...
One way to ensure that your passwords are overridden is to pass in overrides when you are installing Open edX using Ansible. Ansible lets you pass in a file of overrides using the -e@/path/to/file.yml convention.
As of January 6February 2, 2017, we recommend that you override at least the values listed in https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml
That file's contents look like this (the two lowercase keys reference the uppercase values via Jinja expressions, so they must stay quoted):
```yaml
ANALYTICS_API_EMAIL_HOST_PASSWORD: !!null
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: !!null
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: !!null
COMMON_HTPASSWD_PASS: !!null
COMMON_HTPASSWD_USER: !!null
COMMON_MONGO_READ_ONLY_PASS: !!null
COMMON_MYSQL_ADMIN_PASS: !!null
COMMON_MYSQL_MIGRATE_PASS: !!null
COMMON_MYSQL_READ_ONLY_PASS: !!null
CREDENTIALS_MYSQL_PASSWORD: !!null
DISCOVERY_EMAIL_HOST_PASSWORD: !!null
DISCOVERY_MYSQL_PASSWORD: !!null
ECOMMERCE_BROKER_PASSWORD: !!null
ECOMMERCE_DATABASE_PASSWORD: !!null
ECOMMERCE_WORKER_BROKER_PASSWORD: !!null
EDXAPP_CELERY_PASSWORD: !!null
EDXAPP_COMMENTS_SERVICE_KEY: !!null
EDXAPP_EMAIL_HOST_PASSWORD: !!null
EDXAPP_MONGO_PASSWORD: !!null
EDXAPP_MYSQL_CSMH_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD_ADMIN: !!null
EDXAPP_MYSQL_PASSWORD_READ_ONLY: !!null
EDXAPP_MYSQL_REPLICA_PASSWORD: !!null
FLOWER_BROKER_PASSWORD: !!null
FORUM_API_KEY: !!null
FORUM_MONGO_PASSWORD: !!null
HIVE_METASTORE_DATABASE_PASSWORD: !!null
INSIGHTS_DATABASE_PASSWORD: !!null
INSIGHTS_EMAIL_HOST_PASSWORD: !!null
JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE: !!null
JENKINS_ANALYTICS_USER_PASSWORD_PLAIN: !!null
MARIADB_CLUSTER_PASSWORD_ADMIN: !!null
MONGO_ADMIN_PASSWORD: !!null
mongo_admin_password: "{{ MONGO_ADMIN_PASSWORD }}"
NOTIFIER_COMMENT_SERVICE_API_KEY: "{{ FORUM_API_KEY }}"
NOTIFIER_EMAIL_PASS: !!null
NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS: !!null
POSTFIX_QUEUE_EXTERNAL_SMTP_PASSWORD: !!null
PROGRAMS_DATABASE_PASSWORD: !!null
REDIS_PASSWORD: !!null
SPLUNKFORWARDER_PASSWORD: !!null
SPLUNK_SMTP_PASSWORD: !!null
SPLUNK_SSL_PASSWORD: !!null
SWIFT_LOG_SYNC_PASSWORD: !!null
XQUEUE_BASIC_AUTH_PASSWORD: !!null
XQUEUE_BASIC_AUTH_USER: !!null
XQUEUE_MYSQL_PASSWORD: !!null
XQUEUE_RABBITMQ_PASS: !!null
XSY_PASSWORD: !!null
...
```
You can fill in these placeholders with random values from the bash command line. Add the content above to a file named passwords.yml and run the following loop from the same directory in which you created the file. Each `!!null` is replaced with a fresh 35-character alphanumeric string read from /dev/urandom; lines that carry no placeholder (the two `{{ ... }}` references) are copied through unchanged.
```bash
while IFS= read -r line; do
  REPLACE=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c35)
  printf '%s\n' "$line" | sed "s/\!\!null/'$REPLACE'/"
done < ./passwords.yml > ./my-passwords.yml
```
...
The generated my-passwords.yml then looks like this:
```yaml
ANALYTICS_API_EMAIL_HOST_PASSWORD: '58Ld0verTyG2M7ht64SzVvMb4rylWXHHzII'
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: 'tjX28dM0QhjXgySJ9JLU9io9nckodjxjJmo'
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: 'kBMlvEUqsaGFDSSzasownyDiXK9tTIcGTdZ'
COMMON_HTPASSWD_PASS: 'JKhFjY8SA2LI2GdK8nK0SLM1HgzzFR4cuEb'
COMMON_HTPASSWD_USER: '4xLx6FPc8Bni5MUjRbVLzvThERmSO2AIJBZ'
COMMON_MONGO_READ_ONLY_PASS: 'UXfWWuXnfSb962jQ1yB4gbPaGRQ0dOZCCYh'
COMMON_MYSQL_ADMIN_PASS: 'yxaLDLsZXb4FDAOpj9HD42Sr4UYBLNmLJP2'
COMMON_MYSQL_MIGRATE_PASS: 'CXwSNlQ7QtK6al6MXxsrrt12PfQxfs8ydZf'
COMMON_MYSQL_READ_ONLY_PASS: 'CBnZ0bxVmGGc7HEQQXWlTUc8C0MbVev6mYU'
...
```
Keep the my-passwords.yml file in a safe location, ideally encrypted. If you don't have another solution for this, we recommend ansible-vault, which comes with your Ansible installation.
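The following script is an added example, not code from the Open edX configuration repository; it serves both the placeholder-filling loop above and the storage advice. It fills the `!!null` placeholders the same way the one-liner does, then checks that no placeholder survived and no secret was reused, and recognises the ansible-vault header so an unencrypted copy is not mistaken for a safe one. The function names `gen_secret`, `fill_nulls`, `check_overrides` and `is_vaulted` are assumptions.

```shell
#!/usr/bin/env bash
# Constructed example, not code from the Open edX configuration repo.
# Fills every "!!null" placeholder in a passwords.yml with a fresh random
# secret, then verifies the result before it is passed to ansible-playbook
# with -e@ and before it is stored.

# One random alphanumeric secret of the requested length (default 35),
# the same generator the page's one-liner uses.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-35}"
}

# fill_nulls <in.yml> <out.yml>: replace the "!!null" value on each line with
# a quoted random secret. Lines without a placeholder, such as the quoted
# "{{ MONGO_ADMIN_PASSWORD }}" reference, are copied through unchanged.
fill_nulls() {
  local line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *'!!null'*) printf "%s'%s'\n" "${line%%'!!null'*}" "$(gen_secret 35)" ;;
      *)          printf '%s\n' "$line" ;;
    esac
  done < "$1" > "$2"
}

# check_overrides <file>: returns 0 only if no "!!null" survived and no two
# keys ended up with the same generated value; otherwise reports and returns 1.
check_overrides() {
  local f="$1" status=0 dups
  if grep -q '!!null' "$f"; then
    echo "unreplaced !!null placeholder(s) in $f" >&2
    status=1
  fi
  # Extract the single-quoted values and look for any that occur twice.
  dups=$(sed -n "s/^[^:]*: *'\([^']*\)'.*/\1/p" "$f" | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "duplicate secret values in $f" >&2
    status=1
  fi
  return "$status"
}

# is_vaulted <file>: returns 0 if the file starts with the ansible-vault
# header, i.e. it has been encrypted and may be kept or copied between nodes.
is_vaulted() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}
```

Run `fill_nulls passwords.yml my-passwords.yml && check_overrides my-passwords.yml` before `ansible-vault encrypt`, and `is_vaulted my-passwords.yml` before the file is copied anywhere.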
Starting from a bare Ubuntu Xenial installation, you can follow these steps:
```bash
# Ensure your instance is upgraded to the latest Xenial
sudo apt-get update -y
sudo apt-get upgrade -y
sudo reboot
# Install the edx_ansible role
wget https://raw.githubusercontent.com/edx/configuration/master/util/install/ansible-bootstrap.sh -O - | sudo bash
# Create passwords specific to your installation. Please consider that you'll need to share these across application nodes if you have multiple.
# The password files will be owned by root.
cd /edx/app/edx_ansible/
sudo wget https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml
# tee writes the root-owned file; its stdout is discarded so the generated secrets do not end up in your terminal scrollback.
while IFS= read -r line; do
  REPLACE=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c35)
  printf '%s\n' "$line" | sed "s/\!\!null/'$REPLACE'/"
done < ./passwords.yml | sudo tee ./my-passwords.yml > /dev/null
# Encrypt your environment-specific secrets with Ansible vault. This step will prompt you to create a password
# for accessing your encrypted data. It is IMPERATIVE that you do not lose or forget this password.
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-vault encrypt ./my-passwords.yml
# Run the native installation using your encrypted passwords
cd /edx/app/edx_ansible/edx_ansible/playbooks/
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-playbook -c local ./edx_sandbox.yml -i 'localhost,' -e@/edx/app/edx_ansible/my-passwords.yml --ask-vault-pass
```
When you build your deployment environment, ensure that you add `-e@/path/to/my-passwords.yml` to your call to ansible-playbook (together with `--ask-vault-pass` if the file is vault-encrypted).
...