=============================================
Playbooks for administrating WAeUP servers.
=============================================

These are materials to use with our servers.

For starters: the tutorial given on https://github.com/leucos/ansible-tuto
is a really nice hands-on intro to `ansible`. Please read it!


Vagrant
=======

In `Vagrantfile` we set up a vagrant environment which provides three
hosts as virtualbox machines: ``vh5.sample.org``, ``vh6.sample.org``,
``vh7.sample.org`` running Ubuntu 14.04.

``vh5`` represents "virtual host 5" and should reflect h5.waeup.org. The
same holds for ``vh6`` and ``vh7`` accordingly.

The three virtual hosts are for testing any upcoming ansible playbooks.
They should be used before running playbooks on the real hosts!


Initialize Vagrant Env
----------------------

You must have `vagrant` installed, if possible in a fairly recent
version. I (uli) use `vagrant 1.8.1` (latest at time of writing). As
Ubuntu 14.04 is pretty outdated in that respect, I had to grab a .deb
package from https://www.vagrantup.com/downloads.html that could be
installed with::

  $ sudo dpkg -i vagrant_1.8.1_x86_64.deb

When everything is in place, change into this directory and run::

  $ vagrant up
  Bringing machine 'vh5' up with 'virtualbox' provider...
  Bringing machine 'vh6' up with 'virtualbox' provider...
  Bringing machine 'vh7' up with 'virtualbox' provider...
  ==> vh5: Importing base box 'ubuntu/trusty32'...
  ...

This will fetch Vagrant virtualbox images for trusty32, i.e. Ubuntu 14.04
images, 32bit version (plays nice also on 64bit hosts).

When hosts are being supplied by Hetzner or another hosting provider,
then we normally get access as `root` user only. Therefore, after base
init the root accounts of all hosts are enabled with password
``vagrant``. This is done by the ansible playbook in
``vagrant-provision.yml``.

All three hosts provide ssh access via::

  $ vagrant ssh vh5

or equivalent commands for ``vh6`` and ``vh7``. They have a user
'vagrant' installed, which can sudo without password.

After install all three hosts can also be accessed as `root` using
password `vagrant` (for example vh5)::

  $ ssh -l root 192.168.36.10

See ``Vagrantfile`` for the IP addresses set.

You can halt (all) the virtual hosts with::

  $ vagrant halt


Ansible Environment
===================

The ansible environment should provide ansible roles and playbooks for
WAeUP related server administration.

The general file-layout and naming should follow
https://docs.ansible.com/ansible/playbooks_best_practices.html#directory-layout


Bootstrapping - Freshmechs
--------------------------

We call those machines "freshmech" that are freshly delivered from the
hosting provider or that were freshly provisioned by `vagrant` (see
above). These machines are expected to have only a single root account
and normally a (security-wise) poor SSH configuration.

Bootstrapping these machines means we secure SSH, restart the SSH daemon
and then add important accounts: "uli", "henrik", "ansible".

To make sure the connection to a "freshmech" works, you should log in
via SSH at least once before proceeding with ansible and all bells and
whistles::

  ssh -l root 192.168.36.10

(with the real IP of the machine you want to reach, of course).

Any host you want to "bootstrap" must be entered in a local hosts file,
normally ``hosts-virtual``, with a line like this::

  [yet-untouched]
  vh5.sample.org ansible_host=192.168.36.10 ansible_user=root

in the "yet-untouched" section. Afterwards try::

  $ ansible-playbook -i hosts-virtual --ask-pass bootstrap.yml

The ``--ask-pass`` parameter is needed to enter the password given by the
provider on the commandline. For the local `vagrant` machines this will
be `vagrant`.

If run on local virtual machines, you might want to make sure that your
local `known_hosts` file does not contain an old ssh host fingerprint.
Otherwise you have to remove entries for::

  192.168.36.10
  192.168.36.11
  192.168.36.12

respectively before running `bootstrap.yml`.

Alternatively you can run everything with the
`ANSIBLE_HOST_KEY_CHECKING` environment variable set to ``False``::

  $ ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i hosts-virtual --ask-pass bootstrap.yml

This will suppress host fingerprint checking.
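The following script is an added example and not part of this playbook repository: it removes the stale ``known_hosts`` entries for the three vagrant IPs listed above before ``bootstrap.yml`` is re-run, so that host key checking can stay enabled instead of being switched off with ``ANSIBLE_HOST_KEY_CHECKING=False`` (which would also hide a genuinely changed host key on a real host). It wraps ``ssh-keygen -R`` and only falls back to a plain awk filter, which cannot match hashed entries, when ``ssh-keygen`` is missing; the function names and the sample key in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the WAeUP playbooks: purge stale host keys
# for re-created vagrant boxes instead of disabling host key checking.

# IPs of vh5, vh6 and vh7 as listed in the README (set in the Vagrantfile).
VAGRANT_HOSTS="192.168.36.10 192.168.36.11 192.168.36.12"

# count_host_keys FILE HOST
# Prints how many plain-text (unhashed, unmarked) lines of FILE list HOST
# in their comma-separated host-name field.
count_host_keys() {
    awk -v h="$2" 'BEGIN { c = 0 }
        /^[^#|@]/ { n = split($1, names, ",")
                    for (i = 1; i <= n; i++) if (names[i] == h) { c++; break } }
        END { print c }' "$1"
}

# purge_stale_host_keys FILE HOST...
# Drops every line of FILE that carries a key for one of the HOSTs.
# ssh-keygen -R is preferred: it also matches hashed entries (HashKnownHosts
# yes) and keeps @cert-authority/@revoked lines. The awk fallback only sees
# plain-text names and likewise leaves comment, hashed and marked lines alone.
purge_stale_host_keys() {
    file=$1; shift
    [ -f "$file" ] || return 0
    for host in "$@"; do
        if command -v ssh-keygen >/dev/null 2>&1; then
            ssh-keygen -R "$host" -f "$file" >/dev/null 2>&1 || true
        else
            awk -v h="$host" '{ keep = 1
                if ($0 !~ /^[#|@]/) { n = split($1, names, ",")
                    for (i = 1; i <= n; i++) if (names[i] == h) keep = 0 }
                if (keep) print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        fi
    done
}

# Typical use before re-running bootstrap.yml against freshly re-created
# vagrant boxes (uncomment to run against your real known_hosts file):
#   purge_stale_host_keys "$HOME/.ssh/known_hosts" $VAGRANT_HOSTS
```

After a purge the next ``ansible-playbook`` run prompts once for the new fingerprint of each box, which is exactly the check that ``ANSIBLE_HOST_KEY_CHECKING=False`` would silence.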