woensdag 4 januari 2017

Salt of the earth - Tomcat

If by now you are thoroughly fed up with installing Tomcat, I advise you to skip this post for I'm going to do exactly the same thing as in my last post, this time using Saltstack (usually mentioned somewhat behind Puppet and Chef). The point I want to make is that all these configuration management solutions can pretty much do the same and choosing one or the other is - more often than not - a matter of personal taste.

Saltstack uses a server-agent setup (although working agentless is possible as well) and is Python based. Agents are actually called minions (not to be confused with the characters from Despicable Me), facts about minions are called grains, variables are kept in a pillar and states are what gets executed on the minions. As you can see, somebody had a field day thinking all that stuff up ...

http://www.deviantart.com/art/The-Art-of-Time-121274132 
So lets get started. I'm going to work with two servers :
saltmaster - Ubuntu 14.04 LTS
saltminion01 - CentOS 6.8

Contrary to Ansible, Saltstack does run practically everything as root, so lets check we have the permissions for that. First on saltmaster :
saltmaster@saltmaster:~$ sudo apt-get install openssh-server
saltmaster@saltmaster:~$ sudo vi /etc/hosts
127.0.0.1       localhost
127.0.1.1       saltmaster
192.168.42.131  salt

Just to be clear, Saltstack (at least in the server-agent setup) does not require ssh, I'm just installing it to check my sudo permissions and because I do like to be able to access my hosts over ssh.

The new salt entry in the /etc/hosts file will allow us to use the saltmaster server as a minion too. Note that the ip is the ip of the saltmaster server itself.

Next on saltminion01 :
By default, no user is given sudo rights on CentOS 6.8, so add the user (saltminion) you will be doing salt-stuff with in the /etc/sudoers file. Note that you will require access to root to do that (chicken and egg problem there, on CentOS 7.x installations you can have a user with sudo rights by default ... which makes life somewhat easier).
[root@saltminion01 ~]# vi /etc/sudoers
...
saltminion ALL=(ALL) ALL
...

Also by default, openssh-server is installed on CentOS, but lets check that the sudo permissions are working :
[saltminion@saltminion01 ~]$ sudo yum install openssh-server
Nothing to do
[saltminion@saltminion01 ~]$ sudo vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1   saltminion01
192.168.42.131 salt saltmaster

Same thing, the salt entry will allow the minion to find the master. So lets install Saltstack now. First on saltmaster :
saltmaster@saltmaster:~$ curl -L https://bootstrap.saltstack.com -o install_salt.sh
saltmaster@saltmaster:~$ sudo sh install_salt.sh -P -M
...
salt-master stop/waiting
salt-master start/running, process 7582
salt-minion stop/waiting
salt-minion start/running, process 7589
 *  INFO: Running daemons_running()
 *  INFO: Salt installed!

And next on saltminion01 :
[saltminion@saltminion01 ~]$ curl -L https://bootstrap.saltstack.com -o install_salt.sh
[saltminion@saltminion01 ~]$ sudo sh install_salt.sh -P
...
Complete!
 *  INFO: Running install_centos_stable_post()
 *  INFO: Running install_centos_check_services()
 *  INFO: Running install_centos_restart_daemons()
Starting salt-minion daemon:                               [  OK  ]
 *  INFO: Running daemons_running()
 *  INFO: Salt installed!

We now have two minions (saltmaster itself and saltminion01). They need to be registered.
saltmaster@saltmaster:~$ sudo salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
saltminion01
saltmaster
Proceed? [n/Y] Y
Key for minion saltminion01 accepted.
Key for minion saltmaster accepted.

To conclude the installation we verify that the minions are accepting commands :
saltmaster@saltmaster:~$ sudo salt '*' test.ping
saltmaster:
    True
saltminion01:
    True

Nice, that works and wasn't all too complicated, was it ? Now, Saltstack keeps the configuration management definitions in simple YAML files. The next step is to tell the master where those files are :
saltmaster@saltmaster:~$ sudo vi /etc/salt/master
...
file_roots:
  base:
    - /home/saltmaster/salt/file/base
...
pillar_roots:
  base:
    - /home/saltmaster/salt/pillar/base
...

saltmaster@saltmaster:~$ sudo service salt-master restart
salt-master stop/waiting
salt-master start/running, process 15507

The files themselves need not be created with root, so they can live in the home-directory of the saltmaster-user and be managed by him. The actual definition (or state as they are called in Saltstack) files are in the ... salt/file/base directory, the pillar files (containing variables) are in the salt/pillar/base directory.

In this post I'll not use multiple environments, so only the default one, base, will be used.

Ansible has vaults to keep sensitive data hidden. Saltstack can work with gpg encrypted data. For that we need to generate a key though :
saltmaster@saltmaster:~$ sudo mkdir -p /etc/salt/gpgkeys
saltmaster@saltmaster:~$ sudo chmod 0700 /etc/salt/gpgkeys
saltmaster@saltmaster:~$ sudo gpg --gen-key --homedir /etc/salt/gpgkeys
...
gpg: keyring `/etc/salt/gpgkeys/secring.gpg' created
gpg: keyring `/etc/salt/gpgkeys/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
...
Real name: Salt Master
Email address: saltmaster@saltmaster
Comment: Salt Master
You selected this USER-ID:
    "Salt Master (Salt Master) <saltmaster@saltmaster>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

gpg: /etc/salt/gpgkeys/trustdb.gpg: trustdb created
gpg: key 66D7B662 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/66D7B662 2016-12-29
      Key fingerprint = 178B DF56 601E 2B34 B720  ADF1 D5EA 9462 66D7 B662
uid                  Salt Master (Salt Master) <saltmaster@saltmaster>
sub   2048R/CBFAD0F5 2016-12-29

 And our saltmaster-user needs to import the key (you have to replace the 66D7B662 in the below with the key that you generated on your system obviously) :
saltmaster@saltmaster:~$ sudo gpg --homedir /etc/salt/gpgkeys --armor --export 66D7B662 > /var/tmp/exported_pubkey.gpg
saltmaster@saltmaster:~$ gpg --import /var/tmp/exported_pubkey.gpg
gpg: /home/saltmaster/.gnupg/trustdb.gpg: trustdb created
gpg: key 66D7B662: public key "Salt Master (Salt Master) <saltmaster@saltmaster>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

 We are all set up and ready to go now. Lets start with something simple.
saltmaster@saltmaster:~$ mkdir -p salt/file/base
saltmaster@saltmaster:~$ mkdir -p salt/pillar/base
saltmaster@saltmaster:~$ vi salt/file/base/top.sls
base:
  'saltmaster':
    - master
  'saltminion*':
    - minion
saltmaster@saltmaster:~$ vi salt/file/base/master.sls
touched:
  cmd.run:
    - name: touch /var/tmp/saltmaster
    - creates:
      - /var/tmp/saltmaster
saltmaster@saltmaster:~$ vi salt/file/base/minion.sls
touched:
  cmd.run:
    - name: touch /var/tmp/saltminion
    - creates:
      - /var/tmp/saltminion

 In the top.sls file we define which minions are going to get which states applied. And next we define those states (master.sls, minion.sls). The only thing that we're actually going to do is touch a file, but the creates option tells Saltstack that it manages this file.

 Applying the states is done as follows :
saltmaster@saltmaster:~$ sudo salt '*' state.highstate
saltmaster:
----------
          ID: touched
    Function: cmd.run
        Name: touch /var/tmp/saltmaster
      Result: True
     Comment: Command "touch /var/tmp/saltmaster" run
     Started: 14:47:44.531934
    Duration: 7.843 ms
     Changes:  
              ----------
              pid:
                  16845
              retcode:
                  0
              stderr:
              stdout:

Summary for saltmaster
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time:   7.843 ms
saltminion01:
----------
          ID: touched
    Function: cmd.run
        Name: touch /var/tmp/saltminion
      Result: True
     Comment: Command "touch /var/tmp/saltminion" run
     Started: 14:47:46.566812
    Duration: 38.429 ms
     Changes:  
              ----------
              pid:
                  28048
              retcode:
                  0
              stderr:
              stdout:

Summary for saltminion01
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time:  38.429 ms
And the result is :
saltmaster@saltmaster:~$ ll /var/tmp/saltmaster
-rw-r--r-- 1 root root 0 Dez 29 14:47 /var/tmp/saltmaster
[saltminion@saltminion01 ~]$ ll /var/tmp/saltminion
-rw-r--r--. 1 root root 0 Dec 29 14:47 /var/tmp/saltminion

Running highstate again shows that Saltstack now knows about the files, the commands are not executed again :
saltmaster@saltmaster:~$ sudo salt '*' state.highstate
saltmaster:
----------
          ID: touched
    Function: cmd.run
        Name: touch /var/tmp/saltmaster
      Result: True
     Comment: All files in creates exist
     Started: 14:50:56.020363
    Duration: 0.35 ms
     Changes:  

Summary for saltmaster
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:   0.350 ms
saltminion01:
----------
          ID: touched
    Function: cmd.run
        Name: touch /var/tmp/saltminion
      Result: True
     Comment: All files in creates exist
     Started: 14:50:57.934432
    Duration: 4.667 ms
     Changes:  

Summary for saltminion01
------------
Succeeded: 1
Failed:    0
------------
Total states run:     1
Total run time:   4.667 ms

 Having states defined in single files is nice, but they can also be made up of multiple files. A bit of reorganization is in order :
saltmaster@saltmaster:~$ mkdir salt/file/base/master
saltmaster@saltmaster:~$ mkdir salt/file/base/minion
saltmaster@saltmaster:~$ mv salt/file/base/master.sls base/master/init.sls
saltmaster@saltmaster:~$ mv salt/file/base/minion.sls base/minion/init.sls
Run a highstate again and you'll see nothing has changed, we've just made things a bit more manageable.

 Time to get started on Tomcat. Variables first. As I said earlier Saltstack keeps those in pillar files and these work in exactly the same fashion as the state files :
saltmaster@saltmaster:~$ vi salt/pillar/base/top.sls
base:
  'saltminion*':
    - tomcat7
saltmaster@saltmaster:~$ mkdir salt/pillar/base/tomcat7
saltmaster@saltmaster:~$ echo -n "adminsecret" | gpg --armor --batch --trust-model always --encrypt -r 66D7B662
-----BEGIN PGP MESSAGE-----
<your PGP message will be here>
-----END PGP MESSAGE-----
saltmaster@saltmaster:~$ vi salt/pillar/base/tomcat7/init.sls
#!yaml|gpg
tomcat7_http_port: 8080
tomcat7_version: 7.0.73
tomcat7_admin_username: admin
tomcat7_admin_password: |
  -----BEGIN PGP MESSAGE-----
  <your PGP message here, note that the message is indented !!!>
  -----END PGP MESSAGE-----

Having the variables available we can move on to the actual state files :
saltmaster@saltmaster:~$ mkdir salt/file/base/tomcat7
saltmaster@saltmaster:~$ vi salt/file/base/tomcat7/init.sls
tomcat7_initial:
  # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.group.html
  group.present:
    - name: tomcat

  # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.user.html
  user.present:
    - name: tomcat
    - groups:
      - tomcat
    - require:
      - group: tomcat

  # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.archive.html
  archive.extracted:
    - name: /opt
    - source: http://archive.apache.org/dist/tomcat/tomcat-7/v{{ pillar['tomcat7_version'] }}/bin/apache-tomcat-{{ pillar['tomcat7_version'] }}.tar.gz
    - source_hash: http://archive.apache.org/dist/tomcat/tomcat-7/v{{ pillar['tomcat7_version'] }}/bin/apache-tomcat-{{ pillar['tomcat7_version'] }}.tar.gz.md5
    - user: tomcat
    - group: tomcat
    - enforce_ownership_on: /opt/apache-tomcat-{{ pillar['tomcat7_version'] }}
    - require:
      - user: tomcat
      - group: tomcat

  # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html
  file.symlink:
    - name: /usr/share/tomcat
    - user: tomcat
    - group: tomcat
    - target: /opt/apache-tomcat-{{ pillar['tomcat7_version'] }}
    - require:
      - user: tomcat
      - group: tomcat

tomcat7_tomcat-users:
  # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html
  file.managed:
    - name: /opt/apache-tomcat-{{ pillar['tomcat7_version'] }}/conf/tomcat-users.xml
    - source:
      - salt://tomcat7/tomcat-users.xml
    - user: tomcat
    - group: tomcat
    - mode: 0600
    - template: jinja
    - defaults:
        tomcat7_admin_username: {{ pillar['tomcat7_admin_username'] }}
        tomcat7_admin_password: {{ pillar['tomcat7_admin_password'] }}
    - require:
      - user: tomcat
      - group: tomcat

tomcat7_server:
  # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html
  file.managed:
    - name: /opt/apache-tomcat-{{ pillar['tomcat7_version'] }}/conf/server.xml
    - source:
      - salt://tomcat7/server.xml
    - user: tomcat
    - group: tomcat
    - mode: 0600
    - template: jinja
    - defaults:
        tomcat7_http_port: {{ pillar['tomcat7_http_port'] }}
    - require:
      - user: tomcat
      - group: tomcat

tomcat7_service:
{% if grains['init'] == 'upstart' %}

  # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html
  file.managed:
    - name: /etc/init/tomcat7.conf
    - source:
      - salt://tomcat7/tomcat7.conf
    - user: root
    - group: root
    - mode: 0644
    - template: jinja
    - defaults:
        tomcat7_version: {{ pillar['tomcat7_version'] }}

  service.running:
    - name: tomcat7
    - enable: True
{% endif %}

 Go through it ... you'll find exactly the same things that we put in the Ansible role. Everything is done with out-of-the-box salt-state-modules (you can write your own of course and Python would be the language to use for that).

 And exactly as with the Ansible role we have three template files that live on saltmaster, are adapted with variables and then put on the minion :
/home/saltmaster/salt/file/base/tomcat7/tomcat-users.xml
/home/saltmaster/salt/file/base/tomcat7/server.xml
/home/saltmaster/salt/file/base/tomcat7/tomcat7.conf
They are exactly the same as for Ansible (with exception of the ansible_managed variable that obviously does not exist here), so I will not repeat the content.

Or wait ... there is actually one difference that has nothing to do with either Ansible or Saltstack but with the fact that our minion is running CentOS. In tomcat7.conf, you have to comment out the setuid and setgid lines and adapt the exec line as follows :
...
exec sudo -u tomcat $CATALINA_HOME/bin/catalina.sh run
...
The reason is that the upstart version on CentOS is quite old and does not know about setuid and setgid. It happens.

 Before we can execute the tomcat7 state, we've got to assign it to our minion :
saltmaster@saltmaster:~$ vi salt/file/base/top.sls
base:
  'saltmaster':
    - master
  'saltminion*':
    - minion
    - tomcat7 
And here we go :
saltmaster@saltmaster:~$ sudo salt '*' state.highstate

 As you'll see ... exactly the same as with Ansible. Cleaning up on a minion is the same too :
[saltminion@saltminion01 ~]$ sudo initctl stop tomcat7
tomcat7 stop/waiting
[saltminion@saltminion01 ~]$ sudo rm -rf /etc/init/tomcat7.conf
[saltminion@saltminion01 ~]$ sudo initctl reload-configuration
[saltminion@saltminion01 ~]$ sudo rm -rf /usr/share/tomcat
[saltminion@saltminion01 ~]$ sudo rm -rf /opt/apache-tomcat-7.0.73/
[saltminion@saltminion01 ~]$ sudo userdel tomcat
[saltminion@saltminion01 ~]$ sudo groupdel tomcat

 Well, I hope I proved my point ... and my next post will not be about Tomcat.
 
Gepost door op

dinsdag 27 december 2016

An Ansible role - Tomcat

In my previous post we set out with Ansible. This time I'm going to build on that and take a look at the concept of roles. I will create a role for installing a Tomcat 7 application server.

http://www.deviantart.com/art/The-Black-Tomcat-159041026
Now, to keep the complexity limited (this also gives me topics for future posts) I am going to make a couple of assumptions :
  • Tomcat depends on Java ... I'm going to assume Java is present and in a known location (the same for all the target hosts).
  • The target hosts have access to the internet (this allows them to download the Tomcat archive).
  • The target hosts use upstart.
I understand that because of these assumptions my example may not reflect a real-life situation. I want to keep my posts limited in size though. Rest assured that these difficulties will be addressed in later posts.

A first new concept is that of groups. Those are defined in the Ansible hosts file.
[ansible@ansibleworkstation ~]$ vi /etc/ansible/hosts
ansibleworkstation

[tomcat-servers]
athena

Quite simple, a group ... groups together hosts of the same kind. So here we have a group tomcat-servers. Note that a host can be in multiple groups.

Similar to variables for a host, there are variables for a group.
[ansible@ansibleworkstation ~]$ mkdir /etc/ansible/group_vars
[ansible@ansibleworkstation ~]$ mkdir /etc/ansible/group_vars/tomcat-servers
[ansible@ansibleworkstation ~]$ vi /etc/ansible/group_vars/tomcat-servers/vars
tomcat7_http_port: 8080
tomcat7_version: 7.0.73
tomcat7_admin_username: "{{ vault_tomcat7_admin_username }}"
tomcat7_admin_password: "{{ vault_tomcat7_admin_password }}"
[ansible@ansibleworkstation ~]$ vi /etc/ansible/group_vars/tomcat-servers/vault
vault_tomcat7_admin_username: admin
vault_tomcat7_admin_password: adminsecret
[ansible@ansibleworkstation ~]$ ansible-vault encrypt /etc/ansible/group_vars/tomcat-servers/vault

Remember that we don't want multiple vault passwords, so use the same one you used for the host variables. I think it's quite clear what the variables mean, so lets move straight on to the playbook.
[ansible@ansibleworkstation ~]$ vi /etc/ansible/playbooks/tomcat7.yml
---
- hosts: tomcat-servers
  remote_user: root
  become: yes
  become_method: sudo
  roles:
    - tomcat7

No rocket science there either, this playbook will execute the role tomcat7 on the hosts in the tomcat-servers group. Before we can run the playbook however we have to define the role. 
[ansible@ansibleworkstation ~]$ mkdir /etc/ansible/roles
[ansible@ansibleworkstation ~]$ mkdir /etc/ansible/roles/tomcat7
[ansible@ansibleworkstation ~]$ mkdir /etc/ansible/roles/tomcat7/tasks
[ansible@ansibleworkstation ~]$ vi /etc/ansible/roles/tomcat7/tasks/main.yml
---
# http://docs.ansible.com/ansible/group_module.html
- name: add group "tomcat"
  group:
    name: tomcat

# http://docs.ansible.com/ansible/user_module.html
- name: add user "tomcat"
  user:
    name: tomcat
    group: tomcat
    home: /usr/share/tomcat
    createhome: no

# http://docs.ansible.com/ansible/unarchive_module.html
- name: extract archive
  unarchive:
    remote_src: yes
    src: "http://archive.apache.org/dist/tomcat/tomcat-7/v{{ tomcat7_version }}/bin/apache-tomcat-{{ tomcat7_version }}.tar.gz"
    dest: /opt
    creates: "/opt/apache-tomcat-{{ tomcat7_version }}"

# http://docs.ansible.com/ansible/file_module.html
- name: symlink installation directory
  file:
    src: "/opt/apache-tomcat-{{ tomcat7_version }}"
    path: /usr/share/tomcat
    owner: tomcat
    group: tomcat
    state: link

# http://docs.ansible.com/ansible/file_module.html
- name: change ownership of the installation
  file:
    path: "/opt/apache-tomcat-{{ tomcat7_version }}"
    owner: tomcat
    group: tomcat
    recurse: yes
    state: directory

# http://docs.ansible.com/ansible/template_module.html
- name: configure server
  template:
    src: server.xml
    dest: "/opt/apache-tomcat-{{ tomcat7_version }}/conf"
    mode: 0600
    owner: tomcat
    group: tomcat

# http://docs.ansible.com/ansible/template_module.html
- name: configure users
  template:
    src: tomcat-users.xml
    dest: "/opt/apache-tomcat-{{ tomcat7_version }}/conf"
    mode: 0600
    owner: tomcat
    group: tomcat

# http://docs.ansible.com/ansible/template_module.html
- name: upstart script
  template:
    src: tomcat7.conf
    dest: "/etc/init"
    mode: 0644
    owner: root
    group: root
  when: ansible_service_mgr == "upstart"

# http://docs.ansible.com/ansible/service_module.html
- name: enable and start service
  service:
    name: tomcat7
    state: started
    enabled: yes

A role has tasks. Note that added a reference to the documentation for each type of task mentioned. What are the tasks ?
  • Create a group tomcat
  • Create a user tomcat
  • Download and extract the Tomcat archive (which one depends on the version variable) into /opt
  • Create a symbolic link /usr/share/tomcat to the installation.
  • Set the ownership of the installation.
  • Update server.xml based on the variables and a template.
  • Update tomcat-users.xml based on the variables and a template.
  • Install the upstart script.
  • Start Tomcat. 
If you study the tasks in detail you'll see that only existing Ansible modules are used (you can of course write your own) and that none of the tasks is complex in/by itself. There is actually only one fancy thing in there and that's the use of the when-clause to determine whether a target host has upstart or not.

 Three templates are used in the tasks (server.xml, tomcat-users.xml, tomcat7.conf). Templates are files that are modified based on available variables and facts. Note that I only show the relevant bits of the files below.
[ansible@ansibleworkstation ~]$ mkdir /etc/ansible/roles/tomcat7/templates
[ansible@ansibleworkstation ~]$ vi /etc/ansible/roles/tomcat7/templates/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
...
<!-- {{ ansible_managed }} -->
...
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="{{ tomcat7_admin_username }}" password="{{ tomcat7_admin_password }}" roles="manager-gui" />
</tomcat-users>

[ansible@ansibleworkstation ~]$ vi /etc/ansible/roles/tomcat7/templates/server.xml
<?xml version='1.0' encoding='utf-8'?>

<!-- {{ ansible_managed }} -->
...
  <Service name="Catalina">
...
    <Connector port="{{ tomcat7_http_port }}" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
...

[ansible@ansibleworkstation ~]$ vi /etc/ansible/roles/tomcat7/templates/tomcat7.conf
# {{ ansible_managed }}
description "Tomcat {{ tomcat7_version }} Server"

start on runlevel [2345]
stop on runlevel [!2345]
respawn
respawn limit 10 5

setuid tomcat
setgid tomcat

env JAVA_HOME=/usr/lib/jvm/java-8-oracle/jre
env CATALINA_HOME=/opt/apache-tomcat-{{ tomcat7_version }}
env JAVA_OPTS="-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom"
env CATALINA_OPTS="-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

exec $CATALINA_HOME/bin/catalina.sh run

# cleanup temp directory after stop
post-stop script
  rm -rf $CATALINA_HOME/temp/*
end script

And that concludes our role definition. Now we can run the playbook.
[ansible@ansibleworkstation ~]$ ansible-playbook /etc/ansible/playbooks/tomcat7.yml --ask-vault-pass

Cleanup up is not automated at the moment, so if you want to experiment a bit, here are the instructions to clean up on a target host.
ansible@athena:~$ sudo service tomcat7 stop
tomcat7 stop/waiting 
ansible@athena:~$ sudo rm -rf /etc/init/tomcat7.conf
ansible@athena:~$ sudo initctl reload-configuration
ansible@athena:~$ sudo rm -rf /usr/share/tomcat 
ansible@athena:~$ sudo rm -rf /opt/apache-tomcat-7.0.72/
ansible@athena:~$ sudo userdel tomcat
ansible@athena:~$ sudo groupdel tomcat
groupdel: group 'tomcat' does not exist

As you can see, roles are very powerful and they can be customized with your own variables or with system facts. Enjoy !
Gepost door op
Abonneren op: Posts (Atom)