This role will eventually be able to be used to completely configure an iRODS server once iRODS is installed. At the moment, it can maintain the following configuration files.
- irods_environment.json
- etc/irods/host_access_control_config.json
- etc/irods/hosts_config.json
- etc/irods/server_config.json
- etc/irods/service_account.config
iRODS 4.2.8 is installed.
The main.yml
tasks file that is called by default performs the same tasks as server.yml
, i.e., it deploys the set of files required by an iRODS server.
There are two tier-specific tasks files. client.yml
deploys the configuration files required by a client, e.g., the iCommands. Currently, it deploys the irods_environment.json file. server.yml
deploys the configuration files required by an iRODS server.
For each iRODS configuration file there is a corresponding tasks file that deploys only that configuration file. irods_environment.yml
deploys the client or clerver configuration file, irods_environment.json by default. In the etc/irods/
directory, host_access_control_config.yml
deploys host_access_control_config.json, hosts_config.yml
deploys hosts_config.json, server_config.yml
deploys server_config.json, and service_account.yml
deploys service_account.config.
The setup_irods.yml
and init_zone_user.yml
tasks files are not part of main.yml
or either of the tier-specific tasks files. setup_irods.yml
initializes the ICAT DB before calling server.yml
, and init_zone_user.yml
initializes the iRODS zone user on the inventory host.
Here are the role variables. None of them are required.
Variable | Default | Choices | Comment |
---|---|---|---|
irods_cfg_access_entries |
[] | A list of access entry objects defining who can access iRODS and from where, see below | |
irods_cfg_authentication_file |
/var/lib/irods/.irods/.irodsA | the authentication file for the client or clerver | |
irods_cfg_catalog_provider_hosts |
[ localhost ] |
a list of FQDNs or IP addresses of the catalog service providers | |
irods_cfg_catalog_service_role |
provider | consumer, provider | the role of the iRODS server, a provider directly accesses the catalog database, a consumer does not |
irods_cfg_client_default_hash_scheme |
irods_cfg_default_hash_scheme |
MD5, SHA256 | checksum scheme for the client or clerver |
irods_cfg_client_default_resource |
irods_cfg_default_resource_name but see comment |
the name of the resource used for client or clerver operations if one is not specified, on the clerver, if irods_cfg_default_resource_name is undefined, 'demoResc' will be used as the default. |
|
irods_cfg_client_encryption_algorithm |
irods_cfg_server_control_plane_encryption_algorithm |
EVP-supplied encryption algorithm for parallel transfer | |
irods_cfg_client_encryption_key_size |
32 | key size for parallel transport encryption | |
irods_cfg_client_encryption_num_hash_rounds |
irods_cfg_server_control_plane_encryption_num_hash_rounds |
number of hash rounds for parallel transfer encryption | |
irods_cfg_client_encryption_salt_size |
8 | salt size for parallel transfer encryption | |
irods_cfg_client_server_negotiation |
request_server_negotiation | none, request_server_negotiation | whether or not advanced negotiation is desired for the client or clerver |
irods_cfg_client_server_policy |
CS_NEG_DONT_CARE | CS_NEG_DONT_CARE, CS_NEG_REFUSE, CS_NEG_REQUIRE | which SSL policy for the client or clerver to use |
irods_cfg_client_xmsg_port |
the port used by the XMessage server | ||
irods_cfg_chown |
true | whether or not to make the service account the owner of the generate files | |
irods_cfg_connection_pool_refresh_time |
300 | the number of seconds after which an existing connection in a connection pool is refreshed | |
irods_cfg_cwd |
irods_cfg_home |
the initial working collection for the admin user | |
irods_cfg_database_user_password_salt |
the salt used when obfuscating user passwords stored in the catalog database | ||
irods_cfg_debug |
'' | '' or any combination of 'CAT', 'RDA', and 'SQL' | desired verbosity of the debug logging level for client or clerver. e.g., 'CATRDA' means include CAT and RDA debugging in debug log messages |
irods_cfg_default_dir_mode |
0750 | the Unix file system octal permission mode for a newly created directory | |
irods_cfg_default_file_mode |
0600 | the Unix file system octal permission mode for a newly created file | |
irods_cfg_default_hash_scheme |
SHA256 | MD5, SHA256 | the hash scheme used for file integrity checking |
irods_cfg_default_number_of_transfer_threads |
4 | the default maximum number of threads allowed for parallel transfer | |
irods_cfg_default_resource_directory |
the default Vault directory for the initial resource on server installation | ||
irods_cfg_default_resource_name |
the name of the initial resource on server installation | ||
irods_cfg_default_temporary_password_lifetime |
120 | the default number of seconds a server-side temporary password is valid | |
irods_cfg_environment_file |
home/irods_cfg_system_account_name /.irods/irods_environment.json but see comment |
the location where the iRODS environment file should be placed relative to irods_cfg_root_dir . For server configuration, the default is 'var/lib/irods/.irods/irods_environment.json' . |
|
irods_cfg_environment_variables |
{} | a set of environment variables to add to the server process environment | |
irods_cfg_federation |
[] | an array of federation objects identifying the zones this zone federates with, see below | |
irods_cfg_for_server |
false but see comment | whether or not a server is being configured. If the main or server tasks are run, this is forced to true . If the client tasks are run, this is forced to be false . |
|
irods_cfg_gsi_server_dn |
null | the distinguished name of the GSI server | |
irods_cfg_home |
/irods_cfg_zone_name /home/irods_cfg_zone_user |
the home collection of the admin user | |
irods_cfg_host |
ansible_inventory_name |
the fully qualified domain name of the server the client or clerver connects to | |
irods_cfg_host_entries |
[] | an array of host entry objects grouping host names and addresses referring to the same host, see below | |
irods_cfg_icat |
The ICAT DB configuration object. See below. If the server being configured isn't an IES, this should be null . |
||
irods_cfg_kerberos_name |
Kerberos distinguished name for KRB and GSI authentication | ||
irods_cfg_log_level |
5 | 1 - 10 | desired verbosity of logging |
irods_cfg_match_hash_policy |
compatible | compatible, strict | indicates to iRODS whether to use the hash used by the client or the data at rest, or to force the use of the default hash scheme |
irods_cfg_maximum_number_of_concurrent_rule_engine_server_processes |
4 | the maximum number of rule engine processes to run | |
irods_cfg_maximum_size_for_single_buffer |
32 | the maximum size in mebibytes for a single buffer | |
irods_cfg_maximum_temporary_password_lifetime |
1000 | the maximum number of seconds a server-side temporary password can be valid | |
irods_cfg_negotiation_key |
TEMPORARY_32byte_negotiation_key | a 32-byte encryption key shared by the zone for use in the advanced negotiation handshake at the beginning of an iRODS client connection | |
irods_cfg_pam_no_extend |
false, true, or null | set PAM password lifetime: normally 8 hours, but extended is 2 weeks | |
irods_cfg_pam_password_length |
maximum length of a PAM password | ||
irods_cfg_pam_password_max_time |
maximum allowed PAM password lifetime | ||
irods_cfg_pam_password_min_time |
minimum allowed PAM password lifetime | ||
irods_cfg_plugins_home |
directory to use for the client side plugins | ||
irods_cfg_re_additional_data_variable_mappings |
[] | an array of file names (without the .dvm extension) that will be loaded in order before core.dvm is loaded | |
irods_cfg_re_additional_function_name_mappings |
[] | an array of file names (without the .fnm extension) that will be loaded in order before core.fnm is loaded | |
irods_cfg_re_additional_rulebases |
[] | an array of file names (without the .re extension) that will be loaded in order before core.re is loaded | |
irods_cfg_root_dir |
/ | The root directory where all depositions are relative to | |
irods_cfg_rule_engine_server_sleep_time |
30 | how frequently the rule engine polls for scheduled rules when idle in seconds | |
irods_cfg_schema_validation_base_uri |
https://schemas.irods.org/configuration |
a URI or 'off' | the URI against which the iRODS server configuration is validated. 'off' means to skip validation |
irods_cfg_server_control_plane_encryption_algorithm |
AES-256-CBC | the algorithm used to encrypt control plane communications | |
irods_cfg_server_control_plane_encryption_num_hash_rounds |
16 | the number of hash rounds used in the control plane communications | |
irods_cfg_server_control_plane_key |
TEMPORARY__32byte_ctrl_plane_key | the the encryption key required for communicating with the iRODS grid control plane, must be 32 bytes | |
irods_cfg_server_control_plane_port |
1248 | the port on which the control plane operates | |
irods_cfg_server_control_plane_timeout |
10000 | the number of milliseconds before control plane times out | |
irods_cfg_server_port_range_end |
20199 | the ending of the port range available for re-connections, parallel transfer and RBUDP transfer | |
irods_cfg_server_port_range_start |
20000 | the beginning of the port range available for re-connections, parallel transfer and RBUDP transfer | |
irods_cfg_ssl_ca_certificate_file |
location of a file of trusted CA certificates in PEM format | ||
irods_cfg_ssl_ca_certificate_path |
location of a directory containing CA certificates in PEM format | ||
irods_cfg_ssl_certificate_chain_file |
the file containing the server's certificate chain | ||
irods_cfg_ssl_certificate_key_file |
private key corresponding to the server's certificate in the certificate chain file | ||
irods_cfg_ssl_dh_params_file |
the Diffie-Hellman parameter file location | ||
irods_cfg_ssl_verify_server |
hostname | cert, hostname, none | level of server certificate based authentication to perform |
irods_cfg_system_account_name |
irods | the account used to run iRODS | |
irods_cfg_system_group_name |
irods_cfg_system_account_name |
the group used to run iRODS | |
irods_cfg_transfer_buffer_size_for_parallel_transfer |
4 | the buffer size in mebibytes for parallel transfer | |
irods_cfg_transfer_chunk_size_for_parallel_transfer |
40 | the chunk size in mebibytes for parallel transfer | |
irods_cfg_validate |
true | whether or not the configuration values should be validated when the configuration files are generated | |
irods_cfg_xmsg_host |
the host name of the XMessage server | ||
irods_cfg_xmsg_port |
1279 | the port on which the XMessage server operates should it be enabled | |
irods_cfg_zone_auth_scheme |
native | gsi, krb, native, pam | the authentication scheme used by irods_cfg_zone_user |
irods_cfg_zone_key |
TEMPORARY_zone_key | the shared secret used for authentication and identification on server-to-server communication, it cannot contain hyphens (- ) |
|
irods_cfg_zone_name |
tempZone | the name of the in which the server participates | |
irods_cfg_zone_password |
rods | the password used to authenticate irods_cfg_zone_user . |
|
irods_cfg_zone_port |
1247 | the main port used by the zone for communication | |
irods_cfg_zone_user |
rods | the name of the rodsadmin user running this iRODS instance |
The irods_cfg_access_entries
variables is an array of access_entry
objects. An access_entry
object has the following fields, all of them required.
Field | Choices | Comments |
---|---|---|
address |
the IPv4 address of a host or network that is able to access | |
group |
the iRODS group able to access | |
mask |
the network mask when address is a network address |
|
user |
the iRODS user able to access |
The irods_cfg_environment_variables
variable is a dictionary where the key is the name of a server process environment variable, and the value is the value of the environment variable.
The irods_cfg_federation
variable is an array of federation
objects. A federation
object has the following fields, all of them required.
Field | Choices | Comments |
---|---|---|
catalog_provider_hosts |
a list of FQDNs or IP addresses of the catalog service providers in the federated zone | |
negotiation_key |
the 32-byte encryption key of the federated zone | |
zone_key |
the shared authentication secret with the federated zone | |
zone_name |
the name of the federated zone |
The irods_cfg_host_entries
variable is an array of host_entry
objects. A host_entry
object has the following fields, all of them required.
Field | Choices | Comments |
---|---|---|
address_type |
local, remote | indicates if this host is localhost. |
addresses |
an array of names and addresses referring to this host |
The irods_cfg_icat
variable is an icat
object. An icat
object has the following fields, none of them are required.
Field | Default | Choices | Comments |
---|---|---|---|
catalog_database_type |
postgres | mysql, oracle, postgres | the type of database iRODS is using for the iCAT. see below |
db_host |
localhost | the hostname of the DBMS | |
db_name |
ICAT | the name of the database used as the iCAT | |
db_password |
testpassword | the password used by db_username to connect to db_name |
|
db_port |
5432 | the port on which the database server is listening | |
db_username |
irods | the database user name | |
odbc_driver |
null | The ODBC driver to user, if null the driver will be automatically determined |
For catalog_database_type
, only postgres
has been fully tested.
If any of the iRODS configuration files are changed, the fact irods_cfg_made_changes
will be set to true
.
None
# Client
- hosts: webdav
vars:
irods_cfg_environment_file: etc/httpd/irods/irods_environment.json
irods_cfg_authentication_file: /etc/httpd/irods/.irodsA
irods_cfg_chown: false
irods_cfg_host: ares.iplantcollaborative.org
irods_cfg_zone_name: iplant
irods_cfg_zone_user: davrods_svc
irods_cfg_home: /iplant
tasks:
- include_role:
name: cyverse-ansible.irods-cfg
tasks_from: "{{ item }}"
with_items:
- client.yml
- init_zone_user.yml
# Catalog Service Provider
- hosts: irods_catalog_provider
roles:
- role: cyverse-ansible.irods-cfg
vars:
irods_cfg_default_hash_scheme: MD5
irods_cfg_default_number_of_transfer_threads: 16
irods_cfg_default_resource_name: CyVerseRes
irods_cfg_environment_variables:
amqp_host: amqp.cyverse.org
irods_cfg_federation:
- icat_host: irods.tacc.utexas.edu
negotiation_key: "Don't you wish! !"
zone_key: crack me
zone_name: tacc
irods_cfg_host_entries:
- address_type: local
addresses:
- ares.iplantcollaborative.org
- data.cyverse.org
- data.iplantcollaborative.org
irods_cfg_icat:
db_host: irods-db.cyverse.org
db_password: secret
db_username: icatuser
irods_cfg_negotiation_key: Just guess it .
irods_cfg_re_additional_rulebases:
- ipc_custom
irods_cfg_server_control_plane_key: "I'm not telling ."
irods_cfg_server_port_range_end: 20399
irods_cfg_transfer_buffer_size_for_parallel_transfer: 32
irods_cfg_zone_key: secret
irods_cfg_zone_name: iplant
irods_cfg_zone_user: cyverse_admin
# Catalog Service Consumer Acting as a Resource Server
- hosts: irods_resource_server
roles:
- role: cyverse-ansible.irods-cfg
vars:
irods_cfg_default_hash_scheme: MD5
irods_cfg_default_number_of_transfer_threads: 16
irods_cfg_default_resource_directory: /f2/haboob
irods_cfg_default_resource_name: haboobRes
irods_cfg_negotiation_key: Just guess it .
irods_cfg_re_additional_rulebases:
- ipc_custom
irods_cfg_server_control_plane_key: "I'm not telling ."
irods_cfg_server_port_range_end: 20399
irods_cfg_transfer_buffer_size_for_parallel_transfer: 32
irods_cfg_zone_key: secret
irods_cfg_zone_name: iplant
irods_cfg_zone_user: has_admin
See license.
Tony Edgin [email protected] CyVerse