From Fedora Project Wiki
m (First Part of integrating mailing list discussion.)
No edit summary
Line 16: Line 16:
|}
|}


Goal is to explore Ansible to provide easy installation and pre-configuration for key services in Fedora Server Edition.
Goal is to explore '''Ansible''' to provide easy installation and pre-configuration for key services in Fedora Server Edition. It is all about improving, systematizing and simplifying its system management.  


This page is intended to organize and structure the discussion about improving the use of Ansible to support Fedora Server Edition system management. It is work in progress, not documentation of finished procedures.
This page is intended to organize and structure the discussion. It is work in progress, not documentation of finished procedures.


It is intended to be uses as a kind of (simple) content federation tool. We specify items to discuss here, discuss on mailing list or IRC meetings and bring their results together here.
It is intended to be uses as a kind of (simple) content federation tool. We specify items to discuss here, discuss on mailing list or IRC meetings and bring their results together here.


=== Use Cases – What do we want to achieve ===
== Use Cases – What do we want to achieve ==


==== 1. Installation of application server - the Wildfly example ====
=== 1. Installation of (Java) application server - the Wildfly example ===
 
==== Description ====
 
Wildfly is an eminently important and widely used application on Fedora Server Edition. Unfortunately, experience has shown that building a wildfly rpm package is not feasible. This does not only apply to Fedora, but also to at least most, if not all other distributions. As a consequence, the system administrator not only has to perform the software configuration - which is already complex and extensive in itself - but also its installation, including the embedding into the server ''systemd'' runtime system.
 
As a way out, many instructions for manual installation can be found, which follow different ways and installation systematics. Many are incomplete or even faulty and lead to system malfunctions.
 
'''Goal''' is to ensure a systematic, reproduceable and smooth integration into the Fedora way of installing software.
 
==== Tasks to perform ====
 
* Installation of the appropriate Java version
* Installation of backend software, specifically a database (postgresql or an alternative)
* Deploying a systemd service configuration
* Download of Wildfly software from upstream
* Installation of Wildfly in an appropriate location
* Configure Wildfly as a standalone or domain service
* Optionally connect Wildfly to a Web frontend (httpd)
 
==== Implementation ====


A role for installing and configuring Wildfly (or any other large complex piece of Software) will be really ambitious.  It could be installed via the provider’s installation method which would probably include software installed in /opt that are specific to the individual application.  Or we could perhaps develop server-ansible-roles to download all the individual component pieces, package them into rpms, submit them to the Fedora Packaging processes for inclusion into basic fedora.
A role for installing and configuring Wildfly (or any other large complex piece of Software) will be really ambitious.  It could be installed via the provider’s installation method which would probably include software installed in /opt that are specific to the individual application.  Or we could perhaps develop server-ansible-roles to download all the individual component pieces, package them into rpms, submit them to the Fedora Packaging processes for inclusion into basic fedora.
Line 30: Line 50:
I would envision continuing using rpm packages (not coprs and not flatpacks) for basic software installation.  I would envision a git-like repository maintained by the Fedora Server working group (along with other stakeholders) to provide the server-ansible-roles necessary to integrate all of the pieces together.  The key to making all of this work is good, user-focused, up-to-date documentation on the wiki, web site and in the server-ansible-roles.
I would envision continuing using rpm packages (not coprs and not flatpacks) for basic software installation.  I would envision a git-like repository maintained by the Fedora Server working group (along with other stakeholders) to provide the server-ansible-roles necessary to integrate all of the pieces together.  The key to making all of this work is good, user-focused, up-to-date documentation on the wiki, web site and in the server-ansible-roles.


===== Miscellaneous Notes =====
==== Miscellaneous Notes ====
* Experience has shown that building a wildfly rpm is not feasible. This is not only true for Fedora, but also for other distributions. As a way out, many instructions for installation can be found, which follow different ways and installation systematics.
 
** '''Goal''' is to ensure a systemtatic, reproduceable und smooth integration into the Fedora way of installing software
**  


* One idea is to provide a "wildfly-installation-preparation.rpm" that installs the systemd infrastructure and a script that informs that an installation of the software is required to use it. For installation, a script or an Ansible playbook is provided to guide the system administrator.
* One idea is to provide a "wildfly-installation-preparation.rpm" that installs the systemd infrastructure and a script that informs that an installation of the software is required to use it. For installation, a script or an Ansible playbook is provided to guide the system administrator.
Line 48: Line 68:
** not everywhere a container is a good or even a feasible solution (administrative overhead, disposable strategy, additional workflow and build environment, etc.)   
** not everywhere a container is a good or even a feasible solution (administrative overhead, disposable strategy, additional workflow and build environment, etc.)   


==== 2. Installation of a complex service using different Fedora packages - the example Mail Service ====
=== 2. Installation of a complex service using different Fedora packages - the example Mail Service ===


===== Description =====
==== Description ====
A small site without an experienced Systems Administrator wishes to  host their own email server.  This would normally involve installing postfix, sendmail or some other Message Transfer Agent (MTA).  It would also normally involve installing dovecot or some other Message Delivery Agent (MDA).  While rpms exist for the above services, the rpms contain generic configuration files that require manual “tweaking” before the services will work together as one unit.
A small site without an experienced Systems Administrator wishes to  host their own email server.  This would normally involve installing postfix, sendmail or some other Message Transfer Agent (MTA).  It would also normally involve installing dovecot or some other Message Delivery Agent (MDA).  While rpms exist for the above services, the rpms contain generic configuration files that require manual “tweaking” before the services will work together as one unit.
   
   
Line 63: Line 83:
For a site considering migration from other OS’s to Fedora, completing this process could take days if not weeks.  With all the old and outdated documentation on the web, it almost becomes a trial and error situation.  With carefully crafted server-ansible-roles, it should be a matter of instructions on how to access the server-ansible-roles repository and providing well-documented defaults/main.yml and vars/main.yml files.  The unfamiliar Systems Administrator then only needs to provide the site-specific values in the Ansible variables files.
For a site considering migration from other OS’s to Fedora, completing this process could take days if not weeks.  With all the old and outdated documentation on the web, it almost becomes a trial and error situation.  With carefully crafted server-ansible-roles, it should be a matter of instructions on how to access the server-ansible-roles repository and providing well-documented defaults/main.yml and vars/main.yml files.  The unfamiliar Systems Administrator then only needs to provide the site-specific values in the Ansible variables files.


===== Miscellaneous Notes =====
==== Miscellaneous Notes ====
* A mail service includes several different packages, e.g. Postfix, Dovecot, SpamAssassin, OpenDKIM, etc., which must be configured to work together.  
* A mail service includes several different packages, e.g. Postfix, Dovecot, SpamAssassin, OpenDKIM, etc., which must be configured to work together.  
* There are guides that often contain configuration instructions that do not apply to Fedora or packages for various reasons not available in Fedora
* There are guides that often contain configuration instructions that do not apply to Fedora or packages for various reasons not available in Fedora
Line 73: Line 93:
** We may need to develop different prototype use cases, each containing customization capabilities.  
** We may need to develop different prototype use cases, each containing customization capabilities.  


==== 3. Linux System Roles ====
=== 3. Linux System Roles ===


There is a project that provides a collection of Ansible Playbooks for typical system administration tasks:
There is a project that provides a collection of Ansible Playbooks for typical system administration tasks:
Line 88: Line 108:
# What new system-roles can we provide?  
# What new system-roles can we provide?  


=== Fedora Policy requirements ===
== Fedora Policy requirements ==


Fedora policies impose requirements on artifacts that Fedora distributes. Obviously, some of the current rules are:  
Fedora policies impose requirements on artifacts that Fedora distributes. Obviously, some of the current rules are:  
Line 99: Line 119:
We need to investigate the regulations and analyze the possibilities they provide.  
We need to investigate the regulations and analyze the possibilities they provide.  


=== How to distribute / distribution options ===
== How to distribute / distribution options ==


* downloadable from server-wg home page (??)
* downloadable from server-wg home page (??)

Revision as of 16:45, 31 May 2021

Fedora Server Ansible Team
Activists

Communicating

Goal is to explore Ansible to provide easy installation and pre-configuration for key services in Fedora Server Edition. It is all about improving, systematizing and simplifying its system management.

This page is intended to organize and structure the discussion. It is work in progress, not documentation of finished procedures.

It is intended to be uses as a kind of (simple) content federation tool. We specify items to discuss here, discuss on mailing list or IRC meetings and bring their results together here.

Use Cases – What do we want to achieve

1. Installation of (Java) application server - the Wildfly example

Description

Wildfly is an eminently important and widely used application on Fedora Server Edition. Unfortunately, experience has shown that building a wildfly rpm package is not feasible. This does not only apply to Fedora, but also to at least most, if not all other distributions. As a consequence, the system administrator not only has to perform the software configuration - which is already complex and extensive in itself - but also its installation, including the embedding into the server systemd runtime system.

As a way out, many instructions for manual installation can be found, which follow different ways and installation systematics. Many are incomplete or even faulty and lead to system malfunctions.

Goal is to ensure a systematic, reproduceable and smooth integration into the Fedora way of installing software.

Tasks to perform

  • Installation of the appropriate Java version
  • Installation of backend software, specifically a database (postgresql or an alternative)
  • Deploying a systemd service configuration
  • Download of Wildfly software from upstream
  • Installation of Wildfly in an appropriate location
  • Configure Wildfly as a standalone or domain service
  • Optionally connect Wildfly to a Web frontend (httpd)

Implementation

A role for installing and configuring Wildfly (or any other large complex piece of Software) will be really ambitious. It could be installed via the provider’s installation method which would probably include software installed in /opt that are specific to the individual application. Or we could perhaps develop server-ansible-roles to download all the individual component pieces, package them into rpms, submit them to the Fedora Packaging processes for inclusion into basic fedora.

I would envision continuing using rpm packages (not coprs and not flatpacks) for basic software installation. I would envision a git-like repository maintained by the Fedora Server working group (along with other stakeholders) to provide the server-ansible-roles necessary to integrate all of the pieces together. The key to making all of this work is good, user-focused, up-to-date documentation on the wiki, web site and in the server-ansible-roles.

Miscellaneous Notes

  • One idea is to provide a "wildfly-installation-preparation.rpm" that installs the systemd infrastructure and a script that informs that an installation of the software is required to use it. For installation, a script or an Ansible playbook is provided to guide the system administrator.
    • This idea is inspired by the postgresql dbinit process.
  • Script or Playbook ensure that all installations of this type follow the same principles and comply with the Fedora guidelines for installing Java software.

Cons

  • Fedora policies (may) prohibit this type of rpm.

Alternatives

  • prebuilt containers as a stopgap option
    • not everywhere a container is a good or even a feasible solution (administrative overhead, disposable strategy, additional workflow and build environment, etc.)

2. Installation of a complex service using different Fedora packages - the example Mail Service

Description

A small site without an experienced Systems Administrator wishes to host their own email server. This would normally involve installing postfix, sendmail or some other Message Transfer Agent (MTA). It would also normally involve installing dovecot or some other Message Delivery Agent (MDA). While rpms exist for the above services, the rpms contain generic configuration files that require manual “tweaking” before the services will work together as one unit.

One potential server-ansible-role might install the postfix rpm. Another server-ansible role might install the sendmail rpm. Yet another rpm might install the dovecot rpm. A yet-to-be-developed server-ansible-role might configure postfix and dovecot to work together. A second yet-to-be developed server-ansible-role might configure sendmail and dovecot to work together.

The site may wish to only allow for secure transmissions between the MTA and the sending User Agent (UA) as well as between the MDA and the UA. That would involve installing the the certbot rpm, requesting the necessary certificates from the Letsencrypt CA, and configuring the MTA and MDA configuration files to provide secure transmissions. A server-ansible-role could do all of this assuming the MTA was postfix and another server-ansible-role could do all of this assuming the MTA was sendmail.

The site may wish to implement Spamassassin, Clamav, DKIM, DMARC and SPF in a matter similar to that described above.

Other possibilities include configuring the MTA and MDA to host multiple virtual domains and/or virtual users. This would require installing an RPM for a database of choice and making all the necessary configuration file changes required to integrate it into the sites MTA/MDA infrastructure.

For a site considering migration from other OS’s to Fedora, completing this process could take days if not weeks. With all the old and outdated documentation on the web, it almost becomes a trial and error situation. With carefully crafted server-ansible-roles, it should be a matter of instructions on how to access the server-ansible-roles repository and providing well-documented defaults/main.yml and vars/main.yml files. The unfamiliar Systems Administrator then only needs to provide the site-specific values in the Ansible variables files.

Miscellaneous Notes

  • A mail service includes several different packages, e.g. Postfix, Dovecot, SpamAssassin, OpenDKIM, etc., which must be configured to work together.
  • There are guides that often contain configuration instructions that do not apply to Fedora or packages for various reasons not available in Fedora
    • Goal is to provide an easy way to a cross-package and coordinated configuration of a service.

Cons

  • There are so many different possible Installation options
    • We may need to develop different prototype use cases, each containing customization capabilities.

3. Linux System Roles

There is a project that provides a collection of Ansible Playbooks for typical system administration tasks:

Topics to discuss:

  1. Do the scripts play well with Fedora Server?
  2. Do we want to encourage the use of those scripts and how?
  3. How can we make them (better) usable in Fedora Server?
  4. Can we use them as a kind of base library for more complex, cross-package services?
  5. What new system-roles can we provide?

Fedora Policy requirements

Fedora policies impose requirements on artifacts that Fedora distributes. Obviously, some of the current rules are:

  • Helper rpms that only contain the systemd environment and an installation script do not comply with Fedora policy
  • Packaged Ansible roles, collections and things should be referencing packages and leverage Fedora content rather than external stuff
  • Fedora containers as well should leverage Fedora content

We need to investigate the regulations and analyze the possibilities they provide.

How to distribute / distribution options

  • downloadable from server-wg home page (??)