source: main/waeup-ansible/README.rst @ 13846

Last change on this file since 13846 was 13843, checked in by uli, 8 years ago

Tell about what we learned.
File size: 4.2 KB
Line 
1=============================================
2 Playbooks for administrating WAeUP servers.
3=============================================
4
5These are materials to use with our servers.
6
7For starters: the tutorial given on
8
9  https://github.com/leucos/ansible-tuto
10
11is a really nice hands-on intro to `ansible`. Please read it!
12
13Vagrant
14=======
15
16In `Vagrantfile` we set up a vagrant environment which provides three
17hosts as virtualbox:
18
19  ``vh5.sample.org``, ``vh6.sample.org``, ``vh7.sample.org``
20
21running Ubuntu 14.04. ``vh5`` represents "virtual host 5" and should
22reflect h5.waeup.org. The same holds for ``vh6`` and ``vh7``
23accordingly.
24
25The three virtual hosts are for testing any upcoming ansible
26playbooks. They should be used before running playbooks on the real
27hosts!
28
29
30Initialize Vagrant Env
31----------------------
32
33You must have `vagrant` installed, if possible in a fairly recent
34version. I (uli) use `vagrant 1.8.1` (latest as time of writing).  As
35Ubuntu 14.04 is pretty outdated in that respect, I had to grab a .deb
36package from
37
38  https://www.vagrantup.com/downloads.html
39
40that could be installed with::
41
42 $ sudo dpkg -i vagrant_1.8.1_x86_64.deb
43
44
45When everything is in place, change into this directory and run::
46
47  $ vagrant up
48  Bringing machine 'vh5' up with 'virtualbox' provider...
49  Bringing machine 'vh6' up with 'virtualbox' provider...
50  Bringing machine 'vh7' up with 'virtualbox' provider...
51  ==> vh5: Importing base box 'ubuntu/trusty32'...
52  ...
53
54This will fetch Vagrant virtualbox images for trusty32, i.e. Ubuntu
5514.04 images, 32bit version (plays nice also on 64bit hosts).
56
57When hosts are being supplied by Hetzner or another hosting provider,
58then we normally get access as `root` user only. Therefore, After base
59init the root accounts of all hosts are enabled with password
60``vagrant``. This is done by the ansible playbook in
61``vagrant-provision.yml``.
62
63All three hosts provide ssh access via::
64
65  $ vagrant ssh vh0
66
67or equivalent commands. They have a user 'vagrant' installed, which
68can sudo without password.
69
70After install all three hosts can also be accessed as `root` using
71password `vagrant` (for example vh5):
72
73  $ ssh -l root 192.168.36.10
74
75See ``Vagrantfile`` for the IP addresses set.
76
77You can halt (all) the virtual hosts with::
78
79  $ vagrant halt
80
81
82
83Ansible Environment
84===================
85
86The ansible environment should provide ansible roles and playbooks for
87WAeUP related server administration.
88
89The general file-layout and naming should follow
90
91  https://docs.ansible.com/ansible/playbooks_best_practices.html#directory-layout
92
93
94Bootstrapping - Freshmechs
95--------------------------
96
97We call those nachines "freshmech" that are freshly delivered from the
98hosting provider or that were freshly provisioned by `vagrant` (see
99above).
100
101These machines are expected to have only a single root account and
102normally a (security-wise) poor SSH configuration.
103
104Bootstrapping these machines means we secure SSH, restart the SSH
105daemon and then add important accounts: "uli", "henrik", "ansible".
106
107To make sure, the connection to a "freshmech" works, you should at
108least one time login via SSH before proceeding with ansible and all
109bells and whistles::
110
111  ssh -l root 192.168.36.10
112
113(with the real IP of the machine you want to reach, of course).
114
115Any host you want to "bootstrap" must be entered in a local hosts
116file, normally ``hosts-virtual``, with a line like this:
117
118  [yet-untouched]
119  vh5.sample.org ansible_host=192.168.36.10 ansible_user=root
120
121in the "yet-untouched" section.
122
123Afterwards try:
124
125  $ ansible-playbook -i hosts-virtual --ask-pass bootstrap.yml
126
127The ``ask-pass`` parameter is needed to enter the password given by
128the provider on the commandline. For the local `vagrant` machines this
129will be `vagrant`.
130
131If run on local virtual machines, you might want to make sure that
132your local `known_hosts` file does not contain an old ssh host
133fingerprint. Otherwise you have to remove entries for::
134
135  192.168.36.10
136  192.168.36.11
137  192.168.36.12
138
139respectively before running `bootstrap.yml`.
140
141Alternatively you can run everything with the
142`ANSIBLE_HOST_KEY_CHECKING` environment variable set to ``False``::
143
144  $ ANSIBLE_HOST_KEY_CHECKING=False  ansible-playbook -i hosts-virtual --ask-pass bootstrap.yml
145
146This will suppress host fingerprint checking.
Note: See TracBrowser for help on using the repository browser.