-rw-r--r-- | README.mdwn | 29 | ||||
-rw-r--r-- | baserock_openid_provider/baserock_openid_provider/settings.py | 17 | ||||
-rw-r--r-- | baserock_openid_provider/image-config.yml (renamed from baserock_openid_provider/local.yml) | 13 | ||||
-rw-r--r-- | baserock_openid_provider/instance-config.yml | 35 | ||||
-rw-r--r-- | baserock_openid_provider/packer_template.json | 19 | ||||
-rw-r--r-- | hosts | 2 |
6 files changed, 69 insertions, 46 deletions
diff --git a/README.mdwn b/README.mdwn
index deb3042d..46a5fe64 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -122,21 +122,21 @@ To deploy a development instance:
 To deploy this system to production:
 vim baserock_openid_provider/baserock_openid_provider/settings.py
- # Edit the DATABASES['default']['HOST'] to point to the fixed IP of
- # the 'database' machine.
- packer build -only=production database/packer_template.json
- nova boot openid_provider
- --flavor dc1.1x1 --image 'baserock_openid_provider' \
- --key-name=<your-keypair> openid.baserock.org \
- --nic='net-id=d079fa3e-2558-4bcb-ad5a-279040c202b5'
-Now you need to SSH into the system (via the frontend system perhaps) and run
-the database migrations, before the app will work:
+Edit the DATABASES['default']['HOST'] to point to the fixed IP of the
+'database' machine, and check the settings. See:
+https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/
- sudo -u cherokee python /srv/baserock_openid_provider/manage.py migrate
+ packer build -only=production baserock_openid_provider/packer_template.json
-FIXME: I guess this could be done with cloud-init.
+ nova boot openid.baserock.org \
+ --key-name <your-keypair> \
+ --flavor dc1.1x1 \
+ --image 'baserock_openid_provider' \
+ --nic 'net-id=d079fa3e-2558-4bcb-ad5a-279040c202b5',v4-fixed-ip=192.168.222.67 \
+ --user-data ./baserock-ops-team.cloud-config
+ ansible-playbook -i hosts baserock_openid_provider/instance-config.yml
 Storyboard
 ----------
@@ -160,6 +160,11 @@ To deploy the production version:
 Deployment to DataCentred
 -------------------------
+The following error from Packer means that you didn't set your credentials
+correctly in the `OS_...` environment variables, or they were not accepted.
+
+> Build 'production' errored: Missing or incorrect provider
+
 When instantiating a machine that will be public, remember that all operators who are responsible for security updates and maintenance must be given access to the machine. This can be done using a post-creation customisation script
@@ -167,7 +172,7 @@ that injecting all of their SSH keys: the Baserock Ops team use the file
 `baserock-ops-team.cloud-config` from this repo. The the Packer tool requires a floating IP to be available at the time a system
-is being deployed to OpenStack. Currently 85.199.252.152 should be used for
+is being deployed to OpenStack. Currently 185.43.218.169 should be used for
 this. If you specify a floating IP that is in use by an existing instance, you will steal it for your own instance and probably break one of our web services.
diff --git a/baserock_openid_provider/baserock_openid_provider/settings.py b/baserock_openid_provider/baserock_openid_provider/settings.py
index 65092221..387c9013 100644
--- a/baserock_openid_provider/baserock_openid_provider/settings.py
+++ b/baserock_openid_provider/baserock_openid_provider/settings.py
@@ -18,14 +18,19 @@ BASE_DIR = os.path.dirname(os.path.dirname(__file__))
 # See https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = '#k9g0dclqiqxomjk2=&fu+$n-(b$d4**5usy!%(b3#k8m)qpif'
+secret_key_file = '/etc/baserock_openid_provider.secret_key.yml'
+with open(secret_key_file) as f:
+ data = yaml.load(f)
+ SECRET_KEY = data['baserock_openid_provider_secret_key']
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
+DEBUG = False
 TEMPLATE_DEBUG = True
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = [
+ 'openid.baserock.org',
+]
 # Application definition
@@ -105,11 +110,7 @@ DATABASES = {
 }
-# This file lives under /var/lib currently so that the user who runs
-# this code can read it. That user is 'uwsgi'. Putting it in /srv would
-# be fine except that it interferes with the way development deployments
-# are done.
-pw_file = '/var/lib/baserock_openid_provider.database_password.yml'
+pw_file = '/etc/baserock_openid_provider.database_password.yml'
 with open(pw_file) as f:
 data = yaml.load(f)
 password = data['baserock_openid_provider_password']
diff --git a/baserock_openid_provider/local.yml b/baserock_openid_provider/image-config.yml
index a09d03ba..bfae7cd5 100644
--- a/baserock_openid_provider/local.yml
+++ b/baserock_openid_provider/image-config.yml
@@ -1,3 +1,6 @@
+# Image configuration for Baserock OpenID provider.
+#
+# This playbook is run at image-creation time by Packer.
 ---
 - hosts: localhost
 tasks:
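Review bot: `data = yaml.load(f)` in the new SECRET_KEY block parses the key file with PyYAML's default loader, which in the PyYAML releases of this era can construct arbitrary Python objects from tagged YAML; the file holds a plain string, so `data = yaml.safe_load(f)` is sufficient and removes that surface (the same applies to the pre-existing `yaml.load` on the password file in the second hunk). The key literal this commit removes from settings.py stays in the repository history, so the value written to `/etc/baserock_openid_provider.secret_key.yml` should be freshly generated rather than the old one. `TEMPLATE_DEBUG = True` survives next to the new `DEBUG = False`; if that is not deliberate, the deployment checklist linked in the comment above lists it alongside DEBUG. The module-level names `secret_key_file`, `f` and `data` also remain attributes of the settings module afterwards, which is harmless but worth a `del` if you want the namespace clean.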
@@ -40,18 +43,10 @@
 yum: name=MySQL-python state=latest
 - name: install Cherokee configuration
- file: src=/srv/baserock_openid_provider/cherokee.conf dest=/etc/cherokee/cherokee.conf state=link
+ file: src=/srv/baserock_openid_provider/cherokee.conf dest=/etc/cherokee/cherokee.conf state=link force=yes
 - name: create log directory for baserock_openid_provider
 file: path=/var/log/baserock_openid_provider owner=cherokee group=cherokee state=directory
 - name: create directory for static content
 file: path=/var/www/static owner=cherokee group=cherokee state=directory
-
- - name: install static content
- django_manage: app_path=/srv/baserock_openid_provider command=collectstatic
-
- # Default configuration of Sendmail in Fedora is to only accept connections from
- # localhost. This is what we want.
- - name: enable and start sendmail service
- service: name=sendmail enabled=yes state=started
diff --git a/baserock_openid_provider/instance-config.yml b/baserock_openid_provider/instance-config.yml
new file mode 100644
index 00000000..dc404594
--- /dev/null
+++ b/baserock_openid_provider/instance-config.yml
@@ -0,0 +1,35 @@
+# Instance configuration for Baserock OpenID provider.
+#
+# This playbook should be run after starting an instance of the Baserock
+# OpenID Provider image.
+---
+- hosts: openid.baserock.org
+ sudo: yes
+ tasks:
+ - name: ensure system up to date
+ yum: name=* state=latest
+
+ - name: install database password
+ copy: src=../database/baserock_openid_provider.database_password.yml dest=/etc owner=cherokee group=cherokee mode=400
+
+ - name: install Django secret key
+ copy: src=baserock_openid_provider.secret_key.yml dest=/etc owner=cherokee group=cherokee mode=400
+
+ # This step could be part of image creation, except that because the secret
+ # key file wouldn't be available at that time, the 'manage.py' script would
+ # fail to run.
+ - name: install static content
+ django_manage: app_path=/srv/baserock_openid_provider command=collectstatic
+ sudo_user: cherokee
+
+ - name: run database migrations
+ django_manage: app_path=/srv/baserock_openid_provider command=migrate
+ sudo_user: cherokee
+
+ # Default configuration of Sendmail in Fedora is to only accept connections from
+ # localhost. This is what we want, so no extra config required.
+ - name: enable and start sendmail service
+ service: name=sendmail enabled=yes state=started
+
+ - name: enable and start Cherokee service
+ service: name=cherokee enabled=yes state=restarted
diff --git a/baserock_openid_provider/packer_template.json b/baserock_openid_provider/packer_template.json
index a5f40761..0de9bc84 100644
--- a/baserock_openid_provider/packer_template.json
+++ b/baserock_openid_provider/packer_template.json
@@ -14,7 +14,7 @@
 "flavor": "f0577618-9125-4948-b450-474e225bbc4c",
 "source_image": "742e0414-c985-4994-b307-4aafade942b3",
 "networks": ["d079fa3e-2558-4bcb-ad5a-279040c202b5"],
- "floating_ip": "85.199.252.164",
+ "floating_ip": "185.43.218.169",
 "use_floating_ip": true,
 "ssh_username": "fedora"
 }
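Review bot: The two `copy` tasks in instance-config.yml read the database password and the Django secret key from files inside the working tree (`../database/baserock_openid_provider.database_password.yml` and `baserock_openid_provider.secret_key.yml`), and nothing in this change shows them being excluded from version control, so it is worth confirming they are git-ignored or sourced from outside the checkout. In key=value form Ansible treats `mode=400` as an octal string, but writing it as `mode=0400` makes that explicit and survives a later conversion to YAML-dict syntax, where a bare `400` would be read as decimal. `yum: name=* state=latest` upgrades every package on each run of this playbook, so a re-run made only to apply a configuration change can also pull in untested package versions; pinning that task, or leaving full upgrades to image creation, would keep instance configuration deterministic.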
@@ -29,17 +29,6 @@
 },
 {
 "type": "file",
- "source": "database/baserock_openid_provider.database_password.yml",
- "destination": "/var/tmp/baserock_openid_provider.database_password.yml"
- },
- {
- "type": "shell",
- "inline": [
- "sudo mv /var/tmp/baserock_openid_provider.database_password.yml /var/lib"
- ]
- },
- {
- "type": "file",
 "source": "baserock_openid_provider",
 "destination": "/srv",
 "only": ["production"]
@@ -50,7 +39,7 @@
 },
 {
 "type": "ansible-local",
- "playbook_file": "baserock_openid_provider/local.yml",
+ "playbook_file": "baserock_openid_provider/image-config.yml",
 "command": "sudo ansible-playbook"
 },
 {
@@ -65,9 +54,7 @@
 "inline": [
 "sudo yum install -y libselinux-python",
 "sudo ansible localhost -m selinux -a state=disabled",
- "sudo setenforce 0",
- "sudo systemctl enable cherokee",
- "sudo systemctl start cherokee"
+ "sudo setenforce 0"
 ],
 "only": ["production"]
 },
@@ -18,7 +18,7 @@ mason-x86-64.baserock.org ansible_ssh_host=192.168.222.13
 [fedora]
 frontend-haproxy ansible_ssh_host=185.43.218.170
 database-mariadb ansible_ssh_host=192.168.222.30
-openid.baserock.org ansible_ssh_host=192.168.222.39
+openid.baserock.org ansible_ssh_host=192.168.222.67
 storyboard.baserock.org ansible_ssh_host=192.168.222.40
 [ubuntu]