From 800579c6db4c9358595e9cefb5bc1661f039a2f8 Mon Sep 17 00:00:00 2001
From: Scott Koranda
Date: Thu, 30 Apr 2020 12:50:29 -0500
Subject: [PATCH] Update for May 2020 online training

Update for the May 2020 online training. Includes an upgrade to Shibboleth IdP version 4.0 and COmanage Registry upgrade to 3.2.4.
---
 .gitignore | 1 +
 README.md | 42 +-
 aws_ec2.yml | 12 +
 hostnames.yml | 4 +-
 roles/common/tasks/users.yml | 2 +-
 roles/idp/files/attribute-resolver.xml | 6 -
 roles/idp/files/config-always-01.ldif | 3564 +++++++++++------
 roles/idp/files/shibboleth-idp-stack.yml | 3 +-
 roles/idp/tasks/main.yml | 8 +
 roles/idp/templates/idp.properties | 14 +-
 roles/idp/templates/ldap.properties | 4 +-
 roles/idp/templates/secrets.properties | 10 +
 roles/idp/vars/main.yml | 20 +-
 .../files/comanage-registry-stack.yml | 2 +-
 roles/training/tasks/main.yml | 3 +-
 roles/training/templates/000-comanage.conf | 2 +-
 vars/global.yml | 9 +-
 17 files changed, 2341 insertions(+), 1365 deletions(-)
 create mode 100644 aws_ec2.yml
 create mode 100644 roles/idp/templates/secrets.properties

diff --git a/.gitignore b/.gitignore
index c5dfa11..951d8a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,5 @@ share
 ssh_config
 ssh_mux*
 ec2.py
+.vault_pass.txt
 .*.swp
diff --git a/README.md b/README.md
index b26409d..c3f717a 100644
--- a/README.md
+++ b/README.md
@@ -67,11 +67,9 @@ cd comanage-registry-training-deployment
 virtualenv -p python3.7 ./
 source bin/activate
 pip install --upgrade pip
-pip install git+https://github.com/ansible/ansible.git@devel
+pip install ansible==2.9.6
 pip install boto
 pip install boto3
-wget https://raw.githubusercontent.com/ansible/ansible/devel/contrib/inventory/ec2.py
-chmod 755 ec2.py
 cp /path/to/AWS-Trng-1.pem .
 ```
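Review bot: Adding `.vault_pass.txt` to .gitignore means the cleartext vault password now lives inside the working tree, guarded only by an ignore rule; the README hunk on this page makes the same move, changing the documented path from `~/.vault_pass.txt` to `./.vault_pass.txt`. An ignore rule is not a control: `git add -f`, a tool that stages without honouring .gitignore, an archive or copy of the checkout, or an editor backup such as `.vault_pass.txt~` (not matched by this pattern) will carry the password along, and it sits next to the `AWS-Trng-1.pem` private key the README also has the user copy into the clone, which no rule in this hunk ignores (an earlier rule outside the hunk may). Either keep the file outside the clone as the old README said, or at least add `*.pem` to the ignore list and a comment above the new rule: `# cleartext vault password - never commit; keeping it outside the clone is safer`.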
@@ -79,12 +77,11 @@ Some ansible files are encrypted using `ansible-vault`.
 When running a playbook ansible needs to be able to find the password for the vault.
-Create a file outside of the clone of this repository to hold
-the vault password, e.g.
+Create a file to hold the vault password, e.g.
 ```
-touch ~/.vault_pass.txt
-chmod 600 ~/.vault_pass.txt
+touch ./.vault_pass.txt
+chmod 600 ./.vault_pass.txt
 ```
 Find the vault password from and enter it into the file you just created.
@@ -96,21 +93,23 @@ to set up the environment:
 ```
 cd comanage-registry-training-deployment
 source bin/activate
+
+export ANSIBLE_CONFIG=`pwd`/ansible.cfg
+export ANSIBLE_INVENTORY=`pwd`/aws_ec2.yml
+export ANSIBLE_SSH_ARGS="-F `pwd`/ssh_config -C -o ControlMaster=auto -o ControlPersist=3600s"
+export ANSIBLE_VAULT_PASSWORD_FILE=`pwd`/.vault_pass.txt
+
 export AWS_ACCESS_KEY_ID='XXXXXXXX'
 export AWS_SECRET_ACCESS_KEY='XXXXXXXX'
-export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
 export AWS_REGION=us-west-2
-rm ./ssh_mux_*
-kill $SSH_AGENT_PID
-unset SSH_AUTH_SOCK
-eval `ssh-agent -s`
+
 ssh-add ./AWS-Trng-1.pem
 ```
 ## Configuration
 Most of the configurable details, including the number of training nodes to
-deploye, are set in the file
+deploy, are set in the file
 ```
 vars/global.yml
@@ -124,7 +123,7 @@ Review that file before running the playbook.
 To provision the infrastructure execute the playbook:
 ```
-ansible-playbook -i ./ec2.py comanage_registry_training.yml
+ansible-playbook comanage_registry_training.yml
 ```
 ## SSH Access
@@ -213,3 +212,18 @@ https://registry2.comanage.incommon.training
 ```
 for node 2, and so on.
+
+## Interference from existing SSH agent
+
+If you find that your existing SSH agent is interfering with the SSH connections
+used by ansible, it might help to start with a fresh agent when you begin your
+work for the say:
+
+```
+cd comanage-registry-training-deployment
+rm ./ssh_mux_*
+kill $SSH_AGENT_PID
+unset SSH_AUTH_SOCK
+eval `ssh-agent -s`
+ssh-add ./AWS-Trng-1.pem
+```
diff --git a/aws_ec2.yml b/aws_ec2.yml
new file mode 100644
index 0000000..874db25
--- /dev/null
+++ b/aws_ec2.yml
@@ -0,0 +1,12 @@
+---
+plugin: aws_ec2
+regions:
+ - us-west-2
+keyed_groups:
+ - prefix: tag
+ key: tags
+hostnames:
+ - private-ip-address
+compose:
+ public_fqdn: tags.public_fqdn
+ private_fqdn: tags.private_fqdn
diff --git a/hostnames.yml b/hostnames.yml
index ccdfaa3..3002305 100644
--- a/hostnames.yml
+++ b/hostnames.yml
@@ -7,5 +7,5 @@ tasks: - name: Set FQDN for node
- command: "hostnamectl set-hostname {{ ec2_tag_private_fqdn }}"
- when: ansible_facts['nodename'] != ec2_tag_private_fqdn
+ command: "hostnamectl set-hostname {{ private_fqdn }}"
+ when: ansible_facts['nodename'] != private_fqdn
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
index 44eb45f..532e2df 100644
--- a/roles/common/tasks/users.yml
+++ b/roles/common/tasks/users.yml
@@ -65,7 +65,7 @@ comment: COmanage Training User
 uid: 2000
 home: /home/training
-password: "$6$bvMJpaKk$glM0iapwOVJFiN7//FY9PdXLIs3sGPUkOODrQgXAaCIXP/P6kly9ZucehBryh2j10giTuNmuosQcepZ2a103T."
+password: "$6$Vi9PQcxYJ.VBZ$RD.yWppXJUvqTBcicu4V1VTwcfpILQ6fisdXbl1VRwezpPr88p5ufW8fL4lmoVKgyGVgFIOQt1LL3Z0KlEOvK/"
 shell: /bin/bash
 group: training
 append: yes
diff --git a/roles/idp/files/attribute-resolver.xml b/roles/idp/files/attribute-resolver.xml
index 1992b9d..1685584 100644
--- a/roles/idp/files/attribute-resolver.xml
+++ b/roles/idp/files/attribute-resolver.xml
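Review bot: The new aws_ec2.yml inventory has no `filters:` block, so every instance the supplied credentials can see in us-west-2 is enumerated, and `keyed_groups` then places hosts into groups purely from their EC2 tags; any instance in the account that carries a matching tag, or any principal allowed `ec2:CreateTags`, can put a host into a play's target group. Scope the inventory to what this deployment provisions, for example a `filters:` entry on a deployment-specific tag or on the VPC that vars/global.yml defines (the exact tag the provisioning play applies is not visible on this page, so pick the one it actually sets). The same applies to the `compose` entries: `tags.public_fqdn` and `tags.private_fqdn` are fed unvalidated into `hostnamectl set-hostname` in hostnames.yml and into the Apache `ServerName` template elsewhere in this commit, so a comment such as `# trust boundary: group membership and FQDNs come from EC2 tags - restrict who can tag` above `keyed_groups` would make that dependency explicit.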
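Review bot: The new `password:` value in roles/common/tasks/users.yml is a SHA-512 crypt hash for the shared `training` account (uid 2000) committed in cleartext, which anyone with read access to the repository can attack offline, and the previous hash stays recoverable from history. The README on this page states the project already uses `ansible-vault`, so the hash belongs in a vaulted variable, e.g. `password: "{{ training_user_password_hash }}"`, with both old and new values treated as burned once rotated. If the training password is meant to be public, say so in a comment above the task so the next reviewer does not have to guess; the enclosing `user:` task starts above this hunk.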
@@ -6,32 +6,26 @@ - - - - - -
-ServerName https://{{ ec2_tag_public_fqdn }}:443
+ServerName https://{{ public_fqdn }}:443
 UseCanonicalName On
 DocumentRoot /var/www/html
diff --git a/vars/global.yml b/vars/global.yml
index a0a1616..48c051e 100644
--- a/vars/global.yml
+++ b/vars/global.yml
@@ -22,7 +22,8 @@ vpc_availability_zone:
 ssh_bastion_instance_type: t2.nano
 # Most current CentOS 7 x86_64
-ssh_bastion_ami_id: ami-01ed306a12b7d1c96
+#ssh_bastion_ami_id: ami-01ed306a12b7d1c96
+ssh_bastion_ami_id: ami-0bc06212a56393ee1
 ssh_bastion_user: centos
 ssh_bastion_device_name: /dev/sda1
 ssh_bastion_volume_type: gp2
@@ -30,7 +31,8 @@ ssh_bastion_volume_size: 8
 idp_node_instance_type: t2.small
 # Most current CentOS 7 x86_64
-idp_node_ami_id: ami-01ed306a12b7d1c96
+#idp_node_ami_id: ami-01ed306a12b7d1c96
+idp_node_ami_id: ami-0bc06212a56393ee1
 idp_node_user: centos
 idp_node_device_name: /dev/sda1
 idp_node_volume_type: gp2
@@ -41,7 +43,8 @@ training_node_count: 2
 training_node_instance_type: t2.small
 # Most current CentOS 7 x86_64
-training_node_ami_id: ami-01ed306a12b7d1c96
+#training_node_ami_id: ami-01ed306a12b7d1c96
+training_node_ami_id: ami-0bc06212a56393ee1
 training_node_user: centos
 training_node_device_name: /dev/sda1
 training_node_volume_type: gp2
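Review bot: All three vars/global.yml hunks swap `ami-01ed306a12b7d1c96` for `ami-0bc06212a56393ee1` under a comment that only says `# Most current CentOS 7 x86_64`, so nothing in the file lets a reviewer check where the new id came from or which account publishes it; an AMI id is a region-scoped handle, and a typo or a look-alike community image would boot a foreign root filesystem onto the bastion, IdP and training nodes alike. Record the provenance beside the value, e.g. `# CentOS 7 x86_64, us-west-2, owner <account id>, verified <date>` (the owner id is not visible here), or resolve the id at run time with `ec2_ami_info` filtered by owner and image name so the pin cannot drift silently. The commented-out previous ids add noise rather than a record; git history already keeps them.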