Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore(docs): update external provisioners documentation#12315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
johnstcn merged 2 commits intomainfromcj/provisioner-tags-docs
Feb 27, 2024
Merged
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
129 changes: 85 additions & 44 deletionsdocs/admin/provisioners.md
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -47,50 +47,91 @@ the [Helm example](#example-running-an-external-provisioner-with-helm) below.

## Types of provisioners

- **Generic provisioners** can pick up any build job from templates without
provisioner tags.

```shell
coder provisionerd start
```

- **Tagged provisioners** can be used to pick up build jobs from templates (and
corresponding workspaces) with matching tags.

```shell
coder provisionerd start \
--tag environment=on_prem \
--tag data_center=chicago

# In another terminal, create/push
# a template that requires this provisioner
coder templates push on-prem \
--provisioner-tag environment=on_prem

# Or, match the provisioner exactly
coder templates push on-prem-chicago \
--provisioner-tag environment=on_prem \
--provisioner-tag data_center=chicago
```

> At this time, tagged provisioners can also pick jobs from untagged
> templates. This behavior is
> [subject to change](https://github.com/coder/coder/issues/6442).

- **User provisioners** can only pick up jobs from user-tagged templates. Unlike
the other provisioner types, any Coder user can run user provisioners, but
they have no impact unless there is at least one template with the
`scope=user` provisioner tag.

```shell
coder provisionerd start \
--tag scope=user

# In another terminal, create/push
# a template that requires user provisioners
coder templates push on-prem \
--provisioner-tag scope=user
```
> Provisioners have two important tags: `scope` and `owner`. Coder sets these
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I'm not sure "important" is the right word. Maybescope andowner are implicit tags and then we can talk about explicit tags being the ones you explicitly set on the command line

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yeah "explicit" vs "implicit" is good wording.

> tags automatically.

### Organization-Scoped Provisioners

**Organization-scoped Provisioners** can pick up build jobs created by any user.
These provisioners always have tags `scope=organization owner=""`.

```shell
coder provisionerd start
```

### User-scoped Provisioners

**User-scoped Provisioners** can only pick up build jobs created from
user-tagged templates. User-scoped provisioners always have tags
`scope=owner owner=<uuid>`. Unlike the other provisioner types, any Coder user
can run user provisioners, but they have no impact unless there is at least one
template with the `scope=user` provisioner tag.

```shell
coder provisionerd start \
--tag scope=user

# In another terminal, create/push
# a template that requires user provisioners
coder templates push on-prem \
--provisioner-tag scope=user
```

### Provisioner Tags

You can use **provisioner tags** to control which provisioners can pick up build
jobs from templates (and corresponding workspaces) with matching tags.

```shell
coder provisionerd start \
--tag environment=on_prem \
--tag data_center=chicago

# In another terminal, create/push
# a template that requires this provisioner
coder templates push on-prem \
--provisioner-tag environment=on_prem

# Or, match the provisioner exactly
coder templates push on-prem-chicago \
--provisioner-tag environment=on_prem \
--provisioner-tag data_center=chicago
```

A provisioner can run a given build job if one of the below is true:

1. The provisioner and job tags are both organization-scoped and both have no
additional tags set,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

What if the job is user-scoped and has no additional tags set? Can it run on a user-scoped provisioner that has tags?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yes, it currently can. There's no extra special-casing for user-scoped provisioners.

1. The set of tags of the build job is a subset of the set of tags of the
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This makes it sound like if the job is organization scoped with no further tags it can run on any org-scoped provisioner.

I thought such a job can only run on an org-scoped provisioner with no further tags?

The way I would explain it is thatscope andowner are implicit tags.

An job with no explicit tags can only be run on a provisioner with no explicit tags. This way you can introduce tagging into your deployment without disrupting existing provisioners and jobs.

If a job has any explicit tags, it can only run on a provisioner with those explicit tags (the provisioner could have additional tags).

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

provisioner.

This is illustrated in the below table:

| Provisioner Tags | Job Tags | Can run job? |
| ------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | ------------ |
| `{"owner":"","scope":"organization"}` | `{"owner":"","scope":"organization"}` | true |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think these would be easier to read if it was just inkey1=value1, key2=value2 format instead of JSON.

| `{"owner":"","scope":"organization"}` | `{"environment":"on_prem","owner":"","scope":"organization"}` | false |
| `{"environment":"on_prem","owner":"","scope":"organization"}` | `{"owner":"","scope":"organization"}` | false |
| `{"environment":"on_prem","owner":"","scope":"organization"}` | `{"foo":"bar","owner":"","scope":"organization"}` | true |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

shouldn't this befalse because the provisioner doesn't havefoo=bar?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Good catch. I updated this to be auto-generated#12347

| `{"environment":"on_prem","owner":"","scope":"organization"}` | `{"data_center":"chicago","foo":"bar","owner":"","scope":"organization"}` | false |
| `{"data_center":"chicago","environment":"on_prem","owner":"","scope":"organization"}` | `{"foo":"bar","owner":"","scope":"organization"}` | true |
| `{"data_center":"chicago","environment":"on_prem","owner":"","scope":"organization"}` | `{"data_center":"chicago","foo":"bar","owner":"","scope":"organization"}` | true |
| `{"owner":"aaa","scope":"owner"}` | `{"owner":"","scope":"organization"}` | false |
| `{"owner":"aaa","scope":"owner"}` | `{"owner":"aaa","scope":"owner"}` | true |
| `{"owner":"aaa","scope":"owner"}` | `{"owner":"bbb","scope":"owner"}` | false |
| `{"owner":"","scope":"organization"}` | `{"owner":"aaa","scope":"owner"}` | false |

The external provisioner in the above example can run build jobs with tags:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

which is the above example? The one on line 86? If so, this should be moved to before the table


- `environment=on_prem`
- `data_center=chicago`
- `environment=on_prem datacenter=chicago`
- `environment=cloud datacenter=chicago`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

it shouldn't be able to runenvironment=cloud jobs if it is taggedenvironment=on_prem

- `environment=on_prem datacenter=new_york`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

if the provisioner has adatacenter tag, it can't runbothdatacenter=chicago anddatacenter=new_york jobs.


However, it will not pick up any build jobs that do not have either of the
`environment` or `datacenter` tags set. It will also not pick up any build jobs
from templates with the `user` tag set.

## Example: Running an external provisioner with Helm

Expand Down
[8]ページ先頭
©2009-2025 Movatter.jp