Cray-HPE · dlaine-hpe · Mar 1, 2024 · Sep 25, 2023 · Oct 17, 2023 · Nov 6, 2023
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.14.0] - 2024-03-01
+### Added
+- CASMCMS-8795 - add remote-build-nodes API.
+- CASMCMS-8925 - ims service in CLBO when vault is not accessible.
+
 ## [3.13.0] - 2024-02-22
 ### Dependencies
 - Bumped `kubernetes` from 11.0.0 to 22.6.0 to match CSM 1.6 Kubernetes version

@@ -1,7 +1,7 @@
 #
 # MIT License
 #
-# (C) Copyright 2018, 2021-2022 Hewlett Packard Enterprise Development LP
+# (C) Copyright 2018, 2021-2024 Hewlett Packard Enterprise Development LP
 #
 # Permission is hereby granted, free of charge, to any person obtaining a
 # copy of this software and associated documentation files (the "Software"),
@@ -32,7 +32,7 @@ VOLUME ["/var/ims/data", "/results"]
 
 RUN apk add --upgrade --no-cache apk-tools && \
     apk update && \
-    apk add --no-cache gcc py3-pip python3-dev musl-dev libffi-dev openssl-dev && \
+    apk add --no-cache gcc py3-pip python3-dev musl-dev libffi-dev openssl-dev openssh-keygen && \
     apk -U upgrade --no-cache
 
 USER 65534:65534

@@ -66,6 +66,17 @@ info:
         artifact repository. Recipes themselves define how an image is to be created, including the
         RPMs that will be installed, the RPM repositories to use, etc.
 
+      ### /remote-build-nodes
+
+        Manage the set of nodes set up for running remote jobs. These are jobs that are
+        run on nodes outside of the set of Kubernetes worker nodes. They can be used to
+        offload work from the worker nodes, or match the archetecture of the images
+        being created or customized.
+
+        The remote node must be fully configured and booted into the 'remote-node-image'
+        by the site-admin prior to registration in IMS. It will be tested prior to job
+        launch and if it is not accessible or correctly configured it will not be used.
+
     ## Workflows
 
       There are two main workflows using the IMS - image creation and image customization.
@@ -525,6 +536,99 @@ paths:
           $ref: '#/components/responses/NotFound'
         '500':
           $ref: '#/components/responses/InternalServerError'
+  /v3/remote-build-nodes:
+    get:
+      summary: List remote build nodes
+      operationId: get_all_v3_remote_build_nodes
+      tags:
+        - remote build node
+        - v3
+      description: Retrieve a list of remote build nodes that are registered with IMS.
+      responses:
+        '200':
+          description: A collection of remote build nodes
+          content:
+            application/json:
+              schema:
+                items:
+                  $ref: '#/components/schemas/RemoteBuildNodeRecord'
+                type: array
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+    post:
+      summary: Create a new remote built node record
+      operationId: post_v3_remote_build_node
+      tags:
+        - remote build node
+        - v3
+      description: Create a new remote build node record. Updated by administrator to allow them to run jobs on a remote build node.
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RemoteBuildNodeRecord'
+        description: Remote build node record to create
+        required: true
+      responses:
+        '201':
+          description: New RemoteBuildNode
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RemoteBuildNodeRecord'
+        '400':
+          $ref: '#/components/responses/NoInputProvided'
+        '422':
+          $ref: '#/components/responses/InvalidInputData'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+    delete:
+      summary: Delete all RemoteBuildNodeRecords
+      operationId: delete_all_v3_remote_build_nodes
+      tags:
+        - remote build node
+        - v3
+      description: Delete all remote build node records.
+      responses:
+        '204':
+          description: Remote build node records deleted successfully
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+  '/v3/remote-build-nodes/{remote_build_node_xname}':
+    parameters:
+      - $ref: '#/components/parameters/remote_build_node_xname'
+    get:
+      summary: Retrieve a remote build node by remote_build_node_xname
+      operationId: get_v3_remote_build_node
+      tags:
+        - remote build node
+        - v3
+      description: Retrieve a remote build node by remote_build_node_xname
+      responses:
+        '200':
+          description: A remote build node record
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RemoteBuildNodeRecord'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+    delete:
+      summary: Delete remote build node by remote_build_node_xname
+      operationId: delete_v3_remote_build_node
+      tags:
+        - remote build node
+        - v3
+      description: Delete a RemoteBuildNodeRecord by Xname.
+      responses:
+        '204':
+          description: Remote build node record deleted successfully
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
   /v3/jobs:
     get:
       summary: Retrieve a list of JobRecords that are registered with IMS
@@ -1640,6 +1744,10 @@ paths:
     $ref: "#/paths/~1v2~1public-keys"
   /public-keys/{public_key_id}:
     $ref: "#/paths/~1v2~1public-keys~1{public_key_id}"
+  /remote-build-nodes:
+    $ref: "#/paths/~1v3~1remote-build-nodes"
+  /remote-build-nodes/{remote_build_node_xname}:
+    $ref: "#/paths/~1v3~1remote-build-nodes~1{remote_build_node_xname}"
   /jobs:
     $ref: "#/paths/~1v2~1jobs"
   /jobs/{job_id}:
@@ -1742,6 +1850,14 @@ components:
         type: string
         format: uuid
       example: bc6ec895-6ff5-4481-bd98-88ed4cd233e9
+    remote_build_node_xname:
+      description: The unique xname of a remote build node
+      in: path
+      name: remote_build_node_xname
+      required: true
+      schema:
+        type: string
+      example: x3000c1s10b1n0
     job_id:
       description: The unique ID of a job
       in: path
@@ -1943,6 +2059,17 @@ components:
             ssh-rsa AAAAB3NzaC1yc2EAAAADAQABA ...
             fa6hG9i2SzfY8L6vAVvSE7A2ILAsVruw1Zeiec2IWt
 
+          type: string
+          minLength: 1
+    RemoteBuildNodeRecord:
+      description: A Remote Build Node Record
+      type: object
+      required:
+        - xname
+      properties:
+        xname:
+          description: Xname of the remote build node
+          example: x3000c1s10b1n0
           type: string
           minLength: 1
     ArtifactLinkRecord:

@@ -6,6 +6,7 @@ certifi==2019.11.28
 chardet==3.0.4
 click==6.7
 docutils==0.14
+fabric==3.2.2
 Flask==1.1.4
 flask-marshmallow==0.9.0
 Flask-RESTful==0.3.10

@@ -1,7 +1,7 @@
 {{/*
 MIT License
 
-(C) Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
@@ -34,7 +34,7 @@ metadata:
   name: ims-service-launch-job
 rules:
   - apiGroups: [""]
-    resources: ["services","configmaps","roles","persistentvolumeclaims"]
+    resources: ["services","configmaps","roles","persistentvolumeclaims","secrets"]
     verbs: ["get", "create", "delete"]
   - apiGroups: ["networking.istio.io"]
     resources: ["destinationrules"]

@@ -1,7 +1,7 @@
 {{/*
 MIT License
 
-(C) Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
@@ -211,6 +211,8 @@ data:
               value: '/etc/admin-client-auth'
             - name: ENABLE_DEBUG
               value: '$enable_debug'
+            - name: REMOTE_BUILD_NODE
+              value: '$remote_build_node'
             - name: RECIPE_ROOT_PARENT
               value: /mnt/image/recipe
             - name: IMAGE_ROOT_PARENT
@@ -223,6 +225,10 @@ data:
               value: "$job_arch"
             - name: IMS_ARM_BUILDER
               value: "{{ .Values.cray_ims_kiwi_ng_opensuse_x86_64_builder.image.repository }}:{{ .Values.cray_ims_kiwi_ng_opensuse_x86_64_builder.image.tag }}"
+            - name: IMAGE_ROOT_ARCHIVE_NAME
+              value: "$image_root_archive_name"
+            - name: INITRD_FILENAME
+              value: "$initrd_filename"
             volumeMounts:
             - name: image-vol
               mountPath: /mnt/image
@@ -232,6 +238,9 @@ data:
             - name: ca-pubkey
               mountPath: /etc/cray/ca
               readOnly: true
+            - name: remote-key
+              mountPath: /etc/cray/remote-keys
+              readOnly: true
             - name: admin-client-auth
               mountPath: '/etc/admin-client-auth'
               readOnly: true
@@ -390,6 +399,12 @@ data:
               items:
               - key: template_dictionary
                 path: template_dictionary
+          - name: remote-key
+            configMap:
+              name: cray-ims-remote-keys
+              items:
+              - key: private_key
+                path: id_ecdsa
           - name: admin-client-auth
             secret:
               secretName: "{{ .Values.keycloak.keycloak_admin_client_auth_secret_name }}"

@@ -1,7 +1,7 @@
 {{/*
 MIT License
 
-(C) Copyright 2021-2023 Hewlett Packard Enterprise Development LP
+(C) Copyright 2021-2024 Hewlett Packard Enterprise Development LP
 
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
@@ -97,12 +97,20 @@ data:
               value: '/etc/admin-client-auth'
             - name: IMS_JOB_ID
               value: "$id"
+            - name: SSH_JAIL
+              value: "$ssh_jail"
             - name: DOWNLOAD_MD5SUM
               value: "$download_md5sum"
             - name: JOB_ENABLE_DKMS
               value: "$job_enable_dkms"
             - name: BUILD_ARCH
               value: "$job_arch"
+            - name: REMOTE_BUILD_NODE
+              value: '$remote_build_node'
+            - name: IMAGE_ROOT_PARENT
+              value: /mnt/image
+            - name: IMS_SSHD_IMAGE
+              value: {{ .Values.cray_ims_sshd.image.repository }}:{{ .Values.cray_ims_sshd.image.tag }}
             volumeMounts:
             - name: image-vol
               mountPath: /mnt/image
@@ -112,6 +120,9 @@ data:
             - name: admin-client-auth
               mountPath: '/etc/admin-client-auth'
               readOnly: true
+            - name: remote-key
+              mountPath: /etc/cray/remote-keys
+              readOnly: true
             command: [ "sh", "-ce", "/scripts/prep-env.sh /mnt/image \"$download_url\"" ]
             resources:
               requests:
@@ -120,6 +131,10 @@ data:
               limits:
                 memory: "$job_mem_limit"
                 cpu: "8"
+            securityContext:
+              privileged: true
+              capabilities:
+                add: [$security_capabilites]
           # User customization of image root
           containers:
           - image: {{ .Values.cray_ims_utils.image.repository }}:{{ .Values.cray_ims_utils.image.tag }}
@@ -162,6 +177,8 @@ data:
               value: "$ssh_jail"
             - name: BUILD_ARCH
               value: "$job_arch"
+            - name: REMOTE_BUILD_NODE
+              value: '$remote_build_node'
             - name: S3_BUCKET
               value: "$s3_bucket"
             - name: S3_ACCESS_KEY
@@ -192,6 +209,9 @@ data:
             - name: ca-pubkey
               mountPath: /etc/cray/ca
               readOnly: true
+            - name: remote-key
+              mountPath: /etc/cray/remote-keys
+              readOnly: true
             - name: ssh-pubkey
               mountPath: /etc/cray
               readOnly: true
@@ -233,6 +253,8 @@ data:
               value: "$job_enable_dkms"
             - name: BUILD_ARCH
               value: "$job_arch"
+            - name: REMOTE_BUILD_NODE
+              value: '$remote_build_node'
             resources:
               requests:
                 memory: "$job_mem_size"
@@ -248,6 +270,9 @@ data:
             - name: ca-pubkey
               mountPath: /etc/cray/ca
               readOnly: true
+            - name: remote-key
+              mountPath: /etc/cray/remote-keys
+              readOnly: true
           volumes:
           - name: image-vol
             persistentVolumeClaim:
@@ -263,6 +288,12 @@ data:
               items:
               - key: public_key
                 path: authorized_keys
+          - name: remote-key
+            configMap:
+              name: cray-ims-remote-keys
+              items:
+              - key: private_key
+                path: id_ecdsa
           - name: admin-client-auth
             secret:
               secretName: "{{ .Values.keycloak.keycloak_admin_client_auth_secret_name }}"

@@ -1,6 +1,7 @@
 -c constraints.txt
 
 # Application requirements for cms-ims
+fabric
 flask
 flask-restful
 flask_marshmallow

@@ -30,7 +30,7 @@
 import os
 import os.path
 
-class DataStoreHACK(collections.MutableMapping):
+class DataStoreHACK(collections.abc.MutableMapping):
     """ A dictionary that reads/writes to a file """
 
     def __init__(self, store_file, schema_obj, key_field, *args, **kwargs):