diff --git a/doc/source/afs.rst b/doc/source/afs.rst index ec2d67ab47..cdc69437f4 100644 --- a/doc/source/afs.rst +++ b/doc/source/afs.rst @@ -26,10 +26,15 @@ At a Glance * afs01.dfw.openstack.org (a fileserver in DFW) * afs02.dfw.openstack.org (a second fileserver in DFW) * afs01.ord.openstack.org (a fileserver in ORD) + * mirror-update.openstack.org (host running legacy mirror update jobs) + * mirror-update01.opendev.org (host running mirror update jobs) :Puppet: * https://opendev.org/opendev/puppet-openafs * :git_file:`modules/openstack_project/manifests/afsdb.pp` * :git_file:`modules/openstack_project/manifests/afsfs.pp` +:Ansible: + * :git_file:`playbooks/service-mirror.yaml` + * :git_file:`playbooks/service-mirror-update.yaml` :Projects: * http://openafs.org/ :Bugs: @@ -321,7 +326,7 @@ In order to establish a new mirror, do the following: * The following commands need to be run authenticated on a host with kerberos and AFS setup (see `afs_client`_; admins can run the - commands on ``mirror-update.openstack.org``). Firstly ``kinit`` and + commands on ``mirror-update.opendev.org``). Firstly ``kinit`` and ``aklog`` to get tokens. * Create the mirror volume. See `Creating a Volume`_ for details. @@ -381,14 +386,14 @@ read-write volumes. kadmin: addprinc -randkey service/foo-mirror@OPENSTACK.ORG kadmin: ktadd -k /path/to/foo.keytab service/foo-mirror@OPENSTACK.ORG -* Add the service principal's keytab to hiera. Copy the binary key to - ``bridge.openstack.org`` and then use ``hieraedit`` to update - the files +* Add the service principal's keytab to Ansible secrets. Copy the + binary key to ``bridge.openstack.org`` and then use ``hieraedit`` to + update the files .. code-block:: console root@bridge:~# /opt/system-config/tools/hieraedit.py \ - --yaml /etc/ansible/hosts/host_vars/mirror-update.openstack.org.yaml \ + --yaml /etc/ansible/hosts/host_vars/mirror-update01.opendev.org.yaml \ -f /path/to/foo.keytab KEYNAME (don't forget to ``git commit`` and save the change; you can remove @@ -398,8 +403,12 @@ read-write volumes. cat /path/to/foo.keytab | base64 -* Add the new key to ``mirror-update.openstack.org`` in - ``manifests/site.pp`` for the mirror scripts to use during update. +* Ensure the values in this new variable are written to disk as the + keytab on ``mirror-update.opendev.org`` by adding it to the + ``mirror-update`` role for the mirror scripts to use during update. + You should check this with ``testinfra`` in + ``testinfra/test_mirror-update.py`` (note this involves defining a + "dummy" keytab for testing; see the other examples). * Create an AFS user for the service principal:: @@ -437,7 +446,7 @@ membership if our needs change. Because the initial replication may take more time than we allocate in our mirror update cron jobs, manually perform the first mirror update: -* In screen, obtain the lock on ``mirror-update.openstack.org``:: +* In screen, obtain the lock on ``mirror-update01.opendev.org``:: flock -n /var/run/foo-mirror/mirror.lock bash