diff --git a/playbooks/molecule/resources/xnat/inventory/group_vars/container_service_host.yml b/playbooks/molecule/resources/xnat/inventory/group_vars/container_service_host.yml index cb1747d0..0d13e6f2 100644 --- a/playbooks/molecule/resources/xnat/inventory/group_vars/container_service_host.yml +++ b/playbooks/molecule/resources/xnat/inventory/group_vars/container_service_host.yml @@ -1,13 +1,13 @@ --- # mirsg.infrastructure.docker -docker_generate_certificates: true # generate TLS certs for clients +docker_generate_certificates: false # generate TLS certs for clients docker_client_hostnames: - "{{ hostvars['xnat_web']['hostname'] }}" docker_tls_verify: false -# docker<25 is required for XNAT +# docker<25 is required for XNAT for Container Service plugin < 3.5.0 # see: https://groups.google.com/g/xnat_discussion/c/yyPBkN4kayE/m/LUe5GQH5AAAJ -docker_version: 24.0.9 +docker_version: latest # mirsg.infrastructure.firewalld firewalld_internal_zone_sources: diff --git a/playbooks/molecule/resources/xnat/verify.yml b/playbooks/molecule/resources/xnat/verify.yml index 50e6ee34..8a99f92a 100644 --- a/playbooks/molecule/resources/xnat/verify.yml +++ b/playbooks/molecule/resources/xnat/verify.yml 
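Review bot: With `docker_generate_certificates: false` and `docker_tls_verify: false` the molecule scenario now only exercises the plaintext `tcp://` daemon configuration, so the certificate path (CA/server/client generation, the client-cert copy) is no longer covered by any test in this repo. The retained trailing comment `# generate TLS certs for clients` next to `false` reads as if certs are still produced; I'd rewrite it as `# test-only: no TLS, daemon listens on plaintext TCP; the cert path is not exercised here` so nobody copies this group_vars into a real inventory. `docker_version: latest` combined with the removed version assertion in verify.yml also means an upstream Docker release can break the scenario with no pin to bisect against; a molecule-only pin, or an assert on the major version the Container Service plugin supports, would keep that failure mode diagnosable.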
@@ -17,27 +17,6 @@ - response.server == "nginx" - response.content is search('MIRSG XNAT') -- name: Verify correct Docker version is installed - hosts: xnat_cserv - tasks: - - name: Get Docker server version - ansible.builtin.command: - cmd: "{% raw %}docker version -f '{{.Server.Version}}'{% endraw %}" - changed_when: false - register: server_version - - - name: Get Docker client version - ansible.builtin.command: - cmd: "{% raw %}docker version -f '{{.Client.Version}}'{% endraw %}" - changed_when: false - register: client_version - - - name: Check Docker server version - ansible.builtin.assert: - that: - - server_version.stdout is version( docker_version ) - - client_version.stdout is version( docker_version ) - - name: Verify container service is running hosts: localhost tasks: diff --git a/roles/docker/README.md b/roles/docker/README.md index e59c310d..ef28ced9 100644 --- a/roles/docker/README.md +++ b/roles/docker/README.md @@ -31,7 +31,7 @@ used to configure certificate creation and signing: | `docker_server_hostname` | Hostname of your Docker server. Used for the `commonName` field of the certificate signing request subject. Defaults to `"{{ ansible_host }}"` | | `docker_server_ip` | IP address of your Docker server. Defaults to `0.0.0.0` | | `docker_server_port` | Port the Docker Daemon will listen on. Defaults to `2376`. | -| `docker_tls_verify` | If `true`, require that TLS certificates can be verified by a root authority. Defaults to `true` | +| `docker_tls_verify` | If `true`, require that TLS certificates can be verified by a root authority. Defaults to `false` | | `docker_ca_key` | Filename for the CA certificate key. Defaults to `/home/docker/.docker/ca.key` | | `docker_ca_csr` | Filename for the CA certificate signing request. Defaults to `/home/docker/.docker/ca.csr` | | `docker_ca_cert` | Filename for the CA certificate. Defaults to `/home/docker/.docker/ca.pem` | 
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 0dfe0816..78403f33 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -43,18 +43,6 @@ - docker-buildx-plugin - docker-compose-plugin -- name: Ensure yum-plugin-versionlock is installed - ansible.builtin.yum: - name: yum-plugin-versionlock - state: installed - -- name: Prevent docker from being updated - community.general.yum_versionlock: - state: "{{ 'absent' if docker_version == 'latest' else 'present' }}" - name: - - docker-ce - - docker-ce-cli - - name: Ensure docker service directory exists ansible.builtin.file: path: "{{ docker_service_directory }}" @@ -72,27 +60,27 @@ mode: "0644" notify: Reload docker +- name: Ensure docker config directory exists - {{ docker_config_dir }} + ansible.builtin.file: + path: "{{ docker_config_dir }}" + owner: "{{ docker_owner }}" + group: "{{ docker_group }}" + state: directory + mode: "0700" + +- name: Write docker daemon configuration file + ansible.builtin.template: + src: daemon.json.j2 + dest: "{{ docker_daemon_conf_file }}" + owner: "{{ docker_owner }}" + group: "{{ docker_group }}" + mode: "0640" + - name: Generate CA, server, and client certificates when: docker_generate_certificates notify: - Restart docker block: - - name: Ensure docker config directory exists - {{ docker_config_dir }} - ansible.builtin.file: - path: "{{ docker_config_dir }}" - owner: "{{ docker_owner }}" - group: "{{ docker_group }}" - state: directory - mode: "0700" - - - name: Write docker daemon configuration file - ansible.builtin.template: - src: daemon.json.j2 - dest: "{{ docker_daemon_conf_file }}" - owner: "{{ docker_owner }}" - group: "{{ docker_group }}" - mode: "0640" - - name: Generate CA certificate ansible.builtin.import_tasks: ca-cert.yml diff --git a/roles/docker/templates/daemon.json.j2 b/roles/docker/templates/daemon.json.j2 index 3769115e..3fc8ac4b 100644 --- a/roles/docker/templates/daemon.json.j2 
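Review bot: The `Write docker daemon configuration file` task lost its handler when it moved out of the `Generate CA, server, and client certificates` block: the block carries `notify: - Restart docker`, and the moved task has none, so a changed `daemon.json` (toggling `docker_generate_certificates`, changing `docker_server_ip`/port, or the TLS settings) is written but dockerd keeps running with the old `hosts` configuration until something else restarts it. Add `notify: Restart docker` to the template task; the directory task does not need it. Note also that `daemon.json` is now rendered unconditionally, so with `docker_generate_certificates: false` the role configures a TCP listener with no TLS — an unauthenticated Docker API is root on the host — and an `ansible.builtin.assert` that `docker_server_ip` is loopback, or that the operator explicitly opted into the plaintext listener, would be a cheap guard before the template runs.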
+++ b/roles/docker/templates/daemon.json.j2 @@ -1,7 +1,11 @@ { + {% if docker_generate_certificates %} "hosts": ["tcp://{{ docker_server_ip }}:{{ docker_server_port }}", "unix:///var/run/docker.sock"], "tlsverify": {{ docker_tls_verify | lower }}, "tlscacert": "{{ docker_ca_cert }}", "tlscert": "{{ docker_server_cert }}", "tlskey": "{{ docker_server_key }}" + {% else %} + "hosts": ["tcp://{{ docker_server_ip }}:{{ docker_server_port }}", "unix:///var/run/docker.sock"] + {% endif %} } diff --git a/roles/provision/tasks/main.yml b/roles/provision/tasks/main.yml index 7e84e9c3..c8a80d18 100644 --- a/roles/provision/tasks/main.yml +++ b/roles/provision/tasks/main.yml @@ -18,10 +18,6 @@ ansible.builtin.yum: name: "*" state: latest - exclude: - # https://groups.google.com/g/xnat_discussion/c/yyPBkN4kayE/m/LUe5GQH5AAAJ - - docker-ce - - docker-ce-cli tags: - molecule-idempotence-notest diff --git a/roles/xnat/defaults/main.yml b/roles/xnat/defaults/main.yml index 4ea1371b..c60e6ff5 100644 --- a/roles/xnat/defaults/main.yml +++ b/roles/xnat/defaults/main.yml @@ -1,5 +1,5 @@ --- -xnat_version: 1.8.10.1 +xnat_version: 1.9.1 xnat_pipeline_version: 1.8.10 xnat_archive_dir: "{{ xnat_root_dir }}/archive" xnat_prearchive_dir: "{{ xnat_root_dir }}/prearchive" 
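Review bot: The new `{% else %}` branch publishes the API on `tcp://{{ docker_server_ip }}:{{ docker_server_port }}` with no TLS at all; with the README's documented default of `0.0.0.0`, anything that can reach that port gets unauthenticated control of the daemon, which is equivalent to root on the host. The template cannot enforce a firewall, but it should make the hazard visible: a Jinja comment inside the else branch such as `{# no TLS: this listener is unauthenticated — bind docker_server_ip to loopback or firewall docker_server_port #}` is dropped at render time and keeps the JSON valid. Separately, the TLS branch renders `"tlsverify": false` without a `"tls": true` key; if I remember the daemon option semantics correctly (TLS is enabled by `--tls`, which `--tlsverify` implies, not by the presence of cert paths), a `tlsverify: false` config may leave the listener in plaintext even though certificates are configured — worth confirming with `docker info` or `openssl s_client` against a rendered host, especially now that the README says `docker_tls_verify` defaults to `false`.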
@@ -39,16 +39,17 @@ xnat_ldap_keystore_alias: "" # Plugins xnat_plugin_urls: - - https://api.bitbucket.org/2.0/repositories/xnatdev/xsync/downloads/xsync-plugin-all-1.7.0.jar - - https://api.bitbucket.org/2.0/repositories/xnatx/ldap-auth-plugin/downloads/ldap-auth-plugin-1.1.0.jar - - https://api.bitbucket.org/2.0/repositories/xnatdev/container-service/downloads/container-service-3.4.3-fat.jar - - https://api.bitbucket.org/2.0/repositories/xnatx/xnatx-batch-launch-plugin/downloads/batch-launch-0.6.0.jar + - https://api.bitbucket.org/2.0/repositories/xnatdev/xsync/downloads/xsync-plugin-all-1.8.1.jar + - https://api.bitbucket.org/2.0/repositories/xnatx/ldap-auth-plugin/downloads/ldap-auth-plugin-1.2.1.jar + - https://api.bitbucket.org/2.0/repositories/xnatdev/container-service/downloads/container-service-3.6.1-fat.jar + - https://api.bitbucket.org/2.0/repositories/xnatx/xnatx-batch-launch-plugin/downloads/batch-launch-0.7.0.jar - https://github.com/VUIIS/dax/raw/main/misc/xnat-plugins/dax-plugin-genProcData-1.4.2.jar - - https://api.bitbucket.org/2.0/repositories/icrimaginginformatics/ohif-viewer-xnat-plugin/downloads/ohif-viewer-3.6.2.jar - - https://api.bitbucket.org/2.0/repositories/xnatx/ml-plugin/downloads/ml-plugin-1.0.2.jar - - https://api.bitbucket.org/2.0/repositories/xnatx/datasets-plugin/downloads/datasets-plugin-1.0.3.jar + - https://api.bitbucket.org/2.0/repositories/icrimaginginformatics/ohif-viewer-xnat-plugin/downloads/ohif-viewer-3.7.0-XNAT-1.8.10.jar + - https://api.bitbucket.org/2.0/repositories/xnatx/ml-schema-plugin/downloads/ml-schema-plugin-1.0.0.jar + - https://api.bitbucket.org/2.0/repositories/xnatx/datasets-schema-plugin/downloads/datasets-schema-plugin-1.0.0.jar - https://api.bitbucket.org/2.0/repositories/xnatdev/xnat-image-viewer-plugin/downloads/ximgview-plugin-1.0.2.jar - https://api.bitbucket.org/2.0/repositories/xnatx/xnatx-dxm-settings-plugin/downloads/dxm-settings-plugin-1.0.jar + - 
https://api.bitbucket.org/2.0/repositories/xnatx/pipeline_engine_plugin/downloads/pipeline_engine_ui-1.1.0-xpl.jar xnat_plugin_bundle_urls: [] # yamllint disable-line rule:brackets xnat_plugin_packages: [] # yamllint disable-line rule:brackets diff --git a/roles/xnat_container_service/defaults/main.yml b/roles/xnat_container_service/defaults/main.yml index 0dd3dfa5..ac752a62 100644 --- a/roles/xnat_container_service/defaults/main.yml +++ b/roles/xnat_container_service/defaults/main.yml @@ -1,6 +1,7 @@ --- xnat_container_service_owner: tomcat xnat_container_service_group: tomcat +xnat_container_service_use_ssl: false xnat_container_service_certificate_directory: /usr/share/tomcat/.docker xnat_container_service_key: /usr/share/tomcat/.docker/key.pem xnat_container_service_csr: /usr/share/tomcat/.docker/docker.csr diff --git a/roles/xnat_container_service/tasks/copy_certs_to_client.yml b/roles/xnat_container_service/tasks/copy_certs_to_client.yml new file mode 100644 index 00000000..d8afea70 --- /dev/null +++ b/roles/xnat_container_service/tasks/copy_certs_to_client.yml 
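Review bot: None of the new plugin URLs carry an integrity check; these jars are executable code loaded into the XNAT Tomcat process, and a fetch keyed only on a URL trusts the Bitbucket download endpoint and every re-upload under the same filename. If the role downloads them with `ansible.builtin.get_url`, the list could be restructured as `{url, checksum}` pairs (e.g. `checksum: sha256:<digest>`) so a tampered or silently replaced artifact fails the play instead of being installed — the download task is not visible from this hunk, so treat this as something to verify there. Also worth a second look: `ohif-viewer-3.7.0-XNAT-1.8.10.jar` names XNAT 1.8.10 while `xnat_version` moves to 1.9.1 in this same commit; if that build is the one the OHIF project publishes for 1.9.x, a comment saying so would stop the next reader from "fixing" it.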
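Review bot: `xnat_container_service_use_ssl: false` makes plaintext the default for the XNAT-to-Docker connection, and nothing in the hunk records why; the previous behaviour (certificates always copied, `https://` host) was secure by default. If plaintext is only meant for the molecule scenario, default to `true` here and override to `false` in the test inventory; if `false` has to stay, add a comment above it such as `# false: Container Service talks to dockerd over unauthenticated tcp:// — only safe on loopback or an isolated network` so the choice is deliberate for the next operator rather than an accident of copying the defaults.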
@@ -0,0 +1,36 @@ +--- +- name: Ensure Docker certificate directory exists on the client + ansible.builtin.file: + path: "{{ xnat_container_service_certificate_directory }}" + state: directory + owner: "{{ xnat_container_service_owner }}" + group: "{{ xnat_container_service_group }}" + mode: "0700" + +- name: Copy Docker server certificate from Ansible Controller cache to client + ansible.builtin.copy: + src: "{{ xnat_container_service_certificate_cache_directory }}/ca.pem" + dest: "{{ xnat_container_service_server_ca_cert }}" + owner: "{{ xnat_container_service_owner }}" + group: "{{ xnat_container_service_group }}" + mode: "0600" + +- name: + Copy signed Docker client certificate from Ansible Controller cache to + client + ansible.builtin.copy: + src: + "{{ xnat_container_service_certificate_cache_directory }}/{{ + xnat_container_service_client_hostname }}.cert" + dest: "{{ xnat_container_service_cert }}" + owner: "{{ xnat_container_service_owner }}" + group: "{{ xnat_container_service_group }}" + mode: "0600" + +- name: Copy private key from Ansible Controller cache to client + ansible.builtin.copy: + src: "{{ xnat_container_service_certificate_cache_directory }}/key.pem" + dest: "{{ xnat_container_service_key }}" + owner: "{{ xnat_container_service_owner }}" + group: "{{ xnat_container_service_group }}" + mode: "0600" diff --git a/roles/xnat_container_service/tasks/main.yml b/roles/xnat_container_service/tasks/main.yml index af50cc5f..9da7b8a0 100644 --- a/roles/xnat_container_service/tasks/main.yml +++ b/roles/xnat_container_service/tasks/main.yml 
@@ -1,39 +1,7 @@ --- -- name: Ensure Docker certificate directory exists on the client - ansible.builtin.file: - path: "{{ xnat_container_service_certificate_directory }}" - state: directory - owner: "{{ xnat_container_service_owner }}" - group: "{{ xnat_container_service_group }}" - mode: "0700" - -- name: Copy Docker server certificate from Ansible Controller cache to client - ansible.builtin.copy: - src: "{{ xnat_container_service_certificate_cache_directory }}/ca.pem" - dest: "{{ xnat_container_service_server_ca_cert }}" - owner: "{{ xnat_container_service_owner }}" - group: "{{ xnat_container_service_group }}" - mode: "0600" - -- name: - Copy signed Docker client certificate from Ansible Controller cache to - client - ansible.builtin.copy: - src: - "{{ xnat_container_service_certificate_cache_directory }}/{{ - xnat_container_service_client_hostname }}.cert" - dest: "{{ xnat_container_service_cert }}" - owner: "{{ xnat_container_service_owner }}" - group: "{{ xnat_container_service_group }}" - mode: "0600" - -- name: Copy private key from Ansible Controller cache to client - ansible.builtin.copy: - src: "{{ xnat_container_service_certificate_cache_directory }}/key.pem" - dest: "{{ xnat_container_service_key }}" - owner: "{{ xnat_container_service_owner }}" - group: "{{ xnat_container_service_group }}" - mode: "0600" +- name: Copy SSL certificates to client + ansible.builtin.include_tasks: copy_certs_to_client.yml + when: xnat_container_service_use_ssl - name: Configure XNAT to talk to container service ansible.builtin.uri: 
@@ -45,9 +13,11 @@ body: name: "{{ xnat_container_service_name }}" host: - https://{{ xnat_container_service_hostname }}:{{ + tcp://{{ xnat_container_service_hostname }}:{{ xnat_container_service_port }} - cert-path: "{{ xnat_container_service_certificate_directory }}" + cert-path: + "{{ xnat_container_service_certificate_directory }} if {{ + xnat_container_service_use_ssl }} else ''" swarm-mode: false path-translation-xnat-prefix: "{{ xnat_container_service_path_translation_xnat_prefix }}"
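Review bot: The `cert-path` value does not do what it intends: the `if … else` sits outside the Jinja expression, so the request body carries the literal string `/usr/share/tomcat/.docker if False else ''` (or `… if True else ''`) rather than the directory or an empty string. Move the conditional inside the braces: `cert-path: "{{ xnat_container_service_certificate_directory if xnat_container_service_use_ssl else '' }}"`. The host scheme also changed from `https://` to `tcp://` for both modes; whether the Container Service plugin turns on TLS from a non-empty cert-path with a `tcp://` URL, or needs `https://`, is not visible here, so either render the scheme with the same conditional (`{{ 'https' if xnat_container_service_use_ssl else 'tcp' }}://…`) or confirm against the plugin before relying on it — otherwise the SSL path may silently negotiate plaintext. The enclosing `uri` task starts before this hunk.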