First commit.

This commit is contained in:
Andrea Dell'Amico 2022-02-14 20:01:32 +01:00
parent 6059b59462
commit c07cf06b1c
Signed by: andrea.dellamico
GPG Key ID: 147ABE6CEB9E20FF
16 changed files with 1011 additions and 1 deletions

View File

@ -1,3 +1,3 @@
# ansible-playbook-sobigdata-rel
Playbook that installs the REL + PEP stack
Playbook that installs the sobigdata REL entity stack

506
ansible.cfg Normal file
View File

@ -0,0 +1,506 @@
# config file for ansible -- https://ansible.com/
# ===============================================
# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first
[defaults]
# some basic default values...
#inventory = /etc/ansible/hosts
#library = /usr/share/my_modules/
#module_utils = /usr/share/my_module_utils/
#remote_tmp = ~/.ansible/tmp
#local_tmp = ~/.ansible/tmp
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks = 5
#poll_interval = 15
#sudo_user = root
#ask_sudo_pass = True
#ask_pass = True
#transport = smart
#remote_port = 22
#module_lang = C
#module_set_locale = False
# plays will gather facts by default, which contain information about
# the remote system.
#
# smart - gather by default, but don't regather if already gathered
# implicit - gather by default, turn off with gather_facts: False
# explicit - do not gather by default, must say gather_facts: True
gathering = smart
# This only affects the gathering done by a play's gather_facts directive,
# by default gathering retrieves all facts subsets
# all - gather all subsets
# network - gather min and network facts
# hardware - gather hardware facts (longest facts to retrieve)
# virtual - gather min and virtual facts
# facter - import facts from facter
# ohai - import facts from ohai
# You can combine them using comma (ex: network,virtual)
# You can negate them using ! (ex: !hardware,!facter,!ohai)
# A minimal set of facts is always gathered.
#gather_subset = all
# some hardware related facts are collected
# with a maximum timeout of 10 seconds. This
# option lets you increase or decrease that
# timeout to something more suitable for the
# environment.
# gather_timeout = 10
# Ansible facts are available inside the ansible_facts.* dictionary
# namespace. This setting maintains the behaviour which was the default prior
# to 2.5, duplicating these variables into the main namespace, each with a
# prefix of 'ansible_'.
# This variable is set to True by default for backwards compatibility. It
# will be changed to a default of 'False' in a future release.
# ansible_facts.
# inject_facts_as_vars = True
# additional paths to search for roles in, colon separated
#roles_path = /etc/ansible/roles
# uncomment this to disable SSH key host checking
host_key_checking = False
# change the default callback, you can only have one 'stdout' type enabled at a time.
#stdout_callback = skippy
## Ansible ships with some plugins that require whitelisting,
## this is done to avoid running all of a type by default.
## This setting lists those that you want enabled for your system.
## Custom plugins should not need this unless plugin author specifies it.
# enable callback plugins, they can output to stdout but cannot be 'stdout' type.
callback_whitelist = timer,profile_roles,profile_tasks,mail
# Determine whether includes in tasks and handlers are "static" by
# default. As of 2.0, includes are dynamic by default. Setting these
# values to True will make includes behave more like they did in the
# 1.x versions.
#task_includes_static = False
#handler_includes_static = False
# Controls if a missing handler for a notification event is an error or a warning
#error_on_missing_handler = True
# change this for alternative sudo implementations
#sudo_exe = sudo
# What flags to pass to sudo
# WARNING: leaving out the defaults might create unexpected behaviours
#sudo_flags = -H -S -n
# SSH timeout
#timeout = 10
# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
#remote_user = root
remote_user = ansible
# logging is off by default unless this path is defined
# if so defined, consider logrotate
#log_path = /var/log/ansible.log
# default module name for /usr/bin/ansible
#module_name = command
# use this shell for commands executed under sudo
# you may need to change this to bin/bash in rare instances
# if sudo is constrained
#executable = /bin/sh
# if inventory variables overlap, does the higher precedence one win
# or are hash values merged together? The default is 'replace' but
# this can also be set to 'merge'.
#hash_behaviour = replace
# by default, variables from roles will be visible in the global variable
# scope. To prevent this, the following option can be enabled, and only
# tasks and handlers within the role will see the variables there
#private_role_vars = yes
# list any Jinja2 extensions to enable here:
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
# if set, always use this private key file for authentication, same as
# if passing --private-key to ansible or ansible-playbook
#private_key_file = /path/to/file
# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
#vault_password_file = /path/to/vault_password_file
# format of the string {{ ansible_managed }} available within Jinja2 templates;
# it tells users editing a templated file that their changes will be replaced.
# {file}, {host}, {uid} and strftime codes are replaced with proper values.
ansible_managed = Ansible managed: {file} on {host}
# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
# in some situations so the default is a static string:
#ansible_managed = Ansible managed
# by default, ansible-playbook will display "Skipping [host]" if it determines a task
# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
# messages. NOTE: the task header will still be shown regardless of whether or not the
# task is skipped.
#display_skipped_hosts = True
# by default, if a task in a playbook does not include a name: field then
# ansible-playbook will construct a header that includes the task's action but
# not the task's args. This is a security feature because ansible cannot know
# if the *module* considers an argument to be no_log at the time that the
# header is printed. If your environment doesn't have a problem securing
# stdout from ansible-playbook (or you have manually specified no_log in your
# playbook on all of the tasks where you have secret information) then you can
# safely set this to True to get more informative messages.
#display_args_to_stdout = False
# by default (as of 1.3), Ansible will raise errors when attempting to dereference
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#error_on_undefined_vars = False
# by default (as of 1.6), Ansible may display warnings based on the configuration of the
# system running ansible itself. This may include warnings about 3rd party packages or
# other conditions that should be resolved if possible.
# to disable these warnings, set the following value to False:
#system_warnings = True
# by default (as of 1.4), Ansible may display deprecation warnings for language
# features that should no longer be used and will be removed in future versions.
# to disable these warnings, set the following value to False:
#deprecation_warnings = True
# (as of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a default Ansible module
# instead. These warnings can be silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line
# parameter string. This will for example suggest using the git module
# instead of shelling out to the git command.
command_warnings = True
# NOTE: ssh_args and control_path belong to the [ssh_connection] section; under
# [defaults] Ansible does not read them, so they are kept here commented out
# for reference only. The ssh_args actually in effect is the one defined in
# the [ssh_connection] section of this file.
#ssh_args = -o ControlMaster=auto -o ControlPersist=600s
#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
# set plugin path directories here, separate with colons
action_plugins = /usr/share/ansible/plugins/action
#cache_plugins = /usr/share/ansible/plugins/cache
callback_plugins = /usr/share/ansible/plugins/callback
connection_plugins = /usr/share/ansible/plugins/connection
lookup_plugins = /usr/share/ansible/plugins/lookup
#inventory_plugins = /usr/share/ansible/plugins/inventory
vars_plugins = /usr/share/ansible/plugins/vars
filter_plugins = /usr/share/ansible/plugins/filter
test_plugins = /usr/share/ansible/plugins/test
#terminal_plugins = /usr/share/ansible/plugins/terminal
#strategy_plugins = /usr/share/ansible/plugins/strategy
# by default, ansible will use the 'linear' strategy but you may want to try
# another one
#strategy = free
# by default callbacks are not loaded for /bin/ansible, enable this if you
# want, for example, a notification or logging callback to also apply to
# /bin/ansible runs
bin_ansible_callbacks = True
# don't like cows? that's unfortunate.
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
#nocows = 1
# set which cowsay stencil you'd like to use by default. When set to 'random',
# a random stencil will be selected for each task. The selection will be filtered
# against the `cow_whitelist` option below.
#cow_selection = default
#cow_selection = random
# when using the 'random' option for cowsay, stencils will be restricted to this list.
# it should be formatted as a comma-separated list with no spaces between names.
# NOTE: line continuations here are for formatting purposes only, as the INI parser
# in python does not support them.
#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
# don't like colors either?
# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
#nocolor = 1
# if set to a persistent type (not 'memory', for example 'redis') fact values
# from previous runs in Ansible will be stored. This may be useful when
# wanting to use, for example, IP information from one group of servers
# without having to talk to them in the same playbook run to get their
# current IP information.
fact_caching = memory
#This option tells Ansible where to cache facts. The value is plugin dependent.
#For the jsonfile plugin, it should be a path to a local directory.
#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
fact_caching_connection=$HOME/.ansible/facts
# retry files
# When a playbook fails by default a .retry file will be created in ~/
# You can disable this feature by setting retry_files_enabled to False
# and you can change the location of the files by setting retry_files_save_path
retry_files_enabled = False
retry_files_save_path = ~/.ansible_retry
# squash actions
# Ansible can optimise actions that call modules with list parameters
# when looping. Instead of calling the module once per with_ item, the
# module is called once with all items at once. Currently this only works
# under limited circumstances, and only with parameters named 'name'.
#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper
# prevents logging of task data, off by default
#no_log = False
# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
no_target_syslog = False
# controls whether Ansible will raise an error or warning if a task has no
# choice but to create world readable temporary files to execute a module on
# the remote machine. This option is False by default for security. Users may
# turn this on to have behaviour more like Ansible prior to 2.1.x. See
# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
# for more secure ways to fix this than enabling this option.
#allow_world_readable_tmpfiles = False
# controls the compression level of variables sent to
# worker processes. At the default of 0, no compression
# is used. This value must be an integer from 0 to 9.
#var_compression_level = 9
# controls what compression method is used for new-style ansible modules when
# they are sent to the remote system. The compression types depend on having
# support compiled into both the controller's python and the client's python.
# The names should match with the python Zipfile compression types:
# * ZIP_STORED (no compression. available everywhere)
# * ZIP_DEFLATED (uses zlib, the default)
# These values may be set per host via the ansible_module_compression inventory
# variable
#module_compression = 'ZIP_DEFLATED'
# This controls the cutoff point (in bytes) on --diff for files
# set to 0 for unlimited (RAM may suffer!).
#max_diff_size = 1048576
# This controls how ansible handles multiple --tags and --skip-tags arguments
# on the CLI. If this is True then multiple arguments are merged together. If
# it is False, then the last specified argument is used and the others are ignored.
# This option will be removed in 2.8.
#merge_multiple_cli_flags = True
# Controls showing custom stats at the end, off by default
show_custom_stats = True
# Controls which files to ignore when using a directory as inventory with
# possibly multiple sources (both static and dynamic)
inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo
# This family of modules use an alternative execution path optimized for network appliances
# only update this setting if you know how this works, otherwise it can break module execution
#network_group_modules=eos, nxos, ios, iosxr, junos, vyos
# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
# jinja2 templating language which will be run through the templating engine.
# ENABLING THIS COULD BE A SECURITY RISK
#allow_unsafe_lookups = False
# set default errors for all plays
#any_errors_fatal = False
[inventory]
# enable inventory plugins, default: 'host_list', 'script', 'yaml', 'ini', 'auto'
#enable_plugins = host_list, virtualbox, yaml, constructed
# ignore these extensions when parsing a directory as inventory source
#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
# ignore files matching these patterns when parsing a directory as inventory source
#ignore_patterns=
# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise.
#unparsed_is_failed=False
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[paramiko_connection]
# uncomment this line to cause the paramiko connection plugin to not record new host
# keys encountered. Increases performance on new host additions. Setting works independently of the
# host key checking setting above.
record_host_keys=False
# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
# line to disable this behaviour.
#pty=False
# paramiko will default to looking for SSH keys initially when trying to
# authenticate to remote devices. This is a problem for some network devices
# that close the connection after a key failure. Uncomment this line to
# disable the Paramiko look for keys function
#look_for_keys = False
# When using persistent connections with Paramiko, the connection runs in a
# background process. If the host doesn't already have a valid SSH key, by
# default Ansible will prompt to add the host key. This will cause connections
# running in background processes to fail. Uncomment this line to have
# Paramiko automatically add host keys.
#host_key_auto_add = True
[ssh_connection]
# ssh arguments to use
# Leaving off ControlPersist will result in poor performance, so use
# paramiko on older platforms rather than removing it, -C controls compression use
ssh_args = -C -o ControlMaster=auto -o ControlPersist=120s
# The base directory for the ControlPath sockets.
# This is the "%(directory)s" in the control_path option
#
# Example:
# control_path_dir = /tmp/.ansible/cp
#control_path_dir = ~/.ansible/cp
# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
# port and username (empty string in the config). The hash mitigates a common problem users
# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
# In those cases, a "too long for Unix domain socket" ssh error would occur.
#
# Example:
#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
#control_path =
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
pipelining = True
# Control the mechanism for transferring files (old)
# * smart = try sftp and then try scp [default]
# * True = use scp only
# * False = use sftp only
#scp_if_ssh = smart
# Control the mechanism for transferring files (new)
# If set, this will override the scp_if_ssh option
# * sftp = use sftp to transfer files
# * scp = use scp to transfer files
# * piped = use 'dd' over SSH to transfer files
# * smart = try sftp, scp, and piped, in that order [default]
transfer_method = smart
# if False, sftp will not use batch mode to transfer files. This may cause some
# types of file transfer failures impossible to catch however, and should
# only be disabled if your sftp version has problems with batch mode
#sftp_batch_mode = False
# The -tt argument is passed to ssh when pipelining is not enabled because sudo
# requires a tty by default.
#use_tty = True
# Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
# For each retry attempt, there is an exponential backoff,
# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max).
retries = 3
[persistent_connection]
# Configures the persistent connection timeout value in seconds. This value is
# how long the persistent connection will remain idle before it is destroyed.
# If the connection doesn't receive a request before the timeout value
# expires, the connection is shutdown. The default value is 30 seconds.
connect_timeout = 120
# Configures the persistent connection retry timeout. This value configures the
# retry timeout that ansible-connection will wait to connect
# to the local domain socket. This value must be larger than the
# ssh timeout (timeout) and less than persistent connection idle timeout (connect_timeout).
# The default value is 15 seconds.
#connect_retry_timeout = 15
# The command timeout value defines the amount of time to wait for a command
# or RPC call before timing out. The value for the command timeout must
# be less than the value of the persistent connection idle timeout (connect_timeout)
# The default value is 10 seconds.
#command_timeout = 10
[accelerate]
#accelerate_port = 5099
#accelerate_timeout = 30
#accelerate_connect_timeout = 5.0
# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
#accelerate_daemon_timeout = 30
# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default
# is "no".
#accelerate_multi_key = yes
[selinux]
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default
# needs to be changed to use the file system dependent context.
#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p
# Set this to yes to allow libvirt_lxc connections to work without SELinux.
#libvirt_lxc_noseclabel = yes
[colors]
#highlight = white
#verbose = blue
#warn = bright purple
#error = red
#debug = dark gray
#deprecate = purple
#skip = cyan
#unreachable = red
#ok = green
#changed = yellow
#diff_add = green
#diff_remove = red
#diff_lines = cyan
[diff]
# Always print diff when running ( same as always running with -D/--diff )
# always = no
# Set how many context lines to show in diff
# context = 3
[ara]
api_client = http
api_timeout = 30
api_server = http://127.0.0.1:8000

4
group_vars/all/all.yml Normal file
View File

@ -0,0 +1,4 @@
---
sobigdata_rel_authorized_scopes: '/d4science.research-infrastructures.eu/SoBigData/TagMe'
sobigdata_rel_service_host: 'rel-entity-linker.d4science.org'
sobigdata_rel_pep: True

2
inventory/hosts Normal file
View File

@ -0,0 +1,2 @@
[sobigdata_rel]
docker-swarm1.int.d4science.net docker_swarm_manager_main_node=True

View File

@ -0,0 +1,19 @@
---
# Default variables of the role. group_vars/all overrides the authorized
# scopes and the service host for the real deployment.

# Directory on the swarm manager where the compose file and the PEP
# configuration files are written.
sobigdata_rel_compose_dir: '/srv/sobigdata_rel_stack'
# Name of the Docker stack; also the prefix of the upstream server name used
# by the PEP nginx configuration.
sobigdata_rel_docker_stack_name: 'rel-entity-linker'
# Service name that the PEP nginx upstream appends to the stack name.
sobigdata_rel_docker_service_server_name: 'sobigdata-rel'
# Image run by the REL service.
sobigdata_rel_docker_server_image: 'informagi/rel'
# Overlay network declared by the compose templates.
sobigdata_rel_docker_network: 'rel-entity-linker'
# Port the REL server listens on; used by the command below and by the PEP
# nginx upstream.
sobigdata_rel_service_port: 5555
# Command line of the REL container.
# presumably the values accepted by --ner-model are: ner, ner-large (TODO confirm)
sobigdata_rel_docker_command: 'python -m REL.server --bind 0.0.0.0 --ed-model wiki/generated/model --ner-model ner --port {{ sobigdata_rel_service_port }} /workspace wiki'
# Name of the HAProxy-facing network (presumably created outside this role;
# verify against the swarm setup).
sobigdata_rel_haproxy_public_net: 'haproxy-public'
# Scope rendered into pep.js both as the allowed caller context and as the
# scope of the accounting records.
sobigdata_rel_authorized_scopes: '/gcube'
# nginx server_name of the PEP and "host" field of the accounting records.
sobigdata_rel_service_host: 'localhost'
# When true, tasks/main.yml also includes pep.yml.
sobigdata_rel_pep: True
# PEP (nginx) tunables.
pep_port: 80
pep_replicas: 1
nginx_pep_debug_enabled: False
nginx_pep_max_body_size: 500M
nginx_pep_body_timeout: 60s

View File

@ -0,0 +1,26 @@
galaxy_info:
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
issue_tracker_url: https://support.d4science.org/projects/d4science-operation
license: EUPL 1.2+
min_ansible_version: 2.8
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
platforms:
- name: Ubuntu
versions:
- bionic
- name: EL
versions:
- 7
galaxy_tags:
- rel
dependencies: []

View File

@ -0,0 +1,4 @@
---
- include_tasks: sobigdata-rel.yml
- include_tasks: pep.yml
when: sobigdata_rel_pep

View File

@ -0,0 +1,39 @@
---
# Tasks that render the nginx/njs policy enforcement point (PEP) files into the
# compose directory and deploy them as part of the REL Docker Swarm stack.
# Both blocks run once, on the host flagged as docker_swarm_manager_main_node.
- name: Manage the PEP configuration
  block:
    - name: Generate PEP config
      ansible.builtin.template:
        src: templates/nginx.conf.j2
        dest: "{{ sobigdata_rel_compose_dir }}/nginx.conf"
    - name: Generate PEP default config
      ansible.builtin.template:
        src: templates/nginx.default.conf.j2
        dest: "{{ sobigdata_rel_compose_dir }}/nginx.default.conf"
    - name: Generate pep.js
      ansible.builtin.template:
        src: templates/pep.js.j2
        dest: "{{ sobigdata_rel_compose_dir }}/pep.js"
    - name: Generate pep-docker-swarm
      ansible.builtin.template:
        src: templates/pep-swarm.yml.j2
        dest: "{{ sobigdata_rel_compose_dir }}/rel-pep-stack.yml"
  run_once: True
  when: docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool
  tags: [ 'sobigdata_rel', 'sobigdata_rel_pep' ]

- name: Run the PEP stack
  block:
    - name: Start the Sobigdata REL project PEP stack
      # docker_stack is not an ansible.builtin module; use the same short name
      # as the task that deploys the REL stack in sobigdata-rel.yml.
      docker_stack:
        name: '{{ sobigdata_rel_docker_stack_name }}'
        state: present
        compose:
          - '{{ sobigdata_rel_compose_dir }}/rel-pep-stack.yml'
  run_once: True
  when: docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool
  tags: [ 'sobigdata_rel', 'sobigdata_rel_pep' ]

View File

@ -0,0 +1,29 @@
---
# Installs the compose file of the REL service and deploys it as a Docker
# Swarm stack. Runs once, on the host flagged as docker_swarm_manager_main_node.
- name: Manage the installation of the Sobigdata REL project Docker stack
  block:
    - name: Create the directory where the compose file will be installed
      ansible.builtin.file:
        dest: '{{ sobigdata_rel_compose_dir }}'
        state: directory
        # Modes are quoted so that YAML cannot reinterpret the octal value.
        mode: '0750'
        owner: root
        group: root
    - name: Install the docker compose file
      ansible.builtin.template:
        src: sobigdata-rel-docker-compose.yml.j2
        dest: '{{ sobigdata_rel_compose_dir }}/sobigdata-rel-docker-compose.yml'
        owner: root
        group: root
        mode: '0400'
    - name: Start the REL project stack
      docker_stack:
        name: '{{ sobigdata_rel_docker_stack_name }}'
        state: present
        compose:
          # Must be the directory the template task above wrote to.
          - '{{ sobigdata_rel_compose_dir }}/sobigdata-rel-docker-compose.yml'
  run_once: True
  when: docker_swarm_manager_main_node is defined and docker_swarm_manager_main_node | bool
  tags: [ 'sobigdata_rel', 'sobigdata_rel_linker' ]

View File

@ -0,0 +1,45 @@
# Added to load njs module
load_module modules/ngx_http_js_module.so;
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
# added to import pep script
js_import pep.js;
# added to bind enforce function
js_set $authorization pep.enforce;
# added to create cache for tokens and auth calls
proxy_cache_path /var/cache/nginx/pep keys_zone=token_responses:1m max_size=2m;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}

View File

@ -0,0 +1,69 @@
upstream service {
ip_hash;
server {{ sobigdata_rel_docker_stack_name }}_{{ sobigdata_rel_docker_service_server_name }}:{{ sobigdata_rel_service_port }};
}
# added to import pep script
js_import pep.js;
# added to bind enforce function
js_set $authorization pep.enforce;
# variables computed by njs and which may possibly be passed among locations
js_var $auth_token;
js_var $account_record;
proxy_cache_path /tmp levels=1:2 keys_zone=social_cache:10m max_size=10g inactive=60m use_temp_path=off;
server {
listen *:80;
listen [::]:80;
server_name {{ sobigdata_rel_service_host }};
subrequest_output_buffer_size 200k;
location /health {
add_header Content-Length 0;
add_header Content-Type "text/plain";
return 200;
}
location / {
proxy_read_timeout 300;
proxy_send_timeout 300;
js_content pep.enforce;
}
location /gcube_user_info {
internal;
gunzip on;
proxy_method GET;
proxy_http_version 1.1;
proxy_set_header gcube-token "$auth_token";
proxy_pass https://api.d4science.org/rest/2/people/profile;
proxy_cache social_cache;
proxy_cache_key $auth_token;
}
location /_backend {
internal;
proxy_read_timeout 300;
proxy_send_timeout 300;
resolver 146.48.122.10;
proxy_http_version 1.1;
proxy_set_header gcube-token "$auth_token";
proxy_pass http://service$request_uri;
}
location /_accounting {
internal;
proxy_method POST;
proxy_http_version 1.1;
proxy_set_header gcube-token "$auth_token";
proxy_set_header Content-Type "application/json";
proxy_pass https://accounting-service.d4science.org/accounting-service/record;
}
}

View File

@ -0,0 +1,37 @@
# Docker Swarm stack of the nginx based policy enforcement point (PEP).
# The network name and the replica count come from the role variables, whose
# defaults render the same values that used to be hard-coded here.
version: '3.6'

services:
  pep:
    image: nginx:stable-alpine
    networks:
      - {{ sobigdata_rel_docker_network }}
      - {{ sobigdata_rel_haproxy_public_net }}
    deploy:
      replicas: {{ pep_replicas }}
      placement:
        constraints: [node.role == worker]
      endpoint_mode: dnsrr
      restart_policy:
        condition: on-failure
        delay: 10s
        window: 120s
    configs:
      - source: nginxconf
        target: /etc/nginx/templates/default.conf.template
      - source: nginxbaseconf
        target: /etc/nginx/nginx.conf
      - source: pep
        target: /etc/nginx/pep.js

networks:
  {{ sobigdata_rel_docker_network }}:
  {{ sobigdata_rel_haproxy_public_net }}:
    external: true

# Files rendered next to this compose file by the PEP tasks.
configs:
  nginxconf:
    file: ./nginx.default.conf
  nginxbaseconf:
    file: ./nginx.conf
  pep:
    file: ./pep.js

View File

@ -0,0 +1,109 @@
export default { enforce };
// Write message s to the nginx error log through the request held in c.
function log(c, s) {
    const req = c.request
    req.error(s)
}
// Write message s to the nginx error log only when debugging is enabled.
// The flag is rendered from the role variable nginx_pep_debug_enabled, so the
// verbose messages are off unless that variable is set to true.
// Returns null when debugging is disabled.
function debug(c, s){
    return "{{ nginx_pep_debug_enabled | bool | lower }}" === "true" ? c.request.error(s) : null
}
/**
 * njs content handler implementing the policy enforcement point.
 *
 * Flow:
 *  1. read the gCube token (query argument or header); answer 401 if absent;
 *  2. resolve the caller through the internal /gcube_user_info location and
 *     check that its context is one of the authorized scopes (403 otherwise);
 *  3. forward the request to the internal /_backend location;
 *  4. send an accounting record to /_accounting (detached) and relay the
 *     backend status and body to the client.
 * Any other failure in the chain is answered with 500.
 *
 * @param r the njs HTTP request object
 */
function enforce(r) {
    var context = {
        request: r
    }
    var allowedcontexts = ["{{ sobigdata_rel_authorized_scopes }}"]

    // r.uri already starts with "/", so no extra separator is needed.
    log(context, "Inside NJS enforce for " + r.method + " @ " + r.headersIn.host + r.uri)

    const token = getGCubeToken(context)
    if (token == null) {
        r.return(401, "Authorization required")
        return
    }

    // The token is a credential: never write its value to the log.
    debug(context, "[PEP] token received")
    exportVariable(context, "auth_token", token)

    context.request.subrequest("/gcube_user_info")
        .then(reply => {
            if (reply.status === 200) {
                debug(context, "[Social Service] got response " + reply.responseBody)
                var response = JSON.parse(reply.responseBody);
                if (allowedcontexts.indexOf(response.result.context) === -1) {
                    debug(context, "[PEP] Unauthorized context " + response.result.context)
                    throw new Error("Unauthorized")
                }
                return response
            } else {
                debug(context, "[Social Service] failed " + reply.status + ":" + reply.responseBody)
                throw new Error("Unauthorized")
            }
        }).then(userinfo => {
            debug(context, "[Social Service] username is " + userinfo.result.username)
            context.userinfo = userinfo
            context.record = buildAccountingRecord(context)
            return context.request.subrequest("/_backend", { method : context.request.method, args : context.request.args, headers : context.request.headersIn})
        }).then(reply => {
            debug(context, "[REL] response status: " + reply.status)
            closeAccountingRecord(context.record, (reply.status === 200 || reply.status === 201 || reply.status === 204))
            // Accounting is fire-and-forget: the client answer does not wait for it.
            context.request.subrequest("/_accounting", { detached : true, body : JSON.stringify(context.record) })
            r.return(reply.status, reply.responseBody)
        }).catch(e => {
            log(context, "Error .... " + njs.dump(e))
            // Only the explicit "Unauthorized" errors raised above map to 403.
            context.request.return(e.message === "Unauthorized" ? 403 : 500)
        })
}
// Return the caller's gCube token: the "token" query argument when present,
// otherwise the "gcube-token" request header, otherwise null.
function getGCubeToken(context){
    const req = context.request
    const fromQuery = req.args.token
    if (fromQuery) {
        return fromQuery
    }
    const fromHeader = req.headersIn['gcube-token']
    return fromHeader ? fromHeader : null
}
// Build the accounting record for the current request. Creation and start
// time are both set to "now"; duration, end time and result are placeholders
// that closeAccountingRecord fills in once the backend has answered.
function buildAccountingRecord(context){
    const req = context.request
    const now = Date.now()
    const record = {
        "recordType": "ServiceUsageRecord",
        "operationCount": 1,
        "creationTime": now,
        "callerHost": req.remoteAddress,
        "serviceClass": "Application",
        "callerQualifier": "TOKEN",
        "consumerId": context.userinfo.result.username,
        "aggregated": true,
        "serviceName": "REL",
        "duration": 0,
        "maxInvocationTime": 0,
        "scope": "{{ sobigdata_rel_authorized_scopes }}",
        "host": "{{ sobigdata_rel_service_host }}",
        "startTime": now,
        "id": uuid(),
        "calledMethod": req.method + " " + req.uri,
        "endTime": 0,
        "minInvocationTime": 0,
        "operationResult": null
    }
    return record
}
// Complete an accounting record in place: set the end time to "now", derive
// the duration from the stored start time and record the outcome.
function closeAccountingRecord(record, success){
    const finishedAt = Date.now()
    const elapsed = finishedAt - record.startTime
    record.duration = elapsed
    record.endTime = finishedAt
    record.minInvocationTime = elapsed
    if (success) {
        record.operationResult = "SUCCESS"
    } else {
        record.operationResult = "FAILED"
    }
}
// Generate a random identifier shaped like a version 4 UUID: every "x" of the
// pattern becomes a random hexadecimal digit, the other characters are kept.
function uuid() {
    const pattern = 'xxxxxxxx-xxxx-4xxx-8xxx-xxxxxxxxxxxx'
    let out = ''
    for (let i = 0; i < pattern.length; i++) {
        const ch = pattern.charAt(i)
        out += ch === 'x' ? Math.floor(Math.random() * 16).toString(16) : ch
    }
    return out
}
// Store value in the nginx variable called name on the request held in
// context, and return the same context.
function exportVariable(context, name, value){
    const vars = context.request.variables
    vars[name] = value
    return context
}

View File

@ -0,0 +1,28 @@
# Docker Swarm stack of the REL service.
version: '3.6'

networks:
  {{ sobigdata_rel_docker_network }}:

services:
  # The service name must stay in sync with the upstream address built by the
  # PEP nginx configuration, so it is taken from the same role variable.
  {{ sobigdata_rel_docker_service_server_name }}:
    image: {{ sobigdata_rel_docker_server_image }}
    networks:
      - {{ sobigdata_rel_docker_network }}
    command: '{{ sobigdata_rel_docker_command }}'
    volumes:
      - /nfs/sobigdata_rel/data/generic:/workspace/generic
      - /nfs/sobigdata_rel/data/wiki:/workspace/wiki
    deploy:
      mode: replicated
      replicas: 1
      endpoint_mode: dnsrr
      placement:
        constraints: [node.role == worker]
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 5
        window: 120s
    logging:
      driver: 'journald'

87
run.sh Executable file
View File

@ -0,0 +1,87 @@
#!/bin/bash
#
# Wrapper around ansible-playbook.
#
# Usage: ./run.sh [playbook[.yml]] [ansible-playbook options...]
#
# The "directory/directory.yml" is the old way that we used to simplify jobs execution.
# The "directory/site.yml" is the syntax used by roles (from ansible version 1.2)
#
# Otherwise we can directly execute a single play (file)
#
# When the first argument is not a playbook, site.yml is run and every argument
# is passed to ansible-playbook untouched.
#

PAR=50
TIMEOUT=15
PLAY=site.yml
PLAY_DIR="$( pwd )"
ANSIBLE_HOSTS=

# USER can be unset in minimal environments (cron, containers).
export TMPDIR="/var/tmp/${USER:-$(id -un)}"
if [ ! -d "${TMPDIR}" ] ; then
    mkdir -p "${TMPDIR}"
fi

# A configuration file in the current directory wins over the parent's one.
if [ -f ../ansible.cfg ] ; then
    export ANSIBLE_CONFIG="../ansible.cfg"
fi
if [ -f ./ansible.cfg ] ; then
    export ANSIBLE_CONFIG="./ansible.cfg"
fi

# No cows!
export ANSIBLE_NOCOWS=1

export ANSIBLE_ERROR_ON_UNDEFINED_VARS=True
export ANSIBLE_HOST_KEY_CHECKING=False
# Append the inherited value only when it is set, to avoid a trailing ':'.
export ANSIBLE_LIBRARY="/usr/share/ansible:./modules:../modules${ANSIBLE_LIBRARY:+:$ANSIBLE_LIBRARY}"

# This check is not correct anymore.
# if [ ! "$(python -m ara.setup.callback_plugins)" ] ; then
#     echo "the ARA plugin is missing. Run 'sudo pip install ara' on your machine"
#     exit 1
# fi
# if [ ! "$(python -m ara.setup.action_plugins)" ] ; then
#     echo "the ARA plugin is missing. Run 'sudo pip install ara' on your machine"
#     exit 1
# fi

# Options are collected in an array so that values containing spaces survive.
PLAY_OPTS=( -T "$TIMEOUT" -f "$PAR" )

# Select the playbook. The first argument is consumed (shifted away) only when
# it really names a playbook; otherwise it is an ansible-playbook option and
# must be left in place.
if [ -n "$1" ] && [ -f "$1" ] ; then
    MAIN="$1"
    shift
elif [ -n "$1" ] && [ -f "$1.yml" ] ; then
    MAIN="$1.yml"
    shift
elif [ -f "$PLAY" ] ; then
    MAIN="$PLAY"
else
    echo "No play file available." >&2
    exit 1
fi

# Inventory: inventory/hosts takes precedence over a plain hosts file.
if [ -f "${PLAY_DIR}/hosts" ] ; then
    ANSIBLE_HOSTS="${PLAY_DIR}/hosts"
fi
if [ -f "${PLAY_DIR}/inventory/hosts" ] ; then
    ANSIBLE_HOSTS="${PLAY_DIR}/inventory/hosts"
fi
if [ -n "$ANSIBLE_HOSTS" ] ; then
    # Append: the timeout and forks options set above must be preserved.
    PLAY_OPTS+=( -i "$ANSIBLE_HOSTS" )
fi

#echo "Find vault encrypted files if any"
if [ -d ./group_vars ] ; then
    VAULT_GROUP_FILES=$( find ./group_vars -name '*vault*' )
fi
if [ -d ./host_vars ] ; then
    VAULT_HOST_FILES=$( find ./host_vars -name '*vault*' )
fi

if [ -n "$VAULT_GROUP_FILES" ] || [ -n "$VAULT_HOST_FILES" ] ; then
    # Vault requires a password.
    # To encrypt a password for a user: python -c "from passlib.hash import sha512_crypt; print sha512_crypt.encrypt('<password>')"
    echo "There are password protected encrypted files, we will ask for password before proceeding"
    PLAY_OPTS+=( --ask-vault-pass )
fi

# Main
ansible-playbook "${PLAY_OPTS[@]}" "$MAIN" "$@"

6
site.yml Normal file
View File

@ -0,0 +1,6 @@
---
- hosts: sobigdata_rel
serial: 1
roles:
- { role: sobigdata-rel }