Manager node
Note
Execute the following commands on the seed node, from within the manager environment (cd environments/manager) of the configuration repository.
The manager node is used to manage all other nodes of the environment. The use of a dedicated system is recommended. In many environments, one of the controller nodes is used as the manager node.
A different folder location for the virtual environment that will be created can be set with the environment variable VENV_PATH. This is required, for example, if the current folder path contains blank characters.
Various Ansible settings can be adjusted via environment variables.
To have Ansible prompt for the sudo password: ANSIBLE_BECOME_ASK_PASS=True
If secrets.yml files are encrypted with Ansible Vault, let Ansible prompt for the Vault password: ANSIBLE_ASK_VAULT_PASS=True
An overview of all parameters can be found at http://docs.ansible.com/ansible/devel/reference_appendices/config.html#environment-variables.
It is possible to manage more than one manager. In this case it may be useful to work with --limit.
If you get the error message ERROR! the playbook: osism.manager.keypair could not be found (or similar) with one of the following commands, the installed Ansible version is too old. In this case, delete the local .venv directory and run the script again. If another Ansible installation is used on the seed system instead of the local .venv directory, that installation must be updated accordingly.
Creation of the operator user
The operator user is created on each system. It is used as a service account for OSISM. All Docker containers run with this user. Ansible also uses this user to access the systems. Commands on the manager node need to be run as this user.
ANSIBLE_USER=osism ./run.sh operator
If a password is required to log in to the manager node, ANSIBLE_ASK_PASS=True must be set.
If an SSH key is required to log in to the manager node, the key has to be added on the manager node to ~/.ssh/authorized_keys in the home directory of the user specified as ANSIBLE_USER.
If the error ERROR! Attempting to decrypt but no vault secrets found occurs, ANSIBLE_ASK_VAULT_PASS=True has to be set.
If the error /bin/sh: 1: /usr/bin/python: not found occurs, Python has to be installed on the manager node by executing:
ANSIBLE_USER=osism ./run.sh python3
To verify the creation of the operator user, log in with the private key file id_rsa.operator. First purge all keys from the ssh-agent identity cache with ssh-add -D; the list printed by ssh-add -l should then be empty. Otherwise ssh offers the cached identities before the operator key, and a server with a low MaxAuthTries may close the connection before the operator key is tried. Replace dragon@testbed-manager with the operator user and the address of your manager node.
ssh-add -D
ssh -o IdentitiesOnly=yes -i environments/manager/id_rsa.operator dragon@testbed-manager
If you receive the error message ssh: Too many authentication failures, set the ANSIBLE_SSH_ARGS environment variable so that only the operator SSH key is used for authentication:
export ANSIBLE_SSH_ARGS="-o IdentitiesOnly=yes"
The warning message [WARNING]: running playbook inside collection osism.manager can be ignored.
If Ansible Vault is used, let Ansible ask for the Vault password:
export ANSIBLE_ASK_VAULT_PASS=True
A typical call to create the operator user looks like this:
ANSIBLE_BECOME_ASK_PASS=True \
ANSIBLE_ASK_VAULT_PASS=True \
ANSIBLE_ASK_PASS=True \
ANSIBLE_USER=osism \
./run.sh operator
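The verification above is easy to get wrong in ways that look like a broken operator user (a key file with loose permissions, a full ssh-agent, a password prompt hiding a key failure). The following helper, an added example that is not part of OSISM or of this documentation, runs those pre-flight checks and then performs the login with only the operator key and no interactive fallback. The key path, the target and the OPERATOR_KEY/TARGET variable names are assumptions matching the testbed example above; adjust them to your environment.

```shell
#!/bin/sh
# Added example, not OSISM code: pre-flight checks for verifying the operator
# user login with only the dedicated operator key.
# OPERATOR_KEY and TARGET are assumed defaults taken from the testbed example.

OPERATOR_KEY="${OPERATOR_KEY:-environments/manager/id_rsa.operator}"
TARGET="${TARGET:-dragon@testbed-manager}"

# Return 0 if the private key is a regular file readable only by its owner
# (mode 0600 or 0400); ssh refuses private keys with looser permissions.
operator_key_ok() {
    key="$1"
    [ -f "$key" ] || return 1
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of identities currently loaded in ssh-agent; 0 when no agent is
# reachable. Agent identities are offered before the -i key unless
# IdentitiesOnly=yes is set, which is what produces "Too many authentication
# failures" on a server with a low MaxAuthTries.
agent_identity_count() {
    out=$(ssh-add -l 2>/dev/null) || { echo 0; return 0; }
    printf '%s\n' "$out" | grep -c .
}

# Build the ssh command line that offers only the operator key and never
# falls back to a password prompt (BatchMode=yes), so a failure shows up as
# a non-zero exit status instead of an interactive hang.
# Key path and target must not contain whitespace (the string is word-split).
build_operator_ssh_cmd() {
    key="$1"; target="$2"
    printf 'ssh -o IdentitiesOnly=yes -o BatchMode=yes -i %s %s' "$key" "$target"
}

# Full verification: check the key, purge the agent, and log in once to
# confirm that the remote account is the user named in TARGET.
verify_operator_login() {
    key="$1"; target="$2"
    operator_key_ok "$key" || { echo "bad key file or permissions: $key" >&2; return 1; }
    ssh-add -D >/dev/null 2>&1 || true
    [ "$(agent_identity_count)" -eq 0 ] || { echo "ssh-agent still holds identities" >&2; return 1; }
    expected_user="${target%@*}"
    cmd=$(build_operator_ssh_cmd "$key" "$target")
    actual_user=$($cmd id -un) || return 1
    [ "$actual_user" = "$expected_user" ]
}

# Usage (not executed on load):
#   verify_operator_login "$OPERATOR_KEY" "$TARGET" && echo "operator login OK"
```

A non-zero exit from verify_operator_login with the "bad key file" message means the key on the seed node is the problem, not the playbook; a non-zero exit after the agent has been purged means the public key did not land in the operator user's authorized_keys on the target.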
Configuration of the network
Note
Most of the Ansible parameters used in the previous step (ANSIBLE_BECOME_ASK_PASS, ANSIBLE_ASK_PASS, ANSIBLE_USER, ...) are no longer necessary. If Ansible Vault is used, however, ANSIBLE_ASK_VAULT_PASS must still be set.
To prevent recurring installation of Ansible collections, export INSTALL_ANSIBLE_ROLES=False can be used.
Any network configuration already present on the system should be backed up before this step.
./run.sh network
Upon completion of the network configuration, reboot the system to ensure the configuration is functional and reboot safe. Since network services are not restarted automatically, later changes to the network configuration do not take effect until the network configuration is applied manually or the nodes are rebooted.
./run.sh reboot
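The backup the step above asks for is worth scripting, because after the reboot the only reliable way to tell a broken configuration from a changed one is to diff against what was there before. The following helper is an added example, not OSISM code, that archives the existing configuration directories into a timestamped tarball and lets you verify the archive contents before running the network step. The directory list is an assumption covering the common netplan, ifupdown, systemd-networkd and NetworkManager locations; extend NET_CONFIG_PATHS for your distribution.

```shell
#!/bin/sh
# Added example, not OSISM code: snapshot the existing network configuration
# before ./run.sh network rewrites it, and verify the archive afterwards.
# NET_CONFIG_PATHS is an assumed list of common configuration locations.

NET_CONFIG_PATHS="${NET_CONFIG_PATHS:-/etc/netplan /etc/network /etc/systemd/network /etc/NetworkManager/system-connections}"

# Print the configured paths that actually exist under root directory $1
# ("/" on a real host; a temporary directory when testing the helper).
existing_net_config() {
    root="$1"
    for p in $NET_CONFIG_PATHS; do
        [ -e "$root$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Create $2/network-config-<timestamp>.tar.gz from the existing paths under
# root $1 and print the archive path. Fails if nothing was found, so a typo
# in the root or path list cannot silently produce an empty backup.
backup_network_config() {
    root="$1"; dest="$2"
    paths=$(existing_net_config "$root")
    [ -n "$paths" ] || { echo "no network configuration found under $root" >&2; return 1; }
    mkdir -p "$dest" || return 1
    dest=$(cd "$dest" && pwd) || return 1
    archive="$dest/network-config-$(date +%Y%m%d-%H%M%S).tar.gz"
    # Archive relative to root (leading slash stripped) so it restores anywhere.
    (cd "$root" && tar -czf "$archive" $(printf '%s\n' "$paths" | sed 's#^/##')) || return 1
    # On a real host also record the live addresses and routes next to the
    # archive; that is what you compare against after the reboot.
    if [ "$root" = / ] && command -v ip >/dev/null 2>&1; then
        { ip -o addr; ip route; } > "$archive.ip-state.txt" 2>/dev/null || true
    fi
    printf '%s\n' "$archive"
}

# Return 0 if archive $1 lists the relative file path $2 (no leading slash).
backup_contains() {
    archive="$1"; file="$2"
    tar -tzf "$archive" 2>/dev/null | grep -qx "$file"
}

# Usage on the manager node (not executed on load):
#   archive=$(backup_network_config / /var/backups/osism) && backup_contains "$archive" etc/netplan/01-netcfg.yaml
```

Keep the archive off the node as well; if the new configuration leaves the node unreachable, the copy on the seed node is the one you will actually restore from.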
Bootstrap
Note
Most of the Ansible parameters used in the previous step (ANSIBLE_BECOME_ASK_PASS, ANSIBLE_ASK_PASS, ANSIBLE_USER, ...) are no longer necessary. If Ansible Vault is used, however, ANSIBLE_ASK_VAULT_PASS must still be set.
To prevent recurring installation of Ansible collections, export INSTALL_ANSIBLE_ROLES=False can be used.
Bootstrap the manager node:
./run.sh bootstrap
Reboot the manager node afterwards to ensure the changes are reboot safe:
./run.sh reboot
Deploy the configuration repository on the manager node:
./run.sh configuration
Deploy the traefik service:
./run.sh traefik
Deploy the netbox service:
./run.sh netbox
Deploy the manager service:
./run.sh manager
Ready. The manager is now prepared and you can continue with the bootstrap of the other nodes.