dustin
/
configpolicy
1
1
Fork 0
Code Issues Releases Activity
798 Commits
14 Branches
0 Tags
7.3 MiB
Commit Graph

7 Commits (nut0)

Author SHA1 Message Date
Dustin b7381b3fb1 ci: Use lockable resource to enforce serial runs 
It is important that only one configuration management job run at a
time. Currently, this is enforced by having only one agent with the
*ansible* label, and that agent has only one executor. This is not an
ideal solution, because it requires maintaining a separate machine for
this purpose.

The *Lockable Resources Plugin* provides an alternate solution to this
problem. Using this plugin, jobs can acquire an exclusive lock on a
"resource" that prevents other jobs that require the same resource from
running. Any job that starts while the lock is held will wait until it
is released before executing. This will enforce the same serial
execution policy, but does not require a separate, dedicated machine.
Jobs will be able to run on any executor with the appropriate label.

Using this option, it is now possible to run configuration management
jobs on the normal agents, defining the execution environment in a
Docker image, so the *cm0.pyrocufflink.blue* agent can be
decommissioned.
 2019-05-02 09:58:20 -05:00
Dustin 7766cc1d05 ci: zabbix: Specify credentials 
Since the host *gw0* is not a member of the *pyrocufflink.blue* domain,
GSSAPI authentication does not work. As such, the SSH private key has to
be made available to the `ansible-playbook` process for authentication
to that host.
 2018-06-22 19:43:08 -05:00
Dustin cae9f2e3c2 ci: zabbix: Separate server, agent stages 
Separating the Zabbix server and agent playbooks into separate stages
allows better visibility into the time taken for each.
 2018-06-22 19:43:06 -05:00
Dustin 0500adadfa ci: zabbix: Use multiple sudo-pass files 
The `zabbix.yml` playbook applies to hosts that are not members of the
*pyrocufflink.blue* domain, and thus have different passwords for
`sudo`. Using the `-e` argument to `ansible-playbook` and specifying a
single Vault-encrypted file that defines the `ansible_become_password`
variable effectively forces Ansible to try to use that password on every
host. This is because variables defined on the command line, or read
from a file specified on the command line, have the highest precedence.

To use different passwords on different hosts, the normal variable
scoping rules have to be used. To that end, one `sudo-pass` file is
created in the `group_vars/pyrocufflink` directory, so it will apply to
all machines that are members of the *pyrocufflink.blue* domain.
Additionally, another `sudo-pass` file is created in the `host_vars/gw0`
directory; it will only apply to the gateway device.
 2018-06-22 19:33:23 -05:00
Dustin 1d2e581a85 ci: Send emails on failed builds 2018-05-19 10:00:34 -05:00
Dustin e61fe015ed ci: zabbix: Remount filesystems 2018-04-15 13:48:54 -05:00
Dustin 8b5c1fccfc ci: Add pipeline for Zabbix 2018-04-14 15:57:41 -05:00