docs: Add management services doc #457
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| # Management services | ||
|
|
||
| When running a fleet of systems, it is common to use a central management service. Commonly, these services provide a client to be installed on each system which connects to the central service. Often, the management service requires the client to perform a one time registration. | ||
|
|
||
| The following example shows how to install the client into a bootc image and run it at startup to register the system. This example assumes the management-client handles future connections to the server, e.g. via a cron job or a separate systemd service. This example could be modified to create a persistent systemd service if that is required. The Containerfile is not optimized in order to more clarly explain each step, e.g. it's generally better to invoke RUN a single time to avoid creating multiple layers in the image. | ||
|
|
||
| ```Dockerfile | ||
| FROM <bootc base image> | ||
|
|
||
| # Typically when using a management service, it will determine when to upgrade the system. | ||
| # So, disable bootc-fetch-apply-updates.timer if it is included in the base image. | ||
| RUN systemctl disable bootc-fetch-apply-updates.timer | ||
|
|
||
| # Install the client from dnf, or some other method that applies for your client | ||
| RUN dnf install management-client -y && dnf clean all | ||
|
|
||
| # Bake the credentials for the management service into the image | ||
| ARG activation_key= | ||
|
|
||
| # The existence of .run_next_boot acts as a flag to determine if the | ||
| # registration is required to run when booting | ||
| RUN touch /etc/management-client/.run_next_boot | ||
|
|
||
| COPY <<"EOT" /usr/lib/systemd/system/management-client.service | ||
| [Unit] | ||
| Description=Run management client at boot | ||
| After=network-online.target | ||
| ConditionPathExists=/etc/management-client/.run_client_next_boot | ||
|
|
||
| [Service] | ||
| Type=oneshot | ||
| EnvironmentFile=/etc/management-client/.credentials | ||
| ExecStart=/usr/bin/management-client register --activation-key ${CLIENT_ACTIVATION_KEY} | ||
| ExecStartPre=/bin/rm -f /etc/management-client/.run_next_boot | ||
| ExecStop=/bin/rm -f /etc/management-client/.credentials | ||
|
|
||
| [Install] | ||
| WantedBy=multi-user.target | ||
| EOT | ||
|
|
||
| # Link the service to run at startup | ||
| RUN ln -s /usr/lib/systemd/system/management-client.service /usr/lib/systemd/system/multi-user.target.wants/management-client.service | ||
|
|
||
| # Store the credentials in a file to be used by the systemd service | ||
| RUN echo -e "CLIENT_ACTIVATION_KEY=${activation_key}" > /etc/management-client/.credentials | ||
|
|
||
| # Set the flag to enable the service to run one time | ||
| # The systemd service will remove this file after the registration completes the first time | ||
| RUN touch /etc/management-client/.run_next_boot | ||
|
There was a problem hiding this comment. BTW this is a really minor nit unrelated to all things but one tricky bit with containerfiles by default is you end up with a lot of tiny layers unless you build with There was a problem hiding this comment. Added info to the top explaining the containerfile is not optimized. |
||
| ``` | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wait but wouldn't the agent want to run persistently?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added docs to the top summary to explain why this is setup to run once.