iRODS: v0.9.8 #504

Merged
merged 22 commits into from
Dec 16, 2021
fa57ead
added: security group iRODS open 443 port
scimerman Oct 29, 2021
c4aad84
Merged with iRODS v1
scimerman Dec 3, 2021
40de7bb
iRODS: v2 working irods & davrods - still WIP
scimerman Dec 1, 2021
a52b864
iRODS: add openstack open port for postgresql 5432 for live replication
scimerman Dec 1, 2021
81184a0
Removing stale developing test template from upstream
scimerman Dec 3, 2021
c0774ec
iRODS: minor bug fixes
scimerman Dec 3, 2021
c4b157e
iRODS: readme update
scimerman Dec 7, 2021
ebda4b9
"iRODS: fix faulty hostname lookup"
scimerman Dec 7, 2021
c576103
iRODS: split resource variable into local and default
scimerman Dec 8, 2021
d373d40
iRODS: updated README
scimerman Dec 8, 2021
9354902
iRODS: split resource variable fix
scimerman Dec 8, 2021
858275a
iRODS: fixed database hostname to use variable
scimerman Dec 8, 2021
9ab7597
fix: removed working temporary comments
scimerman Dec 8, 2021
1df6a11
iRODS: set 4 threads in core.re
scimerman Dec 8, 2021
8bfec36
iRODS: edited irods role README.md
scimerman Dec 8, 2021
a49f261
iRODS: Davrods default resource
scimerman Dec 8, 2021
a012dad
iRODS: aesthetic fix - port order
scimerman Dec 8, 2021
911baac
iRODS: moved the appending of dhparams to the chain from role into th…
scimerman Dec 8, 2021
08270ed
iRODS: PR fixes added
scimerman Dec 14, 2021
7d851ac
iRODS: davrods make hosting machine independent
scimerman Dec 14, 2021
905f130
iRODS: removed empty spaces and lines
scimerman Dec 14, 2021
0ac06cc
iRODS: fixed dhparams key size from 2048 to 4096
scimerman Dec 16, 2021
2 changes: 0 additions & 2 deletions roles/irods/files/s3auth

This file was deleted.

17 changes: 17 additions & 0 deletions roles/irods/handlers/main.yml
@@ -0,0 +1,17 @@
---
- name: Restarting PGSQL and making sure it is enabled
ansible.builtin.systemd:
name: postgresql
state: restarted
enabled: true
become: true
listen: restart_postgresql

# Start/stop/restart service call fails if with error if already in that state
# so it's best if done via user call (as this is what the service does anyways)
- name: Restart iRODS server manually as {{ irods_service_account }} user
command: /var/lib/irods/irodsctl restart
become_user: '{{ irods_service_account }}'
become: true
listen: irodsctl_restart
...
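Review bot: The iRODS restart handler calls bare `command:` while the PostgreSQL handler above it uses the fully qualified `ansible.builtin.systemd`; use `ansible.builtin.command` here so the file follows one style. The comment above that handler reads "fails if with error if already in that state"; reword it (for example "fails with an error if the service is already in that state") so the reason for bypassing the service module stays clear to the next maintainer.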
46 changes: 27 additions & 19 deletions roles/irods/tasks/icat.yml
@@ -1,3 +1,4 @@
---
# installing the iRODS ICAT
- name: Create {{ irods_service_account }} group
group:
Expand All @@ -18,14 +19,15 @@
loop:
- irods-server
- irods-database-plugin-postgres
- irods-resource-plugin-s3-4.2.10.0-1
- irods-resource-plugin-s3
- irods-rule-engine-plugin-python
become: true

- name: Make sure that the hostname is set correct FQDN name
ansible.builtin.hostname:
name: '{{ irods_icat_fqdn }}'
become: true
notify: irodsctl_restart

- name: Ensure that /etc/irods directory exists and is owned by {{ irods_service_account }}
ansible.builtin.file:
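Review bot: In the package loop, `irods-resource-plugin-s3` now appears without the `4.2.10.0-1` version suffix, so the package manager installs whichever plugin version the repository offers at run time, and a later rerun can produce a different build than the one that was tested. If the pin is dropped on purpose, consider moving the version into a role variable so that the server and plugin versions are chosen together and an upgrade is an explicit change in the repository.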
Expand All @@ -51,15 +53,17 @@
- name: '{{ irods_ssl_certificate_chain_file }}'
mode: '0644'
become: true
notify: irodsctl_restart

- name: If missing, build 4096 bit DHparam /etc/irods/{{ irods_ssl_dh_params_file }} file (takes several minues ...)
ansible.builtin.command:
cmd: /bin/openssl dhparam -2 -out /etc/irods/{{ irods_ssl_dh_params_file }} 4096
cmd: /bin/openssl dhparam -2 -out /etc/irods/{{ irods_ssl_dh_params_file }} 2048
Contributor

Comment still mentions 4096 bits. Why was this downgraded? (Note that 2048 bits will take less time, but does not comply with UMCG encryption policy.)

creates: /etc/irods/{{ irods_ssl_dh_params_file }}
register: result
failed_when:
- result.rc != 0
become: true
notify: irodsctl_restart

- name: Set ownership of {{ irods_ssl_dh_params_file }}
ansible.builtin.file:
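Review bot: The dhparam task is guarded by `creates:`, so changing the size argument in `cmd` only affects hosts where the file does not exist yet; a host that already generated its parameters keeps the old size and the play reports no change. If the size is meant to be enforced, add a check of the existing file (or remove it when the size differs) before this task. The task name also still says "4096 bit" next to a `cmd` line ending in `2048`, and "minues" should be "minutes"; `failed_when: result.rc != 0` repeats the module default and can be dropped together with `register: result` if nothing else reads it.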
Expand All @@ -77,21 +81,14 @@
register: create_unattended_installation_json
become: true

# - name: Check if {{ irods_db_name }} database is available
# postgresql_ping:
# db: "{{ irods_db_name }}"
# register: check_database
# become_user: postgres
# become: true
#
- name: Create a new database "{{ irods_db_name }}" if missing
postgresql_db:
name: "{{ irods_db_name }}"
state: present
# when: check_database.is_available is false
register: db_created
become_user: postgres
become: true
notify: irodsctl_restart

- name: Creating irods sql user and granting privileges
postgresql_user:
Expand All @@ -104,7 +101,7 @@
become: true

- name: Collect list of tables from existing {{ irods_db_name }}
ansible.builtin.command: psql -d ICAT -c '\dt'
ansible.builtin.command: 'psql -d {{ irods_db_name }} -c "\dt"'
changed_when: false
register: database_tables
become_user: postgres
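Review bot: The new `psql` line templates `{{ irods_db_name }}` into a single command string that the command module then splits into arguments, so a database name containing whitespace or quote characters would change the argument list. Passing the arguments as a list with `argv:` (`psql`, `-d`, the variable, `-c`, `\dt`) keeps the name as one argument whatever its content and removes the nested quoting.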
Expand All @@ -118,6 +115,7 @@
poll: 1
become_user: '{{ irods_service_account }}'
become: true
notify: irodsctl_restart

- name: Edit /etc/irods/core.re to enforce the use of the certificates
become: true
Expand All @@ -133,6 +131,20 @@
search_string: 'acSetNumThreads {msiSetNumThreads("default","default","default"); }'
line: 'acSetNumThreads {msiSetNumThreads("default","4","default"); }'

- name: Edit /etc/irods/core.re to set default resource to {{ irods_default_resource }}
become: true
lineinfile:
name: /etc/irods/core.re
search_string: 'acSetRescSchemeForCreate {msiSetDefaultResc("demoResc","null"); }'
line: 'acSetRescSchemeForCreate {msiSetDefaultResc("{{ irods_default_resource }}","null"); }'

- name: Edit /etc/irods/core.re to set default replication resource to {{ irods_default_resource }}
become: true
lineinfile:
name: /etc/irods/core.re
search_string: 'acSetRescSchemeForRepl {msiSetDefaultResc("demoResc","null"); }'
line: 'acSetRescSchemeForRepl {msiSetDefaultResc("{{ irods_default_resource }}","null"); }'

- name: Increase systcl limits to allow longer transfers
copy:
src: '{{ role_path }}/files/irods_fix.conf'
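Review bot: Both new `lineinfile` tasks use a `search_string` that contains the literal `demoResc`, so they only match while core.re still holds the stock value. After the first run the search no longer matches, and if `irods_default_resource` is changed later the new `line` is appended at the end of the file instead of replacing the earlier rule, which leaves two definitions of `acSetRescSchemeForCreate` and of `acSetRescSchemeForRepl` in core.re. Matching on the rule name with `regexp:` (any resource name inside `msiSetDefaultResc(...)`) keeps the edit idempotent when the value changes.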
Expand All @@ -152,16 +164,12 @@
group: '{{ irods_service_account }}'
become_user: '{{ irods_service_account }}'
become: true
notify: irodsctl_restart

- name: Enable and iRODS service
- name: Make sure iRODS service is enabled
sysvinit:
name: irods
enabled: true
state: started
become: true

# Start/stop/restart service call fails if with error if already in that state
# so it's best if done via user call (as this is what the service does anyways)
- name: Restart iRODS server manually via {{ irods_service_account }}
command: /var/lib/irods/irodsctl restart
become_user: '{{ irods_service_account }}'
become: true
...
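Review bot: The `sysvinit` task carries `state: started`, which goes through the same service call that the comment in this role describes as failing when the service is already in that state. With the restart now handled by `irodsctl_restart`, consider leaving only `enabled: true` on this task, or confirm that it is idempotent on a host where iRODS is already running. The module name is also unqualified; `ansible.builtin.sysvinit` would match the fully qualified names used elsewhere in this file.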
18 changes: 11 additions & 7 deletions roles/irods/tasks/pgsql.yml
Expand Up @@ -18,27 +18,31 @@
creates: /var/lib/pgsql/data/pg_hba.conf

- name: Fixing pg_hba.conf to permit ipv4localhost password authentication
become: true
lineinfile:
name: /var/lib/pgsql/data/pg_hba.conf
regexp: "host all all 127.0.0.1/32 ident"
line: "host all all 127.0.0.1/32 md5"
backrefs: true
register: fixipv4
notify:
- restart_postgresql
become: true

- name: Fixing pg_hba.conf to permit ipv6 localhost password authentication
become: true
lineinfile:
name: /var/lib/pgsql/data/pg_hba.conf
regexp: "host all all ::1/128 ident"
line: "host all all ::1/128 md5"
backrefs: true
register: fixipv6
notify:
- restart_postgresql
become: true

- name: Restarting PGSQL and making sure it is enabled
- name: Enable postgresl service
ansible.builtin.systemd:
name: postgresql
state: restarted
state: started
enabled: true
when: fixipv4.changed and fixipv6.changed
become: true
...
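Review bot: Both `lineinfile` tasks set the localhost auth method to `md5` in their `line:` value; if the PostgreSQL version deployed by this role is 10 or later, `scram-sha-256` (with a matching `password_encryption` setting before the iRODS user's password is set) is the stronger choice, and if the version is older that constraint is worth a comment next to these tasks. `register: fixipv4` and `register: fixipv6` are only read by the `when: fixipv4.changed and fixipv6.changed` line, so once the restart is driven by `notify: restart_postgresql` they can be removed. The task name "Enable postgresl service" has a typo ("postgresql").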