Feature: Provisioning (ix-iocage-plugin) #426
Conversation
gronke
force-pushed
the
feature/provisioning
branch
13 times, most recently
from
dfe52be to
60d2e1a
Compare
|
The libiocage does not automatically configure the network when provisioning jails or templates because they are potentially untrusted. |
iocage/lib/Provisioning/ix.py
Outdated
| yield event | ||
|
|
||
| try: |
There was a problem hiding this comment.
Why do a try: finally block when any of the try's above the finally statement would end execution. I think you can drop a whole nested level here.
There was a problem hiding this comment.
It would, but instead each nested try block would require the same fallback. This top-level try/finally makes sure that the code in finally is executed independently of the success of its internal steps.
iocage/lib/Provisioning/ix.py
Outdated
| yield packageInstallEvent.begin() | ||
| try: | ||
| stdout, stderr, returncode = self.jail.exec( | ||
| ["pkg", "install", "-yield"] + pkg_packages, |
There was a problem hiding this comment.
Hahahaha, damn you auto-correct. 😆(Have no other explanation)
Of course this must be just -y.
iocage/lib/Provisioning/ix.py
Outdated
| zfs.delete_dataset_recursive(dataset) | ||
| except libzfs.ZFSException: | ||
| except libzfs.ZFSException as e: |
There was a problem hiding this comment.
You aren't using e, you can drop that
iocage/lib/Jail.py
Outdated
| @@ -375,6 +374,7 @@ def provisioner(self) -> 'iocage.lib.Provisioning.prototype.Provisioner': | |||
| except AttributeError: | |||
| pass | |||
|
|
|||
| import iocage.lib.Provisioning | |||
There was a problem hiding this comment.
Why do you remove the top level import? Recursion issues?
There was a problem hiding this comment.
Yes Python does not like circular dependencies when loading them at import time. And In long term I'd like to reduce the memory footprint and startup time by lazy-loading specific features. There is a relatively small penalty for re-importing dependencies, but this would only happen once per jail if the provisioner is used.
iocage/cli/provision.py
Outdated
| yield event | ||
| if isinstance(event, iocage.lib.events.JailCommandExecution): |
There was a problem hiding this comment.
This should just be an additional line with \ as there isn't anything else to be done if the if statement below isn't True
There was a problem hiding this comment.
I don't get it. Could you please further explain or leave a code snippet?
gronke
force-pushed
the
feature/provisioning
branch
2 times, most recently
from
1a9271e to
c20d993
Compare
|
@william-gr we've talked about ix-iocage-plugin support at BSDCan. Finally here is the implementation to install the plugins using the provision command (or Jail method). @skarekrow you have pointed out some plugin features that were not implemented in this branch. In my opinion another application layer than libiocage should implement UI specific features such as printing administration URLs. My recommendation here is to use custom jail config properties to store the desired port and applying it (or the plugins default) during jail start. At jail start you have such properties stored in the environment variables. Can you spot any missing install steps besides the UI part, that seems FreeNAS specific to me. |
gronke
changed the title
gronke
force-pushed
the
feature/provisioning
branch
from
c20d993 to
b406f6b
Compare
gronke
force-pushed
the
feature/provisioning
branch
from
b406f6b to
001ac8e
Compare
|
This feature can be enhanced after #435 is merged, so that no network is required in jails for package installation. Most of the ix-iocage-plugins will then not require network to get provisioning. |
iocage/cli/provision.py
Outdated
| __rootcmd__ = True | ||
|
|
||
|
|
||
| @click.command(name="start", help="Trigger provisionong of jails.") |
iocage/cli/provision.py
Outdated
| "--option", "-o", | ||
| "temporary_config_override", | ||
| multiple=True, | ||
| help="Temporary override jail config options" |
iocage/cli/provision.py
Outdated
| jails: typing.Tuple[str, ...], | ||
| temporary_config_override: typing.Tuple[str, ...] | ||
| ) -> None: | ||
| """Start one or many jails.""" |
| failed_jails.append(jail) | ||
| continue | ||
|
|
||
| changed_jails.append(jail) |
There was a problem hiding this comment.
can we really tell here if a jail was changed (again)? or if an idempotent operation did, in fact, nothing?
There was a problem hiding this comment.
No, at the current time plugins do not signal whether they applied changes or not. We only know that the provisioner ran and did not error.
There was a problem hiding this comment.
puppet returns 1 on success, 0 on idempotent success, and 2 on failure
There was a problem hiding this comment.
Then we can listen for the return code in the puppet provisioner. The ix-plugins do not differentiate, so that there is no need yet to respond here now.
iocage/cli/start.py
Outdated
| "--option", "-o", | ||
| "temporary_config_override", | ||
| multiple=True, | ||
| help="Temporary override jail config options" |
There was a problem hiding this comment.
"temporarily", or else, make it "for jail config options"
| key: str, | ||
| data: typing.Dict[str, typing.Any] | ||
| ) -> None: | ||
| if "." in key: |
There was a problem hiding this comment.
mumbles something about nested json
There was a problem hiding this comment.
This is about CLI interaction. The internal storage occurs as nested JSON - just the property may be accessed via dot notation.
iocage/lib/Provisioning/ix.py
Outdated
| try: | ||
| if os.path.isfile(f"{plugin_dataset.mountpoint}/post_install.sh"): | ||
| stdout, stderr, returncode = self.jail.exec( | ||
| ["/.ix-plugin/post_install.sh"] |
There was a problem hiding this comment.
is this file guaranteed to be executable?
There was a problem hiding this comment.
It was created by ourselves. Yes, we can assume that this file is existing and executable.
iocage/lib/ResourceUpdater.py
Outdated
| @@ -441,6 +441,7 @@ class HardenedBSD(Updater): | |||
|
|
|||
| @property | |||
| def _update_command(self) -> typing.List[str]: | |||
| return ["sleep", "2000"] | |||
There was a problem hiding this comment.
😮 Good question. Will be removed!
gronke
force-pushed
the
feature/provisioning
branch
2 times, most recently
from
c8f133d to
a630e5c
Compare
fixes an issue deleting properties from jails
instead of returning provisioning that points to a dict structure provisioning.source and its siblings are returned
gronke
force-pushed
the
feature/provisioning
branch
from
40bb603 to
0fa7c34
Compare
|
This basic implementation of ix-iocage-plugins also lays the groundwork for libiocage provisioning. As discussed offline with @skarekrow there are changes to the ix-iocage-plugin standard planned aiming for:
Now is the right time to start an open discussion around this topic, so that we end up with a solution that shares interfaces with Ansible and Puppet provisioning. With support for provisioning of current ix-iocage-plugins and the base implementation for generalised provisioning in this branch is ready to get merged at this point. |
closes #1
ixfor ix-iocage-pluginsansibleas runner for ansible playbooks stored in a remote git repositoryix-iocage-plugin install stages
When a jail is configured with
provisioning.method=ix, the following will happen when running the provisioning command withprovisioning.source=jenkins:artifactsfrom jenkins.jsonpkgsin jenkinsk.json within the jailpost_install.shfrom the artifacts folder if it existsCLI Syntax
ioc create plextemplate \ provisioning.method=ix \ provisioning.source=plexmediaserver \ template=yes # run provisioner ioc provision plextemplate # create jail from the provisioned template ioc create -t plextemplate plexjail # configure network and run plexjail # ...Update: Providing a temporary network connecting is no longer required. The ix-iocage-plugin now installs packages via iocage.lib.Pkg which does not require internet connections within a jail.