feat(research): Create staging-1 server with auto wiping database #1530
Signed-off-by: Victor Bustamante <victor@systeminit.com>
ENG-692 Refactor our deployment strategy
apt update | ||
apt install -y postgresql-client |
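Review bot: `apt install -y postgresql-client` is unpinned and, together with `apt update`, needs a reachable package mirror wherever these two lines run, so the result can differ from one run to the next. Consider installing the client when the image is built instead. If the lines stay in a script, `apt-get install -y --no-install-recommends postgresql-client` is the better fit, since `apt` is intended for interactive use.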
Where are these commands run?
They run inside of the container that is going to be affected. Since we're running everything on Debian (Rust's default Docker images use it as a base) this is safe, but it does feel a bit hack-ish.
- "${DOCKER_CONFIG:-~/.docker/config}:/config.json:ro" | ||
command: --interval 30 --label-enable | ||
- "${DOCKER_CONFIG:-~/.docker/config.json}:/config.json:ro" | ||
command: --interval 10 --label-enable |
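Review bot: In `${DOCKER_CONFIG:-~/.docker/config.json}` the variable is used as a file path, but the Docker CLI treats `DOCKER_CONFIG` as the directory that holds `config.json`, so on a host where it is already set that way this mounts a directory at `/config.json`. Consider `${DOCKER_CONFIG:-~/.docker}/config.json` or a differently named variable. The change from `--interval 30` to `--interval 10` also triples the polling rate, and a short comment on why would help.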
# Note(victor): This is not vital but is necessary. I will not be taking questions at this time. | ||
- name: layer-vim.service | ||
enabled: true | ||
contents: | | ||
[Unit] | ||
Description=Install Vim | ||
Wants=network-online.target | ||
After=network-online.target | ||
|
||
# We run before `zincati.service` to avoid conflicting rpm-ostree | ||
# transactions. - https://docs.fedoraproject.org/en-US/fedora-coreos/os-extensions/ | ||
After=layer-awscli.service | ||
Before=zincati.service | ||
|
||
|
||
[Service] | ||
Type=oneshot | ||
RemainAfterExit=yes | ||
ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive --idempotent vim |
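Review bot: The `After=layer-awscli.service` ordering suggests each layered package gets its own unit and its own serialized rpm-ostree transaction ahead of `zincati.service`. Since `rpm-ostree install` accepts several packages in one call, a single unit installing them together would avoid growing a chain of units as packages are added. The `Note(victor)` comment on the first line also gives no reason for layering vim on the host, and a one-line reason would help the next reader.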
Jokes aside, there may be a "system packages" step that evolves from the groundwork here. For instance, we will likely eventually want toolbox on here so that we don't have to do this on the host.
This is very cool! I also feel like Butane could make this simpler, but the task that tracks this isn't very active, sadly.
bors merge
Build succeeded:
This wraps up this iteration of the staging-1 work started on #1474
With the code contained here, a functional version of staging-1 can be brought up, loading most of the sensitive data (save only the database credentials, which proved a little harder to isolate) from AWS Secrets.
The only remaining issue is CoreOS' SELinux, which isn't easily disabled via terraform/butane. The method to disable it manually is documented in the README file.