From 63a0dd72b00cc8f262a09815c9b34414c8229100 Mon Sep 17 00:00:00 2001 
From: MacPingu Date: Mon, 15 Apr 2024 15:50:36 +0200 Subject: [PATCH] Dev almalinux9 (#147) * use vagrant with almalinux-9 * clean up common rh packages * update vagrant * added supervisor config * update to almalinux * replaced include by include_tasks * added atlas v1 * use geerlinguy postgres role * udpate postgres * update locales * update port * added slurm role * update munge slurm * update slurm * update hostname * update gitignore * update pywps handler * update restart of supervisor * fix restart script * update slurm drmaa version * use munge role * update logrotate * update readme with slurm * using minimal munge role * update albatross * updated config for redhat 8 * update on redhat 7 * update supervisor * added shearwater * update vagrant example with emu * use logratote template instead of role * update logrotate package * update shearwater config * added selinux * update slurm config * added owl * added duck * removed role ssl-certs * addes ssl vars * use https * cleaned up docs --------- Co-authored-by: root --- .gitignore | 3 + README.rst | 50 +++++++++- Vagrantfile | 31 +++--- docs/source/appendix.rst | 30 ------ docs/source/changes.rst | 1 - docs/source/deploy.rst | 7 +- docs/source/examples.rst | 78 --------------- docs/source/index.rst | 5 - docs/source/live.rst | 32 ------ docs/source/preparing.rst | 110 -------------------- docs/source/testing.rst | 116 ---------------------- etc/albatross_dkrz.yml | 31 ++++++ etc/owl_dkrz.yml | 31 ++++++ etc/sample-vagrant.yml | 21 ++-- etc/shearwater_dkrz.yml | 31 ++++++ etc/smartduck_dkrz.yml | 34 +++++++ group_vars/all | 93 ++++++++--------- playbook.yml | 17 ++-- requirements.yml | 9 +- roles/common/tasks/Debian.yml | 1 + roles/common/tasks/RedHat.yml | 28 +++++- roles/common/tasks/main.yml | 4 +- roles/pywps/handlers/main.yml | 10 +- roles/pywps/tasks/base.yml | 8 +- roles/pywps/tasks/logrotate.yml | 8 ++ roles/pywps/tasks/main.yml | 4 +- roles/pywps/tasks/selinux.yml | 19 ++++ 
roles/pywps/tasks/webservice.yml | 17 ++-- roles/pywps/templates/logrotate.j2 | 13 +++ roles/pywps/templates/restart-pywps.sh.j2 | 4 +- roles/slurm/tasks/main.yml | 2 + roles/slurm/tasks/munge.yml | 15 +++ roles/supervisor/tasks/main.yml | 14 +++ 33 files changed, 376 insertions(+), 501 deletions(-) delete mode 100644 docs/source/appendix.rst delete mode 100644 docs/source/changes.rst delete mode 100644 docs/source/live.rst delete mode 100644 docs/source/preparing.rst delete mode 100644 docs/source/testing.rst create mode 100644 etc/albatross_dkrz.yml create mode 100644 etc/owl_dkrz.yml create mode 100644 etc/shearwater_dkrz.yml create mode 100644 etc/smartduck_dkrz.yml create mode 100644 roles/pywps/tasks/logrotate.yml create mode 100644 roles/pywps/tasks/selinux.yml create mode 100644 roles/pywps/templates/logrotate.j2 create mode 100644 roles/slurm/tasks/main.yml create mode 100644 roles/slurm/tasks/munge.yml create mode 100644 roles/supervisor/tasks/main.yml diff --git a/.gitignore b/.gitignore index 8055a47..6577aa9 100644 --- a/.gitignore +++ b/.gitignore @@ -6,10 +6,13 @@ etc/custom*.yml roles/andrewrothstein.* roles/geerlingguy.* roles/ANXS.* +roles/anxs.* roles/ansible-role-supervisor roles/jdauphant.ssl-certs roles/nginxinc.nginx roles/arillso.logrotate +roles/galaxyproject.* +roles/grycap.* # ansible collections ansible_collections/ diff --git a/README.rst b/README.rst index 6e351ac..a43ece1 100644 --- a/README.rst +++ b/README.rst 
@@ -28,9 +28,10 @@ Introduction PyWPS Ansible Playbook can completely provision a remote server to run the full stack of PyWPS_, including: * Conda_ to manage application dependencies. -* `Nginx `_ as Web-Server. -* `Supervisor `_ to start/stop and monitor services. +* Nginx_ as Web-Server. +* Supervisor_ to start/stop and monitor services. * PostgreSQL_ optional database used for job logging. +* Slurm_ optional workload manager for jobs. It will install a PyWPS application on a single host. Nginx, Supervisor and miniconda are installed on the system. @@ -44,4 +45,49 @@ See the ``docs`` subdirectory or `readthedocs = 1.7.0" +# This guide is optimized for Vagrant 2.4 and above. +Vagrant.require_version ">= 2.4.0" Vagrant.configure("2") do |config| @@ -17,22 +17,19 @@ Vagrant.configure("2") do |config| config.ssh.private_key_path = '~/.vagrant.d/insecure_private_key' config.vm.define "wps" do |wps| - # wps.vm.box = "bento/ubuntu-18.04" - # wps.vm.box = "bento/ubuntu-16.04" - # wps.vm.box = "bento/debian-9" - wps.vm.box = "bento/centos-7" - # wps.vm.box = "bento/centos-6" - # wps.vm.box = "bento/fedora-27" + # wps.vm.box = "bento/centos-7" + # wps.vm.box = "bento/almalinux-8" + wps.vm.box = "bento/almalinux-9" wps.vm.hostname = "wps.local" wps.vm.network "private_network", ip: "192.168.128.100" - wps.vm.provision 'ansible' do |ansible| - ansible.playbook = 'playbook.yml' - ansible.verbose = "v" - ansible.host_key_checking = false - ansible.groups = { - "web" => ["wps"], - "worker" => [] - } - end + # wps.vm.provision 'ansible' do |ansible| + # ansible.playbook = 'playbook.yml' + # ansible.verbose = "v" + # ansible.host_key_checking = false + # ansible.groups = { + # "web" => ["wps"], + # "worker" => [] + # } + # end end end diff --git a/docs/source/appendix.rst b/docs/source/appendix.rst deleted file mode 100644 index f88daa9..0000000 --- a/docs/source/appendix.rst +++ /dev/null 
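Review bot: In the second Vagrantfile hunk the whole `wps.vm.provision 'ansible'` block is commented out instead of being removed or made switchable, so `vagrant up` now produces an unprovisioned VM and the file keeps nine dead lines (including `ansible.host_key_checking = false`) with no explanation. Either delete the block or put a one-line comment above it saying why it is disabled, for example `# provisioner disabled: run ansible-playbook manually inside the VM`, if that is the intended workflow. The box is also selected by name only; adding `wps.vm.box_version = "<pinned version>"` next to `wps.vm.box = "bento/almalinux-9"` would keep test runs reproducible when the upstream box is republished.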
@@ -1,30 +0,0 @@ -Ansible Hints -============= - -Show local variables and facts: - -.. code-block:: sh - - $ ansible -m setup -c local localhost - - -Skip specific tasks for quick tests, for example skip ``conda`` tasks: - -.. code-block:: sh - - $ ansible-playbook -c local --skip-tags=conda -i hosts playbook.yml - -Links -===== - -Used roles: - -* miniconda: https://galaxy.ansible.com/andrewrothstein/miniconda/ -* nginx: https://galaxy.ansible.com/geerlingguy/nginx -* supervisor: https://galaxy.ansible.com/geerlingguy/supervisor -* postgresql: https://galaxy.ansible.com/anxs/postgresql -* ssl-certs: https://galaxy.ansible.com/jdauphant/ssl-certs - -Alternative roles: - -* postgresql: https://galaxy.ansible.com/geerlingguy/postgresql diff --git a/docs/source/changes.rst b/docs/source/changes.rst deleted file mode 100644 index d76c92b..0000000 --- a/docs/source/changes.rst +++ /dev/null @@ -1 +0,0 @@ -.. include:: ../../CHANGES.rst diff --git a/docs/source/deploy.rst b/docs/source/deploy.rst index f2a01f7..48d33fe 100644 --- a/docs/source/deploy.rst +++ b/docs/source/deploy.rst @@ -7,7 +7,7 @@ Deploy a PyWPS Application .. note:: - You can safely try the installation using Vagrant_ or Docker. See :ref:`testing`. + You can safely try the installation using Vagrant_. Prepare ------- @@ -19,7 +19,6 @@ You need a recent Ansible_ version (`>=2.7`) on your local client: $ ansible --version ansible 2.7.2 -If you don't have Ansible installed, then follow these instructions: :ref:`requirements`. Get the Playbook ---------------- @@ -53,7 +52,7 @@ Running your playbook locally Make sure your Ansible directory is not world-readable, otherwise the `ansible.cfg` file will not be read. See `Ansible Documentation `_. -If not already done (see :ref:`requirements`), fetch required roles/recipes from `ansible-galaxy`: +If not already done, fetch required roles/recipes from `ansible-galaxy`: .. code-block:: console 
@@ -68,5 +67,3 @@ Run your playbook locally: .. note:: You can also use the shortcut to run both:: $ make play - -For remote deployment follow the instructions in the next section :ref:`live`. diff --git a/docs/source/examples.rst b/docs/source/examples.rst index 12bfce4..d7f79fc 100644 --- a/docs/source/examples.rst +++ b/docs/source/examples.rst 
@@ -48,81 +48,3 @@ Run "hello" in sync mode: http://localhost:5000/wps?service=WPS&version=1.0.0&request=Execute&identifier=hello&DataInputs=name=Stranger -Install Slurm cluster ---------------------- - -Use this slurm playbook: - -https://github.com/roocs/slurm-playbook - -Run playbook with Vagrant:: - - $ vagrant up - $ ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u vagrant --private-key=~/.vagrant.d/insecure_private_key -i inventories/vagrant-cluster.yml playbook.yml - - -Login to slurm master node:: - - $ vagrant ssh slurmmaster - -Run slurm test:: - - > sudo -i # become root - > squeue # to view the queue - > sbatch /root/hostname.sh # to run a job - > squeue # to see if it is running - - -Install Emu/PyWPS on cluster ----------------------------- - -Use the WPS playbook: - -https://github.com/bird-house/ansible-wps-playbook - -Install PyWPS into the same cluster as slurm:: - - $ cp etc/vagrant-cluster.yml custom.yml - $ ansible-playbook -u vagrant --private-key=~/.vagrant.d/insecure_private_key -i inventory/vagrant-cluster.yml playbook.yml - -This example is using the Emu WPS with simple test processes: - -https://github.com/bird-house/emu - -Test Emu WPS service -++++++++++++++++++++ - -Test connection: - -http://192.168.50.44:5000/wps?service=WPS&version=1.0.0&request=GetCapabilities - -Run "sleep" in async mode with scheduler: - -http://192.168.50.44:5000/wps?service=WPS&version=1.0.0&request=Execute&identifier=sleep&storeExecuteResponse=true&status=true&DataInputs=delay=2 - -Install the rook/PyWPS for subsetting on cluster ------------------------------------------------- - -This example is using the rook WPS with subsetting processes on climate model data: - -https://github.com/roocs/rook - -Installation is like before with slurm cluster but using a different config file:: - - $ cp etc/vagrant-cluster-with-rook.yml custom.yml - $ ansible-playbook -u vagrant --private-key=~/.vagrant.d/insecure_private_key -i inventory/vagrant-cluster.yml playbook.yml 
- -In this example demo data is installed in a shared Vagrant folder ``.local/data``: - -https://github.com/roocs/mini-esgf-data - -Test rook WPS service -+++++++++++++++++++++ - -Test connection: - -http://192.168.50.44:5000/wps?service=WPS&version=1.0.0&request=GetCapabilities - -Run "subset" in async mode with scheduler and default values: - -http://192.168.50.44:5000/wps?service=WPS&version=1.0.0&request=Execute&identifier=subset&storeExecuteResponse=true&status=true diff --git a/docs/source/index.rst b/docs/source/index.rst index bb596e3..6fee3b2 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -6,11 +6,6 @@ Getting started .. toctree:: :maxdepth: 2 - preparing deploy - live configuration - testing examples - changes - appendix diff --git a/docs/source/live.rst b/docs/source/live.rst deleted file mode 100644 index 94f355a..0000000 --- a/docs/source/live.rst +++ /dev/null 
@@ -1,32 +0,0 @@ -.. _live: - -Live host deployment -==================== - -Creating a host file --------------------- - -You'll need to tell Ansible how to connect to your host. -There are multiple ways to do this. The easiest for our purposes is to create a *manifest* file. - -Create a file with a name like ``myhost.cfg`` that follows the pattern: - -.. code-block:: ini - - wps.demo ansible_ssh_user=vagrant ansible_ssh_host=192.168.128.100 ansible_ssh_port=22 - -You may leave off the ``ansible_ssh_host`` setting if the hostname is real. -However, when doing early provisioning, it's often not available. -``ansible_ssh_port`` is only required if you want to use a non-standard ssh port. -``ansible_ssh_user`` should be the login id on the remote machine. -That user must have `sudo` rights. - -Running your playbook ---------------------- - -.. code-block:: console - - $ ansible-playbook --ask-become-pass -i myhost.cfg playbook.yml - -The ``--ask-become-pass`` option instructs Ansible to ask for your user password when it uses sudo for provisioning. -It's not required if the remote user has password-less sudo rights. diff --git a/docs/source/preparing.rst b/docs/source/preparing.rst deleted file mode 100644 index 0cd7dc7..0000000 --- a/docs/source/preparing.rst +++ /dev/null 
@@ -1,110 +0,0 @@ -.. _requirements: - -Requirements -============ - -.. contents:: - :local: - :depth: 2 - -Target Server -------------- - -Supported platforms -~~~~~~~~~~~~~~~~~~~ - -At the moment, we are testing with CentOS 6/7 and Ubuntu 18.04. - -SSH access; sudo -~~~~~~~~~~~~~~~~ - -Beyond the basic platform, the only requirements are that you have ``ssh`` access -to the remote server with full ``sudo`` rights. - -For local testing via virtual machine, any machine that supports VirtualBox/Vagrant -should be adequate. - -Local setup ------------ - -.. note:: - You will need Ansible only on your client which you use for running the Ansible scripts. - The server can be installed remotely. - -On your local machine (the one from which you're controlling the remote server), -you will need a recent copy of Ansible (`>=2.7`). `docs.ansible.com`_ -has thorough installation instructions. - -.. warning:: - Don't us your OS package manager to install Ansible; you may get an unusably out-of-date version. - -You will also nearly certainly want `git`, both for cloning the playbook and for version-controlling your own work. - -To clone the playbook, use the command: - -.. code-block:: console - - $ git clone https://github.com/bird-house/ansible-wps-playbook.git - - -Quick setup ------------ - -In the following we give some installation examples. - -MacOS -~~~~~ - -Use brew_ to install Ansible: - -.. code-block:: console - - $ brew install git - $ brew install ansible - # check version - $ ansible --version - ansible 2.7.2 - -Conda -~~~~~ - -You can use Conda_ to install Ansible. Conda is available for Linux, MacOS and Windows. - -.. code-block:: console - - $ conda install -c conda-forge ansible - # check ansible version - $ ansible --version - ansible 2.7.2 - -If you don't have Conda installed, the fastest way is to install Miniconda_, preferably the Python 3.x version. 
- -Ansible role requirements -------------------------- - -We have a several Ansible role dependencies which you may fulfill via Ansible Galaxy with the command: - -.. code-block:: console - - $ ansible-galaxy -r requirements.yml -p roles install - -This should be executed in your playbook directory. -Downloaded requirements will be dropped into the ``roles`` directory there. - -Remote setup ------------- - -Ansible requires that the target server have a recent Python 2.x on the server. -Newer platforms (like Ubuntu Xenial and later) may not have this activated on pristine new machines. - -If you get connection errors from Ansible, check the remote machine to make sure Python 2.7 is available. -`which python2.7` will let you know. -If it's missing, use your package manager to install it. - -On Ubuntu Xenial (16.0.4 LTS), `sudo apt-get install -y python` will do the trick. - - -.. _`docs.ansible.com`: http://docs.ansible.com/intro_installation.html -.. _brew: https://brew.sh/ -.. _Conda: https://conda.io/docs/user-guide/install/index.html -.. _Miniconda: https://conda.io/miniconda.html diff --git a/docs/source/testing.rst b/docs/source/testing.rst deleted file mode 100644 index 8e99976..0000000 --- a/docs/source/testing.rst +++ /dev/null 
@@ -1,116 +0,0 @@ -.. _testing: - -Testing -======= - -.. contents:: - :local: - :depth: 2 - -Test Ansible with Vagrant -------------------------- - -Install Vagrant -+++++++++++++++ - -You need to install Vagrant_. See the following links for details: - -* https://docs.ansible.com/ansible/latest/scenario_guides/guide_vagrant.html -* https://www.vagrantup.com/intro/getting-started/index.html -* https://blog.scriptmyjob.com/creating-an-ansible-testing-environment-using-vagrant-on-macos/ - -In short, you can install Vagrant on macOS with `Homebrew `_ -(and `Homebrew Cask `_): - -.. code-block:: sh - - $ brew cask install virtualbox - $ brew cask install vagrant - -You need Ansible locally installed: - -.. code-block:: sh - - $ conda install -c conda-forge ansible - OR - $ brew install ansible # macOS only - -Install Ansible roles: - -.. code-block:: sh - - $ ansible-galaxy install -p roles -r requirements.yml --ignore-errors - -Run Vagrant -+++++++++++ - -Use Vagrant config: - -.. code-block:: sh - - $ ln -s etc/sample-vagrant.yml custom.yml - -Initial setup: - -.. code-block:: sh - - $ vagrant up - -Provision with Ansible again: - -.. code-block:: sh - - $ vagrant provision - -Login with SSH: - -.. code-block:: sh - - $ vagrant ssh - -Run Ansible manually: - -.. code-block:: sh - - $ ansible-playbook -i .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory playbook.yml - -Remove VMs: - -.. 
code-block:: sh - - $ vagrant destroy -f - -Try WPS requests -++++++++++++++++ - -Run a WPS GetCapabilites request:: - - $ curl -s -o caps.xml \ - "http://192.168.128.100:5000/wps?service=WPS&request=GetCapabilities" - $ less caps.xml - -Try other OS -++++++++++++ - -Configure ``Vagrantfile`` with another `Bento Box `_:: - - wps.vm.box = "bento/ubuntu-18.04" - -Alternative: use Vagrant without provisioning ---------------------------------------------- - -Use Vagrant without provisioning and just to setup a new VM:: - - $ vagrant destroy -f # remove previous VM - $ vagrant up --no-provision # setup new VM - $ vagrant ssh # ssh into VM - -Run the installation manually now:: - - vagrant> sudo yum install git - vagrant> cd /vagrant - vagrant> sudo yum install epel-release - vagrant> sudo yum install ansible - vagrant> ln -s etc/sample-vagrant.yml custom.yml - vagrant> ansible-galaxy install -r requirements.yml - vagrant> ansible-playbook -c local -i hosts playbook.yml diff --git a/etc/albatross_dkrz.yml b/etc/albatross_dkrz.yml new file mode 100644 index 0000000..8b6383f --- /dev/null +++ b/etc/albatross_dkrz.yml @@ -0,0 +1,31 @@ +--- +# enable cronjob to clean outputs +cron_mailto: ehbrecht@dkrz.de +cron_enabled: yes +cron_user: root +wps_outputs_keep_days: 0 +wps_temp_keep_days: 0 +# db +db_install_postgresql: true +db_install_sqlite: false +# conda +conda_env_use_spec: true +conda_env_spec_file: spec-list.txt +# slurm +slurm_enabled: yes +slurm_cpus: 4 +# Configuration for Albatross WPS +wps_services: + - name: albatross + repo: https://github.com/climateintelligence/albatross.git + version: main + hostname: albatross.dkrz.de + port: 80 + mode: scheduler + maxprocesses: -1 + parallelprocesses: -1 + storage_copy_function: link + log_level: INFO + cleantempdir: true + provider_name: CLINT + provider_url: https://climateintelligence.eu/ diff --git a/etc/owl_dkrz.yml b/etc/owl_dkrz.yml new file mode 100644 index 0000000..ad53fc2 --- /dev/null +++ b/etc/owl_dkrz.yml 
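Review bot: `version: main` in the `albatross` service entry makes every playbook run deploy whatever is at the tip of that branch, so the code that ends up on albatross.dkrz.de is not fixed by this repository; a release tag or commit id (`version: <tag-or-commit>`) would make deployments reproducible and reviewable. The same applies to `etc/owl_dkrz.yml` and `etc/shearwater_dkrz.yml` (`version: main`) and to `etc/smartduck_dkrz.yml` (`version: curiousduck`, which looks like a branch name). Albatross, owl and shearwater also set `port: 80` without `wps_enable_https`, while smartduck sets `wps_enable_https: true` with `port: 443`; the default for that variable is not visible in this diff, so it is worth confirming that these three hosts are meant to serve plain HTTP. In `etc/owl_dkrz.yml` the comment `# Configuration for Albatross WPS` was carried over and should read `# Configuration for Owl WPS`.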
@@ -0,0 +1,31 @@ +--- +# enable cronjob to clean outputs +cron_mailto: ehbrecht@dkrz.de +cron_enabled: yes +cron_user: root +wps_outputs_keep_days: 0 +wps_temp_keep_days: 0 +# db +db_install_postgresql: true +db_install_sqlite: false +# conda +conda_env_use_spec: true +conda_env_spec_file: spec-list.txt +# slurm +slurm_enabled: yes +slurm_cpus: 4 +# Configuration for Albatross WPS +wps_services: + - name: owl + repo: https://github.com/climateintelligence/owl.git + version: main + hostname: owl1.cloud.dkrz.de + port: 80 + mode: scheduler + maxprocesses: -1 + parallelprocesses: -1 + storage_copy_function: link + log_level: INFO + cleantempdir: true + provider_name: CLINT + provider_url: https://climateintelligence.eu/ diff --git a/etc/sample-vagrant.yml b/etc/sample-vagrant.yml index 96593d3..1ee0655 100644 --- a/etc/sample-vagrant.yml +++ b/etc/sample-vagrant.yml @@ -1,21 +1,20 @@ --- server_name: 192.168.128.100 +# use postgres db_install_postgresql: true db_install_sqlite: false -#db_user: dbuser -#db_password: dbuser +# no https wps_enable_https: false -# Enable separate Fileserver for WPS outputs -# fs_enabled: false -# fs_host: "{{ server_name }}" -# fs_port: 5001 # Conda spec -# conda_env_use_spec: false +conda_env_use_spec: true +conda_env_spec_file: spec-list.txt +# slurm +slurm_enabled: yes # Configuration for Emu WPS wps_services: - name: emu hostname: "{{ server_name }}" - fs_hostname: "{{ server_name }}" - port: 5000 - log_level: DEBUG - cleantempdir: false + port: 80 + mode: scheduler + maxprocesses: -1 + parallelprocesses: -1 diff --git a/etc/shearwater_dkrz.yml b/etc/shearwater_dkrz.yml new file mode 100644 index 0000000..7a19db4 --- /dev/null +++ b/etc/shearwater_dkrz.yml 
@@ -0,0 +1,31 @@
+---
+# enable cronjob to clean outputs
+cron_mailto: ehbrecht@dkrz.de
+cron_enabled: yes
+cron_user: root
+wps_outputs_keep_days: 0
+wps_temp_keep_days: 0
+# db
+db_install_postgresql: true
+db_install_sqlite: false
+# conda
+conda_env_use_spec: true
+conda_env_spec_file: spec-list.txt
+# slurm
+slurm_enabled: yes
+slurm_cpus: 4
+# Configuration for Shearwater WPS
+wps_services:
+ - name: shearwater
+ repo: https://github.com/climateintelligence/shearwater.git
+ version: main
+ hostname: shearwater.dkrz.de
+ port: 80
+ mode: scheduler
+ maxprocesses: -1
+ parallelprocesses: -1
+ storage_copy_function: link
+ log_level: INFO
+ cleantempdir: true
+ provider_name: CLINT
+ provider_url: https://climateintelligence.eu/
diff --git a/etc/smartduck_dkrz.yml b/etc/smartduck_dkrz.yml
new file mode 100644
index 0000000..ba28b24
--- /dev/null
+++ b/etc/smartduck_dkrz.yml
@@ -0,0 +1,34 @@
+---
+# enable cronjob to clean outputs
+cron_mailto: ehbrecht@dkrz.de
+cron_enabled: yes
+cron_user: root
+wps_outputs_keep_days: 0
+wps_temp_keep_days: 0
+# db
+db_install_postgresql: true
+db_install_sqlite: false
+# conda
+conda_env_use_spec: true
+conda_env_spec_file: spec-list.txt
+# nginx
+wps_enable_https: true
+# slurm
+slurm_enabled: yes
+slurm_cpus: 4
+# Configuration for Duck/CRAI WPS
+wps_services:
+ - name: duck
+ repo: https://github.com/climateintelligence/duck.git
+ # version: main
+ version: curiousduck
+ hostname: smartduck.dkrz.de
+ port: 443
+ mode: scheduler
+ maxprocesses: -1
+ parallelprocesses: -1
+ storage_copy_function: link
+ log_level: INFO
+ cleantempdir: true
+ provider_name: CLINT
+ provider_url: https://climateintelligence.eu/
diff --git a/group_vars/all b/group_vars/all
index 67c7380..4d29ff9 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -12,63 +12,42 @@ service_groups: "{{ service_group }}" service_user_home: /var/lib/pywps cron_script_dir: "{{ service_user_home }}" -# RedHat/CentOS epel repo -epel_repo_disable: false - -# logrotation -logrotate_use_hourly_rotation: false -logrotate_applications: - - name: pywps - definitions: - - logs: - - /var/log/pywps/*.log - options: - - rotate 7 - - daily - - dateext - - copytruncate - - missingok - - notifempty - - sharedscripts - postrotate: - - supervisorctl restart all >/dev/null 2>/dev/null || true - - name: slurm - definitions: - - logs: - - /var/log/slurm/*.log - options: - - rotate 7 - - daily - - dateext - - copytruncate - - missingok - - notifempty - - sharedscripts - postrotate: - - systemctl reload slurmd > /dev/null 2>&1 || true - - systemctl reload slurmctld > /dev/null 2>&1 || true - # postgres db_install_postgresql: true db_install_sqlite: false db_host: localhost db_port: 5432 -db_user: dbuser -db_password: dbuser +db_user: pywps +db_password: pywps # nginx fileserver fs_enabled: false fs_host: localhost fs_port: 6000 -# drmaa +# slurm/drmaa +# https://github.com/galaxyproject/ansible-slurm slurm_enabled: false -slurm_drmaa_version: 1.1.3 +slurm_cpus: 2 +slurm_drmaa_version: 1.1.4 +slurm_roles: ['controller', 'exec'] +slurm_config: + SchedulerType: "sched/builtin" + SelectType: "select/cons_res" + SelectTypeParameters: "CR_Core" +slurm_nodes: + - name: localhost + CPUs: "{{ slurm_cpus }}" +slurm_partitions: + - name: fast + Default: YES + MaxTime: INFINITE + Nodes: localhost +slurm_munge_key: /etc/munge/munge.key # miniconda miniconda_parent_dir: "{{ prefix }}" miniconda_make_sys_default: False -# miniconda_ver: '4.7.12.1' # conda conda_location: "{{ prefix }}/anaconda" @@ -79,6 +58,7 @@ conda_env_use_spec: false conda_env_spec_file: spec-list.txt # supervisor +# https://github.com/geerlingguy/ansible-role-supervisor supervisor_user: root supervisor_password: 'test' supervisor_unix_http_server_password_protect: false 
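Review bot: The first group_vars hunk replaces one guessable default with another: `db_user: pywps` and `db_password: pywps` give every deployment that does not override them a database password equal to the user name. It would be safer to ship no usable default and require the value from `custom.yml` (ideally vault-encrypted), documented with a comment such as `# db_password: set in custom.yml; no default on purpose`. The next hunk on this line keeps `supervisor_password: 'test'` as context, which deserves the same treatment. None of the host files added under `etc/` in this commit set `db_password`, so as far as this diff shows they would run with the default.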
@@ -88,6 +68,8 @@ supervisor_inet_http_server_enable: false supervisor_inet_http_server_port: '*:9001' # nginx +# https://galaxy.ansible.com/ui/standalone/roles/geerlingguy/nginx/ +# https://galaxy.ansible.com/ui/standalone/roles/nginxinc/nginx/ nginx_user: "{{ service_user }} {{ service_group }}" nginx_remove_default_vhost: true nginx_extra_http_options: | @@ -99,6 +81,12 @@ nginx_keepalive_timeout: "60" nginx_keepalive_requests: "100" nginx_proxy_timeout: "60s" +# ssl +ssl_certs_common_name: "{{ ansible_fqdn }}" +ssl_certs_path: "/etc/ssl/{{ ssl_certs_common_name }}" +ssl_certs_privkey_path: "{{ ssl_certs_path }}/{{ ssl_certs_common_name }}.key" +ssl_certs_cert_path: "{{ ssl_certs_path }}/{{ ssl_certs_common_name }}.pem" + # gunicorn # https://docs.gunicorn.org/en/stable/settings.html gunicorn_workers: 5 # rule of thumb: 2 * CPUs + 1 @@ -106,22 +94,20 @@ gunicorn_worker_class: 'sync' # or "gevent", needs gevent gunicorn_timeout: 30 # postgres +# https://github.com/geerlingguy/ansible-role-postgresql +postgresql_restarted_state: "restarted" +postgresql_service_state: "started" +postgresql_service_enabled: true +postgresql_locales: + - 'en_US.utf8' postgresql_databases: - name: "pywps" + port: "{{ db_port }}" postgresql_users: - name: "{{ db_user }}" - pass: "{{ db_password }}" + password: "{{ db_password }}" encrypted: yes # encryption necessary for postgres>=10.0. -postgresql_listen_addresses: - - "*" -postgresql_pg_hba_md5_hosts: [] -postgresql_pg_hba_trust_hosts: [] -postgresql_port: "{{ db_port }}" - -# ssl-certs -# https://github.com/jdauphant/ansible-role-ssl-certs/blob/master/defaults/main.yml -ssl_certs_path_owner: "{{ service_user }}" -ssl_certs_path_group: "{{ service_group }}" +# postgresql_hba_entries: [] # cron cron_enabled: false 
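Review bot: The `# ssl` block added in the second hunk on this line only names paths (`ssl_certs_privkey_path`, `ssl_certs_cert_path`); with `jdauphant.ssl-certs` dropped from `playbook.yml` and `requirements.yml`, nothing visible in this commit creates the certificate or key, or sets ownership and mode on them. If they are now installed out of band, say so next to the variables, for example `# certificate and key are provisioned outside this playbook; the key must be readable only by root`. `etc/smartduck_dkrz.yml` sets `wps_enable_https: true`, so that host depends on these files being present with the right permissions.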
@@ -129,6 +115,9 @@ cron_disabled: "{{ cron_enabled | bool == false }}" cron_mailto: root cron_user: root +# selinux +# https://docs.ansible.com/ansible/latest/collections/community/general/sefcontext_module.html +selinux_enabled: true # roocs roocs_enabled: false diff --git a/playbook.yml b/playbook.yml index 683e1a5..b64e311 100644 --- a/playbook.yml +++ b/playbook.yml @@ -14,28 +14,29 @@ # debug: # var: hostvars['192.168.50.44'] roles: - - role: geerlingguy.repo-epel - when: (ansible_os_family == "RedHat") and (not epel_repo_disable) - common - role: andrewrothstein.miniconda tags: conda - - role: geerlingguy.supervisor + - role: supervisor tags: supervisor - - role: jdauphant.ssl-certs + - role: geerlingguy.supervisor tags: - nginx + supervisor - role: geerlingguy.nginx tags: nginx - - role: ANXS.postgresql + - role: geerlingguy.postgresql when: db_install_postgresql tags: db + - role: slurm + when: slurm_enabled + - role: galaxyproject.slurm + when: slurm_enabled - name: pywps wps_webservice_enabled: true - - role: arillso.logrotate - name: roocs when: roocs_enabled - name: flamingo @@ -52,8 +53,6 @@ - custom.yml - null.yml roles: - - role: geerlingguy.repo-epel - when: (ansible_os_family == "RedHat") and (not epel_repo_disable) - common - role: andrewrothstein.miniconda tags: diff --git a/requirements.yml b/requirements.yml index e239f92..219e65a 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,14 +1,11 @@ --- roles: - name: andrewrothstein.miniconda - - name: andrewrothstein.bash - - name: andrewrothstein.unarchive-deps - - name: geerlingguy.repo-epel - name: geerlingguy.supervisor - name: geerlingguy.nginx - - name: ANXS.postgresql - - name: jdauphant.ssl-certs - - name: arillso.logrotate + - name: geerlingguy.postgresql + - name: galaxyproject.slurm collections: - name: community.general + - name: ansible.posix diff --git a/roles/common/tasks/Debian.yml b/roles/common/tasks/Debian.yml index a6a8567..29f6704 100644 
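Review bot: The roles and collections in the `requirements.yml` hunk are listed by name only, so `ansible-galaxy install` pulls whatever release is current when it runs; the newly added `geerlingguy.postgresql`, `galaxyproject.slurm` and `ansible.posix` install and configure system services on the target. Adding a `version:` key to each entry, e.g. `- name: galaxyproject.slurm` followed by `version: <pinned release>`, would make role updates an explicit, reviewable change.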
--- a/roles/common/tasks/Debian.yml +++ b/roles/common/tasks/Debian.yml @@ -4,6 +4,7 @@ state: latest vars: packages: + - python3-pip - build-essential - libssl-dev diff --git a/roles/common/tasks/RedHat.yml b/roles/common/tasks/RedHat.yml index 0484b9d..f3faad6 100644 --- a/roles/common/tasks/RedHat.yml +++ b/roles/common/tasks/RedHat.yml @@ -6,11 +6,29 @@ packages: - gcc-c++ - make - - libselinux-python - - initscripts - - python-meld3 - - openssl-devel - - cronie + - libselinux + +- name: Install packages on RedHat 7/8 + yum: + name: "{{ packages }}" + state: latest + vars: + packages: + - python2-pip + when: + - ansible_distribution_major_version|int <= 8 + +- name: Install packages on RedHat 9 + yum: + name: "{{ packages }}" + state: latest + vars: + packages: + - python3-pip + - langpacks-en + - glibc-all-langpacks + when: + - ansible_distribution_major_version|int >= 9 - name: Remove unwanted packages on RedHat yum: diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 8a1db17..f558dc2 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -7,10 +7,12 @@ - name: Install common packages package: name={{ item }} state=latest with_items: - - python-pip - wget - curl - git + - vim + - tmux + - logrotate tags: - common diff --git a/roles/pywps/handlers/main.yml b/roles/pywps/handlers/main.yml index 7b0e54a..13bf932 100644 --- a/roles/pywps/handlers/main.yml +++ b/roles/pywps/handlers/main.yml @@ -1,12 +1,8 @@ --- -- name: restart pywps - supervisorctl: - name: "{{ item.name }}" +- name: restart supervisord + service: + name: supervisord state: restarted - # config: "{{ supervisor_config_path}}/supervisord.conf" - username: "{{ supervisor_user }}" - password: "{{ supervisor_password }}" - with_items: "{{ wps_services }}" - name: restart nginx service: diff --git a/roles/pywps/tasks/base.yml b/roles/pywps/tasks/base.yml index d59ad3a..e2306c5 100644 --- a/roles/pywps/tasks/base.yml +++ b/roles/pywps/tasks/base.yml 
@@ -1,8 +1,8 @@ --- -- include: source.yml +- include_tasks: source.yml -- include: conda.yml +- include_tasks: conda.yml -- include: folders.yml +- include_tasks: folders.yml -- include: config.yml +- include_tasks: config.yml diff --git a/roles/pywps/tasks/logrotate.yml b/roles/pywps/tasks/logrotate.yml new file mode 100644 index 0000000..2566695 --- /dev/null +++ b/roles/pywps/tasks/logrotate.yml @@ -0,0 +1,8 @@ +--- +- name: Copy pywps logrotate config + template: + src: ./templates/logrotate.j2 + dest: /etc/logrotate.d/pywps + tags: + - pywps + - conf \ No newline at end of file diff --git a/roles/pywps/tasks/main.yml b/roles/pywps/tasks/main.yml index f324ca1..c5f5e57 100644 --- a/roles/pywps/tasks/main.yml +++ b/roles/pywps/tasks/main.yml @@ -1,5 +1,5 @@ --- -- include: base.yml +- include_tasks: base.yml -- include: webservice.yml +- include_tasks: webservice.yml when: wps_webservice_enabled diff --git a/roles/pywps/tasks/selinux.yml b/roles/pywps/tasks/selinux.yml new file mode 100644 index 0000000..bbcf838 --- /dev/null +++ b/roles/pywps/tasks/selinux.yml @@ -0,0 +1,19 @@ +--- +- name: Enable SELinux + ansible.posix.selinux: + policy: targeted + state: enforcing + +- name: Allow nginx to modify access socket files in /var/run/pywps + community.general.sefcontext: + target: '/var/run/pywps(/.*)?' + setype: httpd_var_run_t + state: present + +- name: Apply new SELinux file context to filesystem + command: restorecon -iRv /var/run + +- name: Change the httpd_t domain to permissive + community.general.selinux_permissive: + name: httpd_t + permissive: true \ No newline at end of file diff --git a/roles/pywps/tasks/webservice.yml b/roles/pywps/tasks/webservice.yml index 9486630..41c6e26 100644 --- a/roles/pywps/tasks/webservice.yml +++ b/roles/pywps/tasks/webservice.yml 
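Review bot: The last task in `roles/pywps/tasks/selinux.yml` sets `httpd_t` to permissive, which stops SELinux from enforcing anything for processes in that domain, so the `sefcontext` rule for `/var/run/pywps(/.*)?` and `state: enforcing` above it add no protection for the web server. Drop the `selinux_permissive` task and, if denials remain, resolve them with targeted file contexts or booleans instead. `command: restorecon -iRv /var/run` relabels far more than the path that was just registered and reports a change on every run; `command: restorecon -iRv /var/run/pywps` with a `changed_when` condition would be narrower. The include in `webservice.yml` is gated only by `selinux_enabled`, which `group_vars/all` now defaults to `true`, so Debian-family targets would presumably need to override it.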
@@ -1,23 +1,26 @@ --- -- include: clean.yml -- include: cronjob.yml -- include: webservice_config.yml +- include_tasks: clean.yml +- include_tasks: cronjob.yml +- include_tasks: webservice_config.yml +- include_tasks: logrotate.yml +- include_tasks: selinux.yml + when: selinux_enabled -- include: slurm.yml +- include_tasks: slurm.yml when: slurm_enabled tags: - slurm -- include: sqlite.yml +- include_tasks: sqlite.yml when: db_install_sqlite -- include: fileserver.yml +- include_tasks: fileserver.yml when: fs_enabled - name: Assure PyWPS running at end of playbook command: /bin/true notify: - - restart pywps + - restart supervisord tags: - pywps - conf diff --git a/roles/pywps/templates/logrotate.j2 b/roles/pywps/templates/logrotate.j2 new file mode 100644 index 0000000..9dcab8c --- /dev/null +++ b/roles/pywps/templates/logrotate.j2 @@ -0,0 +1,13 @@ +# +# Ansible managed +# + +/var/log/pywps/*.log { + rotate 7 + daily + dateext + copytruncate + missingok + notifempty + sharedscripts +} diff --git a/roles/pywps/templates/restart-pywps.sh.j2 b/roles/pywps/templates/restart-pywps.sh.j2 index da6b673..30c2910 100644 --- a/roles/pywps/templates/restart-pywps.sh.j2 +++ b/roles/pywps/templates/restart-pywps.sh.j2 @@ -4,12 +4,14 @@ # Usage: restart-pywps [service_name] # Example: restart-pywps rook +export PATH=/usr/local/bin:$PATH + APP="$1" echo "[INFO] Stopping $APP" supervisorctl stop $APP sleep 1 echo "[INFO] Finding gunicorn processes..." -gunicorn_pids=$(echo $(ps aux | grep -i gunicorn | grep $APP | cut -c10-15)) +gunicorn_pids=$(echo $(ps -eo pid,cmd | grep -i gunicorn | grep $APP | cut -s --delimiter=" " -f2)) echo "[INFO] Found processes: $gunicorn_pids" if [ "$gunicorn_pids" ]; then echo "[WARN] Killing processes: $gunicorn_pids" diff --git a/roles/slurm/tasks/main.yml b/roles/slurm/tasks/main.yml new file mode 100644 index 0000000..7bd1974 --- /dev/null +++ b/roles/slurm/tasks/main.yml 
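Review bot: In `restart-pywps.sh.j2` the new PID extraction `cut -s --delimiter=" " -f2` depends on how many padding spaces `ps -eo pid,cmd` prints before the PID, so field 2 can be empty or a word of the command line rather than a PID, and the result is presumably passed to the kill step that follows outside this hunk. `$APP` is also unquoted and used as a bare substring in `grep $APP`, so a short service name can match other services' workers. Selecting by pattern is sturdier: `gunicorn_pids=$(pgrep -f "gunicorn.*${APP}" | tr '\n' ' ')`, with `supervisorctl stop "$APP"` quoted and an early `[ -n "$APP" ] || exit 1`.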
@@ -0,0 +1,2 @@
+---
+- include_tasks: munge.yml
\ No newline at end of file
diff --git a/roles/slurm/tasks/munge.yml b/roles/slurm/tasks/munge.yml
new file mode 100644
index 0000000..66f3224
--- /dev/null
+++ b/roles/slurm/tasks/munge.yml
@@ -0,0 +1,15 @@
+---
+ - name: Install munge
+ package: name={{ item }} state=latest
+ with_items:
+ - munge
+ - slurm-devel
+
+ - name: set munge log directory access rights
+ file: path=/var/log/munge state=directory mode=0700
+
+ - name: set log directory access rights
+ file: path=/var/log state=directory mode=0755
+
+ - name: Generate munge key
+ shell: create-munge-key < /dev/null creates={{ slurm_munge_key }}
diff --git a/roles/supervisor/tasks/main.yml b/roles/supervisor/tasks/main.yml
new file mode 100644
index 0000000..7c3bb4c
--- /dev/null
+++ b/roles/supervisor/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Create links to supervisor bin
+ ansible.builtin.file:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ state: link
+ force: yes
+ loop:
+ - { src: /usr/local/bin/supervisord, dest: /usr/bin/supervisord }
+ - { src: /usr/local/bin/supervisorctl, dest: /usr/bin/supervisorctl }
+ when:
+ - ansible_os_family == "RedHat"
+ - ansible_distribution_major_version|int >= 8
+
\ No newline at end of file
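Review bot: The `Generate munge key` task in `roles/slurm/tasks/munge.yml` leaves the owner and mode of `{{ slurm_munge_key }}` to whatever `create-munge-key` produces, and because of `creates=` a key that already exists with loose permissions is never corrected. A following task such as `file: path={{ slurm_munge_key }} owner=munge group=munge mode=0400` would state the expected protection of the shared secret explicitly. The task that forces `/var/log` to `mode=0755` changes a system directory outside this role's scope and should carry a comment explaining why it is needed.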
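Review bot: `force: yes` on the two `state: link` entries in `roles/supervisor/tasks/main.yml` replaces any regular file already at `/usr/bin/supervisord` or `/usr/bin/supervisorctl` and creates the links even when the `/usr/local/bin` targets do not exist. Since `playbook.yml` runs this role before `geerlingguy.supervisor`, the links appear to dangle until that role has installed the binaries. A short comment on the task, e.g. `# geerlingguy.supervisor installs into /usr/local/bin; unit files expect /usr/bin`, would record the intent if that is the reason.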