Feature #22862
open
Ansible playbooks should validate Arvados config before use
Description
Before running, each playbook that reads Arvados cluster configuration should validate that the values it needs are meaningful: that they have the right types, that they have meaningful values (e.g., tokens aren't empty), etc.
It should only check the values that it actually depends on. e.g., build-compute-image.yml doesn't need most service configuration, and it makes ops' lives a lot easier if we don't require it to have that to run.
One implementation idea I have is that we write a custom test in Python that takes a list of configuration keys to validate. The Python code knows how to validate every configuration key used by Ansible and can explain which one(s) are wrong and why. It would be good to explore whether there's some way to have that Python share logic with configuration validation logic we already have in Go.
Another idea is to extend arvados-server config-dump to only dump specific section(s), and check those sections as part of its work. Then the Ansible playbook could call that and use that to load the configuration instead. (This would require us to do #20727 and have each playbook download arvados-server.)
Specific requirements as of 2025-05-09:
build-compute-image.ymlonly reads theContainerssection.install-test-env.ymlonly reads thePostgreSQLsection.install-arvados-cluster.ymlshould check the entire configuration, because it's going to deploy that to hosts across the cluster. So while there are whole sections the playbook itself ignores, it should validate the entire configuration as part of its work, and therefore be able to count on using any of it.
Updated by Peter Amstutz 10 months ago
- Related to Bug #22830: Ansible playbooks should respect config.default.yml added
Updated by Peter Amstutz 10 months ago
So, between this and #22830 it seem pretty clear we want to have arvados-server and arvados-client installed, we have talked about publishing standalone binaries (#20727) but provided we're running Ansible from a supported OS we can also install them locally as packages:
- name: Install arvados-client debian package
hosts: localhost
tasks:
- name: Install python-debian into current virtualenv
ansible.builtin.pip:
name:
- python-debian
- ansible.builtin.include_role:
name: arvados_apt
- name: Install arvados-client
become: yes
ansible.builtin.apt:
name:
- arvados-client
- arvados-server
Updated by Brett Smith 10 months ago
Peter Amstutz wrote in #note-7:
provided we're running Ansible from a supported OS we can also install them locally as packages:
We can but IMO that sucks and we shouldn't. Nothing in the current Ansible playbooks requires messing with the system configuration on the control node and there's a lot of operational value in keeping it that way. It's also just ergonomically annoying because your sudo password on the control node is probably not the same as your sudo password on the managed nodes and there's no good options for handling that split.
#20727 avoids all these problems and has additional benefits to users besides. We should just do that.
Updated by Brett Smith 9 months ago
- Target version deleted (
Development 2025-07-09)
Updated by Brett Smith 9 months ago
- Related to Idea #18337: Easier install using Ansible added