Read Me
================

1. About

These Ansible roles allow you to install, from a deployment host, iRODS [4.2.0 - 4.2.8] on one or more CentOS 7.x x86_64 hosts. The iRODS role is compatible with both provider and consumer installation modes. PostgreSQL (stock versions from the distribution or newer ones) will be used to serve the iCAT catalogue. All firewalls should be stopped before attempting a deployment.

2. Ansible installation 

```bash
yum install epel-release # as root
yum update # as root
yum install python2-pip # as root
pip install --upgrade pip # as root
pip install ansible --user # first installation
pip install -U ansible --user # update
```

**N.B:** iRODS and postgresql roles are known to work with Ansible 2.10 

3. GitLab repository

This GitLab repository comprises two Ansible roles:

- irods
- postgresql

4. Fetch the roles

```bash
yum install git # as root
mkdir -p ansible/{group_vars/{iRODS,all},host_vars,roles} ; cd ansible
git clone https://dci-gitlab.cines.fr/poc_irods/poc-irods.git roles
```

5. Work space on the deployment host

```
ansible
  |
  |_ irods.yml
  |_ irods_hosts
  |
  |_ group_vars
  |       |
  |       |_ iRODS
  |       |    |
  |       |    |_ main.yml
  |       |
  |       |_ all
  |           |
  |           |_ var_pass.yml
  |
  |_ host_vars
  |      |
  |      |_ myhost1.mydomain.tld
  |
  |_ roles
       |
       |_ irods
       |
       |_ postgresql
```

**N.B:** privilege escalation (sudo) relies on the "ansible_become_password" variable in group_vars/all/var_pass.yml file (it should be vaulted):

```bash
cd ansible/group_vars/all/
ansible-vault create var_pass.yml
```

```
---

ansible_become_password: your password to become root on the target machines 

...
```

**N.B:** The provider / consumer installation mode is handled with the "irods_server_mode" variable in host_vars/myhost1.mydomain.tld file:

```
irods_server_mode: provider

```

6. Preparation of the irods.yml playbook

```
---

- name: Installation of PostgreSQL server
  hosts: irods_database
  roles:
    - postgresql
  become: true
  become_user: root
  become_method: sudo
  vars_files:
  - "group_vars/iRODS/main.yml"

- name: Installation of iRODS server
  hosts: irods_server
  roles:
    - irods
  become: true
  become_user: root
  become_method: sudo
  vars_files:
  - "group_vars/iRODS/main.yml"

...
```

7. Preparation of the irods_hosts inventory file

```
[irods_server]
myhost1.mydomain.tld

[irods_database]
myhost2.mydomain.tld
```

**N.B:** iRODS and PostgreSQL may also be installed on the same host.

8. Preparation of your vaulted variables

The values below are given as examples only; you can modify them.

```bash
cd ansible/group_vars/iRODS/
ansible-vault create --vault-id irods@prompt main.yml
```

```
---

# Passwords

admin_password:
negotiation_key:
server_control_plane_key:
zone_key:
irods_unix_password: see https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module for details
database_password:

# Hosts

database_hostname: myhost2.mydomain.tld
provider_hostname: myhost1.mydomain.tld
provider_ip:

# Users and groups

postgresql_unix_group_name: postgres
postgresql_unix_user_name: postgres
irods_unix_group_name: irods
irods_unix_user_name: irods
irods_unix_group_id:
irods_unix_user_id:
database_user: irodsdb

# iRODS

irods_version: from 4.2.0 to 4.2.8
use_local_mirror: true or false
path_to_data: /irods/data
path_to_icat: /irods/icat
irods_zone: TESTZONE
default_resource: demoResc
database_name: ICAT

# Misc

external_postgresql_version: from 9.4 to 13
use_external_epel: true or false
use_distribution_postgresql: true or false
selinux_mode: enforcing or permissive

...
```

9. SSH keys

Ansible has only two dependencies: SSH and Python. For that reason you need to generate a pair of SSH keys (without a passphrase) on the deployment host and copy the public part to each target machine:

```
ssh-keygen -b 2048 -t rsa -C "Some comment" -f /home/user/.ssh/ansible_id_rsa
ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost1.mydomain.tld
ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost2.mydomain.tld
```

**N.B:** if SELinux is set to "enforcing", please don't forget to run "/usr/sbin/restorecon -r -v .ssh" on each target machine, else your public key won't work.

10. Run the playbook

```bash
cd ansible
ansible-playbook --key-file=/path/to/your/.ssh/ansible_id_rsa -i irods_hosts irods.yml --ask-vault-pass --vault-id irods@prompt
```

The ansible-playbook command will then ask you to input two passwords in order to decrypt your vaulted variables.
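
A pre-flight check for the two variable files from sections 5 and 8, added here as an example and not part of the poc-irods roles: it reads the first line of each file and fails unless it is an Ansible Vault header, and for main.yml also that the vault-id label is `irods`. The function names and the script name `vault_preflight.sh` are hypothetical.

```bash
#!/bin/sh
# Added example, not part of the poc-irods roles. Paths follow the work-space
# layout of section 5; "irods" is the --vault-id label used for main.yml.

# vault_label FILE: print the vault-id label of a vault-encrypted file
# ("-" when the header carries none); return 1 if FILE is missing or plaintext.
vault_label() {
    [ -r "$1" ] || return 1
    _hdr=
    IFS= read -r _hdr < "$1" || [ -n "$_hdr" ] || return 1
    case "$_hdr" in
        '$ANSIBLE_VAULT;1.1;AES256')    echo '-' ;;                  # no vault-id
        '$ANSIBLE_VAULT;1.2;AES256;'?*) echo "${_hdr#*;AES256;}" ;;  # labelled
        *)                              return 1 ;;
    esac
}

# check_vaulted FILE [EXPECTED_LABEL]: report on one file, return 1 on failure.
check_vaulted() {
    if ! _label=$(vault_label "$1"); then
        echo "FAIL $1: missing or not vault-encrypted" >&2
        return 1
    fi
    if [ -n "${2:-}" ] && [ "$_label" != "$2" ]; then
        echo "FAIL $1: vault-id '$_label', expected '$2'" >&2
        return 1
    fi
    echo "ok   $1 (vault-id: $_label)"
}

# preflight ANSIBLE_DIR: check both secrets files; return 1 if either fails.
preflight() {
    _rc=0
    check_vaulted "$1/group_vars/all/var_pass.yml" || _rc=1
    check_vaulted "$1/group_vars/iRODS/main.yml" irods || _rc=1
    return "$_rc"
}

# From the ansible directory: sh vault_preflight.sh . && ansible-playbook ...
if [ "$#" -gt 0 ]; then
    preflight "$1" || exit 1
fi
```

The check only covers whole-file encryption as produced by `ansible-vault create`; it does not inspect the decrypted contents.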