diff --git a/README.md b/README.md
index 1237622..58ed8a1 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
 # ansible-playbook-sobigdata-rel
-Playbook that installs the REL + PEP stack
\ No newline at end of file
+Playbook that installs the SoBigData REL entity linker stack
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..637a2e7
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,506 @@
+# config file for ansible -- https://ansible.com/
+# ===============================================
+
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+[defaults]
+
+# some basic default values...
+
+#inventory = /etc/ansible/hosts
+#library = /usr/share/my_modules/
+#module_utils = /usr/share/my_module_utils/
+#remote_tmp = ~/.ansible/tmp
+#local_tmp = ~/.ansible/tmp
+#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
+#forks = 5
+#poll_interval = 15
+#sudo_user = root
+#ask_sudo_pass = True
+#ask_pass = True
+#transport = smart
+#remote_port = 22
+#module_lang = C
+#module_set_locale = False
+
+# plays will gather facts by default, which contain information about
+# the remote system.
+#
+# smart - gather by default, but don't regather if already gathered
+# implicit - gather by default, turn off with gather_facts: False
+# explicit - do not gather by default, must say gather_facts: True
+gathering = smart
+
+# This only affects the gathering done by a play's gather_facts directive,
+# by default gathering retrieves all facts subsets
+# all - gather all subsets
+# network - gather min and network facts
+# hardware - gather hardware facts (longest facts to retrieve)
+# virtual - gather min and virtual facts
+# facter - import facts from facter
+# ohai - import facts from ohai
+# You can combine them using comma (ex: network,virtual)
+# You can negate them using ! (ex: !hardware,!facter,!ohai)
+# A minimal set of facts is always gathered.
+#gather_subset = all
+
+# some hardware related facts are collected
+# with a maximum timeout of 10 seconds. This
+# option lets you increase or decrease that
+# timeout to something more suitable for the
+# environment.
+# gather_timeout = 10
+
+# Ansible facts are available inside the ansible_facts.* dictionary
+# namespace. This setting maintains the behaviour which was the default prior
+# to 2.5, duplicating these variables into the main namespace, each with a
+# prefix of 'ansible_'.
+# This variable is set to True by default for backwards compatibility. It
+# will be changed to a default of 'False' in a future release.
+# ansible_facts.
+# inject_facts_as_vars = True
+
+# additional paths to search for roles in, colon separated
+#roles_path = /etc/ansible/roles
+
+# uncomment this to disable SSH key host checking
+host_key_checking = False
+
+# change the default callback, you can only have one 'stdout' type enabled at a time.
+#stdout_callback = skippy
+
+
+## Ansible ships with some plugins that require whitelisting,
+## this is done to avoid running all of a type by default.
+## These setting lists those that you want enabled for your system.
+## Custom plugins should not need this unless plugin author specifies it.
+
+# enable callback plugins, they can output to stdout but cannot be 'stdout' type.
+callback_whitelist = timer,profile_roles,profile_tasks,mail
+
+# Determine whether includes in tasks and handlers are "static" by
+# default. As of 2.0, includes are dynamic by default. Setting these
+# values to True will make includes behave more like they did in the
+# 1.x versions.
+#task_includes_static = False
+#handler_includes_static = False
+
+# Controls if a missing handler for a notification event is an error or a warning
+#error_on_missing_handler = True
+
+# change this for alternative sudo implementations
+#sudo_exe = sudo
+
+# What flags to pass to sudo
+# WARNING: leaving out the defaults might create unexpected behaviours
+#sudo_flags = -H -S -n
+
+# SSH timeout
+#timeout = 10
+
+# default user to use for playbooks if user is not specified
+# (/usr/bin/ansible will use current user as default)
+#remote_user = root
+remote_user = ansible
+
+# logging is off by default unless this path is defined
+# if so defined, consider logrotate
+#log_path = /var/log/ansible.log
+
+# default module name for /usr/bin/ansible
+#module_name = command
+
+# use this shell for commands executed under sudo
+# you may need to change this to bin/bash in rare instances
+# if sudo is constrained
+#executable = /bin/sh
+
+# if inventory variables overlap, does the higher precedence one win
+# or are hash values merged together? The default is 'replace' but
+# this can also be set to 'merge'.
+#hash_behaviour = replace
+
+# by default, variables from roles will be visible in the global variable
+# scope. To prevent this, the following option can be enabled, and only
+# tasks and handlers within the role will see the variables there
+#private_role_vars = yes
+
+# list any Jinja2 extensions to enable here:
+#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
+
+# if set, always use this private key file for authentication, same as
+# if passing --private-key to ansible or ansible-playbook
+#private_key_file = /path/to/file
+
+# If set, configures the path to the Vault password file as an alternative to
+# specifying --vault-password-file on the command line.
+#vault_password_file = /path/to/vault_password_file
+
+# format of string {{ ansible_managed }} available within Jinja2
+# templates indicates to users editing templates files will be replaced.
+# replacing {file}, {host} and {uid} and strftime codes with proper values.
+ansible_managed = Ansible managed: {file} on {host}
+# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
+# in some situations so the default is a static string:
+#ansible_managed = Ansible managed
+
+# by default, ansible-playbook will display "Skipping [host]" if it determines a task
+# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
+# messages. NOTE: the task header will still be shown regardless of whether or not the
+# task is skipped.
+#display_skipped_hosts = True
+
+# by default, if a task in a playbook does not include a name: field then
+# ansible-playbook will construct a header that includes the task's action but
+# not the task's args. This is a security feature because ansible cannot know
+# if the *module* considers an argument to be no_log at the time that the
+# header is printed. If your environment doesn't have a problem securing
+# stdout from ansible-playbook (or you have manually specified no_log in your
+# playbook on all of the tasks where you have secret information) then you can
+# safely set this to True to get more informative messages.
+#display_args_to_stdout = False
+
+# by default (as of 1.3), Ansible will raise errors when attempting to dereference
+# Jinja2 variables that are not set in templates or action lines. Uncomment this line
+# to revert the behavior to pre-1.3.
+#error_on_undefined_vars = False
+
+# by default (as of 1.6), Ansible may display warnings based on the configuration of the
+# system running ansible itself. This may include warnings about 3rd party packages or
+# other conditions that should be resolved if possible.
+# to disable these warnings, set the following value to False:
+#system_warnings = True
+
+# by default (as of 1.4), Ansible may display deprecation warnings for language
+# features that should no longer be used and will be removed in future versions.
+# to disable these warnings, set the following value to False:
+#deprecation_warnings = True
+
+# (as of 1.8), Ansible can optionally warn when usage of the shell and
+# command module appear to be simplified by using a default Ansible module
+# instead. These warnings can be silenced by adjusting the following
+# setting or adding warn=yes or warn=no to the end of the command line
+# parameter string. This will for example suggest using the git module
+# instead of shelling out to the git command.
+command_warnings = True
+ssh_args = -o ControlMaster=auto -o ControlPersist=600s
+control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
+
+
+# set plugin path directories here, separate with colons
+action_plugins = /usr/share/ansible/plugins/action
+#cache_plugins = /usr/share/ansible/plugins/cache
+callback_plugins = /usr/share/ansible/plugins/callback
+connection_plugins = /usr/share/ansible/plugins/connection
+lookup_plugins = /usr/share/ansible/plugins/lookup
+#inventory_plugins = /usr/share/ansible/plugins/inventory
+vars_plugins = /usr/share/ansible/plugins/vars
+filter_plugins = /usr/share/ansible/plugins/filter
+test_plugins = /usr/share/ansible/plugins/test
+#terminal_plugins = /usr/share/ansible/plugins/terminal
+#strategy_plugins = /usr/share/ansible/plugins/strategy
+
+
+# by default, ansible will use the 'linear' strategy but you may want to try
+# another one
+#strategy = free
+
+# by default callbacks are not loaded for /bin/ansible, enable this if you
+# want, for example, a notification or logging callback to also apply to
+# /bin/ansible runs
+bin_ansible_callbacks = True
+
+
+# don't like cows? that's unfortunate.
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
+#nocows = 1
+
+# set which cowsay stencil you'd like to use by default. When set to 'random',
+# a random stencil will be selected for each task. The selection will be filtered
+# against the `cow_whitelist` option below.
+#cow_selection = default
+#cow_selection = random
+
+# when using the 'random' option for cowsay, stencils will be restricted to this list.
+# it should be formatted as a comma-separated list with no spaces between names.
+# NOTE: line continuations here are for formatting purposes only, as the INI parser
+# in python does not support them.
+#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
+#              hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
+#              stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
+
+# don't like colors either?
+# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
+#nocolor = 1
+
+# if set to a persistent type (not 'memory', for example 'redis') fact values
+# from previous runs in Ansible will be stored. This may be useful when
+# wanting to use, for example, IP information from one group of servers
+# without having to talk to them in the same playbook run to get their
+# current IP information.
+fact_caching = memory
+
+#This option tells Ansible where to cache facts. The value is plugin dependent.
+#For the jsonfile plugin, it should be a path to a local directory.
+#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
+
+fact_caching_connection=$HOME/.ansible/facts
+
+
+
+# retry files
+# When a playbook fails by default a .retry file will be created in ~/
+# You can disable this feature by setting retry_files_enabled to False
+# and you can change the location of the files by setting retry_files_save_path
+
+retry_files_enabled = False
+retry_files_save_path = ~/.ansible_retry
+
+# squash actions
+# Ansible can optimise actions that call modules with list parameters
+# when looping. Instead of calling the module once per with_ item, the
+# module is called once with all items at once. Currently this only works
+# under limited circumstances, and only with parameters named 'name'.
+#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper
+
+# prevents logging of task data, off by default
+#no_log = False
+
+# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
+no_target_syslog = False
+
+# controls whether Ansible will raise an error or warning if a task has no
+# choice but to create world readable temporary files to execute a module on
+# the remote machine. This option is False by default for security. Users may
+# turn this on to have behaviour more like Ansible prior to 2.1.x. See
+# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
+# for more secure ways to fix this than enabling this option.
+#allow_world_readable_tmpfiles = False
+
+# controls the compression level of variables sent to
+# worker processes. At the default of 0, no compression
+# is used. This value must be an integer from 0 to 9.
+#var_compression_level = 9
+
+# controls what compression method is used for new-style ansible modules when
+# they are sent to the remote system. The compression types depend on having
+# support compiled into both the controller's python and the client's python.
+# The names should match with the python Zipfile compression types:
+# * ZIP_STORED (no compression. available everywhere)
+# * ZIP_DEFLATED (uses zlib, the default)
+# These values may be set per host via the ansible_module_compression inventory
+# variable
+#module_compression = 'ZIP_DEFLATED'
+
+# This controls the cutoff point (in bytes) on --diff for files
+# set to 0 for unlimited (RAM may suffer!).
+#max_diff_size = 1048576
+
+# This controls how ansible handles multiple --tags and --skip-tags arguments
+# on the CLI. If this is True then multiple arguments are merged together. If
+# it is False, then the last specified argument is used and the others are ignored.
+# This option will be removed in 2.8.
+#merge_multiple_cli_flags = True
+
+# Controls showing custom stats at the end, off by default
+show_custom_stats = True
+
+# Controls which files to ignore when using a directory as inventory with
+# possibly multiple sources (both static and dynamic)
+inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo
+
+# This family of modules use an alternative execution path optimized for network appliances
+# only update this setting if you know how this works, otherwise it can break module execution
+#network_group_modules=eos, nxos, ios, iosxr, junos, vyos
+
+# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
+# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
+# jinja2 templating language which will be run through the templating engine.
+# ENABLING THIS COULD BE A SECURITY RISK
+#allow_unsafe_lookups = False
+
+# set default errors for all plays
+#any_errors_fatal = False
+
+[inventory]
+# enable inventory plugins, default: 'host_list', 'script', 'yaml', 'ini', 'auto'
+#enable_plugins = host_list, virtualbox, yaml, constructed
+
+# ignore these extensions when parsing a directory as inventory source
+#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
+
+# ignore files matching these patterns when parsing a directory as inventory source
+#ignore_patterns=
+
+# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise.
+#unparsed_is_failed=False
+
+[privilege_escalation]
+become=True
+become_method=sudo
+become_user=root
+become_ask_pass=False
+
+[paramiko_connection]
+
+# uncomment this line to cause the paramiko connection plugin to not record new host
+# keys encountered. Increases performance on new host additions. Setting works independently of the
+# host key checking setting above.
+record_host_keys=False
+
+# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
+# line to disable this behaviour.
+#pty=False
+
+# paramiko will default to looking for SSH keys initially when trying to
+# authenticate to remote devices. This is a problem for some network devices
+# that close the connection after a key failure. Uncomment this line to
+# disable the Paramiko look for keys function
+#look_for_keys = False
+
+# When using persistent connections with Paramiko, the connection runs in a
+# background process. If the host doesn't already have a valid SSH key, by
+# default Ansible will prompt to add the host key. This will cause connections
+# running in background processes to fail. Uncomment this line to have
+# Paramiko automatically add host keys.
+#host_key_auto_add = True
+
+[ssh_connection]
+
+# ssh arguments to use
+# Leaving off ControlPersist will result in poor performance, so use
+# paramiko on older platforms rather than removing it, -C controls compression use
+ssh_args = -C -o ControlMaster=auto -o ControlPersist=120s
+
+# The base directory for the ControlPath sockets.
+# This is the "%(directory)s" in the control_path option
+#
+# Example:
+# control_path_dir = /tmp/.ansible/cp
+#control_path_dir = ~/.ansible/cp
+
+# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
+# port and username (empty string in the config). The hash mitigates a common problem users
+# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
+# In those cases, a "too long for Unix domain socket" ssh error would occur.
+#
+# Example:
+#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
+#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
+#control_path =
+
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
+# first disable 'requiretty' in /etc/sudoers
+#
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+pipelining = True
+
+# Control the mechanism for transferring files (old)
+#   * smart = try sftp and then try scp [default]
+#   * True = use scp only
+#   * False = use sftp only
+#scp_if_ssh = smart
+
+# Control the mechanism for transferring files (new)
+# If set, this will override the scp_if_ssh option
+#   * sftp  = use sftp to transfer files
+#   * scp   = use scp to transfer files
+#   * piped = use 'dd' over SSH to transfer files
+#   * smart = try sftp, scp, and piped, in that order [default]
+transfer_method = smart
+
+# if False, sftp will not use batch mode to transfer files. This may cause some
+# types of file transfer failures impossible to catch however, and should
+# only be disabled if your sftp version has problems with batch mode
+#sftp_batch_mode = False
+
+# The -tt argument is passed to ssh when pipelining is not enabled because sudo
+# requires a tty by default.
+#use_tty = True
+
+# Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
+# For each retry attempt, there is an exponential backoff,
+# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max).
+retries = 3
+
+[persistent_connection]
+
+# Configures the persistent connection timeout value in seconds. This value is
+# how long the persistent connection will remain idle before it is destroyed.
+# If the connection doesn't receive a request before the timeout value
+# expires, the connection is shutdown. The default value is 30 seconds.
+connect_timeout = 120
+
+# Configures the persistent connection retry timeout. This value configures
+# the retry timeout that ansible-connection will wait to connect
+# to the local domain socket. This value must be larger than the
+# ssh timeout (timeout) and less than persistent connection idle timeout (connect_timeout).
+# The default value is 15 seconds.
+#connect_retry_timeout = 15
+
+# The command timeout value defines the amount of time to wait for a command
+# or RPC call before timing out. The value for the command timeout must
+# be less than the value of the persistent connection idle timeout (connect_timeout)
+# The default value is 10 seconds.
+#command_timeout = 10
+
+[accelerate]
+#accelerate_port = 5099
+#accelerate_timeout = 30
+#accelerate_connect_timeout = 5.0
+
+# The daemon timeout is measured in minutes. This time is measured
+# from the last activity to the accelerate daemon.
+#accelerate_daemon_timeout = 30
+
+# If set to yes, accelerate_multi_key will allow multiple
+# private keys to be uploaded to it, though each user must
+# have access to the system via SSH to add a new key. The default
+# is "no".
+#accelerate_multi_key = yes
+
+[selinux]
+# file systems that require special treatment when dealing with security context
+# the default behaviour that copies the existing context or uses the user default
+# needs to be changed to use the file system dependent context.
+#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p
+
+# Set this to yes to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = yes
+
+[colors]
+#highlight = white
+#verbose = blue
+#warn = bright purple
+#error = red
+#debug = dark gray
+#deprecate = purple
+#skip = cyan
+#unreachable = red
+#ok = green
+#changed = yellow
+#diff_add = green
+#diff_remove = red
+#diff_lines = cyan
+
+
+[diff]
+# Always print diff when running ( same as always running with -D/--diff )
+# always = no
+
+# Set how many context lines to show in diff
+# context = 3
+
+[ara]
+api_client = http
+api_timeout = 30
+api_server = http://127.0.0.1:8000
+
diff --git a/group_vars/all/all.yml b/group_vars/all/all.yml
new file mode 100644
index 0000000..2ad7e01
--- /dev/null
+++ b/group_vars/all/all.yml
@@ -0,0 +1,4 @@
+---
+sobigdata_rel_authorized_scopes: '/d4science.research-infrastructures.eu/SoBigData/TagMe'
+sobigdata_rel_service_host: 'rel-entity-linker.d4science.org'
+sobigdata_rel_pep: True
diff --git a/inventory/hosts b/inventory/hosts
new file mode 100644
index 0000000..26de6fd
--- /dev/null
+++ b/inventory/hosts
@@ -0,0 +1,2 @@
+[sobigdata_rel]
+docker-swarm1.int.d4science.net docker_swarm_manager_main_node=True
diff --git a/roles/sobigdata-rel/defaults/main.yml b/roles/sobigdata-rel/defaults/main.yml
new file mode 100644
index 0000000..3bdb6c6
--- /dev/null
+++ b/roles/sobigdata-rel/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+sobigdata_rel_compose_dir: '/srv/sobigdata_rel_stack'
+sobigdata_rel_docker_stack_name: 'rel-entity-linker'
+sobigdata_rel_docker_service_server_name: 'sobigdata-rel'
+sobigdata_rel_docker_server_image: 'informagi/rel'
+sobigdata_rel_docker_network: 'rel-entity-linker'
+sobigdata_rel_service_port: 5555
+# ner, ner-large
+sobigdata_rel_docker_command: 'python -m REL.server --bind 0.0.0.0 --ed-model wiki/generated/model --ner-model ner --port {{ sobigdata_rel_service_port }} /workspace wiki'
+sobigdata_rel_haproxy_public_net: 'haproxy-public'
+
+sobigdata_rel_authorized_scopes: '/gcube'
+sobigdata_rel_service_host: 'localhost'
+sobigdata_rel_pep: True
+pep_port: 80
+pep_replicas: 1
+nginx_pep_debug_enabled: False
+nginx_pep_max_body_size: 500M
+nginx_pep_body_timeout: 60s
diff --git a/roles/sobigdata-rel/meta/main.yml b/roles/sobigdata-rel/meta/main.yml
new file mode 100644
index 0000000..6216c22
--- /dev/null
+++ b/roles/sobigdata-rel/meta/main.yml
@@ -0,0 +1,26 @@
+galaxy_info:
+  author: Andrea Dell'Amico
+  description: Role that installs the SoBigData REL entity linker stack, optionally behind a PEP
+  company: ISTI-CNR
+
+  issue_tracker_url: https://support.d4science.org/projects/d4science-operation
+
+  license: EUPL 1.2+
+
+  min_ansible_version: 2.8
+
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: Ubuntu
+      versions:
+        - bionic
+    - name: EL
+      versions:
+        - 7
+
+  galaxy_tags:
+    - rel
+
+dependencies: []
diff --git a/roles/sobigdata-rel/tasks/main.yml b/roles/sobigdata-rel/tasks/main.yml
new file mode 100644
index 0000000..00b68cd
--- /dev/null
+++ b/roles/sobigdata-rel/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include_tasks: sobigdata-rel.yml
+- include_tasks: pep.yml
+  when: sobigdata_rel_pep
\ No newline at end of file
diff --git a/roles/sobigdata-rel/tasks/pep.yml b/roles/sobigdata-rel/tasks/pep.yml
new file mode 100644
index 0000000..3e92350
--- /dev/null
+++ b/roles/sobigdata-rel/tasks/pep.yml
@@ -0,0 +1,39 @@
+---
+- name: Manage the PEP configuration
+  block:
+    - name: Generate PEP config
+      ansible.builtin.template:
+        src: templates/nginx.conf.j2
+        dest: "{{ sobigdata_rel_compose_dir }}/nginx.conf"
+
+    - name: Generate PEP default config
+      ansible.builtin.template:
+        src: templates/nginx.default.conf.j2
+        dest: "{{ sobigdata_rel_compose_dir }}/nginx.default.conf"
+
+    - name: Generate pep.js
+      ansible.builtin.template:
+        src: templates/pep.js.j2
+        dest: "{{ sobigdata_rel_compose_dir }}/pep.js"
+
+    - name: Generate pep-docker-swarm
+      ansible.builtin.template:
+        src: templates/pep-swarm.yml.j2
+        dest: "{{ sobigdata_rel_compose_dir }}/rel-pep-stack.yml"
+
+  run_once: True
+  when: docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool
+  tags: [ 'sobigdata_rel', 'sobigdata_rel_pep' ]
+
+- name: Run the PEP stack
+  block:
+    - name: Start the SoBigData REL project PEP stack
+      community.docker.docker_stack:
+        name: '{{ sobigdata_rel_docker_stack_name }}'
+        state: present
+        compose:
+          - '{{ sobigdata_rel_compose_dir }}/rel-pep-stack.yml'
+
+  run_once: True
+  when: docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool
+  tags: [ 'sobigdata_rel', 'sobigdata_rel_pep' ]
diff --git a/roles/sobigdata-rel/tasks/sobigdata-rel.yml b/roles/sobigdata-rel/tasks/sobigdata-rel.yml
new file mode 100644
index 0000000..bebcdde
--- /dev/null
+++ b/roles/sobigdata-rel/tasks/sobigdata-rel.yml
@@ -0,0 +1,29 @@
+---
+- name: Manage the installation of the SoBigData REL project Docker stack
+  block:
+    - name: Create the directory where the compose file will be installed
+      ansible.builtin.file:
+        dest: '{{ sobigdata_rel_compose_dir }}'
+        state: directory
+        mode: 0750
+        owner: root
+        group: root
+
+    - name: Install the docker compose file
+      ansible.builtin.template:
+        src: sobigdata-rel-docker-compose.yml.j2
+        dest: '{{ sobigdata_rel_compose_dir }}/sobigdata-rel-docker-compose.yml'
+        owner: root
+        group: root
+        mode: 0400
+
+    - name: Start the REL project stack
+      community.docker.docker_stack:
+        name: '{{ sobigdata_rel_docker_stack_name }}'
+        state: present
+        compose:
+          - '{{ sobigdata_rel_compose_dir }}/sobigdata-rel-docker-compose.yml'
+
+  run_once: True
+  when: docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool
+  tags: [ 'sobigdata_rel', 'sobigdata_rel_linker' ]
diff --git a/roles/sobigdata-rel/templates/nginx.conf.j2 b/roles/sobigdata-rel/templates/nginx.conf.j2
new file mode 100644
index 0000000..b079900
--- /dev/null
+++ b/roles/sobigdata-rel/templates/nginx.conf.j2
@@ -0,0 +1,45 @@
+# Added to load njs module
+load_module modules/ngx_http_js_module.so;
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+
+    # added to import pep script
+    js_import pep.js;
+
+    # added to bind enforce function
+    js_set $authorization pep.enforce;
+
+    # added to create cache for tokens and auth calls
+    proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
+
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}
+
diff --git a/roles/sobigdata-rel/templates/nginx.default.conf.j2 b/roles/sobigdata-rel/templates/nginx.default.conf.j2
new file mode 100644
index 0000000..c8a7d99
--- /dev/null
+++ b/roles/sobigdata-rel/templates/nginx.default.conf.j2
@@ -0,0 +1,69 @@
+upstream service {
+    ip_hash;
+    server {{ sobigdata_rel_docker_stack_name }}_{{ sobigdata_rel_docker_service_server_name }}:{{ sobigdata_rel_service_port }};
+}
+
+# added to import pep script
+js_import pep.js;
+
+# added to bind enforce function
+js_set $authorization pep.enforce;
+
+# variables computed by njs and which may possibly be passed among locations
+js_var $auth_token;
+js_var $account_record;
+
+proxy_cache_path /tmp levels=1:2 keys_zone=social_cache:10m max_size=10g inactive=60m use_temp_path=off;
+
+server {
+
+    listen *:80;
+    listen [::]:80;
+
+    server_name {{ sobigdata_rel_service_host }};
+
+    subrequest_output_buffer_size 200k;
+
+    location /health {
+        add_header Content-Length 0;
+        add_header Content-Type "text/plain";
+        return 200;
+    }
+
+    location / {
+        proxy_read_timeout 300;
+        proxy_send_timeout 300;
+        js_content pep.enforce;
+    }
+
+    location /gcube_user_info {
+        internal;
+        gunzip on;
+        proxy_method GET;
+        proxy_http_version 1.1;
+        proxy_set_header gcube-token "$auth_token";
+        proxy_pass https://api.d4science.org/rest/2/people/profile;
+
+        proxy_cache social_cache;
+        proxy_cache_key $auth_token;
+    }
+
+    location /_backend {
+        internal;
+        proxy_read_timeout 300;
+        proxy_send_timeout 300;
+        resolver 146.48.122.10;
+        proxy_http_version 1.1;
+        proxy_set_header gcube-token "$auth_token";
+        proxy_pass http://service$request_uri;
+    }
+
+    location /_accounting {
+        internal;
+        proxy_method POST;
+        proxy_http_version 1.1;
+        proxy_set_header gcube-token "$auth_token";
+        proxy_set_header Content-Type "application/json";
+        proxy_pass https://accounting-service.d4science.org/accounting-service/record;
+    }
+}
diff --git a/roles/sobigdata-rel/templates/pep-swarm.yml.j2 b/roles/sobigdata-rel/templates/pep-swarm.yml.j2
new file mode 100644
index 0000000..982faa3
--- /dev/null
+++ b/roles/sobigdata-rel/templates/pep-swarm.yml.j2
@@ -0,0 +1,37 @@
+version: '3.6'
+
+services:
+  pep:
+    image: nginx:stable-alpine
+    networks:
+      - {{ sobigdata_rel_docker_network }}
+      - {{ sobigdata_rel_haproxy_public_net }}
+    deploy:
+      replicas: {{ pep_replicas }}
+      placement:
+        constraints: [node.role == worker]
+      endpoint_mode: dnsrr
+      restart_policy:
+        condition: on-failure
+        delay: 10s
+        window: 120s
+    configs:
+      - source: nginxconf
+        target: /etc/nginx/templates/default.conf.template
+      - source: nginxbaseconf
+        target: /etc/nginx/nginx.conf
+      - source: pep
+        target: /etc/nginx/pep.js
+
+networks:
+  {{ sobigdata_rel_docker_network }}:
+  {{ sobigdata_rel_haproxy_public_net }}:
+    external: true
+
+configs:
+  nginxconf:
+    file: ./nginx.default.conf
+  nginxbaseconf:
+    file: ./nginx.conf
+  pep:
+    file: ./pep.js
diff --git a/roles/sobigdata-rel/templates/pep.js.j2 b/roles/sobigdata-rel/templates/pep.js.j2
new file mode 100644
index 0000000..a0485bc
--- /dev/null
+++ b/roles/sobigdata-rel/templates/pep.js.j2
@@ -0,0 +1,109 @@
+export default { enforce };
+
+function log(c, s){
+    c.request.error(s)
+}
+
+function debug(c, s){
+    return {{ nginx_pep_debug_enabled | lower }} ? c.request.error(s) : null
+}
+
+function enforce(r) {
+
+    var context = {
+        request: r
+    }
+
+    var allowedcontexts = ["{{ sobigdata_rel_authorized_scopes }}"]
+
+    log(context, "Inside NJS enforce for " + r.method + " @ " + r.headersIn.host + "/" + r.uri)
+
+    const token = getGCubeToken(context)
+    if(token != null){
+        debug(context, "[PEP] token is " + token)
+        exportVariable(context, "auth_token", token)
+        context.request.subrequest("/gcube_user_info")
+            .then(reply=>{
+                if (reply.status === 200) {
+                    debug(context, "[Social Service] got response " + reply.responseBody)
+                    var response = JSON.parse(reply.responseBody);
+                    if(allowedcontexts.indexOf(response.result.context) === -1){
+                        debug(context, "[PEP] Unauthorized context " + response.result.context)
+                        throw new Error("Unauthorized")
+                    }
+                    return response
+                } else {
+                    debug(context, "[Social Service] failed " + reply.status + ":" + reply.responseBody)
+                    throw new Error("Unauthorized")
+                }
+            }).then(userinfo => {
+                debug(context, "[Social Service] username is " + userinfo.result.username)
+                context.userinfo = userinfo
+                context.record = buildAccountingRecord(context)
+                return context.request.subrequest("/_backend", { method : context.request.method, args : context.request.args, headers : context.request.headersIn})
+            }).then(reply=>{
+                debug(context, "[REL] response status: " + reply.status)
+                closeAccountingRecord(context.record, (reply.status === 200 || reply.status === 201 || reply.status === 204))
+                context.request.subrequest("/_accounting", { detached : true, body : JSON.stringify(context.record) })
+                r.return(reply.status, reply.responseBody)
+            }).catch(e => { log(context, "Error .... " + njs.dump(e)); context.request.return(e.message === "Unauthorized" ? 403 : 500)} )
+
+        return
+    }
+
+    r.return(401, "Authorization required")
+}
+
+function getGCubeToken(context){
+    if(context.request.args.token){
+        return context.request.args.token;
+    }else if (context.request.headersIn['gcube-token']){
+        return context.request.headersIn['gcube-token'];
+    }
+    return null;
+}
+
+function buildAccountingRecord(context){
+    const t = (new Date()).getTime()
+    return {
+        "recordType": "ServiceUsageRecord",
+        "operationCount": 1,
+        "creationTime": t,
+        "callerHost": context.request.remoteAddress,
+        "serviceClass": "Application",
+        "callerQualifier": "TOKEN",
+        "consumerId": context.userinfo.result.username,
+        "aggregated": true,
+        "serviceName": "REL",
+        "duration": 0,
+        "maxInvocationTime": 0,
+        "scope": "{{ sobigdata_rel_authorized_scopes }}",
+        "host": "{{ sobigdata_rel_service_host }}",
+        "startTime": t,
+        "id": uuid(),
+        "calledMethod": context.request.method + " " + context.request.uri,
+        "endTime": 0,
+        "minInvocationTime": 0,
+        "operationResult": null
+    }
+}
+
+function closeAccountingRecord(record, success){
+    const t = (new Date()).getTime()
+    record.duration = t - record.startTime
+    record.endTime = t
+    record.minInvocationTime = record.duration
+    record.operationResult = success ? "SUCCESS" : "FAILED";
+}
+
+function uuid() {
+    return 'xxxxxxxx-xxxx-4xxx-8xxx-xxxxxxxxxxxx'.replace(/[x]/g, function (c) {
+        const r = Math.random() * 16 | 0, v = c == 'x' ? r : (r & 0x3 | 0x8);
+        return v.toString(16);
+    });
+}
+
+function exportVariable(context, name, value){
+    context.request.variables[name] = value
+    return context
+}
diff --git a/roles/sobigdata-rel/templates/sobigdata-rel-docker-compose.yml.j2 b/roles/sobigdata-rel/templates/sobigdata-rel-docker-compose.yml.j2
new file mode 100644
index 0000000..7da50b4
--- /dev/null
+++ b/roles/sobigdata-rel/templates/sobigdata-rel-docker-compose.yml.j2
@@ -0,0 +1,28 @@
+version: '3.6'
+
+networks:
+  {{ sobigdata_rel_docker_network }}:
+
+services:
+  sobigdata-rel:
+    image: {{ sobigdata_rel_docker_server_image }}
+    networks:
+      - {{ sobigdata_rel_docker_network }}
+    command: '{{ sobigdata_rel_docker_command }}'
+    volumes:
+      - /nfs/sobigdata_rel/data/generic:/workspace/generic
+      - /nfs/sobigdata_rel/data/wiki:/workspace/wiki
+    deploy:
+      mode: replicated
+      replicas: 1
+      endpoint_mode: dnsrr
+      placement:
+        constraints: [node.role == worker]
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 5
+        window: 120s
+    logging:
+      driver: 'journald'
+
diff --git a/run.sh b/run.sh
new file mode 100755
index 0000000..bb3e987
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+#
+# The "directory/directory.yml" is the old way that we used to simplify jobs execution.
+# The "directory/site.yml" is the syntax used by roles (from ansible version 1.2)
+#
+# Otherwise we can directly execute a single play (file)
+#
+
+PAR=50
+TIMEOUT=15
+PLAY=site.yml
+PLAY_DIR="$( pwd )"
+ANSIBLE_HOSTS=
+
+export TMPDIR=/var/tmp/${USER}
+if [ ! -d "${TMPDIR}" ] ; then
+    mkdir -p "${TMPDIR}"
+fi
+
+if [ -f ../ansible.cfg ] ; then
+    export ANSIBLE_CONFIG="../ansible.cfg"
+fi
+if [ -f ./ansible.cfg ] ; then
+    export ANSIBLE_CONFIG="./ansible.cfg"
+fi
+
+# No cows!
+export ANSIBLE_NOCOWS=1
+
+export ANSIBLE_ERROR_ON_UNDEFINED_VARS=True
+export ANSIBLE_HOST_KEY_CHECKING=False
+export ANSIBLE_LIBRARY="/usr/share/ansible:./modules:../modules:$ANSIBLE_LIBRARY"
+
+# This check is not correct anymore.
+# if [ ! "$(python -m ara.setup.callback_plugins)" ] ; then
+#     echo "the ARA plugin is missing. Run 'sudo pip install ara' on your machine"
+#     exit 1
+# fi
+# if [ ! "$(python -m ara.setup.action_plugins)" ] ; then
+#     echo "the ARA plugin is missing. Run 'sudo pip install ara' on your machine"
+#     exit 1
+# fi
+
+PLAY_OPTS="-T $TIMEOUT -f $PAR"
+
+if [ -f "$1" ] ; then
+    PLAY=$1
+elif [ ! -f "$PLAY" ] ; then
+    echo "No play file available."
+    exit 1
+fi
+
+if [ -f "${PLAY}" ] ; then
+    MAIN="${PLAY}"
+    shift
+elif [ -f "${PLAY}.yml" ]; then
+    MAIN="${PLAY}.yml"
+    shift
+fi
+
+if [ -f "${PLAY_DIR}/hosts" ] ; then
+    ANSIBLE_HOSTS=${PLAY_DIR}/hosts
+fi
+if [ -f "${PLAY_DIR}/inventory/hosts" ] ; then
+    ANSIBLE_HOSTS=${PLAY_DIR}/inventory/hosts
+fi
+if [ -n "$ANSIBLE_HOSTS" ] ; then
+    PLAY_OPTS="$PLAY_OPTS -i $ANSIBLE_HOSTS"
+fi
+
+#echo "Find vault encrypted files if any"
+if [ -d ./group_vars ] ; then
+    VAULT_GROUP_FILES=$( find ./group_vars -name \*vault\* )
+fi
+if [ -d ./host_vars ] ; then
+    VAULT_HOST_FILES=$( find ./host_vars -name \*vault\* )
+fi
+
+if [ -n "$VAULT_GROUP_FILES" ] || [ -n "$VAULT_HOST_FILES" ] ; then
+    # Vault requires a password.
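+    # For illustration (the path is hypothetical, any file matching *vault* is
+    # picked up above): such files are created with 'ansible-vault encrypt group_vars/all/vault.yml'.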
+    # To encrypt a password for a user: python -c "from passlib.hash import sha512_crypt; print sha512_crypt.encrypt('')"
+    echo "There are password protected encrypted files, we will ask for password before proceeding"
+    PLAY_OPTS="$PLAY_OPTS --ask-vault-pass"
+fi
+
+# Main
+ansible-playbook $PLAY_OPTS $MAIN "$@"
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..4fe8593
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,6 @@
+---
+- hosts: sobigdata_rel
+  serial: 1
+  roles:
+    - { role: sobigdata-rel }
+
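
A minimal usage sketch, assuming the layout added by this diff (ansible.cfg,
inventory/hosts and site.yml in the working directory); the tag names are the
ones set in the role's tasks files:

    # full deployment through the helper script, which picks up ./ansible.cfg
    # and ./inventory/hosts on its own
    ./run.sh site.yml

    # equivalent direct invocation, limited to the PEP configuration tasks
    ansible-playbook -i inventory/hosts site.yml --tags sobigdata_rel_pep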