So the OS deployment development in confluent has progressed to the point I can
demonstrate most of its usage with a few suboptimal behaviors (e.g. I want more
informative errors when things could be better, there's a few commands run once
to bootstrap manually that I want to pull together into one 'wizard'), but
enough for me to ask if anyone wants to discuss or review. In general obviously
it is influenced by my work on xCAT, but different in a few ways:
Different SSH strategy:
-No private keys are ever moved around ever. To the extent there is interaction
with SSH or TLS keys, there is no longer a need to move them around, even if
you want root to ssh between nodes without a password)
-ssh_known_hosts are now automatically handled across a cluster for all users
(confluent takes responsibility by managing an SSH CA, meaning a one line
known_hosts file can suffice for thousands, though it'd be one line per
collective member)
-Users no longer need private/public keys in their home directories to SSH
between nodes (root and all users may have SSH enabled using host based
authentication. Connections are authenticated according to known_hosts rather
than user keys)
-This all sums to SSH keying material used within a cluster, but not useful
between clusters
Confluent no longer runs as root (this is already the case, but will continue
to be the case into OS deployment)
Confluent is tested with SELinux (documentation will include the couple of
sesetbools that would commonly be needed when dealing with NFS or Gluster)
Confluent collective doesn't require a 'master' and 'service' nodes, all
members are equal (though you are free to think of one as a master for
convenience, the actual installation and code will not care about the
distinction)
-Additionally, unambiguously /var/lib/confluent should be
synchronized or a cluster filesystem across the board, no collective member
unique data is anywhere in the tree
The default templates will be closer to default behavior of relative oses. For
example, install RHEL/CentOS and it will have SELinux enabled and firewall
enabled unless the user customizes it.
The default root password behavior changes from 'won't install' to 'password
authentication disabled'. If user does not specify, then only ssh keys may be
used to log in as root.
-When root password is specified, confluent will refuse to store
the password in the clear and will always apply a one-way crypt to input before
retaining
-Even when configured, they are not present in the
kickstart/autoyast/autoinstall files that get downloaded, they get handled
differently
Scripted install files are no longer templates that get filled in to
node-unique values and put into web server. Every node downloads the exact same
scripted install file, which contains no node or site specific content (unless
added through customization).
By the same token, nodes no longer receive unique kernel command line
arguments. PXE, HTTP, and remote media based boot are working and the identical
boot image may be used across many nodes.
Modifying the profile to have 'console=tty...' is optional, if not specified
and serial console is detected from firmware, then a best effort will be made
during install to give info on 'nodeconsole', and the installed system will
have the autodetected value put into console=.. on your behalf (unless
overridden).
Generally speaking, distribution specific logic is moved out of the server.
Mostly this means that to the extent templates are specialized, it is done on
the node during install time rather than at the server in advance.
OS images are no longer spread all around the filesystems glued together by
database entries across multiple tables, each profile is a directory. The
equivalent of 'lsdef -t osimage' can be done by 'ls
/var/lib/confluent/public/os/'. To the extent that large content is in multiple
profiles, symbolic links are used to share the data in an obvious way. For
example:
[root@pompeius os]# pwd
/var/lib/confluent/public/os
[root@pompeius os]# ls
centos-8.1-x86_64-default opensuse_leap-15.1-x86_64-hpc
ubuntu-20.04-x86_64-default
[root@pompeius os]# find centos-8.1-x86_64-default/ ! -type d
centos-8.1-x86_64-default/kickstart
centos-8.1-x86_64-default/profile.yaml
centos-8.1-x86_64-default/initprofile.sh
centos-8.1-x86_64-default/scripts/firstboot.service
centos-8.1-x86_64-default/scripts/post.sh
centos-8.1-x86_64-default/scripts/pre.sh
centos-8.1-x86_64-default/scripts/firstboot.sh
centos-8.1-x86_64-default/boot/initramfs/addons.cpio
centos-8.1-x86_64-default/boot/initramfs/site.cpio
centos-8.1-x86_64-default/boot/initramfs/distribution
centos-8.1-x86_64-default/boot/kernel
centos-8.1-x86_64-default/boot/efi/boot/BOOTX64.EFI
centos-8.1-x86_64-default/boot/efi/boot/grubx64.efi
centos-8.1-x86_64-default/boot/efi/boot/grub.cfg
centos-8.1-x86_64-default/boot/boot.ipxe
centos-8.1-x86_64-default/distribution
centos-8.1-x86_64-default/boot.img
Generally speaking, OS image
_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
