IBM Connections Pink is based on Conductor for Containers, which provides a collection of tools for working with Docker containers and Kubernetes. To manage containers in large environments, many DevOps engineers use Ansible (agentless software for automating administration tasks).
So why not use these tools to prepare the operating system for Connections: creating users, adding security settings, or installing all the packages needed to deploy DB2, Installation Manager, and WebSphere Application Server? Or use one of the available roles or tasks to automate even the installation of WebSphere, creating the cell and profiles …
In this session, you get the basics of Ansible and some hands-on practice to start the learning journey into ‘cloud’ based software management.
3. @stoeps #panagendaWebinar #ansible
Christoph Stoettner
Senior Consultant at panagenda
IBM Domino since 1999, IBM Connections since 2009
Experience in
Migrations, Deployments
Performance Analysis
Focusing in
Monitoring, Security
panagenda ConnectionsExpert
IBM Champion
4. @stoeps #panagendaWebinar #ansible
Idea and history
Several attempts to deploy IBM Connections automatically
Social Connections VII - Stockholm
Klaus Bild: Silence of the Installers
Why do we need automation?
Demos
Migration / Testing
Continuous Delivery
It’s not only providing response files
6. @stoeps #panagendaWebinar #ansible
Automation speeds up your installation
System requirements installed
ulimits set / limits.conf configured
Increase nproc for WebSphere and IBM Domino
Easier troubleshooting
You don’t need to check all requirements and settings
You can be sure that they are set
root - nproc 16384
root - nofile 65536
root - stack 10240
7. @stoeps #panagendaWebinar #ansible
Possible Open Source Tools
Puppet (https://puppet.com/)
  Great for Windows too
  Enterprise Support
  Cryptic
Chef (https://www.chef.io)
  Easy to learn (if you’re a Ruby developer)
SaltStack (https://saltstack.com)
9. @stoeps #panagendaWebinar #ansible
Comparison
Tool       Language      Agent  Config     Communication  Difficulty
Ansible    Python        No     YAML       OpenSSH
Chef       Ruby, Erlang  Yes    Ruby       SSL
Puppet     Ruby          Yes    PuppetDSL  SSL
SaltStack  Python        Yes    YAML       ZeroMQ
10. @stoeps #panagendaWebinar #ansible
Why should you learn Ansible?
Ansible is built for Cloud orchestration
Dynamic and static inventory
Use playbooks for multiple environments
It’s just YAML
Easy to keep in source control (git, svn)
Inventory example
[ihs]
cnx-web-60.panastoeps.local
[was-dmgr]
cnx-was-60.panastoeps.local
12. @stoeps #panagendaWebinar #ansible
SSH is your friend
SSH Key Authentication saves a lot of time
Create a SSH Key
Linux: ssh-keygen
Windows: puttygen.exe
SSH Key should be secured with a password
Copy the public key to the remote server
ssh-copy-id
You need to add the content of <keyname>.pub to .ssh/authorized_keys in the home directory of the user
13. @stoeps #panagendaWebinar #ansible
SSH with Windows
Putty
Download: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Putty Pageant Documentation: http://the.earth.li/~sgtatham/putty/0.70/htmldoc/Chapter9.html
KiTTY: http://www.9bis.net/kitty/
Download: http://www.9bis.net/kitty/?page=Download
14. @stoeps #panagendaWebinar #ansible
SSH with Linux
~/.ssh/config
X11Forward
Host
Used Key
SSH-Agent (configure)
Autostart SSH-Agent
$> ssh-add ~/.ssh/stoeps_rsa
Enter passphrase for /home/stoeps/.ssh/stoeps_rsa:
Identity added: /home/stoeps/.ssh/stoeps_rsa
15. @stoeps #panagendaWebinar #ansible
Can this help with IBM Connections?
Ansible basics
Playbook is a collection of roles
Playbooks can import other playbooks
Role is a collection of tasks
Dependencies of Roles
Groups and Hostnames from Inventory
17. @stoeps #panagendaWebinar #ansible
Organization of your files
Root Folder
Playbooks
Inventory
Roles
Example: Installationmanager
├── defaults
│   └── main.yml (1)
└── tasks
    └── main.yml (2)
1. Variable definition
2. Tasks for role
18. @stoeps #panagendaWebinar #ansible
Inventory
Groupname definition in inventory file
# (1)
[ihs]
cnx-web-60.panastoeps.local
[was-dmgr]
cnx-was-60.panastoeps.local
# (2)
[was-node]
cnx-was-60.panastoeps.local
cnx-was2-60.panastoeps.local
[db2]
cnx-db2-panastoeps.local
1. Group ihs with one member
2. Group was-node with two members
19. @stoeps #panagendaWebinar #ansible
Main playbook
Groupnames from inventory used for applying roles
Special: all
# file: site.yml
- hosts: all                        # (1)
  roles:
    - common
    - vm
- hosts: ihs was-dmgr               # (2)
  roles:
    - was-requirements
    - installationmanager
- import_playbook: webserver.yml    # (3)
1. All hosts of inventory, run role vm and common for all hosts
2. Hostgroups ihs and was-dmgr
3. Import playbook webserver.yml
20. @stoeps #panagendaWebinar #ansible
Change ulimit
Configure /etc/security/limits.conf
# Increase limits.conf for IBM products
- name: Change limits.conf
  pam_limits:
    domain: root
    limit_type: '-'       # (1)
    limit_item: nofile    # (2)
    value: 65536          # (3)
1. hard and soft limits
2. item name
3. value
22. @stoeps #panagendaWebinar #ansible
Package Management
Install prerequisites for
Installation Manager
DB2
WebSphere Application Server
Which distribution do you use?
SuSE (zypper)
Red Hat (yum)
Debian (apt)
Doesn't matter!
24. @stoeps #panagendaWebinar #ansible
Install prerequisites
When package names are not consistent in all used distributions
Use when statement
- name: Install system packages for DB2
  package: name={{ item }} state=latest
  with_items:
    - libaio.i686
    - libaio.x86_64
    - compat-libstdc++-33.i686
    - compat-libstdc++-33.x86_64
    - libstdc++.x86_64
    - libstdc++.i686
    - pam.i686
  # The ansible_distribution fact reports Red Hat Enterprise Linux as 'RedHat'
  when: ansible_distribution == 'RedHat'
25. @stoeps #panagendaWebinar #ansible
Disable IPv6
IPv6 often is a pain in (IBM) software deployments
Sometimes I forget to do it on one of the servers
# Disable IPv6
- name: Disable IPv6 in sysctl
  sysctl:
    name: "{{ item }}"
    value: '1'
    state: present
  with_items:
    - net.ipv6.conf.all.disable_ipv6
    - net.ipv6.conf.default.disable_ipv6
    - net.ipv6.conf.lo.disable_ipv6
27. @stoeps #panagendaWebinar #ansible
Shell Extension To Mount Share
Mount a local folder into the VM
Just a shell command
# Mount Disk with installation sources
- name: Mount software repository
  shell: umount /mnt; vmhgfs-fuse .host:/software /mnt
28. @stoeps #panagendaWebinar #ansible
Secure your configuration
You shouldn't keep passwords in cleartext
Ansible knows something named Vault
Vaults are AES256 encrypted
ansible-vault --ask-vault-pass create group_vars/all/vault.yml    # (1)
ansible-vault --ask-vault-pass edit group_vars/all/vault.yml      # (2)
ansible-vault --ask-vault-pass encrypt group_vars/all/main.yml    # (3)
1. Create Vault
2. Edit Vault
3. Encrypt file afterwards
29. @stoeps #panagendaWebinar #ansible
Run your Playbook
Run Playbook when vault.yml is used
ansible-playbook -i inventory site.yml --ask-vault-pass
Run Playbook without vault.yml
ansible-playbook -i inventory site.yml
30. @stoeps #panagendaWebinar #ansible
Create Users
IBM Connections needs a database user
lcuser
Define password in vault.yml
User creation needs a password hash!
# Content of vault.yml
lcuser_password: 'password'
# Task: password_hash takes the hash type by name ('sha512')
- name: Create DB2 Connections Users
  user:
    name: lcuser
    password: "{{ lcuser_password | password_hash('sha512') }}"
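The vault and user-creation slides combined into one layout, as an added example that is not part of the original slides: the secret lives only in the encrypted vault.yml, the task hashes it with a fixed salt so repeated runs do not report a change, and no_log keeps the password and hash out of the output. The names vault_lcuser_password, vault_lcuser_salt and the role name db2-users are hypothetical, and the values are constructed samples.

```yaml
# file: group_vars/all/vault.yml
# Create it encrypted: ansible-vault --ask-vault-pass create group_vars/all/vault.yml
# Constructed sample values, replace before use.
vault_lcuser_password: 'CHANGE-ME-constructed-sample'
# Fixed salt (max. 16 characters for sha512) so the generated hash is
# identical on every run and the user task stays idempotent.
vault_lcuser_salt: 'Xk3pQ9sLm2TzWc7a'
---
# file: group_vars/all/main.yml
# Indirection: playbooks reference lcuser_password, the value itself
# exists only inside the encrypted vault file.
lcuser_password: "{{ vault_lcuser_password }}"
lcuser_salt: "{{ vault_lcuser_salt }}"
---
# file: roles/db2-users/tasks/main.yml   (hypothetical role name)
- name: Create DB2 Connections users
  user:
    name: lcuser
    # The user module expects a crypt-style hash, never the cleartext.
    password: "{{ lcuser_password | password_hash('sha512', lcuser_salt) }}"
  # Suppress module arguments and results in console output and logs,
  # otherwise the hash shows up when running with -v.
  no_log: true
```

Run it with `ansible-playbook -i inventory site.yml --ask-vault-pass`; without the vault password the play stops when it tries to load the encrypted vault.yml.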
31. @stoeps #panagendaWebinar #ansible
IBM Installation Manager
Role gets the installer from a web server
Role originally comes from: https://github.com/sgwilbur/ansible-ibm-installation-manager
I use Docker with nginx to serve the file
Role contains the following tasks:
Download and extract of the package
Silent Install of Installation Manager
Delete the extracted content
32. @stoeps #panagendaWebinar #ansible
IBM Installation Manager Variables
Used Variables:
im_media_host: http://172.16.20.1
im_ibmim_install_location: /opt/IBM/InstallationManager
im_tmp_location: /tmp/im
im_version: 1.8.7.0
im_platform: linux
im_architecture: x86_64
im_version_tag: 1.8.7000.20170706_2137
33. @stoeps #panagendaWebinar #ansible
Installation Manager tasks
# file: roles/installationmanager/tasks/main.yml
- name: Create Temp directory
  file: path={{ im_tmp_location }} state=directory mode=0755
# remote_src: the target host fetches the archive from the URL itself
- name: Download and extract local copy of installer
  unarchive:
    src: "{{ im_media_host }}/software/ibm/installation_manager/{{ im_
    dest: "{{ im_tmp_location }}"
    remote_src: yes
# creates=: the task is skipped when the install location already exists
- name: Run silent install to {{ im_ibmim_install_location }}
  command:
    chdir={{ im_tmp_location }}
    {{ im_tmp_location }}/install -acceptLicense --launcher.ini silent
    creates={{ im_ibmim_install_location }}
  register: install
  changed_when: install.rc != 0
- name: Remove Installer
  file: path={{ im_tmp_location }} state=absent
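The role above pulls the installer over plain HTTP from im_media_host and extracts it without checking its content. An added variant of the download step (not part of the original role or slides) that verifies a SHA-256 digest before anything is extracted; im_archive_name and im_archive_sha256 are hypothetical variables holding placeholder values.

```yaml
# file: roles/installationmanager/defaults/main.yml  (additions, hypothetical names)
im_archive_name: "REPLACE_WITH_INSTALLER_ARCHIVE.zip"
# Digest of the archive, taken from a trusted source and not from the
# same web server that serves the file.
im_archive_sha256: "REPLACE_WITH_SHA256_DIGEST"
---
# file: roles/installationmanager/tasks/main.yml  (download part)
- name: Create temp directory readable by root only
  file:
    path: "{{ im_tmp_location }}"
    state: directory
    mode: "0700"

# get_url fails the task when the downloaded file does not match the
# checksum, so a tampered or truncated archive never reaches unarchive.
- name: Download installer and verify its SHA-256 digest
  get_url:
    url: "{{ im_media_host }}/software/ibm/installation_manager/{{ im_archive_name }}"
    dest: "{{ im_tmp_location }}/{{ im_archive_name }}"
    checksum: "sha256:{{ im_archive_sha256 }}"
    mode: "0600"

# remote_src: the verified archive is already on the target host.
- name: Extract the verified archive
  unarchive:
    src: "{{ im_tmp_location }}/{{ im_archive_name }}"
    dest: "{{ im_tmp_location }}"
    remote_src: true
```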
45. @stoeps #panagendaWebinar #ansible
Works with Microsoft Windows
WinRM / Remote Powershell
Gather facts on Windows hosts
Manage Windows packages via Chocolatey
Install and uninstall MSIs
Enable and disable Windows Features
Start, stop, and manage Windows services
Create and manage local users and groups
Manage and install Windows updates
Push and execute any PowerShell script
46. @stoeps #panagendaWebinar #ansible
Administrator or Developer?
Have a look at Ansible
Saves you time
Easy to deploy and use in different environments
QA
Testing
Production
KISS
Keep it simple stupid