iRODS: v0.9.8 #504
iRODS: v0.9.8 #504
Conversation
iRODS: readme update - added PN mail to todo iRODS: formatting fix - readme Update README.md iRODS: formatting - readme iRODS: edited readme
scimerman
requested review from
pneerincx,
Gerbenvandervries and
marieke-bijlsma
| @@ -326,6 +326,16 @@ | |||
| remote_ip_prefix: 0.0.0.0/0 | |||
| wait: true | |||
| timeout: "{{ openstack_api_timeout }}" | |||
| - name: "Add rule to {{ slurm_cluster_name }}_irods security group: allow PostgreSQL inbound on port 5432." | |||
There was a problem hiding this comment.
Maybe add to the ToDo list that like for iRODS port 1247, this port for PostgreSQL should be restricted to specific machines as opposed to allowing inbound traffic from anywhere.
There was a problem hiding this comment.
Yes, for the SQL, we should have an IP whitelist yes. Added to the TODO.
For the iRODS 1247 on the other hand: we haven't yet agreed if we really want to limit the port 1247 to SURF side server only, as there was once mentioned that we might allow users to directly access iRODS over this protocol as well (some clients support it) - instead of going through Davrods.
roles/irods/tasks/icat.yml
Outdated
| - irods-database-plugin-postgres | ||
| - irods-server | ||
| - irods-database-plugin-postgres | ||
| - irods-resource-plugin-s3-4.2.10.0-1 |
There was a problem hiding this comment.
Is it necessary to hard-code the version number for this S3 plugin?
There was a problem hiding this comment.
Correct. Tested without - works. Removed in new commit.
roles/irods/tasks/icat.yml
Outdated
| register: create_unattended_installation_json | ||
| become: true | ||
|
|
||
| # - name: Check if {{ irods_db_name }} database is available |
There was a problem hiding this comment.
Do we need the commented code or can this be deleted?
There was a problem hiding this comment.
Was there, as this part was only recently changed. And was for the potential fallback. Removed now.
roles/irods/tasks/icat.yml
Outdated
|
|
||
| # Start/stop/restart service call fails if with error if already in that state | ||
| # so it's best if done via user call (as this is what the service does anyways) | ||
| - name: Restart iRODS server manually via {{ irods_service_account }} |
There was a problem hiding this comment.
Services should only be restarted if necessary. E.g. when some configuration has changed or software got updated. This should be moved to a handler.
There was a problem hiding this comment.
✔️ The new commit has (tested successfully) handlers.
Why the system service was not used: (the explanation for the rest):
Sysvinit service cannot be used, as ansible calls support only start, stop, restarted and reloaded:
- the
startdoes not work - even when irods is shut down, it does not start it up (repeatably) and subsequent Davrods role fails - the
restartedrepeatably fails upon new installation when service is stillstopped(see output below, but in short: service uses lock file/var/lock/subsys/irodsthat cannot remove it, as it does not exists). I am certain this is a bug in a/etc/init.d/irods - since the
stopandreloaded(which does not help, nor is implemented in irods service definition file) this means the native sysvinit service call cannot be used.
My implementation avoids use of service call and directly restarts the server in the same way as the service itself would (I looked into the /etc/init.d/irods, it is basically just /var/lib/irods/irodsctl script). Direct call does not fail the role, and we do not need to add into ansible the wrappers to catch errors. It also only fails when there is an actual error with irods server startup.
Problem with system service restarted call:
TASK [irods : Enable and iRODS service] *********************************************************************************************************************
fatal: [tunnel+irods-test]: FAILED! => changed=false
msg: 'Failed to restart service: irods'
rc: 1
stderr: |-
[1;33mNo iRODS servers running.[0m
rm: cannot remove ‘/var/lock/subsys/irods’: No such file or directory
stderr_lines: <omitted>
stdout: ''
stdout_lines: <omitted>
This bug can be also resolved by changing the /etc/init.d/irods line:
if [ "$DETECTEDOS" = "RedHatCompatible" -o "$DETECTEDOS" = "SuSE" ]; then
into
if [ "$DETECTEDOS" = "RedHatCompatible" -o "$DETECTEDOS" = "SuSE" ] && [ -e /var/lock/subsys/irods ]; then
There was a problem hiding this comment.
Bug confirmed, going to be fixed in upcoming versions: irods/irods#6053
roles/irods/tasks/pgsql.yml
Outdated
|
|
||
| - name: Creating irods sql user and granting privileges | ||
| - name: Restarting PGSQL and making sure it is enabled |
There was a problem hiding this comment.
Use a handler to restart services only when required.
|
|
||
| - name: Fix the s3 authentication by creating dummy s3auth file | ||
| ansible.builtin.copy: | ||
| content: | |
There was a problem hiding this comment.
When content is specified like this, we do not need the roles/irods/files/s3auth file anymore, right?
There was a problem hiding this comment.
Correct. Was doing it one way, then another. This is not needed anymore and will remove it ✅
roles/irods/tasks/icat.yml
Outdated
|
|
||
| - name: If missing, build 4096 bit DHparam /etc/irods/{{ irods_ssl_dh_params_file }} file (takes several minues ...) | ||
| ansible.builtin.command: | ||
| cmd: /bin/openssl dhparam -2 -out /etc/irods/{{ irods_ssl_dh_params_file }} 4096 | ||
| cmd: /bin/openssl dhparam -2 -out /etc/irods/{{ irods_ssl_dh_params_file }} 2048 |
There was a problem hiding this comment.
Comment still mentions 4096 bits. Why was this downgraded? (Note that 2048 bits will take less time, but does not comply with UMCG encryption policy.)
This is a rought version. The role works runs and can be repeatedly redeployed as a working
iRODS+davrods environment, but missing the
Description of major changes:
iRODS
roles/irods/templates/unattended_install.json.j2asinstead of having three separated files (
server_config.json.j2,service_account_environment.j2andhosts_config.json.j2) it contains allthe paramateres in one file. This is because the file was generated according
to the instructions in the role/README.md - that is, it was exported with the
used of command
izonereporton the working iCAT server.I believe this should be the recommended way anyway, instead of potentially
outdated online templates.
database
empty
database, but the installation script does try to restart service, and so this
is tried to be avoided
Davrods
Davrods templates folder contains the downloaded latest Davrods version, but
we made changes in the
Dockerfile
use of dhparam file, so it is appended at the end of the .cer file)
set up the davrods parameters
address for the Davrods. That address is using the internal (f.e.
10.10.2.123) address for the communication.
deploy-os_servers.yml
Opened the port 5432 for the PostgreSQL (for the use of live replication).
Updated README.md
Secrets