From 012861671df621a4d1a95ab3ff513a90ff8dde8b Mon Sep 17 00:00:00 2001
From: scimerman
Date: Mon, 1 Aug 2022 18:28:22 +0200
Subject: [PATCH 01/11] iRODS: davrods limit to TLS >= 1.2
---
 roles/irods_davrods/templates/config/davrods-vhost.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/irods_davrods/templates/config/davrods-vhost.conf b/roles/irods_davrods/templates/config/davrods-vhost.conf
index 1841e57ed..f5cc34550 100755
--- a/roles/irods_davrods/templates/config/davrods-vhost.conf
+++ b/roles/irods_davrods/templates/config/davrods-vhost.conf
@@ -17,6 +17,7 @@ ServerName {{ hostvars[inventory_hostname]['fqdn'] }} # protocol support).
 SSLEngine on
+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 # enable only TLS 1.2 or higher
 SSLCertificateFile /etc/ssl/certs/{{ irods_ssl_certificate_chain_file }}
 SSLCertificateKeyFile /etc/ssl/private/{{ irods_ssl_certificate_key_file }}
 #SSLOpenSSLConfCmd DHParameters /etc/ssl/certs/{{ irods_ssl_dh_params_file }}
From 80d3b8d828c637c1db057a48f36fd4b16d123f86 Mon Sep 17 00:00:00 2001
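Review bot: The trailing comment on the added `SSLProtocol` line is expected to break the vhost, because httpd does not accept a comment after a directive on the same line; mod_ssl reads the `#` as one more protocol token and rejects the configuration. Put the comment on its own line, `# enable only TLS 1.2 or higher`, directly above `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`. An allow-list form, `SSLProtocol -all +TLSv1.2 +TLSv1.3`, would also state the intent directly instead of depending on what a future `all` expands to (`+TLSv1.3` only on httpd builds that support it). The second patch in this series touches this file again, so the same line should be checked there.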
From: scimerman
Date: Tue, 9 Aug 2022 15:10:45 +0200
Subject: [PATCH 02/11] irods & davrods v3: irods updated to v4.3.0, replaced certificate, updated variables, rewrite database_connect.py, increased davrods security/tls> v1.2 and limited ciphers ...
---
 group_vars/irods.yml | 28 +-
 roles/docker/tasks/main.yml | 20 +-
 roles/irods/README.md | 14 +
 roles/irods/files/database_connect.py.4.3.0 | 532 ++++++++++++++++++
 roles/irods/tasks/icat.yml | 12 +-
 roles/irods/tasks/icat_pre.yml | 28 +-
 roles/irods/tasks/pgsql_local.yml | 10 +-
 roles/irods/tasks/pgsql_remote.yml | 25 +-
 roles/irods/tasks/tiering.yml | 44 +-
 ..._connect.py => database_connect.py.4.2.11} | 0
 .../templates/unattended_install.json.j2 | 2 +-
 roles/irods_davrods/handlers/main.yml | 14 +
 roles/irods_davrods/tasks/davrods.yml | 39 +-
 roles/irods_davrods/tasks/main.yml | 3 +-
 roles/irods_davrods/templates/Dockerfile | 22 +-
 .../templates/config/davrods-vhost.conf | 21 +-
 .../templates/config/irods_environment.json | 2 +-
 .../templates/docker-compose.yml | 2 +-
 static_inventories/nibbler_cluster.yml | 47 +-
 19 files changed, 738 insertions(+), 127 deletions(-)
 create mode 100644 roles/irods/files/database_connect.py.4.3.0
 rename roles/irods/templates/{database_connect.py => database_connect.py.4.2.11} (100%)
 create mode 100644 roles/irods_davrods/handlers/main.yml
diff --git a/group_vars/irods.yml b/group_vars/irods.yml
index bb7a58fed..3d325bdfa 100644
--- a/group_vars/irods.yml
+++ b/group_vars/irods.yml
@@ -7,7 +7,7 @@ firewall_allowed_tcp_ports: # list of open ports on iCAT server
 - "5432" # PostgreSQL
 - "20000:20199" # irods
-ir_version: '-4.2.11*' # if defined (empty): version will be installed (must start with '-' and end with '*')
+ir_version: '-4.3.0*' # if defined (empty): version will be installed (must start with '-' and end with '*')
 ir_server_type: 'icat' # iRODS Server Type
 ir_client_server_policy: 'CS_NEG_REQUIRE' # communicating using SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE
@@ -15,20 +15,22 @@ ir_ssl_certificate_chain_file: 'nemi_irods/localhost_and_chain_umcg-icat01.crt'
 ir_ssl_certificate_key_file: 'nemi_irods/localhost-umcg01.key' # iRODS server certificate's key
 ir_ssl_dh_params_file: 'dhparams.pem' # DHparam filename
-ir_zone: 'nlumcg' # default main iRODS zone name
-ir_local_res: 'rootResc' # local iRODS resource
-ir_vault_path: '/var/lib/irods/Vault' # default path to store files for local resource
-ir_default_res: 'surfObjStore' # default resource iRODS uploads to
-ir_service_account: 'irods' # linux account under which iRODS runs
+ir_service_account: 'irods' # iRODS linux account under which iRODS runs
 ir_admin_name: 'rods' # iRODS (and zone) account
+ir_admin_pwd: '{{ icatV_admin_pwd }}' # iRODS Vaulte main administrator password
 ir_admin_home_path: '/{{ ir_zone }}/home/{{ ir_admin_name }}' # iRODS admin's home path
-ir_db_user: '{{ ir_service_account }}' # db Username, usually same as irods_service_account
-ir_db_server: '{{ icat_db_server }}' # iRODS Database Server
-ir_db_name: 'ICAT' # iRODS Database Name
-ir_negotiation_key: '{{ icat_negotiation_key }}'
-ir_ctrl_plane_key: '{{ icat_ctrl_plane_key }}'
-ir_zone_key: '{{ icat_zone_key }}'
-ir_salt: '{{ icat_salt }}' # iRODS salt
+ir_db_user: '{{ icatV_db_user }}' # iRODS Vaulted database username
+ir_db_pwd: '{{ icatV_db_pwd }}' # iRODS Vaulted database password
+ir_db_name: '{{ icatV_db_name }}' # iRODS Vaulted database name
+ir_db_server: '{{ icatV_db_server }}' # iRODS Vaulted database server
+ir_salt: '{{ icatV_salt }}' # iRODS Vaulted salt
+ir_zone: 'nlumcg' # iRODS default main iRODS zone name
+ir_zone_key: '{{ icatV_zone_key }}' # iRODS Vaulted zone key
+ir_negotiation_key: '{{ icatV_negotiation_key }}' # iRODS Vaulted negotiation key
+ir_ctrl_plane_key: '{{ icatV_ctrl_plane_key }}' # iRODS Vaulted control plane key
+ir_local_res: 'rootResc' # iRODS local iRODS resource
+ir_vault_path: '/var/lib/irods/Vault' # iRODS default path to store files for local resource
+ir_default_res: 'surfObjStore' # iRODS default resource iRODS uploads to
 davrods_install: true # to install davrods docker
 davrods_docker_folder: 'davrods_docker' # davrods docker folder name, relative to the user home directory
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 2af4270bb..2a3c47245 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -3,18 +3,26 @@
 ansible.builtin.yum:
 name:
 - docker
- - python2-pip
+ - python3-pip
 - docker-compose
 state: latest
 update_cache: true
 become: true
-- name: Upgrade pip to latest version that still supports Python 2.7
- ansible.builtin.command: pip install pip==20.3.4
+# - name: Upgrade pip to latest version
+# ansible.builtin.command: pip3 install -U pip
+# become: true
+- name: Upgrade pip3 to latest version
+ ansible.builtin.pip:
+ name: pip
+ state: latest
+ executable: pip3
 become: true
-- name: Install docker-py (supported by python 2.7)
+- name: Install docker-py (supported by python 3)
 ansible.builtin.pip:
- name: docker==4.4.4
+ name: docker
+ executable: pip3
 become: true
-...
\ No newline at end of file
+
+...
diff --git a/roles/irods/README.md b/roles/irods/README.md
index cce8242df..0d3648efc 100644
--- a/roles/irods/README.md
+++ b/roles/irods/README.md
@@ -3,6 +3,20 @@
 - preconfigured irods repository
 - and administrative privileges on the machine
+# Variables naming
+
+`ir_` are all the variables that are used within this playbook
+
+`icatV_` are the variables that are saved in the **Vault**, and can be accessed when
+ individual `ir_` variable is mapped to the appropriate `icatV_` variable.
+
+Mapping is done with one of following files:
+ 1. `static_inventory/[clustername].yml`
+ 2. `group/irods.yml`
+ 3. `roles/irods/defaults/main.yml`
+
+When the playbook deployed, the variables are over written, 1. will have priority over 2.
+
 # About the iRODS and PostgreSQL database
 Role sets up the iRODS iCAT server and (optionally) a local PostgreSQL database.
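Review bot: The comment on the new `ir_admin_pwd` line has a typo: `# iRODS Vaulte main administrator password` should read `# iRODS Vaulted main administrator password`, matching the wording used on the other vaulted entries in this hunk. Separately, `ir_zone` is now defined several lines below `ir_admin_home_path`, which references it; that is harmless in Ansible because variables are templated lazily, but keeping `ir_zone` above its first use would make the file easier to follow.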
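Review bot: The two new `ansible.builtin.pip` tasks install `pip` and `docker` with `state: latest` and no version pin, whereas the lines they replace pinned `pip==20.3.4` and `docker==4.4.4`; every run can now pull a different, unreviewed release from PyPI as root, and upgrading the distribution's pip in place with pip itself is a common way to end up with a broken `pip3`. Pin both, e.g. `name: docker==<pinned version>` (placeholder), and prefer the distro package for pip where one exists. The commented-out 'Upgrade pip to latest version' task should be removed rather than kept alongside the task that replaces it.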
diff --git a/roles/irods/files/database_connect.py.4.3.0 b/roles/irods/files/database_connect.py.4.3.0
new file mode 100644
index 000000000..607f60c20
--- /dev/null
+++ b/roles/irods/files/database_connect.py.4.3.0
@@ -0,0 +1,532 @@ +from __future__ import print_function + +import itertools +import json +import logging +import os +import pprint +import sys +import tempfile +import time + +from . import six +from . import lib +from . import password_obfuscation +from .exceptions import IrodsError, IrodsWarning + +try: + import pyodbc +except ImportError as e: + print('Fatal error! pyodbc module could not be imported. Perhaps it is missing?', file=sys.stderr) + print('Try installing python3-pyodbc using your package manager or pyodbc using pip3.', file=sys.stderr) + raise e + +def load_odbc_ini(f): + odbc_dict = {} + section = None + for line in f: + line = line.strip() + if not line: + continue + if line[0] == '[' and line[-1] == ']': + section = line[1:-1] + if section in odbc_dict: + raise IrodsError('Multiple sections named %s in %s.' % + (section, f.name)) + odbc_dict[section] = {} + elif section is None: + raise IrodsError('Section headings of the form [section] ' + 'must precede entries in %s.' % (f.name)) + elif '=' in line: + key, _, value = [e.strip() for e in line.partition('=')] + if key in odbc_dict[section]: + raise IrodsError('Multiple entries titled \'%s\' in the ' + 'section titled %s in %s' % (key, section, f.name)) + odbc_dict[section][key] = value + else: + raise IrodsError('Invalid line in %s. All lines must be section ' + 'headings of the form [section], entries containing an ' + '\'=\', or a blank line.' 
% (f.name)) + + return odbc_dict + +def dump_odbc_ini(odbc_dict, f): + for section in odbc_dict: + print('[%s]' % (section), file=f) + for key in odbc_dict[section]: + if odbc_dict[section][key] is None: + raise IrodsError('Value for key \'%s\' is None.', key) + print('%s=%s' % (key, odbc_dict[section][key]), file=f) + print('', file=f) + +def get_odbc_entry(db_config, catalog_database_type): + if catalog_database_type == 'postgres' and 'db_sslmode' in db_config and db_config['db_sslmode'] == 'require': + return { + 'Description': 'iRODS Catalog', + 'Driver': db_config['db_odbc_driver'], + 'Trace': 'No', + 'Debug': '0', + 'CommLog': '0', + 'TraceFile': '', + 'Database': db_config['db_name'], + 'Servername': db_config['db_host'], + 'Port': str(db_config['db_port']), + 'ReadOnly': 'No', + 'Ksqo': '0', + 'RowVersioning': 'No', + 'ShowSystemTables': 'No', + 'ShowOidColumn': 'No', + 'FakeOidIndex': 'No', + 'ConnSettings': '', + 'SSL': 'on', + 'SSLMode': 'require', + 'SSLRootCert': db_config['db_sslrootcert'], + 'SSLCert': db_config['db_sslcert'], + 'SSLKey': db_config['db_sslkey'] + } + elif catalog_database_type == 'postgres' or catalog_database_type == 'cockroachdb': + return { + 'Description': 'iRODS Catalog', + 'Driver': db_config['db_odbc_driver'], + 'Trace': 'No', + 'Debug': '0', + 'CommLog': '0', + 'TraceFile': '', + 'Database': db_config['db_name'], + 'Servername': db_config['db_host'], + 'Port': str(db_config['db_port']), + 'ReadOnly': 'No', + 'Ksqo': '0', + 'RowVersioning': 'No', + 'ShowSystemTables': 'No', + 'ShowOidColumn': 'No', + 'FakeOidIndex': 'No', + 'ConnSettings': '' + } + elif catalog_database_type == 'mysql': + return { + 'Description': 'iRODS catalog', + 'Driver': db_config['db_odbc_driver'], + 'Server': db_config['db_host'], + 'Port': str(db_config['db_port']), + 'Database': db_config['db_name'], + 'FOUND_ROWS': '1', + 'BIG_PACKETS': '1', + 'Charset': 'UTF8' + } + elif catalog_database_type == 'oracle': + return { + 'Description': 'iRODS catalog', 
+ 'Driver': db_config['db_odbc_driver'] + } + else: + raise IrodsError('No odbc template exists for %s' % (catalog_database_type)) + +def get_installed_odbc_drivers(): + out, _, code = lib.execute_command_permissive(['odbcinst', '-q', '-d']) + return [] if code else [s[1:-1] for s in out.splitlines() if s] + +def get_odbc_drivers_for_db_type(db_type): + if db_type == "cockroachdb": + db_type = "postgres" + return [d for d in get_installed_odbc_drivers() if db_type in d.lower()] + +def get_odbc_driver_paths(db_type, oracle_home=None): + if db_type == 'postgres' or db_type == 'cockroachdb': + return sorted(unique_list(itertools.chain( + lib.find_shared_object('psqlodbcw.so'), + lib.find_shared_object('libodbcpsql.so'), + lib.find_shared_object('psqlodbc.*\.so', regex=True))), + key = lambda p: 0 if is_64_bit_ELF(p) else 1) + elif db_type == 'mysql': + return sorted(unique_list(itertools.chain( + lib.find_shared_object('libmyodbc.so'), + lib.find_shared_object('libmyodbc5.so'), + lib.find_shared_object('libmyodbc3.so'), + lib.find_shared_object('libmyodbc.*\.so', regex=True))), + key = lambda p: 0 if is_64_bit_ELF(p) else 1) + elif db_type == 'oracle': + return sorted(unique_list(itertools.chain( + lib.find_shared_object('libsqora\.so.*', regex=True, additional_directories=[d for d in [oracle_home] if d]))), + key = lambda p: 0 if is_64_bit_ELF(p) else 1) + else: + raise IrodsError('No default ODBC driver paths for %s' % (db_type)) + +def unique_list(it): + seen = set() + seen_add = seen.add + return [x for x in it if not (x in seen or seen_add(x))] + +def is_64_bit_ELF(path): + try: + out, err, returncode = lib.execute_command_permissive(['readelf', '-h', path]) + except IrodsError as e: + l = logging.getLogger(__name__) + l.debug('Could not call readelf on %s, unable to ensure it is an ELF64 file.\nException:\n%s', path, lib.indent(str(e))) + return True + if returncode != 0: + return False + else: + for line in out.splitlines(): + key, _, value = [e.strip() for e 
in line.partition(':')] + if key == 'Class': + if value == 'ELF64': + return True + else: + return False + return False + +def get_default_port_for_database_type(catalog_database_type): + if catalog_database_type == 'postgres': + return 5432 + elif catalog_database_type == 'cockroachdb': + return 26257 + elif catalog_database_type == 'mysql': + return 3306 + elif catalog_database_type == 'oracle': + return 1521 + raise IrodsError('Unknown database type: %s' % (catalog_database_type)) + +#oracle completely ignores all settings in the odbc.ini file (though +#the unixODBC driver will pick up Driver and Password), so we have +#to set TWO_TASK to '//:/' as well. +def get_two_task_for_oracle(db_config): + return '//%s:%d/%s' % (db_config['db_host'], + db_config['db_port'], + db_config['db_name']) + +def get_connection_string(db_config, irods_config): + odbc_dict = {} + odbc_dict['Password'] = db_config['db_password'] + odbc_dict['PWD'] = db_config['db_password'] + odbc_dict['Username'] = db_config['db_username'] + odbc_dict['User'] = db_config['db_username'] + odbc_dict['UID'] = db_config['db_username'] + if irods_config.catalog_database_type == 'cockroachdb': + odbc_dict['sslrootcert'] = irods_config.database_config['sslrootcert'] + odbc_dict['sslmode'] = 'require' + odbc_dict['ssl'] = 'true' + if irods_config.catalog_database_type == 'postgres' and 'db_sslmode' in db_config and db_config['db_sslmode'] == 'require': + odbc_dict['sslkey'] = db_config['db_sslkey'] + odbc_dict['sslrootcert'] = db_config['db_sslrootcert'] + odbc_dict['sslcert'] = db_config['db_sslcert'] + odbc_dict['sslmode'] = 'require' + odbc_dict['ssl'] = 'true' + + keys = [k for k in odbc_dict.keys()] + + return ';'.join(itertools.chain(['DSN=iRODS Catalog'], ['%s=%s' % (k, odbc_dict[k]) for k in keys])) + +def get_database_connection(irods_config): + l = logging.getLogger(__name__) + if irods_config.catalog_database_type == 'oracle': + os.environ['TWO_TASK'] = 
get_two_task_for_oracle(irods_config.database_config) + l.debug('set TWO_TASK For oracle to "%s"', os.environ['TWO_TASK']) + + connection_string = get_connection_string(irods_config.database_config, irods_config) + sync_odbc_ini(irods_config) + os.environ['ODBCINI'] = irods_config.odbc_ini_path + os.environ['ODBCSYSINI'] = '/etc' + + try: + if irods_config.catalog_database_type == 'cockroachdb': + return pyodbc.connect(connection_string, ansi=True, autocommit = True) + + if irods_config.catalog_database_type == 'postgres': # TODO This may be required for MySQL. + conn = pyodbc.connect(connection_string, ansi=True) + + # The following options must be set on the connection for PostgreSQL 12. + # TODO This needs to be tested against a PostgreSQL 10+ database. + # See the following for why these are needed: + # + # - https://github.com/mkleehammer/pyodbc/issues/169#issuecomment-268665172 + # - https://github.com/mkleehammer/pyodbc/issues/169#issuecomment-591979062 + # - https://github.com/mkleehammer/pyodbc/issues/169#issuecomment-591994201 + # + conn.setencoding(encoding='utf-8') + conn.setdecoding(pyodbc.SQL_CHAR, encoding='utf-8') + conn.setdecoding(pyodbc.SQL_WCHAR, encoding='utf-8') + + return conn + + return pyodbc.connect(connection_string, ansi=True) + + except pyodbc.Error as e: + if 'file not found' in str(e): + message = ( + 'pyodbc registered a \'file not found\' error when connecting to the database. ' + 'If your driver path exists, this is most commonly caused by a library required by the ' + 'driver being unable to be found by the linker. Try running ldd on the odbc driver ' + 'binary (or sudo ldd if you are running in sudo) to see which libraries are not ' + 'being found and add any necessary library paths to the LD_LIBRARY_PATH environment ' + 'variable. 
If you are running setup_irods.py, instead set the LD_LIBRARY_PATH with ' + 'the --ld_library_path command line option.\n' + 'The specific error pyodbc reported was:' + ) + else: + message = 'pyodbc encountered an error connecting to the database:' + six.reraise(IrodsError, + IrodsError('%s\n%s' % (message, str(e))), + sys.exc_info()[2]) + +def execute_sql_statement(cursor, statement, *params, **kwargs): + l = logging.getLogger(__name__) + log_params = kwargs.get('log_params', True) + l.debug('Executing SQL statement:\n%s\nwith the following parameters:\n%s', + statement, + pprint.pformat(params) if log_params else '') + try: + return cursor.execute(statement, params) + except pyodbc.Error as e: + six.reraise(IrodsError, + IrodsError('pyodbc encountered an error executing the statement:\n\t%s\n%s' % (statement, str(e))), + sys.exc_info()[2]) + +def execute_sql_file(filepath, cursor, by_line=False): + l = logging.getLogger(__name__) + l.debug('Executing SQL in %s', filepath) + with open(filepath, 'r') as f: + if by_line: + for line in f.readlines(): + if not line.strip(): + continue + l.debug('Executing SQL statement:\n%s', line) + try: + cursor.execute(line) + except IrodsError as e: + six.reraise(IrodsError, + IrodsError('Error encountered while executing ' + 'the statement:\n\t%s\n%s' % (line, str(e))), + sys.exc_info()[2]) + else: + try: + cursor.execute(f.read()) + except IrodsError as e: + six.reraise(IrodsError, + IrodsError('Error encountered while executing ' + 'the sql in %s:\n%s' % (filepath, str(e))), + sys.exc_info()[2]) + +def list_database_tables(cursor): + l = logging.getLogger(__name__) + l.info('Listing database tables...') + table_names = [row[2] for row in cursor.tables()] + l.debug('List of tables:\n%s', pprint.pformat(table_names)) + return table_names + +def irods_tables_in_database(irods_config, cursor): + with open(os.path.join(irods_config.irods_directory, 'packaging', 'sql', 'icatSysTables.sql')) as f: + irods_tables = 
[l.split()[2].lower() for l in f.readlines() if l.lower().startswith('create table')] + table_names = list_database_tables(cursor) + return [t for t in table_names if t.lower() in irods_tables] + +def get_schema_version_in_database(cursor): + l = logging.getLogger(__name__) + query = "select option_value from R_GRID_CONFIGURATION where namespace='database' and option_name='schema_version';" + try: + rows = execute_sql_statement(cursor, query).fetchall() + except IrodsError as e: + six.reraise(IrodsError, + IrodsError('Error encountered while executing ' + 'the query:\n\t%s\n%s' % (query, str(e))), + sys.exc_info()[2]) + if len(rows) == 0: + raise IrodsError('No schema version present, unable to upgrade. ' + 'If this is an upgrade from a pre-4.0 installation, ' + 'a manual upgrade is required.') + if len(rows) > 1: + raise IrodsError('Expected one row when querying ' + 'for database schema version, received %d rows' % (len(rows))) + + try: + schema_version = int(rows[0][0]) + except ValueError: + raise RuntimeError( + 'Failed to convert [%s] to an int for database schema version' % (rows[0][0])) + l.debug('Schema_version in database: %s' % (schema_version)) + + return schema_version + +def sync_odbc_ini(irods_config): + odbc_dict = get_odbc_entry(irods_config.database_config, irods_config.catalog_database_type) + + #The 'Driver' keyword must be first + keys = [k for k in odbc_dict.keys()] + keys[keys.index('Driver')] = keys[0] + keys[0] = 'Driver' + + template = '\n'.join(itertools.chain(['[iRODS Catalog]'], ['%s=%s' % (k, odbc_dict[k]) for k in keys])) + lib.execute_command(['odbcinst', '-i', '-s', '-h', '-r'], + input=template, + env={'ODBCINI': irods_config.odbc_ini_path, 'ODBCSYSINI': '/etc'}) + +def create_database_tables(irods_config, cursor, default_resource_directory=None): + l = logging.getLogger(__name__) + irods_table_names = irods_tables_in_database(irods_config, cursor) + if irods_table_names: + l.info('The following tables already exist in the 
database, table creation will be skipped:\n%s', pprint.pformat(irods_table_names)) + return 'skipped' + else: + if irods_config.catalog_database_type == 'mysql': + l.info('Defining mysql functions...') + with tempfile.NamedTemporaryFile() as f: + f.write('\n'.join([ + '[client]', + '='.join(['user', irods_config.database_config['db_username']]), + '='.join(['password', irods_config.database_config['db_password']]), + '='.join(['port', str(irods_config.database_config['db_port'])]), + '='.join(['host', irods_config.database_config['db_host']]) + ]).encode()) + f.flush() + with open(os.path.join(irods_config.irods_directory, 'packaging', 'sql', 'mysql_functions.sql'), 'r') as sql_file: + lib.execute_command( + ['mysql', '='.join(['--defaults-file', f.name]), irods_config.database_config['db_name']], + stdin=sql_file) + l.info('Creating database tables...') + sql_files = [ + os.path.join(irods_config.irods_directory, 'packaging', 'sql', 'icatSysTables.sql'), + os.path.join(irods_config.irods_directory, 'packaging', 'sql', 'icatSysInserts.sql') + ] + for sql_file in sql_files: + try: + execute_sql_file(sql_file, cursor, by_line=True) + except IrodsError as e: + six.reraise(IrodsError, + IrodsError('Database setup failed while running %s:\n%s' % (sql_file, str(e))), + sys.exc_info()[2]) + +def setup_database_values(irods_config, cursor=None, default_resource_directory=None, default_resource_name=None): + l = logging.getLogger(__name__) + timestamp = '{0:011d}'.format(int(time.time())) + + def get_next_object_id(): + if irods_config.catalog_database_type == 'postgres': + return execute_sql_statement(cursor, "select nextval('R_OBJECTID');").fetchone()[0] + elif irods_config.catalog_database_type == 'cockroachdb': + return execute_sql_statement(cursor, "insert into r_objectid default values returning object_id;").fetchone()[0] + elif irods_config.catalog_database_type == 'mysql': + return execute_sql_statement(cursor, "select R_OBJECTID_nextval();").fetchone()[0] + elif 
irods_config.catalog_database_type == 'oracle': + return execute_sql_statement(cursor, "select R_OBJECTID.nextval from DUAL;").fetchone()[0] + else: + raise IrodsError('no next object id function defined for %s' % irods_config.catalog_database_type) + + #zone + zone_id = get_next_object_id() + execute_sql_statement(cursor, + "insert into R_ZONE_MAIN values (?,?,'local','','',?,?);", + zone_id, + irods_config.server_config['zone_name'], + timestamp, + timestamp) + + #groups + public_group_id = get_next_object_id() + execute_sql_statement(cursor, + "insert into R_USER_MAIN values (?,?,?,?,'','',?,?);", + public_group_id, + 'public', + 'rodsgroup', + irods_config.server_config['zone_name'], + timestamp, + timestamp) + + #users + admin_user_id = get_next_object_id() + execute_sql_statement(cursor, + "insert into R_USER_MAIN values (?,?,?,?,'','',?,?);", + admin_user_id, + irods_config.server_config['zone_user'], + 'rodsadmin', + irods_config.server_config['zone_name'], + timestamp, + timestamp) + + #group membership + execute_sql_statement(cursor, + "insert into R_USER_GROUP values (?,?,?,?);", + admin_user_id, + admin_user_id, + timestamp, + timestamp) + execute_sql_statement(cursor, + "insert into R_USER_GROUP values (?,?,?,?);", + public_group_id, + admin_user_id, + timestamp, + timestamp) + execute_sql_statement(cursor, + "insert into R_USER_GROUP values (?,?,?,?);", + public_group_id, + public_group_id, + timestamp, + timestamp) + + #password + scrambled_password = password_obfuscation.scramble(irods_config.admin_password, + key=irods_config.server_config.get('environment_variables', {}).get('IRODS_DATABASE_USER_PASSWORD_SALT', None)) + execute_sql_statement(cursor, + "insert into R_USER_PASSWORD values (?,?,'9999-12-31-23.59.00',?,?);", + admin_user_id, + scrambled_password, + timestamp, + timestamp, + log_params=False) + + #collections + system_collections = [ + '/', + '/'.join(['', irods_config.server_config['zone_name']]), + '/'.join(['', 
irods_config.server_config['zone_name'], 'home']), + '/'.join(['', irods_config.server_config['zone_name'], 'trash']), + '/'.join(['', irods_config.server_config['zone_name'], 'trash', 'home']) + ] + public_collections = [ + '/'.join(['', irods_config.server_config['zone_name'], 'home', 'public']), + '/'.join(['', irods_config.server_config['zone_name'], 'trash', 'home', 'public']) + ] + admin_collections = [ + '/'.join(['', irods_config.server_config['zone_name'], 'home', irods_config.server_config['zone_user']]), + '/'.join(['', irods_config.server_config['zone_name'], 'trash', 'home', irods_config.server_config['zone_user']]) + ] + for collection in itertools.chain(system_collections, public_collections, admin_collections): + parent_collection = '/'.join(['', collection[1:].rpartition('/')[0]]) + collection_id = get_next_object_id() + execute_sql_statement(cursor, + "insert into R_COLL_MAIN values (?,?,?,?,?,0,'','','','','','',?,?);", + collection_id, + parent_collection, + collection, + irods_config.server_config['zone_user'], + irods_config.server_config['zone_name'], + timestamp, + timestamp) + + execute_sql_statement(cursor, + "insert into R_OBJT_ACCESS values (?,?,1200,?,?);", + collection_id, + public_group_id if collection in public_collections else admin_user_id, + timestamp, + timestamp) + + #bundle resource + bundle_resc_id = get_next_object_id() + execute_sql_statement(cursor, + "insert into R_RESC_MAIN (resc_id,resc_name,zone_name,resc_type_name,resc_class_name,resc_net,resc_def_path,free_space,free_space_ts,resc_info,r_comment,resc_status,create_ts,modify_ts) values (?,'bundleResc',?,'unixfilesystem','bundle','localhost','/bundle','','','','','',?,?);", + bundle_resc_id, + irods_config.server_config['zone_name'], + timestamp, + timestamp) + + if default_resource_directory: + if default_resource_name: + default_resc_id = get_next_object_id() + execute_sql_statement(cursor, + "insert into R_RESC_MAIN 
(resc_id,resc_name,zone_name,resc_type_name,resc_class_name,resc_net,resc_def_path,free_space,free_space_ts,resc_info,r_comment,resc_status,create_ts,modify_ts) values (?,?,?,'unixfilesystem','cache',?,?,'','','','','',?,?);",
+ default_resc_id,
+ default_resource_name,
+ irods_config.server_config['zone_name'],
+ lib.get_hostname(),
+ default_resource_directory,
+ timestamp,
+ timestamp)
diff --git a/roles/irods/tasks/icat.yml b/roles/irods/tasks/icat.yml
index 91f6401fd..9c90e22b2 100644
--- a/roles/irods/tasks/icat.yml
+++ b/roles/irods/tasks/icat.yml
@@ -3,6 +3,7 @@
 ansible.builtin.template:
 src: unattended_install.json.j2
 dest: /root/unattended_install.json
+ backup: true
 mode: '0600'
 register: create_unattended_installation_json
 become: true
@@ -25,24 +26,27 @@
 notify: irodsctl_restart
 - name: Edit /etc/irods/core.re to enforce the use of the certificates
- become: true
 ansible.builtin.lineinfile:
 name: /etc/irods/core.re
 search_string: 'acPreConnect(*OUT) { *OUT="CS_NEG_DONT_CARE"; }'
 line: 'acPreConnect(*OUT) { *OUT="{{ ir_client_server_policy }}"; }'
+ backup: true
+ become: true
 - name: Edit /etc/irods/core.re to set number of threads to 4
- become: true
 ansible.builtin.lineinfile:
 name: /etc/irods/core.re
 search_string: 'acSetNumThreads {msiSetNumThreads("default","default","default"); }'
 line: 'acSetNumThreads {msiSetNumThreads("default","4","default"); }'
+ backup: true
+ become: true
 - name: Edit /etc/irods/core.re to set default resource to {{ ir_default_res }}
 ansible.builtin.lineinfile:
 name: /etc/irods/core.re
 search_string: 'acSetRescSchemeForCreate {msiSetDefaultResc("demoResc","null"); }'
 line: 'acSetRescSchemeForCreate {msiSetDefaultResc("{{ ir_default_res }}","null"); }'
+ backup: true
 become: true
 - name: Edit /etc/irods/core.re to set default replication resource to {{ ir_default_res }}
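Review bot: The new file is a complete copy of the upstream iRODS 4.3.0 `database_connect.py` carrying a local change, but nothing in it records which lines differ from upstream; add a header comment naming the upstream release it was taken from and describing the local modification (the commit message says it adds SSL for the remote PostgreSQL connection), so the next iRODS upgrade can re-apply it instead of diffing 532 lines. In `get_odbc_entry` and `get_connection_string` the PostgreSQL branch hard-codes `sslmode` to `require` even though `db_sslrootcert` is supplied; plain `require` does not check the server hostname, so the root certificate that `pgsql_remote.yml` deploys only adds CA checking if the ODBC driver treats `require` plus a root cert as `verify-ca`, which should be confirmed for psqlODBC rather than assumed. Making the mode a config value and using `verify-full` where a CA certificate is configured would make the intended guarantee explicit. Note also that `execute_sql_statement` logs statement parameters at debug level unless `log_params=False`; the password insert in `setup_database_values` passes it, and the connection string returned by `get_connection_string` embeds `db_password`, so it must likewise stay out of any debug output.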
@@ -50,6 +54,7 @@
 name: /etc/irods/core.re
 search_string: 'acSetRescSchemeForRepl {msiSetDefaultResc("demoResc","null"); }'
 line: 'acSetRescSchemeForRepl {msiSetDefaultResc("{{ ir_default_res }}","null"); }'
+ backup: true
 become: true
 - name: Increase systcl limits to allow longer transfers
@@ -64,6 +69,7 @@
 name: /etc/init.d/irods
 search_string: 'rm /var/lock/subsys/irods'
 line: 'rm -f /var/lock/subsys/irods'
+ backup: true
 become: true
 - name: Temporary bugfix of the irods python script for the remote psql over ssl
@@ -71,6 +77,7 @@
 name: /etc/init.d/irods
 search_string: 'rm /var/lock/subsys/irods'
 line: 'rm -f /var/lock/subsys/irods'
+ backup: true
 become: true
 - name: Fix the s3 authentication by creating dummy s3auth file
@@ -89,5 +96,4 @@
 - name: Force all services to restart, before we start using iRODS imeta commands
 ansible.builtin.meta: flush_handlers
-
 ...
diff --git a/roles/irods/tasks/icat_pre.yml b/roles/irods/tasks/icat_pre.yml
index 0b3b6f63f..8017347b9 100644
--- a/roles/irods/tasks/icat_pre.yml
+++ b/roles/irods/tasks/icat_pre.yml
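Review bot: The task named 'Temporary bugfix of the irods python script for the remote psql over ssl' (its `- name:` line is the last context line of the preceding hunk) edits `/etc/init.d/irods` with exactly the same `search_string` and `line` as the task directly above it, so either its name is wrong or it is a duplicate; this commit adds `backup: true` to both without resolving that. If the task is meant to patch the python script, that fix now lives in `icat_pre.yml` and this one should be dropped. The `backup: true` added on `/root/unattended_install.json` in the first hunk of this file leaves timestamped copies beside a file that, for an iRODS unattended install, likely holds credentials; as far as I can tell Ansible's backup copies keep the source mode, but old copies accumulate and should be pruned.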
@@ -88,12 +88,34 @@
 ansible.builtin.package_facts:
 manager: auto
-- name: Fix iRODS to use SSL when access remote PostgreSQL (temporary until upstream fix)
+- name: Get version of irods-server
+ ansible.builtin.shell: |
+ set -o pipefail
+ grep "irods_version" /var/lib/irods/version.json.dist | grep -oE "[0-9]\.[0-9]+\.[0-9]+"
+ register: irods_version
+ changed_when: false
+ args:
+ warn: true
+
+- name: Fix iRODS v4.2.11 to use SSL when access remote PostgreSQL (temporary until upstream fix)
 ansible.builtin.template:
- src: database_connect.py
+ src: database_connect.py.4.2.11
 dest: /var/lib/irods/scripts/irods/database_connect.py
 mode: '0644'
+ backup: true
+ become_user: '{{ ir_service_account }}'
+ become: true
+ when: '"4.2.11" in irods_version.stdout'
+
+- name: Fix iRODS v4.3.0 to use SSL when access remote PostgreSQL (temporary until upstream fix)
+ ansible.builtin.copy:
+ src: database_connect.py.4.3.0
+ dest: /var/lib/irods/scripts/irods/database_connect.py
+ owner: '{{ ir_service_account }}'
+ group: '{{ ir_service_account }}'
+ mode: '0644'
+ backup: true
 become_user: '{{ ir_service_account }}'
 become: true
- when: '"irods-server-4.2.11-1" in ansible_facts.packages'
+ when: '"4.3.0" in irods_version.stdout'
 ...
diff --git a/roles/irods/tasks/pgsql_local.yml b/roles/irods/tasks/pgsql_local.yml
index 3ab2f3a6b..01de0ea78 100644
--- a/roles/irods/tasks/pgsql_local.yml
+++ b/roles/irods/tasks/pgsql_local.yml
@@ -1,21 +1,21 @@
 ---
 - name: Installing postgresql-server
- become: true
 ansible.builtin.yum:
 name: postgresql-server
 state: latest
+ become: true
 - name: Installing python-psycopg2
- become: true
 ansible.builtin.yum:
 name: python-psycopg2
 state: latest
+ become: true
 - name: Initializing PGSQL database
- become: true
 ansible.builtin.command: "/usr/bin/postgresql-setup initdb"
 args:
 creates: /var/lib/pgsql/data/pg_hba.conf
+ become: true
 - name: Fixing pg_hba.conf to permit ipv4localhost password authentication
 ansible.builtin.lineinfile:
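Review bot: The new 'Get version of irods-server' task uses `set -o pipefail` but does not set a bash executable; `ansible.builtin.shell` runs the script with `/bin/sh`, and `pipefail` is not a POSIX sh option, so the task only works where `sh` is bash (true on the RHEL family, not in general). Add `executable: /bin/bash` under `args`, or replace the two greps with `ansible.builtin.slurp` on `version.json.dist` plus the `from_json` filter, since the file is JSON and the version would then be an exact value rather than a substring to match with `in`. The `warn: true` argument has been deprecated and is removed in recent ansible-core releases, so it will fail the task on an upgraded controller. The 4.3.0 task replaces a file owned by the iRODS package; a comment noting that `yum update` of `irods-server` will overwrite it would help whoever next upgrades.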
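Review bot: This hunk keeps installing `python-psycopg2` (the Python 2 build) while the rest of the commit moves the host to `python3-pip`; `postgresql_db` and `postgresql_user` need psycopg2 importable by the interpreter Ansible uses on the target, so if `ansible_python_interpreter` is now python3 the local-database tasks will fail with a missing-module error. Switching to `python3-psycopg2` (or installing both during the transition) would keep this path consistent with the python3 tooling added in `pgsql_remote.yml`. The relocated `become: true` lines are fine; the task list continues past the end of the hunk.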
@@ -44,14 +44,14 @@
 enabled: true
 become: true
-- name: Create {{ irods_db_name }} database.
+- name: Create irods database.
 postgresql_db:
 name: '{{ ir_db_name }}'
 state: present
 register: db_created
 become_user: postgres
- become: true
 notify: irodsctl_restart
+ become: true
 - name: Creating irods sql user and granting privileges
 postgresql_user:
diff --git a/roles/irods/tasks/pgsql_remote.yml b/roles/irods/tasks/pgsql_remote.yml
index 8e05dd486..f0920741d 100644
--- a/roles/irods/tasks/pgsql_remote.yml
+++ b/roles/irods/tasks/pgsql_remote.yml
@@ -10,7 +10,7 @@
 irods_home_path: "{{ getent_output.stdout }}"
 # Configuring according to the https://www.postgresql.org/docs/current/libpq-ssl.html
-- name: Ensure that {{ irods_home_path }}/.postgresql directory exists and is owned by {{ ir_service_account }}
+- name: Ensure that .postgresql directory exists in home and is owned by irods service user
 ansible.builtin.file:
 path: '{{ irods_home_path }}/.postgresql'
 state: directory
@@ -33,7 +33,7 @@
 - name: Deploy remote server's CA signing certificate as root.crt into .postgresql folder
 ansible.builtin.copy:
- src: '{{ remote_psql_server_ca }}'
+ src: 'files/{{ stack_name }}/{{ remote_psql_server_ca }}'
 dest: "{{ irods_home_path }}/.postgresql/root.crt"
 owner: "{{ ir_service_account }}"
 group: "{{ ir_service_account }}"
@@ -43,7 +43,7 @@
 - name: Deploy remote server's CA signing certificate into /etc/irods folder
 ansible.builtin.copy:
- src: '{{ remote_psql_server_ca }}'
+ src: 'files/{{ stack_name }}/{{ remote_psql_server_ca }}'
 dest: '/etc/irods/{{ remote_psql_server_ca | basename }}'
 owner: '{{ ir_service_account }}'
 group: '{{ ir_service_account }}'
 mode: '0644'
- become_user: '{{ irods_service_account }}'
+ become_user: '{{ ir_service_account }}'
 become: true
 when: remote_psql_server_ca is defined
@@ -71,4 +71,21 @@ become: true notify: irodsctl_restart +- name: Install additional packages in order to work with remote database (>=4.3.0) + ansible.builtin.yum: + name: + - unixODBC-devel + - python3-devel + - gcc-c++ + state: latest + become: true + notify: irodsctl_restart + +- name: Install pyodbc with pip3 + ansible.builtin.pip: + name: pyodbc + state: latest + executable: pip3 + become: true + become_user: '{{ ir_service_account }}' ... diff --git a/roles/irods/tasks/tiering.yml b/roles/irods/tasks/tiering.yml index 7571d7c49..57851bf81 100644 --- a/roles/irods/tasks/tiering.yml +++ b/roles/irods/tasks/tiering.yml @@ -10,7 +10,7 @@ become: true register: check_unified_storage -- name: Get status of {{ ir_local_stage_res }} resource +- name: Get status of local stage resource ansible.builtin.command: 'ilsresc {{ ir_local_stage_res }} ' changed_when: false register: check_local_stage_resc @@ -18,7 +18,7 @@ become_user: '{{ ir_service_account }}' become: true -- name: Make {{ ir_local_stage_res }} resource folder for Vault +- name: Make local stage resource folder for Vault ansible.builtin.file: path: '{{ ir_local_stage_res_fol }}' state: directory @@ -30,7 +30,7 @@ when: check_local_stage_resc.rc == 1 register: make_stage_vault_folder -- name: Make local {{ ir_local_stage_res }} resource +- name: Make local stage resource ansible.builtin.shell: >- iadmin mkresc {{ ir_local_stage_res }} unixfilesystem $(/usr/bin/hostname):{{ ir_local_stage_res_fol }} @@ -40,7 +40,7 @@ failed_when: make_local_stage_res.rc != 0 when: check_local_stage_resc.rc == 1 -- name: Get status of {{ ir_local_perm_res }} resource +- name: Get status of local permanent resource ansible.builtin.command: 'ilsresc {{ ir_local_perm_res }} ' changed_when: false failed_when: check_local_perm_res.rc != 0 and check_local_perm_res.rc != 1 
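Review bot: `Install pyodbc with pip3` installs an unpinned package with `state: latest`, so every run may pull a different pyodbc from PyPI into the service account's user site; the deployment is not reproducible and a PyPI publish becomes an uncontrolled change on the catalog server. Pin it, e.g. `version: '<pinned pyodbc version>'` (placeholder) next to `name: pyodbc`, or install from a hash-pinned requirements file, and use `state: present`. The same applies to `state: latest` on the `unixODBC-devel`/`python3-devel`/`gcc-c++` task above it; `present` keeps the play idempotent and avoids unplanned upgrades on an `irodsctl_restart`.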
@@ -48,7 +48,7 @@ become: true register: check_local_perm_res -- name: Make {{ ir_local_perm_res }} resource folder for Vault +- name: Make local permanent resource folder for Vault ansible.builtin.file: path: '{{ ir_local_perm_res_fol }}' state: directory @@ -60,7 +60,7 @@ when: check_local_perm_res.rc == 1 register: make_perm_vault_folder -- name: Make local {{ ir_local_perm_res }} resource +- name: Make local permanent resource ansible.builtin.command: >- iadmin mkresc {{ ir_local_perm_res }} unixfilesystem $(hostname):{{ ir_local_perm_res_fol }} @@ -71,7 +71,7 @@ when: check_local_perm_res.rc == 1 # Check tiering groups -- name: Check if storage_tiering group was defined for {{ ir_local_res }} resource +- name: Check if storage_tiering group was defined for local resource ansible.builtin.command: imeta ls -R {{ ir_local_res }} irods::storage_tiering::group changed_when: false become_user: '{{ ir_service_account }}' @@ -79,7 +79,7 @@ register: check_imeta_tiering_group failed_when: check_imeta_tiering_group.rc != 0 -- name: Make storage_tiering group for {{ ir_local_res }} +- name: Make storage_tiering group for local resource ansible.builtin.command: >- imeta add -R {{ ir_local_res }} irods::storage_tiering::group tiergroup 0 become_user: '{{ ir_service_account }}' @@ -89,7 +89,7 @@ when: 'check_imeta_tiering_group.stdout is not search("attribute: irods::storage_tiering::group")' # Tiering group -- name: Check if storage_tiering group was defined for {{ ir_local_stage_res }} resource +- name: Check if storage_tiering group was defined for local stage resource ansible.builtin.command: >- imeta ls -R {{ ir_local_stage_res }} irods::storage_tiering::group changed_when: false 
@@ -99,7 +99,7 @@ when: ir_local_stage_res is defined register: check_imeta_tiering_staging_group -- name: Make storage_tiering group for {{ ir_local_stage_res }} +- name: Make storage_tiering group for local stage resource ansible.builtin.command: >- imeta add -R {{ ir_local_stage_res }} irods::storage_tiering::group tiergroup 1 become_user: '{{ ir_service_account }}' @@ -108,7 +108,7 @@ failed_when: make_local_stage_tiering_group.rc != 0 when: 'check_imeta_tiering_staging_group.stdout is not search("attribute: irods::storage_tiering::group")' -- name: Check if storage_tiering group was defined for {{ ir_local_perm_res }} resource +- name: Check if storage_tiering group was defined for local permanent resource ansible.builtin.command: imeta ls -R {{ ir_local_perm_res }} irods::storage_tiering::group changed_when: false become_user: '{{ ir_service_account }}' @@ -117,7 +117,7 @@ register: check_imeta_tiering_perm_group failed_when: check_imeta_tiering_perm_group.rc != 0 -- name: Make storage_tiering group for {{ ir_local_perm_res }} +- name: Make storage_tiering group for local permanent resource ansible.builtin.command: >- imeta add -R {{ ir_local_perm_res }} irods::storage_tiering::group tiergroup 2 become_user: '{{ ir_service_account }}' @@ -126,7 +126,7 @@ failed_when: make_local_perm_tiering_group.rc != 0 when: 'check_imeta_tiering_perm_group.stdout is not search("attribute: irods::storage_tiering::group")' -- name: Check if storage_tiering time was defined for {{ ir_local_res }} resource +- name: Check if storage_tiering time was defined for local resource ansible.builtin.command: >- imeta ls -R {{ ir_local_res }} irods::storage_tiering::time changed_when: false 
@@ -135,7 +135,7 @@ register: check_imeta_tiering_time failed_when: check_imeta_tiering_time.rc != 0 -- name: Make storage_tiering time for {{ ir_local_res }} +- name: Make storage_tiering time for local resource ansible.builtin.command: >- imeta add -R {{ ir_local_res }} irods::storage_tiering::time 60 become_user: '{{ ir_service_account }}' @@ -144,7 +144,7 @@ failed_when: make_local_tiering_time.rc != 0 when: 'check_imeta_tiering_time.stdout is not search("attribute: irods::storage_tiering::time")' -- name: Check if storage_tiering time was defined for {{ ir_local_stage_res }} resource +- name: Check if storage_tiering time was defined for local stage resource ansible.builtin.command: imeta ls -R {{ ir_local_stage_res }} irods::storage_tiering::time changed_when: false become_user: '{{ ir_service_account }}' @@ -152,7 +152,7 @@ register: check_imeta_staging_tiering_time failed_when: check_imeta_staging_tiering_time.rc != 0 -- name: Make storage_tiering time for {{ ir_local_res }} +- name: Make storage_tiering time for local resource ansible.builtin.command: >- imeta add -R {{ ir_local_stage_res }} irods::storage_tiering::time 300 become_user: '{{ ir_service_account }}' @@ -161,7 +161,7 @@ failed_when: make_local_staging_tiering_time.rc != 0 when: 'check_imeta_staging_tiering_time.stdout is not search("attribute: irods::storage_tiering::time")' -- name: Check if storage_tiering minimum_delay_time_in_seconds was defined for {{ ir_local_res }} resource +- name: Check if storage_tiering minimum_delay_time_in_seconds was defined for local resource ansible.builtin.command: > imeta ls -R {{ ir_local_res }} irods::storage_tiering::minimum_delay_time_in_seconds changed_when: false 
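Review bot: The renamed task `Make storage_tiering time for local resource` (hunk `@@ -152,7 +152,7 @@`) still describes the wrong resource: its command is `imeta add -R {{ ir_local_stage_res }} irods::storage_tiering::time 300` and it registers `make_local_staging_tiering_time`, so it operates on the staging resource. Rename it to `- name: Make storage_tiering time for local stage resource` to match the preceding check task and the other renames in this commit.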
@@ -170,7 +170,7 @@ register: check_imeta_tiering_min_delay_time failed_when: check_imeta_tiering_min_delay_time.rc != 0 -- name: Make storage_tiering minimum_delay_time for {{ ir_local_res }} +- name: Make storage_tiering minimum_delay_time for local resource ansible.builtin.command: >- imeta add -R {{ ir_local_res }} irods::storage_tiering::minimum_delay_time_in_seconds 1 become_user: '{{ ir_service_account }}' @@ -179,7 +179,7 @@ failed_when: make_local_tiering_mindelaytime.rc != 0 when: 'check_imeta_tiering_min_delay_time.stdout is not search("attribute: irods::storage_tiering::minimum_delay_time_in_seconds")' -- name: Check if storage_tiering maximum_delay_time_in_seconds was defined for {{ ir_local_res }} resource +- name: Check if storage_tiering maximum_delay_time_in_seconds was defined for local resource ansible.builtin.command: imeta ls -R {{ ir_local_res }} irods::storage_tiering::maximum_delay_time_in_seconds changed_when: false @@ -188,7 +188,7 @@ register: check_imeta_tiering_max_delay_time failed_when: check_imeta_tiering_max_delay_time.rc != 0 -- name: Make storage_tiering maximum_delay_time for {{ ir_local_res }} +- name: Make storage_tiering maximum_delay_time for local resource ansible.builtin.command: >- imeta add -R {{ ir_local_res }} irods::storage_tiering::maximum_delay_time_in_seconds 30 become_user: '{{ ir_service_account }}' @@ -197,7 +197,7 @@ failed_when: make_local_tiering_maxdelaytime.rc != 0 when: 'check_imeta_tiering_max_delay_time.stdout is not search("attribute: irods::storage_tiering::maximum_delay_time_in_seconds")' -- name: Check if storage_tiering minimum_restage_tier was defined for {{ ir_local_stage_res }} resource +- name: Check if storage_tiering minimum_restage_tier was defined for local stage resource ansible.builtin.command: >- imeta ls -R {{ ir_local_stage_res }} irods::storage_tiering::minimum_restage_tier changed_when: false 
@@ -206,7 +206,7 @@ register: check_imeta_staging_minimum_restage failed_when: check_imeta_staging_minimum_restage.rc != 0 -- name: Make storage_tiering minimum_restage_tier for {{ ir_local_stage_res }} +- name: Make storage_tiering minimum_restage_tier for local stage resource ansible.builtin.command: >- imeta add -R {{ ir_local_stage_res }} irods::storage_tiering::minimum_restage_tier true become_user: '{{ ir_service_account }}' diff --git a/roles/irods/templates/database_connect.py b/roles/irods/templates/database_connect.py.4.2.11 similarity index 100% rename from roles/irods/templates/database_connect.py rename to roles/irods/templates/database_connect.py.4.2.11 diff --git a/roles/irods/templates/unattended_install.json.j2 b/roles/irods/templates/unattended_install.json.j2 index 6b4e420c6..9901405da 100644 --- a/roles/irods/templates/unattended_install.json.j2 +++ b/roles/irods/templates/unattended_install.json.j2 @@ -1,5 +1,5 @@ { - "admin_password": "{{ irods_admin_pwd }}", + "admin_password": "{{ ir_admin_pwd }}", "host_access_control_config": { "access_entries": [], "schema_name": "host_access_control_config", diff --git a/roles/irods_davrods/handlers/main.yml b/roles/irods_davrods/handlers/main.yml new file mode 100644 index 000000000..6b08619ad --- /dev/null +++ b/roles/irods_davrods/handlers/main.yml @@ -0,0 +1,14 @@ +--- +- name: (Re)build and start davrods docker instance ... + ansible.builtin.command: + chdir: '{{ davrods_user_home_path }}/{{ davrods_docker_folder }}' + cmd: docker-compose up -d --build --force-recreate + register: result + failed_when: + - result.rc != 0 + changed_when: false + become_user: '{{ davrods_docker_user }}' + become: true + listen: davrods_build_up + +... diff --git a/roles/irods_davrods/tasks/davrods.yml b/roles/irods_davrods/tasks/davrods.yml index 6e9caf6ae..3434b3a6d 100644 --- a/roles/irods_davrods/tasks/davrods.yml +++ b/roles/irods_davrods/tasks/davrods.yml 
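Review bot: The new `davrods_build_up` handler in roles/irods_davrods/handlers/main.yml sets `changed_when: false` although `docker-compose up -d --build --force-recreate` rebuilds the image and recreates the container every time it runs, so a real change is reported as unchanged in the play recap. A handler only runs when a task notified it, so let it report changed (drop `changed_when: false`) or derive the status from the command output. `failed_when: - result.rc != 0` restates the command module's default failure condition and can go together with `register: result`.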
@@ -10,9 +10,9 @@ ansible.builtin.stat: path: /etc/irods/{{ item }} loop: - - '{{ irods_ssl_certificate_key_file }}' - - '{{ irods_ssl_certificate_chain_file }}' - - '{{ irods_ssl_dh_params_file }}' + - '{{ ir_ssl_certificate_key_file | basename }}' + - '{{ ir_ssl_certificate_chain_file | basename }}' + - '{{ ir_ssl_dh_params_file }}' register: check_irods_certs - name: 'Fail if certificates in /etc/irods do not exist' @@ -53,6 +53,7 @@ when: item.state == 'directory' become: true become_user: '{{ davrods_docker_user }}' + notify: davrods_build_up - name: Copy a certificates into {{ davrods_docker_folder }}/config ansible.builtin.copy: @@ -63,13 +64,14 @@ mode: '{{ item.mode }}' remote_src: true with_items: - - name: '{{ irods_ssl_certificate_key_file }}' + - name: '{{ ir_ssl_certificate_key_file | basename }}' mode: '0600' - - name: '{{ irods_ssl_certificate_chain_file }}' + - name: '{{ ir_ssl_certificate_chain_file | basename }}' mode: '0644' - - name: '{{ irods_ssl_dh_params_file }}' + - name: '{{ ir_ssl_dh_params_file | basename }}' mode: '0644' become: true + notify: davrods_build_up - name: 'Deploy docker template files into {{ davrods_docker_folder }}' ansible.builtin.template: @@ -80,6 +82,7 @@ when: item.state == 'file' become: true become_user: '{{ davrods_docker_user }}' + notify: davrods_build_up - name: Make sure docker is running ansible.builtin.service: 
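Review bot: In the `ansible.builtin.stat` loop the new `- '{{ ir_ssl_dh_params_file }}'` entry is the only one without `| basename`, while the copy loop later in the same file (`- name: '{{ ir_ssl_dh_params_file | basename }}'`) and the Dockerfile apply it. If `ir_ssl_dh_params_file` ever carries a directory component, the existence check looks at a different path than the copy and the `Fail if certificates in /etc/irods do not exist` guard below it stops guarding. Use `- '{{ ir_ssl_dh_params_file | basename }}'` here as well.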
@@ -87,26 +90,6 @@ state: started enabled: true become: true + notify: davrods_build_up -- name: Build the davrods docker instance ... (this will take a minute) - ansible.builtin.command: - chdir: '{{ davrods_user_home_path }}/{{ davrods_docker_folder }}' - cmd: docker-compose build davrods - register: result - failed_when: - - result.rc != 0 - changed_when: false - become_user: '{{ davrods_docker_user }}' - become: true - -- name: Start the davrods docker instance ... - ansible.builtin.command: - chdir: '{{ davrods_user_home_path }}/{{ davrods_docker_folder }}' - cmd: docker-compose up -d davrods - register: result - failed_when: - - result.rc != 0 - changed_when: false - become_user: '{{ davrods_docker_user }}' - become: true -... \ No newline at end of file +... diff --git a/roles/irods_davrods/tasks/main.yml b/roles/irods_davrods/tasks/main.yml index 5396e9d81..9389b5d78 100644 --- a/roles/irods_davrods/tasks/main.yml +++ b/roles/irods_davrods/tasks/main.yml @@ -5,4 +5,5 @@ when: - davrods_install is defined - davrods_install == True -... \ No newline at end of file + +... diff --git a/roles/irods_davrods/templates/Dockerfile b/roles/irods_davrods/templates/Dockerfile index a0514e092..7ab489326 100755 --- a/roles/irods_davrods/templates/Dockerfile +++ b/roles/irods_davrods/templates/Dockerfile 
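Review bot: Replacing the unconditional `docker-compose build`/`docker-compose up -d` tasks with `notify: davrods_build_up` means the container is only (re)built when one of the notifying tasks reports a change; a davrods container that is stopped or was removed out of band is not started again by a run whose configuration is unchanged, which the removed `up -d` task covered. If that convergence is wanted, add a check task (e.g. `docker-compose ps` with `changed_when` set when the service is not running) that notifies the same handler, or keep a plain `docker-compose up -d` without `--build` as a regular task.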
@@ -55,26 +55,26 @@ ADD config/irods_environment.json /config/irods_environment.json ## dhparm # this is not needded anymore, as the dhparams is copied from host. # This also speeds up potential docker rebuilds -#RUN openssl dhparam -out /etc/ssl/certs/{{ irods_ssl_dh_params_file }} 2048 +#RUN openssl dhparam -out /etc/ssl/certs/{{ ir_ssl_dh_params_file | basename }} 2048 # copy existing key into VM -ADD config/{{ irods_ssl_certificate_key_file }} /config/{{ irods_ssl_certificate_key_file }} -ADD config/{{ irods_ssl_certificate_key_file }} /etc/ssl/private/{{ irods_ssl_certificate_key_file }} -RUN chmod 600 /config/{{ irods_ssl_certificate_key_file }} -RUN chmod 600 /etc/ssl/private/{{ irods_ssl_certificate_key_file }} +ADD config/{{ ir_ssl_certificate_key_file | basename }} /config/{{ ir_ssl_certificate_key_file | basename }} +ADD config/{{ ir_ssl_certificate_key_file | basename }} /etc/ssl/private/{{ ir_ssl_certificate_key_file | basename }} +RUN chmod 600 /config/{{ ir_ssl_certificate_key_file | basename }} +RUN chmod 600 /etc/ssl/private/{{ ir_ssl_certificate_key_file | basename }} # copy existing crt into VM -ADD config/{{ irods_ssl_certificate_chain_file }} /config/{{ irods_ssl_certificate_chain_file }} -RUN chmod 600 /config/{{ irods_ssl_certificate_chain_file }} +ADD config/{{ ir_ssl_certificate_chain_file | basename }} /config/{{ ir_ssl_certificate_chain_file | basename }} +RUN chmod 600 /config/{{ ir_ssl_certificate_chain_file | basename }} # copy existing dhparams into VM -ADD config/{{ irods_ssl_dh_params_file }} /config/{{ irods_ssl_dh_params_file }} -RUN chmod 600 /config/{{ irods_ssl_dh_params_file }} +ADD config/{{ ir_ssl_dh_params_file | basename }} /config/{{ ir_ssl_dh_params_file | basename }} +RUN chmod 600 /config/{{ ir_ssl_dh_params_file | basename }} # FIX for https://access.redhat.com/articles/1462323 # it appends the dhparam at the end of the chain file -RUN cat /config/{{ irods_ssl_certificate_chain_file }} /config/{{ 
irods_ssl_dh_params_file }} > /etc/ssl/certs/{{ irods_ssl_certificate_chain_file }} -RUN chmod 644 /etc/ssl/certs/{{ irods_ssl_certificate_chain_file }} +RUN cat /config/{{ ir_ssl_certificate_chain_file | basename }} /config/{{ ir_ssl_dh_params_file | basename }} > /etc/ssl/certs/{{ ir_ssl_certificate_chain_file | basename }} +RUN chmod 644 /etc/ssl/certs/{{ ir_ssl_certificate_chain_file | basename }} RUN yum install -y mod_ssl.x86_64 diff --git a/roles/irods_davrods/templates/config/davrods-vhost.conf b/roles/irods_davrods/templates/config/davrods-vhost.conf index f5cc34550..f74d4a2d6 100755 --- a/roles/irods_davrods/templates/config/davrods-vhost.conf +++ b/roles/irods_davrods/templates/config/davrods-vhost.conf 
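Review bot: The TLS private key is still baked into the image: `ADD config/{{ ir_ssl_certificate_key_file | basename }} /etc/ssl/private/{{ ir_ssl_certificate_key_file | basename }}` (and the `/config/` copy) write it into image layers, so it travels with every copy, build cache and registry push of the image regardless of the later `RUN chmod 600`. Prefer mounting the key at container start from the host (a read-only `volumes:` entry or `secrets:` in docker-compose.yml) and dropping both key `ADD` lines and their `chmod`, so the image itself carries no secret. The chain and dhparams files are public material and can stay in the image.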
@@ -17,13 +17,18 @@ ServerName {{ hostvars[inventory_hostname]['fqdn'] }} # protocol support). SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 # enable only TLS 1.2 or higher - SSLCertificateFile /etc/ssl/certs/{{ irods_ssl_certificate_chain_file }} - SSLCertificateKeyFile /etc/ssl/private/{{ irods_ssl_certificate_key_file }} - #SSLOpenSSLConfCmd DHParameters /etc/ssl/certs/{{ irods_ssl_dh_params_file }} - # FIX: now works via copying dhparams file contents at the end of - # certificate chain file, as the apache 2.4.6 does not support ^ command - + # enable only TLS 1.2 or higher + SSLCertificateFile /etc/ssl/certs/{{ ir_ssl_certificate_chain_file | basename }} + SSLCertificateKeyFile /etc/ssl/private/{{ ir_ssl_certificate_key_file | basename }} + + # With recommendation from https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html#onlystrong + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + # Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some + # require OpenSSL 1.1.0, which as of this writing was in pre-release. + SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + SSLHonorCipherOrder on + SSLCompression off + SSLSessionTickets off @@ -91,7 +96,7 @@ ServerName {{ hostvars[inventory_hostname]['fqdn'] }} # Data grid zone id of the iRODS server. # - DavRodsZone {{ irods_zone }} + DavRodsZone {{ ir_zone }} # Authentication type to use when connecting to iRODS. # diff --git a/roles/irods_davrods/templates/config/irods_environment.json b/roles/irods_davrods/templates/config/irods_environment.json index a631ef14a..faf2d7521 100644 --- a/roles/irods_davrods/templates/config/irods_environment.json +++ b/roles/irods_davrods/templates/config/irods_environment.json 
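Review bot: The comment `# enable only TLS 1.2 or higher` is now separated from the directive it explains: it sits above `SSLCertificateFile`, while `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` has moved below the certificate lines under the `onlystrong` link. Move the comment directly above `SSLProtocol`, and replace the copied `# Many ciphers defined here require a modern version (1.0.1+) of OpenSSL. Some require OpenSSL 1.1.0, which as of this writing was in pre-release.` text, which describes the state of the upstream example rather than this image, with a one-line note of where the cipher list came from and when it was last synced so it can be refreshed in a later review.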
@@ -11,7 +11,7 @@ "irods_encryption_num_hash_rounds": 16, "irods_encryption_salt_size": 8, "irods_home": "/{{ ir_zone }}/home/rods", - "irods_host": "will_be_overwritten", + "irods_host": "will_be_overwritten_on_docker_build", "irods_match_hash_policy": "compatible", "irods_maximum_size_for_single_buffer_in_megabytes": 32, "irods_port": 1247, diff --git a/roles/irods_davrods/templates/docker-compose.yml b/roles/irods_davrods/templates/docker-compose.yml index aa7663a94..7b5bb4d4f 100644 --- a/roles/irods_davrods/templates/docker-compose.yml +++ b/roles/irods_davrods/templates/docker-compose.yml @@ -2,7 +2,7 @@ version: '2' services: davrods: ports: - - '443' + - '443:443' build: context: ./ args: diff --git a/static_inventories/nibbler_cluster.yml b/static_inventories/nibbler_cluster.yml index 537fa651c..9e7630259 100644 --- a/static_inventories/nibbler_cluster.yml +++ b/static_inventories/nibbler_cluster.yml 
@@ -23,15 +23,20 @@ all: hosts: irods-catalogus: fqdn: umcg-icat01.hpc.rug.nl - pgsql_server: "remote" # "local" or "remote" PostgreSQL server - ir_local_res: 'rootResc' # local iRODS resource - ir_default_res: 'surfObjStore' # default resource iRODS uploads to - ir_zone: 'nlumcg' # default main iRODS zone name - ir_db_user: '{{ ir_service_account }}' # db Username, usually same as irods_service_account - ir_db_pwd: '{{ icat_db_pwd }}' # production! vaulted pgsql password - ir_db_name: '{{ icat_db_name }}' # iRODS Database Name - ir_db_server: '{{ icat_db_server }}' # iRODS Database Server + pgsql_server: "remote" # PostgreSQL "local" or "remote" server + ir_local_res: 'rootResc' # iRODS local resource + ir_default_res: 'surfObjStore' # iRODS default resource for uploads + ir_zone: 'nlumcg' # iRODS default main zone name + ir_negotiation_key: '{{ icatV_negotiation_key }}' # iRODS Vaulted negotiation key + ir_ctrl_plane_key: '{{ icatV_ctrl_plane_key }}' # iRODS Vaulted control plane key + ir_zone_key: '{{ icatV_zone_key }}' # iRODS Vaulted zone key + ir_db_user: '{{ icatV_db_user }}' # iRODS Vaulted db username + ir_db_pwd: '{{ icatV_db_pwd }}' # iRODS Vaulted pgsql password + ir_db_name: '{{ icatV_db_name }}' # iRODS Vaulted database name + ir_db_server: '{{ icatV_db_server }}' # iRODS Vaulted database server + ir_salt: '{{ icatV_salt }}' # iRODS Vaulted salt key ir_admin_name: 'rods' # iRODS (and zone) account + ir_admin_pwd: '{{ icatV_admin_pwd }}' # iRODS Vaulted main admin password tiering_install: False # True / False - if the playbook tiering.yml should be executed # ir_local_stage_res: 'demoRescStage' # Staging resource, before data moved to permanent resource # ir_local_stage_res_fol: '/tmp/irods/{{ ir_local_stage_res }}' 
@@ -39,19 +44,21 @@ all: # ir_local_perm_res_fol: '/tmp/irods/{{ ir_local_perm_res }}' irods-test: fqdn: umcg-icat01.hpc.rug.nl - ir_client_server_policy: 'CS_NEG_REFUSE' # communicating using (default) SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE - pgsql_server: "local" # "local" or "remote" PostgreSQL server - ir_local_res: 'demoResc' # Staging resource, before data moved to permanent resource - ir_default_res: 'demoResc' # default resource iRODS uploads to - ir_db_server: '127.0.0.1' # pgsql server location - ir_db_pwd: '{{ icat_test_db_pwd }}' # test! vaulted pgsql password - ir_admin_pwd: '{{ ir_test_admin_pwd }}' # test! vaulted irods admin password - ir_zone: 'tstzone' # default main iRODS zone name + ir_client_server_policy: 'CS_NEG_REFUSE' # test! iRODS communicating using (default) SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE + pgsql_server: "local" # test! iRODS PostgreSQL "local" or "remote" server + ir_local_res: 'demoResc' # test! iRODS Staging resource, before data moved to permanent resource + ir_default_res: 'demoResc' # test! iRODS default resource for uploads + ir_db_server: '127.0.0.1' # test! iRODS pgsql server location + ir_db_pwd: '{{ icatV_test_db_pwd }}' # test! iRODS Vaulted pgsql password + ir_db_name: 'ICAT' # test! iRODS database name + ir_admin_pwd: '{{ icatV_test_admin_pwd }}' # test! iRODS Vaulted irods admin password + ir_zone: 'tstzone' # test! iRODS default main zone name + ir_salt: 'sA+dwq_dk29DJ1' # test! iRODS salt tiering_install: True # True / False - if the playbook tiering.yml should be executed - ir_local_stage_res: 'demoRescStage' # Staging resource, before data moved to permanent resource - ir_local_stage_res_fol: '/tmp/irods/{{ ir_local_stage_res }}' - ir_local_perm_res: 'demoRescPerm' # Permanent resource, where it will keep data indefinitely - ir_local_perm_res_fol: '/tmp/irods/{{ ir_local_perm_res }}' + ir_local_stage_res: 'demoRescStage' # test! 
iRODS staging resource, before data moved to permanent resource + ir_local_stage_res_fol: '/tmp/irods/{{ ir_local_stage_res }}' # test! iRODS staging resource folder path + ir_local_perm_res: 'demoRescPerm' # test! iRODS permanent resource, where it will keep data indefinitely + ir_local_perm_res_fol: '/tmp/irods/{{ ir_local_perm_res }}' # test! iRODS permanent resource folder path vars: cloud_flavor: m1.large local_volume_size_extra: 20 From eb44e45706dd67b5e964ebf709678c57d0f528fc Mon Sep 17 00:00:00 2001 From: scimerman Date: Tue, 9 Aug 2022 15:26:37 +0200 Subject: [PATCH 03/11] irods: renamed Vault variables, added davrods docker unused image prune option --- group_vars/nibbler_cluster/secrets.yml | 201 +++++++++++++------------ roles/irods_davrods/tasks/davrods.yml | 16 +- 2 files changed, 113 insertions(+), 104 deletions(-) diff --git a/group_vars/nibbler_cluster/secrets.yml b/group_vars/nibbler_cluster/secrets.yml index f39c4803e..cfde16c4c 100644 --- a/group_vars/nibbler_cluster/secrets.yml +++ b/group_vars/nibbler_cluster/secrets.yml 
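Review bot: The test host gets a literal `ir_salt` value in the inventory, while every other secret for this host (`icatV_test_db_pwd`, `icatV_test_admin_pwd`) and the production `ir_salt: '{{ icatV_salt }}'` are vault references. Even for a test zone this is a credential-like value committed in cleartext to version control; move it into the vault next to the other `icatV_test_*` variables and reference it, e.g. `ir_salt: '{{ icatV_test_salt }}'  # test! iRODS Vaulted salt` (variable name suggested).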
@@ -1,101 +1,102 @@ $ANSIBLE_VAULT;1.2;AES256;nibbler_cluster -62653139663861373737633132663838346663663636353030633664313562656137626565633930 -3761343333626434353365613339313239636661333035320a663131383938393966343963643139 -61333534346131373533643639636531613336663361626139366466643135376463346434616261 -6534313136663664340a613561646361373131636637363138303464303663303936386461376237 -38373836653162363034376635626338353462306165643630373566346431613961303663376462 -66636338363836626565663131643565323237656564316531646132343635626433643064396163 -30656634376661353164633061396166333635323638303039353633373663653562393739356337 -39623062336237663935666366346532366265653564323561346161393138336330343238396162 -38663233643534613231623134356365333831623433353865326331636463393333656464643333 -35623635373535613039313663636139643862326436333233396230633666383565343664393439 -61363766316363396264383130326537346437336534306533366238643632613533396333313139 -63313066656135346132333035333339356233326339303631343532646263373365623964316463 -66356563393936636264346335393361663337633533616335383539633964386462666130653966 -61653538633032333534633538653235383031613636396561616365366130373964393136353439 -62323164356131656262626361653233636538353263353336323461353235363361316265633933 -36313134356537373662663963386231623632333633646133383837663362373864336238303064 -39303263333262326661623239623934383535333632633738663039383462626562643664303665 -64373139643862373936313936653439386365333830373136343635313862303666323461396335 -35316437613436363362373966333161643966336361346462353436346232306261323962373331 -65303734306366346334363262326133643364333334326639663334666234303736373330393761 -35366632363664626665366161663336323764333938613439653739333762666565363564386638 -36393130616236386262303737643061376637663338306561396439373466613130333233323436 -31353862376432643534363064646638316335653834373834633466633834393065643533346265 
-62653862356533323732623737353233323263616464306630616266393862613833306237356461 -31383831393030616135363161643938333633626561623933663434663565656361386339636231 -38656136666161613033303066643166373764306630353638393165646562626563333639653130 -61306230323839656262663738363334316432656638643561323536363864326132613136373034 -35306539323130363265303465623131363334633536313130323738626664656561303834613439 -37333035653264396539303335626562613965626465313235336465623861316163373462616462 -33386661613862626133663262663761623035643761323664323539633734663332313162626136 -38643963343162623261323965386538353765343762646330393863323234333565383733343337 -36613139636533303231353932316463666366643931343630303062383466393864613936623439 -66616435396634333231633835346336343336373235373737666133343939333263356230353336 -38373766656131353365306631366237636130636131323831343162366133396333663938353431 -35633466353737616261643432353437353664636439343833373965393765343739616537353461 -31313364383865376532333666653138633065643131633863653739363266313433396338313835 -33343233393265333933393362323230656534346164613266643163643738376139316437616264 -65363065383634643838323562613361663366393863316339396131653931643561393831343330 -66376136303430363835653865393533636634656531393131656366366463373065646332326436 -64376636353234633839666239373036306565666161353431336265633230396566343963626265 -38666431373634353039303865366136616232383061656537323232353864623437656530646266 -38643161383235666265373132626536663564373532386335313033363531666263653731326432 -30363366326531363764656162313232313932376363663035366365373565393764643131653335 -37336564313039316133343339303836333263663365326536313432623237353133396363626165 -34363063343961393262356437643761356166376437613537373066343837616236663563373063 -30663438646431663934636534633336313465343766393961383730616239386632343832303761 -31626566346636363038616537656436663531623764623737623561343563346139326333333230 
-32636666333363666362633937643966376261346366653830666262323238303737346364613438 -64396161336530343638616266653034663338633639653833373962383834636137366238393165 -62333031313639383037306264646434373065616532653832626138633639353662326539393639 -34653535643465613639656530313339386131633339353330346639396432336663653431616637 -31623664663038666239633330653136636538643939666663323234383266396238303234633766 -63353034366134383233343866663762313031386466366332303564373561393861646663643936 -38373461363034323938323664353765306265653733376565616665326435376265653830376664 -66396561393065613764373137306666636530626365303063626138336430303236343634383738 -61353561306166343437653638343165623534643966333731623462613430616533323731383832 -61613462346336343233303838363532396638386162623133336562363733623763663338616236 -64356231656564343734323562343266313566336438343562623830613434663837646535353833 -38346236306331636631613933373431366133373965366663633231623964376632663731653563 -63643630353535343636636235626462303263323734393038373138326231363034336231626537 -38666139373464346164643463386332323266653138393734333765653738373763303931333466 -30363632323566313866386230383463326433373662653435373766346435303165643165383235 -36373439376238653636316461333866303333633635666439383630396437353532623964386238 -32353761373631383730313263353336303734333566303262653266626563313534306436666262 -30353166326566353534313565386661613562356265303138303434663637623262343139326139 -34396433353038663830363734353634383836656466636532646666643735386162303764366338 -64393736373935393137636439393833663066316236316434363262313062383333326637333732 -31626434376437366365346234306561396538323535303930366664383035343936303636326135 -61666265633533373932323663356639663265633762373265613836613439366161656161386661 -66363837636264326131323430346633646237613234326163396638633433623834306632646532 -30636130383038343332393364363464343833313062303134616563313539373561663632346336 
-35313333623166316262393730383966343436303339343935663564333332333539313630643635 -37313738333465306533613366633039323537303536383862623365626335393533363036373665 -34643033643639663139626466616233346463353662313834323533313865306430623735303237 -32333161303737343565363364393430396537396561313964663634633563613932376465656534 -31373236353432316463303963616233353038663936643737376536333063323261663437643933 -39636636306635616630306139316462666162613663653562313736333635333765303761363834 -34323331353263613738373661366236333134663234626466333537386334653739316230653931 -36663234383735663930323132623437656662303630666466663662613465333664663664623662 -35623561313638656164613237333132636663316330346537353261336362633839643235613462 -30343238343430646164383837346134393463326464356231323539363730336461323431646366 -62303739313830326635303230333664643862393536376635613239633937316361346335343830 -65373966653536623464313336346161623537303762633737333162613132636439393732323162 -34616437333337353838626464386131636233363237386138353435303935663564616163633830 -36316263376261633934663963373465333461366463323338656231313061646135663665393738 -35396630363763323263623839313232623434633566333166396263366338333333633033326663 -66383439336239636630343537333038376132376237353864313931316466653562303664353233 -66663063363366636532616131336532613364316233653135643336613264386663396264663737 -62323563366134373031633332393534666637363832626333366339353230656636646261386333 -62393235633435663261303133656138363433373439313062383666646231653235366235636136 -36636331353762633532653965626336646130356638633665383735313231363333363362633331 -63653035363662643538303864386562353830666565633230353038666266323938653961653063 -35393265326438666361323836643061616539306638336535626434623463376165626436383933 -32633931393666613531366264656264323866633839633762303131376164373165383237333865 -63653566376333343466383832656463336162663562616331633062356664636435363563326464 
-31346134663937633730373364616636656438656132616363376164306361363535366238383663 -63353864306361333066366631623338376461343733393662316139343435663866326636336631 -35346366323665613936643565623965326430653433326562373361616366636430653466613237 -31333061333664613634643939373833343139653165626566306665396663326539393634626632 -31316534653933616666 +30343333623233633436323230336132613139613966383635306163303835663439643631313430 +3066633430363831333636323062636139663638303331380a316661633366353063393637316630 +63366539663234396232313938306461633737623134643737313835303864646535623066383439 +3735373336376165300a616464366332316237326165313435636134376437313638636261346235 +61343332323636303733623833366332323165336466366134396561623662333237333830343330 +32383962336132343763373863366130316434623935653264303133363530386663613735366265 +35333338666636366663643963306331626330656430313863333261396135633237303531356236 +35336533333436656131633033626538306632353562666665316366313932333530333030366138 +61633061366664336664343564346430616361313862393732383666386462353331633261396138 +38383330326230316434663665653061363634663461353862316665643134653164303931633331 +66346439666663303931666661336134646237626436346161663237646236313938313039356162 +39313337363837373432656335666136616363386162663435363130373937613637393933396263 +30366235333033323435326265666139373038363962646331643237316233653261616563353034 +61313235386465663630386638653935663637376335636630333038613830363433376635613361 +34646665313230363738306264376331316264633561373633386539346662306233343561313939 +65373734643266303834646531343961373466633936376365383363333431663138626634396164 +63653738353564313238303737613034363564356661623032383034343264616665626433316433 +31343332636438653737386533636135306365373565616233636263323562313733653764636139 +37333366323639373335393862633839353535383864396234373832396562643737313636393334 +62663666616462383661663736646266653263303435343230386439373963346161393831626366 
+32613631323562616430626131623934343637646139343065613231646432646266363339326366 +35643865336630383065353763643166326436306430383333363533363732376366353964346562 +66623964636434646666613565313761623936393735353237343234326234383866663336353637 +31623936626231316638666563316261346361316134333635343965393464343339373933333339 +32623830353531386630303865303936636636633734303731643063306234393761306532396339 +35636235656266633831363761333430633862623136313132643131363331643630626439643461 +30643937633239383232346334613835303861643734323335306336643962343461356462366636 +37666363373565656534373266393262653561646337356230653430616563393264336434623031 +62643466396561373962393361386564643366373837626662343162663662616534396362373064 +63363035316464656365343635313033643730313738316639643166363031633161313737363136 +30626461656361306166623436643435613364656264646465313538376435313037353735323762 +39313036646130666631336231613933393363343665666239643464316132333462363463616334 +34346364626135616262366363343932373233623430346630323937383934363261363039386463 +32363432366330333165383338666563316530646538636563623266396232336532303162373234 +61313963616466386363363132343035346139356639363962333832336135633135316536326231 +30653235376633643362643638363339326237393261653064656533663332306361363065376532 +32383461393432666564316137373233663362643366333737656531373238323566313632373537 +61343534383366373263626338353435623862613664363633623338356437353132643134666362 +65663938396664636631353834396430373266326531306530393066666565393333353433663061 +38636263656635383837393437386264333539326239383264356434383533613464663738626366 +61376536346231363834333763666163653365643264326539346230643566303038386132616137 +35376639653461663834316661346531623537623262333561366163663033316263613437613132 +63343833396162656137353039353164366238643065373534613734656135333232316334663635 +66303562343565343739626662636235656664333831336335656430653162376262396663393637 
+61386338383736386532326638643838633736646261393830623165323232316461353539323064 +61343135386363366432653362383135316439356333316234303663663662316133356232323334 +66333461363062396234653933313931343533613366313530393336356231363133653832636331 +31343834313736616666363235363232663437626335346564623932646666336364643437376238 +36666363653763623666393363323664646134326462643237316161646537326463383135353338 +62366166623162343537623037623563306433636565363338636435323434363663626562623064 +63323838363033396433613033326630616239353735623932363532653437396563353539343465 +37663034353864306437643265373438666634613635303035383338383666386561636665633330 +62376464316433353030323934346166616636333165653964656563376433316139313230653063 +61623336656565666161346461653632303735363035626233303832653664356132646431333566 +31656333623136326536343836356235393664643765373432633932313765656237363033316334 +37356630633537376230376662393161636136363066363333613533323435316362613332366364 +32623538336238356264343937353763353063663634326362613961653764613064356634653761 +30306439633966363561303335353239616265656338323831646363373736303261383438373337 +65353634366236333836643235336262613565643431636662303966643231306337316238306131 +31326530613033356437623362623037306434323666643633643030353136346136323835663563 +31613433633763326132386538623235653764666236663731656639393866613635626636633834 +31363764633735626338316438363764376230396166373631393830393263303861633031306635 +35616439343265356365316432393131373933346637656565393266666536646564623038356265 +33393364636530353864313730376633626462363361633530306432313339633032303638636633 +30346634323130343766373137663833616536643237313935396665653739663864353864363937 +66306561303262663935333861643034646432653330363936383733393733643366663332306530 +34653033633264313863656664633630373561316331396539643535333135383632653461346132 +65333062636239366562616235623739666435316463616434373337336463376432383336353632 
+63393235323430633436356564643530633039306437636238613665316534623163373666383032 +64336633663331383430343337376636376465353637386434393862363230306539363435373761 +38356130326538623437383036303764613537313631333235633632656636386533326266613063 +35306132343232373637373037653362643861653431386166626330356234666337363730616237 +38363538323834353235363261646561623334636334633966306361643138376465613738616266 +39326165353633333265303637363663306238303363373731396539353736313834653630633338 +31646130363035363865393032383962383736393738343834386638646161306666333835666230 +31656665316663333935323163626462623565333565323064333462623138616162306135326538 +64326163333139646139393764316262366165343532643837303333636565346333353235643564 +61343731346536366430376161326633333637336464386332383463306164663431653462633462 +61323130383330626566373434656362623137656236663863333536376538303361346162353163 +62626438393164366364636438326233656537666463366331326366663638303764333638383364 +31653662386533333039653735306563633364353762343966353566366536323230306466376635 +33333130366636303038303633306436636664656466323634323739623163393065636564373031 +30653164366335306166353361386530346433666335383065373031373237333638306138363439 +35353264346461663435623434386465666630353166306231356562323362636165373333623437 +33383330653062323433356166613533616464653432336336643263616161383939643236336430 +63346136333366663336623732346364663532643565666635353234333034373435313536363330 +32616533393339326162613430356230666333336265643361356562373031346466363133626238 +33643939363932656364616363363065303566636662383937656336363038636234643363636331 +36623835643666613136323834656562356135383235643261306139663539613237303664636466 +66633138323533373636306364323937383931666330383337373639346362333836623066666264 +37623737633564656231653166366366383061363932666664343265363337633639316638323532 +33623932356335636465626134303638323561323333376266353435653332396162623934316263 
+63653330316437393663306636373233613036316330633035363266613232323762326237363139 +61383264356136363838643933613931653165636433353864633261643964303765383065396465 +37613938613830383362646335636239663638346666366261336362623937616635613132323332 +33353433386439653962373265313564666161386561313864663436326538396431363431363763 +39393363366363336336356564376537623164383134346565313234363232306637343533373637 +33373361336334616565666632653965346235353030373734643938613738653863663332303830 +36653038356138616236336535386262366636653732313165373964323036333632353566313562 +31653761316361616562366131373231653466383863626561386564636366643163343931633439 +3762 diff --git a/roles/irods_davrods/tasks/davrods.yml b/roles/irods_davrods/tasks/davrods.yml index 3434b3a6d..2af52a77c 100644 --- a/roles/irods_davrods/tasks/davrods.yml +++ b/roles/irods_davrods/tasks/davrods.yml @@ -22,13 +22,13 @@ when: not item.stat.exists or not item.stat.rusr become: true -- name: 'Create {{ davrods_docker_user }} group' +- name: 'Create davrods docker group' ansible.builtin.group: name: '{{ davrods_docker_user }}' state: present become: true -- name: 'Creating {{ davrods_docker_user }} user' +- name: 'Create davrods docker user' ansible.builtin.user: name: '{{ davrods_docker_user }}' groups: '{{ davrods_docker_user }},docker' @@ -55,7 +55,7 @@ become_user: '{{ davrods_docker_user }}' notify: davrods_build_up -- name: Copy a certificates into {{ davrods_docker_folder }}/config +- name: Copy a certificates into davrods docker folder ansible.builtin.copy: src: '/etc/irods/{{ item.name }}' dest: '{{ davrods_user_home_path }}/{{ davrods_docker_folder }}/config' @@ -73,7 +73,7 @@ become: true notify: davrods_build_up -- name: 'Deploy docker template files into {{ davrods_docker_folder }}' +- name: Deploy docker template files into davrods docker folder ansible.builtin.template: src: '{{ item.src }}' dest: '{{ davrods_user_home_path }}/{{ davrods_docker_folder }}/{{ item.path }}' 
@@ -92,4 +92,12 @@ become: true notify: davrods_build_up +- name: Prune unused davrods docker images + ansible.builtin.command: 'docker image prune -af' + changed_when: false + register: prune_result + failed_when: 'prune_result.rc > 1' + become_user: '{{ davrods_docker_user }}' + become: true + ... From 15124ad2fdfc2700cee12c323e52ea89d3ab489e Mon Sep 17 00:00:00 2001 From: scimerman Date: Tue, 9 Aug 2022 15:40:00 +0200 Subject: [PATCH 04/11] irods: typo --- roles/irods/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/irods/README.md b/roles/irods/README.md index 0d3648efc..5fa775050 100644 --- a/roles/irods/README.md +++ b/roles/irods/README.md @@ -3,7 +3,7 @@ - preconfigured irods repository - and administrative privileges on the machine -# Variables naming +# Variable naming `ir_` are all the variables that are used within this playbook From e570f97c8fe4287de490836d074df0f537e4182c Mon Sep 17 00:00:00 2001 From: scimerman Date: Wed, 10 Aug 2022 15:39:06 +0200 Subject: [PATCH 05/11] irods: sql database testing fix, unified remote and local calls --- group_vars/irods.yml | 4 +- group_vars/nibbler_cluster/secrets.yml | 202 +++++++++--------- roles/irods/tasks/icat.yml | 27 ++- roles/irods/tasks/icat_pre.yml | 14 +- roles/irods/tasks/pgsql_local.yml | 2 +- roles/irods/tasks/pgsql_remote.yml | 19 +- roles/irods/templates/pgpass | 2 + .../templates/unattended_install.json.j2 | 1 + static_inventories/nibbler_cluster.yml | 8 +- 9 files changed, 143 insertions(+), 136 deletions(-) create mode 100644 roles/irods/templates/pgpass diff --git a/group_vars/irods.yml b/group_vars/irods.yml index 3d325bdfa..8f2220eea 100644 --- a/group_vars/irods.yml +++ b/group_vars/irods.yml 
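Review bot: The new prune task executes `docker image prune -af` as `{{ davrods_docker_user }}`, which only works because the first hunk of this file keeps that account in the `docker` group, and docker-group membership is equivalent to root on the host, so a destructive operation now runs under what is presented as an unprivileged service account. `-a` removes every image not used by a running container, not just dangling layers, which can affect other compose projects sharing the daemon; dropping `-a` or filtering by label limits the blast radius. `changed_when: false` hides that the command mutates state; deriving it from the output, e.g. `changed_when: "'Total reclaimed space: 0B' not in prune_result.stdout"`, keeps the play summary honest. The `failed_when: 'prune_result.rc > 1'` tolerance deserves a comment naming which rc=1 case it is meant to accept.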
@@ -8,6 +8,7 @@ firewall_allowed_tcp_ports: # list of open ports on iCAT server - "20000:20199" # irods ir_version: '-4.3.0*' # if defined (empty): version will be installed (must start with '-' and end with '*') + # first install v4.2.11 and then upgrade to 4.3.0 ir_server_type: 'icat' # iRODS Server Type ir_client_server_policy: 'CS_NEG_REQUIRE' # communicating using SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE @@ -16,13 +17,12 @@ ir_ssl_certificate_key_file: 'nemi_irods/localhost-umcg01.key' # iRODS server ce ir_ssl_dh_params_file: 'dhparams.pem' # DHparam filename ir_service_account: 'irods' # iRODS linux account under which iRODS runs +ir_service_account_home: '/home/{{ ir_service_account }}' # iRODS service account user's home folder ir_admin_name: 'rods' # iRODS (and zone) account ir_admin_pwd: '{{ icatV_admin_pwd }}' # iRODS Vaulte main administrator password ir_admin_home_path: '/{{ ir_zone }}/home/{{ ir_admin_name }}' # iRODS admin's home path ir_db_user: '{{ icatV_db_user }}' # iRODS Vaulted database username ir_db_pwd: '{{ icatV_db_pwd }}' # iRODS Vaulted database password -ir_db_name: '{{ icatV_db_name }}' # iRODS Vaulted database name -ir_db_server: '{{ icatV_db_server }}' # iRODS Vaulted database server ir_salt: '{{ icatV_salt }}' # iRODS Vaulted salt ir_zone: 'nlumcg' # iRODS default main iRODS zone name ir_zone_key: '{{ icatV_zone_key }}' # iRODS Vaulted zone key diff --git a/group_vars/nibbler_cluster/secrets.yml b/group_vars/nibbler_cluster/secrets.yml index cfde16c4c..f28db5de7 100644 --- a/group_vars/nibbler_cluster/secrets.yml +++ b/group_vars/nibbler_cluster/secrets.yml 
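Review bot: The second hunk removes `ir_db_name` and `ir_db_server` from group_vars while `roles/irods/tasks/icat.yml` and the new `roles/irods/templates/pgpass` in this same patch still read both; they now resolve only through the definitions in `static_inventories/nibbler_cluster.yml`, so any inventory lacking them fails at template time with an undefined variable. A comment at the removal site, `# ir_db_name / ir_db_server / ir_db_port are defined per stack in static_inventories/<stack>.yml`, would make that dependency visible. The comment added under `ir_version`, `# first install v4.2.11 and then upgrade to 4.3.0`, describes a two-step procedure that the value `'-4.3.0*'` above it does not perform; if the intermediate install is required, state where it is enforced or reword it as a prerequisite.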
@@ -1,102 +1,102 @@ $ANSIBLE_VAULT;1.2;AES256;nibbler_cluster -30343333623233633436323230336132613139613966383635306163303835663439643631313430 -3066633430363831333636323062636139663638303331380a316661633366353063393637316630 -63366539663234396232313938306461633737623134643737313835303864646535623066383439 -3735373336376165300a616464366332316237326165313435636134376437313638636261346235 -61343332323636303733623833366332323165336466366134396561623662333237333830343330 -32383962336132343763373863366130316434623935653264303133363530386663613735366265 -35333338666636366663643963306331626330656430313863333261396135633237303531356236 -35336533333436656131633033626538306632353562666665316366313932333530333030366138 -61633061366664336664343564346430616361313862393732383666386462353331633261396138 -38383330326230316434663665653061363634663461353862316665643134653164303931633331 -66346439666663303931666661336134646237626436346161663237646236313938313039356162 -39313337363837373432656335666136616363386162663435363130373937613637393933396263 -30366235333033323435326265666139373038363962646331643237316233653261616563353034 -61313235386465663630386638653935663637376335636630333038613830363433376635613361 -34646665313230363738306264376331316264633561373633386539346662306233343561313939 -65373734643266303834646531343961373466633936376365383363333431663138626634396164 -63653738353564313238303737613034363564356661623032383034343264616665626433316433 -31343332636438653737386533636135306365373565616233636263323562313733653764636139 -37333366323639373335393862633839353535383864396234373832396562643737313636393334 -62663666616462383661663736646266653263303435343230386439373963346161393831626366 -32613631323562616430626131623934343637646139343065613231646432646266363339326366 -35643865336630383065353763643166326436306430383333363533363732376366353964346562 -66623964636434646666613565313761623936393735353237343234326234383866663336353637 
-31623936626231316638666563316261346361316134333635343965393464343339373933333339 -32623830353531386630303865303936636636633734303731643063306234393761306532396339 -35636235656266633831363761333430633862623136313132643131363331643630626439643461 -30643937633239383232346334613835303861643734323335306336643962343461356462366636 -37666363373565656534373266393262653561646337356230653430616563393264336434623031 -62643466396561373962393361386564643366373837626662343162663662616534396362373064 -63363035316464656365343635313033643730313738316639643166363031633161313737363136 -30626461656361306166623436643435613364656264646465313538376435313037353735323762 -39313036646130666631336231613933393363343665666239643464316132333462363463616334 -34346364626135616262366363343932373233623430346630323937383934363261363039386463 -32363432366330333165383338666563316530646538636563623266396232336532303162373234 -61313963616466386363363132343035346139356639363962333832336135633135316536326231 -30653235376633643362643638363339326237393261653064656533663332306361363065376532 -32383461393432666564316137373233663362643366333737656531373238323566313632373537 -61343534383366373263626338353435623862613664363633623338356437353132643134666362 -65663938396664636631353834396430373266326531306530393066666565393333353433663061 -38636263656635383837393437386264333539326239383264356434383533613464663738626366 -61376536346231363834333763666163653365643264326539346230643566303038386132616137 -35376639653461663834316661346531623537623262333561366163663033316263613437613132 -63343833396162656137353039353164366238643065373534613734656135333232316334663635 -66303562343565343739626662636235656664333831336335656430653162376262396663393637 -61386338383736386532326638643838633736646261393830623165323232316461353539323064 -61343135386363366432653362383135316439356333316234303663663662316133356232323334 -66333461363062396234653933313931343533613366313530393336356231363133653832636331 
-31343834313736616666363235363232663437626335346564623932646666336364643437376238 -36666363653763623666393363323664646134326462643237316161646537326463383135353338 -62366166623162343537623037623563306433636565363338636435323434363663626562623064 -63323838363033396433613033326630616239353735623932363532653437396563353539343465 -37663034353864306437643265373438666634613635303035383338383666386561636665633330 -62376464316433353030323934346166616636333165653964656563376433316139313230653063 -61623336656565666161346461653632303735363035626233303832653664356132646431333566 -31656333623136326536343836356235393664643765373432633932313765656237363033316334 -37356630633537376230376662393161636136363066363333613533323435316362613332366364 -32623538336238356264343937353763353063663634326362613961653764613064356634653761 -30306439633966363561303335353239616265656338323831646363373736303261383438373337 -65353634366236333836643235336262613565643431636662303966643231306337316238306131 -31326530613033356437623362623037306434323666643633643030353136346136323835663563 -31613433633763326132386538623235653764666236663731656639393866613635626636633834 -31363764633735626338316438363764376230396166373631393830393263303861633031306635 -35616439343265356365316432393131373933346637656565393266666536646564623038356265 -33393364636530353864313730376633626462363361633530306432313339633032303638636633 -30346634323130343766373137663833616536643237313935396665653739663864353864363937 -66306561303262663935333861643034646432653330363936383733393733643366663332306530 -34653033633264313863656664633630373561316331396539643535333135383632653461346132 -65333062636239366562616235623739666435316463616434373337336463376432383336353632 -63393235323430633436356564643530633039306437636238613665316534623163373666383032 -64336633663331383430343337376636376465353637386434393862363230306539363435373761 -38356130326538623437383036303764613537313631333235633632656636386533326266613063 
-35306132343232373637373037653362643861653431386166626330356234666337363730616237 -38363538323834353235363261646561623334636334633966306361643138376465613738616266 -39326165353633333265303637363663306238303363373731396539353736313834653630633338 -31646130363035363865393032383962383736393738343834386638646161306666333835666230 -31656665316663333935323163626462623565333565323064333462623138616162306135326538 -64326163333139646139393764316262366165343532643837303333636565346333353235643564 -61343731346536366430376161326633333637336464386332383463306164663431653462633462 -61323130383330626566373434656362623137656236663863333536376538303361346162353163 -62626438393164366364636438326233656537666463366331326366663638303764333638383364 -31653662386533333039653735306563633364353762343966353566366536323230306466376635 -33333130366636303038303633306436636664656466323634323739623163393065636564373031 -30653164366335306166353361386530346433666335383065373031373237333638306138363439 -35353264346461663435623434386465666630353166306231356562323362636165373333623437 -33383330653062323433356166613533616464653432336336643263616161383939643236336430 -63346136333366663336623732346364663532643565666635353234333034373435313536363330 -32616533393339326162613430356230666333336265643361356562373031346466363133626238 -33643939363932656364616363363065303566636662383937656336363038636234643363636331 -36623835643666613136323834656562356135383235643261306139663539613237303664636466 -66633138323533373636306364323937383931666330383337373639346362333836623066666264 -37623737633564656231653166366366383061363932666664343265363337633639316638323532 -33623932356335636465626134303638323561323333376266353435653332396162623934316263 -63653330316437393663306636373233613036316330633035363266613232323762326237363139 -61383264356136363838643933613931653165636433353864633261643964303765383065396465 -37613938613830383362646335636239663638346666366261336362623937616635613132323332 
-33353433386439653962373265313564666161386561313864663436326538396431363431363763 -39393363366363336336356564376537623164383134346565313234363232306637343533373637 -33373361336334616565666632653965346235353030373734643938613738653863663332303830 -36653038356138616236336535386262366636653732313165373964323036333632353566313562 -31653761316361616562366131373231653466383863626561386564636366643163343931633439 -3762 +32656162323535646535363230613538643538616662333635313163373864396662356339636331 +6631333030653766366138633135393532666463316337390a643239393530306434646165616330 +61396330616362633333356333663461336436383637626231346337613865653535626266616565 +3437633033396536310a646330393538333734323462373566363534303634353465613839383662 +35383833323038363139666264386336396163356131623561363939393834303139643036643437 +38613935303165323133323030386463653162323833343530346164643661313665303163346332 +66383835343635346335643963356664643565343231376164323264633634663830653664623465 +36306561366234663934353833363366376431356533633239383164383566373862666331363461 +35336431626531666464376134626636383239396538373333633338616265346161386338356165 +37383730306339373530643636343937666439333339616636393731623934373162653232356165 +64386264363763396132333235333763613339313234336431383836643339613038383966656637 +62643336616663346138643465306536336363333536373364323561646538316261303265623733 +33663536303564336339396131393434616364656632373739663861336136653935646461616362 +39376335613864343830373063626337353737306439306563303637363838353066383839336335 +30633838336630323465393538336466333437353936313439353439623730646562643563646330 +35333837396639363464646232643535353263393163333538346333373737653665663564656432 +36636137666366303039306239343433316663333036353937643130323065666631303566663061 +64643763616135356533313161336132636561316230616636613038653237306564353531376364 +64353438353765346162353665383764383362356338646164666238393865386439393831643935 
+35333064383161383037316361343430346561656336663437626431653062626635636137376632 +36633439623464333135346562313938333831616438333836663039643132616439313665663536 +30363033326631666136373832393031363134393765373765613936383334626433323138626532 +61613233333431323130336330663630396530623764663037353738323061386161346631363564 +33343464613963343830623264653166376538636430383662646632333935333063616661333138 +61386232323737303830663632666561343936393537333361323730373765323434623264333432 +39303665393161646265363465653531343366653061363839333263616134323762393462383561 +31653062363165323235303031306262643765316134306561346434356362336466343961646231 +32333039636464656665343534643366616532383433373338383838653332386263643937623936 +62633365326339616361343338303630316338346632613964653136343362353539656164313163 +31646638326361333862386663373365353565396234343834383330373766323832316237646634 +65646565393237303036306430636538346636643237616162663461666232333766623230363261 +64343539636433353833616233366139303530396166623839326364663335366136653336653639 +35613939376632333732653266386564316433373730343232373137663737343635316335323034 +32633530643230366435353562303733633761613335643936613962393562353731343031383962 +38356135333737316136326466333432383836366635663730336635623937623530373965366536 +62323230656366383661663738353539376232353036396634386539613539323130623463313734 +34666666373564646638356434663639333836383962633964323133643431383464623139383764 +36363137343135336633316663653338333932613565323565346539383633363434626132383439 +31623034396661306164333935353564313631666462633264386461656236643865393935323365 +64363632346232333565613261396337646161303438613834636631333931373166353638333238 +39383763363066366137656330396136396261633130386637626636613433366234636262353662 +64653135366438393135376332386132396639623965626534613336626266663434316438616161 +65356365663438343062326630653830653835666362653536653333386531336432616633636131 
+39376537366430316165323339383532336436393233616435633862393163343632363165336565 +66636564346439643065333730623639363366643137343835383461656133323534366331663463 +63303934653530373632646562343030353231646232316365636263613966623434303665336163 +66313862356436613834303435356535666431666531656130333636303061303439393439656432 +36346539656239326662633663313939663331313732623563383434643334303937353465373338 +31313630366533326662346437643036376132323136303032366465306537626666376637393062 +63633663383138653237333461633362646538313635353630373363343836366532346333393538 +33643038353565623061626230653362323034666130633233383437623566663337356562643931 +34343037653862396232316334326463616666346161663665623262633131393333353561313535 +64376665653163653932356634363163383562346530323932643662306665353131363430663765 +61386431646636303365383139363136666266653334303664316264366336303139373962666332 +31626466383531643132613534616134306665383236376564366432366539393939646431386136 +65663232383965333633613230323165306539653866663238383035383038663438613962393664 +65663165343334383536393834363134376531623964393338306432353538376266366436353731 +32623233346131323835376330383261663432343631643333323530643135666433396461383139 +35633634326534653736383666306264386238393265656432393734613430656335383939326433 +39623961613739336634616230383232396561656234336135626666343837363336373233633963 +39633533643766633232663934623837303661363466656161336632333336653462363464656661 +64643737316664373763333039666464306237663663623332313136656535303862633837363731 +31363565373163616465333936623431666337376633376565343361663930333766626338393636 +35663032326162366465336235376637616131336433623262666139373637333362633030303663 +62653137336334613366333737343735333537643534356630653364623665353332663137613832 +30303236636331383164343664393735666635303638393665623439613062663262366437653166 +66343266663966633835653931303764623331316533663633303464346335323339643465666438 
+35643266386165383465666530636237353536336564376636316631643936306362336263303265 +38653834313662363730613537336262313463323566353461313837333362653035623833623666 +61386430333062306365363565353437613037663937326230613939633966376439363332653332 +33363330666130363562386234333131343337316566383939663732333561316434373233303832 +32623064616461373732316136393037333735653362323633613063336633373830303539663931 +61336336303433626665333530623330396363303538316331313537363533376364383862303564 +31386139653963353130366130633564323564633565616263376331326264396239323462353135 +34326261343962616233383632333666333061316437323136313438326465343230363433383062 +65333430383134653139343235333934303963396633363832353832636662626137333831343464 +36333339643165396164633634643561643466623365656430323365613233316661353638386663 +65353437636366663465313231623932313663326463623937613861666166333335333066363238 +64636139346131616233333131353835623032613538636331393838363666623737393130396561 +31353238336135303866343066643437633931353763306432636433316136316532613234373539 +39353539383463353666303432646562313237623830353835626563633535333237303935623937 +35383966333133643161616435653037613637326334396565616566343563646133333335643431 +35653062376230333066646165396366356534653434373837306165356165336630616435326136 +66663038643866323532393965663437613963386637653862316563356631383131313137613535 +64393730383639636663376566396164346562636235643165393035613463656666346234356436 +33306166633766363264393431336139343535353463653031323663303334633366363134626130 +64323435636630303931623434613134623536613738663365653535663030666162316631626163 +62366562373630663937326264633663666664363133613832623630336136636661353238386436 +61333437653733396266366566613937316531343737393337323331313364383338316333303335 +37633465623134383332623235356162333033303862636139666432343336303434323963353038 +36326331333364333861616362623863336462366538343564373730633337646338306233336264 
+35616365313431316236616461663233383839333233306565303065333861346431663336353137 +39306339376165656664623066363034383338343761313336363461303234346164323663636131 +37623238373737626532663135356664636262356331643830613534656330663536323139633631 +65386632323434373866383636306565663362373936353364666337396666393634386436356163 +33366334623436366464636361326161386464386335343661303232633664393031376531353665 +65626362356539373531353831623163353935316439653238376136323263326663636463363464 +65656630346237316537373731303362376239333661353334646334383134663865306164316532 +36393238373265356131353438636632636261383563316532316338613232346339613533616366 +62373437376564343161636436306238383933656466633632633264343539396565366234663935 +38316334313064643861343239363964316531363063366361653962366538376365 diff --git a/roles/irods/tasks/icat.yml b/roles/irods/tasks/icat.yml index 9c90e22b2..9313d4a8b 100644 --- a/roles/irods/tasks/icat.yml +++ b/roles/irods/tasks/icat.yml 
@@ -8,16 +8,19 @@ register: create_unattended_installation_json become: true -- name: Collect list of tables from existing {{ ir_db_name }} - ansible.builtin.command: 'psql -d {{ ir_db_name }} -c "\dt"' +- name: Collect list of tables from existing irods database + ansible.builtin.command: 'psql -c "\dt" -U {{ ir_db_user }} -d {{ ir_db_name }} -h {{ ir_db_server }} -w' changed_when: false + failed_when: 'database_tables.rc > 0' register: database_tables - become_user: postgres + become_user: '{{ ir_service_account }}' become: true -- name: Install iRODS, if {{ ir_db_name }} is empty (no tables exist) +- name: Install iRODS, if no tables exist in the database ansible.builtin.command: sudo python /var/lib/irods/scripts/setup_irods.py --json_configuration_file=/root/unattended_install.json - when: '"No relations found." in database_tables.stdout' + when: database_tables.stdout_lines | default([]) | length > 0 and database_tables.stdout is search(".*No relations found.*") + register: install_status + failed_when: install_status.rc > 0 run_once: true async: 120 poll: 1 @@ -41,7 +44,7 @@ backup: true become: true -- name: Edit /etc/irods/core.re to set default resource to {{ ir_default_res }} +- name: Edit /etc/irods/core.re to set default resource ansible.builtin.lineinfile: name: /etc/irods/core.re search_string: 'acSetRescSchemeForCreate {msiSetDefaultResc("demoResc","null"); }' @@ -49,7 +52,7 @@ backup: true become: true -- name: Edit /etc/irods/core.re to set default replication resource to {{ ir_default_res }} +- name: Edit /etc/irods/core.re to set default replication resource ansible.builtin.lineinfile: name: /etc/irods/core.re search_string: 'acSetRescSchemeForRepl {msiSetDefaultResc("demoResc","null"); }' 
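Review bot: The rewritten `when:` on the install task still keys on the literal `No relations found.` in `database_tables.stdout`, but newer psql releases print `Did not find any relations.` and, as far as I recall, send it to stderr rather than stdout (verify against the target PostgreSQL version); on such a server the condition never matches and `setup_irods.py` is silently skipped while the play reports success. Testing the non-empty case positively is more robust, e.g. `when: database_tables.stdout is not search("List of relations")`. The new `-w` flag correctly makes psql fail instead of hanging on a password prompt in an unattended run, but it only works together with the `.pgpass` deployed by icat_pre.yml, which a comment should record: `# -w: never prompt; credentials come from ~/.pgpass deployed in icat_pre.yml`. `failed_when: 'database_tables.rc > 0'` restates the command module's default and can be dropped.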
@@ -71,14 +74,7 @@ line: 'rm -f /var/lock/subsys/irods' backup: true become: true - -- name: Temporary bugfix of the irods python script for the remote psql over ssl - ansible.builtin.lineinfile: - name: /etc/init.d/irods - search_string: 'rm /var/lock/subsys/irods' - line: 'rm -f /var/lock/subsys/irods' - backup: true - become: true + notify: irodsctl_restart - name: Fix the s3 authentication by creating dummy s3auth file ansible.builtin.copy: @@ -96,4 +92,5 @@ - name: Force all services to restart, before we start using iRODS imeta commands ansible.builtin.meta: flush_handlers + ... diff --git a/roles/irods/tasks/icat_pre.yml b/roles/irods/tasks/icat_pre.yml index 8017347b9..d064a3220 100644 --- a/roles/irods/tasks/icat_pre.yml +++ b/roles/irods/tasks/icat_pre.yml @@ -10,6 +10,7 @@ ansible.builtin.user: name: '{{ ir_service_account }}' groups: '{{ ir_service_account }},admin' + home: '{{ ir_service_account_home }}' become: true - name: Installing the iRODS Package(s) @@ -91,7 +92,7 @@ - name: Get version of irods-server ansible.builtin.shell: | set -o pipefail - grep "irods_version" /var/lib/irods/version.json.dist | grep -oE "[0-9]\.[0-9]+\.[0-9]+" + yum list installed | grep irods-server register: irods_version changed_when: false args: @@ -118,4 +119,15 @@ become_user: '{{ ir_service_account }}' become: true when: '"4.3.0" in irods_version.stdout' + +- name: Create .pgpass file + ansible.builtin.template: + src: pgpass + dest: '{{ ir_service_account_home }}/.pgpass' + owner: '{{ ir_service_account }}' + group: '{{ ir_service_account }}' + mode: '0600' + become_user: '{{ ir_service_account }}' + become: true + ... diff --git a/roles/irods/tasks/pgsql_local.yml b/roles/irods/tasks/pgsql_local.yml index 01de0ea78..2292a6589 100644 --- a/roles/irods/tasks/pgsql_local.yml +++ b/roles/irods/tasks/pgsql_local.yml 
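Review bot: In the icat_pre.yml version hunk, `yum list installed | grep irods-server` fails the task when the package is absent, because `grep` exits 1 on no match and `set -o pipefail` propagates it; the previous `grep -oE` had the same weakness, but the new form additionally carries yum's table formatting, and yum wraps long package names so the version can land on a following line, which the later `'"4.3.0" in irods_version.stdout'` test only matches by luck. `rpm -q --qf '%{VERSION}' irods-server` yields the bare version with no pipeline (assumes rpm is present, which the yum usage suggests). The `.pgpass` hunk rightly sets `mode: '0600'`, since libpq ignores a more permissive file; a comment `# libpq refuses .pgpass unless it is 0600` explains why this differs from the 0644 used for the certificates in pgsql_remote.yml.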
@@ -53,7 +53,7 @@ notify: irodsctl_restart become: true -- name: Creating irods sql user and granting privileges +- name: Create sql user with correct permissions postgresql_user: name: '{{ ir_db_user }}' password: '{{ ir_db_pwd }}' diff --git a/roles/irods/tasks/pgsql_remote.yml b/roles/irods/tasks/pgsql_remote.yml index f0920741d..b059fa5a8 100644 --- a/roles/irods/tasks/pgsql_remote.yml +++ b/roles/irods/tasks/pgsql_remote.yml @@ -1,18 +1,8 @@ --- -- name: 'Get {{ ir_service_account }} home directory' - ansible.builtin.shell: "set -o pipefail && getent passwd {{ ir_service_account }} | awk -F: '{ print $6 }'" - changed_when: false - register: getent_output - become: true - -- name: Store davrods_user_home_path - ansible.builtin.set_fact: - irods_home_path: "{{ getent_output.stdout }}" - # Configuring according to the https://www.postgresql.org/docs/current/libpq-ssl.html - name: Ensure that .postgresql directory exists in home and is owned by irods service user ansible.builtin.file: - path: '{{ irods_home_path }}/.postgresql' + path: '{{ ir_service_account_home }}/.postgresql' state: directory owner: '{{ ir_service_account }}' group: '{{ ir_service_account }}' @@ -23,7 +13,7 @@ - name: Create empty remote server's CA revocation list file inside .postgresql folder ansible.builtin.copy: content: '' - dest: '{{ irods_home_path }}/.postgresql/root.crl' + dest: '{{ ir_service_account_home }}/.postgresql/root.crl' force: false owner: '{{ ir_service_account }}' group: '{{ ir_service_account }}' @@ -34,7 +24,7 @@ - name: Deploy remote server's CA signing certificate as root.crt into .postgresql folder ansible.builtin.copy: src: 'files/{{ stack_name }}/{{ remote_psql_server_ca }}' - dest: "{{ irods_home_path }}/.postgresql/root.crt" + dest: "{{ ir_service_account_home }}/.postgresql/root.crt" owner: "{{ ir_service_account }}" group: "{{ ir_service_account }}" mode: '0644' 
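Review bot: Replacing the `getent passwd` lookup with the static `ir_service_account_home` in the pgsql_remote.yml hunks assumes the service account's home really is `/home/{{ ir_service_account }}`; if the iRODS package or an earlier run created the account with a different home (the `/var/lib/irods` paths elsewhere in this patch hint at that possibility — verify), libpq resolves `~/.postgresql/root.crt` and `~/.pgpass` from the passwd entry, so the CA certificate and client key deployed here are never consulted and TLS verification of the database connection silently depends on sslmode. The `home:` added to the user task in icat_pre.yml only takes effect if that task runs before the package creates the user. A comment at the first use, `# must match home: in icat_pre.yml; libpq reads ~/.postgresql from the passwd entry, not from this variable`, records the coupling.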
@@ -55,7 +45,7 @@ - name: Deploy certificate and key to be used for psql client calls ansible.builtin.copy: src: 'files/{{ stack_name }}/{{ item.name }}' - dest: '{{ irods_home_path }}/.postgresql/{{ item.dest }}' + dest: '{{ ir_service_account_home }}/.postgresql/{{ item.dest }}' owner: '{{ ir_service_account }}' group: '{{ ir_service_account }}' mode: '{{ item.mode }}' @@ -88,4 +78,5 @@ executable: pip3 become: true become_user: '{{ ir_service_account }}' + ... diff --git a/roles/irods/templates/pgpass b/roles/irods/templates/pgpass new file mode 100644 index 000000000..bbb0009b5 --- /dev/null +++ b/roles/irods/templates/pgpass @@ -0,0 +1,2 @@ +# based from https://www.postgresql.org/docs/current/libpq-pgpass.html +{{ ir_db_server }}:{{ icatV_db_port }}:{{ ir_db_name }}:{{ ir_db_user }}:{{ ir_db_pwd }} diff --git a/roles/irods/templates/unattended_install.json.j2 b/roles/irods/templates/unattended_install.json.j2 index 9901405da..49fb412dc 100644 --- a/roles/irods/templates/unattended_install.json.j2 +++ b/roles/irods/templates/unattended_install.json.j2 @@ -54,6 +54,7 @@ }, "maximum_number_of_concurrent_rule_engine_server_processes": 4, "maximum_size_for_single_buffer_in_megabytes": 32, + "maximum_size_of_delay_queue_in_bytes": 0, "maximum_temporary_password_lifetime_in_seconds": 1000, "rule_engine_server_execution_time_in_seconds": 120, "rule_engine_server_sleep_time_in_seconds": 30, diff --git a/static_inventories/nibbler_cluster.yml b/static_inventories/nibbler_cluster.yml index 9e7630259..c6b26b4d7 100644 --- a/static_inventories/nibbler_cluster.yml +++ b/static_inventories/nibbler_cluster.yml 
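Review bot: The new `pgpass` template writes `ir_db_pwd` verbatim into the colon-separated line, but libpq requires `:` and `\` inside any field to be escaped with a backslash, so a password containing either character silently yields a file that never matches; render the last field as `{{ ir_db_pwd | replace('\\', '\\\\') | replace(':', '\\:') }}`. The port field reads the vaulted `icatV_db_port` directly while every other field goes through an `ir_` variable, and `ir_db_port` is introduced for irods-catalogus in this same commit; `{{ ir_db_port | default('5432') }}` keeps the abstraction and still renders for hosts such as irods-test that define no port.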
@@ -34,9 +34,10 @@ all: ir_db_pwd: '{{ icatV_db_pwd }}' # iRODS Vaulted pgsql password ir_db_name: '{{ icatV_db_name }}' # iRODS Vaulted database name ir_db_server: '{{ icatV_db_server }}' # iRODS Vaulted database server + ir_db_port: '{{ icatV_db_port }}' # iRODS Vaulted database port ir_salt: '{{ icatV_salt }}' # iRODS Vaulted salt key ir_admin_name: 'rods' # iRODS (and zone) account - ir_admin_pwd: '{{ icatV_admin_pwd }}' # iRODS Vaulted main admin password + ir_admin_pwd: '{{ icatV_admin_pwd }}' # iRODS Vaulted main admin password tiering_install: False # True / False - if the playbook tiering.yml should be executed # ir_local_stage_res: 'demoRescStage' # Staging resource, before data moved to permanent resource # ir_local_stage_res_fol: '/tmp/irods/{{ ir_local_stage_res }}' 
@@ -44,14 +45,17 @@ all: # ir_local_perm_res_fol: '/tmp/irods/{{ ir_local_perm_res }}' irods-test: fqdn: umcg-icat01.hpc.rug.nl + ir_version: '-4.3.0*' # if defined (empty): version will be installed (must start with '-' and end with '*') + # first install v4.2.11 and then upgrade to 4.3.0 ir_client_server_policy: 'CS_NEG_REFUSE' # test! iRODS communicating using (default) SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE pgsql_server: "local" # test! iRODS PostgreSQL "local" or "remote" server ir_local_res: 'demoResc' # test! iRODS Staging resource, before data moved to permanent resource ir_default_res: 'demoResc' # test! iRODS default resource for uploads ir_db_server: '127.0.0.1' # test! iRODS pgsql server location ir_db_pwd: '{{ icatV_test_db_pwd }}' # test! iRODS Vaulted pgsql password + ir_db_user: '{{ ir_service_account }}' # test! iRODS postgres user ir_db_name: 'ICAT' # test! iRODS database name - ir_admin_pwd: '{{ icatV_test_admin_pwd }}' # test! iRODS Vaulted irods admin password + ir_admin_pwd: '{{ icatV_test_admin_pwd }}' # test! iRODS Vaulted irods admin password ir_zone: 'tstzone' # test! iRODS default main zone name ir_salt: 'sA+dwq_dk29DJ1' # test! iRODS salt tiering_install: True # True / False - if the playbook tiering.yml should be executed From 4e27332a01f4affb079c6dae17efb9857e190e60 Mon Sep 17 00:00:00 2001 From: scimerman Date: Wed, 10 Aug 2022 16:33:23 +0200 Subject: [PATCH 06/11] irods: remove unneeded backup of /etc/init.d/irods file --- roles/irods/tasks/icat.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/irods/tasks/icat.yml b/roles/irods/tasks/icat.yml index 9313d4a8b..868231106 100644 --- a/roles/irods/tasks/icat.yml +++ b/roles/irods/tasks/icat.yml @@ -72,7 +72,6 @@ name: /etc/init.d/irods search_string: 'rm /var/lock/subsys/irods' line: 'rm -f /var/lock/subsys/irods' - backup: true become: true notify: irodsctl_restart From c762dbd3e28c728de38bf1808216aea83a3a23c4 Mon Sep 17 00:00:00 2001 
From: scimerman Date: Fri, 12 Aug 2022 12:52:05 +0200 Subject: [PATCH 07/11] irods: version limitation impovement --- group_vars/irods.yml | 6 ++---- roles/irods/defaults/main.yml | 3 +++ roles/irods/tasks/icat_pre.yml | 12 ++++++------ roles/irods/tasks/tiering.yml | 4 ++-- static_inventories/nibbler_cluster.yml | 8 ++++---- 5 files changed, 17 insertions(+), 16 deletions(-) diff --git a/group_vars/irods.yml b/group_vars/irods.yml index 8f2220eea..9ed828c29 100644 --- a/group_vars/irods.yml +++ b/group_vars/irods.yml @@ -7,8 +7,8 @@ firewall_allowed_tcp_ports: # list of open ports on iCAT server - "5432" # PostgreSQL - "20000:20199" # irods -ir_version: '-4.3.0*' # if defined (empty): version will be installed (must start with '-' and end with '*') - # first install v4.2.11 and then upgrade to 4.3.0 +ir_version: '4.3.0' # iRODS server most of packages - first install 4.2.11 and then upgrade to 4.3.0 +ir_version_plugin: '4.3.0.0' # iRODS plugin resource version (f.e. 4.3.0.0) ir_server_type: 'icat' # iRODS Server Type ir_client_server_policy: 'CS_NEG_REQUIRE' # communicating using SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE @@ -21,8 +21,6 @@ ir_service_account_home: '/home/{{ ir_service_account }}' # iRODS service accoun ir_admin_name: 'rods' # iRODS (and zone) account ir_admin_pwd: '{{ icatV_admin_pwd }}' # iRODS Vaulte main administrator password ir_admin_home_path: '/{{ ir_zone }}/home/{{ ir_admin_name }}' # iRODS admin's home path -ir_db_user: '{{ icatV_db_user }}' # iRODS Vaulted database username -ir_db_pwd: '{{ icatV_db_pwd }}' # iRODS Vaulted database password ir_salt: '{{ icatV_salt }}' # iRODS Vaulted salt ir_zone: 'nlumcg' # iRODS default main iRODS zone name ir_zone_key: '{{ icatV_zone_key }}' # iRODS Vaulted zone key diff --git a/roles/irods/defaults/main.yml b/roles/irods/defaults/main.yml index 9b5416d66..9e15f9c03 100644 --- a/roles/irods/defaults/main.yml +++ b/roles/irods/defaults/main.yml 
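Review bot: Dropping `ir_db_user` and `ir_db_pwd` from group_vars/irods.yml leaves the `db_username` entry in unattended_install.json.j2 and the `.pgpass` template with no fallback, so any host in the irods group that does not set both per-host now fails at template time with an undefined-variable error rather than a clear message. If forcing per-host values is the intent, an early `ansible.builtin.assert` with `that: [ir_db_user is defined, ir_db_pwd is defined]` at the start of the role makes that contract explicit; both hosts in the visible inventory do define them, so this is about future entries.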
@@ -7,6 +7,9 @@ firewall_allowed_tcp_ports: # list of open ports on iCAT server - "1248" # Control Plane Port - "5432" # PostgreSQL - "20000:20199" # irods + +ir_version: '4.3.0' # first install v4.2.11 and then upgrade to 4.3.0 +ir_version_plugin: '4.3.0.0' # iRODS plugin resource version (f.e. 4.3.0.0) ir_server_type: 'icat' # iRODS Server Type ir_client_server_policy: 'CS_NEG_REQUIRE' # communicating using (default) SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE) diff --git a/roles/irods/tasks/icat_pre.yml b/roles/irods/tasks/icat_pre.yml index d064a3220..14589d718 100644 --- a/roles/irods/tasks/icat_pre.yml +++ b/roles/irods/tasks/icat_pre.yml @@ -18,12 +18,12 @@ name: '{{ item }}' state: present loop: - - irods-server{{ ir_version }} - - irods-database-plugin-postgres{{ ir_version }} - - irods-runtime{{ ir_version }} - - irods-resource-plugin-s3{{ ir_version }} - - irods-rule-engine-plugin-python{{ ir_version }} - - irods-rule-engine-plugin-unified-storage-tiering{{ ir_version }} + - irods-server-{{ ir_version }} + - irods-database-plugin-postgres-{{ ir_version }} + - irods-runtime-{{ ir_version }} + - irods-resource-plugin-s3-{{ ir_version_plugin }} + - irods-rule-engine-plugin-python-{{ ir_version_plugin }} + - irods-rule-engine-plugin-unified-storage-tiering-{{ ir_version_plugin }} become: true - name: Make sure that the hostname is set correct FQDN name diff --git a/roles/irods/tasks/tiering.yml b/roles/irods/tasks/tiering.yml index 57851bf81..d6316458c 100644 --- a/roles/irods/tasks/tiering.yml +++ b/roles/irods/tasks/tiering.yml @@ -11,7 +11,7 @@ register: check_unified_storage - name: Get status of local stage resource - ansible.builtin.command: 'ilsresc {{ ir_local_stage_res }} ' + ansible.builtin.command: 'ilsresc {{ ir_local_stage_res }}' changed_when: false register: check_local_stage_resc failed_when: 'check_local_stage_resc.rc > 1' 
@@ -41,7 +41,7 @@ when: check_local_stage_resc.rc == 1 - name: Get status of local permanent resource - ansible.builtin.command: 'ilsresc {{ ir_local_perm_res }} ' + ansible.builtin.command: 'ilsresc {{ ir_local_perm_res }}' changed_when: false failed_when: check_local_perm_res.rc != 0 and check_local_perm_res.rc != 1 become_user: '{{ ir_service_account }}' diff --git a/static_inventories/nibbler_cluster.yml b/static_inventories/nibbler_cluster.yml index c6b26b4d7..76e82d82e 100644 --- a/static_inventories/nibbler_cluster.yml +++ b/static_inventories/nibbler_cluster.yml @@ -45,8 +45,8 @@ all: # ir_local_perm_res_fol: '/tmp/irods/{{ ir_local_perm_res }}' irods-test: fqdn: umcg-icat01.hpc.rug.nl - ir_version: '-4.3.0*' # if defined (empty): version will be installed (must start with '-' and end with '*') - # first install v4.2.11 and then upgrade to 4.3.0 + ir_version: '4.3.0' # test! iRODS first install v4.2.11 and then upgrade to 4.3.0 + ir_version_plugin: '4.3.0.0' # test! iRODS plugin resource version (f.e. 4.3.0.0) ir_client_server_policy: 'CS_NEG_REFUSE' # test! iRODS communicating using (default) SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE pgsql_server: "local" # test! iRODS PostgreSQL "local" or "remote" server ir_local_res: 'demoResc' # test! iRODS Staging resource, before data moved to permanent resource 
@@ -58,9 +58,9 @@ all: ir_admin_pwd: '{{ icatV_test_admin_pwd }}' # test! iRODS Vaulted irods admin password ir_zone: 'tstzone' # test! iRODS default main zone name ir_salt: 'sA+dwq_dk29DJ1' # test! iRODS salt - tiering_install: True # True / False - if the playbook tiering.yml should be executed + tiering_install: True # test! iRODS True / False - if the playbook tiering.yml should be executed ir_local_stage_res: 'demoRescStage' # test! iRODS staging resource, before data moved to permanent resource - ir_local_stage_res_fol: '/tmp/irods/{{ ir_local_stage_res }}' # test! iRODS staging resource folder path + ir_local_stage_res_fol: '/tmp/irods/{{ ir_local_stage_res }}' # test! iRODS staging resource folder path ir_local_perm_res: 'demoRescPerm' # test! iRODS permanent resource, where it will keep data indefinitely ir_local_perm_res_fol: '/tmp/irods/{{ ir_local_perm_res }}' # test! iRODS permanent resource folder path vars: From cda481a82e5497f734df980554c3f150b5d00038 Mon Sep 17 00:00:00 2001 From: scimerman Date: Tue, 16 Aug 2022 14:18:26 +0200 Subject: [PATCH 08/11] irods: update packages, python3, psql pgpass ... --- files/nibbler_cluster/nemi_irods/README.md | 10 ++- group_vars/irods.yml | 37 +++++----- group_vars/nibbler_cluster/ip_addresses.yml | 7 ++ roles/irods/defaults/main.yml | 18 +++++ roles/irods/tasks/icat_pre.yml | 9 +-- .../templates/unattended_install.json.j2 | 3 +- static_inventories/nibbler_cluster.yml | 71 ++++++++++--------- 7 files changed, 93 insertions(+), 62 deletions(-) diff --git a/files/nibbler_cluster/nemi_irods/README.md b/files/nibbler_cluster/nemi_irods/README.md index 7a632d870..70de23cb4 100644 --- a/files/nibbler_cluster/nemi_irods/README.md +++ b/files/nibbler_cluster/nemi_irods/README.md 
@@ -336,6 +336,12 @@ openssl dhparam -2 -out dhparams.pem 2048 #### DEBUGGING +Viewing irods log file in new >4.3.0 json format +```bash + $ sudo jq '[.server_timestamp,.log_message] | join(" ")' /var/log/irods/irods.log | tail -n 15 + +``` + * irods service to start/restart/stop irods service, use `service irods restart` @@ -355,8 +361,8 @@ net.ipv4.tcp_keepalive_probes = 6 ``` * check logs -``` -tail -50 /var/lib/irods/log/rods.Log.2021... +```bash + $ tail -50 /var/lib/irods/log/rods.Log.2021... ``` * restart service diff --git a/group_vars/irods.yml b/group_vars/irods.yml index 9ed828c29..d38010130 100644 --- a/group_vars/irods.yml +++ b/group_vars/irods.yml 
@@ -7,39 +7,38 @@ firewall_allowed_tcp_ports: # list of open ports on iCAT server - "5432" # PostgreSQL - "20000:20199" # irods -ir_version: '4.3.0' # iRODS server most of packages - first install 4.2.11 and then upgrade to 4.3.0 -ir_version_plugin: '4.3.0.0' # iRODS plugin resource version (f.e. 4.3.0.0) -ir_server_type: 'icat' # iRODS Server Type +yum_packages: '{{ yum_packages_4_3_0 }}' # List of packages are defined in role defaults +ir_server_type: 'icat' # iRODS Server Type ir_client_server_policy: 'CS_NEG_REQUIRE' # communicating using SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE ir_ssl_certificate_chain_file: 'nemi_irods/localhost_and_chain_umcg-icat01.crt' # iRODS server certificate ir_ssl_certificate_key_file: 'nemi_irods/localhost-umcg01.key' # iRODS server certificate's key -ir_ssl_dh_params_file: 'dhparams.pem' # DHparam filename +ir_ssl_dh_params_file: 'dhparams.pem' # DHparam filename -ir_service_account: 'irods' # iRODS linux account under which iRODS runs +ir_service_account: 'irods' # iRODS linux account under which iRODS runs ir_service_account_home: '/home/{{ ir_service_account }}' # iRODS service account user's home folder -ir_admin_name: 'rods' # iRODS (and zone) account -ir_admin_pwd: '{{ icatV_admin_pwd }}' # iRODS Vaulte main administrator password +ir_admin_name: 'rods' # iRODS (and zone) account +ir_admin_pwd: '{{ icatV_admin_pwd }}' # iRODS Vaulte main administrator password ir_admin_home_path: '/{{ ir_zone }}/home/{{ ir_admin_name }}' # iRODS admin's home path -ir_salt: '{{ icatV_salt }}' # iRODS Vaulted salt -ir_zone: 'nlumcg' # iRODS default main iRODS zone name -ir_zone_key: '{{ icatV_zone_key }}' # iRODS Vaulted zone key +ir_salt: '{{ icatV_salt }}' # iRODS Vaulted salt +ir_zone: 'nlumcg' # iRODS default main iRODS zone name +ir_zone_key: '{{ icatV_zone_key }}' # iRODS Vaulted zone key ir_negotiation_key: '{{ icatV_negotiation_key }}' # iRODS Vaulted negotiation key ir_ctrl_plane_key: '{{ icatV_ctrl_plane_key }}' # iRODS Vaulted 
control plane key -ir_local_res: 'rootResc' # iRODS local iRODS resource -ir_vault_path: '/var/lib/irods/Vault' # iRODS default path to store files for local resource -ir_default_res: 'surfObjStore' # iRODS default resource iRODS uploads to +ir_local_res: 'rootResc' # iRODS local iRODS resource +ir_vault_path: '/var/lib/irods/Vault' # iRODS default path to store files for local resource +ir_default_res: 'surfObjStore' # iRODS default resource iRODS uploads to -davrods_install: true # to install davrods docker -davrods_docker_folder: 'davrods_docker' # davrods docker folder name, relative to the user home directory +davrods_install: true # to install davrods docker +davrods_docker_folder: 'davrods_docker' # davrods docker folder name, relative to the user home directory davrods_default_resource: '{{ ir_default_res }}' # default resource to upload files via davrods -tiering_install: False # True / False -ir_local_stage_res: 'demoRescStaging' # Staging resource, before data moved to permanent resource +tiering_install: False # True / False +ir_local_stage_res: 'demoRescStaging' # Staging resource, before data moved to permanent resource ir_local_stage_res_fol: '/tmp/irods/{{ ir_local_stage_res }}' # optional, only if it is local resource -ir_local_perm_res: 'demoRescPerm' # Permanent resource, where it will keep data indefinitely +ir_local_perm_res: 'demoRescPerm' # Permanent resource, where it will keep data indefinitely ir_local_perm_res_fol: '/tmp/irods/{{ ir_local_perm_res }}' # optional, only if it is local resource -pgsql_server: "local" # "local" or "remote" PostgreSQL server +pgsql_server: "local" # "local" or "remote" PostgreSQL server remote_psql_server_ca: "nemi_irods/remote_psql_server_ca.crt" # (optional) remote servers's CA certificate ... diff --git a/group_vars/nibbler_cluster/ip_addresses.yml b/group_vars/nibbler_cluster/ip_addresses.yml index 0c70710aa..ffc0330fb 100644 --- a/group_vars/nibbler_cluster/ip_addresses.yml 
+++ b/group_vars/nibbler_cluster/ip_addresses.yml @@ -19,6 +19,13 @@ ip_addresses: nb_internal_management_13: address: 10.10.3.17 netmask: /32 + irods-test-db: + nb_internal_management: + address: 10.10.1.183 + netmask: /32 + nb_internal_management_13: + address: 10.10.3.68 + netmask: /32 nb-dai: nb_internal_management: address: 10.10.1.75 diff --git a/roles/irods/defaults/main.yml b/roles/irods/defaults/main.yml index 9e15f9c03..3d10ab0a4 100644 --- a/roles/irods/defaults/main.yml +++ b/roles/irods/defaults/main.yml @@ -8,6 +8,24 @@ firewall_allowed_tcp_ports: # list of open ports on iCAT server - "5432" # PostgreSQL - "20000:20199" # irods +yum_packages_4_2_11: + - irods-server-4.2.11-1 + - irods-database-plugin-postgres-4.2.11-1 + - irods-runtime-4.2.11-1 + - irods-resource-plugin-s3-4.2.11.2-1 + - irods-rule-engine-plugin-python-4.2.11.1-1 + - irods-rule-engine-plugin-unified-storage-tiering-4.2.11.0-1 + +yum_packages_4_3_0: + - irods-server-4.3.0-1 + - irods-database-plugin-postgres-4.3.0-1 + - irods-runtime-4.3.0-1 + - irods-resource-plugin-s3-4.3.0.0-1 + - irods-rule-engine-plugin-python-4.3.0.0-1 + - irods-rule-engine-plugin-unified-storage-tiering-4.3.0.0-1 + +yum_packages: '{{ yum_packages_4_3_0 }}' + ir_version: '4.3.0' # first install v4.2.11 and then upgrade to 4.3.0 ir_version_plugin: '4.3.0.0' # iRODS plugin resource version (f.e. 4.3.0.0) ir_server_type: 'icat' # iRODS Server Type diff --git a/roles/irods/tasks/icat_pre.yml b/roles/irods/tasks/icat_pre.yml index 14589d718..0a75b07cd 100644 --- a/roles/irods/tasks/icat_pre.yml +++ b/roles/irods/tasks/icat_pre.yml 
@@ -15,15 +15,8 @@ - name: Installing the iRODS Package(s) ansible.builtin.yum: - name: '{{ item }}' + name: '{{ yum_packages }}' state: present - loop: - - irods-server-{{ ir_version }} - - irods-database-plugin-postgres-{{ ir_version }} - - irods-runtime-{{ ir_version }} - - irods-resource-plugin-s3-{{ ir_version_plugin }} - - irods-rule-engine-plugin-python-{{ ir_version_plugin }} - - irods-rule-engine-plugin-unified-storage-tiering-{{ ir_version_plugin }} become: true - name: Make sure that the hostname is set correct FQDN name diff --git a/roles/irods/templates/unattended_install.json.j2 b/roles/irods/templates/unattended_install.json.j2 index 49fb412dc..fa686fe26 100644 --- a/roles/irods/templates/unattended_install.json.j2 +++ b/roles/irods/templates/unattended_install.json.j2 @@ -88,7 +88,8 @@ "db_username": "{{ ir_db_user }}"{% if pgsql_server == "remote" %}, "db_sslcert": "/etc/irods/{{ ir_ssl_certificate_chain_file }}", "db_sslkey": "/etc/irods/{{ ir_ssl_certificate_key_file }}", - {% if remote_psql_server_ca is defined %}"db_sslrootcert": "/etc/irods/{{ remote_psql_server_ca | basename }}",{% endif %} + {% if remote_psql_server_ca is defined %}"db_sslrootcert": "/etc/irods/{{ remote_psql_server_ca | basename }}", + {% endif %} "db_sslmode": "require"{% endif %} } }, diff --git a/static_inventories/nibbler_cluster.yml b/static_inventories/nibbler_cluster.yml index 76e82d82e..02dc0f246 100644 --- a/static_inventories/nibbler_cluster.yml +++ b/static_inventories/nibbler_cluster.yml 
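Review bot: The reflowed `db_sslrootcert` line deploys a CA file, but `db_sslmode` on the following context line stays at `require`; with a root CA present libpq verifies the certificate chain yet not that the certificate belongs to the server's hostname, so any certificate issued by that CA is accepted. When `remote_psql_server_ca` is defined, `"db_sslmode": "verify-full"` makes actual use of the deployed CA — presumably iRODS passes these keys straight through to libpq, which is worth confirming against the 4.3.0 database plugin. The split itself renders valid JSON in both branches, since the trailing comma is only emitted together with the entry it follows.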
@@ -23,46 +23,53 @@ all: hosts: irods-catalogus: fqdn: umcg-icat01.hpc.rug.nl - pgsql_server: "remote" # PostgreSQL "local" or "remote" server - ir_local_res: 'rootResc' # iRODS local resource - ir_default_res: 'surfObjStore' # iRODS default resource for uploads - ir_zone: 'nlumcg' # iRODS default main zone name + pgsql_server: "remote" # PostgreSQL "local" or "remote" server + ir_local_res: 'rootResc' # iRODS local resource + ir_default_res: 'surfObjStore' # iRODS default resource for uploads + ir_zone: 'nlumcg' # iRODS default main zone name ir_negotiation_key: '{{ icatV_negotiation_key }}' # iRODS Vaulted negotiation key - ir_ctrl_plane_key: '{{ icatV_ctrl_plane_key }}' # iRODS Vaulted control plane key - ir_zone_key: '{{ icatV_zone_key }}' # iRODS Vaulted zone key - ir_db_user: '{{ icatV_db_user }}' # iRODS Vaulted db username - ir_db_pwd: '{{ icatV_db_pwd }}' # iRODS Vaulted pgsql password - ir_db_name: '{{ icatV_db_name }}' # iRODS Vaulted database name - ir_db_server: '{{ icatV_db_server }}' # iRODS Vaulted database server - ir_db_port: '{{ icatV_db_port }}' # iRODS Vaulted database port - ir_salt: '{{ icatV_salt }}' # iRODS Vaulted salt key - ir_admin_name: 'rods' # iRODS (and zone) account - ir_admin_pwd: '{{ icatV_admin_pwd }}' # iRODS Vaulted main admin password - tiering_install: False # True / False - if the playbook tiering.yml should be executed + ir_ctrl_plane_key: '{{ icatV_ctrl_plane_key }}' # iRODS Vaulted control plane key + ir_zone_key: '{{ icatV_zone_key }}' # iRODS Vaulted zone key + ir_db_user: '{{ icatV_db_user }}' # iRODS Vaulted db username + ir_db_pwd: '{{ icatV_db_pwd }}' # iRODS Vaulted pgsql password + ir_db_name: '{{ icatV_db_name }}' # iRODS Vaulted database name + ir_db_server: '{{ icatV_db_server }}' # iRODS Vaulted database server + ir_db_port: '{{ icatV_db_port }}' # iRODS Vaulted database port + ir_salt: '{{ icatV_salt }}' # iRODS Vaulted salt key + ir_admin_name: 'rods' # iRODS (and zone) account + ir_admin_pwd: '{{ 
icatV_admin_pwd }}' # iRODS Vaulted main admin password + tiering_install: False # True / False - if the playbook tiering.yml should be executed # ir_local_stage_res: 'demoRescStage' # Staging resource, before data moved to permanent resource # ir_local_stage_res_fol: '/tmp/irods/{{ ir_local_stage_res }}' # ir_local_perm_res: 'demoRescPerm' # Permanent resource, where it will keep data indefinitely # ir_local_perm_res_fol: '/tmp/irods/{{ ir_local_perm_res }}' irods-test: - fqdn: umcg-icat01.hpc.rug.nl - ir_version: '4.3.0' # test! iRODS first install v4.2.11 and then upgrade to 4.3.0 - ir_version_plugin: '4.3.0.0' # test! iRODS plugin resource version (f.e. 4.3.0.0) - ir_client_server_policy: 'CS_NEG_REFUSE' # test! iRODS communicating using (default) SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE - pgsql_server: "local" # test! iRODS PostgreSQL "local" or "remote" server - ir_local_res: 'demoResc' # test! iRODS Staging resource, before data moved to permanent resource - ir_default_res: 'demoResc' # test! iRODS default resource for uploads - ir_db_server: '127.0.0.1' # test! iRODS pgsql server location - ir_db_pwd: '{{ icatV_test_db_pwd }}' # test! iRODS Vaulted pgsql password - ir_db_user: '{{ ir_service_account }}' # test! iRODS postgres user - ir_db_name: 'ICAT' # test! iRODS database name - ir_admin_pwd: '{{ icatV_test_admin_pwd }}' # test! iRODS Vaulted irods admin password - ir_zone: 'tstzone' # test! iRODS default main zone name - ir_salt: 'sA+dwq_dk29DJ1' # test! iRODS salt - tiering_install: True # test! iRODS True / False - if the playbook tiering.yml should be executed - ir_local_stage_res: 'demoRescStage' # test! 
iRODS staging resource, before data moved to permanent resource + fqdn: irods-test.hpc.rug.nl + yum_packages: '{{ yum_packages_4_2_11 }}' # test iRODS List of packages are defined in role defaults + ir_client_server_policy: 'CS_NEG_REFUSE' # test iRODS communicate (default) with SSL (CS_NEG_REQUIRE) or not (CS_NEG_REFUSE) + pgsql_server: "remote" # test iRODS PostgreSQL "local" or "remote" server + ir_local_res: 'demoResc' # test iRODS Staging resource, before data moved to permanent resource + ir_default_res: 'demoResc' # test iRODS default resource for uploads + ir_db_server: '127.0.0.1' # test iRODS pgsql server location + ir_db_pwd: '{{ icatV_test_db_pwd }}' # test iRODS Vaulted pgsql password + ir_db_user: '{{ ir_service_account }}' # test iRODS postgres user + ir_db_name: 'ICAT' # test iRODS database name + ir_admin_pwd: '{{ icatV_test_admin_pwd }}' # test iRODS Vaulted irods admin password + ir_zone: 'tstzone' # test iRODS default main zone name + ir_salt: 'sA+dwq_dk29DJ1' # test iRODS salt + tiering_install: True # test iRODS True / False - if the playbook tiering.yml should be executed + ir_local_stage_res: 'demoRescStage' # test iRODS staging resource, before data moved to permanent resource ir_local_stage_res_fol: '/tmp/irods/{{ ir_local_stage_res }}' # test! iRODS staging resource folder path - ir_local_perm_res: 'demoRescPerm' # test! iRODS permanent resource, where it will keep data indefinitely + ir_local_perm_res: 'demoRescPerm' # test! iRODS permanent resource, where it will keep data indefinitely ir_local_perm_res_fol: '/tmp/irods/{{ ir_local_perm_res }}' # test! 
iRODS permanent resource folder path + irods-test-db: + fqdn: irods-test-db.hpc.rug.nl + cloud_flavor: m1.small # test-db CPU:1 MEM:2GB ROOTDISK:20GB + pgsql_server: "local" # test-db iRODS PostgreSQL "local" or "remote" server + ir_db_pwd: '{{ icatV_test_db_pwd }}' # test-db iRODS Vaulted pgsql password + ir_db_user: '{{ ir_service_account }}' # test-db iRODS postgres user + ir_db_name: 'ICAT' # test-db iRODS database name + ir_admin_pwd: '{{ icatV_test_admin_pwd }}' # test-db iRODS Vaulted irods admin password vars: cloud_flavor: m1.large local_volume_size_extra: 20 From 9926fd6486b22c4fdcfbf396458b6fc9b7d234cf Mon Sep 17 00:00:00 2001 From: scimerman Date: Thu, 18 Aug 2022 10:55:40 +0200 Subject: [PATCH 09/11] irods: new (internal only) postgres test machine --- group_vars/nibbler_cluster/ip_addresses.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/nibbler_cluster/ip_addresses.yml b/group_vars/nibbler_cluster/ip_addresses.yml index ffc0330fb..f163d7f98 100644 --- a/group_vars/nibbler_cluster/ip_addresses.yml +++ b/group_vars/nibbler_cluster/ip_addresses.yml @@ -21,10 +21,10 @@ ip_addresses: netmask: /32 irods-test-db: nb_internal_management: - address: 10.10.1.183 + address: 10.10.1.114 netmask: /32 nb_internal_management_13: - address: 10.10.3.68 + address: 10.10.3.97 netmask: /32 nb-dai: nb_internal_management: From 8429d50876594b86f8182d4af99fd10b31dcee30 Mon Sep 17 00:00:00 2001 From: scimerman Date: Thu, 18 Aug 2022 11:00:33 +0200 Subject: [PATCH 10/11] Cluster packages: changed to variable that can be overwritten --- roles/cluster/defaults/main.yml | 39 +++++++++++++++++++++++++++++++++ roles/cluster/tasks/main.yml | 38 +------------------------------- 2 files changed, 40 insertions(+), 37 deletions(-) create mode 100644 roles/cluster/defaults/main.yml diff --git a/roles/cluster/defaults/main.yml b/roles/cluster/defaults/main.yml new file mode 100644 index 000000000..a95be1f8b --- /dev/null 
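Review bot: irods-test now has `pgsql_server: "remote"` but keeps `ir_db_server: '127.0.0.1'`, so the rendered `.pgpass` (and presumably the unattended JSON) points at the iCAT host itself rather than the new irods-test-db host; presumably it should be `ir_db_server: 'irods-test-db.hpc.rug.nl'` (or its management address), and `ir_db_port` is not set for this host either. The new irods-test-db entry sets `pgsql_server: "local"` and database credentials but no `ir_zone` or `ir_local_res`, which is only fine if that host is not also in the iRODS server group — worth confirming. `ir_salt` stays a literal in the inventory for the test host; it is pre-existing, but a vaulted value as on the production entry would keep the file free of secrets.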
+++ b/roles/cluster/defaults/main.yml @@ -0,0 +1,39 @@ +--- +cluster_common_packages: + - bash-completion + - bc + - bcc-tools + - bind-utils + - bzip2 + - cargo + - curl + - dos2unix + - figlet + - git + - git-core + - gnutls + - irods-icommands + - libsodium + - lsof + - nano + - ncdu + - ncurses-static + - net-tools + - openssl + - qt5-qtbase + - qt5-qtxmlpatterns + - readline-static + - rsync + - screen + - singularity-runtime + - singularity + - strace + - tcl-devel + - telnet + - tmux + - tree + - unzip + - urw-base35-fonts + - vim + - wget +... diff --git a/roles/cluster/tasks/main.yml b/roles/cluster/tasks/main.yml index 204baf760..43e2bbe52 100644 --- a/roles/cluster/tasks/main.yml +++ b/roles/cluster/tasks/main.yml @@ -9,43 +9,7 @@ ansible.builtin.yum: state: latest update_cache: true - name: - - bash-completion - - bc - - bcc-tools - - bind-utils - - bzip2 - - cargo - - curl - - dos2unix - - figlet - - git - - git-core - - gnutls - - irods-icommands - - libsodium - - lsof - - nano - - ncdu - - ncurses-static - - net-tools - - openssl - - qt5-qtbase - - qt5-qtxmlpatterns - - readline-static - - rsync - - screen - - singularity-runtime - - singularity - - strace - - tcl-devel - - telnet - - tmux - - tree - - unzip - - urw-base35-fonts - - vim - - wget + name: '{{ cluster_common_packages }}' tags: - software become: true From 6444e7720201c899310ba68fa399ec92346fa45b Mon Sep 17 00:00:00 2001 From: scimerman Date: Fri, 2 Sep 2022 09:34:01 +0200 Subject: [PATCH 11/11] package version limiting, updated installation --- group_vars/irods.yml | 2 +- roles/irods/defaults/main.yml | 8 +++----- roles/irods/tasks/icat.yml | 15 ++++++++++----- roles/irods/tasks/icat_pre.yml | 2 +- static_inventories/nibbler_cluster.yml | 1 + 5 files changed, 16 insertions(+), 12 deletions(-) diff --git a/group_vars/irods.yml b/group_vars/irods.yml index 7fa359282..5c591c68f 100644 --- a/group_vars/irods.yml +++ b/group_vars/irods.yml 
@@ -15,7 +15,7 @@ iptables_allow_irods: iptables_allow_postgres_outbound: - ANY -yum_packages: '{{ yum_packages_4_3_0 }}' # List of packages are defined in role defaults +ir_yum_packages: '{{ ir_yum_packages_4_3_0 }}' # Picked version of packages (defined in role defaults) ir_server_type: 'icat' # iRODS Server Type ir_client_server_policy: 'CS_NEG_REQUIRE' # communicating using SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE diff --git a/roles/irods/defaults/main.yml b/roles/irods/defaults/main.yml index 3d10ab0a4..19c0b278b 100644 --- a/roles/irods/defaults/main.yml +++ b/roles/irods/defaults/main.yml @@ -8,7 +8,7 @@ firewall_allowed_tcp_ports: # list of open ports on iCAT server - "5432" # PostgreSQL - "20000:20199" # irods -yum_packages_4_2_11: +ir_yum_packages_4_2_11: - irods-server-4.2.11-1 - irods-database-plugin-postgres-4.2.11-1 - irods-runtime-4.2.11-1 @@ -16,7 +16,7 @@ yum_packages_4_2_11: - irods-rule-engine-plugin-python-4.2.11.1-1 - irods-rule-engine-plugin-unified-storage-tiering-4.2.11.0-1 -yum_packages_4_3_0: +ir_yum_packages_4_3_0: - irods-server-4.3.0-1 - irods-database-plugin-postgres-4.3.0-1 - irods-runtime-4.3.0-1 @@ -24,10 +24,8 @@ yum_packages_4_3_0: - irods-rule-engine-plugin-python-4.3.0.0-1 - irods-rule-engine-plugin-unified-storage-tiering-4.3.0.0-1 -yum_packages: '{{ yum_packages_4_3_0 }}' +ir_yum_packages: '{{ ir_yum_packages_4_3_0 }}' -ir_version: '4.3.0' # first install v4.2.11 and then upgrade to 4.3.0 -ir_version_plugin: '4.3.0.0' # iRODS plugin resource version (f.e. 4.3.0.0) ir_server_type: 'icat' # iRODS Server Type ir_client_server_policy: 'CS_NEG_REQUIRE' # communicating using (default) SSL (CS_NEG_REQUIRE) or without (CS_NEG_REFUSE) diff --git a/roles/irods/tasks/icat.yml b/roles/irods/tasks/icat.yml index 868231106..1e42c0606 100644 --- a/roles/irods/tasks/icat.yml +++ b/roles/irods/tasks/icat.yml 
@@ -2,10 +2,11 @@ - name: create_unattended_installation_json ansible.builtin.template: src: unattended_install.json.j2 - dest: /root/unattended_install.json + dest: '{{ ir_service_account_home }}/unattended_install.json' backup: true mode: '0600' register: create_unattended_installation_json + become_user: '{{ ir_service_account }}' become: true - name: Collect list of tables from existing irods database @@ -17,14 +18,13 @@ become: true - name: Install iRODS, if no tables exist in the database - ansible.builtin.command: sudo python /var/lib/irods/scripts/setup_irods.py --json_configuration_file=/root/unattended_install.json - when: database_tables.stdout_lines | default([]) | length > 0 and database_tables.stdout is search(".*No relations found.*") + ansible.builtin.command: 'python /var/lib/irods/scripts/setup_irods.py --json_configuration_file=/{{ ir_service_account_home }}/unattended_install.json' +# when: database_tables.stdout_lines | default([]) | length > 0 and database_tables.stdout is search(".*No relations found.*") register: install_status - failed_when: install_status.rc > 0 + failed_when: install_status.rc > 0 and "Database specified already in use by iRODS." not in install_status.stderr run_once: true async: 120 poll: 1 - become_user: '{{ ir_service_account }}' become: true notify: irodsctl_restart @@ -34,6 +34,7 @@ search_string: 'acPreConnect(*OUT) { *OUT="CS_NEG_DONT_CARE"; }' line: 'acPreConnect(*OUT) { *OUT="{{ ir_client_server_policy }}"; }' backup: true + become_user: '{{ ir_service_account }}' become: true - name: Edit /etc/irods/core.re to set number of threads to 4 @@ -42,6 +43,7 @@ search_string: 'acSetNumThreads {msiSetNumThreads("default","default","default"); }' line: 'acSetNumThreads {msiSetNumThreads("default","4","default"); }' backup: true + become_user: '{{ ir_service_account }}' become: true - name: Edit /etc/irods/core.re to set default resource 
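Review bot: Commenting out the `when:` guard on 'Install iRODS, if no tables exist in the database' makes `setup_irods.py` run on every play and relies on the exact stderr text `Database specified already in use by iRODS.` to decide success, which breaks silently on a wording change and still reports the task as changed on each run; keep the guard, or at least add `changed_when: '"Database specified already in use by iRODS." not in install_status.stderr'` and drop the stale commented line. The new path `/{{ ir_service_account_home }}/unattended_install.json` puts a slash in front of a variable that already starts with `/` (it defaults to `/home/{{ ir_service_account }}`), so the argument renders as `//home/...`; drop the extra slash. Removing `become_user` means the script now runs as root while the JSON it reads is owned 0600 by the service account (first hunk), which works but changes who owns the files the setup script creates — confirm that is intended.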
@@ -50,6 +52,7 @@ search_string: 'acSetRescSchemeForCreate {msiSetDefaultResc("demoResc","null"); }' line: 'acSetRescSchemeForCreate {msiSetDefaultResc("{{ ir_default_res }}","null"); }' backup: true + become_user: '{{ ir_service_account }}' become: true - name: Edit /etc/irods/core.re to set default replication resource @@ -58,6 +61,7 @@ search_string: 'acSetRescSchemeForRepl {msiSetDefaultResc("demoResc","null"); }' line: 'acSetRescSchemeForRepl {msiSetDefaultResc("{{ ir_default_res }}","null"); }' backup: true + become_user: '{{ ir_service_account }}' become: true - name: Increase systcl limits to allow longer transfers @@ -87,6 +91,7 @@ group: '{{ ir_service_account }}' become_user: '{{ ir_service_account }}' become: true + become_user: '{{ ir_service_account }}' notify: irodsctl_restart - name: Force all services to restart, before we start using iRODS imeta commands diff --git a/roles/irods/tasks/icat_pre.yml b/roles/irods/tasks/icat_pre.yml index 0a75b07cd..26d862b69 100644 --- a/roles/irods/tasks/icat_pre.yml +++ b/roles/irods/tasks/icat_pre.yml @@ -15,7 +15,7 @@ - name: Installing the iRODS Package(s) ansible.builtin.yum: - name: '{{ yum_packages }}' + name: '{{ ir_yum_packages }}' state: present become: true diff --git a/static_inventories/nibbler_cluster.yml b/static_inventories/nibbler_cluster.yml index 3ff6ff448..c7b6e9be0 100644 --- a/static_inventories/nibbler_cluster.yml +++ b/static_inventories/nibbler_cluster.yml @@ -23,6 +23,7 @@ all: hosts: irods-catalogus: fqdn: umcg-icat01.hpc.rug.nl + ir_yum_packages: '{{ ir_yum_packages_4_3_0 }}' # test iRODS List of packages are defined in role defaults pgsql_server: "remote" # PostgreSQL "local" or "remote" server ir_local_res: 'rootResc' # iRODS local resource ir_default_res: 'surfObjStore' # iRODS default resource for uploads
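Review bot: The added `become_user: '{{ ir_service_account }}'` in the -87 hunk duplicates the key that is already present two lines above in the same task mapping; Ansible's YAML loader keeps only the last value and, by default, prints a duplicate-key warning, so the line is redundant and should be removed. The task's `name` line lies outside the hunk, so which task this is cannot be confirmed from here.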
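Review bot: The `ir_yum_packages` line added to the production host irods-catalogus carries the comment `# test iRODS List of packages are defined in role defaults`, copied from the irods-test entry, and is misleading on this host. The value also equals what group_vars/irods.yml sets in this same commit, so the override is redundant; if it stays, a comment such as `# iRODS package set pinned for this host (see roles/irods/defaults)` describes it accurately.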