...

As of January 6, 2017, we recommend that you override at least the following values: https://gist.githubusercontent.com/e0d/b603381c076eb747fc807226ccf5486d/raw/0d0739620adc3795ffb18ed78a0253a69242d71f/password.yml

That file's contents look like so:

passwords.yml:

```yaml
ANALYTICS_API_EMAIL_HOST_PASSWORD: !!null
ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: !!null
ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: !!null
COMMON_HTPASSWD_PASS: !!null
COMMON_HTPASSWD_USER: !!null
COMMON_MONGO_READ_ONLY_PASS: !!null
COMMON_MYSQL_ADMIN_PASS: !!null
COMMON_MYSQL_MIGRATE_PASS: !!null
COMMON_MYSQL_READ_ONLY_PASS: !!null
CREDENTIALS_MYSQL_PASSWORD: !!null
DISCOVERY_EMAIL_HOST_PASSWORD: !!null
DISCOVERY_MYSQL_PASSWORD: !!null
ECOMMERCE_BROKER_PASSWORD: !!null
ECOMMERCE_DATABASE_PASSWORD: !!null
ECOMMERCE_WORKER_BROKER_PASSWORD: !!null
EDXAPP_CELERY_PASSWORD: !!null
EDXAPP_COMMENTS_SERVICE_KEY: !!null
EDXAPP_EMAIL_HOST_PASSWORD: !!null
EDXAPP_MONGO_PASSWORD: !!null
EDXAPP_MYSQL_CSMH_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD: !!null
EDXAPP_MYSQL_PASSWORD_ADMIN: !!null
EDXAPP_MYSQL_PASSWORD_READ_ONLY: !!null
EDXAPP_MYSQL_REPLICA_PASSWORD: !!null
FLOWER_BROKER_PASSWORD: !!null
FORUM_API_KEY: !!null
FORUM_MONGO_PASSWORD: !!null
HIVE_METASTORE_DATABASE_PASSWORD: !!null
INSIGHTS_DATABASE_PASSWORD: !!null
INSIGHTS_EMAIL_HOST_PASSWORD: !!null
JENKINS_ANALYTICS_GITHUB_CREDENTIAL_PASSPHRASE: !!null
JENKINS_ANALYTICS_USER_PASSWORD_PLAIN: !!null
MARIADB_CLUSTER_PASSWORD_ADMIN: !!null
MONGO_ADMIN_PASSWORD: !!null
# Values that start with a Jinja2 expression must be quoted to be valid YAML
mongo_admin_password: "{{ MONGO_ADMIN_PASSWORD }}"
NOTIFIER_COMMENT_SERVICE_API_KEY: "{{ FORUM_API_KEY }}"
NOTIFIER_EMAIL_PASS: !!null
NOTIFIER_USER_SERVICE_HTTP_AUTH_PASS: !!null
POSTFIX_QUEUE_EXTERNAL_SMTP_PASSWORD: !!null
PROGRAMS_DATABASE_PASSWORD: !!null
REDIS_PASSWORD: !!null
SPLUNKFORWARDER_PASSWORD: !!null
SPLUNK_SMTP_PASSWORD: !!null
SPLUNK_SSL_PASSWORD: !!null
SWIFT_LOG_SYNC_PASSWORD: !!null
XQUEUE_BASIC_AUTH_PASSWORD: !!null
XQUEUE_BASIC_AUTH_USER: !!null
XQUEUE_MYSQL_PASSWORD: !!null
XQUEUE_RABBITMQ_PASS: !!null
XSY_PASSWORD: !!null
```

This can be done easily from the bash command line.  Add the content above to a file named passwords.yml and run the following command from the same directory in which you have created the file.

...

Keep the my-passwords.yml file in a safe location, ideally encrypted. If you don't have another solution for this, we recommend that you use ansible-vault, which comes with your Ansible installation.

Starting from a bare Ubuntu Xenial installation, you can follow these steps:

```bash
sudo apt-get update -y
sudo apt-get upgrade -y
sudo reboot

# Log back in after the reboot, then continue.
# Install the edx_ansible role
wget https://raw.githubusercontent.com/edx/configuration/master/util/install/ansible-bootstrap.sh -O - | sudo bash

# Create passwords specific to your installation. Keep in mind that you'll need to share these across application nodes if you have multiple.
# The password files will be owned by root.
cd /edx/app/edx_ansible/
wget https://gist.githubusercontent.com/e0d/b603381c076eb747fc807226ccf5486d/raw/0d0739620adc3795ffb18ed78a0253a69242d71f/password.yml -O - | sudo tee ./passwords.yml
# Replace each !!null placeholder with a random 35-character alphanumeric value.
# tee's stdout is discarded so the generated passwords are not echoed to the terminal.
while read -r line; do REPLACE=$(LC_ALL=C < /dev/urandom tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/\'$REPLACE\'/"; done < ./passwords.yml | sudo tee ./my-passwords.yml > /dev/null
# Encrypt the generated file; you will be prompted to choose a vault password
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-vault encrypt ./my-passwords.yml

cd /edx/app/edx_ansible/edx_ansible/playbooks/
sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-playbook -c local ./edx_sandbox.yml -i 'localhost,' -e@/edx/app/edx_ansible/my-passwords.yml --ask-vault-pass
```

When you build your deployment environment, ensure that you add `-e@/path/to/my-passwords.yml` to your call to ansible-playbook.
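
A pre-flight check for the override file generated in the steps above, written as an added example rather than taken from the edX documentation. The function names are hypothetical; it assumes the `KEY: 'value'` layout and 35-character alphanumeric values that the substitution loop produces, and the `$ANSIBLE_VAULT;` header that ansible-vault writes as the first line of an encrypted file.

```bash
# Added example: checks to run on my-passwords.yml around the encrypt step.
# Written for POSIX sh; all function names are hypothetical.

# True if the file is readable and no "!!null" placeholder survived.
no_placeholders_left() {
    [ -r "$1" ] && ! grep -q '!!null' "$1"
}

# True if every quoted value is 35 alphanumeric characters and none repeats.
values_look_generated() {
    vals=$(sed -n "s/^[A-Za-z0-9_]*: '\(.*\)'\$/\1/p" "$1")
    [ -n "$vals" ] || return 1
    if printf '%s\n' "$vals" | grep -qvE '^[A-Za-z0-9]{35}$'; then return 1; fi
    [ -z "$(printf '%s\n' "$vals" | sort | uniq -d)" ]
}

# True if the first line is an ansible-vault header ("$ANSIBLE_VAULT;...").
is_vault_encrypted() {
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in '$ANSIBLE_VAULT;'*) return 0 ;; *) return 1 ;; esac
}

# True if group and other have no permission bits on the file.
is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# All plaintext checks, to run before "ansible-vault encrypt".
check_plaintext() {
    no_placeholders_left "$1" && values_look_generated "$1" && is_private "$1"
}

# Constructed sample: one generated value plus one placeholder that was missed.
demo() {
    d=$(mktemp -d) && f="$d/my-passwords.yml"
    ( umask 077
      printf '%s\n' "REDIS_PASSWORD: 'aB3dE6gH9jK2mN5pQ8sT1vW4yZ7cF0hJ3lM'" \
                    "XQUEUE_MYSQL_PASSWORD: !!null" > "$f" )
    check_plaintext "$f" && echo "ok to encrypt" || echo "fix the file before encrypting"
    rm -rf "$d"
}
demo
```

After encryption, `is_vault_encrypted ./my-passwords.yml` should succeed before the file is copied to other application nodes or placed under version control.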

...