Rhel Tutorial 6 Homework

Introduction

Merging code. Coordinating releases. Determining build status. Maintaining updates. If you know the frustration of these processes well enough that the words themselves threaten a headache, you might want to look into Jenkins CI.

Maintaining any project, especially one developed by several team members concurrently and one that might incorporate many functions, components, languages, and environments, is a struggle at the best of times — and at the worst requires a superhuman feat to stay afloat.

Jenkins is here to help. Fundamentally a solution for continuous integration — i.e. the practice of merging all code continually into one central build — Jenkins acts as a headquarters for the operations of your project. It can monitor, regulate, compare, merge, and maintain your project in all its facets.

At its core, Jenkins does two things: automated integration and external build monitoring. This means that it can greatly simplify the process of keeping your code maintainable and keep a close and untiring eye on the quality of your builds, ensuring you don’t end up with nasty surprises when a few of your developers merge their code before it’s ready.

Let’s get down to the nitty gritty and learn exactly what Jenkins looks like and how to use it.

Prerequisites

To follow this tutorial, you will need the following:

All the commands in this tutorial should be run as a non-root user. If root access is required for the command, it will be preceded by .

System-Specific Packages vs the WAR File

Now that you know what Jenkins is, you need to understand how it is distributed. Jenkins runs on Java and comes as a WAR file — a collection of related content comprising a web application and intended to be run on a server. However, the developers of Jenkins kindly extend its ease of use through a number of system-specific packages that allow Jenkins to run as a controlled service.

A Jenkins package is available for the Red Hat family of distributions, which includes the CentOS operating systems. However, CentOS 7 in particular is a finicky breed, so it requires a different approach. Operations that work in other Red Hat-based OSes, even other CentOS versions, tend to work differently in CentOS 7, and the potential errors that result can be difficult to debug. Since the Jenkins package is generic Red Hat, rather than being differentiated for CentOS, the likelihood of running into issues is higher than on other OSs. For this reason, we won’t run Jenkins via this package. That leaves us the WAR file running through Java, which is far less convenient, requiring us to manually start and stop it through Java.

Fortunately, there’s a way around this, and even without a package, we can work with CentOS to have it treat Jenkins like a service.

Step 1 — Installing Jenkins

There are two basic ways to install Jenkins on CentOS: through a repository, or repo, and via the WAR file. Installing from a repo is the preferred method, and it's what we'll outline first.

You'll need Java to run Jenkins (either method), so if your server doesn't yet have Java, install it with:

In general, if you need a service or tool but you're not sure what package provides it, you can always check by running:

Where is the name of the service or tool you require.

Installing from the Repo

Now, run the following to download Jenkins from the Red Hat repo:

The tool downloads files into the filename specified after the "O" flag (that's a capital 'O', not a zero).

Then, import the verification key using the package manager RPM:

Finally, install Jenkins by running:

That's it! You should now be able to start Jenkins as a service:

Once the service has started, you can check its status:

This will give you a fairly lengthy readout with a lot of information on how the process started up and what it's doing, but if everything went well, you should see two lines similar to the following:

This means that the Jenkins services completed its startup and is running. You can confirm this by visiting the web interface as before, at .

Likewise, you can stop the service:

or restart it:

More information on managing services with systemctl can be found in the How To Use Systemctl to Manage Systemd Services and Units article.

Installing from the WAR File

If you choose not to install Jenkins via the repo for whatever reason, you can accomplish the same results using the WAR file, though this requires somewhat more work.

Let's first download the Jenkins WAR file to the server and run it without frills to make sure the basics work correctly with no hassle.

The most recent version of Jenkins at any given time is available on the Jenkin's mirror. You can use any tool you like to download this file. The following method employs a command line tool called :

When you're ready, start Jenkins via Java:

You should see output in the console indicating that Jenkins has started running:

You can now access the interface via the browser ().

Having confirmed that Jenkins runs successfully, end the process so that you can make changes to it to allow it to run as a service, as discussed in the next step. To end a running foreground process, press .

Step 2 — Running Jenkins as a Service

If in the previous section you opted not to install Jenkins via the repo, and instead used the WAR file, you won't yet be able to use Jenkins like a standard service. If you did use the repo, skip this step.

When we configure Jenkins the following way, it will still run through Java, but you’ll be able to treat it like a service, starting and stopping it and letting it run in the background with ease. The service will essentially be working as a wrapper.

First, make sure the WAR file you’ve downloaded is sitting in a location convenient for long-term storage and use:

Then, go to your directory, and create a new file called . The following demonstration uses the nano editor, but naturally you can use whatever editing tool you wish.

Now, add the following lines to the new file. In a moment, we’ll go over exactly what these lines accomplish.

/usr/local/bin/jenkins.war

If you've seen configuration files before (INI files or similar), you'll recognize the structure being used here. The bracketed text denotes a section heading. This means that, for instance, declares a section called "Service," and all the assignments below it contain relevant information that the system will then know how to find and relate to the section header.

A configuration file, this one included, is typically a text file – meaning it has no intrinsic meaning to the computer. Rather, the text file will be parsed by some process, and that process will use the headings and other information to find its way around. For this reason, it's technically irrelevant how a given configuration file is laid out – as long as the program which reads it can understand what everything means.

The first section, , contains only two configuration directives. The first is simply a name. It can be whatever name you'd like, but ideally it should be one that uniquely identifies the new process. The second directive states what service, if any, is necessary for the current service to start.

In the next section, the directive allows you to select what type of startup this service will use. The value indicates that the process noted in the later directive will be the primary process of the service being created. Really, is unnecessary, as is assumed when type is unspecified, but we are leaving it in for clarity.

specifies which user has control over this process, and is used to indicate that, in this case, if the process terminates but the exit code implies error, the service will be restarted. This is useful in maintaining the continuity of the service in case of unexpected crashes.

As mentioned, is the directive where we indicate what process is to become the main action of the service. This directive represents the main wrapper for Jenkins – the service will run the WAR through Java rather than treating it a foreground process.

Finally, in the section, indicates a target, called a runlevel prior to CentOS 7. It provides for the system a sense of what resources to provide this service and what amount of intensity will be required by the user.

Once your file is created and saved, you should be able to start up your new Jenkins service!

When you are ready, run:

This applies the changes you have made to this unit (actually, it applies the changes to any and all units that have been altered).

You should now be able to start Jenkins as a service:

Once the service has started, you can check its status:

This will give you a fairly lengthy readout with a lot of information on how the process started up and what it's doing, but if everything went well, you should see two lines similar to the following:

This means that the Jenkins services completed its startup and is running. You can confirm this by visiting the web interface as before, at .

Likewise, you can stop the service:

or restart it:

More information on managing services with systemctl can be found in the How To Use Systemctl to Manage Systemd Services and Units article.

Step 3 — Creating Users

Once Jenkins is running smoothly, establishing good security is the next step. From here on out, your exact actions will largely depend on your purposes for Jenkins. However, the following are general guidelines of how Jenkins can best be set up and used, along with some examples to pave the way.

Jenkins provides settings for security and role management, useful for controlling access and defining user actions. We’ll visit that briefly to introduce those concepts. To get to those settings, return to the Jenkins interface via your browser once your service is running (). You will see a menu on the left – choose Manage Jenkins from within that. This will take you to a page containing a number of options for customization. You may also notice an an alert at the top: Unsecured Jenkins allows anyone on the network to launch processes on your behalf. Consider at least enabling authentication to discourage misuse. This is Jenkins’ directive to get you to introduce some element of security to your system.

The first step to take here is to go to Configure Global Security, near top of the list of links on the manage Jenkins page. Check the option box for Enable security to bring up a group of options for this purpose. There are any number of ways to configure security on Jenkins – you can read the in-depth explanation in the Standard Security Setup section of the Use Jenkins documentation.

The most straightforward of these options, and the one we will lay out today, has Jenkins use its own database to store user configurations. Under the Access Control section that appeared when we flagged the checkbox, select Jenkins' own user database. Briefly, the other options are to link Jenkins to existing Unix users and groups, to use an organization-wide login (LDAP option), or to allow a Java servlet to manage access. Other options can be added through plugins (we’ll discuss plugins in a bit).

Whether you should allow new users to sign up largely depends on your own needs. In general, however, it pays to restrict access, and allowing users to sign up as they wish can allow a level of openness that can potentially be dangerous. To restrict this, deselect the checkbox marked Allow users to sign up. Once this setting has been turned off, only administrators can create new accounts. In a moment, you'll supply administrative privileges for a user you'll create, and we'll go into detail on adding new users, as well.

Under Authorization, select the Matrix-based security option. This allows some fine-tuning of the controls without resorting to complex setups. You'll see a user named Anonymous is already present. An anonymous user is anybody from anywhere, even when they're not logged in, which is why by default the anonymous user has no abilities. Since this is the initial setup of the Jenkins instance, you must give this user full permissions: there are no users other than anonymous right now, and you're not logged in, so turning off anonymous permissions would effectively cut you off from accessing Jenkins at all.

Use the small button to the right of the Anonymous row to select all permissions. Next, use the User/group to add input field to specify a new user for which to add permissions. Note that this does not actually create a user, but rather specifies permissions for the user you will create shortly.

Normally, you would create a new user first and then specify permissions for them in this part of the form. Since no user exists yet, you'll set up permissions and then create the user.

Enter a username and press Add. Due to a known bug, it is recommended that you keep the usernames lowercase. Give the new user all permissions the same way you did for the anonymous user. This essentially sets up a new administrator.

When you're done, press Apply and then Save.

You will be taken automatically to a signup page, from which you can create a new account. The username of the account you create should correspond to the one for which you specified permissions earlier:

When you finish, you should find yourself automatically logged in.

Return to the security page (Manage Jenkins -> Configure Global Security) and scroll down to the security matrix. Now that you've created an administrative user, you can restrict the permissions for the anonymous user. Deselect all the permissions in the anonymous row, and then click Apply and Save. Your new user will now be the only user with access to Jenkins.

If you turned off the automatic sign up earlier, you might need to manually create additional new users. Here's how:

Return to the Manage Jenkins page, scroll down to near the bottom and click on Manage Users. On the left you'll see a sidebar with links; click on Create User. Enter the information for the new user the same way as you created the first user, and click Sign up. You'll be redirected to the list of users, which will now include the new user. This user will have no permissions, so you will need to repeat the permissions process, going to Configure Global Security, using the User/group to add field to add a row to the matrix, specifying permissions, and clicking Apply and Save. For simplicity's sake, if you have multiple users to create, create them all before moving on to adding permissions.

When creating new users, keep in mind that restrictiveness can be a major security asset. You can learn more about the specific ins and outs of matrix-based security in the Matrix-based Security section of the Use Jenkins documentation.

Typically, the next step is to assign roles to your users, controlling their exact abilities. We won’t go into details in this article, but this is a good article on the subject. Be sure to save your changes after you assign roles.

Step 4 — Installing Plugins

Once Jenkins is installed, minimally configured, and reasonably secured, it's time to make it fit your needs. As found when it is first installed, Jenkins has relatively few abilities. In fact, Jenkins typifies a credo of many software developers: do one thing, and do it well. Jenkins "does one thing" by acting as a middleman for your software projects and “does it well” by providing plugins.

Plugins are add-ons that allow Jenkins to interact with a variety of outside software or otherwise extend its innate abilities. As with many areas of the Jenkins setup, the exact plugins you install will be significantly dependent on your projects.

From the main left hand side menu in Jenkins, click Manage Jenkins -> Manage Plugins. The page you land on shows plugins that are already installed but need updating – you can perform this easily by selecting the plugins you want to update and clicking the button at the bottom.

If you click on Available from this page, you will be taken to a colossal list of available plugins. Obviously, you don't want to install all possible plugins, so the next question is how to select those you will need.

As mentioned, your choice in this matter will depend on your needs and goals. Fortunately, the Jenkins wiki provides a nice rundown of plugins by topic.

This list is definitely worth perusing, but no matter your project, there are a few plugins which you almost certainly should include. Here are a few — some generic, some specific:

  1. Source control
    Git, SVN, and Team Foundation Server are some of the more common source control systems. All three of these have plugins in the Jenkins list, and others exist for less common systems as well. If you don't know what source control is, you should really learn about it and start incorporating it in your projects. Be sure to install the plugin for your source control system, so Jenkins can run builds through it and control tests.

  2. Copy Artifact
    This plugin allows you to copy components between projects, easing the pain of setting up similar projects if you lack a true dependency manager.

  3. Throttle Concurrent Builds
    If you have multiple builds running which might introduce a conflict (due to shared resources, etc), this will easily allow you to alleviate this concern.

  4. Dependency Graph Viewer
    A nifty plugin providing a graphic representation of your project dependencies.

  5. Jenkins Disk Usage
    Jenkins may be fairly lightweight, but the same can't always be said for the projects with which it integrates. This plugin lets you identify how much of your computing resources any of your jobs are consuming.

  6. Build tools
    If your project is large, you probably use a build manager, such as Maven or Ant. Jenkins provides plugins for many of these, both to link in their basic functionality and to add control for individual build steps, projection configuration, and many other aspects of your builds.

  7. Reporting
    While Jenkins provides its own reports, you can extend this functionality to many reporting tools.

  8. Additional Authentication
    If the default Jenkins abilities for security don't suite you, there are plenty of plugins to extend this – from Google logins, to active directory, to simple modifications of the existing security.

In general, if your project requires a certain tool, search the plugin list page on the wiki for the name of it or for a keyword regarding its function – chances are such a plugin exists, and this is an efficient way to find it.

Once you have selected those plugins you want to install on the Available tab, click the button marked Download now and install after restart.

Now that Jenkins is up and running the way you want it, you can start using it to power your project integration. Jenkins' capabilities are nearly endless within its domain, but the following example should serve to demonstrate both the extent of what Jenkins can do and the beginnings of how to get a Jenkins job started.

Step 5 — Creating a Simple Project

There are a lot of interesting uses you can get out of Jenkins, and even playing around with the settings can be informative. To get started, though, it helps to understand how to set up a basic task. Follow the example in this section to learn how to establish and run a straightforward job.

From the Jenkins interface home, select New Item. Enter a name and select Freestyle project.

This next page is where you specify the job configuration. As you'll quickly observe, there are a number of settings available when you create a new project. Generally, one of the more important controls is to connect to a source repo. For purposes of this introductory example, we'll skip that step.

On this configuration page you also have the option to add build steps to perform extra actions like running scripts.

This will provide you with a text box in which you can add whatever commands you need. Use this to run various tasks like server maintenance, version control, reading system settings, etc.

We'll use this section to run a script. Again, for demonstration purposes, we'll keep it extremely simple.

If you want, you can add subsequent build steps as well. Keep in mind that if any segment or individual script fails, the entire build will fail.

You can also select post-build actions to run, such as emailing the results to yourself.

Save the project, and you'll be taken to its project overview page. Here you can see information about the project, including its built history, though there won’t be any of that at the moment since this is a brand-new project.

Click Build Now on the left-hand side to start the build. You will momentarily see the build history change to indicate it is working. When done, the status icon will change again to show you the results in a concise form.

To see more information, click on that build in the build history area, whereupon you’ll be taken to a page with an overview of the build information:

The Console Output link on this page is especially useful for examining the results of the job in detail — it provides information about the actions taken during the build and displays all the console output. Especially after a failed build, this can be a useful place to look.

If you go back to Jenkins home, you'll see an overview of all projects and their information, including status (in this case there's only the one):

Status is indicated two ways, by a weather icon (on the home page dashboard, seen above) and by a colored ball (on the individual project page, seen below). The weather icon is particularly helpful as it shows you a record of multiple builds in one image.

In the image above, you see clouds, indicating that some recent builds succeeded and some failed. If all of them had succeeded, you'd see an image of a sun. If all builds had recently failed, there would be a poor weather icon.

These statuses have corresponding tooltips with explanations on hover and, coupled with the other information in the chart, cover most of what you need in an overview.

You can also rebuild the project from here by clicking (Build Now).

Of course, implementing a full-scale project setup will involve a few more steps and some fine-tuning, but it’s clear that without much effort, you can set up some very useful, very pragmatic monitors and controls for your projects. Explore Jenkins, and you’ll quickly find it to be an invaluable tool.

Conclusion

It's highly worthwhile to seek out other tutorials, articles, and videos — there are plenty out there, and the wealth of information makes setting up project integration with Jenkins practically a breeze. The tutorials hosted by the Jenkins team are worth a look.

In particular, bridging the gap between basics and fully fledged projects is a great way to improve your Jenkins skills. Try following these examples as a way to ease that transition.

Additionally, many templates exist for common types of projects, such as PHP applications and Drupal, so chances are strong you won’t even need to set up everything from scratch. So go out there, learn all you dare about Jenkins, and make your life that much easier!

RHEL 6/CentOS 6¶

If you’re just looking for a quick “one-liner” installation, check the top-level install guide. If you need a customised installation, use this guide for step-by-step instructions for installing EWC on a single system as per the Reference deployment.

Minimal Installation¶

Install libffi-devel Package¶

RHEL 6 may not ship with package, which is a dependency for EWC. If that is the case, set up the repository, following the instructions at https://access.redhat.com/solutions/265523. Or, find a version of compatible with the version installed. For example:

Use a service such as http://rpmfind.net to find the required RPM.

[ec2-user@ip-172-30-0-79 ~]$ rpm -qa libffi libffi-3.0.5-3.2.el6.x86_64 sudo yum localinstall -y ftp://rpmfind.net/linux/centos/6.9/os/x86_64/Packages/libffi-devel-3.0.5-3.2.el6.x86_64.rpm

Adjust SELinux Policies¶

If your system has SELinux in Enforcing mode, please follow these instructions to adjust SELinux policies. This is needed for successful installation. If you are not happy with these policies, you may want to tweak them according to your security practices.

  • First check if SELinux is in Enforcing mode:

  • If the previous command returns ‘Enforcing’, then run the following commands:

    # SELINUX management tools, not available for some minimal installations sudo yum install -y policycoreutils-python # Allow network access for nginx sudo setsebool -P httpd_can_network_connect 1

Note

If you see messages like “SELinux: Could not downgrade policy file”, it means you are trying to adjust policy configurations when SELinux is disabled. You can ignore this error.

Install Dependencies¶

Note

The currently preferred and supported version of MongoDB is 3.4. This is the version installed by the installer script. MongoDB 3.4 is supported in StackStorm v2.2.0 and above. Older versions of StackStorm (prior to v1.6.0) only supported MongoDB 2.x.

Install MongoDB, RabbitMQ, and PostgreSQL:

sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm # Add key and repo for the latest stable MongoDB (3.4) sudo rpm --import https://www.mongodb.org/static/pgp/server-3.4.asc sudo sh -c "cat <<EOT > /etc/yum.repos.d/mongodb-org-3.4.repo[mongodb-org-3.4]name=MongoDB Repositorybaseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.4/x86_64/gpgcheck=1enabled=1gpgkey=https://www.mongodb.org/static/pgp/server-3.4.ascEOT" sudo yum -y install mongodb-org sudo yum -y install rabbitmq-server sudo service mongod start sudo service rabbitmq-server start sudo chkconfig mongod on sudo chkconfig rabbitmq-server on # Install and configure postgres 9.4. Based on the OS type, install the ``redhat`` one or ``centos`` one.# RHEL:if grep -q "Red Hat" /etc/redhat-release;then sudo yum -y localinstall http://yum.postgresql.org/9.4/redhat/rhel-6-x86_64/pgdg-redhat94-9.4-2.noarch.rpm;fi# CentOS:if grep -q "CentOS" /etc/redhat-release;then sudo yum -y localinstall http://yum.postgresql.org/9.4/redhat/rhel-6-x86_64/pgdg-centos94-9.4-2.noarch.rpm;fi sudo yum -y install postgresql94-server postgresql94-contrib postgresql94-devel # Initialize PostgreSQL sudo service postgresql-9.4 initdb # Make localhost connections to use an MD5-encrypted password for authentication sudo sed -i "s/\(host.*all.*all.*127.0.0.1\/32.*\)ident/\1md5/" /var/lib/pgsql/9.4/data/pg_hba.conf sudo sed -i "s/\(host.*all.*all.*::1\/128.*\)ident/\1md5/" /var/lib/pgsql/9.4/data/pg_hba.conf # Start PostgreSQL service sudo service postgresql-9.4 start sudo chkconfig postgresql-9.4 on

Setup Repositories¶

The following script will detect your platform and architecture and setup the appropriate EWC repository. It will also add the the GPG key used for package signing.

curl -s https://packagecloud.io/install/repositories/StackStorm/stable/script.rpm.sh | sudo bash

Install EWC Components¶

If you are not running RabbitMQ, MongoDB or PostgreSQL on the same system, or have changed the defaults, please adjust these settings:

  • RabbitMQ connection at and
  • MongoDB at
  • PostgreSQL at

See the Configuration documentation for more information.

sudo yum install -y st2 st2mistral

Setup Datastore Encryption¶

The Key-value store allows users to store encrypted values (secrets). These are stored using symmetric encryption (AES256). To generate a crypto key, run these commands:

DATASTORE_ENCRYPTION_KEYS_DIRECTORY="/etc/st2/keys"DATASTORE_ENCRYPTION_KEY_PATH="${DATASTORE_ENCRYPTION_KEYS_DIRECTORY}/datastore_key.json" sudo mkdir -p ${DATASTORE_ENCRYPTION_KEYS_DIRECTORY} sudo st2-generate-symmetric-crypto-key --key-path ${DATASTORE_ENCRYPTION_KEY_PATH}# Make sure only st2 user can read the file sudo chgrp st2 ${DATASTORE_ENCRYPTION_KEYS_DIRECTORY} sudo chmod o-r ${DATASTORE_ENCRYPTION_KEYS_DIRECTORY} sudo chgrp st2 ${DATASTORE_ENCRYPTION_KEY_PATH} sudo chmod o-r ${DATASTORE_ENCRYPTION_KEY_PATH}# set path to the key file in the config sudo crudini --set /etc/st2/st2.conf keyvalue encryption_key_path ${DATASTORE_ENCRYPTION_KEY_PATH} sudo st2ctl restart-component st2api

Setup Mistral Database¶

Run these commands to set up the Mistral PostgreSQL database:

# Create Mistral DB in PostgreSQL cat << EHD | sudo -u postgres psqlCREATE ROLE mistral WITH CREATEDB LOGIN ENCRYPTED PASSWORD 'StackStorm';CREATE DATABASE mistral OWNER mistral;EHD# Setup Mistral DB tables, etc. /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head # Register mistral actions /opt/stackstorm/mistral/bin/mistral-db-manage --config-file /etc/mistral/mistral.conf populate

Configure SSH and SUDO¶

To run local and remote shell actions, EWC uses a special system user (by default ). For remote Linux actions, SSH is used. We recommend configuring public key-based SSH access on all remote hosts. We also recommend configuring SSH access to localhost for running examples and testing.

  • Create EWC system user, enable passwordless sudo, and set up ssh access to “localhost” so that SSH-based actions can be tested locally. You will need elevated privileges to do this:

    # Create an SSH system user (default `stanley` user may already exist) sudo useradd stanley sudo mkdir -p /home/stanley/.ssh sudo chmod 0700 /home/stanley/.ssh # Generate ssh keys sudo ssh-keygen -f /home/stanley/.ssh/stanley_rsa -P ""# Authorize key-based access sudo sh -c 'cat /home/stanley/.ssh/stanley_rsa.pub >> /home/stanley/.ssh/authorized_keys' sudo chown -R stanley:stanley /home/stanley/.ssh # Enable passwordless sudo sudo sh -c 'echo "stanley ALL=(ALL) NOPASSWD: SETENV: ALL" >> /etc/sudoers.d/st2' sudo chmod 0440 /etc/sudoers.d/st2 # Make sure `Defaults requiretty` is disabled in `/etc/sudoers` sudo sed -i -r "s/^Defaults\s+\+?requiretty/# Defaults +requiretty/g" /etc/sudoers
  • Configure SSH access and enable passwordless sudo on the remote hosts which EWC will be running remote actions on via SSH. Using the public key generated in the previous step, follow the instructions at Configure SSH. To control Windows boxes, configure access for Windows runners.

  • If you are using a different user, or path to their SSH key, you will need to change this section in :

    [system_user]user=stanleyssh_key_file=/home/stanley/.ssh/stanley_rsa

Start Services¶

  • Start services:

  • Register sensors, rules and actions:

Verify¶

The following commands will test your EWC installation. They should all complete successfully:

Use the supervisor script to manage EWC services:

At this point you have a minimal working installation, and can happily play with EWC: follow the Quick Start tutorial, deploy the examples, explore and install packs from StackStorm Exchange.

But there is no joy without a Web UI, no security without SSL or authentication, no fun without ChatOps, and no money without Extreme Workflow Composer. Read on!

st2 --version st2 -h # List the actions from a 'core' pack st2 action list --pack=core # Run a local shell command st2 run core.local -- date -R # See the execution results st2 execution list # Fire a remote comand via SSH (Requires passwordless SSH) st2 run core.remote hosts='localhost' -- uname -a # Install a pack st2 pack install st2
sudo st2ctl start|stop|status|restart|restart-component|reload|clean

Configure Authentication¶

The reference deployment uses a file-based authentication provider for simplicity. Refer to Authentication to configure and use PAM or LDAP authentication backends.

To set up authentication with file-based provider:

  • Create a user with a password:

    # Install htpasswd utility if you don't have it sudo yum -y install httpd-tools # Create a user record in a password file. sudo htpasswd -bs /etc/st2/htpasswd st2admin 'Ch@ngeMe'
  • Enable and configure authentication in :

    [auth]# ...enable=Truebackend=flat_filebackend_kwargs={"file_path": "/etc/st2/htpasswd"}# ...
  • Restart the st2api service:

    sudo st2ctl restart-component st2api
  • Authenticate, set the token environment variable, and check that it works:

    # Get an auth token to use in CLI or API st2 auth st2admin # A shortcut to authenticate and export the tokenexportST2_AUTH_TOKEN=$(st2 auth st2admin -p 'Ch@ngeMe' -t)# Check that it works st2 action list

Check out the CLI Reference to learn other convenient ways to authenticate via CLI.

Install WebUI and Setup SSL Termination¶

NGINX is used to serve WebUI static files, redirect HTTP to HTTPS, provide SSL termination, and reverse-proxy st2auth and st2api API endpoints. To set it up: install the and packages, generate certificates or place your existing certificates under , and configure nginx with EWC’s supplied site config file st2.conf.

EWC depends on Nginx version >=1.7.5. RHEL has an older version in the package repositories, so you will need to add the official Nginx repository:

If you modify ports, or url paths in the nginx configuration, make the corresponding changes in the st2web configuration at .

Use your browser to connect to and login to the WebUI.

If you are trying to access the API from outside the box and you have configured nginx according to these instructions, use .

For example:

Similarly, you can connect to auth REST endpoints with .

You can see the actual REST endpoint for a resource by adding a option to the CLI command for the appropriate resource.

For example, to see the endpoint for getting actions, invoke:

# Add key and repo for the latest stable nginx sudo rpm --import http://nginx.org/keys/nginx_signing.key sudo sh -c "cat <<EOT > /etc/yum.repos.d/nginx.repo[nginx]name=nginx repobaseurl=http://nginx.org/packages/rhel/$releasever/x86_64/gpgcheck=1enabled=1EOT"# Install st2web and nginx sudo yum -y install st2web nginx # Generate a self-signed certificate or place your existing certificate under /etc/ssl/st2 sudo mkdir -p /etc/ssl/st2 sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/st2/st2.key -out /etc/ssl/st2/st2.crt \ -days 365 -nodes -subj "/C=US/ST=California/L=Palo Alto/O=StackStorm/OU=Information \Technology/CN=$(hostname)"# Copy and enable the supplied nginx config file sudo cp /usr/share/doc/st2/conf/nginx/st2.conf /etc/nginx/conf.d/ # Disable default_server configuration in existing /etc/nginx/nginx.conf sudo sed -i 's/default_server//g' /etc/nginx/conf.d/default.conf sudo service nginx restart sudo chkconfig nginx on
curl -X GET -H 'Connection: keep-alive' -H 'User-Agent: manual/curl' -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'X-Auth-Token: <YOUR_TOKEN>' https://1.2.3.4/api/v1/actions

Setup ChatOps¶

If you already run a Hubot instance, you can install the hubot-stackstorm plugin and configure EWC environment variables, as described below. Otherwise, the easiest way to enable StackStorm ChatOps is to use the st2chatops package.

  • Validate that the pack is installed, and a notification rule is enabled:

    # Ensure chatops pack is in place ls /opt/stackstorm/packs/chatops # Create notification rule if not yet enabled st2 rule get chatops.notify || st2 rule create /opt/stackstorm/packs/chatops/rules/notify_hubot.yaml
  • Add NodeJS v6 repository:

    curl -sL https://rpm.nodesource.com/setup_6.x | sudo -E bash -
  • Install the package:

    sudo yum install -y st2chatops
  • Review and edit the configuration file to point it to your EWC installation and the Chat Service you are using. At a minimum, you should generate an API key and set the variable. By default and are expected to be on the same host. If that is not the case, please update the and variables or just point to the correct host with .

    The example configuration uses Slack. To set this up, go to the Slack web admin interface, create a Bot, and copy the authentication token into .

    If you are using a different Chat Service, set the corresponding environment variables under the section in : Slack, HipChat, Yammer, Flowdock, IRC , XMPP.

  • Start the service:

    sudo service st2chatops start # Ensure it will start on boot sudo chkconfig st2chatops on
  • Reload st2 packs to make sure the rule is registered:

    sudo st2ctl reload --register-all
  • That’s it! Go to your Chat room and begin ChatOps-ing. Read more in the ChatOps section.

A Note on Security¶

By default, when MongoDB, RabbitMQ and PostgreSQL are installed, they have authentication disabled or use a default static password. As such, after you install those services you should configure them and enable authentication with strong randomly generated passwords.

NB: If you use the EWC installation script, this is done automatically for you.

Configuring authorization and passwords for those services is out of the scope for this documentation. For more information refer to the links below:

After you enable authentication for those components, you will also need to update EWC services to use the new settings.

This means editing the following configuration options:

  1. EWC -
  • - MongoDB database username.
  • - MongoDB database password.
  • - RabbitMQ transport url ()
  1. Mistral -
  • - PostgreSQL database connection string ()
  • - RabbitMQ transport url ()

In addition, you are strongly encouraged to follow these best practices for running network services:

  • Ensure communication between services is encrypted. Enable SSL/TLS for MongoDB, RabbitMQ, and PostgreSQL.
  • Configure services to only listen on localhost, and where needed, internal IP addresses. There is usually no need for most services which are used by EWC (MongoDB, RabbitMQ, PostgreSQL) to be available on a public IP address.
  • Configure a firewall and set up a whitelist. The firewall should only allow access by those users and systems which need access to those services. API and auth services usually need to be accessible to your users, but other dependent services such as MongoDB, RabbitMQ and PostgreSQL don’t. These should not be directly accessible by users, and only EWC components should be allowed to talk to them.
  • Where possible, you should also utilize additional network-based isolation and security features such as DMZs.

The steps mentioned above are especially important for distributed production deployments where EWC components are running on multiple servers.

Upgrade to Extreme Workflow Composer¶

Extreme Workflow Composer adds Workflow Designer (a graphical tool for workflow creation/editing), RBAC and LDAP to EWC. It is deployed as a set of additional packages on top of EWC. You will need an active Extreme Workflow Composer subscription, and a license key to access Extreme Workflow Composer repositories.

To learn more about Extreme Workflow Composer, request a quote, or get an evaluation license go to stackstorm.com/product.

To install Extreme Workflow Composer, replace in the command below with the key you received when registering or purchasing, and run these commands:

What’s Next?

# Set up Extreme Workflow Composer repository access curl -s https://${EWC_LICENSE_KEY}:@packagecloud.io/install/repositories/StackStorm/enterprise/script.rpm.sh | sudo bash # Install Extreme Workflow Composer sudo yum install -y bwc-enterprise

0 Thoughts to “Rhel Tutorial 6 Homework

Leave a comment

L'indirizzo email non verrà pubblicato. I campi obbligatori sono contrassegnati *