Added a lot of details to README.md

6e0d8426 · viscapi · 40b0217f · 6e0d8426
Commit 6e0d8426 authored Nov 10, 2020 by viscapi
--- a/README.md
+++ b/README.md
@@ -3,14 +3,14 @@ Read Me

 1. About

-Those Ansible roles should allow you to install, from a deployment host, iRODS [4.2.0 - 4.2.8] on one or more CentOS 7.x / 8.x x86_64 hosts. PostgreSQL (9.6 on CentOS 7.x or 10.6 on CentOS 8.x) will be used to serve the iCAT catalogue. All firewalls should be stopped before attempting a deployment.
+Those Ansible roles allow you to install, from a deployment host, iRODS [4.2.0 - 4.2.8] on one or more CentOS 7.x x86_64 hosts. The iRODS role is compatible with both provider and consumer installation modes. PostgreSQL (9.6 on CentOS 7.x or 10.6 on CentOS 8.x) will be used to serve the iCAT catalogue. All firewalls should be stopped before attempting a deployment.

 2. Ansible installation

 ```bash
-yum install python2-pip # en tant que root 
-pip install ansible --user # installation initiale
-pip install -U ansible --user # mise à jour
+yum install python2-pip # as root
+pip install ansible --user # first installation
+pip install -U ansible --user # update
 ```

 3. Gitlab repository
@@ -23,7 +23,7 @@ This Gitlab repository is comprised of two Ansible roles:
 4. Fetch the roles

 ```bash
-mkdir -p ansible/{group_vars/{iRODS,all},roles} ; cd ansible
+mkdir -p ansible/{group_vars/{iRODS,all},host_vars,roles} ; cd ansible
 $ git clone https://dci-gitlab.cines.fr/poc_irods/poc-irods.git roles
 ```

@@ -45,6 +45,10 @@ ansible
  |           |
  |           |_ var_pass.yml
  |
+  |_ host_vars
+  |      |
+  |      |_ myhost1.mydomain.tld
+  |
  |_ roles
       |
       |_ iRODS
@@ -52,6 +56,28 @@ ansible
       |_ postgresql
 ```

+N.B: privilege escalation (sudo) relies on the "ansible_become_password" variable in group_vars/all/var_pass.yml file (it should be vaulted):
+
+```bash
+cd ansible/group_vars/all/
+ansible-vault create var_pass.yml
+```
+
+```
+---
+
+ansible_become_password: your password to become root on the target machines 
+
+...
+```
+
+N.B: The provider / consumer installation mode is handled with the "irods_server_mode" variable in host_vars/myhost1.mydomain.tld file:
+
+```
+irods_server_mode: provider
+
+```
+
 6. Preparation of the irods.yml playbook

 ```
@@ -89,7 +115,7 @@ iRODS and PostgreSQL may be installed on the same host.
 [irods_server]
 myhost1.mydomain.tld

-[irods_data]
+[irods_database]
 myhost2.mydomain.tld

 ```
@@ -103,29 +129,65 @@ cd ansible/group_vars/iRODS/
 ansible-vault create --vault-id irods@prompt main.yml
 ```
 ```
-irods_unix_user_name: irods
-irods_unix_user_id: 
-irods_unix_group_name: irods
-irods_unix_group_id:
-irods_unix_password:
-selinux_mode: enforcing
+---
+
+# Passwords
+
 admin_password:
+negotiation_key:
+server_control_plane_key:
+zone_key:
+irods_unix_password:
+database_password:
+
+# Hosts
+
+database_hostname: myhost2.mydomain.tld
+provider_hostname: myhost1.mydomain.tld
+provider_ip:
+
+# Users and groups
+
+postgresql_unix_group_name: postgres
+postgresql_unix_user_name: postgres
+irods_unix_group_name: irods
+irods_unix_user_name: irods
+irods_unix_group_id: 
+irods_unix_user_id:
+database_user: irodsdb
+
+# iRODS
+
+irods_version: 4.2.8
+path_to_data: /irods/data
+path_to_icat: /irods/icat
 irods_zone: TESTZONE
 default_resource: demoResc
-negotiation_key: "A 32-byte encryption key shared by the zone for use in the advanced negotiation handshake at the beginning of an iRODS client connection"
-database_hostname: myhost2.mydomain.tld
 database_name: ICAT
-database_password:
-database_user: irods
-server_control_plane_key: "The encryption key required for communicating with the iRODS grid control plane. Must be 32 bytes long. This must be the same across all iRODS servers in a Zone."
-zone_key: "The shared secret used for authentication and identification of server-to-server communication - this can be a string of any length, excluding the use of hyphens, for historical purposes. This must be the same across all iRODS servers in a Zone."
-path_to_icat: /data/icat
-irods_server: the IP of myhost1.mydomain.tld
+
+# Misc
+
+selinux_mode: enforcing
+...
+```
+
+9. SSH keys
+
+Ansible has only two dependencies: SSH and Python. For that reason you need to generate a pair of SSH keys (without password) on the deployment host and copy the public part of it to each target machines:
+
 ```
+ssh-keygen -b 2018 -t rsa -C "Some comment" -f /home/user/.ssh/ansible_id_rsa
+ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost1.mydomain.tld
+ssh-copy-id -i /home/user/.ssh/ansible_id_rsa.pub user@myhost2.mydomain.tld

-9. Run the playbook
+```
+N.B: if SELinux is set to "enforcing", please don't forget to run "/usr/sbin/restorecon -r -v .ssh" on each target machine, else your public key won't work.
+
+10. Run the playbook

 ```bash
 cd ansible
 ansible-playbook --key-file=/path/to/your/.ssh/id_rsa -i irods_hosts irods.yml --ask-vault-pass --vault-id irods@prompt
 ```
+
+The ansible-playbook command will then ask you to input two passwords in order to decrypt your vaulted variables.