Update the OpenCHAMI tutorial to use new fabrica-based services #100
davidallendj wants to merge 3 commits into
Signed-off-by: David Allen <davidallendj@gmail.com>
fc69bed to
08154d8
synackd
left a comment
Thanks for this effort, @davidallendj! I haven't run through this yet, but had a few initial comments based on the content.
| export DEMO_ACCESS_TOKEN=$(sudo bash -lc 'gen_access_token') | ||
| export DEMO_ACCESS_TOKEN=$(sudo podman exec tokensmith /bin/sh -c "/usr/local/bin/tokensmith user-token create --audience smd --key-file /tokensmith/data/keys/private.pem --subject 'admin@example.com' --scopes 'admin' --enable-local-user-mint") |
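Review bot: The new `tokensmith user-token create` line hard-codes `--subject 'admin@example.com'` and `--scopes 'admin'` and signs with `/tokensmith/data/keys/private.pem` under `--enable-local-user-mint`, so every participant mints an admin token straight from the private key with no explanation of why. Add a sentence next to the command saying that this local mint is a tutorial shortcut, and consider keeping the `gen_access_token` wrapper from the removed line so the key path and flags live in one place. The audience is fixed to `smd`; if the same `DEMO_ACCESS_TOKEN` is presented to other services, confirm they accept that audience.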
Hmm... This is a rather large command. I anticipate that tutorial participants will mention this, so I wonder if we should put a note here saying that normally tokens are obtained through the identity provider, but we are doing this method for simplicity for the tutorial.
The original gen_access_token was a large command as well. The alternative would be to update the gen_access_token function to use the command above.
Looks like it's still being included in the release on PR 50. We can probably reuse that function and include the note here.
We'll just need to make sure the subject is configurable.
Do you mean for the tutorial or in general? If in general, we may want to make a few more of the flags configurable since these are user tokens.
Yeah thinking back now, for the tutorial it is fine but yeah in general. I'm wondering if we want to explain the flags in this command line that generates the token. I imagine participants will be curious (I know I am).
I don't think we should unless we introduce a section going more in-depth about tokensmith/security/JWTs in general and we actively configure the tokens within the tutorial itself, but I think that's a bit unnecessary for the main tutorial. I would rather try to keep the main parts as condensed and relevant to a new user getting all the services up and running and booting a node instead. If we do decide to add a section like that, I think it should be something like with the Slurm tutorial where we can show in more depth how changing the flags can be done in a meaningful way.
I do think that it's fine to point to the tokensmith documentation for more info about the flags here though. In fact, I think that would probably be helpful if referencing this section later.
| **Keep this command handy! Tokens expire after an hour.** | ||
| **Keep this command handy! Tokens expire after a short period of time.** |
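Review bot: The replacement wording "a short period of time" gives participants no way to know when they must re-run the command, where the removed line named a concrete lifetime. State the actual default lifetime of a user token here, or name the flag that controls it, once that value is confirmed.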
When do tokens expire with the new tokensmith implementation?
I'm not sure, but by default I think it's something like 5 minutes. I don't think it's an hour though unless configured and since tokensmith was changing when I started this, I just put that in its place.
I think it's an hour if the --ttl flag default value is to be believed:
That makes sense. I think the 5 mins default was for the bootstrap token and not the user token.
That sounds right. Can we change this back to an hour?
| cat << EOF | sudo tee /etc/openchami/data/boot/bss/compute-debug-rocky9.yaml | ||
| cat << EOF | sudo tee /etc/openchami/data/boot/compute-debug-rocky9.json |
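Review bot: The new target drops the `bss/` directory and switches the extension from `.yaml` to `.json` in one step, so any later step that still reads `/etc/openchami/data/boot/bss/compute-debug-rocky9.yaml` points at a file this step no longer writes. Check every later reference to the old path in the tutorial. Also note that the unquoted `cat << EOF` expands shell variables in the body at write time, so whatever variables the body uses must be set before this step runs.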
I think this was meant to stay YAML, yes? The instructions above use YAML as well.
No, this was supposed to all be in JSON since boot-service takes JSON for the --spec flag. I think I forgot to update the references there and remove the YAML part.
[rocky@openchami-testing boot-service]$ bin/client bootconfiguration create --help
Create a new BootConfiguration.
Examples:
# Create from stdin
echo '{"hosts": ["["item1","item2"]"], "macs": ["["item1","item2"]"], "nids": [], "groups": ["["item1","item2"]"], "kernel": "example-value", "initrd": "example-value", "params": "example-value", "priority": 42}' | client bootconfiguration create
# Create with --spec flag
client bootconfiguration create --spec '{"hosts": ["["item1","item2"]"], "macs": ["["item1","item2"]"], "nids": [], "groups": ["["item1","item2"]"], "kernel": "example-value", "initrd": "example-value", "params": "example-value", "priority": 42}'
Spec fields:
hosts ([]string)
macs ([]string)
nids ([]int32)
groups ([]string)
kernel (string)
initrd (string)
params (string)
priority (int)
Usage:
client bootconfiguration create [flags]
Flags:
-h, --help help for create
--spec string BootConfiguration specification in JSON format
Global Flags:
--config string config file (default is $HOME/.boot_service-cli.yaml)
-o, --output string output format: table, json, yaml (default "table")
--server string boot_service server URL (default "http://localhost:8080")
--timeout duration request timeout (default 30s)
--token string JWT bearer token
-v, --version string API version to request (e.g., v1, v2beta1)
Right, but I noticed we are using ochami to add the boot configs, which supports -F yaml. Am I correct to presume that keeping it JSON is specifically for lines 2519 to 2527 where the boot-service client is optionally used?
Yes, but I think it would be better to change this section a bit. I'm thinking we could have tabs with a YAML file using just ochami and another tab with JSON using both.
If we can keep it clean and straightforward, I am for it. 🙂
|
|
||
| { | ||
| "macs": [ | ||
| "52:54:00:be:ef:01", | ||
| "52:54:00:be:ef:02", | ||
| "52:54:00:be:ef:03", | ||
| "52:54:00:be:ef:04", | ||
| "52:54:00:be:ef:05" | ||
| ], | ||
| "params": "nomodeset ro root=live:${URI_IMG} ip=dhcp overlayroot=tmpfs overlayroot_cfgdisk=disabled apparmor=0 selinux=0 console=ttyS0,115200 ip6=off cloud-init=enabled ds=nocloud-net;s=http://172.16.0.254:8081/cloud-init", | ||
| "kernel": "${URI_KERNEL}", | ||
| "initrd": "${URI_INITRAMFS}" | ||
|
|
||
| } |
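Review bot: `kernel`, `initrd` and the `root=live:${URI_IMG}` part of `params` are shell placeholders that only resolve if the surrounding heredoc expands them, and nothing in this hunk guards against one being unset, which would leave an empty `kernel` or `initrd` string in otherwise valid JSON. Have the tutorial check the three variables before writing the file. Separately, `params` sets `apparmor=0 selinux=0` and fetches cloud-init over plain `http://`; a short remark that these are debug-image settings would keep readers from copying them into a production boot configuration.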
Should this be YAML to match the YAML input above?
Signed-off-by: David Allen <davidallendj@gmail.com>
synackd
left a comment
Whoops, looks like I never submitted my review.
I meant these to be instant comments but was reviewing at the same time so the responses are part of the review.
| ochami bss service status | jq | ||
| curl https://demo.openchami.cluster:8443/boot-service/health |
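Review bot: The `curl` call on the new line has no `--fail`, so an HTTP error from `/boot-service/health` still exits 0 and a participant can read an error body as a passing check; the `| jq` formatting from the removed line is gone as well. Use `curl -fsS`, piping to `jq` if the endpoint returns JSON. If the demo certificate is not signed by a CA the host already trusts, document adding that CA rather than reaching for `-k`.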
ochami v0.7.3 has boot service status we can use here.
Great. I was waiting for that change.
| export DEMO_ACCESS_TOKEN=$(sudo bash -lc 'gen_access_token') | ||
| export DEMO_ACCESS_TOKEN=$(sudo podman exec tokensmith /bin/sh -c "/usr/local/bin/tokensmith user-token create --audience smd --key-file /tokensmith/data/keys/private.pem --subject 'admin@example.com' --scopes 'admin' --enable-local-user-mint") |
We'll just need to make sure the subject is configurable.
| **Keep this command handy! Tokens expire after an hour.** | ||
| **Keep this command handy! Tokens expire after a short period of time.** |
I think it's an hour if the --ttl flag default value is to be believed:
|
|
||
| ```bash | ||
| ochami bss boot params set -f yaml -d @/etc/openchami/data/boot/bss/compute-debug-rocky9.yaml | ||
| sudo ochami config --system cluster set demo boot-service.uri: /boot-service |
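Review bot: The key on the new line is written as `boot-service.uri:` with a trailing colon, which does not match the form used when the value is read back in this thread (`cluster.boot-service.uri`). Drop the colon, and follow the `set` with a `show` of the same key so a participant sees whether the value was actually stored, since `set` returning without an error does not confirm a write.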
Did having the colon after boot-service.uri work for you? I don't think that is supposed to be there.
Interesting...I thought it was since I don't get an error when running that.
Hmm, wonder if that is a koanf thing. I assume ochami config --system cluster show demo cluster.boot-service.uri shows /boot-service?
It does, but I think that was set beforehand. I tried deleting that and trying again and this is what I see.
[rocky@openchami-testing ~]$ sudo ochami config --system cluster set demo boot-service.uri: /boot-service
[rocky@openchami-testing ~]$ ochami config --system cluster show demo cluster.boot-service.uri
[rocky@openchami-testing ~]$ sudo ochami config --system cluster set demo boot-service.uri /boot-service
[rocky@openchami-testing ~]$ ochami config --system cluster show demo cluster.boot-service.uri
I double-checked the config and it doesn't look like the config file is being updated for either command variant.
log:
  format: rfc3339
  level: debug
timeout: 30s
default-cluster: demo
clusters:
  - name: demo
    cluster:
      uri: https://demo.openchami.cluster:8443
      enable-auth: true
Here's the ochami version:
[rocky@openchami-testing ~]$ ochami version
Version: 0.7.3
Tag: v0.7.3
Branch: HEAD
Commit: f07bc1e13e8673ad69cc79091208288ea2510364
Git State: clean
Date: 2026-05-13T22:16:44Z
Go: go1.26.3
Compiler: gc
Build Host: runnervmeorf1
Build User: runner
| cat << EOF | sudo tee /etc/openchami/data/boot/bss/compute-debug-rocky9.yaml | ||
| cat << EOF | sudo tee /etc/openchami/data/boot/compute-debug-rocky9.json |
Right, but I noticed we are using ochami to add the boot configs, which supports -F yaml. Am I correct to presume that keeping it JSON is specifically for lines 2519 to 2527 where the boot-service client is optionally used?
Signed-off-by: David Allen <davidallendj@gmail.com>
Pull Request Template
Thank you for your contribution! Please ensure the following before submitting:
Checklist
make test (or equivalent) locally and all tests pass
git commit -s) with my real name and email
<filename>.license sidecar
LICENSES/ directory
Description
This PR updates the existing tutorial to replace the old services with the new ones that are being added to the latest release based on OpenCHAMI/release#50. The tutorial already contains a section including boot-service but will now completely replace the BSS sections. In addition, instructions for metadata-service and tokensmith integration are added to replace cloud-init and haproxy/opaal respectively.
This PR is dependent on the following:
Type of Change
For more info, see Contributing Guidelines.