majic-ansible-roles Changeset

Changeset - b55cb83f8342

Parent rev.

Child rev.

[Not reviewed]

0 1 0

Branko Majic (branko) - 21 days ago 2024-08-29 22:58:11
branko@majic.rs

Noticket: Added workaround to development process for outdated Molecule version:

- Unfortunately, the Molecule version used for running tests does not
generate valid Ruby 3.x code. For now just work around the way Hash
is unpacked in function calls to optional arguments (until the test
stack gets a revamp).

1 file changed with 14 insertions and 0 deletions:

docs/development.rst

0 comments (0 inline, 0 general)

docs/development.rst

➞

Show inline comments

 .. _development:
 Development
 ===========
 This section covers procedures and information related to development of *Majic
 Ansible Roles*.
 Preparing environment
 ---------------------
 The easiest way to get going with role development is to set-up a separate
 Python virtual environment with the necessary packages. This can be done by
 performing the following steps:
 . Ensure that the following minimum set of packages are installed via
    distribution package manager:
    - `Git <https://git-scm.com/>`_
    - `libffi <https://sourceware.org/libffi/>`_ runtime and development package.
    - `OpenSSL <https://www.openssl.org/>`_ runtime and development package.
    - `pip <https://pypi.python.org/pypi/pip/>`_
    - `virtualenv <https://pypi.python.org/pypi/virtualenv>`_
    - `virtualenvwrapper <https://virtualenvwrapper.readthedocs.io/en/latest/>`_
    - Development packages for Python.
    On Debian this can be easily done with::
      apt-get install virtualenv virtualenvwrapper git python-pip python-dev \
      libffi-dev libssl-dev
 . In order to be able to run role tests, it is necessary to install `VirtualBox
    <https://www.virtualbox.org/>`_ and `Vagrant <https://www.vagrantup.com/>`_,
    using instructions outlined on their respective websites. It is recommended
    to use latest versions available. At time of this writing the role tests have
    been successfully run on *VirtualBox 5.2.12* and *Vagrant 2.0.4*.
 . In order to allow static IPv6 addresses to be allocated to virtual
    machines during testing, it is necessary to explicitly white-list
    the range used by the tests. Once the configuration file has been
    created, however, even the VirtualBox default allowed IPv4 subnet
    needs to be in the configuration explicitly as well.
    Update the VirtulBox configuration file (and make sure it can be
    read by the user running the tests):
    :file:`/etc/vbox/networks.conf`
    ::
      * 192.168.56.0/21
      * fd00::192:168:56:0/116
 . Clone the git repository::
      git clone https://code.majic.rs/majic-ansible-roles/ ~/projects/
 . Create a separate Python virtual environment::
      mkvirtualenv majic-ansible-roles -a ~/projects/majic-ansible-roles/
 . Make sure the virtual environment has been activated, and install `pip-tools
    <https://github.com/jazzband/pip-tools>`_::
      workon majic-ansible-roles
      pip install pip-tools
 . Synchronise Python virtual environment with requirements file using
    **pip-tools**::
      workon majic-ansible-roles
      pip-sync
 . Patch the installed version of test runner (Molecule) for
    compatibility with newer versions of Vagrant (bundled Ruby):
    .. note::
       This is an unfortunate consequence of *Majic Ansible Roles*
       being dependent on an old/deprecated version of Ansible. This
       will be addressed at some point in the future when the roles are
       moved over to being compatible with latest (and supported)
       versions of Ansible.
    ::
       sed -i -e 's/ Hash\[/ **Hash[/' ~/.virtualenvs/majic-ansible-roles/lib/python3.9/site-packages/molecule/provisioner/ansible/plugins/libraries/molecule_vagrant.py
 Development conventions
 -----------------------
 In order to maintain consistency across different roles and documentation, this
 section describes development conventions that should be followed while making
 modifications.
 Task specifications
 ~~~~~~~~~~~~~~~~~~~
 When writing new and updating existing tasks, keep the following in mind:
 - Quote sensibly. If specifying paths (for example ``src``, ``dest``, ``path``
   etc in various models), quote the string to make it stand-out better and to
   avoid breakages.
 - Avoid usage of ``set_facts`` task when same functionality can be achieved via
   ``defaults/main.yml``.
 - When specifying tasks, use the fully expanded form. Do not use single-line
   form with ``param=value``.
 - When specifying ``command`` or ``shell`` tasks, in case a ``creates``
   parameter or such need to be used, specify them as part of task's ``args``
   parameter. E.g.::
     - name: Run command
       command: mycommand
       args:
         creates: "/etc/mycommand"
 - When sepcifying tasks, keep the following ordering between different task
   parameters:
   - ``name``
   - Module and its parameters.
   - ``become``
   - ``become_user``
   - ``when``
   - ``with_items`` / ``with_dict`` / ``with_nested``
   - ``wait_for``
   - ``register``
   - ``changed_when``
   - ``failed_when``
   - ``no_log``
   - ``notify``
   - Task tags.
 Running role tests directly
 ---------------------------
 Role tests are implemented using `Molecule <https://molecule.readthedocs.io/>`_,
 `Testinfra <https://testinfra.readthedocs.io/en/latest/>`_, `VirtualBox
 <https://www.virtualbox.org/>`_ and `Vagrant
 <https://www.vagrantup.com/>`_. *Molecule* and *Testinfra* are installed inside
 of Pyhton virtual environment, while *VirtualBox* and *Vagrant* need to be
 installed distribution-wide, following instructions outlined on their
 corresponding websites.
 Tests can be run directly for a single role, or for one or more roles using a
 dedicated shell script (see below). The shell script can also be used for
 generating reports in an automated environment.
 In order to run tests for a specific role, perform the following steps:
 . Switch to Python virtual environment::
      workon majic-ansible-roles
 . Change directory::
      cd roles/ROLENAME/
 . Run the default test scenario (this will normally test against
    multiple Debian versions if supported)::
      molecule test
 Running role tests via shell script
 -----------------------------------
 In order to make it easier to run tests for all roles, and eventually produce
 reports of such runs, a dedicated shell script is provided for running the
 tests.
 In order to run tests, perform the following steps:
 . Switch to Python virtual environment::
      workon majic-ansible-roles
 . Make sure you are within the root directory of Git repository.
 . Run tests for all roles and generate report::
      ./scripts/run_tests.sh -r all
    .. note::
       Optionally you can run tests for a specific set of roles, or without
       generating the report, for example ``./scripts/run_tests.sh web_server
       common``
 . Check results either from script output, or within directory
    ``test_report-YYYY_MM_DD-hh_mm_ss``. For overview of what roles have failed,
    have a look at ``summary.txt``. For details have a look at each role's
    individual report.
 .. _testsite:
 Test Site
 ---------
 *Majic Ansible Roles* comes with a small sample test site configuration which
 demonstrates use of every role. This test site also serves as starting point for
 developing new roles etc, and can be used for testing regressions/breakages.
 The test site covers everything, starting from generating the Debian preseed
 files, through bootstrap process for new nodes, and onto deployment of all
 remaining roles.
 By default, the test site uses domain ``example.com``, but it has been designed
 so it is easy to set your own domain (see below in step-by-step
 instructions). Some changes may be necessary to listed commands in that case
 (i.e. replace every occurance of ``example.com`` with your own domain).
 By default, the following hosts are used in test site (listed names
 should be resolvable towards the servers):
 - ``ldap.example.com``, acting as LDAP server
 - ``xmpp.example.com``, acting as XMPP server
 - ``mail.example.com``, acting as mail server
 - ``web.example.com``, acting as web server
 - ``backup.example.com``, acting as backup server
 - ``ws01.example.com``, acting as "workstation" (mainly demonstrating
   use of mail forwarder role)
 The web server is also set-up with one sample PHP application and two
 WSGI applications deployed via roles:
 - ``phpinfo``, used to serve information about the local PHP
   installation.
 - ``wsgihello``, small hello world application.
 - ``wsgihello2``, small hello world application using a couple of
   additional ``wsgi_website`` role parameters.
 To make the web applications reachable, make sure the web server
 (``web.example.com``) IP is also resolvable via names:
 - ``phpinfo.example.com`` (``phpinfo`` application/role)
 - ``wsgi.example.com`` (``wsgihello`` application/role)
 - ``wsgireq.example.com`` (``wsgihello2`` application/role)
 All example commands listed within this section should be ran from within the
 ``testsite`` directory in order to have proper environment available for
 playbook runs.
 A number of playbooks are provided out of the box:
 bootstrap.yml (for bootstrapping fresh nodes)
   This playbook can be used for bootstrapping fresh nodes. By default, the
   entire test site will be included in the bootstrap. If you wish to limit
   bootstrap to a single server, just run the playbook with (for example):
   .. code-block:: shell
     ansible-playbook -l ldap.example.com playbooks/bootstrap.yml
 ldap.yml
   This playbook sets-up the LDAP servers. It is included in ``site.yml``.
 mail.yml
   This playbook sets-up the mail server. It is included in ``site.yml``.
 preseed.yml
   This playbook sets-up the Debian preseed files. It is included in
   ``site.yml``.
 site.yml
   This playbook sets-up all servers, including preseed files on local host.
 web.yml
   This playbook sets-up the web server. It is included in ``site.yml``.
 xmpp.yml
   This playbook sets-up the XMPP server. It is included in ``site.yml``.
 backup.yml
   This playbook sets-up the backup server. It is included in ``site.yml``.
 The playbooks and configurations for test site make a couple of assumptions:
 * Each server will be set-up with an operating system user ``admin``, capable of
   running the sudo commands.
 * The password for operating system user ``admin`` is hard-coded to ``admin``.
 * An SSH ``authorized_keys`` file is set-up for the operating system user
   ``admin``. The SSH key stored in it will be read from location
   ``~/.ssh/id_rsa.pub`` (i.e. from home directory of user running the Ansible
   commands).
 For more details on how the playbooks and configuration have been implemented,
 feel free to browse the test site files (in directory ``testsite``).
 Deploying test site
 ~~~~~~~~~~~~~~~~~~~
 In order to deploy the test site, the following steps would normally be taken:
 . As mentioned in introduction, default domain used by test site is
    ``example.com``. To change it, perform the following steps (otherwise, just
    skip to step 2):
    a. Update the file ``hosts``. Simply replace all occurances of
       ``example.com`` with your chosen domain.
    b. Update the file ``group_vars/all.yml``, changing the value of variable
       ``testsite_domain``. This value will then be used to calculate some of
       derived values, like LDAP base DN (which will be set to something along
       the lines of ``dc=example,dc=com`` or
       ``dc=your,dc=domain,dc=components``).
 . If you do not wish to have the hassle of creating the private keys and
    issuing certificates, there is a small playbook that can help you with
    this. Just run the ``tls.yml`` playbook, and skip to step 6 (otherwise follow
    steps 3 through 5):
    .. code-block:: shell
      ansible-playbook playbooks/tls.yml
 . Create TLS private keys (relative to top level directory), making sure to
    change domain in filenames if necessary:
    - ``testsite/tls/mail.example.com_imap.key``
    - ``testsite/tls/mail.example.com_smtp.key``
    - ``testsite/tls/xmpp.example.com_xmpp.key``
    - ``testsite/tls/ldap.example.com_ldap.key``
    - ``testsite/tls/web.example.com_https.key``
    - ``testsite/tls/phpfino.example.com_https.key``
    - ``testsite/tls/wsgi.example.com_https.key``
    - ``testsite/tls/wsgireq.example.com_https.key``
 . Issue TLS certificates corresponding to the generated TLS private keys
    (correct FQDN for DNS subject alternative name **must** be used), making sure
    to change domain in filenames if necessary:
    - ``testsite/tls/mail.example.com_imap.pem`` (subject alternative name should
      be ``mail.example.com``)
    - ``testsite/tls/mail.example.com_smtp.pem`` (subject alternative name should
      be ``mail.example.com``)
    - ``testsite/tls/xmpp.example.com_xmpp.pem`` (subject alternative name should
      be ``xmpp.example.com``)
    - ``testsite/tls/ldap.example.com_ldap.pem`` (subject alternative name should
      be ``ldap.example.com``)
    - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
      be ``web.example.com``)
    - ``testsite/tls/web.example.com_https.pem`` (subject alternative name should
      be ``web.example.com``)
    - ``testsite/tls/phpinfo.example.com_https.pem`` (subject alternative name
      should be ``phpinfo.example.com``)
    - ``testsite/tls/wsgi.example.com_https.pem`` (subject alternative name
      should be ``wsgi.example.com``)
    - ``testsite/tls/wsgireq.example.com_https.pem`` (subject alternative name
      should be ``wsgireq.example.com``)
 . Create ``PEM`` truststore file which contains all CA certificates that form
    CA chain for the issued end entity certificates from previous step at
    location ``testsite/tls/ca.pem``. It is very important to
    include the full CA chain used for LDAP server.
 . Generate SSH keys to be used by the backup server and backup clients:
   .. code-block:: shell
      mkdir ssh
      ssh-keygen -f ssh/backup_server_rsa_key -N '' -t rsa
      ssh-keygen -f ssh/backup_server_ed25519_key -N '' -t ed25519
      ssh-keygen -f ssh/backup_server_ecdsa_key -N '' -t ecdsa
      ssh-keygen -f ssh/mail.example.com -N ''
      ssh-keygen -f ssh/ldap.example.com -N ''
      ssh-keygen -f ssh/xmpp.example.com -N ''
      ssh-keygen -f ssh/web.example.com -N ''
      ssh-keygen -f ssh/backup.example.com -N ''
      ssh-keygen -f ssh/ws01.example.com -N ''
 . Set-up a local GnuPG keyring that will contain the necessary encryption and
    signing keys for the backup clients::
      mkdir ./backup_keyring
      chmod 700 ./backup_keyring
      cat << EOF | gpg2 --homedir ./backup_keyring --batch --gen-key
      Key-Type:RSA
      Key-Length:1024
      Name-Real:ldap.example.com
      Expire-Date:0
      %no-protection
      %commit
      Key-Type:RSA
      Key-Length:1024
      Name-Real:mail.example.com
      Expire-Date:0
      %no-protection
      %commit
      Key-Type:RSA
      Key-Length:1024
      Name-Real:web.example.com
      Expire-Date:0
      %no-protection
      %commit
      Key-Type:RSA
      Key-Length:1024
      Name-Real:xmpp.example.com
      Expire-Date:0
      %no-protection
      %commit
      Key-Type:RSA
      Key-Length:1024
      Name-Real:backup.example.com
      Expire-Date:0
      %no-protection
      %commit
      Key-Type:RSA
      Key-Length:1024
      Name-Real:ws01.example.com
      Expire-Date:0
      %no-protection
      %commit
      EOF
 . Generate the preseed files:
   .. code-block:: shell
      ansible-playbook playbooks/preseed.yml
 . Install all servers using the generated preseed files. Use *Debian
 Bookworm*.
 . Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
     remove old entries if you are redoing the process). You can easily obtain all
     the necessary fingerprints with command (don't forget to modify domain if you
     need to):
     .. code-block:: shell
       ssh-keyscan -t ed25519 mail.example.com ldap.example.com xmpp.example.com web.example.com backup.example.com ws01.example.com $(dig +short mail.example.com) $(dig +short ldap.example.com) $(dig +short xmpp.example.com) $(dig +short web.example.com) $(dig +short backup.example.com) $(dig +short ws01.example.com)
 . Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
     environment for Ansible runs on all servers:
     .. code-block:: shell
        ansible-playbook playbooks/bootstrap.yml
 . Finally, apply configuration on all servers:
     .. code-block:: shell
        ansible-playbook playbooks/site.yml
 Trying the test site out
 ~~~~~~~~~~~~~~~~~~~~~~~~
 The test site ships with configuration files for a number of CLI-based
 tools/applications that can be easily used for trying the services out
 (you can otherwise set-up your own).
 Configuration files assume the default domain (``example.com``) is
 used.
 The following tools come with out-of-the-box configuration:
 - `mcabber <https://mcabber.com/>`_ (for XMPP)
 - `mutt <http://www.mutt.org/>`_ (for IMAP/SMTP)
 In order to use the configuration files, make sure that you are
 running all tools from within the ``testsite/`` directory.
 To start the XMPP CLI client (*mcabber*) with provided configuration,
 run (take note it is lower-caser ``f``)::
   mcabber -f mcabber/john.doe
   mcabber -f mcabber/jane.doe
 To start the IMAP/SMTP CLI client (*Mutt*) with provided
 configuration, run (take note it is upper-case ``F``)::
   mutt -F mutt/john.doe
   mutt -F mutt/jane.doe
 To test the provided web applications, use the following links in a
 browser:
 .. note::
    To avoid untrusted certificate errors, it is recommended to test
    the links with dedicated instance of Mozilla Firefox, and to import
    the CA certificate (``tls/ca.pem``) into it.
 - https://phpinfo.example.com/
 - https://wsgi.example.com/
 - https://wsgireq.example.com/

0 comments (0 inline, 0 general)