ARGO-242 Ansible play for POEM service

README.md

@@ -53,6 +53,33 @@ Contains Ansible playbook for the deployment of the ARGO Web UI service. The pla
 $ ansible-playbook -v webui.yml
 ```
 
+## POEM deployment
+
+Contains Ansible playbook for the deployment of the ARGO POEM service. The play is split into four (4) roles:
+- firewall (configures iptables firewall rules)
+- repos (includes tasks for the installation of the required repository definitions)
+- has_certificate (task for uploading the certificate file onto the host under the appropriate path)
+- poem (installs and bootstraps poem service)
+
+### Things to do before deployment
+
+- Obtain a key/certificate pair from a trusted CA and after place them both under roles/has_certificate/files with names `{{inventory_hostname}}.key` and `{{inventory_hostname}}.pem` respectively. As `{{inventory_hostname}}` use the exact name used within the `inventory` file. 
+- Edit inventory and replace `poem.node` with the hostname that you intend to deploy the POEM service onto. 
+- Create a `host_vars/{{inventory_hostname}}` file and place therein the variables found within the `roles/poem/defaults/main.yml` file in order to overwrite them. 
+  - In order to generate a uuid to be used in the place of the `poem_secret` variable you may use the `uuidgen` linux cli utility. 
+
+### Prerequisites
+
+- Deploy against CentOS 6.x node
+- Make sure `libselinux-python` is installed on the target node
+- Ansible version used is `1.9.2`
+
+### How to deploy
+
+```bash
+$ ansible-playbook -v poem.yml
+```
+
 ## Full standalone deployment
 
 Contains Ansible playbook for the deployment of all ARGO components. The play is split into six (6) roles:

group_vars/all

@@ -3,4 +3,6 @@
 # Variable enabled_argo_repo specifies which RPM repository to use. 
 # To use the development repository set its value to argo-devel
 
-enabled_argo_repo: argo-prod
\ No newline at end of file
+enabled_argo_repo: argo-prod
+
+cert_dir: /etc/grid-security

group_vars/poem

+---
+
+iptables_rules:
+  input:
+    - { dport: "443",   proto: "tcp", policy: "accept"}

inventory

@@ -5,5 +5,8 @@ webapi.node
 [standalone]
 standalone.node
 
+[poem]
+poem.node
+
 [webui]
 webui.node
\ No newline at end of file

poem.yml

+---
+
+- hosts: poem
+  sudo: true
+  roles:
+    - { role: firewall, tags: firewall }
+    - { role: repos,    tags: repos    }
+    - { role: has_certificate, tags: certificate }
+    - { role: poem,     tags: poem     }

roles/poem/defaults/main.yml

+---
+
+db_path: /var/lib/poem/poemserv.db
+db_user: test
+db_pass: test123
+db_mail: foo@example.com
+
+poem_namespace: example.com.TEST
+poem_gocdb_url: goc.egi.eu
+poem_secret: bbc2ac55-e3aa-4b89-9038-e1acc4baf232
+poem_debug: "True"
+poem_timezone: Europe/Athens
\ No newline at end of file

roles/poem/tasks/main.yml

+---
+
+- name: Install CAs metapackage
+  yum: name=ca-policy-egi-core state=latest
+  tags: install_ca_bundle
+
+- name: Install poem package from argo repository
+  yum: name=poem state=latest enablerepo={{ enabled_argo_repo }}
+
+- name: Create poem.ini file
+  template: src=poem.ini.j2
+            dest=/etc/poem/poem.ini backup=yes
+            owner=root group=root mode=0644
+
+- name: Run db creation script
+  shell: poem-createdb creates={{ db_path }}
+
+- name: Start and enable httpd service
+  service: name=httpd state=started enabled=yes
+

roles/poem/templates/poem.ini.j2

+[general]
+SUPERUSER_NAME: {{ db_user }}
+SUPERUSER_PASSWORD: {{ db_pass }}
+SUPERUSER_EMAIL: {{ db_mail }}
+
+[log]
+LOG_CONFIG: /etc/poem/poem_logging.ini
+
+[others]
+POEM_NAMESPACE: {{ poem_namespace }}
+GOCDB_SERVICETYPE_URL: https://{{ poem_gocdb_url }}/gocdbpi/private/?method=get_service_types
+CIC_VO_URL: http://operations-portal.egi.eu/xml/voIDCard/public/all/true
+HOST_CERT = /etc/grid-security/hostcert.pem
+HOST_KEY = /etc/grid-security/hostkey.pem
+DEBUG: {{ poem_debug }} 
+SECRET_KEY: {{ poem_secret }}
+TIME_ZONE: {{ poem_timezone }}