Ansible deploy on debian / docker


#1

The ansible playbooks are tested on ubuntu 14 so far. Trying to run them on a debian machine I’m following the tutorial https://github.com/openfoodfoundation/ofn-install/wiki/Setup The language-pack-en-base package can not be found since the ubuntu package repositories are missing on debian. What is it used for? Also “sudo” needs to be installed manually on debian for ansible to run.

Currently I’m stuck on the last webserver task “update unicorn”
“msg”: "Could not find the requested service “‘unicorn_openfoodnetwork’”: "}
Can debian be the reason?

vars.yml contains overlapping configuration with inventory/…
The file is not mentioned in the deployment tutorial. What is it for?

Spree::Country Germany has id 155. Is more needed for l10n than the states.yml? https://github.com/orangeman/l10n_de Transfer git repo to github.com/openfoodfoundation?

Would it make sense to deploy into docker container(s) using ubuntu images?


#2

I try to stick to ubuntu and tested containers, friends are moving to BSD
for its more integrated approach to devops- so it could help OFN in the
future… G


#3

Thx @NorthernColorado for the hint!
Running the playbooks inside a docker ubuntu container did (finally) work => https://www.fairteil.de

this has also been very helpful:

here the changes I made https://github.com/openfoodfoundation/ofn-install/compare/master...orangeman:master

Changing RAILS_ENV and re-running only the deploy playbook did not work because the monit conf.d file (for delayed job workers) and the unicorn init script both contain rails_env but are part of the provision playbook. Hence the delayed job workers, unicorn and the configured mail method had different rails environments.

https://github.com/openfoodfoundation/ofn-install/blob/master/roles/common/templates/monit.j2

setting rails_env manually and starting delayed job workers manually did work, but monit is still not working

$ monit start
/etc/monit/monitrc:290: Include failed – Success '/etc/monit/conf-enabled/*'
any ideas?

Also I had to manually start nginx, memcached, postgresql and unicorn. Is this because of docker?

What is the normal way to start everything after playbooks ran?

What is the intended purpose of vars.yml?


Early draft of a docker compose deployment
#4

@orangeman there are some great points you’ve raised here.

About the other community forum posts you list, would you be able to make a note of what in those was useful on top of the ofn-install wiki docs? Ideally the wiki docs would be complete.

There are several issues also. Might you be up for creating GH issues for those to break them down?

I think the vars.yml file is no longer needed and the example file should be removed. All that config should now be under /inventory.


#5

Thx @pmackay! I’d be glad to enhance the deploy wiki. The issues are just not clear enough to me to articulate them properly :wink: But github is probably a good place to clarify https://github.com/openfoodfoundation/ofn-install/issues?utf8=✓&q=%20is%3Aopen

After the playbooks finish is everything supposed to be readily running?
(Maybe due to docker?) I had to start nginx/memcached/unicorn/delayed_job manually. So basically the last wiki page https://github.com/openfoodfoundation/ofn-install/wiki/Deployment-with-Ansible were missing the final steps in my experience and I still don’t understand how monit is supposed to be configured to work. Currently the delayed job worker runs manually as root which seems to create permission problems during backup/rollback :confused:


#6

This is offline again. Are there any more running deployments known so far?


#7

that’s great to hear @organgeman, I’m planning to get more involved with a
pilot for the NorthernColorado local food network, so I"m eager to use this
technique as well. when all is working perfectly, its easy to test locally
and easy to get changes up to the dev brach, from where its easy to pull
changes back down to our local dev instances… toward devops nirvana! :slight_smile:


#8

running the ansible playbooks in a local docker container worked great
except for letsencrypt ssl certificate registration handshakes…
That’s why I ended up running everything on the server

A few days ago I took it offline because:

  1. letsencrypt certificate expired
    How to renew it?

  2. needed the ip for a different website

In order to host multiple sites on the same ip it would help to have the nginx reverse proxy separately outside the docker container. Nginx would then forward requests differently depending on host domain name. The ofn docker image could then be build and run locally as well since nginx takes care of letsencrypt ssl. Maybe also the postgresql database could be split out and be shared as a separate docker container…

What do you think?


#9

the changes (that made the playbooks run through) can be pulled here
https://github.com/openfoodfoundation/ofn-install/pulls

e.g. the docker file https://github.com/openfoodfoundation/ofn-install/pull/57/commits/8706b23b6263adc044d0f909193f5a86010d21be


#10

Hi Florian

  1. letsencrypt certificate expired
    How to renew it?
  • there is a way to have a cron run every 2.5 months… so that by 3 months
    time it will be current rather than expired keep it current,
    If you look on the letsentrypt site FAQ it explains, otherwise I can help
    you to know how to set up the cron tab from the command line or in your
    docker playbook ( new method for me as well ) :slight_smile:

request routing? you could do dev on amazon first year free… the idea of
containers is to separate concerns and make things more secure, but I do
understand the cost savings of setting up a shared host, and how it would
help the many groups. I would prefer to run open food network rails code on
its own machine if possible, so that it does not get interfered with by
other activities on the server., and it won’t bother other sites… :slight_smile:

  1. for me, working in Prestashop lately, it has been easiest in the devops
    world to use one vagrant machine which has a db and apache2 served files in
    the same place for dev. In the future I hope to configure a way to push my
    local changes up to two or more machines - live, dev, and db//

  2. I am still figuring out the fineries of lets enctrypt, but I think as
    line as you gave it a local name, it would encypt. it does not issue certs
    for ip addresses alone…

g


#11

The current ofn-install scripts should I think setup LetsEncrypt with renewal - have you checked or tested this?


#12

@pmackay yes the ofn-install scripts did setup letsencrypt. It worked perfectly :slight_smile: for about three months. Is it supposed to renew by itself? or do I need to trigger that manually somehow?


#13

Howdy from frozen Colorado~ @orangeman . I just looked at

and It looks like you will have to set a cron by adding something like the
following until we add it to the docker file…

FYI- I’m also working with bro ‘intrusion detection’ for better server
security, and piwik for locally managed stats… I’m not sure what ofn is
doing for those features, but they are decisions to make for any local
deployment.
bro is pretty hugely popular it seems.

crontab –e

@monthly /your_path/letsencrypt/letsencrypt-auto --config
/etc/letsencrypt/cli.ini -d yourdomain.com -d www. yourdomain.com certonly
&& service apache2 reload

Content of cli.ini:
authenticator = webroot
webroot-path = /var/www/
server = https://acme-v01.api.letsencrypt.org/directory390
https://acme-v01.api.letsencrypt.org/directory
renew-by-default
agree-dev-preview
agree-tos
email = postmaster@yourdomain.com

this is a copy of the relevant changes I found on the github commit diff
page linked above…

  • default_type “text/plain”;
  • root /etc/letsencrypt/webrootauth;
  • }

#14

Thank You @NorthernColorado


#15

These Docker tutorials might prove useful.


#16

Thx @Mike

the issues had been related to the ofn setup and not necessarily to docker. I tried running (all) the ansible scripts inside a (single) ubuntu docker container.

Docker is not intended to be used as virtual machine / compatibility layer but as small lightweight cointainers (with only one linux process) that can flexibly be composed together… OFN deployment would be comprised of many containers. The benefit would be flexibility, e.g. trying a different reverse (caching) proxy or sharing the (heavy weight) postgres database between instances, etc… @almereyda once did a promising docker deploy Early draft of a docker compose deployment but I could only get it running 95%