Skip to content
Permalink
Browse files
Updates for the March 2021 training session.
Updates for the March 2021 training session.
  • Loading branch information
skoranda committed Mar 12, 2021
1 parent 16bd353 commit ff6c8336762a09ee42dfa2706445405d5b2274ca
@@ -2,6 +2,7 @@ AWS-Trng-1.pem
bin
include
lib
lib64
share
ssh_config
ssh_mux*
@@ -64,12 +64,15 @@ To set up the environment for ansible the first time:
```
git clone https://github.com/cilogon/comanage-registry-ansible.git
cd comanage-registry-training-deployment
virtualenv -p python3.7 ./
python3 -m venv .
source bin/activate
pip install --upgrade pip
pip install ansible==2.10.1
pip install ansible==2.10.7
pip install boto
pip install boto3
ansible-galaxy collection install amazon.aws
ansible-galaxy collection install community.aws
ansible-galaxy collection install community.docker
cp /path/to/AWS-Trng-1.pem .
```

@@ -83,7 +86,7 @@ Create a file to hold the vault password, e.g.
touch ./.vault_pass.txt
chmod 600 ./.vault_pass.txt
```
Find the vault password from and enter it into the file you just created.
Find the vault password and enter it into the file you just created.

## Initialization Before Running Playbooks

@@ -112,35 +115,23 @@ Most of the configurable details, including the number of training nodes to
deploy, are set in the file

```
vars/global.yml
group_vars/all.yml
```

Review that file before running the playbook.

## Changing Training Password

The password used by trainees for SSH, authenticating to the IdP,
and for the LDAP users, needs to be set in three (3) places:
and for configuring the COmanage LDAP Provisioner is also set in the file
`group_vars/all.yml`.

1. The file `roles/common/tasks/users.yml`. Use the `mkpasswd` Linux utility to hash the
password:
```
mkpasswd --method=sha-512
```
Once you have determined the password, use the following command to
generate the encrypted version to paste into that file:

1. The LDIF files `roles/idp/files/config-always-01.ldif` and
`roles/training/files/config-always-01.ldif`. Use the `slappasswd` Linux utilty to
hash the password and then edit the file using `ansible-vault edit`:

```
/usr/sbin/slappasswd -c '$6$rounds=5000$%.86s'
```

1. The file `roles/training/vars/main.yml`. To encrypt the file use

```
ansible-vault encrypt_string 'PASSWORD' --name olc_root_dn_password
```
```
ansible-vault encrypt_string 'PASSWORD' --name comanage_training_password
```

## Provision the COmanage Training Infrastructure

@@ -182,6 +173,15 @@ ansible-playbook \
-e force_update_stack_file=yes
```

To force an update of the LDIF used by training node LDAP:

```
ansible-playbook \
training_nodes.yml \
--tags update_structure_ldif_file \
-e force_update_structure_ldif_file=yes
```

## SSH Access

Trainers may use their provisioned SSH keys to access all nodes. Each trainer
@@ -3,12 +3,6 @@
connection: local
gather_facts: False

tasks:
- name: import global variables
include_vars:
file: "vars/global.yml"

# Combine multiple playbooks
- name: configure COmanage training VPC
import_playbook: vpc.yml

@@ -0,0 +1,72 @@
---

# This encrypted version of the training password is created by running
#
# ansible-vault encrypt_string 'THE_PASSWORD' --name 'comanage_training_password'
comanage_training_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31636362373339666232313164373435343362373936613838393035663732623533616238373564
3637653337636564616131663831346531363033396266330a613162666636666235333135383631
64633832633837363263653462306361636338643964326531393133643063353738626165613132
6462336164333237340a393062353239306564303838366264636230643136393033623064343661
6431
# It should not be necessary to change the password salt.
comanage_training_password_salt: !vault |
$ANSIBLE_VAULT;1.1;AES256
39623864653434666530376532373536616136303833383862663631333439393833656436353661
3765313563653037623737373563326235646439633635640a643165313437343966376661373862
61363564353632383964393439656565326161326338323131373464313736373761666164633837
3062623335653037650a383538633936386537333865306230323162656434326634323139396461
64663664306265623839363736343361313635313638633863363131323635333466
comanage_training_region: "us-west-2"

r53_hosted_zone: incommon.training
r53_dns_domain: "comanage.{{ r53_hosted_zone }}"

# The full ARN for an X.509 wildcard certificate provisioned by the
# AWS Certificate Manager for domain *.comanage.incommong.training
aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:626413038627:certificate/162508f9-f5e4-479d-bdb8-f614d8a7ccb0"

vpc_cidr_block: 192.168.0.0/16

# We need to have at least two private subnets across two availability
# zones. The application load balancer requires it.
vpc_availability_zone:
a:
public_subnet: 192.168.10.0/24
private_subnet: 192.168.110.0/24
bastion_ip: 192.168.10.10
bastion_hostname: ssh
b:
public_subnet: 192.168.11.0/24
private_subnet: 192.168.111.0/24
bastion_ip: 192.168.11.10
bastion_hostname: ssh-b

ssh_bastion_instance_type: t2.nano
# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
ssh_bastion_ami_id: ami-0a4497cbe959da512
ssh_bastion_user: centos
ssh_bastion_device_name: /dev/sda1
ssh_bastion_volume_type: gp2
ssh_bastion_volume_size: 10

idp_node_instance_type: t2.small
# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
idp_node_ami_id: ami-0a4497cbe959da512
idp_node_user: centos
idp_node_device_name: /dev/sda1
idp_node_volume_type: gp2
idp_node_volume_size: 20

training_node_count: 2

training_node_instance_type: t2.small
# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
training_node_ami_id: ami-0a4497cbe959da512
training_node_user: centos
training_node_device_name: /dev/sda1
training_node_volume_type: gp2
training_node_volume_size: 20
@@ -15,7 +15,7 @@
idp_node_rules: "{{ idp_node_rules | default([]) | union( [{ 'proto': 'tcp' , 'ports': '8080', 'cidr_ip': '192.168.0.0/16', 'rule_desc': 'web traffic port 8080'}] ) }}"

- name: Security group COmanage IdP node
ec2_group:
amazon.aws.ec2_group:
name: "comanage-idp-node"
tags:
Name: "comanage-idp-node"
@@ -26,7 +26,7 @@
register: idp_node_sg

- name: Provision COmanage IdP node
ec2:
amazon.aws.ec2:
key_name: AWS-Trng-1
group_id: "{{ idp_node_sg.group_id }}"
instance_type: "{{ idp_node_instance_type }}"
@@ -61,7 +61,7 @@
groups: ssh_idp_node_host

- name: Create A record entry for IdP node private interface
route53:
community.aws.route53:
state: present
zone: "{{ r53_hosted_zone }}"
record: "{{ idp_node.tagged_instances[0].tags.private_fqdn }}"
@@ -40,22 +40,22 @@
user: skoranda
key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr9amUAycDrDj2f2kLkK6b5X5DYr+4kmRcYfjcOQG9capsUDh44E8C1KKKRtVZNCM4QAXjHHuIQhb7/YysH6XpjUypzHciDNyJ6f3H0Phrcu9X5HSXlPNuyHlq1rtxtuXnd/UPmrZlSuy1Kt4bjjk5EYI6XMXQjlZMet9mT8y0kB1NALGqfLm1LesjShEmKCqP97fj//jRakm661TDdphjKR7e/O6wB80BHZAUznd+4XqYoQ8wPMWFKk21ZtwNWEpgooPhwC956BmsGRXHzySct/LISNAwbQdNaxTKeWdLGvsD6uivBsbBe2egrkCB0UKzcyXTuQv3W4cElAzDFROEQ== skoranda@oregano.local"

- name: Paul Caskey
- name: Shayna Atkinson
user:
name: pcaskey
comment: Paul Caskey
uid: 1011
home: /home/pcaskey
name: satkinson
comment: Shayna Atkinson
uid: 1012
home: /home/satkinson
password: "*"
shell: /bin/bash
group: trainers
append: yes
groups: wheel

- name: Paul Caskey authorized ssh key
- name: Shayna Atkinson authorized ssh key
authorized_key:
user: pcaskey
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ3+4TSLAruT/RLBHL9aGTDeP4I0XxuqICWj1Ag8H+JVdwrRtW7uGFiFrTbqqfCsBKFIgl64C3ioRixzA4RW8SxeGQj33xJAR+B9EdJg1neIaCwPAdm0snv7A0sRU/0PltHInd2Dcm6EzjIfzyMMPc+t78p9kgyisIKxOTKTjT+Ucty3HoxL2g4Vs3o3T61aM+k1mBGPYIoJxpRkNKho/VviTkJiooemKl4w5sXAzxY7FNpJ18Ir/iUo4hk1Z2766EDObaM1CECSXrEAfo0LA6LbV9ns4BJ1xq9HS4DWxJ6rp1YJcsmihX6nBjnvkM4h+ihjZgxi4iYVWxmAX7OjLV"
user: satkinson
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RfhrA38OgbAECtlav8sRSF/v61xzmfmVBRWti9YYnW+Ik0vkJgC2pwT2dVnFYn334KQan9o2y7enCOuw0N2od/gUdtHeeUzYggS5azqHRDvOH5Q5Xx73YBdt6Vf3MGOCTS1+Beroja5Ni1+wN6HLNwN4AalLMxJbLEdCjndLmaLNHPYRN8HwLch/0M8fNHr6MEMhV1wW5tRg1s1NgNGjoBJBHJ1TLWokTFgnPlTwUaEC2jt32dOfrcKVWN6H9zfROnUM0PFsIAWnwVjsUlvesTqwVCFHVj+5nCxrmqE/zSgdFKiHxPiUtNxHBlwTFgtw3390kTI7rz1/fno177Vp"

- name: Training unix group
group:
@@ -68,11 +68,7 @@
comment: COmanage Training User
uid: 2000
home: /home/training
# The password chosen can be hashed using mkpasswd command found on most Linux deployments
#
# mkpasswd --method=sha-512
password: "$6$k72rMBqah9omQW$ii9NcQTJHJtlESDq1PyX0Xc7bqwcogk0qwZtDsSjKi9gLRirHvSTDOIUP.x3IuVsIp1jc2MQyjvRtSulYWDDq."
password: "{{ comanage_training_password | string | password_hash('sha512', comanage_training_password_salt) }}"
shell: /bin/bash
group: training
append: yes

0 comments on commit ff6c833

Please sign in to comment.