...
One way to ensure that your passwords are overridden is to pass in overrides when you are installing Open edX using Ansible. Ansible lets you pass in a file of overrides using the -e@/path/to/file.yml convention.
As of January 6February 2, 2017, we recommend that you override at least the following values https://gistraw.githubusercontent.com/edx/e0dconfiguration/b603381c076eb747fc807226ccf5486dmaster/rawplaybooks/f32af602a41394a26e4551bd9434a6fb5d1182f4sample_vars/passwordpasswords.yml
That file's contents look like so:
Code Block | ||
---|---|---|
| ||
ANALYTICS_API_EMAIL_HOST_PASSWORD: !!null
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: !!null
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: !!null
COMMON_HTPASSWD_PASS: !!null
COMMON_HTPASSWD_USER: !!null
COMMON_MONGO_READ_ONLY_PASS: !!null
COMMON_MYSQL_ADMIN_PASS: !!null
COMMON_MYSQL_MIGRATE_PASS: !!null
COMMON_MYSQL_READ_ONLY_PASS: !!null
...
|
This can be done easily from the bash command line. Add the content above to a file named passwords.yml and run the following command from the same directory in which you have created the file.
Code Block |
---|
while IFS= read line; do REPLACE=$(LC_ALL=C < /dev/urandom tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/\'$REPLACE\'/"; done < ./passwords.yml > ./my-passwords.yml |
...
Code Block |
---|
ANALYTICS_API_EMAIL_HOST_PASSWORD: '58Ld0verTyG2M7ht64SzVvMb4rylWXHHzII' ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: 'tjX28dM0QhjXgySJ9JLU9io9nckodjxjJmo' ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: 'kBMlvEUqsaGFDSSzasownyDiXK9tTIcGTdZ' COMMON_HTPASSWD_PASS: 'JKhFjY8SA2LI2GdK8nK0SLM1HgzzFR4cuEb' COMMON_HTPASSWD_USER: '4xLx6FPc8Bni5MUjRbVLzvThERmSO2AIJBZ' COMMON_MONGO_READ_ONLY_PASS: 'UXfWWuXnfSb962jQ1yB4gbPaGRQ0dOZCCYh' COMMON_MYSQL_ADMIN_PASS: 'yxaLDLsZXb4FDAOpj9HD42Sr4UYBLNmLJP2' COMMON_MYSQL_MIGRATE_PASS: 'CXwSNlQ7QtK6al6MXxsrrt12PfQxfs8ydZf' COMMON_MYSQL_READ_ONLY_PASS: 'CBnZ0bxVmGGc7HEQQXWlTUc8C0MbVev6mYU' ... |
Keep the my-passwords.yml file in a safe location, ideally encrypted. If you don't have another solution for this, we recommend that you use ansible-vault, which comes with your ansible installation
...
Code Block |
---|
# Ensure your instance is upgraded to the latest Xenial sudo apt-get update -y sudo apt-get upgrade -y reboot # Installed the edx_ansible role wget https://raw.githubusercontent.com/edx/configuration/master/util/install/ansible-bootstrap.sh -O - | sudo bash # Create passwords specific to your installation. Please consider that you'll need to share these across application nodes if you have multiple # The password files will be owned by root. cd /edx/app/edx_ansible/ sudo wget https://gistraw.githubusercontent.com/edx/e0dconfiguration/b603381c076eb747fc807226ccf5486dmaster/rawplaybooks/f32af602a41394a26e4551bd9434a6fb5d1182f4sample_vars/passwordpasswords.yml while IFS= read line; do REPLACE=$(LC_ALL=C < /dev/urandom tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/\'$REPLACE\'/"; done < ./passwords.yml | sudo tee ./my-passwords.yml # Encrypt your environment specific secrets with Ansible vault. This step will prompt you to create a password # for accessing your encrypted data. It is IMPERATIVE that you do not lose or forget this password sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-vault encrypt ./my-passwords.yml # Install the native installation using your encrypted passwords cd /edx/app/edx_ansible/edx_ansible/playbooks/ sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-playbook -c local ./edx_sandbox.yml -i 'localhost,' -e@/edx/app/edx_ansible/my-passwords.yml --ask-vault-pass |
...