# [Ansible](https://docs.ansible.com/ansible/index.html) repository for LAS/CS NSQ computer
You need to have access to this repository (you need to add your public ssh-key (`ssh-keygen; cat ~/.ssh/id_rsa.pub`) to your profile here).
Then you can clone the git repository to work on it locally.
`git clone git@git.scc.kit.edu:las-it-organisation/32-0-IT-InstructionsAndRules/ansible.git`

Add your computer to the `hosts` file or, if you are just testing, add it to a `local` file.
Add your `hostname` under each role name (the name in the square brackets) you want to be run on your computer.
Also create a new file named after your [fully-qualified domain name](https://de.wikipedia.org/wiki/Domain_(Internet)#Fully_Qualified_Domain_Name_.28FQDN.29) (FQDN) in the `host_vars` directory containing a [YAML](https://docs.ansible.com/ansible/YAMLSyntax.html) list of host-specific configuration variables; e.g. copy the file of another similar host and adjust it.
These files do not have the `.yml` extension and do not start with `---` as most of the other YAML files do.

Install ansible and some dependencies:

```
dnf install ansible git python3-dnf libselinux-python python3-netaddr
```
Run

``` bash
git clone git@git.scc.kit.edu:las-it-organisation/32-0-IT-InstructionsAndRules/ansible.git
cd ansible
sudo ansible-playbook --limit $(hostname -f) --vault-id @prompt sites.yml
```

  * If you only want some parts of the roles to be run, you can use the option `-t TAGNAME` to run only those tasks with the given tag.
    You might want to skip some tasks like the update (`--skip-tags update`). To find out what tags are available you can use `--list-tags`.
  * The vault password is known to the usual suspects.

Unfortunately you need to know the vault password to let ansible run.
If you have got root access to obelix, then you should try to run ansible from that host.
The repository is located at `/root/ansible` and you should `git pull` there before running ansible.
The advantage is that it is tested and the ssh-keys are deployed to the workstations.
Maybe you want to run ansible from within a [tmux](https://git.scc.kit.edu/las-it-organisation/32-0-IT-InstructionsAndRules/HowTo/-/blob/master/Running%20programs%20in%20the%20background%20and%20connect%20to%20them%20again.md#screen-and-tmux) session to avoid problems with breaking ssh-connections.

### Ask for new software
Open an issue in the GitLab issue tracker and use the template for software requests.

If the software is in the Fedora repositories and you think it makes sense to
install this software only on your computer, you can also provide a merge/pull
request by adding the software name to the list of `extra_software` in the
`host_vars` file for your computer.

## How to get new software on your computer

## Available roles

* common.yml: basic configuration for all LAS/NSQ computers
* clients.yml: all computers not acting as a server (only) ^1
* desktop.yml: all desktop computers including laptops (having X11/Wayland)
* graphics.yml: fundamental graphics software (Inkscape, Gimp)
* python.yml: basic python_stack for scientific Python usage (including fitting) ^1
* ipynb.yml: IPython/Jupyter notebook ^1
* nfs.yml:
  * nfs-server: export /las-archiv1 to our network (currently not working, see issue #42)
  * lasarchiv: client side mount of obelix/las-archiv1
* admin.yml: tools for administrators
* chrome.yml: Google Chrome for Fedora (for Adobe Connect usage)
* dhcpd.yml: base role for DHCPd (as dependency or guide)
* elegant.yml: elegant (no Pelegant, yet)
* inovesa.yml: [Inovesa](https://github.com/Inovesa/Inovesa)
* kdev.yml: KDevelop (with Python plugin) ^1
* latex.yml: basic LaTeX installation (Arial not yet) ^1
* opera.yml: Cobham's Opera3d (client) ^2 ^3
* pycharm.yml: cross-platform Python IDE: [PyCharm](https://www.jetbrains.com/pycharm/)
* remmina.yml: Remmina, a Remote Desktop Protocol (Windows remote) client, e.g. for [rds.scc.kit.edu](https://rds.scc.kit.edu)
* ripgrep.yml: ripgrep, the better grep
* undulator_control.yml: install the software stack that is necessary to develop the control system for the JENA TGU experiment
* zotero.yml: a citation management software
* lab.yml: lab infrastructure (DHCPd)

^1: (also put your FQDN into the \[common\] section in the hosts file as it depends on it)

^3: (also put your FQDN into the \[lasarchiv\] section in the hosts file as it depends on it)
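
An added helper (example code, not part of this repository) that checks the dependencies stated in footnotes ^1 and ^3 against an inventory in the INI layout of the `hosts` file: every host listed under a dependent role section must also appear under `[common]` or `[lasarchiv]` respectively. The section names `clients`, `python`, `ipynb`, `kdev`, `latex` and `opera` are assumed to match the role names, and the sample inventory is constructed.

```shell
#!/bin/sh
# Added example, not part of this repository: check the role dependencies from the
# footnotes against an inventory in the INI layout of the `hosts` file.
# ^1: hosts under [clients], [python], [ipynb], [kdev] or [latex] must also be under [common].
# ^3: hosts under [opera] must also be under [lasarchiv].
# Usage: sh check_inventory.sh hosts   (without an argument a constructed sample is checked)

# Print the hosts listed under section $2 of inventory file $1, one per line.
section_hosts() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ { insec = ($1 == "[" want "]"); next }
        insec && NF && $1 !~ /^[#;]/ { print $1 }
    ' "$1"
}

# Report every host under [$2] of $1 that is missing from [$3]; returns 1 if any.
check_dependency() {
    inv=$1; role=$2; needs=$3; missing=0
    for h in $(section_hosts "$inv" "$role"); do
        if ! section_hosts "$inv" "$needs" | grep -qxF "$h"; then
            echo "$h is in [$role] but not in [$needs]"
            missing=1
        fi
    done
    return $missing
}

# Run every dependency check from the footnotes on inventory file $1.
check_inventory() {
    bad=0
    for r in clients python ipynb kdev latex; do
        check_dependency "$1" "$r" common || bad=1
    done
    check_dependency "$1" opera lasarchiv || bad=1
    return $bad
}

# Constructed sample inventory: las002 violates ^1 and las003 violates ^3.
sample_inventory() {
    printf '%s\n' '[common]' las001.las.kit.edu las003.las.kit.edu \
        '[python]' las001.las.kit.edu las002.las.kit.edu \
        '[opera]' las003.las.kit.edu '[lasarchiv]' > "$1"
}

inv=${1:-$(mktemp)}
[ "$#" -gt 0 ] || sample_inventory "$inv"
check_inventory "$inv" || echo "inventory has unmet role dependencies"
```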

### ^2 Opera

After installing Opera via ansible you must confirm the license agreement at first start, go to "Licensing -> Set License Path", switch to `Other computer(s)` and fill in `@opera.las.kit.edu`.

# Develop new roles, extend or modify existing ones and update roles for new software

## Branches
All roles in the master branch should work and should not break on any of our systems (desktop, server, simulation, notebooks). The `sites.yml` should always be runnable and include all roles that are stable and not explicitly for setup purposes only.

For development and testing you should use development branches like `dev-latex`.

You can check the syntax of the files by running `ansible-playbook --syntax-check filename.yml` (or by using the pre-commit hook from the Snippets).

If you just want to install one or many packages you can use `kdev.yml` as a basis or if it is not interesting for others you might want to add it to your host file instead.

Be aware that the development branches here are not safe and the owner might force push to them!
However they might be a good resource of hints and documentation!

# Run as admin
## Bootstrapping
In this example the client to bootstrap is called `lasXXX` and the installation takes place from the server `obelix`.
The prompt `#` shows that you are working as root.
* Enable SSH on the new host (`lasXXX$ sudo systemctl start sshd && sudo systemctl enable sshd`)
* Connect to the ansible server (`lasXXX$ ssh nie@obelix.las.kit.edu`)
* Become root (`obelix$ sudo -s`)
* Add your SSH key to the host (`obelix# ssh-copy-id lasXXX.las.kit.edu`)
  * In case it does not work, you have to copy it by hand (copy the content of your key, e.g. `~/.ssh/id_rsa.pub`, into root's `~/.ssh/authorized_keys` file on the new computer and set the access rights to 600)
  * and enable key-based root login (in `/etc/ssh/sshd_config` write `PermitRootLogin without-password`)
* Open a new terminal and install the ansible dependencies on the new host: `lasXXX$ sudo dnf install sudo ansible git python3-dnf python3-netaddr python3-libselinux`
* In our ansible repository, edit the `hosts` file and add entries for `lasXXX.las.kit.edu`
* In our ansible repository, create a file `host_vars/lasXXX.las.kit.edu` with similar contents as the others
* Open a new terminal, go to obelix and become root (`ssh nie@obelix.las.kit.edu` and `sudo -s`)
* Go to ansible (`cd /root/ansible`)
* Synchronise our ansible git repository on obelix (`git pull`)
* Run `ansible-playbook --vault-id @prompt sites.yml --limit lasXXX.las.kit.edu`


### Bootstrap IPA hosts
**Warning** Please run the following commands just once! In case anything went wrong, follow the instructions of [Decommission/Uninstall a host](#decommissionuninstall-a-host)
* Get a Kerberos ticket (`obelix# kinit -f admin@LAS.KIT.EDU`)
* Go to ansible (`cd /root/ansible`)
* Run `ansible-playbook -l lasXXX.las.kit.edu add_ipa_host.yml --vault-password-file password`

and provide the root password for the new host.

You may also want to save and run the sudo rule for one user and computer (snippet $435) to grant someone access to that computer.

## Decommission/Uninstall a host
* Edit the `add_ipa_host.yml` and uncomment the uninstall step in it.

## Edit encrypted files
* You can either use `ansible-vault edit --vault-password-file password group_vars/all/vault.yml` to edit the file in the editor named by your `$EDITOR` environment variable, or
* you can decrypt the file with `ansible-vault decrypt --vault-password-file password group_vars/all/vault.yml`, edit it and encrypt it again with `ansible-vault encrypt --ask-vault-pass group_vars/all/vault.yml`.

The first one is of course the preferred one, because there is no risk of adding an unencrypted file to the repo.


# Nice to know / Random tips
Sometimes it's annoying to wait for all the updates that are installed when running the common role. To skip this step you can add the option `--skip-tags="update"`.