
Building a new machine on AWS with Ansible

Note: the ansible-vault password and all current AWS keys are on the shared network drive under Othmer Library\Digital Collections - Internal Access\Authentication - Confidential. If you do not have access, you will need to be added to the allowed group.

This assumes you have the main Ansible password inside a plain ASCII file at /your/ansible_password.txt.

  1. Check the Ansible variables in the encrypted file
    1. $ ansible-vault edit --vault-password-file /your/ansible_password.txt group_vars/all
      (will need password)
    2. Look for # Use these temporarily for new instances
      1. Right now certain values such as fedora_ip, solr_ip, and the rest will need to be determined once the box has been built and a valid IP exists.
      2. Generally speaking, the best way to build boxes so as to minimize going back to edit IPs is in this order:
        1. Fedora
        2. Solr
        3. Sufia machines (riiif, app)
    3. Ensure your ssh key is listed under keys_to_add; this is needed for capistrano deploys and ssh access with your personal account.
  2. Run the ansible playbook
    1. $ ansible-playbook create_ec2.yml --ask-vault-pass --private-key=/PATH/TO/KEY --extra-vars "role=ROLE tier=SERVICE_LEVEL" --extra-vars "@group_vars/ROLE_SERVICE_LEVEL_override"
      1. Use chf_prod.pem for all production level machines
      2. Use test.pem for all other machines
      3. Select the role and service level of the machine you want to build.
    2. OR, if you're re-running scripts on an existing machine:
      1. $ ansible-playbook -i hosts my_playbook.yml --ask-vault-pass [-e hosts=target]
        1. target can be one of the groups in the hosts file: staging, production, dev, ec2hosts
  3. Assign an elastic IP to the new box if it needs one
  4. Consider naming the AWS volumes for 'root' and 'data' – this isn't done in the scripts (but probably could be!)
  5. Set up to use capistrano (below) or just deploy with capistrano (above)
  6. Run configure_prod.yml if on production to set up e-mail password resets, ssl, and backup procedures.

Updating boxes with Ansible

Creating a test box using Ansible

Scenario: You've changed the Ansible scripts that affect the build process for the jobs server. To make sure everything looks right, you want to spin up a new jobs2-stage on EC2 without disturbing the functioning of jobs1-stage.

Procedure:

Make sure the main Ansible password is available inside a plain text file at, e.g., /your/ansible_password.txt.

Change the "iteration" so your box has a different label from the existing jobs1-stage. (Use whichever editor you want, but some work better than others.)

EDITOR=emacs ansible-vault edit --vault-password-file /your/ansible_password.txt group_vars/all

Find the line that mentions "iteration" and set it to an unused number.

iteration: 2

This will result in your new jobs box being labeled jobs2-stage.

List the tasks you'll be performing. This is helpful to make sure everything looks good before actually running the script.

ansible-playbook --vault-password-file /your/ansible_password.txt --list-tasks --extra-vars "role=jobs tier=stage" create_ec2.yml

Now actually create the box:

ansible-playbook --vault-password-file /your/ansible_password.txt --extra-vars "role=jobs tier=stage" create_ec2.yml

Note: this will modify your "hosts" file in the root directory of ansible-inventory by adding the new box's IP address to it.

In the EC2 dashboard, you'll see a new EC2 instance called jobs2-stage. You can log into it as you would any ec2 server.

Meanwhile, you want to monitor Ansible's logs while it builds the box:

Connect to the manage-prod server, using a variation on:

ssh -i ~/.ssh/chf_prod.pem ubuntu@ec2-xx-xxx-xx-xxx.compute-1.amazonaws.com

You'll find the Ansible logs in /var/log/ansible/.

When you're done, you can get rid of the box in the EC2 console (but don't get rid of the wrong box!) by selecting it, then choosing Actions > Instance State > Terminate.

New AWS Key

  1. Generate a new ssh key on AWS (EC2 > Keypairs)
    1. Place it in ~/.ssh
    2. chmod 0600 the key file.
    3. Useful command if you're having problems with the key: $ openssl rsa -in chf_prod.pem -check
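As an added pre-flight helper for step 2 of the build procedure above and for the key-permission step in this section (this is not part of the original runbook): it checks that the vault password file and the EC2 key are readable only by their owner, runs the runbook's openssl check when openssl is present, picks chf_prod.pem or test.pem from the tier, and prints the create_ec2.yml command instead of running it. The tier spellings "prod"/"production" and the ~/.ssh default key directory are assumptions.

```shell
#!/bin/sh
# Added pre-flight helper, not part of the original runbook. The tier spellings
# "prod"/"production" and the ~/.ssh default key directory are assumptions.

# Print the octal mode of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the file exists and is readable by its owner alone (0600 or 0400),
# which is what the runbook's "chmod 0600" step establishes for the .pem key and
# what the plain-text vault password file should have as well.
check_private_perms() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) echo "mode $(file_mode "$1") on $1 is too open; run: chmod 0600 $1" >&2; return 1 ;;
    esac
}

# Parse the PEM key with the runbook's own check; skipped when openssl is absent.
check_key_valid() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}

# Choose the key the runbook prescribes: chf_prod.pem for production, test.pem otherwise.
key_for_tier() {
    case "$1" in
        prod|production) echo chf_prod.pem ;;
        *) echo test.pem ;;
    esac
}

# Run every check on the vault password file and the key before touching AWS.
preflight() {
    check_private_perms "$1" && check_private_perms "$2" && check_key_valid "$2"
}

# Assemble, but do not execute, the create_ec2.yml invocation for ROLE and TIER.
build_command() {
    role=$1; tier=$2; keydir=${3:-$HOME/.ssh}
    key="$keydir/$(key_for_tier "$tier")"
    printf 'ansible-playbook create_ec2.yml --ask-vault-pass --private-key=%s --extra-vars "role=%s tier=%s" --extra-vars "@group_vars/%s_%s_override"\n' \
        "$key" "$role" "$tier" "$role" "$tier"
}

# Usage: preflight /your/ansible_password.txt ~/.ssh/test.pem && build_command jobs stage
```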
