Commit a958ce69 authored by eric pellegrini

removed deprecated jupyterhub-sudospawner directory

parent 0c24c2ba
[defaults]
host_key_checking = false
interpreter_python = /usr/bin/python3
jupyter_admin_group: jupyter-admin
jupyter_admin: jupyter-admin
jupyter_admin_password: "{{ vault_jupyter_admin_password }}"
jupyter_admin_home: /jupyter-admin
conda_root: "{{ jupyter_admin_home }}/miniconda3"
conda_envs_dir: "{{ jupyter_admin_home }}/miniconda3/envs"
conda_exe: "{{ jupyter_admin_home }}/miniconda3/bin/conda"
oauth_base_url: "https://logindev.ill.fr"
oauth_authorize_url: "{{ oauth_base_url }}/auth/realms/ILL/protocol/openid-connect/auth"
oauth_access_token_url: "{{ oauth_base_url }}/auth/realms/ILL/protocol/openid-connect/token"
oauth_logout_url: "{{ oauth_base_url }}/auth/realms/ILL/protocol/openid-connect/logout"
oauth_userinfo_url: "{{ oauth_base_url }}/auth/realms/ILL/protocol/openid-connect/userinfo"
oauth_visa_jupyter_client_id: "visa-jupyter-os"
oauth_visa_jupyter_client_secret: "{{ vault_oauth_visa_jupyter_client_secret }}"
visa_jupyter_base_url: "visa-jupyter-os"
http_proxy: "http://proxy.ill.fr:8888"
https_proxy: "http://proxy.ill.fr:8888"
ftp_proxy: "http://proxy.ill.fr:8888"
no_proxy: "localhost,127.0.0.1,.ill.fr,.ill.eu"
$ANSIBLE_VAULT;1.1;AES256
66323037336239323139356166643437643738396664353361633534323332346666386665616361
6462306665393636626663323631616663613035343862310a663936636261396661306235393563
34303933393431623433336236376238353938383634656363393531313366306435313062666433
3534643464386334610a613433303134376133353262323163333965653137323263626533353563
36623037653064333032306162383339393266396637333235613338633461663734386234353866
63653162313962333937353531343766643235636135363734616136366261626132323166633838
37313838623166656634303230633662633661643937366139663539653137306364336436363830
32616436396261373630646132313366623039626133663966313263313034653130336235306265
34353462303335326132303235396439383366626631633863343031643964303333396136633931
32373561643066656566353935633963396335363135353539623239613038333533636361613661
39386631393462383537383333386631613262343066633162383239353831666639653030636364
61613635643735333466623439613332656263633738393337383465353062623963356538306130
3839
---
os_auth_url: "http://cloudsrv1.ill.fr:5000/v3"
os_username: "ansible-test"
os_password: "{{ vault_os_password }}"
os_project_name: "ansible-tests"
os_project_domain_name: "default"
os_user_domain_name: "default"
os_image_name: "Ubuntu 18.04 (bionic)"
os_key_name: "openstack-root"
os_instance_admin: "ubuntu"
os_flavor_name: "m1.small"
os_network_name: "provider"
os_security_groups:
- default
os_instances_name:
- visa-jupyter-os
$ANSIBLE_VAULT;1.1;AES256
64336666636436376338653464653335643032356330343565303831633731356131613862303062
3335306537653938383761373330636234653035656634380a663239633965383865303261663930
66656563376466626666343939663533616262386532626234663334363435333737643263313464
3530383036313061650a663537373531653635623963343164613831306332323431623062623430
66316333323931656235353534383034626339396633373932633337376138383031353166656665
6339393331323765633463303965643934336634323430303234
novaclient ansible_connection=local
---
- hosts: target
remote_user: root
become: yes
tasks:
- name: disable sudo password for every sudoers
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
- name: configure ILL proxy in OpenStack instance
blockinfile:
path: /etc/environment
block: |
http_proxy={{ http_proxy }}
https_proxy={{ https_proxy }}
ftp_proxy={{ ftp_proxy }}
no_proxy={{ no_proxy }}
HTTP_PROXY={{ http_proxy }}
HTTPS_PROXY={{ https_proxy }}
- name: create jupyter-admin group
group:
name: "{{ jupyter_admin_group }}"
- name: create jupyter admin with sudo priviledges
user:
name: "{{ jupyter_admin }}"
password: "{{ jupyter_admin_password | password_hash('sha512') }}"
state: present
shell: /bin/bash
createhome: yes
home: "{{ jupyter_admin_home }}"
group: "{{ jupyter_admin_group }}"
groups:
- sudo
- name: install public key
authorized_key:
user: "{{ jupyter_admin }}"
state: present
key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
# Hack for error: "Failed to lock apt for exclusive operation"
# See https://stackoverflow.com/questions/45269225/ansible-playbook-fails-to-lock-apt/51919678#51919678
- name: disable timers for unattended upgrade, so that none will be triggered by the `date -s` call.
raw: systemctl disable --now {{item}}
loop:
- apt-daily.timer
- apt-daily-upgrade.timer
- name: reload systemctl daemon to apply the new changes
raw: systemctl daemon-reload
- name: wait for any possibly running unattended upgrade to finish
raw: systemd-run --property="After=apt-daily.service apt-daily-upgrade.service" --wait /bin/true
- name: purge unattended upgrades
raw: apt-get -y purge unattended-upgrades
---
- hosts: novaclient
pre_tasks:
- name: check for a valid ansible version
assert:
that: ansible_version.full >= "{{ ansible_min_version }}"
tasks:
- name: delete existing instance
os_server:
name: "{{ item }}"
state: absent
auth:
auth_url: "{{ os_auth_url }}"
username: "{{ os_username }}"
password: "{{ os_password }}"
project_name: "{{ os_project_name }}"
project_domain_name: "{{ os_project_domain_name }}"
user_domain_name: "{{ os_user_domain_name }}"
loop: "{{ os_instances_name }}"
- name: create instance
os_server:
state: present
auth:
auth_url: "{{ os_auth_url }}"
username: "{{ os_username }}"
password: "{{ os_password }}"
project_name: "{{ os_project_name }}"
project_domain_name: "{{ os_project_domain_name }}"
user_domain_name: "{{ os_user_domain_name }}"
name: "{{ item }}"
image: "{{ os_image_name }}"
key_name: "{{ os_key_name }}"
flavor: "{{ os_flavor_name }}"
network: "{{ os_network_name }}"
security_groups: "{{ os_security_groups }}"
timeout: 200
auto_ip: yes
loop: "{{ os_instances_name }}"
register: instances
- name: wait for SSH on the instance
command: >
ssh -oBatchMode=yes -oStrictHostKeyChecking=no "{{ os_instance_admin }}@{{item.server.public_v4}}" true
register: result
until: result is success
retries: 30
delay: 10
loop: "{{ instances.results }}"
- name: add newly created instance to host
add_host:
name: "{{ item.server.public_v4 }}"
groups: target
ansible_ssh_host: "{{ item.server.public_v4 }}"
loop: "{{ instances.results }}"
- hosts: target
remote_user: ubuntu
tasks:
- name: allow root login from ssh
replace:
path: /root/.ssh/authorized_keys
regexp: "no-port-forwarding.*ssh-rsa"
replace: "ssh-rsa"
become_user: root
become: yes
- hosts: target
remote_user: root
tasks:
- name: kill all processes owned by ubuntu user and remove the account
shell: killall -KILL -u ubuntu ; deluser ubuntu
- name: remove ubuntu home directory
file:
path: /home/ubuntu
state: absent
- name: create localhome directory
file:
path: /localhome
state: directory
- name: create jupyter-admin group
group:
name: os_admin
- name: create os_admin account with sudo priviledges
user:
name: os_admin
password: "{{ vault_os_admin_password | password_hash('sha512') }}"
state: present
shell: /bin/bash
createhome: yes
home: /localhome/
group: os_admin
groups:
- sudo
- name: install public key
authorized_key:
user: os_admin
state: present
key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
---
# ansible-playbook -i inventories/hosts playbooks/deploy_jupyterhub.yaml -K --ask-vault-pass
- name: create OS instances
import_playbook: create_os_instances.yml
- name: configure OS instances
import_playbook: configure_os_instances.yml
- name: setup ILL environment
import_playbook: setup_ill_instance.yml
#- name: deploy jupyterhub/sudospawner on OS instances
#import_playbook: setup_jupyterhub.yml
---
- hosts: target
remote_user: root
become: yes
environment:
http_proxy: "{{ http_proxy }}"
https_proxy: "{{ https_proxy }}"
ftp_proxy: "{{ ftp_proxy }}"
no_proxy: "{{ no_proxy }}"
roles:
- role: roles/setup-ill-environment
---
- hosts: target
remote_user: root
become_user: "{{ jupyter_admin }}"
become: yes
environment:
http_proxy: "{{ http_proxy }}"
https_proxy: "{{ https_proxy }}"
ftp_proxy: "{{ ftp_proxy }}"
no_proxy: "{{ no_proxy }}"
roles:
- role: roles/apt-packages
become_user: root
become: yes
- role: roles/install-conda
- role: roles/setup-visa-jupyter-environment
become_method: su
become_flags: -l
- role: roles/setup-scientific-environment
become_method: su
become_flags: -l
- role: roles/setup-visa-jupyter-service
become_user: root
become: yes
- role: roles/setup-reverse-proxy
become_user: root
become: yes
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
---
- name: install apt dependencies
apt:
name: "{{ item }}"
autoclean: yes
update_cache: yes
force_apt_get: yes
loop:
- git
- apache2
---
# vars file for apt-package
\ No newline at end of file
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
- name: remove existing miniconda installer
file:
path: "{{ jupyter_admin_home }}/Miniconda3-latest-Linux-x86_64.sh"
state: absent
- name: remove miniconda3 target directory
file:
path: "{{ jupyter_admin_home }}/miniconda3"
state: absent
- name: download latest miniconda
get_url:
url: https://repo.anaconda.com/miniconda/Miniconda3-latest-Linux-x86_64.sh
dest: "{{ jupyter_admin_home }}/Miniconda3-latest-Linux-x86_64.sh"
mode: u+x
- name: install conda
command: "{{ jupyter_admin_home }}/Miniconda3-latest-Linux-x86_64.sh -b"
- name: initialize conda
command: "{{ conda_exe }} init"
- name: update conda
command: "{{ conda_exe }} update -y conda"
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
#!/bin/bash
# This file must be executable to work! chmod 755!
# Look at what a host is exporting to determine what we can mount.
# This is very simple, but it appears to work surprisingly well
key="$1"
# add "nosymlink" here if you want to suppress symlinking local filesystems
# add "nonstrict" to make it OK for some filesystems to not mount
# choose one of the two lines below depending on the NFS version in your
# environment
opts="-fstype=nfs,hard,intr,nodev,nosuid"
#opts="-fstype=nfs4,hard,intr,nodev,nosuid,async"
for P in /bin /sbin /usr/bin /usr/sbin
do
for M in showmount kshowmount
do
if [ -x $P/$M ]
then
SMNT=$P/$M
break 2
fi
done
done
[ -x $SMNT ] || exit 1
# Newer distributions get this right
SHOWMOUNT="$SMNT --no-headers -e $key"
$SHOWMOUNT | LC_ALL=C cut -d' ' -f1 | LC_ALL=C sort -u | \
awk -v key="$key" -v opts="$opts" -- '
BEGIN { ORS=""; first=1 }
{ if (first) { print opts; first=0 }; print " \\\n\t" $1, key ":" $1 }
END { if (!first) print "\n"; else exit 1 }
' | sed 's/#/\\#/g'
#!/bin/bash
# This file must be executable to work! chmod 755!
# Look at what a host is exporting to determine what we can mount.
# This is very simple, but it appears to work surprisingly well
key="$1"
# add "nosymlink" here if you want to suppress symlinking local filesystems
# add "nonstrict" to make it OK for some filesystems to not mount
# choose one of the two lines below depending on the NFS version in your
# environment
#opts="-fstype=nfs,hard,intr,nodev,nosuid"
opts="-fstype=nfs4,sec=sys,hard,intr,nodev,nosuid,async"
for P in /bin /sbin /usr/bin /usr/sbin
do
for M in showmount kshowmount
do
if [ -x $P/$M ]
then
SMNT=$P/$M
break 2
fi
done
done
[ -x $SMNT ] || exit 1
# Newer distributions get this right
SHOWMOUNT="$SMNT --no-headers -e $key"
$SHOWMOUNT | LC_ALL=C cut -d' ' -f1 | LC_ALL=C sort -u | \
awk -v key="$key" -v opts="$opts" -- '
BEGIN { ORS=""; first=1 }
{ if (first) { print opts; first=0 }; print " \\\n\t" $1, key ":" $1 }
END { if (!first) print "\n"; else exit 1 }
' | sed 's/#/\\#/g'
#
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
#MASTER_MAP_NAME="/etc/auto.master"
MASTER_MAP_NAME="ldap:ou=auto.master,ou=automount,ou=system,dc=ill,dc=fr"
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
# failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# MOUNT_WAIT - time to wait for a response from mount(8).
# Setting this timeout can cause problems when
# mount would otherwise wait for a server that
# is temporarily unavailable, such as when it's
# restarting. The defailt of waiting for mount(8)
# usually results in a wait of around 3 minutes.
#
#MOUNT_WAIT=-1
#
# UMOUNT_WAIT - time to wait for a response from umount(8).
#
#UMOUNT_WAIT=12
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="no"
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
# mount.nfs(8). Since we can't identify
# the default automatically we need to
# set it in our configuration.
#
#MOUNT_NFS_DEFAULT_PROTOCOL=3
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level "none", "verbose" or "debug"
#
LOGGING="verbose"
#
# Define server URIs
#
# LDAP_URI - space seperated list of server uris of the form
# <proto>://<server>[/] where <proto> can be ldap
# or ldaps. The option can be given multiple times.
# Map entries that include a server name override
# this option.
#
# This configuration option can also be used to
# request autofs lookup SRV RRs for a domain of
# the form <proto>:///[<domain dn>]. Note that a
# trailing "/" is not allowed when using this form.
# If the domain dn is not specified the dns domain
# name (if any) is used to construct the domain dn
# for the SRV RR lookup. The server list returned
# from an SRV RR lookup is refreshed according to
# the minimum ttl found in the SRV RR records or
# after one hour, whichever is less.
#
LDAP_URI="ldap://ldap.ill.fr"
#
# LDAP__TIMEOUT - timeout value for the synchronous API calls
# (default is LDAP library default).
#
#LDAP_TIMEOUT=-1
#
# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
#