diff options
Diffstat (limited to 'fdio.infra.ansible/roles/nomad')
12 files changed, 437 insertions, 0 deletions
diff --git a/fdio.infra.ansible/roles/nomad/defaults/main.yaml b/fdio.infra.ansible/roles/nomad/defaults/main.yaml new file mode 100644 index 0000000000..864890c11e --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/defaults/main.yaml @@ -0,0 +1,105 @@ +--- +# file: roles/nomad/defaults/main.yaml + +# Inst - Prerequisites. +packages: "{{ packages_base + packages_by_distro[ansible_distribution | lower] + packages_by_arch[ansible_machine] }}" + +packages_base: + - "cgroup-bin" + - "curl" + - "git" + - "libcgroup1" + - "unzip" + - "htop" +packages_by_distro: + ubuntu: + - [] +packages_by_arch: + aarch64: + - [] + x86_64: + - [] + +# Inst - Download Nomad. +nomad_architecture_map: + amd64: "amd64" + x86_64: "amd64" + armv7l: "arm" + aarch64: "arm64" + 32-bit: "386" + 64-bit: "amd64" +nomad_architecture: "{{ nomad_architecture_map[ansible_architecture] }}" +nomad_version: "0.12.0" +nomad_pkg: "nomad_{{ nomad_version }}_linux_{{ nomad_architecture }}.zip" +nomad_zip_url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/{{ nomad_pkg }}" + +# Inst - System paths. +nomad_bin_dir: "/usr/local/bin" +nomad_config_dir: "/etc/nomad.d" +nomad_data_dir: "/var/nomad" +nomad_inst_dir: "/opt" +nomad_lockfile: "/var/lock/subsys/nomad" +nomad_run_dir: "/var/run/nomad" +nomad_ssl_dir: "/etc/nomad.d/ssl" + +# Conf - Service. +nomad_node_role: "both" +nomad_restart_handler_state: "restarted" + +# Conf - User and group. +nomad_group: "nomad" +nomad_group_state: "present" +nomad_manage_group: true +nomad_manage_user: true +nomad_user: "nomad" +nomad_user_groups: [ docker, nomad, root ] +nomad_user_state: "present" + +# Conf - base.hcl +nomad_bind_addr: "0.0.0.0" +nomad_datacenter: "dc1" +nomad_disable_update_check: true +nomad_enable_debug: false +nomad_log_level: "INFO" +nomad_name: "{{ inventory_hostname }}" +nomad_region: "global" +nomad_syslog_enable: true + +# Conf - tls.hcl +nomad_ca_file: "{{ nomad_ssl_dir }}/ca.pem" +nomad_cert_file: "{{ nomad_ssl_dir }}/nomad.pem" +nomad_http: false +nomad_key_file: "{{ nomad_ssl_dir }}/nomad-key.pem" +nomad_rpc: false + +# Conf - client.hcl +nomad_certificates: + - src: "{{ vault_nomad_ca_file }}" + dest: "{{ nomad_ca_file }}" + - src: "{{ vault_nomad_cert_file }}" + dest: "{{ nomad_cert_file }}" + - src: "{{ vault_nomad_key_file }}" + dest: "{{ nomad_key_file }}" +nomad_node_class: "" +nomad_no_host_uuid: true +nomad_options: {} +nomad_servers: [] +nomad_volumes: [] + +# Conf - server.hcl +nomad_bootstrap_expect: 2 +nomad_encrypt: "" +nomad_retry_join: true + +# Conf - telemetry.hcl +nomad_disable_hostname: false +nomad_collection_interval: 60s +nomad_use_node_name: false +nomad_publish_allocation_metrics: true +nomad_publish_node_metrics: true +nomad_backwards_compatible_metrics: false +nomad_telemetry_provider_parameters: + prometheus_metrics: true + +# Conf - custom.hcl +# empty diff --git a/fdio.infra.ansible/roles/nomad/handlers/main.yaml b/fdio.infra.ansible/roles/nomad/handlers/main.yaml new file mode 100644 index 0000000000..f0bcee9142 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/handlers/main.yaml @@ -0,0 +1,10 @@ +--- +# file roles/nomad/handlers/main.yaml + +- name: Restart Nomad + systemd: + daemon_reload: true + enabled: true + name: "nomad" + state: "{{ nomad_restart_handler_state }}" + diff --git a/fdio.infra.ansible/roles/nomad/meta/main.yaml b/fdio.infra.ansible/roles/nomad/meta/main.yaml new file mode 100644 index 0000000000..9fc40d9ae1 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/meta/main.yaml @@ -0,0 +1,9 @@ +--- +# file: roles/nomad/meta/main.yaml + +# desc: Install nomad from stable branch and configure service. +# inst: Nomad +# conf: ? +# info: 1.0 - added role + +dependencies: [ docker ] diff --git a/fdio.infra.ansible/roles/nomad/tasks/main.yaml b/fdio.infra.ansible/roles/nomad/tasks/main.yaml new file mode 100644 index 0000000000..54e80513b8 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/tasks/main.yaml @@ -0,0 +1,192 @@ +--- +# file: roles/nomad/tasks/main.yaml + +- name: Inst - Update Package Cache (APT) + apt: + update_cache: yes + cache_valid_time: 3600 + when: + - ansible_distribution|lower == 'ubuntu' + tags: + - nomad-inst-prerequisites + +- name: Inst - Prerequisites + package: + name: "{{ packages | flatten(levels=1) }}" + state: latest + tags: + - nomad-inst-prerequisites + +- name: Conf - Add Nomad Group + group: + name: "{{ nomad_group }}" + state: "{{ nomad_group_state }}" + when: + - nomad_manage_group | bool + tags: + - nomad-conf-user + +- name: Conf - Add Nomad user + user: + name: "{{ nomad_user }}" + group: "{{ nomad_group }}" + groups: "{{ nomad_user_groups }}" + state: "{{ nomad_user_state }}" + system: true + when: + - nomad_manage_user | bool + tags: + - nomad-conf-user + +- name: Inst - Clean Nomad + file: + path: "{{ nomad_inst_dir }}/nomad" + state: "absent" + tags: + - nomad-inst-package + +- name: Inst - Download Nomad + get_url: + url: "{{ nomad_zip_url }}" + dest: "{{ nomad_inst_dir }}/{{ nomad_pkg }}" + tags: + - nomad-inst-package + +- name: Inst - Unarchive Nomad + unarchive: + src: "{{ nomad_inst_dir }}/{{ nomad_pkg }}" + dest: "{{ nomad_inst_dir }}/" + creates: "{{ nomad_inst_dir }}/nomad" + remote_src: true + tags: + - nomad-inst-package + +- name: Inst - Nomad + copy: + src: "{{ nomad_inst_dir }}/nomad" + dest: "{{ nomad_bin_dir }}" + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + force: true + mode: 0755 + remote_src: true + tags: + - nomad-inst-package + +- name: Conf - Create Directories "{{ nomad_data_dir }}" + file: + dest: "{{ nomad_data_dir }}" + state: directory + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + tags: + - nomad-conf + +- name: Conf - Create Directories "{{ nomad_ssl_dir }}" + file: + dest: "{{ nomad_ssl_dir }}" + state: directory + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + tags: + - nomad-conf + +- name: Conf - Create Config Directory + file: + dest: "{{ nomad_config_dir }}" + state: directory + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + mode: 0755 + tags: + - nomad-conf + +- name: Conf - Base Configuration + template: + src: base.hcl.j2 + dest: "{{ nomad_config_dir }}/base.hcl" + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + mode: 0644 + tags: + - nomad-conf + +- name: Conf - Server Configuration + template: + src: server.hcl.j2 + dest: "{{ nomad_config_dir }}/server.hcl" + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + mode: 0644 + when: + - nomad_node_server | bool + tags: + - nomad-conf + +- name: Conf - Client Configuration + template: + src: client.hcl.j2 + dest: "{{ nomad_config_dir }}/client.hcl" + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + mode: 0644 + when: + - nomad_node_client | bool + tags: + - nomad-conf + +- name: Conf - TLS Configuration + template: + src: tls.hcl.j2 + dest: "{{ nomad_config_dir }}/tls.hcl" + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + mode: 0644 + tags: + - nomad-conf + +- name: Conf - Telemetry Configuration + template: + src: telemetry.hcl.j2 + dest: "{{ nomad_config_dir }}/telemetry.hcl" + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + mode: 0644 + tags: + - nomad-conf + +- name: Conf - Custom Configuration + template: + src: custom.json.j2 + dest: "{{ nomad_config_dir }}/custom.json" + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + mode: 0644 + when: + - nomad_config_custom is defined + tags: + - nomad-conf + +- name: Conf - Copy Certificates And Keys + copy: + content: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ nomad_user }}" + group: "{{ nomad_group }}" + mode: 0600 + no_log: true + loop: "{{ nomad_certificates | flatten(levels=1) }}" + tags: + - nomad-conf + +- name: Conf - System.d Script + template: + src: "nomad_systemd.service.j2" + dest: "/lib/systemd/system/nomad.service" + owner: "root" + group: "root" + mode: 0644 +# notify: +# - "Restart Nomad" + tags: + - nomad-conf diff --git a/fdio.infra.ansible/roles/nomad/templates/base.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/base.hcl.j2 new file mode 100644 index 0000000000..7badecf9e0 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/templates/base.hcl.j2 @@ -0,0 +1,11 @@ +name = "{{ nomad_name }}" +region = "{{ nomad_region }}" +datacenter = "{{ nomad_datacenter }}" + +bind_addr = "{{ nomad_bind_addr }}" +data_dir = "{{ nomad_data_dir }}" + +enable_syslog = {{ nomad_syslog_enable | bool | lower }} +enable_debug = {{ nomad_enable_debug | bool | lower }} +disable_update_check = {{ nomad_disable_update_check | bool | lower }} +log_level = "{{ nomad_log_level }}" diff --git a/fdio.infra.ansible/roles/nomad/templates/client.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/client.hcl.j2 new file mode 100644 index 0000000000..f245697a22 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/templates/client.hcl.j2 @@ -0,0 +1,31 @@ +client { + enabled = {{ nomad_node_client | bool | lower }} + no_host_uuid = {{ nomad_no_host_uuid | bool | lower }} + node_class = "{{ nomad_node_class }}" + + {% if nomad_cpu_total_compute is defined -%} + cpu_total_compute = {{ nomad_cpu_total_compute }} + {% endif -%} + + {% if nomad_servers -%} + servers = [ {% for ip_port in nomad_servers -%} "{{ ip_port }}" {% if not loop.last %},{% endif %}{%- endfor -%} ] + {% endif %} + + {% if nomad_options -%} + options = { + {% for key, value in nomad_options.items() %} + "{{ key }}" = "{{ value }}" + {% endfor -%} + } + {% endif %} + + {% if nomad_volumes -%} + {% for volume in nomad_volumes -%} + host_volume "{{ volume.name }}" { + path = "{{ volume.path }}" + read_only = {{ volume.read_only | bool | lower }} + } + {% endfor -%} + {% endif %} + +} diff --git a/fdio.infra.ansible/roles/nomad/templates/custom.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/custom.hcl.j2 new file mode 100644 index 0000000000..37ff6f3496 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/templates/custom.hcl.j2 @@ -0,0 +1,5 @@ +{% if nomad_config_custom -%} +{{ nomad_config_custom | to_nice_json }} +{% else %} +{} +{% endif %} diff --git a/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2 b/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2 new file mode 100644 index 0000000000..2a87c65063 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2 @@ -0,0 +1,21 @@ +[Unit] +Description=Nomad Service +Documentation=https://www.nomadproject.io/docs/ +Wants=network-online.target +After=network-online.target + +[Service] +# TODO: Decrease privilege +ExecReload=/bin/kill -SIGHUP $MAINPID +ExecStart={{ nomad_bin_dir }}/nomad agent -config={{ nomad_config_dir }} +KillSignal=SIGTERM +LimitNOFILE=infinity +LimitNPROC=infinity +Restart=on-failure +RestartSec=1 +User=root +Group=root +Environment="GOMAXPROCS=2" + +[Install] +WantedBy=multi-user.target diff --git a/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2 new file mode 100644 index 0000000000..b581de9ad0 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2 @@ -0,0 +1,16 @@ +server { + enabled = {{ nomad_node_server | bool | lower }} + + {% if nomad_node_server | bool -%} + bootstrap_expect = {{ nomad_bootstrap_expect }} + {%- endif %} + + encrypt = "{{ nomad_encrypt }}" + + {% if nomad_retry_join | bool -%} + server_join { + retry_join = [ {% for ip_port in nomad_retry_servers -%} "{{ ip_port }}" {% if not loop.last %},{% endif %}{%- endfor -%} ] + } + {%- endif %} + +} diff --git a/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2 new file mode 100644 index 0000000000..256c6999e9 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2 @@ -0,0 +1,20 @@ +telemetry { + # Telemetry provider parameters + {% for key, value in nomad_telemetry_provider_parameters.items() -%} + {% if value|bool -%} + {{ key }} = {{ value | bool | lower }} + {% elif value|string or value == "" -%} + {{ key }} = "{{ value }}" + {% else %} + {{ key }} = {{ value }} + {% endif -%} + {% endfor -%} + + # Common parameters + disable_hostname = {{ nomad_disable_hostname | bool | lower }} + collection_interval = "{{ nomad_collection_interval }}" + use_node_name = {{ nomad_use_node_name | bool | lower }} + publish_allocation_metrics = {{ nomad_publish_allocation_metrics | bool | lower }} + publish_node_metrics = {{ nomad_publish_node_metrics | bool | lower }} + backwards_compatible_metrics = {{ nomad_backwards_compatible_metrics | bool | lower }} +} diff --git a/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2 new file mode 100644 index 0000000000..650765f1b1 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2 @@ -0,0 +1,12 @@ +{% if ( nomad_ca_file ) and + ( nomad_cert_file ) and + ( nomad_key_file ) +%} +tls { + http = {{ nomad_http | bool | lower }} + rpc = {{ nomad_rpc | bool | lower }} + ca_file = "{{ nomad_ca_file }}" + cert_file = "{{ nomad_cert_file }}" + key_file = "{{ nomad_key_file }}" +} +{% endif %} diff --git a/fdio.infra.ansible/roles/nomad/vars/main.yaml b/fdio.infra.ansible/roles/nomad/vars/main.yaml new file mode 100644 index 0000000000..a72222c992 --- /dev/null +++ b/fdio.infra.ansible/roles/nomad/vars/main.yaml @@ -0,0 +1,5 @@ +--- +# file: roles/nomad/vars/main.yaml + +nomad_node_client: "{{ (nomad_node_role == 'client') or (nomad_node_role == 'both') }}" +nomad_node_server: "{{ (nomad_node_role == 'server') or (nomad_node_role == 'both') }}" |