README.md

Read Me
================

1. About

These Ansible roles allow you to install, from a deployment host, iRODS [4.2.0 - 4.2.8] on one or more CentOS 7.x x86_64 hosts. The iRODS role is compatible with both provider and consumer installation modes. PostgreSQL (stock versions from the distribution or newer ones) will be used to serve the iCAT catalogue. All firewalls should be stopped before attempting a deployment.

2. Ansible installation 

```bash
yum install epel-release # as root
yum update # as root
yum install python2-pip # as root
pip install --upgrade pip # as root
pip install ansible --user # first installation
pip install -U ansible --user # update
```

**N.B:** iRODS and postgresql roles are known to work with Ansible 2.10 

3. Gitlab repository

This Gitlab repository is comprised of two Ansible roles:

- irods
- postgresql

4. Fetch the roles

```bash
yum install git # as root
mkdir -p ansible/{group_vars/{iRODS,all},host_vars,roles} ; cd ansible
$ git clone https://dci-gitlab.cines.fr/poc_irods/poc-irods.git roles
```

5. Work space on the deployment host

```
ansible
  |
  |_ irods.yml
  |_ irods_hosts
  |
  |_ group_vars
  |       |
  |       |_ iRODS
  |       |    |
  |       |    |_ main.yml
  |       |
  |       |_ all
  |           |
  |           |_ var_pass.yml
  |
  |_ host_vars
  |      |
  |      |_ myhost1.mydomain.tld
  |
  |_ roles
       |
       |_ irods
       |
       |_ postgresql
```

**N.B:** privilege escalation (sudo) relies on the "ansible_become_password" variable in group_vars/all/var_pass.yml file (it should be vaulted):

```bash
cd ansible/group_vars/all/
ansible-vault create var_pass.yml
```

```
---

ansible_become_password: your password to become root on the target machines 

...
```

**N.B:** The provider / consumer installation mode is handled with the "irods_server_mode" variable in host_vars/myhost1.mydomain.tld file:

```
irods_server_mode: provider

```

6. Preparation of the irods.yml playbook

```
---

- name: Installation of PostgreSQL server
  hosts: irods_database
  roles:
    - postgresql
  become: true
  become_user: root
  become_method: sudo
  vars_files:
  - "group_vars/iRODS/main.yml"

- name: Installation of iRODS server
  hosts: irods_server
  roles:
    - irods
  become: true
  become_user: root
  become_method: sudo
  vars_fles:
  - "group_vars/iRODS/main.yml"

...

```

7. Preparation of the irods_hosts inventory file

```
[irods_server]
myhost1.mydomain.tld

[irods_database]
myhost2.mydomain.tld

```
**N.B:** iRODS and PostgreSQL may also be installed on the same host.

8. Preparation of your vaulted variables

The values below are given as examples only, you can obviously modify them.

```bash
cd ansible/group_vars/iRODS/
ansible-vault create --vault-id irods@prompt main.yml
```
```
---

# Passwords

admin_password:
negotiation_key:
server_control_plane_key:
zone_key:
irods_unix_password: see https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module for details
database_password:

# Hosts

database_hostname: myhost2.mydomain.tld
provider_hostname: myhost1.mydomain.tld
provider_ip:

# Users and groups

postgresql_unix_group_name: postgres
postgresql_unix_user_name: postgres
irods_unix_group_name: irods
irods_unix_user_name: irods
irods_unix_group_id: 
irods_unix_user_id:
database_user: irodsdb

# iRODS

irods_version: from 4.2.0 to 4.2.8
use_local_mirror: true or false
path_to_data: /irods/data
path_to_icat: /irods/icat
irods_zone: TESTZONE
default_resource: demoResc
database_name: ICAT

# Misc

external_postgresql_version: from 9.4 to 13
use_external_epel: true or false
use_distribution_postgresql: true or false
selinux_mode: enforcing or permissive
...
```

9. SSH keys

Ansible has only two dependencies: SSH and Python. For that reason you need to generate a pair of SSH keys (without password) on the deployment host and copy the public part of it to each target machines:

```
ssh-keygen -b 2018 -t rsa -C "Some comment" -f /home/user/.ssh/ansible_id_rsa
ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost1.mydomain.tld
ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost2.mydomain.tld

```
**N.B:** if SELinux is set to "enforcing", please don't forget to run "/usr/sbin/restorecon -r -v .ssh" on each target machine, else your public key won't work.

10. Run the playbook

```bash
cd ansible
ansible-playbook --key-file=/path/to/your/.ssh/ansible_id_rsa -i irods_hosts irods.yml --ask-vault-pass --vault-id irods@prompt
```

The ansible-playbook command will then ask you to input two passwords in order to decrypt your vaulted variables.