
devops's Introduction


DevOps

This is the repository for the DevOps code which executes AAROC infrastructure. We support Ansible and Puppet.

Communicating and Collaborating.

We're on Slack. Come on over if you want to hang out and work with us. If you have something you want to help on, see Contributing.md. The usual workflow for collaboration on Github is recommended. If you want to request documentation or guides, or would like to contribute to the more 'meta' aspects, discuss these things with us on the forum.

Development Status and Roadmap

You can see the development roadmap on the project milestones. Feel free to propose new milestones based on features you would like to see.

There is a development status board at https://waffle.io/aaroc/devops; a snapshot of the current state is below.

Issues Identified Issues Diagnosed Issues in Progress Issues Ready

Contributing

See CONTRIBUTING.md

Citing


We like our code so much, we put a DOI on it! If you like it, please use it, but also cite us, so that our funders will be happy.

Getting started.

Ansible

Contribute inventory spec to Ansible/inventories/inventory.site. If your playbooks are very site-specific, create a subdirectory in Ansible/sites for your site as declared in the GOCDB and work there.

Puppet

Contribute your code to Puppet/. If your Puppet modules are site-specific, create a subdirectory in Puppet/sites for your site as declared in GOCDB and work there.

Issues

If you have questions, comments or suggestions, please open an issue and assign it the right tag.

devops's People

Contributors

ashrafkasem, bazinski, brucellino, dpavlos, fmarco76, gekaklam, gitter-badger, grbot, kalvaer, mekuanent, mtorrisi, qasims, rahimbouchra, renovate[bot], smasoka, sureronald


devops's Issues

Error deploying ldap and IdP

I was testing out an installation using ansible to deploy ldap and IdP on a new vm.
I specified the remote host to be installed in this file
root@ansible:/etc/ansible# less host_vars/
idp.eko-konnect.net.ng

Then executed the command below and got an error

root@ansible:/etc/ansible# ansible-playbook -i inventories/inventory.eko-konnect.net.ng idp-ldap.yml

PLAY [Configure the LDAP machine] *********************************************

GATHERING FACTS ***************************************************************
ok: [ldap.eko-konnect.net.ng]

TASK: [fmarco76.firewall | Retrieve iptables rules] ***************************
ok: [ldap.eko-konnect.net.ng]

TASK: [fmarco76.firewall | Count iptables rules] ******************************
ok: [ldap.eko-konnect.net.ng]

TASK: [fmarco76.firewall | Apply rules for the local network] *****************
skipping: [ldap.eko-konnect.net.ng] => (item=389)
skipping: [ldap.eko-konnect.net.ng] => (item=636)

TASK: [fmarco76.firewall | Apply rules for the defined network] ***************
skipping: [ldap.eko-konnect.net.ng] => (item=389)
skipping: [ldap.eko-konnect.net.ng] => (item=636)

TASK: [fmarco76.firewall | Apply nat rules] ***********************************
skipping: [ldap.eko-konnect.net.ng] => (item=389)
skipping: [ldap.eko-konnect.net.ng] => (item=636)

TASK: [fmarco76.firewall | Save iptable rules] ********************************
skipping: [ldap.eko-konnect.net.ng]

TASK: [fmarco76.firewall | Save iptable rules] ********************************
skipping: [ldap.eko-konnect.net.ng]

TASK: [ldap | Install the openldap and required Packages for RedHat] **********
ok: [ldap.eko-konnect.net.ng] => (item=openldap,openldap-servers,openldap-clients)

TASK: [ldap | Install the openldap and required Packages for Debian] **********
skipping: [ldap.eko-konnect.net.ng]

TASK: [ldap | Start ldap server] **********************************************
ok: [ldap.eko-konnect.net.ng]

TASK: [ldap | Retrieve ldap server configuration] *****************************
ok: [ldap.eko-konnect.net.ng]

TASK: [ldap | Copy modules file LDIF] *****************************************
skipping: [ldap.eko-konnect.net.ng]

TASK: [ldap | Add modules (Debian)] *******************************************
skipping: [ldap.eko-konnect.net.ng]

TASK: [ldap | Add modules (RedHat)] *******************************************
skipping: [ldap.eko-konnect.net.ng]

TASK: [ldap | Restart ldap server] ********************************************
skipping: [ldap.eko-konnect.net.ng]

TASK: [ldap | Create db LDIF] *************************************************
failed: [ldap.eko-konnect.net.ng] => {"failed": true}
msg: Aborting, target uses selinux but python bindings (libselinux-python) aren't installed!

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
to retry, use: --limit @/root/idp-ldap.retry

ldap.eko-konnect.net.ng : ok=9 changed=0 unreachable=0 failed=1

wrong permissions on /opt/shibboleth.

TASK: [shibboleth-idp | Create Attribute Filters] ***************************** 
failed: [idp.zamren.zm] => {"failed": true, "md5sum": "3af942ff5194b2bf6ee05aaa36a6c162"}
msg: Destination /opt/shibboleth-idp not writable

Error deploying ldap and IdP

Hello Bruce,
I am using the ansible scripts you created from this site to try to build mine. After installing libselinux1-dev, I continued with my installation and got this error.

TASK: [ldap | Add Organisations to the server] ********************************
skipping: [ldap.eko-konnect.net.ng]

TASK: [ldap | Retrieve ldap default policy] ***********************************
ok: [ldap.eko-konnect.net.ng]

TASK: [ldap | Copy Default policies] ******************************************
ok: [ldap.eko-konnect.net.ng]

TASK: [ldap | Apply overlays] *************************************************
failed: [ldap.eko-konnect.net.ng] => {"changed": true, "cmd": ["ldapadd", "-x", "-w", "xxxxxxx", "-D", "cn=admin,dc=local", "-H", "ldap:///", "-f", "/tmp/ppolicy.ldif"], "delta": "0:00:00.042152", "end": "2014-10-15 12:02:23.453403", "rc": 32, "start": "2014-10-15 12:02:23.411251"}
stderr: ldap_add: No such object (32)
matched DN: dc=local
stdout: adding new entry "cn=default,ou=policies,dc=local"

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
to retry, use: --limit @/root/idp-ldap.retry

ldap.eko-konnect.net.ng : ok=18 changed=0 unreachable=0 failed=1

Add a test to see whether superuser is already in the LDAP directory

The LDAP directory has a superuser, which is added and configured by the ldap role.

We need to add a conditional to only perform this when the user is not already present.

- name: Create the root user
  user: ansible
  sudo: True
  command: 
# when: root user is not already in the tree
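One way to write the conditional this issue asks for, as an added example rather than the project's role code: look the entry up first and run ldapadd only when ldapsearch returns 32 (No such object). The variable names are assumptions; the bind flags mirror the ldapadd calls in the logs on this page, and no_log keeps the bind password out of task output.

```yaml
# Added example, not the project's ldap role.
# Assumed (hypothetical) variables: ldap_admin_dn, ldap_admin_password,
# ldap_superuser_dn (DN of the entry to test for) and
# ldap_superuser_ldif (path of the LDIF that creates it).

- name: Check whether the root user is already in the tree
  ansible.builtin.command:
    argv:
      - ldapsearch
      - "-x"
      - "-LLL"
      - "-H"
      - "ldap:///"
      - "-D"
      - "{{ ldap_admin_dn }}"
      - "-w"
      - "{{ ldap_admin_password }}"
      - "-b"
      - "{{ ldap_superuser_dn }}"
      - "-s"
      - base                 # look at exactly this DN, not the subtree
      - "(objectClass=*)"
      - dn
  register: superuser_lookup
  changed_when: false        # a lookup never changes the directory
  # rc 0 = entry found, rc 32 = No such object; anything else is a real error
  failed_when: superuser_lookup.rc not in [0, 32]
  no_log: true               # argv contains the bind password

- name: Create the root user
  ansible.builtin.command:
    argv:
      - ldapadd
      - "-x"
      - "-H"
      - "ldap:///"
      - "-D"
      - "{{ ldap_admin_dn }}"
      - "-w"
      - "{{ ldap_admin_password }}"
      - "-f"
      - "{{ ldap_superuser_ldif }}"
  when: superuser_lookup.rc == 32   # only when the entry is missing
  no_log: true
```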

Sudoers file for nagios-dev corrupt

The bootstrap play is failing on the nagios-dev machine and has borked sudo access to the ansible user.

TASK: [bootstrap | include (only) my rsa key in authorized_keys] ************** 
failed: [nagios-dev.c4.csir.co.za] => {"failed": true, "md5sum": "228fc5a3cc6638e62c47bb94db711f28", "parsed": false}
>>> /etc/sudoers: /etc/sudoers.d near line 117 <<<
sudo: parse error in /etc/sudoers near line 117
sudo: no valid sudoers sources found, quitting

can't access the OpenNebula web interface yet to reset since my cert has expired.
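A guard against this failure mode, as an added example that is not the project's bootstrap role: write the sudo rule to a drop-in file and let Ansible run visudo on the candidate file before it is moved into place, so a file that does not parse is never installed. The drop-in file name and the rule text are assumptions.

```yaml
# Added example, not the project's bootstrap role.
# /etc/sudoers.d/ansible and the rule below are assumed names/content.

- name: Make sure /etc/sudoers reads the drop-in directory
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    line: "#includedir /etc/sudoers.d"   # the leading '#' is part of the directive
    state: present
    # %s is the temporary copy; the real file is replaced only if visudo accepts it
    validate: /usr/sbin/visudo -cf %s
  become: true

- name: Update sudoers to ensure ansible user can sudo
  ansible.builtin.copy:
    dest: /etc/sudoers.d/ansible
    content: "ansible ALL=(ALL) NOPASSWD: ALL\n"
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s
  become: true
```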

host-based authentication setup role fails (in roles/common)

Seems like there is a problem parsing the variable hosts in the common playbook

TASK: [common | Setup SSH known hosts file] *********************************** 
fatal: [site-bdii-dev.c4.csir.co.za] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'hosts' is undefined", 'failed': True}
fatal: [site-bdii-dev.c4.csir.co.za] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'hosts' is undefined", 'failed': True}

Installing sagrid.ac.za: incorrect VOMS DN

Any clues where to look?

INFO: Executing function: config_glite_ui
INFO: Executing function: config_vomses
ERROR: VOMSES parameter for VO 'sagrid.ac.za' has incorrect DN or alias
ERROR: Error during the execution of function: config_vomses
ERROR: Error during the configuration.Exiting. [FAILED]
ERROR: One of the functions returned with error without specifying its nature !

no mpi flavours enabled

Yaim is complaining that no mpi flavours are enabled, we need to add one or more to the variables file.

site services tested

This ticket should be closed when all site services configurations have been successfully tested.

iptables config in playbook problem

when running the preflight-check playbook, we get the following error reported by the firewall config task :

iptables: Applying firewall rules: iptables-restore: line 13 failed [FAILED]

Error on Registering to IdP

Hi all,
Since my IdP got hacked and was redeployed afresh by the same procedures at https://wiki.shibboleth.net/confluence/display/SHIB2/IdPInstall, I have the problem whereby I am not able to register.
I configured the mail connector as well but I am still getting the same error, as follows:

description: The server encountered an internal error () that prevented it from fulfilling this request."
exception: it.infn.ct.security.actions.MailException: Mail Resource not available
it.infn.ct.security.actions.AddUser.sendMail(AddUser.java:326)
it.infn.ct.security.actions.AddUser.execute(AddUser.java:70)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

You may try to register over here: https://idp.ternet.or.tz/register

Any assistance please.
Rgds,
Damas

wn not in wn-list

INFO: Executing function: config_wn_info 
   ERROR: The WN you are configuring is not defined in the WN_LIST file /opt/glite/yaim/etc/ZA-MERAKA/siteinfo/wn-list.conf

bootstrap playbook failing at ZAMREN

bootstrap play gives:

failed: [idp.zamren.zm] => (item=python-simplejson,iptables,iptables-persistent,mlocate,initscripts,chkconfig,openssh-client) => {"failed": true, "item": "python-simplejson,iptables,iptables-persistent,mlocate,initscripts,chkconfig,openssh-client"}
msg: No package matching 'chkconfig' is available

Liferay Deployment

I am trying to install Liferay on tomcat. Tomcat is installed at /usr/share/tomcat, then I deployed the war and dependency files of Liferay. At the end I have the "Basic Configuration" page when pointing to http://sgw.ternet.or.tz:8080/ which I thought is OK.

If I fill in the Portal name, Administrative first and last name as well as email address, and click Finish configuration, it redirects me to http://sgw.ternet.or.tz/c/portal/setup_wizard and gives me the error: The requested URL /c/portal/setup_wizard was not found on this server.

I tried the procedures at https://www.liferay.com/documentation/liferay-portal/6.2/user-guide/-/ai/installing-liferay-on-tomcat-7-liferay-portal-6-2-user-guide-15-en

Initially I tried to follow procedures at http://sourceforge.net/p/ctsciencegtwys/wiki/InstallLiferay611/ but failed to get any interface even over port 4848 or 8080.

Any assistance please.

Attribute filter creation fails

Pull request #84 was tested on the zamren site and failed at TASK: shibboleth-idp | Create Attribute Filters:

failed: [idp.zamren.zm] => {"failed": true, "gid": 0, "group": "root", "md5sum": "3af942ff5194b2bf6ee05aaa36a6c162", "mode": "0644", "owner": "tomcat6", "path": "/opt/shibboleth-idp/conf/attribute-filter.xml", "size": 1199, "state": "file", "uid": 107}
msg: chown failed: failed to look up user tomcat

the code is

- name: Create Attribute Filters
  copy: src=attribute-filter.xml dest={{ shibboleth_install_path }}/conf/attribute-filter.xml owner=tomcat group=root
  notify: restart tomcat

Looks like we can't chown it because the tomcat user should be "tomcat6"

ldap task problem

ERROR: multiple actions specified in task: 'template' and 'Add Password Policy to ldap server'

TERNET bootstrap

If we had to run the bootstrap against the TERNET machines, the following changes would take place :

PLAY [Bootstrap the identity machines] **************************************** 

GATHERING FACTS *************************************************************** 
ok: [41.93.32.33]
ok: [idp.ternet.or.tz]

TASK: [bootstrap | Install prerequisite packages (RedHat)] ******************** 
changed: [idp.ternet.or.tz] => (item=python-simplejson,libselinux-python,iptables,mlocate,initscripts,chkconfig,system-config-services,openssh-clients)
changed: [41.93.32.33] => (item=python-simplejson,libselinux-python,iptables,mlocate,initscripts,chkconfig,system-config-services,openssh-clients)

TASK: [bootstrap | Install some useful packages (RedHat)] ********************* 
ok: [41.93.32.33] => (item=vim-minimal)
ok: [idp.ternet.or.tz] => (item=vim-minimal)

TASK: [bootstrap | Install prerequisite packages (Debian)] ******************** 
skipping: [41.93.32.33]
skipping: [idp.ternet.or.tz]

TASK: [bootstrap | Install some useful packages (Debian)] ********************* 
skipping: [idp.ternet.or.tz]
skipping: [41.93.32.33]

TASK: [bootstrap | create ansible user] *************************************** 
changed: [41.93.32.33]
changed: [idp.ternet.or.tz]

TASK: [bootstrap | create ansible user] *************************************** 
skipping: [41.93.32.33]
skipping: [idp.ternet.or.tz]

TASK: [bootstrap | update sudoers to ensure ansible user can sudo] ************ 
changed: [41.93.32.33]
changed: [idp.ternet.or.tz]

TASK: [bootstrap | create the authorized_keys file for the site] ************** 
changed: [41.93.32.33]
changed: [idp.ternet.or.tz]

PLAY RECAP ******************************************************************** 
41.93.32.33                : ok=6    changed=4    unreachable=0    failed=0   
idp.ternet.or.tz           : ok=6    changed=4    unreachable=0    failed=0   

host keys for host-based authentication.

The common role has a task to enable ssh communication amongst all the nodes. However, this presumes that the host keys are known... the playbook is failing at the moment:

fatal: [site-bdii-dev.c4.csir.co.za] => {'msg': "AnsibleUndefinedVariable: One or more undefined variables: 'dict object' has no attribute 'ansible_ssh_host_key_dsa_public'", 'failed': True}

unable to fix ldap

TASK: [fmarco76.IDPPublic | Fix ldap server] ********************************** 
failed: [idp.zamren.zm] => {"failed": true}
msg: this module requires key=value arguments (['dest={#', 'ansible_env.HOME', '#}/idpFrontEnd/IDPPublic-{#', 'IDPPublic_release', '#}/src/java/ldap.properties', 'regexp=^url=ldaps://idp.sagrid.ac.za:636$', 'replace=url=ldap://{# ldap_server #}:389'])

Task 'adding root node' fails at ZAMREN

failed: [ldap.zamren.zm] => {"changed": true, "cmd": ["ldapadd", "-x", "-w", "thisismyldapadminpassword", "-D", "cn=admin,dc=local", "-H", "ldap:///", "-f", "/tmp/root.ldif"], "delta": "0:00:00.017994", "end": "2014-09-30 16:25:32.181604", "rc": 21, "start": "2014-09-30 16:25:32.163610", "warnings": []}
stderr: ldap_add: Invalid syntax (21)
    additional info: o: value #0 invalid per syntax
stdout: adding new entry "dc=local"

The password that it's using is specified in the group vars, but since it says invalid syntax I don't think this is a password problem.

Error running bootstrap

Dear All,
I ran into this error while trying out my ldap deployment. I have created the keys on both systems and I can ssh without supplying a password.

ansible@ansible:/etc/ansible$ ansible-playbook -i inventories/inventory.eko-konnect.net.ng bootstrap.yml

PLAY [Bootstrap the identity machines] ****************************************

GATHERING FACTS ***************************************************************
ok: [idp.eko-konnect.net.ng]

TASK: [bootstrap | check connectivity] ****************************************
changed: [idp.eko-konnect.net.ng]

TASK: [bootstrap | use Google public DNS if necessary] ************************
skipping: [idp.eko-konnect.net.ng]

TASK: [bootstrap | Install prerequisite packages (RedHat)] ********************
skipping: [idp.eko-konnect.net.ng]

TASK: [bootstrap | Install some useful packages (RedHat)] *********************
skipping: [idp.eko-konnect.net.ng]

TASK: [bootstrap | Install prerequisite packages (Debian)] ********************
ok: [idp.eko-konnect.net.ng] => (item=python-simplejson,iptables,iptables-persistent,mlocate,initscripts,openssh-client)

TASK: [bootstrap | Install some useful packages (Debian)] *********************
ok: [idp.eko-konnect.net.ng] => (item=htop,vim)

TASK: [bootstrap | create ansible user] ***************************************
skipping: [idp.eko-konnect.net.ng]

TASK: [bootstrap | create ansible user] ***************************************
ok: [idp.eko-konnect.net.ng]

TASK: [bootstrap | update sudoers to ensure ansible user can sudo] ************
ok: [idp.eko-konnect.net.ng]

TASK: [bootstrap | create the authorized_keys file for the site] **************
failed: [idp.eko-konnect.net.ng] => {"failed": true, "gid": 1000, "group": "ansible", "mode": "0644", "owner": "ansible", "path": "/home/ansible/.ssh/authorized_keys", "size": 791, "state": "file", "uid": 1000}
msg: chown failed: failed to look up user ansible:ansible

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
to retry, use: --limit @/home/ansible/bootstrap.retry

idp.eko-konnect.net.ng : ok=6 changed=1 unreachable=0 failed=1

No route to host

It seems the firewall comes up on the remote host after the bootstrap playbook and there is no connection to the host from the controller.
Any clues?

root@ansible:/etc/ansible# ansible-playbook -i inventories/inventory.eko-konnect.net.ng idp-ldap.yml -vvvv

PLAY [Configure the LDAP machine] *********************************************

GATHERING FACTS ***************************************************************
<196.45.48.221> ESTABLISH CONNECTION FOR USER: ansible
<196.45.48.221> REMOTE_MODULE setup
<196.45.48.221> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'HostbasedAuthentication=yes', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=ansible', '-o', 'ConnectTimeout=10', '196.45.48.221', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1414146840.13-269485195426640 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1414146840.13-269485195426640 && echo $HOME/.ansible/tmp/ansible-tmp-1414146840.13-269485195426640'"]
fatal: [196.45.48.221] => SSH encountered an unknown error. The output was:
OpenSSH_5.9p1 Debian-5ubuntu1.3, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 196.45.48.221 [196.45.48.221] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 196.45.48.221 port 22: No route to host
ssh: connect to host 196.45.48.221 port 22: No route to host

TASK: [fmarco76.firewall | Retrieve iptables rules] ***************************
FATAL: no hosts matched or all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
to retry, use: --limit @/root/idp-ldap.retry

196.45.48.221 : ok=0 changed=0 unreachable=1 failed=0

WMS configuration failed (Mysql passwords)

on WMS dev play :

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
glite-lb-setup: ERROR: Can't access MySQL database. You may need to set MYSQL_USER and MYSQL_PASSWORD variables.
   ERROR: One of the functions returned with error without specifying its nature !

mysql password looks incorrect.
