Merge pull request #9 from bedroge/master

Documentation and playbook improvements

Author: trz42

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "roles/galaxyproject.cvmfs"]
 	path = roles/cvmfs
 	url = https://github.com/galaxyproject/ansible-cvmfs
+[submodule "roles/geerlingguy.repo-epel"]
+	path = roles/geerlingguy.repo-epel
+	url = https://github.com/geerlingguy/ansible-role-repo-epel

README.md

@@ -20,30 +20,171 @@ The CVMFS layer of the EESSI project consists of the usual CVMFS infrastructure:
 
 ## Installation and configuration
 
-For the installation of all components we make use of the Ansible files provided by the Galaxy project:
-https://github.com/galaxyproject/ansible-cvmfs
-This repository is added as a submodule inside the roles directory, so make sure to use the --recursive options when cloning this repository:
+### Prerequisites
+
+The main prerequisite is Ansible (https://github.com/ansible/ansible),
+which can be easily installed via the package manager of most Linux distributions or via `pip install`.
+For more details, see the Ansible installation guide: https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html.
+
+For the installation of all components we make use of two Ansible roles: the CVMFS installation role provided by the Galaxy project (see
+https://github.com/galaxyproject/ansible-cvmfs), and a role for adding the EPEL repository (https://github.com/geerlingguy/ansible-role-repo-epel).
+Both repositories are added as a submodule inside the `roles` directory, so make sure to use the `--recursive` option when cloning this repository:
 ```
 git clone --recursive git@github.com:EESSI/cvmfs-layer.git
 ```
-Alternatively, clone this repository first, and init and update the required submodule later:
+Alternatively, clone this repository first, and init and update the required submodules later:
 ```
 git clone git@github.com:EESSI/cvmfs-layer.git
-cd cvmfs-layer/roles/cvmfs/
+cd cvmfs-layer
 git submodule init
 git submodule update
 ```
 For more information about (working with) submodules, see:
 https://git-scm.com/book/en/v2/Git-Tools-Submodules
 
-The EESSI specific settings can be found in group_vars/all.yml, and in templates we added a template for a Squid configation for the local proxy servers; this file is not included in the Galaxy repository.
+### Configuration
+
+The EESSI specific settings can be found in `group_vars/all.yml`, and in `templates` we added our own templates
+of Squid configurations for the Stratum 1 and local proxy servers.
+For all playbooks you will also need to have an appropriate Ansible `hosts` file;
+see the supplied `hosts.example` for the structure and host groups that you need for these playbooks.
+
+## Running the playbooks
 
-In order to run one of these playbooks, you will have to use a hosts file that includes at least the group of nodes for which you are running a playbook. An example of the file that shows the correct structure can be found in hosts.example.
-The playbooks can then be run as follows:
+In general, all the playbooks can be run like this:
 ```
 ansible-playbook -i hosts -b <name of playbook>.yml
 ```
-where -b means become, i.e. run with sudo. If this requires a password, include -K:
+where `-i` allows you to specify the path to your hosts file, and `-b` means "become", i.e. run with `sudo`.
+If this requires a password, include `-K`, which will ask for the `sudo` password when running the playbook:
 ```
 ansible-playbook -i hosts -b -K <name of playbook>.yml
 ```
+
+Before you run any of the commands below, make sure that you updated the file `group_vars/all.yml`
+and include the new/extra URLs of any server you want to change/add (e.g. add your Stratum 1).
+
+
+### Stratum 0
+First install the Stratum 0 server:
+```
+ansible-playbook -i hosts -b -K stratum0.yml
+```
+
+Then install the files for the configuration repository:
+```
+ansible-playbook -i hosts -b -K stratum0-deploy-cvmfs-config.yml
+```
+
+Note that there can be only one Stratum 0, so you should only run this playbook
+for testing purposes or in case we need to move or redeploy the current Stratum 0 server.
+
+### Stratum 1
+Installing a Stratum 1 requires a GEO API license key, which will be used to find
+the (geographically) closest Stratum 1 server for your client and proxies.
+More information on how to (freely) obtain this key is available in the CVMFS documentation: 
+https://cvmfs.readthedocs.io/en/stable/cpt-replica.html#geo-api-setup .
+
+You can put your license key in `group_vars/all.yml`, or add a section in your `hosts` file:
+```yaml
+[cvmfsstratum1servers:vars]
+cvmfs_geo_license_key=XXXXX
+```
+
+Furthermore, the Stratum 1 runs a Squid server. The template configuration file can be found at 
+`templates/eessi_stratum1_squid.conf.j2`.
+If you want to customize it, for instance for limiting the access to the Stratum 1,
+you can make your own version of this template file and point to it by editing the playbook or
+adding the following to `group_vars/all.yml` or the section in your `hosts` file:
+```yaml
+cvmfs_squid_conf_src=/path/to/your_stratum1_squid.conf.j2
+```
+Install the Stratum 1 using:
+```
+ansible-playbook -i hosts -b -K stratum1.yml
+```
+This will automatically make replicas of all the repositories defined in `group_vars/all.yml`.
+
+### Local proxies
+The local proxies also need a Squid configuration file; the default can be found in 
+`templates/localproxy_squid.conf.j2`.
+
+You have to define the lists of IP addresses / ranges (using CIDR notation) that are allowed to use the proxy using the variable `cvmfs_localproxy_allowed_clients`.
+You can put this, for instance, in your hosts file. See `hosts.example` for more details.
+
+If you want to customize the Squid configuration more, you can also make your own file, and point to it using `cvmfs_squid_conf_src` (see the Stratum 1 section).
+
+Do keep in mind that you should never accept proxy request from everywhere to everywhere!
+Besides having a Squid configuration with the right ACLs, it is recommended to also have a firewall that limits access to your proxy.
+
+Deploy your proxies using:
+```
+ansible-playbook -i hosts -b -K localproxy.yml
+```
+
+### Clients
+Make sure that your hosts file contains the list of hosts where the CVMFS client should be installed.
+Furthermore, you can add a vars section for the clients that contains the list of (local) proxy servers
+that your clients should use:
+```yaml
+[cvmfsclients:vars]
+cvmfs_http_proxies=["your-local.proxy:3128"]
+```
+If you just want to roll out one client without a proxy, you can leave this out.
+Finally, run the playbook:
+```
+ansible-playbook -i hosts -b -K client.yml
+```
+
+## Verification and usage
+
+### Client
+
+Once the client has been installed, you should be able to access all repositories under /cvmfs. They might not immediately show up in that directory before you have actually used them, so you might first have to run ls, e.g.:
+```
+ls /cvmfs/cvmfs-config.eessi-hpc.org
+```
+
+On the client machines you can use the `cvmfs_config` tool for different operations. For instance, you can verify the file system by running:
+```
+$ sudo cvmfs_config probe cvmfs-config.eessi-hpc.org
+Probing /cvmfs/cvmfs-config.eessi-hpc.org... OK
+```
+
+Checking for misconfigurations can be done with:
+```
+sudo cvmfs_config chksetup
+```
+
+In case of unclear issues, you can enable the debug mode and log to a file by setting the following environment variable:
+```
+CVMFS_DEBUGFILE=/some/path/to/cvmfs.log
+```
+
+### Proxy / Stratum 1
+
+In order to test your local proxy and/or Stratum 1, even without a client installed, you can use curl:
+```
+curl --proxy http://url-to-your-proxy:3128 --head http://url-to-your-stratum1/cvmfs/cvmfs-config.eessi-hpc.org/.cvmfspublished
+```
+This should return:
+```
+HTTP/1.1 200 OK
+...
+X-Cache: MISS from url-to-your-proxy
+```
+The second time you run it, you should get a cache hit:
+```
+X-Cache: HIT from url-to-your-proxy
+```
+
+### Using the CVMFS infrastructure
+
+When the infrastructure seems to work, you can try publishing some new files. This can be done by starting a transaction on the Stratum 0, adding some files, and publishing the transaction:
+```
+sudo cvmfs_server transaction pilot.eessi-hpc.org
+mkdir /cvmfs/pilot.eessi-hpc.org/testdir
+touch /cvmfs/pilot.eessi-hpc.org/testdir/testfile
+sudo cvmfs_server publish pilot.eessi-hpc.org
+```
+It might take a few minutes, but then the new file should show up at the clients.

client.yml

@@ -1,4 +1,6 @@
-- name: CVMFS
+# Install CVMFS clients.
+---
+- name: CVMFS clients
   hosts: cvmfsclients
   vars:
     eessi_cvmfs_repos_enabled: config-repo

group_vars/all.yml

@@ -7,7 +7,7 @@
 # https://github.com/EESSI/cvmfs-layer/issues/2
 #cvmfs_geo_license_key: 
 
-# Automatically configure EESSI CVMFS repos
+# Automatically configure EESSI CVMFS repos.
 eessi_cvmfs_repos_enabled: config-repo
 
 # Email address for the project, which will be put in the contact file on the config repo.
@@ -34,10 +34,17 @@ eessi_cvmfs_config_repo:
     repository: cvmfs-config.eessi-hpc.org
     stratum0: cvmfs-s0.eessi-hpc.org
     owner: "{{ cvmfs_repo_owner | default('root') }}"
+    key_dir: /etc/cvmfs/keys/eessi-hpc.org
     server_options: []
     client_options: []
 
-# Defaults for eessi-hpc.org repos
+#
+# Defaults for eessi-hpc.org repos.
+#
+
+# Public keys for the repositories, which you can find on the Stratum 0 at:
+# /etc/cvmfs/keys/*.pub
+# Note: you first have to run the stratum0.yml playbook once to generate the repositories and keys.
 eessi_cvmfs_keys:
   - path: /etc/cvmfs/keys/eessi-hpc.org/pilot.eessi-hpc.org.pub
     key: |
@@ -51,12 +58,14 @@ eessi_cvmfs_keys:
      FQIDAQAB
      -----END PUBLIC KEY-----
 
+# URLs for all the Stratum 1 servers.
 eessi_cvmfs_server_urls:
   - domain: eessi-hpc.org
     use_geoapi: true
     urls:
       - "http://cvmfs-s1-rug.eessi-hpc.org/cvmfs/@fqrn@"
 
+# Configuration of all the repositories.
 eessi_cvmfs_repositories:
   - repository: pilot.eessi-hpc.org
     stratum0: cvmfs-s0.eessi-hpc.org

hosts.example

@@ -8,11 +8,21 @@ your-stratum1.org
 your-proxy-1
 your-proxy-2
 
+[cvmfslocalproxies:vars]
+# List of clients allowed to access the proxy.
+# Add individual IPs and/or use CIDR notation.
+cvmfs_localproxy_allowed_clients = ["192.168.0.0/12", "10.0.0.15"]
+
 [cvmfsclients]
 your-client-1
 your-client-2
 
 [cvmfsclients:vars]
-cvmfs_http_proxies=["your-proxy-1:3128", "your-proxy-2:3128"]
-
-
+# List of all http proxies that should be configured for the clients.
+# Remove or comment the line if you do not want to use a proxy; in this
+# case it will be set to "DIRECT" in the client configuration.
+cvmfs_http_proxies = ["your-proxy-1:3128", "your-proxy-2:3128"]
+# The following one-liner can be used to automatically add all the hosts
+# defined in the cvmfslocalproxies group to cvmfs_http_proxes,
+# using port number 3128.
+# cvmfs_http_proxies = "{{ groups.cvmfslocalproxies | map('regex_replace', '^(.*)$', '\\1:3128') | list }}"

localproxy.yml

@@ -1,4 +1,8 @@
-- name: CVMFS
+# Install CVMFS local proxy (Squid) server(s).
+---
+- name: CVMFS local proxies.
   hosts: cvmfslocalproxies
+  vars:
+    cvmfs_squid_conf_src: eessi_localproxy_squid.conf.j2
   roles:
     - cvmfs

roles/README.md

@@ -1,4 +1,15 @@
-This roles directory contains a submodule that points to the repository of the Galaxy Ansible role for installing/configuring CVMFS, which can be found at:
+This roles directory contains submodules that point to the repositories of Ansible roles on which the EESSI playbooks depend. 
+
+## cvmfs
+
+The Galaxy Ansible role for installing/configuring CVMFS, which can be found at:
 https://github.com/galaxyproject/ansible-cvmfs
 
 We renamed the directory to "cvmfs", so we can use "cvmfs" as the name of this role in our Ansible playbooks.
+
+## geerlingguy.repo-epel
+
+Ansible role for adding the EPEL repository to RHEL/CentOS systems. The source can be found at:
+https://github.com/geerlingguy/ansible-role-repo-epel
+
+We renamed the directory to "geerlingguy.repo-epel", as this is also the name used in the Galaxy CVMFS examples.

roles/geerlingguy.repo-epel

@@ -2,7 +2,7 @@
 # Note: first deploy your Stratum 0 and make sure that group_vars/all.yml contains the right configuration,
 #       including all the keys of the repositories that have to be configured.
 ---
-- name: CVMFS
+- name: CVMFS Stratum 0 deploy config repository
   hosts: cvmfsstratum0servers
   tasks:
     - name: Start the CVMFS transaction, create directories, and copy files

stratum0-deploy-cvmfs-config.yml

@@ -1,11 +1,9 @@
-- name: CVMFS
+# Install a CVMFS Stratum 0 server.
+---
+- name: CVMFS Stratum 0
   hosts: cvmfsstratum0servers
   vars:
-    cvmfs_numfiles: 4096
-    cvmfs_server_urls:
-      - domain: eessi-hpc.org
-        urls:
-          - "http://cvmfs-s0.eessi-hpc.org/cvmfs/@fqrn@"
-    cvmfs_repositories: "{{ eessi_cvmfs_repositories }}"
+    cvmfs_repositories: "{{ eessi_cvmfs_repositories + [eessi_cvmfs_config_repo.repository] }}"
   roles:
+    - geerlingguy.repo-epel
     - cvmfs