Merge pull request #1215 from stvoutsin/feature/move-certbot-datanode

Notes & Change to ansible scripts to change Certificate renewal process
wfau · Nov 6, 2023 · 9352e17 · 9352e17
2 parents cbf36be + e3e357e
commit 9352e17
Show file tree

Hide file tree

Showing 4 changed files with 597 additions and 7 deletions.
diff --git a/deployments/hadoop-yarn/ansible/43-setup-ssl.yml b/deployments/hadoop-yarn/ansible/43-setup-ssl.yml
@@ -63,10 +63,3 @@
         name: nginx
         state: restarted
       become: yes
-
-    - name: "Create Cronjob to renew certificate"
-      ansible.builtin.cron:
-        name: "Renew Certificate with certbot at 4:10 everyday"
-        minute: "10"
-        hour: "4"
-        job: "sudo certbot renew --quiet"
diff --git a/notes/stv/20230919-certbot-cron-local.txt b/notes/stv/20230919-certbot-cron-local.txt
@@ -0,0 +1,149 @@
+#
+# <meta:header>
+#   <meta:licence>
+#     Copyright (c) 2023, ROE (http://www.roe.ac.uk/)
+#
+#     This information is free software: you can redistribute it and/or modify
+#     it under the terms of the GNU General Public License as published by
+#     the Free Software Foundation, either version 3 of the License, or
+#     (at your option) any later version.
+#
+#     This information is distributed in the hope that it will be useful,
+#     but WITHOUT ANY WARRANTY; without even the implied warranty of
+#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#     GNU General Public License for more details.
+#
+#     You should have received a copy of the GNU General Public License
+#     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#   </meta:licence>
+# </meta:header>
+#
+
+
+# Documentation on how to setup & use the certificate backup tool for Zeppelin (dmp.gaia.ac.uk)
+
+
+
+# Test on Local machine first
+
+
+user=fedora
+
+# -----------------------
+# Create directory for python app
+# user@local
+
+sudo mkdir /opt/certrenewer
+sudo chmod 775 /opt/certrenewer/
+sudo chown $user:root /opt/certrenewer/
+
+
+# -----------------------
+# Create logs directory
+# user@local
+
+sudo mkdir /var/log/certbot/
+sudo chown $user:root /var/log/certbot/
+
+
+
+# -----------------------
+# Clone certrenewer repo
+# user@local
+
+git clone https://github.com/stvoutsin/certrenewer /opt/certrenewer
+
+
+# -----------------------
+# Install requirements
+# user@local
+
+# First Run the following pip upgrade
+pip3 install -U pip
+
+pushd /opt/certrenewer
+
+    pip install -r requirements.txt
+
+popd
+
+
+#----------------
+# Setup cron
+# user@local
+
+# On Fedora
+
+yum install cronie
+yum install cronie-anacron
+
+
+# On Ubuntu
+
+apt-get install cron
+
+
+
+# Or, if using Ansible playbook :
+
+
+- name: "Setup Cron"
+  hosts: local
+  gather_facts: false
+  tasks:
+    - name: "Install Cron"
+      become: true
+      yum:
+        name:
+          - cronie
+          - cronie-anacron
+        update_cache: yes
+        state: present
+
+    - name: "Start Crond"
+      service:
+        name: crond
+        state: restarted
+      become: yes
+
+
+#----------------
+# Setup cron
+# user@local
+
+crontab -e
+
+
+
+# Set to run every minute:
+0 0 * * * python3  /opt/certrenewer/certrenewer/certrenewer.py --zeppelin-host iris-gaia-blue.gaia-dmp.uk --zeppelin-user fedora --data-backup-dest /tmp/certs
+
+
+
+
+#----------------
+# Check logs
+# user@local
+
+tail -f -n 1000 /var/log/certbot/app.log 
+
+>
+	2023-09-19 15:43:02,686 - INFO - Starting Renewal & Backup
+	2023-09-19 15:43:05,087 - INFO - Updated 'latest' symlink to 20230919
+	2023-09-19 15:43:05,087 - INFO - Renewal completed successfully
+
+
+
+#------------------------------------------------
+# Check that tar was copied over successfully
+# user@local
+
+ls -al /tmp/certs/latest/
+total 72
+
+.. Sep 19 15:44 certs.tar.gz
+
+
+# Success
+
+
diff --git a/notes/stv/20230920-setup-cron-renewer-datanode.txt b/notes/stv/20230920-setup-cron-renewer-datanode.txt
@@ -0,0 +1,141 @@
+#
+# <meta:header>
+#   <meta:licence>
+#     Copyright (c) 2023, ROE (http://www.roe.ac.uk/)
+#
+#     This information is free software: you can redistribute it and/or modify
+#     it under the terms of the GNU General Public License as published by
+#     the Free Software Foundation, either version 3 of the License, or
+#     (at your option) any later version.
+#
+#     This information is distributed in the hope that it will be useful,
+#     but WITHOUT ANY WARRANTY; without even the implied warranty of
+#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#     GNU General Public License for more details.
+#
+#     You should have received a copy of the GNU General Public License
+#     along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#   </meta:licence>
+# </meta:header>
+#
+
+
+# Documentation on how to setup & use the certificate backup tool for Zeppelin (dmp.gaia.ac.uk)
+# Setup on [email protected]
+
+
+user=fedora
+
+# -----------------------
+# Create directory for python app
+# fedora@iris-gaia-data-20220411-gitstore
+
+sudo mkdir /opt/certrenewer
+sudo chmod 775 /opt/certrenewer/
+sudo chown $user:root /opt/certrenewer/
+
+
+# -----------------------
+# Create logs directory
+# fedora@iris-gaia-data-20220411-gitstore
+
+sudo mkdir /var/log/certbot/
+sudo chown $user:root /var/log/certbot/
+
+
+
+# -----------------------
+# Clone certrenewer repo
+# fedora@iris-gaia-data-20220411-gitstore
+
+git clone https://github.com/stvoutsin/certrenewer /opt/certrenewer
+
+
+# -----------------------
+# Install requirements
+# fedora@iris-gaia-data-20220411-gitstore
+
+# First Run the following pip upgrade
+pip3 install -U pip
+
+pushd /opt/certrenewer
+
+    pip install -r requirements.txt
+
+popd
+
+
+#----------------
+# Setup cron
+# fedora@iris-gaia-data-20220411-gitstore
+
+# On Fedora
+
+yum install cronie
+yum install cronie-anacron
+
+
+# On Ubuntu
+
+apt-get install cron
+
+
+
+# Or, if using Ansible playbook :
+
+
+- name: "Setup Cron"
+  hosts: local
+  gather_facts: false
+  tasks:
+    - name: "Install Cron"
+      become: true
+      yum:
+        name:
+          - cronie
+          - cronie-anacron
+        update_cache: yes
+        state: present
+
+    - name: "Start Crond"
+      service:
+        name: crond
+        state: restarted
+      become: yes
+
+
+#----------------
+# Setup cron
+# fedora@iris-gaia-data-20220411-gitstore
+
+crontab -e
+
+
+# Set to run every minute:
+0 0 * * * python3  /opt/certrenewer/certrenewer/certrenewer.py --zeppelin-host iris-gaia-blue.gaia-dmp.uk --zeppelin-user fedora --data-backup-dest /tmp/certs
+
+
+
+#----------------
+# Check logs
+# user@local
+
+tail -f -n 1000 /var/log/certbot/app.log 
+
+>
+	2023-09-20 12:24:23,412 - INFO - Starting Renewal & Backup
+	2023-09-20 12:24:24,823 - INFO - Updated 'latest' symlink to 20230920
+	2023-09-20 12:24:24,823 - INFO - Renewal completed successfully
+
+
+#------------------------------------------------
+# Check that tar was copied over successfully
+# user@local
+
+ls -al /tmp/certs/latest/
+total 72
+
+.. Sep 19 15:44 certs.tar.gz
+
+
+# Success