Need to deploy custom file to worker nodes


Kevin Knox

Jan 23, 2023, 3:11:19 PM
to AWX Project
I need a custom /etc/krb5.conf on my AWX worker nodes so they can log into Windows boxes in my company. I could do this with other files by copying the file to localhost as an initial task. I cannot do this with krb5.conf, because it's owned by root. Stymied. 

I assume my only path forward is to create a custom EE image with my file baked in. The admin I'm replacing could do this, but he left without documentation. Is there a guide somewhere on how to do this?

Thank you. 

Kevin Knox

Jan 23, 2023, 4:00:45 PM
to AWX Project
I have a configmap with the contents of the krb5.conf I need, and that file is a part of the web, task, and ee running nodes. But it is not a part of the ephemeral worker nodes. I don't know the process of modifying the worker nodes. 

Diego Rivera

Jan 23, 2023, 4:26:53 PM
to AWX Project
As far as I know, you can only do this by referencing PVCs that can be bound to the containers using the extra_volumes, web_extra_volume_mounts, task_extra_volume_mounts, and ee_extra_volume_mounts directives, like so:

  extra_volumes: |
    - name: ssh-config
      persistentVolumeClaim:
        # This volume claim (and its matching volume) must be created manually
        claimName: ssh-config
    - name: static-data
      persistentVolumeClaim:
        # This volume claim (and its matching volume) must be created manually
        claimName: arkcase-static-data

  web_extra_volume_mounts: |
    - name: ssh-config
      mountPath: /etc/ssh/ssh_config.d
    - name: static-data
      mountPath: /var/lib/projects

  task_extra_volume_mounts: |
    - name: ssh-config
      mountPath: /etc/ssh/ssh_config.d

  ee_extra_volume_mounts: |
    - name: ssh-config
      mountPath: /etc/ssh/ssh_config.d

This is what I ended up doing to distribute specific SSH configurations that were required (not keys, but rather configurations the ssh client should apply when attempting connections).

I did look at the source code while researching this and I didn't see a clean way to do more "arbitrary" volume mounts here. The issue stems from the schema for the AWXS definition file restricting the kinds of "magic" one can do with it. I have no doubt something like what you suggest could be supported, but it would definitely require quite a few changes in several places.

Cheers!

Kevin Knox

Jan 23, 2023, 4:38:30 PM
to AWX Project
Thank you! I have done this for the web, task, and ee nodes, but I don't know how to do it for the worker nodes. 

  web_extra_volume_mounts: |
    - name: krb5
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  task_extra_volume_mounts: |
    - name: krb5
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  ee_extra_volume_mounts: |
    - name: krb5
      mountPath: /etc/krb5.conf
      subPath: krb5.conf
  extra_volumes: |
    - name: krb5
      configMap:
        defaultMode: 420
        items:
        - key: krb5.conf
          path: krb5.conf
        name: aep-krb5-conf-cm

kurokobo

Jan 23, 2023, 7:32:33 PM
to awx-p...@googlegroups.com
Hi,

Have you tried to use Container Group?
Here is my unofficial guide to use kerberos auth on the ephemeral automation job pod:

Regards,

--
@kurokobo


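The Container Group route kurokobo points at, written out as an added example (this is not kurokobo's guide, nor AWX's own documentation): a ConfigMap carrying the krb5.conf, plus a custom pod spec for the container group that mounts that single file into the ephemeral automation job pod. The pod spec follows the shape of the default spec AWX generates for a container group; the volumes and volumeMounts sections are the addition. The namespace `awx`, the realm `EXAMPLE.COM`, the KDC hostname and the image tag are assumptions; the ConfigMap name reuses `aep-krb5-conf-cm` from the thread.

```yaml
# Constructed example: ConfigMap holding the krb5.conf the job pods need.
# Realm and KDC values are placeholders; replace them with your own.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aep-krb5-conf-cm
  namespace: awx
data:
  krb5.conf: |
    [libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        rdns = false
    [realms]
        EXAMPLE.COM = {
            kdc = dc01.example.com
        }
    [domain_realm]
        .example.com = EXAMPLE.COM
---
# Custom pod spec for an AWX Container Group
# (Instance Groups -> Container Group -> "Customize pod specification").
# Mirrors the default pod spec AWX generates; only the volume parts are new.
apiVersion: v1
kind: Pod
metadata:
  namespace: awx
spec:
  serviceAccountName: default
  automountServiceAccountToken: false
  containers:
    - image: quay.io/ansible/awx-ee:latest
      name: worker
      args:
        - ansible-runner
        - worker
        - --private-data-dir=/runner
      resources:
        requests:
          cpu: 250m
          memory: 100Mi
      volumeMounts:
        # subPath mounts just this one file, so the rest of /etc from the
        # image stays intact. The kubelet performs the mount, which is why
        # the unprivileged container user never needs write access to /etc.
        - name: krb5
          mountPath: /etc/krb5.conf
          subPath: krb5.conf
          readOnly: true
  volumes:
    - name: krb5
      configMap:
        name: aep-krb5-conf-cm
        # 292 decimal == 0444: readable by everyone in the pod, writable by nobody
        defaultMode: 292
        items:
          - key: krb5.conf
            path: krb5.conf
```

Two things to keep in mind with this layout. A subPath mount of a ConfigMap is not refreshed inside a running pod, which is harmless here because each job pod is created fresh and picks up whatever the ConfigMap holds at launch time; edit the ConfigMap and the next job sees it. Marking the mount readOnly (and the file 0444) means nothing running inside the job pod, including a playbook task, can quietly redirect the realm to a different KDC, so the only place the Kerberos configuration can change is the ConfigMap you control in the cluster.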

Diego Rivera

Jan 24, 2023, 12:58:30 PM
to AWX Project
Yeah this is actually a good approach - a custom pod spec. It's a shame there's no simpler way to implement this b/c having to specify an entire pod for the automation group carries its own risks of misconfigurations (due to ignorance, mostly) leading the workers astray.

But yes - this approach of customizing the pod for the group should definitely work.

Cheers!

Diego Rivera

Jan 24, 2023, 1:38:41 PM
to AWX Project
Let me clarify: the risk of mucking up the pod spec is high, is what I meant :D

Kevin Knox

Jan 24, 2023, 2:01:57 PM
to AWX Project
Thank you, @kurokobo! This looks like exactly what I need. I did a quick, naive implementation from your outline with my namespace and the pod in the worker node failed with:
{"status": "error", "job_explanation": "Failed to JSON parse a line from transmit stream."} {"eof": true}

I've been in meeting after meeting all day, and I have a couple more in front of me, so I doubt I'll be able to push at this for a day or so, but it sure looks like exactly what I need. Thank you! I'll dig in soonest. 

And thank you, Diego, for the confirmation.

Kevin