| 1 |
#################################################################################################### |
| 2 |
Ansible Deploy Script for Master Portal |
| 3 |
#################################################################################################### |
| 4 |
|
| 5 |
|
| 6 |
What are these scripts for? |
| 7 |
---------------------------------------------------------------------------------------------------- |
| 8 |
|
| 9 |
These scripts are for deploying a Master Portal + Credential Store. To find out more about what this |
| 10 |
setup is useful for take a look at: https://wiki.nikhef.nl/grid/CILogon_Pre-Pilot_Work . You can |
| 11 |
use these scripts to deploy a Master Portal and Credential Store on two separate hosts, or into one |
| 12 |
single host. |
| 13 |
|
| 14 |
|
| 15 |
Prerequisites |
| 16 |
--------------------------------------------------------------------------------------------------- |
| 17 |
|
| 18 |
1. Your hosts should already be configured with host certificats placed in the usual |
| 19 |
/etc/grid-security location. It is further assumed that your host certificates are |
| 20 |
issued by 'TERENA eScience SSL CA 3'. If not, you will have to make some modifications |
| 21 |
to these scripts before executing them |
| 22 |
|
| 23 |
|
| 24 |
How to use these scripts? |
| 25 |
---------------------------------------------------------------------------------------------------- |
| 26 |
|
| 27 |
Before you begin executing plays make sure to decide whether you're deployment will use two separate |
| 28 |
hosts for Master Portal and Credential Store, or a single host. Fill in you machine hostname[s] into |
| 29 |
the 'hosts.inventory' file accordingly. |
| 30 |
|
| 31 |
There are three different plays you have to execute in order to set up a Master Portal. The plays |
| 32 |
you have to execute are in order as follows: |
| 33 |
|
| 34 |
1. basic-env.yml |
| 35 |
|
| 36 |
a. Check that you have the right host certificate |
| 37 |
|
| 38 |
This play contains a basic configuration that has to be done to both Master Portal and |
| 39 |
Credential Store. For single host deployments this only has to be execute once, while in |
| 40 |
case of separate hosts execute this play for both Master Portal and Credential Store |
| 41 |
hosts. |
| 42 |
|
| 43 |
This play takes care of installing some dependecies, like the epel repository, and |
| 44 |
certificate trust roots. It is assumed that your host is configured with host certificate |
| 45 |
issued by the 'TERENA eScience SSL CA 3' root certificate. If this is not the case, make |
| 46 |
sure to correctly edit this play to install the right root certificate bundle. |
| 47 |
|
| 48 |
|
| 49 |
2. credstore.yml |
| 50 |
|
| 51 |
a. Fill in required environment variables |
| 52 |
|
| 53 |
This play will configure the Credential Server host. Basically, it provides a MyProxy |
| 54 |
Server installation with some configuration. Before starting this play there are a couple |
| 55 |
important variables you should override. You can find these and their explanation in |
| 56 |
'credstore_env.yml'. |
| 57 |
|
| 58 |
b. Provide Online CA tar file |
| 59 |
|
| 60 |
MyProxy only stores credentials that it can verify, therefor it's very important to |
| 61 |
have the Online CA (which will issue user certificates) present in the trusted |
| 62 |
certificates directory (usually /etc/grid-security/certificates). Make a tarball from |
| 63 |
the Online CA in pem format, together with subject_hash links and signing_policy. Do |
| 64 |
not forget the signing policy, since MyProxy will not work without it. The result tarball |
| 65 |
should contain these files at the top level, without any direcotry structure, and it |
| 66 |
should be places under 'roles/credstore/files/' |
| 67 |
|
| 68 |
|
| 69 |
3. masterportal.yml |
| 70 |
|
| 71 |
a. Fill in the required variales |
| 72 |
|
| 73 |
Before executing this play, make sure to fill in the required variables listed and |
| 74 |
explained in the 'masterportal_env.yml' file. |
| 75 |
|
| 76 |
b. Verify deploying war files |
| 77 |
|
| 78 |
This play is about to deploy the Master Portal war files (mp-oa2-client.war and |
| 79 |
mp-oa2-server.war) and optionally the VO Portal war file (vo-portal.war). Make sure that |
| 80 |
these are present in your 'role/masterportal/files' directory. |
| 81 |
|
| 82 |
c. Tweak iptables rules |
| 83 |
|
| 84 |
There is a simple set of iptable rules being deployed by this play. Feel free to customize |
| 85 |
this to the needs of your infrastructure. Make sure to leave port 443 accessible. The |
| 86 |
iptables file can be found in 'role/masterportal/files' |
| 87 |
|
Parent Directory
| 
Revision Log