• Home
Name Date Size #Lines LOC

..--

roles/openliberty/03-May-2024-13379

templates/03-May-2024-214151

test-local-vars/03-May-2024-3421

vars/03-May-2024-4431

.gitignoreD03-May-202426 43

README.mdD03-May-20244.9 KiB173127

VagrantfileD03-May-2024716 2523

ansible.cfgD03-May-202458 43

backup-db-playbook.ymlD03-May-20242.2 KiB7876

ccc-playbook.ymlD03-May-20242 KiB6965

certbot-playbook.ymlD03-May-2024518 1817

cldr-apps-playbook.ymlD03-May-20241.9 KiB6561

hostname-playbook.ymlD03-May-2024195 86

hostsD03-May-2024424 2720

mysql-playbook.ymlD03-May-2024367 1716

nginx-playbook.ymlD03-May-20241.4 KiB4745

openliberty-playbook.ymlD03-May-20243.1 KiB8885

packages-playbook.ymlD03-May-2024405 1815

redact-db-playbook.ymlD03-May-20242.3 KiB7673

requirements.ymlD03-May-2024382 179

server-playbook.ymlD03-May-20241.8 KiB6461

setup-playbook.ymlD03-May-2024455 129

upgrade-playbook.ymlD03-May-2024153 86

vagrant-playbook.ymlD03-May-2024210 41

README.md

1# Ansible for Survey Tool
2
3These are ansible scripts for setup and maintenance of the Survey Tool.
4
5## Scope
6
7Right now, the test setup mostly controls OpenLiberty, but not the nginx proxy
8due to public port issues (https).
9
10## Setup
11
12### Setup: Control system
13
14This is your local system, where you control the others from.
15
16- Install Ansible <https://ansible.com>
17- Install some prereqs:
18
19```shell
20ansible-galaxy install -r requirements.yml
21```
22
23- Make sure you can `ssh` into all of the needed systems. For example,
24`ssh cldr-ref.unicode.org` should succeed without needing a password.
25
26- You should be able to run `ansible all -m ping` and get something back
27like the following:
28
29```shell
30cldr-ref.unicode.org | SUCCESS => {
31    "ansible_facts": {
32        "discovered_interpreter_python": "/usr/bin/python"
33    },
34    "changed": false,
35    "ping": "pong"
36}
37```
38
39### Setup: Managed systems
40
41- Install python3. Make sure `python --version`
42or `python3 --version` returns "Python 3…"
43
44- TODO: these shouldn't be needed, but they are. Here's the entire
45install command:
46
47```shell
48sudo apt-get update && sudo apt-get install python3 python-apt python3-pymysql
49```
50
51### Setup: surveytool keypair
52
53Create a RSA keypair with no password for the buildbot:
54
55```shell
56mkdir -p ./local-vars
57ssh-keygen -t rsa -b 4096 -f ./local-vars/surveytool -P '' -C 'surveytool deploy'
58```
59
60The contents of the `local-vars/surveytool.pub` file is used for the
61`key:` parameter below in `local.yml`. The `local-vars/surveytool`
62private key is used in the secret `RSA_KEY_SURVEYTOOL`.
63
64Then setup github secrets as shown:
65
66- `SMOKETEST_HOST` -
67  hostname of smoketest
68- `SMOKETEST_PORT` -
69  port of smoketest
70- `RSA_KEY_SURVEYTOOL` -
71  contents of `local-vars/surveytool` (the secret key)
72- `SMOKETEST_KNOWNHOSTS` -
73  run `ssh-keyscan smoketest.example.com` where _smoketest.example.com_
74  is the name of the smoketest server.  Put the results into this
75  secret. One of these lines should match `~/.ssh/known_hosts` on your
76  own system when you ssh into smoketest.
77  Try `grep -i smoke ~/.ssh/known_hosts`
78
79Create a folder "cldrbackup" inside local-vars
80```shell
81mkdir -p ./local-vars/cldrbackup
82```
83
84Add three files inside local-vars/cldrbackup-vars: id_rsa, id_rsa.pub, and known_hosts. These must correspond to the public key for cldrbackup on corp.unicode.org. Copy existing versions if you have them. Otherwise, create new ones with `ssh-keygen -t rsa` and copy the public key to corp.unicode.org with `ssh-copy-id -i ~/.ssh/id_rsa cldrbackup@corp.unicode.org`
85
86### Setup: Config file
87
88- Create a file `local-vars/local.yml` matching the example values in [test-local-vars/local.yml](test-local-vars/local.yml) but with secure passwords instead of `hunter42`, ...!
89
90```yaml
91cldradmin_pw: hunter46 # needs to match cldradmin pw below
92mysql_users:
93  # this is the account used by the survey tool itself
94  # password will match /var/lib/openliberty/usr/servers/cldr/server.env
95  - name: surveytool
96    host: localhost
97    password: hunter42
98    priv: 'cldrdb.*:ALL'
99  # this is the account used for administrative tasks
100  # password will match /home/cldradmin/.my.sql
101  - name: cldradmin
102    password: hunter46
103    priv: 'cldrdb.*:ALL/*.*:PROCESS'
104    append_privs: yes
105# this is the account used for deployment
106surveytooldeploy:
107  # TODO: surveytooldeploy.password appears to be unused?
108  password: hunter43
109  # vap will match CLDR_VAP in /srv/st/config/cldr.properties
110  vap: hunter44
111  # testpw will match CLDR_TESTPW in /srv/st/config/cldr.properties
112  testpw: hunter45
113  oldversion: 39
114  newversion: 40
115  key: ssh-rsa …  ( SSH key goes here)
116  certbot_admin_email: surveytool@unicode.org
117  certbot_certs:
118    - domains:
119      - cldr-ref.unicode.org
120```
121
122## Setup: cldrcc
123
124```shell
125mkdir -p local-vars/cldrcc
126ssh-keygen -t rsa -b 2048 -C 'CLDR Commit Checker' -f local-vars/cldrcc/id_rsa
127```
128
129
130## Configure
131
132Run the setup playbook.
133
134```shell
135ansible-playbook --check setup-playbook.yml
136```
137
138This is in dry run mode. When it looks good to you, take the
139`--check` out and run it again.
140
141You can also use the `-l cldr-smoke.unicode.org` option to limit
142the operation to a single host.
143
144## Local Test
145
146- install vagrant and some provider such as virtualbox or libvirt
147
148```shell
149vagrant up
150```
151
152- To log into the new host, run `vagrant ssh`
153
154- To iterate, trying to reapply ansible, run `vagrant provision --provision-with=ansible`
155
156- to deploy ST to this, use the following:
157
158```shell
159(cd ../.. ; mvn package) # go to the tools folder and build ST (cldr-apps.war, etc.) if not already built
160vagrant ssh -- sudo -u surveytool /usr/local/bin/deploy-to-tomcat.sh $(git rev-parse HEAD) < ../../cldr-apps/target/cldr-apps.war
161```
162
163- Now you should be able to login at <http://127.0.0.1:8880/cldr-apps/>
164
165- If you need to get directly to the tomcat server, use:
166
167```shell
168vagrant ssh -- -L 9080:127.0.0.1:9080
169# leave this shell window open.
170```
171
172Then, you can go to <http://127.0.0.1:9080> and directly access tomcat.
173