From 7044982bf9ae15c327fff7615f6d591d3f4ccbf7 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 23 May 2014 19:20:15 +0200 Subject: [PATCH 01/49] Work In Progress --- README-DEVS.md | 77 +++++++++++++++++++ scripts/components/engineblock.sh | 6 +- .../inventory/acc.surfconext.nl.ini | 0 .../inventory/surfconext.nl.ini | 0 .../inventory/test.surfconext.nl.ini | 0 .../ansible/inventory/demo.openconext.org.ini | 12 +++ tools/ansible/provision-engine.yml | 44 +++++++++++ 7 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 README-DEVS.md create mode 100644 tools/ansible-surfconext/inventory/acc.surfconext.nl.ini create mode 100644 tools/ansible-surfconext/inventory/surfconext.nl.ini create mode 100644 tools/ansible-surfconext/inventory/test.surfconext.nl.ini create mode 100644 tools/ansible/inventory/demo.openconext.org.ini create mode 100644 tools/ansible/provision-engine.yml diff --git a/README-DEVS.md b/README-DEVS.md new file mode 100644 index 0000000..ae04d6c --- /dev/null +++ b/README-DEVS.md 
@@ -0,0 +1,77 @@
+# Definition of terms
+
+An OpenConext Component is a separate piece of software that conforms to the OpenConext Component Requirements.
+An OpenConext Platform is a selection of OpenConext Components.
+An OpenConext Environment is a physical (or virtual) hosting environment of 1 or multiple servers for a OpenConext Platform.
+
+# OpenConext Component Requirements
+
+A Component MUST comply to the following to be a valid OpenConext Component.
+
+A Component MAY store it's configuration files in ```/etc/openconext```.
+
+A Component MAY store example configuration for third party components in ```etc/```.
+
+A Component MUST have a public Git URL.
+In this repository MUST be a directory ```tools/ansible``` with the following playbooks:
+
+## install.yml
+Install MUST be able to install on a Environment and MUST use the 'version' variable.
+Install SHOULD check it's own local dependencies (like HTTP, Tomcat, PHP, JRE, etc).
+The version variable MAY be filled with a semantic version (like 4.0.1) or a branch name
+(like develop, master or feature/ansible-setup).
+Install MUST be able to upgrade an existing installation of **any** previous version to it's version.
+Install MAY refuse a downgrade.
+Install MUST NOT overwrite existing configuration files, but MAY write initial configuration files.
+Install SHOULD be idempotent.
+
+## erase.yml
+Erase MUST be able to remove a component.
+
+## setup.yml
+Setup MUST be called after install and the component has been configured by the environment.
+Setup SHOULD check it's configuration.
+Setup SHOULD be able to upgrade an existing installation of any previous version.
+
+## version.yml
+Version MUST display the currently installed version of the component.
+Version MUST return a non-0 status code if the component is not installed.
+ +## Example lifecycle: + +```bash +git clone git://url/component.git +git checkout 3.0.0 + +# Check for existence +ansible-playbook tools/ansible/version.yml + +# Initial install +ansible-playbook tools/ansible/install.yml -e "version=3.0.0" + +# Configuration +# Settings changed in /etc/openconext/component.ini + +# Setup the component +ansible-playbook tools/ansible/setup.yml + +# Some time later an update arrives +ansible-playbook tools/ansible/install.yml -e "version=3.0.1" + +# Check version +ansible-playbook tools/ansible/version.yml +# Returns "3.0.1" + +# A developer decides to switch to a feature development version +ansible-playbook tools/ansible/install.yml -e "version=feature/awesome-feature" + +# Check version +ansible-playbook tools/ansible/version.yml +# Returns "feature/awesome-feature" + +# The developer releases a new version and switches back to that +ansible-playbook tools/ansible/install.yml -e "version=3.1.0" + +# Component is no longer needed and needs to be deinstalled +ansible-playbook tools/ansible/erase.yml +``` \ No newline at end of file diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index a97e693..9849eb2 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -1,5 +1,7 @@ #!/bin/bash +# ansible-playbook -i tools/ansible/inventory/demo.openconext.org tools/ansible/provision-engine.yml + ####################### # Install EngineBlock # ####################### 
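Review bot: The usage comment added at the top of engineblock.sh points at an inventory path that does not match the file this same patch creates: it names `tools/ansible/inventory/demo.openconext.org`, while the new file is `tools/ansible/inventory/demo.openconext.org.ini`. Anyone copying the comment gets an inventory-not-found error from ansible-playbook. Suggested line: `# ansible-playbook -i tools/ansible/inventory/demo.openconext.org.ini tools/ansible/provision-engine.yml`.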
@@ -94,8 +96,8 @@ else chmod o+w /var/log/surfconext/engineblock.log # Updating LDAP schema some more... - ldapmodify -x -D cn=admin,cn=config -h localhost -w $OC__LDAP_PASS -f /opt/www/engineblock/ldap/changes/addDeprovisionWarningSentAttributes.ldif - ldapmodify -x -D cn=admin,cn=config -h localhost -w $OC__LDAP_PASS -f /opt/www/engineblock/ldap/changes/addCollabPersonUUID.ldif + ldapmodify -x -D cn=admin,cn=config -h localhost -w "$OC__LDAP_PASS" -f /opt/www/engineblock/ldap/changes/addDeprovisionWarningSentAttributes.ldif + ldapmodify -x -D cn=admin,cn=config -h localhost -w "$OC__LDAP_PASS" -f /opt/www/engineblock/ldap/changes/addCollabPersonUUID.ldif # Apply LDAP credentials to file engineblock.ini sed -i "s/_OC__ENGINE_LDAP_PASSWD_/$OC__LDAP_PASS/g" /etc/surfconext/engineblock.ini diff --git a/tools/ansible-surfconext/inventory/acc.surfconext.nl.ini b/tools/ansible-surfconext/inventory/acc.surfconext.nl.ini new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible-surfconext/inventory/surfconext.nl.ini b/tools/ansible-surfconext/inventory/surfconext.nl.ini new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible-surfconext/inventory/test.surfconext.nl.ini b/tools/ansible-surfconext/inventory/test.surfconext.nl.ini new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible/inventory/demo.openconext.org.ini b/tools/ansible/inventory/demo.openconext.org.ini new file mode 100644 index 0000000..87351c6 --- /dev/null +++ b/tools/ansible/inventory/demo.openconext.org.ini @@ -0,0 +1,12 @@ +[engine] +localhost ansible_connection=local + +[engine:vars] +deploy_root=/opt/www +version=4.0.0 + +[serviceregistry] +localhost + +[api] +localhost \ No newline at end of file diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml new file mode 100644 index 0000000..3e98899 --- /dev/null +++ b/tools/ansible/provision-engine.yml 
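Review bot: The quoting added to the two `ldapmodify -w "$OC__LDAP_PASS"` lines leaves the unquoted use of the same secret two lines below untouched: `sed -i "s/_OC__ENGINE_LDAP_PASSWD_/$OC__LDAP_PASS/g" /etc/surfconext/engineblock.ini` splices the password straight into the sed program, so a value containing `/`, `&` or `\` either aborts the script or writes a mangled secret into engineblock.ini, which fails silently until EngineBlock cannot bind to LDAP. Escape the value before substitution (or write the ini key with a tool that takes the value as data rather than as part of an expression). Separately, `-w` on the command line exposes the LDAP admin password in the process list to every local user for the duration of the call; `-y <mode-0600 password file>` is the quieter form ldapmodify already supports. The enclosing `else` branch starts and ends outside this hunk.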
@@ -0,0 +1,44 @@ +-- +- name: Provision the OpenConext VM for EngineBlock + hosts: engine + remote_user: "{{ remote_user }}" + + vars: + + + tasks: + - name: Make sure a database exists + mysql_db: + state: present + name: {{ engine_db_name }} + login_host: {{ engine_db_host }} + login_port: {{ engine_db_port}} + login_user: {{ admin_db_user }} + login_password: {{ admin_db_password}} + encoding: utf8 + collation: utf8_unicode_ci + + - name: Make sure a user exists + mysql_user: + state: present + name: {{ engine_db_user }} + password: {{ engine_db_password }} + priv: {{ engine_db_name }}.*:ALL + login_host: {{ engine_db_host }} + login_port: {{ engine_db_port}} + login_user: {{ admin_db_user }} + login_password: {{ admin_db_password}} + + - name: Make sure LDAP database exists + + - name: INSTALL EngineBlock using Ansible + include: {{ }} + + - name: Set all configuration values for EngineBlock + ini_file: + dest: /etc/openconext/engineblock.ini + section: demo + option: password + value: {{ engine_db_password }} + + - name: SETUP EngineBlock using Ansible \ No newline at end of file From d0785c58485dbaa8e3621f9bd75b2d06c80434d6 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Mon, 23 Jun 2014 16:19:02 +0200 Subject: [PATCH 02/49] Work in progress --- tools/ansible/Ansiblefile | 0 tools/ansible/Ansiblefile.lock | 0 tools/ansible/README.md | 0 .../ansible/inventory/demo.openconext.org.ini | 10 ++- tools/ansible/provision-engine.yml | 85 ++++++++++++++----- tools/ansible/version-engine.yml | 5 ++ 6 files changed, 78 insertions(+), 22 deletions(-) create mode 100644 tools/ansible/Ansiblefile create mode 100644 tools/ansible/Ansiblefile.lock create mode 100644 tools/ansible/README.md create mode 100644 tools/ansible/version-engine.yml diff --git a/tools/ansible/Ansiblefile b/tools/ansible/Ansiblefile new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible/Ansiblefile.lock b/tools/ansible/Ansiblefile.lock new file mode 100644 index 0000000..e69de29 
diff --git a/tools/ansible/README.md b/tools/ansible/README.md new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible/inventory/demo.openconext.org.ini b/tools/ansible/inventory/demo.openconext.org.ini index 87351c6..27e90eb 100644 --- a/tools/ansible/inventory/demo.openconext.org.ini +++ b/tools/ansible/inventory/demo.openconext.org.ini @@ -3,7 +3,15 @@ localhost ansible_connection=local [engine:vars] deploy_root=/opt/www -version=4.0.0 +version=4.1.0 +engine_db_name=engineblock +engine_db_host=localhost +engine_db_port=3306 +engine_db_user=engine2mysql +engine_db_password=enginepass +admin_db_user=root +admin_db_password=c0n3xt +serviceregistry_url [serviceregistry] localhost diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml index 3e98899..0ae89dc 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision-engine.yml 
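Review bot: The new `[engine:vars]` entries commit the MySQL administrative credential (`admin_db_user=root` / `admin_db_password=c0n3xt`) and the application password `engine_db_password=enginepass` in plaintext to a tracked inventory file, where they stay in history even after a later change. Keep only non-secret settings in the inventory and move the passwords into an ansible-vault encrypted vars file (for example a `group_vars/engine/` vault file) or pass them with `-e` at run time. The bare `serviceregistry_url` line carries no `=value`; in an INI `:vars` section that is not a `key=value` pair and is likely to be rejected by the inventory parser, so give it a value or leave it out until it is used.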
@@ -1,44 +1,87 @@ --- -- name: Provision the OpenConext VM for EngineBlock +--- +- name: Provision EngineBlock hosts: engine remote_user: "{{ remote_user }}" vars: + temp_dir: "/tmp" + logging_dir: "/var/log/openconext" + releases_dir: "/opt/openconext" + release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ version }}" + builds_dir: "{{ releases_dir }}/builds" + build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ version }}.tar.gz" + current_release_symlink: "/opt/www/engineblock" + download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ version }}/OpenConext-engineblock-{{ version }}.tar.gz" - - tasks: + pre_tasks: - name: Make sure a database exists mysql_db: state: present - name: {{ engine_db_name }} - login_host: {{ engine_db_host }} - login_port: {{ engine_db_port}} - login_user: {{ admin_db_user }} - login_password: {{ admin_db_password}} + name: "{{ engine_db_name }}" + login_host: "{{ engine_db_host }}" + login_port: "{{ engine_db_port}}" + login_user: "{{ admin_db_user }}" + login_password: "{{ admin_db_password}}" encoding: utf8 collation: utf8_unicode_ci - name: Make sure a user exists mysql_user: state: present - name: {{ engine_db_user }} - password: {{ engine_db_password }} - priv: {{ engine_db_name }}.*:ALL - login_host: {{ engine_db_host }} - login_port: {{ engine_db_port}} - login_user: {{ admin_db_user }} - login_password: {{ admin_db_password}} + name: "{{ engine_db_user }}" + password: "{{ engine_db_password }}" + priv: "{{ engine_db_name }}.*:ALL" + login_host: "{{ engine_db_host }}" + login_port: "{{ engine_db_port}}" + login_user: "{{ admin_db_user }}" + login_password: "{{ admin_db_password}}" + +# - name: Make sure LDAP database exists + + - name: Ensure the directories exists + file: path={{ item }} state=directory + with_items: + - "{{ releases_dir }}" + - "{{ builds_dir }}" + + - name: Get the current release + get_url: dest="{{ build_path }}" url={{ download_url }} + + - name: Unarchive it + 
unarchive: dest={{ releases_dir }} src={{ build_path }} copy=no + + - name: Install default application settings + copy: + src: "{{ release_dir }}/etc/openconext/engineblock.ini" + dest: /etc/openconext/engineblock.ini + force: no + + - name: Install User Profile with Environment variable. + copy: + src: "{{ release_dir }}/etc/profile.d/openconext-engineblock.sh" + dest: /etc/profile.d/openconext-engineblock.sh + force: no + + - name: "Legacy: Remove obsolete, too generic, profile.d/openconext.sh" + file: path=/etc/profile.d/openconext.sh state=absent + + #- name: Install fresh signing keys if they don't already exist + + - name: Install logging directory + file: path={{ logging_dir }} state=directory - - name: Make sure LDAP database exists + - name: "Legacy: Install SURFconext logging directory" + file: path=/var/log/surfconext src={{ logging_dir }} state=link - - name: INSTALL EngineBlock using Ansible - include: {{ }} + - name: "Legacy: Migrate the configuration file" + command: "{{ release_dir }}/bin/migrate_etc.php" - name: Set all configuration values for EngineBlock ini_file: dest: /etc/openconext/engineblock.ini section: demo option: password - value: {{ engine_db_password }} + value: "{{ engine_db_password }}" - - name: SETUP EngineBlock using Ansible \ No newline at end of file + #- name: SETUP EngineBlock using Ansible + # include: "{{ installer_path }}/tools/ansible/setup.yml" \ No newline at end of file diff --git a/tools/ansible/version-engine.yml b/tools/ansible/version-engine.yml new file mode 100644 index 0000000..f6feb4e --- /dev/null +++ b/tools/ansible/version-engine.yml @@ -0,0 +1,5 @@ +--- +- name: Get the version of OpenConext Engine + hosts: engine + remote_user: "{{ remote_user }}" + From e8e7b0b52a9af29cce82fe9ce908f6d3c657e062 Mon Sep 17 00:00:00 2001 
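Review bot: The `get_url` task fetches the release tarball that the rest of the play unpacks and runs (`migrate_etc.php`) without any integrity check, so whatever is served for `download_url` at that moment is installed as-is; pin the artifact with the module's checksum argument, e.g. `get_url: dest="{{ build_path }}" url={{ download_url }} sha256sum=<expected digest, placeholder>`, sourced from the release you tested. The `ini_file` task then writes `engine_db_password` into /etc/openconext/engineblock.ini without setting `mode`, `owner` or `group`, so the file keeps whatever permissions the preceding `copy` task and the umask produced and may be world-readable; add `mode: 0640` and an owner/group that matches the web server user. The `"Legacy: Migrate the configuration file"` task is a plain `command:` that re-runs on every play, which conflicts with the idempotence the README-DEVS.md in this series asks for; a `creates:` argument or `changed_when:` would make it converge. `temp_dir` is defined in `vars:` but never used in the play.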
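Review bot: version-engine.yml declares a play for `hosts: engine` with no `tasks:`, so it exits 0 without printing anything, which is the opposite of what README-DEVS.md in this series requires (display the installed version; non-zero exit when the component is not installed). Until it is implemented, a single task that reads the symlink target of `/opt/www/engineblock` with `failed_when` on a missing link, followed by a `debug:` of the version, would satisfy the contract; as committed it gives a false "installed" signal to anything that scripts around it.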
From: Boy Baukema Date: Mon, 30 Jun 2014 16:45:52 +0200 Subject: [PATCH 03/49] Work in progress --- data/engineblock.sql.j2 | 586 ++++++++++++++++++ scripts/components/engineblock.sh | 87 +-- tools/ansible/install-engine-src.yml | 12 + tools/ansible/install-engine.yml | 30 + .../ansible/inventory/demo.openconext.org.ini | 18 +- tools/ansible/provision-engine.yml | 130 ++-- 6 files changed, 745 insertions(+), 118 deletions(-) create mode 100644 data/engineblock.sql.j2 create mode 100644 tools/ansible/install-engine-src.yml create mode 100644 tools/ansible/install-engine.yml diff --git a/data/engineblock.sql.j2 b/data/engineblock.sql.j2 new file mode 100644 index 0000000..723fdf6 --- /dev/null +++ b/data/engineblock.sql.j2 
@@ -0,0 +1,586 @@ +-- MySQL dump 10.13 Distrib 5.1.61, for redhat-linux-gnu (x86_64) +-- +-- Host: localhost Database: engineblock +-- ------------------------------------------------------ +-- Server version 5.1.61 + +/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; +/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; +/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; +/*!40101 SET NAMES utf8 */; +/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; +/*!40103 SET TIME_ZONE='+00:00' */; +/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; +/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; +/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; +/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; + +-- +-- Table structure for table `consent` +-- + +DROP TABLE IF EXISTS `consent`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `consent` ( + `consent_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, + `usage_date` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00', + `hashed_user_id` varchar(80) COLLATE utf8_unicode_ci NOT NULL, + `service_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `attribute` varchar(80) COLLATE utf8_unicode_ci NOT NULL, + PRIMARY KEY (`hashed_user_id`,`service_id`), + KEY `hashed_user_id` (`hashed_user_id`), + KEY `service_id` (`service_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `consent` +-- + +LOCK TABLES `consent` WRITE; +/*!40000 ALTER TABLE `consent` DISABLE KEYS */; +INSERT INTO `consent` VALUES +('2012-06-27 09:01:37','2012-06-27 09:01:37','4e20080aba70103a60039bf19fdac0c4fb7ce367','https://manage.{{ openconext_domain 
}}/simplesaml/module.php/saml/sp/metadata.php/default-sp','f8fff30971a5477e0721ce45aa5dd7ad83b6848e'), +('2012-06-27 09:13:32','2012-06-27 09:13:32','4e20080aba70103a60039bf19fdac0c4fb7ce367','https://serviceregistry.{{ openconext_domain }}/simplesaml/module.php/saml/sp/metadata.php/default-sp','f8fff30971a5477e0721ce45aa5dd7ad83b6848e'); +/*!40000 ALTER TABLE `consent` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `db_changelog` +-- + +DROP TABLE IF EXISTS `db_changelog`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `db_changelog` ( + `patch_number` int(11) NOT NULL, + `branch` varchar(50) COLLATE utf8_unicode_ci NOT NULL, + `completed` int(11) DEFAULT NULL, + `filename` varchar(100) COLLATE utf8_unicode_ci NOT NULL, + `hash` varchar(32) COLLATE utf8_unicode_ci NOT NULL, + `description` varchar(200) COLLATE utf8_unicode_ci DEFAULT NULL, + PRIMARY KEY (`patch_number`,`branch`) +) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `db_changelog` +-- + +LOCK TABLES `db_changelog` WRITE; +/*!40000 ALTER TABLE `db_changelog` DISABLE KEYS */; +INSERT INTO `db_changelog` VALUES (1,'default',1340787301,'patch-0001.php','9e47c3b8','Move the groupProviders configuration from the local config to the database.'), +(2,'default',1340787301,'patch-0002.sql','2a482377','Initial migration away from LiquiBase'), +(3,'default',1340787301,'patch-0003.sql','271b9ee1','Remove LiquiBase tables'), +(4,'default',1340787301,'patch-0004.sql','bece62cf','Table structure for table `emails`'), +(5,'default',1340787301,'patch-0005.sql','61a65c9d','Add new emails for deprovisioning'), +(6,'default',1340787301,'patch-0006.sql','e7075a42','Update deprovisioning mail'), +(7,'default',1340787301,'patch-0007.sql','445ce3bd','Add id field to login table (ported from manage patch-001.sql)'), 
+(8,'default',1340787301,'patch-0008.php','e452a2b0','Add urn:collab:group: prefixing to Grouper group providers'), +(9,'default',1340787301,'patch-0009.sql','7fed17ad','Add tables for new persistent NameID'), +(10,'default',1340788257,'patch-0010.php','d2a6343a','Assign a UUID to all users in LDAP'), +(11,'default',1340788257,'patch-0011.sql','015c7b4a','Add useragent field to login_logs table for logging the User-Agent'), +(12,'default',1340788257,'patch-0012.sql','a668c1a3','Add voname field to login_logs table for logging the Virtual Organisation Context'), +(13,'default',1340788257,'patch-0013.sql','ab0053d5','Add table for storing the ACL Group provider information for service providers'), +(14,'default',1340788257,'patch-0014.sql','e2e35650',''), +(15,'default',1340788257,'patch-0015.sql','479a53d4','Add logo_url field to group_provider table for displaying the picture in teams'); +/*!40000 ALTER TABLE `db_changelog` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `emails` +-- + +DROP TABLE IF EXISTS `emails`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `emails` ( + `id` bigint(20) NOT NULL AUTO_INCREMENT, + `email_type` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `email_text` longtext COLLATE utf8_unicode_ci NOT NULL, + `email_from` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `email_subject` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `is_html` tinyint(1) DEFAULT '1', + PRIMARY KEY (`id`), + UNIQUE KEY `email_type` (`email_type`) +) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `emails` +-- + +LOCK TABLES `emails` WRITE; +/*!40000 ALTER TABLE `emails` DISABLE KEYS */; +INSERT INTO `emails` VALUES (1,'introduction_email','Dear {user},
\r\n
\r\nThis mail is a confirmation that we have created a profile for you on the SURFconext platform. Please visit https://profile.surfconext.nl to see and manage your profile. If you have any questions regarding this mail please contact help@surfconext.nl.
\r\n
\r\nBest regards, Surfconext ','help@surfconext.nl','Welcome to SURFconext',1), +(2,'deprovisioning_warning_email','Dear {user},

This mail is to inform you that you will be deprovisioned at {deprovision_time}. If you have any questions regarding this mail please contact help@surfconext.nl.

You will be deleted as a member of all the groups. Currently you are member of the following groups:
{groups}
In the groups displayed below you are the only administrator. Please make another member administrator before you are deprovisioned, for these teams will be without an administrator otherwise. 
{onlyAdminGroups}
Best regards,
SURFconext','help@surfconext.nl','Deprovisioning SURFconext',NULL), +(3,'deprovisioning_warning_email_group_members','Dear {user},
\r\n
\r\nThis mail is to inform you that your administrator in team {team} will be deprovisioned at {deprovision_time}. If you have any questions regarding this mail please contact help@surfconext.nl.
\r\n
\r\nBest regards
, SURFconext','help@surfconext.nl','Deprovisioning SURFconext',NULL); +/*!40000 ALTER TABLE `emails` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `group_provider` +-- + +DROP TABLE IF EXISTS `group_provider`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `group_provider` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `identifier` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + `classname` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + `logo_url` varchar(1024) COLLATE utf8_unicode_ci DEFAULT NULL, + PRIMARY KEY (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `group_provider` +-- + +LOCK TABLES `group_provider` WRITE; +/*!40000 ALTER TABLE `group_provider` DISABLE KEYS */; +INSERT INTO `group_provider` VALUES (1,'grouper','SURFteams grouper','EngineBlock_Group_Provider_Grouper','SURFteams grouper'); +/*!40000 ALTER TABLE `group_provider` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `group_provider_decorator` +-- + +DROP TABLE IF EXISTS `group_provider_decorator`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `group_provider_decorator` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `group_provider_id` int(11) NOT NULL, + `classname` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + PRIMARY KEY (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `group_provider_decorator` +-- + +LOCK TABLES `group_provider_decorator` WRITE; +/*!40000 ALTER TABLE `group_provider_decorator` DISABLE KEYS */; +INSERT INTO `group_provider_decorator` 
VALUES (1,1,'EngineBlock_Group_Provider_Decorator_GroupIdReplace'); +/*!40000 ALTER TABLE `group_provider_decorator` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `group_provider_decorator_option` +-- + +DROP TABLE IF EXISTS `group_provider_decorator_option`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `group_provider_decorator_option` ( + `group_provider_decorator_id` int(11) NOT NULL, + `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + PRIMARY KEY (`group_provider_decorator_id`,`name`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `group_provider_decorator_option` +-- + +LOCK TABLES `group_provider_decorator_option` WRITE; +/*!40000 ALTER TABLE `group_provider_decorator_option` DISABLE KEYS */; +INSERT INTO `group_provider_decorator_option` VALUES (1,'replace','$1'), +(1,'search','|urn:collab:group:teams.{{ openconext_domain }}:(.+)|'); +/*!40000 ALTER TABLE `group_provider_decorator_option` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `group_provider_filter` +-- + +DROP TABLE IF EXISTS `group_provider_filter`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `group_provider_filter` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `group_provider_id` int(11) NOT NULL, + `type` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + `classname` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + PRIMARY KEY (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `group_provider_filter` +-- + +LOCK TABLES `group_provider_filter` WRITE; +/*!40000 ALTER TABLE 
`group_provider_filter` DISABLE KEYS */; +INSERT INTO `group_provider_filter` VALUES (1,1,'group','EngineBlock_Group_Provider_Filter_ModelProperty_PregReplace'); +/*!40000 ALTER TABLE `group_provider_filter` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `group_provider_filter_option` +-- + +DROP TABLE IF EXISTS `group_provider_filter_option`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `group_provider_filter_option` ( + `group_provider_filter_id` int(11) NOT NULL, + `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + PRIMARY KEY (`group_provider_filter_id`,`name`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `group_provider_filter_option` +-- + +LOCK TABLES `group_provider_filter_option` WRITE; +/*!40000 ALTER TABLE `group_provider_filter_option` DISABLE KEYS */; +INSERT INTO `group_provider_filter_option` VALUES (1,'property','id'), +(1,'replace','urn:collab:group:teams.{{ openconext_domain }}:$1'), +(1,'search','|(.+)|'); +/*!40000 ALTER TABLE `group_provider_filter_option` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `group_provider_option` +-- + +DROP TABLE IF EXISTS `group_provider_option`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `group_provider_option` ( + `group_provider_id` int(11) NOT NULL, + `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + PRIMARY KEY (`group_provider_id`,`name`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `group_provider_option` +-- + +LOCK TABLES 
`group_provider_option` WRITE; +/*!40000 ALTER TABLE `group_provider_option` DISABLE KEYS */; +INSERT INTO `group_provider_option` VALUES (1,'host','grouper.{{ openconext_domain }}'), +(1,'password','KJ75DFeg32a'), +(1,'path','/grouper-ws/servicesRest'), +(1,'protocol','https'), +(1,'timeout','10'), +(1,'user','engine'), +(1,'version','v1_6_000'); +/*!40000 ALTER TABLE `group_provider_option` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `group_provider_precondition` +-- + +DROP TABLE IF EXISTS `group_provider_precondition`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `group_provider_precondition` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `group_provider_id` int(11) NOT NULL, + `classname` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL, + PRIMARY KEY (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `group_provider_precondition` +-- + +LOCK TABLES `group_provider_precondition` WRITE; +/*!40000 ALTER TABLE `group_provider_precondition` DISABLE KEYS */; +/*!40000 ALTER TABLE `group_provider_precondition` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `group_provider_precondition_option` +-- + +DROP TABLE IF EXISTS `group_provider_precondition_option`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `group_provider_precondition_option` ( + `group_provider_precondition_id` int(11) NOT NULL, + `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', + PRIMARY KEY (`group_provider_precondition_id`,`name`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `group_provider_precondition_option` 
+-- + +LOCK TABLES `group_provider_precondition_option` WRITE; +/*!40000 ALTER TABLE `group_provider_precondition_option` DISABLE KEYS */; +/*!40000 ALTER TABLE `group_provider_precondition_option` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `group_provider_user_oauth` +-- + +DROP TABLE IF EXISTS `group_provider_user_oauth`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `group_provider_user_oauth` ( + `provider_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `user_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `oauth_token` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, + `oauth_secret` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, + PRIMARY KEY (`provider_id`,`user_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `group_provider_user_oauth` +-- + +LOCK TABLES `group_provider_user_oauth` WRITE; +/*!40000 ALTER TABLE `group_provider_user_oauth` DISABLE KEYS */; +/*!40000 ALTER TABLE `group_provider_user_oauth` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `log_logins` +-- + +DROP TABLE IF EXISTS `log_logins`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `log_logins` ( + `loginstamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, + `userid` varchar(1000) COLLATE utf8_unicode_ci NOT NULL, + `spentityid` varchar(1000) COLLATE utf8_unicode_ci DEFAULT NULL, + `idpentityid` varchar(1000) COLLATE utf8_unicode_ci DEFAULT NULL, + `spentityname` varchar(1000) COLLATE utf8_unicode_ci DEFAULT NULL, + `idpentityname` varchar(1000) COLLATE utf8_unicode_ci DEFAULT NULL, + `useragent` varchar(1024) COLLATE utf8_unicode_ci DEFAULT NULL, + `voname` varchar(1024) COLLATE utf8_unicode_ci DEFAULT NULL, + `id` int(11) NOT NULL AUTO_INCREMENT, + 
PRIMARY KEY (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `log_logins` +-- + +LOCK TABLES `log_logins` WRITE; +/*!40000 ALTER TABLE `log_logins` DISABLE KEYS */; +INSERT INTO `log_logins` VALUES +('2012-06-27 09:13:33','urn:collab:person:example.com:john.doe','https://serviceregistry.{{ openconext_domain }}/simplesaml/module.php/saml/sp/metadata.php/default-sp','http://mock-idp','OpenConext ServiceRegistry','OpenConext Mujina','Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1',NULL,1); +/*!40000 ALTER TABLE `log_logins` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `saml_persistent_id` +-- + +DROP TABLE IF EXISTS `saml_persistent_id`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `saml_persistent_id` ( + `persistent_id` char(40) COLLATE utf8_unicode_ci NOT NULL COMMENT 'SHA1 of service_provider_uuid + user_uuid', + `user_uuid` char(36) COLLATE utf8_unicode_ci NOT NULL, + `service_provider_uuid` char(36) COLLATE utf8_unicode_ci NOT NULL, + PRIMARY KEY (`persistent_id`), + KEY `user_uuid` (`user_uuid`,`service_provider_uuid`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Look up table for persistent_ids we hand out'; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `saml_persistent_id` +-- + +LOCK TABLES `saml_persistent_id` WRITE; +/*!40000 ALTER TABLE `saml_persistent_id` DISABLE KEYS */; +INSERT INTO `saml_persistent_id` VALUES ('9a26dd18d7f33511b4a98d838cae09543ce5f171','b06b98b0-c036-11e1-b910-cd9212b8c0d3','5e5717a0-c038-11e1-8b8e-234ffa2d0a60'), +('3f18e71b45ef07f3110e3cb418bdeb1be0c9ef83','b06b98b0-c036-11e1-b910-cd9212b8c0d3','b416cbc0-c036-11e1-b5a6-216cccc3b1fc'); +/*!40000 ALTER TABLE `saml_persistent_id` ENABLE KEYS */; +UNLOCK TABLES; 
+ +-- +-- Table structure for table `service_provider_group_acl` +-- + +DROP TABLE IF EXISTS `service_provider_group_acl`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `service_provider_group_acl` ( + `id` bigint(20) NOT NULL AUTO_INCREMENT, + `group_provider_id` bigint(20) NOT NULL, + `spentityid` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, + `allow_groups` tinyint(1) DEFAULT '0', + `allow_members` tinyint(1) DEFAULT '0', + PRIMARY KEY (`id`), + UNIQUE KEY `spentityid_group_provider_id` (`spentityid`(250),`group_provider_id`) +) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `service_provider_group_acl` +-- + +LOCK TABLES `service_provider_group_acl` WRITE; +/*!40000 ALTER TABLE `service_provider_group_acl` DISABLE KEYS */; +INSERT INTO `service_provider_group_acl` VALUES (1,1,'https://engine.{{ openconext_domain }}/authentication/sp/metadata',1,1), +(2,1,'https://profile.{{ openconext_domain }}/simplesaml/module.php/saml/sp/metadata.php/default-sp',1,1), +(3,1,'https://manage.{{ openconext_domain }}/simplesaml/module.php/saml/sp/metadata.php/default-sp',1,1), +(4,1,'https://serviceregistry.{{ openconext_domain }}/simplesaml/module.php/saml/sp/metadata.php/default-sp',1,1), +(5,1,'http://mock-sp',1,1), +(6,1,'https://grouper.{{ openconext_domain }}/grouper/shibboleth',1,1), +(7,1,'https://teams.{{ openconext_domain }}/shibboleth',1,1), +(8,1,'https://csa.{{ openconext_domain }}/',1,1), +(9,1,'https://dashboard.{{ openconext_domain }}/',1,1); +/*!40000 ALTER TABLE `service_provider_group_acl` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `service_provider_uuid` +-- + +DROP TABLE IF EXISTS `service_provider_uuid`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE 
`service_provider_uuid` ( + `uuid` char(36) COLLATE utf8_unicode_ci NOT NULL, + `service_provider_entity_id` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, + PRIMARY KEY (`uuid`), + KEY `service_provider_entity_id` (`service_provider_entity_id`(255)) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Lookup table for UUIDs for Service Providers, provides a lev'; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `service_provider_uuid` +-- + +LOCK TABLES `service_provider_uuid` WRITE; +/*!40000 ALTER TABLE `service_provider_uuid` DISABLE KEYS */; +INSERT INTO `service_provider_uuid` VALUES +('5e5717a0-c038-11e1-8b8e-234ffa2d0a60','https://serviceregistry.{{ openconext_domain }}/simplesaml/module.php/saml/sp/metadata.php/default-sp'), +('b416cbc0-c036-11e1-b5a6-216cccc3b1fc','https://manage.{{ openconext_domain }}/simplesaml/module.php/saml/sp/metadata.php/default-sp'); +/*!40000 ALTER TABLE `service_provider_uuid` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `virtual_organisation` +-- + +DROP TABLE IF EXISTS `virtual_organisation`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `virtual_organisation` ( + `vo_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `vo_type` enum('GROUP','STEM','IDP','MIXED') COLLATE utf8_unicode_ci NOT NULL, + PRIMARY KEY (`vo_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `virtual_organisation` +-- + +LOCK TABLES `virtual_organisation` WRITE; +/*!40000 ALTER TABLE `virtual_organisation` DISABLE KEYS */; +/*!40000 ALTER TABLE `virtual_organisation` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `virtual_organisation_attribute` +-- + +DROP TABLE IF EXISTS `virtual_organisation_attribute`; +/*!40101 SET @saved_cs_client = @@character_set_client */; 
+/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `virtual_organisation_attribute` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `vo_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `sp_entity_id` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, + `user_id_pattern` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `attribute_name_saml` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `attribute_name_opensocial` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `attribute_value` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `vo_id` (`vo_id`(200),`sp_entity_id`(200),`user_id_pattern`(200),`attribute_name_saml`(200),`attribute_name_opensocial`(200)) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `virtual_organisation_attribute` +-- + +LOCK TABLES `virtual_organisation_attribute` WRITE; +/*!40000 ALTER TABLE `virtual_organisation_attribute` DISABLE KEYS */; +/*!40000 ALTER TABLE `virtual_organisation_attribute` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `virtual_organisation_group` +-- + +DROP TABLE IF EXISTS `virtual_organisation_group`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `virtual_organisation_group` ( + `vo_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `group_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + PRIMARY KEY (`vo_id`,`group_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `virtual_organisation_group` +-- + +LOCK TABLES `virtual_organisation_group` WRITE; +/*!40000 ALTER TABLE `virtual_organisation_group` DISABLE KEYS */; +/*!40000 ALTER TABLE `virtual_organisation_group` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `virtual_organisation_idp` +-- + +DROP 
TABLE IF EXISTS `virtual_organisation_idp`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `virtual_organisation_idp` ( + `vo_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + `idp_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, + PRIMARY KEY (`vo_id`,`idp_id`) +) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `virtual_organisation_idp` +-- + +LOCK TABLES `virtual_organisation_idp` WRITE; +/*!40000 ALTER TABLE `virtual_organisation_idp` DISABLE KEYS */; +/*!40000 ALTER TABLE `virtual_organisation_idp` ENABLE KEYS */; +UNLOCK TABLES; +/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; + +/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; +/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; +/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; +/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; +/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; +/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; +/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; + +-- Dump completed on 2012-06-27 10:51:18 diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index e854726..51c3ac2 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh 
@@ -1,76 +1,31 @@ #!/bin/bash -# ansible-playbook -i tools/ansible/inventory/demo.openconext.org tools/ansible/provision-engine.yml +# Make sure Ansible is installed +yum install -y ansible && + +# Run Ansible playbook +ansible-playbook -i tools/ansible/inventory/demo.openconext.org tools/ansible/provision-engine.yml \ + -e "version=$ENGINEBLOCK_VERSION" \ + -e "engine_db_name=engineblock" \ + -e "engine_db_host=localhost" \ + -e "engine_db_port=3306" \ + -e "engine_db_user=$OC__ENGINE_DB_USER" \ + -e "engine_db_password=$OC__ENGINE_DB_PASS" \ + -e "admin_db_user=root" \ + -e "admin_db_password=$OC__ROOT_DB_PASS" \ + -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN" + -e "serviceregistry_user=$OC__ENGINE_JANUSAPI_USER" + -e "serviceregistry_pass=$OC__ENGINE_JANUSAPI_PASS" + -e "engine_ldap_binddn=cn:engine,dc:surfconext,dc:nl" + -e "engine_ldap_password=$OC__LDAP_PASS" -####################### -# Install EngineBlock # -####################### -if [ ! -h /opt/www/engineblock ] -then - $GITCLONE https://github.com/OpenConext/OpenConext-engineblock.git /opt/www/OpenConext-engineblock - ln -sf /opt/www/OpenConext-engineblock /opt/www/engineblock -fi -cd /opt/www/engineblock -$GITRESET # revert potential changes -$GITFETCH -$GITCHECKOUT ${ENGINEBLOCK_VERSION} -./bin/composer.phar --prefer-dist --no-interaction install -# Restore SELinux labels, due to bug? 
in Composer (https://github.com/composer/composer/issues/1714) -restorecon -r vendor if $UPGRADE then source /etc/profile.d/openconext.sh else - # Create database - mysql -u root --password=$OC__ROOT_DB_PASS -e "drop database if exists engineblock; create database engineblock default charset utf8 default collate utf8_unicode_ci;" - cat $OC_BASEDIR/data/engineblock.sql | \ - sed -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/g" | \ - mysql -u root --password=$OC__ROOT_DB_PASS engineblock - - # Set database creadentials for engine - mysql -uroot -p$OC__ROOT_DB_PASS -e "GRANT ALL PRIVILEGES ON engineblock.* TO $OC__ENGINE_DB_USER@localhost IDENTIFIED BY '$OC__ENGINE_DB_PASS'" - success=`mysqladmin -u$OC__ENGINE_DB_USER -p$OC__ENGINE_DB_PASS ping | grep -c "mysqld is alive"` - if [[ $success == '1' ]] - then - echo -e "\nValidating new MySQL Engine password: SUCCESS!\n" - else - echo -e "\nValidating new MySQL Engine password: FAILED\n" - exit - fi - - ############################################# - # Modify the EngineBlock configuration file # - ############################################# - if [ -f /etc/surfconext/engineblock.ini ] - then - backupFile /etc/surfconext/engineblock.ini - fi - install -d /etc/surfconext/ - sed -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/g" $OC_BASEDIR/configs/surfconext/engineblock.ini > /etc/surfconext/engineblock.ini - - echo "Apply db credentials to file engineblock.ini" - sed -i "s/__OC__ENGINE_DB_USER__/$OC__ENGINE_DB_USER/g" /etc/surfconext/engineblock.ini - sed -i "s/__OC__ENGINE_DB_PASS__/$OC__ENGINE_DB_PASS/g" /etc/surfconext/engineblock.ini - - # Apply janus api credentials to file engineblock.ini - sed -i "s/__OC__ENGINE_JANUSAPI_USER__/$OC__ENGINE_JANUSAPI_USER/g" /etc/surfconext/engineblock.ini - sed -i "s/__OC__ENGINE_JANUSAPI_PASS__/$OC__ENGINE_JANUSAPI_PASS/g" /etc/surfconext/engineblock.ini - - # Apply ldap credentials to file engineblock.ini - sed -i "s/__OC__LDAP_ENGINE_USER__/$OC__LDAP_ENGINE_USER/g" /etc/surfconext/engineblock.ini - 
sed -i "s/__OC__LDAP_ENGINE_PASS__/$OC__LDAP_ENGINE_PASS/g" /etc/surfconext/engineblock.ini - - # Apply timezone to file engineblock.ini - sed -i "s|__OC__TIMEZONE__|$OC__TIMEZONE|g" /etc/surfconext/engineblock.ini - - # Edit the profile.sh file to set correct environment variable - echo 'export ENGINEBLOCK_ENV="demo"' > /etc/profile.d/openconext.sh - - chmod +x /etc/profile.d/openconext.sh - source /etc/profile.d/openconext.sh if [ -f /etc/surfconext/engineblock.crt ] then @@ -89,12 +44,6 @@ else cp example.org.crt /etc/surfconext/engineblock.crt && rm example.org.crt example.org.pem - install -d /var/log/surfconext - # TODO: is this chmod really neccessary? - chmod o+w /var/log/surfconext - touch /var/log/surfconext/engineblock.log - chmod o+w /var/log/surfconext/engineblock.log - # Updating LDAP schema some more... ldapmodify -x -D cn=admin,cn=config -h localhost -w "$OC__LDAP_PASS" -f /opt/www/engineblock/ldap/changes/addDeprovisionWarningSentAttributes.ldif ldapmodify -x -D cn=admin,cn=config -h localhost -w "$OC__LDAP_PASS" -f /opt/www/engineblock/ldap/changes/addCollabPersonUUID.ldif diff --git a/tools/ansible/install-engine-src.yml b/tools/ansible/install-engine-src.yml new file mode 100644 index 0000000..d7ba99c --- /dev/null +++ b/tools/ansible/install-engine-src.yml @@ -0,0 +1,12 @@ +--- +- name: "SRC - Install Git repo" + git: + accept_hostkey: yes + repo: https://github.com/OpenConext/OpenConext-engineblock.git + dest: "{{ release_dir }}" + version: "{{ version }}" + +- name: "SRC - Running Composer install" + command: ./bin/composer.phar --prefer-dist --no-interaction install + args: + chdir: "{{ release_dir }}" \ No newline at end of file diff --git a/tools/ansible/install-engine.yml b/tools/ansible/install-engine.yml new file mode 100644 index 0000000..9f207f4 --- /dev/null +++ b/tools/ansible/install-engine.yml 
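Review bot: Every secret the new script forwards — `-e "engine_db_password=$OC__ENGINE_DB_PASS"`, `-e "admin_db_password=$OC__ROOT_DB_PASS"`, `-e "engine_ldap_password=$OC__LDAP_PASS"` and the Janus API password — goes onto the ansible-playbook command line, where any local user can read it from `ps` or `/proc/*/cmdline` and where it is retained in shell history and process accounting. Write these variables to a root-only file (`umask 077` before creating it), pass it once as `-e "@/path/to/engine-vars.yml"`, and remove it when the play finishes. The bind DN `cn:engine,dc:surfconext,dc:nl` uses `:` where an LDAP DN uses `=`; presumably a placeholder for this WIP commit, but verify it before it reaches the ini. The `if $UPGRADE` block this hunk ends in continues outside the hunk.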
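Review bot: The checkout at `version: "{{ version }}"` is a moving ref whenever a branch name is given (README-DEVS explicitly allows `develop` or `feature/...`), and the next task executes `./bin/composer.phar` straight out of that checkout, so what lands on the host is whatever the branch head and its bundled phar are at run time, with nothing recording it. Register the git task and log `{{ git_result.after }}` so the deployed commit is recoverable, and consider `--no-dev` for the composer run on anything but developer hosts. `accept_hostkey: yes` is a no-op for the https URL but would silently trust an unknown host key if the repo were ever switched to ssh; drop it.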
@@ -0,0 +1,30 @@ +--- + - name: "BUILD - Get the current release" + get_url: dest="{{ build_path }}" url={{ download_url }} + + - name: "BUILD - Unarchive it" + unarchive: dest={{ releases_dir }} src={{ build_path }} copy=no + + - name: "BUILD - Install default application settings" + copy: + src: "{{ release_dir }}/etc/openconext/engineblock.ini" + dest: /etc/openconext/engineblock.ini + force: no + + - name: "BUILD - Legacy: Remove obsolete profile.d/openconext.sh" + file: path=/etc/profile.d/openconext.sh state=absent + + #- name: Install fresh signing keys if they don't already exist + + - name: "BUILD - Legacy: Move /var/log/surfconext to /var/log/openconext" + command: mv /var/log/surfconext {{ logging_dir }} + ignore_errors: yes + + - name: "BUILD - Install logging directory" + file: path={{ logging_dir }} state=directory + + - name: "BUILD - Legacy: Install symlink from /var/log/surfconext to /var/log/openconext" + file: path=/var/log/surfconext src={{ logging_dir }} state=link + + - name: "BUILD - Migrate the configuration file" + command: "{{ release_dir }}/bin/migrate_etc.php" \ No newline at end of file diff --git a/tools/ansible/inventory/demo.openconext.org.ini b/tools/ansible/inventory/demo.openconext.org.ini index 27e90eb..e917911 100644 --- a/tools/ansible/inventory/demo.openconext.org.ini +++ b/tools/ansible/inventory/demo.openconext.org.ini @@ -3,15 +3,15 @@ localhost ansible_connection=local [engine:vars] deploy_root=/opt/www -version=4.1.0 -engine_db_name=engineblock -engine_db_host=localhost -engine_db_port=3306 -engine_db_user=engine2mysql -engine_db_password=enginepass -admin_db_user=root -admin_db_password=c0n3xt -serviceregistry_url +;version=develop +;engine_db_name=engineblock +;engine_db_host=localhost +;engine_db_port=3306 +;engine_db_user=engine2mysql +;engine_db_password=enginepass +;admin_db_user=root +;admin_db_password=c0n3xt +;serviceregistry_url=https://serviceregistry.demo.openconext.org [serviceregistry] localhost 
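Review bot: `get_url` fetches the release tarball with no checksum and `unarchive` extracts it straight into `{{ releases_dir }}`, so a tampered or truncated download is installed unnoticed; pin a per-release digest next to the URL, e.g. `get_url: dest="{{ build_path }}" url={{ download_url }} sha256sum={{ download_sha256 }}`. The `copy` of `engineblock.ini` into `/etc/openconext/` sets no `owner`/`group`/`mode`, yet provision-engine.yml in this same series writes the database and LDAP passwords into that file; add `mode: 0640` with the group EngineBlock's web server runs as. A one-line comment on the `force: no` explaining that it is what protects an operator-edited ini across upgrades would save the next reader a trip to the README.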
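Review bot: Commenting the credentials out with `;` keeps `;admin_db_password=c0n3xt` and `;engine_db_password=enginepass` in the committed inventory; they are demo values, but commented-out secrets still get copied and grepped, and scripts/components/engineblock.sh now supplies all of these via `-e` anyway. Delete the nine `;` lines rather than leaving them as a template, or replace them with a single `; credentials are supplied by scripts/components/engineblock.sh via -e` comment.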
diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml
index 0ae89dc..2f7fee5 100644
--- a/tools/ansible/provision-engine.yml
+++ b/tools/ansible/provision-engine.yml
@@ -12,8 +12,36 @@ build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ version }}.tar.gz" current_release_symlink: "/opt/www/engineblock" download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ version }}/OpenConext-engineblock-{{ version }}.tar.gz" - - pre_tasks: + config: + auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.20140617.pem + auth.simplesamlphp.idp.location : "https://engine.demo.openconext.org/authentication/idp/single-sign-on" + auth.simplesamlphp.idp.entityid : "https://engine.demo.openconext.org/authentication/idp/metadata" + cookie.lang.domain : "demo.openconext.org" + cookie.lang.expiry : "60*60*24*60" + database.master1.user : "{{ engine_db_user }}" + database.master1.dsn : "mysql:host:localhost;dbname:engineblock" + database.master1.password : "enginepass" + database.masters[] : "master1" + database.slaves[] : "master1" + dynamicassets : true + email.sendwelcomemail : 0 + encryption.keys.20140414.privatefile : "/etc/surfconext/engineblock.key.20140414.pem" + encryption.keys.20140414.publicfile : /etc/surfconext/engineblock.20140414.pem + encryption.keys.20140617.publicfile : /etc/surfconext/engineblock.20140617.pem + encryption.keys.20140617.privatefile : /etc/surfconext/engineblock.20140617.key + ldap.accountdomainname : "surfconext.nl" + ldap.basedn : "dc:surfconext,dc:nl" + ldap.host : "ldap.demo.openconext.org" + ldap.usessl : 0 + ldap.username : "cn:engine,dc:surfconext,dc:nl" + ldap.password : "jf7RH4Hj20De" + logs.file.writername : "Stream" + logs.file.writerparams.stream : "/var/log/surfconext/engineblock.log" + serviceregistry.user : "engine" + serviceregistry.location : "https://serviceregistry.demo.openconext.org/simplesaml/module.php/janus/services/rest/" + serviceregistry.user_secret : "engineblock" + + tasks: - name: Make sure a database exists mysql_db: state: present 
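Review bot: The `config` map checks literal secrets into the playbook — `ldap.password : "jf7RH4Hj20De"`, `database.master1.password : "enginepass"` and `serviceregistry.user_secret : "engineblock"` — while engineblock.sh already passes `engine_db_password`, `engine_ldap_password` and `serviceregistry_pass` as extra-vars that this map ignores. Later commits in this series template the DB and LDAP values, but the LDAP password is now in git history and has to be rotated, and `serviceregistry.user_secret` should become `"{{ serviceregistry_pass }}"`. `ldap.usessl : 0` combined with `ldap.host : "ldap.demo.openconext.org"` sends that bind password in cleartext across the network; set it to `1` unless the LDAP host is demonstrably the same machine.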
@@ -24,6 +52,7 @@ login_password: "{{ admin_db_password}}" encoding: utf8 collation: utf8_unicode_ci + register: engine_db_install - name: Make sure a user exists mysql_user: @@ -36,6 +65,21 @@ login_user: "{{ admin_db_user }}" login_password: "{{ admin_db_password}}" + - name: Write out SQL file with proper domain + template: src=data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql + when: engine_db_installed.changed + + - name: Install initial Database schema when a new database was created + mysql_db: + name: "{{ engine_db_name }}" + login_host: "{{ engine_db_host }}" + login_port: "{{ engine_db_port}}" + login_user: "{{ engine_db_user }}" + login_password: "{{ engine_db_password}}" + state: import + target: /tmp/domain.engineblock.sql + when: engine_db_install.changed + # - name: Make sure LDAP database exists - name: Ensure the directories exists 
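Review bot: The seed schema is rendered to the fixed, world-readable path `/tmp/domain.engineblock.sql` and never removed, so on a shared host a local user can pre-create that name (or a symlink) before the play runs and have the root-owned template written through it, and the rendered file lingers afterwards. Render it under a root-owned directory with restricted permissions, e.g. `template: src=data/engineblock.sql.j2 dest={{ builds_dir }}/engineblock.sql mode=0600`, point `target:` at the same path, and add a `file: path={{ builds_dir }}/engineblock.sql state=absent` task after the import. The import authenticates as `engine_db_user` rather than the admin user, presumably relying on the grant made by the `Make sure a user exists` task above; a comment saying so would make the ordering dependency explicit.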
@@ -44,44 +88,50 @@ - "{{ releases_dir }}" - "{{ builds_dir }}" - - name: Get the current release - get_url: dest="{{ build_path }}" url={{ download_url }} + - name: Install Engine from Build (only when version starts with a number) + include: install-engine.yml + when: version | match("^[0-9]") - - name: Unarchive it - unarchive: dest={{ releases_dir }} src={{ build_path }} copy=no - - - name: Install default application settings - copy: - src: "{{ release_dir }}/etc/openconext/engineblock.ini" - dest: /etc/openconext/engineblock.ini - force: no + - name: Install Engine from source (only when version does not start with a number) + include: install-engine-src.yml + when: version | match("^[^0-9]") - - name: Install User Profile with Environment variable. - copy: - src: "{{ release_dir }}/etc/profile.d/openconext-engineblock.sh" - dest: /etc/profile.d/openconext-engineblock.sh - force: no - - - name: "Legacy: Remove obsolete, too generic, profile.d/openconext.sh" - file: path=/etc/profile.d/openconext.sh state=absent - - #- name: Install fresh signing keys if they don't already exist - - - name: Install logging directory - file: path={{ logging_dir }} state=directory - - - name: "Legacy: Install SURFconext logging directory" - file: path=/var/log/surfconext src={{ logging_dir }} state=link - - - name: "Legacy: Migrate the configuration file" - command: "{{ release_dir }}/bin/migrate_etc.php" - - - name: Set all configuration values for EngineBlock + - name: Set configuration ini_file: - dest: /etc/openconext/engineblock.ini - section: demo - option: password - value: "{{ engine_db_password }}" - - #- name: SETUP EngineBlock using Ansible - # include: "{{ installer_path }}/tools/ansible/setup.yml" \ No newline at end of file + dest: /etc/openconext/engineblock.ini + section: "[{{ version }}]" + option: "{{ item.key }}" + value: "{{ item.value }}" + with_dict: config + + - name: Detect certificates + stat: path=/etc/openconext/engineblock/engineblock.*( + register: + 
+ - name: + command: openssl req -subj '/CN=Engine/OU=Services/O=OpenConext/C=NL/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem + args: + chdir: /tmp + + - name: + + + cd /tmp && + + EB_CRT=`cat example.org.crt` && + EB_KEY=`cat example.org.pem` && + EB_CRT_NO_HEADERS=`sed '1d;$d' example.org.crt` && + echo "" >> /etc/surfconext/engineblock.ini && + echo "encryption.key.public = \"${EB_CRT}\"" >> /etc/surfconext/engineblock.ini && + echo "encryption.key.private = \"${EB_KEY}\"" >> /etc/surfconext/engineblock.ini && + echo "auth.simplesamlphp.idp.cert = \"${EB_CRT_NO_HEADERS}\"" >> /etc/surfconext/engineblock.ini + cp example.org.crt /etc/surfconext/engineblock.crt && + rm example.org.crt example.org.pem + + - name: Run EngineBlock migrations + command: ./bin/migrate + args: + chdir: "{{ release_dir }}" + + - name: Activate new EngineBlock + file: src={{ release_dir }} dest={{ current_release_symlink }} state=link \ No newline at end of file From c62c310d94d599fd5030b0ed8fdc33130fbc7d40 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Tue, 1 Jul 2014 16:15:00 +0200 Subject: [PATCH 04/49] Work in progress --- README-DEVS.md | 47 +++++++++++++++------- scripts/components/engineblock.sh | 62 +++++------------------------- tools/ansible/install-engine.yml | 2 - tools/ansible/provision-engine.yml | 57 ++++++++++++--------------- 4 files changed, 66 insertions(+), 102 deletions(-) diff --git a/README-DEVS.md b/README-DEVS.md index ae04d6c..31b6585 100644 --- a/README-DEVS.md +++ b/README-DEVS.md 
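Review bot: `section: "[{{ version }}]"` passes the brackets into ini_file, which writes its own `[...]` around the section name, so this presumably produces a `[[develop]]` header that EngineBlock will not match — pass `section: "{{ version }}"` instead. `version` arrives unvalidated as an extra-var and is also interpolated into `release_dir`/`build_path`, the git ref and this section header, and the `match("^[0-9]")` / `match("^[^0-9]")` pair is the only thing deciding which installer runs; a short comment stating that it is trusted operator input and what the two branches mean would help the next reader. The `Set configuration` task also writes `{{ engine_db_password }}` into `/etc/openconext/engineblock.ini` without ever restricting that file's mode; a `file: path=/etc/openconext/engineblock.ini mode=0640` task after it would close that.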
@@ -37,41 +37,60 @@ Setup SHOULD be able to upgrade an existing installation of any previous version Version MUST display the currently installed version of the component. Version MUST return a non-0 status code if the component is not installed. -## Example lifecycle: +#Example lifecycle: ```bash git clone git://url/component.git git checkout 3.0.0 -# Check for existence +## Check for existence ansible-playbook tools/ansible/version.yml -# Initial install +## Initial install ansible-playbook tools/ansible/install.yml -e "version=3.0.0" -# Configuration -# Settings changed in /etc/openconext/component.ini +## Settings changed in /etc/openconext/component.ini -# Setup the component +## Setup the component ansible-playbook tools/ansible/setup.yml -# Some time later an update arrives +## Some time later an update arrives ansible-playbook tools/ansible/install.yml -e "version=3.0.1" -# Check version +## Check version ansible-playbook tools/ansible/version.yml # Returns "3.0.1" -# A developer decides to switch to a feature development version +## A developer decides to switch to a feature development version ansible-playbook tools/ansible/install.yml -e "version=feature/awesome-feature" -# Check version +## Check version ansible-playbook tools/ansible/version.yml -# Returns "feature/awesome-feature" +## Returns "feature/awesome-feature" -# The developer releases a new version and switches back to that +## The developer releases a new version and switches back to that ansible-playbook tools/ansible/install.yml -e "version=3.1.0" -# Component is no longer needed and needs to be deinstalled +## Component is no longer needed and needs to be deinstalled ansible-playbook tools/ansible/erase.yml -``` \ No newline at end of file +``` + +# Drawing the line between component and environment + +A Component MAY provide a template for environment required configuration. + +A Component MUST NOT modify non-standard environment configuration. 
+ +A Component MAY supply updated environment configuration with a message to verify and install manually. + +A Component MAY not operate after a successful install. + +A Component MUST operate after a successful setup. + +A Component MUST NOT restart services it has not provided. + +A Component MAY depend on other components or other third party software but SHOULD not install it. + +When in doubt think: **would you expect an rpm install to perform this?**
+If **yes**, then the **Component** is responsible.
+If **no**, then the **Environment** is responsible. \ No newline at end of file diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index 51c3ac2..69d0fb9 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -6,6 +6,7 @@ yum install -y ansible && # Run Ansible playbook ansible-playbook -i tools/ansible/inventory/demo.openconext.org tools/ansible/provision-engine.yml \ -e "version=$ENGINEBLOCK_VERSION" \ + -e "domain=$OC_DOMAIN" \ -e "engine_db_name=engineblock" \ -e "engine_db_host=localhost" \ -e "engine_db_port=3306" \ 
@@ -13,58 +14,13 @@ ansible-playbook -i tools/ansible/inventory/demo.openconext.org tools/ansible/pr -e "engine_db_password=$OC__ENGINE_DB_PASS" \ -e "admin_db_user=root" \ -e "admin_db_password=$OC__ROOT_DB_PASS" \ - -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN" - -e "serviceregistry_user=$OC__ENGINE_JANUSAPI_USER" - -e "serviceregistry_pass=$OC__ENGINE_JANUSAPI_PASS" - -e "engine_ldap_binddn=cn:engine,dc:surfconext,dc:nl" + -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN" \ + -e "serviceregistry_user=$OC__ENGINE_JANUSAPI_USER" \ + -e "serviceregistry_pass=$OC__ENGINE_JANUSAPI_PASS" \ + -e "engine_ldap_binddn=cn:engine,dc:surfconext,dc:nl" \ -e "engine_ldap_password=$OC__LDAP_PASS" - - -if $UPGRADE -then - source /etc/profile.d/openconext.sh - -else - - if [ -f /etc/surfconext/engineblock.crt ] - then - backupFile /etc/surfconext/engineblock.crt - fi - # Generate Self Signed Certificate for EngineBlock and add it to the configuration - cd /tmp && - openssl req -subj '/CN=Engine/OU=Services/O=OpenConext/C=NL/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem > /dev/null - EB_CRT=`cat example.org.crt` && - EB_KEY=`cat example.org.pem` && - EB_CRT_NO_HEADERS=`sed '1d;$d' example.org.crt` && - echo "" >> /etc/surfconext/engineblock.ini && - echo "encryption.key.public = \"${EB_CRT}\"" >> /etc/surfconext/engineblock.ini && - echo "encryption.key.private = \"${EB_KEY}\"" >> /etc/surfconext/engineblock.ini && - echo "auth.simplesamlphp.idp.cert = \"${EB_CRT_NO_HEADERS}\"" >> /etc/surfconext/engineblock.ini - cp example.org.crt /etc/surfconext/engineblock.crt && - rm example.org.crt example.org.pem - - # Updating LDAP schema some more... 
- ldapmodify -x -D cn=admin,cn=config -h localhost -w "$OC__LDAP_PASS" -f /opt/www/engineblock/ldap/changes/addDeprovisionWarningSentAttributes.ldif - ldapmodify -x -D cn=admin,cn=config -h localhost -w "$OC__LDAP_PASS" -f /opt/www/engineblock/ldap/changes/addCollabPersonUUID.ldif - - # Apply LDAP credentials to file engineblock.ini - sed -i "s/__OC__ENGINE_LDAP_PASSWD__/$OC__LDAP_PASS/g" /etc/surfconext/engineblock.ini - - # Update apache conf - cat $OC_BASEDIR/configs/httpd/conf.d/engine.conf | \ - sed -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/g" > \ - /etc/httpd/conf.d/engine.conf - cat $OC_BASEDIR/configs/httpd/conf.d/engine-internal.conf | \ - sed -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/g" > \ - /etc/httpd/conf.d/engine-internal.conf - cat $OC_BASEDIR/configs/httpd/conf.d/profile.conf | \ - sed -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/g" > \ - /etc/httpd/conf.d/profile.conf - - # Make public key available for other components - ENGINEBLOCK_CERT=`sed '1d;$d' /etc/surfconext/engineblock.crt | tr -d '\n'` -fi - -cd /opt/www/engineblock/ -./bin/migrate +EB_CRT=`cat /etc/openconext/engineblock.default.pem.crt` && +EB_KEY=`cat /etc/openconext/engineblock.default.pem.key` && +EB_CRT_NO_HEADERS=`sed '1d;$d' /etc/openconext/engineblock.default.pem.crt` && +ENGINEBLOCK_CERT=`sed '1d;$d' /etc/surfconext/engineblock.crt | tr -d '\n'` \ No newline at end of file diff --git a/tools/ansible/install-engine.yml b/tools/ansible/install-engine.yml index 9f207f4..2b52a94 100644 --- a/tools/ansible/install-engine.yml +++ b/tools/ansible/install-engine.yml @@ -14,8 +14,6 @@ - name: "BUILD - Legacy: Remove obsolete profile.d/openconext.sh" file: path=/etc/profile.d/openconext.sh state=absent - #- name: Install fresh signing keys if they don't already exist - - name: "BUILD - Legacy: Move /var/log/surfconext to /var/log/openconext" command: mv /var/log/surfconext {{ logging_dir }} ignore_errors: yes 
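Review bot: The three new `cat` lines read `/etc/openconext/engineblock.default.pem.crt` and `.key`, but the playbook in this same commit generates `engineblock.crt` and `engineblock.key` in `/etc/openconext` and configures `/etc/surfconext/engineblock.key`/`.crt`, so these `cat`s fail on a fresh host and `ENGINEBLOCK_CERT` reads a `/etc/surfconext/engineblock.crt` that nothing left in the series creates. `EB_KEY` also pulls the private key into a shell variable that no remaining line of this script uses. Either drop `EB_CRT`/`EB_KEY`/`EB_CRT_NO_HEADERS` or make the paths match the playbook's, and keep the private key out of the shell environment unless a consumer actually needs it.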
diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml
index 2f7fee5..0c33b48 100644
--- a/tools/ansible/provision-engine.yml
+++ b/tools/ansible/provision-engine.yml
@@ -13,32 +13,30 @@ current_release_symlink: "/opt/www/engineblock" download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ version }}/OpenConext-engineblock-{{ version }}.tar.gz" config: - auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.20140617.pem + auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.default.pem auth.simplesamlphp.idp.location : "https://engine.demo.openconext.org/authentication/idp/single-sign-on" auth.simplesamlphp.idp.entityid : "https://engine.demo.openconext.org/authentication/idp/metadata" cookie.lang.domain : "demo.openconext.org" cookie.lang.expiry : "60*60*24*60" database.master1.user : "{{ engine_db_user }}" - database.master1.dsn : "mysql:host:localhost;dbname:engineblock" - database.master1.password : "enginepass" + database.master1.dsn : "mysql:host:{{ engine_db_host }};dbname:{{ engine_db_name }}" + database.master1.password : "{{ engine_db_password }}" database.masters[] : "master1" database.slaves[] : "master1" dynamicassets : true email.sendwelcomemail : 0 - encryption.keys.20140414.privatefile : "/etc/surfconext/engineblock.key.20140414.pem" - encryption.keys.20140414.publicfile : /etc/surfconext/engineblock.20140414.pem - encryption.keys.20140617.publicfile : /etc/surfconext/engineblock.20140617.pem - encryption.keys.20140617.privatefile : /etc/surfconext/engineblock.20140617.key + encryption.keys.default.privateFile : /etc/surfconext/engineblock.key + encryption.keys.default.publicFile : /etc/surfconext/engineblock.crt ldap.accountdomainname : "surfconext.nl" ldap.basedn : "dc:surfconext,dc:nl" ldap.host : "ldap.demo.openconext.org" ldap.usessl : 0 - ldap.username : "cn:engine,dc:surfconext,dc:nl" - ldap.password : "jf7RH4Hj20De" + ldap.username : "{{ engine_ldap_binddn }}" + ldap.password : "{{ engine_ldap_password }}" logs.file.writername : "Stream" logs.file.writerparams.stream : "/var/log/surfconext/engineblock.log" - serviceregistry.user : "engine" 
serviceregistry.location : "https://serviceregistry.demo.openconext.org/simplesaml/module.php/janus/services/rest/" + serviceregistry.user : "engine" serviceregistry.user_secret : "engineblock" tasks: @@ -96,6 +94,16 @@ include: install-engine-src.yml when: version | match("^[^0-9]") + - name: Detect default certificates. + stat: path=/etc/openconext/engineblock.default.pem.key + register: default_cert + + - name: Generate new default certificate if none was found. + command: openssl req -subj '/CN=Engine/OU=Services/O=OpenConext/C=NL/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out engineblock.crt -keyout engineblock.key + args: + chdir: /etc/openconext + when: default_cert.stat.exists == false + - name: Set configuration ini_file: dest: /etc/openconext/engineblock.ini 
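Review bot: `serviceregistry.user_secret : "engineblock"` stays a literal even though the script passes `serviceregistry_pass`, and `serviceregistry.user : "engine"` plus the hard-coded `serviceregistry.demo.openconext.org` location likewise ignore the `serviceregistry_user` and `serviceregistry_url` extra-vars that are passed in. Change them to `"{{ serviceregistry_pass }}"`, `"{{ serviceregistry_user }}"` and `"{{ serviceregistry_url }}/simplesaml/module.php/janus/services/rest/"` so the demo credentials no longer live in the playbook. The key paths in this map (`/etc/surfconext/engineblock.key`, `/etc/surfconext/engineblock.crt`, `/etc/surfconext/engineblock.default.pem`) also do not match where the certificate task below writes its files.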
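Review bot: The guard never takes effect: `stat` looks at `/etc/openconext/engineblock.default.pem.key` while the `openssl req` writes `engineblock.key` and `engineblock.crt`, so `default_cert.stat.exists` stays false and every run mints a fresh 10-year IdP key pair, silently rotating the SAML signing key that relying SPs have cached. Point the stat at the file the command produces, `stat: path=/etc/openconext/engineblock.key`, and make the `config` map's `encryption.keys.default.*` and `auth.simplesamlphp.idp.certificate` paths agree with it. The `-nodes` private key is created with the provisioning user's umask; follow the command with `file: path=/etc/openconext/engineblock.key mode=0600`, owned by the account EngineBlock runs as.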
@@ -104,29 +112,12 @@ value: "{{ item.value }}" with_dict: config - - name: Detect certificates - stat: path=/etc/openconext/engineblock/engineblock.*( - register: - - - name: - command: openssl req -subj '/CN=Engine/OU=Services/O=OpenConext/C=NL/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out example.org.crt -keyout example.org.pem - args: - chdir: /tmp - - - name: - - - cd /tmp && - - EB_CRT=`cat example.org.crt` && - EB_KEY=`cat example.org.pem` && - EB_CRT_NO_HEADERS=`sed '1d;$d' example.org.crt` && - echo "" >> /etc/surfconext/engineblock.ini && - echo "encryption.key.public = \"${EB_CRT}\"" >> /etc/surfconext/engineblock.ini && - echo "encryption.key.private = \"${EB_KEY}\"" >> /etc/surfconext/engineblock.ini && - echo "auth.simplesamlphp.idp.cert = \"${EB_CRT_NO_HEADERS}\"" >> /etc/surfconext/engineblock.ini - cp example.org.crt /etc/surfconext/engineblock.crt && - rm example.org.crt example.org.pem + - name: Update LDAP + command: ldapmodify -x -D "{{ admin_ldap_binddn }}" -h localhost -w "{{ admin_ldap password }}" -f {{ item }} + with_items: + - /opt/www/engineblock/ldap/changes/addDeprovisionWarningSentAttributes.ldif + - /opt/www/engineblock/ldap/changes/addCollabPersonUUID.ldif + ignore_errors: true - name: Run EngineBlock migrations command: ./bin/migrate From e1a055e359073a8f6eda634352718f4d81fe950e Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Tue, 1 Jul 2014 22:24:03 +0200 Subject: [PATCH 05/49] Fixed INI settings --- tools/ansible/provision-engine.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml index 0c33b48..2b4ed5c 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision-engine.yml 
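Review bot: `-w "{{ admin_ldap password }}"` has a space in the variable name, so it is not `admin_ldap_password` and the task fails with an undefined-variable error — and engineblock.sh only passes `engine_ldap_*`, not `admin_ldap_*`, so even the intended name is unset. Because `ignore_errors: true` follows, that failure is swallowed and `./bin/migrate` then runs against a directory missing the `addCollabPersonUUID` schema change. Fix the name, pass the password with `-y` from a 0600 file instead of `-w` on the command line (which exposes the directory admin password in `ps`), add `no_log: true` to the task, and replace `ignore_errors` with a `failed_when` that tolerates only the rerun case you actually expect.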
@@ -15,7 +15,7 @@ config: auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.default.pem auth.simplesamlphp.idp.location : "https://engine.demo.openconext.org/authentication/idp/single-sign-on" - auth.simplesamlphp.idp.entityid : "https://engine.demo.openconext.org/authentication/idp/metadata" + auth.simplesamlphp.idp.entityId : "https://engine.demo.openconext.org/authentication/idp/metadata" cookie.lang.domain : "demo.openconext.org" cookie.lang.expiry : "60*60*24*60" database.master1.user : "{{ engine_db_user }}" @@ -23,21 +23,21 @@ database.master1.password : "{{ engine_db_password }}" database.masters[] : "master1" database.slaves[] : "master1" - dynamicassets : true - email.sendwelcomemail : 0 + dynamicAssets : true + email.sendWelcomeMail : 0 encryption.keys.default.privateFile : /etc/surfconext/engineblock.key encryption.keys.default.publicFile : /etc/surfconext/engineblock.crt - ldap.accountdomainname : "surfconext.nl" - ldap.basedn : "dc:surfconext,dc:nl" + ldap.accountDomainName : "surfconext.nl" + ldap.baseDn : "dc:surfconext,dc:nl" ldap.host : "ldap.demo.openconext.org" - ldap.usessl : 0 - ldap.username : "{{ engine_ldap_binddn }}" + ldap.useSsl : 0 + ldap.userName : "{{ engine_ldap_binddn }}" ldap.password : "{{ engine_ldap_password }}" logs.file.writername : "Stream" logs.file.writerparams.stream : "/var/log/surfconext/engineblock.log" - serviceregistry.location : "https://serviceregistry.demo.openconext.org/simplesaml/module.php/janus/services/rest/" - serviceregistry.user : "engine" - serviceregistry.user_secret : "engineblock" + serviceRegistry.location : "https://serviceregistry.demo.openconext.org/simplesaml/module.php/janus/services/rest/" + serviceRegistry.user : "engine" + serviceRegistry.user_secret : "engineblock" tasks: - name: Make sure a database exists From 8030575344e4cf6007246492213630b79475d62b Mon Sep 17 00:00:00 2001 
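Review bot: The renamed `ldap.useSsl : 0` setting sends the `ldap.password` bind credential over a cleartext LDAP connection to `ldap.demo.openconext.org`; for a demo host that may be intended, but a comment saying so (or making it a variable like the other host-specific settings) would stop the value being copied into a production inventory unchanged. The renamed `serviceRegistry.user_secret : "engineblock"` line likewise embeds a fixed default credential in the playbook rather than taking it from an injected variable. The `config:` mapping these hunks edit starts outside them.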
From: Boy Baukema Date: Tue, 1 Jul 2014 22:24:34 +0200 Subject: [PATCH 06/49] Minor bugfix --- tools/ansible/provision-engine.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml index 2b4ed5c..898d21c 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision-engine.yml @@ -65,7 +65,7 @@ - name: Write out SQL file with proper domain template: src=data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql - when: engine_db_installed.changed + when: engine_db_install.changed - name: Install initial Database schema when a new database was created mysql_db: From f1c05d0df1e2c6a525128ee4992a08801a0bdceb Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Tue, 1 Jul 2014 22:25:05 +0200 Subject: [PATCH 07/49] Fixed default key and migration of configuration file --- tools/ansible/install-engine.yml | 5 +---- tools/ansible/provision-engine.yml | 10 ++++++++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/tools/ansible/install-engine.yml b/tools/ansible/install-engine.yml index 2b52a94..4453bf3 100644 --- a/tools/ansible/install-engine.yml +++ b/tools/ansible/install-engine.yml @@ -22,7 +22,4 @@ file: path={{ logging_dir }} state=directory - name: "BUILD - Legacy: Install symlink from /var/log/surfconext to /var/log/openconext" - file: path=/var/log/surfconext src={{ logging_dir }} state=link - - - name: "BUILD - Migrate the configuration file" - command: "{{ release_dir }}/bin/migrate_etc.php" \ No newline at end of file + file: path=/var/log/surfconext src={{ logging_dir }} state=link \ No newline at end of file diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml index 898d21c..2d047e1 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision-engine.yml 
@@ -94,8 +94,14 @@ include: install-engine-src.yml when: version | match("^[^0-9]") + - name: Migrate the configuration file + command: "{{ release_dir }}/bin/migrate_etc.php" + + - name: Install migrated configuration file + command: install -b /etc/surfconext/engineblock.ini.new /etc/surfconext/engineblock.ini + - name: Detect default certificates. - stat: path=/etc/openconext/engineblock.default.pem.key + stat: path=/etc/openconext/engineblock.key register: default_cert - name: Generate new default certificate if none was found. @@ -107,7 +113,7 @@ - name: Set configuration ini_file: dest: /etc/openconext/engineblock.ini - section: "[{{ version }}]" + section: "local" option: "{{ item.key }}" value: "{{ item.value }}" with_dict: config From 5262034902753e19499ac41131dc22b2ece32940 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Tue, 1 Jul 2014 22:26:37 +0200 Subject: [PATCH 08/49] Fixed LDAP provisioning --- tools/ansible/provision-engine.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml index 2d047e1..1b5b29b 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision-engine.yml @@ -45,9 +45,9 @@ state: present name: "{{ engine_db_name }}" login_host: "{{ engine_db_host }}" - login_port: "{{ engine_db_port}}" + login_port: "{{ engine_db_port }}" login_user: "{{ admin_db_user }}" - login_password: "{{ admin_db_password}}" + login_password: "{{ admin_db_password }}" encoding: utf8 collation: utf8_unicode_ci register: engine_db_install 
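Review bot: `install -b /etc/surfconext/engineblock.ini.new /etc/surfconext/engineblock.ini` in the new "Install migrated configuration file" task applies install's default mode 0755, so an INI carrying database and LDAP passwords ends up world-readable; `install -b -m 0640 -o root -g <web-server group, to be confirmed> ...` limits that. Both new command tasks also run on every play with no `creates:` or `changed_when`, and `-b` leaves a fresh `engineblock.ini~` backup (with the same contents and exposure) on each run, which works against the idempotency goal stated in README-DEVS.md. The migrate/install steps operate on /etc/surfconext while the later "Set configuration" task writes /etc/openconext/engineblock.ini — presumably one is a symlink to the other, but that is not visible here and worth confirming in a comment.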
@@ -121,8 +121,8 @@ - name: Update LDAP command: ldapmodify -x -D "{{ admin_ldap_binddn }}" -h localhost -w "{{ admin_ldap password }}" -f {{ item }} with_items: - - /opt/www/engineblock/ldap/changes/addDeprovisionWarningSentAttributes.ldif - - /opt/www/engineblock/ldap/changes/addCollabPersonUUID.ldif + - "{{ release_dir }}/ldap/changes/addDeprovisionWarningSentAttributes.ldif" + - "{{ release_dir }}/ldap/changes/addCollabPersonUUID.ldif" ignore_errors: true - name: Run EngineBlock migrations From 3b42cbb8f715ccf4935a90e22f7c4db3856e3bad Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Thu, 3 Jul 2014 08:45:29 +0200 Subject: [PATCH 09/49] Bugfix for root being allowed to connect to root@localhost but not to root@db.$OC_DOMAIN --- scripts/dependencies/mysql_install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/dependencies/mysql_install.sh b/scripts/dependencies/mysql_install.sh index 411ff51..d7d9b76 100755 --- a/scripts/dependencies/mysql_install.sh +++ b/scripts/dependencies/mysql_install.sh @@ -18,3 +18,7 @@ else echo -e "\nValidating MySQL Root password: FAILED\n" exit fi + +echo -e "Enabling root access on db.$OC_DOMAIN" +echo "GRANT ALL ON *.* TO 'root'@'db.$OC_DOMAIN' IDENTIFIED BY '$OC__ROOT_DB_PASS' WITH GRANT OPTION;" \ + | myql -u root -p$OC__ROOT_DB_PASS \ No newline at end of file From d3428769381ce8ad2e6861e18bcde595bcd00646 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Thu, 3 Jul 2014 10:35:08 +0200 Subject: [PATCH 10/49] Bugfix: typo in command name --- scripts/dependencies/mysql_install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/dependencies/mysql_install.sh b/scripts/dependencies/mysql_install.sh index d7d9b76..a62a02c 100755 --- a/scripts/dependencies/mysql_install.sh +++ b/scripts/dependencies/mysql_install.sh 
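Review bot: The new GRANT line interpolates `$OC__ROOT_DB_PASS` unquoted into both the SQL statement and `-p$OC__ROOT_DB_PASS`, so a password containing a quote, space or shell metacharacter breaks the statement or the command, and the `-p` form exposes the password in the process list while the client runs. Quoting the variable and supplying it via `MYSQL_PWD` or a temporary `--defaults-extra-file` with mode 0600 avoids both; the same `-p$OC__ROOT_DB_PASS` pattern recurs in the `mysqladmin` calls of PATCH 12 and 13. `GRANT ALL ON *.* ... WITH GRANT OPTION` to `'root'@'db.$OC_DOMAIN'` creates a full superuser reachable from wherever that name resolves, so a comment on why a host-specific root account is needed instead of a least-privileged one would help the next reader. Note the FAILED branch just above ends in a bare `exit` (status 0), so a wrong root password does not stop the script before this grant is attempted.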
@@ -21,4 +21,4 @@ fi echo -e "Enabling root access on db.$OC_DOMAIN" echo "GRANT ALL ON *.* TO 'root'@'db.$OC_DOMAIN' IDENTIFIED BY '$OC__ROOT_DB_PASS' WITH GRANT OPTION;" \ - | myql -u root -p$OC__ROOT_DB_PASS \ No newline at end of file + | mysql -u root -p$OC__ROOT_DB_PASS \ No newline at end of file From 086504d8b9b2fc33679a4d378e0527efb5698bbd Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Thu, 3 Jul 2014 15:29:36 +0200 Subject: [PATCH 11/49] Fixed reference to Ansible inventory --- scripts/components/engineblock.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index 69d0fb9..461c2f1 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -4,7 +4,7 @@ yum install -y ansible && # Run Ansible playbook -ansible-playbook -i tools/ansible/inventory/demo.openconext.org tools/ansible/provision-engine.yml \ +ansible-playbook -i tools/ansible/inventory/demo.openconext.org.ini tools/ansible/provision-engine.yml \ -e "version=$ENGINEBLOCK_VERSION" \ -e "domain=$OC_DOMAIN" \ -e "engine_db_name=engineblock" \ From 325557581b1e7ca595dd8fd4271cd7c1958e8c9e Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Thu, 3 Jul 2014 15:30:09 +0200 Subject: [PATCH 12/49] Fixed idempotency of MySQL install --- scripts/dependencies/mysql_install.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/scripts/dependencies/mysql_install.sh b/scripts/dependencies/mysql_install.sh index a62a02c..3f005ff 100755 --- a/scripts/dependencies/mysql_install.sh +++ b/scripts/dependencies/mysql_install.sh 
@@ -6,10 +6,16 @@ $YUM -y install mysql mysql-server mysql-connector-java service mysqld restart chkconfig mysqld on -# configure MySQL -echo -e "\n\nSetting new MySQL Root password \n\n" -mysqladmin -u root password $OC__ROOT_DB_PASS +# Root PW already set? +success=`mysqladmin -uroot -p$OC__ROOT_DB_PASS ping | grep -c "mysqld is alive"` +if [[ $success != '1' ]] +then + # If not then try to connect without a password and set it + echo -e "\n\nSetting new MySQL Root password \n\n" + mysqladmin -u root password $OC__ROOT_DB_PASS +fi +# Test connection with proper root password. success=`mysqladmin -uroot -p$OC__ROOT_DB_PASS ping | grep -c "mysqld is alive"` if [[ $success == '1' ]] then From 9d7484261108a5037177605ffba442738741d9f9 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Thu, 3 Jul 2014 17:01:18 +0200 Subject: [PATCH 13/49] Ignore errors detecting if the MySQL root password has been set. --- scripts/dependencies/mysql_install.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/dependencies/mysql_install.sh b/scripts/dependencies/mysql_install.sh index 3f005ff..d67a030 100755 --- a/scripts/dependencies/mysql_install.sh +++ b/scripts/dependencies/mysql_install.sh @@ -6,8 +6,11 @@ $YUM -y install mysql mysql-server mysql-connector-java service mysqld restart chkconfig mysqld on -# Root PW already set? +# Root PW already set? Ignore any errors on this one. +set +e success=`mysqladmin -uroot -p$OC__ROOT_DB_PASS ping | grep -c "mysqld is alive"` +set -e + if [[ $success != '1' ]] then # If not then try to connect without a password and set it From 18d694a26e8c742f7ed3791d82f4d23ffe693919 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 4 Jul 2014 07:15:40 +0200 Subject: [PATCH 14/49] Fixed indentation for Ansible playbook and use OC_BASEDIR for absolute paths or get "ERROR: Unable to find an inventory file, specify one with -i ?" --- scripts/components/engineblock.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
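Review bot: The `success=\`mysqladmin -uroot -p$OC__ROOT_DB_PASS ping | grep -c "mysqld is alive"\`` check cannot distinguish "no root password set yet" from "root password set to a different value", so in the second case the script proceeds to `mysqladmin -u root password ...`, which fails against an already-protected server; the later "Test connection" block catches that, but an explicit message naming the likely cause would make the failure mode clear. The `set +e` / `set -e` pair added in PATCH 13 relaxes error handling for the whole pipeline; appending `|| true` to the `grep -c` pipeline instead confines the relaxation to the one command expected to return non-zero. Quoting `"$OC__ROOT_DB_PASS"` applies here as in the GRANT hunk.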
diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index 461c2f1..02b60a9 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -4,7 +4,8 @@ yum install -y ansible && # Run Ansible playbook -ansible-playbook -i tools/ansible/inventory/demo.openconext.org.ini tools/ansible/provision-engine.yml \ +ansible-playbook \ + -i $OC_BASEDIR/tools/ansible/inventory/demo.openconext.org.ini \ -e "version=$ENGINEBLOCK_VERSION" \ -e "domain=$OC_DOMAIN" \ -e "engine_db_name=engineblock" \ @@ -18,7 +19,8 @@ ansible-playbook -i tools/ansible/inventory/demo.openconext.org.ini tools/ansibl -e "serviceregistry_user=$OC__ENGINE_JANUSAPI_USER" \ -e "serviceregistry_pass=$OC__ENGINE_JANUSAPI_PASS" \ -e "engine_ldap_binddn=cn:engine,dc:surfconext,dc:nl" \ - -e "engine_ldap_password=$OC__LDAP_PASS" + -e "engine_ldap_password=$OC__LDAP_PASS" \ + $OC_BASEDIR/tools/ansible/provision-engine.yml EB_CRT=`cat /etc/openconext/engineblock.default.pem.crt` && EB_KEY=`cat /etc/openconext/engineblock.default.pem.key` && From a17631451a930f33e3176d1ff1f8f45c63933f5d Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 4 Jul 2014 07:25:22 +0200 Subject: [PATCH 15/49] Also install pythons mysqldb module for Ansible --- scripts/components/engineblock.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index 02b60a9..99c1c0a 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -1,7 +1,7 @@ #!/bin/bash # Make sure Ansible is installed -yum install -y ansible && +yum install -y ansible MySQL-python && # Run Ansible playbook ansible-playbook \ From ec3b49b4b15b74b25e98b6c0d575da4566ed5311 Mon Sep 17 00:00:00 2001 
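Review bot: The new `-i $OC_BASEDIR/tools/ansible/inventory/demo.openconext.org.ini` and `$OC_BASEDIR/tools/ansible/provision-engine.yml` arguments are unquoted, so a base directory containing whitespace splits into several arguments; `"$OC_BASEDIR/..."` is the safe form. The lines right after the playbook call still read `/etc/openconext/engineblock.default.pem.crt` and `.pem.key`, while the playbook's certificate task now generates `engineblock.crt` and `engineblock.key` (PATCH 07), so if this tail is still meant to run it presumably reads files the playbook no longer creates — worth confirming. The `ansible-playbook` invocation continues between and past the two hunks.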
From: Boy Baukema Date: Fri, 4 Jul 2014 07:26:14 +0200 Subject: [PATCH 16/49] Minor refactoring / documentation EB Ansible vars --- tools/ansible/install-engine.yml | 2 +- tools/ansible/provision-engine.yml | 17 +++++++++++------ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/tools/ansible/install-engine.yml b/tools/ansible/install-engine.yml index 4453bf3..6fc5d60 100644 --- a/tools/ansible/install-engine.yml +++ b/tools/ansible/install-engine.yml @@ -1,6 +1,6 @@ --- - name: "BUILD - Get the current release" - get_url: dest="{{ build_path }}" url={{ download_url }} + get_url: dest="{{ eb_build_path }}" url={{ download_url }} - name: "BUILD - Unarchive it" unarchive: dest={{ releases_dir }} src={{ build_path }} copy=no diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml index 1b5b29b..4757852 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision-engine.yml 
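Review bot: The rename is only half applied in this hunk: `get_url` now reads `eb_build_path` but still uses `{{ download_url }}`, and the unchanged `unarchive` line below references `{{ build_path }}`, while the provision-engine.yml hunk in the same commit renames both variables to `eb_download_url` / `eb_build_path`. As committed, the build-path install aborts on an undefined variable; the two lines should read `get_url: dest="{{ eb_build_path }}" url={{ eb_download_url }}` and `unarchive: dest={{ releases_dir }} src={{ eb_build_path }} copy=no`.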
@@ -4,15 +4,20 @@ remote_user: "{{ remote_user }}" vars: + # General vars, note that these should be moved to a parent playbook in future versions + # Note that ordering matters here! temp_dir: "/tmp" logging_dir: "/var/log/openconext" releases_dir: "/opt/openconext" release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ version }}" builds_dir: "{{ releases_dir }}/builds" - build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ version }}.tar.gz" - current_release_symlink: "/opt/www/engineblock" - download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ version }}/OpenConext-engineblock-{{ version }}.tar.gz" - config: + + # Engine specific variables + eb_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ version }}.tar.gz" + eb_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ version }}/OpenConext-engineblock-{{ version }}.tar.gz" + eb_current_release_symlink: "/opt/www/engineblock" + + eb_config: auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.default.pem auth.simplesamlphp.idp.location : "https://engine.demo.openconext.org/authentication/idp/single-sign-on" auth.simplesamlphp.idp.entityId : "https://engine.demo.openconext.org/authentication/idp/metadata" @@ -116,7 +121,7 @@ section: "local" option: "{{ item.key }}" value: "{{ item.value }}" - with_dict: config + with_dict: eb_config - name: Update LDAP command: ldapmodify -x -D "{{ admin_ldap_binddn }}" -h localhost -w "{{ admin_ldap password }}" -f {{ item }} @@ -131,4 +136,4 @@ chdir: "{{ release_dir }}" - name: Activate new EngineBlock - file: src={{ release_dir }} dest={{ current_release_symlink }} state=link \ No newline at end of file + file: src={{ release_dir }} dest={{ eb_current_release_symlink }} state=link \ No newline at end of file From 16ace284366dcd5bacc10e0551b64727710bf5e7 Mon Sep 17 00:00:00 2001 
From: Boy Baukema Date: Fri, 4 Jul 2014 07:32:55 +0200 Subject: [PATCH 17/49] Fixed path to engineblock initial data dump --- tools/ansible/provision-engine.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml index 4757852..98d519d 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision-engine.yml @@ -69,7 +69,7 @@ login_password: "{{ admin_db_password}}" - name: Write out SQL file with proper domain - template: src=data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql + template: src=../../data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql when: engine_db_install.changed - name: Install initial Database schema when a new database was created From f78899b448e769e9883c46e59170e0a85014899c Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 4 Jul 2014 07:39:20 +0200 Subject: [PATCH 18/49] Switch to using feature/ansible for EB. --- scripts/versions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/versions.sh b/scripts/versions.sh index cee7f56..153da4b 100755 --- a/scripts/versions.sh +++ b/scripts/versions.sh @@ -1,7 +1,7 @@ #!/bin/bash # these versions are tag names -export ENGINEBLOCK_VERSION=develop +export ENGINEBLOCK_VERSION=feature/ansible export API_VERSION=develop export MANAGE_VERSION=develop export SERVICEREGISTRY_VERSION=develop From f4f072322160d7b45f18b4ddae28e45ce254a3ab Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 4 Jul 2014 09:03:18 +0200 Subject: [PATCH 19/49] Made Ansible var naming consistently start with the component name. --- scripts/components/engineblock.sh | 14 ++++---- tools/ansible/install-engine-src.yml | 6 ++-- tools/ansible/install-engine.yml | 6 ++-- tools/ansible/provision-engine.yml | 48 ++++++++++++++-------------- 4 files changed, 37 insertions(+), 37 deletions(-) diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index 99c1c0a..4c8e07a 100755 
--- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -6,20 +6,20 @@ yum install -y ansible MySQL-python && # Run Ansible playbook ansible-playbook \ -i $OC_BASEDIR/tools/ansible/inventory/demo.openconext.org.ini \ - -e "version=$ENGINEBLOCK_VERSION" \ - -e "domain=$OC_DOMAIN" \ + -e "openconext_domain=$OC_DOMAIN" \ + -e "engine_version=$ENGINEBLOCK_VERSION" \ -e "engine_db_name=engineblock" \ -e "engine_db_host=localhost" \ -e "engine_db_port=3306" \ -e "engine_db_user=$OC__ENGINE_DB_USER" \ -e "engine_db_password=$OC__ENGINE_DB_PASS" \ - -e "admin_db_user=root" \ - -e "admin_db_password=$OC__ROOT_DB_PASS" \ - -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN" \ - -e "serviceregistry_user=$OC__ENGINE_JANUSAPI_USER" \ - -e "serviceregistry_pass=$OC__ENGINE_JANUSAPI_PASS" \ -e "engine_ldap_binddn=cn:engine,dc:surfconext,dc:nl" \ -e "engine_ldap_password=$OC__LDAP_PASS" \ + -e "db_admin_user=root" \ + -e "db_admin_password=$OC__ROOT_DB_PASS" \ + -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \ + -e "serviceregistry_user=$OC__ENGINE_JANUSAPI_USER" \ + -e "serviceregistry_secret=$OC__ENGINE_JANUSAPI_PASS" \ $OC_BASEDIR/tools/ansible/provision-engine.yml EB_CRT=`cat /etc/openconext/engineblock.default.pem.crt` && diff --git a/tools/ansible/install-engine-src.yml b/tools/ansible/install-engine-src.yml index d7ba99c..b109766 100644 --- a/tools/ansible/install-engine-src.yml +++ b/tools/ansible/install-engine-src.yml @@ -3,10 +3,10 @@ git: accept_hostkey: yes repo: https://github.com/OpenConext/OpenConext-engineblock.git - dest: "{{ release_dir }}" - version: "{{ version }}" + dest: "{{ engine_release_dir }}" + version: "{{ engine_version }}" - name: "SRC - Running Composer install" command: ./bin/composer.phar --prefer-dist --no-interaction install args: - chdir: "{{ release_dir }}" \ No newline at end of file + chdir: "{{ engine_release_dir }}" \ No newline at end of file 
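Review bot: The re-ordered `-e` arguments still pass `db_admin_password`, `engine_db_password`, `engine_ldap_password` and the new `serviceregistry_secret` as key=value on the ansible-playbook command line, where any local user can read them from the process list for the duration of the run, and Ansible echoes them once `-v` is added in PATCH 21. Writing the secret variables to a temporary vars file with mode 0600 and passing `-e @<that-file>` (non-secret values can stay inline) keeps them out of argv and logs. In the install-engine-src.yml hunk, `accept_hostkey: yes` trusts whatever host key github.com presents on first contact; pre-seeding known_hosts with the expected key would be the stricter option.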
diff --git a/tools/ansible/install-engine.yml b/tools/ansible/install-engine.yml index 6fc5d60..4aae881 100644 --- a/tools/ansible/install-engine.yml +++ b/tools/ansible/install-engine.yml @@ -1,13 +1,13 @@ --- - name: "BUILD - Get the current release" - get_url: dest="{{ eb_build_path }}" url={{ download_url }} + get_url: url="{{ engine_download_url }}" dest="{{ engine_build_path }}" - name: "BUILD - Unarchive it" - unarchive: dest={{ releases_dir }} src={{ build_path }} copy=no + unarchive: src={{ engine_build_path }} dest={{ releases_dir }} copy=no - name: "BUILD - Install default application settings" copy: - src: "{{ release_dir }}/etc/openconext/engineblock.ini" + src: "{{ engine_release_dir }}/etc/openconext/engineblock.ini" dest: /etc/openconext/engineblock.ini force: no diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml index 98d519d..7589002 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision-engine.yml 
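Review bot: `get_url: url="{{ engine_download_url }}" dest="{{ engine_build_path }}"` fetches the release tarball with no integrity check, and the next task unpacks it straight into `releases_dir`, so a corrupted or substituted download is installed without notice. `get_url` accepts `sha256sum=`; supplying a per-version digest (for example an `engine_build_sha256` variable defined next to `engine_version`) would make the build-path install verifiable, with TLS on the GitHub download otherwise the only protection. The "Install default application settings" task at the end of the hunk continues outside it.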
@@ -9,19 +9,19 @@ temp_dir: "/tmp" logging_dir: "/var/log/openconext" releases_dir: "/opt/openconext" - release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ version }}" builds_dir: "{{ releases_dir }}/builds" # Engine specific variables - eb_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ version }}.tar.gz" - eb_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ version }}/OpenConext-engineblock-{{ version }}.tar.gz" - eb_current_release_symlink: "/opt/www/engineblock" + engine_release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ engine_version }}" + engine_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ engine_version }}.tar.gz" + engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version }}.tar.gz" + engine_current_release_symlink: "/opt/www/engineblock" - eb_config: + engine_config: auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.default.pem - auth.simplesamlphp.idp.location : "https://engine.demo.openconext.org/authentication/idp/single-sign-on" - auth.simplesamlphp.idp.entityId : "https://engine.demo.openconext.org/authentication/idp/metadata" - cookie.lang.domain : "demo.openconext.org" + auth.simplesamlphp.idp.location : "https://engine.{{ openconext_domain }}/authentication/idp/single-sign-on" + auth.simplesamlphp.idp.entityId : "https://engine.{{ openconext_domain }}/authentication/idp/metadata" + cookie.lang.domain : "{{ openconext_domain }}" cookie.lang.expiry : "60*60*24*60" database.master1.user : "{{ engine_db_user }}" database.master1.dsn : "mysql:host:{{ engine_db_host }};dbname:{{ engine_db_name }}" 
@@ -34,15 +34,15 @@ encryption.keys.default.publicFile : /etc/surfconext/engineblock.crt ldap.accountDomainName : "surfconext.nl" ldap.baseDn : "dc:surfconext,dc:nl" - ldap.host : "ldap.demo.openconext.org" + ldap.host : "ldap.{{ openconext_domain }}" ldap.useSsl : 0 ldap.userName : "{{ engine_ldap_binddn }}" ldap.password : "{{ engine_ldap_password }}" logs.file.writername : "Stream" logs.file.writerparams.stream : "/var/log/surfconext/engineblock.log" - serviceRegistry.location : "https://serviceregistry.demo.openconext.org/simplesaml/module.php/janus/services/rest/" - serviceRegistry.user : "engine" - serviceRegistry.user_secret : "engineblock" + serviceRegistry.location : "{{ serviceregistry_url }}" + serviceRegistry.user : "{{ serviceregistry_user }}" + serviceRegistry.user_secret : "{{ serviceregistry_secret }}" tasks: - name: Make sure a database exists @@ -51,8 +51,8 @@ name: "{{ engine_db_name }}" login_host: "{{ engine_db_host }}" login_port: "{{ engine_db_port }}" - login_user: "{{ admin_db_user }}" - login_password: "{{ admin_db_password }}" + login_user: "{{ db_admin_user }}" + login_password: "{{ db_admin_password }}" encoding: utf8 collation: utf8_unicode_ci register: engine_db_install @@ -65,8 +65,8 @@ priv: "{{ engine_db_name }}.*:ALL" login_host: "{{ engine_db_host }}" login_port: "{{ engine_db_port}}" - login_user: "{{ admin_db_user }}" - login_password: "{{ admin_db_password}}" + login_user: "{{ db_admin_user }}" + login_password: "{{ db_admin_password}}" - name: Write out SQL file with proper domain template: src=../../data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql 
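Review bot: The `mysql_db` and `mysql_user` tasks in the second and third hunks now receive `db_admin_password` (and the latter also `engine_db_password`) as module arguments, which Ansible prints in task results under `-v`; marking those tasks `no_log: true` keeps the credentials out of console output and logs. The `@@ -65` hunk also keeps `login_port: "{{ engine_db_port}}"` and `login_password: "{{ db_admin_password}}"` without the space before `}}` that PATCH 08 added in the `@@ -45` block — harmless to Jinja, but worth aligning for consistency. The first hunk's `engine_config` mapping starts outside it.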
@@ -93,14 +93,14 @@ - name: Install Engine from Build (only when version starts with a number) include: install-engine.yml - when: version | match("^[0-9]") + when: engine_version | match("^[0-9]") - name: Install Engine from source (only when version does not start with a number) include: install-engine-src.yml - when: version | match("^[^0-9]") + when: engine_version | match("^[^0-9]") - name: Migrate the configuration file - command: "{{ release_dir }}/bin/migrate_etc.php" + command: "{{ engine_release_dir }}/bin/migrate_etc.php" - name: Install migrated configuration file command: install -b /etc/surfconext/engineblock.ini.new /etc/surfconext/engineblock.ini @@ -121,19 +121,19 @@ section: "local" option: "{{ item.key }}" value: "{{ item.value }}" - with_dict: eb_config + with_dict: engine_config - name: Update LDAP command: ldapmodify -x -D "{{ admin_ldap_binddn }}" -h localhost -w "{{ admin_ldap password }}" -f {{ item }} with_items: - - "{{ release_dir }}/ldap/changes/addDeprovisionWarningSentAttributes.ldif" - - "{{ release_dir }}/ldap/changes/addCollabPersonUUID.ldif" + - "{{ engine_release_dir }}/ldap/changes/addDeprovisionWarningSentAttributes.ldif" + - "{{ engine_release_dir }}/ldap/changes/addCollabPersonUUID.ldif" ignore_errors: true - name: Run EngineBlock migrations command: ./bin/migrate args: - chdir: "{{ release_dir }}" + chdir: "{{ engine_release_dir }}" - name: Activate new EngineBlock - file: src={{ release_dir }} dest={{ eb_current_release_symlink }} state=link \ No newline at end of file + file: src={{ engine_release_dir }} dest={{ engine_current_release_symlink }} state=link \ No newline at end of file From ba9995c37d8fd219399b5a3e9f60be08012f5e92 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 4 Jul 2014 09:25:44 +0200 Subject: [PATCH 20/49] Made git clone work with / in version (as in: "feature/ansible") --- tools/ansible/provision-engine.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision-engine.yml index 7589002..6f630ad 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision-engine.yml @@ -12,9 +12,10 @@ builds_dir: "{{ releases_dir }}/builds" # Engine specific variables - engine_release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ engine_version }}" - engine_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ engine_version }}.tar.gz" - engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version }}.tar.gz" + engine_version_dir: "{{ engine_version | replace('/', '-') }}" + engine_release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ engine_version_dir }}" + engine_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" + engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" engine_current_release_symlink: "/opt/www/engineblock" engine_config: From 5876b115efe1f18386dbdbad13534059abca3de0 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 4 Jul 2014 09:40:51 +0200 Subject: [PATCH 21/49] Increase Ansible verbosity for debugging --- scripts/components/engineblock.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index 4c8e07a..c8ca10a 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -5,6 +5,7 @@ yum install -y ansible MySQL-python && # Run Ansible playbook ansible-playbook \ + -v \ -i $OC_BASEDIR/tools/ansible/inventory/demo.openconext.org.ini \ -e "openconext_domain=$OC_DOMAIN" \ -e "engine_version=$ENGINEBLOCK_VERSION" \ From 18bdd07ae0f2b377463de0060129a9a5ec26dee5 Mon Sep 17 00:00:00 2001 
From: Boy Baukema Date: Fri, 4 Jul 2014 14:51:02 +0200 Subject: [PATCH 22/49] Removed obsolete engineblock.sql --- data/engineblock.sql | 586 ------------------------------------------- 1 file changed, 586 deletions(-) delete mode 100644 data/engineblock.sql diff --git a/data/engineblock.sql b/data/engineblock.sql deleted file mode 100644 index 2d96af3..0000000 --- a/data/engineblock.sql +++ /dev/null 
@@ -1,586 +0,0 @@ --- MySQL dump 10.13 Distrib 5.1.61, for redhat-linux-gnu (x86_64) --- --- Host: localhost Database: engineblock --- ------------------------------------------------------ --- Server version 5.1.61 - -/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; -/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; -/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; -/*!40101 SET NAMES utf8 */; -/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; -/*!40103 SET TIME_ZONE='+00:00' */; -/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; -/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; -/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; -/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; - --- --- Table structure for table `consent` --- - -DROP TABLE IF EXISTS `consent`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `consent` ( - `consent_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, - `usage_date` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00', - `hashed_user_id` varchar(80) COLLATE utf8_unicode_ci NOT NULL, - `service_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `attribute` varchar(80) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`hashed_user_id`,`service_id`), - KEY `hashed_user_id` (`hashed_user_id`), - KEY `service_id` (`service_id`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `consent` --- - -LOCK TABLES `consent` WRITE; -/*!40000 ALTER TABLE `consent` DISABLE KEYS */; -INSERT INTO `consent` VALUES -('2012-06-27 09:01:37','2012-06-27 
09:01:37','4e20080aba70103a60039bf19fdac0c4fb7ce367','https://manage._OPENCONEXT_DOMAIN_/simplesaml/module.php/saml/sp/metadata.php/default-sp','f8fff30971a5477e0721ce45aa5dd7ad83b6848e'), -('2012-06-27 09:13:32','2012-06-27 09:13:32','4e20080aba70103a60039bf19fdac0c4fb7ce367','https://serviceregistry._OPENCONEXT_DOMAIN_/simplesaml/module.php/saml/sp/metadata.php/default-sp','f8fff30971a5477e0721ce45aa5dd7ad83b6848e'); -/*!40000 ALTER TABLE `consent` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `db_changelog` --- - -DROP TABLE IF EXISTS `db_changelog`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `db_changelog` ( - `patch_number` int(11) NOT NULL, - `branch` varchar(50) COLLATE utf8_unicode_ci NOT NULL, - `completed` int(11) DEFAULT NULL, - `filename` varchar(100) COLLATE utf8_unicode_ci NOT NULL, - `hash` varchar(32) COLLATE utf8_unicode_ci NOT NULL, - `description` varchar(200) COLLATE utf8_unicode_ci DEFAULT NULL, - PRIMARY KEY (`patch_number`,`branch`) -) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `db_changelog` --- - -LOCK TABLES `db_changelog` WRITE; -/*!40000 ALTER TABLE `db_changelog` DISABLE KEYS */; -INSERT INTO `db_changelog` VALUES (1,'default',1340787301,'patch-0001.php','9e47c3b8','Move the groupProviders configuration from the local config to the database.'), -(2,'default',1340787301,'patch-0002.sql','2a482377','Initial migration away from LiquiBase'), -(3,'default',1340787301,'patch-0003.sql','271b9ee1','Remove LiquiBase tables'), -(4,'default',1340787301,'patch-0004.sql','bece62cf','Table structure for table `emails`'), -(5,'default',1340787301,'patch-0005.sql','61a65c9d','Add new emails for deprovisioning'), -(6,'default',1340787301,'patch-0006.sql','e7075a42','Update deprovisioning mail'), 
-(7,'default',1340787301,'patch-0007.sql','445ce3bd','Add id field to login table (ported from manage patch-001.sql)'), -(8,'default',1340787301,'patch-0008.php','e452a2b0','Add urn:collab:group: prefixing to Grouper group providers'), -(9,'default',1340787301,'patch-0009.sql','7fed17ad','Add tables for new persistent NameID'), -(10,'default',1340788257,'patch-0010.php','d2a6343a','Assign a UUID to all users in LDAP'), -(11,'default',1340788257,'patch-0011.sql','015c7b4a','Add useragent field to login_logs table for logging the User-Agent'), -(12,'default',1340788257,'patch-0012.sql','a668c1a3','Add voname field to login_logs table for logging the Virtual Organisation Context'), -(13,'default',1340788257,'patch-0013.sql','ab0053d5','Add table for storing the ACL Group provider information for service providers'), -(14,'default',1340788257,'patch-0014.sql','e2e35650',''), -(15,'default',1340788257,'patch-0015.sql','479a53d4','Add logo_url field to group_provider table for displaying the picture in teams'); -/*!40000 ALTER TABLE `db_changelog` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `emails` --- - -DROP TABLE IF EXISTS `emails`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `emails` ( - `id` bigint(20) NOT NULL AUTO_INCREMENT, - `email_type` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `email_text` longtext COLLATE utf8_unicode_ci NOT NULL, - `email_from` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `email_subject` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `is_html` tinyint(1) DEFAULT '1', - PRIMARY KEY (`id`), - UNIQUE KEY `email_type` (`email_type`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `emails` --- - -LOCK TABLES `emails` WRITE; -/*!40000 ALTER TABLE `emails` DISABLE KEYS */; -INSERT INTO `emails` VALUES 
(1,'introduction_email','Dear {user},
\r\n
\r\nThis mail is a confirmation that we have created a profile for you on the SURFconext platform. Please visit https://profile.surfconext.nl to see and manage your profile. If you have any questions regarding this mail please contact help@surfconext.nl.
\r\n
\r\nBest regards, Surfconext ','help@surfconext.nl','Welcome to SURFconext',1), -(2,'deprovisioning_warning_email','Dear {user},

This mail is to inform you that you will be deprovisioned at {deprovision_time}. If you have any questions regarding this mail please contact help@surfconext.nl.

You will be deleted as a member of all the groups. Currently you are member of the following groups:
{groups}
In the groups displayed below you are the only administrator. Please make another member administrator before you are deprovisioned, for these teams will be without an administrator otherwise. 
{onlyAdminGroups}
Best regards,
SURFconext','help@surfconext.nl','Deprovisioning SURFconext',NULL), -(3,'deprovisioning_warning_email_group_members','Dear {user},
\r\n
\r\nThis mail is to inform you that your administrator in team {team} will be deprovisioned at {deprovision_time}. If you have any questions regarding this mail please contact help@surfconext.nl.
\r\n
\r\nBest regards
, SURFconext','help@surfconext.nl','Deprovisioning SURFconext',NULL); -/*!40000 ALTER TABLE `emails` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `group_provider` --- - -DROP TABLE IF EXISTS `group_provider`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `group_provider` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `identifier` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - `classname` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - `logo_url` varchar(1024) COLLATE utf8_unicode_ci DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `group_provider` --- - -LOCK TABLES `group_provider` WRITE; -/*!40000 ALTER TABLE `group_provider` DISABLE KEYS */; -INSERT INTO `group_provider` VALUES (1,'grouper','SURFteams grouper','EngineBlock_Group_Provider_Grouper','SURFteams grouper'); -/*!40000 ALTER TABLE `group_provider` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `group_provider_decorator` --- - -DROP TABLE IF EXISTS `group_provider_decorator`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `group_provider_decorator` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `group_provider_id` int(11) NOT NULL, - `classname` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `group_provider_decorator` --- - -LOCK TABLES `group_provider_decorator` WRITE; -/*!40000 ALTER TABLE `group_provider_decorator` DISABLE KEYS */; -INSERT INTO `group_provider_decorator` 
VALUES (1,1,'EngineBlock_Group_Provider_Decorator_GroupIdReplace'); -/*!40000 ALTER TABLE `group_provider_decorator` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `group_provider_decorator_option` --- - -DROP TABLE IF EXISTS `group_provider_decorator_option`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `group_provider_decorator_option` ( - `group_provider_decorator_id` int(11) NOT NULL, - `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - PRIMARY KEY (`group_provider_decorator_id`,`name`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `group_provider_decorator_option` --- - -LOCK TABLES `group_provider_decorator_option` WRITE; -/*!40000 ALTER TABLE `group_provider_decorator_option` DISABLE KEYS */; -INSERT INTO `group_provider_decorator_option` VALUES (1,'replace','$1'), -(1,'search','|urn:collab:group:teams._OPENCONEXT_DOMAIN_:(.+)|'); -/*!40000 ALTER TABLE `group_provider_decorator_option` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `group_provider_filter` --- - -DROP TABLE IF EXISTS `group_provider_filter`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `group_provider_filter` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `group_provider_id` int(11) NOT NULL, - `type` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - `classname` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `group_provider_filter` --- - -LOCK TABLES `group_provider_filter` WRITE; -/*!40000 ALTER TABLE 
`group_provider_filter` DISABLE KEYS */; -INSERT INTO `group_provider_filter` VALUES (1,1,'group','EngineBlock_Group_Provider_Filter_ModelProperty_PregReplace'); -/*!40000 ALTER TABLE `group_provider_filter` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `group_provider_filter_option` --- - -DROP TABLE IF EXISTS `group_provider_filter_option`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `group_provider_filter_option` ( - `group_provider_filter_id` int(11) NOT NULL, - `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - PRIMARY KEY (`group_provider_filter_id`,`name`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `group_provider_filter_option` --- - -LOCK TABLES `group_provider_filter_option` WRITE; -/*!40000 ALTER TABLE `group_provider_filter_option` DISABLE KEYS */; -INSERT INTO `group_provider_filter_option` VALUES (1,'property','id'), -(1,'replace','urn:collab:group:teams._OPENCONEXT_DOMAIN_:$1'), -(1,'search','|(.+)|'); -/*!40000 ALTER TABLE `group_provider_filter_option` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `group_provider_option` --- - -DROP TABLE IF EXISTS `group_provider_option`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `group_provider_option` ( - `group_provider_id` int(11) NOT NULL, - `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - PRIMARY KEY (`group_provider_id`,`name`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `group_provider_option` --- - -LOCK TABLES 
`group_provider_option` WRITE; -/*!40000 ALTER TABLE `group_provider_option` DISABLE KEYS */; -INSERT INTO `group_provider_option` VALUES (1,'host','grouper._OPENCONEXT_DOMAIN_'), -(1,'password','KJ75DFeg32a'), -(1,'path','/grouper-ws/servicesRest'), -(1,'protocol','https'), -(1,'timeout','10'), -(1,'user','engine'), -(1,'version','v1_6_000'); -/*!40000 ALTER TABLE `group_provider_option` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `group_provider_precondition` --- - -DROP TABLE IF EXISTS `group_provider_precondition`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `group_provider_precondition` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `group_provider_id` int(11) NOT NULL, - `classname` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `group_provider_precondition` --- - -LOCK TABLES `group_provider_precondition` WRITE; -/*!40000 ALTER TABLE `group_provider_precondition` DISABLE KEYS */; -/*!40000 ALTER TABLE `group_provider_precondition` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `group_provider_precondition_option` --- - -DROP TABLE IF EXISTS `group_provider_precondition_option`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `group_provider_precondition_option` ( - `group_provider_precondition_id` int(11) NOT NULL, - `name` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - `value` varchar(255) COLLATE utf8_unicode_ci NOT NULL DEFAULT '', - PRIMARY KEY (`group_provider_precondition_id`,`name`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `group_provider_precondition_option` --- - 
-LOCK TABLES `group_provider_precondition_option` WRITE; -/*!40000 ALTER TABLE `group_provider_precondition_option` DISABLE KEYS */; -/*!40000 ALTER TABLE `group_provider_precondition_option` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `group_provider_user_oauth` --- - -DROP TABLE IF EXISTS `group_provider_user_oauth`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `group_provider_user_oauth` ( - `provider_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `user_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `oauth_token` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, - `oauth_secret` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`provider_id`,`user_id`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `group_provider_user_oauth` --- - -LOCK TABLES `group_provider_user_oauth` WRITE; -/*!40000 ALTER TABLE `group_provider_user_oauth` DISABLE KEYS */; -/*!40000 ALTER TABLE `group_provider_user_oauth` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `log_logins` --- - -DROP TABLE IF EXISTS `log_logins`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `log_logins` ( - `loginstamp` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, - `userid` varchar(1000) COLLATE utf8_unicode_ci NOT NULL, - `spentityid` varchar(1000) COLLATE utf8_unicode_ci DEFAULT NULL, - `idpentityid` varchar(1000) COLLATE utf8_unicode_ci DEFAULT NULL, - `spentityname` varchar(1000) COLLATE utf8_unicode_ci DEFAULT NULL, - `idpentityname` varchar(1000) COLLATE utf8_unicode_ci DEFAULT NULL, - `useragent` varchar(1024) COLLATE utf8_unicode_ci DEFAULT NULL, - `voname` varchar(1024) COLLATE utf8_unicode_ci DEFAULT NULL, - `id` int(11) NOT NULL AUTO_INCREMENT, - PRIMARY 
KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `log_logins` --- - -LOCK TABLES `log_logins` WRITE; -/*!40000 ALTER TABLE `log_logins` DISABLE KEYS */; -INSERT INTO `log_logins` VALUES -('2012-06-27 09:13:33','urn:collab:person:example.com:john.doe','https://serviceregistry._OPENCONEXT_DOMAIN_/simplesaml/module.php/saml/sp/metadata.php/default-sp','http://mock-idp','OpenConext ServiceRegistry','OpenConext Mujina','Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1',NULL,1); -/*!40000 ALTER TABLE `log_logins` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `saml_persistent_id` --- - -DROP TABLE IF EXISTS `saml_persistent_id`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `saml_persistent_id` ( - `persistent_id` char(40) COLLATE utf8_unicode_ci NOT NULL COMMENT 'SHA1 of service_provider_uuid + user_uuid', - `user_uuid` char(36) COLLATE utf8_unicode_ci NOT NULL, - `service_provider_uuid` char(36) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`persistent_id`), - KEY `user_uuid` (`user_uuid`,`service_provider_uuid`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Look up table for persistent_ids we hand out'; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `saml_persistent_id` --- - -LOCK TABLES `saml_persistent_id` WRITE; -/*!40000 ALTER TABLE `saml_persistent_id` DISABLE KEYS */; -INSERT INTO `saml_persistent_id` VALUES ('9a26dd18d7f33511b4a98d838cae09543ce5f171','b06b98b0-c036-11e1-b910-cd9212b8c0d3','5e5717a0-c038-11e1-8b8e-234ffa2d0a60'), -('3f18e71b45ef07f3110e3cb418bdeb1be0c9ef83','b06b98b0-c036-11e1-b910-cd9212b8c0d3','b416cbc0-c036-11e1-b5a6-216cccc3b1fc'); -/*!40000 ALTER TABLE `saml_persistent_id` ENABLE KEYS */; -UNLOCK TABLES; - --- --- 
Table structure for table `service_provider_group_acl` --- - -DROP TABLE IF EXISTS `service_provider_group_acl`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `service_provider_group_acl` ( - `id` bigint(20) NOT NULL AUTO_INCREMENT, - `group_provider_id` bigint(20) NOT NULL, - `spentityid` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, - `allow_groups` tinyint(1) DEFAULT '0', - `allow_members` tinyint(1) DEFAULT '0', - PRIMARY KEY (`id`), - UNIQUE KEY `spentityid_group_provider_id` (`spentityid`(250),`group_provider_id`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `service_provider_group_acl` --- - -LOCK TABLES `service_provider_group_acl` WRITE; -/*!40000 ALTER TABLE `service_provider_group_acl` DISABLE KEYS */; -INSERT INTO `service_provider_group_acl` VALUES (1,1,'https://engine._OPENCONEXT_DOMAIN_/authentication/sp/metadata',1,1), -(2,1,'https://profile._OPENCONEXT_DOMAIN_/simplesaml/module.php/saml/sp/metadata.php/default-sp',1,1), -(3,1,'https://manage._OPENCONEXT_DOMAIN_/simplesaml/module.php/saml/sp/metadata.php/default-sp',1,1), -(4,1,'https://serviceregistry._OPENCONEXT_DOMAIN_/simplesaml/module.php/saml/sp/metadata.php/default-sp',1,1), -(5,1,'http://mock-sp',1,1), -(6,1,'https://grouper._OPENCONEXT_DOMAIN_/grouper/shibboleth',1,1), -(7,1,'https://teams._OPENCONEXT_DOMAIN_/shibboleth',1,1), -(8,1,'https://csa._OPENCONEXT_DOMAIN_/',1,1), -(9,1,'https://dashboard._OPENCONEXT_DOMAIN_/',1,1); -/*!40000 ALTER TABLE `service_provider_group_acl` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `service_provider_uuid` --- - -DROP TABLE IF EXISTS `service_provider_uuid`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `service_provider_uuid` ( - `uuid` char(36) COLLATE 
utf8_unicode_ci NOT NULL, - `service_provider_entity_id` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`uuid`), - KEY `service_provider_entity_id` (`service_provider_entity_id`(255)) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci COMMENT='Lookup table for UUIDs for Service Providers, provides a lev'; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `service_provider_uuid` --- - -LOCK TABLES `service_provider_uuid` WRITE; -/*!40000 ALTER TABLE `service_provider_uuid` DISABLE KEYS */; -INSERT INTO `service_provider_uuid` VALUES -('5e5717a0-c038-11e1-8b8e-234ffa2d0a60','https://serviceregistry._OPENCONEXT_DOMAIN_/simplesaml/module.php/saml/sp/metadata.php/default-sp'), -('b416cbc0-c036-11e1-b5a6-216cccc3b1fc','https://manage._OPENCONEXT_DOMAIN_/simplesaml/module.php/saml/sp/metadata.php/default-sp'); -/*!40000 ALTER TABLE `service_provider_uuid` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `virtual_organisation` --- - -DROP TABLE IF EXISTS `virtual_organisation`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `virtual_organisation` ( - `vo_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `vo_type` enum('GROUP','STEM','IDP','MIXED') COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`vo_id`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `virtual_organisation` --- - -LOCK TABLES `virtual_organisation` WRITE; -/*!40000 ALTER TABLE `virtual_organisation` DISABLE KEYS */; -/*!40000 ALTER TABLE `virtual_organisation` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `virtual_organisation_attribute` --- - -DROP TABLE IF EXISTS `virtual_organisation_attribute`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE 
`virtual_organisation_attribute` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `vo_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `sp_entity_id` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, - `user_id_pattern` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `attribute_name_saml` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `attribute_name_opensocial` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `attribute_value` varchar(1024) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `vo_id` (`vo_id`(200),`sp_entity_id`(200),`user_id_pattern`(200),`attribute_name_saml`(200),`attribute_name_opensocial`(200)) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `virtual_organisation_attribute` --- - -LOCK TABLES `virtual_organisation_attribute` WRITE; -/*!40000 ALTER TABLE `virtual_organisation_attribute` DISABLE KEYS */; -/*!40000 ALTER TABLE `virtual_organisation_attribute` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `virtual_organisation_group` --- - -DROP TABLE IF EXISTS `virtual_organisation_group`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `virtual_organisation_group` ( - `vo_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `group_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`vo_id`,`group_id`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `virtual_organisation_group` --- - -LOCK TABLES `virtual_organisation_group` WRITE; -/*!40000 ALTER TABLE `virtual_organisation_group` DISABLE KEYS */; -/*!40000 ALTER TABLE `virtual_organisation_group` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `virtual_organisation_idp` --- - -DROP TABLE IF EXISTS `virtual_organisation_idp`; -/*!40101 SET 
@saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `virtual_organisation_idp` ( - `vo_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `idp_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`vo_id`,`idp_id`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `virtual_organisation_idp` --- - -LOCK TABLES `virtual_organisation_idp` WRITE; -/*!40000 ALTER TABLE `virtual_organisation_idp` DISABLE KEYS */; -/*!40000 ALTER TABLE `virtual_organisation_idp` ENABLE KEYS */; -UNLOCK TABLES; -/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; - -/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; -/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; -/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; -/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; -/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; -/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; -/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; - --- Dump completed on 2012-06-27 10:51:18 From 07ae23433900422c681db538fd968e69fb7bd57d Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 4 Jul 2014 14:51:23 +0200 Subject: [PATCH 23/49] Removed unnecessary DDL from SQL file --- data/engineblock.sql.j2 | 413 ---------------------------------------- 1 file changed, 413 deletions(-) diff --git a/data/engineblock.sql.j2 b/data/engineblock.sql.j2 index 723fdf6..5392823 100644 --- a/data/engineblock.sql.j2 +++ b/data/engineblock.sql.j2 
@@ -15,25 +15,6 @@ /*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; /*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; --- --- Table structure for table `consent` --- - -DROP TABLE IF EXISTS `consent`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `consent` ( - `consent_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, - `usage_date` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00', - `hashed_user_id` varchar(80) COLLATE utf8_unicode_ci NOT NULL, - `service_id` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `attribute` varchar(80) COLLATE utf8_unicode_ci NOT NULL, - PRIMARY KEY (`hashed_user_id`,`service_id`), - KEY `hashed_user_id` (`hashed_user_id`), - KEY `service_id` (`service_id`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - -- -- Dumping data for table `consent` -- 
@@ -46,67 +27,6 @@ INSERT INTO `consent` VALUES /*!40000 ALTER TABLE `consent` ENABLE KEYS */; UNLOCK TABLES; --- --- Table structure for table `db_changelog` --- - -DROP TABLE IF EXISTS `db_changelog`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `db_changelog` ( - `patch_number` int(11) NOT NULL, - `branch` varchar(50) COLLATE utf8_unicode_ci NOT NULL, - `completed` int(11) DEFAULT NULL, - `filename` varchar(100) COLLATE utf8_unicode_ci NOT NULL, - `hash` varchar(32) COLLATE utf8_unicode_ci NOT NULL, - `description` varchar(200) COLLATE utf8_unicode_ci DEFAULT NULL, - PRIMARY KEY (`patch_number`,`branch`) -) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `db_changelog` --- - -LOCK TABLES `db_changelog` WRITE; -/*!40000 ALTER TABLE `db_changelog` DISABLE KEYS */; -INSERT INTO `db_changelog` VALUES (1,'default',1340787301,'patch-0001.php','9e47c3b8','Move the groupProviders configuration from the local config to the database.'), -(2,'default',1340787301,'patch-0002.sql','2a482377','Initial migration away from LiquiBase'), -(3,'default',1340787301,'patch-0003.sql','271b9ee1','Remove LiquiBase tables'), -(4,'default',1340787301,'patch-0004.sql','bece62cf','Table structure for table `emails`'), -(5,'default',1340787301,'patch-0005.sql','61a65c9d','Add new emails for deprovisioning'), -(6,'default',1340787301,'patch-0006.sql','e7075a42','Update deprovisioning mail'), -(7,'default',1340787301,'patch-0007.sql','445ce3bd','Add id field to login table (ported from manage patch-001.sql)'), -(8,'default',1340787301,'patch-0008.php','e452a2b0','Add urn:collab:group: prefixing to Grouper group providers'), -(9,'default',1340787301,'patch-0009.sql','7fed17ad','Add tables for new persistent NameID'), -(10,'default',1340788257,'patch-0010.php','d2a6343a','Assign a UUID to all users in LDAP'), 
-(11,'default',1340788257,'patch-0011.sql','015c7b4a','Add useragent field to login_logs table for logging the User-Agent'), -(12,'default',1340788257,'patch-0012.sql','a668c1a3','Add voname field to login_logs table for logging the Virtual Organisation Context'), -(13,'default',1340788257,'patch-0013.sql','ab0053d5','Add table for storing the ACL Group provider information for service providers'), -(14,'default',1340788257,'patch-0014.sql','e2e35650',''), -(15,'default',1340788257,'patch-0015.sql','479a53d4','Add logo_url field to group_provider table for displaying the picture in teams'); -/*!40000 ALTER TABLE `db_changelog` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `emails` --- - -DROP TABLE IF EXISTS `emails`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `emails` ( - `id` bigint(20) NOT NULL AUTO_INCREMENT, - `email_type` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `email_text` longtext COLLATE utf8_unicode_ci NOT NULL, - `email_from` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `email_subject` varchar(255) COLLATE utf8_unicode_ci NOT NULL, - `is_html` tinyint(1) DEFAULT '1', - PRIMARY KEY (`id`), - UNIQUE KEY `email_type` (`email_type`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; -/*!40101 SET character_set_client = @saved_cs_client */; - -- -- Dumping data for table `emails` -- @@ -119,23 +39,6 @@ INSERT INTO `emails` VALUES (1,'introduction_email','Dear {user},
\r\n
Date: Fri, 4 Jul 2014 14:51:52 +0200 Subject: [PATCH 24/49] Removed unnecessary exports --- scripts/components/engineblock.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index c8ca10a..a9c08d8 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -23,7 +23,4 @@ ansible-playbook \ -e "serviceregistry_secret=$OC__ENGINE_JANUSAPI_PASS" \ $OC_BASEDIR/tools/ansible/provision-engine.yml -EB_CRT=`cat /etc/openconext/engineblock.default.pem.crt` && -EB_KEY=`cat /etc/openconext/engineblock.default.pem.key` && -EB_CRT_NO_HEADERS=`sed '1d;$d' /etc/openconext/engineblock.default.pem.crt` && ENGINEBLOCK_CERT=`sed '1d;$d' /etc/surfconext/engineblock.crt | tr -d '\n'` \ No newline at end of file From 8548677306a2857ce3a344ce5e8d8c81058991fb Mon Sep 17 00:00:00 2001 
From: Boy Baukema Date: Fri, 4 Jul 2014 14:54:16 +0200 Subject: [PATCH 25/49] Refactored Ansible file structure heavily --- scripts/components/engineblock.sh | 2 +- tools/ansible/install-engine-src.yml | 12 --- .../engine.yml} | 91 +++++++------------ .../ansible/provision/legacy/engine/4.2.0.yml | 11 +++ .../roles/openconext-api/install-src.yml | 0 .../ansible/roles/openconext-api/install.yml | 0 .../roles/openconext-engine/activate.yml | 15 +++ .../roles/openconext-engine/install-build.yml | 6 ++ .../roles/openconext-engine/install-src.yml | 12 +++ .../roles/openconext-engine/install.yml | 33 +++++++ .../openconext-engine/legacy/4.2.0.yml} | 12 --- 11 files changed, 113 insertions(+), 81 deletions(-) delete mode 100644 tools/ansible/install-engine-src.yml rename tools/ansible/{provision-engine.yml => provision/engine.yml} (70%) create mode 100644 tools/ansible/provision/legacy/engine/4.2.0.yml create mode 100644 tools/ansible/roles/openconext-api/install-src.yml create mode 100644 tools/ansible/roles/openconext-api/install.yml create mode 100644 tools/ansible/roles/openconext-engine/activate.yml create mode 100644 tools/ansible/roles/openconext-engine/install-build.yml create mode 100644 tools/ansible/roles/openconext-engine/install-src.yml create mode 100644 tools/ansible/roles/openconext-engine/install.yml rename tools/ansible/{install-engine.yml => roles/openconext-engine/legacy/4.2.0.yml} (55%) diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index a9c08d8..4431268 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh 
@@ -21,6 +21,6 @@ ansible-playbook \ -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \ -e "serviceregistry_user=$OC__ENGINE_JANUSAPI_USER" \ -e "serviceregistry_secret=$OC__ENGINE_JANUSAPI_PASS" \ - $OC_BASEDIR/tools/ansible/provision-engine.yml + $OC_BASEDIR/tools/ansible/provision/engine.yml ENGINEBLOCK_CERT=`sed '1d;$d' /etc/surfconext/engineblock.crt | tr -d '\n'` \ No newline at end of file diff --git a/tools/ansible/install-engine-src.yml b/tools/ansible/install-engine-src.yml deleted file mode 100644 index b109766..0000000 --- a/tools/ansible/install-engine-src.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: "SRC - Install Git repo" - git: - accept_hostkey: yes - repo: https://github.com/OpenConext/OpenConext-engineblock.git - dest: "{{ engine_release_dir }}" - version: "{{ engine_version }}" - -- name: "SRC - Running Composer install" - command: ./bin/composer.phar --prefer-dist --no-interaction install - args: - chdir: "{{ engine_release_dir }}" \ No newline at end of file diff --git a/tools/ansible/provision-engine.yml b/tools/ansible/provision/engine.yml similarity index 70% rename from tools/ansible/provision-engine.yml rename to tools/ansible/provision/engine.yml index 6f630ad..404902f 100644 --- a/tools/ansible/provision-engine.yml +++ b/tools/ansible/provision/engine.yml @@ -10,6 +10,7 @@ logging_dir: "/var/log/openconext" releases_dir: "/opt/openconext" builds_dir: "{{ releases_dir }}/builds" + configs_dir: "/etc/openconext" # Engine specific variables engine_version_dir: "{{ engine_version | replace('/', '-') }}" 
@@ -46,6 +47,18 @@ serviceRegistry.user_secret : "{{ serviceregistry_secret }}" tasks: + +# Provision the environment + - name: Legacy 4.2.0 + include: legacy/engine/4.2.0.yml + + - name: Ensure the directories exists + file: path={{ item }} state=directory + with_items: + - "{{ releases_dir }}" + - "{{ builds_dir }}" + - "{{ configs_dir }}" + - name: Make sure a database exists mysql_db: state: present 
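Review bot: The new `Ensure the directories exists` task creates `{{ configs_dir }}` (`/etc/openconext`) with whatever mode the remote umask yields, yet this is the directory where the play's `Set configuration` task later writes `engineblock.ini` holding the database and LDAP passwords and where the engine role generates the private key. Give the configuration directory an explicit owner and mode instead of inheriting the umask, e.g. a separate `file: path={{ configs_dir }} state=directory mode=0750` after the loop (the release and build directories can keep their defaults). Note also that the `Legacy 4.2.0` include runs before this task and only works if `/etc/openconext` does not exist yet; a comment stating that ordering assumption would help the next person who reorders the tasks. The play's task list continues outside the hunk.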
@@ -69,53 +82,13 @@ login_user: "{{ db_admin_user }}" login_password: "{{ db_admin_password}}" - - name: Write out SQL file with proper domain - template: src=../../data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql - when: engine_db_install.changed - - - name: Install initial Database schema when a new database was created - mysql_db: - name: "{{ engine_db_name }}" - login_host: "{{ engine_db_host }}" - login_port: "{{ engine_db_port}}" - login_user: "{{ engine_db_user }}" - login_password: "{{ engine_db_password}}" - state: import - target: /tmp/domain.engineblock.sql - when: engine_db_install.changed - # - name: Make sure LDAP database exists - - name: Ensure the directories exists - file: path={{ item }} state=directory - with_items: - - "{{ releases_dir }}" - - "{{ builds_dir }}" - - - name: Install Engine from Build (only when version starts with a number) - include: install-engine.yml - when: engine_version | match("^[0-9]") - - - name: Install Engine from source (only when version does not start with a number) - include: install-engine-src.yml - when: engine_version | match("^[^0-9]") - - - name: Migrate the configuration file - command: "{{ engine_release_dir }}/bin/migrate_etc.php" - - - name: Install migrated configuration file - command: install -b /etc/surfconext/engineblock.ini.new /etc/surfconext/engineblock.ini - - - name: Detect default certificates. - stat: path=/etc/openconext/engineblock.key - register: default_cert - - - name: Generate new default certificate if none was found. - command: openssl req -subj '/CN=Engine/OU=Services/O=OpenConext/C=NL/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out engineblock.crt -keyout engineblock.key - args: - chdir: /etc/openconext - when: default_cert.stat.exists == false +# Install the software + - name: Install EngineBlock + include: ../roles/openconext-engine/install.yml +# Configure the software - name: Set configuration ini_file: dest: /etc/openconext/engineblock.ini 
@@ -124,17 +97,23 @@ value: "{{ item.value }}" with_dict: engine_config - - name: Update LDAP - command: ldapmodify -x -D "{{ admin_ldap_binddn }}" -h localhost -w "{{ admin_ldap password }}" -f {{ item }} - with_items: - - "{{ engine_release_dir }}/ldap/changes/addDeprovisionWarningSentAttributes.ldif" - - "{{ engine_release_dir }}/ldap/changes/addCollabPersonUUID.ldif" - ignore_errors: true +# Activate the software + - name: Setup and Activate the new EngineBlock version + include: ../roles/openconext-engine/activate.yml - - name: Run EngineBlock migrations - command: ./bin/migrate - args: - chdir: "{{ engine_release_dir }}" + # @TODO: separate DDL from data +# Provision demo data + - name: Write out SQL file with proper domain + template: src=../../../data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql + when: engine_db_install.changed - - name: Activate new EngineBlock - file: src={{ engine_release_dir }} dest={{ engine_current_release_symlink }} state=link \ No newline at end of file + - name: Install initial Database schema when a new database was created + mysql_db: + name: "{{ engine_db_name }}" + login_host: "{{ engine_db_host }}" + login_port: "{{ engine_db_port}}" + login_user: "{{ engine_db_user }}" + login_password: "{{ engine_db_password}}" + state: import + target: /tmp/domain.engineblock.sql + when: engine_db_install.changed \ No newline at end of file diff --git a/tools/ansible/provision/legacy/engine/4.2.0.yml b/tools/ansible/provision/legacy/engine/4.2.0.yml new file mode 100644 index 0000000..476efd6 --- /dev/null +++ b/tools/ansible/provision/legacy/engine/4.2.0.yml 
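Review bot: The moved demo-data tasks render the SQL to the fixed path `/tmp/domain.engineblock.sql`, with the default (typically world-readable) mode, and never remove it, so the rendered data stays behind in shared `/tmp` after the import. Write it with a restrictive mode and clean up afterwards: `template: src=../../../data/engineblock.sql.j2 dest={{ temp_dir }}/domain.engineblock.sql mode=0600`, plus a final `file: path={{ temp_dir }}/domain.engineblock.sql state=absent` guarded by the same `when: engine_db_install.changed`. The identical pattern appears in the `post_tasks` of the new `tools/ansible/engineblock.yml` in PATCH 27 and should get the same treatment. The `# @TODO: separate DDL from data` comment is also indented as a task rather than a section comment, unlike the other section markers in this file.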
@@ -0,0 +1,11 @@ +--- + - name: Legacy - Detect /etc/surfconext + stat: path=/etc/surfconext + register: legacy_etc_dir + + - name: Legacy - move directory /etc/surfconext to /etc/openconext + command: mv /etc/surfconext "{{ configs_dir }}" + when: legacy_etc_dir.stat.exists == true and legacy_etc_dir.stat.isdir == true + + - name: Legacy - Ensure /etc/surfconext points to /etc/openconext + file: path=/etc/surfconext src={{ configs_dir }} state=link \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/install-src.yml b/tools/ansible/roles/openconext-api/install-src.yml new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible/roles/openconext-api/install.yml b/tools/ansible/roles/openconext-api/install.yml new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible/roles/openconext-engine/activate.yml b/tools/ansible/roles/openconext-engine/activate.yml new file mode 100644 index 0000000..cbde6b2 --- /dev/null +++ b/tools/ansible/roles/openconext-engine/activate.yml @@ -0,0 +1,15 @@ +--- + - name: Update LDAP + command: ldapmodify -x -D "{{ admin_ldap_binddn }}" -h localhost -w "{{ admin_ldap password }}" -f {{ item }} + with_items: + - "{{ engine_release_dir }}/ldap/changes/addDeprovisionWarningSentAttributes.ldif" + - "{{ engine_release_dir }}/ldap/changes/addCollabPersonUUID.ldif" + ignore_errors: true + + - name: Run EngineBlock migrations + command: ./bin/migrate + args: + chdir: "{{ engine_release_dir }}" + + - name: Activate new EngineBlock + file: src={{ engine_release_dir }} dest={{ engine_current_release_symlink }} state=link \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engine/install-build.yml b/tools/ansible/roles/openconext-engine/install-build.yml new file mode 100644 index 0000000..610d49f --- /dev/null +++ b/tools/ansible/roles/openconext-engine/install-build.yml 
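Review bot: The `mv /etc/surfconext "{{ configs_dir }}"` task assumes `{{ configs_dir }}` does not exist yet; if `/etc/openconext` is already a directory, GNU `mv` moves the old tree inside it as `/etc/openconext/surfconext`, the next task still creates the `/etc/surfconext` link, and the configuration, key and certificate files end up silently misplaced. Use `command: mv -T /etc/surfconext "{{ configs_dir }}"` so that case fails loudly, or `stat` `{{ configs_dir }}` first and extend the `when` to require it to be absent. On a re-run `/etc/surfconext` is presumably the symlink created here, so `isdir` is false and the move is skipped; a comment such as `# second run: /etc/surfconext is already the symlink, so the move is skipped` would make that intended idempotency explicit.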
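Review bot: `{{ admin_ldap password }}` in the `Update LDAP` task is not a valid Jinja2 expression (the space splits it into two names), so the task errors on every run and `ignore_errors: true` hides that the LDIF changes are never applied; it should reference the real variable, likely `{{ admin_ldap_password }}` given the `admin_ldap_binddn` used next to it. Independently, `-w` places the LDAP admin password on the command line, where it is visible in process listings and in Ansible's verbose output (`engineblock.sh` runs the playbook with `-v`); add `no_log: true` to the task and consider passing the password via `-y` from a `0600` file. Replacing `ignore_errors` with a `failed_when` that tolerates only the already-applied result would let real bind or schema failures surface.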
@@ -0,0 +1,6 @@ +--- + - name: BUILD - Get the current release + get_url: url="{{ engine_download_url }}" dest="{{ engine_build_path }}" + + - name: BUILD - Unarchive it + unarchive: src={{ engine_build_path }} dest={{ releases_dir }} copy=no \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engine/install-src.yml b/tools/ansible/roles/openconext-engine/install-src.yml new file mode 100644 index 0000000..a0d10fe --- /dev/null +++ b/tools/ansible/roles/openconext-engine/install-src.yml @@ -0,0 +1,12 @@ +--- + - name: "SRC - Install Git repo" + git: + accept_hostkey: yes + repo: https://github.com/OpenConext/OpenConext-engineblock.git + dest: "{{ engine_release_dir }}" + version: "{{ engine_version }}" + + - name: "SRC - Running Composer install" + command: ./bin/composer.phar --prefer-dist --no-interaction install + args: + chdir: "{{ engine_release_dir }}" \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engine/install.yml b/tools/ansible/roles/openconext-engine/install.yml new file mode 100644 index 0000000..8cb6e02 --- /dev/null +++ b/tools/ansible/roles/openconext-engine/install.yml 
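Review bot: `get_url` fetches the release tarball identified only by URL and `unarchive` then extracts it into `{{ releases_dir }}` unverified, so whatever is served at `engine_download_url` is what gets installed. `get_url` supports a `sha256sum` argument; pass the expected digest alongside the version, e.g. `get_url: url="{{ engine_download_url }}" dest="{{ engine_build_path }}" sha256sum="{{ engine_download_sha256 }}"` with `engine_download_sha256` (name constructed here) supplied next to `engine_version`. Because the download in `builds_dir` is reused across runs, the digest check also catches a truncated or stale earlier download before it is unpacked.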
@@ -0,0 +1,33 @@ +--- + - name: Install Engine from Build (only when version starts with a number) + include: install-build.yml + when: engine_version | match("^[0-9]") + + - name: Install Engine from source (only when version does not start with a number) + include: install-src.yml + when: engine_version | match("^[^0-9]") + + - name: Install default application settings (if no settings exist yet) + copy: + src: "{{ engine_release_dir }}/etc/openconext/engineblock.ini" + dest: /etc/openconext/engineblock.ini + force: no + + - name: Migrate the configuration file + command: "{{ engine_release_dir }}/bin/migrate_etc.php" + + - name: Install migrated configuration file + command: install -b /etc/openconext/engineblock.ini.new /etc/openconext/engineblock.ini + + - name: Detect default certificates. + stat: path=/etc/openconext/engineblock.key + register: default_cert + + - name: Generate new default certificate if none was found. + command: openssl req -subj '/CN=Engine/OU=Services/O=OpenConext/C=NL/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out engineblock.crt -keyout engineblock.key + args: + chdir: /etc/openconext + when: default_cert.stat.exists == false + + - name: Legacy 4.2.0 + include: legacy/4.2.0.yml \ No newline at end of file diff --git a/tools/ansible/install-engine.yml b/tools/ansible/roles/openconext-engine/legacy/4.2.0.yml similarity index 55% rename from tools/ansible/install-engine.yml rename to tools/ansible/roles/openconext-engine/legacy/4.2.0.yml index 4aae881..db49a15 100644 --- a/tools/ansible/install-engine.yml +++ b/tools/ansible/roles/openconext-engine/legacy/4.2.0.yml 
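Review bot: The `Generate new default certificate` task runs `openssl req ... -nodes -keyout engineblock.key` in `/etc/openconext` and leaves the private key with whatever permissions openssl and the umask produce; nothing here pins the mode of `engineblock.key`, and the detection task only checks that it exists. Add a follow-up `file: path=/etc/openconext/engineblock.key mode=0600` (with the owner the web server runs as, if that differs) so the key is not readable by other local accounts regardless of how it was created. Two smaller points: the `copy` task's `src` under `{{ engine_release_dir }}` is read on the control machine by the `copy` module, so it only works because the demo inventory uses `ansible_connection=local`; and when `engine_version` is empty neither `match` condition holds and nothing is installed, which deserves an explicit `fail:` rather than a silent skip.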
@@ -1,16 +1,4 @@ --- - - name: "BUILD - Get the current release" - get_url: url="{{ engine_download_url }}" dest="{{ engine_build_path }}" - - - name: "BUILD - Unarchive it" - unarchive: src={{ engine_build_path }} dest={{ releases_dir }} copy=no - - - name: "BUILD - Install default application settings" - copy: - src: "{{ engine_release_dir }}/etc/openconext/engineblock.ini" - dest: /etc/openconext/engineblock.ini - force: no - - name: "BUILD - Legacy: Remove obsolete profile.d/openconext.sh" file: path=/etc/profile.d/openconext.sh state=absent From 01c9d11b92adb113fed96c78cceef1a40e13c472 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 4 Jul 2014 14:54:45 +0200 Subject: [PATCH 26/49] Removed engine:vars as that is unnecessary for now (is done in engineblock.sh) --- tools/ansible/inventory/demo.openconext.org.ini | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/tools/ansible/inventory/demo.openconext.org.ini b/tools/ansible/inventory/demo.openconext.org.ini index e917911..acd0705 100644 --- a/tools/ansible/inventory/demo.openconext.org.ini +++ b/tools/ansible/inventory/demo.openconext.org.ini @@ -1,18 +1,6 @@ [engine] localhost ansible_connection=local -[engine:vars] -deploy_root=/opt/www -;version=develop -;engine_db_name=engineblock -;engine_db_host=localhost -;engine_db_port=3306 -;engine_db_user=engine2mysql -;engine_db_password=enginepass -;admin_db_user=root -;admin_db_password=c0n3xt -;serviceregistry_url=https://serviceregistry.demo.openconext.org - [serviceregistry] localhost From 491f5a1761b0bf8b19b04c0ac4482c738ffe64df Mon Sep 17 00:00:00 2001 
From: Boy Baukema Date: Mon, 7 Jul 2014 17:02:24 +0200 Subject: [PATCH 27/49] Moved roles to own repositories. Introduced Librarian Ansible. Restructured Ansible setup. --- ...p_key_casing-issue_8050-ansible_1.6.2.diff | 28 +++++ scripts/components/engineblock.sh | 13 +- .../inventory/acc.surfconext.nl.ini | 0 .../inventory/surfconext.nl.ini | 0 .../inventory/test.surfconext.nl.ini | 0 tools/ansible/.gitignore | 1 + tools/ansible/.librarian/ansible/config | 3 + tools/ansible/Ansiblefile | 15 +++ tools/ansible/Ansiblefile.lock | 28 +++++ tools/ansible/README-DEV.md | 21 ++++ tools/ansible/README-DEVS.md | 96 ++++++++++++++ tools/ansible/README.md | 0 tools/ansible/api.yml | 31 +++++ tools/ansible/engineblock.yml | 91 ++++++++++++++ .../ansible/inventory/demo.openconext.org.ini | 11 +- tools/ansible/provision/engine.yml | 119 ------------------ .../ansible/provision/legacy/engine/4.2.0.yml | 11 -- .../roles/openconext-api/install-src.yml | 0 .../ansible/roles/openconext-api/install.yml | 0 .../roles/openconext-engine/activate.yml | 15 --- .../roles/openconext-engine/install-build.yml | 6 - .../roles/openconext-engine/install-src.yml | 12 -- .../roles/openconext-engine/install.yml | 33 ----- .../roles/openconext-engine/legacy/4.2.0.yml | 13 -- tools/ansible/site.yml | 3 + tools/ansible/version-engine.yml | 5 - 26 files changed, 330 insertions(+), 225 deletions(-) create mode 100644 patches/ansible/ansible/ini_file_keep_key_casing-issue_8050-ansible_1.6.2.diff delete mode 100644 tools/ansible-surfconext/inventory/acc.surfconext.nl.ini delete mode 100644 tools/ansible-surfconext/inventory/surfconext.nl.ini delete mode 100644 tools/ansible-surfconext/inventory/test.surfconext.nl.ini create mode 100644 tools/ansible/.gitignore create mode 100644 tools/ansible/.librarian/ansible/config create mode 100644 tools/ansible/README-DEV.md create mode 100644 tools/ansible/README-DEVS.md delete mode 100644 tools/ansible/README.md create mode 100644 tools/ansible/api.yml create mode 
100644 tools/ansible/engineblock.yml delete mode 100644 tools/ansible/provision/engine.yml delete mode 100644 tools/ansible/provision/legacy/engine/4.2.0.yml delete mode 100644 tools/ansible/roles/openconext-api/install-src.yml delete mode 100644 tools/ansible/roles/openconext-api/install.yml delete mode 100644 tools/ansible/roles/openconext-engine/activate.yml delete mode 100644 tools/ansible/roles/openconext-engine/install-build.yml delete mode 100644 tools/ansible/roles/openconext-engine/install-src.yml delete mode 100644 tools/ansible/roles/openconext-engine/install.yml delete mode 100644 tools/ansible/roles/openconext-engine/legacy/4.2.0.yml create mode 100644 tools/ansible/site.yml delete mode 100644 tools/ansible/version-engine.yml diff --git a/patches/ansible/ansible/ini_file_keep_key_casing-issue_8050-ansible_1.6.2.diff b/patches/ansible/ansible/ini_file_keep_key_casing-issue_8050-ansible_1.6.2.diff new file mode 100644 index 0000000..3309993 --- /dev/null +++ b/patches/ansible/ansible/ini_file_keep_key_casing-issue_8050-ansible_1.6.2.diff @@ -0,0 +1,28 @@ +--- ini_file 2014-05-23 21:16:25.000000000 +0000 ++++ ini_file 2014-07-07 07:58:19.420050811 +0000 +@@ -95,6 +95,7 @@ + + changed = False + cp = ConfigParser.ConfigParser() ++ cp.optionxform = identity + + try: + f = open(filename) +@@ -151,6 +152,17 @@ + return changed + + # ============================================================== ++# identity ++ ++def identity(arg): ++ """This function simply returns its argument. It serves as a ++ replacement for ConfigParser.optionxform, which by default ++ changes arguments to lower case. The identity function is a ++ better choice than str() or unicode(), because it is ++ encoding-agnostic.""" ++ return arg ++ ++# ============================================================== + # main + + def main(): diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index 4431268..ae246e6 100755 --- a/scripts/components/engineblock.sh 
+++ b/scripts/components/engineblock.sh @@ -1,10 +1,15 @@ #!/bin/bash -# Make sure Ansible is installed -yum install -y ansible MySQL-python && +# Make sure Ansible is installed cleanly +sudo yum erase -y ansible && +sudo yum install -y ansible MySQL-python patch && + +# Patch Ansible for: #8050: ini_file module still changes all option names to lower case. +# -b = backup, -N = assume merged if failed, -u = Unified format, -p0 = 0 leading lines, -d chdir to dir before apply. +sudo patch -b -N -u -p0 -d /usr/share/ansible/files < $OC_BASEDIR/patches/ansible/ansible/ini_file_keep_key_casing-issue_8050-ansible_1.6.2.diff # Run Ansible playbook -ansible-playbook \ +sudo ansible-playbook \ -v \ -i $OC_BASEDIR/tools/ansible/inventory/demo.openconext.org.ini \ -e "openconext_domain=$OC_DOMAIN" \ @@ -21,6 +26,6 @@ ansible-playbook \ -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \ -e "serviceregistry_user=$OC__ENGINE_JANUSAPI_USER" \ -e "serviceregistry_secret=$OC__ENGINE_JANUSAPI_PASS" \ - $OC_BASEDIR/tools/ansible/provision/engine.yml + $OC_BASEDIR/tools/ansible/engineblock.yml ENGINEBLOCK_CERT=`sed '1d;$d' /etc/surfconext/engineblock.crt | tr -d '\n'` \ No newline at end of file diff --git a/tools/ansible-surfconext/inventory/acc.surfconext.nl.ini b/tools/ansible-surfconext/inventory/acc.surfconext.nl.ini deleted file mode 100644 index e69de29..0000000 diff --git a/tools/ansible-surfconext/inventory/surfconext.nl.ini b/tools/ansible-surfconext/inventory/surfconext.nl.ini deleted file mode 100644 index e69de29..0000000 diff --git a/tools/ansible-surfconext/inventory/test.surfconext.nl.ini b/tools/ansible-surfconext/inventory/test.surfconext.nl.ini deleted file mode 100644 index e69de29..0000000 diff --git a/tools/ansible/.gitignore b/tools/ansible/.gitignore new file mode 100644 index 0000000..6d19496 --- /dev/null +++ b/tools/ansible/.gitignore @@ -0,0 +1 @@ +roles \ No newline at end of file 
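Review bot: The new bootstrap installs whatever `ansible` version the repository currently offers (`sudo yum install -y ansible MySQL-python patch`) and then applies a diff written against 1.6.2 (per the patch filename) to `/usr/share/ansible/files`, and the `sudo patch` line is the only step in the chain not followed by `&&`, so a rejected or fuzzed patch does not stop `ansible-playbook` from running. When the patch has not taken, `ini_file` lowercases keys such as `serviceRegistry.location` in `engineblock.ini` and EngineBlock silently reads the wrong settings. Pin the package to the version the patch targets and either chain the patch step with `&&` (bearing in mind `-N` may still exit non-zero on a re-run when the patch is already applied) or check `patch`'s exit status explicitly and treat anything other than success or already-applied as fatal. The `-N` comment is also inaccurate; `# -N = skip hunks that look reversed or already applied` describes the option.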
diff --git a/tools/ansible/.librarian/ansible/config b/tools/ansible/.librarian/ansible/config new file mode 100644 index 0000000..834573d --- /dev/null +++ b/tools/ansible/.librarian/ansible/config @@ -0,0 +1,3 @@ +--- +LIBRARIAN_ANSIBLE_PATH: roles +LIBRARIAN_ANSIBLE_TMP: /tmp diff --git a/tools/ansible/Ansiblefile b/tools/ansible/Ansiblefile index e69de29..800e030 100644 --- a/tools/ansible/Ansiblefile +++ b/tools/ansible/Ansiblefile @@ -0,0 +1,15 @@ +#!/usr/bin/env ruby +#^syntax detection + +role "openconext-engineblock", + git: "git@github.com:OpenConext/OpenConext-engineblock.git", + ref: "feature/ansible", + path: "./tools/ansible-role-openconext-engineblock" + +role "openconext-api", + git: "git@github.com:OpenConext/OpenConext-api.git", + ref: "feature/ansible", + path: "./coin-api-dist/src/main/resources/ansible-openconext-api" + +role "ansible-xml", + github: "relaxnow/ansible-xml" \ No newline at end of file diff --git a/tools/ansible/Ansiblefile.lock b/tools/ansible/Ansiblefile.lock index e69de29..1c9ef79 100644 --- a/tools/ansible/Ansiblefile.lock +++ b/tools/ansible/Ansiblefile.lock @@ -0,0 +1,28 @@ +GIT + remote: git@github.com:OpenConext/OpenConext-api.git + path: ./coin-api-dist/src/main/resources/ansible-openconext-api + ref: feature/ansible + sha: 43e66566d7d73a222327dcb56a9afe1a31757ef0 + specs: + openconext-api (4.2.0) + +GIT + remote: git@github.com:OpenConext/OpenConext-engineblock.git + path: ./tools/ansible-role-openconext-engineblock + ref: feature/ansible + sha: ddd0bd9adffd368edd119c6ffd1a98994535ce38 + specs: + openconext-engineblock (4.2.0) + +GIT + remote: https://github.com/relaxnow/ansible-xml + ref: master + sha: fbf776c8d71b1d6c941de636a7071925ff8177b3 + specs: + ansible-xml (0.1.0) + +DEPENDENCIES + ansible-xml (>= 0) + openconext-api (>= 0) + openconext-engineblock (>= 0) + diff --git a/tools/ansible/README-DEV.md b/tools/ansible/README-DEV.md new file mode 100644 index 0000000..bb03446 --- /dev/null 
+++ b/tools/ansible/README-DEV.md @@ -0,0 +1,21 @@ +Requirements +============ +* Ansible +* Librarian Ansible + +Install the roles with: +``` +cd tools/ansible && librarian-ansible install +``` + +Install +======= +Install the entire platform: +``` +ansible-playbook -i inventory/demo.openconext.ini site.yml +``` + +Install only EngineBlock: +``` +ansible-playbook -i inventory/demo.openconext.ini engineblock.yml +``` \ No newline at end of file diff --git a/tools/ansible/README-DEVS.md b/tools/ansible/README-DEVS.md new file mode 100644 index 0000000..31b6585 --- /dev/null +++ b/tools/ansible/README-DEVS.md 
@@ -0,0 +1,96 @@ +# Definition of terms + +An OpenConext Component is a separate piece of software that conforms to the OpenConext Component Requirements. +An OpenConext Platform is a selection of OpenConext Components. +An OpenConext Environment is a physical (or virtual) hosting environment of 1 or multiple servers for a OpenConext Platform. + +# OpenConext Component Requirements + +A Component MUST comply to the following to be a valid OpenConext Component. + +A Component MAY store it's configuration files in ```/etc/openconext```. + +A Component MAY store example configuration for third party components in ```etc/```. + +A Component MUST have a public Git URL. +In this repository MUST be a directory ```tools/ansible``` with the following playbooks: + +## install.yml +Install MUST be able to install on a Environment and MUST use the 'version' variable. +Install SHOULD check it's own local dependencies (like HTTP, Tomcat, PHP, JRE, etc). +The version variable MAY be filled with a semantic version (like 4.0.1) or a branch name +(like develop, master or feature/ansible-setup). +Install MUST be able to upgrade an existing installation of **any** previous version to it's version. +Install MAY refuse a downgrade. +Install MUST NOT overwrite existing configuration files, but MAY write initial configuration files. +Install SHOULD be idempotent. + +## erase.yml +Erase MUST be able to remove a component. + +## setup.yml +Setup MUST be called after install and the component has been configured by the environment. +Setup SHOULD check it's configuration. +Setup SHOULD be able to upgrade an existing installation of any previous version. + +## version.yml +Version MUST display the currently installed version of the component. +Version MUST return a non-0 status code if the component is not installed. 
+ +#Example lifecycle: + +```bash +git clone git://url/component.git +git checkout 3.0.0 + +## Check for existence +ansible-playbook tools/ansible/version.yml + +## Initial install +ansible-playbook tools/ansible/install.yml -e "version=3.0.0" + +## Settings changed in /etc/openconext/component.ini + +## Setup the component +ansible-playbook tools/ansible/setup.yml + +## Some time later an update arrives +ansible-playbook tools/ansible/install.yml -e "version=3.0.1" + +## Check version +ansible-playbook tools/ansible/version.yml +# Returns "3.0.1" + +## A developer decides to switch to a feature development version +ansible-playbook tools/ansible/install.yml -e "version=feature/awesome-feature" + +## Check version +ansible-playbook tools/ansible/version.yml +## Returns "feature/awesome-feature" + +## The developer releases a new version and switches back to that +ansible-playbook tools/ansible/install.yml -e "version=3.1.0" + +## Component is no longer needed and needs to be deinstalled +ansible-playbook tools/ansible/erase.yml +``` + +# Drawing the line between component and environment + +A Component MAY provide a template for environment required configuration. + +A Component MUST NOT modify non-standard environment configuration. + +A Component MAY supply updated environment configuration with a message to verify and install manually. + +A Component MAY not operate after a successful install. + +A Component MUST operate after a successful setup. + +A Component MUST NOT restart services it has not provided. + +A Component MAY depend on other components or other third party software but SHOULD not install it. + +When in doubt think: **would you expect an rpm install to perform this?**
+If **yes**, then the **Component** is responsible.
+If **no**, then the **Environment** is responsible. \ No newline at end of file diff --git a/tools/ansible/README.md b/tools/ansible/README.md deleted file mode 100644 index e69de29..0000000 diff --git a/tools/ansible/api.yml b/tools/ansible/api.yml new file mode 100644 index 0000000..6135c7b --- /dev/null +++ b/tools/ansible/api.yml @@ -0,0 +1,31 @@ +- name: Provision API + hosts: api + remote_user: "{{ remote_user }}" + + vars: + temp_dir: "/tmp" + logging_dir: "/var/log/openconext" + releases_dir: "/opt/openconext" + builds_dir: "{{ releases_dir }}/builds" + configs_dir: "/etc/openconext" + + # API specific variables + api_git_url: "https://github.com/OpenConext/OpenConext-api.git" + api_version_dir: "{{ api_version | replace('/', '-') }}" + api_release_dir: "{{ releases_dir }}/OpenConext-api-{{ api_version_dir }}" + api_build_path: "{{ builds_dir }}/coin-api-dist-{{ api_version }}-bin.tar.gz" + api_download_url: "https://build.surfconext.nl/repository/public/releases/org/surfnet/coin/coin-api-dist/{{ api_version }}/coin-api-dist-{{ api_version }}-bin.tar.gz" + api_tomcat_path: "/usr/share/tomcat6" + api_tomcat_wars_path: "{{ api_tomcat_path }}/wars" + api_tomcat_work_path: "{{ api_tomcat_path }}/work/Catalina/api.{{ openconext_domain }}" + api_tomcat_webapps_path: "{{ api_tomcat_path }}/webapps/api.{{ openconext_domain }}" + + + pre_tasks: + - name: Provision DB & DB user + + roles: + - { role: openconext-api } + + post_tasks: + - name: Provision Apache proxy \ No newline at end of file diff --git a/tools/ansible/engineblock.yml b/tools/ansible/engineblock.yml new file mode 100644 index 0000000..f7ebf79 --- /dev/null +++ b/tools/ansible/engineblock.yml 
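Review bot: The `pre_tasks` entry `Provision DB & DB user` and the `post_tasks` entry `Provision Apache proxy` consist of a `name` only, with no module, which Ansible rejects when parsing the play, so `api.yml` (and `site.yml`, if it includes it) cannot run as committed. If these are placeholders, comment them out like the `#TODO` LDAP entry in `engineblock.yml` or give them a harmless body such as `debug: msg="TODO: provision DB and DB user"` so the play parses and the gap stays visible in the run output. The `vars` also interpolate `{{ api_version }}`, `{{ openconext_domain }}` and `{{ remote_user }}` with no defaults; a short comment listing them as required extra-vars would save the next operator a template error.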
@@ -0,0 +1,91 @@ +--- +- name: Provision EngineBlock + hosts: engineblock + remote_user: "{{ remote_user }}" + + vars: + temp_dir: "/tmp" + logging_dir: "/var/log/openconext" + releases_dir: "/opt/openconext" + builds_dir: "{{ releases_dir }}/builds" + configs_dir: "/etc/openconext" + + # Engine specific variables + enbine_git_url: "https://github.com/OpenConext/OpenConext-engineblock.git" + engine_version_dir: "{{ engine_version | replace('/', '-') }}" + engine_release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ engine_version_dir }}" + engine_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" + engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" + engine_current_release_symlink: "/opt/www/engineblock" + + engine_config: + auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.default.pem + auth.simplesamlphp.idp.location : "https://engine.{{ openconext_domain }}/authentication/idp/single-sign-on" + auth.simplesamlphp.idp.entityId : "https://engine.{{ openconext_domain }}/authentication/idp/metadata" + cookie.lang.domain : "{{ openconext_domain }}" + cookie.lang.expiry : "60*60*24*60" + database.master1.user : "{{ engine_db_user }}" + database.master1.dsn : "mysql:host:{{ engine_db_host }};dbname:{{ engine_db_name }}" + database.master1.password : "{{ engine_db_password }}" + database.masters[] : "master1" + database.slaves[] : "master1" + dynamicAssets : true + email.sendWelcomeMail : 0 + encryption.keys.default.privateFile : /etc/surfconext/engineblock.key + encryption.keys.default.publicFile : /etc/surfconext/engineblock.crt + ldap.accountDomainName : "surfconext.nl" + ldap.baseDn : "dc:surfconext,dc:nl" + ldap.host : "ldap.{{ openconext_domain }}" + ldap.useSsl : 0 + ldap.userName : "{{ engine_ldap_binddn }}" + ldap.password : "{{ engine_ldap_password }}" + logs.file.writername : "Stream" + 
logs.file.writerparams.stream : "/var/log/surfconext/engineblock.log" + serviceRegistry.location : "{{ serviceregistry_url }}" + serviceRegistry.user : "{{ serviceregistry_user }}" + serviceRegistry.user_secret : "{{ serviceregistry_secret }}" + + pre_tasks: + - name: Make sure a database exists + mysql_db: + state: present + name: "{{ engine_db_name }}" + login_host: "{{ engine_db_host }}" + login_port: "{{ engine_db_port }}" + login_user: "{{ db_admin_user }}" + login_password: "{{ db_admin_password }}" + encoding: utf8 + collation: utf8_unicode_ci + register: engine_db_install + + - name: Make sure a user exists + mysql_user: + state: present + name: "{{ engine_db_user }}" + password: "{{ engine_db_password }}" + priv: "{{ engine_db_name }}.*:ALL" + login_host: "{{ engine_db_host }}" + login_port: "{{ engine_db_port}}" + login_user: "{{ db_admin_user }}" + login_password: "{{ db_admin_password}}" + + #TODO: - name: Make sure LDAP database exists + + roles: + - { role: openconext-engineblock } + + post_tasks: + - name: Fill out variables in demo data. + template: src=../../../data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql + when: engine_db_install.changed + + - name: Provision EngineBlock demo data. + mysql_db: + name: "{{ engine_db_name }}" + login_host: "{{ engine_db_host }}" + login_port: "{{ engine_db_port}}" + login_user: "{{ engine_db_user }}" + login_password: "{{ engine_db_password}}" + state: import + target: /tmp/domain.engineblock.sql + when: engine_db_install.changed \ No newline at end of file diff --git a/tools/ansible/inventory/demo.openconext.org.ini b/tools/ansible/inventory/demo.openconext.org.ini index acd0705..ab9c3b7 100644 --- a/tools/ansible/inventory/demo.openconext.org.ini +++ b/tools/ansible/inventory/demo.openconext.org.ini 
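Review bot: The `engine_config` block sets `ldap.useSsl : 0` while `ldap.host` is `ldap.{{ openconext_domain }}`, so EngineBlock binds as `{{ engine_ldap_binddn }}` and sends `{{ engine_ldap_password }}` in the clear to a host that, outside the all-localhost demo inventory, is a network peer; default to `ldap.useSsl : 1` or document next to the setting why plaintext LDAP is acceptable for this environment. Two further items in the same vars: `enbine_git_url` looks like a typo for `engine_git_url` (if the role reads the latter it silently falls back to its own default), and the key and certificate paths still point at `/etc/surfconext/...` while `configs_dir` is `/etc/openconext`, so the configuration only works through the legacy symlink. A comment on those paths, `# resolved via the /etc/surfconext -> /etc/openconext legacy link`, would record that dependency.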
@@ -1,8 +1,5 @@ -[engine] -localhost ansible_connection=local - -[serviceregistry] -localhost - [api] -localhost \ No newline at end of file +localhost ansible_connection=local + +[engineblock] +localhost ansible_connection=local \ No newline at end of file diff --git a/tools/ansible/provision/engine.yml b/tools/ansible/provision/engine.yml deleted file mode 100644 index 404902f..0000000 --- a/tools/ansible/provision/engine.yml +++ /dev/null 
@@ -1,119 +0,0 @@ ---- -- name: Provision EngineBlock - hosts: engine - remote_user: "{{ remote_user }}" - - vars: - # General vars, note that these should be moved to a parent playbook in future versions - # Note that ordering matters here! - temp_dir: "/tmp" - logging_dir: "/var/log/openconext" - releases_dir: "/opt/openconext" - builds_dir: "{{ releases_dir }}/builds" - configs_dir: "/etc/openconext" - - # Engine specific variables - engine_version_dir: "{{ engine_version | replace('/', '-') }}" - engine_release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ engine_version_dir }}" - engine_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" - engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" - engine_current_release_symlink: "/opt/www/engineblock" - - engine_config: - auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.default.pem - auth.simplesamlphp.idp.location : "https://engine.{{ openconext_domain }}/authentication/idp/single-sign-on" - auth.simplesamlphp.idp.entityId : "https://engine.{{ openconext_domain }}/authentication/idp/metadata" - cookie.lang.domain : "{{ openconext_domain }}" - cookie.lang.expiry : "60*60*24*60" - database.master1.user : "{{ engine_db_user }}" - database.master1.dsn : "mysql:host:{{ engine_db_host }};dbname:{{ engine_db_name }}" - database.master1.password : "{{ engine_db_password }}" - database.masters[] : "master1" - database.slaves[] : "master1" - dynamicAssets : true - email.sendWelcomeMail : 0 - encryption.keys.default.privateFile : /etc/surfconext/engineblock.key - encryption.keys.default.publicFile : /etc/surfconext/engineblock.crt - ldap.accountDomainName : "surfconext.nl" - ldap.baseDn : "dc:surfconext,dc:nl" - ldap.host : "ldap.{{ openconext_domain }}" - ldap.useSsl : 0 - ldap.userName : "{{ engine_ldap_binddn }}" - ldap.password : "{{ 
engine_ldap_password }}" - logs.file.writername : "Stream" - logs.file.writerparams.stream : "/var/log/surfconext/engineblock.log" - serviceRegistry.location : "{{ serviceregistry_url }}" - serviceRegistry.user : "{{ serviceregistry_user }}" - serviceRegistry.user_secret : "{{ serviceregistry_secret }}" - - tasks: - -# Provision the environment - - name: Legacy 4.2.0 - include: legacy/engine/4.2.0.yml - - - name: Ensure the directories exists - file: path={{ item }} state=directory - with_items: - - "{{ releases_dir }}" - - "{{ builds_dir }}" - - "{{ configs_dir }}" - - - name: Make sure a database exists - mysql_db: - state: present - name: "{{ engine_db_name }}" - login_host: "{{ engine_db_host }}" - login_port: "{{ engine_db_port }}" - login_user: "{{ db_admin_user }}" - login_password: "{{ db_admin_password }}" - encoding: utf8 - collation: utf8_unicode_ci - register: engine_db_install - - - name: Make sure a user exists - mysql_user: - state: present - name: "{{ engine_db_user }}" - password: "{{ engine_db_password }}" - priv: "{{ engine_db_name }}.*:ALL" - login_host: "{{ engine_db_host }}" - login_port: "{{ engine_db_port}}" - login_user: "{{ db_admin_user }}" - login_password: "{{ db_admin_password}}" - -# - name: Make sure LDAP database exists - -# Install the software - - name: Install EngineBlock - include: ../roles/openconext-engine/install.yml - -# Configure the software - - name: Set configuration - ini_file: - dest: /etc/openconext/engineblock.ini - section: "local" - option: "{{ item.key }}" - value: "{{ item.value }}" - with_dict: engine_config - -# Activate the software - - name: Setup and Activate the new EngineBlock version - include: ../roles/openconext-engine/activate.yml - - # @TODO: separate DDL from data -# Provision demo data - - name: Write out SQL file with proper domain - template: src=../../../data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql - when: engine_db_install.changed - - - name: Install initial Database schema when a 
new database was created - mysql_db: - name: "{{ engine_db_name }}" - login_host: "{{ engine_db_host }}" - login_port: "{{ engine_db_port}}" - login_user: "{{ engine_db_user }}" - login_password: "{{ engine_db_password}}" - state: import - target: /tmp/domain.engineblock.sql - when: engine_db_install.changed \ No newline at end of file diff --git a/tools/ansible/provision/legacy/engine/4.2.0.yml b/tools/ansible/provision/legacy/engine/4.2.0.yml deleted file mode 100644 index 476efd6..0000000 --- a/tools/ansible/provision/legacy/engine/4.2.0.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - - name: Legacy - Detect /etc/surfconext - stat: path=/etc/surfconext - register: legacy_etc_dir - - - name: Legacy - move directory /etc/surfconext to /etc/openconext - command: mv /etc/surfconext "{{ configs_dir }}" - when: legacy_etc_dir.stat.exists == true and legacy_etc_dir.stat.isdir == true - - - name: Legacy - Ensure /etc/surfconext points to /etc/openconext - file: path=/etc/surfconext src={{ configs_dir }} state=link \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/install-src.yml b/tools/ansible/roles/openconext-api/install-src.yml deleted file mode 100644 index e69de29..0000000 diff --git a/tools/ansible/roles/openconext-api/install.yml b/tools/ansible/roles/openconext-api/install.yml deleted file mode 100644 index e69de29..0000000 diff --git a/tools/ansible/roles/openconext-engine/activate.yml b/tools/ansible/roles/openconext-engine/activate.yml deleted file mode 100644 index cbde6b2..0000000 --- a/tools/ansible/roles/openconext-engine/activate.yml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- - - name: Update LDAP - command: ldapmodify -x -D "{{ admin_ldap_binddn }}" -h localhost -w "{{ admin_ldap password }}" -f {{ item }} - with_items: - - "{{ engine_release_dir }}/ldap/changes/addDeprovisionWarningSentAttributes.ldif" - - "{{ engine_release_dir }}/ldap/changes/addCollabPersonUUID.ldif" - ignore_errors: true - - - name: Run EngineBlock migrations - command: ./bin/migrate - args: - chdir: "{{ engine_release_dir }}" - - - name: Activate new EngineBlock - file: src={{ engine_release_dir }} dest={{ engine_current_release_symlink }} state=link \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engine/install-build.yml b/tools/ansible/roles/openconext-engine/install-build.yml deleted file mode 100644 index 610d49f..0000000 --- a/tools/ansible/roles/openconext-engine/install-build.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - - name: BUILD - Get the current release - get_url: url="{{ engine_download_url }}" dest="{{ engine_build_path }}" - - - name: BUILD - Unarchive it - unarchive: src={{ engine_build_path }} dest={{ releases_dir }} copy=no \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engine/install-src.yml b/tools/ansible/roles/openconext-engine/install-src.yml deleted file mode 100644 index a0d10fe..0000000 --- a/tools/ansible/roles/openconext-engine/install-src.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- - - name: "SRC - Install Git repo" - git: - accept_hostkey: yes - repo: https://github.com/OpenConext/OpenConext-engineblock.git - dest: "{{ engine_release_dir }}" - version: "{{ engine_version }}" - - - name: "SRC - Running Composer install" - command: ./bin/composer.phar --prefer-dist --no-interaction install - args: - chdir: "{{ engine_release_dir }}" \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engine/install.yml b/tools/ansible/roles/openconext-engine/install.yml deleted file mode 100644 index 8cb6e02..0000000 
--- a/tools/ansible/roles/openconext-engine/install.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- - - name: Install Engine from Build (only when version starts with a number) - include: install-build.yml - when: engine_version | match("^[0-9]") - - - name: Install Engine from source (only when version does not start with a number) - include: install-src.yml - when: engine_version | match("^[^0-9]") - - - name: Install default application settings (if no settings exist yet) - copy: - src: "{{ engine_release_dir }}/etc/openconext/engineblock.ini" - dest: /etc/openconext/engineblock.ini - force: no - - - name: Migrate the configuration file - command: "{{ engine_release_dir }}/bin/migrate_etc.php" - - - name: Install migrated configuration file - command: install -b /etc/openconext/engineblock.ini.new /etc/openconext/engineblock.ini - - - name: Detect default certificates. - stat: path=/etc/openconext/engineblock.key - register: default_cert - - - name: Generate new default certificate if none was found. - command: openssl req -subj '/CN=Engine/OU=Services/O=OpenConext/C=NL/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out engineblock.crt -keyout engineblock.key - args: - chdir: /etc/openconext - when: default_cert.stat.exists == false - - - name: Legacy 4.2.0 - include: legacy/4.2.0.yml \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engine/legacy/4.2.0.yml b/tools/ansible/roles/openconext-engine/legacy/4.2.0.yml deleted file mode 100644 index db49a15..0000000 --- a/tools/ansible/roles/openconext-engine/legacy/4.2.0.yml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- - - name: "BUILD - Legacy: Remove obsolete profile.d/openconext.sh" - file: path=/etc/profile.d/openconext.sh state=absent - - - name: "BUILD - Legacy: Move /var/log/surfconext to /var/log/openconext" - command: mv /var/log/surfconext {{ logging_dir }} - ignore_errors: yes - - - name: "BUILD - Install logging directory" - file: path={{ logging_dir }} state=directory - - - name: "BUILD - Legacy: Install symlink from /var/log/surfconext to /var/log/openconext" - file: path=/var/log/surfconext src={{ logging_dir }} state=link \ No newline at end of file diff --git a/tools/ansible/site.yml b/tools/ansible/site.yml new file mode 100644 index 0000000..d65f13f --- /dev/null +++ b/tools/ansible/site.yml @@ -0,0 +1,3 @@ +--- + - name: Install EngineBlock + include: engineblock.yml \ No newline at end of file diff --git a/tools/ansible/version-engine.yml b/tools/ansible/version-engine.yml deleted file mode 100644 index f6feb4e..0000000 --- a/tools/ansible/version-engine.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Get the version of OpenConext Engine - hosts: engine - remote_user: "{{ remote_user }}" - From 7dc93b63fdb95cad0e83314d540de7b1c344f947 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Mon, 7 Jul 2014 17:15:55 +0200 Subject: [PATCH 28/49] Moved README --- README-DEVS.md | 96 -------------------------------------------------- 1 file changed, 96 deletions(-) delete mode 100644 README-DEVS.md diff --git a/README-DEVS.md b/README-DEVS.md deleted file mode 100644 index 31b6585..0000000 --- a/README-DEVS.md +++ /dev/null 
@@ -1,96 +0,0 @@ -# Definition of terms - -An OpenConext Component is a separate piece of software that conforms to the OpenConext Component Requirements. -An OpenConext Platform is a selection of OpenConext Components. -An OpenConext Environment is a physical (or virtual) hosting environment of 1 or multiple servers for a OpenConext Platform. - -# OpenConext Component Requirements - -A Component MUST comply to the following to be a valid OpenConext Component. - -A Component MAY store it's configuration files in ```/etc/openconext```. - -A Component MAY store example configuration for third party components in ```etc/```. - -A Component MUST have a public Git URL. -In this repository MUST be a directory ```tools/ansible``` with the following playbooks: - -## install.yml -Install MUST be able to install on a Environment and MUST use the 'version' variable. -Install SHOULD check it's own local dependencies (like HTTP, Tomcat, PHP, JRE, etc). -The version variable MAY be filled with a semantic version (like 4.0.1) or a branch name -(like develop, master or feature/ansible-setup). -Install MUST be able to upgrade an existing installation of **any** previous version to it's version. -Install MAY refuse a downgrade. -Install MUST NOT overwrite existing configuration files, but MAY write initial configuration files. -Install SHOULD be idempotent. - -## erase.yml -Erase MUST be able to remove a component. - -## setup.yml -Setup MUST be called after install and the component has been configured by the environment. -Setup SHOULD check it's configuration. -Setup SHOULD be able to upgrade an existing installation of any previous version. - -## version.yml -Version MUST display the currently installed version of the component. -Version MUST return a non-0 status code if the component is not installed. 
- -#Example lifecycle: - -```bash -git clone git://url/component.git -git checkout 3.0.0 - -## Check for existence -ansible-playbook tools/ansible/version.yml - -## Initial install -ansible-playbook tools/ansible/install.yml -e "version=3.0.0" - -## Settings changed in /etc/openconext/component.ini - -## Setup the component -ansible-playbook tools/ansible/setup.yml - -## Some time later an update arrives -ansible-playbook tools/ansible/install.yml -e "version=3.0.1" - -## Check version -ansible-playbook tools/ansible/version.yml -# Returns "3.0.1" - -## A developer decides to switch to a feature development version -ansible-playbook tools/ansible/install.yml -e "version=feature/awesome-feature" - -## Check version -ansible-playbook tools/ansible/version.yml -## Returns "feature/awesome-feature" - -## The developer releases a new version and switches back to that -ansible-playbook tools/ansible/install.yml -e "version=3.1.0" - -## Component is no longer needed and needs to be deinstalled -ansible-playbook tools/ansible/erase.yml -``` - -# Drawing the line between component and environment - -A Component MAY provide a template for environment required configuration. - -A Component MUST NOT modify non-standard environment configuration. - -A Component MAY supply updated environment configuration with a message to verify and install manually. - -A Component MAY not operate after a successful install. - -A Component MUST operate after a successful setup. - -A Component MUST NOT restart services it has not provided. - -A Component MAY depend on other components or other third party software but SHOULD not install it. - -When in doubt think: **would you expect an rpm install to perform this?**
-If **yes**, then the **Component** is responsible.
-If **no**, then the **Environment** is responsible. \ No newline at end of file From c79517bbdeaf950526fa3d95da9dc8fb551a2e43 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Mon, 7 Jul 2014 17:35:34 +0200 Subject: [PATCH 29/49] Updated Ansiblefile.lock --- tools/ansible/Ansiblefile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/ansible/Ansiblefile.lock b/tools/ansible/Ansiblefile.lock index 1c9ef79..886f51c 100644 --- a/tools/ansible/Ansiblefile.lock +++ b/tools/ansible/Ansiblefile.lock @@ -2,7 +2,7 @@ GIT remote: git@github.com:OpenConext/OpenConext-api.git path: ./coin-api-dist/src/main/resources/ansible-openconext-api ref: feature/ansible - sha: 43e66566d7d73a222327dcb56a9afe1a31757ef0 + sha: 4592c979da590f5f0ddf8432bd526347c9e36c5e specs: openconext-api (4.2.0) @@ -10,7 +10,7 @@ GIT remote: git@github.com:OpenConext/OpenConext-engineblock.git path: ./tools/ansible-role-openconext-engineblock ref: feature/ansible - sha: ddd0bd9adffd368edd119c6ffd1a98994535ce38 + sha: d0571fb2efc754809d96c26d78c9b658aa3c9e6c specs: openconext-engineblock (4.2.0) From 1401e9fe677a7f7e751d6f84bb51c0ed3a125775 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Mon, 7 Jul 2014 17:35:56 +0200 Subject: [PATCH 30/49] Improved provisioning of API --- tools/ansible/api.yml | 40 ++++++++++++++++--- tools/ansible/files/etc/httpd/conf.d/api.conf | 38 ++++++++++++++++++ 2 files changed, 72 insertions(+), 6 deletions(-) create mode 100644 tools/ansible/files/etc/httpd/conf.d/api.conf diff --git a/tools/ansible/api.yml b/tools/ansible/api.yml index 6135c7b..e507aef 100644 --- a/tools/ansible/api.yml +++ b/tools/ansible/api.yml 
@@ -15,17 +15,45 @@ api_release_dir: "{{ releases_dir }}/OpenConext-api-{{ api_version_dir }}" api_build_path: "{{ builds_dir }}/coin-api-dist-{{ api_version }}-bin.tar.gz" api_download_url: "https://build.surfconext.nl/repository/public/releases/org/surfnet/coin/coin-api-dist/{{ api_version }}/coin-api-dist-{{ api_version }}-bin.tar.gz" - api_tomcat_path: "/usr/share/tomcat6" - api_tomcat_wars_path: "{{ api_tomcat_path }}/wars" - api_tomcat_work_path: "{{ api_tomcat_path }}/work/Catalina/api.{{ openconext_domain }}" - api_tomcat_webapps_path: "{{ api_tomcat_path }}/webapps/api.{{ openconext_domain }}" + tomcat_path: "/usr/share/tomcat6" + tomcat_wars_path: "{{ tomcat_path }}/wars" + tomcat_work_path: "{{ tomcat_path }}/work/Catalina/api.{{ openconext_domain }}" + tomcat_webapps_path: "{{ tomcat_path }}/webapps/api.{{ openconext_domain }}" pre_tasks: - - name: Provision DB & DB user + - name: Make sure a database exists + mysql_db: + state: present + name: "{{ api_db_name }}" + login_host: "{{ api_db_host }}" + login_port: "{{ api_db_port }}" + login_user: "{{ db_admin_user }}" + login_password: "{{ db_admin_password }}" + encoding: utf8 + collation: utf8_unicode_ci + register: api_db_install + + - name: Make sure a user exists + mysql_user: + state: present + name: "{{ api_db_user }}" + password: "{{ api_db_password }}" + priv: "{{ api_db_name }}.*:ALL" + login_host: "{{ api_db_host }}" + login_port: "{{ api_db_port}}" + login_user: "{{ db_admin_user }}" + login_password: "{{ db_admin_password}}" roles: - { role: openconext-api } post_tasks: - - name: Provision Apache proxy \ No newline at end of file + - name: Set vhost for API in Apache proxy + template: src=files/etc/httpd/conf.d/api.conf dest=/etc/httpd/conf.d/api.conf + + - name: Restart Apache + service: name=httpd state=restarted + cat $OC_BASEDIR/configs/httpd/conf.d/api.conf | \ + sed -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/g" > \ + /etc/httpd/conf.d/api.conf \ No newline at end of file 
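Review bot: The three lines added after `service: name=httpd state=restarted` (`cat $OC_BASEDIR/configs/httpd/conf.d/api.conf | \`, `sed -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/g" > \`, `/etc/httpd/conf.d/api.conf`) are shell carried over from the old api.sh, not a task. Being indented deeper than `service:`, YAML folds them into that scalar, so the play will most likely fail at parse or argument-splitting time, and the `_OPENCONEXT_DOMAIN_` substitution they perform is already superseded by the `{{ openconext_domain }}` reference in the new `api.conf` template. Drop the three lines. While here, the template task writes into `/etc/httpd/conf.d/` without `owner`/`group`/`mode` (add `owner=root group=root mode=0644` so the result does not depend on the controller's umask), and `state=restarted` bounces Apache on every run even when the vhost is unchanged — a `notify` handler keeps the play idempotent.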
diff --git a/tools/ansible/files/etc/httpd/conf.d/api.conf b/tools/ansible/files/etc/httpd/conf.d/api.conf new file mode 100644 index 0000000..37beca8 --- /dev/null +++ b/tools/ansible/files/etc/httpd/conf.d/api.conf @@ -0,0 +1,38 @@ + + # General setup for the virtual host, inherited from global configuration + DocumentRoot "/var/www/html/default" + ServerName api.{{ openconext_domain }}:443 + + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog logs/api_ssl_error_log + TransferLog logs/api_ssl_access_log + LogLevel warn + + SSLEngine on + SSLProtocol -ALL +SSLv3 +TLSv1 + SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4-MD5:RC4+RSA:+HIGH:+MEDIU + SSLCertificateFile /etc/httpd/keys/openconext.pem + SSLCertificateKeyFile /etc/httpd/keys/openconext.key + SSLCACertificateFile /etc/httpd/keys/openconext_ca.pem + + RewriteEngine On + RewriteRule ^/$ /v1/$1 [L,R=permanent] + + + SSLOptions +StdEnvVars + + + SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + + CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + # Proxy requests through to Tomcat using AJP + + ProxyPass / ajp://localhost:8009/ + + \ No newline at end of file From cf44ee3d45d14f3cbc976853c6b29871cd6c33db Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Tue, 8 Jul 2014 17:23:31 +0200 Subject: [PATCH 31/49] Moved Apache config for API to API role --- configs/httpd/conf.d/api.conf | 38 ----------------------------------- 1 file changed, 38 deletions(-) delete mode 100644 configs/httpd/conf.d/api.conf diff --git a/configs/httpd/conf.d/api.conf b/configs/httpd/conf.d/api.conf deleted file mode 100644 index 2b024b2..0000000 --- a/configs/httpd/conf.d/api.conf +++ /dev/null 
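Review bot: `SSLProtocol -ALL +SSLv3 +TLSv1` enables SSLv3 and caps the vhost at TLS 1.0, and `SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4-MD5:RC4+RSA:+HIGH:+MEDIU` explicitly admits RC4 and ends in the truncated token `MEDIU`, which OpenSSL will either reject or silently ignore — neither is what was intended for an HTTPS API endpoint. Replace with `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!eNULL:!RC4:!MD5:!LOW:!EXP` and `SSLHonorCipherOrder on`, then verify the negotiated protocols against the OpenSSL build on the EL6 target (TLS 1.1/1.2 availability depends on it). Separately, `RewriteRule ^/$ /v1/$1 [L,R=permanent]` has no capture group, so `$1` expands to nothing; `RewriteRule ^/$ /v1/ [L,R=permanent]` says what is meant. The file is a verbatim copy of the `configs/httpd/conf.d/api.conf` the next commit removes, so the same fix applies to the role's `api.conf.j2` once it moves there.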
@@ -1,38 +0,0 @@ - - # General setup for the virtual host, inherited from global configuration - DocumentRoot "/var/www/html/default" - ServerName api._OPENCONEXT_DOMAIN_:443 - - # Use separate log files for the SSL virtual host; note that LogLevel - # is not inherited from httpd.conf. - ErrorLog logs/api_ssl_error_log - TransferLog logs/api_ssl_access_log - LogLevel warn - - SSLEngine on - SSLProtocol -ALL +SSLv3 +TLSv1 - SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4-MD5:RC4+RSA:+HIGH:+MEDIU - SSLCertificateFile /etc/httpd/keys/openconext.pem - SSLCertificateKeyFile /etc/httpd/keys/openconext.key - SSLCACertificateFile /etc/httpd/keys/openconext_ca.pem - - RewriteEngine On - RewriteRule ^/$ /v1/$1 [L,R=permanent] - - - SSLOptions +StdEnvVars - - - SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - - # Proxy requests through to Tomcat using AJP - - ProxyPass / ajp://localhost:8009/ - - From 28cf90e89f4f6cb4610af45cd13ce67983a4d21e Mon Sep 17 00:00:00 2001 
From: Boy Baukema Date: Thu, 10 Jul 2014 08:43:52 +0200 Subject: [PATCH 32/49] Include Ansible roles in repo --- scripts/components/api.sh | 130 ++++++------------ tools/ansible/.gitignore | 1 - tools/ansible/Ansiblefile.lock | 6 +- tools/ansible/api.yml | 3 + tools/ansible/roles/ansible-xml | 1 + .../roles/openconext-api/meta/main.yml | 13 ++ .../roles/openconext-api/tasks/erase.yml | 0 .../roles/openconext-api/tasks/main.yml | 9 ++ .../openconext-api/tasks/main/activate.yml | 11 ++ .../openconext-api/tasks/main/configure.yml | 32 +++++ .../tasks/main/install-build.yml | 3 + .../openconext-api/tasks/main/install-src.yml | 15 ++ .../openconext-api/tasks/main/install.yml | 32 +++++ .../roles/openconext-api/tasks/version.yml | 0 .../templates/api-ehcache.xml.j2 | 29 ++++ .../templates/api-logback.full.xml | 104 ++++++++++++++ .../templates/api-logback.minimal.xml | 82 +++++++++++ .../templates/api-logback.xml.j2 | 0 .../openconext-api/templates/api.conf.j2 | 38 +++++ .../templates/coin-api.properties.j2 | 78 +++++++++++ .../openconext-engineblock/meta/main.yml | 13 ++ .../openconext-engineblock/tasks/erase.yml | 0 .../openconext-engineblock/tasks/main.yml | 14 ++ .../tasks/main/activate.yml | 15 ++ .../tasks/main/check_deps.yml | 28 ++++ .../tasks/main/check_deps_src.yml | 3 + .../tasks/main/install-build.yml | 6 + .../tasks/main/install-src.yml | 12 ++ .../tasks/main/install.yml | 40 ++++++ .../tasks/main/legacy/4.2.0.yml | 4 + .../4.2.0/migrate-to-etc-openconext.yml | 12 ++ .../4.2.0/migrate-to-log-openconext.yml | 11 ++ .../main/legacy/4.2.0/remove-profiled.yml | 3 + .../openconext-engineblock/tasks/version.yml | 0 34 files changed, 653 insertions(+), 95 deletions(-) delete mode 100644 tools/ansible/.gitignore create mode 160000 tools/ansible/roles/ansible-xml create mode 100644 tools/ansible/roles/openconext-api/meta/main.yml create mode 100644 tools/ansible/roles/openconext-api/tasks/erase.yml create mode 100644 tools/ansible/roles/openconext-api/tasks/main.yml 
create mode 100644 tools/ansible/roles/openconext-api/tasks/main/activate.yml create mode 100644 tools/ansible/roles/openconext-api/tasks/main/configure.yml create mode 100644 tools/ansible/roles/openconext-api/tasks/main/install-build.yml create mode 100644 tools/ansible/roles/openconext-api/tasks/main/install-src.yml create mode 100644 tools/ansible/roles/openconext-api/tasks/main/install.yml create mode 100644 tools/ansible/roles/openconext-api/tasks/version.yml create mode 100644 tools/ansible/roles/openconext-api/templates/api-ehcache.xml.j2 create mode 100644 tools/ansible/roles/openconext-api/templates/api-logback.full.xml create mode 100644 tools/ansible/roles/openconext-api/templates/api-logback.minimal.xml create mode 100644 tools/ansible/roles/openconext-api/templates/api-logback.xml.j2 create mode 100644 tools/ansible/roles/openconext-api/templates/api.conf.j2 create mode 100644 tools/ansible/roles/openconext-api/templates/coin-api.properties.j2 create mode 100644 tools/ansible/roles/openconext-engineblock/meta/main.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/erase.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main/activate.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main/check_deps.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main/check_deps_src.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main/install-build.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main/install.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-etc-openconext.yml create mode 100644 
tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-log-openconext.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/remove-profiled.yml create mode 100644 tools/ansible/roles/openconext-engineblock/tasks/version.yml diff --git a/scripts/components/api.sh b/scripts/components/api.sh index 6719eb3..349b322 100755 --- a/scripts/components/api.sh +++ b/scripts/components/api.sh 
@@ -1,93 +1,41 @@ #!/bin/bash -if [ ! -d /opt/www/OpenConext-api ] -then - cd /opt/www - $GITCLONE $OC__API_REPO -fi - -cd /opt/www/OpenConext-api -$GITRESET # revert potential changes -$GITFETCH -$GITCHECKOUT ${API_VERSION} -$MVN clean install -DskipTests - -# extract deployable artifact -tar -zxf coin-api-dist/target/*-bin.tar.gz -C coin-api-dist/target - -API_DIST_BASEDIR=/opt/www/OpenConext-api/coin-api-dist/target/coin-api-dist-*/ - -# remove old deployed war -rm -f /usr/share/tomcat6/wars/coin-api-*.war 2> /dev/null -# copy new war to Tomcat -cp $API_DIST_BASEDIR/tomcat/webapps/*.war /usr/share/tomcat6/wars - -# Copy Tomcat-specific context configuration file -install -d /usr/share/tomcat6/conf/Catalina/api.$OC_DOMAIN -cp $API_DIST_BASEDIR/tomcat/conf/context/*.xml /usr/share/tomcat6/conf/Catalina/api.$OC_DOMAIN/ - - - -sed \ - -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/" \ - -e "s~spCertificate=.*$~spCertificate=$OC_CERT~" \ - -e "s~idpCertificate=.*$~idpCertificate=$ENGINEBLOCK_CERT~" \ - -e "s~spPrivateKey=.*$~spPrivateKey=$OC_KEY~" \ - $API_DIST_BASEDIR/tomcat/conf/classpath_properties/coin-api.properties.vm \ - > /tmp/coin-api.properties - -if $UPGRADE -then - rm -rf /usr/share/tomcat6/work/Catalina - rm -rf /usr/share/tomcat6/webapps/*/* - - backupFile /usr/share/tomcat6/conf/classpath_properties/coin-api.properties - perl $OC_SCRIPTDIR/tools/replaceProperties/replaceProperties.pl /tmp/coin-api.properties /usr/share/tomcat6/conf/classpath_properties/coin-api.properties - -else - - cp $API_DIST_BASEDIR/tomcat/conf/classpath_properties/api-logback.xml.vm /usr/share/tomcat6/conf/classpath_properties/api-logback.xml - cp $API_DIST_BASEDIR/tomcat/conf/classpath_properties/api-ehcache.xml.vm /usr/share/tomcat6/conf/classpath_properties/api-ehcache.xml - cp /tmp/coin-api.properties /usr/share/tomcat6/conf/classpath_properties/ - - # Apply db credentials to file coin-api.properties - sed -i "s/__OC__ENGINE_DB_USER__/$OC__ENGINE_DB_USER/g" 
/opt/tomcat/conf/classpath_properties/coin-api.properties - sed -i "s/__OC__ENGINE_DB_PASS__/$OC__ENGINE_DB_PASS/g" /opt/tomcat/conf/classpath_properties/coin-api.properties - sed -i "s/__OC__TEAMS_DB_USER__/$OC__TEAMS_DB_USER/g" /opt/tomcat/conf/classpath_properties/coin-api.properties - sed -i "s/__OC__TEAMS_DB_PASS__/$OC__TEAMS_DB_PASS/g" /opt/tomcat/conf/classpath_properties/coin-api.properties - sed -i "s/__OC__API_DB_USER__/$OC__API_DB_USER/g" /opt/tomcat/conf/classpath_properties/coin-api.properties - sed -i "s/__OC__API_DB_PASS__/$OC__API_DB_PASS/g" /opt/tomcat/conf/classpath_properties/coin-api.properties - - # Apply ldap credentials to file coin-api.properties - sed -i "s/__OC__LDAP_USER__/$OC__LDAP_USER/g" /opt/tomcat/conf/classpath_properties/coin-api.properties - sed -i "s/__OC__LDAP_PASS__/$OC__LDAP_PASS/g" /opt/tomcat/conf/classpath_properties/coin-api.properties - - # Apply Serviceregistry (Janus) API credentials to file coin-api.properties - sed -i "s/__OC__API_JANUSAPI_USER__/$OC__API_JANUSAPI_USER/g" /opt/tomcat/conf/classpath_properties/coin-api.properties - sed -i "s/__OC__API_JANUSAPI_PASS__/$OC__API_JANUSAPI_PASS/g" /opt/tomcat/conf/classpath_properties/coin-api.properties - - install -d /usr/share/tomcat6/webapps/api.$OC_DOMAIN - chown -Rf tomcat:tomcat /usr/share/tomcat6/webapps/ - - SERVERXMLLINE='' - sed -i "s##$SERVERXMLLINE\n#" /usr/share/tomcat6/conf/server.xml - - mysql -u root --password=$OC__ROOT_DB_PASS -e "create database if not exists api default charset utf8 default collate utf8_unicode_ci;" - - # Create api user/pass - mysql -uroot -p$OC__ROOT_DB_PASS -e "GRANT ALL PRIVILEGES ON api.* TO $OC__API_DB_USER@localhost IDENTIFIED BY '$OC__API_DB_PASS'" - mysql -uroot -p$OC__ROOT_DB_PASS -e "FLUSH PRIVILEGES" - - success=`mysqladmin -u$OC__API_DB_USER -p$OC__API_DB_PASS ping | grep -c "mysqld is alive"` - if [[ $success == '1' ]] - then - echo -e "\nValidating new MySQL API password: SUCCESS!\n" - else - echo -e "\nValidating new 
MySQL API password: FAILED\n" - exit - fi - - cat $OC_BASEDIR/configs/httpd/conf.d/api.conf | \ - sed -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/g" > \ - /etc/httpd/conf.d/api.conf -fi +# Make sure Ansible is installed cleanly +sudo yum erase -y ansible && +sudo yum install -y ansible MySQL-python patch && + +# Patch Ansible for: #8050: ini_file module still changes all option names to lower case. +# -b = backup, -N = assume merged if failed, -u = Unified format, -p0 = 0 leading lines, -d chdir to dir before apply. +sudo patch -b -N -u -p0 -d /usr/share/ansible/files < $OC_BASEDIR/patches/ansible/ansible/ini_file_keep_key_casing-issue_8050-ansible_1.6.2.diff + +# Run Ansible playbook +sudo ansible-playbook \ + -v \ + -i $OC_BASEDIR/tools/ansible/inventory/demo.openconext.org.ini \ + -e "openconext_domain=$OC_DOMAIN" \ + -e "api_version=$API_VERSION" \ + -e "api_db_name=api" \ + -e "api_db_host=localhost" \ + -e "api_db_port=3306" \ + -e "api_db_user=$OC__API_DB_USER" \ + -e "api_db_password=$OC__API_DB_PASS" \ + -e "engine_db_name=engineblock" \ + -e "engine_db_host=localhost" \ + -e "engine_db_port=3306" \ + -e "engine_db_user=$OC__ENGINE_DB_USER" \ + -e "engine_db_password=$OC__ENGINE_DB_PASS" \ + -e "teams_db_name=" \ + -e "teams_db_user=" \ + -e "teams_db_password=" \ + -e "openconext_error_mail=" \ + -e "engine_idp_cert_string=$ENGINEBLOCK_CERT" \ + -e "api_sp_key_string=$OC_KEY" \ + -e "api_sp_cert_string=$OC_CERT" \ + -e "api_ldap_bind_dn=$OC__LDAP_USER" \ + -e "api_ldap_password=$OC__LDAP_PASS" \ + -e "db_admin_user=root" \ + -e "db_admin_password=$OC__ROOT_DB_PASS" \ + -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \ + -e "serviceregistry_user=$OC__API_JANUSAPI_USER" \ + -e "serviceregistry_secret=$OC__API_JANUSAPI_PASS" \ + $OC_BASEDIR/tools/ansible/api.yml \ No newline at end of file diff --git a/tools/ansible/.gitignore b/tools/ansible/.gitignore deleted file mode 100644 index 6d19496..0000000 
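Review bot: Every secret the play needs — `api_db_password`, `engine_db_password`, `api_ldap_password`, `db_admin_password` (the MySQL root password) and `serviceregistry_secret` — is passed as an `-e "key=$VALUE"` argument to `sudo ansible-playbook`, so it is visible to every local user via `ps`/`/proc/*/cmdline` for the whole run and is logged by sudo's default command logging; `-v` additionally prints task arguments, and the `mysql_db`/`mysql_user` tasks in api.yml carry no `no_log`. The unquoted `$OC_BASEDIR` in the `patch` redirect and the `-i`/playbook arguments also breaks on paths containing spaces. Write the secret values to a mode-0600 temp file and pass it with `-e @file` as sketched below; non-secret values such as `openconext_domain`, `api_version` and the db names/hosts/ports can stay on the command line. Note too that the `&&` chain stops after `yum install`, so a failed `patch` does not prevent the play from running — confirm that is deliberate.
```shell
# Keep credentials out of the process list: pass them through a 0600 vars file.
OC_VARS_FILE="$(mktemp)" && chmod 600 "$OC_VARS_FILE" &&
cat > "$OC_VARS_FILE" <<EOF
api_db_password: "$OC__API_DB_PASS"
engine_db_password: "$OC__ENGINE_DB_PASS"
api_ldap_password: "$OC__LDAP_PASS"
db_admin_password: "$OC__ROOT_DB_PASS"
serviceregistry_secret: "$OC__API_JANUSAPI_PASS"
EOF
# … unchanged: non-secret -e arguments (openconext_domain, api_version, db names/hosts/ports/users, urls, cert strings) …
sudo ansible-playbook \
  -v \
  -i "$OC_BASEDIR/tools/ansible/inventory/demo.openconext.org.ini" \
  -e "@$OC_VARS_FILE" \
  "$OC_BASEDIR/tools/ansible/api.yml"
rm -f "$OC_VARS_FILE"
```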
--- a/tools/ansible/.gitignore +++ /dev/null @@ -1 +0,0 @@ -roles \ No newline at end of file diff --git a/tools/ansible/Ansiblefile.lock b/tools/ansible/Ansiblefile.lock index 886f51c..6438a3e 100644 --- a/tools/ansible/Ansiblefile.lock +++ b/tools/ansible/Ansiblefile.lock @@ -2,7 +2,7 @@ GIT remote: git@github.com:OpenConext/OpenConext-api.git path: ./coin-api-dist/src/main/resources/ansible-openconext-api ref: feature/ansible - sha: 4592c979da590f5f0ddf8432bd526347c9e36c5e + sha: 152c0cea72ffc226951c3c331fbf8139065f7147 specs: openconext-api (4.2.0) @@ -17,9 +17,9 @@ GIT GIT remote: https://github.com/relaxnow/ansible-xml ref: master - sha: fbf776c8d71b1d6c941de636a7071925ff8177b3 + sha: 39daccd3e7aca5ede9265c46fea46d8a42256469 specs: - ansible-xml (0.1.0) + ansible-xml (0.3.0) DEPENDENCIES ansible-xml (>= 0) diff --git a/tools/ansible/api.yml b/tools/ansible/api.yml index e507aef..b623f53 100644 --- a/tools/ansible/api.yml +++ b/tools/ansible/api.yml @@ -19,6 +19,9 @@ tomcat_wars_path: "{{ tomcat_path }}/wars" tomcat_work_path: "{{ tomcat_path }}/work/Catalina/api.{{ openconext_domain }}" tomcat_webapps_path: "{{ tomcat_path }}/webapps/api.{{ openconext_domain }}" + tomcat_classpath_path: "{{ tomcat_path }}/conf/classpath_properties" + api_logging_policy: minimal + pre_tasks: diff --git a/tools/ansible/roles/ansible-xml b/tools/ansible/roles/ansible-xml new file mode 160000 index 0000000..39daccd --- /dev/null +++ b/tools/ansible/roles/ansible-xml @@ -0,0 +1 @@ +Subproject commit 39daccd3e7aca5ede9265c46fea46d8a42256469 diff --git a/tools/ansible/roles/openconext-api/meta/main.yml b/tools/ansible/roles/openconext-api/meta/main.yml new file mode 100644 index 0000000..4fa89d6 --- /dev/null +++ b/tools/ansible/roles/openconext-api/meta/main.yml 
@@ -0,0 +1,13 @@ +--- +galaxy_info: + author: Boy Baukema + license: Apache v2 + min_ansible_version: 1.6 + platforms: + - name: EL + versions: + - 6 + categories: + - web +dependencies: [ "ansible-xml" ] +version: 4.2.0 \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/tasks/erase.yml b/tools/ansible/roles/openconext-api/tasks/erase.yml new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible/roles/openconext-api/tasks/main.yml b/tools/ansible/roles/openconext-api/tasks/main.yml new file mode 100644 index 0000000..97aa33c --- /dev/null +++ b/tools/ansible/roles/openconext-api/tasks/main.yml @@ -0,0 +1,9 @@ +--- + - name: Install API + include: main/install.yml + + - name: Configure API + include: main/configure.yml + + - name: Activate API + include: main/activate.yml \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/tasks/main/activate.yml b/tools/ansible/roles/openconext-api/tasks/main/activate.yml new file mode 100644 index 0000000..cf43e02 --- /dev/null +++ b/tools/ansible/roles/openconext-api/tasks/main/activate.yml @@ -0,0 +1,11 @@ +--- + - name: Enable Apache proxy + template: + src: api.conf.j2 + dest: "/etc/httpd/conf.d/api.conf" + + - name: Restart Apache + service: name=httpd state=restarted + + - name: Restart Tomcat + service: name=tomcat6 state=restarted \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/tasks/main/configure.yml b/tools/ansible/roles/openconext-api/tasks/main/configure.yml new file mode 100644 index 0000000..804aed9 --- /dev/null +++ b/tools/ansible/roles/openconext-api/tasks/main/configure.yml 
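Review bot: Both `service: name=httpd state=restarted` and `service: name=tomcat6 state=restarted` run on every invocation regardless of whether `api.conf.j2` or the deployed war actually changed, which makes the role non-idempotent and bounces two services on a no-op run. Give the template task `notify: restart httpd` and move the restart into a handler in the role's `handlers/main.yml`, and restart Tomcat only when the install/configure steps reported a change. The template task also writes into `/etc/httpd/conf.d/` without `owner`/`group`/`mode`; add `owner=root group=root mode=0644` so the rendered vhost does not depend on the controller's umask.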
@@ -0,0 +1,32 @@ +--- + - name: Set logging configuration + template: + src: "api-logback.{{ api_logging_policy }}.xml" + dest: "{{ tomcat_classpath_path }}/api-logback.xml" + + - name: Set caching configuration + template: + src: api-ehcache.xml.j2 + dest: "{{ tomcat_classpath_path }}/api-ehcache.xml" + + - name: Set configuration properties + template: + src: coin-api.properties.j2 + dest: "{{ tomcat_classpath_path }}/coin-api.properties" + + - name: Detect if we're already in the server.xml + xml: + file: "{{ tomcat_conf_path }}/server.xml" + xpath: "/Server/Service[@name='Catalina']/Engine[@name='Standalone']/Host[@name='api.{{ openconext_domain }}']" + count: true + register: ansible_host + + - name: If not then add a Host element to server.xml + xml: + file: "{{ tomcat_conf_path }}/server.xml" + xpath: "/Server/Service[@name='Catalina']/Engine[@name='Standalone']" + add_children: + - Host: + name: "api.{{ openconext_domain }}" + appBase: "webapps/api.{{ openconext_domain }}" + when: ansible_host.count == 0 \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/tasks/main/install-build.yml b/tools/ansible/roles/openconext-api/tasks/main/install-build.yml new file mode 100644 index 0000000..a2f63c1 --- /dev/null +++ b/tools/ansible/roles/openconext-api/tasks/main/install-build.yml @@ -0,0 +1,3 @@ +--- + - name: Get the current release from build URL. + get_url: url="{{ api_download_url }}" dest="{{ api_build_path }}" \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/tasks/main/install-src.yml b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml new file mode 100644 index 0000000..a783406 --- /dev/null +++ b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml 
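Review bot: The three `template:` tasks write `api-logback.xml`, `api-ehcache.xml` and `coin-api.properties` into `{{ tomcat_classpath_path }}` with no `owner`/`group`/`mode`, so the files inherit the remote umask (typically world-readable) even though `coin-api.properties` is the file that carried the DB, LDAP and Janus credentials in the shell script this commit removes; set `owner=tomcat group=tomcat mode=0640` on at least that task. `register: ansible_host` reuses a name later Ansible releases treat as a connection variable — a name like `api_host_count` avoids surprises on upgrade. The XPath hard-codes `Engine[@name='Standalone']`; confirm this matches the `<Engine name=…>` in the target's Tomcat 6 `server.xml` (the stock file names it `Catalina`), otherwise the count is always 0 and the add_children step targets a node that does not exist. `tomcat_conf_path` does not appear among the variables this commit defines in api.yml (only `tomcat_path`, `tomcat_wars_path`, `tomcat_work_path`, `tomcat_webapps_path`, `tomcat_classpath_path`), so make sure it is set alongside them.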
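Review bot: `get_url` fetches the release tarball from `api_download_url` with no integrity check, so a compromised or mis-served build host is installed unverified and then unpacked by install.yml. `get_url` in this Ansible generation accepts a `sha256sum=` argument, so pin a per-version digest: `get_url: url="{{ api_download_url }}" dest="{{ api_build_path }}" sha256sum="{{ api_build_sha256 }}"`. If a pinned digest is impractical, at least leave certificate validation at its default and never add `validate_certs=no` here, since the HTTPS URL is then the only thing authenticating the artifact.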
@@ -0,0 +1,15 @@
+---
+ - name: SRC - Install Git repo
+ git:
+ accept_hostkey: yes
+ repo: "{{ api_git_url }}"
+ dest: "{{ api_release_dir }}"
+ version: "{{ api_version }}"
+
+ - name: SRC - Running Maven install
+ command: mvn clean install -DskipTests
+ args:
+ chdir: "{{ api_release_dir }}"
+
+ - name: SRC - Copy build to build directory
+ copy: src="coin-api-dist/target/coin-api-dist-{{ version }}-bin.tar.gz" dest={{ api_build_path }}
\ No newline at end of file
diff --git a/tools/ansible/roles/openconext-api/tasks/main/install.yml b/tools/ansible/roles/openconext-api/tasks/main/install.yml
new file mode 100644
index 0000000..ba54f84
--- /dev/null
+++ b/tools/ansible/roles/openconext-api/tasks/main/install.yml
@@ -0,0 +1,32 @@
+---
+ - name: Install API from Build (only when version starts with a number)
+ include: install-build.yml
+ when: api_version | match("^[0-9]")
+
+ - name: Install API from source (only when version does not start with a number)
+ include: install-src.yml
+ when: api_version | match("^[^0-9]")
+
+ - name: Extract build
+ unarchive: src={{ api_build_path }} dest={{ releases_dir }} copy=no
+
+ - name: Stop the application server
+ service: name=tomcat6 state=stopped
+
+ - name: Install Tomcat wars directory
+ file: path={{ tomcat_wars_path }} owner=tomcat group=tomcat recurse=true state=directory
+
+ - name: Clean Tomcat old wars
+ shell: rm -vf {{ tomcat_wars_path }}/coin-api-war-*.war
+
+ - name: Install Tomcat work directory
+ file: path={{ tomcat_work_path }} owner=tomcat group=tomcat recurse=true state=directory
+
+ - name: Clean Tomcat work
+ shell: rm -rvf {{ tomcat_work_path }}/api.{{ openconext_domain }}/*
+
+ - name: Install Tomcat webapps directory
+ file: path={{ tomcat_webapps_path }} owner=tomcat group=tomcat recurse=true state=directory
+
+ - name: Clean Tomcat webapps
+ shell: rm -rvf {{ tomcat_webapps_path }}/api.{{ openconext_domain }}/*
\ No newline at end of file
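Review bot: `SRC - Copy build to build directory` uses `copy:`, whose `src` is resolved on the control host (the role's `files/` directory), while the artifact it names was just built by `mvn` on the managed host under `api_release_dir`; unless the play runs with a local connection this task cannot find the tarball. It also interpolates `{{ version }}` where the rest of the role uses `api_version`. A remote copy does what was intended, e.g. `command: cp coin-api-dist/target/coin-api-dist-{{ api_version }}-bin.tar.gz {{ api_build_path }}` with `args: chdir: "{{ api_release_dir }}"`; the engineblock role's install.yml (`Install default application settings`) copies a remote path with `copy:` in the same way. Separately, `accept_hostkey: yes` trusts whatever host key the git server presents on first contact; pre-seeding the git host's key in `known_hosts` and dropping the option keeps a redirected clone from going unnoticed, and the same applies to the engineblock install-src.yml.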
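Review bot: The three `Clean Tomcat …` tasks in install.yml shell out to `rm -rvf` with the path variables interpolated unquoted, so they report `changed` on every run and any shell metacharacter in `tomcat_work_path`/`tomcat_webapps_path` is interpreted by the shell. `file: path={{ tomcat_work_path }}/api.{{ openconext_domain }} state=absent` (and likewise for webapps) performs the same wipe idempotently and without a shell, followed by a `state=directory` task if Tomcat does not recreate the directory itself. `Extract build` also unpacks into `releases_dir` before `Stop the application server`; harmless for a fresh release directory, but a one-line comment saying so would stop the order from being "fixed" later.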
diff --git a/tools/ansible/roles/openconext-api/tasks/version.yml b/tools/ansible/roles/openconext-api/tasks/version.yml new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible/roles/openconext-api/templates/api-ehcache.xml.j2 b/tools/ansible/roles/openconext-api/templates/api-ehcache.xml.j2 new file mode 100644 index 0000000..929fcf4 --- /dev/null +++ b/tools/ansible/roles/openconext-api/templates/api-ehcache.xml.j2 @@ -0,0 +1,29 @@ + + + + + + + + + \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/templates/api-logback.full.xml b/tools/ansible/roles/openconext-api/templates/api-logback.full.xml new file mode 100644 index 0000000..d16af8e --- /dev/null +++ b/tools/ansible/roles/openconext-api/templates/api-logback.full.xml @@ -0,0 +1,104 @@ + + + + + + + ${CATALINA_BASE}/logs/api.log + + + ${CATALINA_BASE}/logs/api-%d{yyyy-MM-dd}.log.gz + 60 + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + + info + + + + + org.springframework + warn + + + org.hibernate + warn + + + org.opensaml + warn + + + org.apache + warn + + + hsqldb.db + warn + + + + + ${CATALINA_BASE}/logs/api-fc.log + + + ${CATALINA_BASE}/logs/api-%d{yyyy-MM-dd}.log.gz + 60 + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + + + + org.springframework + info + + + org.opensaml + info + + + org.apache + info + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/templates/api-logback.minimal.xml b/tools/ansible/roles/openconext-api/templates/api-logback.minimal.xml new file mode 100644 index 0000000..09cda97 --- /dev/null +++ b/tools/ansible/roles/openconext-api/templates/api-logback.minimal.xml 
@@ -0,0 +1,82 @@ + + + + + + + ${CATALINA_BASE}/logs/api.log + + + ${CATALINA_BASE}/logs/api-%d{yyyy-MM-dd}.log.gz + 60 + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + + warn + + + + + ${CATALINA_BASE}/logs/api-fc.log + + + ${CATALINA_BASE}/logs/api-%d{yyyy-MM-dd}.log.gz + 60 + + + %d{ISO8601} %5p [%t] %logger{40}:%L - %m%n + + + + + + + + org.springframework + info + + + org.opensaml + info + + + org.apache + info + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/templates/api-logback.xml.j2 b/tools/ansible/roles/openconext-api/templates/api-logback.xml.j2 new file mode 100644 index 0000000..e69de29 diff --git a/tools/ansible/roles/openconext-api/templates/api.conf.j2 b/tools/ansible/roles/openconext-api/templates/api.conf.j2 new file mode 100644 index 0000000..4ac183c --- /dev/null +++ b/tools/ansible/roles/openconext-api/templates/api.conf.j2 @@ -0,0 +1,38 @@ + + # General setup for the virtual host, inherited from global configuration + DocumentRoot "/var/www/html/default" + ServerName api.{{ openconext_domain }}:443 + + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog logs/api_ssl_error_log + TransferLog logs/api_ssl_access_log + LogLevel warn + + SSLEngine on + SSLProtocol -ALL +SSLv3 +TLSv1 + SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4-MD5:RC4+RSA:+HIGH:+MEDIU + SSLCertificateFile /etc/httpd/keys/openconext.pem + SSLCertificateKeyFile /etc/httpd/keys/openconext.key + SSLCACertificateFile /etc/httpd/keys/openconext_ca.pem + + RewriteEngine On + RewriteRule ^/$ /v1/$1 [L,R=permanent] + + + SSLOptions +StdEnvVars + + + SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + + CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + # Proxy requests through to Tomcat using AJP + + ProxyPass / ajp://localhost:8009/ + + 
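Review bot: `SSLProtocol -ALL +SSLv3 +TLSv1` in api.conf.j2 explicitly re-enables SSLv3 and leaves out TLSv1.1/1.2, and `SSLCipherSuite` keeps `RC4+RSA` (excluding only `RC4-MD5`, so the other RC4 suites stay on) for the vhost that terminates the API's OAuth and SAML traffic; `SSLProtocol all -SSLv2 -SSLv3` with a modern cipher string and `SSLHonorCipherOrder on` is the safer baseline. The cipher line ends in `+MEDIU`, which reads as a truncated `+MEDIUM`; OpenSSL tends to ignore unknown cipher-string words rather than fail, so the intended ordering silently never applies. `RewriteRule ^/$ /v1/$1` references `$1` with no capture group, which only works because the backreference expands to nothing. This file is deleted again in patch 33 and re-added in patch 35, so the fix belongs wherever the vhost finally lives.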
diff --git a/tools/ansible/roles/openconext-api/templates/coin-api.properties.j2 b/tools/ansible/roles/openconext-api/templates/coin-api.properties.j2 new file mode 100644 index 0000000..6c1023c --- /dev/null +++ b/tools/ansible/roles/openconext-api/templates/coin-api.properties.j2 
@@ -0,0 +1,78 @@ +#################################################################### +## +## The following properties are the responsibility of the owners +## of the machine. The developers do not know the values. +## +#################################################################### + +janus.user={{ api_janus_user }} +janus.secret={{ api_janus_secret }} +janus.uri={{ serviceregistry_url }} + +coin-api.jdbc.driver=com.mysql.jdbc.Driver +coin-api.jdbc.url=jdbc:mysql://db.{{ openconext_domain }}:3306/api +coin-api.jdbc.user={{ api_db_user }} +coin-api.jdbc.password={{ api_db_password }} + +coin-api.ldap.url=ldap://ldap.{{ openconext_domain }}389 +coin-api.ldap.userDn={{ api_ldap_bind_dn }} +coin-api.ldap.password={{ api_ldap_password }} + +coin-api.engineblock.jdbc.driver=com.mysql.jdbc.Driver +coin-api.engineblock.jdbc.url=jdbc:mysql://db.{{ openconext_domain }}:3306/{{ engine_db_name}} +coin-api.engineblock.jdbc.user={{ engine_db_user }} +coin-api.engineblock.jdbc.password={{ engine_db_password }} + +coin-api.teams.jdbc.driver=com.mysql.jdbc.Driver +coin-api.teams.jdbc.url=jdbc:mysql://db.{{ openconext_domain }}:3306/{{ teams_db_name }} +coin-api.teams.jdbc.user={{ teams_db_user }} +coin-api.teams.jdbc.password={{ teams_db_password }} + +# Email address that recieves error notifications +coin-errormail-to={{ openconext_error_mail }} + +# Callback URL of the OAuth client +coin-api.oauth.callback.url=https://api.{{ openconext_domain }}/v1/test/oauth-callback.shtml + +#################################################################### +## +## The following properties are the responsibility of the developers +## +#################################################################### + +#Choose either mockClientDetailsService or janusClientDetailsService +clientDetailsServiceClass=nl.surfnet.coin.api.service.JanusClientDetailsService + +#For future purposes we might mock them +ldapClientClass=nl.surfnet.coin.ldap.LdapClientImpl 
+engineblockClass=nl.surfnet.coin.eb.EngineBlockImpl +groupServiceClass=nl.surfnet.coin.api.service.GroupServiceImpl + +#Is the mock API enabled? +mock-api-enabled=false + +#The directory (in the war) where the db migration scrips reside +coin-api.db.migrations.folder=db/migration/mysql + +#Cache manager +cacheManagerClass=org.springframework.cache.ehcache.EhCacheCacheManager + +staticContentBasePath=https://static.{{ openconext_domain }} + +# Default locale for consent screen +coin-api.locale-default=nl + +# SAML properties +entityId=https://api.{{ openconext_domain }}/ +assertionConsumerURI=https://api.{{ openconext_domain }}/v1/assertionConsumer +idpUrl=https://engine.{{ openconext_domain }}/authentication/idp/single-sign-on +idpCertificate={{ engine_idp_cert_string }} +idpEntityId=https://engine.{{ openconext_domain }}/authentication/idp/metadata +spPrivateKey={{ api_sp_key_string }} +spCertificate={{ api_sp_cert_string }} + +#which SAML attribute holds the UUID +saml-uuid-attribute=urn:oid:1.3.6.1.4.1.1076.20.40.40.1 + +# this is part of a regex pattern that should determine whether the group is internal +api.internal.group.pattern=^urn:collab:group:\\w*\\.?surfteams.nl.* \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engineblock/meta/main.yml b/tools/ansible/roles/openconext-engineblock/meta/main.yml new file mode 100644 index 0000000..63d46e5 --- /dev/null +++ b/tools/ansible/roles/openconext-engineblock/meta/main.yml @@ -0,0 +1,13 @@ +--- +galaxy_info: + author: Boy Baukema + license: Apache v2 + min_ansible_version: 1.6 + platforms: + - name: EL + versions: + - 6 + categories: + - web +dependencies: [] +version: 4.2.0 \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engineblock/tasks/erase.yml b/tools/ansible/roles/openconext-engineblock/tasks/erase.yml new file mode 100644 index 0000000..e69de29 
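Review bot: `coin-api.ldap.url=ldap://ldap.{{ openconext_domain }}389` is missing the `:` before the port, so the rendered value is `ldap://ldap.<domain>389`; it should read `coin-api.ldap.url=ldap://ldap.{{ openconext_domain }}:389`. The URL is plain `ldap://` while the same block supplies `coin-api.ldap.password`, so the bind credential and every directory lookup cross the network in clear unless the client upgrades to STARTTLS on its own; `ldaps://...:636` is preferable if the directory offers it. `api.internal.group.pattern` leaves the dot in `surfteams.nl` unescaped, which is probably unintended for a pattern that decides which groups count as internal.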
diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main.yml b/tools/ansible/roles/openconext-engineblock/tasks/main.yml
new file mode 100644
index 0000000..b30e93e
--- /dev/null
+++ b/tools/ansible/roles/openconext-engineblock/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+ - name: Install EngineBlock
+ include: main/install.yml
+
+ - name: Configure EngineBlock
+ ini_file:
+ dest: /etc/openconext/engineblock.ini
+ section: "local"
+ option: "{{ item.key }}"
+ value: "{{ item.value }}"
+ with_dict: engine_config
+
+ - name: Setup and Activate the new EngineBlock version
+ include: main/activate.yml
\ No newline at end of file
diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/activate.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/activate.yml
new file mode 100644
index 0000000..cbde6b2
--- /dev/null
+++ b/tools/ansible/roles/openconext-engineblock/tasks/main/activate.yml
@@ -0,0 +1,15 @@
+---
+ - name: Update LDAP
+ command: ldapmodify -x -D "{{ admin_ldap_binddn }}" -h localhost -w "{{ admin_ldap password }}" -f {{ item }}
+ with_items:
+ - "{{ engine_release_dir }}/ldap/changes/addDeprovisionWarningSentAttributes.ldif"
+ - "{{ engine_release_dir }}/ldap/changes/addCollabPersonUUID.ldif"
+ ignore_errors: true
+
+ - name: Run EngineBlock migrations
+ command: ./bin/migrate
+ args:
+ chdir: "{{ engine_release_dir }}"
+
+ - name: Activate new EngineBlock
+ file: src={{ engine_release_dir }} dest={{ engine_current_release_symlink }} state=link
\ No newline at end of file
diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/check_deps.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/check_deps.yml
new file mode 100644
index 0000000..ef2d3d6
--- /dev/null
+++ b/tools/ansible/roles/openconext-engineblock/tasks/main/check_deps.yml
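Review bot: `-w "{{ admin_ldap password }}"` in the `Update LDAP` task of activate.yml is not a valid Jinja expression (`admin_ldap password` is two words), so templating the command fails on the first run; the variable is presumably `admin_ldap_password`. Even once fixed, `-w` places the LDAP admin password on the `ldapmodify` command line, where it shows up in `ps` output and in Ansible's logged task arguments; pass it with `-y` from a root-only password file, or at minimum add `no_log: true` to the task. `ignore_errors: true` also hides genuine failures of the schema changes; registering the result and testing it for the "already exists" case keeps real errors visible.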
@@ -0,0 +1,28 @@ +-- +- name: Require PHP 5.3.3 + +- name: Require Timezone set +- name: Recommend APC for PHP < 5.5 +- name: Require PHP-curl + +require php >= 5.3.3 +require php timezone +recommend APC +require php-curl +require php-ldap +require php-mbstring +require php-mcrypt +require short open tags + + php-pecl-apc \ + php-cli \ + php-curl \ + php-devel \ + php-ldap \ + php-mbstring \ + php-mcrypt \ + php-mysql \ + php-pecl-memcache \ + php-soap \ + php-xml \ + php-mcrypt \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/check_deps_src.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/check_deps_src.yml new file mode 100644 index 0000000..04ebe7c --- /dev/null +++ b/tools/ansible/roles/openconext-engineblock/tasks/main/check_deps_src.yml @@ -0,0 +1,3 @@ +-- +- name: Require unzip +- name: Require composer \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/install-build.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/install-build.yml new file mode 100644 index 0000000..610d49f --- /dev/null +++ b/tools/ansible/roles/openconext-engineblock/tasks/main/install-build.yml @@ -0,0 +1,6 @@ +--- + - name: BUILD - Get the current release + get_url: url="{{ engine_download_url }}" dest="{{ engine_build_path }}" + + - name: BUILD - Unarchive it + unarchive: src={{ engine_build_path }} dest={{ releases_dir }} copy=no \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml new file mode 100644 index 0000000..b1074fd --- /dev/null +++ b/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml 
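Review bot: check_deps.yml opens with `--` instead of `---` and mixes bare `- name:` entries with no module against free text (`require php >= 5.3.3`, the backslash-continued `php-*` list), so it is not parseable as a task file; check_deps_src.yml has the same `--` header and bare tasks. Neither file is included from install.yml, so nothing breaks yet, but the README-DEVS requirement that install checks its own dependencies is not met. Either turn the package list into a real `yum: name={{ item }} state=present` loop (`php-mcrypt` is listed twice) or reduce both files to a clearly marked TODO comment until implemented.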
@@ -0,0 +1,12 @@
+---
+ - name: SRC - Install Git repo
+ git:
+ accept_hostkey: yes
+ repo: "{{ engine_git_url }}"
+ dest: "{{ engine_release_dir }}"
+ version: "{{ engine_version }}"
+
+ - name: SRC - Running Composer install
+ command: ./bin/composer.phar --prefer-dist --no-interaction install
+ args:
+ chdir: "{{ engine_release_dir }}"
\ No newline at end of file
diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/install.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/install.yml
new file mode 100644
index 0000000..bc6c16d
--- /dev/null
+++ b/tools/ansible/roles/openconext-engineblock/tasks/main/install.yml
@@ -0,0 +1,40 @@
+---
+ - name: Ensure the directories exists
+ file: path={{ item }} state=directory
+ with_items:
+ - "{{ releases_dir }}"
+ - "{{ builds_dir }}"
+ - "{{ configs_dir }}"
+
+ - name: Legacy 4.2.0
+ include: legacy/4.2.0.yml
+
+ - name: Install Engine from Build (only when version starts with a number)
+ include: install-build.yml
+ when: engine_version | match("^[0-9]")
+
+ - name: Install Engine from source (only when version does not start with a number)
+ include: install-src.yml
+ when: engine_version | match("^[^0-9]")
+
+ - name: Install default application settings (if no settings exist yet)
+ copy:
+ src: "{{ engine_release_dir }}/etc/openconext/engineblock.ini"
+ dest: /etc/openconext/engineblock.ini
+ force: no
+
+ - name: Migrate the configuration file
+ command: "{{ engine_release_dir }}/bin/migrate_etc.php"
+
+ - name: Install migrated configuration file
+ command: install -b /etc/openconext/engineblock.ini.new /etc/openconext/engineblock.ini
+
+ - name: Detect default certificates.
+ stat: path=/etc/openconext/engineblock.key
+ register: default_cert
+
+ - name: Generate new default certificate if none was found.
+ command: openssl req -subj '/CN=Engine/OU=Services/O=OpenConext/C=NL/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out engineblock.crt -keyout engineblock.key
+ args:
+ chdir: /etc/openconext
+ when: default_cert.stat.exists == false
\ No newline at end of file
diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0.yml
new file mode 100644
index 0000000..733bc67
--- /dev/null
+++ b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0.yml
@@ -0,0 +1,4 @@
+---
+ - include: 4.2.0/remove-profiled.yml
+ - include: 4.2.0/migrate-to-etc-openconext.yml
+ - include: 4.2.0/migrate-to-log-openconext.yml
\ No newline at end of file
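Review bot: `Generate new default certificate if none was found.` writes `engineblock.key` with `-nodes` into `/etc/openconext` under the default umask, so the unencrypted private key is created with whatever mode `openssl` inherits (commonly 0644); follow it with `file: path=/etc/openconext/engineblock.key mode=0600` (owner as the web server requires). `Migrate the configuration file` and `Install migrated configuration file` run unconditionally, so every play re-runs the migration and `install -b` rewrites `engineblock.ini` (leaving a backup) even when nothing changed; gate the second on the first's result via `register` and `when`, and mark the first with `changed_when` so the play stays idempotent. The `Legacy 4.2.0` include runs after `Ensure the directories exists` creates `configs_dir`, which matters for the `mv` in migrate-to-etc-openconext.yml (see that hunk).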
diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-etc-openconext.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-etc-openconext.yml
new file mode 100644
index 0000000..6e4ed69
--- /dev/null
+++ b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-etc-openconext.yml
@@ -0,0 +1,12 @@
+---
+ # Migrate to /etc/openconext
+ - name: Legacy - Detect /etc/surfconext
+ stat: path=/etc/surfconext
+ register: legacy_etc_dir
+
+ - name: Legacy - move directory /etc/surfconext to /etc/openconext
+ command: mv /etc/surfconext "{{ configs_dir }}"
+ when: legacy_etc_dir.stat.exists == true and legacy_etc_dir.stat.isdir == true
+
+ - name: Legacy - Ensure /etc/surfconext points to /etc/openconext
+ file: path=/etc/surfconext src={{ configs_dir }} state=link
\ No newline at end of file
diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-log-openconext.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-log-openconext.yml
new file mode 100644
index 0000000..56e53f8
--- /dev/null
+++ b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-log-openconext.yml
@@ -0,0 +1,11 @@
+---
+ # Migrate to /var/log/openconext
+ - name: Legacy - Move /var/log/surfconext to /var/log/openconext
+ command: mv /var/log/surfconext {{ logging_dir }}
+ ignore_errors: yes
+
+ - name: Legacy - Install logging directory
+ file: path={{ logging_dir }} state=directory
+
+ - name: Legacy - Install symlink from /var/log/surfconext to /var/log/openconext
+ file: path=/var/log/surfconext src={{ logging_dir }} state=link
diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/remove-profiled.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/remove-profiled.yml
new file mode 100644
index 0000000..f5bcff0
--- /dev/null
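Review bot: `command: mv /etc/surfconext "{{ configs_dir }}"` in migrate-to-etc-openconext.yml renames the directory only when `configs_dir` does not exist yet; install.yml creates `configs_dir` before including the legacy tasks, so on the real run path `mv` moves `/etc/surfconext` *into* it as `/etc/openconext/surfconext`, the legacy configuration ends up one level too deep, and the following symlink task still succeeds, hiding the problem. Either run the legacy include before `Ensure the directories exists`, or merge contents explicitly, e.g. `command: cp -a /etc/surfconext/. {{ configs_dir }}/` followed by `file: path=/etc/surfconext state=absent`. The `mv` in migrate-to-log-openconext.yml has the same shape and additionally masks every failure with `ignore_errors: yes`; a `stat`-based `when` guard like the one used for `/etc/surfconext` is more honest.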
+++ b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/remove-profiled.yml @@ -0,0 +1,3 @@ +--- + - name: Legacy - Remove obsolete profile.d/openconext.sh + file: path=/etc/profile.d/openconext.sh state=absent \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engineblock/tasks/version.yml b/tools/ansible/roles/openconext-engineblock/tasks/version.yml new file mode 100644 index 0000000..e69de29 From 5305b20b921d939369d2997d5fef5cc64800f98b Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Thu, 10 Jul 2014 09:48:12 +0200 Subject: [PATCH 33/49] Bugfix: Move API activation from role to VM --- tools/ansible/api.yml | 7 ++-- .../openconext-api/tasks/main/activate.yml | 8 ---- .../openconext-api/templates/api.conf.j2 | 38 ------------------- 3 files changed, 3 insertions(+), 50 deletions(-) delete mode 100644 tools/ansible/roles/openconext-api/templates/api.conf.j2 diff --git a/tools/ansible/api.yml b/tools/ansible/api.yml index b623f53..d118051 100644 --- a/tools/ansible/api.yml +++ b/tools/ansible/api.yml @@ -53,10 +53,9 @@ post_tasks: - name: Set vhost for API in Apache proxy - template: src=files/etc/httpd/conf.d/api.conf dest=/etc/httpd/conf.d/api.conf + template: + src: files/etc/httpd/conf.d/api.conf + dest: /etc/httpd/conf.d/api.conf - name: Restart Apache service: name=httpd state=restarted - cat $OC_BASEDIR/configs/httpd/conf.d/api.conf | \ - sed -e "s/_OPENCONEXT_DOMAIN_/$OC_DOMAIN/g" > \ - /etc/httpd/conf.d/api.conf \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/tasks/main/activate.yml b/tools/ansible/roles/openconext-api/tasks/main/activate.yml index cf43e02..3631a46 100644 --- a/tools/ansible/roles/openconext-api/tasks/main/activate.yml +++ b/tools/ansible/roles/openconext-api/tasks/main/activate.yml 
@@ -1,11 +1,3 @@ --- - - name: Enable Apache proxy - template: - src: api.conf.j2 - dest: "/etc/httpd/conf.d/api.conf" - - - name: Restart Apache - service: name=httpd state=restarted - - name: Restart Tomcat service: name=tomcat6 state=restarted \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/templates/api.conf.j2 b/tools/ansible/roles/openconext-api/templates/api.conf.j2 deleted file mode 100644 index 4ac183c..0000000 --- a/tools/ansible/roles/openconext-api/templates/api.conf.j2 +++ /dev/null @@ -1,38 +0,0 @@ - - # General setup for the virtual host, inherited from global configuration - DocumentRoot "/var/www/html/default" - ServerName api.{{ openconext_domain }}:443 - - # Use separate log files for the SSL virtual host; note that LogLevel - # is not inherited from httpd.conf. - ErrorLog logs/api_ssl_error_log - TransferLog logs/api_ssl_access_log - LogLevel warn - - SSLEngine on - SSLProtocol -ALL +SSLv3 +TLSv1 - SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4-MD5:RC4+RSA:+HIGH:+MEDIU - SSLCertificateFile /etc/httpd/keys/openconext.pem - SSLCertificateKeyFile /etc/httpd/keys/openconext.key - SSLCACertificateFile /etc/httpd/keys/openconext_ca.pem - - RewriteEngine On - RewriteRule ^/$ /v1/$1 [L,R=permanent] - - - SSLOptions +StdEnvVars - - - SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - - # Proxy requests through to Tomcat using AJP - - ProxyPass / ajp://localhost:8009/ - - From 721ae2c0ce1e4a2fd1f0c4ee9aa13f57543d871c Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Thu, 10 Jul 2014 10:26:19 +0200 Subject: [PATCH 34/49] Removed ansible-xml as a submodule --- tools/ansible/roles/ansible-xml | 1 - 1 file changed, 1 deletion(-) delete mode 160000 tools/ansible/roles/ansible-xml 
diff --git a/tools/ansible/roles/ansible-xml b/tools/ansible/roles/ansible-xml deleted file mode 160000 index 39daccd..0000000 --- a/tools/ansible/roles/ansible-xml +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 39daccd3e7aca5ede9265c46fea46d8a42256469 From 373d309f6dfcff06b2203428047a5a11c957f5e0 Mon Sep 17 00:00:00 2001 
From: Boy Baukema Date: Thu, 10 Jul 2014 10:27:59 +0200 Subject: [PATCH 35/49] Added ansible-xml as inline role --- tools/ansible/Ansiblefile.lock | 2 +- tools/ansible/roles/ansible-xml/.travis.yml | 41 +++ tools/ansible/roles/ansible-xml/LICENSE | 339 ++++++++++++++++++ tools/ansible/roles/ansible-xml/README.md | 128 +++++++ tools/ansible/roles/ansible-xml/ansible.cfg | 2 + tools/ansible/roles/ansible-xml/library/xml | 319 ++++++++++++++++ tools/ansible/roles/ansible-xml/meta/main.yml | 9 + .../ansible/roles/ansible-xml/tests/README.md | 5 + .../tests/fixtures/ansible-xml-beers.xml | 14 + .../fixtures/ansible-xml-tomcat-server.xml | 28 ++ .../roles/ansible-xml/tests/group_vars/all | 6 + .../ansible/roles/ansible-xml/tests/inventory | 1 + .../tests/test-require-valid-file.yml | 14 + .../tests/test-tomcat-server-xml.yml | 32 ++ .../ansible/roles/ansible-xml/tests/test.yml | 49 +++ .../openconext-api/templates/api.conf.j2 | 38 ++ 16 files changed, 1026 insertions(+), 1 deletion(-) create mode 100644 tools/ansible/roles/ansible-xml/.travis.yml create mode 100644 tools/ansible/roles/ansible-xml/LICENSE create mode 100644 tools/ansible/roles/ansible-xml/README.md create mode 100644 tools/ansible/roles/ansible-xml/ansible.cfg create mode 100755 tools/ansible/roles/ansible-xml/library/xml create mode 100644 tools/ansible/roles/ansible-xml/meta/main.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/README.md create mode 100644 tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-beers.xml create mode 100644 tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-tomcat-server.xml create mode 100644 tools/ansible/roles/ansible-xml/tests/group_vars/all create mode 100644 tools/ansible/roles/ansible-xml/tests/inventory create mode 100644 tools/ansible/roles/ansible-xml/tests/test-require-valid-file.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-tomcat-server-xml.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test.yml create 
mode 100644 tools/ansible/roles/openconext-api/templates/api.conf.j2 diff --git a/tools/ansible/Ansiblefile.lock b/tools/ansible/Ansiblefile.lock index 6438a3e..2be034a 100644 --- a/tools/ansible/Ansiblefile.lock +++ b/tools/ansible/Ansiblefile.lock @@ -2,7 +2,7 @@ GIT remote: git@github.com:OpenConext/OpenConext-api.git path: ./coin-api-dist/src/main/resources/ansible-openconext-api ref: feature/ansible - sha: 152c0cea72ffc226951c3c331fbf8139065f7147 + sha: 94a02518064744220ef0f6747cdabf3441b9acf7 specs: openconext-api (4.2.0) diff --git a/tools/ansible/roles/ansible-xml/.travis.yml b/tools/ansible/roles/ansible-xml/.travis.yml new file mode 100644 index 0000000..cbf2a85 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/.travis.yml 
@@ -0,0 +1,41 @@ +--- +language: python +python: "2.7" + +before_install: + - sudo apt-get install python-lxml + # Make sure everything's up to date. + - sudo apt-get update -qq + + +install: + # Install Ansible. + - pip install ansible + +script: + # Check the role/playbook's syntax. + - ansible-playbook -i tests/inventory tests/test.yml --syntax-check + + # Run the "require valid file" playbook which should fail. + - "! ansible-playbook -i tests/inventory tests/test-require-valid-file.yml --connection=local --sudo" + + # Run the "Insert a new host in Tomcat" playbook which should succeed. + - "ansible-playbook -i tests/inventory tests/test-tomcat-server-xml.yml --connection=local --sudo" + + # Run the role/playbook again, checking to make sure it's idempotent. + - > + ansible-playbook -i tests/inventory tests/test-tomcat-server-xml.yml --connection=local --sudo -e 'setup=false' + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && exit 1) + + # Run the miscellaneous tests. + - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo" + + # Run the role/playbook again, checking to make sure it's idempotent. + # TODO: Test is not currently idempotent +# - > +# ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo +# | grep -q 'changed=0.*failed=0' +# && (echo 'Idempotence test: pass' && exit 0) +# || (echo 'Idempotence test: fail' && exit 1) \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/LICENSE b/tools/ansible/roles/ansible-xml/LICENSE new file mode 100644 index 0000000..d159169 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/LICENSE 
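Review bot: `sudo apt-get install python-lxml` runs before `sudo apt-get update -qq` in `before_install`, so the install works from a stale package index; swap the two steps (the comment "Make sure everything's up to date" already describes the intended order). `pip install ansible` is unpinned while the role's meta/main.yml declares `min_ansible_version: 1.6`; pinning CI to a known release (e.g. `pip install 'ansible==1.6.*'`, a constructed example) keeps an upstream Ansible change from surfacing as a module regression. The second idempotence check is commented out with a TODO, so `tests/test.yml` is not actually verified to be idempotent even though the travis file suggests it is.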
@@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. 
diff --git a/tools/ansible/roles/ansible-xml/README.md b/tools/ansible/roles/ansible-xml/README.md new file mode 100644 index 0000000..2f591bf --- /dev/null +++ b/tools/ansible/roles/ansible-xml/README.md @@ -0,0 +1,128 @@ +[![Build Status](https://travis-ci.org/relaxnow/ansible-xml.svg?branch=master)](https://travis-ci.org/relaxnow/ansible-xml) +# ansible-xml + +[Ansible](https://github.com/ansible/ansible) module for manipulating +bits and pieces of XML files and strings. + +# Requirements + +* Pythons bindings to libxml (usually in a package called python-lxml, install with ```sudo apt-get install python-lxml```). + + +# Notes + +* This module is not 100% complete. No promises of support are made. +* **Pull requests are welcome!** +* This software is available under the terms of the GPLv2 license. + + +# What is XPath? + +"XPath uses path expressions to select nodes or node-sets in an XML +document. The node is selected by following a path or steps." + +Basically, it's a syntax which allows you to select a specific, or +collection, of elements or attributes in an XML file. + +[Learn more at the Mozilla Developer Network](https://developer.mozilla.org/en-US/docs/Web/XPath) + + +# Examples + +Given: + + + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + + 10 + + +
http://tastybeverageco.com
+
+
+ + +Remove the ``subjective`` attribute of the rating element: + + xml: file=/foo/bar.xml xpath=/business/rating/@subjective ensure=absent + +Set the rating to **11** + + xml: file=/foo/bar.xml xpath=/business/rating value=11 + +Get count of beers nodes + + xml: file=/foo/bar.xml xpath=/business/beers count=true + register: hits + + debug: var=hits.count + + + +Add a ``phonenumber`` element to the ``business`` element Implicit +``mkdir -p`` behavior where applicable (parent xml nodes created +automatically) + + xml: file=/foo/bar.xml xpath=/business/phonenumber value=555-555-1234 + +Add several more beers to the beers element, assuming a **vars.yaml** +file with: + + new_beers: + - beer: "Old Rasputin" + - beer: "Old Motor Oil" + - beer: "Old Curmudgeon" + +Then the playbook syntax would look like this: + + xml: file=/foo/bar.xml xpath=/business/beers children_add={{ new_beers }} + +The same, but do it inline + + xml: + file: /foo/bar.xml + xpath: /business/beers + children_add: + - beer: "Old Rasputin" + - beer: "Old Motor Oil" + - beer: "Old Curmudgeon" + +Add a ``validxhtml`` element to the ``website`` element. Note that +``ensure`` is ``present`` by default, and ``value`` defaults to +``null`` for elements. The result is something like +``...`` + + xml: file=/foo/bar.xml xpath=/business/website/validxhtml + +Add an empty ``validatedon`` attribute to the ``validxhtml`` +element. This actually makes the last example redundant because of the +implicit parent-node creation behavior. The result is something like +``...`` + + xml: file=/foo/bar.xml xpath=/business/website/validxhtml/@validatedon + +(1/2) Remove all children from the website element: + + xml: file=/foo/bar.xml xpath=/business/website/* ensure=absent + +(2/2) Remove all children from the website element: + + xml: + file: /foo/bar.xml + xpath: /business/website + children: [] + + +Question? 
If You have ```` + +What happens if you say: + + xml: file=/foo/bar.xml xpath=/beers + +``value`` defaults to an element, so then this would erase the +children elements. diff --git a/tools/ansible/roles/ansible-xml/ansible.cfg b/tools/ansible/roles/ansible-xml/ansible.cfg new file mode 100644 index 0000000..5a5b553 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +roles_path = ../ \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/library/xml b/tools/ansible/roles/ansible-xml/library/xml new file mode 100755 index 0000000..4c088f0 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/library/xml 
@@ -0,0 +1,319 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# xml - Manage bits and pieces of XML files +# +# Copyright 2014, Red Hat, Inc. +# Tim Bielawa +# Magnus Hedemark +# +# This software may be freely redistributed under the terms of the GNU +# general public license version 2. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + + +DOCUMENTATION = ''' +--- +module: xml +short_description: Manage bits and pieces of XML files or strings +description: + - A CRUD-like interface to managing bits of XML flies. You might also be interested in a brief tutorial, U(http://www.w3schools.com/xpath/). Note that module this does not handle complicated xpath expressions. So limit xpath selectors to simple expressions. +version_added: "1.0" +options: + file: + description: + - Path to the file to operate on. File must exist ahead of time. + required: true unless xmlstring is given + default: null + choices: [] + xmlstring: + description: + - A string containing XML on which to operate. + required: true unless file is given + default: null + choices: [] + xpath: + description: + - A valid XPath expression describing the item(s) you want to manipulate. Operates on the document root, C(/), by default. + required: false + default: / + choices: [] + ensure: + description: + - Set or remove an xpath selection (node(s), attribute(s)) + required: false + default: present + choices: + - "absent" + - "present" + value: + description: + - Desired state of the selected attribute. Either a string, or to unset a value, the Python C(None) keyword (YAML Equivalent, C(null)). + required: false + default: Elements default to no value (but present). Attributes default to an empty string. + choices: [] + add_children: + description: + - 'Add additional child-element(s) to a selected element. 
Child elements must be given in a list and each item may be either a string (ex: C(children=ansible) to add an empty C() child element), or a hash where the key is an element name and the value is the element value.' + required: false + default: null + choices: [] + set_children: + description: + - 'Set the the child-element(s) of a selected element. Removes any existing children. Child elements must be specified as in C(add_children).' + required: false + default: null + choices: [] + count: + description: + - "Search for a given C(xpath) and provide the count of any matches" + required: false + default: null + choices: [] + print_match: + description: + - "Search for a given C(xpath) and print out any matches" + required: false + default: null + choices: [] +requirements: + - The remote end must have the Python C(lxml) library installed +author: Tim Bielawa, Magnus Hedemark +''' + + +from io import BytesIO +from lxml import etree +try: + import json +except: + import simplejson as json +import lxml +import os + +def print_match(tree, xpath, module): + match = tree.xpath(xpath) + match_xpaths = [] + for m in match: + match_xpaths.append(tree.getpath(m)) + match_str = json.dumps(match_xpaths) + msg = "selector '%s' match: %s" % (xpath, match_str) + finish(tree, xpath, module, changed=False, msg=msg) + +def count(tree, xpath, module): + """ Return the count of nodes matching the xpath """ + hits = tree.xpath("count(/%s)" % xpath) + finish(tree, xpath, module, changed=False, msg=int(hits), hitcount=int(hits)) + +def is_node(tree, xpath): + """ Test if a given xpath matches anything and if that match is a node. 
+ + For now we just assume you're only searching for one specific thing.""" + if xpath_matches(tree, xpath): + # OK, it found something + match = tree.xpath(xpath) + if type(match[0]) == lxml.etree._Element: + return True + + return False + +def is_attribute(tree, xpath): + """ Test if a given xpath matches and that match is an attribute """ + if xpath_matches(tree, xpath): + match = tree.xpath(xpath) + if type(match[0]) == lxml.etree._ElementStringResult: + return True + + return False + +def xpath_matches(tree, xpath): + """ Test if a node exists """ + if tree.xpath(xpath): + return True + else: + return False + +def delete_xpath_target(tree, xpath, module): + try: + for node in tree.xpath(xpath): + if not module.check_mode: node.getparent().remove(node) + except: + abort("Couldn't delete xpath target: %s" % xpath, module) + else: + finish(tree, xpath, module, changed=True) + +def set_target_children(tree, xpath, children, module): + matches = tree.xpath(xpath) + + # Create a list of our new children + children = children_to_nodes(children=children, module=module) + + changed = False + + # xpaths always return matches as a list, so.... 
+ for match in matches: + # First remove any existing children + for element in match.getchildren(): + if not module.check_mode: match.remove(element) + + # Add our new children to the node + if not module.check_mode: match.extend(children) + changed = True + + # Write it out + finish(tree, xpath, module, changed=changed) + +def add_target_children(tree, xpath, children, module): + if is_node(tree, xpath): + new_kids = children_to_nodes(children, module) + for node in tree.xpath(xpath): + if not module.check_mode: node.extend(new_kids) + finish(tree, xpath, module, changed=True) + else: + finish(tree, xpath, module) + +def set_target_attribute(tree, xpath, attribute, value, module): + changed = False + + if is_node(tree, xpath): + for element in tree.xpath(xpath): + if (element.get(attribute) != value): + if not module.check_mode: element.set(attribute, value) + changed = True + + finish(tree, xpath, module, changed=changed) + +def child_to_element(child, module): + ch_type = type(child) + if ch_type == str or ch_type == unicode: + return etree.Element(child) + elif ch_type == dict: + if len(child) > 1: + abort("Can only create children from hashes with one key", module) + + (key, value) = child.items()[0] + if type(value) == dict: + node = etree.Element(key, value) + else: + node = etree.Element(key) + node.text = value + return node + else: + abort("Invalid child type: %s. Children must be either strings or hashes." 
% str(ch_type), module) + +def children_to_nodes(children=[], module=None): + """turn a str/hash/list of str&hash into a list of elements""" + return [child_to_element(child, module) for child in children] + +def abort(msg, m): + m.fail_json(msg=msg) + +def finish(tree, xpath, m, changed=False, msg="", hitcount=0): + if changed: + tree.write(m.params['file'], xml_declaration=True, encoding='UTF-8') + m.exit_json(changed=changed,actions={"xpath": xpath, "ensure": m.params['ensure']}, msg=msg, count=hitcount) + +def main(): + module = AnsibleModule( + argument_spec=dict( + file=dict(required=False, default=None), + xmlstring=dict(required=False, default=None), + xpath=dict(required=False, default='/'), + ensure=dict(required=False, default='present', choices=['absent', 'present']), + value=dict(required=False, default=None), + attribute=dict(required=False, default=None), + add_children=dict(required=False, default=None), + set_children=dict(required=False, default=None), + count=dict(required=False, default=None, type='bool'), + print_match=dict(required=False, default=None, type='bool') + ), + supports_check_mode=True, + mutually_exclusive = [ + ['value','set_children'], + ['value','add_children'], + ['set_children', 'add_children'], + ['file', 'xmlstring'] + ] + ) + + xml_file = module.params['file'] + xml_string = module.params['xmlstring'] + xpath = module.params['xpath'] + ensure = module.params['ensure'] + value = module.params['value'] + attribute = module.params['attribute'] + set_children = module.params['set_children'] + add_children = module.params['add_children'] + + ################################################################## + # Check if the file exists + # No: abort + if xml_string: + infile = BytesIO(xml_string.encode('utf-8')) + elif os.path.isfile(xml_file): + infile = file(xml_file, 'r') + else: + module.fail_json( + msg="The target XML source does not exist: %s" % + xml_file) + + # Try to parse in the target XML file + try: + x = 
etree.parse(infile) + except etree.XMLSyntaxError, e: + module.fail_json( + msg="Error while parsing file: %s" % + str(e)) + + if module.params['print_match']: + print_match(x, xpath, module) + + if module.params['count']: + count(x, xpath, module) + + # module.fail_json(msg="OK. Well, etree parsed the xml file...") + + # module.exit_json(what_did={"foo": "bar"}, changed=True) + + ################################################################## + # File exists: + # Ensure: + if ensure == 'absent': + # - absent: delete xpath target + delete_xpath_target(x, xpath, module) + # Exit + # - present: carry on + + ################################################################## + # children && value both set?: should have already aborted by now + ################################################################## + + ################################################################## + # add_children && set_children both set?: should have already aborted by now + ################################################################## + + ################################################################## + # set_children set? + # Yes: Set children of target + if module.params['set_children']: + set_target_children(x, xpath, set_children, module) + + ################################################################## + # add_children set? + # Yes: Add children to target + if module.params['add_children']: + add_target_children(x, xpath, add_children, module) + + # No?: Carry on + + ################################################################## + # Is the xpath target an attribute selector? + # Yes: Set the attribute, exit + if module.params['value']: + set_target_attribute(x, xpath, attribute, value, module) + +###################################################################### +from ansible.module_utils.basic import * +main() 
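Review bot: `finish()` writes the tree to disk whenever `changed` is true, but its callers set `changed` without regard to check mode — `delete_xpath_target` and `add_target_children` pass `changed=True` unconditionally and `set_target_children` sets it after skipping the actual edits — so a `--check` run re-serialises and overwrites `m.params['file']` despite `supports_check_mode=True`; guard the write with `if changed and not m.check_mode:`. The same call passes `None` to `tree.write` when the input came from `xmlstring`, since `m.params['file']` is unset on that path. Because `tree.write` truncates the target in place, a failure mid-serialisation leaves a partial config file behind; serialising to a temporary file and moving it into place with `module.atomic_move` would be safer. Separately, `count()` builds its expression as `"count(/%s)" % xpath`, which turns the default xpath `/` into the invalid `count(//)` and any absolute path into a descendant search; `tree.xpath("count(%s)" % xpath)` is what the docstring describes. The `attribute` option declared in `argument_spec` is missing from the `DOCUMENTATION` block.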
diff --git a/tools/ansible/roles/ansible-xml/meta/main.yml b/tools/ansible/roles/ansible-xml/meta/main.yml new file mode 100644 index 0000000..5f0504a --- /dev/null +++ b/tools/ansible/roles/ansible-xml/meta/main.yml @@ -0,0 +1,9 @@ +--- +galaxy_info: + author: Tim Bielawa + license: GPL-2.0 + min_ansible_version: 1.6 + categories: + - files +dependencies: [] +version: 0.3.0 diff --git a/tools/ansible/roles/ansible-xml/tests/README.md b/tools/ansible/roles/ansible-xml/tests/README.md new file mode 100644 index 0000000..fa1a82c --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/README.md @@ -0,0 +1,5 @@ +ansible-xml Tests +================= + +Work in progress. +See also: https://servercheck.in/blog/testing-ansible-roles-travis-ci-github \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-beers.xml b/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-beers.xml new file mode 100644 index 0000000..d30c277 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-beers.xml @@ -0,0 +1,14 @@ + + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + + 10 + + +
http://tastybeverageco.com
+
+
diff --git a/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-tomcat-server.xml b/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-tomcat-server.xml new file mode 100644 index 0000000..13ba320 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-tomcat-server.xml @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/group_vars/all b/tools/ansible/roles/ansible-xml/tests/group_vars/all new file mode 100644 index 0000000..bf0877e --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/group_vars/all @@ -0,0 +1,6 @@ +# -*- mode: yaml -*- +--- +bad_beers: + - beer: "Natty Lite" + - beer: "Miller Lite" + - beer: "Coors Lite" diff --git a/tools/ansible/roles/ansible-xml/tests/inventory b/tools/ansible/roles/ansible-xml/tests/inventory new file mode 100644 index 0000000..2fbb50c --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/inventory @@ -0,0 +1 @@ +localhost diff --git a/tools/ansible/roles/ansible-xml/tests/test-require-valid-file.yml b/tools/ansible/roles/ansible-xml/tests/test-require-valid-file.yml new file mode 100644 index 0000000..029fe7c --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-require-valid-file.yml @@ -0,0 +1,14 @@ +--- +- hosts: localhost + vars_files: [group_vars/all] + remote_user: root + + roles: + - { role: ansible-xml } + + post_tasks: + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Verify task requires a valid 'file' attribute + xml: xpath=/ file=/klfj/dlfjkldf/sojfkljf.xml \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-tomcat-server-xml.yml b/tools/ansible/roles/ansible-xml/tests/test-tomcat-server-xml.yml new file mode 100644 index 0000000..cae2c79 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-tomcat-server-xml.yml 
@@ -0,0 +1,32 @@ +--- +- hosts: localhost + vars_files: [group_vars/all] + remote_user: root + + vars: + setup: true + + roles: + - { role: ansible-xml } + + post_tasks: + - name: Setup test fixture + command: cp fixtures/ansible-xml-tomcat-server.xml /tmp/ansible-xml-tomcat-server.xml + when: setup + + - name: Count the host we're trying to add + xml: + file: /tmp/ansible-xml-tomcat-server.xml + xpath: /Server/Service[@name="Tomcat-Standalone"]/Engine[@name="Standalone"]/Host[@name="ansible-host"] + count: true + register: ansible_host + + - name: Add Ansible Host + xml: + file: /tmp/ansible-xml-tomcat-server.xml + xpath: /Server/Service[@name="Tomcat-Standalone"]/Engine[@name="Standalone"] + add_children: + - Host: + name: ansible-host + appBase: webapps/ansible-host + when: ansible_host.count == 0 \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test.yml b/tools/ansible/roles/ansible-xml/tests/test.yml new file mode 100644 index 0000000..d74827d --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test.yml 
@@ -0,0 +1,49 @@ +--- +- hosts: localhost + vars_files: [group_vars/all] + remote_user: root + + roles: + - { role: ansible-xml } + + post_tasks: + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Verify the module removes the 'rating' node + xml: file=/tmp/ansible-xml-beers.xml xpath=/business/rating ensure=absent + + - name: Verify that Ansible detects mutually exclusive attributes (children & value) + xml: + file: /tmp/ansible-xml-beers.xml + add_children: + - child01 + - child02 + value: conflict! + ignore_errors: yes + + - name: Add a badbeers element + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business + add_children: + - badbeers + - nodeName: nodeValue + - nodeName: + attribute: attributeValue + __v: nodeValue + + - name: Add several more (bad) beers to the beers element, assuming a group_vars file with a 'bad_beers' variable in it + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/beers + add_children: "{{ bad_beers }}" + + - name: Add several more (bad) beers to the beers element + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/beers + add_children: + - beer: "Old Rasputin" + - beer: "Old Motor Oil" + - beer: "Old Curmudgeon" \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/templates/api.conf.j2 b/tools/ansible/roles/openconext-api/templates/api.conf.j2 new file mode 100644 index 0000000..4ac183c --- /dev/null +++ b/tools/ansible/roles/openconext-api/templates/api.conf.j2 
@@ -0,0 +1,38 @@ + + # General setup for the virtual host, inherited from global configuration + DocumentRoot "/var/www/html/default" + ServerName api.{{ openconext_domain }}:443 + + # Use separate log files for the SSL virtual host; note that LogLevel + # is not inherited from httpd.conf. + ErrorLog logs/api_ssl_error_log + TransferLog logs/api_ssl_access_log + LogLevel warn + + SSLEngine on + SSLProtocol -ALL +SSLv3 +TLSv1 + SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4-MD5:RC4+RSA:+HIGH:+MEDIU + SSLCertificateFile /etc/httpd/keys/openconext.pem + SSLCertificateKeyFile /etc/httpd/keys/openconext.key + SSLCACertificateFile /etc/httpd/keys/openconext_ca.pem + + RewriteEngine On + RewriteRule ^/$ /v1/$1 [L,R=permanent] + + + SSLOptions +StdEnvVars + + + SetEnvIf User-Agent ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + + CustomLog logs/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + # Proxy requests through to Tomcat using AJP + + ProxyPass / ajp://localhost:8009/ + + From 60173d0d4a6dcafa534a9c0ccf6a99d06e501295 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Thu, 10 Jul 2014 10:38:57 +0200 Subject: [PATCH 36/49] Librarian Ansible update --- tools/ansible/Ansiblefile.lock | 2 +- tools/ansible/roles/openconext-api/tasks/main/install-src.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/ansible/Ansiblefile.lock b/tools/ansible/Ansiblefile.lock index 2be034a..665127f 100644 --- a/tools/ansible/Ansiblefile.lock +++ b/tools/ansible/Ansiblefile.lock @@ -2,7 +2,7 @@ GIT remote: git@github.com:OpenConext/OpenConext-api.git path: ./coin-api-dist/src/main/resources/ansible-openconext-api ref: feature/ansible - sha: 94a02518064744220ef0f6747cdabf3441b9acf7 + sha: 622e102b467d170499c301d01a78acb8c1053062 specs: openconext-api (4.2.0) 
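Review bot: The `SSLProtocol -ALL +SSLv3 +TLSv1` line in the new `api.conf.j2` virtual host enables SSLv3 and caps negotiation at TLS 1.0, and the `SSLCipherSuite` string re-admits RC4 via `RC4+RSA` and ends in `+MEDIU`, which looks truncated (`MEDIUM`?) and should be checked against the template it was copied from. For a public API endpoint the protocol line should read `SSLProtocol all -SSLv2 -SSLv3`, with `SSLHonorCipherOrder on` and `!RC4` added to the exclusions so the server rather than the client picks the suite. Separately, `RewriteRule ^/$ /v1/$1 [L,R=permanent]` uses `$1` although the pattern has no capture group, so it can only ever redirect to `/v1/`; `RewriteRule ^/$ /v1/ [L,R=permanent]` states that directly. The template also points `SSLCertificateKeyFile` at `/etc/httpd/keys/openconext.key`; nothing in this diff shows how that file is provisioned, and the role should ensure it is installed root-owned with mode 0600.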
diff --git a/tools/ansible/roles/openconext-api/tasks/main/install-src.yml b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml index a783406..6e20026 100644 --- a/tools/ansible/roles/openconext-api/tasks/main/install-src.yml +++ b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml @@ -7,9 +7,9 @@ version: "{{ api_version }}" - name: SRC - Running Maven install - command: mvn clean install -DskipTests + command: mvn -q clean install -DskipTests args: chdir: "{{ api_release_dir }}" - name: SRC - Copy build to build directory - copy: src="coin-api-dist/target/coin-api-dist-{{ version }}-bin.tar.gz" dest={{ api_build_path }} \ No newline at end of file + copy: src="coin-api-dist/target/coin-api-dist-{{ api_version }}-bin.tar.gz" dest={{ api_build_path }} \ No newline at end of file From a7bf4f14d9f61a89bfd2041ddc474eb58c929aee Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Thu, 10 Jul 2014 14:57:15 +0200 Subject: [PATCH 37/49] Ansible API role: fixed path to built dist --- tools/ansible/roles/openconext-api/tasks/main/install-src.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/ansible/roles/openconext-api/tasks/main/install-src.yml b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml index 6e20026..230865b 100644 --- a/tools/ansible/roles/openconext-api/tasks/main/install-src.yml +++ b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml @@ -12,4 +12,6 @@ chdir: "{{ api_release_dir }}" - name: SRC - Copy build to build directory - copy: src="coin-api-dist/target/coin-api-dist-{{ api_version }}-bin.tar.gz" dest={{ api_build_path }} \ No newline at end of file + copy: + src: "{{ api_release_dir }}/coin-api-dist/target/coin-api-dist-{{ api_version }}-SNAPSHOT-bin.tar.gz" + dest: "{{ api_build_path }}" \ No newline at end of file From d4b46fee5f2f18728f43708d59717be5ce1ce480 Mon Sep 17 00:00:00 2001 
From: Boy Baukema Date: Thu, 10 Jul 2014 17:05:12 +0200 Subject: [PATCH 38/49] When you build API it will use coin-version as the name of the war, not the version we specified in api_version. This should always be the same for normal versions, but really we only do building from source for branches or dev versions. So now we just look what's been built and rename it when we move it to the builds directory. --- .../roles/openconext-api/tasks/main/install-src.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/ansible/roles/openconext-api/tasks/main/install-src.yml b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml index 230865b..d593fad 100644 --- a/tools/ansible/roles/openconext-api/tasks/main/install-src.yml +++ b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml @@ -11,7 +11,13 @@ args: chdir: "{{ api_release_dir }}" + - name: SRC - Find built dists + shell: ls {{ api_release_dir }}/coin-api-dist/target/coin-api-dist-*-bin.tar.gz + register: dist + failed_when: "dist.stdout_lines|length != 1" + changed_when: False + - name: SRC - Copy build to build directory copy: - src: "{{ api_release_dir }}/coin-api-dist/target/coin-api-dist-{{ api_version }}-SNAPSHOT-bin.tar.gz" + src: "{{ dist.stdout }}" dest: "{{ api_build_path }}" \ No newline at end of file From db286695318589b52fec7108984935bbc72fd990 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 11 Jul 2014 09:47:04 +0200 Subject: [PATCH 39/49] Define engine_git_url --- tools/ansible/engineblock.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/ansible/engineblock.yml b/tools/ansible/engineblock.yml index f7ebf79..924834d 100644 --- a/tools/ansible/engineblock.yml +++ b/tools/ansible/engineblock.yml 
@@ -17,6 +17,7 @@ engine_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" engine_current_release_symlink: "/opt/www/engineblock" + engine_git_url: "https://github.com/OpenConext/OpenConext-engineblock.git" engine_config: auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.default.pem From 3e950563884cd4105e20c856619066b32e59d9f2 Mon Sep 17 00:00:00 2001 
From: Boy Baukema Date: Fri, 11 Jul 2014 17:32:38 +0200 Subject: [PATCH 40/49] Updated Ansible roles --- tools/ansible/Ansiblefile.lock | 8 +-- tools/ansible/roles/ansible-xml/.travis.yml | 24 +------- tools/ansible/roles/ansible-xml/README.md | 56 +++++++++---------- tools/ansible/roles/ansible-xml/library/xml | 16 ++++-- tools/ansible/roles/ansible-xml/meta/main.yml | 2 +- .../tests/fixtures/ansible-xml-beers.xml | 4 +- .../fixtures/ansible-xml-tomcat-server.xml | 28 ---------- .../ansible/roles/ansible-xml/tests/inventory | 2 +- .../results/test-add-children-elements.xml | 14 +++++ .../test-add-children-from-groupvars.xml | 14 +++++ .../test-add-children-with-attributes.xml | 14 +++++ .../tests/results/test-remove-attribute.xml | 14 +++++ .../tests/results/test-remove-element.xml | 13 +++++ .../results/test-set-attribute-value.xml | 14 +++++ .../tests/results/test-set-element-value.xml | 14 +++++ .../tests/test-add-children-elements.yml | 13 +++++ .../test-add-children-from-groupvars.yml | 12 ++++ .../test-add-children-with-attributes.yml | 15 +++++ .../roles/ansible-xml/tests/test-count.yml | 11 ++++ .../test-mutually-exclusive-attributes.yml | 13 +++++ .../tests/test-remove-attribute.yml | 12 ++++ .../ansible-xml/tests/test-remove-element.yml | 12 ++++ .../tests/test-set-attribute-value.yml | 14 +++++ .../tests/test-set-element-value.yml | 13 +++++ .../tests/test-tomcat-server-xml.yml | 32 ----------- .../ansible/roles/ansible-xml/tests/test.yml | 52 ++++------------- .../openconext-api/tasks/main/configure.yml | 6 +- .../openconext-api/tasks/main/install-src.yml | 31 +++++++--- .../openconext-api/tasks/main/install.yml | 9 ++- .../templates/coin-api.properties.j2 | 2 +- .../tasks/main/install-src.yml | 3 +- 31 files changed, 308 insertions(+), 179 deletions(-) delete mode 100644 tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-tomcat-server.xml create mode 100644 tools/ansible/roles/ansible-xml/tests/results/test-add-children-elements.xml create 
mode 100644 tools/ansible/roles/ansible-xml/tests/results/test-add-children-from-groupvars.xml create mode 100644 tools/ansible/roles/ansible-xml/tests/results/test-add-children-with-attributes.xml create mode 100644 tools/ansible/roles/ansible-xml/tests/results/test-remove-attribute.xml create mode 100644 tools/ansible/roles/ansible-xml/tests/results/test-remove-element.xml create mode 100644 tools/ansible/roles/ansible-xml/tests/results/test-set-attribute-value.xml create mode 100644 tools/ansible/roles/ansible-xml/tests/results/test-set-element-value.xml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-add-children-elements.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-add-children-from-groupvars.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-add-children-with-attributes.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-count.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-mutually-exclusive-attributes.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-remove-attribute.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-remove-element.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-set-attribute-value.yml create mode 100644 tools/ansible/roles/ansible-xml/tests/test-set-element-value.yml delete mode 100644 tools/ansible/roles/ansible-xml/tests/test-tomcat-server-xml.yml diff --git a/tools/ansible/Ansiblefile.lock b/tools/ansible/Ansiblefile.lock index 665127f..073dde1 100644 --- a/tools/ansible/Ansiblefile.lock +++ b/tools/ansible/Ansiblefile.lock @@ -2,7 +2,7 @@ GIT remote: git@github.com:OpenConext/OpenConext-api.git path: ./coin-api-dist/src/main/resources/ansible-openconext-api ref: feature/ansible - sha: 622e102b467d170499c301d01a78acb8c1053062 + sha: 71768064bc0ab62483ea84bbc053892f7cb89b99 specs: openconext-api (4.2.0) 
@@ -10,16 +10,16 @@ GIT remote: git@github.com:OpenConext/OpenConext-engineblock.git path: ./tools/ansible-role-openconext-engineblock ref: feature/ansible - sha: d0571fb2efc754809d96c26d78c9b658aa3c9e6c + sha: e0fccb5321aedc0a0ecc73bf9e5274e70cda85ab specs: openconext-engineblock (4.2.0) GIT remote: https://github.com/relaxnow/ansible-xml ref: master - sha: 39daccd3e7aca5ede9265c46fea46d8a42256469 + sha: 3a9c9ab2c93c512520be8d227519bc552e05c7a9 specs: - ansible-xml (0.3.0) + ansible-xml (0.3.1) DEPENDENCIES ansible-xml (>= 0) diff --git a/tools/ansible/roles/ansible-xml/.travis.yml b/tools/ansible/roles/ansible-xml/.travis.yml index cbf2a85..881f887 100644 --- a/tools/ansible/roles/ansible-xml/.travis.yml +++ b/tools/ansible/roles/ansible-xml/.travis.yml @@ -7,7 +7,6 @@ before_install: # Make sure everything's up to date. - sudo apt-get update -qq - install: # Install Ansible. - pip install ansible 
@@ -16,26 +15,5 @@ script: # Check the role/playbook's syntax. - ansible-playbook -i tests/inventory tests/test.yml --syntax-check - # Run the "require valid file" playbook which should fail. - - "! ansible-playbook -i tests/inventory tests/test-require-valid-file.yml --connection=local --sudo" - - # Run the "Insert a new host in Tomcat" playbook which should succeed. - - "ansible-playbook -i tests/inventory tests/test-tomcat-server-xml.yml --connection=local --sudo" - - # Run the role/playbook again, checking to make sure it's idempotent. - - > - ansible-playbook -i tests/inventory tests/test-tomcat-server-xml.yml --connection=local --sudo -e 'setup=false' - | grep -q 'changed=0.*failed=0' - && (echo 'Idempotence test: pass' && exit 0) - || (echo 'Idempotence test: fail' && exit 1) - # Run the miscellaneous tests. - - "ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo" - - # Run the role/playbook again, checking to make sure it's idempotent. - # TODO: Test is not currently idempotent -# - > -# ansible-playbook -i tests/inventory tests/test.yml --connection=local --sudo -# | grep -q 'changed=0.*failed=0' -# && (echo 'Idempotence test: pass' && exit 0) -# || (echo 'Idempotence test: fail' && exit 1) \ No newline at end of file + - "ansible-playbook -i tests/inventory tests/test.yml" diff --git a/tools/ansible/roles/ansible-xml/README.md b/tools/ansible/roles/ansible-xml/README.md index 2f591bf..cbfae55 100644 --- a/tools/ansible/roles/ansible-xml/README.md +++ b/tools/ansible/roles/ansible-xml/README.md @@ -31,20 +31,20 @@ collection, of elements or attributes in an XML file. Given: - - - Tasty Beverage Co. - - Rochefort 10 - St. Bernardus Abbot 12 - Schlitz - - 10 - - -
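Review bot: The new `script:` section drops the step that ran `tests/test-require-valid-file.yml` and asserted that it fails, and the replacement `tests/test.yml` include list added elsewhere in this commit has no negative case, so a regression in which the module silently accepts a nonexistent `file` would pass CI. That playbook is not deleted by this commit, so the step can be kept as `- "! ansible-playbook -i tests/inventory tests/test-require-valid-file.yml"`; `--connection=local` is no longer needed now that `tests/inventory` sets `ansible_connection=local`. The idempotence re-run was removed as well; once the per-test `diff` tasks carry `changed_when: False`, restoring that `changed=0` check is cheap.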
http://tastybeverageco.com
-
-
+ + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + + 10 + + +
http://tastybeverageco.com
+
+
Remove the ``subjective`` attribute of the rating element: @@ -57,10 +57,10 @@ Set the rating to **11** Get count of beers nodes - xml: file=/foo/bar.xml xpath=/business/beers count=true - register: hits + xml: file=/foo/bar.xml xpath=/business/beers count=true + register: hits - debug: var=hits.count + debug: var=hits.count @@ -84,13 +84,13 @@ Then the playbook syntax would look like this: The same, but do it inline - xml: - file: /foo/bar.xml - xpath: /business/beers - children_add: - - beer: "Old Rasputin" - - beer: "Old Motor Oil" - - beer: "Old Curmudgeon" + xml: + file: /foo/bar.xml + xpath: /business/beers + children_add: + - beer: "Old Rasputin" + - beer: "Old Motor Oil" + - beer: "Old Curmudgeon" Add a ``validxhtml`` element to the ``website`` element. Note that ``ensure`` is ``present`` by default, and ``value`` defaults to @@ -112,10 +112,10 @@ implicit parent-node creation behavior. The result is something like (2/2) Remove all children from the website element: - xml: - file: /foo/bar.xml - xpath: /business/website - children: [] + xml: + file: /foo/bar.xml + xpath: /business/website + children: [] Question? If You have ```` diff --git a/tools/ansible/roles/ansible-xml/library/xml b/tools/ansible/roles/ansible-xml/library/xml index 4c088f0..556cc1e 100755 --- a/tools/ansible/roles/ansible-xml/library/xml +++ b/tools/ansible/roles/ansible-xml/library/xml 
@@ -174,16 +174,22 @@ def add_target_children(tree, xpath, children, module): else: finish(tree, xpath, module) -def set_target_attribute(tree, xpath, attribute, value, module): +def set_target(tree, xpath, attribute, value, module): changed = False - if is_node(tree, xpath): - for element in tree.xpath(xpath): + if not is_node(tree, xpath): + abort("Xpath " + xpath + " does not reference a node!") + + for element in tree.xpath(xpath): + if not attribute: + element.text = value + changed = True + else: if (element.get(attribute) != value): if not module.check_mode: element.set(attribute, value) changed = True - finish(tree, xpath, module, changed=changed) + finish(tree, xpath, module, changed) def child_to_element(child, module): ch_type = type(child) @@ -312,7 +318,7 @@ def main(): # Is the xpath target an attribute selector? # Yes: Set the attribute, exit if module.params['value']: - set_target_attribute(x, xpath, attribute, value, module) + set_target(x, xpath, attribute, value, module) ###################################################################### from ansible.module_utils.basic import * diff --git a/tools/ansible/roles/ansible-xml/meta/main.yml b/tools/ansible/roles/ansible-xml/meta/main.yml index 5f0504a..989db84 100644 --- a/tools/ansible/roles/ansible-xml/meta/main.yml +++ b/tools/ansible/roles/ansible-xml/meta/main.yml @@ -6,4 +6,4 @@ galaxy_info: categories: - files dependencies: [] -version: 0.3.0 +version: 0.3.1 diff --git a/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-beers.xml b/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-beers.xml index d30c277..5afc797 100644 --- a/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-beers.xml +++ b/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-beers.xml @@ -8,7 +8,7 @@ 10 - +
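Review bot: In the new text branch of `set_target`, `element.text = value` and `changed = True` run unconditionally, so setting an element's value always reports a change and mutates the tree even in check mode (whether `finish` then writes it is outside this hunk), whereas the attribute branch directly below compares first and honours `module.check_mode`. Mirror that branch: `if element.text != value:` guarding `if not module.check_mode: element.text = value`, followed by `changed = True` inside the same condition. Without it every playbook that uses `value:` is non-idempotent by construction, and no `changed=0` idempotence check can pass against this module.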
http://tastybeverageco.com
- + \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-tomcat-server.xml b/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-tomcat-server.xml deleted file mode 100644 index 13ba320..0000000 --- a/tools/ansible/roles/ansible-xml/tests/fixtures/ansible-xml-tomcat-server.xml +++ /dev/null @@ -1,28 +0,0 @@ - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/inventory b/tools/ansible/roles/ansible-xml/tests/inventory index 2fbb50c..5b97818 100644 --- a/tools/ansible/roles/ansible-xml/tests/inventory +++ b/tools/ansible/roles/ansible-xml/tests/inventory @@ -1 +1 @@ -localhost +localhost ansible_connection=local diff --git a/tools/ansible/roles/ansible-xml/tests/results/test-add-children-elements.xml b/tools/ansible/roles/ansible-xml/tests/results/test-add-children-elements.xml new file mode 100644 index 0000000..f9ff251 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/results/test-add-children-elements.xml @@ -0,0 +1,14 @@ + + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + Old Rasputin + 10 + + +
http://tastybeverageco.com
+
+
\ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/results/test-add-children-from-groupvars.xml b/tools/ansible/roles/ansible-xml/tests/results/test-add-children-from-groupvars.xml new file mode 100644 index 0000000..565ba40 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/results/test-add-children-from-groupvars.xml @@ -0,0 +1,14 @@ + + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + Natty LiteMiller LiteCoors Lite + 10 + + +
http://tastybeverageco.com
+
+
\ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/results/test-add-children-with-attributes.xml b/tools/ansible/roles/ansible-xml/tests/results/test-add-children-with-attributes.xml new file mode 100644 index 0000000..2351ea5 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/results/test-add-children-with-attributes.xml @@ -0,0 +1,14 @@ + + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + + 10 + + +
http://tastybeverageco.com
+
+
\ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/results/test-remove-attribute.xml b/tools/ansible/roles/ansible-xml/tests/results/test-remove-attribute.xml new file mode 100644 index 0000000..8a621cf --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/results/test-remove-attribute.xml @@ -0,0 +1,14 @@ + + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + + 10 + + +
http://tastybeverageco.com
+
+
\ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/results/test-remove-element.xml b/tools/ansible/roles/ansible-xml/tests/results/test-remove-element.xml new file mode 100644 index 0000000..454d905 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/results/test-remove-element.xml @@ -0,0 +1,13 @@ + + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + + + +
http://tastybeverageco.com
+
+
\ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/results/test-set-attribute-value.xml b/tools/ansible/roles/ansible-xml/tests/results/test-set-attribute-value.xml new file mode 100644 index 0000000..143fe7b --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/results/test-set-attribute-value.xml @@ -0,0 +1,14 @@ + + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + + 10 + + +
http://tastybeverageco.com
+
+
\ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/results/test-set-element-value.xml b/tools/ansible/roles/ansible-xml/tests/results/test-set-element-value.xml new file mode 100644 index 0000000..496d225 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/results/test-set-element-value.xml @@ -0,0 +1,14 @@ + + + Tasty Beverage Co. + + Rochefort 10 + St. Bernardus Abbot 12 + Schlitz + + 11 + + +
http://tastybeverageco.com
+
+
\ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-add-children-elements.yml b/tools/ansible/roles/ansible-xml/tests/test-add-children-elements.yml new file mode 100644 index 0000000..093ce15 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-add-children-elements.yml @@ -0,0 +1,13 @@ +--- + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Add child element + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/beers + add_children: + - beer: "Old Rasputin" + + - name: Test expected result + command: diff results/test-add-children-elements.xml /tmp/ansible-xml-beers.xml \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-add-children-from-groupvars.yml b/tools/ansible/roles/ansible-xml/tests/test-add-children-from-groupvars.yml new file mode 100644 index 0000000..9bbe14f --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-add-children-from-groupvars.yml @@ -0,0 +1,12 @@ +--- + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Add child element + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/beers + add_children: "{{ bad_beers }}" + + - name: Test expected result + command: diff results/test-add-children-from-groupvars.xml /tmp/ansible-xml-beers.xml \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-add-children-with-attributes.yml b/tools/ansible/roles/ansible-xml/tests/test-add-children-with-attributes.yml new file mode 100644 index 0000000..2870ff6 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-add-children-with-attributes.yml 
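Review bot: The `Test expected result` task in `test-add-children-elements.yml` runs `command: diff ...` without `changed_when: False`, so a passing comparison is still reported as a change; the same applies to the `diff` tasks in `test-add-children-from-groupvars.yml`, `test-add-children-with-attributes.yml`, `test-remove-attribute.yml` and `test-remove-element.yml`, while `test-set-attribute-value.yml` and `test-set-element-value.yml` already carry it. Adding `changed_when: False` uniformly keeps the `changed=0` signal usable for an idempotence check. The `Setup test fixture` task copies into the fixed path `/tmp/ansible-xml-beers.xml`; a fixed name in a world-writable directory is shared between concurrent runs and with every local user, so a per-run directory under the test tree would be a safer default for CI.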
@@ -0,0 +1,15 @@ +--- + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Add child element + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/beers + add_children: + - beer: + name: Ansible Brew + type: light + + - name: Test expected result + command: diff results/test-add-children-with-attributes.xml /tmp/ansible-xml-beers.xml \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-count.yml b/tools/ansible/roles/ansible-xml/tests/test-count.yml new file mode 100644 index 0000000..9d4050d --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-count.yml @@ -0,0 +1,11 @@ +--- + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Add child element + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/beers/beer + count: true + register: beers + failed_when: beers.count != 3 \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-mutually-exclusive-attributes.yml b/tools/ansible/roles/ansible-xml/tests/test-mutually-exclusive-attributes.yml new file mode 100644 index 0000000..bb0d67d --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-mutually-exclusive-attributes.yml @@ -0,0 +1,13 @@ +--- + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Specify both children to add and a value + xml: + file: /tmp/ansible-xml-beers.xml + add_children: + - child01 + - child02 + value: conflict! + # @todo this is exercised but not really tested + ignore_errors: true \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-remove-attribute.yml b/tools/ansible/roles/ansible-xml/tests/test-remove-attribute.yml new file mode 100644 index 0000000..26e2e14 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-remove-attribute.yml 
@@ -0,0 +1,12 @@ +--- + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Remove '/business/rating/@subjective' + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/rating/@subjective + ensure: absent + + - name: Test expected result + command: diff results/test-remove-attribute.xml /tmp/ansible-xml-beers.xml \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-remove-element.yml b/tools/ansible/roles/ansible-xml/tests/test-remove-element.yml new file mode 100644 index 0000000..9524bab --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-remove-element.yml @@ -0,0 +1,12 @@ +--- + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Remove '/business/rating' + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/rating + ensure: absent + + - name: Test expected result + command: diff results/test-remove-element.xml /tmp/ansible-xml-beers.xml \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-set-attribute-value.yml b/tools/ansible/roles/ansible-xml/tests/test-set-attribute-value.yml new file mode 100644 index 0000000..b43b4e7 --- /dev/null +++ b/tools/ansible/roles/ansible-xml/tests/test-set-attribute-value.yml @@ -0,0 +1,14 @@ +--- + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Set '/business/rating/@subjective' to 'false' + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/rating + attribute: subjective + value: "false" + + - name: Test expected result + command: diff results/test-set-attribute-value.xml /tmp/ansible-xml-beers.xml + changed_when: False \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-set-element-value.yml b/tools/ansible/roles/ansible-xml/tests/test-set-element-value.yml new file mode 100644 index 0000000..bd134a8 --- /dev/null 
+++ b/tools/ansible/roles/ansible-xml/tests/test-set-element-value.yml @@ -0,0 +1,13 @@ +--- + - name: Setup test fixture + command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml + + - name: Set '/business/rating' to 'false' + xml: + file: /tmp/ansible-xml-beers.xml + xpath: /business/rating + value: "11" + + - name: Test expected result + command: diff results/test-set-element-value.xml /tmp/ansible-xml-beers.xml + changed_when: False \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test-tomcat-server-xml.yml b/tools/ansible/roles/ansible-xml/tests/test-tomcat-server-xml.yml deleted file mode 100644 index cae2c79..0000000 --- a/tools/ansible/roles/ansible-xml/tests/test-tomcat-server-xml.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -- hosts: localhost - vars_files: [group_vars/all] - remote_user: root - - vars: - setup: true - - roles: - - { role: ansible-xml } - - post_tasks: - - name: Setup test fixture - command: cp fixtures/ansible-xml-tomcat-server.xml /tmp/ansible-xml-tomcat-server.xml - when: setup - - - name: Count the host we're trying to add - xml: - file: /tmp/ansible-xml-tomcat-server.xml - xpath: /Server/Service[@name="Tomcat-Standalone"]/Engine[@name="Standalone"]/Host[@name="ansible-host"] - count: true - register: ansible_host - - - name: Add Ansible Host - xml: - file: /tmp/ansible-xml-tomcat-server.xml - xpath: /Server/Service[@name="Tomcat-Standalone"]/Engine[@name="Standalone"] - add_children: - - Host: - name: ansible-host - appBase: webapps/ansible-host - when: ansible_host.count == 0 \ No newline at end of file diff --git a/tools/ansible/roles/ansible-xml/tests/test.yml b/tools/ansible/roles/ansible-xml/tests/test.yml index d74827d..fb94c42 100644 --- a/tools/ansible/roles/ansible-xml/tests/test.yml +++ b/tools/ansible/roles/ansible-xml/tests/test.yml 
@@ -6,44 +6,14 @@ roles: - { role: ansible-xml } - post_tasks: - - name: Setup test fixture - command: cp fixtures/ansible-xml-beers.xml /tmp/ansible-xml-beers.xml - - - name: Verify the module removes the 'rating' node - xml: file=/tmp/ansible-xml-beers.xml xpath=/business/rating ensure=absent - - - name: Verify that Ansible detects mutually exclusive attributes (children & value) - xml: - file: /tmp/ansible-xml-beers.xml - add_children: - - child01 - - child02 - value: conflict! - ignore_errors: yes - - - name: Add a badbeers element - xml: - file: /tmp/ansible-xml-beers.xml - xpath: /business - add_children: - - badbeers - - nodeName: nodeValue - - nodeName: - attribute: attributeValue - __v: nodeValue - - - name: Add several more (bad) beers to the beers element, assuming a group_vars file with a 'bad_beers' variable in it - xml: - file: /tmp/ansible-xml-beers.xml - xpath: /business/beers - add_children: "{{ bad_beers }}" - - - name: Add several more (bad) beers to the beers element - xml: - file: /tmp/ansible-xml-beers.xml - xpath: /business/beers - add_children: - - beer: "Old Rasputin" - - beer: "Old Motor Oil" - - beer: "Old Curmudgeon" \ No newline at end of file + tasks: + - include: test-add-children-elements.yml + - include: test-add-children-from-groupvars.yml + - include: test-add-children-with-attributes.yml + - include: test-count.yml + - include: test-mutually-exclusive-attributes.yml + # @todo removal of attributes is broken? +# - include: test-remove-attribute.yml + - include: test-remove-element.yml + - include: test-set-attribute-value.yml + - include: test-set-element-value.yml \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/tasks/main/configure.yml b/tools/ansible/roles/openconext-api/tasks/main/configure.yml index 804aed9..7e5fbd7 100644 --- a/tools/ansible/roles/openconext-api/tasks/main/configure.yml +++ b/tools/ansible/roles/openconext-api/tasks/main/configure.yml 
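Review bot: `test-remove-attribute.yml` is left commented out with `# @todo removal of attributes is broken?`, while the role's README in this same commit still presents removing the `subjective` attribute of the rating element as a supported operation. Either the README should carry the caveat or the comment should say what is known to fail; the expected result file `results/test-remove-attribute.xml` is added in this commit, so the test is ready to be enabled once the module is fixed, and a bare question mark hides that gap from users. A comment such as `# disabled: attribute removal (ensure=absent on /business/rating/@subjective) appears broken; expected output is in results/test-remove-attribute.xml` would document the state.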
@@ -1,17 +1,17 @@ --- - name: Set logging configuration template: - src: "api-logback.{{ api_logging_policy }}.xml" + src: "../../templates/api-logback.{{ api_logging_policy }}.xml" dest: "{{ tomcat_classpath_path }}/api-logback.xml" - name: Set caching configuration template: - src: api-ehcache.xml.j2 + src: ../../templates/api-ehcache.xml.j2 dest: "{{ tomcat_classpath_path }}/api-ehcache.xml" - name: Set configuration properties template: - src: coin-api.properties.j2 + src: ../../templates/coin-api.properties.j2 dest: "{{ tomcat_classpath_path }}/coin-api.properties" - name: Detect if we're already in the server.xml diff --git a/tools/ansible/roles/openconext-api/tasks/main/install-src.yml b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml index d593fad..6a693a4 100644 --- a/tools/ansible/roles/openconext-api/tasks/main/install-src.yml +++ b/tools/ansible/roles/openconext-api/tasks/main/install-src.yml @@ -1,4 +1,9 @@ --- + - name: SRC - Remove repo + file: + path: "{{ api_release_dir }}" + state: absent + - name: SRC - Install Git repo git: accept_hostkey: yes 
@@ -6,18 +11,30 @@ dest: "{{ api_release_dir }}" version: "{{ api_version }}" + - name: Set the version in the parent project) (may not have been set properly for branches) + xml: + file: "{{ api_release_dir }}/pom.xml" + xpath: /*[name()='project']/*[name()='version'] + value: "{{ api_version_dir }}" + + - name: Set the version (in all parent projects) (may not have been set properly for branches) + xml: + file: "{{ item }}" + xpath: /*[name()='project']/*[name()='parent']/*[name()='version'] + value: "{{ api_version_dir }}" + with_items: + - "{{ api_release_dir }}/coin-api-client/pom.xml" + - "{{ api_release_dir }}/coin-api-dist/pom.xml" + - "{{ api_release_dir }}/coin-api-external-groups/pom.xml" + - "{{ api_release_dir }}/coin-api-serviceregistry-client/pom.xml" + - "{{ api_release_dir }}/coin-api-war/pom.xml" + - name: SRC - Running Maven install command: mvn -q clean install -DskipTests args: chdir: "{{ api_release_dir }}" - - name: SRC - Find built dists - shell: ls {{ api_release_dir }}/coin-api-dist/target/coin-api-dist-*-bin.tar.gz - register: dist - failed_when: "dist.stdout_lines|length != 1" - changed_when: False - - name: SRC - Copy build to build directory copy: - src: "{{ dist.stdout }}" + src: "{{ api_release_dir }}/coin-api-dist/target/coin-api-dist-{{ api_version_dir }}-bin.tar.gz" dest: "{{ api_build_path }}" \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/tasks/main/install.yml b/tools/ansible/roles/openconext-api/tasks/main/install.yml index ba54f84..14f42cf 100644 --- a/tools/ansible/roles/openconext-api/tasks/main/install.yml +++ b/tools/ansible/roles/openconext-api/tasks/main/install.yml 
@@ -23,10 +23,15 @@ file: path={{ tomcat_work_path }} owner=tomcat group=tomcat recurse=true state=directory - name: Clean Tomcat work - shell: rm -rvf {{ tomcat_work_path }}/api.{{ openconext_domain }}/* + shell: rm -rvf {{ tomcat_work_path }}/* - name: Install Tomcat webapps directory file: path={{ tomcat_webapps_path }} owner=tomcat group=tomcat recurse=true state=directory - name: Clean Tomcat webapps - shell: rm -rvf {{ tomcat_webapps_path }}/api.{{ openconext_domain }}/* \ No newline at end of file + shell: rm -rvf {{ tomcat_webapps_path }}/* + + - name: Install WAR + copy: + src: "{{ releases_dir }}/coin-api-dist-{{ api_version_dir }}/tomcat/webapps/coin-api-war-{{ api_version_dir }}.war" + dest: "{{ tomcat_webapps_path }}/coin-api-war-{{ api_version_dir }}.war" \ No newline at end of file diff --git a/tools/ansible/roles/openconext-api/templates/coin-api.properties.j2 b/tools/ansible/roles/openconext-api/templates/coin-api.properties.j2 index 6c1023c..3a4ed0a 100644 --- a/tools/ansible/roles/openconext-api/templates/coin-api.properties.j2 +++ b/tools/ansible/roles/openconext-api/templates/coin-api.properties.j2 @@ -7,7 +7,7 @@ janus.user={{ api_janus_user }} janus.secret={{ api_janus_secret }} -janus.uri={{ serviceregistry_url }} +janus.uri={{ api_janus_url }} coin-api.jdbc.driver=com.mysql.jdbc.Driver coin-api.jdbc.url=jdbc:mysql://db.{{ openconext_domain }}:3306/api diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml index b1074fd..21fb37a 100644 --- a/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml +++ b/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml 
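Review bot: `shell: rm -rvf {{ tomcat_work_path }}/*` (and the matching `tomcat_webapps_path` line) expands an unquoted Jinja value inside a shell command and the `*` glob leaves dot-files behind, so the two "Clean" tasks are neither a complete wipe nor safe should the variable ever contain whitespace or shell metacharacters. Because the directory is (re)created by the `file: ... state=directory` task just above, the idiomatic form is the `file` module, `file: path={{ tomcat_work_path }} state=absent` placed before that task, or at minimum a quoted path, `rm -rvf "{{ tomcat_work_path }}"/*`. The added `Install WAR` copy sets no `owner`/`group` while the surrounding directory tasks pin `owner=tomcat group=tomcat`; adding `owner: tomcat` and `group: tomcat` there keeps the deployment consistent.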
@@ -7,6 +7,7 @@ version: "{{ engine_version }}" - name: SRC - Running Composer install - command: ./bin/composer.phar --prefer-dist --no-interaction install + # Note that we prefer source (which is slower...) because of the GitHub API rate limiting :( + command: ./bin/composer.phar --prefer-source --no-interaction install args: chdir: "{{ engine_release_dir }}" \ No newline at end of file From 05821bde96ca9cb858f5fb7aa02f0967b963415c Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Fri, 11 Jul 2014 17:33:27 +0200 Subject: [PATCH 41/49] Bugfixes after testing API and EB role --- scripts/components/api.sh | 36 +++++++++---------- scripts/components/engineblock.sh | 6 ++-- tools/ansible/api.yml | 3 +- tools/ansible/engineblock.yml | 10 +++--- .../ansible/templates}/engineblock.sql.j2 | 0 5 files changed, 29 insertions(+), 26 deletions(-) rename {data => tools/ansible/templates}/engineblock.sql.j2 (100%) diff --git a/scripts/components/api.sh b/scripts/components/api.sh index 349b322..b37c2cc 100755 --- a/scripts/components/api.sh +++ b/scripts/components/api.sh @@ -2,7 +2,7 @@ # Make sure Ansible is installed cleanly sudo yum erase -y ansible && -sudo yum install -y ansible MySQL-python patch && +sudo yum install -y ansible MySQL-python patch python-lxml && # Patch Ansible for: #8050: ini_file module still changes all option names to lower case. # -b = backup, -N = assume merged if failed, -u = Unified format, -p0 = 0 leading lines, -d chdir to dir before apply. 
@@ -11,31 +11,31 @@ sudo patch -b -N -u -p0 -d /usr/share/ansible/files < $OC_BASEDIR/patches/ansibl
 # Run Ansible playbook
 sudo ansible-playbook \
 -v \
- -i $OC_BASEDIR/tools/ansible/inventory/demo.openconext.org.ini \
- -e "openconext_domain=$OC_DOMAIN" \
- -e "api_version=$API_VERSION" \
+ -i /vagrant/tools/ansible/inventory/demo.openconext.org.ini \
+ -e "openconext_domain=demo.openconext.org" \
+ -e "api_version=feature/ansible" \
 -e "api_db_name=api" \
 -e "api_db_host=localhost" \
 -e "api_db_port=3306" \
- -e "api_db_user=$OC__API_DB_USER" \
- -e "api_db_password=$OC__API_DB_PASS" \
+ -e "api_db_user=api" \
+ -e "api_db_password=api" \
 -e "engine_db_name=engineblock" \
 -e "engine_db_host=localhost" \
 -e "engine_db_port=3306" \
- -e "engine_db_user=$OC__ENGINE_DB_USER" \
- -e "engine_db_password=$OC__ENGINE_DB_PASS" \
+ -e "engine_db_user=root" \
+ -e "engine_db_password=c0n3xt" \
 -e "teams_db_name=" \
 -e "teams_db_user=" \
 -e "teams_db_password=" \
 -e "openconext_error_mail=" \
- -e "engine_idp_cert_string=$ENGINEBLOCK_CERT" \
- -e "api_sp_key_string=$OC_KEY" \
- -e "api_sp_cert_string=$OC_CERT" \
- -e "api_ldap_bind_dn=$OC__LDAP_USER" \
- -e "api_ldap_password=$OC__LDAP_PASS" \
+ -e "engine_idp_cert_string=abcdef1234567890" \
+ -e "api_sp_key_string=abcdef1234567890" \
+ -e "api_sp_cert_string=abcdef1234567890" \
+ -e "api_ldap_bind_dn=ldap" \
+ -e "api_ldap_password=ldap" \
 -e "db_admin_user=root" \
- -e "db_admin_password=$OC__ROOT_DB_PASS" \
- -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \
- -e "serviceregistry_user=$OC__API_JANUSAPI_USER" \
- -e "serviceregistry_secret=$OC__API_JANUSAPI_PASS" \
- $OC_BASEDIR/tools/ansible/api.yml
\ No newline at end of file
+ -e "db_admin_password=c0n3xt" \
+ -e "api_janus_url=https://serviceregistry.demo.openconext.org/simplesaml/module.php/janus/services/rest/" \
+ -e "api_janus_user=engine" \
+ -e "api_janus_password=engine" \
+ /vagrant/tools/ansible/api.yml
\
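Review bot: The new lines replace the `$OC__*` environment lookups with literal credentials (`api_db_password=api`, `engine_db_password=c0n3xt`, `db_admin_password=c0n3xt`, `api_ldap_password=ldap`) plus placeholder key/cert strings; even for a demo box these now sit permanently in the repository history, and `c0n3xt` is the MySQL root password the playbook will set. Keep the `-e "engine_db_password=$OC__ENGINE_DB_PASS"` form and have the script source a git-ignored env file with the demo values. Separately, `-e "api_janus_password=engine"` does not match the `api_janus_secret` that coin-api.properties.j2 reads (`janus.secret={{ api_janus_secret }}`, visible as context in the template hunk above), so unless api.yml maps the one onto the other the Janus secret renders undefined.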
No newline at end of file diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index ae246e6..70d294d 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -23,9 +23,9 @@ sudo ansible-playbook \ -e "engine_ldap_password=$OC__LDAP_PASS" \ -e "db_admin_user=root" \ -e "db_admin_password=$OC__ROOT_DB_PASS" \ - -e "serviceregistry_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \ - -e "serviceregistry_user=$OC__ENGINE_JANUSAPI_USER" \ - -e "serviceregistry_secret=$OC__ENGINE_JANUSAPI_PASS" \ + -e "engine_janus_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \ + -e "engine_janus_user=$OC__ENGINE_JANUSAPI_USER" \ + -e "engine_janus_secret=$OC__ENGINE_JANUSAPI_PASS" \ $OC_BASEDIR/tools/ansible/engineblock.yml ENGINEBLOCK_CERT=`sed '1d;$d' /etc/surfconext/engineblock.crt | tr -d '\n'` \ No newline at end of file diff --git a/tools/ansible/api.yml b/tools/ansible/api.yml index d118051..9d123fd 100644 --- a/tools/ansible/api.yml +++ b/tools/ansible/api.yml @@ -13,9 +13,10 @@ api_git_url: "https://github.com/OpenConext/OpenConext-api.git" api_version_dir: "{{ api_version | replace('/', '-') }}" api_release_dir: "{{ releases_dir }}/OpenConext-api-{{ api_version_dir }}" - api_build_path: "{{ builds_dir }}/coin-api-dist-{{ api_version }}-bin.tar.gz" + api_build_path: "{{ builds_dir }}/coin-api-dist-{{ api_version_dir }}-bin.tar.gz" api_download_url: "https://build.surfconext.nl/repository/public/releases/org/surfnet/coin/coin-api-dist/{{ api_version }}/coin-api-dist-{{ api_version }}-bin.tar.gz" tomcat_path: "/usr/share/tomcat6" + tomcat_conf_path: "{{ tomcat_path }}/conf" tomcat_wars_path: "{{ tomcat_path }}/wars" tomcat_work_path: "{{ tomcat_path }}/work/Catalina/api.{{ openconext_domain }}" tomcat_webapps_path: "{{ tomcat_path }}/webapps/api.{{ openconext_domain }}" 
diff --git a/tools/ansible/engineblock.yml b/tools/ansible/engineblock.yml index 924834d..2941ca1 100644 --- a/tools/ansible/engineblock.yml +++ b/tools/ansible/engineblock.yml @@ -42,9 +42,9 @@ ldap.password : "{{ engine_ldap_password }}" logs.file.writername : "Stream" logs.file.writerparams.stream : "/var/log/surfconext/engineblock.log" - serviceRegistry.location : "{{ serviceregistry_url }}" - serviceRegistry.user : "{{ serviceregistry_user }}" - serviceRegistry.user_secret : "{{ serviceregistry_secret }}" + serviceRegistry.location : "{{ engine_janus_url }}" + serviceRegistry.user : "{{ engine_janus_user }}" + serviceRegistry.user_secret : "{{ engine_janus_secret }}" pre_tasks: - name: Make sure a database exists @@ -77,7 +77,9 @@ post_tasks: - name: Fill out variables in demo data. - template: src=../../../data/engineblock.sql.j2 dest=/tmp/domain.engineblock.sql + template: + src: templates/engineblock.sql.j2 + dest: /tmp/domain.engineblock.sql when: engine_db_install.changed - name: Provision EngineBlock demo data. diff --git a/data/engineblock.sql.j2 b/tools/ansible/templates/engineblock.sql.j2 similarity index 100% rename from data/engineblock.sql.j2 rename to tools/ansible/templates/engineblock.sql.j2 From 4905b8150bce23c03aa22f34521745ba24fdbd51 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Mon, 14 Jul 2014 17:29:15 +0200 Subject: [PATCH 42/49] Bugfixes after testing Ansible roles --- scripts/components/api.sh | 37 ++++++++++--------- scripts/components/engineblock.sh | 17 +++++---- tools/ansible/engineblock.yml | 25 +++++++------ .../tasks/main/activate.yml | 2 +- 4 files changed, 43 insertions(+), 38 deletions(-) diff --git a/scripts/components/api.sh b/scripts/components/api.sh index b37c2cc..9f0fc27 100755 --- a/scripts/components/api.sh +++ b/scripts/components/api.sh 
@@ -9,33 +9,34 @@ sudo yum install -y ansible MySQL-python patch python-lxml &&
 sudo patch -b -N -u -p0 -d /usr/share/ansible/files < $OC_BASEDIR/patches/ansible/ansible/ini_file_keep_key_casing-issue_8050-ansible_1.6.2.diff
 # Run Ansible playbook
+echo "Provisioning API with Ansible..."
 sudo ansible-playbook \
 -v \
 -i /vagrant/tools/ansible/inventory/demo.openconext.org.ini \
- -e "openconext_domain=demo.openconext.org" \
- -e "api_version=feature/ansible" \
+ -e "api_version=$API_VERSION" \
 -e "api_db_name=api" \
 -e "api_db_host=localhost" \
 -e "api_db_port=3306" \
- -e "api_db_user=api" \
- -e "api_db_password=api" \
+ -e "api_db_user=$OC__API_DB_USER" \
+ -e "api_db_password=$OC__API_DB_PASS" \
+ -e "api_janus_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \
+ -e "api_janus_user=$OC__API_JANUSAPI_USER" \
+ -e "api_janus_secret=$OC__API_JANUSAPI_PASS" \
+ -e "api_sp_key_string=$OC_KEY" \
+ -e "api_sp_cert_string=$OC_CERT" \
+ -e "api_ldap_bind_dn=$OC__LDAP_USER" \
+ -e "api_ldap_password=$OC__LDAP_PASS" \
+ -e "db_admin_user=root" \
+ -e "db_admin_password=$OC__ROOT_DB_PASS" \
 -e "engine_db_name=engineblock" \
 -e "engine_db_host=localhost" \
 -e "engine_db_port=3306" \
- -e "engine_db_user=root" \
- -e "engine_db_password=c0n3xt" \
+ -e "engine_db_user=$OC__ENGINE_DB_USER" \
+ -e "engine_db_password=$OC__ENGINE_DB_PASS" \
+ -e "engine_idp_cert_string=$ENGINEBLOCK_CERT" \
+ -e "openconext_domain=$OC_DOMAIN" \
+ -e "openconext_error_mail=" \
 -e "teams_db_name=" \
 -e "teams_db_user=" \
 -e "teams_db_password=" \
- -e "openconext_error_mail=" \
- -e "engine_idp_cert_string=abcdef1234567890" \
- -e "api_sp_key_string=abcdef1234567890" \
- -e "api_sp_cert_string=abcdef1234567890" \
- -e "api_ldap_bind_dn=ldap" \
- -e "api_ldap_password=ldap" \
- -e "db_admin_user=root" \
- -e "db_admin_password=c0n3xt" \
- -e "api_janus_url=https://serviceregistry.demo.openconext.org/simplesaml/module.php/janus/services/rest/" \
- -e "api_janus_user=engine" \
- -e "api_janus_password=engine" \
- /vagrant/tools/ansible/api.yml
\ No newline at end of file
+ $OC_BASEDIR/tools/ansible/api.yml
\ No newline at end of file
diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh
index 70d294d..4c3a9f8 100755
--- a/scripts/components/engineblock.sh
+++ b/scripts/components/engineblock.sh
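Review bot: Every secret this hunk restores from the environment (`api_db_password`, `api_janus_secret`, `api_sp_key_string`, `api_ldap_password`, `db_admin_password`, `engine_db_password`) is still handed to ansible-playbook as a `-e "name=value"` argument, which makes it readable by any local user through the process list for the whole run. Write them to a root-only temporary vars file and pass `-e @/path/to/vars.yml` instead; the same applies to the engineblock.sh hunk that follows (`db_admin_password`, `engine_db_password`, `ldap_admin_password`). The inventory also stays at `/vagrant/tools/ansible/inventory/demo.openconext.org.ini` while the playbook is now `$OC_BASEDIR/tools/ansible/api.yml`; engineblock.sh uses `$OC_BASEDIR` for both, and this script only works inside the Vagrant box until the inventory line is aligned (the mismatch is still present in the PATCH 48 hunk of this file).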
@@ -6,26 +6,29 @@ sudo yum install -y ansible MySQL-python patch &&
 # Patch Ansible for: #8050: ini_file module still changes all option names to lower case.
 # -b = backup, -N = assume merged if failed, -u = Unified format, -p0 = 0 leading lines, -d chdir to dir before apply.
-sudo patch -b -N -u -p0 -d /usr/share/ansible/files < $OC_BASEDIR/patches/ansible/ansible/ini_file_keep_key_casing-issue_8050-ansible_1.6.2.diff
+sudo patch -b -N -u -p0 -d /usr/share/ansible/files < $OC_BASEDIR/patches/ansible/ansible/ini_file_keep_key_casing-issue_8050-ansible_1.6.2.diff &&
 # Run Ansible playbook
+echo "Provisioning EngineBlock with Ansible..." &&
 sudo ansible-playbook \
 -v \
 -i $OC_BASEDIR/tools/ansible/inventory/demo.openconext.org.ini \
- -e "openconext_domain=$OC_DOMAIN" \
- -e "engine_version=$ENGINEBLOCK_VERSION" \
+ -e "db_admin_user=root" \
+ -e "db_admin_password=$OC__ROOT_DB_PASS" \
 -e "engine_db_name=engineblock" \
 -e "engine_db_host=localhost" \
 -e "engine_db_port=3306" \
 -e "engine_db_user=$OC__ENGINE_DB_USER" \
 -e "engine_db_password=$OC__ENGINE_DB_PASS" \
- -e "engine_ldap_binddn=cn:engine,dc:surfconext,dc:nl" \
- -e "engine_ldap_password=$OC__LDAP_PASS" \
- -e "db_admin_user=root" \
- -e "db_admin_password=$OC__ROOT_DB_PASS" \
 -e "engine_janus_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \
 -e "engine_janus_user=$OC__ENGINE_JANUSAPI_USER" \
 -e "engine_janus_secret=$OC__ENGINE_JANUSAPI_PASS" \
+ -e "engine_ldap_binddn=cn=engine,dc=surfconext,dc=nl" \
+ -e "engine_ldap_password=$OC__LDAP_PASS" \
+ -e "engine_version=$ENGINEBLOCK_VERSION" \
+ -e "ldap_admin_bind_dn=$OC__LDAPADMIN_USER" \
+ -e "ldap_admin_password=$OC__LDAPADMIN_PASS" \
+ -e "openconext_domain=$OC_DOMAIN" \
 $OC_BASEDIR/tools/ansible/engineblock.yml
 ENGINEBLOCK_CERT=`sed '1d;$d' /etc/surfconext/engineblock.crt | tr -d '\n'`
\ No newline at end of file
diff --git a/tools/ansible/engineblock.yml b/tools/ansible/engineblock.yml
index 2941ca1..267e217 100644
--- a/tools/ansible/engineblock.yml +++ b/tools/ansible/engineblock.yml @@ -11,22 +11,23 @@ configs_dir: "/etc/openconext" # Engine specific variables - enbine_git_url: "https://github.com/OpenConext/OpenConext-engineblock.git" + engine_git_url: "https://github.com/OpenConext/OpenConext-engineblock.git" engine_version_dir: "{{ engine_version | replace('/', '-') }}" engine_release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ engine_version_dir }}" engine_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" engine_current_release_symlink: "/opt/www/engineblock" - engine_git_url: "https://github.com/OpenConext/OpenConext-engineblock.git" + # Note that we actually use "\"{{ variable }}\"" to trick Ansible to put quotes around the values because + # values may contain a ; (the sign for start of a comment in INI 'format'). engine_config: auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.default.pem auth.simplesamlphp.idp.location : "https://engine.{{ openconext_domain }}/authentication/idp/single-sign-on" auth.simplesamlphp.idp.entityId : "https://engine.{{ openconext_domain }}/authentication/idp/metadata" cookie.lang.domain : "{{ openconext_domain }}" cookie.lang.expiry : "60*60*24*60" - database.master1.user : "{{ engine_db_user }}" - database.master1.dsn : "mysql:host:{{ engine_db_host }};dbname:{{ engine_db_name }}" + database.master1.user : "\"{{ engine_db_user }}\"" + database.master1.dsn : "\"mysql:host={{ engine_db_host }};dbname={{ engine_db_name }}\"" database.master1.password : "{{ engine_db_password }}" database.masters[] : "master1" database.slaves[] : "master1" 
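Review bot: `database.master1.password : "{{ engine_db_password }}"` is the one value in this block left without the `"\"…\""` wrapper the new comment introduces, although a password is the value most likely to contain a `;`, and it would then be silently truncated in the INI file. Wrap it like the user and DSN lines: `database.master1.password : "\"{{ engine_db_password }}\""`. Note also that wrapping in double quotes does not escape a `"` embedded in any of these values, so the comment should say so or the values should be escaped before quoting; the `engine_config` block continues in the next hunk.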
@@ -35,16 +36,16 @@ encryption.keys.default.privateFile : /etc/surfconext/engineblock.key encryption.keys.default.publicFile : /etc/surfconext/engineblock.crt ldap.accountDomainName : "surfconext.nl" - ldap.baseDn : "dc:surfconext,dc:nl" + ldap.baseDn : "\"dc=surfconext,dc=nl\"" ldap.host : "ldap.{{ openconext_domain }}" ldap.useSsl : 0 - ldap.userName : "{{ engine_ldap_binddn }}" - ldap.password : "{{ engine_ldap_password }}" - logs.file.writername : "Stream" - logs.file.writerparams.stream : "/var/log/surfconext/engineblock.log" - serviceRegistry.location : "{{ engine_janus_url }}" - serviceRegistry.user : "{{ engine_janus_user }}" - serviceRegistry.user_secret : "{{ engine_janus_secret }}" + ldap.userName : "\"{{ engine_ldap_binddn }}\"" + ldap.password : "\"{{ engine_ldap_password }}\"" + logs.file.writerName : "Stream" + logs.file.writerParams.stream : "/var/log/surfconext/engineblock.log" + serviceRegistry.location : "\"{{ engine_janus_url }}\"" + serviceRegistry.user : "\"{{ engine_janus_user }}\"" + serviceRegistry.user_secret : "\"{{ engine_janus_secret }}\"" pre_tasks: - name: Make sure a database exists diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/activate.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/activate.yml index cbde6b2..874035e 100644 --- a/tools/ansible/roles/openconext-engineblock/tasks/main/activate.yml +++ b/tools/ansible/roles/openconext-engineblock/tasks/main/activate.yml @@ -1,6 +1,6 @@ --- - name: Update LDAP - command: ldapmodify -x -D "{{ admin_ldap_binddn }}" -h localhost -w "{{ admin_ldap password }}" -f {{ item }} + command: ldapmodify -x -D {{ldap_admin_bind_dn}} -h localhost -w {{ldap_admin_password}} -f {{item}} with_items: - "{{ engine_release_dir }}/ldap/changes/addDeprovisionWarningSentAttributes.ldif" - "{{ engine_release_dir }}/ldap/changes/addCollabPersonUUID.ldif" From cf57b59ebe51f9f9e759c1db0d949743661bae2c Mon Sep 17 00:00:00 2001 
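Review bot: The rewritten `ldapmodify` line passes the admin password as `-w {{ldap_admin_password}}`, which places it in the process arguments and in the task result that the `command` module records, and it drops the quotes around the bind DN so a DN containing a space would be split into separate arguments. Add `no_log: true` to the task, quote the DN again (`-D "{{ ldap_admin_bind_dn }}"`), and prefer reading the password from a root-only file with `-y <password-file>` over `-w`. The task also re-applies every LDIF on each run, so a second run fails once the attributes exist; that is worth a `# not idempotent` comment until the changes are guarded.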
From: Boy Baukema Date: Tue, 15 Jul 2014 14:00:39 +0200 Subject: [PATCH 43/49] Ansible: fix engine LDAP provisioning --- scripts/components/engineblock.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/components/engineblock.sh b/scripts/components/engineblock.sh index 4c3a9f8..7582d44 100755 --- a/scripts/components/engineblock.sh +++ b/scripts/components/engineblock.sh @@ -23,8 +23,8 @@ sudo ansible-playbook \ -e "engine_janus_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \ -e "engine_janus_user=$OC__ENGINE_JANUSAPI_USER" \ -e "engine_janus_secret=$OC__ENGINE_JANUSAPI_PASS" \ - -e "engine_ldap_binddn=cn=engine,dc=surfconext,dc=nl" \ - -e "engine_ldap_password=$OC__LDAP_PASS" \ + -e "engine_ldap_bind_dn=$OC__LDAP_ENGINE_USER" \ + -e "engine_ldap_password=$OC__LDAP_ENGINE_PASS" \ -e "engine_version=$ENGINEBLOCK_VERSION" \ -e "ldap_admin_bind_dn=$OC__LDAPADMIN_USER" \ -e "ldap_admin_password=$OC__LDAPADMIN_PASS" \ From fb642875af8058d6a584623ad97525c275d83046 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Tue, 15 Jul 2014 14:01:23 +0200 Subject: [PATCH 44/49] Ansible: move vars to defaults --- tools/ansible/engineblock.yml | 24 ++++--------------- .../openconext-engineblock/defaults/main.yml | 15 ++++++++++++ 2 files changed, 20 insertions(+), 19 deletions(-) create mode 100644 tools/ansible/roles/openconext-engineblock/defaults/main.yml diff --git a/tools/ansible/engineblock.yml b/tools/ansible/engineblock.yml index 267e217..f4389a6 100644 --- a/tools/ansible/engineblock.yml +++ b/tools/ansible/engineblock.yml 
@@ -4,24 +4,10 @@ remote_user: "{{ remote_user }}" vars: - temp_dir: "/tmp" - logging_dir: "/var/log/openconext" - releases_dir: "/opt/openconext" - builds_dir: "{{ releases_dir }}/builds" - configs_dir: "/etc/openconext" - - # Engine specific variables - engine_git_url: "https://github.com/OpenConext/OpenConext-engineblock.git" - engine_version_dir: "{{ engine_version | replace('/', '-') }}" - engine_release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ engine_version_dir }}" - engine_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" - engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" - engine_current_release_symlink: "/opt/www/engineblock" - # Note that we actually use "\"{{ variable }}\"" to trick Ansible to put quotes around the values because # values may contain a ; (the sign for start of a comment in INI 'format'). engine_config: - auth.simplesamlphp.idp.certificate : /etc/surfconext/engineblock.default.pem + auth.simplesamlphp.idp.certificate : /etc/openconext/engineblock.default.pem auth.simplesamlphp.idp.location : "https://engine.{{ openconext_domain }}/authentication/idp/single-sign-on" auth.simplesamlphp.idp.entityId : "https://engine.{{ openconext_domain }}/authentication/idp/metadata" cookie.lang.domain : "{{ openconext_domain }}" 
@@ -33,16 +19,16 @@ database.slaves[] : "master1" dynamicAssets : true email.sendWelcomeMail : 0 - encryption.keys.default.privateFile : /etc/surfconext/engineblock.key - encryption.keys.default.publicFile : /etc/surfconext/engineblock.crt + encryption.keys.default.privateFile : /etc/openconext/engineblock.key + encryption.keys.default.publicFile : /etc/openconext/engineblock.crt ldap.accountDomainName : "surfconext.nl" ldap.baseDn : "\"dc=surfconext,dc=nl\"" ldap.host : "ldap.{{ openconext_domain }}" ldap.useSsl : 0 - ldap.userName : "\"{{ engine_ldap_binddn }}\"" + ldap.userName : "\"{{ engine_ldap_bind_dn }}\"" ldap.password : "\"{{ engine_ldap_password }}\"" logs.file.writerName : "Stream" - logs.file.writerParams.stream : "/var/log/surfconext/engineblock.log" + logs.file.writerParams.stream : "/var/log/openconext/engineblock.log" serviceRegistry.location : "\"{{ engine_janus_url }}\"" serviceRegistry.user : "\"{{ engine_janus_user }}\"" serviceRegistry.user_secret : "\"{{ engine_janus_secret }}\"" diff --git a/tools/ansible/roles/openconext-engineblock/defaults/main.yml b/tools/ansible/roles/openconext-engineblock/defaults/main.yml new file mode 100644 index 0000000..432b1a5 --- /dev/null +++ b/tools/ansible/roles/openconext-engineblock/defaults/main.yml 
@@ -0,0 +1,15 @@ +--- +# OpenConext global variables. +temp_dir: "/tmp" +logging_dir: "/var/log/openconext" +releases_dir: "/opt/openconext" +builds_dir: "{{ releases_dir }}/builds" +configs_dir: "/etc/openconext" + +# Engine installer specific variables. +engine_git_url: "https://github.com/OpenConext/OpenConext-engineblock.git" +engine_version_dir: "{{ engine_version | replace('/', '-') }}" +engine_release_dir: "{{ releases_dir }}/OpenConext-engineblock-{{ engine_version_dir }}" +engine_build_path: "{{ builds_dir }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" +engine_download_url: "https://github.com/OpenConext/OpenConext-engineblock/releases/download/{{ engine_version }}/OpenConext-engineblock-{{ engine_version_dir }}.tar.gz" +engine_current_release_symlink: "/opt/www/engineblock" \ No newline at end of file From 0be5c251e8927448ea0a99f8e80f8cc979d7d6e6 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Tue, 15 Jul 2014 14:01:47 +0200 Subject: [PATCH 45/49] Ansible: update git repo if it already exists --- .../roles/openconext-engineblock/tasks/main/install-src.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml index 21fb37a..b500f53 100644 --- a/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml +++ b/tools/ansible/roles/openconext-engineblock/tasks/main/install-src.yml @@ -5,6 +5,8 @@ repo: "{{ engine_git_url }}" dest: "{{ engine_release_dir }}" version: "{{ engine_version }}" + remote: origin + update: yes - name: SRC - Running Composer install # Note that we prefer source (which is slower...) because of the GitHub API rate limiting :( From 4728272902a0f064ee3faeba0bdafe580a66bb3e Mon Sep 17 00:00:00 2001 
From: Boy Baukema Date: Tue, 15 Jul 2014 14:02:03 +0200 Subject: [PATCH 46/49] Ansible: remove obsolete site playbook --- tools/ansible/site.yml | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tools/ansible/site.yml diff --git a/tools/ansible/site.yml b/tools/ansible/site.yml deleted file mode 100644 index d65f13f..0000000 --- a/tools/ansible/site.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - - name: Install EngineBlock - include: engineblock.yml \ No newline at end of file From f87cd315b7ad695ec48dd27e189ee169708c4a3b Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Tue, 15 Jul 2014 14:03:11 +0200 Subject: [PATCH 47/49] Updated Ansiblefile --- tools/ansible/Ansiblefile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/ansible/Ansiblefile.lock b/tools/ansible/Ansiblefile.lock index 073dde1..dbd0acd 100644 --- a/tools/ansible/Ansiblefile.lock +++ b/tools/ansible/Ansiblefile.lock @@ -2,7 +2,7 @@ GIT remote: git@github.com:OpenConext/OpenConext-api.git path: ./coin-api-dist/src/main/resources/ansible-openconext-api ref: feature/ansible - sha: 71768064bc0ab62483ea84bbc053892f7cb89b99 + sha: 6a8d01c9e952d19cf114f6cf084ae4de75c14da7 specs: openconext-api (4.2.0) @@ -10,7 +10,7 @@ GIT remote: git@github.com:OpenConext/OpenConext-engineblock.git path: ./tools/ansible-role-openconext-engineblock ref: feature/ansible - sha: e0fccb5321aedc0a0ecc73bf9e5274e70cda85ab + sha: e9f162497cbf7f1e8c89625f0c852b6a926113ea specs: openconext-engineblock (4.2.0) From f2e233297aa031229d1b1c84c2abf7207d7b4da4 Mon Sep 17 00:00:00 2001 From: Boy Baukema Date: Mon, 21 Jul 2014 09:53:48 +0200 Subject: [PATCH 48/49] Removed defaults from API provisioning and added credentials for teams database --- scripts/components/api.sh | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/scripts/components/api.sh b/scripts/components/api.sh index 9f0fc27..7cc72fd 100755 --- a/scripts/components/api.sh +++ b/scripts/components/api.sh 
@@ -14,29 +14,20 @@ sudo ansible-playbook \
 -v \
 -i /vagrant/tools/ansible/inventory/demo.openconext.org.ini \
 -e "api_version=$API_VERSION" \
- -e "api_db_name=api" \
- -e "api_db_host=localhost" \
- -e "api_db_port=3306" \
 -e "api_db_user=$OC__API_DB_USER" \
 -e "api_db_password=$OC__API_DB_PASS" \
- -e "api_janus_url=https://serviceregistry.$OC_DOMAIN/simplesaml/module.php/janus/services/rest/" \
 -e "api_janus_user=$OC__API_JANUSAPI_USER" \
 -e "api_janus_secret=$OC__API_JANUSAPI_PASS" \
 -e "api_sp_key_string=$OC_KEY" \
 -e "api_sp_cert_string=$OC_CERT" \
 -e "api_ldap_bind_dn=$OC__LDAP_USER" \
 -e "api_ldap_password=$OC__LDAP_PASS" \
- -e "db_admin_user=root" \
 -e "db_admin_password=$OC__ROOT_DB_PASS" \
- -e "engine_db_name=engineblock" \
- -e "engine_db_host=localhost" \
- -e "engine_db_port=3306" \
 -e "engine_db_user=$OC__ENGINE_DB_USER" \
 -e "engine_db_password=$OC__ENGINE_DB_PASS" \
 -e "engine_idp_cert_string=$ENGINEBLOCK_CERT" \
 -e "openconext_domain=$OC_DOMAIN" \
- -e "openconext_error_mail=" \
- -e "teams_db_name=" \
- -e "teams_db_user=" \
- -e "teams_db_password=" \
+ -e "openconext_error_mail=$OC__ADMIN_EMAIL" \
+ -e "teams_db_user=$OC__TEAMS_DB_USER" \
+ -e "teams_db_password=$OC__TEAMS_DB_PASS" \
 $OC_BASEDIR/tools/ansible/api.yml
\ No newline at end of file
From 5c0d739123f8abaeb42a23ad41f19d4ba321204e Mon Sep 17 00:00:00 2001
From: Boy Baukema
Date: Mon, 21 Jul 2014 09:55:45 +0200
Subject: [PATCH 49/49] Ran Librarian-update
---
 tools/ansible/Ansiblefile | 14 +++++++-------
 tools/ansible/Ansiblefile.lock | 6 +++---
 .../openconext-engineblock/tasks/main/install.yml | 12 +++++++-----
 .../legacy/4.2.0/migrate-to-etc-openconext.yml | 4 ++--
 .../legacy/4.2.0/migrate-to-log-openconext.yml | 12 ++++++++++--
 5 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/tools/ansible/Ansiblefile b/tools/ansible/Ansiblefile
index 800e030..5a1aa44 100644
--- a/tools/ansible/Ansiblefile
+++ b/tools/ansible/Ansiblefile
@@ -2,14 +2,14 @@ #^syntax detection role "openconext-engineblock", - git: "git@github.com:OpenConext/OpenConext-engineblock.git", - ref: "feature/ansible", - path: "./tools/ansible-role-openconext-engineblock" + git: "git@github.com:OpenConext/OpenConext-engineblock.git", + ref: "feature/ansible", + path: "./tools/ansible-role-openconext-engineblock" role "openconext-api", - git: "git@github.com:OpenConext/OpenConext-api.git", - ref: "feature/ansible", - path: "./coin-api-dist/src/main/resources/ansible-openconext-api" + git: "git@github.com:OpenConext/OpenConext-api.git", + ref: "feature/ansible", + path: "./coin-api-dist/src/main/ansible" role "ansible-xml", - github: "relaxnow/ansible-xml" \ No newline at end of file + github: "relaxnow/ansible-xml" \ No newline at end of file diff --git a/tools/ansible/Ansiblefile.lock b/tools/ansible/Ansiblefile.lock index dbd0acd..ac0ad26 100644 --- a/tools/ansible/Ansiblefile.lock +++ b/tools/ansible/Ansiblefile.lock @@ -1,8 +1,8 @@ GIT remote: git@github.com:OpenConext/OpenConext-api.git - path: ./coin-api-dist/src/main/resources/ansible-openconext-api + path: ./coin-api-dist/src/main/ansible ref: feature/ansible - sha: 6a8d01c9e952d19cf114f6cf084ae4de75c14da7 + sha: d83128625e35ec608dada60942aee285505b554e specs: openconext-api (4.2.0) @@ -10,7 +10,7 @@ GIT remote: git@github.com:OpenConext/OpenConext-engineblock.git path: ./tools/ansible-role-openconext-engineblock ref: feature/ansible - sha: e9f162497cbf7f1e8c89625f0c852b6a926113ea + sha: 9cb71737ff62320103ac419e90cacca27166b671 specs: openconext-engineblock (4.2.0) diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/install.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/install.yml index bc6c16d..275bae1 100644 --- a/tools/ansible/roles/openconext-engineblock/tasks/main/install.yml +++ b/tools/ansible/roles/openconext-engineblock/tasks/main/install.yml 
@@ -17,11 +17,13 @@ include: install-src.yml when: engine_version | match("^[^0-9]") + - name: Check if /etc/openconext/engineblock.ini exists yet + stat: path=/etc/openconext/engineblock.ini + register: engineblock_ini + - name: Install default application settings (if no settings exist yet) - copy: - src: "{{ engine_release_dir }}/etc/openconext/engineblock.ini" - dest: /etc/openconext/engineblock.ini - force: no + command: cp "{{ engine_release_dir }}/etc/openconext/engineblock.ini" /etc/openconext/engineblock.ini + when: not engineblock_ini.stat.exists - name: Migrate the configuration file command: "{{ engine_release_dir }}/bin/migrate_etc.php" @@ -37,4 +39,4 @@ command: openssl req -subj '/CN=Engine/OU=Services/O=OpenConext/C=NL/' -newkey rsa:2048 -new -x509 -days 3652 -nodes -out engineblock.crt -keyout engineblock.key args: chdir: /etc/openconext - when: default_cert.stat.exists == false \ No newline at end of file + when: not default_cert.stat.exists \ No newline at end of file diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-etc-openconext.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-etc-openconext.yml index 6e4ed69..444a1bf 100644 --- a/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-etc-openconext.yml +++ b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-etc-openconext.yml @@ -5,8 +5,8 @@ register: legacy_etc_dir - name: Legacy - move directory /etc/surfconext to /etc/openconext - command: mv /etc/surfconext "{{ configs_dir }}" - when: legacy_etc_dir.stat.exists == true and legacy_etc_dir.stat.isdir == true + command: mv -T /etc/surfconext "{{ configs_dir }}" + when: legacy_etc_dir.stat.exists and legacy_etc_dir.stat.isdir - name: Legacy - Ensure /etc/surfconext points to /etc/openconext file: path=/etc/surfconext src={{ configs_dir }} state=link \ No newline at end of file 
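Review bot: The new `command: cp ... /etc/openconext/engineblock.ini` drops the mode control the `copy` module offered, so the installed INI ends up with whatever mode the release tree's copy plus the umask produce — for a file that presumably holds database credentials (to be confirmed from the INI template) that is likely world-readable. Add a follow-up task such as `- file: path=/etc/openconext/engineblock.ini mode=0640` (with the owner/group the web server runs as) after the copy. The separate `stat` plus `when: not engineblock_ini.stat.exists` can also collapse into `command: cp "{{ engine_release_dir }}/etc/openconext/engineblock.ini" /etc/openconext/engineblock.ini creates=/etc/openconext/engineblock.ini`, which gives the same skip-if-present behaviour without a registered variable.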
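Review bot: The rewritten guard `when: not default_cert.stat.exists` only checks that the certificate is missing, and nothing after the `openssl req ... -keyout engineblock.key` line restricts the private key's permissions; on older OpenSSL releases `req -keyout` writes the key with the process umask (typically 0644) rather than 0600, which would leave the IdP signing key readable by every local account — worth confirming on the actual target image. A follow-up task such as `- file: path=/etc/openconext/engineblock.key mode=0600 owner=root` (or the web server's user) closes this regardless of OpenSSL version.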
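Review bot: The guard on the `mv -T /etc/surfconext "{{ configs_dir }}"` task only checks the source; when `{{ configs_dir }}` already exists and is non-empty (for example after a partially completed earlier run) `mv -T` fails and aborts the play with the legacy directory untouched, and the following `file: ... state=link` task is never reached. Register a second `stat` for `{{ configs_dir }}` and add `and not openconext_etc_dir.stat.exists` to the `when:`, with an explicit `fail:` carrying a message when both directories exist so the operator knows a manual merge is needed. The `stat` that registers `legacy_etc_dir` begins before this hunk.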
diff --git a/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-log-openconext.yml b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-log-openconext.yml index 56e53f8..35f250d 100644 --- a/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-log-openconext.yml +++ b/tools/ansible/roles/openconext-engineblock/tasks/main/legacy/4.2.0/migrate-to-log-openconext.yml @@ -1,8 +1,16 @@ --- # Migrate to /var/log/openconext + - name: Legacy - Detect /etc/surfconext + stat: path=/etc/surfconext + register: legacy_log_dir + + - name: Legacy - move directory /etc/surfconext to /etc/openconext + command: mv -T /etc/surfconext "{{ configs_dir }}" + + - name: Legacy - Move /var/log/surfconext to /var/log/openconext - command: mv /var/log/surfconext {{ logging_dir }} - ignore_errors: yes + command: mv -T /var/log/surfconext {{ logging_dir }} + when: legacy_log_dir.stat.exists and legacy_etc_dir.stat.isdir - name: Legacy - Install logging directory file: path={{ logging_dir }} state=directory
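Review bot: The second new task, `Legacy - move directory /etc/surfconext to /etc/openconext`, looks like a copy-paste leftover from migrate-to-etc-openconext.yml: it has no `when:` guard, so on any host where `/etc/surfconext` is absent, or is already the symlink that file creates, it fails and aborts the play. The detection task also stats `/etc/surfconext` instead of `/var/log/surfconext`, and the `when:` on the log move mixes `legacy_log_dir.stat.exists` with `legacy_etc_dir.stat.isdir`, a variable that only exists if the other task file ran earlier in the same play; together these mean the log directory is moved based on the state of the config directory, and with `ignore_errors: yes` removed a failure here now stops provisioning. Drop the stray task, stat the log directory, and guard the move on that result only:

```yaml
  - name: Legacy - Detect /var/log/surfconext
    stat: path=/var/log/surfconext
    register: legacy_log_dir

  - name: Legacy - Move /var/log/surfconext to /var/log/openconext
    command: mv -T /var/log/surfconext {{ logging_dir }}
    when: legacy_log_dir.stat.exists and legacy_log_dir.stat.isdir

  # … unchanged: Legacy - Install logging directory …
```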
