=============================================
Playbooks for administrating WAeUP servers.
=============================================

These are materials to use with our servers.

For starters: the tutorial given on

https://github.com/leucos/ansible-tuto

is a really nice hands-on intro to `ansible`. Please read it!

Vagrant
=======

In `Vagrantfile` we set up a vagrant environment which provides three
hosts as virtualbox:

``vh5.sample.org``, ``vh6.sample.org``, ``vh7.sample.org``

running Ubuntu 14.04. ``vh5`` represents "virtual host 5" and should
reflect h5.waeup.org. The same holds for ``vh6`` and ``vh7``
accordingly.

The three virtual hosts are for testing any upcoming ansible
playbooks. They should be used before running playbooks on the real
hosts!

Initialize Vagrant Env
----------------------

You must have `vagrant` installed, if possible in a fairly recent
version. I (uli) use `vagrant 1.8.1` (latest at time of writing). As
Ubuntu 14.04 is pretty outdated in that respect, I had to grab a .deb
package from

https://www.vagrantup.com/downloads.html

that could be installed with::

    $ sudo dpkg -i vagrant_1.8.1_x86_64.deb

When everything is in place, change into this directory and run::

    $ vagrant up
    Bringing machine 'vh5' up with 'virtualbox' provider...
    Bringing machine 'vh6' up with 'virtualbox' provider...
    Bringing machine 'vh7' up with 'virtualbox' provider...
    ==> vh5: Importing base box 'ubuntu/trusty32'...
    ...

This will fetch Vagrant virtualbox images for trusty32, i.e. Ubuntu
14.04 images, 32bit version (plays nice also on 64bit hosts).

When hosts are being supplied by Hetzner or another hosting provider,
we normally get access as `root` user only. Therefore, after base
init the root accounts of all hosts are enabled with password
``vagrant``. This is done by the ansible playbook in
``vagrant-provision.yml``.

All three hosts provide ssh access via::

    $ vagrant ssh vh5

or equivalent commands. They have a user 'vagrant' installed, which
can sudo without password.

After install all three hosts can also be accessed as `root` using
password `vagrant` (for example vh5)::

    $ ssh -l root 192.168.36.10

See ``Vagrantfile`` for the IP addresses set.

You can halt (all) the virtual hosts with::

    $ vagrant halt

82 | |
---|
Ansible Environment
===================

The ansible environment should provide ansible roles and playbooks for
WAeUP related server administration.

The general file-layout and naming should follow

https://docs.ansible.com/ansible/playbooks_best_practices.html#directory-layout

Bootstrapping - Freshmechs
--------------------------

We call those machines "freshmech" that are freshly delivered from the
hosting provider or that were freshly provisioned by `vagrant` (see
above).

These machines are expected to have only a single root account and
normally a (security-wise) poor SSH configuration.

Bootstrapping these machines means we secure SSH, restart the SSH
daemon and then add important accounts: "uli", "henrik", "ansible".

To make sure the connection to a "freshmech" works, you should log in
via SSH at least once before proceeding with ansible and all bells and
whistles::

    ssh -l root 192.168.36.10

(with the real IP of the machine you want to reach, of course).

Any host you want to "bootstrap" must be entered in a local hosts
file, normally ``hosts-virtual``, with a line like this::

    [yet-untouched]
    vh5.sample.org ansible_host=192.168.36.10 ansible_user=root

in the "yet-untouched" section.

Afterwards try::

    $ ansible-playbook -i hosts-virtual --ask-pass bootstrap.yml

The ``--ask-pass`` parameter is needed to enter the password given by
the provider on the commandline. For the local `vagrant` machines this
will be `vagrant`.
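
As an added illustration, not the repository's own ``bootstrap.yml``, here is one play that carries out the three steps named above (secure SSH, restart the daemon, add the accounts); the key-file locations (``keys/<user>.pub``), the sudoers drop-in and the sshd settings chosen are assumptions:

```yaml
# Added example, not the repository's bootstrap.yml: one way to carry out the
# bootstrap steps described above. Assumed: public keys live in keys/<user>.pub
# next to the playbook, hosts run Ubuntu 14.04 (sshd service name "ssh").
- hosts: yet-untouched
  become: true
  vars:
    admin_users: [uli, henrik, ansible]
  tasks:
    # Accounts and keys go in first: once PermitRootLogin is off, the root
    # login used for this run is gone, so key-based logins must already work.
    - name: Create the admin accounts
      user:
        name: "{{ item }}"
        shell: /bin/bash
        groups: sudo
        append: true
      loop: "{{ admin_users }}"

    - name: Install each account's SSH public key
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'keys/' + item + '.pub') }}"
      loop: "{{ admin_users }}"

    - name: Let the ansible account sudo without a password (checked by visudo)
      copy:
        dest: /etc/sudoers.d/ansible
        content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    # Each edit is validated with "sshd -t" before it is written, so a typo
    # cannot leave the host without a working SSH daemon.
    - name: Harden sshd_config (no root login, keys only)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: ChallengeResponseAuthentication, value: "no" }
      notify: restart ssh

  # The handler runs after all tasks, so the password-based root session
  # that drives this play is still usable until the very end.
  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted
```

After this play has run the host no longer accepts the root password, so its inventory line must leave the ``yet-untouched`` group and use ``ansible_user=ansible`` with the installed key.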

If run on local virtual machines, you might want to make sure that
your local `known_hosts` file does not contain an old ssh host
fingerprint. Otherwise you have to remove entries for::

    192.168.36.10
    192.168.36.11
    192.168.36.12

respectively before running `bootstrap.yml`.

Alternatively you can run everything with the
`ANSIBLE_HOST_KEY_CHECKING` environment variable set to ``False``::

    $ ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i hosts-virtual --ask-pass bootstrap.yml

This will suppress host fingerprint checking.
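
As an added example that is not part of the repository, the stale entries can also be dropped for just the hosts listed in ``yet-untouched`` (by IP and by name), which keeps fingerprint checking switched on for every other host; it assumes the inventory layout shown above and the default ``~/.ssh/known_hosts`` on the control machine:

```yaml
# Added example (not part of the repository): remove stale host keys for the
# freshly provisioned hosts only, leaving host key checking enabled elsewhere.
# Run with: ansible-playbook -i hosts-virtual clean-known-hosts.yml
# (the file name is an assumption).
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    # Builds one list of the IPs (ansible_host of each group member) plus the
    # inventory names, so both forms of entry are removed.
    - name: Remove stale known_hosts entries for the yet-untouched hosts
      known_hosts:
        name: "{{ item }}"
        state: absent
      loop: >-
        {{ groups['yet-untouched'] | map('extract', hostvars, 'ansible_host') | list
           + groups['yet-untouched'] }}
```

The next ``bootstrap.yml`` run then sees the hosts as new and records their current keys instead of refusing a changed fingerprint.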