Collection of playbooks that aim at installing Trento and its third-party dependencies.

The playbooks can only be run on target nodes running SLES4SAP.

Refer to the following table for the supported control and target node combinations. The value in each target cell is the Python interpreter version that supports running the playbooks:
| Control node | SLES15-SP4 | SLES15-SP5 | SLES15-SP6 | SLES15-SP7 | SLES16 |
|---|---|---|---|---|---|
| ansible9 | python3(3.6)-only | python3(3.6)-only | python3(3.6)/3.11 | python3(3.6)/3.11 | X |
| ansible11 | X | X | python3.11-only | python3.11-only | python3(3.13)-only |

> **Note**
> On SLES 15 SP5 and below, Ansible may default to the newest Python interpreter, causing incompatibility issues between the playbook and the target node. To prevent this, explicitly set the interpreter in `vars.json`: `"ansible_python_interpreter": "/usr/bin/python3"`

The `server.yml` playbook installs the Trento server components (Web and Wanda) along with their supporting third-party application dependencies.

This playbook supports auto-discovery of the RabbitMQ and Postgres hosts for Web and Wanda. The feature is enabled when the `provision_postgres` and `provision_rabbitmq` flags are true. When auto-discovery is active, the `*_host` variables of the app roles are ignored. If you want to use external services for these dependencies, turn off the respective flag and set the `*_host` variable in your inventory.
This playbook requires that the host where you are going to install the Trento server components has an activated license for one of the supported OSs, with the following modules (change `x` to match your current version):

- Basesystem Module 15 x86_64 - `SUSEConnect -p sle-module-basesystem/15.x/x86_64`
- SUSE Package Hub 15 x86_64 - `SUSEConnect -p PackageHub/15.x/x86_64`
- (15.6 only) Legacy Module 15 x86_64 - `SUSEConnect -p sle-module-legacy/15.6/x86_64`

The `agent.yml` playbook installs and configures the Trento agent.

This playbook supports auto-discovery of the RabbitMQ host for use by the agents. The feature is enabled when the `provision_rabbitmq` flag is true. When auto-discovery is active, the `agent_rabbitmq_host` variable of the agent role is ignored. If you want to use an external service for this dependency, turn off the `provision_rabbitmq` flag and set the `agent_rabbitmq_host` variable in your inventory.

`site.yml` is the playbook that performs a full Trento installation. It installs both the server components and the agents. Additionally, the API key for the agents is automatically retrieved from the Trento server and passed on to the deployed agents, so the value of the `agent_web_api_key` variable is ignored when using this playbook.
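As an added example (not part of the playbooks' own documentation), the following variables file points the server and agent roles at externally managed Postgres and RabbitMQ services instead of the provisioned ones. It combines the `provision_*` flags, the meta-role `*_host` variables and the interpreter setting from the note above. The hostnames are constructed; placing it in `group_vars/all.yml` is one valid choice, and a `vars:` section in the inventory or an extra-vars file works the same way:

```yaml
# group_vars/all.yml (constructed example; any vars: section or extra-vars
# file works the same way)

# Pin the interpreter on SLES 15 SP5 and below (see the note above) so Ansible
# does not pick a Python the playbooks do not support.
ansible_python_interpreter: /usr/bin/python3

# Turning provisioning off also turns auto-discovery off, so the *_host
# variables below are honoured instead of being ignored.
provision_postgres: false
provision_rabbitmq: false

# Meta-role defaults: every role's own *_host variable falls back to these.
# Hostnames are constructed for this example.
trento_postgres_host: "db.internal.example.com"
trento_rabbitmq_host: "mq.internal.example.com:5672"   # the service port may be included

# A single role can still be pointed elsewhere, overriding the meta-role value:
# wanda_postgres_host: "db-wanda.internal.example.com"
# agent_rabbitmq_host: "mq-agents.internal.example.com:5672"
```

Because the Postgres and RabbitMQ roles are not run with these flags off, the users, databases and vhost named by the meta-role variables (`trento_web_postgres_username`, `trento_wanda_postgres_db`, `trento_rabbitmq_username`, `trento_rabbitmq_vhost`, and so on) have to exist on the external services before the playbook runs, with the passwords given in the required variables.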
Get to the ansible directory: `cd ansible`

Make sure all hosts with active roles allow access from the machine that is executing the playbooks. If connecting to the machines with SSH keys, you might want to execute:

```
$ ssh-copy-id <username>@<ip-of-the-host>
```

Create an `inventory.yml` file, defining the IP address or domain name of the machines for each group expected in the playbook. You might use the same machine in more than one group.

Example:

```yaml
all:
  children:
    trento_server:
      hosts:
        vitellone:
          ansible_host: "your-host"
          ansible_user: "your-user"
          ansible_ssh_private_key_file: "/home/user/.ssh/id_rsa"
    postgres_hosts:
      hosts:
        vitellone:
          ansible_host: "your-host"
          ansible_user: "your-user"
          ansible_password: "your-password"
    rabbitmq_hosts:
      hosts:
        vitellone:
          ansible_host: "your-host"
          ansible_user: "your-user"
          ansible_ssh_private_key_file: "/home/user/.ssh/id_rsa"
    prometheus_hosts:
      hosts:
        vitellone:
          ansible_host: "your-host"
          ansible_user: "your-user"
          ansible_ssh_private_key_file: "/home/user/.ssh/id_rsa"
    agents:
      hosts:
        vitellone:
          ansible_host: "your-host"
          ansible_user: "your-user"
          ansible_password: "your-password"
```

Here, a mixture of password and SSH key authentication is used for the hosts.

Add the desired variables to the inventory. Use either a `vars:` section in the inventory file itself or the `host_vars`/`group_vars` directories:

```yaml
all:
  children:
    trento_server:
      hosts: ...
    postgres_hosts:
      hosts: ...
    rabbitmq_hosts:
      hosts: ...
    prometheus_hosts:
      hosts: ...
    agents:
      hosts: ...
  vars:
    trento_server_name: "trento-deployment.example.com"
    trento_web_admin_password: "adminpassword"
    trento_web_postgres_password: "postgres"
    trento_wanda_postgres_password: "postgres"
    trento_rabbitmq_password: "guest"
    rproxy_ssl_cert: "<paste your SSL certificate here in base64>"
    rproxy_ssl_key: "<paste your SSL certificate key here in base64>"
```

Prior to running the playbooks, tell ansible to fetch the required modules:

```
$ ansible-galaxy collection install -r requirements.yml
```

Run a playbook:

```
$ ansible-playbook -i path/to/inventory.yml <playbook-name.yml>
```

> **Note**
> You could also use `ansible-playbook -i path/to/inventory.yml <playbook-name.yml> --extra-vars "@path/to/vars.yaml"`

You can use the docker image `ghcr.io/trento-project/ansible` to run this playbook; the image contains the playbook files ready to be provisioned. The docker image assumes you mount an inventory file and an extra-vars file.

Mounting your ssh socket will enable you to access the remote machines as in your local environment.

Assuming you have in the current folder a file called `inventory.yml` and one called `extra-vars.yaml`:

```
$ docker run \
  -e "SSH_AUTH_SOCK=/ssh-agent" \
  -v $(pwd)/inventory.yml:/playbook/inventory.yml \
  -v $(pwd)/extra-vars.yaml:/playbook/extra-vars.yaml \
  -v $SSH_AUTH_SOCK:/ssh-agent \
  ghcr.io/trento-project/ansible:rolling /playbook/inventory.yml /playbook/extra-vars.yaml
```

Server variables that must be set:

| Name | Description |
|---|---|
| trento_server_name | Domain name of the Trento web application |
| trento_web_admin_password | Password of the admin user in Web application |
| trento_web_postgres_password | Password of the Postgres user used in Web application |
| trento_wanda_postgres_password | Password of the Postgres user used in Wanda application |
| trento_rabbitmq_password | Password of the RabbitMQ user configured for the Trento project |
| rproxy_ssl_cert | String with the content of the .crt file to be used by the reverse proxy for https |
| rproxy_ssl_key | String with the content of the .key file used to generate the certificate |

Agent variables that must be set:

| Name | Description |
|---|---|
| agent_web_api_key | API key for accessing Trento Web collection endpoint. |

The following are our optional variables, grouped by role, for which we provide default values:

Playbook variables

The following variables control whether the playbooks take care of provisioning third-party application dependencies by installing and/or configuring them. In addition, if their value is true, they enable a feature of the playbooks that allows for automatic population of some variables.

| Name | Description | Default |
|---|---|---|
| provision_postgres | Whether to provision Postgres. If set to | true |
| provision_rabbitmq | Whether to provision RabbitMQ. If set to | true |
| provision_proxy | Whether to provision a Reverse Proxy to expose the services, set to | true |
| provision_prometheus | Whether to provision Prometheus used by Trento to store metrics sent by agents | true |

Trento meta-role

Variables in this role are a bit special. They are shared among several other roles. However, every other role has its own variable corresponding to one in this meta-role and takes it as a default value. In effect, variables in this meta-role are similar to "global defaults", and the user can freely override these defaults on a per-role basis if appropriate.

| Name | Description | Default |
|---|---|---|
| trento_wanda_proxy_location | URL Path to Wanda behind a reverse proxy | "/wanda" |
| trento_web_listen_port | Port where the Web service is exposed | <random value based on |
| trento_wanda_listen_port | Port where the Wanda service is exposed | <random value based on |
| trento_web_admin_username | Username of the admin user in Web application | "admin" |
| trento_postgres_host | The host where Postgres database is located. Used as input for calculating | localhost |
| trento_postgres_host_group | Name of the host group where Postgres database is located. If this value is not empty string, activates auto-discovery of the Postgres host by searching it in the specified group. Used as input for calculating | "" |
| trento_web_postgres_username | Name of the Postgres user used by Web application | "web" |
| trento_web_postgres_db | Name of the Postgres database of the Web application | "webdb" |
| trento_web_postgres_event_store | Name of the Postgres event store database of Web application | "event_store" |
| trento_wanda_postgres_username | Name of the Postgres user used by Wanda application | "wanda" |
| trento_wanda_postgres_db | Name of the Postgres database of Wanda application | "wandadb" |
| trento_rabbitmq_host | The host where RabbitMQ is located. It could include the service port. Used as input for calculating | localhost |
| trento_rabbitmq_host_group | Name of the host group where RabbitMQ is located. It could include the service port. If this value is not empty string, activates auto-discovery of the RabbitMQ host by searching it in the specified group. Used as input for calculating | "" |
| trento_rabbitmq_username | Username of RabbitMQ user, this will be created by the RabbitMQ role | "trento" |
| trento_rabbitmq_vhost | The rabbitmq vhost used for the current deployment | "trento" |

Web role

| Name | Description | Default |
|---|---|---|
| web_server_name | Domain name of the Trento web application | <value of |
| web_listen_port | Port where the Web service is exposed | <value of |
| web_admin_username | Username of the admin user for Web application | <value of |
| web_admin_password | Password of the admin user for Web application | <value of |
| web_oas_server_url | Web OpenAPI server url | |
| web_postgres_host | The host where Postgres database for Web is located. | Default value depends on the value of |
| web_postgres_username | Name of the postgres user used by Web application | <value of |
| web_postgres_password | Password of the Postgres user used in Web application | <value of |
| web_postgres_db | Name of the Postgres database of the Web application | <value of |
| web_postgres_event_store | Name of the Postgres event store database of Web application | <value of |
| web_amqp_protocol | URL scheme of the AMQP protocol — either | amqp |
| web_rabbitmq_host | The host where RabbitMQ is located. It could include the service port. | Default value depends on the value of |
| web_rabbitmq_username | Username used to connect to RabbitMQ | <value of |
| web_rabbitmq_password | Password of the RabbitMQ user | <value of |
| web_rabbitmq_vhost | The RabbitMQ virtual host | <value of |
| web_wanda_listen_port | Port where the Wanda service is exposed | <value of |
| web_wanda_proxy_location | URL Path to Wanda behind a reverse proxy | <value of |
| web_prometheus_url | Prometheus server URL | "http://localhost:9090" |
| web_secret_key_base | The secret for the Phoenix application | <generated by the playbook> |
| web_access_token_secret | The secret used for access tokens JWT signature | <generated by the playbook> |
| web_refresh_token_secret | The secret used for refresh tokens JWT signature | <generated by the playbook> |
| web_enable_charts | Enable charts display based on Prometheus metrics | true |
| web_enable_alerting | Enable the alerting mechanism for Web application | null |
| web_smtp_server | IP address of the SMTP server | null |
| web_smtp_port | Port number of SMTP server | null |
| web_smtp_user | Username for SMTP authentication | null |
| web_smtp_password | Password for SMTP authentication | null |
| web_alert_sender | E-mail address used as the "from" address in alerts | null |
| web_alert_recipient | E-mail address to receive alert notifications | null |
| web_enable_oidc | Enable OIDC integration, this disables the username/password authentication method (self exclusive SSO type) | false |
| web_oidc_client_id | OIDC client id, required when | "" |
| web_oidc_client_secret | OIDC client secret, required when | "" |
| web_oidc_server_base_url | OIDC identity provider base url, required when | "" |
| web_enable_oauth2 | Enable OAUTH2 integration, this disables the username/password authentication method (self exclusive SSO type) | false |
| web_oauth2_client_id | OAUTH2 client id, required when | "" |
| web_oauth2_client_secret | OAUTH2 client secret, required when | "" |
| web_oauth2_server_base_url | OAUTH2 identity provider base url, required when | "" |
| web_oauth2_authorize_url | OAUTH2 authorize url, required when | "" |
| web_oauth2_token_url | OAUTH2 token url, required when | "" |
| web_oauth2_user_url | OAUTH2 user information url, required when `web_enable_oauth2` is true | "" |
| web_oauth2_scopes | OAUTH2 scopes, required when | "profile email" |
| web_enable_saml | Enable SAML integration, this disables the username/password authentication method (self exclusive SSO type) | false |
| web_saml_idp_id | SAML IDP id, required when | "" |
| web_saml_idp_nameid_format | SAML IDP name id format, used to interpret the attribute name. The whole urn string must be used | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| web_saml_sp_dir | SAML SP directory, where SP specific required files (such as certificates and metadata file) are placed | /etc/trento/trento-web/saml |
| web_saml_sp_id | SAML SP id, required when | "" |
| web_saml_sp_entity_id | SAML SP entity id | "" |
| web_saml_sp_contact_name | SAML SP contact name | "Trento SP Admin" |
| web_saml_sp_contact_email | SAML SP contact email | |
| web_saml_sp_org_name | SAML SP organization name | "Trento SP" |
| web_saml_sp_org_displayname | SAML SP organization display name | "SAML SP build with Trento" |
| web_saml_sp_org_url | SAML SP organization url | |
| web_saml_username_attr_name | SAML user profile "username" attribute field name. This attribute must exist in the IDP user | "username" |
| web_saml_email_attr_name | SAML user profile "email" attribute field name. This attribute must exist in the IDP user | "email" |
| web_saml_firstname_attr_name | SAML user profile "first name" attribute field name. This attribute must exist in the IDP user | "firstName" |
| web_saml_lastname_attr_name | SAML user profile "last name" attribute field name. This attribute must exist in the IDP user | "lastName" |
| web_saml_metadata_url | URL to retrieve the SAML metadata xml file. One of | "" |
| web_saml_metadata_content | One line string containing the SAML metadata xml file content ( | "" |
| web_saml_sign_requests | Sign SAML requests in the SP side | true |
| web_saml_sign_metadata | Sign SAML metadata documents in the SP side | true |
| web_saml_signed_assertion | Require to receive SAML assertion signed from the IDP. Set to false if the IDP doesn't sign the assertion | true |
| web_saml_signed_envelopes | Require to receive SAML envelopes signed from the IDP. Set to false if the IDP doesn't sign the envelopes | true |

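The Web role table above describes three SSO types as "self exclusive" and marks several variables as required only when a given `web_enable_*` flag is true. A mistake here (two SSO flags on at once, an empty client secret, a placeholder left in the vars file) only shows up after a full playbook run. The following pre-flight check is an added example, not part of the trento-project/ansible playbooks: it validates a JSON vars file (Ansible accepts `--extra-vars "@vars.json"`) against the variable names documented on this page. The check logic, the JSON-only input and the reading of the truncated "One of" in the `web_saml_metadata_url` row as "exactly one of URL or content" are this example's own assumptions.

```python
"""Pre-flight check of a Trento extra-vars file (added example, not part of
the trento-project/ansible playbooks). Variable names come from the tables
on this page; the check logic and the JSON input format are assumptions of
this example."""
import json
import sys

# Variables the "Name | Description" table lists without a default.
SERVER_REQUIRED = (
    "trento_server_name",
    "trento_web_admin_password",
    "trento_web_postgres_password",
    "trento_wanda_postgres_password",
    "trento_rabbitmq_password",
    "rproxy_ssl_cert",
    "rproxy_ssl_key",
)

# SSO flags are "self exclusive": at most one may be true. For each flag, the
# variables documented as "required when <flag> is true" whose default is the
# empty string (web_oauth2_scopes has a non-empty default and is left out).
SSO_REQUIRED = {
    "web_enable_oidc": (
        "web_oidc_client_id",
        "web_oidc_client_secret",
        "web_oidc_server_base_url",
    ),
    "web_enable_oauth2": (
        "web_oauth2_client_id",
        "web_oauth2_client_secret",
        "web_oauth2_server_base_url",
        "web_oauth2_authorize_url",
        "web_oauth2_token_url",
        "web_oauth2_user_url",
    ),
    "web_enable_saml": ("web_saml_idp_id", "web_saml_sp_id"),
}

# Variables whose legitimate value is XML and therefore starts with '<'.
XML_VALUED = {"web_saml_metadata_content"}


def is_true(value):
    """Interpret a value the way Ansible treats booleans in vars files."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def is_set(value):
    """A variable counts as set when it is present and not an empty string."""
    return value is not None and str(value).strip() != ""


def validate(vars_):
    """Return a list of problems found in the vars mapping (empty list = OK)."""
    problems = []

    for name in SERVER_REQUIRED:
        if not is_set(vars_.get(name)):
            problems.append(f"required variable {name} is missing or empty")

    # Angle-bracket placeholders copied from the inventory example above, such
    # as "<paste your SSL certificate here in base64>", never belong in a run.
    for name, value in vars_.items():
        if name in XML_VALUED or not isinstance(value, str):
            continue
        if value.startswith("<") and value.endswith(">"):
            problems.append(f"{name} still holds the example placeholder {value!r}")

    enabled = [flag for flag in SSO_REQUIRED if is_true(vars_.get(flag, False))]
    if len(enabled) > 1:
        problems.append("only one SSO type may be enabled, found: " + ", ".join(enabled))

    for flag in enabled:
        for name in SSO_REQUIRED[flag]:
            if not is_set(vars_.get(name)):
                problems.append(f"{name} is required when {flag} is true")

    # Assumption: the truncated "One of ..." in the web_saml_metadata_url row
    # means exactly one of web_saml_metadata_url / web_saml_metadata_content.
    if "web_enable_saml" in enabled:
        has_url = is_set(vars_.get("web_saml_metadata_url"))
        has_content = is_set(vars_.get("web_saml_metadata_content"))
        if has_url == has_content:
            problems.append(
                "set exactly one of web_saml_metadata_url or web_saml_metadata_content"
            )

    return problems


def check_file(path):
    """Validate a JSON vars file; return the exit status a CI step would use."""
    with open(path, encoding="utf-8") as fh:
        problems = validate(json.load(fh))
    for problem in problems:
        print(problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(check_file(sys.argv[1]))
```

Run it as `python3 check_vars.py vars.json` before `ansible-playbook`; a non-zero exit lists every problem found, so it fits as a gate in the same pipeline step that later calls the playbook.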
Wanda role

| Name | Description | Default |
|---|---|---|
| wanda_listen_port | Port where the Wanda service is exposed | <value of |
| wanda_proxy_location | URL Path to Wanda behind a reverse proxy | <value of |
| wanda_oas_server_url | Wanda OpenAPI server URL | https://<`trento_server_name`><`trento_wanda_proxy_location`> |
| wanda_postgres_host | The host where Postgres database for Wanda is located. | Default value depends on the value of |
| wanda_postgres_username | Name of the Postgres user used by Wanda application | <value of |
| wanda_postgres_password | Password of the Postgres user used in Wanda application | <value of |
| wanda_postgres_db | Name of the Postgres database of Wanda application | <value of |
| wanda_amqp_protocol | URL scheme of the AMQP protocol — either | amqp |
| wanda_rabbitmq_host | The host where RabbitMQ is located. It could include the service port. | Default value depends on the value of |
| wanda_rabbitmq_username | Username used to connect to RabbitMQ | <value of |
| wanda_rabbitmq_password | Password of the RabbitMQ user | <value of |
| wanda_rabbitmq_vhost | The RabbitMQ virtual host | <value of |
| wanda_secret_key_base | The secret for the Phoenix application | <generated by the playbook> |

Agent role

| Name | Description | Default |
|---|---|---|
| agent_trento_server_url | Trento server URL | "http://<`trento_server_name`>" |
| agent_amqp_protocol | URL scheme of the AMQP protocol — either | "amqp" |
| agent_rabbitmq_host | The host where RabbitMQ is located. It could include the service port. | Default value depends on the value of |
| agent_rabbitmq_username | Username used to connect to RabbitMQ | <value of |
| agent_rabbitmq_password | Password of the RabbitMQ user | <value of |
| agent_rabbitmq_vhost | The RabbitMQ virtual host | <value of |

Postgres role

| Name | Description | Default |
|---|---|---|
| postgres_install | Install postgresql in the postgres provisioning phase | true |
| postgres_web_username | Name of the Postgres user used by Web application | <value of |
| postgres_web_password | Password of the Postgres user used in Web application | <value of |
| postgres_web_db | Name of the Postgres database of the Web application | <value of |
| postgres_web_event_store | Name of the Postgres event store database of Web application | <value of |
| postgres_wanda_username | Name of the Postgres user used by Wanda application | <value of |
| postgres_wanda_password | Password of the Postgres user used in Wanda application | <value of |
| postgres_wanda_db | Name of the Postgres database of Wanda application | <value of |

Prometheus role

| Name | Description | Default |
|---|---|---|
| prometheus_port | Port where Prometheus is exposed | 9090 |
| prometheus_web_url | Base URL of Trento Web application where Prometheus scrapes for metrics | |
| prometheus_web_listen_port | Port on which Web is exposed, to be scraped by Prometheus | <value of |

RabbitMQ role

| Name | Description | Default |
|---|---|---|
| rabbitmq_username | Username used by various Trento applications to connect to RabbitMQ | <value of |
| rabbitmq_password | Password of the RabbitMQ user used in various Trento applications | <value of |
| rabbitmq_vhost | The RabbitMQ virtual host used by various Trento applications | <value of |
| rabbitmq_node_name | Name of the RabbitMQ node | "rabbit@localhost" |

Reverse Proxy role

| Name | Description | Default |
|---|---|---|
| rproxy_install | Whether to install reverse proxy (currently, nginx) | true |
| rproxy_server_name | Domain name of the Trento web application | <value of |
| rproxy_web_listen_port | Port where the Web service is exposed | <value of |
| rproxy_wanda_listen_port | Port where the Wanda service is exposed | <value of |
| rproxy_override_default_conf | Override the default reverse proxy configuration for one that will use the vhosts according to an opinionated directory structure | true |
| rproxy_vhost_filename | Reverse proxy vhost filename. ".conf" suffix is added to the given name | "trento" |
| rproxy_vhost_http_listen_port | Configure the HTTP listen port for Trento (redirects to https by default) | "80" |
| rproxy_vhost_https_listen_port | Configure the HTTPS listen port for Trento | "443" |
| rproxy_web_upstream_name | Web upstream name | "web" |
| rproxy_wanda_upstream_name | Wanda upstream name | "wanda" |
| rproxy_wanda_location | Path to forward requests to Wanda in the reverse proxy | <value of |
| rproxy_ssl_cert_as_base64 | Whether SSL certificate is provided as base64 string | false |
| rproxy_ssl_key_as_base64 | Whether SSL key is provided as base64 string | false |

In order to clean up most of the applied changes and created resources, the `playbook.cleanup.yml` playbook can be used. It uses the same inventory and variables file as the main playbook.

These are the cleaned resources:

- Stops Web and Wanda services
- Postgresql database and users
- Reverse proxy vhost configuration file
- RabbitMQ vhost
- Reverts Firewall rules

Run the playbook with:

```
$ ansible-playbook -i inventory.yml playbook.cleanup.yml
```

Disclaimer: The installed packages are not removed, as most of the time they are of general use and removing them could impact many other services.