:toc2:

= Preparing your Workstation to use the Ansible Playbooks

== Fewer prerequisites: Dockerfiles

It is possible to run agnosticd with Docker. This way you don't have to install anything (except Docker).

If you want to use Docker to deploy, look at the link:../tools/builds[tools/builds] README.

== Prerequisites

In order to use these playbooks, you will need to set a few things up.

== Software Requirements on workstation

* Some deployments require a Red Hat Customer Portal account that has
appropriate subscriptions. This is not required for the playbooks themselves.
+
NOTE: Red Hat employee subscriptions can be used.

=== Software required for deployment

* https://www.python.org[Python] version 2.7.x (3.x untested and may not work)
* http://docs.pythonboto.org[Python Boto] version 2.41 or greater
* http://github.com[Git], any version will do
* https://github.com/ansible/ansible[Ansible] version 2.1.2 or greater
* https://s3.amazonaws.com/aws-cli/awscli-bundle.zip[awscli bundle], tested with version 1.11.32

Python and the Python dependencies may be installed via your OS's package manager
(e.g. python2-boto on Fedora/CentOS/RHEL) or via
https://pypi.python.org/pypi/pip[pip]. A https://pypi.python.org/pypi/virtualenv[Python virtualenv] can also work.

.Example script to install required software
[source,bash]
----
# Install basic packages
yum install -y wget python python-boto unzip python2-boto3.noarch tmux git ansible

# Another option to configure python boto is to build it from source
# (git:// is an unauthenticated transport; https://github.com/boto/boto.git works too):
git clone git://github.com/boto/boto.git
cd boto
python setup.py install

# Install boto3
pip install boto3

# Install pywinrm if you plan to deploy Windows VMs
#pip install pywinrm

# Enable EPEL repositories for Ansible
cd /tmp
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install `ls *epel*.rpm`

# Install ansible and check the installed version (2.2.0.0 required)
yum install -y ansible
ansible --version

# Install aws cli
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo ./awscli-bundle/install -i /usr/local/aws -b /bin/aws
aws --version
----

.Mac OS installation steps
[source,bash]
----
# Install Python3
brew install python

# For python2 do
brew install python@2

# Depending on whether you did python3 or python2, use the pip3 or pip command
pip3 install boto3

# Install pywinrm if you plan to deploy Windows VMs
#pip3 install pywinrm

# Install Ansible
pip3 install ansible

# Install awscli
brew install awscli
----
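The requirement list above states minimum versions, but the install scripts only print `ansible --version` and `aws --version` for you to read by eye. The preflight script below is an added example, not part of agnosticd: it parses those outputs and compares them with the minimums given on this page (Ansible 2.2.0.0 as the install script requires, awscli 1.11.32, boto 2.41). The helper names `version_ge`, `first_version`, `check_tool`, `boto_version` and `preflight` are my own.

```shell
#!/bin/sh
# Workstation preflight check (added example, not agnosticd code).
# Minimum versions are the ones stated on this page; edit them as the
# project's requirements move.

# version_ge A B: succeed when dotted numeric version A is >= B.
# Components are compared left to right; missing components count as 0,
# so "2.2" and "2.2.0.0" compare equal.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# first_version TEXT: print the first dotted numeric version found in TEXT
# ("ansible 2.4.2.0 / config file = ..." -> "2.4.2.0").
first_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)*' | head -n 1
}

# boto_version: print boto's version, or nothing when python or boto is absent
# (stderr is dropped so a traceback is never mistaken for a version).
boto_version() {
    python -c 'import boto; print(boto.__version__)' 2>/dev/null || true
}

# check_tool LABEL MIN CMD [ARGS...]: run CMD, parse its version and compare it
# with MIN. Prints one status line and returns 0 only when LABEL is usable.
check_tool() {
    label="$1"; min="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "MISSING  $label ('$1' not in PATH)"
        return 1
    fi
    out="$("$@" 2>&1)" || true      # aws-cli v1 prints its version on stderr
    have="$(first_version "$out")"
    if [ -z "$have" ]; then
        echo "UNKNOWN  $label (could not parse a version from '$1' output)"
        return 1
    fi
    if version_ge "$have" "$min"; then
        echo "OK       $label $have (>= $min)"
        return 0
    fi
    echo "TOO OLD  $label $have (< $min)"
    return 1
}

# preflight: check every tool this page requires; non-zero if any check fails.
preflight() {
    rc=0
    check_tool Ansible 2.2.0.0 ansible --version || rc=1
    check_tool awscli  1.11.32 aws --version     || rc=1
    check_tool Git     0       git --version     || rc=1
    check_tool boto    2.41    boto_version      || rc=1
    return $rc
}

preflight || echo "Workstation is not ready; fix the lines above before running the playbooks."
```

Run it once after either install script; a `TOO OLD` line for Ansible usually means the distribution package was picked up instead of the EPEL one.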

== Configuring your workstation

=== Configure the EC2 Credentials

* You will need to place your EC2 credentials in the ~/.aws/credentials file:
+
[source,shell]
----
mkdir ~/.aws
cat << EOF >> ~/.aws/credentials
[default]
aws_access_key_id = AKIAJAAYOURACCESSKEY
aws_secret_access_key = rT54UYOURSECRETACCESSKEY

EOF
----

* Add the SSH Key to the SSH Agent (optional)
+
If your operating system has an SSH agent and you are not using your default
configured SSH key, you will need to add the private key you use with your EC2
instances to your SSH agent:
+
----
ssh-add <path to key file>
----

NOTE: If you use an SSH config that specifies what keys to use for what
hosts, this step may not be necessary.
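The heredoc above appends the keys to `~/.aws/credentials` with whatever umask the shell has, which with the usual default of 022 leaves the file readable by every local user, and the key pair steps later on this page set `chmod 400` by hand after the file already exists. The helper below is an added example, not part of agnosticd: it creates such files closed from the first byte (directory 0700, file 0600) and verifies the result, and applies equally to the private key under `~/.ssh` and to the `env_secret_vars.yml` used for Azure further down. The function names `file_mode`, `write_secret` and `check_secret` are my own, and the key values in the demonstration are constructed placeholders.

```shell
#!/bin/sh
# Create and verify owner-only secret files (added example, not agnosticd code).

# file_mode PATH: print the permission bits in octal (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_secret PATH: write stdin to PATH. The umask is set in a subshell so the
# parent directory is created 0700 and the file 0600 from the start, instead
# of being chmod'ed after it already existed with the default mode.
write_secret() {
    dir="$(dirname "$1")"
    ( umask 077 && mkdir -p "$dir" && cat > "$1" )
}

# check_secret PATH: succeed only when PATH is a regular file that nobody but
# its owner can read (mode 0600 or 0400).
check_secret() {
    if [ ! -f "$1" ]; then
        echo "missing: $1"
        return 1
    fi
    mode="$(file_mode "$1")"
    case "$mode" in
        400|600) return 0 ;;
        *) echo "too permissive: $1 is mode $mode, expected 600 or 400"; return 1 ;;
    esac
}

# Demonstration in a throwaway directory so a real ~/.aws is never touched.
# The key values below are constructed placeholders, not real credentials.
demo_home="$(mktemp -d)"
write_secret "$demo_home/.aws/credentials" <<EOF
[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER
EOF
check_secret "$demo_home/.aws/credentials" && echo "credentials file is owner-only"
chmod 644 "$demo_home/.aws/credentials"
check_secret "$demo_home/.aws/credentials" || echo "(this is what a leaky file looks like)"
rm -rf "$demo_home"
```

To use it for real, replace `$demo_home` with `$HOME` and feed the same heredoc the page shows; `check_secret ~/.ssh/ocpworkshop.pem` is a quick way to confirm the key pair step later did what it should.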

=== AWS Permissions and Policies

AWS credentials for the account above must be used with the AWS command line
tool (detailed below).

* An AWS IAM account with the following permissions:
- Policies can be defined for Users, Groups or Roles
- Navigate to: AWS Dashboard -> Identity & Access Management -> Select Users or Groups or Roles -> Permissions -> Inline Policies -> Create Policy -> Custom Policy
- Policy Name: openshift (your preference)
- Policy Document:
+
[source,json]
----
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1459269951000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "iam:*",
        "route53:*",
        "elasticloadbalancing:*",
        "ec2:*",
        "cloudwatch:*",
        "autoscaling:*",
        "s3:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
----

NOTE: Finer-grained permissions are possible, and pull requests are welcome.
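The policy above grants `service:*` on every listed service against `Resource: *`, and `iam:*` in particular lets whoever holds these access keys create further users, keys and policies, so the keys should be handled as administrator credentials. Since the note invites finer-grained policies, the script below, an added example that is not part of agnosticd, counts the wildcard grants in a policy document so the distance to least privilege is visible before the policy is attached. It is a line-oriented textual scan that assumes one action or resource string per line, as in the document above; the helper names and the second, scoped sample are my own constructions, and that scoped sample is only there to show the audit passing, not the permission set the playbooks need.

```shell
#!/bin/sh
# Audit an IAM policy document for wildcard grants (added example, not agnosticd code).
# Textual scan: expects one action or resource string per line, as in the policy
# shown on this page. For arbitrary JSON use a real parser (jq or python).

# count_wildcard_actions FILE: number of "<service>:*" actions in FILE.
count_wildcard_actions() {
    grep -cE '"[a-z0-9-]+:\*"' "$1" || true   # grep -c exits 1 on zero matches
}

# count_star_resources FILE: number of bare "*" resource entries in FILE.
count_star_resources() {
    grep -cE '^[[:space:]]*"\*"' "$1" || true
}

# grants_iam_admin FILE: succeed when FILE allows iam:* (privilege escalation:
# the holder can mint new users, keys and policies for themselves).
grants_iam_admin() {
    grep -qE '"iam:\*"' "$1"
}

# audit_policy FILE: print a summary; succeed only when no wildcard grant remains.
audit_policy() {
    acts="$(count_wildcard_actions "$1")"
    res="$(count_star_resources "$1")"
    echo "$1: $acts wildcard service actions, $res wildcard resources"
    if grants_iam_admin "$1"; then
        echo "  WARNING: iam:* makes these keys equivalent to an account administrator"
    fi
    [ "$acts" -eq 0 ] && [ "$res" -eq 0 ]
}

# Constructed sample 1: the policy from this page.
page_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1459269951000",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "iam:*",
        "route53:*",
        "elasticloadbalancing:*",
        "ec2:*",
        "cloudwatch:*",
        "autoscaling:*",
        "s3:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
}

# Constructed sample 2: an illustrative scoped statement (named actions, one
# resource ARN) to show the audit passing. Not the set the playbooks require.
scoped_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": [
        "arn:aws:ec2:us-west-1:123456789012:instance/*"
      ]
    }
  ]
}
EOF
}

workdir="$(mktemp -d)"
page_policy   > "$workdir/page.json"
scoped_policy > "$workdir/scoped.json"
audit_policy "$workdir/page.json"   || echo "  -> broader than least privilege"
audit_policy "$workdir/scoped.json" && echo "  -> no wildcard grants"
rm -rf "$workdir"
```

Run `audit_policy` on any policy file before attaching it; a non-zero exit is a prompt to narrow the actions or the resources, not a verdict that the policy cannot be used.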

=== AWS existing resources

* A route53
link:http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html[public hosted zone]
is required for the scripts to create the various DNS entries for the
resources they create. Two DNS entries will be created for workshops:
- `master.guid.domain.tld` - a DNS entry pointing to the master
- `*.cloudapps.guid.domain.tld` - a wildcard DNS entry pointing to the
router/infrastructure node
* An EC2 SSH keypair should be created in advance and you should save the key
file to your system.
+
[source,bash]
----
REGION=us-west-1
KEYNAME=ocpworkshop
# Generate a 2048-bit RSA private key and derive its public half
openssl genrsa -out ~/.ssh/${KEYNAME}.pem 2048
openssl rsa -in ~/.ssh/${KEYNAME}.pem -pubout > ~/.ssh/${KEYNAME}.pub
# Keep both halves readable by the owner only
chmod 400 ~/.ssh/${KEYNAME}.pub
chmod 400 ~/.ssh/${KEYNAME}.pem
touch ~/.ssh/config
chmod 600 ~/.ssh/config
# Register the public key with EC2 in the chosen region
aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`"
----
+
CAUTION: Key pairs are created per region; you will need to specify a different keypair for each region or duplicate the keypair into every region.
+
[source,bash]
----
REGIONS="ap-southeast-1 ap-southeast-2 OTHER_REGIONS..."
for REGION in ${REGIONS}; do
  aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`"
done
----

=== OpenStack

----
# Install python modules needed by ansible
sudo pip install openstacksdk

# Install openstack CLIs
sudo pip install python-openstackclient python-heatclient
----

=== Azure

If you want to deploy on Azure you will need the Azure client.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest[Source documentation]

.In a nutshell (tested on Fedora 28) - Azure CLI (system-wide)
----
# Install the azure-cli system-wide
sudo -i
rpm --import https://packages.microsoft.com/keys/microsoft.asc
cat >> /etc/yum.repos.d/azure-cli.repo <<EOF
[azure-cli]
name=Azure CLI
baseurl=https://packages.microsoft.com/yumrepos/azure-cli
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc
EOF

yum check-update
yum install -y azure-cli
----

We recommend you install the Ansible module in a virtualenv.

.In a nutshell (tested on Fedora 28) - Azure Ansible module (use virtualenv)
----
# /!\ careful: this will update ansible as well
# Use a virtualenv for those:
pip install --upgrade pip
pip install --upgrade --force ansible[azure]
----

NOTE: `--force` is used here because of a known link:https://github.com/ansible/ansible/issues/38894[issue].

==== Service principal

It's better to use a service principal instead of your main credentials. Refer to the https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest[official documentation].

.In a nutshell
----
az login
az ad sp create-for-rbac
az login --service-principal -u <user> -p <password-or-cert> --tenant <tenant>
----

.env_secret_vars.yml
----
azure_service_principal: "service principal client id"
azure_password: "service principal password or cert"
azure_tenant: "tenant ID"
azure_region: "Azure location, ex: EuropeWest"
azure_subscription_id: "Subscription id"
----

=== Virtualenv

If you want to use virtualenv, you can try and adapt this:

----
cd ansible
mkdir ~/virtualenv-aad
virtualenv ~/virtualenv-aad -p python2.7
. ~/virtualenv-aad/bin/activate
export CC=gcc-5
pip install -r requirements.txt
----