_build/defaults/main.yml

@@ -0,0 +1,39 @@
+---
+image_build_terraform_project_path: "{{ playbook_dir }}/terraform-image-build"
+image_build_cluster_id: "image-build"
+
+# Regex to capture existing cloud image names to use as the
+# OpenHPC Slurm base-image
+image_build_existing_image_regex: "^Rocky-8-GenericCloud-Base-8.7-.*"
+# Attributes to sort the list of existing base images returned by
+# image_build_existing_image_regex. See
+# https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/data-sources/images_image_ids_v2#sort
+image_build_existing_image_sort_attributes: "name,updated_at"
+
+# Attach a floating IP to the Packer build instance
+image_build_attach_floating_ip: false
+
+# Use a volume for the root disk of the Packer build instance
+image_build_use_blockstorage_volume: false
+
+# Packer image format (only used when image_build_use_blockstorage_volume: true
+image_build_image_disk_format: "qcow2"
+
+# Metadata items to set on the Packer image
+image_build_metadata: {}
+
+# The directory that contains the openstack.pkr.hcl to build the Slurm image
+image_build_packer_root_path: "{{ playbook_dir }}/vendor/stackhpc/ansible-slurm-appliance/packer"
+
+# Vars to apply to the builder group
+image_build_builder_group_vars:
+  update_log_path: /tmp/update_log
+  appliances_repository_root: "{{ playbook_dir }}/vendor/stackhpc/ansible-slurm-appliance"
+
+# ansible_ssh_common_args for Packer build
+image_build_ansible_ssh_common_args: >-
+    '-o ProxyCommand="ssh -W %h:%p -q
+    {% if image_build_ssh_bastion_private_key_file is defined %}
+    -i {{ image_build_ssh_bastion_private_key_file }}
+    {% endif %}
+    {{ image_build_ssh_bastion_username }}@{{ image_build_ssh_bastion_host }}"'

roles/image_build/tasks/main.yml

@@ -0,0 +1,127 @@
+---
+- debug:
+    msg: |
+      terraform_backend_type: {{ terraform_backend_type }}
+      terraform_state: {{ terraform_state }}
+
+- name: Run prechecks
+  include_tasks: prechecks.yml
+
+- name: Install Terraform binary
+  include_role:
+    name: stackhpc.terraform.install
+
+- name: Make Terraform project directory
+  file:
+    path: "{{ image_build_terraform_project_path }}"
+    state: directory
+
+- name: Write backend configuration
+  copy:
+    content: |
+      terraform {
+        backend "{{ terraform_backend_type }}" { }
+      }
+    dest: "{{ image_build_terraform_project_path }}/backend.tf"
+
+- name: Template Terraform files into project directory
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ image_build_terraform_project_path }}/{{ item }}"
+  loop:
+    - outputs.tf
+    - providers.tf
+    - resources.tf
+
+- name: Provision infrastructure
+  include_role:
+    name: stackhpc.terraform.infra
+  vars:
+    terraform_project_path: "{{ image_build_terraform_project_path }}"
+
+- name: Set image build infrastructure facts
+  set_fact:
+    image_build_network_id: "{{ terraform_provision.outputs.network_id.value }}"
+    image_build_floating_ip_network: "{{ terraform_provision.outputs.floating_ip_network_id.value }}"
+    image_build_ssh_keypair_name: "{{ terraform_provision.outputs.ssh_keypair_name.value }}"
+    image_build_ssh_private_key_file: "{{ cluster_ssh_private_key_file }}"
+    image_build_source_image_id: "{{ terraform_provision.outputs.source_image_name.value.ids | first }}"
+    image_build_security_group_id: "{{ terraform_provision.outputs.security_group_id.value }}"
+
+- name: Make Packer vars file
+  template:
+    src: builder.pkrvars.hcl.j2
+    dest: /tmp/builder.pkrvars.hcl
+
+- name: Create temporary image-build inventory directory
+  ansible.builtin.tempfile:
+    state: directory
+    prefix: image-build
+  register: image_build_inventory
+
+- name: Symlink "everything" layout to image-build inventory
+  file:
+    state: link
+    src: "{{ playbook_dir }}/vendor/stackhpc/ansible-slurm-appliance/environments/common/layouts/everything"
+    dest: "{{ image_build_inventory.path }}/groups"
+
+- name: Symlink CAAS group_vars to image-build inventory
+  file:
+    state: link
+    src: "{{ playbook_dir }}/group_vars"
+    dest: "{{ image_build_inventory.path }}/group_vars"
+
+- name: Add builder vars to image-build inventory hosts file
+  copy:
+    dest: "{{ image_build_inventory.path }}/hosts"
+    content: |
+      [builder:vars]
+      {% if image_build_ssh_bastion_host is defined %}
+      ansible_ssh_common_args={{ image_build_ansible_ssh_common_args }}
+      {% endif %}
+      {% for k,v in image_build_builder_group_vars.items() -%}
+      {{ k }}={{ v }}
+      {% endfor -%}
+
+- name: Create temporary file for ansible.cfg
+  ansible.builtin.tempfile:
+    state: file
+    suffix: ansible.cfg
+  register: ansible_cfg_file
+
+- name: Template image-build ansible.cfg
+  template:
+    src: ansible.cfg.j2
+    dest: "{{ ansible_cfg_file.path }}"
+
+- name: Packer init
+  command:
+    cmd: |
+      packer init .
+    chdir: "{{ image_build_packer_root_path }}"
+
+- name: Build image with packer
+  command:
+    cmd: |
+      packer build -only openstack.openhpc -var-file=/tmp/builder.pkrvars.hcl openstack.pkr.hcl
+    chdir: "{{ image_build_packer_root_path }}"
+  environment:
+    ANSIBLE_CONFIG: "{{ ansible_cfg_file.path }}"
+    PACKER_LOG: 1
+    PACKER_LOG_PATH: "/tmp/packer-build.log"
+
+- name: Parse packer-manifest.json
+  set_fact:
+    packer_manifest: "{{ lookup('file', '/tmp/builder.manifest.json') | from_json }}"
+
+- name: Extract image-build data
+  set_fact:
+    image_build_data: "{{ packer_manifest.builds | selectattr('packer_run_uuid', 'eq', packer_manifest.last_run_uuid) | first }}"
+
+- name: Destroy infrastructure
+  include_role:
+    name: stackhpc.terraform.infra
+  vars:
+    terraform_project_path: "{{ image_build_terraform_project_path }}"
+    cluster_state: absent
+

roles/image_build/tasks/prechecks.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Ensure builder access mode
+  fail:
+    msg: >- 
+      Set either image_build_ssh_bastion_host or 
+      image_build_attach_floating_ip to access the image
+      build instance via a bastion or directly
+  when:
+    - image_build_ssh_bastion_host is defined 
+    - image_build_attach_floating_ip is defined and image_build_attach_floating_ip
+

roles/image_build/templates/ansible.cfg.j2

@@ -0,0 +1,16 @@
+[defaults]
+any_errors_fatal = True
+gathering = smart
+forks = 30
+host_key_checking = False
+remote_tmp = /tmp
+roles_path = {{ playbook_dir }}/vendor/stackhpc/ansible-slurm-appliance/ansible/roles
+inventory = {{ playbook_dir }}/vendor/stackhpc/ansible-slurm-appliance/environments/common/inventory,{{ image_build_inventory.path }}
+
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=240s -o PreferredAuthentications=publickey -o UserKnownHostsFile=/dev/null
+pipelining = True
+# This is important because we are using one of the hosts in the play as a jump host
+# This ensures that if the proxy connection is interrupted, rendering the other hosts
+# unreachable, the connection is retried instead of failing the entire play
+retries = 10

roles/image_build/templates/builder.pkrvars.hcl.j2

@@ -0,0 +1,31 @@
+repo_root = "{{ playbook_dir }}/vendor/stackhpc/ansible-slurm-appliance"
+environment_root = "{{ playbook_dir }}/image_build"
+networks = ["{{ image_build_network_id }}"]
+{% if image_build_ssh_bastion_host is defined %}
+ssh_bastion_host = "{{ image_build_ssh_bastion_host }}"
+{% endif %}
+{% if image_build_ssh_bastion_username is defined %}
+ssh_bastion_username = "{{ image_build_ssh_bastion_username }}"
+{% endif %}
+{% if image_build_ssh_bastion_private_key_file is defined %}
+ssh_bastion_private_key_file = "{{ image_build_ssh_bastion_private_key_file }}"
+{% endif %}
+{% if image_build_attach_floating_ip %}
+floating_ip_network = "{{ image_build_floating_ip_network }}"
+{% endif %}
+security_groups = ["{{ image_build_security_group_id }}"]
+fatimage_source_image = "{{ image_build_source_image_id }}"
+ssh_keypair_name = "{{ image_build_ssh_keypair_name }}"
+ssh_private_key_file = "{{ image_build_ssh_private_key_file }}"
+flavor = "{{ image_build_flavor_name }}"
+metadata = {
+{% for k,v in image_build_metadata.items() %}
+  "{{ k }}" = "{{ v }}"
+{% endfor %}
+}
+use_blockstorage_volume = {{ image_build_use_blockstorage_volume | string | lower }}
+{% if image_build_use_blockstorage_volume %}
+volume_size = {{ image_build_volume_size }}
+image_disk_format = "{{ image_build_image_disk_format }}"
+{% endif %}
+manifest_output_path = "/tmp/builder.manifest.json"

roles/image_build/templates/outputs.tf.j2

@@ -0,0 +1,39 @@
+output "network_id" {
+  description = "The image build network ID"
+  value       = data.openstack_networking_network_v2.caas_image_build_network.id
+}
+
+output "ssh_keypair_name" {
+  description = "The name of the SSH keypair generated for image build"
+  value = openstack_compute_keypair_v2.image_build_keypair.name
+}
+
+output "source_image_name" {
+  description = "The id of the image used to build the cluster nodes"
+  value       = data.openstack_images_image_ids_v2.image_build_source_image
+}
+
+output "cluster_ssh_private_key" {
+  description = "The private component of the SSH keypair generated for image build"
+  value = openstack_compute_keypair_v2.image_build_keypair.private_key
+  sensitive   = true
+}
+
+output "floating_ip_network_id" {
+  description = "Network to allocate floating IPs from"
+  value = data.openstack_networking_network_v2.caas_image_build_external_network.id
+}
+
+output "security_group_id" {
+  description = "Security group ID to associate with the builder instance"
+  value = openstack_networking_secgroup_v2.caas_image_build_secgroup.id
+}
+
+# Empty values to keep ansible-collection-terraform happy
+output "cluster_nodes" {
+  value = []
+}
+
+output "cluster_gateway_ip" {
+  value = ""
+}

roles/image_build/templates/providers.tf.j2

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.14"
+
+  # We need the OpenStack provider
+  required_providers {
+    openstack = {
+      source = "terraform-provider-openstack/openstack"
+    }
+  }
+}

roles/image_build/templates/resources.tf.j2

@@ -0,0 +1,98 @@
+#jinja2: trim_blocks:False
+
+######
+###### Image build network
+######
+
+data "openstack_networking_network_v2" "caas_image_build_external_network" {
+  external = true
+}
+
+{% if image_build_network_name is not defined %}
+# Create a network
+resource "openstack_networking_network_v2" "caas_image_build_network" {
+  name           = "caas-image-build"
+  admin_state_up = "true"
+}
+
+resource "openstack_networking_subnet_v2" "caas_image_build_subnet" {
+  name       = "caas-image-build"
+  network_id = "${openstack_networking_network_v2.caas_image_build_network.id}"
+  cidr       = "192.168.244.0/24"
+  {% if image_build_nameservers is defined %}
+  dns_nameservers = [
+  {% for nameserver in image_build_nameservers %}
+    "{{ nameserver }}"{{ ',' if not loop.last }}
+  {% endfor %}
+  ]
+  {% endif %}
+  ip_version = 4
+}
+
+resource "openstack_networking_router_v2" "caas_image_build_router" {
+  name                = "caas-image-build"
+  admin_state_up      = true
+  external_network_id = "${data.openstack_networking_network_v2.caas_image_build_external_network.id}"
+}
+
+resource "openstack_networking_router_interface_v2" "caas_image_build_router_interface" {
+  router_id = "${openstack_networking_router_v2.caas_image_build_router.id}"
+  subnet_id = "${openstack_networking_subnet_v2.caas_image_build_subnet.id}"
+}
+{% endif %}
+
+# Get existing network resource data by name, from either the created
+# network or the network name if supplied
+data "openstack_networking_network_v2" "caas_image_build_network" {
+  {% if image_build_network_name is not defined %}
+  network_id = "${openstack_networking_network_v2.caas_image_build_network.id}"
+  {% else %}
+  name = "{{ image_build_network_name }}"
+  {% endif %}
+}
+
+######
+###### Image build keypair
+######
+
+resource "openstack_compute_keypair_v2" "image_build_keypair" {
+  name = "caas-image-build"
+}
+
+######
+###### Image build base image
+######
+
+data "openstack_images_image_ids_v2" "image_build_source_image" {
+  name_regex = "{{ image_build_existing_image_regex }}"
+  sort       = "{{ image_build_existing_image_sort_attributes }}"
+}
+
+######
+###### Image build security groups
+######
+
+# Security group to hold specific rules for the image build instance
+resource "openstack_networking_secgroup_v2" "caas_image_build_secgroup" {
+  name                 = "caas-image_build"
+  description          = "Specific rules for caas image build"
+  delete_default_rules = true   # Fully manage with terraform
+}
+
+## Allow all egress for the image build instance
+resource "openstack_networking_secgroup_rule_v2" "caas_image_build_secgroup_egress_v4" {
+  direction         = "egress"
+  ethertype         = "IPv4"
+  security_group_id = "${openstack_networking_secgroup_v2.caas_image_build_secgroup.id}"
+}
+
+## Allow ingress on port 22 (SSH) from anywhere for the image build instance
+resource "openstack_networking_secgroup_rule_v2" "caas_image_build_secgroup_ingress_ssh_v4" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 22
+  port_range_max    = 22
+  security_group_id = "${openstack_networking_secgroup_v2.caas_image_build_secgroup.id}"
+}
+