Date posted: 23-Jan-2018
Category: Data & Analytics
Upload: panagenda
@stoeps #panagendaWebinar #ansible
Automate IBM Connections Installations and more
Christoph Stoettner
Speakers
Christoph Stoettner
Senior Consultant at panagenda
IBM Domino since 1999, IBM Connections since 2009
Experience in
  Migrations, Deployments
  Performance Analysis
Focusing in
  Monitoring, Security
panagenda ConnectionsExpert
IBM Champion
Idea and history
Several attempts to deploy IBM Connections automatically
Social Connections VII - Stockholm
  Klaus Bild: Silence of the Installers
Why do we need automation?
  Demos
  Migration / Testing
  Continuous Delivery
It’s not only providing response files
Orient Me / IBM Private Cloud installer
[master]
1.1.1.1
[worker]
2.2.2.2
...
2.2.2.9
[proxy]
3.3.3.3
Automation speeds up your installation
System requirements installed
ulimits set / limits.conf configured
  Increase nproc for WebSphere and IBM Domino
Easier troubleshooting
  You don’t need to check all requirements and settings
  You can be sure that they are set
root - nproc 16384
root - nofile 65536
root - stack 10240
Possible Open Source Tools
Puppet (https://puppet.com/)
  Great for Windows too
  Enterprise Support
  Cryptic
Chef (https://www.chef.io)
  Easy to learn (if you’re a Ruby developer)
SaltStack (https://saltstack.com)
Ansible
Agentless
Uses SSH
Easy to read (Everything is YAML)
Easy to use (Extensible via modules)
Encryption and security built in
Written in Python
Supported by Red Hat and Communities
Comparison
Tool        Language      Agent  Config     Communication  Difficulty
Ansible     Python        No     YAML       OpenSSH
Chef        Ruby, Erlang  Yes    Ruby       SSL
Puppet      Ruby          Yes    PuppetDSL  SSL
SaltStack   Python        Yes    YAML       ZeroMQ
Why should you learn Ansible?
Ansible is built for Cloud orchestration
Dynamic and static inventory
  Use playbooks for multiple environments
It’s just YAML
Easy to keep in source control (git, svn)
Inventory example
[ihs]
cnx-web-60.panastoeps.local
[was-dmgr]
cnx-was-60.panastoeps.local
How does it work?
SSH is your friend
SSH Key Authentication saves a lot of time
Create an SSH Key
  Linux: ssh-keygen
  Windows: puttygen.exe
SSH Key should be secured with a password
Copy the public key to the remote server
  ssh-copy-id
  You need to add the content of <keyname>.pub to .ssh/authorized_keys in the home directory of the user
SSH with Windows
PuTTY
  Download: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
  Putty Pageant Documentation: http://the.earth.li/~sgtatham/putty/0.70/htmldoc/Chapter9.html
KiTTY: http://www.9bis.net/kitty/
  Download: http://www.9bis.net/kitty/?page=Download
SSH with Linux
~/.ssh/config
X11Forward
Host
Used Key
SSH-Agent (configure )
  Autostart SSH-Agent
$> ssh-add ~/.ssh/stoeps_rsa
Enter passphrase for /home/stoeps/.ssh/stoeps_rsa:
Identity added: /home/stoeps/.ssh/stoeps_rsa
Can this help with IBM Connections?
Ansible basics
  Playbook is a collection of roles
  Playbooks can import other playbooks
  Role is a collection of tasks
    Dependencies of Roles
  Groups and Hostnames from Inventory
Organization of your folders
├── group_vars
│   └── all
├── library
├── roles
│   ├── common
│   ├── db2
│   ├── db2-requirements
│   ├── installationmanager
│   ├── tdi
│   ├── vm
│   ├── was-dmgr
│   ├── was-nd
│   ├── was-node
│   ├── was-requirements
│   └── was-suppl
└── templates
Organization of your files
Root Folder
  Playbooks
  Inventory
Roles
  Example: Installationmanager
├── defaults
│   └── main.yml    (1)
└── tasks
    └── main.yml    (2)
1. Variable definition
2. Tasks for role
Inventory
Groupname definition in inventory file
[ihs]         # (1)
cnx-web-60.panastoeps.local
[was-dmgr]
cnx-was-60.panastoeps.local
[was-node]    # (2)
cnx-was-60.panastoeps.local
cnx-was2-60.panastoeps.local
[db2]
cnx-db2-panastoeps.local
1. Group ihs with one member
2. Group was-node with two members
Main playbook
Groupnames from inventory used for applying roles
Special: all
# file: site.yml
- hosts: all                        # (1)
  roles:
    - common
    - vm
- hosts: ihs,was-dmgr               # (2)
  roles:
    - was-requirements
    - installationmanager
- import_playbook: webserver.yml    # (3)
1. All hosts of inventory, run role vm and common for all hosts
2. Hostgroups ihs and was-dmgr
3. Import playbook webserver.yml
Change ulimit
Configure /etc/security/limits.conf
# Increase limits.conf for IBM products
- name: Change limits.conf
  pam_limits:
    domain: root
    limit_type: '-'       # (1)
    limit_item: nofile    # (2)
    value: 65536          # (3)
1. hard and soft limits
2. item name
3. value
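One way to confirm that the limits from the earlier slide (root - nproc 16384, nofile 65536, stack 10240) are really present in a limits.conf, as an added example that is not part of the original slides. The function names and the sample file are constructed for illustration; the check reads a single file's text and only lines that name the domain exactly.

```python
import math

# Values from the slide: root - nproc 16384 / nofile 65536 / stack 10240
REQUIRED = {"nproc": 16384, "nofile": 65536, "stack": 10240}

def effective_limits(text, domain="root"):
    """Return {item: {"soft": n, "hard": n}} for one domain.

    Simplification: only lines naming the domain exactly are read, and a
    later line replaces an earlier one for the same item and type.
    """
    limits = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4 or fields[0] != domain:
            continue
        _, ltype, item, value = fields
        if value in ("unlimited", "infinity", "-1"):
            number = math.inf
        elif value.isdigit():
            number = int(value)
        else:
            continue
        # "-" sets the soft and the hard limit in one line
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            if kind in ("soft", "hard"):
                limits.setdefault(item, {})[kind] = number
    return limits

def unmet_limits(text, required=REQUIRED, domain="root"):
    """List (item, type, found) for each required limit that is missing or too low."""
    have = effective_limits(text, domain)
    return [(item, kind, have.get(item, {}).get(kind))
            for item, want in required.items()
            for kind in ("soft", "hard")
            if have.get(item, {}).get(kind, -1) < want]

# Constructed sample input, not taken from a real host
SAMPLE = """\
# /etc/security/limits.conf
root  -     nproc   16384
root  soft  nofile  65536
root  hard  nofile  4096     # hard limit too low
*     -     stack   10240    # wildcard entries do not apply to root
"""

if __name__ == "__main__":
    for item, kind, found in unmet_limits(SAMPLE):
        print(f"root {kind} {item}: found {found}, need {REQUIRED[item]}")
```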
SSHD enable X11Forward
# Configure SSH X11Forward
- name: Update SSH configuration to be more secure.
  lineinfile:
    dest: "/etc/ssh/sshd_config"      # (1)
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
  with_items:
    - regexp: "^X11Forwarding"        # (2)
      line: "X11Forwarding yes"
    - regexp: "^X11UseLocalhost"      # (3)
      line: "X11UseLocalhost no"
  notify: Restart SSH                 # (4)
1. Edit sshd_config
2. Search line beginning with X11Forwarding
3. Search X11UseLocalhost
4. Handler: restart ssh
Package Management
Install prerequisites for
  Installation Manager
  DB2
  WebSphere Application Server
Which distribution do you use?
  SuSE (zypper)
  Red Hat (yum)
  Debian (apt)
Doesn't matter!
Package Management with Ansible
# Install unzip
- name: Install unzip (used in unarchive)
  package:
    name=unzip
    state=latest
# Multiple packages
- name: Install prerequisites
  package:
    name={{ item }}
    state=latest
  with_items:
    - unzip
    - xauth
    - psmisc           # (1)
    - open-vm-tools    # (2)
1. Requirement for WebSphere manageprofiles.sh
2. VM drivers
Install prerequisites
When package names are not consistent in all used distributions
Use when statement
- name: Install system packages for DB2
  package: name={{ item }} state=latest
  with_items:
    - libaio.i686
    - libaio.x86_64
    - compat-libstdc++-33.i686
    - compat-libstdc++-33.x86_64
    - libstdc++.x86_64
    - libstdc++.i686
    - pam.i686
  # The ansible_distribution fact reports RHEL as 'RedHat'
  when: ansible_distribution == 'RedHat'
Disable IPv6
IPv6 often is a pain in (IBM) software deployments
Sometimes I forget to do it on one of the servers
# Disable IPv6
- name: Disable IPv6 in sysctl
  sysctl:
    name={{ item }}
    value=1
    state=present
  with_items:
    - net.ipv6.conf.all.disable_ipv6
    - net.ipv6.conf.default.disable_ipv6
    - net.ipv6.conf.lo.disable_ipv6
Disable Firewall, SELinux
I always disable Firewalls and Security Extensions during deployments
# Disable Firewall
- name: Disable Firewall
  service:
    name=firewalld
    state=stopped
    enabled=no
# Disable SELinux
- name: Disable SELinux
  selinux:
    state: disabled
Shell Extension To Mount Share
Mount a local folder into the VM
Just a shell command
# Mount Disk with installation sources
- name: Mount software repository
  shell: umount /mnt; vmhgfs-fuse .host:/software /mnt
Secure your configuration
You shouldn't keep passwords in cleartext
Ansible knows something named Vault
Vaults are AES256 encrypted
ansible-vault --ask-vault-pass create group_vars/all/vault.yml     # (1)
ansible-vault --ask-vault-pass edit group_vars/all/vault.yml       # (2)
ansible-vault --ask-vault-pass encrypt group_vars/all/main.yml     # (3)
1. Create Vault
2. Edit Vault
3. Encrypt file afterwards
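A check that the "no passwords in cleartext" rule holds across a playbook tree, as an added example that is not code from the original slides: a file counts as protected only if its first line is the $ANSIBLE_VAULT header, and credential-like keys set to literal values in any other *.yml file are reported. The key-name pattern, function names and sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# First line of a vault file, e.g. "$ANSIBLE_VAULT;1.1;AES256"
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;\S+)?$")
# Credential-like key in "key: value" or "key=value" form (assumed name pattern)
SECRET_KEY = re.compile(r"^\s*(?:-\s+)?([\w.-]*(?:password|passwd|secret|token)[\w.-]*)"
                        r"\s*[:=]\s*(\S.*)$", re.IGNORECASE)

def is_vault_encrypted(text):
    lines = text.splitlines()
    return bool(lines) and VAULT_HEADER.match(lines[0].strip()) is not None

def plaintext_secrets(text):
    """Return [(line_no, key)] for credential-like keys set to a literal value."""
    if is_vault_encrypted(text):
        return []
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = SECRET_KEY.match(line)
        if not match:
            continue
        value = match.group(2).strip().strip("'\"")
        # A Jinja2 reference or an inline !vault value is not a literal secret
        if value.startswith(("{{", "!vault")):
            continue
        hits.append((number, match.group(1)))
    return hits

def scan(root):
    """Map each *.yml file under root to its plaintext findings."""
    findings = {}
    for path in sorted(Path(root).rglob("*.yml")):
        hits = plaintext_secrets(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed samples: cleartext vars file, encrypted file, task file
CLEARTEXT = "# Content of vault.yml\nlcuser_password: 'password'\n"
ENCRYPTED = "$ANSIBLE_VAULT;1.1;AES256\n3031323334353637\n"
TASKS = ("- profile_dmgr:\n"
         "    username: wasadmin\n"
         "    password: password\n"
         "- user:\n"
         "    password: \"{{ lcuser_password | password_hash('sha512') }}\"\n")

if __name__ == "__main__":
    print({k: plaintext_secrets(v) for k, v in [("vars", CLEARTEXT), ("tasks", TASKS)]})
```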
Run your Playbook
Run Playbook when vault.yml is used
ansible-playbook -i inventory site.yml --ask-vault-pass
Run Playbook without vault.yml
ansible-playbook -i inventory site.yml
Create Users
IBM Connections needs a database user
  lcuser
Define password in vault.yml
User creation needs a password hash!
# Content of vault.yml
lcuser_password: 'password'
# Task
- name: Create DB2 Connections Users
  user:
    name: lcuser
    password: "{{ lcuser_password | password_hash('sha512') }}"
IBM Installation Manager
Role gets the installer from a webserver
Role originally comes from: https://github.com/sgwilbur/ansible-ibm-installation-manager
I use Docker with nginx to serve the file
Role contains following tasks:
  Download and extract of the package
  Silent Install of Installation Manager
  Delete the extracted content
IBM Installation Manager Variables
Used Variables:
im_media_host: http://172.16.20.1
im_ibmim_install_location: /opt/IBM/InstallationManager
im_tmp_location: /tmp/im
im_version: 1.8.7.0
im_platform: linux
im_architecture: x86_64
im_version_tag: 1.8.7000.20170706_2137
Installation Manager tasks
# file: roles/installationmanager/tasks/main.yml
- name: Create Temp directory
  file: path={{ im_tmp_location }} state=directory mode=0755
- name: Download and extract local copy of installer
  unarchive:
    src: "{{ im_media_host }}/software/ibm/installation_manager/{{ im_
    dest: "{{ im_tmp_location }}"
    remote_src: yes
- name: Run silent install to {{ im_ibmim_install_location }}
  command:
    chdir={{ im_tmp_location }}
    {{ im_tmp_location }}/install -acceptLicense --launcher.ini silent
    creates={{ im_ibmim_install_location }}
  register: install
  changed_when: install.rc != 0
- name: Remove Installer
  file: path={{ im_tmp_location }} state=absent
WebSphere Components (Variables)
Define repositories
Set properties
wasnd:
  properties: "user.wasjava=java8"
  dmgrhost: "cnx-was-60.panastoeps.local"
ibmrepositories: "/mnt/ibm/WebSphere/8.5.5/ND/repository.config,
  /mnt/ibm/WebSphere/8.5.5/SUPPL/repository.config,
  /mnt/ibm/WebSphere/8.5.5FP11/ND/repository.config,
  /mnt/ibm/WebSphere/8.5.5FP11/SUPPL/repository.config,
  /mnt/ibm/WebSphere/8.5.5FP11/WCT/repository.config,
  /mnt/ibm/WebSphere/8.0.3.0/IBMWASJAVA/repository.config,
  /mnt/ibm/WebSphere/Fixes/IFPI80729/repository.config"
Install WebSphere Components
Copy library into your playbook directory: https://github.com/amimof/ansible-WebSphere
- name: Install WebSphere Application Server Network Deployment
  ibmim:
    id: "com.ibm.websphere.ND.v85 com.ibm.websphere.IBMJAVA.v80"
    repositories: "{{ ibmrepositories }}"
    properties: "{{ wasnd.properties }}"
- name: Update all WebSphere packages
  ibmim:
    id: null
    state: update
    repositories: "{{ ibmrepositories }}"
    properties: "{{ wasnd.properties }}"
Create Deployment Manager Profile
# file: roles/was-dmgr/tasks/main.yml
- name: Create DMGR Profile
  profile_dmgr:
    state: present
    wasdir: /opt/IBM/WebSphere/AppServer
    name: Dmgr01
    cell_name: CnxCell
    host_name: "{{ inventory_hostname }}"
    node_name: CnxCell-dmgr
    username: wasadmin
    password: password
# Start the Deployment Manager to add the additional profiles
- name: Start Deployment Manager
  shell:
    cd /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin; ./startManage
Jinja2 templates
Response files as templates
Jinja2 Templating
Dynamic
Access to Variables
Save into <playbook>/templates
Example template for DB2
Variables
db2:
  install: "/mnt/ibm/db2/11.1.2FP2a"
resp:
  prod: "DB2_SERVER_EDITION"
  file: "/opt/ibm/db2/V11.1"
  lic_agreement: "ACCEPT"    # ACCEPT or DECLINE
  install_type: "TYPICAL"    # TYPICAL, COMPACT, CUSTOM
...
Response file
* Product Installation
LIC_AGREEMENT = {{ resp.lic_agreement }}
PROD = {{ resp.prod }}
FILE = {{ resp.file }}
INSTALL_TYPE = {{ resp.install_type }}
...
DB2 role with template parsing
Parse response file and store in tmp
Call db2setup with this response file
- name: Parse response file
  template: src=db2server.j2.rsp dest=/tmp/db2server.rsp
  tags: parse
- name: Installing DB2 11.1
  command: "{{ db2.install }}/db2setup -r /tmp/db2server.rsp"
  register: db2_setup
  args:
    creates: "{{ resp.file }}"
Import DB2 license
Using a shell command
- name: Add DB2 license
  shell:
    cp /mnt/ibm/db2/cnx_lic/ese_u/db2/license/db2ese_u.lic /home/db2in
    chown db2inst1 /home/db2inst1/db2ese_u.lic && \
    su - db2inst1 -c 'db2licm -a /home/db2inst1/db2ese_u.lic'
Install TDI 7.1.1
Tivoli Directory Integrator 7.1.1
Jinja2 Response file
# Install Tivoli Directory Integrator 7.1.1 and FP6
- name: Parse response file
  template: src=tdi_install.j2.rsp dest=/tmp/tdi_install.rsp
  tags: parse
# Installer searches for gnome or kde and gives an error on exit
# after successful installation
- name: Installing TDI 7.1.1
  command: "{{ tdi.install }}/install_tdiv711_linux_x86_64.bin
    -f /tmp/tdi_install.rsp -i silent"
  ignore_errors: yes
Update TDI to 7.1.1 FP6
Copy UpdateInstaller.jar
Update TDI
# Update to FP6
- name: Download and extract local copy of installer
  unarchive:
    src: "{{ tdi.fixpack }}/7.1.1-TIV-TDI-FP0006.zip"
    dest: "{{ tdi.tmp }}"
    remote_src: yes
# Copy update
- name: Copy UpdateInstaller.jar
  copy:
    src: "{{ tdi.tmp }}/7.1.1-TIV-TDI-FP0006/UpdateInstaller.jar"
    dest: /opt/IBM/TDI/V7.1.1/maintenance
    remote_src: yes
- name: Update TDI to FP6
  command: "/opt/IBM/TDI/V7.1.1/bin/applyUpdates.sh -update
    {{ tdi.tmp }}/7.1.1-TIV-TDI-FP0006/TDI-7.1.1-FP0006.zip"
Run Playbook
ansible-playbook -i inventory site.yml
PLAY [all] ***********************************************************
TASK [Gathering Facts] ***********************************************
ok: [cnx-p60-doc-01.panagenda.local]
TASK [common : Disable Firewall] *************************************
ok: [cnx-p60-doc-01.panagenda.local]
TASK [common : Disable SELinux] **************************************
ok: [cnx-p60-doc-01.panagenda.local]
TASK [common : Change limits.conf] ***********************************
ok: [cnx-p60-doc-01.panagenda.local]
TASK [common : pam_limits] *******************************************
ok: [cnx-p60-doc-01.panagenda.local]
Nearly everything is possible
Manage Docker container
Reboot your systems
Update multiple hosts at one time
Works with Microsoft Windows
WinRM / Remote Powershell
Gather facts on Windows hosts
Manage Windows packages via Chocolatey
Install and uninstall MSIs
Enable and disable Windows Features
Start, stop, and manage Windows services
Create and manage local users and groups
Manage and install Windows updates
Push and execute any PowerShell script
Administrator or Developer?
Have a look at Ansible
  Saves you time
  Easy to deploy and use in different environments
    QA
    Testing
    Production
KISS
  Keep it simple stupid
Thank You
Christoph Stoettner
+49 173 8588719
christophstoettner
@stoeps
https://linkedin.com/in/christophstoettner
https://slideshare.net/christophstoettner
https://github.com/stoeps13
https://www.stoeps.de
Questions?