diff --git a/CHANGELOG.md b/CHANGELOG.md index c7ab787b..5659ccc4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,24 @@ Notable changes between versions. +## 1.4.3 + +### Services Updated + +- This release contains several bugfixes & improvements for the Docker flavor of Tapis Deployer. +- [ Systems: 1.4.1 to 1.4.2 (tapis/systems)](https://github.com/tapis-project/tapis-systems/blob/1.4.2/CHANGELOG.md) +- [ Apps: 1.4.1 to 1.4.2 (tapis/apps)](https://github.com/tapis-project/tapis-apps/blob/1.4.2/CHANGELOG.md) +- [ Notifications: 1.4.0 to 1.4.1 (tapis/notifications, notifications-dispatcher)](https://github.com/tapis-project/tapis-notifications/blob/1.4.1/CHANGELOG.md) +- [ Files: 1.4.2 to 1.4.3 (tapis/tapis-files, tapis/tapis-files-workers)](https://github.com/tapis-project/tapis-files/blob/dev/CHANGELOG.md) +- [ Jobs: 1.4.2 to 1.4.3 (tapis/jobsworker, jobsmigrate, jobsapi)](https://github.com/tapis-project/tapis-jobs/blob/dev/tapis-jobsapi/CHANGELOG.md) +- [ Globus-Proxy: 1.4.2 to 1.4.3 (tapis/globus-proxy)](https://github.com/tapis-project/globus-proxy/blob/dev/CHANGELOG.md) + + +### Breaking Changes for Deployer Admins + +- This is ONLY for Docker Tapis installs updating; it is NOT applicable to Kubernetes installs: Some components' Postgres directory volume mounts have moved within the `tapisdatadir` and may need to be moved on disk before starting the containers. Each component should now follow a similar structure, e.g. for authenticator: `tapisdatadir/authenticator/postgres/data` should contain the Postgres data, such as the `PG_VERSION` file, `pg_wal` directory, etc. + + ## 1.4.2 ### Services Updated diff --git a/playbooks/generate-single-component.yml b/playbooks/generate-single-component.yml index 0c3da2f4..94299acc 100644 --- a/playbooks/generate-single-component.yml +++ b/playbooks/generate-single-component.yml 
@@ -7,6 +7,11 @@ tapisctl_action: 'generate' tasks: + + - name: debug + debug: + var: tapisflavor + - name: Set default values for vars include_role: name: get_defaults diff --git a/playbooks/roles/actors/templates/docker/burnup b/playbooks/roles/actors/templates/docker/burnup index d2dacb10..6d06115a 100755 --- a/playbooks/roles/actors/templates/docker/burnup +++ b/playbooks/roles/actors/templates/docker/burnup @@ -3,9 +3,9 @@ echo "burnup actors:" mkdir -p {{ tapisdatadir }}/actors -myuid=`id -u` -docker run -it --rm -v {{ tapisdatadir }}/actors:/actors tapis/ubutil2204:1.4.0 chown $myuid /actors +MYUID=`id -u` +docker run -it --rm -v {{ tapisdatadir }}/actors:/actors tapis/ubutil2204:1.4.0 chown $MYUID /actors -python3 {{ tapisdir }}/admin/util/parse_skexport -c actors -d {{ tapisdatadir }} +python3 ../admin/util/parse_skexport -c actors -d {{ tapisdatadir }} docker compose up -d diff --git a/playbooks/roles/actors/templates/docker/docker-compose.yml b/playbooks/roles/actors/templates/docker/docker-compose.yml index e0c6eebf..ac1fd6fe 100644 --- a/playbooks/roles/actors/templates/docker/docker-compose.yml +++ b/playbooks/roles/actors/templates/docker/docker-compose.yml @@ -66,9 +66,6 @@ services: hard: 65535 networks: - tapis - depends_on: - actors-mongo: - condition: service_started actors-nginx: container_name: actors-nginx @@ -77,7 +74,7 @@ services: - tapis volumes: # - ./config-local.json:/home/tapis/config.json - - "{{ tapisdir }}/actors/actors-config.json:/etc/nginx/sites-enabled/flask-project" + - "./actors-config.json:/etc/nginx/sites-enabled/flask-project" # # - ./images/nginx/nginx.conf:/etc/nginx/nginx.conf # # - ./images/nginx/sites-enabled:/etc/nginx/sites-enabled restart: always 
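Review bot: The task inserted at the top of `tasks:` is named only `debug`, which reads as a leftover from troubleshooting the `tapisflavor` comparison fixed elsewhere in this commit; if it is meant to stay, give it a name that says what it shows, e.g. `- name: Show the flavor this component is generated for`. If it was only needed while debugging, drop it so the play output stays quiet. The play header and the rest of the task list are outside the hunk.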
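Review bot: `python3 ../admin/util/parse_skexport` now depends on the caller's working directory instead of the rendered `{{ tapisdir }}` path, so invoking `actors/burnup` from anywhere other than its own directory looks for the helper in the wrong place. Anchoring on the script location keeps the relocation benefit without the cwd dependence: `python3 "$(dirname "$0")/../admin/util/parse_skexport" -c actors -d {{ tapisdatadir }}`. The same relative path is introduced in the apps, authenticator, files, jobs, notifications and security burnup hunks. The `MYUID` rename is fine; `MYUID="$(id -u)"` would match the `$(...)` form the sibling scripts use for `UID_GID`.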
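Review bot: Removing `depends_on: actors-mongo` leaves nothing ordering this service after its database, so on a cold start it may come up before mongo accepts connections and lean on `restart: always` to recover. If the dependency was removed to break a startup cycle or hang, a one-line comment saying so would stop the next reader from re-adding it; otherwise `condition: service_healthy` against a healthcheck on `actors-mongo` (if one exists) is the stronger form. The same kind of removal appears in the files-rabbitmq, jobs-rabbitmq and notifications-rabbitmq hunks. The service whose block this is starts before the hunk.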
@@ -92,7 +89,7 @@ services: # - "127.0.0.1:5000:5000" volumes: # - ./config-local.json:/home/tapis/config.json - - "{{ tapisdir }}/actors/actors-config.json:/home/tapis/config.json" + - "./actors-config.json:/home/tapis/config.json" # - ./abaco.log:/home/tapis/runtime_files/logs/service.log # - ./runtime_files/certs:/home/tapis/runtime_files/certs environment: @@ -115,7 +112,7 @@ services: image: {{ actors_core_image }} volumes: # - ./config-local.json:/home/tapis/config.json - - "{{ tapisdir }}/actors/actors-config.json:/home/tapis/config.json" + - "./actors-config.json:/home/tapis/config.json" # - ./abaco.log:/home/tapis/runtime_files/logs/service.log # - ./runtime_files/certs:/home/tapis/runtime_files/certs # ports: @@ -141,7 +138,7 @@ services: image: {{ actors_core_image }} volumes: # - ./config-local.json:/home/tapis/config.json - - "{{ tapisdir }}/actors/actors-config.json:/home/tapis/config.json" + - "./actors-config.json:/home/tapis/config.json" # - ./abaco.log:/home/tapis/runtime_files/logs/service.log # - ./runtime_files/certs:/home/tapis/runtime_files/certs ports: @@ -168,7 +165,7 @@ services: command: "python3 -u /home/tapis/actors/spawner.py" volumes: # - ./config-local.json:/home/tapis/config.json - - "{{ tapisdir }}/actors/actors-config.json:/home/tapis/config.json" + - "./actors-config.json:/home/tapis/config.json" # - /var/run/docker.sock:/var/run/docker.sock # - ./abaco.log:/home/tapis/runtime_files/logs/service.log # - ./runtime_files/certs:/home/tapis/runtime_files/certs @@ -193,7 +190,7 @@ services: volumes: - /:/host # - ./config-local.json:/home/tapis/config.json - - "{{ tapisdir }}/actors/actors-config.json:/home/tapis/config.json" + - "./actors-config.json:/home/tapis/config.json" - /var/run/docker.sock:/var/run/docker.sock # - ./abaco.log:/home/tapis/runtime_files/logs/service.log # - ./runtime_files/certs:/home/tapis/runtime_files/certs 
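Review bot: The volumes list rewritten in the `@@ -193` hunk still bind-mounts the host root (`- /:/host`) and the Docker socket next to the relocated config file, which gives that container effective control of the host, and nothing in the file says why both are needed. A comment above those two entries naming the feature that requires them, and whether the root mount could be read-only (`- /:/host:ro`), would make the privilege deliberate and reviewable rather than incidental. The service whose volumes these are starts before the hunk.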
@@ -220,7 +217,7 @@ services: command: "python3 -u /home/tapis/actors/events.py" volumes: # - ./config-local.json:/home/tapis/config.json - - "{{ tapisdir }}/actors/actors-config.json:/home/tapis/config.json" + - "./actors-config.json:/home/tapis/config.json" # - /var/run/docker.sock:/var/run/docker.sock # - ./abaco.log:/home/tapis/runtime_files/logs/service.log # - ./runtime_files/certs:/home/tapis/runtime_files/certs @@ -286,7 +283,7 @@ services: - tapis volumes: # - ./config-local.json:/home/tapis/config.json - - "{{ tapisdir }}/actors/actors-config.json:/home/tapis/config.json" + - "./actors-config.json:/home/tapis/config.json" # - ./abaco.log:/home/tapis/runtime_files/logs/service.log # - ./runtime_files/certs:/home/tapis/runtime_files/certs # ports: diff --git a/playbooks/roles/admin/templates/docker/util/parse_skexport b/playbooks/roles/admin/templates/docker/util/parse_skexport index 02fa0947..c739af13 100644 --- a/playbooks/roles/admin/templates/docker/util/parse_skexport +++ b/playbooks/roles/admin/templates/docker/util/parse_skexport @@ -51,8 +51,6 @@ notifications = {"PGADMIN_DEFAULT_PASSWORD": "DBCREDENTIAL_PGADMIN_NOTIFICATIONS "TAPIS_SERVICE_PASSWORD": "SERVICEPWD_NOTIFICATIONS_PASSWORD", "service_password": "SERVICEPWD_NOTIFICATIONS_PASSWORD"} - - pgrest = {"":""} pods = {"":""} proxy = {"":""} @@ -62,7 +60,7 @@ security = {"TAPIS_SK_VAULT_SECRET_ID": "", # these two are populated later with "TAPIS_PASSWORD": "DBCREDENTIAL_POSTGRES_SK_POSTGRES_TAPISSECDB_TAPIS_PASSWORD", "POSTGRES_PASSWORD": "DBCREDENTIAL_POSTGRES_SK_POSTGRES_TAPISSECDB_POSTGRES_PASSWORD", "PW" : "DBCREDENTIAL_POSTGRES_SK_POSTGRES_TAPISSECDB_POSTGRES_PASSWORD", - "TPW" : "DBCREDENTIAL_POSTGRES_SK_POSTGRES_TAPISSECDB_POSTGRES_PASSWORD"} + "TPW" : "DBCREDENTIAL_POSTGRES_SK_POSTGRES_TAPISSECDB_TAPIS_PASSWORD"} skadmin = {"":""} streams = {"":""} 
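Review bot: The `security` dict now maps `PW` to the postgres superuser secret and `TPW` to the tapis-user secret, but nothing beside the entries says which consumer expects which, so the mix-up this hunk corrects could easily recur. A comment on the two lines would pin the intent, e.g. `# PW: postgres superuser password, TPW: tapis application-user password` — the removed burnup script in this commit passed both to the SK migration container, but I cannot confirm the current consumer from here, so adjust the wording accordingly.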
@@ -98,23 +96,26 @@ args = parser.parse_args() # normalize component name component = args.comp.replace('-', '_') +# expand directory vars with things like ~ and $HOME +tapisdatadir_absolute = os.path.expanduser(os.path.expandvars(args.dir)) + # ensure data dir exists for component try: if args.verbose: - print(f"trying makedir with {os.path.join(args.dir + '/' + args.comp)}") - os.makedirs(os.path.join(args.dir + '/' + args.comp)) + print(f"trying makedir with {os.path.join(tapisdatadir_absolute + '/' + args.comp)}") + os.makedirs(os.path.join(tapisdatadir_absolute + '/' + args.comp)) if args.verbose: print(f'success') except FileExistsError: if args.verbose: - print(f"error making {os.path.join(args.dir + '/' + args.comp)}, already exists. Ignoring") + print(f"error making {os.path.join(tapisdatadir_absolute + '/' + args.comp)}, already exists. Ignoring") pass #ignore file exists, supposed to be created already anyway # set local vars -infile = args.dir + '/skadmin/env' +infile = tapisdatadir_absolute + '/skadmin/env' local = locals()[component] try: - outfile = open(args.dir + '/' + args.comp + '/env', 'w') + outfile = open((tapisdatadir_absolute + '/' + args.comp + '/env'), 'w') if args.verbose: print(f'successfuly opened {outfile}') except Exception as e: @@ -131,7 +132,7 @@ if args.verbose: # populate vault values for security if component == 'security': - vault_token = open('{{ tapisdatadir }}/vault/vault-token').read() + vault_token = open(tapisdatadir_absolute + '/vault/vault-token').read() headers = {'X-Vault-Token': f'{vault_token}'} r = requests.post('http://localhost:8200/v1/auth/approle/role/sk/secret-id', headers=headers) diff --git a/playbooks/roles/apps/defaults/main/images.yml b/playbooks/roles/apps/defaults/main/images.yml index 39cb9989..244993a9 100644 --- a/playbooks/roles/apps/defaults/main/images.yml +++ b/playbooks/roles/apps/defaults/main/images.yml 
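Review bot: The component `env` file opened on the `outfile = open((tapisdatadir_absolute + '/' + args.comp + '/env'), 'w')` line receives the service and database passwords copied from `skadmin/env`, yet it is created with the process umask and is typically world-readable on disk; create it owner-only instead: `env_path = os.path.join(tapisdatadir_absolute, args.comp, 'env')` and `outfile = os.fdopen(os.open(env_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w')`. The `os.path.join(tapisdatadir_absolute + '/' + args.comp)` calls in the same hunk pass one already-joined string, so `join` does nothing; `os.path.join(tapisdatadir_absolute, args.comp)` is what was meant, and `os.makedirs(..., exist_ok=True)` would remove the `FileExistsError` branch. Whether `outfile` is closed later is outside the hunk.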
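Review bot: `vault_token = open(tapisdatadir_absolute + '/vault/vault-token').read()` leaves the file handle open and keeps any trailing newline from the token file, which then ends up in the `X-Vault-Token` header; `with open(os.path.join(tapisdatadir_absolute, 'vault', 'vault-token')) as f: vault_token = f.read().strip()` addresses both. The `if component == 'security':` block continues past the hunk.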
@@ -1,3 +1,3 @@ -apps_api_image: tapis/apps:1.4.1 +apps_api_image: tapis/apps:1.4.2 apps_postgres_image: postgres:12.4 apps_pgadmin_image: dpage/pgadmin4:6.20 diff --git a/playbooks/roles/apps/templates/docker/burndown b/playbooks/roles/apps/templates/docker/burndown index 90957904..18c1e2ab 100755 --- a/playbooks/roles/apps/templates/docker/burndown +++ b/playbooks/roles/apps/templates/docker/burndown @@ -2,4 +2,6 @@ echo "burndown apps:" +export UID_GID="$(id -u):$(id -g)" + docker compose down diff --git a/playbooks/roles/apps/templates/docker/burnup b/playbooks/roles/apps/templates/docker/burnup index 9d6511bf..39814f65 100755 --- a/playbooks/roles/apps/templates/docker/burnup +++ b/playbooks/roles/apps/templates/docker/burnup @@ -3,13 +3,15 @@ echo "burnup apps:" mkdir -p {{ tapisdatadir }}/apps -myuid=`id -u` -export UID=`id -u` -export GID=`id -g` +mkdir -p {{ tapisdatadir }}/apps/postgres -docker run -it --rm -v {{ tapisdatadir }}/apps:/apps tapis/ubutil2204:1.4.0 chown $myuid /apps +MYUID=`id -u` -python3 {{ tapisdir }}/admin/util/parse_skexport -c apps -d {{ tapisdatadir }} +export UID_GID="$(id -u):$(id -g)" + +docker run -it --rm -v {{ tapisdatadir }}/apps:/apps tapis/ubutil2204:1.4.0 chown $MYUID /apps + +python3 ../admin/util/parse_skexport -c apps -d {{ tapisdatadir }} docker compose up -d diff --git a/playbooks/roles/apps/templates/docker/docker-compose.yml b/playbooks/roles/apps/templates/docker/docker-compose.yml index f0064bd3..e4fc3071 100644 --- a/playbooks/roles/apps/templates/docker/docker-compose.yml +++ b/playbooks/roles/apps/templates/docker/docker-compose.yml @@ -7,7 +7,7 @@ networks: services: apps-api: container_name: apps-api - user: ${UID}:${GID} + user: ${UID_GID} image: {{ apps_api_image }} networks: - tapis 
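Review bot: `user: ${UID_GID}` on apps-api expands to an empty string when the variable is not exported, and an empty `user:` makes the container fall back to the image's default user (possibly root) instead of failing; `user: ${UID_GID:?UID_GID must be exported, see burnup}` fails fast with a clear message. The burnup/burndown scripts in this commit do export it, but a `docker compose up` run by hand will not. The same substitution is used for files-workers/files-api, the jobs-* services and notifications-api/notifications-dispatcher in their hunks.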
@@ -50,7 +50,7 @@ services: - {{ tapisdatadir }}/apps/env volumes: - {{ tapisdatadir }}/apps/postgres:/pgdata - - {{ tapisdir }}/apps/apps-init-db-sh:/init-db + - ./apps-init-db-sh:/init-db command: bash -c "cp /init-db /local_initdb && echo 100 && chown $(whoami) /local_initdb && echo 200 && chmod +x /local_initdb && echo 300 && /local_initdb" depends_on: apps-postgres: diff --git a/playbooks/roles/authenticator/templates/docker/burnup b/playbooks/roles/authenticator/templates/docker/burnup index bc3c4f76..d36c1b50 100755 --- a/playbooks/roles/authenticator/templates/docker/burnup +++ b/playbooks/roles/authenticator/templates/docker/burnup @@ -1,11 +1,13 @@ #!/bin/bash echo "burnup authenticator:" -python3 {{ tapisdir }}/admin/util/parse_skexport -c authenticator -d {{ tapisdatadir }} + mkdir -p {{ tapisdatadir }}/authenticator mkdir -p {{ tapisdatadir }}/authenticator/postgres mkdir -p {{ tapisdatadir }}/authenticator/api mkdir -p {{ tapisdatadir }}/authenticator/ldap +python3 ../admin/util/parse_skexport -c authenticator -d {{ tapisdatadir }} + docker compose up -d diff --git a/playbooks/roles/authenticator/templates/docker/docker-compose.yml b/playbooks/roles/authenticator/templates/docker/docker-compose.yml index 9d60f84d..2a35b2fc 100644 --- a/playbooks/roles/authenticator/templates/docker/docker-compose.yml +++ b/playbooks/roles/authenticator/templates/docker/docker-compose.yml @@ -10,9 +10,9 @@ services: networks: - tapis env_file: - - "{{ tapisdatadir }}/authenticator/env" + - {{ tapisdatadir }}/authenticator/env volumes: - - "{{ tapisdir }}/authenticator/authenticator-config.json:/home/tapis/config.json" + - ./authenticator-config.json:/home/tapis/config.json depends_on: authenticator-postgres: condition: service_healthy 
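Review bot: Dropping the quotes around `{{ tapisdatadir }}/authenticator/env` and the config bind-mount makes the rendered YAML depend on what the variable expands to: a value containing `: ` or ` #`, or starting with a YAML indicator, would change the parse, whereas the quoted form was immune. The jobs and files compose files already use the unquoted form, so this is a consistency choice rather than a bug I can confirm, but keeping the double quotes costs nothing. The later hunks in this file (`@@ -28`, `@@ -49`, `@@ -57`, `@@ -69`) make the same change.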
@@ -28,16 +28,16 @@ services: networks: - tapis environment: - # - PGDATA=/pgdata/data + - PGDATA=/pgdata/data - POSTGRES_USER=authenticator - POSTGRES_DB=authenticator - POSTGRES_HOST_AUTH_METHOD=trust env_file: - - "{{ tapisdatadir }}/authenticator/env" + - {{ tapisdatadir }}/authenticator/env volumes: - - "{{ tapisdatadir }}/authenticator/postgres:/var/lib/postgresql/data" + - {{ tapisdatadir }}/authenticator/postgres:/pgdata healthcheck: - test: pg_isready -U postgres + test: pg_isready -U authenticator interval: 5s timeout: 5s retries: 5 @@ -49,7 +49,7 @@ services: networks: - tapis env_file: - - "{{ tapisdatadir }}/authenticator/env" + - {{ tapisdatadir }}/authenticator/env depends_on: authenticator-postgres: condition: service_healthy @@ -57,7 +57,7 @@ services: condition: service_started command: ['upgrade'] volumes: - - "{{ tapisdir }}/authenticator/authenticator-config.json:/home/tapis/config.json" + - ./authenticator-config.json:/home/tapis/config.json authenticator-ldap: @@ -69,9 +69,9 @@ services: - LDAP_DOMAIN=tapis - LDAP_ORGANISATION=Tapis env_file: - - "{{ tapisdatadir }}/authenticator/env" + - {{ tapisdatadir }}/authenticator/env volumes: - - "{{ tapisdatadir }}/authenticator/ldap:/data/ldap" + - {{ tapisdatadir }}/authenticator/ldap:/data/ldap depends_on: authenticator-postgres: condition: service_healthy diff --git a/playbooks/roles/baseburnup/defaults/main/vars.yml b/playbooks/roles/baseburnup/defaults/main/vars.yml index 6b8076fe..c36d5392 100644 --- a/playbooks/roles/baseburnup/defaults/main/vars.yml +++ b/playbooks/roles/baseburnup/defaults/main/vars.yml @@ -1,4 +1,4 @@ -baseburnup_tapis_deployer_version: 1.4.2 +baseburnup_tapis_deployer_version: 1.4.3 baseburnup_service_url: "{{ global_service_url }}" baseburnup_vault_url: "{{ global_vault_url }}" diff --git a/playbooks/roles/baseburnup/templates/docker/burndown b/playbooks/roles/baseburnup/templates/docker/burndown index 03a39735..5c527ce5 100755 
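Review bot: Enabling `PGDATA=/pgdata/data` while moving the mount from `/var/lib/postgresql/data` to `/pgdata` changes where an existing install's cluster is expected on disk, and the compose file itself gives no hint of it; the CHANGELOG in this commit describes the move, but a comment on the volume line, e.g. `# cluster lives under {{ tapisdatadir }}/authenticator/postgres/data as of 1.4.3`, would put the warning where an admin editing this file will see it. The healthcheck switch to `pg_isready -U authenticator` matches `POSTGRES_USER`; note that with `POSTGRES_HOST_AUTH_METHOD=trust` still set on this service the role is not actually authenticated, which is fine for a healthcheck but worth a follow-up for the service as a whole.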
--- a/playbooks/roles/baseburnup/templates/docker/burndown +++ b/playbooks/roles/baseburnup/templates/docker/burndown @@ -1,6 +1,5 @@ #!/bin/bash -set -e # global Tapis burndown script @@ -70,6 +69,11 @@ cd $mydir_absolute/systems ./burndown {% endif %} +{% if "apps" in components_to_deploy %} +cd $mydir_absolute/apps +./burndown +{% endif %} + ### primary services {% if "tenants" in components_to_deploy %} diff --git a/playbooks/roles/baseburnup/templates/docker/burnup b/playbooks/roles/baseburnup/templates/docker/burnup index 247e0ffb..30a59ebd 100755 --- a/playbooks/roles/baseburnup/templates/docker/burnup +++ b/playbooks/roles/baseburnup/templates/docker/burnup @@ -31,14 +31,22 @@ echo "Start: top-level-burnup" mkdir -p {{ tapisdatadir }} -{%- if "tapisflavor" == "docker" %} +{% if tapisflavor == "docker" %} ### Docker-specific setup -docker network inspect tapis || docker network create tapis +if ! docker network inspect tapis >& /dev/null +then + echo "Creating docker tapis network:" + docker network create tapis +fi {% endif %} ### init / setup +{% if "proxy" in components_to_deploy %} +burnup_or_exit proxy +{% endif %} + {% if "vault" in components_to_deploy %} burnup_or_exit vault {% endif %} @@ -54,10 +62,6 @@ burnup_or_exit skadmin burnup_or_exit tenants {% endif %} -{% if "proxy" in components_to_deploy %} -burnup_or_exit proxy -{% endif %} - {% if "security" in components_to_deploy %} burnup_or_exit security {% endif %} @@ -89,6 +93,11 @@ burnup_or_exit systems burnup_or_exit apps {% endif %} +{% if "notifications" in components_to_deploy %} +burnup_or_exit notifications +{% endif %} + + ## tertiary services # actors @@ -101,10 +110,6 @@ burnup_or_exit apps # monitoring -{% if "notifications" in components_to_deploy %} -burnup_or_exit notifications -{% endif %} - # pgrest # pgrest-a2cps-dev 
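Review bot: Dropping `set -e` means a failing component `./burndown` no longer aborts the global script, which is probably intended so one stuck component does not block the rest, but the script then exits 0 after partial failures and the caller never learns. Tracking failures keeps both properties: `failed=0` near the top, `./burndown || failed=1` at each call, and `exit $failed` at the bottom. The `apps` stanza added in the second hunk uses the same bare `./burndown` call.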
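Review bot: Creating the network by hand with `docker network create tapis` — now actually reached, since the Jinja test compares the variable instead of the literal string `"tapisflavor"` — produces a network without Compose's labels, and a compose project that declares `networks: tapis: name: tapis` without `external: true` will refuse an existing network with an "incorrect label" error. The proxy and globus-proxy compose files in this commit add `external: true`; the other component compose files' network stanzas are not visible here, so please confirm they do the same or let Compose keep creating the network. `>& /dev/null` is a bashism, fine as long as this script keeps the `#!/bin/bash` shebang the sibling scripts use.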
diff --git a/playbooks/roles/baseburnup/templates/docker/docker-compose.yml b/playbooks/roles/baseburnup/templates/docker/docker-compose.yml deleted file mode 100644 index e69de29b..00000000 diff --git a/playbooks/roles/files/defaults/main/images.yml b/playbooks/roles/files/defaults/main/images.yml index 2b82eeef..5dced09d 100644 --- a/playbooks/roles/files/defaults/main/images.yml +++ b/playbooks/roles/files/defaults/main/images.yml @@ -1,5 +1,5 @@ -files_api_image: tapis/tapis-files:1.4.2 -files_workers_image: tapis/tapis-files-workers:1.4.2 +files_api_image: tapis/tapis-files:1.4.3 +files_workers_image: tapis/tapis-files-workers:1.4.3 files_postgres_image: postgres:11 files_migrations_image: postgres:11 files_minio_image: minio/minio diff --git a/playbooks/roles/files/defaults/main/vars.yml b/playbooks/roles/files/defaults/main/vars.yml index a4297d3d..aa2dcc22 100644 --- a/playbooks/roles/files/defaults/main/vars.yml +++ b/playbooks/roles/files/defaults/main/vars.yml @@ -1,7 +1,7 @@ --- -files_args: ["-Xdebug", "-Xmx3g", "-agentlib:jdwp=transport=dt_socket,server=y,address=*:8000,suspend=n", "-cp", "target/tapis-files.jar:target/dependencies/*", "edu.utexas.tacc.tapis.files.api.FilesApplication"] -files_commands: ["java", "-Xmx3g", "-cp", "target/tapis-files.jar:target/dependencies/*", "edu.utexas.tacc.tapis.files.lib.transfers.TransfersApp"] +files_args: ["-Xdebug", "-Xmx3g", "-agentlib:jdwp=transport=dt_socket,server=y,address=*:8000,suspend=n", "-Dlogback.configurationFile=target/classes/logback.xml", "-cp", "target/tapis-files.jar:target/dependencies/*", "edu.utexas.tacc.tapis.files.api.FilesApplication"] +files_commands: ["java", "-Xmx3g", "-Dlogback.configurationFile=target/classes/logback.xml", "-cp", "target/tapis-files.jar:target/dependencies/*", "edu.utexas.tacc.tapis.files.lib.transfers.TransfersApp"] files_node_selector: null files_rabbitmq_hostname: files-rabbitmq files_service_name: files 
diff --git a/playbooks/roles/files/templates/docker/burndown b/playbooks/roles/files/templates/docker/burndown index 467b256e..f13b0939 100755 --- a/playbooks/roles/files/templates/docker/burndown +++ b/playbooks/roles/files/templates/docker/burndown @@ -2,4 +2,6 @@ echo "burndown files:" +export UID_GID="$(id -u):$(id -g)" + docker compose down diff --git a/playbooks/roles/files/templates/docker/burnup b/playbooks/roles/files/templates/docker/burnup index d0886560..193e6a18 100755 --- a/playbooks/roles/files/templates/docker/burnup +++ b/playbooks/roles/files/templates/docker/burnup @@ -8,12 +8,13 @@ mkdir -p {{ tapisdatadir }}/files/postgres mkdir -p {{ tapisdatadir }}/files/minio mkdir -p {{ tapisdatadir }}/files/irods -myuid=`id -u` -export UID=`id -u` -export GID=`id -g` -docker run -it --rm -v {{ tapisdatadir }}/files:/files tapis/ubutil2204:1.4.0 chown $myuid /files +MYUID=`id -u` -python3 {{ tapisdir }}/admin/util/parse_skexport -c files -d {{ tapisdatadir }} +export UID_GID="$(id -u):$(id -g)" + +docker run -it --rm -v {{ tapisdatadir }}/files:/files tapis/ubutil2204:1.4.0 chown $MYUID /files + +python3 ../admin/util/parse_skexport -c files -d {{ tapisdatadir }} docker compose up -d diff --git a/playbooks/roles/files/templates/docker/docker-compose.yml b/playbooks/roles/files/templates/docker/docker-compose.yml index 6a523c52..e80a8a95 100644 --- a/playbooks/roles/files/templates/docker/docker-compose.yml +++ b/playbooks/roles/files/templates/docker/docker-compose.yml @@ -16,12 +16,9 @@ services: - tapis healthcheck: test: rabbitmq-diagnostics -q ping - interval: 5s - timeout: 5s + interval: 30s + timeout: 30s retries: 3 - depends_on: - files-postgres: - condition: service_healthy files-postgres: container_name: files-postgres @@ -31,7 +28,7 @@ services: - POSTGRES_DATABASE=tapisfiles - PGDATA=/pgdata/data volumes: - - {{ tapisdatadir }}/files/postgres:/pgdata/data + - {{ tapisdatadir }}/files/postgres:/pgdata networks: - tapis env_file: 
@@ -49,7 +46,7 @@ services: files-postgres: condition: service_healthy volumes: - - {{ tapisdir }}/files/files-init-db-sh:/files-init-db-sh + - ./files-init-db-sh:/files-init-db-sh networks: - tapis command: chmod +x files-init-db-sh; /files-init-db-sh @@ -78,7 +75,7 @@ services: files-workers: container_name: files-workers - user: ${UID}:${GID} + user: ${UID_GID} image: {{ files_workers_image }} networks: - tapis @@ -101,18 +98,18 @@ services: - RABBITMQ_HOSTNAME=files-rabbitmq - RABBITMQ_USERNAME=tapisfiles - RABBITMQ_VHOST=tapisfiles - command: ["java", "-Xmx3g", "-cp", "target/tapis-files.jar:target/dependencies/*", "edu.utexas.tacc.tapis.files.lib.transfers.TransfersApp"] + command: ["java", "-Xmx3g", "-Dlogback.configurationFile=target/classes/logback.xml", "-cp", "target/tapis-files.jar:target/dependencies/*", "edu.utexas.tacc.tapis.files.lib.transfers.TransfersApp"] depends_on: files-api: condition: service_started files-api: - user: ${UID}:${GID} + user: ${UID_GID} container_name: files-api image: {{ files_api_image }} networks: - tapis - command: ["java", "-Xdebug", "-Xmx3g", "-agentlib:jdwp=transport=dt_socket,server=y,address=*:8000,suspend=n", "-cp", "target/tapis-files.jar:target/dependencies/*", "edu.utexas.tacc.tapis.files.api.FilesApplication"] + command: ["java", "-Xdebug", "-Xmx3g", "-agentlib:jdwp=transport=dt_socket,server=y,address=*:8000,suspend=n", "-Dlogback.configurationFile=target/classes/logback.xml", "-cp", "target/tapis-files.jar:target/dependencies/*", "edu.utexas.tacc.tapis.files.api.FilesApplication"] env_file: - {{ tapisdatadir }}/files/env environment: diff --git a/playbooks/roles/globus-proxy/defaults/main/images.yml b/playbooks/roles/globus-proxy/defaults/main/images.yml index dd86559c..dbdac788 100644 --- a/playbooks/roles/globus-proxy/defaults/main/images.yml +++ b/playbooks/roles/globus-proxy/defaults/main/images.yml 
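Review bot: The rewritten files-api `command` still starts the JVM with `-agentlib:jdwp=transport=dt_socket,server=y,address=*:8000,suspend=n`, so a remote-debug port is open on every interface of the container, and anything that can reach port 8000 on the `tapis` network can attach to the service with full control of it. Whether 8000 is published to the host is decided outside this hunk, so at minimum mark it with a comment as a debug-only setting, and consider rendering the agent flag only when a debug variable is set so production configs do not carry it. The logback property added on the same line is fine. The `user: ${UID_GID}` lines here share the empty-value concern raised on apps-api, and the files-api block continues past the hunk.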
@@ -1 +1 @@ -globus_proxy_api_image: tapis/globus-proxy:1.4.0 +globus_proxy_api_image: tapis/globus-proxy:1.4.3 diff --git a/playbooks/roles/globus-proxy/templates/docker/docker-compose.yml b/playbooks/roles/globus-proxy/templates/docker/docker-compose.yml index 558c130f..be9c52fe 100644 --- a/playbooks/roles/globus-proxy/templates/docker/docker-compose.yml +++ b/playbooks/roles/globus-proxy/templates/docker/docker-compose.yml @@ -1,6 +1,7 @@ networks: tapis: name: tapis + external: true services: globus-proxy: @@ -9,7 +10,7 @@ services: networks: - tapis volumes: - - {{ tapisdir }}/globus-proxy/globus-proxy-config.json:/home/tapis/config.json + - ./globus-proxy-config.json:/home/tapis/config.json ports: - 127.0.0.1:5000:5000 diff --git a/playbooks/roles/jobs/defaults/main/images.yml b/playbooks/roles/jobs/defaults/main/images.yml index e58b5c4d..32260c1d 100644 --- a/playbooks/roles/jobs/defaults/main/images.yml +++ b/playbooks/roles/jobs/defaults/main/images.yml @@ -1,6 +1,6 @@ -jobs_api_image: tapis/jobsapi:1.4.2 -jobs_migrations_image: tapis/jobsmigrate:1.4.2 -jobs_worker_image: tapis/jobsworker:1.4.2 +jobs_api_image: tapis/jobsapi:1.4.3 +jobs_migrations_image: tapis/jobsmigrate:1.4.3 +jobs_worker_image: tapis/jobsworker:1.4.3 jobs_postgres_image: postgres:12.4 jobs_pgadmin_image: dpage/pgadmin4:6.20 jobs_rabbitmq_management_image: rabbitmq:3.8.11-management diff --git a/playbooks/roles/jobs/templates/docker/burndown b/playbooks/roles/jobs/templates/docker/burndown index c7394fef..630c62e2 100755 --- a/playbooks/roles/jobs/templates/docker/burndown +++ b/playbooks/roles/jobs/templates/docker/burndown @@ -2,4 +2,6 @@ echo "burndown jobs:" +export UID_GID="$(id -u):$(id -g)" + docker compose down diff --git a/playbooks/roles/jobs/templates/docker/burnup b/playbooks/roles/jobs/templates/docker/burnup index 32ba2084..d6933348 100755 --- a/playbooks/roles/jobs/templates/docker/burnup +++ b/playbooks/roles/jobs/templates/docker/burnup 
@@ -3,13 +3,14 @@ echo "burnup jobs:" mkdir -p {{ tapisdatadir }}/jobs +mkdir -p {{ tapisdatadir }}/jobs/postgres -# myuid=`id -u` -export UID=`id -u` -export GID=`id -g` -docker run -it --rm -v {{ tapisdatadir }}/jobs:/jobs tapis/ubutil2204:1.4.0 chown $UID /jobs +export MYUID="$(id -u)" +export UID_GID="$(id -u):$(id -g)" -python3 {{ tapisdir }}/admin/util/parse_skexport -c jobs -d {{ tapisdatadir }} +docker run -it --rm -v {{ tapisdatadir }}/jobs:/jobs tapis/ubutil2204:1.4.0 chown $MYUID /jobs + +python3 ../admin/util/parse_skexport -c jobs -d {{ tapisdatadir }} docker compose up -d diff --git a/playbooks/roles/jobs/templates/docker/docker-compose.yml b/playbooks/roles/jobs/templates/docker/docker-compose.yml index 8cead02c..07e7c385 100644 --- a/playbooks/roles/jobs/templates/docker/docker-compose.yml +++ b/playbooks/roles/jobs/templates/docker/docker-compose.yml @@ -8,7 +8,7 @@ networks: services: jobs-api: container_name: jobs-api - user: ${UID}:${GID} + user: ${UID_GID} networks: - tapis image: {{ jobs_api_image }} @@ -47,7 +47,7 @@ services: env_file: - {{ tapisdatadir }}/jobs/env volumes: - - {{ tapisdatadir }}/jobs/jobs-pg-data:/pgdata/data + - {{ tapisdatadir }}/jobs/postgres:/pgdata healthcheck: test: pg_isready -U postgres interval: 5s @@ -93,9 +93,6 @@ services: - {{ tapisdatadir }}/jobs/jobs-rabbitmq-data:/var/lib/rabbitmq/mnesia networks: - tapis - depends_on: - jobs-migrations: - condition: service_completed_successfully healthcheck: test: rabbitmq-diagnostics -q ping interval: 30s @@ -103,7 +100,7 @@ services: retries: 3 jobs-altqueue: - user: ${UID}:${GID} + user: ${UID_GID} container_name: jobs-altqueue image: {{ jobs_worker_image }} networks: @@ -131,7 +128,7 @@ services: jobs-recovery: container_name: jobs-recovery - user: ${UID}:${GID} + user: ${UID_GID} image: {{ jobs_worker_image }} environment: - TAPIS_SITE_ID={{ jobs_service_site_id }} 
@@ -158,7 +155,7 @@ services: jobs-deadletter: container_name: jobs-deadletter - user: ${UID}:${GID} + user: ${UID_GID} image: {{ jobs_worker_image }} environment: - TAPIS_SITE_ID={{ jobs_service_site_id }} @@ -185,7 +182,7 @@ services: jobs-eventqueue: container_name: jobs-eventqueue - user: ${UID}:${GID} + user: ${UID_GID} image: {{ jobs_worker_image }} environment: - TAPIS_SITE_ID={{ jobs_service_site_id }} @@ -212,7 +209,7 @@ services: jobs-workers: container_name: jobs-workers - user: ${UID}:${GID} + user: ${UID_GID} image: {{ jobs_worker_image }} environment: {% if jobs_node_name == true -%} diff --git a/playbooks/roles/notifications/defaults/main/images.yml b/playbooks/roles/notifications/defaults/main/images.yml index ecce0b57..cb85ba01 100644 --- a/playbooks/roles/notifications/defaults/main/images.yml +++ b/playbooks/roles/notifications/defaults/main/images.yml @@ -1,5 +1,5 @@ notifications_postgres_image: postgres:12.4 notifications_pgadmin_image: dpage/pgadmin4:6.20 notifications_rabbitmq_image: rabbitmq:3.8.11-management -notifications_api_image: tapis/notifications:1.4.0 -notifications_dispatcher_image: tapis/notifications-dispatcher:1.4.0 +notifications_api_image: tapis/notifications:1.4.1 +notifications_dispatcher_image: tapis/notifications-dispatcher:1.4.1 diff --git a/playbooks/roles/notifications/templates/docker/burndown b/playbooks/roles/notifications/templates/docker/burndown index cf303edd..672b1c5e 100755 --- a/playbooks/roles/notifications/templates/docker/burndown +++ b/playbooks/roles/notifications/templates/docker/burndown @@ -2,4 +2,6 @@ echo "burndown meta:" +export UID_GID="$(id -u):$(id -g)" + docker compose down diff --git a/playbooks/roles/notifications/templates/docker/burnup b/playbooks/roles/notifications/templates/docker/burnup index 1e0c2b7f..299ccb2a 100755 --- a/playbooks/roles/notifications/templates/docker/burnup +++ b/playbooks/roles/notifications/templates/docker/burnup 
@@ -3,11 +3,13 @@ echo "burnup notifications:" mkdir -p {{ tapisdatadir }}/notifications -myuid=`id -u` -export UID=`id -u` -export GID=`id -g` -docker run -it --rm -v {{ tapisdatadir }}/notifications:/notifications tapis/ubutil2204:1.4.0 chown $myuid /notifications +mkdir -p {{ tapisdatadir }}/notifications/postgres -python3 {{ tapisdir }}/admin/util/parse_skexport -c notifications -d {{ tapisdatadir }} +MYUID=`id -u` +export UID_GID="$(id -u):$(id -g)" + +docker run -it --rm -v {{ tapisdatadir }}/notifications:/notifications tapis/ubutil2204:1.4.0 chown $MYUID /notifications + +python3 ../admin/util/parse_skexport -c notifications -d {{ tapisdatadir }} docker compose up -d diff --git a/playbooks/roles/notifications/templates/docker/docker-compose.yml b/playbooks/roles/notifications/templates/docker/docker-compose.yml index e4349a19..82c31335 100644 --- a/playbooks/roles/notifications/templates/docker/docker-compose.yml +++ b/playbooks/roles/notifications/templates/docker/docker-compose.yml @@ -9,7 +9,7 @@ services: notifications-api: container_name: notifications-api - user: ${UID}:${GID} + user: ${UID_GID} image: {{ notifications_api_image }} environment: - TAPIS_SITE_ID={{ notifications_service_site_id }} @@ -35,7 +35,7 @@ services: image: {{ notifications_postgres_image }} command: bash -c "chmod +x /tmp/notifications-init-db-sh && /tmp/notifications-init-db-sh" volumes: - - {{ tapisdir }}/notifications/notifications-init-db-sh:/tmp/notifications-init-db-sh + - ./notifications-init-db-sh:/tmp/notifications-init-db-sh env_file: - {{ tapisdatadir }}/notifications/env networks: 
@@ -54,31 +54,31 @@ services: networks: - tapis volumes: - - {{ tapisdatadir }}/notifications/pgdata:/pgdata/data + - {{ tapisdatadir }}/notifications/postgres:/pgdata healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres"] interval: 5s timeout: 5s retries: 5 - notifications-pgadmin: - container_name: notifications-pgadmin - image: {{ notifications_pgadmin_image }} - environment: - - PGADMIN_DEFAULT_EMAIL=wow@example.com - env_file: - - {{ tapisdatadir }}/notifications/env - networks: - - tapis - depends_on: - notifications-postgres: - condition: service_healthy - notifications-rabbitmq: - condition: service_healthy +# notifications-pgadmin: +# container_name: notifications-pgadmin +# image: {{ notifications_pgadmin_image }} +# environment: +# - PGADMIN_DEFAULT_EMAIL=wow@example.com +# env_file: +# - {{ tapisdatadir }}/notifications/env +# networks: +# - tapis +# depends_on: +# notifications-postgres: +# condition: service_healthy +# notifications-rabbitmq: +# condition: service_healthy notifications-dispatcher: container_name: notifications-dispatcher - user: ${UID}:${GID} + user: ${UID_GID} image: {{ notifications_dispatcher_image }} environment: - TAPIS_SITE_ID={{ notifications_service_site_id }} @@ -115,11 +115,6 @@ services: - tapis healthcheck: test: rabbitmq-diagnostics check_running - interval: 5s - timeout: 5s + interval: 30s + timeout: 30s retries: 3 - depends_on: - notifications-postgres: - condition: service_healthy - notifications-init-db: - condition: service_completed_successfully \ No newline at end of file diff --git a/playbooks/roles/proxy/templates/docker/docker-compose.yml b/playbooks/roles/proxy/templates/docker/docker-compose.yml index 0eeb5ac8..0db909f9 100644 --- a/playbooks/roles/proxy/templates/docker/docker-compose.yml +++ b/playbooks/roles/proxy/templates/docker/docker-compose.yml @@ -1,6 +1,7 @@ networks: tapis: name: tapis + external: true services: 
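Review bot: The pgadmin service is commented out line by line rather than deleted, leaving fourteen dead lines (including the placeholder `PGADMIN_DEFAULT_EMAIL=wow@example.com`) that will drift from the real template; git history preserves the block, so removing it, or wrapping it in a Jinja `{% if %}` on a variable if it is meant to be optional, is cleaner. The `user: ${UID_GID}` change on notifications-dispatcher shares the empty-value concern noted on apps-api.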
diff --git a/playbooks/roles/proxy/templates/docker/nginx.conf b/playbooks/roles/proxy/templates/docker/nginx.conf index 026de888..4198321c 100644 --- a/playbooks/roles/proxy/templates/docker/nginx.conf +++ b/playbooks/roles/proxy/templates/docker/nginx.conf @@ -106,8 +106,13 @@ http { resolver 127.0.0.11 valid=10s; resolver_timeout 5s; +{% if "pods" in components_to_deploy %} listen 8443 ssl http2; listen [::]:8443 ssl http2; +{% else %} + listen 443 ssl http2; + listen [::]:443 ssl http2; +{% endif %} server_name {{ proxy_nginx_server_name }}; diff --git a/playbooks/roles/security/templates/docker/burndown b/playbooks/roles/security/templates/docker/burndown index d9d63b68..1bd6f34a 100755 --- a/playbooks/roles/security/templates/docker/burndown +++ b/playbooks/roles/security/templates/docker/burndown @@ -2,5 +2,7 @@ echo "burndown security:" +export UID_GID="$(id -u):$(id -g)" + docker compose down diff --git a/playbooks/roles/security/templates/docker/burnup b/playbooks/roles/security/templates/docker/burnup index 104550c1..a6e8cfb7 100755 --- a/playbooks/roles/security/templates/docker/burnup +++ b/playbooks/roles/security/templates/docker/burnup 
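Review bot: The new `{% if "pods" in components_to_deploy %}` branch silently moves the TLS listen port between 443 and 8443 depending on which components are deployed, and nothing in the template says why; a comment such as `# pods takes 443 when deployed, so the API proxy listens on 8443 — keep in sync with the proxy compose port mapping` (my guess at the reason, adjust to the real one) would spare the next admin a surprise. Both `listen` lines must also agree with whatever ports the proxy compose file publishes, which is outside this hunk. The `server` block starts before the hunk.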
@@ -3,89 +3,11 @@ echo "burnup security:" mkdir -p {{ tapisdatadir }}/security +mkdir -p {{ tapisdatadir }}/security/postgres -# export POSTGRES_PASSWORD=`grep DBCREDENTIAL_POSTGRES_SK_POSTGRES_TAPISSECDB_POSTGRES_PASSWORD {{ tapisdatadir }}/skadmin/env | awk -F= '{print $2}' | tr -d " \t\n\r"` +python3 ../admin/util/parse_skexport -c security -d {{ tapisdatadir }} -# start database - -# docker compose up -d sk-postgres sk-pgadmin -# if [ $? -ne 0 ] -# then -# echo "SK-ERROR: postgres failed to start." -# exit 1 -# fi - -# db setup / migration step - -# export PW=`grep DBCREDENTIAL_POSTGRES_SK_POSTGRES_TAPISSECDB_POSTGRES_PASSWORD {{ tapisdatadir }}/skadmin/env | awk -F= '{print $2}' | tr -d " \t\n\r"` -# export TPW=`grep DBCREDENTIAL_POSTGRES_SK_POSTGRES_TAPISSECDB_TAPIS_PASSWORD {{ tapisdatadir }}/skadmin/env | awk -F= '{print $2}' | tr -d " \t\n\r"` - - -# docker run --name security-migration -it --rm --net tapis \ -# --env HOST=sk-postgres \ -# --env PORT=5432 \ -# --env USER=postgres \ -# --env PW \ -# --env TPW \ -# {{ security_migrations_image }} -# if [ $? -ne 0 ] -# then -# echo "SK-ERROR: migration failed." -# exit 1 -# fi - - -# start api - -# export VAULT_TOKEN=`cat {{ tapisdatadir }}/vault/vault-token` - -# if [ -z "$VAULT_TOKEN" ] -# then -# echo "\$VAULT_TOKEN is empty. Exiting." -# exit 1 -# fi - -# export VAULT_SECRETID=`docker run --name skadmin-presetup -it --rm --net tapis --env VAULT_TOKEN \ -# {{ security_util_image }} curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" http://localhost:8200/v1/auth/approle/role/sk/secret-id | jq -r .data.secret_id` - -# # export VAULT_SECRETID=`curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" http://localhost:8200/v1/auth/approle/role/sk/secret-id | jq -r .data.secret_id` - -# if [ -z "$VAULT_SECRETID" ] -# then -# echo "\$VAULT_SECRETID is empty. Exiting." 
-# exit 1 -# fi - -# export TAPIS_SK_VAULT_SECRET_ID=$VAULT_SECRETID - -# export VAULT_ROLEID=`docker run --name skadmin-presetup -it --rm --net tapis --env VAULT_TOKEN \ -# {{ security_util_image }} curl -s -X GET -H "X-Vault-Token: $VAULT_TOKEN" http://localhost:8200/v1/auth/approle/role/sk/role-id | jq -r .data.role_id` - -# # export VAULT_ROLEID=`curl -s -X GET -H "X-Vault-Token: $VAULT_TOKEN" http://localhost:8200/v1/auth/approle/role/sk/role-id | jq -r .data.role_id` -# if [ -z "$VAULT_ROLEID" ] - -# then -# echo "\$VAULT_ROLEID is empty. Exiting." -# exit 1 -# fi - -# export TAPIS_SK_VAULT_ROLE_ID=$VAULT_ROLEID - -# export TAPIS_PASSWORD=$TPW -# export TAPIS_DB_PASSWORD=$TPW - -# docker compose up -d security-api -# if [ $? -ne 0 ] -# then -# echo "SK-ERROR: security-api failed to start." -# exit 1 -# fi - -mkdir -p {{ tapisdatadir }}/security -python3 {{ tapisdir }}/admin/util/parse_skexport -c security -d {{ tapisdatadir }} - -export UID=`id -u` -export GID=`id -g` +export UID_GID="$(id -u):$(id -g)" docker compose up -d diff --git a/playbooks/roles/security/templates/docker/docker-compose.yml b/playbooks/roles/security/templates/docker/docker-compose.yml index 32ad859a..a570ef1f 100644 --- a/playbooks/roles/security/templates/docker/docker-compose.yml +++ b/playbooks/roles/security/templates/docker/docker-compose.yml @@ -12,7 +12,7 @@ services: networks: - tapis volumes: - - {{ tapisdatadir }}/security/postgres:/pgdata/data + - {{ tapisdatadir }}/security/postgres:/pgdata environment: - PGDATA=/pgdata/data env_file: 
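Review bot: `python3 ../admin/util/parse_skexport -c security -d {{ tapisdatadir }}` now resolves `../admin` against the caller's working directory, so burnup only works when invoked from inside the security directory, whereas the replaced line used the absolute `{{ tapisdir }}` path. Anchoring on the script's own location avoids that: `here=$(cd "$(dirname "$0")" && pwd)` followed by `python3 "$here/../admin/util/parse_skexport" -c security -d {{ tapisdatadir }}` (the skadmin burnup already references a `$here` variable). The same change appears in the systems burnup hunk at -3,12, the tenants burnup hunk at -3,9 and the tokens burnup hunk at -4,9. Neither parse_skexport's exit status nor that of `docker compose up -d` is checked, so a failed secret export still starts the stack; the script's first two lines are outside the hunk, so whether `set -e` is in effect cannot be seen here.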
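Review bot: The bind mount now lands one level above `PGDATA=/pgdata/data`, so the host directory `{{ tapisdatadir }}/security/postgres` gains a `data/` subdirectory and an existing installation's files must be moved before the container starts; nothing in the file says so. A comment above the volume line, `# mounted one level above PGDATA (presumably so the data dir is not the mount root itself -- confirm); data lives in security/postgres/data, see CHANGELOG 1.4.3`, makes the layout explicit. The same pattern is introduced in the notifications compose hunk at -54,31, the systems compose hunk at -31,9 and the tenants compose hunk at -11,8.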
@@ -23,16 +23,17 @@ services: timeout: 5s retries: 5 - sk-pgadmin: - container_name: sk-pgadmin - image: {{ security_pgadmin_image }} - environment: - - PGADMIN_DEFAULT_EMAIL=wow@example.com - - PGADMIN_DEFAULT_PASSWORD=password - env_file: - - {{ tapisdatadir }}/security/env - networks: - - tapis +# Do not start pgadmin by default +# sk-pgadmin: +# container_name: sk-pgadmin +# image: {{ security_pgadmin_image }} +# environment: +# - PGADMIN_DEFAULT_EMAIL=wow@example.com +# - PGADMIN_DEFAULT_PASSWORD=password +# env_file: +# - {{ tapisdatadir }}/security/env +# networks: +# - tapis security-migrations: container_name: security-migrations @@ -52,7 +53,7 @@ services: security-api: container_name: security-api - user: ${UID}:${GID} + user: ${UID_GID} image: {{ security_api_image }} environment: - TAPIS_SITE_ID={{ security_service_site_id }} @@ -63,7 +64,7 @@ services: - TAPIS_DB_USER=tapis - TAPIS_DB_JDBC_URL=jdbc:postgresql://sk-postgres:5432/tapissecdb - TAPIS_REQUEST_LOGGING_FILTER_PREFIXES=/v3/security - - TAPIS_REQUEST_LOGGING_IGNORE_SUFFIXES=/healthcheck;/ready;/hello + - TAPIS_REQUEST_LOGGING_IGNORE_SUFFIXES="/healthcheck;/ready;/hello" - TAPIS_LOG_DIRECTORY=/opt/tomcat/logs - CATALINA_OPTS=-Xms{{security_heap_min}} -Xmx{{security_heap_max}} --add-opens java.base/java.time=ALL-UNNAMED env_file: diff --git a/playbooks/roles/skadmin/tasks/start-docker.yml b/playbooks/roles/skadmin/tasks/start-docker.yml deleted file mode 100644 index 6ddbebfa..00000000 --- a/playbooks/roles/skadmin/tasks/start-docker.yml +++ /dev/null 
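Review bot: The commented-out `sk-pgadmin` service keeps `PGADMIN_DEFAULT_PASSWORD=password` and `PGADMIN_DEFAULT_EMAIL=wow@example.com`, so whoever re-enables the block by deleting the `#` characters gets an admin UI on the tapis network with a known default credential. If the block is worth keeping, make the credential come from the environment, `- PGADMIN_DEFAULT_PASSWORD=${PGADMIN_DEFAULT_PASSWORD:?set before enabling pgadmin}`, or drop the dead block and say in the comment how to run pgadmin on demand. The notifications compose hunk at -54,31 comments out the same kind of service and deserves the same treatment if it is kept.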
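Review bot: In the list form of `environment:` Compose does not strip quotes from the value, so the container now receives `TAPIS_REQUEST_LOGGING_IGNORE_SUFFIXES` as `"/healthcheck;/ready;/hello"` with literal double quotes; if the service splits on `;` as the value suggests, it gets `"/healthcheck` and `/hello"`, which no longer match the endpoints. The previous unquoted value was valid YAML as written (`;` is not special); if the intent was to protect the value, quote the whole scalar instead: `- 'TAPIS_REQUEST_LOGGING_IGNORE_SUFFIXES=/healthcheck;/ready;/hello'`.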
@@ -1,94 +0,0 @@ -#Enable V2 Key/Value Secrets -#curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/mounts/secret -d '{"type": "kv-v2"}' | /usr/bin/jq -# curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/mounts/secret -d '{"type": "kv-v2"}' -- name: create mount - block: - - name: Enable V2 Key/Value Secrets - ansible.builtin.uri: - url: "{{skadmin_vault_url}}/v1/sys/mounts/secret" - method: POST - headers: - X-Vault-Token: "{{ lookup('ansible.builtin.file', '{{ tapisdatadir }}/vault/vault-token') }}" - body: '{"type": "kv-v2"}' - register: skadmin_mount_result - rescue: - - name: ignore path already in use - ansible.builtin.debug: - msg: "failed mounting secret to vault due to: {{skadmin_mount_result.json.errors}}" - failed_when: "'path is already in use at secret' not in {{skadmin_mount_result.json.errors}}" - - # echo "debug110" - # #Check the mounts: - # #curl -s -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/mounts | /usr/bin/jq - # curl -s -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/mounts - - - name: '110' - ansible.builtin.uri: - url: "{{skadmin_vault_url}}/v1/sys/mounts" - headers: - X-Vault-Token: "{{ lookup('ansible.builtin.file', '{{ tapisdatadir }}/vault/vault-token') }}" - - # echo "debug120" - # #Enable Approle Authentication - # #curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/auth/approle -d '{"type": "approle"}' | /usr/bin/jq - # curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/auth/approle -d '{"type": "approle"}' - - - name: '120' - ansible.builtin.uri: - url: "{{skadmin_vault_url}}/v1/sys/auth/approle" - method: POST - headers: - X-Vault-Token: "{{ lookup('ansible.builtin.file', '{{ tapisdatadir }}/vault/vault-token') }}" - body: '{"type": "approle"}' - - # echo "debug130" - # #Check authenticators: - # #curl -s -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/auth | /usr/bin/jq - # curl 
-s -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/auth - - - name: '130' - ansible.builtin.uri: - url: "{{skadmin_vault_url}}/v1/sys/auth" - headers: - X-Vault-Token: "{{ lookup('ansible.builtin.file', '{{ tapisdatadir }}/vault/vault-token') }}" - - # echo "debug140" - # #Enable userpass authentication - # #curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/auth/userpass -d '{"type": "userpass"}' | /usr/bin/jq - # curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/sys/auth/userpass -d '{"type": "userpass"}' - - - name: '140' - ansible.builtin.uri: - url: "{{skadmin_vault_url}}/v1/sys/auth/userpass" - method: POST - headers: - X-Vault-Token: "{{ lookup('ansible.builtin.file', '{{ tapisdatadir }}/vault/vault-token') }}" - body: '{"type": "userpass"}' - - # echo "debug100" - # curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" --data @/tmp/sk-roles/sk-role.json {{skadmin_vault_url}}/v1/auth/approle/role/sk - - - name: 'create sk role' - ansible.builtin.uri: - url: "{{skadmin_vault_url}}/v1/auth/approle/role/sk" - method: POST - headers: - X-Vault-Token: "{{ lookup('ansible.builtin.file', '{{ tapisdatadir }}/vault/vault-token') }}" - src: "{{ tapisdir }}/skadmin/tapis-vault/roles/sk-role.json" - - # echo "debug101" - # curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" --data @/tmp/sk-roles/sk-admin-role.json {{skadmin_vault_url}}/v1/auth/approle/role/sk-admin - - - name: 'create sk-admin role' - ansible.builtin.uri: - url: "{{skadmin_vault_url}}/v1/auth/approle/role/sk-admin" - method: POST - headers: - X-Vault-Token: "{{ lookup('ansible.builtin.file', '{{ tapisdatadir }}/vault/vault-token') }}" - src: "{{ tapisdir }}/skadmin/tapis-vault/roles/sk-admin-role.json" - - # echo "debug130" - # #echo "vault-token:" - # #echo $VAULT_TOKEN - # echo "sk secret-id:" - # curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" {{skadmin_vault_url}}/v1/auth/approle/role/sk/secret-id | jq -r .data.secret_id \ No newline at end 
of file diff --git a/playbooks/roles/skadmin/templates/docker/burnup b/playbooks/roles/skadmin/templates/docker/burnup index 7337161b..512954c6 100755 --- a/playbooks/roles/skadmin/templates/docker/burnup +++ b/playbooks/roles/skadmin/templates/docker/burnup @@ -12,11 +12,30 @@ mkdir -p {{ tapisdatadir }}/skadmin # exit 0 #fi -# one way to check if skadmin has succeeded -if [ -s {{ tapisdatadir }}/skadmin/env ] +if [ "$( docker container inspect -f {% raw %}'{{.State.Running}}'{% endraw %} vault )" != "true" ] +then + echo "Vault container, which is required by skadmin, is not running. Exiting." + exit 1 +fi + +# check if skadmin is already done +if [ -f {{ tapisdatadir }}/skadmin/env ] then - echo "{{ tapisdatadir }}/skadmin/env is populated, so we assume skadmin is done. Skipping the rest of skadmin burnup." - exit 0 + if [ -s {{ tapisdatadir }}/skadmin/env ] + then + echo "{{ tapisdatadir }}/skadmin/env is populated, so we assume skadmin is done. Skipping the rest of skadmin burnup." + exit 0 + fi +fi + +# mv skadmin env file out of the way if it is empty +if [ -f {{ tapisdatadir }}/skadmin/env ] +then + if [ $(wc -l < "{{ tapisdatadir }}/skadmin/env") -lt 2 ] + then + echo "WARN: {{ tapisdatadir }}/skadmin/env is present but empty. Moving it out of the way." + mv {{ tapisdatadir }}/skadmin/env {{ tapisdatadir }}/skadmin/env.bak + fi fi 
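Review bot: The second `if [ -f ... ]` block can only be reached when the env file exists and is empty (a non-empty file already exited via `-s` above), so the `wc -l ... -lt 2` threshold is dead and the two nested tests collapse to an `if`/`elif`. The vault check is a good addition; since the container name `vault` is hard-coded, a missing container makes `docker container inspect` print its own error before the friendly message, which `2>/dev/null` on the inspect would quiet. The excerpt below is the collapsed env-file handling; the vault check above it is unchanged.
```shell
# … unchanged: vault running check …

# skadmin is done when the env file has content; an empty one is likely a leftover from a failed export
if [ -s "{{ tapisdatadir }}/skadmin/env" ]
then
  echo "{{ tapisdatadir }}/skadmin/env is populated, so we assume skadmin is done. Skipping the rest of skadmin burnup."
  exit 0
elif [ -f "{{ tapisdatadir }}/skadmin/env" ]
then
  echo "WARN: {{ tapisdatadir }}/skadmin/env is present but empty. Moving it out of the way."
  mv "{{ tapisdatadir }}/skadmin/env" "{{ tapisdatadir }}/skadmin/env.bak"
fi
```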
@@ -25,20 +44,17 @@ export SKEXPORT_PARMS="-vtok $VAULT_TOKEN -vurl {{ skadmin_vault_url }} -noskip" # create vault roles and policies docker run --name skadmin-presetup -it --rm --net tapis --env VAULT_TOKEN --env SKEXPORT_PARMS \ --v {{ tapisdir }}/skadmin/create-sk-roles:/tmp/create-sk-roles \ --v {{ tapisdir }}/skadmin/tapis-vault/policies/sk:/tmp/sk-policies \ --v {{ tapisdir }}/skadmin/tapis-vault/policies/sk-admin:/tmp/sk-admin-policies \ --v {{ tapisdir }}/skadmin/tapis-vault/roles:/tmp/sk-roles \ +-v ./create-sk-roles:/tmp/create-sk-roles \ +-v ./tapis-vault/policies/sk:/tmp/sk-policies \ +-v ./tapis-vault/policies/sk-admin:/tmp/sk-admin-policies \ +-v ./tapis-vault/roles:/tmp/sk-roles \ {{ skadmin_util_image }} /tmp/create-sk-roles -# {{ tapisdir }}/skadmin/create-sk-roles export VAULT_SECRETID=`docker run --name skadmin-presetup -it --rm --net tapis --env VAULT_TOKEN \ {{ skadmin_util_image }} curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/auth/approle/role/sk/secret-id | jq -r .data.secret_id` -# export VAULT_SECRETID=`curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/auth/approle/role/sk/secret-id | jq -r .data.secret_id` export VAULT_ROLEID=`docker run --name skadmin-presetup -it --rm --net tapis --env VAULT_TOKEN \ {{ skadmin_util_image }} curl -s -X GET -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/auth/approle/role/sk/role-id | jq -r .data.role_id` -# export VAULT_ROLEID=`curl -s -X GET -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/auth/approle/role/sk/role-id | jq -r .data.role_id` if [ -z "$VAULT_SECRETID" ] then 
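Review bot: `-v ./create-sk-roles:/tmp/create-sk-roles` and the three mounts below it hand `docker run` a relative host path; unlike Compose, older Docker CLI versions reject a non-absolute host side for `-v`, and in any case `./` resolves against the caller's working directory rather than the script's location. `$here` is referenced further down (`cd $here/../admin`), so presumably it is defined before this point; `-v "$here/create-sk-roles:/tmp/create-sk-roles"` and likewise for the other three lines removes both issues. The same applies to the `-v ./initialLoad` and `-v ./run-sk-admin` lines in the hunk at -54,10.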
@@ -54,10 +70,9 @@ fi # create tapis passwords in vault docker run --name skadmin-init -it --rm --net tapis --env VAULT_ROLEID --env VAULT_SECRETID \ --v {{ tapisdir }}/skadmin/initialLoad:/tmp/initialLoad \ --v {{ tapisdir }}/skadmin/run-sk-admin:/tmp/run-sk-admin \ +-v ./initialLoad:/tmp/initialLoad \ +-v ./run-sk-admin:/tmp/run-sk-admin \ {{ skadmin_securityadmin_image }} /tmp/run-sk-admin -# {{ tapisdir }}/skadmin/run-sk-admin {%- if site_type == 2 %} @@ -68,5 +83,4 @@ cd $here/../admin # export tapis passwords to env file -mkdir -p {{ tapisdatadir }}/skadmin docker run --name skadmin-export -it --rm --net tapis --env SKEXPORT_PARMS {{ skadmin_securityexport_image }} > {{ tapisdatadir }}/skadmin/env diff --git a/playbooks/roles/skadmin/templates/docker/docker-compose.yml b/playbooks/roles/skadmin/templates/docker/docker-compose.yml deleted file mode 100644 index 68da3867..00000000 --- a/playbooks/roles/skadmin/templates/docker/docker-compose.yml +++ /dev/null 
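Review bot: `docker run ... > {{ tapisdatadir }}/skadmin/env` opens the destination before the container runs, so a failed export leaves a zero-length env file behind, which is exactly the condition the new empty-file check at the top of this script exists to clean up. Writing to a temporary file and renaming only on success removes that: `tmp=$(mktemp "{{ tapisdatadir }}/skadmin/env.XXXXXX")`, then `docker run ... > "$tmp" && mv "$tmp" "{{ tapisdatadir }}/skadmin/env" || { rm -f "$tmp"; exit 1; }`. Dropping the `mkdir -p` here is fine since the same directory is created near the top of the script.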
@@ -1,64 +0,0 @@ - -networks: - tapis: - name: tapis - external: true - - -services: - vault-roles: - container_name: vault-roles - image: {{ skadmin_util_image }} - networks: - - tapis - environment: - - SKEXPORT_PARMS=-vtok $VAULT_TOKEN -vurl {{ skadmin_vault_url }} -noskip - - VTOK - - VAULT_TOKEN - volumes: - - {{ tapisdir }}/skadmin/create-sk-roles:/tmp/create-sk-roles - - {{ tapisdir }}/skadmin/tapis-vault/policies/sk:/tmp/sk-policies - - {{ tapisdir }}/skadmin/tapis-vault/policies/sk-admin:/tmp/sk-admin-policies - - {{ tapisdir }}/skadmin/tapis-vault/roles:/tmp/sk-roles - - {{ tapisdatadir }}/vault/vault-token:/.VTOK - command: /tmp/create-sk-roles - - -# create vault roles and policies -# docker run --name skadmin-presetup -it --rm --net tapis --env VAULT_TOKEN --env SKEXPORT_PARMS \ -# -v {{ tapisdir }}/skadmin/create-sk-roles:/tmp/create-sk-roles \ -# -v {{ tapisdir }}/skadmin/tapis-vault/policies/sk:/tmp/sk-policies \ -# -v {{ tapisdir }}/skadmin/tapis-vault/policies/sk-admin:/tmp/sk-admin-policies \ -# -v {{ tapisdir }}/skadmin/tapis-vault/roles:/tmp/sk-roles \ -# {{ skadmin_util_image }} /tmp/create-sk-roles - -# export VAULT_SECRETID=`docker run --name skadmin-presetup -it --rm --net tapis --env VAULT_TOKEN \ -# {{ skadmin_util_image }} curl -s -X POST -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/auth/approle/role/sk/secret-id | jq -r .data.secret_id` - -# export VAULT_ROLEID=`docker run --name skadmin-presetup -it --rm --net tapis --env VAULT_TOKEN \ -# {{ skadmin_util_image }} curl -s -X GET -H "X-Vault-Token: $VAULT_TOKEN" http://vault:8200/v1/auth/approle/role/sk/role-id | jq -r .data.role_id` - -# create tapis passwords in vault -# docker run --name skadmin-init -it --rm --net tapis --env VAULT_ROLEID --env VAULT_SECRETID \ -# -v {{ tapisdir }}/skadmin/initialLoad:/tmp/initialLoad \ -# -v {{ tapisdir }}/skadmin/run-sk-admin:/tmp/run-sk-admin \ -# {{ skadmin_securityadmin_image }} /tmp/run-sk-admin -# vault-passwords: -# container_name: 
vault-passwords -# image: {{ skadmin_util_image }} -# networks: -# - tapis -# env_file: -# - {{ tapisdatadir }}/vault/vault-token - - -# {%- if site_type == 2 %} -# echo "Collecting public keys for associate site tenants. Please send these to your tenants admin before next steps in deployment." -# cd $here/../admin -# ./get-assocsite-publickeys -# {%- endif %} - - -# # export tapis passwords to env file -# mkdir -p {{ tapisdatadir }}/skadmin -# docker run --name skadmin-export -it --rm --net tapis --env SKEXPORT_PARMS {{ skadmin_securityexport_image }} > {{ tapisdatadir }}/skadmin/env diff --git a/playbooks/roles/systems/defaults/main/images.yml b/playbooks/roles/systems/defaults/main/images.yml index 91694d2d..0fb79ba1 100644 --- a/playbooks/roles/systems/defaults/main/images.yml +++ b/playbooks/roles/systems/defaults/main/images.yml @@ -1,3 +1,3 @@ systems_pgadmin_image: dpage/pgadmin4:6.20 systems_postgres_image: postgres:12.4 -systems_api_image: tapis/systems:1.4.1 +systems_api_image: tapis/systems:1.4.2 diff --git a/playbooks/roles/systems/templates/docker/burndown b/playbooks/roles/systems/templates/docker/burndown index 56fa6deb..9dbb8244 100755 --- a/playbooks/roles/systems/templates/docker/burndown +++ b/playbooks/roles/systems/templates/docker/burndown @@ -2,4 +2,6 @@ echo "burndown systems:" +export UID_GID="$(id -u):$(id -g)" + docker compose down diff --git a/playbooks/roles/systems/templates/docker/burnup b/playbooks/roles/systems/templates/docker/burnup index e536ea44..2b8d9108 100755 --- a/playbooks/roles/systems/templates/docker/burnup +++ b/playbooks/roles/systems/templates/docker/burnup 
@@ -3,12 +3,14 @@ echo "burnup systems:" mkdir -p {{ tapisdatadir }}/systems -myuid=`id -u` -docker run -it --rm -v {{ tapisdatadir }}/systems:/systems tapis/ubutil2204:1.4.0 chown $myuid /systems +mkdir -p {{ tapisdatadir }}/systems/postgres -export UID=`id -u` -export GID=`id -g` -python3 {{ tapisdir }}/admin/util/parse_skexport -c systems -d {{ tapisdatadir }} +MYUID=`id -u` +docker run -it --rm -v {{ tapisdatadir }}/systems:/systems tapis/ubutil2204:1.4.0 chown $MYUID /systems + +export UID_GID="$(id -u):$(id -g)" + +python3 ../admin/util/parse_skexport -c systems -d {{ tapisdatadir }} docker compose up -d diff --git a/playbooks/roles/systems/templates/docker/docker-compose.yml b/playbooks/roles/systems/templates/docker/docker-compose.yml index 8209bcb7..34fe7fff 100644 --- a/playbooks/roles/systems/templates/docker/docker-compose.yml +++ b/playbooks/roles/systems/templates/docker/docker-compose.yml @@ -6,7 +6,7 @@ networks: services: systems-api: container_name: systems-api - user: ${UID}:${GID} + user: ${UID_GID} image: {{ systems_api_image }} networks: - tapis @@ -31,9 +31,9 @@ services: env_file: {{ tapisdatadir }}/systems/env environment: - - PGDATA=/pdgata/data + - PGDATA=/pgdata/data volumes: - - {{ tapisdatadir }}/systems/postgres:/pgdata/data + - {{ tapisdatadir }}/systems/postgres:/pgdata healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres"] interval: 5s @@ -46,7 +46,7 @@ services: networks: - tapis volumes: - - {{ tapisdir }}/systems/systems-init-db-sh:/init-db + - ./systems-init-db-sh:/init-db env_file: {{ tapisdatadir }}/systems/env command: bash -c "cp /init-db /local_initdb && echo 100 && chown $(whoami) /local_initdb && echo 200 && chmod +x /local_initdb && echo 300 && /local_initdb" diff --git a/playbooks/roles/tapisui/templates/docker/burnup b/playbooks/roles/tapisui/templates/docker/burnup index 0ab5c3b0..921dbd63 100755 --- a/playbooks/roles/tapisui/templates/docker/burnup +++ b/playbooks/roles/tapisui/templates/docker/burnup 
@@ -3,9 +3,9 @@ echo "burnup tapisui:" # mkdir -p {{ tapisdatadir }}/tapisui -# myuid=`id -u` -# docker run -it --rm -v {{ tapisdatadir }}/tapisui:/tapisui tapis/ubutil2204:1.4.0 chown $myuid /tapisui +# MYUID=`id -u` +# docker run -it --rm -v {{ tapisdatadir }}/tapisui:/tapisui tapis/ubutil2204:1.4.0 chown $MYUID /tapisui -# python3 {{ tapisdir }}/admin/util/parse_skexport -c tapisui -d {{ tapisdatadir }} +# python3 ../admin/util/parse_skexport -c tapisui -d {{ tapisdatadir }} docker compose up -d diff --git a/playbooks/roles/tenants/templates/docker/burnup b/playbooks/roles/tenants/templates/docker/burnup index 749b6e05..e22cfcbb 100755 --- a/playbooks/roles/tenants/templates/docker/burnup +++ b/playbooks/roles/tenants/templates/docker/burnup @@ -3,9 +3,11 @@ echo "burnup tenants:" mkdir -p {{ tapisdatadir }}/tenants -myuid=`id -u` -docker run -it --rm -v {{ tapisdatadir }}/tenants:/tenants tapis/ubutil2204:1.4.0 chown $myuid /tenants -python3 {{ tapisdir }}/admin/util/parse_skexport -c tenants -d {{ tapisdatadir }} +mkdir -p {{ tapisdatadir }}/tenants/postgres + +MYUID=`id -u` +docker run -it --rm -v {{ tapisdatadir }}/tenants:/tenants tapis/ubutil2204:1.4.0 chown $MYUID /tenants +python3 ../admin/util/parse_skexport -c tenants -d {{ tapisdatadir }} docker compose up -d diff --git a/playbooks/roles/tenants/templates/docker/docker-compose.yml b/playbooks/roles/tenants/templates/docker/docker-compose.yml index 066aa633..9a51a008 100644 --- a/playbooks/roles/tenants/templates/docker/docker-compose.yml +++ b/playbooks/roles/tenants/templates/docker/docker-compose.yml @@ -11,8 +11,8 @@ services: container_name: tenants-postgres image: {{ tenants_postgres_image }} volumes: - - "{{ tapisdatadir }}/tenants/postgres:/pgdata/data" - - "{{ tapisdir }}/tenants/tenants-config.json:/home/tapis/config.json" + - {{ tapisdatadir }}/tenants/postgres:/pgdata + - ./tenants-config.json:/home/tapis/config.json networks: - tapis environment: 
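Review bot: The two volume entries here drop their quotes while the same file's hunks at -32,7 and -51,8 keep `"./tenants-config.json:..."` quoted, so the file now mixes both styles. Quoting is the safer choice for templated values: `- "{{ tapisdatadir }}/tenants/postgres:/pgdata"` stays a single string however `tapisdatadir` is set, whereas an unquoted render that happens to contain `: ` or ` #` is parsed as structure or comment. Pick one style for the file; quoted matches the lines the hunk does not touch.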
@@ -32,7 +32,7 @@ services: container_name: tenants-migrations image: {{ tenants_migrations_image }} volumes: - - "{{ tapisdir }}/tenants/tenants-config.json:/home/tapis/config.json" + - "./tenants-config.json:/home/tapis/config.json" networks: - tapis depends_on: @@ -51,8 +51,8 @@ services: image: {{ tenants_api_image }} volumes: # - ./service.log:/home/tapis/service.log - - "{{ tapisdir }}/tenants/tenants-config.json:/home/tapis/config.json" - - "{{ tapisdir }}/tenants/tenants-service.log:/home/tapis/service.log" + - "./tenants-config.json:/home/tapis/config.json" + - "./tenants-service.log:/home/tapis/service.log" networks: - tapis environment: diff --git a/playbooks/roles/tokens/templates/docker/burnup b/playbooks/roles/tokens/templates/docker/burnup index 5795cb69..48bdffd5 100755 --- a/playbooks/roles/tokens/templates/docker/burnup +++ b/playbooks/roles/tokens/templates/docker/burnup @@ -4,9 +4,9 @@ echo "burnup tokens:" # Read secrets from env file mkdir -p {{ tapisdatadir }}/tokens -myuid=`id -u` -docker run -it --rm -v {{ tapisdatadir }}/tokens:/tokens tapis/ubutil2204:1.4.0 chown $myuid /tokens -python3 {{ tapisdir }}/admin/util/parse_skexport -c tokens -d {{ tapisdatadir }} +MYUID=`id -u` +docker run -it --rm -v {{ tapisdatadir }}/tokens:/tokens tapis/ubutil2204:1.4.0 chown $MYUID /tokens +python3 ../admin/util/parse_skexport -c tokens -d {{ tapisdatadir }} docker compose up -d diff --git a/playbooks/roles/tokens/templates/docker/docker-compose.yml b/playbooks/roles/tokens/templates/docker/docker-compose.yml index 357c84ea..7f9f9d8d 100644 --- a/playbooks/roles/tokens/templates/docker/docker-compose.yml +++ b/playbooks/roles/tokens/templates/docker/docker-compose.yml 
@@ -10,8 +10,8 @@ services: container_name: tokens-api image: {{ tokens_api_image }} volumes: - - '{{ tapisdir }}/tokens/tokens-config.json:/home/tapis/config.json' - - '{{ tapisdir }}/admin/verification/tokens-test:/home/tapis/healthcheck' + - ./tokens-config.json:/home/tapis/config.json + - ../admin/verification/tokens-test:/home/tapis/healthcheck networks: - tapis env_file: diff --git a/playbooks/roles/tokens/templates/docker/tokens-config.json b/playbooks/roles/tokens/templates/docker/tokens-config.json index 8e415cb7..3a811d23 100644 --- a/playbooks/roles/tokens/templates/docker/tokens-config.json +++ b/playbooks/roles/tokens/templates/docker/tokens-config.json @@ -7,7 +7,7 @@ "log_level": "INFO", "use_allservices_password": {{tokens_use_allservices_password|to_json}}, {% if tokens_use_allservices_password == true %} - "allservices_password": "{{tokens_allservices_password}}" + "allservices_password": "{{tokens_allservices_password}}", {% endif %} "use_sk": true } diff --git a/playbooks/roles/vault/templates/docker/burnup b/playbooks/roles/vault/templates/docker/burnup index 737b0c15..c064c810 100755 --- a/playbooks/roles/vault/templates/docker/burnup +++ b/playbooks/roles/vault/templates/docker/burnup @@ -6,11 +6,11 @@ echo "burnup vault:" mkdir -p {{ tapisdatadir }}/vault/data -myuid=`id -u` +MYUID=`id -u` -docker run -it --rm -v {{ tapisdatadir }}/vault:/vault tapis/ubutil2204:1.4.0 chown $myuid /vault +docker run -it --rm -v {{ tapisdatadir }}/vault:/vault tapis/ubutil2204:1.4.0 chown $MYUID /vault -docker run -it -v {{ tapisdatadir }}/vault:/vault {{ vault_image }} chown -R 100:1000 /vault/data +docker run -it --rm -v {{ tapisdatadir }}/vault:/vault {{ vault_image }} chown -R 100:1000 /vault/data docker compose up -d if [ $? -ne 0 ] @@ -95,4 +95,9 @@ then echo "Vault should be up and unsealed." fi +# give vault some time to get fully booted up before the following services try to use it +sleep 30 + exit 0 + + 
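Review bot: The trailing comma fix is right, but `"allservices_password": "{{tokens_allservices_password}}",` still interpolates the password into JSON without escaping, so a value containing `"` or `\` produces an invalid config file; the line above already uses `|to_json` for the boolean. `"allservices_password": {{tokens_allservices_password|to_json}},` keeps the output well-formed for any password.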
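Review bot: `sleep 30` is a fixed guess: on a slow host Vault may still be booting or sealed after 30 s and the next component fails, while on a fast host every deploy waits the full half minute. Polling for readiness is both faster and more reliable; `vault status` exits 0 once the server is reachable and unsealed (2 while sealed, 1 on error), and the container is named `vault` with `VAULT_ADDR` set in its compose file, so `docker exec vault vault status` needs no extra flags, assuming the image ships the CLI. The loop below replaces the sleep; the `--rm` additions in the hunk at -6,11 are fine.
```shell
# wait until vault is reachable and unsealed instead of sleeping a fixed 30 s;
# `vault status` exits 0 when unsealed, 2 while sealed, 1 on error
for attempt in $(seq 1 30)
do
  if docker exec vault vault status >/dev/null 2>&1
  then
    break
  fi
  echo "waiting for vault (attempt $attempt)"
  sleep 2
done
if ! docker exec vault vault status >/dev/null 2>&1
then
  echo "Vault did not become ready. Exiting."
  exit 1
fi

exit 0
```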
diff --git a/playbooks/roles/vault/templates/docker/docker-compose.yml b/playbooks/roles/vault/templates/docker/docker-compose.yml index 12fa199a..dbe24a2e 100644 --- a/playbooks/roles/vault/templates/docker/docker-compose.yml +++ b/playbooks/roles/vault/templates/docker/docker-compose.yml @@ -15,10 +15,9 @@ services: environment: - VAULT_ADDR=http://0.0.0.0:8200 volumes: - # - '{{ vault_dir }}/vault-config.json:/vault/config/vault.hcl' - - '{{ vault_dir }}/vault.hcl:/vault/config/vault.hcl' - - '{{ vault_data_dir }}/data:/vault/data' - - '{{ tapisdatadir }}/vault/certs:/vault/certs/' + - ./vault.hcl:/vault/config/vault.hcl + - {{ vault_data_dir }}/data:/vault/data + - {{ vault_data_dir }}/certs:/vault/certs networks: - tapis diff --git a/playbooks/start-docker.yml b/playbooks/start-docker.yml deleted file mode 100644 index ded29cc8..00000000 --- a/playbooks/start-docker.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- - -- name: Start docker action for Tapis components - hosts: all - - vars: - tapisctl_action: 'start-docker' - - tasks: - - - name: - fail: - msg: Required var 'tapisctl_action' is not defined. - when: tapisctl_action is not defined - tags: - - debug - - - name: print vars - ansible.builtin.debug: - msg: "{{ vars }}" - when: tapisctl_action is not defined - tags: - - debug - - ### tapis components - - - name: start tapis components - include_role: - name: '{{ comp }}' - loop: '{{ components_to_deploy }}' - loop_control: - loop_var: comp - \ No newline at end of file
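Review bot: Neither `./vault.hcl:/vault/config/vault.hcl` nor `{{ vault_data_dir }}/certs:/vault/certs` needs to be writable by the Vault process, so both should be mounted read-only: `- ./vault.hcl:/vault/config/vault.hcl:ro` and `- {{ vault_data_dir }}/certs:/vault/certs:ro`; only the `data` mount needs write access. The certs host path also changes from `{{ tapisdatadir }}/vault/certs` to `{{ vault_data_dir }}/certs`; if those two variables can point to different places, existing certificates will not be found, and the CHANGELOG's move notes do not mention it, so this is worth confirming.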