Read Me
================

1. About

These Ansible roles allow you to install, from a deployment host, iRODS [4.2.0 - 4.2.8] on one or more CentOS 7.x x86_64 hosts. The iRODS role is compatible with both provider and consumer installation modes. PostgreSQL (from 9.4 to 13 on CentOS 7.x or 10.6 on CentOS 8.x) will be used to serve the iCAT catalogue. All firewalls should be stopped before attempting a deployment.

2. Ansible installation

```bash
yum install python2-pip # as root
pip install ansible --user # first installation
pip install -U ansible --user # update
```

**N.B:** The iRODS and PostgreSQL roles are known to work with Ansible 2.10.

3. GitLab repository

This GitLab repository comprises two Ansible roles:

- irods
- postgresql

4. Fetch the roles

```bash
mkdir -p ansible/{group_vars/{iRODS,all},host_vars,roles} ; cd ansible
git clone https://dci-gitlab.cines.fr/poc_irods/poc-irods.git roles
```

5. Work space on the deployment host

```
ansible
  |
  |_ irods.yml
  |_ irods_hosts
  |
  |_ group_vars
  |       |
  |       |_ iRODS
  |       |    |
  |       |    |_ main.yml
  |       |
  |       |_ all
  |           |
  |           |_ var_pass.yml
  |
  |_ host_vars
  |      |
  |      |_ myhost1.mydomain.tld
  |
  |_ roles
       |
       |_ irods
       |
       |_ postgresql
```

**N.B:** Privilege escalation (sudo) relies on the "ansible_become_password" variable in the group_vars/all/var_pass.yml file (it should be vaulted):

```bash
cd ansible/group_vars/all/
ansible-vault create var_pass.yml
```

```
---

ansible_become_password: your password to become root on the target machines 

...
```

**N.B:** The provider / consumer installation mode is handled with the "irods_server_mode" variable in the host_vars/myhost1.mydomain.tld file:

```
irods_server_mode: provider

```

6. Preparation of the irods.yml playbook

```
---

- name: Installation of PostgreSQL server
  hosts: irods_database
  roles:
    - postgresql
  become: true
  become_user: root
  become_method: sudo
  vars_files:
  - "group_vars/iRODS/main.yml"

- name: Installation of iRODS server
  hosts: irods_server
  roles:
    - irods
  become: true
  become_user: root
  become_method: sudo
  vars_files:
  - "group_vars/iRODS/main.yml"

...

```

7. Preparation of the irods_hosts inventory file

```
[irods_server]
myhost1.mydomain.tld

[irods_database]
myhost2.mydomain.tld

```

**N.B:** iRODS and PostgreSQL may also be installed on the same host.

8. Preparation of your vaulted variables

The values below are given as examples only; you can modify them as needed.

```bash
cd ansible/group_vars/iRODS/
ansible-vault create --vault-id irods@prompt main.yml
```

```
---

# Passwords

admin_password:
negotiation_key:
server_control_plane_key:
zone_key:
irods_unix_password: see https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module for details
database_password:

# Hosts

database_hostname: myhost2.mydomain.tld
provider_hostname: myhost1.mydomain.tld
provider_ip:

# Users and groups

postgresql_unix_group_name: postgres
postgresql_unix_user_name: postgres
irods_unix_group_name: irods
irods_unix_user_name: irods
irods_unix_group_id:
irods_unix_user_id:
database_user: irodsdb

# iRODS

irods_version: from 4.2.0 to 4.2.8
use_local_mirror: true or false
path_to_data: /irods/data
path_to_icat: /irods/icat
irods_zone: TESTZONE
default_resource: demoResc
database_name: ICAT

# Misc

external_postgresql_version: from 9.4 to 13
use_external_epel: true or false
use_distribution_postgresql: true or false
selinux_mode: enforcing or permissive
...
```
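
Both group_vars/all/var_pass.yml (section 5) and group_vars/iRODS/main.yml (this section) hold secrets and are meant to be vault-encrypted before the playbook runs. The following POSIX shell check is an added example, not part of the original roles: it confirms that each file starts with an Ansible Vault header and carries the expected vault-id label. The function names are hypothetical, and the "default" label for var_pass.yml assumes the file was created without --vault-id, as shown in section 5.

```bash
#!/bin/sh
# Added example: pre-flight check that secret files are vault-encrypted.
# ansible-vault writes a one-line header before the ciphertext:
#   $ANSIBLE_VAULT;1.1;AES256          (no vault-id label)
#   $ANSIBLE_VAULT;1.2;AES256;irods    (created with --vault-id irods@prompt)

# vault_label FILE (hypothetical helper)
# Prints the vault-id label ("default" for a 1.1 header) and returns 0 when
# FILE starts with a well-formed vault header; returns 1 otherwise.
vault_label() (
    [ -r "$1" ] || exit 1
    header=
    IFS= read -r header < "$1" || [ -n "$header" ] || exit 1
    set -f; IFS=';'
    set -- $header            # split the header on ';'
    [ "$1" = '$ANSIBLE_VAULT' ] && [ "$3" = 'AES256' ] || exit 1
    case "$2:$#" in
        1.1:3) echo default ;;
        1.2:4) [ -n "$4" ] && printf '%s\n' "$4" ;;
        *)     exit 1 ;;
    esac
)

# check_vaulted FILE EXPECTED_LABEL
# Returns 0 if FILE is encrypted under EXPECTED_LABEL, 1 if it is not
# encrypted at all, 2 if it is encrypted under a different vault-id.
check_vaulted() {
    if ! label=$(vault_label "$1"); then
        echo "FAIL: $1 is not vault-encrypted" >&2
        return 1
    fi
    if [ "$label" != "$2" ]; then
        echo "FAIL: $1 uses vault-id '$label', expected '$2'" >&2
        return 2
    fi
    echo "OK: $1 (vault-id $label)"
}

# preflight ANSIBLE_DIR: check both secret files of the workspace layout.
preflight() {
    rc=0
    check_vaulted "$1/group_vars/all/var_pass.yml" default || rc=1
    check_vaulted "$1/group_vars/iRODS/main.yml" irods || rc=1
    return "$rc"
}

# Run the check when a workspace path is given, e.g.: sh check.sh ~/ansible
[ "$#" -eq 0 ] || preflight "$1"
```

Running it before step 10, or from a pre-commit hook, catches a variables file that was saved in plaintext or encrypted under the wrong vault-id.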

9. SSH keys

Ansible has only two dependencies: SSH and Python. For that reason you need to generate a pair of SSH keys (without password) on the deployment host and copy the public key to each target machine:

```
ssh-keygen -b 2048 -t rsa -C "Some comment" -f /home/user/.ssh/ansible_id_rsa
ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost1.mydomain.tld
ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost2.mydomain.tld
```

**N.B:** if SELinux is set to "enforcing", please don't forget to run "/usr/sbin/restorecon -r -v .ssh" on each target machine, else your public key won't work.

10. Run the playbook

```bash
cd ansible
ansible-playbook --key-file=/path/to/your/.ssh/ansible_id_rsa -i irods_hosts irods.yml --ask-vault-pass --vault-id irods@prompt
```

The ansible-playbook command will then ask you to input two passwords in order to decrypt your vaulted variables.