
[UG][IaC] Added section about audit and enforce

Added a section about changes audit and enforcing changes
to an environment.

Change-Id: I122c05796f13e61185c7aa164e20ff6f48e51d3a
Svetlana Karslioglu 2 years ago
parent
commit
d76d4dc2f0

+ 2
- 0
userdocs/fuel-user-guide/post-deployment-conf/lcm-git-repo.rst View File

@@ -32,6 +32,8 @@ This section includes the following topics:
32 32
    lcm-git-repo/configure-iac.rst
33 33
    lcm-git-repo/repo-structure.rst
34 34
    lcm-git-repo/set-up-git-repo.rst
35
+   lcm-git-repo/audit-enforce-changes.rst
36
+   lcm-git-repo/filter-results.rst
35 37
 
36 38
 .. seealso::
37 39
 
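Review bot: The new toctree entry `lcm-git-repo/filter-results.rst` is named for something the file does not document: its title is "Exclude tasks from an audit" and every command in it is a `fuel2 audit whitelist` subcommand. Consider naming the file and its `.. _filter-results:` label after the feature (for example `audit-whitelist`), so the entry is easy to find next to `audit-enforce-changes.rst` and the name does not suggest filtering of command output.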

+ 40
- 0
userdocs/fuel-user-guide/post-deployment-conf/lcm-git-repo/audit-enforce-changes.rst View File

@@ -0,0 +1,40 @@
1
+.. _audit-enforce-changes:
2
+
3
+Verify and enforce the changes
4
+==============================
5
+
6
+You can check whether a file has been modified or not using
7
+the ``fuel2 audit`` command and then enforce application of
8
+the changed configuration if needed.
9
+
10
+Similarly to running a Fuel deployment workflows with the ``noop`` flag,
11
+the ``fuel2 audit`` command performs a dry-run of the applied
12
+changes and records Puppet resources that will be modified after
13
+applying the changes.
14
+
15
+**To verify and enforce the changes:**
16
+
17
+#. Verify the changes by performing a dry-run of the applied changes:
18
+
19
+   ::
20
+
21
+     fuel2 audit noop --env <ENV_ID> || --repo <REPO_ID>
22
+
23
+#. List the changes to Puppet resources:
24
+
25
+   ::
26
+
27
+     fuel2 audit list outofsync --task <NOOP_TASK_ID> || --repo <REPO_ID>
28
+
29
+#. Redeploy (enforce) the environment with the new changes:
30
+
31
+   ::
32
+
33
+     fuel2 env redeploy <ENV_ID>
34
+
35
+#. Alternatively, you can perform a dry-run and redeployment
36
+   in one go:
37
+
38
+   ::
39
+
40
+     fuel2 audit enforce --env <ENV_ID> || --repo <REPO_ID>
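Review bot: In steps 1, 2 and 4 the synopsis `--env <ENV_ID> || --repo <REPO_ID>` uses `||`, which is the shell OR operator, so a reader who pastes the line gets the `fuel2` command with the first option only and a second, separate command starting at `--repo`. Please show the two options in a notation that cannot be read as shell syntax, or give each form on its own command line. Step 4 is an alternative to steps 1-3 rather than a fourth step, so it reads better as a note after the list, and it should say that `fuel2 audit enforce` redeploys without the review of out-of-sync resources that step 2 provides. Step 2 takes `<NOOP_TASK_ID>`, but step 1 does not say where that ID comes from. In the second paragraph, "a Fuel deployment workflows" should be "a Fuel deployment workflow".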

+ 71
- 0
userdocs/fuel-user-guide/post-deployment-conf/lcm-git-repo/filter-results.rst View File

@@ -0,0 +1,71 @@
1
+.. _filter-results:
2
+
3
+Exclude tasks from an audit
4
+===========================
5
+
6
+When you verify changes with the ``fuel2 audit`` command, Fuel checks
7
+all Puppet tasks disregarding whether they do not change their states
8
+(idempotent) or they do change their states (non-idempotent). Each audit
9
+report includes both types of tasks. However, the result of the
10
+non-idempotent task run typically does not provide important information
11
+about the state of the system, and, therefore, can be ignored.
12
+
13
+You can exclude the non-idempotent Puppet tasks from the audit by creating a
14
+whitelist.
15
+A whitelist includes a set of rules in a form of a pair of strings. The first
16
+string is a Fuel Puppet task. The second string is the rule.
17
+
18
+**Example:**
19
+
20
+::
21
+
22
+  - fuel_task: netconfig
23
+    rule: L23_stored_configs
24
+  - fuel_task: top-role-compute
25
+    rule: Service[nova-compute]/ensure
26
+
27
+To apply a rule to all tasks, specify an empty task.
28
+
29
+Fuel provides a default whitelist for your reference.
30
+
31
+**To exclude tasks from an audit:**
32
+
33
+#. Log in to the Fuel Master node.
34
+
35
+#. Create a new whitelist or upload the existing one.
36
+
37
+   * If you want upload the default whitelist:
38
+
39
+     ::
40
+
41
+       fuel2 audit whitelist load fromfile <ENV_ID>
42
+       /usr/lib/python2.7/site-packages/fuel_external_git/default_whitelist.yaml
43
+
44
+   * If you need to create a new whitelist:
45
+
46
+     #. In the ``/usr/lib/python2.7/site-packages/fuel_external_git/``
47
+        directory, create a ``.yaml`` file with the required rules.
48
+
49
+     #. Alternatively, specify rules using the following command:
50
+
51
+        ::
52
+
53
+         fuel2 audit whitelist add <ENV_ID> --task <FUEL_TASK> --rule <RULE>
54
+
55
+        or by providing a path to the corresponding ``.yaml`` file:
56
+
57
+        ::
58
+
59
+         fuel2 audit whitelist load fromfile <ENV_ID> <PATH_TO_YAML>
60
+
61
+#. Verify that you created a whitelist for the selected environment:
62
+
63
+   ::
64
+
65
+     fuel2 audit whitelist show <ENV_ID>
66
+
67
+#. If you need to delete a rule, run:
68
+
69
+   ::
70
+
71
+     fuel2 audit whitelist delete <RULE_ID>
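Review bot: The sentence "To apply a rule to all tasks, specify an empty task." needs an example of how an empty task is written, both in the YAML and with `fuel2 audit whitelist add <ENV_ID> --task`, and a statement of what a rule costs: whatever a rule matches is left out of the audit, so a rule with an empty task drops that resource from the report for every task. The text should recommend pairing each rule with a specific `fuel_task`, as the example does, and point to `fuel2 audit whitelist show <ENV_ID>` for reviewing what is currently excluded. Separately, the default-whitelist command is wrapped onto two lines inside the literal block with no continuation character, so a copy and paste runs `fuel2 audit whitelist load fromfile <ENV_ID>` without its path; keep it on one line or end the first line with a backslash. Smaller points: "If you want upload" is missing "to", the sub-step "Alternatively, specify rules using the following command" is numbered as step 2 of creating a file although it replaces that step, and the last step does not say where `<RULE_ID>` comes from.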
