-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
iRODS: v0.9.8 #504
iRODS: v0.9.8 #504
Conversation
iRODS: readme update - added PN mail to todo iRODS: formatting fix - readme Update README.md iRODS: formatting - readme iRODS: edited readme
@@ -326,6 +326,16 @@ | |||
remote_ip_prefix: 0.0.0.0/0 | |||
wait: true | |||
timeout: "{{ openstack_api_timeout }}" | |||
- name: "Add rule to {{ slurm_cluster_name }}_irods security group: allow PostgreSQL inbound on port 5432." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe add to the ToDo list that like for iRODS port 1247, this port for PostgreSQL should be restricted to specific machines as opposed to allowing inbound traffic from anywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, for the SQL, we should have an IP whitelist yes. Added to the TODO.
For the iRODS 1247 on the other hand: we haven't yet agreed if we really want to limit the port 1247 to SURF side server only, as there was once mentioned that we might allow users to directly access iRODS over this protocol as well (some clients support it) - instead of going through Davrods.
roles/irods/tasks/icat.yml
Outdated
- irods-database-plugin-postgres | ||
- irods-server | ||
- irods-database-plugin-postgres | ||
- irods-resource-plugin-s3-4.2.10.0-1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it necessary to hard-code the version number for this S3 plugin?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct. Tested without - works. Removed in new commit.
roles/irods/tasks/icat.yml
Outdated
register: create_unattended_installation_json | ||
become: true | ||
|
||
# - name: Check if {{ irods_db_name }} database is available |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need the commented code or can this be deleted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was there, as this part was only recently changed. And was for the potential fallback. Removed now.
roles/irods/tasks/icat.yml
Outdated
|
||
# Start/stop/restart service call fails if with error if already in that state | ||
# so it's best if done via user call (as this is what the service does anyways) | ||
- name: Restart iRODS server manually via {{ irods_service_account }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Services should only be restarted if necessary. E.g. when some configuration has changed or software got updated. This should be moved to a handler
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
✔️ The new commit has (tested successfully) handlers.
Why the system service was not used: (the explanation for the rest):
Sysvinit service cannot be used, as ansible calls support only start
, stop
, restarted
and reloaded
:
- the
start
does not work - even when irods is shut down, it does not start it up (repeatably) and subsequent Davrods role fails - the
restarted
repeatably fails upon new installation when service is stillstopped
(see output below, but in short: service uses lock file/var/lock/subsys/irods
that cannot remove it, as it does not exists). I am certain this is a bug in a/etc/init.d/irods
- since the
stop
andreloaded
(which does not help, nor is implemented in irods service definition file) this means the native sysvinit service call cannot be used.
My implementation avoids use of service call and directly restarts the server in the same way as the service itself would (I looked into the /etc/init.d/irods
, it is basically just /var/lib/irods/irodsctl
script). Direct call does not fail the role, and we do not need to add into ansible the wrappers to catch errors. It also only fails when there is an actual error with irods server startup.
Problem with system service restarted
call:
TASK [irods : Enable and iRODS service] *********************************************************************************************************************
fatal: [tunnel+irods-test]: FAILED! => changed=false
msg: 'Failed to restart service: irods'
rc: 1
stderr: |-
[1;33mNo iRODS servers running.[0m
rm: cannot remove ‘/var/lock/subsys/irods’: No such file or directory
stderr_lines: <omitted>
stdout: ''
stdout_lines: <omitted>
This bug can be also resolved by changing the /etc/init.d/irods
line:
if [ "$DETECTEDOS" = "RedHatCompatible" -o "$DETECTEDOS" = "SuSE" ]; then
into
if [ "$DETECTEDOS" = "RedHatCompatible" -o "$DETECTEDOS" = "SuSE" ] && [ -e /var/lock/subsys/irods ]; then
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bug confirmed, going to be fixed in upcoming versions: irods/irods#6053
roles/irods/tasks/pgsql.yml
Outdated
|
||
- name: Creating irods sql user and granting privileges | ||
- name: Restarting PGSQL and making sure it is enabled |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use a handler
to restart services only when required.
|
||
- name: Fix the s3 authentication by creating dummy s3auth file | ||
ansible.builtin.copy: | ||
content: | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When content is specified like this, we do not need the roles/irods/files/s3auth
file anymore, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct. Was doing it one way, then another. This is not needed anymore and will remove it ✅
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work! Some small comments/questions. See inline comments for details.
roles/irods/tasks/icat.yml
Outdated
|
||
- name: If missing, build 4096 bit DHparam /etc/irods/{{ irods_ssl_dh_params_file }} file (takes several minues ...) | ||
ansible.builtin.command: | ||
cmd: /bin/openssl dhparam -2 -out /etc/irods/{{ irods_ssl_dh_params_file }} 4096 | ||
cmd: /bin/openssl dhparam -2 -out /etc/irods/{{ irods_ssl_dh_params_file }} 2048 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comment still mentions 4096 bits. Why was this downgraded? (Note that 2048 bits will take less time, but does not comply with UMCG encryption policy.)
This is a rought version. The role works runs and can be repeatedly redeployed as a working
iRODS+davrods environment, but missing the
Description of major changes:
iRODS
roles/irods/templates/unattended_install.json.j2
asinstead of having three separated files (
server_config.json.j2
,service_account_environment.j2
andhosts_config.json.j2
) it contains allthe paramateres in one file. This is because the file was generated according
to the instructions in the role/README.md - that is, it was exported with the
used of command
izonereport
on the working iCAT server.I believe this should be the recommended way anyway, instead of potentially
outdated online templates.
database
empty
database, but the installation script does try to restart service, and so this
is tried to be avoided
Davrods
Davrods templates folder contains the downloaded latest Davrods version, but
we made changes in the
Dockerfile
use of dhparam file, so it is appended at the end of the .cer file)
set up the davrods parameters
address for the Davrods. That address is using the internal (f.e.
10.10.2.123) address for the communication.
deploy-os_servers.yml
Opened the port 5432 for the PostgreSQL (for the use of live replication).
Updated README.md
Secrets