Repository: airavata Updated Branches: refs/heads/master 24f8b7f0f -> 45e8f654a
Moving dREG gateway to Jetstream; fixed selinux file contexts SELinux file contexts don't work with symlinks so I added a real_user_data_dir ansible variable to deal with that situation. Project: http://git-wip-us.apache.org/repos/asf/airavata/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/45e8f654 Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/45e8f654 Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/45e8f654 Branch: refs/heads/master Commit: 45e8f654a4bab789e272dda86d62f1969c11e227 Parents: 24f8b7f Author: Marcus Christie <[email protected]> Authored: Tue May 2 09:39:21 2017 -0400 Committer: Marcus Christie <[email protected]> Committed: Tue May 2 09:39:21 2017 -0400
----------------------------------------------------------------------
.../dreg-production/files/pga-ssl-vhost.conf.j2 | 31 +++++++++ .../dreg-production/group_vars/pga/vars.yml | 67 ++++++++++++++++++++ .../dreg-production/group_vars/pga/vault.yml | 18 ++++++ .../inventories/scigap/dreg-production/hosts | 21 ++++++ .../scigap/production/group_vars/all/vars.yml | 1 + dev-tools/ansible/roles/pga/defaults/main.yml | 2 + .../roles/pga/tasks/install_deps_CentOS_7.yml | 1 + dev-tools/ansible/roles/pga/tasks/main.yml | 3 +- 8 files changed, 143 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/dreg-production/files/pga-ssl-vhost.conf.j2
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/dreg-production/files/pga-ssl-vhost.conf.j2 b/dev-tools/ansible/inventories/scigap/dreg-production/files/pga-ssl-vhost.conf.j2
new file mode 100644
index 0000000..ee053cc
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/dreg-production/files/pga-ssl-vhost.conf.j2
@@ -0,0 +1,31 @@
+<VirtualHost *:80>
+ ServerName {{ vhost_servername }}
+ {% if vhost_serveralias is defined %}
+ ServerAlias {{ vhost_serveralias }}
+ {% endif %}
+
+ ## Redirect all http traffic to https
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ # Don't redirect /gbrowser and /gbfile requests to HTTPS
+ RewriteCond %{THE_REQUEST} !\s/(gbrowser|gbfile)
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{ vhost_servername }}
+ {% if vhost_serveralias is defined %}
+ ServerAlias {{ vhost_serveralias }}
+ {% endif %}
+
+ DocumentRoot {{ doc_root_dir }}/public
+ <Directory "{{ doc_root_dir }}/public">
+ AllowOverride All
+ </Directory>
+ ErrorLog {{ httpd_log_dir[ansible_os_family] }}/{{ gateway_id }}.error.log
+ CustomLog {{ httpd_log_dir[ansible_os_family] }}/{{ gateway_id }}.requests.log combined
+ SSLEngine on
+ SSLCertificateFile {{ ssl_certificate_file }}
+ SSLCertificateChainFile {{ ssl_certificate_chain_file }}
+ SSLCertificateKeyFile {{ ssl_certificate_key_file }}
+</VirtualHost>
http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vars.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vars.yml b/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vars.yml
new file mode 100644
index 0000000..4f15b2b
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vars.yml
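Review bot: The `<VirtualHost *:443>` block enables `SSLEngine on` but sets no `SSLProtocol` or `SSLCipherSuite`, so it runs on mod_ssl's server-level defaults; on CentOS 7 the packaged `ssl.conf` scopes those directives to its own `_default_:443` vhost, so they do not reach this one. Pin them explicitly next to the certificate lines, e.g. `SSLProtocol all -SSLv2 -SSLv3` and `SSLHonorCipherOrder on`, together with a cipher list the project agrees on. The `*:80` vhost exempts `/gbrowser` and `/gbfile` from the HTTPS redirect but declares no `DocumentRoot`, so those requests presumably fall through to the server-wide document root rather than `{{ doc_root_dir }}/public`; if that is intended, the `# Don't redirect` comment should say where they are served from. The same exemption means a `Strict-Transport-Security` header cannot be added to the 443 vhost without breaking those plain-HTTP paths, which is worth recording in that comment as well.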
@@ -0,0 +1,67 @@
+#
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+---
+
+user_data_dir: "/var/www/portals/gateway-user-data"
+real_user_data_dir: "/data/gateway-user-data"
+## Airavata Client related variables
+airavata_server: "tls://{{ groups['api-orch'][0] }}"
+airavata_port: "9930"
+# FIXME: temporarily turn off SSL verification for WSO2 IS
+auth_verify_peer: "false"
+
+pga_repo: "https://github.com/apache/airavata-php-gateway.git"
+git_branch: "dreg-gateway"
+user: "pga"
+group: "pga"
+doc_root_dir: "/var/www/portals/{{ gateway_id }}"
+vhost_servername: "dreg.dnasequence.org"
+vhost_ssl: True
+# TODO: have Ansible manage these files as well
+ssl_certificate_file: "/etc/letsencrypt/live/dreg.dnasequence.org/cert.pem"
+ssl_certificate_chain_file: "/etc/letsencrypt/live/dreg.dnasequence.org/fullchain.pem"
+ssl_certificate_key_file: "/etc/letsencrypt/live/dreg.dnasequence.org/privkey.pem"
+pga_ssl_vhost_template: "{{ inventory_dir }}/files/pga-ssl-vhost.conf.j2"
+
+## WSO2 IS related variables
+tenant_domain: "dreg.cornell"
+admin_username: "admin"
+admin_password: "{{ vault_admin_password }}"
+oauth_client_key: "{{ vault_oauth_client_key }}"
+oauth_client_secret: "{{ vault_oauth_client_secret }}"
+# dREG gateway
automatically gives users the gateway-user role so they don't have to wait on admin approval
+initial_role_name: "gateway-user"
+
+gateway_id: "cornelldna"
+# relative to document root dir
+experiment_data_dir: "{{ user_data_dir }}/cornell-dnasequence"
+gateway_data_store_resource_id: "gf4.ucs.indiana.edu_61552681-96f0-462a-a36c-a62a010bffc6"
+gateway_data_store_ssh_public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTs6k2lSt5nn+UF3N1rAko9WjdtHZ1xLcKxCG4+4AVMdTIeng12g+1qB5hIFiDgesT/D/nzoA27EFj5nWiYanxBySNgl1Re8kR0nEqQbR0zj1dSibmfjW+vmOZzEiNSrNoLlc4KbFgqFCRGIlZ1bWZ7yHtJ3I7xxfKhvvxCTzJ4K71v1aovnDTUYophy2lUsdOcOq84Qhv3ITZafgblz3mJSwVpnnI72IepzonzDUdcf/w0lKCl70L9MgQAZ2V4e9sQZWJLI5s1VtJsqKggtgI4goPyxXROoH9PTUZFqvvYjLGW8JVS9eZKblSKil09yckPfZCSk1i/UD/uY6O7bjf"
+
+## Portal related variables
+super_admin_portal: "false"
+admin_emails: "['[email protected]','[email protected]']"
+portal_email_username: "[email protected]"
+portal_email_password: "{{ vault_portal_email_password }}"
+# The portal theme is included in the dreg-gateway branch of airavata-php-gateway
+portal_theme: "dreg"
+portal_title: "dREG DNA Sequencing"
+...
http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vault.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vault.yml b/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vault.yml
new file mode 100644
index 0000000..eaca63b
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vault.yml
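Review bot: `auth_verify_peer: "false"` turns off TLS peer verification for the WSO2 IS client in a production inventory, and the `# FIXME: temporarily turn off SSL verification` comment records neither the cause nor a condition for restoring it; that connection carries `admin_password` and `oauth_client_secret`, which an unverified peer could capture. Extend the comment to something like `# FIXME(<ticket placeholder>): WSO2 IS certificate chain not trusted by the PHP client; restore to "true" once the CA is installed` (substituting the actual cause) so the exception has an owner and an exit condition. The `# relative to document root dir` comment above `experiment_data_dir` is misleading, since the value is built from the absolute `user_data_dir`; `# absolute path under user_data_dir` states what the line does. `vhost_ssl: True` should be the canonical lowercase `true`.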
@@ -0,0 +1,18 @@ +$ANSIBLE_VAULT;1.1;AES256 +37653231363231666433316261313238643763633234663866393832386236643436623566303263 +3334323065363831656435383564623034393661323037300a343263316666633131366134613661 +39633030386362623966303630653462373762373034323134356539313036376563613335383135 +3962646533323362370a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http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/dreg-production/hosts
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/dreg-production/hosts b/dev-tools/ansible/inventories/scigap/dreg-production/hosts
new file mode 100644
index 0000000..bbfc7c9
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/dreg-production/hosts
@@ -0,0 +1,21 @@
+---
+# inventory file : scigap production deployment
+
+[zookeeper]
+gf5.ucs.indiana.edu
+
+[rabbitmq]
+gf5.ucs.indiana.edu
+
+[database]
+gf3.ucs.indiana.edu
+
+[api-orch]
+gf5.ucs.indiana.edu
+
+[gfac]
+gf6.ucs.indiana.edu
+
+[pga]
+# Hosted on Jetstream
+149.165.156.72 ansible_user=centos
http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml b/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
index 756edea..2313795 100644
--- a/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
+++ b/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
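Review bot: The new inventory opens with `+---`, a YAML document marker that is not INI syntax; as far as I can tell the INI inventory parser treats it as a host named `---` in `ungrouped`, which would show up in `ansible -i <this inventory> all --list-hosts`, so drop that line and start the file with the `#` comment. The comment says `scigap production deployment` although this is the `dreg-production` inventory; change it to `# inventory file : scigap dreg-production deployment`. The `[pga]` entry is the only host given as a bare IP while every other group uses a DNS name; a comment on whether the Jetstream instance has a stable name, or why the IP is used instead, would help the next reader.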
@@ -113,6 +113,7 @@ monitor_email_password: "{{ vault_monitor_email_password }}"
 # PGA variables
 pga_repo: "https://github.com/apache/airavata-php-gateway.git"
 user_data_dir: "/var/www/portals/gateway-user-data"
+real_user_data_dir: "/data/gateway-user-data"
 ## Airavata Client related variables
 #airavata_server: "tls://gw77.iu.xsede.org"
 airavata_server: "tls://{{ groups['api-orch'][0] }}"
http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/roles/pga/defaults/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/defaults/main.yml b/dev-tools/ansible/roles/pga/defaults/main.yml
index e8f869b..f5fbad9 100644
--- a/dev-tools/ansible/roles/pga/defaults/main.yml
+++ b/dev-tools/ansible/roles/pga/defaults/main.yml
@@ -21,6 +21,8 @@
 ---
 doc_root_dir: "/var/www/{{ gateway_id }}"
 user_data_dir: "/var/www/user_data"
+# real_user_data_dir is the same as user_data_dir but without symbolic links in it
+real_user_data_dir: "{{ user_data_dir }}"
 vhost_servername: "{{ groups['pga'][0] }}"
 vhost_ssl: False
 httpd_confd_file_location:
http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml b/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml
index 649d333..2c5dc9f 100644
--- a/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml
+++ b/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml
@@ -25,6 +25,7 @@
 with_items:
 - git
 - httpd
+ - mod_ssl
 - php
 - php-soap
 - libselinux-python
http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/roles/pga/tasks/main.yml
----------------------------------------------------------------------
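Review bot: `real_user_data_dir: "/data/gateway-user-data"` is added to the production `vars.yml` with no explanation, while the role defaults in the next hunk do carry one, so a reader of this inventory cannot tell that the value must be the symlink-free target of `user_data_dir` or that SELinux labelling is the reason the two exist. Add the comment above it: `# symlink-free path that user_data_dir resolves to; SELinux file-context rules must use the real path`. The dreg-production `vars.yml` hunk introduces the same line with the same missing comment.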
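Review bot: Adding `- mod_ssl` to the unconditional `with_items` package list installs it on every CentOS 7 pga host, including those that keep the role default `vhost_ssl: False`; on CentOS 7 that package ships `/etc/httpd/conf.d/ssl.conf`, which listens on 443 with a self-signed localhost certificate from the next httpd restart. If only SSL-enabled gateways are meant to get it, move it to a separate package task guarded by `when: vhost_ssl`; otherwise state the reason inline, e.g. `- mod_ssl  # installed on all hosts because <reason placeholder>`. The task header that owns this `with_items` starts outside the hunk.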
diff --git a/dev-tools/ansible/roles/pga/tasks/main.yml b/dev-tools/ansible/roles/pga/tasks/main.yml
index 36ad77c..0ea5d63 100644
--- a/dev-tools/ansible/roles/pga/tasks/main.yml
+++ b/dev-tools/ansible/roles/pga/tasks/main.yml
@@ -67,7 +67,8 @@
 - name: set selinux context to allow read/write on the user data directory
 sefcontext:
- target: "{{ user_data_dir }}(/.*)?"
+ # For SELinux file contexts, the real path without symbolic links must be used
+ target: "{{ real_user_data_dir }}(/.*)?"
 setype: httpd_sys_rw_content_t
 state: present
 become: yes
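Review bot: Pointing `target` at `real_user_data_dir` fixes the rule, but `sefcontext` only records the file-context mapping; it does not relabel files already present under that directory (the module's `reload` option reloads policy, not labels), so on a host that already holds user data the old labels persist until `restorecon -R` runs. If the task list continuing past this hunk has no such step, add a `command: restorecon -R {{ real_user_data_dir }}` task right after this one, registered against this task so it runs only when the rule actually changed. A short `stat`-based check that `user_data_dir` really resolves to `real_user_data_dir` would also catch an inventory where the two diverge before the wrong path gets labelled. Both the task list and the play enclosing it begin and end outside the hunk.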
