openconext / openconext-deploy

Ansible-based deployment automation for the OpenConext platform

License: Apache License 2.0

Shell 10.22% PHP 0.45% HTML 0.84% Python 5.91% Perl 0.15% Jinja 82.43%
openconext deploy ansible

openconext-deploy's Introduction

Ansible-driven provisioning of the OpenConext platform.

Getting started

Deploy to a remote machine

A manual to run the deploy to a single target machine (e.g. a hosted VM) is in the wiki: Installation steps to deploy OpenConext on a single system.

Deploy with Vagrant

To run a development instance on your local machine with Vagrant and VirtualBox, follow these steps. They are based on Mac OS X and the Open Source Homebrew package manager.

It is also possible to deploy using Vagrant and libvirt/qemu (on Linux). Instructions are provided below.

Install Vagrant and VirtualBox

VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product, downloads and user manual can be found on the VirtualBox website.

Vagrant provides easy to configure, reproducible, and portable work environments built on top of industry-standard technology and controlled by a single consistent workflow to help maximize the productivity and flexibility of you and your team.

For installation instructions see the website.

You will need at least Vagrant 1.7. Do not use Vagrant 1.8.5, which contains a bug that makes provisioning fail with the message "Warning: Authentication failure. Retrying...". More recent versions (around 1.9.1) also have problems detecting the network devices inside the VM, causing Vagrant to fail to connect over ssh.

To install both with Homebrew:

brew cask install vagrant
brew cask install virtualbox

The commands above install the latest versions, which may be incompatible with each other. Vagrant will tell you if that is the case; if you need a different version, tap the cask-versions repository and install the matching version of VirtualBox and/or Vagrant:

brew tap homebrew/cask-versions
brew cask install virtualbox4330101610

Install Ansible

Ansible is the configuration tool we use to describe our servers. Installation instructions can be found on the Ansible website. The minimum required version of Ansible is 2.4. To install it for development with Homebrew:

brew install python
pip install --upgrade setuptools
pip install --upgrade pip
brew install ansible

Run playbooks

The Vagrant setup installs everything on two boxes for demo purposes.

To provision the VMs, clone the repository and run the provision script:

git clone https://github.com/OpenConext/OpenConext-deploy.git
cd OpenConext-deploy
./provision vm

When the script is done, wait a little while to let all services come up and initialize themselves. Then point your browser to https://welcome.vm.openconext.org

These are the steps the above script performs:

  1. Set up the Vagrant VMs and make sure the hosts file can resolve the configured base_domain.
  2. Set up a MariaDB server.
  3. Insert entities and metadata in Manage and do the initial load of EngineBlock to bootstrap the platform.
  4. Install all Java apps of the OpenConext platform.
  5. Install all PHP apps of the OpenConext platform.
  6. Install HAProxy for load balancing and SSL termination on the loadbalancer machine.
  7. Install Mujina as IdP and SP for the VM environment.

Add hostname entries to your own /etc/hosts file

We need pseudo-DNS entries so that your browser can reach the VM platform we just installed. Add this (very long) line to your /etc/hosts file:

192.168.66.98  welcome.vm.openconext.org static.vm.openconext.org metadata.vm.openconext.org db.vm.openconext.org engine.vm.openconext.org  profile.vm.openconext.org mujina-sp.vm.openconext.org mujina-idp.vm.openconext.org teams.vm.openconext.org voot.vm.openconext.org pdp.vm.openconext.org engine-api.vm.openconext.org aa.vm.openconext.org link.vm.openconext.org manage.vm.openconext.org connect.vm.openconext.org

Here, the IP address 192.168.66.98 is the address that is configured in ./Vagrantfile; if you change it there, change it here as well. Note that these entries override DNS for the vm.openconext.org names on your workstation, so remove them again when you no longer use the VM.
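To keep that hosts-file edit repeatable and reversible, here is an added example (not part of OpenConext-deploy) that installs, checks and removes the line above under a marker comment. It assumes the IP 192.168.66.98 from the Vagrantfile, and it takes the hosts file path as a parameter so it can be tried on a scratch file before touching /etc/hosts; the oc_ function names and the marker text are this example's own.

```shell
#!/bin/sh
# Added example, not OpenConext-deploy code: manage the vm.openconext.org
# pseudo-DNS entries in a hosts file idempotently.
# Assumptions: OC_VM_IP matches ./Vagrantfile; the hosts file path is passed
# in so the functions can be exercised on a scratch file first.

OC_VM_IP="192.168.66.98"
OC_VM_HOSTS="welcome static metadata db engine profile mujina-sp mujina-idp teams voot pdp engine-api aa link manage connect"
OC_MARKER="# openconext-vm"

# Build the single hosts line: "<ip> host1.vm.openconext.org host2.vm.openconext.org ... <marker>"
oc_hosts_line() {
    line="$OC_VM_IP"
    for h in $OC_VM_HOSTS; do
        line="$line $h.vm.openconext.org"
    done
    printf '%s %s\n' "$line" "$OC_MARKER"
}

# Install (or refresh) the marked line in the given hosts file. Any previous
# marked line is dropped first, so re-running after changing the IP is safe
# and never produces duplicates.
oc_hosts_install() {
    hosts_file="$1"
    tmp="$hosts_file.tmp.$$"
    grep -v -F -- "$OC_MARKER" "$hosts_file" > "$tmp" 2>/dev/null || true
    oc_hosts_line >> "$tmp"
    mv "$tmp" "$hosts_file"
}

# Remove the marked line again; the entries override DNS for these names,
# so they should not outlive the VM.
oc_hosts_remove() {
    hosts_file="$1"
    tmp="$hosts_file.tmp.$$"
    grep -v -F -- "$OC_MARKER" "$hosts_file" > "$tmp" || true
    mv "$tmp" "$hosts_file"
}

# Return 0 when <name> is on the marked line with OC_VM_IP, 1 otherwise.
oc_hosts_check() {
    hosts_file="$1"; name="$2"
    grep -F -- "$OC_MARKER" "$hosts_file" \
        | grep -q -E "^$OC_VM_IP[[:space:]](.*[[:space:]])?$name([[:space:]]|\$)"
}

# Command-line use: install|remove|check [hosts-file]; no argument does nothing.
case "${1:-}" in
    install) oc_hosts_install "${2:-/etc/hosts}" ;;
    remove)  oc_hosts_remove  "${2:-/etc/hosts}" ;;
    check)   oc_hosts_check   "${2:-/etc/hosts}" welcome.vm.openconext.org && echo ok ;;
esac
```

Saved as oc-hosts.sh (an assumed file name), run `sudo sh oc-hosts.sh install` after `vagrant up`, `sh oc-hosts.sh check` to confirm welcome.vm.openconext.org maps to the VM address, and `sudo sh oc-hosts.sh remove` when you are done.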

Enjoy your new VM!

Go to https://welcome.vm.openconext.org. To ssh into the machines, use:

vagrant ssh lb_centos7
vagrant ssh apps_centos7

(running vagrant ssh without specifying a VM connects to the apps VM)

The lb VM contains HAProxy. The apps VM contains all the applications, Apache and the database.

Deploy using libvirt/qemu

Instead of using VirtualBox as described above, it is also possible to use libvirt/qemu on Linux machines. This requires a number of additional steps.

  1. Make sure you have a recent version of Vagrant, and that libvirt/qemu is working as expected for normal VMs (e.g., check that virt-manager can create a new VM).
  2. Install the vagrant-libvirt and vagrant-mutate plugins (or use the versions provided by your distribution):

vagrant plugin install vagrant-libvirt
vagrant plugin install vagrant-mutate

  3. Download the OpenConext base CentOS 7 image. This is a VirtualBox image, so it needs to be converted to a libvirt image using vagrant mutate:

vagrant box add https://build.openconext.org/vagrant_boxes/virtualbox-centos7.box --name CentOS-7.0
vagrant mutate CentOS-7.0 libvirt --force-virtio

  4. Vagrant should now have two variants of the CentOS-7.0 image:

vagrant box list
CentOS-7.0 (libvirt, 0)
CentOS-7.0 (virtualbox, 0)

  5. From a checked-out version of the OpenConext-deploy repository, run the following commands to check that the boxes come up (set the environment variable VAGRANT_LOG=debug to increase verbosity if anything goes wrong):

vagrant up --provider libvirt lb_centos7
vagrant up --provider libvirt apps_centos7

  6. You should now be set to run the ./provision vm command.
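Fetching the base box over HTTPS authenticates the build server, not the image itself, and the box is later mutated and booted with the vagrant account. As an added example (not part of OpenConext-deploy), the script below registers the box only after its SHA-256 matches a value you obtained out of band. The URL and box name are the ones from step 3; the curl download, the OC_BOX_SHA256 variable and the oc_ function names are assumptions of this example, and the page publishes no checksum, so the placeholder must be replaced with a digest you trust.

```shell
#!/bin/sh
# Added example, not OpenConext-deploy code: add the base box only after its
# SHA-256 matches an expected value. The expected digest is an assumption:
# the project page publishes none, so obtain it out of band and set OC_BOX_SHA256.
OC_BOX_URL="https://build.openconext.org/vagrant_boxes/virtualbox-centos7.box"
OC_BOX_NAME="CentOS-7.0"
OC_BOX_SHA256="${OC_BOX_SHA256:-REPLACE_WITH_EXPECTED_SHA256}"   # placeholder, supplied by the operator

# Print the hex SHA-256 of a file, using whichever tool the workstation has.
oc_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the expected one (case-insensitive
# hex comparison), 1 otherwise or when the file cannot be hashed.
oc_box_verify() {
    file="$1"; expected="$2"
    actual=$(oc_sha256 "$file" 2>/dev/null)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download to a scratch directory, verify, then register with Vagrant;
# on a mismatch nothing is registered and the download is discarded.
oc_box_add() {
    tmp=$(mktemp -d)
    box="$tmp/$OC_BOX_NAME.box"
    curl -fsSL -o "$box" "$OC_BOX_URL" || { rm -rf "$tmp"; return 1; }
    if ! oc_box_verify "$box" "$OC_BOX_SHA256"; then
        echo "checksum mismatch for $OC_BOX_URL, not adding box" >&2
        rm -rf "$tmp"
        return 1
    fi
    vagrant box add --name "$OC_BOX_NAME" "$box"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Command-line use: "add" performs the download+verify+add; no argument does nothing.
case "${1:-}" in
    add) oc_box_add ;;
esac
```

`vagrant box add` itself also accepts `--checksum <hex> --checksum-type sha256` and performs the same comparison in one step; the separate verify function is shown because it can be exercised without Vagrant installed, and the same check applies to any box you later convert with vagrant mutate.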

Releases to vm, test, acc, prod

To update single applications - e.g. for a release - use tags:

./provision $env $remote_user path/to/your/secrets.yml --tags eb

Where:

  $env: your environment. The vm environment is located in environments/vm. If you use your own repository you will have to place it in environments_external.
  $remote_user: the remote user with sudo permissions.
  path/to/your/secrets.yml: the secrets used by Ansible are externalized. For the VM the secrets are in this GitHub repo. For other environments (your own installation) they can be located in a separate repository.

Making changes

When making changes, please consider that people are continuously deploying vm's from master. Therefore, please do your best to keep HEAD in a working state, and make any invasive changes like adding new components or refactoring on a separate branch.

License

These files are licensed under version 2.0 of the Apache License, as described in the file LICENSE.

Support

VM

To provision the VM use the following (password is vagrant and sudo password is

ansible-playbook -u vagrant -i ./environments/vm/inventory -K -e secrets_file=./environments/vm/secrets/vm.yml provision-vm.yml

To provision a certain role use tags:

ansible-playbook -u vagrant -i ./environments/vm/inventory -K -e secrets_file=./environments/vm/secrets/vm.yml provision-vm.yml --tags vm_only_provision_manage_eb

Setting up a development environment is described in the file DEVELOPMENT.

openconext-deploy's People

Contributors

baszoetekouw, dj-wasabi, domgon, drvanr, ejsf, erikflohr, hanswesterbeek, joostd, jweewer, khorben, lvonk, maartenk, marcvwag, mkodde, mrvanes, muisit, mvdheenux, nicodier, oharsta, pablothedude, phavekes, pmeulen, precurse, quartje, surfnet-niels, thijskh, timdebruijn, tvdijen

openconext-deploy's Issues

Fix ansible deployment of authZ-server and AuthZ-admin

When deploying AuthZ and AuthZ-admin, the deploy breaks on ansible not being able to ascertain whether AuthZ-service and AuthZ-admin are started.
Typical error is:

TASK: [authz-server | ensure the service is started] **************************
failed: [145.100.181.45] => {"failed": true}
msg: [FAILED]

When I login to the deploy target however, the service was started correctly.

Workaround
Restarting the deploy 'fixes' this problem, as the scripts detect the service is already deployed and the deployment is skipped.

Resolution
Some testing has determined that the init scripts for authZ-server and AuthZ-admin are in fact returning the correct exit code, which suggests the templating is done correctly.
We could also not find a difference between deployments using init.d or systemd.

PDP GUI failing to load in browser

Hello,

We're running the most recent Openconext-deploy PDP version (1.2.7) and I noticed an issue while trying to access pdp.<domain> today. The page loads with the following HTML:

<html lang='en'>
 <head>
 <title>PDP</title>
 <meta http-equiv="expires" content="0">
 <meta content='width=1280' id='vp' name='viewport'>
 <meta charset='utf-8'>
 <link rel="shortcut icon" href="/favicon.ico"><link href="/application-566a511212b58940d10bb2440ac4011e.css?a4803362ab9e0032c29c" rel="stylesheet"></head>
 <body>
 <div id="app"></div>
 <script type="text/javascript" src="/application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c"></script></body>
 </html>

However, the page is completely blank in the browser. There don't appear to be any noticeable errors in /var/log/messages or /var/log/pdp/pdp.log, and the Java service stays started without errors:

# systemctl status pdp
● pdp.service - pdp
   Loaded: loaded (/etc/systemd/system/pdp.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-08-22 19:20:02 UTC; 20min ago
 Main PID: 611 (java)
   CGroup: /system.slice/pdp.service
           └─611 /usr/lib/jvm/java-1.8.0/bin/java -Xms512m -Xmx512m -Djava.security.egd=file:///dev/urandom -jar pdp.jar

I can confirm the database connection is good using mysql -h <sql_host> -u pdp-serverrw -p pdp-server (using the same credentials as what's in /opt/pdp/application.properties). I've reinstalled PDP solely, rebooted, and created a brand new app server, without any luck.

The only error that seems to show up is the following under Developer Tools in Chrome:

application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:8580 Uncaught Error: Cannot find module "!!../../node_modules/css-loader/index.js?!../../node_modules/sass-loader/index.js?!../../node_modules/import-glob-loader/index.js!./application.sass"
    at webpackMissingModule (application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:8580)
    at Object.<anonymous> (application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:8580)
    at __webpack_require__ (application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:20)
    at Object.<anonymous> (application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:8070)
    at __webpack_require__ (application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:20)
    at Object.<anonymous> (application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:48)
    at __webpack_require__ (application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:20)
    at application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:40
    at application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:43
webpackMissingModule @ application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:8580
(anonymous) @ application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:8580
__webpack_require__ @ application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:20
(anonymous) @ application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:8070
__webpack_require__ @ application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:20
(anonymous) @ application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:48
__webpack_require__ @ application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:20
(anonymous) @ application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:40
(anonymous) @ application-a4803362ab9e0032c29c.js?a4803362ab9e0032c29c:43
DevTools failed to parse SourceMap: https://pdp.<Openconext domain>/es6-promise.map

Other NodeJS frontend applications like the Dashboard and Teams are working ok -- PDP is the only one that appears to be affected.

Any pointers on this would be great.

Thanks.

Teams appending nl:surfnet:diensten to names

We got Teams working (thank you guys for decoupling grouper/ldap from it), and noticed it's appending a surfnet name string to all group names.

In the application.properties file, it looks like defaultStemName is set to nl:surfnet:diensten, which is being appended to the group name like so: urn:collab:group:my.federation.com:nl:surfnet:diensten

The my.federation.com is settable in the application.properties.j2 template, while the defaultStemName is not.

Should it be as simple as adding it as another configuration variable, or is there more to it than that? If it's the former, I can just create a pull request for you guys.

Thanks

installation failed, Vagrant insecure key detected

Running the installation script 'provision-vagrant' fails, complaining about Vagrant insecure key detected. See logs:

OpenConext-deploy-217.1 tomk$ ./provision-vagrant 
Bringing machine 'lb_centos7' up with 'virtualbox' provider...
Bringing machine 'apps_centos7' up with 'virtualbox' provider...
==> lb_centos7: Box 'CentOS-7.0' could not be found. Attempting to find and install...
    lb_centos7: Box Provider: virtualbox
    lb_centos7: Box Version: >= 0
==> lb_centos7: Box file was not detected as metadata. Adding it directly...
==> lb_centos7: Adding box 'CentOS-7.0' (v0) for provider: virtualbox
    lb_centos7: Downloading: https://build.surfconext.nl/vagrant_boxes/virtualbox-centos7.box
==> lb_centos7: Successfully added box 'CentOS-7.0' (v0) for 'virtualbox'!
==> lb_centos7: Importing base box 'CentOS-7.0'...
==> lb_centos7: Matching MAC address for NAT networking...
==> lb_centos7: Setting the name of the VM: OpenConext Engineblock Loadbalancer
==> lb_centos7: Clearing any previously set network interfaces...
==> lb_centos7: Preparing network interfaces based on configuration...
    lb_centos7: Adapter 1: nat
    lb_centos7: Adapter 2: hostonly
==> lb_centos7: Forwarding ports...
    lb_centos7: 22 (guest) => 2222 (host) (adapter 1)
==> lb_centos7: Running 'pre-boot' VM customizations...
==> lb_centos7: Booting VM...
==> lb_centos7: Waiting for machine to boot. This may take a few minutes...
    lb_centos7: SSH address: 127.0.0.1:2222
    lb_centos7: SSH username: vagrant
    lb_centos7: SSH auth method: private key
    lb_centos7: Warning: Remote connection disconnect. Retrying...
    lb_centos7: Warning: Remote connection disconnect. Retrying...
    lb_centos7: Warning: Remote connection disconnect. Retrying...
    lb_centos7: 
    lb_centos7: Vagrant insecure key detected. Vagrant will automatically replace
    lb_centos7: this with a newly generated keypair for better security.
    lb_centos7: 
    lb_centos7: Inserting generated public key within guest...
    lb_centos7: Removing insecure key from the guest if it's present...
    lb_centos7: Key inserted! Disconnecting and reconnecting using new SSH key...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
    lb_centos7: Warning: Authentication failure. Retrying...
Timed out while waiting for the machine to boot. This means that
Vagrant was unable to communicate with the guest machine within
the configured ("config.vm.boot_timeout" value) time period.

If you look above, you should be able to see the error(s) that
Vagrant had when attempting to connect to the machine. These errors
are usually good hints as to what may be wrong.

If you're using a custom box, make sure that networking is properly
working and you're able to connect to the machine. It is a common
problem that networking isn't setup properly in these boxes.
Verify that authentication configurations are also setup properly,
as well.

If the box appears to be booting properly, you may want to increase
the timeout ("config.vm.boot_timeout") value.

engine is reading stale files after symlink update

After deploying a new version of engine I see errors like the one below:
engineblock.ERROR: file_get_contents(/opt/openconext/OpenConext-engineblock-5.4.0/application/configs/attributes-v2.2.0.json): failed to open stream: No such file or directory [/opt/openconext/OpenConext-engineblock-master/library/EngineBlock/Application/DiContainer.php:241]

When updating, the /opt/openconext/OpenConext-engineblock symlink is changed and old versions are removed. The error indicates that updating the symlink does not immediately switch to the new engineblock.

After restarting httpd & php-fpm the errors disappear.

please handle initialization of EB databases in the engineblock role

Currently, the Engineblock database is provisioned in the vm_only_provision_eb_sr task by overwriting the EB database with a random database dump. This causes all kinds of problems for OpenConext installs.

Please integrate database initialization for EB in the engineblock role, for example by checking if the database already exists, and if not, creating it with sane default values.

See https://github.com/OpenConext/OpenConext-deploy/blob/master/roles/vm_only_provision_eb_sr/templates/engineblock.sql.j2 for the dump that is currently installed to provision the db.

Failed to connect to the host via ssh

The provision-vagrant script is showing errors when trying to connect to both created instances.

PLAY [all] *********************************************************************

TASK [Read vars from secrets file] *********************************************
ok: [localhost]
ok: [192.168.66.99]
ok: [192.168.66.98]

PLAY [loadbalancer:php-apps:java-apps:storage] *********************************

TASK [setup] *******************************************************************
ok: [192.168.66.99]
fatal: [192.168.66.98]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh.", "unreachable": true}

TASK [common : set timezone] ***************************************************
fatal: [192.168.66.99]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh.", "unreachable": true}
    to retry, use: --limit @/Users/tomk/Documents/Vagrant/OpenConext/OpenConext-deploy-217.1/provision-vm.retry

PLAY RECAP *********************************************************************
192.168.66.98              : ok=1    changed=0    unreachable=1    failed=0   
192.168.66.99              : ok=2    changed=0    unreachable=1    failed=0   
localhost                  : ok=1    changed=0    unreachable=0    failed=0

No website is running at https://welcome.vm.openconext.org/

Ansible Installation of the OpenConext environment (VOOT branch)

After launching the installation command below it fails with the error listed hereafter:

$ ./ansible-vm openconext-php.yml

failed: [145.100.180.77] => {"changed": true, "cmd": ["./bin/migrate"], "delta": "0:00:00.021347", "end": "2015-02-19 14:43:51.841312", "rc": 127, "start": "2015-02-19 14:43:51.819965", "stdout_lines": [], "warnings": []}
stderr: /usr/bin/env: php: No such file or directory

FATAL: all hosts have already failed -- aborting

haproxy/rsyslogd logging broken

By default, haproxy logs to syslog (via udp/127.0.0.1). However, the rsyslog role is not by default included in the template file, so that the rsyslogd is not listening to incoming network connections at all.

Adding new https certificates to you already installed OC box

Dear All,

Can you please help me to install my * certificate in an existing deployment or from scratch.
I followed these steps to install it:
1 - I created a file in the certs directory named star.prod.pem containing my 'star' certificate and the intermediate CA certificates from my provider.
2 - https_key from the secrets file
3 - ansible-playbook -v -i "environments/prod/inventory" -u "root" -K provision-prod.yml --extra-vars="secrets_file=environments/prod/secrets/prod.yml" --tags lb

The issue is that HAProxy doesn't accept the star_haproxy.pem file, but when I manually add the cert and private key to star_haproxy.pem it still runs in untrusted mode.

Please help.
Looking forward to your fast response.
Thanks.
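HAProxy's crt option reads one PEM file holding the server certificate first, then the intermediate certificate(s), then the private key; a bundle where the key does not belong to the first certificate, or where the intermediates are missing, is exactly what yields a non-starting or "untrusted" HAProxy. As an added example, not part of OpenConext-deploy and not a reply from the maintainers, the script below generates a throw-away root, intermediate and wildcard leaf with openssl (constructed test data, so it runs offline), assembles such a bundle, and checks the three properties before the file is handed to the lb role. The file names and the oc_ function names are this example's own; with a real certificate you pass your own files to oc_check_haproxy_pem instead.

```shell
#!/bin/sh
# Added example, not OpenConext-deploy code: build and sanity-check a HAProxy
# PEM bundle (server cert, intermediates, private key in one file).
# The demo PKI below is constructed locally so the script runs offline.

# Return 0 when <bundle> is usable by HAProxy with <anchor> as trust root:
#  - the first CERTIFICATE block is the server certificate,
#  - the private key in the file belongs to that certificate,
#  - that certificate chains to <anchor> through the other certificates in the file.
oc_check_haproxy_pem() {
    bundle="$1"; anchor="$2"; wd=$(mktemp -d); ok=1
    # openssl x509/pkey read the first matching PEM block and skip the rest,
    # which is also what HAProxy serves as the leaf.
    if openssl x509 -in "$bundle" -out "$wd/leaf.pem" >/dev/null 2>&1 &&
       openssl pkey -in "$bundle" -out "$wd/key.pem" >/dev/null 2>&1; then
        # The key must belong to that first certificate: compare SubjectPublicKeyInfo digests.
        c=$(openssl x509 -in "$wd/leaf.pem" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
        k=$(openssl pkey -in "$wd/key.pem" -pubout 2>/dev/null | openssl dgst -sha256)
        # Every CERTIFICATE block (leaf plus intermediates) is offered as untrusted chain material.
        awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
            "$bundle" > "$wd/chain.pem"
        if [ "$c" = "$k" ] &&
           openssl verify -CAfile "$anchor" -untrusted "$wd/chain.pem" "$wd/leaf.pem" >/dev/null 2>&1; then
            ok=0
        fi
    fi
    rm -rf "$wd"
    return $ok
}

# Assemble the bundle in the order HAProxy expects: leaf, intermediates, key.
oc_make_haproxy_pem() {
    cat "$1" "$2" "$3" > "$4"
}

# Constructed test data: root CA -> intermediate CA -> *.vm.openconext.org leaf.
# Short-lived throw-away keys, only so the checks can be exercised offline.
oc_make_demo_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 2 \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.vm.openconext.org" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/leaf.pem" >/dev/null 2>&1
}

# Command-line use: "demo" builds the demo PKI and checks a bundle made from it;
# "check <bundle> <anchor>" checks your own file. No argument does nothing.
case "${1:-}" in
    demo)
        d=$(mktemp -d)
        oc_make_demo_pki "$d"
        oc_make_haproxy_pem "$d/leaf.pem" "$d/int.pem" "$d/leaf.key" "$d/star_haproxy.pem"
        oc_check_haproxy_pem "$d/star_haproxy.pem" "$d/root.pem" && echo "bundle ok" || echo "bundle BAD"
        rm -rf "$d" ;;
    check)
        oc_check_haproxy_pem "$2" "$3" && echo "bundle ok" || echo "bundle BAD" ;;
esac
```

For a provider-issued wildcard certificate, the anchor passed to the check is the provider's root (or the system CA bundle); the intermediates they shipped must sit between the leaf and the key in star_haproxy.pem, otherwise the chain step fails just as it does for the missing-intermediate case in the demo.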

proper oidc provisioning

Please implement proper provisioning of the oidc component, and get rid of the vm_only_oidc role, which requires manual administration of ansible playbooks when installing a fresh OpenConext install.

Instead of the vm-specific database import, integrate this in the regular oidc role, and add a task to check if the database has been initialized, and if not, initialize it.
An even better approach would be to handle this in the application itself, in the same way also database schema changes are handled.

Exception: Provider pdp.xacml.CustomFunctionDefinitionFactory not found

I started receiving these exception emails recently when using the v234/v235.1 OpenConext-deploy releases:

Exception reading xacml.properties
--
org.apache.openaz.xacml.util.FactoryException: Provider pdp.xacml.CustomFunctionDefinitionFactory not found

It looks like that this CustomFunctionDefinitionFactory was added to the xacml.conext.properties.j2 file about 2 months ago: https://github.com/OpenConext/OpenConext-deploy/blob/master/roles/pdp/templates/xacml.conext.properties.j2#L16 , but the latest PDP 1.2.12 release was tagged on July 6th -- This factory wasn't added until August.

So it looks like the -Deploy is adding the Factory to the properties file, but the PDP version isn't yet compiled with it. I think that explains why we're getting that exception.

Is it safe to ignore these emails for the time being until the next PDP release?

Thanks

ADFS v3.0 as an IdP <samlp:Scoping> issue

Hi guys,

I noticed that Thijs had created this issue with SimpleSAMLphp just about a month ago here:
simplesamlphp/simplesamlphp#498

Have you guys figured out any sort of workaround to get this working with OpenConext? We're trying to onboard a couple of entities that use ADFS, but we're running into the same problem.

Thanks!

Provide instructions to create a control host for ansible other then localhost

Please provide information to install Ansible and deploy OpenConext from another machine than localhost.
The current instructions assume localhost is the control host.

Example:

    yum install git
    yum install gpg
    yum install ansible
    useradd openconext
    su - openconext
    git clone https://github.com/OpenConext/OpenConext-deploy.git

systemctl daemon-reload needed

Whenever an init script is changed, the command systemctl daemon-reload needs to be run. It would be easy to add this as a handler for each role (like the example below), but I wonder if there is a way to define "global" (i.e., non-role-specific) handlers?

diff --git a/roles/teams/handlers/main.yml b/roles/teams/handlers/main.yml
index b32876e..091127a 100644
--- a/roles/teams/handlers/main.yml
+++ b/roles/teams/handlers/main.yml
@@ -1,3 +1,7 @@
 ---
+# TODO: find a way to make this generic
+- name: systemctl daemon-reload
+  command: "systemctl daemon-reload"
+
 - name: restart teams
   service: name=teams state=restarted sleep=45
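Review bot: the new `systemctl daemon-reload` handler in this hunk is a `command:` call, so it reports `changed` on every run and has no idempotence; with Ansible 2.4 as the repository minimum, the `systemd` module does the same through a proper module call (`- name: systemctl daemon-reload` / `  systemd: daemon_reload=yes`). The handler also only runs before `restart teams` because it is listed first in this file, which is worth a comment next to the TODO. On the "global handler" question raised in the issue: a handler defined in a role listed under `dependencies` in `meta/main.yml` is reachable from the depending role, and handlers can share a `listen:` topic, so one daemon-reload handler in a common role can be notified from every Spring Boot role instead of copying this block.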
diff --git a/roles/teams/tasks/main.yml b/roles/teams/tasks/main.yml
index 7037d4f..9b90384 100644
--- a/roles/teams/tasks/main.yml
+++ b/roles/teams/tasks/main.yml
@@ -4,7 +4,9 @@

 - name: copy start script
   template: src=templates/spring-boot.j2 dest=/etc/init.d/{{ springapp_service_name }} mode=0755
-  notify: restart teams
+  notify:
+    - "systemctl daemon-reload"
+    - "restart teams"

 - name: enable service
   service: name=teams enabled=yes
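Review bot: notifying `systemctl daemon-reload` from the `copy start script` task is not sufficient on its own, because handlers only run at the end of the play while the `enable service` task right below (`service: name=teams enabled=yes`) executes immediately after the template; on a host where /etc/init.d/teams is new or was just rewritten, systemd still has the old generated unit at that point. Either put `- meta: flush_handlers` between the two tasks, or run the daemon-reload as a regular task (`systemd: daemon_reload=yes`) guarded by the template task's `changed` result, and keep only `restart teams` as the notified handler.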

Running ./provision-vagrant fails on aa

Hello,

I've been trying to get a test environment going using the current code base, but keep getting the following error when I run it.

TASK [aa : wait for aa to start] ***********************************************
fatal: [192.168.66.79]: FAILED! => {"changed": false, "elapsed": 300, "failed": true, "msg": "Timeout when waiting for 127.0.0.1:9198"}

Accessing https://vm.openconext.org/ gives:

503 Service Unavailable

No server is available to handle this request.

I've poked around to see if I can figure it out, but haven't been able to yet.. Any help would be great!

Thanks,
Andrew

Here's an analysis of different pieces relating to 'aa':

[root@apps current]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 08:00:27:68:75:FA
          inet addr:192.168.66.79  Bcast:192.168.66.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe68:75fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:125468 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47958 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:125161937 (119.3 MiB)  TX bytes:4089058 (3.8 MiB)

According to the aa.conf file, the port should be running locally on the apps server:

[root@apps current]# cat /etc/httpd/conf.d/aa.conf  |grep 9198
    ProxyPass /aa/api http://localhost:9198/ retry=0
    ProxyPassReverse /aa/api http://localhost:9198/
[root@apps current]# /etc/init.d/aa status
aa (pid 30497) is running...
[root@apps current]# telnet 127.0.0.1 9198
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

This is what I'm seeing in the /var/log/aa/aa.log file:

2016-03-05 00:23:33,876 DEBUG [pool-4-thread-1] a.s.UrlResourceServiceRegistry:34 - Starting refreshing SP metadata.
2016-03-05 00:23:33,877 DEBUG [pool-4-thread-1] a.s.UrlResourceServiceRegistry:51 - Fetching SP metadata entries from https://multidata.vm.openconext.org/service-providers.json
2016-03-05 00:23:33,879 ERROR [pool-4-thread-1] a.s.UrlResourceServiceRegistry:68 - Error in refreshing metadata
java.lang.RuntimeException: java.io.IOException: Server returned HTTP response code: 503 for URL: https://multidata.vm.openconext.org/service-providers.json
        at aa.serviceregistry.ClassPathResourceServiceRegistry.readValue(ClassPathResourceServiceRegistry.java:80) ~[aa-server-1.0.1-20160302.080912-1.jar!/:1.0.1-SNAPSHOT]
        at aa.serviceregistry.ClassPathResourceServiceRegistry.parseEntities(ClassPathResourceServiceRegistry.java:57) ~[aa-server-1.0.1-20160302.080912-1.jar!/:1.0.1-SNAPSHOT]
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[na:1.8.0_71]
        at java.util.Collections$2.tryAdvance(Collections.java:4717) ~[na:1.8.0_71]
        at java.util.Collections$2.forEachRemaining(Collections.java:4725) ~[na:1.8.0_71]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[na:1.8.0_71]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[na:1.8.0_71]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[na:1.8.0_71]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:1.8.0_71]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[na:1.8.0_71]
        at aa.serviceregistry.ClassPathResourceServiceRegistry.initializeMetadata(ClassPathResourceServiceRegistry.java:36) ~[aa-server-1.0.1-20160302.080912-1.jar!/:1.0.1-SNAPSHOT]
        at aa.serviceregistry.UrlResourceServiceRegistry.initializeMetadata(UrlResourceServiceRegistry.java:58) ~[aa-server-1.0.1-20160302.080912-1.jar!/:1.0.1-SNAPSHOT]
        at aa.serviceregistry.UrlResourceServiceRegistry.refreshMetataData(UrlResourceServiceRegistry.java:66) ~[aa-server-1.0.1-20160302.080912-1.jar!/:1.0.1-SNAPSHOT]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_71]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) ~[na:1.8.0_71]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) ~[na:1.8.0_71]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) ~[na:1.8.0_71]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_71]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[na:1.8.0_71]
        at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_71]
Caused by: java.io.IOException: Server returned HTTP response code: 503 for URL: https://multidata.vm.openconext.org/service-providers.json
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1840) ~[na:1.8.0_71]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441) ~[na:1.8.0_71]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) ~[na:1.8.0_71]
        at aa.serviceregistry.BasicAuthenticationUrlResource.getInputStream(BasicAuthenticationUrlResource.java:32) ~[aa-server-1.0.1-20160302.080912-1.jar!/:1.0.1-SNAPSHOT]
        at aa.serviceregistry.ClassPathResourceServiceRegistry.readValue(ClassPathResourceServiceRegistry.java:78) ~[aa-server-1.0.1-20160302.080912-1.jar!/:1.0.1-SNAPSHOT]
        ... 19 common frames omitted

No service listening on port 9198:

[root@apps current]# netstat -ln |grep 9198
[root@apps current]# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:11211               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:9876              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:42939               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 :::9291                     :::*                        LISTEN
tcp        0      0 :::11211                    :::*                        LISTEN
tcp        0      0 :::9196                     :::*                        LISTEN
tcp        0      0 :::9197                     :::*                        LISTEN
tcp        0      0 :::9199                     :::*                        LISTEN
tcp        0      0 :::111                      :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::1:25                      :::*                        LISTEN
tcp        0      0 :::33856                    :::*                        LISTEN
tcp        0      0 :::389                      :::*                        LISTEN
tcp        0      0 :::9190                     :::*                        LISTEN
tcp        0      0 :::9191                     :::*                        LISTEN
tcp        0      0 :::9290                     :::*                        LISTEN
udp        0      0 0.0.0.0:111                 0.0.0.0:*
udp        0      0 192.168.66.79:123           0.0.0.0:*
udp        0      0 10.0.2.15:123               0.0.0.0:*
udp        0      0 127.0.0.1:123               0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*
udp        0      0 0.0.0.0:60805               0.0.0.0:*
udp        0      0 0.0.0.0:705                 0.0.0.0:*
udp        0      0 0.0.0.0:68                  0.0.0.0:*
udp        0      0 0.0.0.0:11211               0.0.0.0:*
udp        0      0 0.0.0.0:724                 0.0.0.0:*
udp        0      0 :::111                      :::*
udp        0      0 fe80::a00:27ff:fe68:75fa:123 :::*
udp        0      0 fe80::a00:27ff:fe5e:ac7:123 :::*
udp        0      0 ::1:123                     :::*
udp        0      0 :::123                      :::*
udp        0      0 :::34307                    :::*
udp        0      0 :::46738                    :::*
udp        0      0 :::54814                    :::*
udp        0      0 :::60959                    :::*
udp        0      0 :::33956                    :::*
udp        0      0 :::54316                    :::*
udp        0      0 :::60590                    :::*
udp        0      0 :::40880                    :::*
udp        0      0 :::705                      :::*
udp        0      0 :::48453                    :::*
udp        0      0 :::11211                    :::*

Development provisioning hangs on teams

Problem
When provisioning the development environment on revision: 0af087e (and several commits 'downwards') the playbook hangs on the "start the teams service" task.

The timeout period of 30 seconds is reached and provisioning stops. Elongating the timeout period did not provide a workaround for this issue.

Steps to reproduce

  1. Start by setting up the development environment prerequisites described in: this development.md
  2. In the OpenConext-deploy directory:
    1. vagrant destroy
    2. rm -rf .vagrant
    3. ENV=dev vagrant up

Rename provision-vm to provision-vagrant

Please rename the files provision-vm to something like provision-vagrant.

Currently the OpenConext deploy only focuses on vagrant and test. Also it requires a Mac to install.
To remove the Mac requirement and allow installation of an OpenConext environment on a separate VM (without Vagrant) the name provision-vm might be used in the future.

It also clarifies what the files/script are meant for.

proper oidc provisioning

Please implement proper provisioning of the oidc component, and get rid of the vm_only_oidc role, which requires manual administration of ansible playbooks when installing a fresh OpenConext install.

Instead of the vm-specific database import, integrate this in the regular oidc role, and add a task to check if the database has been initialized, and if not, initialize it.
An even better approach would be to handle this in the application itself, in the same way also database schema changes are handled.

Mujina-idp failed to start and other java apps

Hi guys,
Please support. Mujina IdP and SP and other Java apps failed to start.

systemctl status mujina-idp
● mujina-idp.service - mujina-idp
Loaded: loaded (/etc/systemd/system/mujina-idp.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2017-05-11 13:26:33 CEST; 282ms ago
Process: 4149 ExecStart=/usr/lib/jvm/java-1.8.0/bin/java -Xms128m -Xmx128m -Djava.security.egd=file:///dev/urandom -jar mujina-idp-current.jar (code=exited, status=1/FAILURE)
Main PID: 4149 (code=exited, status=1/FAILURE)

May 11 13:26:26 welcome.openconext.org java[4149]: [Spring Boot ASCII-art banner omitted]
May 11 13:26:26 welcome.openconext.org java[4149]: :: Spring Boot :: (v1.5.2.RELEASE)
May 11 13:26:33 welcome.openconext.org systemd[1]: mujina-idp.service: main process exited, code=exited, status=...LURE
May 11 13:26:33 welcome.openconext.org systemd[1]: Unit mujina-idp.service entered failed state.
May 11 13:26:33 welcome.openconext.org systemd[1]: mujina-idp.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

Please also see the log service.

Error starting ApplicationContext. To display the auto-configuration report re-run your application with 'debug' enabled.
2017-05-11 13:31:40,926 ERROR [main] o.springframework.boot.SpringApplication:815 - Application startup failed
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'idpConfiguration' defined in URL [jar:file:/opt/mujina-idp/mujina-idp-5.0.3.jar!/BOOT-INF/classes!/mujina/api/IdpConfiguration.class]: Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyManager' defined in class path resource [mujina/idp/WebSecurityConfigurer.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.saml.key.JKSKeyManager]: Factory method 'keyManager' threw exception; nested exception is java.lang.IllegalArgumentException: Illegal base64 character 5f
at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:749)
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:189)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1193)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1095)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:866)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:542)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:737)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:370)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:314)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1162)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1151)
at mujina.MujinaIdpApplication.main(MujinaIdpApplication.java:15)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:50)
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:51)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'keyManager' defined in class path resource [mujina/idp/WebSecurityConfigurer.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.saml.key.JKSKeyManager]: Factory method 'keyManager' threw exception; nested exception is java.lang.IllegalArgumentException: Illegal base64 character 5f
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:599)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1173)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1067)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:513)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:208)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1138)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1066)
at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:835)
at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:741)
... 27 common frames omitted
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.saml.key.JKSKeyManager]: Factory method 'keyManager' threw exception; nested exception is java.lang.IllegalArgumentException: Illegal base64 character 5f
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189)
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588)
... 40 common frames omitted
Caused by: java.lang.IllegalArgumentException: Illegal base64 character 5f
at java.util.Base64$Decoder.decode0(Base64.java:714)
at java.util.Base64$Decoder.decode(Base64.java:526)
at mujina.saml.KeyStoreLocator.addPrivateKey(KeyStoreLocator.java:47)
at mujina.idp.WebSecurityConfigurer.keyManager(WebSecurityConfigurer.java:101)
at mujina.idp.WebSecurityConfigurer$$EnhancerBySpringCGLIB$$8675f554.CGLIB$keyManager$1()
at mujina.idp.WebSecurityConfigurer$$EnhancerBySpringCGLIB$$8675f554$$FastClassBySpringCGLIB$$5609d8f0.invoke()
at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:358)
at mujina.idp.WebSecurityConfigurer$$EnhancerBySpringCGLIB$$8675f554.keyManager()
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162)

Unable to access EngineBlock5 Interface

I successfully ran the openconext centos7 engineblock5 playbooks without any Ansible errors. I'm noticing that I still can't access the main OpenConext page, however. When I drill down through the HAProxy -> Apache error, I'm seeing the following in the pdp logs.

Any help would be great. Thanks!

Exception in thread "main" java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:62)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:54)
        ... 1 more
Caused by: java.lang.IllegalStateException: Could not evaluate condition on org.springframework.boot.actuate.autoconfigure.HealthIndicatorAutoConfiguration$DataSourcesHealthIndicatorConfiguration due to org/springframework/mail/javamail/JavaMailSenderImpl not found. Make sure your own configuration does not rely on that class. This can also happen if you are @ComponentScanning a springframework package (e.g. if you put a @ComponentScan in the default package by mistake)
        at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:55)
        at org.springframework.context.annotation.ConditionEvaluator.shouldSkip(ConditionEvaluator.java:102)
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader$TrackedConditionEvaluator.shouldSkip(ConfigurationClassBeanDefinitionReader.java:436)
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForConfigurationClass(ConfigurationClassBeanDefinitionReader.java:127)
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitions(ConfigurationClassBeanDefinitionReader.java:116)
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:333)
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:243)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:273)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:98)
        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:678)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:520)
        at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:118)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:766)
        at org.springframework.boot.SpringApplication.createAndRefreshContext(SpringApplication.java:361)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:307)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1191)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1180)
        at pdp.PdpApplication.main(PdpApplication.java:47)
        ... 6 more
Caused by: java.lang.NoClassDefFoundError: org/springframework/mail/javamail/JavaMailSenderImpl
        at java.lang.Class.getDeclaredMethods0(Native Method)
        at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
        at java.lang.Class.getDeclaredMethods(Class.java:1975)
        at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:609)
        at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:521)
        at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:507)
        at org.springframework.util.ReflectionUtils.getUniqueDeclaredMethods(ReflectionUtils.java:567)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryMethod(AbstractAutowireCapableBeanFactory.java:683)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:627)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:597)
        at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1445)
        at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:975)
        at org.springframework.boot.autoconfigure.condition.BeanTypeRegistry$OptimizedBeanTypeRegistry.addBeanTypeForNonAliasDefinition(BeanTypeRegistry.java:289)
        at org.springframework.boot.autoconfigure.condition.BeanTypeRegistry$OptimizedBeanTypeRegistry.addBeanType(BeanTypeRegistry.java:278)
        at org.springframework.boot.autoconfigure.condition.BeanTypeRegistry$OptimizedBeanTypeRegistry.getNamesForType(BeanTypeRegistry.java:259)
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.collectBeanNamesForType(OnBeanCondition.java:182)
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getBeanNamesForType(OnBeanCondition.java:171)
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchingBeans(OnBeanCondition.java:139)
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchOutcome(OnBeanCondition.java:86)
        at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:47)
        ... 23 more
Caused by: java.lang.ClassNotFoundException: org.springframework.mail.javamail.JavaMailSenderImpl
        at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
        at org.springframework.boot.loader.LaunchedURLClassLoader.doLoadClass(LaunchedURLClassLoader.java:178)
        at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:142)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        ... 43 more

database access for multiple-hosts setup

In the current templates, access to the databases is set up like this:

- name: Create database user
  mysql_user: name={{ item[0].name }} host={{ item[1] }} password={{ item[0].password }} priv={{ item[0].db_name }}.*:ALL state=present
  with_nested:
    - "{{ databases.users }}"
    - "{{ database_clients }}"

where database_clients is defined as an array of ips in the appropriate secrets file.

However, this grants a little bit too much access (i.e., access to databases for java apps is also allowed from php hosts). It would be nicer (I guess) to tie the appropriate hosts closer to the user by specifying them in the databases.users variable. I don't know ansible well enough though to write the loop in case there are multiple hosts, for example when databases.users is defined like this:

databases:
  names:
    - teams
  users:
    - { name: teamsrw, db_name: teams, hosts: ["{{ dbhost1 }}", "{{ dbhost2 }}"], password: "{{ mysql_passwords.teams }}" }

(and btw, databases.names seems superfluous, as the same information is contained in databases.users)
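One way to write the per-user host loop the post asks for, as an added example (not code from the openconext-deploy repository): with_subelements iterates over each user's own hosts list instead of the cross product of all users and all client IPs, so a Java app's database is only reachable from the hosts listed against its user. The variable layout, dbhost1/dbhost2 and the teamsrw/apisrw entries follow this page; the task itself is an assumption.

```yaml
# Added example: per-user host restriction for MySQL grants.
# Assumed variable layout, with the "hosts" list moved into each user entry
# (databases.names is dropped, since db_name already carries that information).
databases:
  users:
    - name: teamsrw
      db_name: teams
      hosts:
        - "{{ dbhost1 }}"
        - "{{ dbhost2 }}"
      password: "{{ mysql_passwords.teams }}"
    - name: apisrw
      db_name: apis
      hosts:
        - "{{ dbhost1 }}"
      password: "{{ mysql_passwords.apis }}"

# with_subelements yields one (user, host) pair per entry in that user's
# hosts list: item.0 is the user dict, item.1 is a single host.
- name: Create database user, restricted to the hosts that need it
  mysql_user:
    name: "{{ item.0.name }}"
    host: "{{ item.1 }}"
    password: "{{ item.0.password }}"
    priv: "{{ item.0.db_name }}.*:ALL"
    state: present
  with_subelements:
    - "{{ databases.users }}"
    - hosts
  # Keep the password out of the playbook output and logs.
  no_log: true
```

Grants that were previously issued for a host that no longer appears in a user's list are not revoked by this task; drop them with a separate mysql_user task using state=absent for that name/host pair.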

Component roles should register SPs and IdPs in Manage

Currently, a "fresh" Janus database is initialized in the vm_only_provision_eb_sr role by overwriting the Janus DB with a random database dump. This causes all kinds of problems, and makes it dangerous to run a VM deploy on a VM containing actual data.

The nice way to solve this, would be using the Janus REST API to let each of the SPs and IdPs register in each respective role. I.e., when Mujina IdP is installed, as part of the tasks in the mujina-idp role, it would check in the Janus REST API (by entityid) if it is already known in Janus, and if not, register itself.

Provisioning vagrant fails with teams restart

TASK [tomcat_app : Deploying oidc | remove current workdir] ********************
ok: [192.168.66.79]

TASK [tomcat_app : Deploying oidc | put new warfile into place] ****************
changed: [192.168.66.79]

TASK [tomcat_app : Deploying oidc | set correct permissions] *******************
changed: [192.168.66.79]

TASK [oidc : copy oidc configuration] ******************************************
changed: [192.168.66.79]

TASK [oidc : copy oidc jwks keystore configuration] ****************************
changed: [192.168.66.79]

TASK [oidc : copy oidc logging configuration] **********************************
changed: [192.168.66.79]

TASK [oidc : copy virtual host config] *****************************************
changed: [192.168.66.79]

RUNNING HANDLER [tomcat : restart tomcat] **************************************
changed: [192.168.66.79]

RUNNING HANDLER [shibboleth : restart shibd] ***********************************
changed: [192.168.66.79]

RUNNING HANDLER [teams : restart teams] ****************************************
fatal: [192.168.66.79]: FAILED! => {"changed": false, "failed": true, "msg": "[  OK  ]\r\n[FAILED]\r\n"}

Feature request: Enable deployment to separate linux host/managed host

Currently OpenConext-deploy is able to install OpenConext to the DTAP-environment of SURFconext and via vagrant to a local VM.

Please add the possibility to deploy OpenConext to a separate (user defined) linux host (managed host).
Prerequisites of the managed host are:

  • clean install with an OpenConext supported OS (e.g. CentOS 5.5)
  • ssh enabled
  • python 2.5+ installed (Ansible requirement)

If required, the user may be asked to run a few scripts before installation of OpenConext (change default passwords, specify managed host information: ip-address/username/etc).

Provisioning authz-playground fails

TASK: [authz-playground | download snapshot] ********************************** 
failed: [192.168.66.79] => {"dest": "/opt/authz-playground/authz-playground-1.1-20151205.202004-3.jar", "failed": true, "response": "HTTP Error 404: Not Found", "state": "absent", "status_code": 404, "url": "https://build.surfconext.nl/repository/public/snapshots/org/openconext/authz-playground/1.1-SNAPSHOT/authz-playground-1.1-20151205.202004-3.jar"}
msg: Request failed

pdp api password not properly initialized

In a clean Openconext install, I see in engineblock.ini:

pdp.username = pdp_admin
pdp.password = secret

and in pdp's application.ini:

# Internal API user (e.g. EngineBlock who call the PDP to check policies
policy.enforcement.point.user.name=pdp_admin
policy.enforcement.point.user.password=R4pN3gvrf7l90dZKZTpT

which should match, but doesn't ;)

Let's Encrypt Support

Hey guys,

I wanted to see if you'd be interested in functionality with LetsEncrypt/Certbot to handle browser trusted HTTPS certificates. We're looking at developing this for us, but if there's interest from your end we could look into integrating it with the main Openconext-deploy repo.

Andrew

Engineblock5 multi-environment question

Hi guys.. I have a question regarding how multiple environments are handled on the new version. Since we have 3 environments (dev, demo, and prod), it's nice to be able to isolate each from one another.

One thing I've found with the ./prep-env is that it creates a files/php-template/certs directory where only a single engineblock.crt file is copied to. However, this is outside of the ./environments/{ env }/ directory. If I have the development .crt file in that directory when I go to run the production playbook, the wrong cert will be used.

I'm not sure if it's a bug, or if there was a specific reason for it being setup this way. Any help would be great :)

Thanks again!

Profile broken due to missing IdP cert

In a default openconext install, profile is broken:

Sep 30 10:09:35 php openconext-profile[20240]: request.INFO: Matched route "profile.saml_consume_assertion". {"route_parameters":{"_controller":"profile.controller.saml:consumeAssertionAction","_route":"profile.saml_consume_assertion"},"request_uri":"https://profile.ozonconext.nl/authentication/consume-assertion"} []
Sep 30 10:09:35 php openconext-profile[20240]: app.INFO: SAMLResponse with id "CORTO535f5cb110e98689639f81a223c0bf78fc39d6b9" was not signed at root level, not attempting to verify the signature of the reponse itself [] []
Sep 30 10:09:35 php openconext-profile[20240]: app.INFO: Verifying signature of Assertion with id "CORTOedd4acd28934b1e3d94fa2b7de587c1768607b11" [] []
Sep 30 10:09:35 php openconext-profile[20240]: app.ERROR: Failed SAMLResponse Parsing: "No certificates or fingerprints have been configured" [] []
Sep 30 10:09:35 php openconext-profile[20240]: security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException(code: 0): Failed SAMLResponse parsing at /opt/openconext/OpenConext-profile-0.3.0/src/OpenConext/ProfileBundle/Security/Firewall/SamlListener.php:134, SAML2_Signature_MissingConfigurationException(code: 0): No certificates or fingerprints have been configured at /opt/openconext/OpenConext-profile-0.3.0/vendor/simplesamlphp/saml2/src/SAML2/Signature/ValidatorChain.php:69)"} []
Sep 30 10:09:35 php openconext-profile[20240]: request.CRITICAL: Uncaught PHP Exception Symfony\Component\Security\Core\Exception\AuthenticationException: "Failed SAMLResponse parsing" at /opt/openconext/OpenConext-profile-0.3.0/src/OpenConext/ProfileBundle/Security/Firewall/SamlListener.php line 134 {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException(code: 0): Failed SAMLResponse parsing at /opt/openconext/OpenConext-profile-0.3.0/src/OpenConext/ProfileBundle/Security/Firewall/SamlListener.php:134, SAML2_Signature_MissingConfigurationException(code: 0): No certificates or fingerprints have been configured at /opt/openconext/OpenConext-profile-0.3.0/vendor/simplesamlphp/saml2/src/SAML2/Signature/ValidatorChain.php:69)"} []
Sep 30 10:09:35 php Apache-PROFILE: 145.100.181.51 - - [30/Sep/2016:10:09:35 +0200] "POST /authentication/consume-assertion HTTP/1.1" 500 495 "https://engine.ozonconext.nl/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" "195.169.127.138"

This is caused by a missing value for saml_remote_idp_certificate in profile's parameters.yaml.

Failures when running "diy" remote VM

Hello,

I'm trying to run a build on a fresh CentOS 6.5 remote VM using the "diy" environment, but running into a couple of issues. I've followed the instructions from https://github.com/OpenConext/OpenConext-deploy/wiki/Installation-steps-to-deploy-OpenConext-on-a-single-system-other-than-the-Vagrant-VM , but am getting a couple of different errors:

TASK [mysql : Create database user] ********************************************
task path: /Users/andrew/git/OpenConext-deploy/roles/mysql/tasks/main.yml:53
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment value uses the full variable syntax ('{{databases.users}}'). This feature will be removed in a future release. Deprecation
warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [openconext.dev.cybera.ca]: FAILED! => {"failed": true, "msg": "'dict object' has no attribute 'apis'"}

Looking to see what it could be, it seems that this line is calling the .apis dict attribute:

- { name: apisrw, db_name: apis, password: "{{ mysql_passwords.apis }}" }

If I overwrite that line to say:

- { name: apisrw, db_name: apis, password: secret }

the playbook seems to work fine... Up until this point:

TASK [engineblock : Configure EngineBlock] *************************************
task path: /Users/andrew/git/OpenConext-deploy/roles/engineblock/tasks/main.yml:25
<openconext.dev.cybera.ca> ESTABLISH SSH CONNECTION FOR USER: centos
<openconext.dev.cybera.ca> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=30m -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=centos -o ConnectTimeout=10 -o ControlPath=/Users/andrew/.ansible/cp/ansible-ssh-%h-%p-%r -tt openconext.dev.cybera.ca '/bin/sh -c '"'"'( umask 22 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1459458500.26-234043826416806 `" && echo "` echo $HOME/.ansible/tmp/ansible-tmp-1459458500.26-234043826416806 `" )'"'"''
failed: [openconext.dev.cybera.ca] => (item=engineblock.ini) => {"failed": true, "invocation": {"module_args": {"dest": "/etc/openconext/engineblock.ini", "src": "engineblock.ini.j2"}, "module_name": "template"}, "item": "engineblock.ini", "msg": "AnsibleUndefinedVariable: 'pdp' is undefined"}

If you need any additional info, please let me know.

Thanks!

Support ansible < 1.8

We use role_path, but that was introduced in Ansible 1.8. Default apt-get install has Ansible 1.7 and can not use these playbooks. Perhaps we don't need role_path.

gen_ocdemo_certs.sh allows creating new certs for fqdn, but generate-new-passwords.sh expects fixed name for ssl cert

If you install a single target machine version and generate certificates for a new FQDN using gen_ocdemo_certs.sh, the certs in the oc_cert/ssl directory are named after the fqdn.
However generate-new-passwords.sh expects the certs to be named "$BASEDIR/oc_cert/ssl/star.openconext-qa.openconext.org.key". Which is a weird name anyway..

There are 3 ways for fixing this:

  1. let gen_ocdemo_certs.sh put fqdn in a variable so it can be reused by generate-new-passwords.sh
  2. let gen_ocdemo_certs.sh set a symlink to the cert and let generate-new-passwords.sh use the symlink
  3. let generate-new-passwords.sh use fqdn the user is already providing.

I would prefer the last, for simplicity. Any thoughts?

CA cert download link broken

On the main welcome page of https://vm.openconext.org, it says "You have completed the OpenConext setup. Import the Certificate Authority into your browser for an optimal Conext-perience." It links to this URL: https://vm.openconext.org/openconext_ca.crt, but that link displays a 404 error.

Through nginx and haproxy, the welcome screen points to port 609 (under /var/www/welcome) on the apps server, but that file doesn't exist anywhere in that folder, or anywhere on either VM.

This is a list of the only .crt/.pem files contained on the apps server:

/opt/openconext/OpenConext-serviceregistry-5.1.7/simplesamlphp-1.13.2/modules/janus/vendor/swiftmailer/swiftmailer/tests/_samples/smime/encrypt2.crt
/opt/openconext/OpenConext-serviceregistry-5.1.7/simplesamlphp-1.13.2/modules/janus/vendor/swiftmailer/swiftmailer/tests/_samples/smime/encrypt.crt
/opt/openconext/OpenConext-serviceregistry-5.1.7/simplesamlphp-1.13.2/modules/janus/vendor/swiftmailer/swiftmailer/tests/_samples/smime/ca.crt
/opt/openconext/OpenConext-serviceregistry-5.1.7/simplesamlphp-1.13.2/modules/janus/vendor/swiftmailer/swiftmailer/tests/_samples/smime/intermediate.crt
/opt/openconext/OpenConext-serviceregistry-5.1.7/simplesamlphp-1.13.2/modules/janus/vendor/swiftmailer/swiftmailer/tests/_samples/smime/sign2.crt
/opt/openconext/OpenConext-serviceregistry-5.1.7/simplesamlphp-1.13.2/modules/janus/vendor/swiftmailer/swiftmailer/tests/_samples/smime/sign.crt
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/openconext/engineblock-metadata/tests/X509/test.pem.crt
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/openconext/engineblock-metadata/tests/X509/test2.pem.crt
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/simplesamlphp/saml2/tests/SAML2/Certificate/File/not_a_key.crt
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/simplesamlphp/saml2/tests/SAML2/Certificate/File/example.org.crt
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/simplesamlphp/simplesamlphp/modules/InfoCard/www/crt/sts.crt
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/simplesamlphp/simplesamlphp/modules/InfoCard/www/crt/CA.crt
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/simplesamlphp/simplesamlphp/modules/InfoCard/www/crt/idp.crt
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/simplesamlphp/simplesamlphp/modules/authfacebook/extlibinc/fb_ca_chain_bundle.crt
/vagrant/files/diy/certs/api.crt
/vagrant/files/diy/certs/apis.crt
/vagrant/files/diy/certs/engineblock.crt
/vagrant/files/diy-test/certs/api.crt
/vagrant/files/diy-test/certs/apis.crt
/vagrant/files/diy-test/certs/engineblock.crt
/vagrant/files/java-test/certs/api.crt
/vagrant/files/java-test/certs/apis.crt
/vagrant/files/java-vm/certs/api.crt
/vagrant/files/java-vm/certs/apis.crt
/vagrant/files/php-acc/certs/engineblock.crt
/vagrant/files/php-prod/certs/engineblock.crt
/vagrant/files/php-test/certs/engineblock.crt
/vagrant/files/php-vm/certs/engineblock.crt
/etc/openconext/engineblock.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/localhost.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
/usr/share/pki/ca-trust-source/ca-bundle.trust.crt
/var/lib/tomcat6/appBase-mujina-idp/ROOT/WEB-INF/classes/idp-crt.pem
/var/lib/tomcat6/appBase-mujina-sp/ROOT/WEB-INF/classes/idp-crt.pem
/opt/openconext/OpenConext-serviceregistry-5.1.7/simplesamlphp-1.13.2/vendor/simplesamlphp/xmlseclibs/tests/privkey.pem
/opt/openconext/OpenConext-serviceregistry-5.1.7/simplesamlphp-1.13.2/vendor/simplesamlphp/xmlseclibs/tests/mycert.pem
/opt/openconext/OpenConext-serviceregistry-5.1.7/simplesamlphp-1.13.2/modules/janus/vendor/guzzle/guzzle/src/Guzzle/Http/Resources/cacert.pem
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/simplesamlphp/xmlseclibs/tests/privkey.pem
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/simplesamlphp/xmlseclibs/tests/mycert.pem
/opt/openconext/OpenConext-engineblock-4.7.5/vendor/simplesamlphp/saml2/tests/SAML2/Certificate/File/a_fake_private_key_file.pem
/lib/crda/pubkeys/linville.key.pub.pem
/lib/crda/pubkeys/key.pub.pem
/vagrant/files/diy/certs/star.connect.surfconext.nl.pem
/vagrant/files/diy-test/certs/star.connect-test.surfconext.nl.pem
/vagrant/files/java-vm/certs/api.pem
/vagrant/files/java-vm/certs/api_pkcs8.pem
/vagrant/files/java-vm/certs/apis.pem
/vagrant/files/java-vm/certs/apis_pkcs8.pem
/vagrant/files/php-vm/certs/engineblock.pem
/vagrant/files/test/certs/star.test2.surfconext.nl.pem
/vagrant/files/vm/certs/00.pem
/vagrant/files/vm/certs/star.vm.openconext.org.pem
/vagrant/files/vm/certs/star.vm.openconext.org_ca.pem
/vagrant/roles/tls/files/dh_params_default.pem
/etc/openconext/engineblock.pem
/etc/pki/tls/cert.pem
/etc/pki/tls/dh_params.pem
/etc/pki/tls/certs/star.vm.openconext.org_ca.pem
/etc/pki/tls/certs/star.vm.openconext.org.pem
/etc/pki/ca-trust/source/anchors/star.vm.openconext.org_ca.pem
/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
/etc/shibboleth/sp-cert.pem
/etc/shibboleth/sp-key.pem

Do you know which one is the proper one to use?

Thanks!
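
The question can be settled from the certificates themselves rather than from their file names: the CA to publish is the file that carries basicConstraints CA:TRUE and against which the certificate the VM actually serves verifies. The shell helper below is an added example and not code from openconext-deploy or from the issue's author; the invocation in the note after it assumes that /etc/pki/tls/certs/star.vm.openconext.org.pem in the list above is the served certificate, which the file list suggests but the issue does not state.

```shell
#!/bin/sh
# Added example, not part of openconext-deploy: find which PEM file is the CA
# that issued a server certificate, by checking the certificates instead of
# guessing from file names. Needs openssl(1).

# describe_cert FILE -> prints "FILE: subject / issuer", exit 1 if FILE is not
# a certificate (keys, DH params and bundles of several certs are skipped)
describe_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
  iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
  printf '%s: %s / %s\n' "$1" "$subj" "$iss"
}

# is_ca_cert FILE -> 0 if FILE parses as an X.509 certificate whose
# basicConstraints extension says CA:TRUE (a leaf cert or a key never matches)
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# issued_by LEAF CA -> 0 if LEAF verifies with CA as the only trust anchor;
# this checks the signature and validity period, not just a matching issuer name
issued_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# find_issuer_ca LEAF CANDIDATE... -> prints the first candidate that is a CA
# certificate and verifies LEAF; exit 1 if none of them does
find_issuer_ca() {
  leaf=$1; shift
  for f in "$@"; do
    [ -f "$f" ] || continue
    is_ca_cert "$f" || continue
    if issued_by "$leaf" "$f"; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  echo "none of the candidates issued $leaf" >&2
  return 1
}

# Usage: sh find_ca.sh SERVER_CERT CANDIDATE.pem...
if [ $# -ge 2 ]; then
  leaf=$1; shift
  for f in "$@"; do describe_cert "$f"; done
  ca=$(find_issuer_ca "$leaf" "$@") || exit 1
  echo "CA that issued $leaf: $ca"
fi
```

Run against the list in the issue as, for example, `sh find_ca.sh /etc/pki/tls/certs/star.vm.openconext.org.pem /etc/pki/tls/certs/star.vm.openconext.org_ca.pem /etc/pki/ca-trust/source/anchors/star.vm.openconext.org_ca.pem /vagrant/files/vm/certs/star.vm.openconext.org_ca.pem`, it prints subject and issuer of each candidate and names the one that verifies the served certificate; identical copies will all verify, and the first one listed is printed. Because `openssl verify` also checks validity dates, an expired CA fails here even when the names match, so a negative result with a matching issuer line in the describe_cert output points at expiry rather than at the wrong file.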

Ansible error when provisioning

Hello,

I'm trying to re-provision the Vagrant VMs again, but noticing this error is popping up with the latest git clone:

TASK [aa : download html archive] **********************************************
fatal: [192.168.66.79]: FAILED! => {"changed": false, "failed": true, "msg": "Failed to download artifact org.openconext:aa-gui:tar.gz:1.0.1 because of HTTP Error 404: Not Foundfor URL https://build.surfconext.nl/repository/public/releases/org/openconext/aa-gui/1.0.1/aa-gui-1.0.1.tar.gz"}

Looking at https://build.surfconext.nl/repository/public/releases/org/openconext/ there's no longer an aa-gui folder. Did it get removed by accident maybe?

Thanks!
