:toc2:

== Preparing your Workstation to use Ansible Playbooks

=== Fewer prerequisites: Dockerfiles

It is possible to run agnosticd with Docker. This way you don't have to install anything (except Docker).

If you want to use Docker to deploy, look at the link:../tools/builds[tools/builds] README.

=== Fewer prerequisites: Python virtualenvs

It is now encouraged to use Python virtualenvs to develop from your laptop.

Please have a look at link:../tools/virtualenvs[tools/virtualenvs].

==== OSP cloud-provider

.In your home directory
----
# Create the virtualenv
$ virtualenv virtualenvs/openstack-ansible-2.9
Using base prefix '/usr'
New python executable in /home/fridim/virtualenvs/openstack-ansible-2.9/bin/python
Installing setuptools, pip, wheel...
done.

# Activate the virtualenv
$ . virtualenvs/openstack-ansible-2.9/bin/activate
(openstack-ansible-2.9) $

# Install the modules

# python 2:
(openstack-ansible-2.9) $ pip install -r https://raw.githubusercontent.com/redhat-cop/agnosticd/development/tools/virtualenvs/openstack-ansible-2.9-python2.txt

# python 3:
(openstack-ansible-2.9) $ pip install -r https://raw.githubusercontent.com/redhat-cop/agnosticd/development/tools/virtualenvs/openstack-ansible-2.9-python3.txt

# latest modules (should work with both python2 and python3)
(openstack-ansible-2.9) $ pip install -r https://raw.githubusercontent.com/redhat-cop/agnosticd/development/tools/virtualenvs/openstack-ansible-latest.txt
----

NOTE: These requirement files are fetched straight from the moving `development` branch, so two runs on different days can install different versions. For a reproducible and reviewable install, download the file, check that every entry is pinned to an exact version, and install from the local copy.
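
The checker below is an added example and not part of agnosticd: given the text of a requirements file (for instance one downloaded from the URLs above), it reports every entry that is not pinned with `==`, and optionally every entry that has no `--hash` option, which is what makes pip refuse an archive that does not match. The sample requirements text inside it is constructed for illustration and is not the content of any real agnosticd file.

```python
"""Check that a pip requirements file is fully pinned before 'pip install -r'.

Added example, not part of agnosticd. Parses plain requirement lines and
reports entries that are not pinned with '==' (optionally, that carry no
--hash), so a file fetched from a moving branch can be reviewed first.
"""
import re
import sys

# name[extras] <operator> version [; markers] [--hash=...]  (PEP 508 subset)
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^\s;#]+)?"
)


def parse_requirements(text):
    """Yield (name, operator, version, has_hash) for every requirement line.

    Backslash continuations are joined first; comments, blank lines and
    option lines (-r, -e, --index-url, ...) are skipped.
    """
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m:
            yield (m.group("name").lower(), m.group("op"), m.group("ver"),
                   "--hash=" in line)


def unpinned(text, require_hashes=False):
    """Return names of requirements that are not pinned to one exact version.

    With require_hashes=True an entry is also reported when it has no
    --hash option, because pip then cannot verify the archive it downloads.
    """
    return [name for name, op, ver, has_hash in parse_requirements(text)
            if op != "==" or not ver or (require_hashes and not has_hash)]


# Constructed sample; not the contents of any real agnosticd requirements file.
SAMPLE_REQUIREMENTS = (
    "# constructed sample\n"
    "ansible==2.9.6 \\\n"
    "    --hash=sha256:" + "ab" * 32 + "\n"
    + "boto3==1.12.0\n"
    "openstacksdk>=0.40      # a range, not a pin\n"
    "python-heatclient       # no version at all\n"
    "-r base.txt\n"
)


if __name__ == "__main__":
    # Usage: python3 check_pins.py requirements.txt [--hashes]
    with open(sys.argv[1]) as fh:
        loose = unpinned(fh.read(), require_hashes="--hashes" in sys.argv[2:])
    for name in loose:
        print("not pinned:", name)
    sys.exit(1 if loose else 0)
```

On the constructed sample the checker flags `openstacksdk` (a range) and `python-heatclient` (no version), and with `--hashes` also `boto3`, which is pinned but carries no hash. Once the file passes, install from the local copy with `pip install -r ./openstack-ansible-2.9-python3.txt` instead of the raw GitHub URL.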

=== Prerequisites

In order to use these playbooks, you will need to set a few things up.

=== Workstation dependencies

* Some deployments require a Red Hat Customer Portal account that has
appropriate subscriptions. This is not required for the playbooks themselves.
+
NOTE: Red Hat employee subscriptions can be used.


==== Software required for deployment

* https://www.python.org[Python]
* http://docs.pythonboto.org[Python Boto] version 2.41 or greater
* http://github.com[Git], any version will do.
* https://github.com/ansible/ansible[Ansible] version 2.1.2 or greater
* https://s3.amazonaws.com/aws-cli/awscli-bundle.zip[awscli bundle], tested with version 1.11.32

Python and the Python dependencies may be installed via your OS' package manager
(e.g. python2-boto on Fedora/CentOS/RHEL) or via https://pypi.python.org/pypi/pip[pip]. https://pypi.python.org/pypi/virtualenv[Python virtualenv] can also work.

NOTE: on Fedora, all dependencies are packaged and can be installed via
`dnf install wget git awscli python3-boto3 ansible ansible-lint yamllint`
(botocore and python will be pulled in automatically as dependencies).
The lint tools are optional but recommended for checking the quality of your code.

.Example script to install required software
[source,bash]
----

# Install basic packages
yum install -y wget python python-boto unzip python2-boto3.noarch tmux git ansible

# Another option to configure python boto is to install it from source.
# This installs whatever is on the default branch at the time; check out a
# release tag if you need a reproducible version.
git clone https://github.com/boto/boto.git
cd boto
python setup.py install

# Install boto3
pip install boto3

# Install pywinrm if you plan to deploy windows VMs
#pip install pywinrm

# Enable epel repositories for Ansible
cd /tmp
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y install ./epel-release-latest-7.noarch.rpm

# Install ansible and check the installed version (required 2.2.0.0)
yum install -y ansible
ansible --version

# Install aws cli
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo ./awscli-bundle/install -i /usr/local/aws -b /bin/aws
aws --version

----

.Mac OS installation steps:
[source,bash]
----
# Install Python3
brew install python

# For python2 do
brew install python@2

# Depending on whether you did python3 or python2, use the pip3 or pip command
pip3 install boto3

# Install pywinrm if you plan to deploy windows VMs
#pip3 install pywinrm

# Install Ansible
pip3 install ansible

# Install awscli
brew install awscli

----

=== Configuring your workstation

==== Configure the EC2 Credentials

* You will need to place your EC2 credentials in the ~/.aws/credentials file:
+
[source,shell]
----
mkdir -p -m 700 ~/.aws
cat << EOF >> ~/.aws/credentials
[default]
aws_access_key_id = AKIAJAAYOURACCESSKEY
aws_secret_access_key = rT54UYOURSECRETACCESSKEY

EOF
chmod 600 ~/.aws/credentials
----
+
NOTE: The file holds long-lived secrets, so keep it readable by you only (`chmod 600`) and never copy it into a repository. The `>>` above appends: running the snippet twice leaves two `[default]` profiles in the file, so edit the existing one instead of re-running it.
* Add the SSH Key to the SSH Agent (optional)
+
If your operating system has an SSH agent and you are not using your default
configured SSH key, you will need to add the private key you use with your EC2
instances to your SSH agent:
+
----
ssh-add <path to key file>
----

NOTE: If you use an SSH config that specifies what keys to use for what
hosts this step may not be necessary.
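
The following script is an added example, not agnosticd code, showing how to write the credentials file from the step above without ever leaving it world-readable: the file is created with mode `0600` in a `0700` directory, an existing `[default]` profile is replaced rather than appended, and a second helper reports loose permissions or placeholder values left in place. The key values passed in the demo are constructed placeholders, and the "still contains YOUR" test is a heuristic matched to the page's sample values.

```python
"""Write ~/.aws/credentials with restrictive permissions and check it.

Added example, not part of agnosticd. Standard library only. The key
values used in demo() are constructed placeholders, not real credentials.
"""
import configparser
import os
import stat


def write_aws_credentials(home, access_key_id, secret_access_key, profile="default"):
    """Create <home>/.aws/credentials (0600 inside a 0700 dir); return its path.

    Unlike 'cat << EOF >> ~/.aws/credentials' this replaces an existing
    profile instead of appending a duplicate, and the file never exists
    with a permissive mode, even briefly.
    """
    aws_dir = os.path.join(home, ".aws")
    os.makedirs(aws_dir, mode=0o700, exist_ok=True)
    os.chmod(aws_dir, 0o700)                 # fix a pre-existing loose dir
    path = os.path.join(aws_dir, "credentials")

    cfg = configparser.ConfigParser()
    cfg.read(path)                           # keep other profiles, if any
    cfg[profile] = {
        "aws_access_key_id": access_key_id,
        "aws_secret_access_key": secret_access_key,
    }
    # O_CREAT with mode 0o600 applies the mode at creation; O_TRUNC rewrites.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)                    # also fix a pre-existing loose file
    return path


def credentials_problems(path):
    """Return a list of findings for an existing credentials file ([] is clean)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file mode %o allows group/other access" % mode)
    cfg = configparser.ConfigParser()
    cfg.read(path)
    for section in cfg.sections():
        for key in ("aws_access_key_id", "aws_secret_access_key"):
            value = cfg[section].get(key, "")
            # Heuristic: the page's sample values contain 'YOUR...KEY'.
            if not value or "YOUR" in value.upper():
                problems.append("[%s] %s is empty or still a placeholder" % (section, key))
    return problems


def demo():
    """Exercise both helpers in a throwaway HOME; returns (mode, clean, dirty)."""
    import tempfile
    home = tempfile.mkdtemp()
    path = write_aws_credentials(home, "AKIAEXAMPLEKEYID0000", "examplesecretvalue0000")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    clean = credentials_problems(path)
    # Now the page's placeholder values, and a loosened mode as a user might leave it.
    write_aws_credentials(home, "AKIAJAAYOURACCESSKEY", "rT54UYOURSECRETACCESSKEY")
    os.chmod(path, 0o644)
    dirty = credentials_problems(path)
    return mode, clean, dirty


if __name__ == "__main__":
    mode, clean, dirty = demo()
    print("mode after write: %o" % mode)
    print("clean file findings:", clean)
    print("placeholder/0644 file findings:", dirty)
```

Run `credentials_problems(os.path.expanduser("~/.aws/credentials"))` on a real workstation as a pre-flight check before a deployment; an empty list means the file is private and contains no leftover sample values.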


=== AWS Permissions and Policies

AWS credentials for the account above must be used with the AWS command line
tool (detailed below).

* An AWS IAM account with the following permissions:
- Policies can be defined for Users, Groups or Roles
- Navigate to: AWS Dashboard -> Identity & Access Management -> Select Users or Groups or Roles -> Permissions -> Inline Policies -> Create Policy -> Custom Policy
- Policy Name: openshift (your preference)
- Policy Document:
+
[source,json]
----
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1459269951000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "iam:*",
                "route53:*",
                "elasticloadbalancing:*",
                "ec2:*",
                "cloudwatch:*",
                "autoscaling:*",
                "s3:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
----

CAUTION: This policy is effectively administrator access: `iam:*` on every resource lets the holder create users and attach any further policy. Treat the access keys accordingly: use a dedicated IAM user (or role) for deployments, give it no console password, keep the keys out of version control, and rotate them when people leave the project.

NOTE: Finer-grained permissions are possible, and pull requests are welcome.
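
As a starting point for narrowing the policy, the script below is an added example (not agnosticd code) that parses a policy document and lists every wildcard grant, that is, `Allow` statements with `*` or `service:*` actions or a `*` resource, and flags the `iam:*`-on-`*` combination that makes a principal effectively an administrator. The policy JSON embedded in it is a copy of the document above, used as test input; nothing else about the real AWS environment is assumed.

```python
"""List wildcard grants in an IAM policy document.

Added example, not agnosticd code. Walks every Allow statement and reports
actions of the form '*' or 'service:*' and resources of '*'; those are the
grants a finer-grained policy would narrow. Deny statements are skipped
because a wildcard Deny restricts rather than grants.
"""
import json


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return (sid, kind, value) tuples for a parsed policy dict."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "resource", resource))
        # NotAction/NotResource invert the match and are almost always broad.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((sid, key, "present"))
    return findings


def is_effectively_admin(policy):
    """True when one Allow statement grants iam:* (or *) on Resource '*'.

    With that grant the principal can attach AdministratorAccess to itself,
    so every other restriction in the policy is cosmetic.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if ("*" in actions or "iam:*" in actions) and "*" in resources:
            return True
    return False


def audit(policy_json):
    """Parse a policy document string; return (findings, effectively_admin)."""
    policy = json.loads(policy_json)
    return wildcard_findings(policy), is_effectively_admin(policy)


# Copy of the policy document shown on the page, used here as test input.
PAGE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1459269951000",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*", "iam:*", "route53:*",
                "elasticloadbalancing:*", "ec2:*", "cloudwatch:*",
                "autoscaling:*", "s3:*"
            ],
            "Resource": ["*"]
        }
    ]
}"""


if __name__ == "__main__":
    findings, admin = audit(PAGE_POLICY)
    for sid, kind, value in findings:
        print("%s: wildcard %s %s" % (sid, kind, value))
    print("effectively administrator:", admin)
```

On the page's policy this reports eight wildcard actions plus the `*` resource and marks the policy as effectively administrator. Feed it `aws iam get-policy-version --output json` output (the `Document` field) to review a policy that is already deployed.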


==== AWS existing resources

* A route53
link:http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html[public hosted zone]
is required for the scripts to create the various DNS entries for the
resources they create. Two DNS entries will be created for workshops:
- `master.guid.domain.tld` - a DNS entry pointing to the master
- `*.cloudapps.guid.domain.tld` - a wildcard DNS entry pointing to the
router/infrastructure node
* An EC2 SSH keypair should be created in advance and you should save the key
file to your system.
+
[source,bash]
----
REGION=us-west-1
KEYNAME=ocpworkshop
openssl genrsa -out ~/.ssh/${KEYNAME}.pem 2048
openssl rsa -in ~/.ssh/${KEYNAME}.pem -pubout > ~/.ssh/${KEYNAME}.pub
chmod 400 ~/.ssh/${KEYNAME}.pub
chmod 400 ~/.ssh/${KEYNAME}.pem
touch ~/.ssh/config
chmod 600 ~/.ssh/config
aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`"
----
+
NOTE: The `import-key-pair` call above was written for AWS CLI v1, which base64-encodes binary parameters for you. AWS CLI v2 expects `fileb://` input for such parameters by default, so pass `--public-key-material fileb://~/.ssh/${KEYNAME}.pub` (or set `cli_binary_format = raw-in-base64-out` in your CLI config) if the command fails with an encoding error.
+
CAUTION: Key pairs are created per region, you will need to specify a different keypair for each region or duplicate the keypair into every region.
+
----
REGIONS="ap-southeast-1 ap-southeast-2 OTHER_REGIONS..."
for REGION in ${REGIONS}; do
    aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`"
done
----

=== OpenStack

----
# Install python modules needed by ansible
# (preferably inside the virtualenv created above, in which case drop the sudo)
sudo pip install openstacksdk

# Install openstack CLIs
sudo pip install python-openstackclient python-heatclient
----

NOTE: on Fedora `dnf install python3-openstacksdk python3-openstackclient python-openstackclient-doc python-openstackclient-lang python3-heatclient python-heatclient-doc python3-dns` will do the job (you may choose to skip doc and lang packages).

=== Azure

If you want to deploy on Azure you will need the Azure client.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest[Source documentation]

.in a nutshell (tested on fedora 28) - Azure cli (system-wide)
----

# Install the azure-cli system-wide
sudo -i
rpm --import https://packages.microsoft.com/keys/microsoft.asc
cat >> /etc/yum.repos.d/azure-cli.repo <<EOF
[azure-cli]
name=Azure CLI
baseurl=https://packages.microsoft.com/yumrepos/azure-cli
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc
EOF

yum check-update
yum install -y azure-cli
----

We recommend you install the Ansible module in a virtualenv.

.in a nutshell (tested on fedora 28) - Azure ansible module (use virtualenv)
----
# /!\ careful, this will update ansible as well
# Use a virtualenv for those:
pip install --upgrade pip
pip install --upgrade --force ansible[azure]
----

NOTE: `--force` is used here because of a known link:https://github.com/ansible/ansible/issues/38894[issue].

==== Service principal

It's better to use a service principal instead of your main credentials. Refer to the https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest[official documentation].

.in a nutshell
----
az login
az ad sp create-for-rbac
az login --service-principal -u <user> -p <password-or-cert> --tenant <tenant>
----

NOTE: `az ad sp create-for-rbac` prints the service principal password exactly once; copy it straight into your secret vars file rather than into a shell history or chat. Scope the principal to what the deployment needs with the `--role` and `--scopes` options instead of accepting the default, and delete it when the workshop is over.

.env_secret_vars.yml
----
azure_service_principal: "service principal client id"
azure_password: "service principal password or cert"
azure_tenant: "tenant ID"
azure_region: "Azure location, ex: westeurope"
azure_subscription_id: "Subscription id"
----
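
The script below is an added example, not agnosticd code, that pre-flights a secret vars file such as `env_secret_vars.yml` before a deployment: it checks that all five Azure keys are present and non-empty, that none still holds the placeholder text from the fragment above, and that the file is not readable by other users. It reads the flat `key: "value"` lines with a small parser of its own so that it needs no PyYAML; that flat layout is an assumption taken from the fragment above, and the filled-in values in the demo are constructed, not real credentials.

```python
"""Pre-flight check for an agnosticd secret vars file (env_secret_vars.yml).

Added example, not agnosticd code. Assumes the file is flat 'key: value'
scalars as in the page's fragment (so no PyYAML is needed). Values in
FILLED are constructed and not real credentials.
"""
import os
import re
import stat

REQUIRED_AZURE_KEYS = (
    "azure_service_principal",
    "azure_password",
    "azure_tenant",
    "azure_region",
    "azure_subscription_id",
)

# Words from the page's placeholder values; a value still containing them
# was never filled in.
PLACEHOLDER_WORDS = ("service principal", "tenant id", "subscription id",
                     "azure location", "ex:")

_KV_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")


def _unquote(value):
    """Strip one pair of matching quotes, or a trailing ' # comment'."""
    if value[:1] in ("'", '"'):
        end = value.find(value[0], 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" #", 1)[0].rstrip()


def parse_flat_yaml(text):
    """Parse top-level 'key: value' lines into a dict (assumption: flat scalars)."""
    data = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV_RE.match(line)
        if m:
            data[m.group(1)] = _unquote(m.group(2))
    return data


def secret_vars_problems(path, required=REQUIRED_AZURE_KEYS):
    """Return a list of findings for a secret vars file ([] means ready)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o lets group/other read the secrets" % mode)
    with open(path) as fh:
        data = parse_flat_yaml(fh.read())
    for key in required:
        value = data.get(key, "")
        if not value:
            problems.append("%s is missing or empty" % key)
        elif any(word in value.lower() for word in PLACEHOLDER_WORDS):
            problems.append("%s still holds placeholder text" % key)
    return problems


# The fragment from the page, unchanged.
PAGE_FRAGMENT = '''azure_service_principal: "service principal client id"
azure_password: "service principal password or cert"
azure_tenant: "tenant ID"
azure_region: "Azure location, ex: westeurope"
azure_subscription_id: "Subscription id"
'''

# Constructed, filled-in values; not real credentials.
FILLED = '''# constructed values, not real credentials
azure_service_principal: "00000000-0000-0000-0000-000000000001"
azure_password: "not-a-real-secret"   # sp password
azure_tenant: "00000000-0000-0000-0000-000000000002"
azure_region: westeurope
azure_subscription_id: "00000000-0000-0000-0000-000000000003"
'''


def demo():
    """Check the page fragment (world-readable) and a filled 0600 file."""
    import tempfile
    workdir = tempfile.mkdtemp()
    unfilled = os.path.join(workdir, "env_secret_vars.yml")
    with open(unfilled, "w") as fh:
        fh.write(PAGE_FRAGMENT)
    os.chmod(unfilled, 0o644)
    filled = os.path.join(workdir, "filled.yml")
    with open(filled, "w") as fh:
        fh.write(FILLED)
    os.chmod(filled, 0o600)
    return secret_vars_problems(unfilled), secret_vars_problems(filled)


if __name__ == "__main__":
    for finding in demo()[0]:
        print("page fragment:", finding)
```

The untouched fragment produces six findings (the loose mode plus one placeholder per key); the filled file with mode `0600` produces none. Run `secret_vars_problems("env_secret_vars.yml")` from the same virtualenv you deploy from, before `ansible-playbook`.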
b0782b
|
305 |
|
GC |
306 |
|
eab74b
|
307 |
==== Virtualenv |
b0782b
|
308 |
|
GC |
309 |
If you want to use virtualenv, you can try & adapt this: |
|
310 |
|
|
311 |
---- |
|
312 |
cd ansible |
|
313 |
mkdir ~/virtualenv-aad |
|
314 |
virtualenv ~/virtualenv-aad -p python2.7 |
|
315 |
. ~/virtualenv-aad/bin/activate |
|
316 |
export CC=gcc-5 |
|
317 |
pip install -r requirements.txt |
|
318 |
---- |