diff --git a/R/defaults/main.yml b/R/defaults/main.yml
index a9a3abb..957e200 100644
--- a/R/defaults/main.yml
+++ b/R/defaults/main.yml
@@ -21,6 +21,15 @@ r_packages_main_state: present
r_packages_state: '{{ r_packages_main_state }}'
r_plugins_from_deb: True
r_packages_cleanup: False
+r_packages_updater: False
+# They need to be flat text files available via http
+# 1 package per line
+#r_debian_packages_list_url
+# package[:cran mirror]
+# The CRAN mirror URL is optional
+#r_cran_packages_list_url
+# user/package_name
+#r_github_packages_list_url
r_source_plugins_dest_dir: /var/cache/R
diff --git a/R/tasks/main.yml b/R/tasks/main.yml
index b03dddb..8a22d0b 100644
--- a/R/tasks/main.yml
+++ b/R/tasks/main.yml
@@ -2,3 +2,4 @@
- include: r-packages_cleanup.yml
when: r_packages_cleanup
- include: r-installation.yml
+- include: r-packages-updater.yml
diff --git a/R/tasks/r-installation.yml b/R/tasks/r-installation.yml
index f15c330..93af5b3 100644
--- a/R/tasks/r-installation.yml
+++ b/R/tasks/r-installation.yml
@@ -102,6 +102,26 @@
tags: [ 'r_software', 'r_pkg', 'r_plugins', 'r_plugins_github' ]
ignore_errors: True
+- name: Install R packages from the cran sources, specific versions. First round
+ command: >
+ Rscript --slave --no-save --no-restore-history -e "if (! ('{{ item.name }}' %in% installed.packages()[,'Package'])) { install.packages('{{ r_source_plugins_dest_dir }}/{{ item.source }}', repos = NULL, type='source'); print('Added'); } else if (packageVersion('{{ item.name }}') != '{{ item.version }}') { install.packages('{{ r_source_plugins_dest_dir }}/{{ item.source }}', repos = NULL, type='source'); print('Added'); } else { print('Already Installed'); }"
+ register: install_s_plugins_result
+ failed_when: "install_s_plugins_result.rc != 0 or 'had non-zero exit status' in install_s_plugins_result.stderr"
+ changed_when: '"Added" in install_s_plugins_result.stdout'
+ with_items: '{{ r_plugins_from_sources | default([]) }}'
+ ignore_errors: True
+ tags: [ 'r_software', 'r_pkg', 'r_plugins', 'r_plugins_version' ]
+
+- name: Install R packages from the cran sources, specific versions. Second round, to avoid circular dependencies
+ command: >
+ Rscript --slave --no-save --no-restore-history -e "if (! ('{{ item.name }}' %in% installed.packages()[,'Package'])) { install.packages('{{ r_source_plugins_dest_dir }}/{{ item.source }}', repos = NULL, type='source'); print('Added'); } else if (packageVersion('{{ item.name }}') != '{{ item.version }}') { install.packages('{{ r_source_plugins_dest_dir }}/{{ item.source }}', repos = NULL, type='source'); print('Added'); } else { print('Already Installed'); }"
+ register: install_s_plugins_result
+ failed_when: "install_s_plugins_result.rc != 0 or 'had non-zero exit status' in install_s_plugins_result.stderr"
+ changed_when: '"Added" in install_s_plugins_result.stdout'
+ with_items: '{{ r_plugins_from_sources | default([]) }}'
+ when: ( install_s_plugins_result | failed )
+ tags: [ 'r_software', 'r_pkg', 'r_plugins', 'r_plugins_version' ]
+
- name: Remove R unwanted packages
command: >
Rscript --slave --no-save --no-restore-history -e "if (! ('{{ item }}' %in% installed.packages()[,'Package'])) { print('Not installed'); } else { remove.packages(pkgs='{{ item }}'); print('Removed'); }"
@@ -111,3 +131,4 @@
with_items: '{{ r_plugins_list_to_remove | default([]) }}'
when: r_plugins_list_to_remove is defined
tags: [ 'r_software', 'r_pkg', 'r_plugins' ]
+
diff --git a/R/tasks/r-packages-updater.yml b/R/tasks/r-packages-updater.yml
new file mode 100644
index 0000000..97a1f6f
--- /dev/null
+++ b/R/tasks/r-packages-updater.yml
@@ -0,0 +1,27 @@
+---
+- block:
+ - name: Install the R packages updater script
+ template: src=update_r_packages.sh.j2 dest=/usr/local/bin/update_r_packages owner=root group=root mode=0755
+
+ - name: Cron job that installs new R packages, if any
+ cron: name="install new R packages" user=root cron_file=install-r-packages minute="*/10" job="/usr/local/bin/update_r_packages install" state=present
+
+ - name: Cron job that upgrades existing R packages and installs new ones, if any
+ cron: name="install new R packages" user=root cron_file=upgrade-r-packages hour="3" job="/usr/local/bin/update_r_packages upgrade" state=present
+
+ when: r_packages_updater
+ tags: [ 'r_software', 'r_pkg', 'r_plugins', 'r_plugins_github', 'r_cran_pkgs', 'r_github_pkgs' ]
+
+
+- block:
+ - name: Remove the R packages updater script
+ file: dest=/usr/local/bin/update_r_packages state=absent
+
+ - name: Remove the cron job that installs new R packages
+ cron: name="install new R packages" user=root minute="*/10" cron_file=install-r-packages job="/usr/local/bin/update_r_packages install" state=absent
+
+ - name: Remove the cron job that upgrades existing R packages and installs new ones
+ cron: name="install new R packages" user=root cron_file=upgrade-r-packages hour="3" job="/usr/local/bin/update_r_packages upgrade" state=absent
+
+ when: not r_packages_updater
+ tags: [ 'r_software', 'r_pkg', 'r_plugins', 'r_plugins_github', 'r_cran_pkgs', 'r_github_pkgs' ]
diff --git a/R/templates/Rprofile.site.j2 b/R/templates/Rprofile.site.j2
index 660168d..3a6136d 100644
--- a/R/templates/Rprofile.site.j2
+++ b/R/templates/Rprofile.site.j2
@@ -4,26 +4,9 @@
## Copyright (C) 2008 Dirk Eddelbuettel and GPL'ed
##
## see help(Startup) for documentation on ~/.Rprofile and Rprofile.site
- #
- # NOTE: managed by ansible
- #
-
-# ## Example of .Rprofile
-# options(width=65, digits=5)
-# options(show.signif.stars=FALSE)
-# setHook(packageEvent("grDevices", "onLoad"),
-# function(...) grDevices::ps.options(horizontal=FALSE))
-# set.seed(1234)
-# .First <- function() cat("\n Welcome to R!\n\n")
-# .Last <- function() cat("\n Goodbye!\n\n")
-
-# ## Example of Rprofile.site
-# local({
-# # add MASS to the default packages, set a CRAN mirror
-# old <- getOption("defaultPackages"); r <- getOption("repos")
-# r["CRAN"] <- "http://my.local.cran"
-# options(defaultPackages = c(old, "MASS"), repos = r)
-#})
+#
+# NOTE: managed by ansible
+#
local({r <- getOption("repos")
r["CRAN"] <- "{{ r_cran_mirror_site }}"
options(repos=r)
diff --git a/R/templates/update_r_packages.sh.j2 b/R/templates/update_r_packages.sh.j2
new file mode 100644
index 0000000..029573e
--- /dev/null
+++ b/R/templates/update_r_packages.sh.j2
@@ -0,0 +1,177 @@
+#!/bin/bash
+
+RETVAl=
+PARAMS=$#
+ACTION=$1
+PROCNUM=$$
+OLDPROC=
+OLDPROC_RUNNING=
+LOCKDIR=/var/run
+LOCK_FILE=$LOCKDIR/.update_r_pkgs.lock
+TMP_FILES_DIR=/var/tmp/r_pkgs_update
+# We cannot answer questions
+DEBIAN_FRONTEND=noninteractive
+R_CRAN_MIRROR={{ r_cran_mirror_site }}
+# - debian packages list format:
+# one package per line
+DEB_PKGS_SKIP=0
+DEBIAN_PKGS_LIST_URL={{ r_debian_packages_list_url | default('') }}
+PKGS_LIST=
+# - R packages list format:
+# name[:mirror]
+CRAN_PKGS_SKIP=0
+R_PKGS_LIST_URL={{ r_cran_packages_list_url | default('') }}
+R_PKGS_LIST=
+# - R packages from github list format:
+# - owner/package
+GITHUB_PKGS_SKIP=0
+R_PKGS_FROM_GITHUB_LIST_URL={{ r_github_packages_list_url | default('') }}
+R_PKGS_GITHUB=
+
+trap "{ logger 'update_r_packages: trap intercepted, exiting.' ; cleanup ; exit 15 }" SIGHUP SIGINT SIGTERM
+
+function cleanup() {
+ logger "update_r_packages: cleaning up"
+ rm -f $LOCK_FILE
+ rm -fr $TMP_FILES_DIR
+}
+
+function usage() {
+ if [ $PARAMS -ne 1 ] ; then
+ echo "Need at least an argument: 'upgrade' or 'install'."
+ echo "- 'upgrade' installs new packages and upgrades the existin ones when needed."
+ echo "- 'install' installs new packages."
+ cleanup
+ exit 1
+ fi
+}
+
+function get_args() {
+ if [ "$ACTION" != "upgrade" -a "$ACTION" != "install" ] ; then
+ usage
+ fi
+}
+
+function fail() {
+ logger "Something went wrong, exiting."
+ cleanup
+ exit 1
+}
+
+
+function init_env() {
+ if [ -f $LOCK_FILE ] ; then
+ OLDPROC=$( cat $LOCK_FILE )
+ OLDPROC_RUNNING=$( ps auwwx | grep -v grep | grep $OLDPROC )
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ] ; then
+ logger "update_r_packages: $OLDPROC_RUNNING"
+ logger "update_r_packages: another process is running, exiting."
+ exit 0
+ else
+ logger "update_r_packages: lock file exist but the process not. Continuing."
+ rm -fr $TMP_FILES_DIR
+ fi
+ fi
+ RETVAL=
+ echo "$PROCNUM" > $LOCK_FILE
+ mkdir -p $TMP_FILES_DIR
+}
+
+function get_data_files() {
+ # Get the packages list
+ if [ -z $DEBIAN_PKGS_LIST_URL ] ; then
+ DEB_PKGS_SKIP=1
+ logger "update_r_packages: the debian packages list is not available."
+ else
+ PKGS_LIST=$( mktemp $TMP_FILES_DIR/rdebs.XXXXXXX )
+ logger "update_r_packages: getting the debian packages list."
+ wget -q -o /dev/null -O $PKGS_LIST $DEBIAN_PKGS_LIST_URL
+ fi
+ if [ -z $R_PKGS_LIST_URL ] ; then
+ CRAN_PKGS_SKIP=1
+ logger "update_r_packages: the CRAN packages list is not available."
+ else
+ R_PKGS_LIST=$( mktemp $TMP_FILES_DIR/rpkgs.XXXXXXX )
+ logger "update_r_packages: getting the R packages list that will be installed from CRAN"
+ wget -q -o /dev/null -O $R_PKGS_LIST $R_PKGS_LIST_URL
+ fi
+ if [ -z $R_PKGS_FROM_GITHUB_LIST_URL ] ; then
+ GITHUB_PKGS_SKIP=1
+ logger "update_r_packages: the Github packages list is not available."
+ else
+ R_PKGS_GITHUB=$( mktemp $TMP_FILES_DIR/rpkgsgithub.XXXXXXX )
+ logger "update_r_packages: getting the R packages list that will be installed from github"
+ wget -q -o /dev/null -O $R_PKGS_GITHUB $R_PKGS_FROM_GITHUB_LIST_URL
+ fi
+}
+
+function debian_pkgs() {
+ if [ $DEB_PKGS_SKIP -eq 0 ] ; then
+ # Update the apt cache and install the packages in non interactive mode
+ logger "update_r_packages: Installing the debian dependencies"
+ if [ -z "$(find /var/cache/apt/pkgcache.bin -mmin -360)" ]; then
+ apt-get update -q >/dev/null 2>&1
+ else
+ logger "update_r_packages: APT cache not updated"
+ fi
+ xargs -a <(awk '/^\s*[^#]/' "$PKGS_LIST") -r -- apt-get install -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold"
+ else
+ logger "update_r_packages: skipping the debian packages installation"
+ fi
+}
+
+function r_cran_pkgs() {
+ if [ $CRAN_PKGS_SKIP -eq 0 ] ; then
+ logger "update_r_packages: Installing R packages from CRAN"
+ for l in $( cat $R_PKGS_LIST ) ; do
+ pkg=$( echo $l | cut -d : -f 1 )
+ is_mirror_ret=
+ is_mirror=$( echo $l | grep ':' )
+ is_mirror_ret=$?
+ if [ $is_mirror_ret -eq 0 ] ; then
+ mirror=$( echo $l | cut -d : -f 2 )
+ else
+ mirror=$R_CRAN_MIRROR
+ fi
+ if [ "$ACTION" == "upgrade" ] ; then
+ Rscript --slave --no-save --no-restore-history -e "install.packages(pkgs='$pkg', repos=c('$mirror/'));"
+ else
+ Rscript --slave --no-save --no-restore-history -e "if (! ('$pkg' %in% installed.packages()[,'Package'])) { install.packages(pkgs='$pkg', repos=c('$mirror/')); }"
+ fi
+ done
+ else
+ logger "update_r_packages: skipping the R CRAN packages installation"
+ fi
+}
+
+function r_github_pkgs() {
+ if [ $GITHUB_PKGS_SKIP -eq 0 ] ; then
+ logger "update_r_packages: Installing R packages from Github"
+ for l in $( cat $R_PKGS_GITHUB ) ; do
+ pkg=$( echo $l | cut -d "/" -f 2 )
+ user=$( echo $l | cut -d "/" -f 1 )
+ if [ "$ACTION" == "upgrade" ] ; then
+ Rscript --slave --no-save --no-restore-history -e "require(devtools); require(methods); install_github('$l');"
+ else
+ Rscript --slave --no-save --no-restore-history -e "if (! ('$pkg' %in% installed.packages()[,'Package'])) { require(devtools); require(methods) ; install_github('$l'); }"
+ fi
+ done
+ else
+ logger "update_r_packages: skipping the R GitHub packages installation"
+ fi
+}
+
+#########
+# Main
+#
+
+usage
+get_args
+init_env
+get_data_files
+debian_pkgs
+r_cran_pkgs
+r_github_pkgs
+cleanup
+exit 0
diff --git a/ckan/ckan/defaults/main.yml b/ckan/ckan/defaults/main.yml
index 9cf7718..a2434a2 100644
--- a/ckan/ckan/defaults/main.yml
+++ b/ckan/ckan/defaults/main.yml
@@ -55,7 +55,7 @@ ckan_ldap_username: uid
ckan_ldap_email: mail
ckan_ldap_prevent_edits: True
ckan_ldap_fallback: True
-ckan_ckanext_lire: True
+ckan_ckanext_lire: False
ckan_ckanext_lire_n: lire
ckan_ckanext_lire_url: 'https://github.com/milicp/ckanext-lire.git'
diff --git a/ckan/ckan/tasks/ckan.yml b/ckan/ckan/tasks/ckan.yml
index c42bd6c..3f0e644 100644
--- a/ckan/ckan/tasks/ckan.yml
+++ b/ckan/ckan/tasks/ckan.yml
@@ -14,6 +14,11 @@
notify: Restart CKAN
tags: [ 'ckan', 'ckan_ini' ]
+- name: Install the apache.wsgi
+ template: src=apache.wsgi.j2 dest={{ ckan_confdir }}/apache.wsgi
+ notify: Restart CKAN
+ tags: [ 'ckan', 'apache' ]
+
- name: Create the base directory for the CKAN file storage
file: dest={{ ckan_file_storage_dir }} state=directory owner={{ apache_user }} group={{ ckan_shell_user }} mode=2770
tags: ckan
diff --git a/ckan/ckan/templates/apache.wsgi.j2 b/ckan/ckan/templates/apache.wsgi.j2
new file mode 100644
index 0000000..4418d33
--- /dev/null
+++ b/ckan/ckan/templates/apache.wsgi.j2
@@ -0,0 +1,14 @@
+import os
+activate_this = os.path.join('/usr/lib/ckan/default/bin/activate_this.py')
+execfile(activate_this, dict(__file__=activate_this))
+
+from paste.deploy import loadapp
+
+config_filepath = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'production.ini')
+from paste.script.util.logging_config import fileConfig
+fileConfig(config_filepath)
+_application = loadapp('config:%s' % config_filepath)
+
+def application(environ, start_response):
+ environ['wsgi.url_scheme'] = environ.get('HTTP_X_URL_SCHEME', 'http')
+ return _application(environ, start_response)
diff --git a/gcube/authorization_service/tasks/main.yml b/gcube/authorization_service/tasks/main.yml
index 5c33207..42518db 100644
--- a/gcube/authorization_service/tasks/main.yml
+++ b/gcube/authorization_service/tasks/main.yml
@@ -11,11 +11,19 @@
- '{{ auth_instance_path }}/webapps/authorization-service.war'
when: authorization_service_upgrade or not authorization_service_install
- - name: Get the authorization service war file
- get_url: url={{ authorization_service_url }} dest={{ auth_instance_path }}/webapps/{{ authorization_service_file }}
+ # - name: Get the authorization service war file
+ # get_url: url={{ authorization_service_url }} dest={{ auth_instance_path }}/webapps/{{ authorization_service_file }}
- - name: Unpack the authorization service war file
- shell: mkdir {{ auth_instance_path }}/webapps/authorization-service ; cd {{ auth_instance_path }}/webapps/authorization-service ; jar xf {{ auth_instance_path }}/webapps/{{ authorization_service_file }}
+ # - name: Unpack the authorization service war file
+ # shell: mkdir {{ auth_instance_path }}/webapps/authorization-service ; cd {{ auth_instance_path }}/webapps/authorization-service ; jar xf {{ auth_instance_path }}/webapps/{{ authorization_service_file }}
+ # args:
+ # creates: '{{ auth_instance_path }}/webapps/authorization-service/WEB-INF/AuthorizationConfiguration.xml'
+
+ - name: Create the authorization service webapp directory
+ file: dest={{ auth_instance_path }}/webapps/authorization-service state=directory
+
+ - name: Get and unpack the authorization war file
+ unarchive: copy=no src={{ authorization_service_url }} dest={{ auth_instance_path }}/webapps/authorization-service
args:
creates: '{{ auth_instance_path }}/webapps/authorization-service/WEB-INF/AuthorizationConfiguration.xml'
diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml
index 865908e..3281842 100644
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@@ -21,3 +21,7 @@ haproxy_nagios_check: False
# It's a percentage
haproxy_nagios_check_w: 70
haproxy_nagios_check_c: 90
+
+haproxy_check_interval: 3s
+haproxy_backend_maxconn: 2048
+
diff --git a/letsencrypt-acmetool-client/tasks/main.yml b/letsencrypt-acmetool-client/tasks/main.yml
index 98cbdf1..7b7a3e5 100644
--- a/letsencrypt-acmetool-client/tasks/main.yml
+++ b/letsencrypt-acmetool-client/tasks/main.yml
@@ -112,7 +112,9 @@
tags: letsencrypt
- name: Install a daily cron job to renew the certificates when needed
- cron: name="Letsencrypt certificate renewal" special_time=daily job="/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1" user={{ letsencrypt_acme_user }}
+ become: True
+ become_user: '{{ letsencrypt_acme_user }}'
+ cron: name="Letsencrypt certificate renewal" special_time=daily job="/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1"
when: letsencrypt_acme_install
tags: letsencrypt
diff --git a/nginx/templates/nginx-proxy-params.conf.j2 b/nginx/templates/nginx-proxy-params.conf.j2
index 68ffc90..f8cb3b0 100644
--- a/nginx/templates/nginx-proxy-params.conf.j2
+++ b/nginx/templates/nginx-proxy-params.conf.j2
@@ -1,10 +1,14 @@
# Proxy stuff
# include /etc/nginx/snippets/nginx-proxy-params.conf;
proxy_http_version 1.1;
+{% if haproxy_ips is defined %}
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $remote_addr;
proxy_set_header X-Forwarded-Server $host;
+{% else %}
+proxy_set_header Host $host;
+{% endif %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering {{ nginx_proxy_buffering }};
diff --git a/openvpn/defaults/main.yml b/openvpn/defaults/main.yml
index bf13e47..3802691 100644
--- a/openvpn/defaults/main.yml
+++ b/openvpn/defaults/main.yml
@@ -47,10 +47,15 @@ openvpn_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
openvpn_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
openvpn_key: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
+openvpn_ha: False
+# Not a real master. It is only the host where the dh.pem and ta.key are generated
+openvpn_master_host: 'localhost'
+openvpn_is_master_host: False
+
openvpn_compression_enabled: False
openvpn_keepalive: '10 120'
-openvpn_max_clients: 50
+openvpn_max_clients: 100
openvpn_run_unprivileged: True
openvpn_unprivileged_user: nobody
openvpn_unprivileged_group: nogroup
diff --git a/openvpn/tasks/openvpn.yml b/openvpn/tasks/openvpn.yml
index b3146aa..600f039 100644
--- a/openvpn/tasks/openvpn.yml
+++ b/openvpn/tasks/openvpn.yml
@@ -71,6 +71,10 @@
template: src=openvpn.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
notify: Reload OpenVPN
+ tags: [ 'openvpn', 'openvpn_conf' ]
+
+
+- block:
- name: Create the dh file
shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 ; chmod 444 {{ openvpn_conf_dir }}/dh2048.pem
args:
@@ -81,8 +85,23 @@
args:
creates: '{{ openvpn_conf_dir }}/ta.key'
+ when: openvpn_is_master_host or not openvpn_ha
tags: [ 'openvpn', 'openvpn_conf' ]
+# Does not work right now. The error is
+# fatal: [gw2.d4science.org -> gw1.d4science.org]: FAILED! => {"changed": false, "failed": true, "msg": "Boolean root not in either boolean list"}
+# - block:
+# - name: Get the dh file from the master host
+# synchronize: src={{ openvpn_conf_dir }}/dh2048.pem dest=rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem
+# delegate_to: '{{ openvpn_master_host }}'
+
+# - name: Get the ta key from the master host
+# synchronize: src={{ openvpn_conf_dir }}/ta.key dest=rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key
+# delegate_to: '{{ openvpn_master_host }}'
+
+# when: openvpn_ha and not openvpn_is_master_host
+# tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
+
- block:
- name: Enable kernel forwarding
diff --git a/openvpn/templates/auth-ldap.pl.j2 b/openvpn/templates/auth-ldap.pl.j2
index 8bd14ae..12ec825 100644
--- a/openvpn/templates/auth-ldap.pl.j2
+++ b/openvpn/templates/auth-ldap.pl.j2
@@ -31,7 +31,7 @@ $ldap = Net::LDAP->new($opt_uri) or die("LDAP connect to $opt_uri failed!");
{% endif %}
{% if openvpn_ldap_nonanon_bind %}
-$result = $ldap->bind('{{ openvpn_ldap_binddn }}', password => '{{ openvpn_ldap_bindpwd }}');
+$result = $ldap->bind('{{ openvpn_ldap_binddn }}', password => '{{ openvpn_ldap_bindpwd | default('') }}');
{% else %}
$result = $ldap->bind($opt_binddn, password => $opt_passwd);
{% endif %}
diff --git a/orientdb/templates/orientdb-server-config.xml.j2 b/orientdb/templates/orientdb-server-config.xml.j2
index bbc1583..c856dc3 100644
--- a/orientdb/templates/orientdb-server-config.xml.j2
+++ b/orientdb/templates/orientdb-server-config.xml.j2
@@ -84,7 +84,7 @@
-
+
diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml
index c2bfe8f..a890f06 100644
--- a/postgresql/defaults/main.yml
+++ b/postgresql/defaults/main.yml
@@ -12,7 +12,7 @@ psql_pgpool_pkg_state: installed
#
# See the features matrix here: http://www.postgresql.org/about/featurematrix/
#
-psql_version: 9.4
+psql_version: 9.5
psql_db_host: localhost
psql_db_port: 5432
psql_db_size_w: 150000000
@@ -54,7 +54,7 @@ postgresql_pkgs:
psql_ansible_needed_pkgs:
- python-psycopg2
-# - libpq-dev
+
psql_db_name: db_name
psql_db_user: db_user
psql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
@@ -75,6 +75,7 @@ postgresql_pgpool_pkgs:
# pgpool-II
pgpool_pkgs:
- pgpool2
+ - iputils-arping
pgpool_enabled: True
pgpool_listen_addresses: 'localhost'
@@ -126,6 +127,20 @@ pgpool_memqcache_memcached_host: localhost
pgpool_memqcache_memcached_port: 11211
pgpool_memqcache_expire: 0
pgpool_memqcache_auto_cache_invalidation: 'on'
+# HA and watchdog
+pgpool_use_watchdog: 'off'
+pgpool_wd_trusted_servers: 'localhost,localhost'
+pgpool_wd_port: 9000
+pgpool_wd_priority: 1
+# Warning: setting pgpool_wd_heartbeat_mode to False enables
+# the 'query mode' that is untested and not working without manual intervention
+pgpool_wd_heartbeat_mode: True
+pgpool_wd_heartbeat_port: 9694
+pgpool_wd_heartbeat_keepalive_int: 3
+pgpool_wd_heartbeat_deadtime: 30
+pgpool_wd_heartbeat_dest0: 'localhost'
+pgpool_wd_heartbeat_dest0_port: '{{ pgpool_wd_heartbeat_port }}'
+#pgpool_wd_authkey: 'set it inside a vault file'
# SSL as a special case
pgpool_enable_ssl: False
@@ -134,6 +149,8 @@ pgpool_ssl_key: /etc/pki/pgpool2/pgpool2.key
pgpool_ssl_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
pgpool_ssl_ca_dir: /etc/ssl/certs
+pgpool_virtual_ip: 127.0.0.1
+pgpool_virtual_netmask: 24
# WAL files archiving is mandatory for pgpool recovery
psql_wal_files_archiving_enabled: '{{ psql_pgpool_install }}'
diff --git a/postgresql/files/arping_script b/postgresql/files/arping_script
new file mode 100644
index 0000000..ae7479f
--- /dev/null
+++ b/postgresql/files/arping_script
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Exec /usr/bin/arping as root via sudo
+
+RETVAL=
+CMD=/usr/bin/arping
+
+sudo $CMD $@
+RETVAL=$?
+
+exit $RETVAL
+
diff --git a/postgresql/files/ip_script b/postgresql/files/ip_script
new file mode 100644
index 0000000..225bbb7
--- /dev/null
+++ b/postgresql/files/ip_script
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Exec /sbin/ip as root via sudo
+
+RETVAL=
+CMD=/sbin/ip
+
+sudo $CMD $@
+RETVAL=$?
+
+exit $RETVAL
+
diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml
index 36fe4d1..7493541 100644
--- a/postgresql/tasks/main.yml
+++ b/postgresql/tasks/main.yml
@@ -5,8 +5,6 @@
when: psql_postgresql_install
- include: postgis.yml
when: postgres_install_gis_extensions
-- include: postgres_pgpool.yml
- when: psql_pgpool_install
- include: postgresql-config.yml
when: psql_postgresql_install
- include: postgresql-ssl-config.yml
@@ -19,6 +17,10 @@
when:
- psql_postgresql_install
- psql_db_data is defined
+- include: postgresql-service-status.yml
+ when: psql_postgresql_install
+- include: postgres_pgpool.yml
+ when: psql_pgpool_install
- include: manage_pg_db.yml
when:
- psql_postgresql_install
diff --git a/postgresql/tasks/manage_pg_db.yml b/postgresql/tasks/manage_pg_db.yml
index 01ba1e7..dd1518b 100644
--- a/postgresql/tasks/manage_pg_db.yml
+++ b/postgresql/tasks/manage_pg_db.yml
@@ -12,7 +12,7 @@
become_user: postgres
postgresql_db: db={{ item.name }} port={{ psql_db_port }} encoding={{ item.encoding }} owner={{ item.user }} template=template0 state={{ item.state | default('present') }}
with_items: '{{ psql_db_data | default(omit) }}'
- when: item.managedb
+ when: item.managedb | default(True)
tags: [ 'postgresql', 'postgres', 'pg_db' ]
- name: Only set a db user password. Mostly for the postgresql user
diff --git a/postgresql/tasks/packages.yml b/postgresql/tasks/packages.yml
index c9d53ac..cc61f11 100644
--- a/postgresql/tasks/packages.yml
+++ b/postgresql/tasks/packages.yml
@@ -10,13 +10,3 @@
with_items: '{{ psql_ansible_needed_pkgs }}'
tags: [ 'postgresql', 'postgres' ]
-- name: Ensure that the postgresql server is started
- service: name=postgresql state=started enabled=yes
- when: postgresql_enabled
- tags: [ 'postgresql', 'postgres' ]
-
-- name: Ensure that the postgresql server is stopped and disabled
- service: name=postgresql state=stopped enabled=no
- when: not postgresql_enabled
- tags: [ 'postgresql', 'postgres' ]
-
diff --git a/postgresql/tasks/pgpool-ii.yml b/postgresql/tasks/pgpool-ii.yml
index 03de025..90f988d 100644
--- a/postgresql/tasks/pgpool-ii.yml
+++ b/postgresql/tasks/pgpool-ii.yml
@@ -1,41 +1,80 @@
---
-- name: Install the pgpool package
- apt: name={{ item }} state={{ psql_pgpool_pkg_state }}
- with_items: '{{ pgpool_pkgs }}'
- tags: [ 'postgresql', 'postgres', 'pgpool' ]
+- block:
+ - name: Install the pgpool package
+ apt: name={{ item }} state={{ psql_pgpool_pkg_state }}
+ with_items: '{{ pgpool_pkgs }}'
-- name: Configure pcp
- #template: src=pcp.conf.j2 dest=/etc/pgpool2/pcp.conf owner=root group=postgres mode=0640
- shell: pwd=`pg_md5 {{ pcp_pwd }}` ; echo "{{ pgpool_pcp_user }}:${pwd}" > /etc/pgpool2/pcp.conf ; chmod 640 /etc/pgpool2/pcp.conf; chown root:postgres /etc/pgpool2/pcp.conf
+ - name: Configure pcp
+ #template: src=pcp.conf.j2 dest=/etc/pgpool2/pcp.conf owner=root group=postgres mode=0640
+ shell: pwd=`pg_md5 {{ pcp_pwd }}` ; echo "{{ pgpool_pcp_user }}:${pwd}" > /etc/pgpool2/pcp.conf ; chmod 640 /etc/pgpool2/pcp.conf; chown root:postgres /etc/pgpool2/pcp.conf
+
+ - name: Install the pgpool configuration file
+ template: src=pgpool.conf.j2 dest=/etc/pgpool2/pgpool.conf owner=root group=postgres mode=0640
+ notify: Restart pgpool2
+
+ - name: Give access to the remote postgresql clients
+ lineinfile: name=/etc/pgpool2/pool_hba.conf regexp="^host {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+ with_subelements:
+ - '{{ psql_db_data | default([]) }}'
+ - allowed_hosts
+ when:
+ - psql_db_data is defined
+ - item.1 is defined
+ notify: Reload pgpool2
+
+ - name: Create the pki directory to store the pgpool key
+ file: dest=/etc/pki/pgpool2 state=directory owner=postgres group=postgres mode=0750
+ when: pgpool_enable_ssl
+
+ - name: Create a pgpool accessible ssl key file if it does not exist
+ copy: src=/var/lib/acme/live/{{ ansible_fqdn }}/privkey dest=/etc/pki/pgpool2/pgpool2.key owner=postgres group=postgres mode=0400 remote_src=True
+ when: pgpool_enable_ssl
+
+ - name: Install the pool_passwd configuration file
+ shell: cd /etc/pgpool2 ; pg_md5 -m -u {{ item.user }} {{ item.pwd }} ; chown root:postgres /etc/pgpool2/pool_passwd ; chmod 660 /etc/pgpool2/pool_passwd
+ with_items: '{{ psql_db_data | default([]) }}'
+
+ - name: Install the sudoers config that permits pgpool change the network configuration during a failover
+ template: src=pgpool-wd-sudoers.j2 dest=/etc/sudoers.d/pgpool-wd owner=root group=root mode=0440
+
+ - name: Install the ip script that manage the network configuration during a failover
+ copy: src={{ item }} dest=/sbin/{{ item }} owner=root group=root mode=0755
+ with_items:
+ - ip_script
+
+ - name: Install the arping scripts that manage the network configuration during a failover
+ copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755
+ with_items:
+ - arping_script
+
+ - name: Start and enable pgpool2
+ service: name=pgpool2 state=started enabled=yes
+
+ when: pgpool_enabled
tags: [ 'postgresql', 'postgres', 'pgpool', 'pcp_conf', 'pgpool_conf' ]
-
-- name: Install the pgpool configuration file
- template: src=pgpool.conf.j2 dest=/etc/pgpool2/pgpool.conf owner=root group=postgres mode=0640
- notify: Restart pgpool2
- tags: [ 'postgresql', 'postgres', 'pgpool', 'pgpool_conf' ]
-- name: Give access to the remote postgresql clients
- lineinfile: name=/etc/pgpool2/pool_hba.conf regexp="^host {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
- with_subelements:
- - '{{ psql_db_data | default([]) }}'
- - allowed_hosts
- when:
- - psql_db_data is defined
- - item.1 is defined
- notify: Reload pgpool2
- tags: [ 'postgresql', 'postgres', 'pgpool', 'pgpool_conf' ]
-
-- name: Install the pool_passwd configuration file
- shell: cd /etc/pgpool2 ; pg_md5 -m -u {{ item.user }} {{ item.pwd }} ; chown root:postgres /etc/pgpool2/pool_passwd ; chmod 660 /etc/pgpool2/pool_passwd
- with_items: '{{ psql_db_data | default([]) }}'
- tags: [ 'postgresql', 'postgres', 'pgpool', 'pgpool_conf' ]
-
-- name: Start and enable pgpool2
- service: name=pgpool2 state=started enabled=yes
- when: pgpool_enabled
- tags: [ 'postgresql', 'postgres', 'pgpool' ]
-- name: Stop and disable pgpool2
- service: name=pgpool2 state=stopped enabled=no
+- block:
+ - name: Stop and disable pgpool2
+ service: name=pgpool2 state=stopped enabled=no
+
+ - name: Install the pgpool packages
+ apt: name={{ item }} state=absent
+ with_items: '{{ pgpool_pkgs }}'
+
+ - name: Remove the pgpool failover sudoers file
+ file: dest=/etc/sudoers.d/pgpool-wd state=absent
+
+ - name: Remove the pgpool configuration directory
+ file: dest=/etc/pgpool2 state=absent
+
+ - name: Remove the scripts that manage the network configuration during a failover
+ file: dest={{ item }} state=absent
+ with_items:
+ - /sbin/ip_script
+ - /usr/local/bin/arping_script
+
when: not pgpool_enabled
tags: [ 'postgresql', 'postgres', 'pgpool' ]
+
+
diff --git a/postgresql/tasks/postgresql-service-status.yml b/postgresql/tasks/postgresql-service-status.yml
new file mode 100644
index 0000000..0980378
--- /dev/null
+++ b/postgresql/tasks/postgresql-service-status.yml
@@ -0,0 +1,11 @@
+---
+- name: Ensure that the postgresql server is started
+ service: name=postgresql state=started enabled=yes
+ when: postgresql_enabled
+ tags: [ 'postgresql', 'postgres' ]
+
+- name: Ensure that the postgresql server is stopped and disabled
+ service: name=postgresql state=stopped enabled=no
+ when: not postgresql_enabled
+ tags: [ 'postgresql', 'postgres' ]
+
diff --git a/postgresql/tasks/postgresql-ssl-config.yml b/postgresql/tasks/postgresql-ssl-config.yml
index d7b0986..ba88988 100644
--- a/postgresql/tasks/postgresql-ssl-config.yml
+++ b/postgresql/tasks/postgresql-ssl-config.yml
@@ -1,8 +1,15 @@
---
-- name: Setup ssl in the postgresql configuration
- action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
- with_items: '{{ psql_conf_ssl_parameters }}'
- when: psql_enable_ssl
- notify: Restart postgresql
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
+- block:
+ - name: Setup ssl in the postgresql configuration
+ action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
+ with_items: '{{ psql_conf_ssl_parameters }}'
+ notify: Restart postgresql
+ - name: Create the pki directory to store the postgresql key
+ file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750
+
+ - name: Create a postgres accessible ssl key file if it does not exist
+ copy: src=/var/lib/acme/live/{{ ansible_fqdn }}/privkey dest=/etc/pki/postgresql/postgresql.key owner=postgres group=postgres mode=0400 remote_src=True
+
+ when: psql_enable_ssl
+ tags: [ 'postgresql', 'postgres', 'pg_conf' ]
diff --git a/postgresql/templates/pgpool-wd-sudoers.j2 b/postgresql/templates/pgpool-wd-sudoers.j2
new file mode 100644
index 0000000..9ba1167
--- /dev/null
+++ b/postgresql/templates/pgpool-wd-sudoers.j2
@@ -0,0 +1,3 @@
+{{ pgpool_recovery_user }} ALL=(ALL) NOPASSWD: /bin/ip
+{{ pgpool_recovery_user }} ALL=(ALL) NOPASSWD: /usr/bin/arping
+
diff --git a/postgresql/templates/pgpool.conf.j2 b/postgresql/templates/pgpool.conf.j2
index 14fc72b..dff14ac 100644
--- a/postgresql/templates/pgpool.conf.j2
+++ b/postgresql/templates/pgpool.conf.j2
@@ -437,13 +437,13 @@ client_idle_limit_in_recovery = {{ pgpool_client_idle_limit_in_recovery }}
# - Enabling -
-use_watchdog = off
+use_watchdog = {{ pgpool_use_watchdog }}
# Activates watchdog
# (change requires restart)
# -Connection to up stream servers -
-trusted_servers = ''
+trusted_servers = '{{ pgpool_wd_trusted_servers }}'
# trusted server list which are used
# to confirm network connection
# (hostA,hostB,hostC,...)
@@ -454,36 +454,36 @@ ping_path = '/bin'
# - Watchdog communication Settings -
-wd_hostname = ''
+wd_hostname = '{{ ansible_default_ipv4.address }}'
# Host name or IP address of this watchdog
# (change requires restart)
wd_port = 9000
# port number for watchdog service
# (change requires restart)
-wd_authkey = ''
+wd_authkey = '{{ pgpool_wd_authkey }}'
# Authentication key for watchdog communication
# (change requires restart)
# - Virtual IP control Setting -
-delegate_IP = ''
+delegate_IP = '{{ pgpool_virtual_ip }}'
# delegate IP address
# If this is empty, virtual IP never bring up.
# (change requires restart)
ifconfig_path = '/sbin'
# ifconfig command path
# (change requires restart)
-if_up_cmd = 'ifconfig eth0:0 inet $_IP_$ netmask 255.255.255.0'
+if_up_cmd = 'ip_script addr add {{ pgpool_virtual_ip }}/{{ pgpool_virtual_netmask }} dev {{ ansible_default_ipv4.alias }}'
# startup delegate IP command
# (change requires restart)
-if_down_cmd = 'ifconfig eth0:0 down'
+if_down_cmd = 'ip_script addr del {{ pgpool_virtual_ip }}/{{ pgpool_virtual_netmask }} dev {{ ansible_default_ipv4.alias }}'
# shutdown delegate IP command
# (change requires restart)
-arping_path = '/usr/sbin' # arping command path
+arping_path = '/usr/local/bin' # arping command path
# (change requires restart)
-arping_cmd = 'arping -U $_IP_$ -w 1'
+arping_cmd = 'arping_script -U $_IP_$ -w 1'
# arping command
# (change requires restart)
@@ -511,22 +511,25 @@ wd_interval = 10
# lifecheck interval (sec) > 0
# (change requires restart)
+wd_priority = {{ pgpool_wd_priority }}
+
+{% if pgpool_wd_heartbeat_mode %}
# -- heartbeat mode --
-wd_heartbeat_port = 9694
+wd_heartbeat_port = {{ pgpool_wd_heartbeat_port }}
# Port number for receiving heartbeat signal
# (change requires restart)
-wd_heartbeat_keepalive = 2
+wd_heartbeat_keepalive = {{ pgpool_wd_heartbeat_keepalive_int }}
# Interval time of sending heartbeat signal (sec)
# (change requires restart)
-wd_heartbeat_deadtime = 30
+wd_heartbeat_deadtime = {{ pgpool_wd_heartbeat_deadtime }}
# Deadtime interval for heartbeat signal (sec)
# (change requires restart)
-heartbeat_destination0 = 'host0_ip1'
+heartbeat_destination0 = '{{ pgpool_wd_heartbeat_dest0 }}'
# Host name or IP address of destination 0
# for sending heartbeat signal.
# (change requires restart)
-heartbeat_destination_port0 = 9694
+heartbeat_destination_port0 = {{ pgpool_wd_heartbeat_dest0_port }}
# Port number of destination 0 for sending
# heartbeat signal. Usually this is the
# same as wd_heartbeat_port.
@@ -543,6 +546,7 @@ heartbeat_device0 = ''
#heartbeat_destination_port1 = 9694
#heartbeat_device1 = ''
+{% else %}
# -- query mode --
wd_life_point = 3
@@ -561,21 +565,19 @@ wd_lifecheck_password = ''
# Password for watchdog user in lifecheck
# (change requires restart)
+
+{% endif %}
# - Other pgpool Connection Settings -
-#other_pgpool_hostname0 = 'host0'
+other_pgpool_hostname0 = '{{ pgpool_wd_heartbeat_dest0 }}'
# Host name or IP address to connect to for other pgpool 0
# (change requires restart)
-#other_pgpool_port0 = 5432
+other_pgpool_port0 = {{ pgpool_port }}
# Port number for othet pgpool 0
# (change requires restart)
-#other_wd_port0 = 9000
+other_wd_port0 = {{ pgpool_wd_port }}
# Port number for othet watchdog 0
# (change requires restart)
-#other_pgpool_hostname1 = 'host1'
-#other_pgpool_port1 = 5432
-#other_wd_port1 = 9000
-
#------------------------------------------------------------------------------
# OTHERS
diff --git a/smartgears/r_connector/defaults/main.yml b/smartgears/r_connector/defaults/main.yml
index 4f241dc..71e2360 100644
--- a/smartgears/r_connector/defaults/main.yml
+++ b/smartgears/r_connector/defaults/main.yml
@@ -10,6 +10,10 @@ r_connector_usershome: /home/
r_connector_userconfig: userconfig.csv
r_connector_adduserscript: /usr/local/bin/rusersadd
r_connector_rstudio_cookie_key: /var/lib/rstudio-server/secure-cookie-key
+r_connector_rprofile_svn_url: 'http://svn.research-infrastructures.eu/public/d4science/gcube/trunk/data-analysis/RConfiguration/RStudioConfiguration'
+r_connector_rprofile_filename: '.Rprofile'
+r_connector_rprofile_base_dir: '/srv/d4science'
+r_connector_rprofile_path: '{{ r_connector_rprofile_base_dir }}/RStudioConfiguration'
r_connector_deb_pkgs:
- ldap-utils
- nslcd
diff --git a/smartgears/r_connector/tasks/main.yml b/smartgears/r_connector/tasks/main.yml
index 54c67c0..56fe0c0 100644
--- a/smartgears/r_connector/tasks/main.yml
+++ b/smartgears/r_connector/tasks/main.yml
@@ -1,21 +1,20 @@
---
- block:
-
- name: Remove the installed R connector before upgrading
file: dest={{ item }} state=absent
with_items:
- '{{ smartgears_instance_path }}/webapps/r-connector'
- '{{ smartgears_instance_path }}/webapps/r-connector.war'
- when: smartgears_upgrade or not r_connector_install
+ when: smartgears_upgrade
- - name: Get the R connector war file
- get_url: url={{ r_connector_url }} dest={{ smartgears_instance_path }}/webapps/{{ r_connector_war_file }}
-
- - name: Unpack the R connector war file
- shell: mkdir {{ smartgears_instance_path }}/webapps/r-connector ; cd {{ smartgears_instance_path }}/webapps/r-connector ; jar xf {{ smartgears_instance_path }}/webapps/{{ r_connector_war_file }}
+ - name: Create the R connector webapp directory
+ file: dest={{ smartgears_instance_path }}/webapps/r-connector state=directory
+
+ - name: Get and unpack the R connector war file
+ unarchive: copy=no src={{ r_connector_url }} dest={{ smartgears_instance_path }}/webapps/r-connector
args:
creates: '{{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml'
-
+
- name: Obtain the permission to read the Rstudio secure cookie key
become: False
file: dest={{ r_connector_rstudio_cookie_key }} mode=640 group={{ smartgears_user }}
@@ -24,15 +23,55 @@
template: src=r-web.xml.j2 dest={{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml mode=0440
notify: Restart smartgears
- - name: Install the R add users script
- become: False
- template: src=rusersadd.j2 dest={{ r_connector_adduserscript }} owner=root group=root mode=0555
-
- name: Install the packages required to enable the LDAP PAM authentication
apt: pkg={{ item }} state=present update_cache=yes cache_valid_time=1800
with_items: '{{ r_connector_deb_pkgs }}'
+ - name: Install the R add users script
+ become: False
+ template: src=rusersadd.j2 dest={{ r_connector_adduserscript }} owner=root group=root mode=0555
+ tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
+
+ - name: Crete the directory that will host the RConfiguration stuff
+ become: False
+ file: dest={{ r_connector_rprofile_base_dir }} owner={{ d4science_user }} group={{ d4science_user }} state=directory
+ tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
+
+ - name: Get the svn repository that provides the .Rprofile
+ subversion: repo={{ r_connector_rprofile_svn_url }} dest={{ r_connector_rprofile_path }}
+ tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
+
+ - name: Install the cron job that regulary updates the Rprofile
+ cron: name="Update the RStudioConfiguration repo" special_time=daily job="cd {{ r_connector_rprofile_path }} ; svn update >/dev/null 2>&1"
+ tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
+
become: True
become_user: '{{ smartgears_user }}'
when: r_connector_install
tags: [ 'smartgears', 'r_connector', 'tomcat' ]
+
+- block:
+ - name: Remove the installed R connector before upgrading
+ file: dest={{ item }} state=absent
+ with_items:
+ - '{{ smartgears_instance_path }}/webapps/r-connector'
+ - '{{ smartgears_instance_path }}/webapps/r-connector.war'
+
+ - name: Remove the packages required to enable the LDAP PAM authentication
+ apt: pkg={{ item }} state=absent
+ with_items: '{{ r_connector_deb_pkgs }}'
+
+ - name: Remove the connector raddusers script
+ become: False
+ file: dest={{ r_connector_adduserscript }} state=absent
+
+ - name: Remove the RConfiguration repo
+ file: dest={{ r_connector_rprofile_path }} state=absent
+
+ - name: Remove the cron job that regulary updates the Rprofile
+ cron: name="Update the RStudioConfiguration repo" job="cd {{ r_connector_rprofile_path }} ; svn update >/dev/null 2>&1" state=absent
+
+ become: True
+ become_user: '{{ smartgears_user }}'
+ when: not r_connector_install
+ tags: [ 'smartgears', 'r_connector', 'tomcat' ]
diff --git a/smartgears/r_connector/templates/rusersadd.j2 b/smartgears/r_connector/templates/rusersadd.j2
index 73dd683..c2f1e45 100755
--- a/smartgears/r_connector/templates/rusersadd.j2
+++ b/smartgears/r_connector/templates/rusersadd.j2
@@ -2,29 +2,44 @@
USER="$1"
HDIR="{{ r_connector_usershome }}$USER"
-logfile={{ smartgears_user_home }}/tomcat/logs/runuseradd.log
-exec > $logfile 2>&1
-
+# We use logger to log directly to syslog
+LOG_PREFIX="r-connector rusersadd:"
+# 0: allowed
+# 1: not allowed
+ALLOW_LOCAL_USERS=1
+RPROFILE_FILE='{{ r_connector_rprofile_path }}/{{ r_connector_rprofile_filename }}'
if [ -d $HDIR ] ; then
- #echo "user dir exist"
+ logger "$LOG_PREFIX user $HDIR directory exists"
exit 0
else
if id -u $USER >/dev/null 2>&1
then
- #"echo "ldap user first login"
- sudo /bin/su - $USER /bin/ls
- sudo /bin/chmod g+ws $HDIR
+ logger "$LOG_PREFIX ldap user $USER first login"
+ sudo /bin/mkdir -p $HDIR
+ sudo /bin/chown -R $USER $HDIR
+ sudo /bin/chmod g-wr,o-rwx $HDIR
sudo /usr/bin/touch $HDIR/{{ r_connector_userconfig }}
sudo /bin/chmod 660 $HDIR/{{ r_connector_userconfig }}
- sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
+ #sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
+ sudo /bin/chgrp {{ smartgears_user }} $HDIR
+ sudo /bin/chown {{ smartgears_user }}:{{ smartgears_user }} $HDIR/{{ r_connector_userconfig }}
+ sudo /bin/ln -s $RPROFILE_FILE $HDIR/{{ r_connector_rprofile_filename }}
exit 0
else
- #echo "user does not exist and is not ldap"
- sudo /usr/sbin/useradd -m -s /bin/false -g {{ smartgears_user }} $USER
- sudo /bin/chmod g+ws $HDIR
- sudo /usr/bin/touch $HDIR/{{ r_connector_userconfig }}
- sudo /bin/chmod 660 $HDIR/{{ r_connector_userconfig }}
- sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
+ logger "$LOG_PREFIX user $USER does not exist locally and is not an ldap user"
+ if [ $ALLOW_LOCAL_USERS -eq 1 ] ; then
+ logger "$LOG_PREFIX non ldap users not allowed, refusing to create the user."
+ exit 1
+ else
+ logger "$LOG_PREFIX non ldap users allowed, adding the user $USER locally"
+ sudo /usr/sbin/useradd -m -s /bin/false -g {{ smartgears_user }} $USER
+ sudo /bin/chmod g+ws $HDIR
+ sudo /usr/bin/touch $HDIR/{{ r_connector_userconfig }}
+ sudo /bin/chmod 660 $HDIR/{{ r_connector_userconfig }}
+ sudo /bin/chgrp -R {{ smartgears_user }} $HDIR
+ sudo /bin/ln -s $RPROFILE_FILE $HDIR/{{ r_connector_rprofile_filename }}
+ exit 0
+ fi
fi
fi
diff --git a/smartgears/resource_registry/templates/config.properties.j2 b/smartgears/resource_registry/templates/config.properties.j2
index 9a3ab33..1d0638f 100644
--- a/smartgears/resource_registry/templates/config.properties.j2
+++ b/smartgears/resource_registry/templates/config.properties.j2
@@ -3,7 +3,7 @@ REMOTE_PROTOCOL={{ orientdb_remote_protocol }}
HTTP_PROTOCOL={{ orientdb_http_protocol }}
HTTP_PORT={{ orientdb_http_port }}
DB={{ orientdb_db_name }}
-USERNAME={{ orientdb_username }}
+USERNAME={{ orientdb_root_username }}
PASSWORD={{ orientdb_root_pwd }}
DEFAULT_CREATED_WRITER_USER_PASSWORD={{ orientdb_writer_password }}
DEFAULT_CREATED_READER_USER_PASSWORD={{ orientdb_reader_password }}
diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml
index 0d06e09..222336b 100644
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
@@ -28,6 +28,7 @@ common_packages:
- apt-transport-https
- nano
- xmlstarlet
+ - bsdutils
# Set this variable in your playbook
# additional_packages:
@@ -110,6 +111,9 @@ default_security_limits:
- { domain: 'root', l_item: 'nofile', type: 'soft', value: '8192' }
- { domain: 'root', l_item: 'nofile', type: 'hard', value: '8192' }
+# default_rsyslog_custom_rules:
+# - ':msg, contains, "icmp6_send: no reply to icmp error" ~'
+# - ':msg, contains, "[PYTHON] Can\'t call the metric handler function for" ~'
#
# debian/ubuntu distributions controllers
diff --git a/ubuntu-deb-general/tasks/rsyslogfix.yml b/ubuntu-deb-general/tasks/rsyslogfix.yml
index 7202091..7b8d263 100644
--- a/ubuntu-deb-general/tasks/rsyslogfix.yml
+++ b/ubuntu-deb-general/tasks/rsyslogfix.yml
@@ -4,17 +4,20 @@
when:
- is_precise and ansible_kernel != "3.2.0-4-amd64"
- is_not_trusty
- notify:
- Restart rsyslog
- tags:
- - rsyslog
+ notify: Restart rsyslog
+ tags: rsyslog
- name: Enable the kernel logger on ubuntu 12.04 and kernel major version >= 3
lineinfile: dest=/etc/rsyslog.conf line="$ModLoad imklog" insertafter="^#$ModLoad imklog" backup=yes
when:
- is_precise and ansible_kernel == "3.2.0-4-amd64"
- is_trusty
- notify:
- Restart rsyslog
- tags:
- - rsyslog
+ notify: Restart rsyslog
+ tags: rsyslog
+
+- name: Install custom rsyslog rules
+ template: src=10-custom_rules.conf.j2 dest=/etc/rsyslog.d/10-custom_rules.conf owner=root group=root mode=0444
+ when: default_rsyslog_custom_rules is defined
+ notify: Restart rsyslog
+ tags: rsyslog
+
diff --git a/ubuntu-deb-general/templates/10-custom_rules.conf.j2 b/ubuntu-deb-general/templates/10-custom_rules.conf.j2
new file mode 100644
index 0000000..fc2672f
--- /dev/null
+++ b/ubuntu-deb-general/templates/10-custom_rules.conf.j2
@@ -0,0 +1,6 @@
+{% if default_rsyslog_custom_rules is defined %}
+{% for entry in default_rsyslog_custom_rules %}
+{{ entry }}
+{% endfor %}
+{% endif %}
+