1# Ansible for Survey Tool 2 3These are ansible scripts for setup and maintenance of the Survey Tool. 4 5## Scope 6 7Right now, the test setup mostly controls OpenLiberty, but not the nginx proxy 8due to public port issues (https). 9 10## Setup 11 12### Setup: Control system 13 14This is your local system, where you control the others from. 15 16- Install Ansible <https://ansible.com> 17- Install some prereqs: 18 19```shell 20ansible-galaxy install -r requirements.yml 21``` 22 23- Make sure you can `ssh` into all of the needed systems. For example, 24`ssh cldr-ref.unicode.org` should succeed without needing a password. 25 26- You should be able to run `ansible all -m ping` and get something back 27like the following: 28 29```shell 30cldr-ref.unicode.org | SUCCESS => { 31 "ansible_facts": { 32 "discovered_interpreter_python": "/usr/bin/python" 33 }, 34 "changed": false, 35 "ping": "pong" 36} 37``` 38 39### Setup: Managed systems 40 41- Install python3. Make sure `python --version` 42or `python3 --version` returns "Python 3…" 43 44- TODO: these shouldn't be needed, but they are. Here's the entire 45install command: 46 47```shell 48sudo apt-get update && sudo apt-get install python3 python-apt python3-pymysql 49``` 50 51### Setup: surveytool keypair 52 53Create a RSA keypair with no password for the buildbot: 54 55```shell 56mkdir -p ./local-vars 57ssh-keygen -t rsa -b 4096 -f ./local-vars/surveytool -P '' -C 'surveytool deploy' 58``` 59 60The contents of the `local-vars/surveytool.pub` file is used for the 61`key:` parameter below in `local.yml`. The `local-vars/surveytool` 62private key is used in the secret `RSA_KEY_SURVEYTOOL`. 63 64Then setup github secrets as shown: 65 66- `SMOKETEST_HOST` - 67 hostname of smoketest 68- `SMOKETEST_PORT` - 69 port of smoketest 70- `RSA_KEY_SURVEYTOOL` - 71 contents of `local-vars/surveytool` (the secret key) 72- `SMOKETEST_KNOWNHOSTS` - 73 run `ssh-keyscan smoketest.example.com` where _smoketest.example.com_ 74 is the name of the smoketest server. Put the results into this 75 secret. One of these lines should match `~/.ssh/known_hosts` on your 76 own system when you ssh into smoketest. 77 Try `grep -i smoke ~/.ssh/known_hosts` 78 79Create a folder "cldrbackup" inside local-vars 80```shell 81mkdir -p ./local-vars/cldrbackup 82``` 83 84Add three files inside local-vars/cldrbackup-vars: id_rsa, id_rsa.pub, and known_hosts. These must correspond to the public key for cldrbackup on corp.unicode.org. Copy existing versions if you have them. Otherwise, create new ones with `ssh-keygen -t rsa` and copy the public key to corp.unicode.org with `ssh-copy-id -i ~/.ssh/id_rsa cldrbackup@corp.unicode.org` 85 86### Setup: Config file 87 88- Create a file `local-vars/local.yml` matching the example values in [test-local-vars/local.yml](test-local-vars/local.yml) but with secure passwords instead of `hunter42`, ...! 89 90```yaml 91cldradmin_pw: hunter46 # needs to match cldradmin pw below 92mysql_users: 93 # this is the account used by the survey tool itself 94 # password will match /var/lib/openliberty/usr/servers/cldr/server.env 95 - name: surveytool 96 host: localhost 97 password: hunter42 98 priv: 'cldrdb.*:ALL' 99 # this is the account used for administrative tasks 100 # password will match /home/cldradmin/.my.sql 101 - name: cldradmin 102 password: hunter46 103 priv: 'cldrdb.*:ALL/*.*:PROCESS' 104 append_privs: yes 105# this is the account used for deployment 106surveytooldeploy: 107 # TODO: surveytooldeploy.password appears to be unused? 108 password: hunter43 109 # vap will match CLDR_VAP in /srv/st/config/cldr.properties 110 vap: hunter44 111 # testpw will match CLDR_TESTPW in /srv/st/config/cldr.properties 112 testpw: hunter45 113 oldversion: 39 114 newversion: 40 115 key: ssh-rsa … ( SSH key goes here) 116 certbot_admin_email: surveytool@unicode.org 117 certbot_certs: 118 - domains: 119 - cldr-ref.unicode.org 120``` 121 122## Setup: cldrcc 123 124```shell 125mkdir -p local-vars/cldrcc 126ssh-keygen -t rsa -b 2048 -C 'CLDR Commit Checker' -f local-vars/cldrcc/id_rsa 127``` 128 129 130## Configure 131 132Run the setup playbook. 133 134```shell 135ansible-playbook --check setup-playbook.yml 136``` 137 138This is in dry run mode. When it looks good to you, take the 139`--check` out and run it again. 140 141You can also use the `-l cldr-smoke.unicode.org` option to limit 142the operation to a single host. 143 144## Local Test 145 146- install vagrant and some provider such as virtualbox or libvirt 147 148```shell 149vagrant up 150``` 151 152- To log into the new host, run `vagrant ssh` 153 154- To iterate, trying to reapply ansible, run `vagrant provision --provision-with=ansible` 155 156- to deploy ST to this, use the following: 157 158```shell 159(cd ../.. ; mvn package) # go to the tools folder and build ST (cldr-apps.war, etc.) if not already built 160vagrant ssh -- sudo -u surveytool /usr/local/bin/deploy-to-tomcat.sh $(git rev-parse HEAD) < ../../cldr-apps/target/cldr-apps.war 161``` 162 163- Now you should be able to login at <http://127.0.0.1:8880/cldr-apps/> 164 165- If you need to get directly to the tomcat server, use: 166 167```shell 168vagrant ssh -- -L 9080:127.0.0.1:9080 169# leave this shell window open. 170``` 171 172Then, you can go to <http://127.0.0.1:9080> and directly access tomcat. 173