From f7efa6c4e335725bd289c4ed49ae163b198654ce Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Tue, 4 Nov 2025 11:20:39 +0000 Subject: [PATCH 1/5] Add protected environment checks hook --- environments/site/hooks/pre.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 environments/site/hooks/pre.yml diff --git a/environments/site/hooks/pre.yml b/environments/site/hooks/pre.yml new file mode 100644 index 000000000..cd25e9217 --- /dev/null +++ b/environments/site/hooks/pre.yml @@ -0,0 +1,20 @@ +--- + +- hosts: localhost + gather_facts: no + become: no + tasks: + - name: Confirm continuing if using production environment + ansible.builtin.pause: + prompt: | + ************************************* + * WARNING: PROTECTED ENVIRONMENT! * + ************************************* + + Current environment: {{ appliances_environment_name }} + Do you really want to continue (yes/no)? + register: env_confirm_safe + when: + - appliances_environment_name in protected_environments + - not (prd_continue | default(false) | bool) + failed_when: not (env_confirm_safe.user_input | bool) \ No newline at end of file From ca475780c660cdd19e6e840d5165e9859c21ca3f Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Tue, 4 Nov 2025 11:23:16 +0000 Subject: [PATCH 2/5] populate protected_environments list --- environments/site/hooks/pre.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/environments/site/hooks/pre.yml b/environments/site/hooks/pre.yml index cd25e9217..cc0a6c6a9 100644 --- a/environments/site/hooks/pre.yml +++ b/environments/site/hooks/pre.yml @@ -3,6 +3,9 @@ - hosts: localhost gather_facts: no become: no + vars: + protected_environments: + - prd tasks: - name: Confirm continuing if using production environment ansible.builtin.pause: From ceaba175873f02c595e235c1693a788be5663f7b Mon Sep 17 00:00:00 2001 
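Review bot: The confirmation task in the new `environments/site/hooks/pre.yml` (PATCH 1/5) has no comment documenting the `prd_continue` override or what happens when the playbook runs without a terminal. The same task reappears undocumented in `ansible/safe-env.yml` in PATCH 4/5. As far as I can tell, a non-interactive run gets an empty `user_input`, so `failed_when` aborts the play, which is the safe direction, but operators only find the escape hatch by reading the `when:` clause. I would add above the task `# Unattended runs against a protected environment must pass -e prd_continue=true; any answer the bool filter does not read as true aborts the run.` Because `prd_continue` is an ordinary variable, the comment should also say it belongs on the command line only, since committing it to an environment's group_vars would silently disable the check.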
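Review bot: Defining `protected_environments` under the play's `vars:` in PATCH 2/5 means inventory cannot extend the list, because play vars take precedence over group_vars. The membership test in `when:` is an exact string match, so a site whose production environment is named anything other than `prd` gets no prompt unless it edits this file or passes extra vars. I would drop the play-level definition and write the condition as `- appliances_environment_name in (protected_environments | default(['prd']))` so each environment can set the list in its own inventory. The same block is carried into `ansible/safe-env.yml` in PATCH 4/5. The play begins above this hunk, so only the added `vars:` lines are in question here.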
From: bertiethorpe Date: Tue, 4 Nov 2025 16:24:48 +0000 Subject: [PATCH 3/5] unlock instances before rebuild-via-slurm --- ansible/adhoc/lock_unlock_instances.yml | 10 ++++++++++ ansible/adhoc/rebuild-via-slurm.yml | 10 ++++++++++ ansible/site.yml | 6 ++++++ 3 files changed, 26 insertions(+) create mode 100644 ansible/adhoc/lock_unlock_instances.yml diff --git a/ansible/adhoc/lock_unlock_instances.yml b/ansible/adhoc/lock_unlock_instances.yml new file mode 100644 index 000000000..81ec547ab --- /dev/null +++ b/ansible/adhoc/lock_unlock_instances.yml @@ -0,0 +1,10 @@ +--- + +- hosts: "{{ target_hosts | default('all') }}" + gather_facts: no + become: no + tasks: + - name: Lock/Unlock instances + openstack.cloud.server_action: + action: "{{ server_action | default('lock') }}" + server: "{{ inventory_hostname }}" \ No newline at end of file diff --git a/ansible/adhoc/rebuild-via-slurm.yml b/ansible/adhoc/rebuild-via-slurm.yml index 33cbe5cc7..bf26e0323 100644 --- a/ansible/adhoc/rebuild-via-slurm.yml +++ b/ansible/adhoc/rebuild-via-slurm.yml @@ -8,6 +8,16 @@ # See docs/slurm-controlled-rebuild.md. +- hosts: localhost + gather_facts: false + vars: + server_action: unlock + target_hosts: compute + tasks: + - name: Unlock compute instances for rebuild + ansible.builtin.include_playbook: + file: adhoc/lock_unlock_instances.yml + - hosts: login run_once: true gather_facts: false diff --git a/ansible/site.yml b/ansible/site.yml index 79b71e10a..fa229800a 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -1,4 +1,10 @@ --- +- name: Lock all instances + vars: + server_action: lock + target_hosts: all + ansible.builtin.import_playbook: adhoc/lock_unlock_instances.yml + - name: Run pre.yml hook vars: # hostvars not available here, so have to recalculate environment root: From 36a10e776faec49ec9974120dbb1b3de97994a11 Mon Sep 17 00:00:00 2001 
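Review bot: `action: "{{ server_action | default('lock') }}"` in the new `ansible/adhoc/lock_unlock_instances.yml` (PATCH 3/5) passes any value straight to `openstack.cloud.server_action`, and the play defaults to `hosts: all`. That module also accepts actions such as `stop`, `rebuild` and `shelve`, so a mistyped or inherited `server_action` extra var would run a disruptive action across the whole inventory from a playbook whose name promises only lock and unlock. I would make the first task an assertion that restricts the value to those two actions, as sketched below. The later hunk for this file in PATCH 4/5 only adds `delegate_to: localhost` and leaves the action unvalidated.

```yaml
  tasks:
    - name: Refuse any action other than lock or unlock
      ansible.builtin.assert:
        that:
          - (server_action | default('lock')) in ['lock', 'unlock']
        fail_msg: "server_action must be 'lock' or 'unlock'"
      run_once: true
    # … unchanged: Lock/Unlock instances task …
```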
From: bertiethorpe Date: Fri, 7 Nov 2025 09:40:08 +0000 Subject: [PATCH 4/5] fix rebuild unlocking --- ansible/adhoc/lock_unlock_instances.yml | 3 ++- ansible/adhoc/rebuild-via-slurm.yml | 8 ++------ ansible/safe-env.yml | 22 ++++++++++++++++++++++ ansible/site.yml | 3 +++ environments/site/hooks/pre.yml | 22 ---------------------- 5 files changed, 29 insertions(+), 29 deletions(-) create mode 100644 ansible/safe-env.yml diff --git a/ansible/adhoc/lock_unlock_instances.yml b/ansible/adhoc/lock_unlock_instances.yml index 81ec547ab..db9464cae 100644 --- a/ansible/adhoc/lock_unlock_instances.yml +++ b/ansible/adhoc/lock_unlock_instances.yml @@ -7,4 +7,5 @@ - name: Lock/Unlock instances openstack.cloud.server_action: action: "{{ server_action | default('lock') }}" - server: "{{ inventory_hostname }}" \ No newline at end of file + server: "{{ inventory_hostname }}" + delegate_to: localhost \ No newline at end of file diff --git a/ansible/adhoc/rebuild-via-slurm.yml b/ansible/adhoc/rebuild-via-slurm.yml index bf26e0323..fca4258a8 100644 --- a/ansible/adhoc/rebuild-via-slurm.yml +++ b/ansible/adhoc/rebuild-via-slurm.yml @@ -8,15 +8,11 @@ # See docs/slurm-controlled-rebuild.md. -- hosts: localhost - gather_facts: false +- name: Unlock compute instances for rebuild vars: server_action: unlock target_hosts: compute - tasks: - - name: Unlock compute instances for rebuild - ansible.builtin.include_playbook: - file: adhoc/lock_unlock_instances.yml + ansible.builtin.import_playbook: lock_unlock_instances.yml - hosts: login run_once: true diff --git a/ansible/safe-env.yml b/ansible/safe-env.yml new file mode 100644 index 000000000..8479a298b --- /dev/null +++ b/ansible/safe-env.yml 
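Review bot: In PATCH 4/5, `ansible/adhoc/rebuild-via-slurm.yml` now unlocks every `compute` instance as its first play, but nothing in this hunk imports `safe-env.yml` beforehand. The rebuild path therefore removes the lock on a protected environment without the confirmation that `site.yml` gains in this same patch. Unless the lines above the hunk already cover this, I would add `- ansible.builtin.import_playbook: ../safe-env.yml` ahead of the unlock play. The instances also appear to stay unlocked until the next `site.yml` run, so a closing import of `lock_unlock_instances.yml` with `server_action: lock`, or at least a comment stating that re-locking is deferred, would make the exposure window explicit. The rest of the file is outside the hunk, and Slurm-driven rebuilds may complete after the playbook exits, so the right point to re-lock needs confirming.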
@@ -0,0 +1,22 @@ +--- +- hosts: localhost + gather_facts: no + become: no + vars: + protected_environments: + - prd + tasks: + - name: Confirm continuing if using production environment + ansible.builtin.pause: + prompt: | + ************************************* + * WARNING: PROTECTED ENVIRONMENT! * + ************************************* + + Current environment: {{ appliances_environment_name }} + Do you really want to continue (yes/no)? + register: env_confirm_safe + when: + - appliances_environment_name in protected_environments + - not (prd_continue | default(false) | bool) + failed_when: not (env_confirm_safe.user_input | bool) \ No newline at end of file diff --git a/ansible/site.yml b/ansible/site.yml index fa229800a..4cafa71c2 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -1,4 +1,7 @@ --- + +- ansible.builtin.import_playbook: safe-env.yml + - name: Lock all instances vars: server_action: lock diff --git a/environments/site/hooks/pre.yml b/environments/site/hooks/pre.yml index cc0a6c6a9..ed97d539c 100644 --- a/environments/site/hooks/pre.yml +++ b/environments/site/hooks/pre.yml @@ -1,23 +1 @@ --- - -- hosts: localhost - gather_facts: no - become: no - vars: - protected_environments: - - prd - tasks: - - name: Confirm continuing if using production environment - ansible.builtin.pause: - prompt: | - ************************************* - * WARNING: PROTECTED ENVIRONMENT! * - ************************************* - - Current environment: {{ appliances_environment_name }} - Do you really want to continue (yes/no)? - register: env_confirm_safe - when: - - appliances_environment_name in protected_environments - - not (prd_continue | default(false) | bool) - failed_when: not (env_confirm_safe.user_input | bool) \ No newline at end of file From 675d3ba294eafcdeda0783d163783ab341778684 Mon Sep 17 00:00:00 2001 
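Review bot: The new `ansible/safe-env.yml` (PATCH 4/5) writes `gather_facts: no` and `become: no`, while the context lines of `rebuild-via-slurm.yml` in this series use `gather_facts: false`. The file should use the canonical booleans, `gather_facts: false` and `become: false`, which also keeps yamllint's `truthy` rule quiet. The play is unnamed, so adding `name: Confirm run against protected environment` would make the gate visible in play output and logs. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.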
From: bertiethorpe
Date: Fri, 7 Nov 2025 09:42:13 +0000
Subject: [PATCH 5/5] remove site hook
---
environments/site/hooks/pre.yml | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 environments/site/hooks/pre.yml
diff --git a/environments/site/hooks/pre.yml b/environments/site/hooks/pre.yml
deleted file mode 100644
index ed97d539c..000000000
--- a/environments/site/hooks/pre.yml
+++ /dev/null
@@ -0,0 +1 +0,0 @@
----