This page documents how to configure a site with Aquilon, once the Aquilon broker is running, i.e. how to describe the hardware present in the site and how to configure hosts and services. For Aquilon installation, refer to the dedicate page
This document explains the steps required to set up the clusters for the Daily Planet, Superman’s employer. Feel free to replace the names used here by those relevant to your organisation but be sure to remain consistent.
Note: this documentation assumes that you have an aq
command available in your
path. If this is not the case, define an aq
alias to /opt/aquilon/bin/aq.py
.
Note: the commands provided in this documentation can be be copy/pasted and should result in a working configuration. If you are not familiar with Aquilon, it is recommended to execute the tutorial once with the proposed parameters and then to redo it changing them to values relevant for your organisation.
Aquilon terminology
These are the basic terms in Aquilon operations:
archetype
: The highest possible grouping of hosts into distinctly separate types. Archetypes are a bundle that expresses how to build something. It defines what set of templates to use (for example, what operating systems are available, etc). Hosts therefore require an archetype to define how they are compiled.broker
: The back-end which theaq
client communicates with and the owner of all object and production templates. We’ll refer to it also asaqd
.cluster
: A group of hosts related in some way, different to an archetype in that hosts may or may not be in a cluster. When grouping hosts into a cluster, an object profile is also built for the cluster, as well as the hosts. Clusters go through a completely different schema and build process to how hosts are built and therefore have a different archetypes.domain
: A set of shared Quattor templates. Entities to be configured live in exactly one domain. A domain is currently implemented as a branch in the template-king git repository.feature
: A reusable configuration template that configures a specific thing but does not in itself describe a complete system. A feature may be included in a personality or anywhere else that PAN template code can be included.personality
: describes the services required but not the instance (selected using plenary template information) specific configuration (hardware used, OS version…).plenary
: Template generated by the broker, on the fly, from an external source such as the Aquilon database.sandbox
: A development area for making changes to Pan templates. Each sandbox must be started from a domain and hosts or clusters may be managed into the sandbox to allow for predeployment testing. Once the template code is fully tested, it must be published back to the broker and then deployhttp://quattor-pan.readthedocs.org/en/latested to the shared domain.service
: A network-based service with well-known clients and servers such as DNS, DHCP, NTP, etc. Each service can have multiple instances. Service instances must be mapped which allows the administrator to model client hosts connecting to different instances based on location and optionally personality.
For more details on these concepts, see the the dedicated page.
Before proceeding
Some understanding of Quattor architecture and the Pan language are expected before reading this document.
We’ll interact with the broker using the aq
command, which has lots
of sub-commands. Each sub-command has a detailed help. aq
sub-commands are generally
made of several words that can be separated either by a space or an _
. The latter (_
)
is preferred as it allows to use tab completion when entering command. This is the form
used throughout this document. In aq
, everything before the first option
(introduced
by --
) is considered as a sub-command word. Options can be abbreviated as long as they
are non ambiguous but sub-command words cannot.
In this stage we will be adding a site, so we will use add_*
commands. Most of the Aquilon commands have a show_
, update_
, search_
and
del_
counterparts. search_
commands are similar to show_
commands but provide more
options to select the objects to show. You are recommended to read the help of each
command before actually running it.
Before starting using the aq
command, you need get a Kerberos ticket. Use the kinit
command
to get it. If the Kerberos principal to use is different from the current Linux user, pass its name
as a parameter to the kinit
command.
Domain and archetypes
Domains
Domains allow to implement a staged deployment workflow. In our example, we will use two domains:
-
test
: used for for testing configuration changes before wide deploymentaq add_domain --domain 'test'
-
prod
: used for managing all the production services. During the initialisation of Aquilon database, theprod
domain was created in the database but the matching directory was not. Also the Pan compiler path must be fixed to the one declared in/etc/aqd.conf
. Below are the command to fix this:# Replace the directory by what is used at your site cd /var/quattor/domains cp -R test prod cd prod git checkout prod git branch -d test # Fix Pan compiler path aq update domain --domain prod --compiler_version prod
Archetypes
Archetypes are used to group hosts with common configuration parameters/requirements
(e.g. all your network switches) or with similar purposes (e.g. all your cloud hosts). In our example, we
will start with one archetype, web_servers
.
aq add_archetype --archetype web_servers --compilable
Configuring the Template Library
The template library is a set of generic templates that
help to build host descriptions. It provides many building blocks, in particular
features
and hardware-related templates, ready to use to configure the host hardware,
standard OS services and a few more specific
middleware, like OpenStack for clouds or
UMD
for grid.
Importing the Template Library
The template library must be imported in the plenary template area using the
plenary_template_library.py
script. Download the script and execute it with option --help
to display all the options available. A typical execution of this
script, to download the template library version 18.3.0
, is:
plenary_template_library.py --releases 18.3.0 /var/quattor/cfg/plenary/template-library
The /var/quattor/cfg/plenary/template-library
directory will contain a directory corresponding to the version
downloaded, making easy to have different versions of the template library. In this directory, a sub-directory
is created for each component of the template library: core
, os
, standard
, openstack
and grid
. As the
template library is not supposed to be modified, it is intentionally placed into the plenary templates
directory rather than in the template-king
Git repository.
Enabling the Template Library
A template library version is enabled in the context of an archetype, using archetype/declarations.pan
This template is typically placed in the archetype directory for which you want to enable this version
of the template library. Temporarily, for the purposes of this tutorial, we’ll add it to the plenary
templates area, under /var/quattor/cfg/plenary/web_servers
, where web_servers
is the
archetype we’ll use in our examples.
The typical contents for declarations.pan
can be created with:
mkdir -p /var/quattor/cfg/plenary/web_servers/archetype
cat > web_servers/archetype/declarations.pan <<EOF
# It is VERY IMPORTANT not to use this template for anything else than the initial
# LOADPATH configuration.
#
# This is the first template loaded by an object, before / is populated. This must
# be a declaration template because any change to / will be removed by a subsequent
# line in the object template.
declaration template archetype/declarations;
# Replace by the template library version you want to use
final variable QUATTOR_RELEASE = '18.3.0';
variable LOADPATH = append(SELF, format('template-library/%s/core', QUATTOR_RELEASE));
variable LOADPATH = append(SELF, format('template-library/%s/standard', QUATTOR_RELEASE));
variable DEBUG = debug(format('%s: (template=%S) LOADPATH=%s', OBJECT, TEMPLATE, to_string(LOADPATH)));
EOF
Storing your inventory
The Aquilon database contains the entire inventory of your infrastructure. You may use it as your asset management database, or feed it from your existing one. You will have to store all your hardware, its characteristics and locations.
Geographical locations
Before starting, you have to add the geographical locations of your infrastructure. The meanings of the commands to run should be obvious. We list here an example:
aq add_organization --organization 'daily_planet'
aq add_hub --hub 'pacific' --organization 'daily_planet'
aq add_continent --continent 'america' --hub 'pacific'
aq add_country --country 'us' --continent 'america'
aq add_city --city 'metropolis' --fullname 'Metropolis' --country 'us' --timezone 'dct'
aq add_building --building 'hq' --city 'metropolis' --address '355, 1000 Broadway'
aq add_room --room 'supersecret' --building 'hq' --floor 1
List your own addresses, rooms… but remember that each step depends on the previous ones. If you want to add European countries, you have to insert Europe as a continent first! Also note that object names should not start with a digit and cannot contain spaces.
Your hardware inventory
Next comes your hardware. At the very least, your racks, chassis and servers will be stored here. It is a good place to store other hardware such as switches. Many building blocks, like NIC and hard disks, are available in the template library that we configured in a previous step. The examples here uses them but, if necessary, you can define new hardware components: see the dedicated section.
For racks, you have to specify on which row and column inside that row they are, the room they are located into and an optional fullname. A rack ID will be allocated automatically with a prefix who is the building name and a sequential number in this building.
# 'aq add_rack` returns the rack ID to use in further commands
aq add_rack --fullname forlexluthor --row 3 --column C --room supersecret
Next come servers, switches, routers… we’ll go for servers,
machine
in Aquilon terms. To be able to define a server, we need to first define its
vendor and its CPU model. Models are used to build an actual machine and they cover every
component used in the machine. A model is identified by its name and its vendor.
Initial Aquilon database already has several vendors and models
defines: use aq show_vendor --all
and aq show_model --all
to see them.
Here we’ll use a simple rack-mounted server but Aquilon also allows to
define other types of servers, in particular chassis and blades, and to
use them to build a machine. See aq help add_model
.
# --comment is optional and is valid also in 'aq add_model'
aq add_vendor --vendor luthorindustries --comments "My preferred vendor"
# xeon-e5-2670v3 is one of the many CPU models provided by the template library
aq add_model --model xeon_e5_2670v3 --vendor intel --type cpu
aq add_model --model thegreatserver --vendor luthorindustries --type rackmount --cpuname xeon_e5_2670v3 \
--cpunum 2 --memory 98304 --disktype local --diskcontroller sas --disksize 1000 \
--nicmodel bcm57711
rackid=$(aq search rack --fullname forlexluthor)
aq add_machine --machine testhw --model thegreatserver --rack ${rackid}
Network interfaces
Each machine has a number of network interfaces, with their MAC
addresses. They need to be added to the machine object previously created. Aquilon
supports different types of interfaces (public, management, VLAN…): see aq help add_interface
for details. The MAC address can be explicitly defined for a standard machine or auto-generated
for a virtual machine. The interface can belong to a port group. One of the interface must be
marked as bootable
to be able to define an IP address when adding the host.
In our example, we’ll use a standard public interface and mark it as bootable.
aq add_interface --interface eth0 --machine 'testhw' --mac 'AA:BB:CC:DD:EE:FF'
aq update_interface --interface eth0 --machine 'testhw' --boot
Declaring networks
Once we have the hardware in place, it’s time to declare the networks our hosts live in.
We’ll use the add_network
command:
aq add_network --network 'leaks' --ip '192.168.1.0' --netmask '255.255.255.0' --city 'metropolis'
aq add_network --network 'reporters' --ip '192.168.100.0' --netmask '255.255.255.0' --city 'metropolis'
And now the broker knows about two networks, each with its own
separate gateways. Networks can live in different network
environments (for instance, internal, public…) on which separate policies may
apply. Check the help for the aq add_network_environment
command.
DNS domains
Our network has some DNS domains. We have to add them:
aq add_dns_domain --dns_domain 'dailyplanet.com'
Declaring hosts
Adding a personality
Before being able to add a host, we need to define a personality
.
Personalities are collections of smaller chunks called features. A
feature
is re-usable in many contexts, by different personalities,
hardware models…
At this stage we’ll create an empty personality, without associated features. Indeed, a feature definition implies writing some pan templates, something that cannot be done at this stage.
Before creating the personality, we need to define a GRN. A GRN is an organisation group or
entity name that will own features and personalities. You can create as
many GRNs as you want. Each GRN has a name and a unique ID, called an EON_ID
.
They are respectively specified with option --grn
and --eon_id
in aq
commands that need them: both
are equivalent. To create our first GRN, use the following command:
```bash
aq add_grn --grn test --eon_id 1
```
When creating a personality, here test
, it must be attached to an already existing archetype (here
web_servers
) and to be usable by a host, it must be marked as current
with aq promote
:
```bash
aq add_personality --personality test --archetype web_servers \
--grn test --host_environment dev
aq promote --personality test --archetype web_servers
```
Adding the operating system
Aquilon must also know about the valid OS for each archetype (you can declare several). An OS has a name and a version.
To create an OS object for CentOS 7.x for the archetype web_servers
, use the following command:
```bash
aq add_os --osname centos --osversion 7.x --archetype web_servers
```
Once the OS object has been created, it is necessary to create a template associated with it.
We will temporarily create this in the plenary template area normally reserved for templates managed by the database.
The templates will be moved to their proper location in the next section. Create a file called config.pan
in /var/quattor/cfg/plenary/$archetype/os/$osname/$osversion
, i.e.
/var/quattor/cfg/plenary/web_servers/os/centos/7.x/config.pan
.
At this stage we will create an empty template:
Currently, we’ll create it in the plenary template area, /var/quattor/cfg/plenary
. The template
must be called config.pan
, under the directory web_servers/os/centos/7.x
(archetype
, osname
, osversion
).
At this stage we’ll create an empty template:
cd /var/quattor/cfg/plenary/web_servers
template=os/centos/7.x/config
template_ns=$(dirname ${template})
template_file=${template}.pan
mkdir -p ${template_ns}
echo "unique template ${template};" > ${template_file}
Creating Hardware-related templates
Every model object must have a matching template that must be created manually. Templates for the building
blocks we used are already provided in the template library, except for the machine model.
Again, we’ll temporarily create them
in the plenary template area, /var/quattor/cfg/plenary
, under the hardware
directory. For
machines, the template must exist but can be empty.
Note: you need a version later than 18.3.0 for the template library in order to get the templates
for the machine building blocks. If your version of the template library is older, update the hardware
part from master branch of template-library-standard
repository.
cd /var/quattor/cfg/plenary
template=hardware/machine/luthorindustries/thegreatserver
template_ns=$(dirname ${template})
template_file=${template}.pan
mkdir -p ${template_ns}
echo "structure template ${template};" > ${template_file}
Creating the archetype/base and archetype/final templates
In addition to the declarations.pan template described above, each archetype requires 2
further templates located in a directory called <<name-of-archetype>>/archetype
,
in our example web_servers/archetype
, in the plenary template area,
/var/quattor/cfg/plenary
:
base.pan
: this template is the first executed template after the definition of the hardware.final.pan
: it will be the very last one executed in the host profile. It will be created empty at this stage.
We will create empty templates at this stage. To define these templates, use the following commands:
cd /var/quattor/cfg/plenary/web_servers
for template in archetype/base archetype/final
do
template_file=${template}.pan
echo "Creating template ${template_file}..."
echo "unique template ${template};" > ${template_file}
done
Adding and Building the First Host
Now we can declare a host on our testhw
machine.
A host needs to receive a personality when it is
first registered in Aquilon, that can be later changed if necessary.
Now, we use all that information to add a testsrv.dailyplanet.com
host:
aq add_host --hostname testsrv.dailyplanet.com --machine testhw --ip 192.168.1.3 \
--domain test --archetype web_servers --personality test --osname centos --osversion 7.x
Once the host has been added to the Aquilon database, it is possible to build its configuration.
This step involves generating the plenary templates describing the host configuration (machine used,
OS, personality…) and compiling those templates. This is done with the command aq reconfigure
:
aq reconfigure --hostname testsrv.dailyplanet.com
The execution of aq reconfigure
will build the host profile in /var/quattor/cfg/domains/test/profiles
and compile it. The compilation should succeed: if it fails, review the previous steps. Failure to compile
a profile causes it to be removed from the profiles
directory.
We now have a host profile compiled but it’s configuration is almost empty. Next steps will show
how to describe the target configuration for the host testsrv.dailyplanet.com
, using the template
library. But before, we need to setup a sandbox which is the place where the
configuration changes will be developed.
Creating a Sandbox
Up to now, the templates have been placed into the plenary templates area but this is not a suitable approach for several reasons, in particular:
-
Plenary templates can be edited only by the Aquilon administrator(s), not by every Aquilon users.
-
Plenary templates are not versioned
-
Plenary templates cannot be edited by several users in parallel
The purpose of sandboxes it to allow each Aquilon user to develop its changes without impacting others, until the changes are ready to be published, reviewed and eventually merged into the production ones. Some hosts can be associated with the sandbox to test the changes.
In the following steps, we’ll create a sandbox for the future changes and move into it the templates we wrote until now.
Add an Aquilon user for the current user
A sandbox is associated with an Aquilon user. The Aquilon user is derived from the Kerberos principal
and is associated with an existing Linux account
via the uid
and gid
. The Aquilon user name doesn’t have to match the Linux user ID. It must be created
with the aq add_user
command if the user doesn’t exist already. To list existing
users, use:
aq show_user --all
If you are using the aquilon
Linux user as suggested, use the following commands:
# Retrieve the Linux `uid` and `gid` for this account
id aquilon
# Create the Aquilon account
aq add_user --user aquilon --uid uid_retrieved --gid gid_retrieved \
--home aquilon_account_dir --fullname "Aquilon administrator"
To be able to add a sandbox for the user, the Kerberos realm used to authenticate Aquilon users must be trusted. This is not the default when a realm is added. To declare a realm as trusted:
aq update_realm --realm dailyplanet.com --trusted
Note: the actual realm used is based on the Kerberos configuration that was done during Aquilon
installation. Use klist
command to get it, if you don’t know it.
Sandbox creation
The following command will create the sandbox object and the Git repository associated in
/var/quattor/templates/user/sandbox_name
with user
the Aquilon user matching the Kerberos principal
used and sandbox_name
the name of the sandbox create. The sandbox is a Git repository
created as a clone of the template-king
repository (template-king
is the Git remote
origin
for the sandbox repository):
aq add_sandbox --sandbox tutorial
Once the sandbox is created, it is necessary to associate with it the host we want to manage with the
sandbox. In (almost) all the Aquilon commands requiring a --sandbox
option (except the xxx_sandbox
commands),
the sandbox name is user/sandbox
.
# The following command assumes that the Aquilon user has the same name as the current Linux user
aq manage --sandbox $USER/tutorial --hostname testsrv.dailyplanet.com
You can check that the host testsrv.dailyplanet.com
still compiles successfully after its move to
the sandbox, with the command used previously:
aq reconfigure --hostname testsrv.dailyplanet.com
Moving Added Templates to the Sandbox
We can now move the templates created at previous steps in the sandbox. Only the template library
has been intentionally placed into the plenary templates as this is component that is not intended
to be modified by a site. Use the following commands, customising the paths to your configuration if
you didn’t adopt the standard layout. In the destination directories, aquilon
is the Aquilon user,
tutorial
is the sandbox name and web_servers
is the archetype name.
cd /var/quattor
# Move the hardware templates
mv cfg/plenary/hardware templates/$USER/tutorial
# Create the archetype directory in the sandbox
mkdir templates/$USER/tutorial/web_servers
# Move archetype/base.pan and archetype/final.pan
mv cfg/plenary/web_servers/archetype templates/$USER/tutorial/web_servers
# Move the OS template
mv cfg/plenary/web_servers/os templates/$USER/tutorial/web_servers
Again, check that the host testsrv.dailyplanet.com
still compiles successfully after moving to
the templates to the sandbox, as previously:
aq reconfigure --hostname testsrv.dailyplanet.com
After checking the successful compile, commit your changes in the sandbox:
cd /var/quattor/templates/$USER/tutorial
git add hardware web_servers
git commit -m 'Initial templates moved to sandbox'
Publishing and Deploying the Sandbox Changes
To illustrate the Aquilon deployment workflow, we can now publish these changes so that they can be reviewed by others and then deploy them into a domain.
To publish the changes so that it is possible to deploy them later:
aq publish --branch tutorial
This pushes the changes to the tutorial
branch of the template-king repository. Once the
changes are considered ready to be deployed in the test
domain, use aq deploy
:
# You can add option --dryrun if you want to see what will be done before
# actually doing it
aq deploy --source tutorial --target test
To test that everything is correct, we need to add a second host in the test
domain (testsrv
is now the
tutorial
sandbox) and compile it:
rackid=$(aq search rack --fullname forlexluthor)
aq add_machine --machine testhw2 --model thegreatserver --rack ${rackid}
aq add_interface --interface eth0 --machine 'testhw2' --mac 'AA:BB:CC:DD:FF:EE'
aq update_interface --interface eth0 --machine 'testhw2' --bootable
aq add_host --hostname preprodsrv.dailyplanet.com --machine testhw2 --ip 192.168.1.4 \
--domain test --archetype web_servers --personality test --osname centos --osversion 7.x
aq reconfigure --hostname preprodsrv.dailyplanet.com
At this point we can also check that everything is properly configured with the domain prod
and
that we can deploy to it, after the validation in domain test
. For the sake of simplicity,
we’ll use the same host after moving it to the domain prod
:
aq deploy --source test --target prod
aq manage --hostname preprodsrv.dailyplanet.com --domain prod
aq manage
, when moving a host from between domains or between a sandbox and a domain, is trying
to compile the host profile. If it fails, the host is not moved to the new domain/sandbox.
Configuring the base OS
This section shows how to leverage the template library to do the host basic configuration, i.e. the base OS and the Quattor client configuration
Defining the site global variables
It is a good practice to declare the main site variables in one template so that it is easy
to call them during the initialisation of every archetype. The choice made in this example is to
create a site/config
directory at the top-level in the sandbox and to create a template
global_variables.pan
in it with the following typical contents:
cd /var/quattor/templates/$USER/tutorial
template=site/config/global_variables
template_ns=$(dirname ${template})
template_file=${template}.pan
mkdir -p ${template_ns}
cat > ${template_file} <<EOF
# This templlate is expected to contain only variable definitions that
# apply to the whole site
declaration template ${template};
# OS_FLAVOUR_ENABLED activates generic major version
# i.e sl6.x el7.x ... instead of fixed version (sl6.8, el7.2, ...)
variable OS_FLAVOUR_ENABLED ?= true;
# By default, do not remove postfix service
variable OS_CORE_POSTFIX ?= true;
# Define some variable used on many templates based on the current object template
variable HOSTNAME = hostname_from_object();
variable DOMAIN = domain_from_object('no.default');
variable FULL_HOSTNAME= OBJECT;
# Network parameters are defined by the Aquilon broker
final variable NETWORK_PARAMS = {
SELF['ip'] = value('/system/network/primary_ip');
SELF['gateway'] = value('/system/network/default_gateway');
SELF;
};
# Define the nameservers to use for the site.
variable NAMESERVERS = list("192.168.1.250", "192.168.1.250");
# Define NTP servers
variable NTP_SERVERS = list("ntp.dailyplanet.com");
# Location and format of quattor profile.
variable QUATTOR_PROFILE_URL ?= "http://aquilon-broker.dailyplanet.com/profiles";
variable QUATTOR_PROFILE_FORMAT ?= 'json';
# Location of repository SNAPSHOT
variable YUM_SNAPSHOT_ROOT_URL ?= 'http://yum.dailyplanet.com/snapshots';
# Variable defining the Pan namespace for YUM snapshot templates
variable YUM_SNAPSHOT_NS ?= 'site/repository/snapshot';
# AII specific parameters
variable AII_OSINSTALL_SRV ?= "aii-server.dailyplanet.com";
variable AII_OSINSTALL_ROOT = '/packages/os';
# SELinux state at installation time
variable AII_OSINSTALL_SELINUX ?= 'permissive';
EOF
Note: when migrating from SCDB, you can reuse the contents of the SCDB template
site/global_variables.pan
in your site directory.
Adding the base information for the archetype
web_servers/archetype/base.pan
, currently empty, is the place for all the actions that must be done before
configuring the OS and the other components (e.g. personalities) of the host.
A typical web_servers/archetype/base.pan
is:
cd /var/quattor/templates/$USER/tutorial
cat > web_servers/archetype/base.pan <<EOF
unique template archetype/base;
# Define the default suffix for YUM-based variant of RPMS configuration templates
# Defined too late by the standard templates in the context of Aquilon
variable RPMS_CONFIG_SUFFIX ?= '-yd';
## This variable will allow to control the YUM snapshot used, if you are using YUM
# snapshots as recommended
variable YUM_SNAPSHOT_DATE ?= '20180409';
# OS distribution used, e.g. centos7 used to build the actual repository name
# Must match the first part of the YUM repository actual name
variable YUM_OS_DISTRIBUTION_NAME ?= 'centos7';
# Timezone definition until the broker put it in the plenary templates
# See https://github.com/quattor/aquilon/issues/91
variable TIMEZONE ?= 'US/Pacific';
# Basic stuff from Quattor core that will be needed in many places
include 'quattor/functions/network';
include 'components/spma/config';
# Template used to define filesystem partition (optional)
variable FILESYSTEM_LAYOUT_CONFIG_SITE ?= "site/filesystems/layout-example";
include "filesystem/config";
# Load Quattor profile schema
include 'quattor/profile_base';
# Required information for every machine
"/system/rootmail" = "admins@dailyplanet.com";
include 'components/accounts/config';
"/software/components/accounts/rootpwd" = "hash_for_very_secret_password";
include 'site/config/global_variables';
EOF
Adding the package repositories
In order to configure packages, we need to define package (YUM) repositories. This involves several steps :
-
One template is needed to describe each repository available. The choice made in this example is to place them in the directory
site/repository/snapshot
. After creating this directory, use the following templates as an example: they declare a repository for the base OS,el7x_x86_64
, and one for the errata,el7x_x86_64_errata
.cd /var/quattor/templates/$USER/tutorial template_dir=site/repository/snapshot mkdir -p ${template_dir} for repository in el7x_x86_64 el7x_x86_64_errata do template=${template_dir}/${repository} template_file=${template}.pan repository_suffix=$(echo ${repository} | sed -e 's/^el7x_//') cat > ${template_file} <<EOF structure template ${template}; "name" = "${repository}"; "owner" = "aquilon.support@dailyplanet.com"; "protocols" = list( nlist("name","http", "url",YUM_SNAPSHOT_ROOT_URL+"/"+YUM_SNAPSHOT_DATE+"/"+YUM_OS_DISTRIBUTION_NAME+"-${repository_suffix}") ); EOF done
-
Create a template to add all the required repository to the profile. In this example, we’ll use
site/repository/config/base.pan
. First create the directory, then create the template with the following typical content is:cd /var/quattor/templates/$USER/tutorial template=site/repository/config/base template_ns=$(dirname ${template}) template_file=${template}.pan mkdir -p ${template_ns} cat > ${template_file} <<EOF # NOTE: This template should be the LAST thing included in a # machine profile as other parts of the configuration could modify # some variables used to configure the package repositories. unique template site/repository/config/base; # Repositories related to base OS and quattor client (should be first) include {'repository/config/os'}; variable DEBUG = debug('OS_REPOSITORY_LIST = ' + to_string(OS_REPOSITORY_LIST) + "\n" + 'QUATTOR_REPOSITORY_LIST = ' + to_string(QUATTOR_REPOSITORY_LIST) + "\n"); # Cleanup repository information include { 'components/spma/repository_cleanup' }; EOF
Adding the final information for the archetype
The very last template to get included into the host configuration is archetype/final.pan
, in
the archetype directory (here web_servers
). This is the place where is typically added the configuration
about the Quattor client, the initial installation (AII) and the package repositories, as they tend
to depend from several things done during the other part of the configuration. A typical contents
for web_servers/archetype/final.pan
(currently empty) is:
cd /var/quattor/templates/$USER/tutorial
cat > web_servers/archetype/final.pan <<EOF
unique template archetype/final;
# AII (initial installation) configuration
variable AII_OSINSTALL_EXTRAPKGS ?= list();
variable AII_OSINSTALL_OPTION_TIMEZONE = TIMEZONE;
# Configure Quattor client
include 'quattor/client/config';
# Must be included after AII_OSINSTALL_EXTRAPKGS is populated
include "config/quattor/aii"; # Part of the OS templates
# Configure YUM repositories
# Must be done last
include 'site/repository/config/base';
EOF
Configuring the OS
Aquilon expects the main configuration template for the OS to be in the template
os/centos/7.x/config.pan
(where centos
is the OS name specified for the host and
7.x
is the OS version), typically in the archetype directory (in our example,
web_servers/os/centos/7.x/config.pan
).
A typical template content is:
cd /var/quattor/templates/$USER/tutorial/web_servers
template=os/centos/7.x/config
template_ns=$(dirname ${template})
template_file=${template}.pan
mkdir -p ${template_ns}
cat > ${template_file} <<EOF
unique template ${template};
# It doesn't make sense to modify the variables in this template
# at a later stage, thus they are marked final
final variable NODE_OS_VERSION = 'el7.x-x86_64';
# Bind interface names defined in the profile to the machine interface
# with the matching MAC address
'/system/network/set_hwaddr' = true;
include 'os/config/declarations';
include 'config/core/base';
EOF
This template is calling a template independent of the particular OS name and version to
add to the LOADPATH
the template library for the selected OS version. In the example,
this template is called os/config/declarations.pan
(in the archetype directory, i.e.
web_servers/os/config/declarations.pan
). A typical content for this template is;
cd /var/quattor/templates/$USER/tutorial/web_servers
template=os/config/declarations
template_ns=$(dirname ${template})
template_file=${template}.pan
mkdir -p ${template_ns}
cat > ${template_file} <<EOF
declaration template ${template};
variable LOADPATH = append(SELF, format('template-library/%s/os/%s', QUATTOR_RELEASE, NODE_OS_VERSION));
variable DEBUG = debug(format('%s: (template=%S) LOADPATH=%s', OBJECT, TEMPLATE, to_string(LOADPATH)));
EOF
Compiling the host profile
As usual, we can compile the profile for the host testsrv.dailyplanet.com
with all the changes made:
aq reconfigure --hostname testsrv.dailyplanet.com
It should compile successfully. If not, please review carefully all the previous steps.
Publishing and deploying the changes
Once the profile has been successfully rebuilt, it is necessary o publish the changes so that they become visible to other users and they can be used by other domains:
aq publish --branch tutorial
This pushes the changes to the tutorial
branch of the template-king repository. Once the
changes are considered ready to be deployed in the test
domain, use aq deploy
:
# You can add option --dryrun if you want to see what will be done before
# actually doing it
aq deploy --source tutorial --target test
We can check that the host in the test
domain added previously also compile successfully:
# preprodsrv should be in the prod domain after the previous step
aq manage --hostname preprodsrv.dailyplanet.com --domain test
aq reconfigure --hostname preprodsrv.dailyplanet.com
And when everything is correct, we can deploy the changes to the prod
domain and
test them:
aq deploy --source test --target prod
aq manage --hostname preprodsrv.dailyplanet.com --domain prod
Summary
We know have a two hosts successfully configured with a configuration that allows to deploy and manage a basic OS configuration. Thanks to the template library, it has been the matter of adding around ten Pan templates that are mainly variable definitions and includes.
Defining the Personality
Personality configuration is staged. That means that when a personality is updated, the change is not
visible to the hosts using it until it is promoted as the current
version with the aq promote
command.
When a personality is created and when it is updated, its stage is defined to next
(configuration that
will be applied to the personality when the new configuration is promoted as the production (current
) one.
Personality configuration consists mainly of adding or removing features to it with the
aq update_personoality
command. More details can be found in the documentation on
advanced management tasks, in particular the section related to features.
Adding a feature to test personality
In our example, we will add the feature
pakiti)
to the personality test
used with the host
testsrv.dailyplanet.com
. Pakiti is a service to collect and
display the patch status of hosts against known CVEs. Its configuration is part of the template library,
meaning that we don’t need to write the Pan templates associated with the feature.
The pakiti
feature is easily added to the Aquilon database with:
aq add feature --feature pakiti --type host --activation dispatch --deactivation reboot \
--grn test --comment "This feature deploys de Pakiti software"
--comment
is optional but it is a good practice to use it to describe what the feature does.
Once added it must be bound to the web-servers
personality:
aq bind_feature --feature pakiti --personality test --archetype web_servers
After modifying a personality and before promoting the new configuration as the current
one, it is possible to see the differences between the current and the new configuration with
aq show_diff
:
aq show_diff --archetype web_servers --personality test --personality_stage current --other_stage next
The resulting new personality configuration must now be promoted as current
so that testsrv.dailyplanet.com
can use the updated personality:
aq promote --personality test --archetype web_servers
This feature requires one variable to be added to our site configuration to define the name of the
Pakiti server. Based on whether the current host is the pakiti server or not, the server or the client will
be configured. Presently, we will configure the Pakiti client as part of the test
personality. To achieve
this, add the following variable definition to site/config/global_variables.pan
:
# Pakiti server
variable PAKITI_SERVER ?= 'pakiti.dailyplanet.com';
The new host configuration can now be compiled, published an deployed with the usual commands:
aq reconfigure --hostname testsrv.dailyplanet.com
aq publish --branch tutorial
aq deploy --source tutorial --target test
This demonstrates again the power of the template library, we we can rely on features already defined by another site. This is particularly true when configuring hosts with middleware like OpenStack for a cloud or like UMD for the European Grid. Nevertheless some features are site specific and in this case, adding a feature will require to write the associated Pan configuration.
Troubleshooting
Error “branch already exists” when creating a domain
This may happen when using the command aq add_domain
if a previous execution of the same domain failed after
the corresponding Git branch in template-king
repository has been created. Once the problem that caused the
command to fail has been fixed, to be able to create the domain it is necessary to first delete this branch.
To do so, go to the template-king
repository and delete the branch with the following commands
# Replace the directory by your actual path, if different from the default configuration
cd /var/quattor/template-king
# Replace 'domain' by the actual domain name that you are trying to create
git branch -D domain
Failure to run aq compile
If aq compile
fails to run properly (not if the compilation results in errors) because of something wrong
with the compilation command, look for string ant
in /var/quattor/logs/aqd.log
and execute the command found
in the log as the user who run the aq compile
command, adding the option --execdebug
, after defining
the ANT_HOME
environment variable with the value of the ant_home
parameter in /etc/aqd.conf
.
This allows to see the Java command executed with all its options and to identify the wrong one.
In particular if you get the error Could not find or load main class org.apache.tools.ant.launch.Launcher
and if ant
has been installed, you should suspect an incorrect definition of ant_home
parameter in
/etc/aqd.conf
. The standard value should be /usr/share/ant
and result in /usr/share/ant/lib/ant-launcher.jar
being added to the class path.