update gerrit list

[openafs-wiki.git] / admin / AnsibleOpenAFS.mdwn

# Ansible Roles for OpenAFS

The [[`ansible-openafs`|https://github.com/openafs-contrib/ansible-openafs] is
a collection of Ansible roles and playbooks to deploy OpenAFS and clients with
[[Ansible|https://www.ansible.com/]].  The roles can be used to deploy a new
Kerberos realm, install the servers, setup the initial cell, and install
OpenAFS clients in the cell.  The Ansible roles also are able to build OpenAFS
from source for testing and development.


## Platforms Supported

* OpenAFS 1.6.5+
* Ansible 2.5+
* OS Versions
    * RHEL7/CentOS7
    * Ubuntu 18.x

## Kerberos Client Role

Name: `openafs_krbclient`

Install and configure the Kerberos workstation packages.

### Role Variables

    afs_realm: EXAMPLE.COM

The Kerberos realm name.

## Kerberos Server Role

Name: `openafs_krbserver`

Install and configure the Kerberos master KDC on single host, create the
Kerberos database, the administrator's principal, and the OpenAFS service key.

### Role Variables

    afs_realm: EXAMPLE.COM

The Kerberos realm name.

    afs_kerberos_master_password: (random by default)

The secret Kerberos database master password. The password is a random string
by default. It should be set on the command line (-e) or in a group variable,
preferably encrypted with `ansible-vault`.

    afs_admin_principal: admin
    afs_admin_password: (undefined by default)

A administrator principal to be created by this role.
The password is not defined by default and must be set on the command line
(-e) or in a group variable, preferably encrypted with `ansible-vault`.

## OpenAFS Cell Role

Name: `openafs_cell`

Setup the top level volumes in the cell. This role is to be run on a single
client host.

### Role Variables

    afs_cell: example.com
    afs_realm: EXAMPLE.COM

Cell and realm names.

    afs_admin_principal: admin
    afs_admin_password: (not defined)
    afs_user_password:  (not defined)


A administrator credentials to create the regular users listed in `afs_users`
and the initial Kerberos password for those users.  The passwords are not
defined by default and must be set on the command line (-e) or in group
variables, preferably encrypted with `ansible-vault`.

    afs_kdc:

The Kerberos KDC hostname. This host must be a member of the `afs_kdcs` host group.

    afs_root_server:
    afs_root_part: a

The primary fileserver hostname and AFS fileserver partition id. The cell's
top-level volumes will be created on this fileserver partition.

    afs_volumes:

An optional list of top level volumes to be created and mounted in the cell.
This should be defined as a list of dictionaries of `name=<volume name>,
mtpt=<mount path>`, where `<mount path>` is relative to `/afs/<cell name>/`
and defaults to the `<volume-name>`.

    afs_users:

An optional list of AFS users to be created in the new cell. This should be
defined as list of dictionaries of `name=<username>`.

    afs_groups:

An optional list of AFS groups to be created in the new cell. This should be
defined as a list of dictionaries of `name=<group name>, members=<list of
usernames>`.

Example initial cell configuration:

    # contents of inventory/example.com/group_vars/all/cell.yaml
    # Initial top level volumes.
    afs_volumes:
      - name: test
        mtpt: test
    
    # Initial AFS users.
    afs_users:
      - name: user1
      - name: user2
      - name: user3
    
    # Initial AFS groups
    afs_groups:
      - name: group1
        members:
          - user1
          - user2
      - name: group2
        members:
          - user2
          - user3

## OpenAFS Client Role

Name: `openafs_client`

Install and configure the OpenAFS client packages.  Optionally, build and install from
source code.

### Role Variables

    afs_cell: example.com
    afs_desc: Example
    afs_realm:  EXAMPLE.COM

The Kerberos realm name, AFS cell name, and the cell organizational
description.

    # One of: 'package-manager', 'rsync'
    afs_client_install_method: package-manager

The method used to install the OpenAFS client binaries. Values are:

* `package-manager` :  Install client packages and a pre-built kernel module
                with  the system package manager (e.g., `yum`, `apt`).
* `rsync`:      Copy the binary files. Build the client binaries and kernel module from source
                code if needed. Installs development packages in order to
                build the OpenAFS client binaries and kernel module, if needed.

    afs_openafs_client_repourl:

The URL of a yum repo containing OpenAFS client packages for the `package-manager` install method.

    afs_client_install_dkms: no

Install kernel module with DKMS for the `package-manager` install method.

    afs_client_build_force: no
    afs_client_build_builddir: "/usr/local/src/openafs_client"
    afs_client_build_destdir: "/tmp/openafs_client"
    afs_client_build_fetch_method: "git"
    afs_client_build_git_repo: "https://github.com/openafs/openafs"
    afs_client_build_git_ref: "master"

Build options for `rsync` install method.

    afs_cacheinfo_mount: /afs
    afs_cacheinfo_cache: /usr/vice/cache
    afs_cacheinfo_size: 50000

The OpenAFS cache configuration parameters; the AFS filesystem mount point, the
cache partition, and the cache manager cache size.  The cache partition should
already exist.

    afs_afsd_opts: -dynroot -fakestat -afsdb

The OpenAFS cache manager startup options.

## OpenAFS Server Role

Name: `openafs_server`

Install and configure the OpenAFS server packages. This role installs both the
fileserver and the database servers, which can be installed on the same hosts
or different hosts.  Optionally, build and install from source code.

This role enables OpenAFS servers to operate correctly with selinux set to
enforcing mode.

### Role Variables

    afs_cell: example.com
    afs_desc: Example
    afs_realm:  EXAMPLE.COM

The Kerberos realm name, AFS cell name, and the cell organizational
description.

    afs_admin_principal:
    afs_admin_password: (undefined by default)

A administrator principal and password to be used to set the AFS service key.
The password is not defined by default and must be set on the command line (-e)
or in a group variable, preferably encrypted with `ansible-vault`.

    afs_server_install_method: package-manager

The method used to install the OpenAFS server binaries. Values are:

* `package-manager`:  Install OpenAFS server packages with yum. (default)
* `rsync`: Copy binary files. Build binares from source code if needed.

    afs_openafs_server_repourl:

The URL of a yum repo containing OpenAFS server packages.

    afs_server_build_force: no
    afs_server_build_builddir: "/usr/local/src/openafs_server"
    afs_server_build_destdir: "/tmp/openafs_server"
    afs_server_build_fetch_method: "git"
    afs_server_build_git_repo: "https://github.com/openafs/openafs"
    afs_server_build_git_ref: "master"

Build from source options for the 'rsync' install method.

    afs_selinux_mode: enforcing

The selinux enforcing mode. May be one of `enforcing`, `passive`, or
`disabled`.  When `enforcing`, update the required selinux bits to allow the
servers to properly operate.

    afs_fileserver_type: dafs

Determines which fileserver variation is setup when the host is a member of the
`afs_fileservers` group.  May be the legacy OpenAFS fileserver (`fs`), or the
modern demand-attach fileserver (`dafs`). The demand-attach (`dafs`) variant is
the default.

    afs_bosserver_opts:
    afs_ptserver_opts:
    afs_vlserver_opts:
    afs_dafileserver_opts: -L
    afs_davolserver_opts:
    afs_salvageserver_opts:
    afs_dasalvager_opts:
    afs_fileserver_opts:
    afs_volserver_opts:
    afs_salvager_opts:

The OpenAFS server command line options. See the OpenAFS man pages for the
server processes.

    afs_kdc:

The Kerberos KDC hostname.

    afs_root_server:
    afs_root_part: a

The primary fileserver hostname and AFS fileserver partition id. The cell root
volume (root.afs, root.cell) will be created on this fileserver partition.

## OpenAFS Devel Role

Name: `openafs_devel`

Install development packages and provide tasks to build an OpenAFS
binary distribution from source code.

### Role Variables

    afs_devel_build_server: yes

Build the server components.

    afs_devel_build_client: yes

Build the client components, including the OpenAFS kernel module.

    afs_devel_builddir: "/usr/local/src/openafs"

The path of the directory to perform the build.

    afs_devel_destdir: "/tmp/openafs"

The path of the directory to place the generated binary distribution.

    afs_devel_fetch_method: "git"

The method to obtain the source code. One of 'git', or 'none' (or 'skip')
Specify 'none' (or 'skip') to skip this stage.

    afs_devel_git_repo: "https://github.com/openafs/openafs"

The git url to be used to checkout the source code.

    afs_devel_git_ref: "master"

The git branch or tag to be checked out.

## OpenAFS Test Suite Role

Name: `openafs_robotest`

Install and configure a set of Robot Framework test suites for OpenAFS.

### Role Variables

TODO

## License

BSD

## Author Information

Copyright (c) 2018-2019 Sine Nomine Associates


[1]: https://www.openafs.org/
[2]: https://web.mit.edu/kerberos/