From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mark@klomp.org>
Received: from gnu.wildebeest.org (gnu.wildebeest.org [45.83.234.184])
 by sourceware.org (Postfix) with ESMTPS id A2AA8385608E
 for <buildbot@sourceware.org>; Thu, 16 Jun 2022 22:49:15 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org A2AA8385608E
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=klomp.org
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=klomp.org
Received: from reform (deer0x09.wildebeest.org [172.31.17.139])
 (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by gnu.wildebeest.org (Postfix) with ESMTPSA id 34433302FB88;
 Fri, 17 Jun 2022 00:49:14 +0200 (CEST)
Received: by reform (Postfix, from userid 1000)
 id D6A252E80832; Fri, 17 Jun 2022 00:49:13 +0200 (CEST)
Date: Fri, 17 Jun 2022 00:49:13 +0200
From: Mark Wielaard <mark@klomp.org>
To: Lance Albertson via RT <hosting-request@osuosl.org>
Cc: buildbot@sourceware.org
Subject: Re: [support.osuosl.org #32563] Request CI hosting for
 builder.sourceware.org
Message-ID: <YquzaUkVzeNrp20b@wildebeest.org>
References: <RT-Ticket-32563@osuosl.org> <Yp5+pqvhR8WYiaqq@wildebeest.org>
 <rt-4.0.4-32453-1654617175-469.32563-6-0@osuosl.org>
 <Yp/QJe5mY3nf6vPY@wildebeest.org>
 <rt-4.0.4-80639-1654640709-839.32563-6-0@osuosl.org>
 <rt-4.0.4-136335-1655401242-1064.32563-6-0@osuosl.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="YihNs851sc+szuS7"
Content-Disposition: inline
In-Reply-To: <rt-4.0.4-136335-1655401242-1064.32563-6-0@osuosl.org>
X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00, JMQ_SPF_NEUTRAL,
 KAM_DMARC_STATUS, SPF_HELO_NONE, SPF_PASS, TXREP,
 T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-BeenThere: buildbot@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "The https://builder.sourceware.org/ buildbot"
 <buildbot.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/buildbot>,
 <mailto:buildbot-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/buildbot/>
List-Post: <mailto:buildbot@sourceware.org>
List-Help: <mailto:buildbot-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/buildbot>,
 <mailto:buildbot-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2022 22:49:17 -0000


--YihNs851sc+szuS7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi Lance,

On Thu, Jun 16, 2022 at 10:40:42AM -0700, Lance Albertson via RT wrote:
> On Tue Jun 07 15:25:09 2022, mark@klomp.org wrote:
> > Yes. I didn't know if it was appropriate to include a public list on osuosl
> > tickets. But I added the builder project email address buildbot@sourceware.org
> > to this email.
> 
> We've done it with other projects so it shouldn't be a problem as long as you're
> OK with it.

Yes, this makes sure all builder contributors know what is being setup.

> > Fedora would be fine. But for the other container builders we are actually
> > using Fedora CoreOS, which is an auto updating variant (which is great for our
> > zero maintenance infrastructure). We could install that ourselves. Or go with
> > plain Fedora if we make sure it also autoupdates.
> 
> I haven't had a chance to get in the data center to allocate a system. I'm
> hoping to get to that next week. Sorry for the delay! I'll try and get Fedora
> CoreOS installed.

If you could use something like the attached butane/ignition file that
would be great. You might need to change the disk device name if it
isn't /dev/vda but everything else (except the hostname) is generic
and allows the buildbot to connect to it through ssh directly (might
be on a different port behind NAT).

This is all the state/config needed. Everything else (docker images,
git repos, buildbot workers, builds, etc) can/will be regenerated when
needed. So we don't need any backups, because the whole setup can be
regenerated by this butane.yaml file.

Assuming you are using openstack, see also
https://docs.fedoraproject.org/en-US/fedora-coreos/provisioning-openstack/

You don't need to use my ssh key for the core user. With this setup I
don't really need access. You can assign a different authorized key if
you want to have access yourself.

But we can also go with plain Fedora and then I'll setup docker and
the builder user up myself.

> > > We typically name systems as <short project name>-<hostname>.osuosl.org. So
> > > I'd assume we'd go with sourceware-<hostname>.osuosl.org. Do you have a
> > > hostname in mind?
> >
> > sourceware-builder.osuosl.org but note that we don't need a public reachable
> > host. All that is needed is a port to access it through ssh, which doesn't
> > need to be port 22.
> 
> I'll likely go with sourceware-builder1.osuosl.org so we can easily increment it
> if we add more hosts.

I like that :)

Thanks,

Mark
--YihNs851sc+szuS7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="osuosl-butane.yaml"

variant: fcos
version: 1.4.0
storage:
  disks:
  - device: /dev/vda
    wipe_table: false
    partitions:
    # 10GB root (already exists, resize)
    - number: 4
      label: root
      size_mib: 10240
      resize: true
    # 8GB swap
    - number: 5
      label: swap
      size_mib: 8192
    # Everything else for /var (which includes everything writable)
    - size_mib: 0
      label: var
  filesystems:
    - device: /dev/disk/by-partlabel/swap
      format: swap
      wipe_filesystem: true
      with_mount_unit: true
    - path: /var
      device: /dev/disk/by-partlabel/var
      # We can select the filesystem we'd like.
      format: ext4
      wipe_filesystem: true
      # Ask Butane to generate a mount unit for us so that this filesystem
      # gets mounted in the real root.
      with_mount_unit: true
  files:
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: sourceware-builder1
systemd:
  units:
    # Create and set selinux context for shared builder dir
    - name: builder-shared-dir.service
      enabled: true
      contents: |
        [Unit]
        Description=Builder shared dir
        Wants=network-online.target
        After=network-online.target
        Before=zincati.service
        ConditionPathExists=!/var/lib/%N.stamp

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/bin/mkdir -p /home/builder/shared
        ExecStart=/bin/chown builder.builder /home/builder/shared
        ExecStart=/bin/chcon -t container_file_t /home/builder/shared
        ExecStart=/bin/touch /var/lib/%N.stamp

        [Install]
        WantedBy=multi-user.target
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgVJJnY8zh8uHn8d/E7p4j+9ueTvTHMRYOS0kkGhHBC7JmxCw6/EvbnbTsI0CQeyIJHlmPIqDVgRVjijcTWacd3vIdazzH9sqs65nl49yMnA23tIya4VWlbHC3J4x/LL84A4GaJO/FVF2vv6hVg3IGbopp5KX+pr6s56TiWddSDqMgjb7rSzjWuNyRK75ToctL7Y/Zn6st3ZioO7LXq3ghkWf8JR7ZaUFIY6P1qS5heiCHP0PxQJSrtpYzH3rKJoHpIkjxnsB/sD0C05cAdlzXBTUVTNLY+DPlQ7FeRkG+VK91briG4tvQ8ohhEiC9HuJu1AKMNWBZ9qeUwsXaJvNz
    - name: builder
      uid: 1001
      groups: [docker]
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnB//uE66TX+nmLuox3ETfZ7dvjUl2mlwN4Q+107EWCuP05eKxcahyzwenmzODzzC8/hUVeUtuCJJyMW8+CpqCluHd2bEUT9WIzP1C/T22jBUbhY7zXLufSYfKmZe9zHNUizEbqbGAfR01D3jv3wis8JNOq/yopGLKJmAPd/Ye8XN5lsfAUTREIF+xygjxSb6SZPU9UvKlJmnwZoCN2Fd1u4IhSWBcD3dyZyirD80ZLGsSdOUmzX2Z2NaSI5tG6MxjYtQZbzmsG/Z0HY1Y/KiSolX989+7dMKMy2V911SkS6Cx9aVuSY+ig9Rq6GpfjGkBnHrNCCeVFe8PlYJl6DXZ

--YihNs851sc+szuS7--