esgf / esgf-ansible Goto Github PK

TASK [certificate : Create vesgdev-idx.ipsl.upmc.fr Cert Own CA] ******************************************
task path: /root/tmp/esgf-ansible/roles/certificate/tasks/cert.yml:47
The full traceback is:
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1552321721.44-143578833281545/AnsiballZ_openssl_certificate.py", line 113, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1552321721.44-143578833281545/AnsiballZ_openssl_certificate.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1552321721.44-143578833281545/AnsiballZ_openssl_certificate.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 1091, in <module>
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 1070, in main
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 617, in generate
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 487, in check
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 469, in _validate_csr
IndexError: list index out of range
fatal: [vesgdev-data.ipsl.upmc.fr]: FAILED! => {
    "changed": false, 
    "rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error


MODULE_STDERR:

Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1552321721.44-143578833281545/AnsiballZ_openssl_certificate.py", line 113, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1552321721.44-143578833281545/AnsiballZ_openssl_certificate.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1552321721.44-143578833281545/AnsiballZ_openssl_certificate.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 1091, in <module>
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 1070, in main
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 617, in generate
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 487, in check
  File "/tmp/ansible_openssl_certificate_payload_vpLzT2/__main__.py", line 469, in _validate_csr
IndexError: list index out of range


PLAY RECAP ************************************************************************************************
vesgdev-data.ipsl.upmc.fr  : ok=105  changed=56   unreachable=0    failed=1

## Conda env installation

(Installation de pip (pour python 2.6) => pip search ansible crashes.)

PARENT_DIR='/root/tmp'
cd ${PARENT_DIR}

wget https://repo.anaconda.com/miniconda/Miniconda2-latest-Linux-x86_64.sh

chmod +x Miniconda2-latest-Linux-x86_64.sh
./Miniconda2-latest-Linux-x86_64.sh

source ${HOME}/.bashrc

conda create -y -n ansible python=2.7

conda activate ansible

pip install ansible==2.7

## esgf-ansible repo

PARENT_DIR='/root/tmp'
cd ${PARENT_DIR}

TAG_NAME='4.0.0-beta1'
git clone https://github.com/ESGF/esgf-ansible.git && cd esgf-ansible && git checkout $TAG_NAME

## Inventory

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/inventory.txt" <<EOF
[data]
vesgdev-data.ipsl.upmc.fr   ansible_connection=local

[index]
vesgdev-idx.ipsl.upmc.fr    ansible_connection=local

[idp]
vesgdev-idx.ipsl.upmc.fr   ansible_connection=local
EOF

## Host vars for vesgdev-data.ipsl.upmc.fr

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/host_vars/vesgdev-data.ipsl.upmc.fr.yml" <<EOF
### All paths in this file are on the machine
### on which Ansible itself will be run. That is,
### they are on the 'control' machine.

### Mirror Host
##
### The ESGF mirror to be used. Defaults to
### aims1.llnl.gov
##
### Choices:
## distrib-coffee.ipsl.jussieu.fr/pub
## dist.ceda.ac.uk
## aims1.llnl.gov
## esg-dn2.nsc.liu.se
##
mirror_host: distrib-coffee.ipsl.jussieu.fr/pub

### Prometheus Hosts and/or IPs
##
### This deployment deploys Prometheus exporters. These
### exporters report information and metrics about the node
### to a Prometheus server. The Prometheus server(s) must be
### specified so that it can be trusted to communicate with
### the exporters. Place your own Prometheus server here if
### applicable. This trust is at the webserver level.
##
### Information will not be collected until your host is added
### to the Prometheus server's target list. Remove the following
### lines if you would not like to participate in this, in which
### case only localhost will be trusted to access the exporters'
### information.
##
#prometheus_hosts:
#  - aims1.llnl.gov
#prometheus_ips:
#  - 10 # Trust your whole internal network

### Globus Services
##
### This information is used to connect the node
### to the Globus system. 
##
### Leave unspecified and the Globus Connect Server 
### setup steps will be skipped.
##
#globus_user:
#globus_pass:
#register_gridftp: true|false
#register_myproxy: true|false

### Keys and Certificates
# The priority for installing certs and keys goes like this:
# 1. Whatever is specified in the host_vars file will be installed,
#    whether or not the destination path is already present on the 
#    managed machine.
#
# 2. If the files are already present on the managed machine and 
#    nothing is specified in the host_vars file, the files that 
#    are present will be checked for validity. If the certificate is
#    found to be invalid, it will be removed and regenerated.
#
# 3. If no key and certificate files on the managed machine are
#    present and nothing is specified in the host_vars file, self-signed,
#    Ansible generated, certificates will be installed.

### Keys and Certificates for Globus Services
##
### The paths on the local machine to the respective 
### key/cert that have been signed by ESGF. If these
### have not been obtained for a node, leave unspecified.
##
### Leave unspecified and certificate signing requests for
### valid certs will be generated in the HOME directory
### of the root user.
##
#gftphostcert:
#gftphostkey:
#myproxycacert:
#myproxycakey:
#myproxy_signing_policy:

### Keys and Certificates for Web Services, httpd and tomcat
##
### The paths on the local machine to the respective 
### key/cert that have been signed by a commonly trusted 
### certificate authority.
##
### Leave unspecified and temporary, or LetsEncrypt (see below), 
### certificates will be generated.
##
#hostkey_src:
#hostcert_src:
#cachain_src:

### LetsEncrypt Certificates for Web Services
##
### LetsEncrypt certificates are browser trusted certificates
### that can be obtained in an automated fashion by proving
### you control the domain.
### In order for this to work your host must be publicly
### available at deployment time.
### This variable has no effect if the above host key/cert/chain
### variables for web services are specified.
##
### Leave unspecified to not attempt to retrieve LetsEncrypt certs.
##
#try_letsencrypt: true|false

### CentOS 6 iptables
##
### iptables is a tool that controls the Linux kernel's packet firewall.
### Many sites will likely wish to manage this on their own. If you are
### not familiar with this tool and would like this deployment to
### takes steps to configure the iptables for you on CentOS 6 then
### uncomment the below variable and set it to true. Otherwise your
### site will be responsible for ensuring the proper ports are open.
##
### Leave unspecified to manage iptables on CentOS 6 yourself.
##
#configure_centos6_iptables: true|false
EOF








## Host vars for vesgdev-idx.ipsl.upmc.fr

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/host_vars/vesgdev-idx.ipsl.upmc.fr.yml" <<EOF
### All paths in this file are on the machine
### on which Ansible itself will be run. That is,
### they are on the 'control' machine.

### Mirror Host
##
### The ESGF mirror to be used. Defaults to
### aims1.llnl.gov
##
### Choices:
## distrib-coffee.ipsl.jussieu.fr/pub
## dist.ceda.ac.uk
## aims1.llnl.gov
## esg-dn2.nsc.liu.se
##
mirror_host: distrib-coffee.ipsl.jussieu.fr/pub

### Prometheus Hosts and/or IPs
##
### This deployment deploys Prometheus exporters. These
### exporters report information and metrics about the node
### to a Prometheus server. The Prometheus server(s) must be
### specified so that it can be trusted to communicate with
### the exporters. Place your own Prometheus server here if
### applicable. This trust is at the webserver level.
##
### Information will not be collected until your host is added
### to the Prometheus server's target list. Remove the following
### lines if you would not like to participate in this, in which
### case only localhost will be trusted to access the exporters'
### information.
##
#prometheus_hosts:
#  - aims1.llnl.gov
#prometheus_ips:
#  - 10 # Trust your whole internal network

### Globus Services
##
### This information is used to connect the node
### to the Globus system. 
##
### Leave unspecified and the Globus Connect Server 
### setup steps will be skipped.
##
#globus_user:
#globus_pass:
#register_gridftp: true|false
#register_myproxy: true|false

### Keys and Certificates
# The priority for installing certs and keys goes like this:
# 1. Whatever is specified in the host_vars file will be installed,
#    whether or not the destination path is already present on the 
#    managed machine.
#
# 2. If the files are already present on the managed machine and 
#    nothing is specified in the host_vars file, the files that 
#    are present will be checked for validity. If the certificate is
#    found to be invalid, it will be removed and regenerated.
#
# 3. If no key and certificate files on the managed machine are
#    present and nothing is specified in the host_vars file, self-signed,
#    Ansible generated, certificates will be installed.

### Keys and Certificates for Globus Services
##
### The paths on the local machine to the respective 
### key/cert that have been signed by ESGF. If these
### have not been obtained for a node, leave unspecified.
##
### Leave unspecified and certificate signing requests for
### valid certs will be generated in the HOME directory
### of the root user.
##
#gftphostcert:
#gftphostkey:
#myproxycacert:
#myproxycakey:
#myproxy_signing_policy:

### Keys and Certificates for Web Services, httpd and tomcat
##
### The paths on the local machine to the respective 
### key/cert that have been signed by a commonly trusted 
### certificate authority.
##
### Leave unspecified and temporary, or LetsEncrypt (see below), 
### certificates will be generated.
##
#hostkey_src:
#hostcert_src:
#cachain_src:

### LetsEncrypt Certificates for Web Services
##
### LetsEncrypt certificates are browser trusted certificates
### that can be obtained in an automated fashion by proving
### you control the domain.
### In order for this to work your host must be publicly
### available at deployment time.
### This variable has no effect if the above host key/cert/chain
### variables for web services are specified.
##
### Leave unspecified to not attempt to retrieve LetsEncrypt certs.
##
#try_letsencrypt: true|false

### CentOS 6 iptables
##
### iptables is a tool that controls the Linux kernel's packet firewall.
### Many sites will likely wish to manage this on their own. If you are
### not familiar with this tool and would like this deployment to
### takes steps to configure the iptables for you on CentOS 6 then
### uncomment the below variable and set it to true. Otherwise your
### site will be responsible for ensuring the proper ports are open.
##
### Leave unspecified to manage iptables on CentOS 6 yourself.
##
#configure_centos6_iptables: true|false
EOF


## Preprocessing 

backup :
- certificate https
- certificate gridftp

* To do for vesgdev-idx

esg-node stop

rm -fr /etc/tempcerts
rm -fr /etc/certs.bak /etc/esgfcerts.bak /etc/grid-security.bak /var/lib/globus/simple_ca.bak ; cp -rp /etc/certs /etc/certs.bak ; cp -rp /etc/esgfcerts /etc/esgfcerts.bak ; cp -rp /etc/grid-security /etc/grid-security.bak ; cp -rp /var/lib/globus/simple_ca /var/lib/globus/simple_ca.bak

* To do for vesgdev-data

esg-node stop

rm -fr /etc/tempcerts
rm -fr /etc/certs.bak /etc/esgfcerts.bak /etc/grid-security.bak /var/lib/globus/simple_ca.bak ; cp -rp /etc/certs /etc/certs.bak ; cp -rp /etc/esgfcerts /etc/esgfcerts.bak ; cp -rp /etc/grid-security /etc/grid-security.bak ; cp -rp /var/lib/globus/simple_ca /var/lib/globus/simple_ca.bak

## Upgrade

export PARENT_DIR='/root/tmp'
script ${PARENT_DIR}/esgf-ansible/upgrade.log
cd ${PARENT_DIR}/esgf-ansible
source activate ansible
export ANSIBLE_NOCOLOR=true
ansible-playbook -vvv -i ${PARENT_DIR}/esgf-ansible/inventory.txt -u root --tags data --limit vesgdev-data.ipsl.upmc.fr install.yml

TASK [globus_certs : Copy certificates over if it is] **********************************************************************************************************************************************************
changed: [vesg4cds-data.ipsl.upmc.fr]
fatal: [vesg4cds-idx.ipsl.upmc.fr]: FAILED! => {
    "changed": true,
    "cmd": "cp /etc/grid-security/certificates/* /esg/gridftp_root/etc/grid-security/certificates/",
    "delta": "0:00:00.005728",
    "end": "2019-09-16 15:19:56.689950",
    "rc": 1,
    "start": "2019-09-16 15:19:56.684222"
}

STDERR:

cp: la cible « /esg/gridftp_root/etc/grid-security/certificates/ » n'est pas un répertoire

TASK [selinux : Disable SELinux] 

...

    "policy": "targeted", 
    "reboot_required": true, 
    "state": "disabled"

    Config SELinux state changed from 'permissive' to 'disabled'
    [selinux : Pause for reboot confirmation]

task path: /Users/ames4/git-repos/esgf-ansible/roles/base/tasks/config.yml:2
fatal: [esgf-test-data.llnl.gov]: FAILED! => {
    "before": "c62d6d576374263a375bf1b1436527cb7b618052",
    "changed": false
}

MSG:

Local modifications exist in repository (force=no).


PLAY RECAP *********************************************************************
esgf-test-data.llnl.gov    : ok=78   changed=7    unreachable=0    failed=1

TASK [certificate : Create vesgdev-idx.ipsl.upmc.fr Cert Own CA] ******************************************
task path: /root/tmp/esgf-ansible/roles/certificate/tasks/cert.yml:47
The full traceback is:
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1552319967.28-83731132508851/AnsiballZ_openssl_certificate.py", line 113, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1552319967.28-83731132508851/AnsiballZ_openssl_certificate.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1552319967.28-83731132508851/AnsiballZ_openssl_certificate.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 1091, in <module>
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 1070, in main
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 617, in generate
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 487, in check
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 469, in _validate_csr
IndexError: list index out of range
fatal: [vesgdev-idx.ipsl.upmc.fr]: FAILED! => {
    "changed": false, 
    "rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error


MODULE_STDERR:

Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1552319967.28-83731132508851/AnsiballZ_openssl_certificate.py", line 113, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1552319967.28-83731132508851/AnsiballZ_openssl_certificate.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1552319967.28-83731132508851/AnsiballZ_openssl_certificate.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 1091, in <module>
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 1070, in main
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 617, in generate
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 487, in check
  File "/tmp/ansible_openssl_certificate_payload_TOGEfY/__main__.py", line 469, in _validate_csr
IndexError: list index out of range


PLAY RECAP ************************************************************************************************
vesgdev-data.ipsl.upmc.fr  : ok=28   changed=8    unreachable=0    failed=1   
vesgdev-idx.ipsl.upmc.fr   : ok=100  changed=48   unreachable=0    failed=1

## Conda env installation

(Installation de pip (pour python 2.6) => pip search ansible crashes.)

PARENT_DIR='/root/tmp'
cd ${PARENT_DIR}

wget https://repo.anaconda.com/miniconda/Miniconda2-latest-Linux-x86_64.sh

chmod +x Miniconda2-latest-Linux-x86_64.sh
./Miniconda2-latest-Linux-x86_64.sh

source ${HOME}/.bashrc

conda create -y -n ansible python=2.7

conda activate ansible

pip install ansible==2.7

## esgf-ansible repo

PARENT_DIR='/root/tmp'
cd ${PARENT_DIR}

TAG_NAME='4.0.0-beta1'
git clone https://github.com/ESGF/esgf-ansible.git && cd esgf-ansible && git checkout $TAG_NAME

## Inventory

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/inventory.txt" <<EOF
[data]
vesgdev-data.ipsl.upmc.fr   ansible_connection=local

[index]
vesgdev-idx.ipsl.upmc.fr    ansible_connection=local

[idp]
vesgdev-idx.ipsl.upmc.fr   ansible_connection=local
EOF

## Host vars for vesgdev-data.ipsl.upmc.fr

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/host_vars/vesgdev-data.ipsl.upmc.fr.yml" <<EOF
### All paths in this file are on the machine
### on which Ansible itself will be run. That is,
### they are on the 'control' machine.

### Mirror Host
##
### The ESGF mirror to be used. Defaults to
### aims1.llnl.gov
##
### Choices:
## distrib-coffee.ipsl.jussieu.fr/pub
## dist.ceda.ac.uk
## aims1.llnl.gov
## esg-dn2.nsc.liu.se
##
mirror_host: distrib-coffee.ipsl.jussieu.fr/pub

### Prometheus Hosts and/or IPs
##
### This deployment deploys Prometheus exporters. These
### exporters report information and metrics about the node
### to a Prometheus server. The Prometheus server(s) must be
### specified so that it can be trusted to communicate with
### the exporters. Place your own Prometheus server here if
### applicable. This trust is at the webserver level.
##
### Information will not be collected until your host is added
### to the Prometheus server's target list. Remove the following
### lines if you would not like to participate in this, in which
### case only localhost will be trusted to access the exporters'
### information.
##
#prometheus_hosts:
#  - aims1.llnl.gov
#prometheus_ips:
#  - 10 # Trust your whole internal network

### Globus Services
##
### This information is used to connect the node
### to the Globus system. 
##
### Leave unspecified and the Globus Connect Server 
### setup steps will be skipped.
##
#globus_user:
#globus_pass:
#register_gridftp: true|false
#register_myproxy: true|false

### Keys and Certificates
# The priority for installing certs and keys goes like this:
# 1. Whatever is specified in the host_vars file will be installed,
#    whether or not the destination path is already present on the 
#    managed machine.
#
# 2. If the files are already present on the managed machine and 
#    nothing is specified in the host_vars file, the files that 
#    are present will be checked for validity. If the certificate is
#    found to be invalid, it will be removed and regenerated.
#
# 3. If no key and certificate files on the managed machine are
#    present and nothing is specified in the host_vars file, self-signed,
#    Ansible generated, certificates will be installed.

### Keys and Certificates for Globus Services
##
### The paths on the local machine to the respective 
### key/cert that have been signed by ESGF. If these
### have not been obtained for a node, leave unspecified.
##
### Leave unspecified and certificate signing requests for
### valid certs will be generated in the HOME directory
### of the root user.
##
#gftphostcert:
#gftphostkey:
#myproxycacert:
#myproxycakey:
#myproxy_signing_policy:

### Keys and Certificates for Web Services, httpd and tomcat
##
### The paths on the local machine to the respective 
### key/cert that have been signed by a commonly trusted 
### certificate authority.
##
### Leave unspecified and temporary, or LetsEncrypt (see below), 
### certificates will be generated.
##
#hostkey_src:
#hostcert_src:
#cachain_src:

### LetsEncrypt Certificates for Web Services
##
### LetsEncrypt certificates are browser trusted certificates
### that can be obtained in an automated fashion by proving
### you control the domain.
### In order for this to work your host must be publicly
### available at deployment time.
### This variable has no effect if the above host key/cert/chain
### variables for web services are specified.
##
### Leave unspecified to not attempt to retrieve LetsEncrypt certs.
##
#try_letsencrypt: true|false

### CentOS 6 iptables
##
### iptables is a tool that controls the Linux kernel's packet firewall.
### Many sites will likely wish to manage this on their own. If you are
### not familiar with this tool and would like this deployment to
### takes steps to configure the iptables for you on CentOS 6 then
### uncomment the below variable and set it to true. Otherwise your
### site will be responsible for ensuring the proper ports are open.
##
### Leave unspecified to manage iptables on CentOS 6 yourself.
##
#configure_centos6_iptables: true|false

gftphostcert: /etc/grid-security.bak/hostcert.pem
gftphostkey: /etc/grid-security.bak/hostkey.pem

hostkey_src: /etc/certs.bak/hostkey.pem
hostcert_src: /etc/certs.bak/hostcert.pem
cachain_src: /etc/certs.bak/cachain.pem

EOF








## Host vars for vesgdev-idx.ipsl.upmc.fr

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/host_vars/vesgdev-idx.ipsl.upmc.fr.yml" <<EOF
### All paths in this file are on the machine
### on which Ansible itself will be run. That is,
### they are on the 'control' machine.

### Mirror Host
##
### The ESGF mirror to be used. Defaults to
### aims1.llnl.gov
##
### Choices:
## distrib-coffee.ipsl.jussieu.fr/pub
## dist.ceda.ac.uk
## aims1.llnl.gov
## esg-dn2.nsc.liu.se
##
mirror_host: distrib-coffee.ipsl.jussieu.fr/pub

### Prometheus Hosts and/or IPs
##
### This deployment deploys Prometheus exporters. These
### exporters report information and metrics about the node
### to a Prometheus server. The Prometheus server(s) must be
### specified so that it can be trusted to communicate with
### the exporters. Place your own Prometheus server here if
### applicable. This trust is at the webserver level.
##
### Information will not be collected until your host is added
### to the Prometheus server's target list. Remove the following
### lines if you would not like to participate in this, in which
### case only localhost will be trusted to access the exporters'
### information.
##
#prometheus_hosts:
#  - aims1.llnl.gov
#prometheus_ips:
#  - 10 # Trust your whole internal network

### Globus Services
##
### This information is used to connect the node
### to the Globus system. 
##
### Leave unspecified and the Globus Connect Server 
### setup steps will be skipped.
##
#globus_user:
#globus_pass:
#register_gridftp: true|false
#register_myproxy: true|false

### Keys and Certificates
# The priority for installing certs and keys goes like this:
# 1. Whatever is specified in the host_vars file will be installed,
#    whether or not the destination path is already present on the 
#    managed machine.
#
# 2. If the files are already present on the managed machine and 
#    nothing is specified in the host_vars file, the files that 
#    are present will be checked for validity. If the certificate is
#    found to be invalid, it will be removed and regenerated.
#
# 3. If no key and certificate files on the managed machine are
#    present and nothing is specified in the host_vars file, self-signed,
#    Ansible generated, certificates will be installed.

### Keys and Certificates for Globus Services
##
### The paths on the local machine to the respective 
### key/cert that have been signed by ESGF. If these
### have not been obtained for a node, leave unspecified.
##
### Leave unspecified and certificate signing requests for
### valid certs will be generated in the HOME directory
### of the root user.
##
#gftphostcert:
#gftphostkey:
#myproxycacert:
#myproxycakey:
#myproxy_signing_policy:

### Keys and Certificates for Web Services, httpd and tomcat
##
### The paths on the local machine to the respective 
### key/cert that have been signed by a commonly trusted 
### certificate authority.
##
### Leave unspecified and temporary, or LetsEncrypt (see below), 
### certificates will be generated.
##
#hostkey_src:
#hostcert_src:
#cachain_src:

### LetsEncrypt Certificates for Web Services
##
### LetsEncrypt certificates are browser trusted certificates
### that can be obtained in an automated fashion by proving
### you control the domain.
### In order for this to work your host must be publicly
### available at deployment time.
### This variable has no effect if the above host key/cert/chain
### variables for web services are specified.
##
### Leave unspecified to not attempt to retrieve LetsEncrypt certs.
##
#try_letsencrypt: true|false

### CentOS 6 iptables
##
### iptables is a tool that controls the Linux kernel's packet firewall.
### Many sites will likely wish to manage this on their own. If you are
### not familiar with this tool and would like this deployment to
### takes steps to configure the iptables for you on CentOS 6 then
### uncomment the below variable and set it to true. Otherwise your
### site will be responsible for ensuring the proper ports are open.
##
### Leave unspecified to manage iptables on CentOS 6 yourself.
##
#configure_centos6_iptables: true|false

myproxycacert: /var/lib/globus/simple_ca/cacert.pem
myproxycakey: /var/lib/globus/simple_ca/private/cakey.pem
myproxy_signing_policy: /var/lib/globus/simple_ca/signing-policy

hostkey_src: /etc/certs.bak/hostkey.pem
hostcert_src: /etc/certs.bak/hostcert.pem
cachain_src: /etc/certs.bak/cachain.pem

EOF


## Preprocessing 

backup :
- certificate https
- certificate gridftp

* To do for vesgdev-idx

esg-node stop

rm -fr /etc/tempcerts
rm -fr /etc/certs.bak /etc/esgfcerts.bak /etc/grid-security.bak /var/lib/globus/simple_ca.bak ; cp -rp /etc/certs /etc/certs.bak ; cp -rp /etc/esgfcerts /etc/esgfcerts.bak ; cp -rp /etc/grid-security /etc/grid-security.bak ; cp -rp /var/lib/globus/simple_ca /var/lib/globus/simple_ca.bak

* To do for vesgdev-data

esg-node stop

rm -fr /etc/tempcerts
rm -fr /etc/certs.bak /etc/esgfcerts.bak /etc/grid-security.bak /var/lib/globus/simple_ca.bak ; cp -rp /etc/certs /etc/certs.bak ; cp -rp /etc/esgfcerts /etc/esgfcerts.bak ; cp -rp /etc/grid-security /etc/grid-security.bak ; cp -rp /var/lib/globus/simple_ca /var/lib/globus/simple_ca.bak

## Upgrade

export PARENT_DIR='/root/tmp'
script ${PARENT_DIR}/esgf-ansible/upgrade.log
cd ${PARENT_DIR}/esgf-ansible
source activate ansible
export ANSIBLE_NOCOLOR=true
ansible-playbook -vvv -i ${PARENT_DIR}/esgf-ansible/inventory.txt -u root install.yml

TASK [base : Create config directory] *****************************************************************************************************************************************************************************
ok: [vesgint-data.ipsl.upmc.fr]
ok: [vesgint-idx.ipsl.upmc.fr]
/home/esgf-watch-dog/miniconda2/envs/ansible/lib/python3.6/site-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.ecdsa_curve.curve_class(), pointinfo
/home/esgf-watch-dog/miniconda2/envs/ansible/lib/python3.6/site-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.ecdsa_curve.curve_class(), pointinfo

TASK [base : Install properties] **********************************************************************************************************************************************************************************
ok: [vesgint-data.ipsl.upmc.fr]
ok: [vesgint-idx.ipsl.upmc.fr]
/home/esgf-watch-dog/miniconda2/envs/ansible/lib/python3.6/site-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.ecdsa_curve.curve_class(), pointinfo
/home/esgf-watch-dog/miniconda2/envs/ansible/lib/python3.6/site-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.ecdsa_curve.curve_class(), pointinfo

TASK [base : Install config_type] *********************************************************************************************************************************************************************************
ok: [vesgint-data.ipsl.upmc.fr]
ok: [vesgint-idx.ipsl.upmc.fr]
/home/esgf-watch-dog/miniconda2/envs/ansible/lib/python3.6/site-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.ecdsa_curve.curve_class(), pointinfo
/home/esgf-watch-dog/miniconda2/envs/ansible/lib/python3.6/site-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.ecdsa_curve.curve_class(), pointinfo

TASK [base : Clone ESGF config repository] ************************************************************************************************************************************************************************
fatal: [vesgint-data.ipsl.upmc.fr]: FAILED! => {
    "changed": false,
    "cmd": "/usr/bin/git clone --origin origin https://github.com/ESGF/config.git /tmp/esgf-config",
    "rc": 128
}

STDERR:

fatal: destination path '/tmp/esgf-config' already exists and is not an empty directory.



MSG:

fatal: destination path '/tmp/esgf-config' already exists and is not an empty directory.
fatal: [vesgint-idx.ipsl.upmc.fr]: FAILED! => {
    "changed": false,
    "cmd": "/usr/bin/git clone --origin origin https://github.com/ESGF/config.git /tmp/esgf-config",
    "rc": 128
}

STDERR:

fatal: destination path '/tmp/esgf-config' already exists and is not an empty directory.



MSG:

fatal: destination path '/tmp/esgf-config' already exists and is not an empty directory.

TASK [certificate : Create vesgdev-idx.ipsl.upmc.fr Cert Own CA] ******************************************
task path: /root/tmp/esgf-ansible/roles/certificate/tasks/cert.yml:47
The full traceback is:
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1552319445.47-252336077670662/AnsiballZ_openssl_certificate.py", line 113, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1552319445.47-252336077670662/AnsiballZ_openssl_certificate.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1552319445.47-252336077670662/AnsiballZ_openssl_certificate.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 1091, in <module>
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 1070, in main
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 617, in generate
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 487, in check
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 469, in _validate_csr
IndexError: list index out of range
fatal: [vesgdev-data.ipsl.upmc.fr]: FAILED! => {
    "changed": false, 
    "rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error


MODULE_STDERR:

Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1552319445.47-252336077670662/AnsiballZ_openssl_certificate.py", line 113, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1552319445.47-252336077670662/AnsiballZ_openssl_certificate.py", line 105, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1552319445.47-252336077670662/AnsiballZ_openssl_certificate.py", line 48, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 1091, in <module>
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 1070, in main
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 617, in generate
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 487, in check
  File "/tmp/ansible_openssl_certificate_payload_q9dn8H/__main__.py", line 469, in _validate_csr
IndexError: list index out of range


PLAY RECAP ************************************************************************************************
vesgdev-data.ipsl.upmc.fr  : ok=105  changed=56   unreachable=0    failed=1   
vesgdev-idx.ipsl.upmc.fr   : ok=4    changed=0    unreachable=0    failed=1 

## Conda env installation

(Installation de pip (pour python 2.6) => pip search ansible crashes.)

PARENT_DIR='/root/tmp'
cd ${PARENT_DIR}

wget https://repo.anaconda.com/miniconda/Miniconda2-latest-Linux-x86_64.sh

chmod +x Miniconda2-latest-Linux-x86_64.sh
./Miniconda2-latest-Linux-x86_64.sh

source ${HOME}/.bashrc

conda create -y -n ansible python=2.7

conda activate ansible

pip install ansible==2.7

## esgf-ansible repo

PARENT_DIR='/root/tmp'
cd ${PARENT_DIR}

TAG_NAME='4.0.0-beta1'
git clone https://github.com/ESGF/esgf-ansible.git && cd esgf-ansible && git checkout $TAG_NAME

## Inventory

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/inventory.txt" <<EOF
[data]
vesgdev-data.ipsl.upmc.fr   ansible_connection=local

[index]
vesgdev-idx.ipsl.upmc.fr    ansible_connection=local

[idp]
vesgdev-idx.ipsl.upmc.fr   ansible_connection=local
EOF

## Host vars for vesgdev-data.ipsl.upmc.fr

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/host_vars/vesgdev-data.ipsl.upmc.fr.yml" <<EOF
### All paths in this file are on the machine
### on which Ansible itself will be run. That is,
### they are on the 'control' machine.

### Mirror Host
##
### The ESGF mirror to be used. Defaults to
### aims1.llnl.gov
##
### Choices:
## distrib-coffee.ipsl.jussieu.fr/pub
## dist.ceda.ac.uk
## aims1.llnl.gov
## esg-dn2.nsc.liu.se
##
mirror_host: distrib-coffee.ipsl.jussieu.fr/pub

### Prometheus Hosts and/or IPs
##
### This deployment deploys Prometheus exporters. These
### exporters report information and metrics about the node
### to a Prometheus server. The Prometheus server(s) must be
### specified so that it can be trusted to communicate with
### the exporters. Place your own Prometheus server here if
### applicable. This trust is at the webserver level.
##
### Information will not be collected until your host is added
### to the Prometheus server's target list. Remove the following
### lines if you would not like to participate in this, in which
### case only localhost will be trusted to access the exporters'
### information.
##
#prometheus_hosts:
#  - aims1.llnl.gov
#prometheus_ips:
#  - 10 # Trust your whole internal network

### Globus Services
##
### This information is used to connect the node
### to the Globus system. 
##
### Leave unspecified and the Globus Connect Server 
### setup steps will be skipped.
##
#globus_user:
#globus_pass:
#register_gridftp: true|false
#register_myproxy: true|false

### Keys and Certificates
# The priority for installing certs and keys goes like this:
# 1. Whatever is specified in the host_vars file will be installed,
#    whether or not the destination path is already present on the 
#    managed machine.
#
# 2. If the files are already present on the managed machine and 
#    nothing is specified in the host_vars file, the files that 
#    are present will be checked for validity. If the certificate is
#    found to be invalid, it will be removed and regenerated.
#
# 3. If no key and certificate files on the managed machine are
#    present and nothing is specified in the host_vars file, self-signed,
#    Ansible generated, certificates will be installed.

### Keys and Certificates for Globus Services
##
### The paths on the local machine to the respective 
### key/cert that have been signed by ESGF. If these
### have not been obtained for a node, leave unspecified.
##
### Leave unspecified and certificate signing requests for
### valid certs will be generated in the HOME directory
### of the root user.
##
#gftphostcert:
#gftphostkey:
#myproxycacert:
#myproxycakey:
#myproxy_signing_policy:

### Keys and Certificates for Web Services, httpd and tomcat
##
### The paths on the local machine to the respective 
### key/cert that have been signed by a commonly trusted 
### certificate authority.
##
### Leave unspecified and temporary, or LetsEncrypt (see below), 
### certificates will be generated.
##
#hostkey_src:
#hostcert_src:
#cachain_src:

### LetsEncrypt Certificates for Web Services
##
### LetsEncrypt certificates are browser trusted certificates
### that can be obtained in an automated fashion by proving
### you control the domain.
### In order for this to work your host must be publicly
### available at deployment time.
### This variable has no effect if the above host key/cert/chain
### variables for web services are specified.
##
### Leave unspecified to not attempt to retrieve LetsEncrypt certs.
##
#try_letsencrypt: true|false

### CentOS 6 iptables
##
### iptables is a tool that controls the Linux kernel's packet firewall.
### Many sites will likely wish to manage this on their own. If you are
### not familiar with this tool and would like this deployment to
### takes steps to configure the iptables for you on CentOS 6 then
### uncomment the below variable and set it to true. Otherwise your
### site will be responsible for ensuring the proper ports are open.
##
### Leave unspecified to manage iptables on CentOS 6 yourself.
##
#configure_centos6_iptables: true|false
EOF








## Host vars for vesgdev-idx.ipsl.upmc.fr

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/host_vars/vesgdev-idx.ipsl.upmc.fr.yml" <<EOF
### All paths in this file are on the machine
### on which Ansible itself will be run. That is,
### they are on the 'control' machine.

### Mirror Host
##
### The ESGF mirror to be used. Defaults to
### aims1.llnl.gov
##
### Choices:
## distrib-coffee.ipsl.jussieu.fr/pub
## dist.ceda.ac.uk
## aims1.llnl.gov
## esg-dn2.nsc.liu.se
##
mirror_host: distrib-coffee.ipsl.jussieu.fr/pub

### Prometheus Hosts and/or IPs
##
### This deployment deploys Prometheus exporters. These
### exporters report information and metrics about the node
### to a Prometheus server. The Prometheus server(s) must be
### specified so that it can be trusted to communicate with
### the exporters. Place your own Prometheus server here if
### applicable. This trust is at the webserver level.
##
### Information will not be collected until your host is added
### to the Prometheus server's target list. Remove the following
### lines if you would not like to participate in this, in which
### case only localhost will be trusted to access the exporters'
### information.
##
#prometheus_hosts:
#  - aims1.llnl.gov
#prometheus_ips:
#  - 10 # Trust your whole internal network

### Globus Services
##
### This information is used to connect the node
### to the Globus system. 
##
### Leave unspecified and the Globus Connect Server 
### setup steps will be skipped.
##
#globus_user:
#globus_pass:
#register_gridftp: true|false
#register_myproxy: true|false

### Keys and Certificates
# The priority for installing certs and keys goes like this:
# 1. Whatever is specified in the host_vars file will be installed,
#    whether or not the destination path is already present on the 
#    managed machine.
#
# 2. If the files are already present on the managed machine and 
#    nothing is specified in the host_vars file, the files that 
#    are present will be checked for validity. If the certificate is
#    found to be invalid, it will be removed and regenerated.
#
# 3. If no key and certificate files on the managed machine are
#    present and nothing is specified in the host_vars file, self-signed,
#    Ansible generated, certificates will be installed.

### Keys and Certificates for Globus Services
##
### The paths on the local machine to the respective 
### key/cert that have been signed by ESGF. If these
### have not been obtained for a node, leave unspecified.
##
### Leave unspecified and certificate signing requests for
### valid certs will be generated in the HOME directory
### of the root user.
##
#gftphostcert:
#gftphostkey:
#myproxycacert:
#myproxycakey:
#myproxy_signing_policy:

### Keys and Certificates for Web Services, httpd and tomcat
##
### The paths on the local machine to the respective 
### key/cert that have been signed by a commonly trusted 
### certificate authority.
##
### Leave unspecified and temporary, or LetsEncrypt (see below), 
### certificates will be generated.
##
#hostkey_src:
#hostcert_src:
#cachain_src:

### LetsEncrypt Certificates for Web Services
##
### LetsEncrypt certificates are browser trusted certificates
### that can be obtained in an automated fashion by proving
### you control the domain.
### In order for this to work your host must be publicly
### available at deployment time.
### This variable has no effect if the above host key/cert/chain
### variables for web services are specified.
##
### Leave unspecified to not attempt to retrieve LetsEncrypt certs.
##
#try_letsencrypt: true|false

### CentOS 6 iptables
##
### iptables is a tool that controls the Linux kernel's packet firewall.
### Many sites will likely wish to manage this on their own. If you are
### not familiar with this tool and would like this deployment to
### takes steps to configure the iptables for you on CentOS 6 then
### uncomment the below variable and set it to true. Otherwise your
### site will be responsible for ensuring the proper ports are open.
##
### Leave unspecified to manage iptables on CentOS 6 yourself.
##
#configure_centos6_iptables: true|false
EOF


## Preprocessing 

backup :
- certificate https
- certificate gridftp

* To do for vesgdev-idx

esg-node stop

rm -fr /etc/tempcerts
rm -fr /etc/certs.bak /etc/esgfcerts.bak /etc/grid-security.bak /var/lib/globus/simple_ca.bak ; cp -rp /etc/certs /etc/certs.bak ; cp -rp /etc/esgfcerts /etc/esgfcerts.bak ; cp -rp /etc/grid-security /etc/grid-security.bak ; cp -rp /var/lib/globus/simple_ca /var/lib/globus/simple_ca.bak

* To do for vesgdev-data

esg-node stop

rm -fr /etc/tempcerts
rm -fr /etc/certs.bak /etc/esgfcerts.bak /etc/grid-security.bak /var/lib/globus/simple_ca.bak ; cp -rp /etc/certs /etc/certs.bak ; cp -rp /etc/esgfcerts /etc/esgfcerts.bak ; cp -rp /etc/grid-security /etc/grid-security.bak ; cp -rp /var/lib/globus/simple_ca /var/lib/globus/simple_ca.bak

## Upgrade

export PARENT_DIR='/root/tmp'
script ${PARENT_DIR}/esgf-ansible/upgrade.log
cd ${PARENT_DIR}/esgf-ansible
source activate ansible
export ANSIBLE_NOCOLOR=true
ansible-playbook -vvv -i ${PARENT_DIR}/esgf-ansible/inventory.txt -u root install.yml

TASK [base : Create db super user] ************************************************************************
task path: /root/tmp/esgf-ansible/roles/base/tasks/postgres.yml:28
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_postgresql_user_payload_RlmlRZ/__main__.py", line 797, in main
    db_connection = psycopg2.connect(**kw)
OperationalError: n'a pas pu se connecter au serveur : Aucun fichier ou dossier de ce type
	Le serveur est-il actif localement et accepte-t-il les connexions sur la
 	socket Unix « /tmp/.s.PGSQL.5432 » ?

fatal: [vesgdev-idx.ipsl.upmc.fr]: FAILED! => {
    "changed": false, 
    "invocation": {
        "module_args": {
            "conn_limit": null, 
            "db": "", 
            "encrypted": true, 
            "expires": null, 
            "fail_on_user": true, 
            "login_host": "", 
            "login_password": "", 
            "login_unix_socket": "", 
            "login_user": "postgres", 
            "name": "dbsuper", 
            "no_password_changes": false, 
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", 
            "port": "5432", 
            "priv": null, 
            "role_attr_flags": "SUPERUSER", 
            "ssl_mode": "prefer", 
            "ssl_rootcert": null, 
            "state": "present", 
            "user": "dbsuper"
        }
    }
}

MSG:

unable to connect to database: n'a pas pu se connecter au serveur : Aucun fichier ou dossier de ce type
	Le serveur est-il actif localement et accepte-t-il les connexions sur la
 	socket Unix « /tmp/.s.PGSQL.5432 » ?


PLAY RECAP ************************************************************************************************
vesgdev-data.ipsl.upmc.fr  : ok=33   changed=5    unreachable=0    failed=1   
vesgdev-idx.ipsl.upmc.fr   : ok=80   changed=44   unreachable=0    failed=1  

## Conda env installation

(Installation de pip (pour python 2.6) => pip search ansible crashes.)

PARENT_DIR='/root/tmp'
cd ${PARENT_DIR}

wget https://repo.anaconda.com/miniconda/Miniconda2-latest-Linux-x86_64.sh

chmod +x Miniconda2-latest-Linux-x86_64.sh
./Miniconda2-latest-Linux-x86_64.sh

source ${HOME}/.bashrc

conda create -n -y ansible python=2.7

conda activate ansible

pip install ansible==2.7

## esgf-ansible repo

PARENT_DIR='/root/tmp'
cd ${PARENT_DIR}

TAG_NAME='4.0.0-beta1'
git clone https://github.com/ESGF/esgf-ansible.git && cd esgf-ansible && git checkout $TAG_NAME

## Inventory

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/inventory.txt" <<EOF
[data]
vesgdev-data.ipsl.upmc.fr   ansible_connection=local

[index]
vesgdev-idx.ipsl.upmc.fr    ansible_connection=local

[idp]
vesgdev-idx.ipsl.upmc.fr   ansible_connection=local
EOF

## Host vars for vesgdev-data.ipsl.upmc.fr

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/host_vars/vesgdev-data.ipsl.upmc.fr.yml" <<EOF
### All paths in this file are on the machine
### on which Ansible itself will be run. That is,
### they are on the 'control' machine.

### Mirror Host
##
### The ESGF mirror to be used. Defaults to
### aims1.llnl.gov
##
### Choices:
## distrib-coffee.ipsl.jussieu.fr/pub
## dist.ceda.ac.uk
## aims1.llnl.gov
## esg-dn2.nsc.liu.se
##
mirror_host: distrib-coffee.ipsl.jussieu.fr/pub

### Prometheus Hosts and/or IPs
##
### This deployment deploys Prometheus exporters. These
### exporters report information and metrics about the node
### to a Prometheus server. The Prometheus server(s) must be
### specified so that it can be trusted to communicate with
### the exporters. Place your own Prometheus server here if
### applicable. This trust is at the webserver level.
##
### Information will not be collected until your host is added
### to the Prometheus server's target list. Remove the following
### lines if you would not like to participate in this, in which
### case only localhost will be trusted to access the exporters'
### information.
##
#prometheus_hosts:
#  - aims1.llnl.gov
#prometheus_ips:
#  - 10 # Trust your whole internal network

### Globus Services
##
### This information is used to connect the node
### to the Globus system. 
##
### Leave unspecified and the Globus Connect Server 
### setup steps will be skipped.
##
#globus_user:
#globus_pass:
#register_gridftp: true|false
#register_myproxy: true|false

### Keys and Certificates
# The priority for installing certs and keys goes like this:
# 1. Whatever is specified in the host_vars file will be installed,
#    whether or not the destination path is already present on the 
#    managed machine.
#
# 2. If the files are already present on the managed machine and 
#    nothing is specified in the host_vars file, the files that 
#    are present will be checked for validity. If the certificate is
#    found to be invalid, it will be removed and regenerated.
#
# 3. If no key and certificate files on the managed machine are
#    present and nothing is specified in the host_vars file, self-signed,
#    Ansible generated, certificates will be installed.

### Keys and Certificates for Globus Services
##
### The paths on the local machine to the respective 
### key/cert that have been signed by ESGF. If these
### have not been obtained for a node, leave unspecified.
##
### Leave unspecified and certificate signing requests for
### valid certs will be generated in the HOME directory
### of the root user.
##
#gftphostcert:
#gftphostkey:
#myproxycacert:
#myproxycakey:
#myproxy_signing_policy:

### Keys and Certificates for Web Services, httpd and tomcat
##
### The paths on the local machine to the respective 
### key/cert that have been signed by a commonly trusted 
### certificate authority.
##
### Leave unspecified and temporary, or LetsEncrypt (see below), 
### certificates will be generated.
##
#hostkey_src:
#hostcert_src:
#cachain_src:

### LetsEncrypt Certificates for Web Services
##
### LetsEncrypt certificates are browser trusted certificates
### that can be obtained in an automated fashion by proving
### you control the domain.
### In order for this to work your host must be publicly
### available at deployment time.
### This variable has no effect if the above host key/cert/chain
### variables for web services are specified.
##
### Leave unspecified to not attempt to retrieve LetsEncrypt certs.
##
#try_letsencrypt: true|false

### CentOS 6 iptables
##
### iptables is a tool that controls the Linux kernel's packet firewall.
### Many sites will likely wish to manage this on their own. If you are
### not familiar with this tool and would like this deployment to
### takes steps to configure the iptables for you on CentOS 6 then
### uncomment the below variable and set it to true. Otherwise your
### site will be responsible for ensuring the proper ports are open.
##
### Leave unspecified to manage iptables on CentOS 6 yourself.
##
#configure_centos6_iptables: true|false
EOF








## Host vars for vesgdev-idx.ipsl.upmc.fr

PARENT_DIR='/root/tmp'
cat > "${PARENT_DIR}/esgf-ansible/host_vars/vesgdev-idx.ipsl.upmc.fr.yml" <<EOF
### All paths in this file are on the machine
### on which Ansible itself will be run. That is,
### they are on the 'control' machine.

### Mirror Host
##
### The ESGF mirror to be used. Defaults to
### aims1.llnl.gov
##
### Choices:
## distrib-coffee.ipsl.jussieu.fr/pub
## dist.ceda.ac.uk
## aims1.llnl.gov
## esg-dn2.nsc.liu.se
##
mirror_host: distrib-coffee.ipsl.jussieu.fr/pub

### Prometheus Hosts and/or IPs
##
### This deployment deploys Prometheus exporters. These
### exporters report information and metrics about the node
### to a Prometheus server. The Prometheus server(s) must be
### specified so that it can be trusted to communicate with
### the exporters. Place your own Prometheus server here if
### applicable. This trust is at the webserver level.
##
### Information will not be collected until your host is added
### to the Prometheus server's target list. Remove the following
### lines if you would not like to participate in this, in which
### case only localhost will be trusted to access the exporters'
### information.
##
#prometheus_hosts:
#  - aims1.llnl.gov
#prometheus_ips:
#  - 10 # Trust your whole internal network

### Globus Services
##
### This information is used to connect the node
### to the Globus system. 
##
### Leave unspecified and the Globus Connect Server 
### setup steps will be skipped.
##
#globus_user:
#globus_pass:
#register_gridftp: true|false
#register_myproxy: true|false

### Keys and Certificates
# The priority for installing certs and keys goes like this:
# 1. Whatever is specified in the host_vars file will be installed,
#    whether or not the destination path is already present on the 
#    managed machine.
#
# 2. If the files are already present on the managed machine and 
#    nothing is specified in the host_vars file, the files that 
#    are present will be checked for validity. If the certificate is
#    found to be invalid, it will be removed and regenerated.
#
# 3. If no key and certificate files on the managed machine are
#    present and nothing is specified in the host_vars file, self-signed,
#    Ansible generated, certificates will be installed.

### Keys and Certificates for Globus Services
##
### The paths on the local machine to the respective 
### key/cert that have been signed by ESGF. If these
### have not been obtained for a node, leave unspecified.
##
### Leave unspecified and certificate signing requests for
### valid certs will be generated in the HOME directory
### of the root user.
##
#gftphostcert:
#gftphostkey:
#myproxycacert:
#myproxycakey:
#myproxy_signing_policy:

### Keys and Certificates for Web Services, httpd and tomcat
##
### The paths on the local machine to the respective 
### key/cert that have been signed by a commonly trusted 
### certificate authority.
##
### Leave unspecified and temporary, or LetsEncrypt (see below), 
### certificates will be generated.
##
#hostkey_src:
#hostcert_src:
#cachain_src:

### LetsEncrypt Certificates for Web Services
##
### LetsEncrypt certificates are browser trusted certificates
### that can be obtained in an automated fashion by proving
### you control the domain.
### In order for this to work your host must be publicly
### available at deployment time.
### This variable has no effect if the above host key/cert/chain
### variables for web services are specified.
##
### Leave unspecified to not attempt to retrieve LetsEncrypt certs.
##
#try_letsencrypt: true|false

### CentOS 6 iptables
##
### iptables is a tool that controls the Linux kernel's packet firewall.
### Many sites will likely wish to manage this on their own. If you are
### not familiar with this tool and would like this deployment to
### takes steps to configure the iptables for you on CentOS 6 then
### uncomment the below variable and set it to true. Otherwise your
### site will be responsible for ensuring the proper ports are open.
##
### Leave unspecified to manage iptables on CentOS 6 yourself.
##
#configure_centos6_iptables: true|false
EOF


## Preprocessing 

backup :
- certificate https
- certificate gridftp

* To do for vesgdev-idx

esg-node stop

rm -fr /etc/tempcerts
rm -fr /etc/certs.bak /etc/esgfcerts.bak /etc/grid-security.bak /var/lib/globus/simple_ca.bak ; cp -rp /etc/certs /etc/certs.bak ; cp -rp /etc/esgfcerts /etc/esgfcerts.bak ; cp -rp /etc/grid-security /etc/grid-security.bak ; cp -rp /var/lib/globus/simple_ca /var/lib/globus/simple_ca.bak

* To do for vesgdev-data

esg-node stop

rm -fr /etc/tempcerts
rm -fr /etc/certs.bak /etc/esgfcerts.bak /etc/grid-security.bak /var/lib/globus/simple_ca.bak ; cp -rp /etc/certs /etc/certs.bak ; cp -rp /etc/esgfcerts /etc/esgfcerts.bak ; cp -rp /etc/grid-security /etc/grid-security.bak ; cp -rp /var/lib/globus/simple_ca /var/lib/globus/simple_ca.bak

## Upgrade

export PARENT_DIR='/root/tmp'
script ${PARENT_DIR}/esgf-ansible/upgrade.log
cd ${PARENT_DIR}/esgf-ansible
source activate ansible
export ANSIBLE_NOCOLOR=true
ansible-playbook -vvv -i ${PARENT_DIR}/esgf-ansible/inventory.txt -u root install.yml