airavata-commits mailing list archives

From machris...@apache.org
Subject [5/7] airavata git commit: Moving dREG gateway to Jetstream; fixed selinux file contexts
Date Tue, 09 May 2017 16:32:31 GMT
Moving dREG gateway to Jetstream; fixed selinux file contexts

SELinux file contexts don't work with symlinks so I added a
real_user_data_dir ansible variable to deal with that situation.


Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/45e8f654
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/45e8f654
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/45e8f654

Branch: refs/heads/develop
Commit: 45e8f654a4bab789e272dda86d62f1969c11e227
Parents: 24f8b7f
Author: Marcus Christie <machrist@iu.edu>
Authored: Tue May 2 09:39:21 2017 -0400
Committer: Marcus Christie <machrist@iu.edu>
Committed: Tue May 2 09:39:21 2017 -0400

----------------------------------------------------------------------
 .../dreg-production/files/pga-ssl-vhost.conf.j2 | 31 +++++++++
 .../dreg-production/group_vars/pga/vars.yml     | 67 ++++++++++++++++++++
 .../dreg-production/group_vars/pga/vault.yml    | 18 ++++++
 .../inventories/scigap/dreg-production/hosts    | 21 ++++++
 .../scigap/production/group_vars/all/vars.yml   |  1 +
 dev-tools/ansible/roles/pga/defaults/main.yml   |  2 +
 .../roles/pga/tasks/install_deps_CentOS_7.yml   |  1 +
 dev-tools/ansible/roles/pga/tasks/main.yml      |  3 +-
 8 files changed, 143 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/dreg-production/files/pga-ssl-vhost.conf.j2
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/dreg-production/files/pga-ssl-vhost.conf.j2
b/dev-tools/ansible/inventories/scigap/dreg-production/files/pga-ssl-vhost.conf.j2
new file mode 100644
index 0000000..ee053cc
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/dreg-production/files/pga-ssl-vhost.conf.j2
@@ -0,0 +1,31 @@
+<VirtualHost *:80>
+    ServerName {{ vhost_servername }}
+    {% if vhost_serveralias is defined %}
+    ServerAlias {{ vhost_serveralias }}
+    {% endif %}
+
+    ## Redirect all http traffic to https
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    # Don't redirect /gbrowser and /gbfile requests to HTTPS
+    RewriteCond %{THE_REQUEST} !\s/(gbrowser|gbfile)
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ vhost_servername }}
+    {% if vhost_serveralias is defined %}
+    ServerAlias {{ vhost_serveralias }}
+    {% endif %}
+
+    DocumentRoot {{ doc_root_dir }}/public
+    <Directory "{{ doc_root_dir }}/public">
+       AllowOverride All
+    </Directory>
+    ErrorLog {{ httpd_log_dir[ansible_os_family] }}/{{ gateway_id }}.error.log
+    CustomLog {{ httpd_log_dir[ansible_os_family] }}/{{ gateway_id }}.requests.log combined
+    SSLEngine on
+    SSLCertificateFile {{ ssl_certificate_file }}
+    SSLCertificateChainFile {{ ssl_certificate_chain_file }}
+    SSLCertificateKeyFile {{ ssl_certificate_key_file }}
+</VirtualHost>
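Review bot: The `RewriteRule` in the port-80 vhost builds its redirect target from `%{HTTP_HOST}`, which is whatever Host header the client sent, so the redirect can name a host this server does not own. It also carries no flags and relies on mod_rewrite treating the absolute URL as an implicit redirect. The template already knows the canonical name, so `RewriteRule ^ https://{{ vhost_servername }}%{REQUEST_URI} [R=301,L]` would pin the target and make the redirect explicit. The exclusion `!\s/(gbrowser|gbfile)` is an unanchored prefix match, so any path that merely begins with those strings also stays on plain HTTP; a comment saying why these paths must remain unencrypted would help. The 443 vhost sets no `SSLProtocol` or `SSLCipherSuite` and therefore inherits the server-wide defaults; stating them in the template would keep the TLS policy under version control.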

http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vars.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vars.yml
b/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vars.yml
new file mode 100644
index 0000000..4f15b2b
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vars.yml
@@ -0,0 +1,67 @@
+#
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+---
+
+user_data_dir: "/var/www/portals/gateway-user-data"
+real_user_data_dir: "/data/gateway-user-data"
+## Airavata Client related variables
+airavata_server: "tls://{{ groups['api-orch'][0] }}"
+airavata_port: "9930"
+# FIXME: temporarily turn off SSL verification for WSO2 IS
+auth_verify_peer: "false"
+
+pga_repo: "https://github.com/apache/airavata-php-gateway.git"
+git_branch: "dreg-gateway"
+user: "pga"
+group: "pga"
+doc_root_dir: "/var/www/portals/{{ gateway_id }}"
+vhost_servername: "dreg.dnasequence.org"
+vhost_ssl: True
+# TODO: have Ansible manage these files as well
+ssl_certificate_file: "/etc/letsencrypt/live/dreg.dnasequence.org/cert.pem"
+ssl_certificate_chain_file: "/etc/letsencrypt/live/dreg.dnasequence.org/fullchain.pem"
+ssl_certificate_key_file: "/etc/letsencrypt/live/dreg.dnasequence.org/privkey.pem"
+pga_ssl_vhost_template: "{{ inventory_dir }}/files/pga-ssl-vhost.conf.j2"
+
+## WSO2 IS related variables
+tenant_domain: "dreg.cornell"
+admin_username: "admin"
+admin_password: "{{ vault_admin_password }}"
+oauth_client_key: "{{ vault_oauth_client_key }}"
+oauth_client_secret: "{{ vault_oauth_client_secret }}"
+# dREG gateway automatically gives users the gateway-user role so they don't have to wait
on admin approval
+initial_role_name: "gateway-user"
+
+gateway_id: "cornelldna"
+# relative to document root dir
+experiment_data_dir: "{{ user_data_dir }}/cornell-dnasequence"
+gateway_data_store_resource_id: "gf4.ucs.indiana.edu_61552681-96f0-462a-a36c-a62a010bffc6"
+gateway_data_store_ssh_public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTs6k2lSt5nn+UF3N1rAko9WjdtHZ1xLcKxCG4+4AVMdTIeng12g+1qB5hIFiDgesT/D/nzoA27EFj5nWiYanxBySNgl1Re8kR0nEqQbR0zj1dSibmfjW+vmOZzEiNSrNoLlc4KbFgqFCRGIlZ1bWZ7yHtJ3I7xxfKhvvxCTzJ4K71v1aovnDTUYophy2lUsdOcOq84Qhv3ITZafgblz3mJSwVpnnI72IepzonzDUdcf/w0lKCl70L9MgQAZ2V4e9sQZWJLI5s1VtJsqKggtgI4goPyxXROoH9PTUZFqvvYjLGW8JVS9eZKblSKil09yckPfZCSk1i/UD/uY6O7bjf"
+
+## Portal related variables
+super_admin_portal: "false"
+admin_emails: "['zw355@cornell.edu','sgg@iu.edu']"
+portal_email_username: "pga.airavata@gmail.com"
+portal_email_password: "{{ vault_portal_email_password }}"
+# The portal theme is included in the dreg-gateway branch of airavata-php-gateway
+portal_theme: "dreg"
+portal_title: "dREG DNA Sequencing"
+...
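Review bot: `auth_verify_peer: "false"` disables certificate verification for the WSO2 IS connection in a production inventory. The same file configures `admin_password` and `oauth_client_secret` for that service, so those credentials would presumably travel to a peer whose identity is never checked. The FIXME marks it as temporary but records neither the reason nor what has to happen before it is reverted. Prefer `auth_verify_peer: "true"` with the identity server's CA made available to the portal; if it has to ship disabled, make the comment actionable, e.g. `# FIXME(<tracking-issue>): peer verification off because <reason>; set back to "true" once the IS certificate validates`. Separately, `vhost_ssl: True` would read more consistently as lowercase `true`.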

http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vault.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vault.yml
b/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vault.yml
new file mode 100644
index 0000000..eaca63b
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/dreg-production/group_vars/pga/vault.yml
@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+37653231363231666433316261313238643763633234663866393832386236643436623566303263
+3334323065363831656435383564623034393661323037300a343263316666633131366134613661
+39633030386362623966303630653462373762373034323134356539313036376563613335383135
+3962646533323362370a383064616634303730373232353663386165313666303732396635643562
+39313037323264656236323337643862636265626138656435303064353531616264633435643965
+38616138613039336666313436643635666337643533343264326637653864356563343532333262
+35323335336437333964373366653737343032306238643032343162353437666664376636353236
+32363138633432396330613832656266663734616131383735393565343133626666313766313164
+35386534313033623563613635343163633564613636636236316633623263313437626337663530
+64313166323263353266623135616236653463356439363530373630653232363863303238356265
+65363630393364636238643861386161356635666331336530626533666434373931393237643861
+33383663653439313064393735653064323836656666343366636161643938396136383234386232
+33343238636238373936663365316663653532616364636336363936316235353164636365613738
+33346462386230623735376132306663633932363838643935373539316565626435646565393833
+66623065373162623964363665646436356464643366633764323232343736353032616561643637
+30326166396262316335323463323763653930653263613162663336343863313937393934313765
+30626235653162643566366361303630616437346539333436616666313738346232

http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/dreg-production/hosts
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/dreg-production/hosts b/dev-tools/ansible/inventories/scigap/dreg-production/hosts
new file mode 100644
index 0000000..bbfc7c9
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/dreg-production/hosts
@@ -0,0 +1,21 @@
+---
+# inventory file : scigap production deployment
+
+[zookeeper]
+gf5.ucs.indiana.edu
+
+[rabbitmq]
+gf5.ucs.indiana.edu
+
+[database]
+gf3.ucs.indiana.edu
+
+[api-orch]
+gf5.ucs.indiana.edu
+
+[gfac]
+gf6.ucs.indiana.edu
+
+[pga]
+# Hosted on Jetstream
+149.165.156.72 ansible_user=centos
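Review bot: The header comment `# inventory file : scigap production deployment` looks carried over from another inventory, while this file lives under dreg-production and only the `[pga]` host is specific to it. A header such as `# inventory file : dREG production gateway (PGA on Jetstream; the other groups are presumably the shared scigap production hosts)` would warn an operator that a play run against this inventory without `--limit` can reach the database and messaging hosts as well. The `[pga]` entry is a bare IP address, so if the instance is rebuilt with a new address this line and the DNS record behind `vhost_servername` have to change together; that is worth a one-line comment next to it.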

http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml b/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
index 756edea..2313795 100644
--- a/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
+++ b/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
@@ -113,6 +113,7 @@ monitor_email_password: "{{ vault_monitor_email_password }}"
 # PGA variables
 pga_repo: "https://github.com/apache/airavata-php-gateway.git"
 user_data_dir: "/var/www/portals/gateway-user-data"
+real_user_data_dir: "/data/gateway-user-data"
 ## Airavata Client related variables
 #airavata_server: "tls://gw77.iu.xsede.org"
 airavata_server: "tls://{{ groups['api-orch'][0] }}"

http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/roles/pga/defaults/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/defaults/main.yml b/dev-tools/ansible/roles/pga/defaults/main.yml
index e8f869b..f5fbad9 100644
--- a/dev-tools/ansible/roles/pga/defaults/main.yml
+++ b/dev-tools/ansible/roles/pga/defaults/main.yml
@@ -21,6 +21,8 @@
 ---
 doc_root_dir: "/var/www/{{ gateway_id }}"
 user_data_dir: "/var/www/user_data"
+# real_user_data_dir is the same as user_data_dir but without symbolic links in it
+real_user_data_dir: "{{ user_data_dir }}"
 vhost_servername: "{{ groups['pga'][0] }}"
 vhost_ssl: False
 httpd_confd_file_location:

http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml b/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml
index 649d333..2c5dc9f 100644
--- a/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml
+++ b/dev-tools/ansible/roles/pga/tasks/install_deps_CentOS_7.yml
@@ -25,6 +25,7 @@
   with_items:
     - git
     - httpd
+    - mod_ssl
     - php
     - php-soap
     - libselinux-python
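Review bot: `mod_ssl` is added to the unconditional package list, so it is installed on every CentOS 7 PGA host, including those where `vhost_ssl` keeps its role default of `False`. As far as I know the CentOS package ships a `conf.d/ssl.conf` that makes httpd listen on 443 with a default vhost and a self-signed localhost certificate, so non-SSL gateways would gain a TLS listener that nobody configured. Consider installing it from a separate task guarded by `when: vhost_ssl`, or having the role manage the packaged `ssl.conf`. The task this list belongs to starts above the hunk, so its other arguments are not visible here.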

http://git-wip-us.apache.org/repos/asf/airavata/blob/45e8f654/dev-tools/ansible/roles/pga/tasks/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/tasks/main.yml b/dev-tools/ansible/roles/pga/tasks/main.yml
index 36ad77c..0ea5d63 100644
--- a/dev-tools/ansible/roles/pga/tasks/main.yml
+++ b/dev-tools/ansible/roles/pga/tasks/main.yml
@@ -67,7 +67,8 @@
 
 - name: set selinux context to allow read/write on the user data directory
   sefcontext:
-    target: "{{ user_data_dir }}(/.*)?"
+    # For SELinux file contexts, the real path without symbolic links must be used
+    target: "{{ real_user_data_dir }}(/.*)?"
     setype: httpd_sys_rw_content_t
     state: present
   become: yes
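Review bot: Nothing ties `real_user_data_dir` to the path that `user_data_dir` actually resolves to; it is a second hand-maintained value. If the two drift, the `httpd_sys_rw_content_t` rule lands on a tree httpd does not use, or on one it should not be able to write. A check that resolves `user_data_dir` on the host and compares it with `real_user_data_dir` would fail the play instead of silently labelling the wrong directory. It has to run once the directory and any symlink exist, and the tasks that create them are outside this hunk. Also, `sefcontext` only records the rule: hosts provisioned before this change keep the old `{{ user_data_dir }}(/.*)?` entry, and existing files are relabelled only if a restorecon step follows, which is not visible here.

```yaml
- name: resolve the user data directory to its symlink-free path
  command: readlink -f "{{ user_data_dir }}"
  register: user_data_dir_resolved
  changed_when: false

- name: check that real_user_data_dir matches the resolved path
  assert:
    that:
      - user_data_dir_resolved.stdout == real_user_data_dir

- name: set selinux context to allow read/write on the user data directory
  # … unchanged: sefcontext arguments and become …
```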

