Create an ansible host vm
----------------------------------
installed ubuntu-12.04.2-server-amd64.iso to a 5 G virtual drive
checked openssh server as an install option
logged in, ran apt-get update, apt-get dist-upgrade
apt-get install acpi
apt-get install python-software-properties
add-apt-repository ppa:rquillo/ansible
apt-get update
apt-get install ansible
apt-get install subversion
Create SSH keys
-------------------------
All of the below is cut and pasted from various online resources:
If you have SSH installed, you should be able to run:
- Create a .ssh directory in your home directory:
$ mkdir .ssh
$ chmod 700 .ssh
$ ssh-keygen -t rsa -b 4096
- After following the procedure of ssh-keygen, you'll have two files, id_rsa and id_rsa.pub (the first is your private key, the second is your public key - the one you copy to remote machines)
- chmod 600 all the id_rsa* files, so no other users can read them:
$ chmod 600 ~/.ssh/id_rsa*
- On Ubuntu, you can use ssh-agent to hold the decrypted keys in memory - this means you don't have to type your keypair's password every single time. To launch the agent, you run (including the back-tick quotes, which eval the output of the ssh-agent command)
$ eval `ssh-agent`
- On some distros, ssh-agent is started automatically. If you run echo $SSH_AUTH_SOCK and it shows a path (probably in /tmp/) it's already set up, so you can skip the previous command. Then to add your key, you do
$ ssh-add ~/.ssh/id_rsa
and enter your passphrase. It's stored until you remove it (using the ssh-add -D command, which removes all keys from the agent).
- Since Robert beat me to the punch, a couple of quick additions.
* When ssh-keygen asks for the name, give ~/.ssh/dataone_ansible; otherwise it will wipe out your original ssh keys for other systems.
* Be sure to give a passphrase, don't use an empty one. Even with RSA version 2, passphrase-less keys are "easy" to break.
* If you have a Mac (which most of you do), you don't need to worry about ssh-agent and ssh-add. These are running already, so you won't need to interact with those tools directly. The first time you use ssh, you'll get a pop-up window asking for the passphrase. After that ssh-agent will remember it through OS X's keychain.
* The first time you use ssh to log in to the system, you'll need to run ssh -i ~/.ssh/dataone_ansible username@ansible-host; after that ssh-agent will remember, so you'll only need to do ssh username@ansible-host.
* Send me your requested account name and the ~/.ssh/dataone_ansible.pub file, not the ~/.ssh/dataone_ansible (that's your private key that you should protect). Preferably encrypt the email with my PGP public key for greater security.
Ansible Host Machine
================
The current dataone ansible host is ansible.dataone.org
The default host file for ansible is /etc/ansible/hosts
The default configuration file for ansible is /etc/ansible/ansible.cfg
Set up Ansible for your user (assuming waltz is the username below)
---------------------------------
waltz@dataone:~$ cd .ssh
waltz@dataone:~/.ssh$ ls
id_rsa id_rsa.pub known_hosts
waltz@utk-dataone:~/.ssh$ sftp ansible.dataone.org
Connecting to ansible.dataone.utk.edu...
sftp> cd .ssh
sftp> put id_rsa
Uploading id_rsa to /home/waltz/.ssh/id_rsa
dataone_ansible 100% 3311 3.2KB/s 00:00
sftp> put id_rsa.pub
Uploading id_rsa.pub to /home/waltz/.ssh/id_rsa.pub
(or scp id_rsa* HOST:~/.ssh)
ssh ansible.dataone.org
waltz@ansible:~$ cd .ssh
waltz@ansible:~/.ssh$ chmod 600 id_rsa
waltz@ansible:~/.ssh$ chmod 600 id_rsa.pub
waltz@ansible:~$ ssh cn-dev-orc-1.test.dataone.org
waltz@cn-dev-orc-1:~$ ls .ssh
(If .ssh has never been created, then create .ssh! If it already exists, note whether authorized_keys exists.)
waltz@cn-dev-orc-1:~$ mkdir .ssh
waltz@cn-dev-orc-1:~$ chmod 700 .ssh
(open another term, or exit the one you are currently in to return to ansible.dataone.org)
waltz@ansible:~$ cd .ssh
waltz@ansible:~/.ssh$ sftp cn-dev-orc-1.test.dataone.org
Connecting to cn-dev-orc-1.test.dataone.org...
sftp> cd .ssh
sftp> put id_rsa.pub
Uploading id_rsa.pub to /home/waltz/.ssh/id_rsa.pub
(You have now uploaded your public key to the remote machine cn-dev-orc-1.test.dataone.org; return to cn-dev-orc-1.test.dataone.org via ssh or an open terminal.)
waltz@cn-dev-orc-1:~$ cd .ssh
(before issuing the next command, if you have an authorized_keys file, then you should check there is a newline at the end of the last public key entry)
waltz@cn-dev-orc-1:~$ cat id_rsa.pub >> authorized_keys
waltz@cn-dev-orc-1:~$ chmod 600 authorized_keys
From the ansible machine, test that ssh to cn-dev-orc-1.test.dataone.org works by running the date command:
waltz@ansible:~$ ssh -i .ssh/id_rsa cn-dev-orc-1.test.dataone.org date
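An added example (not from the original notes) that does the authorized_keys step above with the checks the notes mention: it creates .ssh with mode 700 if needed, refuses a file that is not a public key, adds the missing trailing newline before appending, skips a key that is already installed, and leaves authorized_keys at 600. The function names, the check_ssh_perms helper and the key format check are my own, not part of the DataONE procedure.

```shell
#!/bin/sh
# Added example, not from the original notes. Installs a public key into a
# user's authorized_keys the way "cat id_rsa.pub >> authorized_keys" does,
# with the checks the notes ask for: the .ssh directory is created with mode
# 700 if missing, the file is refused unless it is a public key, a missing
# trailing newline is added before appending, an already-installed key is
# skipped, and authorized_keys ends up at mode 600.
#   install_authorized_key <pubkey-file> [ssh-dir]   (ssh-dir defaults to ~/.ssh)
install_authorized_key() {
    pub="$1"; sshdir="${2:-$HOME/.ssh}"; auth="$sshdir/authorized_keys"

    # Private keys begin with "-----BEGIN"; only accept OpenSSH public-key lines.
    if ! grep -Eq '^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp[0-9]+) ' "$pub"; then
        echo "refusing: $pub does not look like an OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$sshdir" && chmod 700 "$sshdir"

    if [ -s "$auth" ]; then
        # $(...) strips trailing newlines, so a non-empty result means the last
        # byte is not "\n" and the new key would be glued onto the previous one.
        [ -z "$(tail -c 1 "$auth")" ] || printf '\n' >> "$auth"
        # Compare the base64 key material (field 2) only; comments may differ.
        if grep -qF -- "$(awk '{print $2}' "$pub")" "$auth"; then
            echo "key already present in $auth" >&2
            chmod 600 "$auth"; return 0
        fi
    fi
    cat "$pub" >> "$auth" && chmod 600 "$auth"
}

# Return 0 when the permissions match the notes: 700 on the directory,
# 600 on authorized_keys and on any id_rsa* files that exist.
check_ssh_perms() {
    sshdir="${1:-$HOME/.ssh}"
    [ "$(ls -ld "$sshdir" | cut -c1-10)" = "drwx------" ] || return 1
    for f in "$sshdir"/authorized_keys "$sshdir"/id_rsa*; do
        [ -e "$f" ] || continue
        [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] || return 1
    done
    return 0
}
```

Run it on the remote host as the target user, e.g. `install_authorized_key ~/.ssh/id_rsa.pub && check_ssh_perms`, in place of the cat and chmod lines above.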
cp /etc/ansible/ansible.cfg .ansible.cfg
vi .ansible.cfg
changed:
transport=smart|paramiko
to:
transport=ssh
changed:
hostfile = /etc/ansible/hosts
to:
hostfile = /home/waltz/ansible/hosts
mkdir ansible
cd ansible
cp /home/waltz/ansible/hosts .
or create one yourself
pico hosts
added:
[dev]
cn-dev-orc-1.test.dataone.org
cn-dev-unm-1.test.dataone.org
cn-dev-ucsb-1.test.dataone.org
[sandbox]
cn-sandbox-orc-1.test.dataone.org
cn-sandbox-unm-1.test.dataone.org
cn-sandbox-ucsb-1.test.dataone.org
[stage]
cn-stage-orc-1.test.dataone.org
cn-stage-unm-1.test.dataone.org
cn-stage-ucsb-1.test.dataone.org
[stage2]
cn-stage-orc-2.test.dataone.org
cn-stage-unm-2.test.dataone.org
[prod]
cn-orc-1.dataone.org
cn-unm-1.dataone.org
cn-ucsb-1.dataone.org
Test Ansible
----------------
To determine if you have ssh access on the development environment:
ssh-agent bash
ssh-add ~/.ssh/id_rsa
ansible dev -i /home/waltz/ansible/hosts -m ping
Success should look like:
cn-dev-orc-1.test.dataone.org | success >> {
"changed": false,
"ping": "pong"
}
cn-dev-ucsb-1.test.dataone.org | success >> {
"changed": false,
"ping": "pong"
}
cn-dev-unm-1.test.dataone.org | success >> {
"changed": false,
"ping": "pong"
}
Or failure:
-----
cn-dev-ucsb-1.test.dataone.org | FAILED => failed to transfer file to /ping:
Permission denied (publickey,password).
Couldn't read packet: Connection reset by peer
----
To determine if you can execute commands as root on the development environment:
ansible dev -i /home/waltz/ansible/hosts -a "touch /home/(username)/helloAnsible.txt" -u waltz --sudo --ask-sudo-pass
Success should look like:
cn-dev-orc-1.test.dataone.org | success | rc=0 >>
cn-dev-ucsb-1.test.dataone.org | success | rc=0 >>
cn-dev-unm-1.test.dataone.org | success | rc=0 >>
The above command should result in a file (helloAnsible.txt) owned by root in your home directory.
cd ansible
rm -rf trunk
svn export https://repository.dataone.org/software/cicore/trunk/cn-buildout/dataone-cn-ansible/src trunk
cd trunk
ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-dev-orc-1.test.dataone.org -v -u waltz -c ssh --sudo --ask-sudo-pass --module-path=modules playbooks/dev/dataone-cn-os-core.yml
The instructions below are already outdated; I am writing a shell script that will help manage ansible deployments.
Assuming your username is waltz (if not, make the appropriate substitutions)
(go to your home directory)
cd
mkdir ansible
cd ansible
svn export https://repository.dataone.org/software/cicore/trunk/cn-buildout/dataone-cn-ansible/src trunk
cd trunk
ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-sandbox-ucsb-1.test.dataone.org -v -u waltz -c ssh --sudo --ask-sudo-pass --module-path=modules playbooks/sandbox/dataone-cn-os-core.yml
ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-sandbox-ucsb-1.test.dataone.org -v -u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/sandbox/dataone-cn-metacat.yml
ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-sandbox-ucsb-1.test.dataone.org -v -u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/sandbox/dataone-cn-portal.yml
To run against every dev host, execute: ansible-playbook -i /home/waltz/ansible/hosts -v -u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/dev/dataone-cn-os-core.yml
Production examples
ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-orc-1.dataone.org -v -u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/prod/dataone-cn-portal.yml
ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-orc-1.dataone.org -v -u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/prod/dataone-cn-metacat.yml
ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-orc-1.dataone.org -v -u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/prod/dataone-cn-dataone.yml
New Note:
This command does a basic build-out on a new machine.
Remember to remove the ssh arguments from /etc/ansible/ansible.cfg first.
ansible-playbook --ask-pass --ask-sudo-pass -i /home/waltz/ansible/hosts --limit=cn-dev-orc-1.test.dataone.org -vvvv --user=localadmin --sudo --module-path=/home/waltz/ansible/trunk/src/modules /home/waltz/ansible/trunk/src/playbooks/dev/initial-setup.yml