alfresco-ansible-deployment's Issues

Unable to create new user with new installation 7.3 Community with this github deployment

Bug description

I make new install of Alfresco 7.3 with the last github alfresco-ansible-deployment on multiple platforms like CentOS 7, CentOS 8 and Ubuntu 22.04. On all installations, I always encounter the same problem: Failure, We couldn't create user.
There are also other functions that do not work. I don't seem to have permission to use Alfresco 7.3 Community. I don't see any errors during installation and no errors in the logs. Any clues?

Target OS

Ubuntu 22.04

Ansible error

No error

Installation on VMware Ubuntu 22.04 Desktop.
git clone https://github.com/Alfresco/alfresco-ansible-deployment.git
cd alfresco-ansible-deployment/
pip install --user pipenv
sudo apt install pipenv -y
cd playbooks/
pipenv install --deploy
cd ..
pipenv run ansible-galaxy install -r requirements.yml
pipenv run ansible-playbook --ask-vault-pass playbooks/acs.yml
openssl rand -base64 21 > ~/.vault_pass.txt

export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
pipenv run ansible-playbook -e vault_init=encrypted_variables playbooks/secrets-init.yml
pipenv run ansible-playbook playbooks/acs.yml -i inventory_local.yml -e "@community-extra-vars.yml"

(I access with my web browser to /share, login with admin,admin, go to Admin Tools and try to create New User
Failure, We couldn't create user. When I submit form)

PLAY RECAP *********************************************************************************************************************************************
localhost : ok=207 changed=112 unreachable=0 failed=0 skipped=206 rescued=0 ignored=0

Alfresco Community deployment with ansible pg_hba.conf.j2 local_addr error

Hello everyone,

I am discovering Ansible, I need your expertise for this error message:

TASK [../roles/postgres : Configure postgresql client auth] *********************************************************************************************************************************************************************************
task path: /opt/ansiblealfresco/alfresco-ansible-deployment-2.0.0/roles/postgres/tasks/main.yml:41
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: root
<localhost> EXEC /bin/sh -c 'echo ~root && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1657639107.27-13718-160893885570647 `" && echo ansible-tmp-1657639107.27-13718-160893885570647="` echo /root/.ansible/tmp/ansible-tmp-1657639107.27-13718-160893885570647 `" ) && sleep 0'
<localhost> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1657639107.27-13718-160893885570647/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "msg": "AnsibleUndefinedVariable: 'unicode object' has no attribute 'local_addr'"
}

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
localhost                  : ok=17   changed=0    unreachable=0    failed=1    skipped=9    rescued=0    ignored=0

I am playing this command:

# ansible-playbook playbooks/acs.yml -i inventory_local.yml -e "@community-extra-vars.yml" -vvv

I found out the 'local_addr' is in the pg_hba.conf.j2 but I have no clue how to resolve it.

Need a little help please :D

Regards, Alexandre

alfresco-content-monitored will stop Alfresco if curl is not installed

Bug description

Ubuntu 20.04 doesn't have curl utility installed by default, it is causing that /opt/alfresco/alfresco-content-monitored-startup.sh is failing and will stop Alfresco in a few mins after successful startup.

I used the latest code in master branch from 29May2022.

Target OS

Ubuntu 20.04

Ansible error

NA

static user group management can break more easily

Users and groups are created with a static uid/gid.
If that uid/gid already exist on the target server the playbook fails and installation stops at a very early stage.
The fact uid & gid used are 1001 makes this issue very likely to happen as 1001 would be the first uid/gid allocated to user or groups created on a newly installed system (considering most distribution will create an admin user in addition to root during installation). So if any additional user is added the installation will fail.

Cannot Add New User With Brand New Deployment on Ubuntu 20.04.5

Ansible Deployment Release: (Latest) v2.1.0 (ACS 7.2.1)
OS: Ubuntu 20.04.5
vars/secret.yml :

repo_db_password: 'name1'
sync_db_password: 'name1'
reposearch_shared_secret: 'name1'
activemq_password: 'name1'

Ran the installation using pipenv without error.

  1. Logged in as admin/admin
  2. Pressed "Admin Tools"
  3. Pressed "Users"
  4. Pressed "New User"
  5. Filled Out Form by answering only required questions
  6. Pressed "Create User"

Error message: Failure / We couldn't create user .

Cannot find relevant Error message in logs.

I can't open alfresco content application

Hello! I installed alfresco using ansible method of installation from this site
https://docs.alfresco.com/content-services/community/install/ansible/

When I open it in browser, there is no alfresco content application.
There is a blank window. But there should be identification window to alfresco content application.
I can enter alfresco using this link 192.168.1.161/share. But I also need alfresco content application.
How can I switch on or install alfresco content application? This is sharing files in alfresco.
You can see on the first picture where I have no window with alfresco content application.
And on the second picture I have window with alfresco content application. I installed alfresco with docker.
But I need this application with ansible method of installation.

nginx log files have wrong SELinux label on RHEL 8.6

Bug description

I'm not sure how this situation occurred, but after updating my system to RHEL 8.6, I was unable to start nginx due to incorrect SELinux labels on /var/log/alfresco/nginx.alfresco.access.log and /var/log/alfresco/nginx.alfresco.error.log.

My solution was to add an fcontext mapping to change the type to httpd_log_t:

sudo semanage fcontext --add --type 'httpd_log_t' '/var/log/alfresco/nginx.*'
sudo restorecon -v /var/log/alfresco/nginx.alfresco.{access,error}.log

Target OS

RHEL 8.6

Ansible error

N/A

Proposal

Include a task to add an fcontext mapping, e.g.

- name: Allow nginx to write log files to /var/log/alfresco
  community.general.sefcontext:
    target: '/var/log/alfresco/nginx.*'
    setype: httpd_log_t
    state: present

- name: Apply new SELinux file context to filesystem
  # ansible.builtin.command does not expand globs, so the wildcard needs a shell
  ansible.builtin.shell: restorecon -iv /var/log/alfresco/nginx.*

OnlyOffice Issue?

Hey, after installing Alfresco via Ansible I've got a strange situation with OnlyOffice integration.
It's all done by the book, but I'm getting

ERROR [web.context.ContextLoader] [main] Context initialization failed org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'patch.updateAdminUserWhenDefault' defined in URL [jar:file:/var/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-8.423.jar!/alfresco/patch/patch-services-context.xml]: Invocation of init method failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'transformer.onlyoffice' defined in URL [jar:file:/var/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/lib/onlyoffice-integration-repo.jar!/alfresco/extension/onlyoffice-context.xml]: Could not resolve parent bean definition 'baseContentTransformer'; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'baseContentTransformer' available

I'm not sure where to look at

.sh files with setenv path hard coded

Hi,

It is detected that the following "sh" boot files have the path of the "setenv.sh" hard coded without using the ansible configuration path {{ config_folder }}.

The following change is proposed

## original
. /etc/opt/alfresco/setenv.sh
## change
. {{ config_folder }}/setenv.sh

Affected files

  • alfresco-ansible-deployment\roles\sfs\templates\ats-shared-fs.sh
  • alfresco-ansible-deployment\roles\sync\templates\syncservice.sh
  • alfresco-ansible-deployment\roles\transformers\templates\ats-ate-aio.sh
  • alfresco-ansible-deployment\roles\trouter\templates\ats-atr.sh

ERROR! 'notify' is not a valid attribute for a Block

Hi,

I tried alfresco-ansible-deployment v2.0 but got the following error (I tried it on two different machines; CentOS 7.9 and Oracle Linux 8.5). I hope someone can give me hint to solve this problem.

Thank you,
Matthias

PS.: Version v1.2.0 works flawless


ERROR! 'notify' is not a valid attribute for a Block

The error appears to be in '/opt/alfresco-ansible-deployment-2.0.0/roles/nginx/tasks/vhosts.yml': line 37, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: Vhosts config
  ^ here

alfresco-ansible-deployment: community-extra-vars.yml (release 7.3)

Bug description

In the community-extra-vars.yml extra var definition, a repository is referring to an 'enterprise' one?

Target OS

RHEL 8 (Actually Almalinux 8)

Ansible error

iirc couldn't open "{{ nexus_repository.enterprise_releases }}/integrations/alfresco-googledrive-repo-community"
(sorry I lost the accurate message but not be able to rerun right now :()

Ansible context

Paste the output of the following commands:

ansible --version
└─$ pipenv run ansible --version
ansible [core 2.12.10]
  config file = /home/jlst/Ansible/alfresco-ansible-deployment-2.2.0/ansible.cfg
  configured module search path = ['/home/jlst/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/jlst/.local/share/virtualenvs/alfresco-ansible-deployment-2.2.0-uRpBk9AW/lib/python3.9/site-packages/ansible
  ansible collection location = /home/jlst/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/jlst/.local/share/virtualenvs/alfresco-ansible-deployment-2.2.0-uRpBk9AW/bin/ansible
  python version = 3.9.13 (main, Nov 27 2022, 12:32:52) [GCC 12.2.0]
  jinja version = 3.1.2
  libyaml = True


ansible-config dump --only-changed
└─$ pipenv run ansible-config dump --only-changed
ANSIBLE_PIPELINING(/home/jlst/Ansible/alfresco-ansible-deployment-2.2.0/ansible.cfg) = True


ansible-inventory -i your_inventory_file --graph
└─$ pipenv run ansible-inventory -i my_inventory_ssh.yml --graph
@all:
  |--@activemq:
  |  |--activemq_1
  |--@adw:
  |  |--adw_1
  |--@database:
  |  |--database_1
  |--@elasticsearch:
  |--@external:
  |  |--@external_activemq:
  |  |--@external_elasticsearch:
  |  |--@other_repo_clients:
  |--@external_activemq:
  |--@external_elasticsearch:
  |--@nginx:
  |  |--nginx_1
  |--@other_repo_clients:
  |--@repository:
  |  |--repository_1
  |--@search:
  |  |--search_1
  |--@search_enterprise:
  |--@syncservice:
  |  |--syncservice_1
  |--@transformers:
  |  |--transformers_1
  |--@trusted_resource_consumers:
  |  |--@adw:
  |  |  |--adw_1
  |  |--@nginx:
  |  |  |--nginx_1
  |  |--@other_repo_clients:
  |  |--@repository:
  |  |  |--repository_1
  |--@ungrouped:


remove the `setenv.sh` from the java role

Bug description

This task can only be picked up after the issues below have been fixed:

The file setenv.sh is deployed by the java role using template and amended using its dependent roles, such as tomcat, search, sync, etc…

This is problematic generally speaking (in particular for idempotence) as we want to avoid cases where one part of the playbook may interfere with what another part needs to do.

Target OS

all

Ansible error

molecule idempotence test failures (currently skipped using molecule-idempotence-notest)

Acceptance criteria

  • java does not provide a setenv.sh file
  • tests are amended accordingly

free the `activemq` role from using the `setenv.sh` file

Bug description

The file setenv.sh is deployed by the java role using template and amended using its dependent roles, such as tomcat, search, sync, etc…

This is problematic generally speaking (in particular for idempotence) as we want to avoid cases where one part of the playbook may interfere with what another part needs to do.

Target OS

all

Ansible error

molecule idempotence test failures (currently skipped using molecule-idempotence-notest)

Proposed solution

A possible way around that would be to take common env variable population out of the java role and let each role do it by directly using the systemd unit file Environment= or EnvironmentFile=. As a result:

  • activemq role provides its own set of vars in a systemd unit environment file
  • no more lineinfile or blockinfile task is used to amend the setenv.sh file
  • script template no longer sources the setenv.sh file
  • clear the molecule-idempotence-notest tag from all possible tasks in the tomcat role
  • tests are amended accordingly

Enhancement: activate Garbage Collector logs

It could be useful to add a configuration to enable the GC logs on a file.
It can be activated on Repository Role adding

-Xlog:gc*:file={{ logs_folder }}/alfresco_gc-%t.log:time,uptime,level,tags

On Search Role the GC logs are already activated with the default configuration, but we can have the same Repo role configuration adding this:

GC_LOG_OPTS: "-Xlog:gc*:file={{ logs_folder }}/solr_gc-%t.log:time,uptime,level,tags"

Install all components in custom application folder (like user folder)

Hi,
I try to edit project files to install all Alfresco components (without systemd services) in a not-OS folder (like /home/alfresco/test).
It is a very hard edit. For every commit/release of this repo it is too hard to retry. I think that this "local mode" could be very useful and an important improvement for this project.
For example, for development environment, I can have multiple alfresco instance on my machine.

I hope you consider this improvement as a future milestone.

Federico

Error 401 in Transform-core-aio installation

Hi, I'm trying to install alfresco through the standard package that is available on the website for installations via ansible, but when I get to download alfresco-transform-core-aio-boot-2.3.10.jar I get a huge error.
I checked the nexus repository and I can manually download the file, do you have any idea what might be going on?

error:

fatal: [transformers_1]: FAILED! => {"msg": "An unhandled exception occurred while templating '{'acs_zip_url': '{{ nexus_repository.enterprise_releases }}org/alfresco/alfresco-content-services-distribution/{{ acs.version }}/alfresco-content-services-distribution-{{ acs.version }}.zip', 'acs_zip_sha1_checksum': "{{ lookup('url', '{{ nexus_repository.enterprise_releases }}org/alfresco/alfresco-content-services-distribution/{{ acs.version }}/alfresco-content-services-distribution-{{ acs.version }}.zip.sha1', username=lookup('env', 'NEXUS_USERNAME'), password=lookup('env', 'NEXUS_PASSWORD')) }}", 'adw_zip_url': '{{ nexus_repository.enterprise_releases }}/org/alfresco/alfresco-digital-workspace/{{ adw.version }}/alfresco-digital-workspace-{{ adw.version }}.zip', 'adw_zip_sha1_checksum': "{{ lookup('url', '{{ nexus_repository.enterprise_releases }}/org/alfresco/alfresco-digital-workspace/{{ adw.version }}/alfresco-digital-workspace-{{ adw.version }}.zip.sha1', username=lookup('env', 'NEXUS_USERNAME'), password=lookup('env', 'NEXUS_PASSWORD')) }}", 'search_zip_url': '{{ nexus_repository.releases }}/org/alfresco/alfresco-search-services/{{ search.version }}/alfresco-search-services-{{ search.version }}.zip', 'search_zip_sha1_checksum': "{{ lookup('url', '{{ nexus_repository.releases }}/org/alfresco/alfresco-search-services/{{ search.version }}/alfresco-search-services-{{ search.version }}.zip.sha1', username=lookup('env', 'NEXUS_USERNAME'), password=lookup('env', 'NEXUS_PASSWORD')) }}", 'sfs_jar_url': '{{ nexus_repository.enterprise_releases }}/org/alfresco/alfresco-shared-file-store-controller/{{ sfs.version }}/alfresco-shared-file-store-controller-{{ sfs.version }}.jar', 'sfs_jar_sha1_checksum': "{{ lookup('url', '{{ nexus_repository.enterprise_releases }}/org/alfresco/alfresco-shared-file-store-controller/{{ sfs.version }}/alfresco-shared-file-store-controller-{{ sfs.version }}.jar.sha1', username=lookup('env', 'NEXUS_USERNAME'), password=lookup('env', 
'NEXUS_PASSWORD')) }}", 'trouter_jar_url': '{{ nexus_repository.enterprise_releases }}/org/alfresco/alfresco-transform-router/{{ trouter.version }}/alfresco-transform-router-{{ trouter.version }}.jar', 'trouter_jar_sha1_checksum': "{{ lookup('url', '{{ nexus_repository.enterprise_releases }}/org/alfresco/alfresco-transform-router/{{ trouter.version }}/alfresco-transform-router-{{ trouter.version }}.jar.sha1', username=lookup('env', 'NEXUS_USERNAME'), password=lookup('env', 'NEXUS_PASSWORD')) }}", 'transform_jar_url': '{{ nexus_repository.releases }}/org/alfresco/alfresco-transform-core-aio-boot/{{ transform.version }}/alfresco-transform-core-aio-boot-{{ transform.version }}.jar', 'transform_jar_sha1_checksum': "{{ lookup('url', '{{ nexus_repository.releases }}/org/alfresco/alfresco-transform-core-aio-boot/{{ transform.version }}/alfresco-transform-core-aio-boot-{{ transform.version }}.jar.sha1', username=lookup('env', 'NEXUS_USERNAME'), password=lookup('env', 'NEXUS_PASSWORD')) }}", 'sync_zip_url': 'https://artifacts.alfresco.com/nexus/content/groups/private/org/alfresco/services/sync/sync-dist-6.x/{{ sync.version }}/sync-dist-6.x-{{ sync.version }}.zip', 'sync_zip_sha1_checksum': "{{ lookup('url', 'https://artifacts.alfresco.com/nexus/content/groups/private/org/alfresco/services/sync/sync-dist-6.x/{{ sync.version }}/sync-dist-6.x-{{ sync.version }}.zip.sha1', username=lookup('env', 'NEXUS_USERNAME'), password=lookup('env', 'NEXUS_PASSWORD')) }}"}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'url'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Received HTTP error for https://artifacts.alfresco.com/nexus/service/local/repositories/enterprise-releases/content/org/alfresco/alfresco-content-services-distribution/7.0.0/alfresco-content-services-distribution-7.0.0.zip.sha1 : HTTP Error 401: Unauthorized"}

Unable to download Nexus binaries on Ubuntu 22.04

Bug description

On Oracle Cloud Infrastructure, when I try to deploy the ACS inside an Ubuntu 22.04 OS, I get error when the playbook tries to download Nexus binaries. There are no problems for Apache ones.

Target OS

Ubuntu 22.04

operating_system: Canonical-Ubuntu-22.04-2023.07.20-0
image_id:
ocid1.image.oc1.eu-zurich-1.aaaaaaaarxcjh5ac763nuruhtigyuyyaeqpe6oop7mgimcuumauhcjwf6rsa

Ansible error

Here is the error:

Tuesday 22 August 2023  08:09:53 +0000 (0:00:02.139)       0:03:34.543 ********
 [started TASK: ../roles/transformers : Download ImageMagick distribution on oci/mop-alf-ce-tools]

TASK [../roles/transformers : Download ImageMagick distribution] *************************************************************************************************
failed: [oci/mop-alf-ce-tools] (item=imagemagick-distribution-ubuntu-22.04) => {"ansible_loop_var": "item", "changed": false, "dest": "/tmp/ansible_artefacts/imagemagick-distribution-7.1.0-16-ci-2-ubuntu-22.04.deb", "elapsed": 0, "item": "imagemagick-distribution-ubuntu-22.04", "msg": "Request failed: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>", "url": "https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.1.0-16-ci-2/imagemagick-distribution-7.1.0-16-ci-2-ubuntu-22.04.deb"}

The transformers group contains the host oci/mop-alf-ce-tools. When I try to run the playbook, it fails on the above error. Before that point, the playbook is able to download Apache-related binaries:

alfresco@mop-alf-ce-tools:/tmp/ansible_artefacts$ ls -l
total 249964
drwxrwxrwx  2 alfresco alfresco      4096 Aug 22 12:38 ./
drwxrwxrwt 15 root     root          4096 Aug 22 12:48 ../
-rw-------  1 ubuntu   ubuntu        1949 Aug 22 10:09 9c817fd05fc0d4ec5699b37650a2a3cdfcefb6ef.pem
-rw-rw-r--  1 ubuntu   ubuntu   191514138 Aug 22 10:08 OpenJDK11U-jdk_x64_linux_17.0.3_7.tar.gz
-rw-r--r--  1 ubuntu   ubuntu    64418725 Aug 22 10:09 apache-activemq-5.16.6-bin.tar.gz
-r--------  1 ubuntu   ubuntu        5857 Aug 22 10:09 fc87cf56fbd9dabb8063a767b49646c68856106b.p12
alfresco@mop-alf-ce-tools:/tmp/ansible_artefacts$

I created a small playbook with only 1 task which is this download and I got the following:

TASK [Download ImageMagick distribution] *************************************************************************************************************************
task path: /workspace/yak/component_types/alfresco_ecm/playbooks/transform.yml:6
failed: [oci/mop-alf-ce-tools] (item=imagemagick-distribution-ubuntu-22.04) => {
    "ansible_loop_var": "item",
    "changed": false,
    "dest": "/tmp/ansible_artefacts/imagemagick-distribution-7.1.0-16-ci-2-ubuntu-22.04.deb",
    "elapsed": 0,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": false,
            "checksum": "sha1:71abb87a836e3defa474551352084bf475e23373",
            "ciphers": null,
            "client_cert": null,
            "client_key": null,
            "decompress": true,
            "dest": "/tmp/ansible_artefacts/imagemagick-distribution-7.1.0-16-ci-2-ubuntu-22.04.deb",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": null,
            "http_agent": "ansible-httpget",
            "mode": "0644",
            "owner": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "timeout": 10,
            "tmp_dest": null,
            "unredirected_headers": [],
            "unsafe_writes": false,
            "url": "https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.1.0-16-ci-2/imagemagick-distribution-7.1.0-16-ci-2-ubuntu-22.04.deb",
            "url_password": null,
            "url_username": null,
            "use_gssapi": false,
            "use_netrc": true,
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "item": "imagemagick-distribution-ubuntu-22.04",
    "msg": "Request failed: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>",
    "url": "https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.1.0-16-ci-2/imagemagick-distribution-7.1.0-16-ci-2-ubuntu-22.04.deb"
}
  hosts: transformers
  gather_facts: true
  tasks:

PLAY RECAP *******************************************************************************************************************************************************
oci/mop-alf-ce-tools       : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Since it appears to be SSL related, I checked the protocol/cipher available on the Alfresco Nexus:

root@mop-alf-ce-tools:~# openssl s_client -connect artifacts.alfresco.com:443
CONNECTED(00000003)
...
---
SSL handshake has read 4858 bytes and written 474 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    ....

So it appears that from the target OS, I can connect to the Alfresco Nexus using TLS1.2 and "ECDHE-RSA-AES256-SHA" as cipher. Therefore I tried adding this cipher into the get_url module:

      get_url:
        url: "{{ pkg_url }}"
        checksum: "sha1:{{ lookup('url', pkg_url + '.sha1') }}"
        dest: "{{ download_location }}/{{ pkg_name }}"
        mode: "0644"
        ciphers:
          - ECDHE-RSA-AES256-SHA
      loop: "{{  imagemagick_packages }}"

After adding this list of 1 cipher, it's working correctly:

Tuesday 22 August 2023  11:17:47 +0000 (0:00:01.520)       0:00:01.547 ********
 [started TASK: Download ImageMagick distribution on oci/mop-alf-ce-tools]

TASK [Download ImageMagick distribution] *************************************************************************************************************************
changed: [oci/mop-alf-ce-tools] => (item=imagemagick-distribution-ubuntu-22.04)

PLAY RECAP *******************************************************************************************************************************************************
oci/mop-alf-ce-tools       : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

And the file is indeed there:

root@mop-alf-ce-tools:/tmp/ansible_artefacts# ls -ltr
total 253320
-rw-rw-r-- 1 ubuntu ubuntu 191514138 Aug 22 10:08 OpenJDK11U-jdk_x64_linux_17.0.3_7.tar.gz
-rw-r--r-- 1 ubuntu ubuntu  64418725 Aug 22 10:09 apache-activemq-5.16.6-bin.tar.gz
-r-------- 1 ubuntu ubuntu      5857 Aug 22 10:09 fc87cf56fbd9dabb8063a767b49646c68856106b.p12
-rw------- 1 ubuntu ubuntu      1949 Aug 22 10:09 9c817fd05fc0d4ec5699b37650a2a3cdfcefb6ef.pem
-rw-r--r-- 1 ubuntu ubuntu   3443106 Aug 22 13:17 imagemagick-distribution-7.1.0-16-ci-2-ubuntu-22.04.deb
root@mop-alf-ce-tools:/tmp/ansible_artefacts#

I don't know why exactly, but it seems that the default ciphers used by Ansible on Ubuntu 22.04 on OCI might not be compatible with the Alfresco Nexus and causing this to fail... Any idea on what to do to fix the issue permanently? We could of course add the list of ciphers from the Nexus into the Playbook, but that would be hardcoding some list that might change in the future...
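
An offline check for the cipher mismatch described in this issue, added here as an example (it is not code from the reporter or from the alfresco-ansible-deployment project). It lists the suites a Python client context offers and compares them with the suite the `openssl s_client` session above negotiated; Python 3.10 and later exclude SHA-1 MAC suites such as ECDHE-RSA-AES256-SHA from the default client list, which is consistent with the handshake failure reported. The function names are assumptions of this example.

```python
import ssl

# Suite the server selected in the issue's `openssl s_client` output.
SERVER_CIPHER = "ECDHE-RSA-AES256-SHA"


def enabled_ciphers(cipher_string=None):
    """Names of the TLS <= 1.2 suites a client context would offer.

    cipher_string=None keeps the interpreter defaults; otherwise it is an
    OpenSSL cipher string, i.e. the ':'-joined form of a cipher list.
    """
    ctx = ssl.create_default_context()
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured separately and are always listed; skip them.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def diagnose(server_ciphers, cipher_string=None):
    """Compare what the client offers with what the server accepts."""
    accepted = set(server_ciphers)
    offered = enabled_ciphers(cipher_string)
    common = [name for name in offered if name in accepted]
    return {
        "offered": len(offered),
        "common": common,
        "handshake_possible": bool(common),
    }


def extended_cipher_list(extra):
    """Default suites in their original order, with any missing `extra`
    suites appended last. Stronger suites stay preferred when the server
    supports them; pinning a single suite removes that fallback."""
    base = enabled_ciphers()
    return base + [name for name in extra if name not in base]


if __name__ == "__main__":
    # Result depends on the local Python/OpenSSL defaults.
    print("interpreter defaults:", diagnose([SERVER_CIPHER]))
    # Constructed cipher string that mimics a default list without SHA-1 MACs.
    print("ECDH+AES:!SHA1      :", diagnose([SERVER_CIPHER], "ECDH+AES:!SHA1"))
    # Single pinned suite, as in the task shown in the issue.
    print("pinned suite        :", diagnose([SERVER_CIPHER], SERVER_CIPHER))
    widened = extended_cipher_list([SERVER_CIPHER])
    print("widened list keeps", len(widened), "suites")
```

Run on the target host with the same Python interpreter Ansible uses there, since the module's TLS defaults come from that interpreter. The widened list is the same kind of value the `ciphers:` option in the task above takes.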

"Ensure a list of packages installed" task failed with ansible 2.13

Bug description

I'm installing alfresco community edition 7.2 on CentOS 7 with Python 3.8 and Ansible 2.13. It fails with the following error:

TASK [../roles/repository : Ensure a list of packages installed] ***************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "It appears that a space separated string of packages was passed in as an argument. To operate on several packages, pass a comma separated string of packages or a list of packages."}

The task in roles/repository/tasks/main.yml looks like:

- name: Ensure a list of packages installed
  become: true
  package:
    name: "{{ utils_repo }} + {{ utils_storage[cs_storage.type | default('tmpfs')] }}"
    state: present

Target OS

CentOS 7

Ansible error

TASK [../roles/repository : Ensure a list of packages installed] ***************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "It appears that a space separated string of packages was passed in as an argument. To operate on several packages, pass a comma separated string of packages or a list of packages."}

Ansible context

Paste the output of the following commands:

ansible --version
ansible [core 2.13.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /root/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /root/.local/bin/ansible
  python version = 3.8.10 (default, Aug 24 2022, 18:42:19) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
  jinja version = 3.0.3
  libyaml = True
ansible-config dump --only-changed
ansible-inventory -i your_inventory_file --graph
@all:
  |--@activemq:
  |  |--@repository:
  |  |  |--localhost
  |--@adw:
  |  |--@repository:
  |  |  |--localhost
  |--@database:
  |  |--@repository:
  |  |  |--localhost
  |--@external:
  |  |--@external_activemq:
  |--@external_activemq:
  |--@nginx:
  |  |--@repository:
  |  |  |--localhost
  |--@repository:
  |  |--localhost
  |--@search:
  |  |--@repository:
  |  |  |--localhost
  |--@syncservice:
  |  |--@repository:
  |  |  |--localhost
  |--@transformers:
  |  |--@repository:
  |  |  |--localhost
  |--@ungrouped:

Rely on galaxy role to deploy postgresql DB

Task description

ℹ️ This task requires to be familiar with Alfresco and understand the architecture of its platform.

Currently playbook deploys a very basic PostgreSQL instance for the sole sake of convenience. There are other (and probably better) playbooks on galaxy to deploy PostgreSQL. We would like to rely on using 3rd party roles for deploying 3rd party components (as it's been done lately for the elasticsearch role)

Target OS

Ideally all supported OS (as in supported by the playbook)

Acceptance Criteria

  • role needs to be maintained
  • role must not be copied and edited
  • role can be wrapped
  • Role inclusion must not change the inventory structure (no new group or subgroup)
  • Version of deployed ActiveMQ can be set so it matches each ACS supported matrix

Get rid of ports variable

In port_cfg variable there are references to a ports variable that is not defined anywhere and it's fine for users to just override values in ports_cfg when needed.

Remove any reference to ports.* and replace with plain default port value.

Make the `helper_modules` role a simple task file

We have introduced a while ago a playbook which can be run before running the deployment playbook, in order to check required TCP ports are available from and to the appropriate machines.
This has been implemented within a role. Which does the following:

  • checks on the destination host (where the port needs to be available) that no other service is running
  • starts listening on the port
  • try connecting from the source to the opened port

While the logic is fine we think it doesn't make sense to use a role for that. The purpose of this ticket is to achieve:

  • Removal of the role
  • Move the custom listen_port module to the main playbook
  • Creation of a task file and call it from the prerequisite-checks.yml playbook

free the `transformers` role from using the `setenv.sh` file

Bug description

The file setenv.sh is deployed by the java role using template and amended using its dependent roles, such as tomcat, search, sync, etc…

This is problematic generally speaking (in particular for idempotence) as we want to avoid cases where one part of the playbook may interfere with what another part needs to do.

Target OS

all

Ansible error

molecule idempotence test failures (currently skipped using molecule-idempotence-notest)

Acceptance criteria

A possible way around that would be to take common env variable population out of the java role and let each role do it by directly using the systemd unit file Environment= or EnvironmentFile=. As a result:

  • transformers role provides its own set of vars in a systemd unit environment file
  • no more lineinfile or blockinfile task is used to amend the setenv.sh file
  • script template no longer sources the setenv.sh file
  • clear the molecule-idempotence-notest tag from all possible tasks in the transformers role
  • tests are amended accordingly

cannot deploy on ubuntu 20.04 distribution.

I need a production installation of Alfresco Community Edition and do not get very good performance out of the Docker builds (I'm also just not a very big fan of Docker). I wanted to try the Ansible scripts, but there is no playbook for Ubuntu 20.04. When I try to follow the installation notes I get this error (see attached).

Include OS specific variables fails for Ubuntu

The associated Ubuntu variables for the "Include OS specific variables" tasks do not exist. As such, deployment to Ubuntu environments will fail. Per the docs (https://github.com/Alfresco/alfresco-ansible-deployment/tree/master/docs) it should be supported.

Example Task from roles/common/tasks/main.yml:

# tasks file for central
- name: Include OS specific variables
  include_vars: "{{ ansible_distribution }}{{ ansible_distribution_major_version }}.yml"

Files for RHEL and CentOS exist (e.g., RedHat7.yml and CentOS7.yml). For Ubuntu 20.04, it looks for a Ubuntu20.yml file that does not exist in the deployment repo.

jinja2 - vhost config task

Bug description

Installation of ACS 7.2 using Ansible deployment v2 has several issues. One of them is related to jinja2 once following command is executed: $ ansible-playbook playbooks/acs.yml -i inventory_ssh.yml. Error is mentioned below.

FYI, I am using WSL2 with Ubuntu 20

Expected behavior: No error and smooth installation.

Target OS

RHEL 8.3

Ansible error

TASK [../roles/nginx : Add managed vhost config files.] ********
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: jinja2.exceptions.TemplateRuntimeError: no test named 'true'
failed: [nginx_1] (item={'listen': '80', 'root': '/usr/share/nginx/html', 'index': 'index.html index.htm', 'filename': 'alfresco.conf'}) => {"ansible_loop_var": "item", "changed": false, "item": {"filename": "alfresco.conf", "index": "index.html index.htm", "listen": "80", "root": "/usr/share/nginx/html"}, "msg": "TemplateRuntimeError: no test named 'true'"}

Ansible context

ansible --version
ansible [core 2.12.4]
  config file = /home/alfresco/git/alfresco-ansible-deployment/ansible.cfg
  configured module search path = ['/home/alfresco/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/alfresco/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
  jinja version = 2.10.1
  libyaml = True
ansible-config dump --only-changed
ANSIBLE_PIPELINING(/home/alfresco/git/alfresco-ansible-deployment/ansible.cfg) = True
ansible-inventory -i your_inventory_file --graph
@all:
  |--@activemq:
  |  |--activemq_1
  |--@adw:
  |  |--adw_1
  |--@database:
  |  |--database_1
  |--@external:
  |  |--@external_activemq:
  |--@external_activemq:
  |--@nginx:
  |  |--nginx_1
  |--@repository:
  |  |--repository_1
  |--@search:
  |  |--search_1
  |--@syncservice:
  |  |--syncservice_1
  |--@transformers:
  |  |--transformers_1
  |--@ungrouped:

Missing environment variables TOMCAT_HOME

Bug description

After resolving issues in #328 and not handling errors reported in #329, I can see that Alfresco cannot startup because of missing environment variables.

If I start Alfresco repository by sudo systemctl start alfresco-content.service, I get error message visible using journalctl -xe:

Apr 23 11:46:40 tomcat.sh[31057]: /bin/bash: /bin/catalina.sh: No such file or directory
Apr 23 11:46:40 systemd[1]: alfresco-content.service: Control process exited, code=exited status=127
Apr 23 11:46:40 systemd[1]: alfresco-content.service: Failed with result 'exit-code'.

The same error message can be seen if I run startup command directly by alfresco user:

$ /opt/alfresco/tomcat.sh start
/bin/bash: /bin/catalina.sh: No such file or directory

The problem is caused by missing environment variables. If I run part of tomcat.sh manually, I can see that value for "CATALINA_HOME" is empty:

$ . /etc/opt/alfresco/setenv.sh
$ export CATALINA_HOME=${TOMCAT_HOME}
$ env | grep CATA
CATALINA_HOME=

The problem here is caused already by missing "TOMCAT_HOME"

Target OS

RHEL 8.3

Ansible error

The error is not visible during Ansible deploy but after that once Alfresco repository is started.

Ansible context

Same as #328
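
The failure reported above can be caught before the service starts. This added example (not code from the playbook) parses a setenv.sh-style file, expands ${VAR} references the way the shell does for unset names, and reports which required variables end up empty; the sample file contents, the JAVA_HOME and TOMCAT_HOME values and the function names are constructed for illustration.

```python
import re

_ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample: a setenv.sh that never defines TOMCAT_HOME.
BROKEN_SETENV = """\
# constructed sample, not the file shipped by the playbook
export JAVA_HOME=/opt/openjdk
export PATH="${JAVA_HOME}/bin:${PATH}"
"""

# Same file with the missing variable added (constructed value).
FIXED_SETENV = BROKEN_SETENV + "export TOMCAT_HOME=/opt/apache-tomcat-9.0.59\n"

# The assignment run after sourcing setenv.sh, as quoted in the report.
LAUNCHER_LINE = "export CATALINA_HOME=${TOMCAT_HOME}"


def load_env(text, base=None):
    """Evaluate simple NAME=value / export NAME=value lines in order."""
    env = dict(base or {})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if not match:
            continue  # anything that is not a plain assignment is ignored
        name, value = match.group(1), match.group(2).strip()
        quote = ""
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            quote, value = value[0], value[1:-1]
        if quote != "'":
            # Like the shell without `set -u`: an unset name expands to "".
            value = _REF.sub(lambda ref: env.get(ref.group(1) or ref.group(2), ""), value)
        env[name] = value
    return env


def missing_required(env, required):
    """Names that are unset or empty after evaluation."""
    return [name for name in required if not env.get(name)]


def launcher_path(env):
    """Path the start script would execute: $CATALINA_HOME/bin/catalina.sh."""
    return env.get("CATALINA_HOME", "") + "/bin/catalina.sh"


if __name__ == "__main__":
    env = load_env(BROKEN_SETENV + LAUNCHER_LINE, {"PATH": "/usr/bin"})
    print(missing_required(env, ["JAVA_HOME", "TOMCAT_HOME", "CATALINA_HOME"]))
    print(launcher_path(env))
```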

free the `repository` role from using the `setenv.sh` file

Bug description

The file setenv.sh is deployed by the java role using template and amended using its dependent roles, such as tomcat, search, sync, etc.

This is problematic generally speaking (in particular for idempotence) as we want to avoid cases where one part of the playbook may interfere with what another part needs to do.

Target OS

all

Ansible error

molecule idempotence test failures (currently skipped using molecule-idempotence-notest)

Acceptance criteria

A possible way around that would be to take common env variable population out of the java role and let each role do it by directly using the systemd unit file Environment= or EnvironmentFile=. As a result:

  • repository role provides its own set of vars in a systemd unit environment file
  • no more lineinfile or blockinfile task is used to amend the setenv.sh file
  • script template no longer sources the setenv.sh file
  • clear the molecule-idempotence-notest tag from all possible tasks in the repository role
  • tests are amended accordingly

free the `tomcat`role from using the `setenv.sh` file

Bug description

The file setenv.sh is deployed by the java role using template and amended using its dependent roles, such as tomcat, search, sync, etc.

This is problematic generally speaking (in particular for idempotence) as we want to avoid cases where one part of the playbook may interfere with what another part needs to do.

Target OS

all

Ansible error

molecule idempotence test failures (currently skipped using molecule-idempotence-notest)

Acceptance criteria

A possible way around that would be to take common env variable population out of the java role and let each role do it by directly using the systemd unit file Environment= or EnvironmentFile=. As a result:

  • tomcat role provides its own set of vars in a systemd unit environment file
  • no more lineinfile or blockinfile task is used to amend the setenv.sh file
  • script template no longer sources the setenv.sh file
  • clear the molecule-idempotence-notest tag from all possible tasks in the tomcat role
  • tests are amended accordingly

Rely on galaxy role to deploy NGINX proxy

Task description

ℹ️ This task requires to be familiar with Alfresco and understand the architecture of its platform.

Currently the playbook deploys a very basic Nginx instance for the sole sake of convenience. There are other (and probably better) playbooks on Galaxy to deploy Nginx. We would like to rely on using 3rd party roles for deploying 3rd party components (as it's been done lately for the elasticsearch role).

Target OS

Ideally all supported OS (as in supported by the playbook)

Acceptance Criteria

  • role needs to be maintained
  • role must not be copied and edited
  • role can be wrapped
  • Role inclusion must not change the inventory structure (no new group or subgroup)

Verify accuracy of documentation statement

Description

Hello, could you please help to check the accuracy of deployment-guide.md line 267 as well as deployment-guide.md line 271?

line 267: it's written port 80 for the ADW, shouldn't this be 8880 instead? (or maybe it should be removed completely since ADW needs to be on the Nginx host at the moment (unless this was fixed/changed?) and therefore communications would only happen locally from Nginx to 8880 port of ADW).

line 271: the playbook prerequisite-checks.yml is currently trying to connect from the repository host to the SFS / TRouter ports but according to the doc, these 2 ports are only used locally. Do you know what would be the correct statement? I assume that the 3 ports should be accessible from the Repository since we configure these details on the alfresco-global.properties but I'm not certain.

I'm currently writing some code to handle the firewall configuration and would appreciate some help with these details, to finish the checks and possibly fix the missing elements in the doc/existing playbooks as well.

Target OS

All

Ansible error

No specific errors, just some documentation and potentially some playbook adaptation needed depending on the correct statement.

Thanks for the check and the feedback!

7.2.x extra vars not included in 2.1 release.

Bug description

The tagged scripts for the 2.1 release do not include the 7.2.x 'extra vars' script. The 7.1.x script as the name suggests is only configured to download 7.1.1.

The Hyland documentation links to version 2.0 (https://docs.alfresco.com/content-services/latest/install/ansible/ -> https://nexus.alfresco.com/nexus/service/local/repositories/releases/content/org/alfresco/alfresco-ansible-deployment/2.0.0/alfresco-ansible-deployment-2.0.0.zip), so this is what most users will use, but it does not download 7.2.x components.

It was found that when modifying the 7.1.x script to download 7.2 components, more changes were necessary to support the new solr 'secret' functionality. I made my own changes to fix the solr config issue so I could create a PR, but I wonder if this is just down to a problem with tagging in GitHub. I notice that the branch labeled next/7.3 contains files for 7.2.x, which I have yet to review.

SOLR not working with latest ansible deploy

Bug description

The install seems to work fine, however SOLR is not able to access ACS. Errors are:

2022-05-12 14:14:00.011 WARN (org.alfresco.solr.AlfrescoCoreAdminHandler@72ba28ee_Worker-21) [ ] o.a.s.t.CommitTracker Rollback performed due to ACL Tracker error
java.net.ConnectException: Connection refused (Connection refused)
at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)

Target OS

Ubuntu 20.04

Ansible error

No error. SOLR just is unable to communicate to ACS. It could be user of secret but documentation is not very descriptive. What do you have to set and where, in which yml file must you change to use secret?

Ansible context

Paste the output of the following commands:

ansible --version
ansible [core 2.12.5]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
  jinja version = 2.10.1
  libyaml = True
ansible-config dump --only-changed
ANSIBLE_PIPELINING(/home/ubuntu/Installs/alfresco-ansible-deployment-master/ansible.cfg) = True
ansible-inventory -i your_inventory_file --graph
@all:
  |--@activemq:
  |  |--@repository:
  |  |  |--localhost
  |--@adw:
  |  |--@repository:
  |  |  |--localhost
  |--@database:
  |  |--@repository:
  |  |  |--localhost
  |--@external:
  |  |--@external_activemq:
  |--@external_activemq:
  |--@nginx:
  |  |--@repository:
  |  |  |--localhost
  |--@repository:
  |  |--localhost
  |--@search:
  |  |--@repository:
  |  |  |--localhost
  |--@syncservice:
  |  |--@repository:
  |  |  |--localhost
  |--@transformers:
  |  |--@repository:
  |  |  |--localhost
  |--@ungrouped:

Alfresco artifacts owned by root

Bug description

ACS 7.2 installation started using $ ansible-playbook playbooks/acs.yml -i inventory_ssh.yml
Some files are owned by root and therefore cannot be used by alfresco user. Here are examples:

  • Alfresco startup fails because alfresco.war and share.war are owned by root instead of alfresco user.
  • ActiveMQ folders owned by root
    • f.e. /opt/apache-activemq-5.16.4/bin
  • .ansible_alfresco_components.status not accessible

FYI, control node running on WSL2 with Ubuntu 20.

Workaround:
  • $ sudo chown alfresco:alfresco /opt/alfresco/content-services-7.2.0/web-server/webapps/*.war
  • $ sudo chown -R alfresco:alfresco /opt/apache-activemq-5.16.4/
  • $ sudo chown -R alfresco:alfresco /opt/apache-tomcat-9.0.59/
  • $ sudo chmod 666 /opt/alfresco/.ansible_alfresco_components.status

Target OS

RHEL 8.3

Ansible error

ActiveMQ:

RUNNING HANDLER [../roles/activemq : restart-activemq] ******
fatal: [activemq_1]: FAILED! => {"changed": false, "msg": "Unable to start service activemq: Job for activemq.service failed because the control process exited with error code.\nSee \"systemctl status activemq.service\" and \"journalctl -xe\" for details.\n"}

Repository:

RUNNING HANDLER [../roles/repository : restart-alfresco-content] *****
fatal: [repository_1]: FAILED! => {"changed": false, "msg": "Unable to start service alfresco-content: Job for alfresco-content.service failed because the control process exited with error code.\nSee \"systemctl status alfresco-content.service\" and \"journalctl -xe\" for details.\n"}

Ansible context

ansible --version
(alfresco-ansible) alfresco@XXX:~/git/alfresco-ansible-deployment$ ansible --version
ansible [core 2.12.4]
  config file = /home/alfresco/git/alfresco-ansible-deployment/ansible.cfg
  configured module search path = ['/home/alfresco/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/alfresco/git/alfresco-ansible-deployment/alfresco-ansible/lib/python3.8/site-packages/ansible
  ansible collection location = /home/alfresco/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/alfresco/git/alfresco-ansible-deployment/alfresco-ansible/bin/ansible
  python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
  jinja version = 3.1.1
  libyaml = True
ansible-config dump --only-changed
(alfresco-ansible) alfresco@XXX:~/git/alfresco-ansible-deployment$ ansible-config dump --only-changed
ANSIBLE_PIPELINING(/home/alfresco/git/alfresco-ansible-deployment/ansible.cfg) = True
ansible-inventory -i your_inventory_file --graph
(alfresco-ansible) alfresco@XXX:~/git/alfresco-ansible-deployment$ ansible-inventory -i inventory_ssh.yml --graph
@all:
  |--@activemq:
  |  |--activemq_1
  |--@adw:
  |  |--adw_1
  |--@database:
  |  |--database_1
  |--@external:
  |  |--@external_activemq:
  |--@external_activemq:
  |--@nginx:
  |  |--nginx_1
  |--@repository:
  |  |--repository_1
  |--@search:
  |  |--search_1
  |--@syncservice:
  |  |--syncservice_1
  |--@transformers:
  |  |--transformers_1
  |--@ungrouped:
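
A check for the condition reported above, as an added example that is not part of the playbook: it walks an installation tree and lists entries not owned by the expected service account, plus entries left world-writable (which is what a chmod 666 produces). The function name audit_tree and the command-line usage are hypothetical.

```python
import os
import pwd
import stat
import sys


def audit_tree(root, expected_uid):
    """Return sorted (path, problem, detail) tuples for everything under root.

    problem is "owner" when the entry belongs to a different uid, and
    "world-writable" when any local user may modify it.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, name) for name in filenames]
        for path in candidates:
            info = os.lstat(path)  # lstat: never follow symlinks out of the tree
            if stat.S_ISLNK(info.st_mode):
                continue
            if info.st_uid != expected_uid:
                findings.append((path, "owner", str(info.st_uid)))
            # Sticky directories (like /tmp) are writable by design; skip them.
            writable_by_all = info.st_mode & stat.S_IWOTH
            sticky = info.st_mode & stat.S_ISVTX
            if writable_by_all and not sticky:
                mode = oct(stat.S_IMODE(info.st_mode))
                findings.append((path, "world-writable", mode))
    return sorted(findings)


if __name__ == "__main__":
    # Usage (hypothetical): audit.py alfresco /opt/alfresco /opt/apache-activemq-5.16.4
    account, roots = sys.argv[1], sys.argv[2:]
    uid = pwd.getpwnam(account).pw_uid
    for tree in roots:
        for path, problem, detail in audit_tree(tree, uid):
            print(f"{problem:15} {detail:8} {path}")
```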

Local installation fails on Ubuntu 22.04

Bug description

ACS 7.3 installation started using pipenv run ansible-playbook playbooks/acs.yml -i inventory_local.yml

Workaround/Solution: in file transformers/tasks/dependencies-deb.yml I removed the "warn" line

Target OS

Ubuntu 22.04 LTS

Ansible error

TASK [../roles/transformers : Install LibreOffice] ********************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (ansible.legacy.command) module: warn. Supported parameters include: _uses_shell, stdin_add_newline, creates, executable, chdir, argv, removes, _raw_params, stdin, strip_empty_ends."}

Ansible context

Paste the output of the following commands:

ansible --version
$ pipenv run ansible --version
ansible [core 2.14.1]
  config file = /home/lmattioli/alfresco/alfresco-ansible-deployment/ansible.cfg
  configured module search path = ['/home/lmattioli/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/lmattioli/.local/share/virtualenvs/alfresco-ansible-deployment-IsHyMbMU/lib/python3.10/site-packages/ansible
  ansible collection location = /home/lmattioli/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/lmattioli/.local/share/virtualenvs/alfresco-ansible-deployment-IsHyMbMU/bin/ansible
  python version = 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0] (/home/lmattioli/.local/share/virtualenvs/alfresco-ansible-deployment-IsHyMbMU/bin/python)
  jinja version = 3.1.2
  libyaml = True
ansible-config dump --only-changed
$ pipenv run ansible-config dump --only-changed
ANSIBLE_PIPELINING(/home/lmattioli/alfresco/alfresco-ansible-deployment/ansible.cfg) = True
CONFIG_FILE() = /home/lmattioli/alfresco/alfresco-ansible-deployment/ansible.cfg
DEFAULT_VAULT_PASSWORD_FILE(env: ANSIBLE_VAULT_PASSWORD_FILE) = /home/lmattioli/.vault_pass.txt
ansible-inventory -i your_inventory_file --graph
$ pipenv run ansible-inventory -i inventory_local.yml --graph
@all:
  |--@activemq:
  |  |--@repository:
  |  |  |--localhost
  |--@adw:
  |  |--@repository:
  |  |  |--localhost
  |--@database:
  |  |--@repository:
  |  |  |--localhost
  |--@elasticsearch:
  |--@external:
  |  |--@external_activemq:
  |  |--@external_elasticsearch:
  |  |--@other_repo_clients:
  |--@external_activemq:
  |--@external_elasticsearch:
  |--@nginx:
  |  |--@repository:
  |  |  |--localhost
  |--@other_repo_clients:
  |--@repository:
  |  |--localhost
  |--@search:
  |  |--@repository:
  |  |  |--localhost
  |--@search_enterprise:
  |--@syncservice:
  |  |--@repository:
  |  |  |--localhost
  |--@transformers:
  |  |--@repository:
  |  |  |--localhost
  |--@trusted_resource_consumers:
  |  |--@adw:
  |  |  |--@repository:
  |  |  |  |--localhost
  |  |--@nginx:
  |  |  |--@repository:
  |  |  |  |--localhost
  |  |--@other_repo_clients:
  |  |--@repository:
  |  |  |--localhost
  |--@ungrouped:

Ansible split function doesn't work as intended

Following line in roles/transformers/vars/Redhat8.yml
imagemagick_home: "/usr/lib64/ImageMagick-{{ imagemagick_pkg.version.split('-')[0] }}"

results in
imagemagick_home: "/usr/lib64/ImageMagick-[7.1.0-7]"
as opposed to imagemagick_home: "/usr/lib64/ImageMagick-7.1.0" as intended.

My ansible version is as follows:
ansible [core 2.11.6]
config file = None
configured module search path = ['/home/ec2-user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/ec2-user/.local/lib/python3.6/site-packages/ansible
ansible collection location = /home/ec2-user/.ansible/collections:/usr/share/ansible/collections
executable location = /home/ec2-user/.local/bin/ansible
python version = 3.6.8 (default, Aug 12 2021, 07:06:15) [GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]
jinja version = 2.10.1
libyaml = True

Using regex_replace I was able to fix this.
imagemagick_home: "/usr/lib64/ImageMagick-{{ imagemagick_pkg.version | regex_replace('-.+') }}"

Thanks,
Shankar

dependencies-rpm.yml -- warn: false is an unsupported parameter for command module

Bug description

Quick fix. I commented the warn: false line out of dependencies-rpm.yml and the play ran just fine after that.

Target OS

Centos 7
ansible [core 2.14.2]
Python 3.9.9

Ansible error

TASK [../roles/transformers : Install LibreOffice RPMs] *****************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (ansible.legacy.command) module: warn. Supported parameters include: _raw_params, _uses_shell, argv, chdir, creates, executable, removes, stdin, stdin_add_newline, strip_empty_ends."}

PLAY RECAP **************************************************************************************************************************************************************************************
localhost                  : ok=86   changed=46   unreachable=0    failed=1    skipped=49   rescued=0    ignored=0   


Ansible context

Paste the output of the following commands:

ansible --version
ansible [core 2.14.2]
  config file = /opt/alfresco-ansible-deployment/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /root/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /bin/ansible
  python version = 3.9.9 (main, Feb  3 2023, 10:11:30) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] (/usr/local/bin/python3)
  jinja version = 3.1.2
  libyaml = True
ansible-config dump --only-changed
ANSIBLE_PIPELINING(/opt/alfresco-ansible-deployment/ansible.cfg) = True
CONFIG_FILE() = /opt/alfresco-ansible-deployment/ansible.cfg

ImageMagick download fails with SSLV3 Alert Handshake Failure

Bug description

I'm trying to install Alfresco Community Edition on CentOS 7. I am using Python3.10, Ansible 2.12.4, and OpenSSL1.1.1. I get this error when it tries to download ImageMagick.

TASK [../roles/transformers : Download ImageMagick distribution] *************************
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'url'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>. Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>"}

Target OS

Cent OS 7

Ansible error

TASK [../roles/transformers : Download ImageMagick distribution] ***************
task path: /home/qoppa/Downloads/alfresco-ansible-deployment-2.0.0/roles/transformers/tasks/main.yml:24
exception during Jinja2 execution: Traceback (most recent call last):
  File "/usr/local/lib/python3.10/urllib/request.py", line 1348, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/local/lib/python3.10/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1328, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1277, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1037, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.10/http/client.py", line 975, in send
    self.connect()
  File "/usr/local/lib/python3.10/site-packages/ansible/module_utils/urls.py", line 545, in connect
    self.sock = self.context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.10/ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/lib/python3.10/ssl.py", line 1070, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.10/ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/ansible/plugins/lookup/url.py", line 196, in run
    response = open_url(term, validate_certs=self.get_option('validate_certs'),
  File "/usr/local/lib/python3.10/site-packages/ansible/module_utils/urls.py", line 1535, in open_url
    return Request().open(method, url, data=data, headers=headers, use_proxy=use_proxy,
  File "/usr/local/lib/python3.10/site-packages/ansible/module_utils/urls.py", line 1446, in open
    return urllib_request.urlopen(request, None, timeout)
  File "/usr/local/lib/python3.10/urllib/request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/lib/python3.10/urllib/request.py", line 519, in open
    response = self._open(req, data)
  File "/usr/local/lib/python3.10/urllib/request.py", line 536, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/local/lib/python3.10/urllib/request.py", line 496, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python3.10/site-packages/ansible/module_utils/urls.py", line 558, in https_open
    return self.do_open(
  File "/usr/local/lib/python3.10/urllib/request.py", line 1351, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/ansible/template/__init__.py", line 1032, in _lookup
    ran = instance.run(loop_terms, variables=self._available_variables, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/ansible/plugins/lookup/url.py", line 213, in run
    raise AnsibleError("Failed lookup url for %s : %s" % (term, to_native(e)))
ansible.errors.AnsibleError: Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>
fatal: [localhost]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'url'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>. Failed lookup url for https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/../imagemagick/imagemagick-distribution/7.0.10-11/imagemagick-distribution-7.0.10-11-libs-linux.rpm.sha1 : <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>"
}

Ansible context

Paste the output of the following commands:

ansible --version
ansible [core 2.12.4]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.2 (main, Aug 23 2022, 16:27:21) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
  jinja version = 3.0.3
  libyaml = True
ansible-config dump --only-changed
ansible-inventory -i your_inventory_file --graph
@all:
  |--@activemq:
  |  |--@repository:
  |  |  |--localhost
  |--@adw:
  |  |--@repository:
  |  |  |--localhost
  |--@database:
  |  |--@repository:
  |  |  |--localhost
  |--@external:
  |  |--@external_activemq:
  |--@external_activemq:
  |--@nginx:
  |  |--@repository:
  |  |  |--localhost
  |--@repository:
  |  |--localhost
  |--@search:
  |  |--@repository:
  |  |  |--localhost
  |--@syncservice:
  |  |--@repository:
  |  |  |--localhost
  |--@transformers:
  |  |--@repository:
  |  |  |--localhost
  |--@ungrouped:

Playbook install fails with Ansible 2.9.6 Ubuntu 20.04

Ansible 2.9.6 in the Ansible deployment fails in Ubuntu 20.04
Indication is it might self resolve with a newer version.

DataDog/ansible-datadog#274

$ ansible -m service_facts localhost

fatal: [activemq_1]: FAILED! => {"changed": false, "msg": "Malformed output discovered from systemd list-unit-files: accounts-daemon.service enabled enabled "}

$ ansible --version

ansible 2.9.6
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/fgjohnson/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 3.8.10 (default, Jun 2 2021, 10:49:15) [GCC 9.4.0]

free the `trouter` role from using the `setenv.sh` file

Bug description

The file setenv.sh is deployed by the java role using template and amended using its dependent roles, such as tomcat, search, sync, etc.

This is problematic generally speaking (in particular for idempotence) as we want to avoid cases where one part of the playbook may interfere with what another part needs to do.

Target OS

all

Ansible error

molecule idempotence test failures (currently skipped using molecule-idempotence-notest)

Acceptance criteria

A possible way around that would be to take common env variable population out of the java role and let each role do it by directly using the systemd unit file Environment= or EnvironmentFile=. As a result:

  • trouter role provides its own set of vars in a systemd unit environment file
  • no more lineinfile or blockinfile task is used to amend the setenv.sh file
  • script template no longer sources the setenv.sh file
  • clear the molecule-idempotence-notest tag from all possible tasks in the trouter role
  • tests are amended accordingly

free the `sfs` role from using the `setenv.sh` file

Bug description

The file setenv.sh is deployed by the java role using template and amended using its dependent roles, such as tomcat, search, sync, etc.

This is problematic generally speaking (in particular for idempotence) as we want to avoid cases where one part of the playbook may interfere with what another part needs to do.

Target OS

all

Ansible error

molecule idempotence test failures (currently skipped using molecule-idempotence-notest)

Acceptance criteria

A possible way around that would be to take common env variable population out of the java role and let each role do it by directly using the systemd unit file Environment= or EnvironmentFile=. As a result:

  • sfs role provides its own set of vars in a systemd unit environment file
  • no more lineinfile or blockinfile task is used to amend the setenv.sh file
  • script template no longer sources the setenv.sh file
  • clear the molecule-idempotence-notest tag from all possible tasks in the sfs role
  • tests are amended accordingly

Hardcoded alfresco user for T-Router service

Bug description

In case application user (default name is alfresco) is changed in roles/common/vars/main.yml for T-Router service then it is not able to start.
This fix is provided in #369

In my test case, I changed user from alfresco to alfresco_new but service still points to hardcoded alfresco user:

$ cat /etc/systemd/system/alfresco-transform-router.service | grep User
User=alfresco

Target OS

Tested on RHEL 8.5 and Ubuntu 20.04.4 LTS

Ansible error

RUNNING HANDLER [../roles/trouter : wait-for-aio] ************************************************
fatal: [localhost]: FAILED! => {"changed": false, "elapsed": 300, "msg": "Timeout when waiting for XXX:8090"}

free the `search` role from using the `setenv.sh` file

Bug description

The file setenv.sh is deployed by the java role using template and amended using its dependent roles, such as tomcat, search, sync, etc.

This is problematic generally speaking (in particular for idempotence) as we want to avoid cases where one part of the playbook may interfere with what another part needs to do.

Target OS

all

Ansible error

molecule idempotence test failures (currently skipped using molecule-idempotence-notest)

Acceptance criteria

A possible way around that would be to take common env variable population out of the java role and let each role do it by directly using the systemd unit file Environment= or EnvironmentFile=. As a result:

  • search role provides its own set of vars in a systemd unit environment file
  • no more lineinfile or blockinfile task is used to amend the setenv.sh file
  • script template no longer sources the setenv.sh file
  • clear the molecule-idempotence-notest tag from all possible tasks in the search role
  • tests are amended accordingly

502 Bad Gateway after installing with ansible and restarting machine

Bug description

I installed Community Edition 7.2 yesterday with Ansible on CentOS 7. Services seemed to be up and running. I was able to create users, log in to share services, etc. But after restarting the machine I'm getting a 502 bad gateway when I visit localhost or localhost/share (the same URLs that were ok yesterday).

Is there a trick to restarting these services properly? Is there something I need to do manually? Would be nice if this was documented in the installation instructions I followed here: https://docs.alfresco.com/content-services/community/install/ansible/

When I list all services with "sudo systemctl list-unit-files" I get:

alfresco-content-monitored-startup.service static
alfresco-content.service disabled
alfresco-search.service enabled
alfresco-tengine-aio.service enabled

After starting the alfresco-content service manually I can get to myserver/share from the server only, but I can't see it on the rest of my network like I could before restarting the machine. I had to manually stop firewalld to fix this.

Would be nice if it was documented if I do need to start services manually. Also I noticed the docs (from the link above) list 6 services that start with "alfresco" whereas I only have 4. Are the docs out of date or is my installation incomplete?

Target OS

Cent OS 7

HTTPS architecture

What changes are needed in the Ansible playbooks to make Alfresco Community run on port 443?

I tried to change only the configuration of nginx, but it looks like there are some other changes to be made to the tomcat config on server.xml and alfresco-global.properties.

Rely on galaxy role to deploy ActiveMQ

Task description

ℹ️ This task requires being familiar with Alfresco and understanding the architecture of its platform.

Currently the playbook deploys a very basic ActiveMQ instance for the sole sake of convenience. There are other (and probably better) playbooks on galaxy to deploy ActiveMQ. We would like to rely on using 3rd party roles for deploying 3rd party components (as has been done lately for the elasticsearch role).

Target OS

Ideally all supported OS (as in supported by the playbook)

Acceptance Criteria

  • role needs to be maintained
  • role must not be copied and edited
  • role can be wrapped
  • Role inclusion must not change the inventory structure (no new group or subgroup)
  • Version of deployed ActiveMQ can be set so it matches each ACS supported matrix

free the sync role from using the `setenv.sh` file

Bug description

The file setenv.sh is deployed by the java role using a template and amended using its dependent roles, such as tomcat, search, sync, etc…

This is problematic generally speaking (in particular for idempotence) as we want to avoid cases where one part of the playbook may interfere with what another part needs to do.

Target OS

all

Ansible error

molecule idempotence test failures (currently skipped using molecule-idempotence-notest)

Acceptance criteria

A possible way around that would be to take common env variable population out of the java role and let each role do it by directly using the systemd unit file Environment= or EnvironmentFile=. As a result:

  • sync role provides its own set of vars in a systemd unit environment file
  • no more lineinfile or blockinfile task is used to amend the setenv.sh file
  • script template no longer sources the setenv.sh file
  • clear the molecule-idempotence-notest tag from all possible tasks in the sync role
  • tests are amended accordingly

ActiveMQ conf and data cannot be found

Bug description

ACS 7.2 installation started using $ ansible-playbook playbooks/acs.yml -i inventory_ssh.yml
Error message mentioned below occurred in task "Copy data & config files to Unix FHS dirs". I am not sure if that is something critical because the installation continued and following tasks were executed properly.

Target OS

RHEL 8.3

Ansible error

TASK [../roles/activemq : Copy data & config files to Unix FHS dirs] ***************************************************************************
failed: [activemq_1] (item={'src': '/opt/apache-activemq-5.16.4/conf', 'dest': '/etc/opt/alfresco/activemq'}) => {"ansible_loop_var": "item", "changed": false, "item": {"dest": "/etc/opt/alfresco/activemq", "src": "/opt/apache-activemq-5.16.4/conf"}, "msg": "Source /opt/apache-activemq-5.16.4/conf not found"}
failed: [activemq_1] (item={'src': '/opt/apache-activemq-5.16.4/data', 'dest': '/var/opt/alfresco/activemq'}) => {"ansible_loop_var": "item", "changed": false, "item": {"dest": "/var/opt/alfresco/activemq", "src": "/opt/apache-activemq-5.16.4/data"}, "msg": "Source /opt/apache-activemq-5.16.4/data not found"}

Ansible context

Same output as in #328

Limit the use of inventory_hostname

Summary

inventory_hostname might not be the real hostname of the target host and might contain characters that aren't supported by hostnames or that can cause issues with path.

Details

As you know, inventory_hostname comes from the inventory and therefore, I believe it's a kind of free-text name, which can contain characters such as /. Recently, a lot of additions were made on the Java/PKI side and this variable is being used a lot more. In cases where such characters are being used in the inventory_hostname, some of the commands added recently would fail.

For example:

        - name: Create private key for new certificate
          no_log: true
          become: true
          community.crypto.openssl_privatekey:
            path: /etc/pki/{{ inventory_hostname }}_{{ cert_key_type | default('') }}.key
            mode: 0600
            size: "{{ cert_key_size | default(omit) }}"
            type: "{{ cert_key_type | default(omit) }}"
            return_content: true
          register: srvkey

Because inventory_hostname is being used inside the value of a path, if this variable starts with infra/myhost, then this task would fail because the folder /etc/pki exists but not /etc/pki/infra/.

Hostnames follow the regex [a-zA-Z0-9.-]* and therefore inventory_hostname might not be the real value.

For all the Search Replication role, you are also using inventory_hostname to define if the current host is a master or a slave with things such as {{ 'slave' if inventory_hostname == search_master else 'master' }} or {% if search_topology == 'replication' and inventory_hostname == search_master %}. I find these conditions to be quite strange, since that would mean that you are forcing the inventory_hostname to be exactly "search_master" no? Maybe I'm missing some things for the replication part.

Questions

Is it possible to change such occurrences of inventory_hostname so that it uses the real hostname, which I believe would be more secure in terms of allowed characters? It could mean replacing most occurrences with ansible_hostname or ansible_facts['hostname'] for example (these two require gather_facts: true). If the real hostname changes (not the inventory one), the SSL Certificate should be regenerated I assume, so using the inventory one might be a problem as well, no?

Alternatively, what about using a simple hardcoded name for the PKI file instead of generating a name based on the host? Something like alf_server_cert for all the .p12, .keystore, etc... So that all hosts would have the same name for the PKI files. Maybe the customers could have their own files already present with the hostname, so the playbook could also have some issues with that. Using a dedicated name for this playbook could help with avoiding issues and making sure which files are playbook related and which ones aren't (created before/after by someone/something else).

--> If you agree to perform some changes related to this issue, I can help getting some work done & submit the associated PR.
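The failure described in this issue can be caught before any path is built. The following is an added example, not code from the playbook: `is_safe_name`, `key_path` and `unsafe_names` are hypothetical helpers, the sample names are constructed, and rejecting a leading `.` or `-` is an extra assumption on top of the character set quoted in the issue.

```shell
#!/bin/sh
# Added example: pre-flight check for inventory names that end up in file paths.

# Succeeds only if NAME is usable as a single path component: non-empty,
# limited to the hostname alphabet [a-zA-Z0-9.-], not starting with '.' or '-'
# (the leading-character rule is an assumption of this example).
is_safe_name() {
    case "$1" in
        ''|.*|-*) return 1 ;;
        *[!a-zA-Z0-9.-]*) return 1 ;;
    esac
    return 0
}

# key_path NAME KEY_TYPE: prints the key path in the shape used by the task
# quoted in the issue, or fails without printing a path.
key_path() {
    is_safe_name "$1" || { echo "unsafe inventory name: $1" >&2; return 1; }
    printf '/etc/pki/%s_%s.key\n' "$1" "$2"
}

# Reads one inventory name per line on stdin and prints the unsafe ones.
unsafe_names() {
    while IFS= read -r name; do
        is_safe_name "$name" || printf '%s\n' "$name"
    done
}

# Constructed inventory names; "infra/myhost" is the case from the issue.
printf '%s\n' 'acs-1.example.com' 'infra/myhost' 'search master' | unsafe_names
```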

Missing newline in setenv.sh can cause ActiveMQ to fail to start

The missing newline causes ActiveMQ to fail to start as the PATH set up gets corrupted when ansible customizes the setenv.sh template and it is deployed. The corrupted PATH causes basic linux commands to be missing and the service to fail on startup.

Environment:
Ansible Host: RHEL 7.9
Ansible Controller: Ansible 2.10.3

File: roles/java/templates/setenv.sh

Newline removed:
11fd028

Causes the customization to corrupt the setenv.sh PATH setup

    - name: Add activemq_home and host to setenv script
      become: true
      become_user: "{{ username }}"
      blockinfile:
        path: "{{ config_folder }}/setenv.sh"
        marker: "# {mark} ACTIVEMQ ENV VARS"
        block: |
          export ACTIVEMQ_HOME={{ activemq_home }}
          export ACTIVEMQ_HOST={{ activemq_host }}

The deployed setenv.sh used by the ActiveMQ Service can end up like:

    #!/bin/sh

    export JAVA_HOME="/opt/openjdk-11.0.7"
    export PATH="${JAVA_HOME}/bin:${PATH}"# BEGIN ACTIVEMQ ENV VARS
    ...
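The corruption reported in this issue can be reproduced and guarded against outside Ansible. The following is an added example, not code from the playbook: it simulates the append with `printf` rather than running `blockinfile`, the function names are hypothetical, and the `ACTIVEMQ_HOME` and `ACTIVEMQ_HOST` values are placeholders.

```shell
#!/bin/sh
# Added example: simulates the append with printf; it does not run Ansible.

# Constructed sample of the rendered template: the PATH line is the last line
# and has no trailing newline, as in the issue.
write_sample() {
    printf '%s\n' '#!/bin/sh' '' 'export JAVA_HOME="/opt/openjdk-11.0.7"' > "$1"
    printf '%s' 'export PATH="${JAVA_HOME}/bin:${PATH}"' >> "$1"
}

# Succeeds if the file is empty or its last byte is a newline. Command
# substitution strips a trailing newline, so the result is empty only then.
ends_with_newline() {
    if [ ! -s "$1" ]; then return 0; fi
    [ -z "$(tail -c 1 "$1")" ]
}

# Appends a marker block straight onto the end of the file, which is how the
# failure arises. The ACTIVEMQ_* values are placeholders.
append_block() {
    printf '%s\n' '# BEGIN ACTIVEMQ ENV VARS' \
        'export ACTIVEMQ_HOME=/opt/activemq' \
        'export ACTIVEMQ_HOST=localhost' \
        '# END ACTIVEMQ ENV VARS' >> "$1"
}

# Guarded variant: terminate the last line first, then append.
append_block_guarded() {
    ends_with_newline "$1" || printf '\n' >> "$1"
    append_block "$1"
}

# Prints the PATH a process would get after sourcing the file.
effective_path() {
    ( . "$1" >/dev/null 2>&1; printf '%s' "$PATH" )
}

tmp=$(mktemp -d)
write_sample "$tmp/naive.sh";   append_block "$tmp/naive.sh"
write_sample "$tmp/guarded.sh"; append_block_guarded "$tmp/guarded.sh"
echo "naive:   $(effective_path "$tmp/naive.sh")"
echo "guarded: $(effective_path "$tmp/guarded.sh")"
rm -rf "$tmp"
```

In the naive case the marker's `#` is glued to the closing quote, so it becomes part of the last PATH entry instead of starting a comment.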

Ubuntu Support

The ansible playbooks only support Redhat(/CentOS) at the moment. Are there any plans to also support Ubuntu (the versions from your support matrix) for the ansible deployment?
