Read Me
================

1. About

These Ansible roles allow you to install, from a deployment host, iRODS [4.2.0 - 4.2.8] on one or more CentOS 7.x x86_64 hosts. The iRODS role is compatible with both provider and consumer installation modes. PostgreSQL (9.6 on CentOS 7.x or 10.6 on CentOS 8.x) will be used to serve the iCAT catalogue. All firewalls should be stopped before attempting a deployment.

2. Ansible installation 

```bash
yum install python2-pip # as root
pip install ansible --user # first installation
pip install -U ansible --user # update
```

3. Gitlab repository

This Gitlab repository is comprised of two Ansible roles:

- iRODS
- postgresql

4. Fetch the roles

```bash
mkdir -p ansible/{group_vars/{iRODS,all},host_vars,roles} ; cd ansible
git clone https://dci-gitlab.cines.fr/poc_irods/poc-irods.git roles
```

5. Work space on the deployment host

```
ansible
  |
  |_ irods.yml
  |_ irods_hosts
  |
  |_ group_vars
  |       |
  |       |_ iRODS
  |       |    |
  |       |    |_ main.yml
  |       |
  |       |_ all
  |           |
  |           |_ var_pass.yml
  |
  |_ host_vars
  |      |
  |      |_ myhost1.mydomain.tld
  |
  |_ roles
       |
       |_ iRODS
       |
       |_ postgresql
```

**N.B:** privilege escalation (sudo) relies on the "ansible_become_password" variable in the group_vars/all/var_pass.yml file (it should be vaulted):

```bash
cd ansible/group_vars/all/
ansible-vault create var_pass.yml
```

```
---

ansible_become_password: your password to become root on the target machines 

...
```

**N.B:** The provider / consumer installation mode is handled with the "irods_server_mode" variable in the host_vars/myhost1.mydomain.tld file:

```
irods_server_mode: provider

```

6. Preparation of the irods.yml playbook

```
---

- name: Installation of PostgreSQL server
  hosts: irods_database
  roles:
    - postgresql
  become: true
  become_user: root
  become_method: sudo
  vars_files:
  - "group_vars/iRODS/main.yml"

- name: Installation of iRODS server
  hosts: irods_server
  roles:
    - iRODS
  become: true
  become_user: root
  become_method: sudo
  vars_files:
  - "group_vars/iRODS/main.yml"

...

```

7. Preparation of the irods_hosts inventory file

iRODS and PostgreSQL may also be installed on the same host.

```
[irods_server]
myhost1.mydomain.tld

[irods_database]
myhost2.mydomain.tld

```

8. Preparation of your vaulted variables

The values below are given as examples only; you can modify them.

```bash
cd ansible/group_vars/iRODS/
ansible-vault create --vault-id irods@prompt main.yml
```

```
---

# Passwords

admin_password:
negotiation_key:
server_control_plane_key:
zone_key:
irods_unix_password:
database_password:

# Hosts

database_hostname: myhost2.mydomain.tld
provider_hostname: myhost1.mydomain.tld
provider_ip:

# Users and groups

postgresql_unix_group_name: postgres
postgresql_unix_user_name: postgres
irods_unix_group_name: irods
irods_unix_user_name: irods
irods_unix_group_id: 
irods_unix_user_id:
database_user: irodsdb

# iRODS

irods_version: 4.2.8
path_to_data: /irods/data
path_to_icat: /irods/icat
irods_zone: TESTZONE
default_resource: demoResc
database_name: ICAT

# Misc

selinux_mode: enforcing
...
```

9. SSH keys

Ansible has only two dependencies: SSH and Python. For that reason, you need to generate a pair of SSH keys (without password) on the deployment host and copy the public part to each target machine:

```
ssh-keygen -b 2048 -t rsa -C "Some comment" -f /home/user/.ssh/ansible_id_rsa
ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost1.mydomain.tld
ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost2.mydomain.tld
```

**N.B:** if SELinux is set to "enforcing", please don't forget to run "/usr/sbin/restorecon -r -v .ssh" on each target machine, else your public key won't work.

10. Run the playbook

```bash
cd ansible
ansible-playbook --key-file=/path/to/your/.ssh/ansible_id_rsa -i irods_hosts irods.yml --ask-vault-pass --vault-id irods@prompt
```

The ansible-playbook command will then ask you to input two passwords in order to decrypt your vaulted variables.
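
An added example, not part of the original repository: a pre-flight check to run before `ansible-playbook`, which fails if either secrets file from sections 5 and 8 is stored in clear text, or if main.yml does not carry the `irods` vault-id label. The function names are hypothetical, and the check assumes the standard vault header line `$ANSIBLE_VAULT;<version>;<cipher>[;<label>]`.

```bash
#!/bin/sh
# Added example: fail before deployment if a secrets file is not vaulted.
# Paths follow the work space layout of section 5; function names are
# illustrative and not part of the repository.

# vault_label FILE: print the vault-id label ("default" if the header has
# none); return 1 when the first line is not an Ansible Vault header.
vault_label() {
    header=
    IFS= read -r header < "$1" || [ -n "$header" ] || return 1
    case "$header" in
        '$ANSIBLE_VAULT;'*';'*';'*) echo "${header##*;}" ;;  # 1.2 header, labelled
        '$ANSIBLE_VAULT;'*';'*)     echo default ;;          # 1.1 header, no label
        *) return 1 ;;
    esac
}

# check_vaulted FILE [EXPECTED_LABEL]: report one file, return 1 on failure.
check_vaulted() {
    file=$1 want=${2:-}
    [ -f "$file" ] || { echo "MISSING   $file"; return 1; }
    got=$(vault_label "$file") || { echo "CLEARTEXT $file"; return 1; }
    if [ -n "$want" ] && [ "$got" != "$want" ]; then
        echo "LABEL     $file has vault-id '$got', expected '$want'"
        return 1
    fi
    echo "OK        $file (vault-id '$got')"
}

# preflight ANSIBLE_DIR: return 0 only if both secrets files are encrypted
# and main.yml carries the "irods" label used in sections 8 and 10.
preflight() {
    rc=0
    check_vaulted "$1/group_vars/all/var_pass.yml" || rc=1
    check_vaulted "$1/group_vars/iRODS/main.yml" irods || rc=1
    return "$rc"
}

# Usage: sh preflight.sh /path/to/ansible && ansible-playbook ...
[ $# -eq 0 ] || preflight "$1"
```

The same check can run as a pre-commit hook so that a decrypted var_pass.yml or main.yml never reaches the Git history.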