|
:toc2:
|
|
== Preparing your Workstation to use Ansible Playbooks
|
|
=== Less prerequisites: Dockerfiles
|
|
It is possible to run agnosticd with docker. This way you don't have to install anything (except Docker).
|
|
If you want to use docker to deploy, look at the link:../tools/builds[tools/builds] Readme.
|
|
=== Less prerequistes: python virtualenvs
|
|
It is now encouraged to use python virtualenvs to develop from your laptop.
|
|
Please have a look at link:../tools/virtualenvs[tools/virtualenvs].
|
|
==== OSP cloud-provider
|
|
.In your home directory
|
----
|
# Create the virtualenv
|
$ virtualenv virtualenvs/openstack-ansible-2.9
|
Using base prefix '/usr'
|
New python executable in /home/fridim/virtualenvs/openstack-ansible-2.9/bin/python
|
Installing setuptools, pip, wheel...
|
done.
|
|
# Activate the virtualenv
|
$ . virtualenvs/openstack-ansible-2.9/bin/activate
|
(openstack-ansible-2.9) $
|
|
# Install the modules
|
|
# python 2:
|
(openstack-ansible-2.9) $ pip install -r https://raw.githubusercontent.com/redhat-cop/agnosticd/development/tools/virtualenvs/openstack-ansible-2.9-python2.txt
|
|
|
# python 3:
|
(openstack-ansible-2.9) $ pip install -r https://raw.githubusercontent.com/redhat-cop/agnosticd/development/tools/virtualenvs/openstack-ansible-2.9-python3.txt
|
|
|
# latest modules (should work with both python2 and python3)
|
(openstack-ansible-2.9) $ pip install -r https://raw.githubusercontent.com/redhat-cop/agnosticd/development/tools/virtualenvs/openstack-ansible-latest.txt
|
----
|
|
=== Prerequisites
|
In order to use these playbooks, you will need to set a few things up.
|
|
=== Workstation dependencies
|
|
* Some deployments would require a Red Hat Customer Portal account that has
|
appropriate subscriptions. This is not required for the playbook themselves.
|
+
|
NOTE: Red Hat employee subscriptions can be used
|
|
|
==== Software required for deployment
|
|
* https://www.python.org[Python]
|
* http://docs.pythonboto.org[Python Boto] version 2.41 or greater
|
* http://github.com[Git] any version would do.
|
* https://github.com/ansible/ansible[Ansible] version 2.1.2 or greater
|
* https://s3.amazonaws.com/aws-cli/awscli-bundle.zip[awscli bundle] tested with version 1.11.32
|
Python and the Python dependencies may be installed via your OS' package manager
|
(eg: python2-boto on Fedora/CentOS/RHEL) or via https://pypi.python.org/pypi/pip[pip]. https://pypi.python.org/pypi/virtualenv[Python virtualenv] can also work.
|
|
NOTE: on Fedora, all dependencies are packaged and can be easily installed via
|
`dnf install wget git awscli python3-boto3 ansible ansible-lint yamllint`
|
(botocore and python will be pulled automatically through dependencies).
|
The lint tools are optional but are recommended tools to check the quality of your code.
|
|
.Example script to install required software
|
[source,bash]
|
----
|
|
# Install basic packages
|
yum install -y wget python python-boto unzip python2-boto3.noarch tmux git ansible
|
|
# Another option to configure python boto is:
|
git clone git://github.com/boto/boto.git
|
cd boto
|
python setup.py install
|
|
#Install boto3
|
pip install boto3
|
|
#Install pywinrm if you plan to deploy windows VMs
|
#pip install pywinrm
|
|
# Enable epel repositories for Ansible
|
cd /tmp
|
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
|
sudo yum -y install `ls *epel*.rpm`
|
|
# Install ansible and checked install version (required 2.2.0.0)
|
yum install -y ansible
|
ansible --version
|
|
|
## Install aws cli
|
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
|
unzip awscli-bundle.zip
|
sudo ./awscli-bundle/install -i /usr/local/aws -b /bin/aws
|
aws --version
|
|
----
|
|
.Mac OS installation steps:
|
|
[source,bash]
|
----
|
# Install Python3
|
brew install python
|
|
# For python2 do
|
brew install python@2
|
|
# Depending on whether you did python3 or python2, use the pip3 or pip command
|
pip3 install boto3
|
|
#Install pywinrm if you plan to deploy windows VMs
|
#pip3 install pywinrm
|
|
# Install Ansible
|
pip3 install ansible
|
|
# Install awscli
|
brew install awscli
|
|
----
|
|
=== Configuring your workstation
|
|
==== Configure the EC2 Credentials
|
|
* You will need to place your EC2 credentials in the ~/.aws/credentials file:
|
[source, shell]
|
----
|
mkdir ~/.aws
|
cat << EOF >> ~/.aws/credentials
|
[default]
|
aws_access_key_id = AKIAJAAYOURACCESSKEY
|
aws_secret_access_key = rT54UYOURSECRETACCESSKEY
|
|
EOF
|
----
|
|
* Add the SSH Key to the SSH Agent (optional)
|
If your operating system has an SSH agent and you are not using your default
|
configured SSH key, you will need to add the private key you use with your EC2
|
instances to your SSH agent:
|
+
|
----
|
ssh-add <path to key file>
|
----
|
|
NOTE: If you use an SSH config that specifies what keys to use for what
|
hosts this step may not be necessary.
|
|
|
=== AWS Permissions and Policies
|
|
AWS credentials for the account above must be used with the AWS command line
|
tool (detailed below)
|
|
* An AWS IAM account with the following permissions:
|
- Policies can be defined for Users, Groups or Roles
|
- Navigate to: AWS Dashboard -> Identity & Access Management -> Select Users or Groups or Roles -> Permissions -> Inline Policies -> Create Policy -> Custom Policy
|
- Policy Name: openshift (your preference)
|
- Policy Document:
|
+
|
[source,json]
|
----
|
{
|
"Version": "2012-10-17",
|
"Statement": [
|
{
|
"Sid": "Stmt1459269951000",
|
"Effect": "Allow",
|
"Action": [
|
"cloudformation:*",
|
"iam:*",
|
"route53:*",
|
"elasticloadbalancing:*",
|
"ec2:*",
|
"cloudwatch:*",
|
"autoscaling:*",
|
"s3:*"
|
],
|
"Resource": [
|
"*"
|
]
|
}
|
]
|
}
|
----
|
|
NOTE: Finer-grained permissions are possible, and pull requests are welcome.
|
|
|
==== AWS existing resources
|
|
* A route53
|
link:http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html[public hosted zone]
|
is required for the scripts to create the various DNS entries for the
|
resources it creates. Two DNS entries will be created for workshops:
|
- `master.guid.domain.tld` - a DNS entry pointing to the master
|
- `*.cloudapps.guid.domain.tld` - a wildcard DNS entry pointing to the
|
router/infrastructure node
|
* An EC2 SSH keypair should be created in advance and you should save the key
|
file to your system.
|
+
|
[source,bash]
|
----
|
REGION=us-west-1
|
KEYNAME=ocpworkshop
|
openssl genrsa -out ~/.ssh/${KEYNAME}.pem 2048
|
openssl rsa -in ~/.ssh/${KEYNAME}.pem -pubout > ~/.ssh/${KEYNAME}.pub
|
chmod 400 ~/.ssh/${KEYNAME}.pub
|
chmod 400 ~/.ssh/${KEYNAME}.pem
|
touch ~/.ssh/config
|
chmod 600 ~/.ssh/config
|
aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`"
|
----
|
+
|
CAUTION: Key pairs are created per region, you will need to specify a different keypair for each region or duplicate the keypair into every region.
|
+
|
----
|
REGIONS="ap-southeast-1 ap-southeast-2 OTHER_REGIONS..."
|
for REGION in `echo ${REGIONS}` ;
|
do
|
aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`"
|
done
|
----
|
|
=== OpenStack
|
|
----
|
# Install python modules needed by ansible
|
sudo pip install openstacksdk
|
|
# Install openstack CLIs
|
sudo pip install python-openstackclient python-heatclient
|
----
|
|
NOTE: on Fedora `dnf install python3-openstacksdk python3-openstackclient python-openstackclient-doc python-openstackclient-lang python3-heatclient python-heatclient-doc python3-dns` will do the job (you may choose to skip doc and lang packages).
|
|
==== Azure
|
|
If you want to deploy on azure you will need the Azure client.
|
|
https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest[Source documentation]
|
|
.in a nutshell (tested on fedora 28) - Azure cli (system-wide)
|
----
|
|
# Install the azure-cli system-wide
|
sudo -i
|
rpm --import https://packages.microsoft.com/keys/microsoft.asc
|
cat >> /etc/yum.repos.d/azure-cli.repo <<EOF
|
[azure-cli]
|
name=Azure CLI
|
baseurl=https://packages.microsoft.com/yumrepos/azure-cli
|
enabled=1
|
gpgcheck=1
|
gpgkey=https://packages.microsoft.com/keys/microsoft.asc
|
EOF
|
|
yum check-update
|
yum install -y azure-cli
|
----
|
|
We recommend you install the ansible module in a virtualenv.
|
|
.in a nutshell (tested on fedora 28) - Azure ansible module (use virtualenv)
|
----
|
# /!\ careful this will update ansible as well
|
# Use a virtualenv for those:
|
pip install --upgrade pip
|
pip install --upgrade --force ansible[azure]
|
----
|
|
NOTE: `--force` is used here, because of a known link:https://github.com/ansible/ansible/issues/38894[issue].
|
|
===== Service principal
|
|
It's better to use a service principal instead of your main credentials. Refer to the https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest[official documentation].
|
|
.in a nutshell
|
----
|
az login
|
az ad sp create-for-rbac
|
az login --service-principal -u <user> -p <password-or-cert> --tenant <tenant>
|
----
|
|
.env_secret_vars.yml
|
----
|
azure_service_principal: "service principal client id"
|
azure_password: "service principal password or cert"
|
azure_tenant: "tenant ID"
|
azure_region: "Azure location, ex: EuropeWest"
|
azure_subscription_id: "Subscription id"
|
----
|
|
|
==== Virtualenv
|
|
If you want to use virtualenv, you can try & adapt this:
|
|
----
|
cd ansible
|
mkdir ~/virtualenv-aad
|
virtualenv ~/virtualenv-aad -p python2.7
|
. ~/virtualenv-aad/bin/activate
|
export CC=gcc-5
|
pip install -r requirements.txt
|
----
|