sshCreate an ansible host vm ---------------------------------- installed ubuntu-12.04.2-server-amd64.iso to a 5 G virtual drive checked openssh server as an install option logged in, ran apt-get update, apt-get dist-upgrade apt-get install acpi apt-get install python-software-properties add-apt-repository ppa:rquillo/ansible apt-get update apt-get install ansible apt-get install subversion Create SSH keys ------------------------- All the below is cut and paste from various online resources: If you have SSH installed, you should be able to run.. * create .ssh directory in home directory $ mkdir .ssh $ chmod 700 .ssh $ ssh-keygen -t rsa -b 4096 * After following the procedure of ssh-keygen, you'll have two files, id_rsa and id_rsa.pub (the first is your private key, the second is your public key - the one you copy to remote machines) * chmod 600 all the id_rsa* files, so no other users can read them: $ chmod 600 ~/.ssh/id_rsa* * On Ubuntu, you can use ssh-agent to hold the decrypted keys in memory - this means you don't have to type your keypair's password every single time. To launch the agent, you run (including the back-tick quotes, which eval the output of the ssh-agent command) * ssh-agent --------------- * On some distros, ssh-agent is started automatically. If you run echo $SSH_AUTH_SOCK and it shows a path (probably in /tmp/) it's already setup, so you can skip the previous command. Then to add your key, you do $ ssh-add ~/.ssh/id_rsa and enter your passphrase. It's stored until you remove it (using the ssh-add -D command, which removes all keys from the agent) * Since Robert beat me to the punch, couple of quick additions. * When ssh-keygen asks for the name give ~/.ssh/dataone_ansible otherwise it will wipe out your original ssh keys for other systems. * Be sure to give a passphrase, don't use an empty one. Even with rsa version 2, passphase-less keys are "easy" to break. * If you have a mac (which most of you do), you don't need to worry about ssh-agent and ssh-add. These are running already so you won't need to interact with those tools directly. The first time you use ssh, you'll get a pop-up window asking for the passphrase. After that ssh-agent will remember through os x's keychains. * The first time you use ssh to login into the system, you'll need to ssh -i ~/.ssh/dataone_ansible username@ansible-host after that ssh-agent will remember so you'll only need to do ssh username@ansible-host . * Send me your requested account name and the ~/.ssh/dataone_ansible.pub file, not the ~/.ssh/dataone_ansible (That's your private key that you should protect.) Preferably encrypt the email with my pgp pub key for greater security. Ansible Host Machine ================ The current dataone ansible host is ansible.dataone.org The default host file for ansible is /etc/ansible/hosts The default configuration file for ansible is /etc/ansible/ansible.cfg Setup Ansible for your user (assuming waltz is the username below) --------------------------------- waltz@dataone:~$ cd .ssh waltz@dataone:~/.ssh$ ls id_rsa id_rsa.pub known_hosts waltz@utk-dataone:~/.ssh$ sftp ansible.dataone.org Connecting to ansible.dataone.utk.edu... sftp> cd .ssh sftp> put id_rsa Uploading id_rsa to /home/waltz/.ssh/id_rsa dataone_ansible 100% 3311 3.2KB/s 00:00 sftp> put id_rsa.pub Uploading id_rsa.pub to /home/waltz/.ssh/id_rsa.pub (or scp id_rsa* HOST:~/.ssh ) ssh ansible.dataone.org waltz@ansible:~$ cd .ssh waltz@ansible:~/.ssh$ chmod 600 id_rsa waltz@ansible:~/.ssh$ chmod 600 id_rsa.pub waltz@ansible:~$ ssh cn-dev-orc-1.test.dataone.org waltz@cn-dev-orc-1:~$ ls .ssh (If .ssh has never been created, then create .ssh!, if it has been created, note if authorized_keys exists) waltz@cn-dev-orc-1:~$ mkdir .ssh waltz@cn-dev-orc-1:~$ chmod 700 .ssh (open another term, or exit the one you are currently in to return to ansible.dataone.org) waltz@ansible:~$ cd .ssh waltz@ansible:~$ sftp cn-dev-orc-1.test.dataone.org Connecting to cn-dev-orc-1.test.dataone.org... sftp> cd .ssh sftp> put.pub Uploading id_rsa.pub to /home/waltz/.ssh/id_rsa.pub ( you have now uploaded your public key to the remote machine cn-dev-orc-1.test.dataone.org, return to cn-dev-orc-1.test.dataone.org via ssh or an open terminal) waltz@cn-dev-orc-1:~$ cd .ssh (before issuing the next command, if you have an authorized_keys file, then you should check there is a newline at the end of the last public key entry) waltz@cn-dev-orc-1:~$ cat id_rsa.pub >> authorized_keys waltz@cn-dev-orc-1:~$ chmod 600 authorized_keys From the ansible machine, test ssh cn-dev-orc-1.test.dataone.org date command waltz@ansible:~$ ssh -i .ssh/id_rsa cn-dev-orc-1.test.dataone.org date cp /etc/ansible/ansible.cfg .ansible.cfg vi .ansible.cfg changed: transport=smart|paramiko to: transport=ssh changed: hostfile = /etc/ansible/hosts to: hostfile = /home/waltz/ansible/hosts mkdir ansible cd ansible cp /home/waltz/ansible/hosts . or create one yourself pico hosts added: [dev] cn-dev-orc-1.test.dataone.org cn-dev-unm-1.test.dataone.org cn-dev-ucsb-1.test.dataone.org [sandbox] cn-sandbox-orc-1.test.dataone.org cn-sandbox-unm-1.test.dataone.org cn-sandbox-ucsb-1.test.dataone.org [stage] cn-stage-orc-1.test.dataone.org cn-stage-unm-1.test.dataone.org cn-stage-ucsb-1.test.dataone.org [stage2] cn-stage-orc-2.test.dataone.org cn-stage-unm-2.test.dataone.org [prod] cn-orc-1.dataone.org cn-unm-1.dataone.org cn-ucsb-1.dataone.org Test Ansible ---------------- to determine if you have ssh access on the development environment ssh-agent bash ssh-add ~/.ssh/id_rsa ansible dev -i /home/waltz/ansible/hosts -m ping success should look like: cn-dev-orc-1.test.dataone.org | success >> { "changed": false, "ping": "pong" } cn-dev-ucsb-1.test.dataone.org | success >> { "changed": false, "ping": "pong" } cn-dev-unm-1.test.dataone.org | success >> { "changed": false, "ping": "pong" } or failure: ----- cn-dev-ucsb-1.test.dataone.org | FAILED => failed to transfer file to /ping: Permission denied (publickey,password). Couldn't read packet: Connection reset by peer ---- to determine if you can execute as root on the development environment ansible dev -i /home/waltz/ansible/hosts -a "touch /home/(username)/helloAnsible.txt" -u waltz --sudo --ask-sudo-pass success should look like: cn-dev-orc-1.test.dataone.org | success | rc=0 >> cn-dev-ucsb-1.test.dataone.org | success | rc=0 >> cn-dev-unm-1.test.dataone.org | success | rc=0 >> the above command should restult in a file (helloAnsibles.txt) owned by root in your home directory cd ansible rm -rf trunk svn export https://repository.dataone.org/software/cicore/trunk/cn-buildout/dataone-cn-ansible/src trunk cd trunk ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-dev-orc-1.test.dataone.org -v --u waltz -c ssh --sudo --ask-sudo-pass --module-path=modules playbooks/dev/dataone-cn-os-core.yml The below instructions are already outdated, I am writing a shell script that will help manage ansible deployments. Assuming your username is waltz (if not make the appropriate substitutions) (goto your home directory) cd mkdir ansible cd ansible svn export https://repository.dataone.org/software/cicore/trunk/cn-buildout/dataone-cn-ansible/src trunk cd trunk ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-sandbox-ucsb-1.test.dataone.org -v --u waltz -c ssh --sudo --ask-sudo-pass --module-path=modules playbooks/sandbox/dataone-cn-os-core.yml ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-sandbox-ucsb-1.test.dataone.org -v --u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/sandbox/dataone-cn-metacat.yml ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-sandbox-ucsb-1.test.dataone.org -v --u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/sandbox/dataone-cn-portal.yml execute ansible-playbook -i /home/waltz/ansible/hosts -v --u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/dev/dataone-cn-os-core.yml Production examples ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-orc-1.dataone.org -v --u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/prod/dataone-cn-portal.yml ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-orc-1.dataone.org -v --u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/prod/dataone-cn-metacat.yml ansible-playbook -i /home/waltz/ansible/hosts --limit=cn-orc-1.dataone.org -v --u waltz --sudo --ask-sudo-pass --module-path=modules playbooks/prod/dataone-cn-dataone.yml New Note: this command works to build out a basic build on a new machine remember to take out the ssh arguments in /etc/ansible/ansible.cfg ansible-playbook --ask-pass --ask-sudo-pass -i /home/waltz/ansible/hosts --limit=cn-dev-orc-1.test.dataone.org -vvvv --user=localadmin --sudo --module-path=/home/waltz/ansible/trunk/src/modules /home/waltz/ansible/trunk/src/playbooks/dev/initial-setup.yml