# [Ansible](https://docs.ansible.com/ansible/index.html) repository for LAS/CS NSQ computer
You need to have access to this repository (you need to add your public ssh-key (`ssh-keygen`) to your profile here).
Then you can clone the git repository to work on it locally.
`git clone git@git.scc.kit.edu:las/ansible.git`

Add your computer to the `hosts` file or if you are just testing add it to the local file.
Add your ``hostname`` under each role name (the name in the square brackets) you want to be run on your computer.
Also create a new file which is named after your [fully-qualified-domain-name](https://de.wikipedia.org/wiki/Domain_(Internet)#Fully_Qualified_Domain_Name_.28FQDN.29) (FQDN) in the `host_vars` directory including a [yaml](https://docs.ansible.com/ansible/YAMLSyntax.html) list with some host specific configuration variables, e. g. copy another similar host and adjust it.
These files do not have the `.yml` extension and do not start with `---` as most of the other yaml files do.
Then create a file named after your FQDN with the extension ``.yml`` in the main directory of ansible which includes all the roles one wants to run. This step needs root privileges and therefore only makes sense for the first installation of a computer.

Install ansible and some dependencies: 

```
dnf install ansible git python3-dnf libselinux-python python3-netaddr
```
Run 

```bash
git clone git@git.scc.kit.edu:las-it-organisation/32-0-IT-InstructionsAndRules/ansible.git
cd ansible
sudo ansible-playbook --limit "$(hostname -f)" --vault-id @prompt sites.yml
```

  * If you only want some parts of the roles to be run, you can use the option `-t TAGNAME` to run only those tasks with the given tag.
  * The vault-password is known to the usual suspects.

Unfortunately you need to know the vault password to let ansible run.
If you have got root access to obelix, then you should try to run ansible from that host.
The repository is located at `/root/ansible` and you should pull before running ansible. The advantage is that it is tested.
There might be a tmux running for that purpose anyway.

### Ask for new software
Open an issue in the GitLab issue tracker and use the template for software requests.

If the software is in the Fedora repositories and you think it makes sense to 
install this software only on your computer, you can also provide a merge/pull 
request by adding the software name to the list of `extra_software` in the
`host_vars` file for your computer.

## How to get new software on your computer

## Available roles

* common.yml: basic configuration for all LAS/NSQ computers
* clients.yml: all computers not acting as a server (only) ^1
* desktop.yml: all desktop computers including laptops (having X11/Wayland)
* graphics.yml: fundamental graphics software (Inkscape, Gimp)
* python.yml: basic python_stack for scientific Python usage (including fitting) ^1
* ipynb.yml: IPython/Jupyter notebook ^1
* nfs.yml:
  * nfs-server: export /las-archiv1 to our network
  * lasarchiv: client side mount las126/las-archiv1
* admin.yml: tools for administrators
* chrome.yml: Google Chrome for Fedora (for Adobe Connect usage)
* dhcpd.yml: DHCPd primary and secondary server on Fedora
* elegant.yml: elegant (no Pelegant, yet)
* inovesa.yml: [Inovesa](https://github.com/Inovesa/Inovesa)
* kdev.yml: KDevelop (with Python plugin) ^1
* latex.yml: basic LaTeX installation (Arial not yet) ^1
* opera.yml: Cobham's Opera3d (client) ^2 ^3
* pycharm.yml: Cross platform Python IDE: [PyCharm](https://www.jetbrains.com/pycharm/) IDE
* remmina.yml: Remmina, a Remote Desktop Protocol (Windows remote) client for e. g. [rds.scc.kit.edu](https://rds.scc.kit.edu)
* ripgrep.yml: ripgrep, the better grep
* undulator_control.yml: Install the software stack that is necessary to develop the control system for the JENA TGU experiment
* zotero.yml: A citation management software
* lab.yml: Lab infrastructure (DHCPd)

^1: (also put your FQDN to the \[common\] section in the hosts file as it depends hereon)

^3: (also put your FQDN to the \[lasarchiv\] section in the hosts file as it depends hereon)

### ^2 Opera

After installing Opera via ansible you must confirm the license agreement at first start and go to "Licensing -> Set License Path" and switch to `Other computer(s)` and fill in `@opera.las.kit.edu`.

# Develop new roles, extend or modify existing ones and update roles for new software

## Branches
All roles in the master branch should work and should not break on any of our systems (desktop, server, simulation, notebooks). The `site.yml` should always be runnable and include all roles that are stable and not explicitly for setup purposes only.

For development and testing you should use development branches like `dev-latex`.

You can check the syntax of the files by running `ansible-playbook --syntax-check filename.yml` (or by using the pre-commit hook from the Snippets).

If you just want to install one or many packages you can use `kdev.yml` as a basis or if it is not interesting for others you might want to add it to your host file instead.

Be aware that the development branches here are not safe and the owner might force push to them!

# Run as admin 
## Bootstrapping
* Enable SSH on the new host (`lasXXX$ sudo systemctl start sshd && sudo systemctl enable sshd`)
* Add your SSH-key to the host `obelix# ssh-copy-id lasXXX.las.kit.edu`
* Install ansible dependencies: `lasXXX$ sudo dnf install ansible git python3-dnf libselinux-python python3-netaddr`
* Check the `hosts` file for entries of `lasXXX.las.kit.edu`
* Run `ansible-playbook -K --vault-id @prompt sites.yml` probably with the option `-l lasXXX.las.kit.edu`

## Edit encrypted files
* You can either use `ansible-vault edit --vault-id @prompt group_vars/all/vault.yml` to edit the file in your editor mentioned in the `$EDITOR` environment variable or
* you can decrypt the file `ansible-vault decrypt --vault-id @prompt group_vars/all/vault.yml`, edit the file and encrypt it again `ansible-vault encrypt --ask-vault-pass group_vars/all/vault.yml`

The first one is of course the preferred one, because there is no risk of adding an unencrypted file to the repo.
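
One way to catch a decrypted vault file before it reaches the repo, as an added example that is not part of this repository (and not the pre-commit hook from the Snippets): a Git pre-commit hook that rejects any staged `vault.yml` whose content does not start with the `$ANSIBLE_VAULT;` header written by `ansible-vault encrypt`. The rule that every file named `vault.yml` must be encrypted is an assumption.

```sh
#!/bin/sh
# Added example, not this repository's own hook.
# Assumption: every file named vault.yml must be vault-encrypted when committed.

# Succeeds if the data on stdin starts with the ansible-vault header line.
is_vault_encrypted() {
    first_line=
    IFS= read -r first_line || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints every staged path named vault.yml whose staged content is plaintext.
# It reads the index (git show ":path"), i.e. exactly what would be committed,
# not the working tree, which may already have been re-encrypted.
plaintext_vaults() {
    git diff --cached --name-only --diff-filter=ACM |
    while IFS= read -r path; do
        case "$path" in
            vault.yml|*/vault.yml)
                git show ":$path" | is_vault_encrypted || printf '%s\n' "$path" ;;
        esac
    done
}

# Run the check only when this file is installed as .git/hooks/pre-commit.
if [ "${0##*/}" = "pre-commit" ]; then
    bad=$(plaintext_vaults)
    if [ -n "$bad" ]; then
        printf 'Refusing to commit unencrypted vault file(s):\n%s\n' "$bad" >&2
        exit 1
    fi
fi
```

To use it, save the file as `.git/hooks/pre-commit` in your clone and make it executable.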

## Bootstrap IPA hosts
In this example the client to bootstrap may be `pepe` and the installation takes place from the server `obelix`.
The prompts `#` show that you are working as root.
* Add your (root's) SSH-key to the host `obelix# ssh-copy-id pepe.las.kit.edu`
* Install ansible dependencies on the client: `pepe# dnf install python3-dnf libselinux-python`
* Get a Kerberos ticket (``obelix# kinit -f admin@LAS.KIT.EDU``)
* For the host with the hostname `pepe.las.kit.edu` do the following
* edit a file ``host_vars/pepe.las.kit.edu``
```
obelix# ansible-playbook -l pepe.las.kit.edu add_ipa_host.yml --vault-id @prompt
```
and provide the root password for the new host.

## Decommission/Uninstall a host
* edit the ``add_ipa_host.yml`` and uncomment the uninstall step in it.