Initial commit.

893680cb · McConahy, Renee Margaret · 893680cb · 893680cb · 893680cb · 893680cb
Commit 893680cb authored 5 years ago by McConahy, Renee Margaret
--- a/.gitignore
+++ b/.gitignore
+/.vagrant/
--- a/Vagrantfile
+++ b/Vagrantfile
+machines = YAML.safe_load File.read("vagrant-machines.yml"),
+                          symbolize_names: true
+Vagrant.configure("2") do |config|
+  machines.each do |machine_name, machine_config|
+    config.vm.define machine_name do |machine|
+      machine.vm.box = machine_config[:vagrant_box]
+      machine.vm.hostname = machine_config[:hostname]
+      machine.vm.network "private_network", ip: machine_config[:external_ip]
+      machine.vm.provider "virtualbox" do |vb|
+        vb.memory = 2048
+        vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
+      end
+    end
+  end
+  config.vm.provision "ansible" do |ansible|
+    ansible.playbook = "playbook.yml"
+    ansible.compatibility_mode = "2.0"
+    ansible.host_vars = machines
+    ansible.groups = {
+      "lockss": machines.keys
+    }
+  end
+end
--- a/playbook.yml
+++ b/playbook.yml
+---
+- hosts: lockss
+  become: true
+  vars:
+    lockss_db_password: pass
+    lockss_ui_password: pass
+    lockss_hostname: "{{ hostname }}"
+    lockss_ipaddr: "{{ external_ip }}"
+    lockss_external_ipaddr: "{{ external_ip }}"
+    lockss_access_subnet: 0.0.0.0/0
+    lockss_admin_email: root@localhost
+    minimum_memory_mb: 4096
+  roles:
+    - system-update
+    - minimum_memory
+    - lockss
--- a/roles/base-misc/tasks/main.yml
+++ b/roles/base-misc/tasks/main.yml
+---
+- name: Set sudo's secure_path.
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regex: ^Defaults\s+secure_path\s*=
+    line: "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:\
+           /usr/local/sbin:/usr/local/bin"
+    validate: /usr/sbin/visudo -cf %s
+- name: Install Python3.
+  package:
+    name: python3
+    state: present
+- name: Install pip (CentOS).
+  package:
+    name:
+      - python3-pip-9.*
+    state: present
+  when: ansible_distribution == "CentOS"
+- name: Install python-setuptools (CentOS).
+  package:
+    name:
+      - python-setuptools
+    state: present
+  when: ansible_distribution == "CentOS"
--- a/roles/docker-local-persist/assets/docker-volume-local-persist.service
+++ b/roles/docker-local-persist/assets/docker-volume-local-persist.service
+[Unit]
+Description=docker-volume-local-persist
+Before=docker.service
+Wants=docker.service
+[Service]
+TimeoutStartSec=0
+ExecStart=/usr/local/bin/docker-volume-local-persist
+[Install]
+WantedBy=multi-user.target
--- a/roles/docker-local-persist/meta/main.yml
+++ b/roles/docker-local-persist/meta/main.yml
+---
+dependencies:
+  - role: docker
--- a/roles/docker-local-persist/tasks/main.yml
+++ b/roles/docker-local-persist/tasks/main.yml
+---
+- name: Install local-persist binary.
+  get_url:
+    url: "{{ docker_local_persist_url }}"
+    dest: /usr/local/bin/docker-volume-local-persist
+    owner: root
+    mode: 0755
+    checksum: "{{ docker_local_persist_checksum }}"
+# Copied from <https://raw.githubusercontent.com/CWSpear/local-persist/v1.3.0/\
+# init/systemd.service>; modified for having the binary in /usr/local.
+- name: Install systemd unit for local-persist.
+  copy:
+    dest: /etc/systemd/system/docker-volume-local-persist.service
+    src: assets/docker-volume-local-persist.service
+    owner: root
+    mode: 0644
+- name: Enable and start local-persist service.
+  service:
+    name: docker-volume-local-persist
+    enabled: true
+    state: started
--- a/roles/docker-local-persist/vars/main.yml
+++ b/roles/docker-local-persist/vars/main.yml
+---
+docker_local_persist_url: "https://github.com/MatchbookLab/local-persist/\
+                           releases/download/v1.3.0/local-persist-linux-amd64"
+docker_local_persist_checksum: sha1:41a2169525575da40695451f95cfc5f2c314ab6d
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
+---
+- name: Add GPG key for Docker repository (Ubuntu).
+  apt_key:
+    state: present
+    id: "{{ docker_gpg_key['Ubuntu']['id'] }}"
+    url: "{{ docker_gpg_key['Ubuntu']['url'] }}"
+  when: ansible_distribution == "Ubuntu"
+- name: Add Docker repository (Ubuntu).
+  apt_repository:
+    repo: deb {{ docker_repo_url['Ubuntu'] }} {{ ansible_lsb.codename }} stable
+  when: ansible_distribution == "Ubuntu"
+- name: Add Docker repository (CentOS).
+  yum_repository:
+    name: docker-ce
+    description: Docker CE
+    state: present
+    baseurl: "{{ docker_repo_url['CentOS'] }}"
+    gpgkey: "{{ docker_gpg_key['CentOS']['url'] }}"
+    gpgcheck: true
+  when: ansible_distribution == "CentOS"
+- name: Install Docker (Ubuntu).
+  package:
+    name:
+      - docker-ce=5:19.03.*
+      - docker-ce-cli=5:19.03.*
+      - containerd.io=1.2.*
+      - python3-docker    # Needed for Ansible's Docker modules.
+    state: present
+  when: ansible_distribution == "Ubuntu"
+- name: Install Docker (CentOS).
+  package:
+    name:
+      - docker-ce-19.03.*
+      - docker-ce-cli-19.03.*
+      - containerd.io-1.2.*
+      - python-docker-py    # Needed for Ansible's Docker modules.
+    state: present
+  when: ansible_distribution == "CentOS"
+- name: Install python3-docker (CentOS).
+  vars:
+    ansible_python_interpreter: python3
+  pip:
+    name:
+      - docker>=2.1.0,<3.0
+    state: present
+  when: ansible_distribution == "CentOS"
+- name: Enable and start Docker service.
+  service:
+    name: docker
+    enabled: true
+    state: started
--- a/roles/docker/vars/main.yml
+++ b/roles/docker/vars/main.yml
+---
+docker_repo_url:
+  Ubuntu: https://download.docker.com/linux/ubuntu
+  CentOS: https://download.docker.com/linux/centos/7/$basearch/stable
+docker_gpg_key:
+  Ubuntu:
+    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+    url: https://download.docker.com/linux/ubuntu/gpg
+  CentOS:
+    id: 060A61C51B558A7F742B77AAC52FEB6B621E9F35
+    url: https://download.docker.com/linux/centos/gpg
--- a/roles/lockss/defaults/main.yml
+++ b/roles/lockss/defaults/main.yml
+---
+lockss_git_version: version-2.0-alpha
+lockss_ui_user: admin
--- a/roles/lockss/meta/main.yml
+++ b/roles/lockss/meta/main.yml
+---
+dependencies:
+  - role: base-misc
+  - role: docker
+  - role: docker-local-persist
--- a/roles/lockss/tasks/main.yml
+++ b/roles/lockss/tasks/main.yml
+---
+- name: Add the lockss group.
+  group:
+    name: lockss
+    state: present
+- name: Add the lockss user.
+  user:
+    name: lockss
+    state: present
+    group: lockss
+    comment: LOCKSS
+- name: Add the lockss user to the docker group.
+  user:
+    name: lockss
+    state: present
+    groups: docker
+    append: true
+- name: Check the storage driver used by Docker.
+  command:
+    cmd: docker info -f {% raw %}'{{.Driver}}'{% endraw %}
+  check_mode: false
+  ignore_errors: true
+  no_log: true
+  changed_when: false
+  register: r
+- name: Ensure Docker is using the OverlayFS storage driver.
+  assert:
+    that: r.stdout == "overlay2"
+    quiet: true
+- name: Init a new swarm with default parameters.
+  docker_swarm:
+    state: present
+    advertise_addr: lo
+- name: Install pystache (Ubuntu).
+  package:
+    name: python3-pystache=0.5.*
+    state: present
+  when: ansible_distribution == "Ubuntu"
+- name: Create symlink for pystache (Ubuntu).
+  file:
+    src: /usr/bin/pystache3
+    dest: /usr/local/bin/pystache
+    owner: root
+    state: link
+  when: ansible_distribution == "Ubuntu"
+- name: Install pystache (CentOS).
+  vars:
+    ansible_python_interpreter: python3
+  pip:
+    name:
+      - pystache>=0.5,<1.0
+    state: present
+  when: ansible_distribution == "CentOS"
+- name: Install python-pkg-resources (Ubuntu).
+  package:
+    name:
+      - python3-pkg-resources
+    state: present
+  when: ansible_distribution == "Ubuntu"
+- name: Install git.
+  package:
+    name: git
+    state: present
+- name: Create LOCKSS source directory.
+  file:
+    path: /usr/src/lockss
+    state: directory
+    owner: lockss
+    mode: 0755
+- name: Pull LOCKSS repository.
+  git:
+    repo: https://github.com/lockss/lockss-installer
+    dest: /usr/src/lockss
+    version: "{{ lockss_git_version }}"
+    depth: 1
+  become_user: lockss
+- name: Install ifconfig.
+  package:
+    name: net-tools
+    state: present
+- name: Install LOCKSS configuration.
+  copy:
+    dest: /usr/src/lockss/config/config.info
+    owner: lockss
+    mode: 0644
+    content: |
+      LOCKSS_CONFIG_VERSION=2
+      LOCKSS_USER=lockss
+      LOCKSS_HOSTNAME={{ lockss_hostname }}
+      LOCKSS_IPADDR={{ lockss_ipaddr }}
+      LOCKSS_EXTERNAL_IPADDR={{ lockss_external_ipaddr | default }}
+      LOCKSS_V3_PORT=9729
+      LOCKSS_ACCESS_SUBNET={{ lockss_access_subnet }}
+      LOCKSS_MAILHUB={{ lockss_mailhub_user | default("localhost") }}
+      LOCKSS_MAILHUB_USER={{ lockss_mailhub_user | default }}
+      LOCKSS_MAILHUB_PASSWORD={{ lockss_mailhub_user | default }}
+      LOCKSS_EMAIL={{ lockss_admin_email }}
+      LOCKSS_PROPS_URL=http://props.lockss.org:8001/demo/lockss.xml
+      LOCKSS_PROPS_PROXY=NONE
+      LOCKSS_PROPS_SERVER_AUTHENTICATE_KEYSTORE=
+      LOCKSS_TEST_GROUP=demo
+      LOCKSS_DATA_DIR=/var/lib/lockss
+      LOCKSS_LOGS_DIR=/var/log/lockss
+      LOCKSS_ADMIN_USER={{ lockss_ui_user }}
+      LOCKSS_ADMIN_PASSWD=SHA-256:{{ lockss_ui_password | hash('sha256') }}
+      LOCKSS_DB_PASSWD=SHA-256:{{ lockss_db_password | hash('sha256') }}
+      LOCKSS_PROXY_PORT=24670
+      LOCKSS_TMPDIR=/var/lib/lockss/tmp
+      LOCKSS_CLEAR_TMPDIR=yes
+- name: Add Docker secret for UI password.
+  vars:
+    ansible_python_interpreter: python3
+  docker_secret:
+    name: lockss_ui_pass
+    state: present
+    data: "{{ lockss_ui_password }}"
+- name: Add Docker secret for database password.
+  vars:
+    ansible_python_interpreter: python3
+  docker_secret:
+    name: lockss-postgres-pass
+    state: present
+    data: "{{ lockss_db_password }}"
+- name: Create LOCKSS data directories.
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: lockss
+    mode: 0700
+  loop:
+    - /var/lib/lockss
+    - /var/lib/lockss/tmp
+- name: Create LOCKSS log directory.
+  file:
+    path: /var/log/lockss
+    state: directory
+    owner: lockss
+    group: adm
+    mode: 02770
+# FIXME: These are not idempotent.
+# FIXME: This could probably be a handler.
+- name: Build LOCKSS configuration.
+  command:
+    cmd: scripts/generate-lockss
+    chdir: /usr/src/lockss
+  become_user: lockss
+# FIXME: LOCKSS's scripts are yucky. Should we care?
+- name: Stop running LOCKSS containers.
+  command:
+    cmd: scripts/shutdown-lockss
+    chdir: /usr/src/lockss
+  become_user: lockss
+- name: Assemble LOCKSS containers.
+  command:
+    cmd: scripts/assemble-lockss
+    chdir: /usr/src/lockss
+  become_user: lockss
+- name: Deploy LOCKSS containers.
+  command:
+    cmd: scripts/deploy-lockss
+    chdir: /usr/src/lockss
+  become_user: lockss
--- a/roles/minimum_memory/defaults/main.yml
+++ b/roles/minimum_memory/defaults/main.yml
+---
+minimum_memory_mb: 0
+swapfile_name: /swap
--- a/roles/minimum_memory/tasks/main.yml
+++ b/roles/minimum_memory/tasks/main.yml
+---
+- name: Add additional swap if necessary.
+  block:
+    - name: Check if swapfile is in use.
+      shell:
+        cmd: swapon --show=name --noheadings |
+             grep -qFx -- {{ swapfile_name | quote }}
+      check_mode: false
+      ignore_errors: true
+      no_log: true
+      changed_when: false
+      register: r
+    - name: Disable swapping to swapfile.
+      command: swapoff -- {{ swapfile_name | quote }}
+      when: not r.rc
+    - name: Create swapfile.
+      command: dd if=/dev/zero of={{ swapfile_name | quote }} bs=1024k
+               count={{ minimum_memory_mb - ansible_memtotal_mb -
+                        ansible_swaptotal_mb }}
+    - name: Set swapfile permissions.
+      file:
+        path: "{{ swapfile_name }}"
+        owner: root
+        mode: 0600
+    - name: Format swapfile.
+      command: mkswap -- {{ swapfile_name | quote }}
+    - name: Add swapfile to fstab.
+      mount:
+        src: "{{ swapfile_name }}"
+        path: none
+        fstype: swap
+        state: present
+    - name: Enable swapping for file.
+      command: swapon -- {{ swapfile_name | quote }}
+  when: ansible_memtotal_mb + ansible_swaptotal_mb < minimum_memory_mb
--- a/roles/system-update/tasks/main.yml
+++ b/roles/system-update/tasks/main.yml
+---
+- name: Install system updates for Ubuntu system
+  apt:
+    upgrade: dist
+    update_cache: yes
+  when: ansible_distribution == "Ubuntu"
+- name: Install system updates for CentOS system.
+  yum:
+    name: "*"
+    state: latest
+    update_cache: yes
+  when: ansible_distribution == "CentOS"
--- a/vagrant-machines.yml
+++ b/vagrant-machines.yml
+---
+ubuntu:
+  vagrant_box: ubuntu/bionic64
+  external_ip: 192.168.20.226
+  hostname: lockss-ubuntu.test
+centos:
+  vagrant_box: centos/7
+  external_ip: 192.168.20.227
+  hostname: lockss-centos.test