Add ansible role for GCP #1
I'm not seeing anything in here that's GCP specific. There are new additions for the rust agent and dependencies, but it's very similar to the existing ansible-keylime project.
Are there other planned additions that are GCP specific that are coming later?
keylime-ansible-gcp/playbook.yml
name: libselinux-python3 | ||
state: present | ||
roles: | ||
- keylime-gcp |
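Review bot: the role is referenced here as `keylime-gcp`, while the error trace later in this thread points at `roles/create-gcp/tasks/gcp.yml`; make sure the `roles:` entry and the role directory name agree after the rename, otherwise the playbook fails before any task runs.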
Can you add a new line at the end of the files? It's a pretty common thing to require and most code editors have some setting to enable it if it's not the default.
keylime-ansible-gcp/README.md
For details on the Rust agent, please consult the [repository](https://github.com/keylime/rust-keylime). | ||
|
||
## Usage | ||
Run the playbook against your target remote host(s). Note: the hosts must have the vTPM enabled in the Google Cloud Console. |
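Review bot: "the hosts must have the vTPM enabled in the Google Cloud Console" leaves the reader to hunt for the setting; name it (the vTPM is one of the Shielded VM options on the instance) and say why it matters here, namely that the Keylime agent needs that TPM to register and attest, so an instance created without it cannot be verified at all.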
A cooler next step would be to have this playbook actually create the host(s) in GCP with all of the right settings (OS, image, vTPM, etc). It could have some parameters passed on the cmd line to override some defaults (like compute size, storage size, etc). And since almost all real world scenarios don't have the agent and the server side components (verifier, registrar, etc) running on the same host, it could create a couple of hosts, say 1 where the agent is running and 1 where the server side components are running.
I've done these kinds of playbooks before in ansible for AWS, so I'm making an assumption that they can also work for GCP.
Force-pushed from 8ce3eea to cabaaf4.
I did a quick test and ran into an error! Luckily for us, I am the perfect naive user here, so a problem I run into is likely to be found by others as well. It's probably something I'm doing wrong; I can help troubleshoot if it's useful.
I was also wondering: how does one run the tests? Can that go in the README also?
README.md
# keylime-cloud-environments | ||
Setup instructions and scripts for running Keylime in cloud environments | ||
# Keylime Cloud Environments | ||
Setup instructions and scripts for running [Keylime](https://github.com/keylime/keylime) in cloud environments. |
I would add a line here that says something like: each cloud environment is located in a separate directory. Navigate to these and follow the instructions in the README. (maybe with links)
keylime-ansible-gcp/README.md
`$ pip3 install requests google-auth` | ||
2. [Create a GCP service account](https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount) for ansible's use. | ||
3. [Create and download keys linked to this service account](https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts&zippy=%2Cservice-accounts) | ||
4. Add path to ssh key to ansible config (/etc/ansible/ansible.conf) \ |
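Review bot: step 4 points at `/etc/ansible/ansible.conf`, but Ansible reads `ansible.cfg` (system-wide `/etc/ansible/ansible.cfg`, or `./ansible.cfg` next to the playbook); with the wrong file name the `private_key_file` setting is silently ignored. The step also reads as if the ssh key were the file downloaded in step 3: say explicitly that step 3 produces the service-account credential Ansible uses to talk to the GCP API, while `private_key_file` is the SSH private key used to log in to the created instance, and that neither file belongs in the repository.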
4. Add path to ssh key to ansible config (/etc/ansible/ansible.conf) \ | |
4. Add path to ssh key to ansible config (`/etc/ansible/ansible.conf`) \ |
keylime-ansible-gcp/README.md
[defaults] \ | ||
private_key_file = /home/user/my_key |
Would suggest putting this in a code block
keylime-ansible-gcp/README.md
1. Install dependecies for the Ansible - GCP module | ||
`$ pip3 install requests google-auth` | ||
2. [Create a GCP service account](https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount) for ansible's use. | ||
3. [Create and download keys linked to this service account](https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts&zippy=%2Cservice-accounts) |
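Review bot: step 3 does not say which key format to download, and the GCP dialog offers P12 or JSON (the reviewer below ended up with P12); since the thread later mentions a script that parses the downloaded JSON file, say "JSON" explicitly here. One more sentence is worth adding: this file contains the service account's private key, so store it with mode 0600 outside the checkout and rotate it if it is ever exposed.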
"Choose whether to download the service account's public/private key as a standard P12 file, or as a JSON file that can be loaded by a Google API client library." Which one here? I ended up using P12.
keylime-ansible-gcp/README.md
## Configuration | ||
1. Install dependecies for the Ansible - GCP module | ||
`$ pip3 install requests google-auth` | ||
2. [Create a GCP service account](https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount) for ansible's use. |
It might be good to add a step about using an existing project or creating a new one, because GCP forces you to do this before you can create the service account. Or just change this step to "create/use a project in your GCP account and then [create a GCP service account]"
|
||
## Configuration | ||
1. Install dependecies for the Ansible - GCP module | ||
`$ pip3 install requests google-auth` |
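Review bot: the dependency step installs only the Python libraries; the `google.cloud` Ansible collection that provides `google.cloud.gcp_compute_disk` is not listed, and the first test run in this thread fails with exactly that symptom ("couldn't resolve module/action 'google.cloud.gcp_compute_disk' ... missing collection"). Add `ansible-galaxy collection install google.cloud` to this step (or ship a `requirements.yml` and document `ansible-galaxy collection install -r requirements.yml`), and fix the typo "dependecies".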
Maybe add that openssl is required / helpful
keylime-ansible-gcp/README.md
`$ export GCP_PROJECT="<name of GCP project>"` \ | ||
`$ export GCP_CRED_KIND="serviceaccount"`\ | ||
`$ export GCP_CRED_FILE="<path to your service account key file>"` \ | ||
`$ export GCP_ZONE="<zone for GCP instance>"` \ |
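Review bot: these lines mix inline code with trailing `\` hard breaks, and the spacing before `\` is inconsistent (the `GCP_CRED_KIND` line has none); a fenced `bash` block, as already used for the `ansible-playbook` command, would render cleanly and be copy-pasteable. Since `GCP_CRED_FILE` names the service-account private key, this is also the natural place to say it should live outside the repository.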
I think it'd be nice to suggest a default zone and/or link to the GCP zones page
keylime-ansible-gcp/README.md
`$ export GCP_CRED_KIND="serviceaccount"`\ | ||
`$ export GCP_CRED_FILE="<path to your service account key file>"` \ | ||
`$ export GCP_ZONE="<zone for GCP instance>"` \ | ||
`$ export GCP_REGION="<region for GCP instance>"` |
Same for this
|
||
## Configuration | ||
1. Install dependecies for the Ansible - GCP module | ||
`$ pip3 install requests google-auth` |
I'd say ansible is also a dependency!
keylime-ansible-gcp/README.md
Run the playbook to create and set up an instance. | ||
|
||
```bash | ||
ansible-playbook playbook.yml |
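Review bot: the README shows only `ansible-playbook playbook.yml` with no inventory, and the first test run reports "provided hosts list is empty, only localhost is available"; say here that the playbook is meant to run on the control machine against the implicit localhost (it talks to the GCP API rather than to a remote host), so the warning is expected, or ship a minimal inventory and pass it with `-i` so it does not appear. The new instance's address then has to reach the user (printed by the play or written to an inventory file) before the agent role can be applied to it.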
I got this error:
```
[lily@localhost keylime-ansible-gcp]$ ansible-playbook playbook.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
ERROR! couldn't resolve module/action 'google.cloud.gcp_compute_disk'. This often indicates a misspelling, missing collection, or incorrect module path.
The error appears to be in '/home/lily/Repos/keylime-cloud-environments/keylime-ansible-gcp/roles/create-gcp/tasks/gcp.yml': line 1, column 3, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: Create disk mapped from Fedora image
  ^ here
```
This looks like it may be the problem but I'm not sure what to enter for hostname / username, do you know?
Force-pushed from 92bf857 to 107c32b.
The playbook seems to work this time in setting up the instance (from my local laptop)!! 💯
Though it does fail on:
```
TASK [Wait to SSH into instance] ***********************************************
fatal: [localhost]: FAILED! => {"changed": false, "elapsed": 105, "msg": "Timeout when waiting for 34.152.62.86:22"}
PLAY RECAP *********************************************************************
localhost : ok=5 changed=2 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
```
Maybe it's a network or permissions setting? Should I try from a GCP instance?
This is working for me! Thanks for all the debugging and hard work, @avery-blanchard !
@mpeters Should we merge? Or would you like to try it? There is one step where a script parses the JSON file downloaded from GCP (this file includes a private key) and the script emits a warning before doing so. I think this should be okay but let me know if you think otherwise.
I'll give this a spin on Monday and then we can merge it if there isn't anything big.
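The README steps under review have the user download a service-account key and export `GCP_PROJECT` and `GCP_CRED_FILE`, and the comment above mentions a script that parses that JSON file. As an added example (not code from this PR or from Keylime), this Python helper performs the checks a cautious user would want before handing the key to Ansible: it rejects a P12 download, verifies the fields of the JSON key format, cross-checks `project_id` against `GCP_PROJECT`, and flags a key file readable by other users; the sample key is a constructed placeholder.

```python
import json
import os
import stat
import sys

# Fields present in every service-account key that GCP exports in JSON form.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")

def check_key_material(raw, mode, expected_project=None):
    """Inspect key bytes and permission bits; return (summary, problems). The summary never carries private_key."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o lets group/others read the key; chmod 600" % mode)
    try:
        key = json.loads(raw.decode("utf-8"))
        if not isinstance(key, dict):
            raise ValueError("not a JSON object")
    except (UnicodeDecodeError, ValueError):
        # A P12 download is a binary PKCS#12 blob, not JSON: the wrong flavour for this README.
        return {}, problems + ["not JSON (P12 key?); download the JSON key instead"]
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % key.get("type"))
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block")
    if expected_project and key.get("project_id") != expected_project:
        problems.append("project_id %r != GCP_PROJECT %r" % (key.get("project_id"), expected_project))
    summary = {k: key.get(k) for k in ("project_id", "client_email", "private_key_id")}
    return summary, problems

def check_key_file(path, expected_project=None):
    """Run the checks on the file GCP_CRED_FILE points at."""
    with open(path, "rb") as fh:
        return check_key_material(fh.read(), stat.S_IMODE(os.fstat(fh.fileno()).st_mode), expected_project)

# Constructed sample with placeholder values, shaped like a downloaded JSON key.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project", "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ansible@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000", "token_uri": "https://oauth2.googleapis.com/token",
}).encode()

if __name__ == "__main__":  # usage: GCP_CRED_FILE=... GCP_PROJECT=... python3 check_key.py
    summary, problems = check_key_file(os.environ["GCP_CRED_FILE"], os.environ.get("GCP_PROJECT"))
    print(summary, *("WARNING: " + p for p in problems), sep="\n")
    sys.exit(1 if problems else 0)
```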
It's looking good, but a couple of points:
- If, as I suspect, the create-gcp role only holds tasks, then it doesn't need to be a role at all. It can just be a playbook of tasks. Not everything has to be a role and, in fact, simple groups of tasks are better off as just a playbook instead of a role.
- You moved a lot of stuff into the other ansible keylime project, but I'd like it to be better connected. The coolest would be to have some way to automatically apply that other role to these newly created instances. But if that seems too unwieldy, maybe just make it more explicit how you would create an inventory file, check out the project and run the playbooks in there.
@@ -0,0 +1 @@ | |||
- include: gcp.yml |
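Review bot: `- include: gcp.yml` uses the legacy `include` keyword, which was deprecated in favour of `include_tasks`/`import_tasks` and has since been removed from ansible-core; if the task file stays separate, use `- import_tasks: gcp.yml`. Otherwise, as asked above, folding the tasks into `main.yml` removes the indirection entirely.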
What is the reason for splitting the tasks out into an include instead of directly in the main.yml?
@@ -0,0 +1,4 @@ | |||
--- | |||
# Section for vars | |||
shell_profiles: |
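Review bot: `shell_profiles:` is declared with no value, so it evaluates to null wherever it is referenced, and the hunk header promises four lines of which only this empty declaration is visible; if the variable is genuinely unused, as noted below, delete the file rather than leaving a null default in the role.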
I don't see this `shell_profiles` variable used anywhere.
keylime-ansible-gcp/tests/inventory
@@ -0,0 +1 @@ | |||
localhost |
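Review bot: a `tests/inventory` containing only `localhost` is the skeleton `ansible-galaxy init` generates, normally paired with a `tests/test.yml` that applies the role; a reviewer above asks how the tests are run, and neither this directory nor the README answers that. Either add the test playbook and a short "Testing" section to the README, or drop the directory.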
What is the purpose of this `/tests` directory and this inventory file?
@avery-blanchard can you squash all of these commits into a single commit? That makes it easier to manage and is typical for most projects. There's no reason to keep all of the back and forth and fixes in separate commits, and we'll have a nice clean history.
Signed-off-by: Avery Blanchard <[email protected]>
Force-pushed from 93aab03 to 34971b1.
Create Ansible role for deploying Keylime against a vTPM in the Google Cloud environment. @lkatalin