2 Installing Private Automation Hub

This chapter shows you how to set up a host and install the Private Automation Hub software and includes an option for using a remote or local database.

Installing on a Single Host

This section provides instructions for installing Private Automation Hub on a single host, with the database either local or on a remote host. It assumes that you have set up a passwordless SSH connection.

To set up the host:

  1. On the deployment host, log in as the user configured with passwordless SSH to the target host. For more information, see Set Up Passwordless SSH.
  2. Ensure Python 3.6 is installed on your host. If Python 3.6 is not installed, run the following command:
    sudo dnf install python36
  3. Install the Private Automation Hub software:
    sudo dnf install ol-private-automation-hub-installer
            
  4. Copy the contents of the /single-node folder to a working directory.
    cp -r /usr/share/ansible/collections/ansible_collections/oraclelinux/private_automation_hub/playbooks/single-node/ ~/single_node
  5. From the working directory, create a hosts file from the hosts.singlenode.example file. For example:
    cd ~/single_node
    cp hosts.singlenode.example hosts
  6. Edit the hosts file as follows:
    all:
      hosts:
        hub:
          ansible_host: <ip_address_or_hostname>
          ansible_user: <username>
    In the previous example,
    • <ip_address_or_hostname> is the IP address or host name of the target node where you want to install Private Automation Hub. This host must be reachable using SSH from the deployment host.

      Note:

      Valid characters for hostnames are a to z, 0 to 9, and the hyphen (-). A hostname may not start with a hyphen.
    • <username> is the username running the installer playbook commands on the target node where you want to install Private Automation Hub. This user must have sudo privileges.
  7. If you want to configure additional installation parameters to use during the installation, set up the installation parameter file as described in Configuring the Installation Parameter File.
  8. Do one of the following:
    • If you want to install a local database on the same host running Private Automation Hub, run the following command:
      ansible-playbook single-node-install.yml -i hosts -e "olpah_admin_password=<admin_password> olpah_db_password=<db_password>"
      In the previous example, <admin_password> and <db_password> are the passwords for the default admin user and the database user account.

      Note:

      If you want to use the parameter file, add the following to the end of the command:
      -e "@single-node-vars.yml"
    • If you want to use an existing database on a remote host, do the following:
      1. Log into the remote database.
      2. Create the database user accounts. For example:
        sudo su - postgres -c "createuser -S -P pulp"
      3. Enter and confirm the password for the pulp user.

        Note:

        This must be the same <db_password> as specified in the previous step.
        Enter password for new role: 
        Enter it again: 
      4. Create the database instance. For example:
        sudo su - postgres -c "createdb -O pulp pulp"
      5. From the single-node-install.yml file, remove the pulp_database role.
      6. Set the database hostname or IP address for the remote database (existing_db_host: <db_hostname_or_ip_address>) in the "@single-node-vars.yml" variables file. For more information about installing using the parameter file, see Configuring the Installation Parameter File.
      7. Return to the deployment server and run the following command:
        ansible-playbook single-node-install.yml -i hosts -e "olpah_admin_password=<admin_password> olpah_db_password=<db_password>" -e "@single-node-vars.yml"
        In the previous example, <admin_password> and <db_password> are the passwords for the default admin user and the database user account.
  9. The host is now ready. Using a browser, you can now log in as the admin user.
    https://<ip_address_or_hostname>

Configuring the Installation Parameter File

In some cases, you may want to configure additional parameters when installing Private Automation Hub. If you are configuring extra parameters for a single host installation, edit the single-node-vars.yml parameter file.

Note:

You can configure a parameter file before or after you install Private Automation Hub. If you do it after installing Private Automation Hub, then you must complete this step and rerun the playbook as described in Installing on a Single Host.
To configure extra installation parameters in a parameter file, do the following:
  1. In the parameter file, add the extra parameters you need. For example:
    existing_db_host: <db_hostname_or_ip_address>
    pulp_pkg_repo: "<local_repo_url>"
    
    olpah_require_content_approval: <True or False>
    pulp_api_workers: <Number_of_workers>
    connected_olam_controllers: [
     "https://<olam_controller_server_url1>/",
     "https://<olam_controller_server_url2>/",
     ...
    ]
    
    • If you want to use a remote database, add the following parameter to the parameter file. For example,
      existing_db_host: <db_hostname_or_ip_address>

      In the previous example, <db_hostname_or_ip_address> is the host name or IP address of the remote database.

    • If you want to use a remote mirror of ULN or yum repos, add the following parameter to the parameter file. For example,
      pulp_pkg_repo: "<local_repo_url>"
      In the previous example, <local_repo_url> is the URL of the remote mirror repository. The URL path should look similar to the following:
      pulp_pkg_repo: "http://192.0.121.30/yum/OracleLinux/OL8/automation2/$basearch/ol8_x86_64_automation2/"
    • If you want to enable the approval process for collection uploads, enable the following parameter in a parameter file.
      olpah_require_content_approval: True

      Note:

      You can do this step before or after you install Private Automation Hub. If you do it after installing Private Automation Hub, then you must complete this step and rerun the playbook as described in this procedure.
    • If you want to modify the default number of Pulp API workers available for Private Automation Hub, consider setting this value to the same number of CPU cores that are available on the target instance. For example,
      pulp_api_workers: 2
    • If you want to link one or more Oracle Linux Automation Manager control servers with Private Automation Hub to enable easier configuration of execution environments in Oracle Linux Automation Manager, add one or more URLs to the following parameter in a parameter file.
      connected_olam_controllers: [
       "https://<olam_controller_server_url1>/",
       "https://<olam_controller_server_url2>/",
       ...
      ] 

      In the previous example, <olam_controller_server_url1> and <olam_controller_server_url2> are the URLs of the control servers. You can add more of these URLs depending on the number of control servers you want to make available. Each URL must include https://. For more information about this feature, see Oracle Linux Automation Manager 2.1: Private Automation Hub User's Guide.

    • If you want to integrate Private Automation Hub with an LDAP server, add the LDAP parameters described in Configuring LDAP Parameters.

Configuring LDAP Parameters

To configure the LDAP parameters in the parameters file, do the following:
  1. Edit the parameter file and add the following required LDAP related parameters to the bottom of the file:
    #Enable galaxy_ng LDAP Integration
    config_ldap: True
    
    # LDAP Binding and Directory Look Up
    auth_ldap_server_uri: "<ldap_url>"
    auth_ldap_bind_dn: "<ldap_bind>"
    auth_ldap_bind_password: "<ldap_bind_password>"
    auth_ldap_user_search_base_dn: "cn=users,cn=accounts,dc=example,dc=com"
    auth_ldap_user_search_scope: "SUBTREE"
    auth_ldap_user_search_filter: "(uid=%(user)s)"
    auth_ldap_group_search_base_dn: "cn=groups,cn=accounts,dc=example,dc=com"
    auth_ldap_group_search_scope: "SUBTREE"
    auth_ldap_group_search_filter: "(objectClass=groupofnames)"
    auth_ldap_group_type_class: "django_auth_ldap.config:GroupOfNamesType"
    auth_ldap_user_flags_by_group__is_superuser: "cn=superuserexample,cn=groups,cn=accounts,dc=example,dc=com"
    auth_ldap_mirror_groups: False
    
    # LDAP Backend
    ldap_logging: True
    auth_ldap_start_tls: True
    use_galaxy_ldap_self_signed_cert: True
    
    
    In the previous example,
    • config_ldap

      Set the value of the config_ldap parameter to True to enable LDAP integration.

    • auth_ldap_server_uri
      Provide the URI to access your LDAP server in the format: ldap://<host> where <host> is the host name of the LDAP server. This field is required. For example,
      ldap://ldap1.example.com

      If your server uses StartTLS functionality, you can set the protocol to ldap within the URI scheme and enable the auth_ldap_start_tls option.

    • auth_ldap_bind_dn

      Provide the Distinguished Name (DN) used to authenticate Oracle Linux Automation Manager against the LDAP server using the Bind operation. This field is required if your LDAP server does not allow anonymous access. For example:

      uid=admin,cn=users,cn=accounts,dc=example,dc=com
    • auth_ldap_bind_password

      Provide the Bind password for the Bind DN that you provided above.

    • auth_ldap_user_search_base_dn

      Provide the DN where your users are listed within the directory.

    • auth_ldap_user_search_scope

      Provide the scope to use when performing an LDAP search query on the base DN where your users are listed. Typically, the scope value is set to either one level deep, ONELEVEL, or to the entire subtree, SUBTREE.

    • auth_ldap_user_search_filter

      Provide the search filter to be applied when performing an LDAP search query on the base DN where your users are listed. You can use the %(user)s syntax to match an attribute or key to the username value that a user provided during authentication.

    • auth_ldap_group_search_base_dn

      Provide the base DN to use when performing an LDAP search query to determine group membership for a user.

    • auth_ldap_group_search_scope

      Provide the scope to use when performing an LDAP search query on the base DN where groups are listed in the directory. Typically, the scope value is set to either one level deep, ONELEVEL, or to the entire subtree, SUBTREE.

    • auth_ldap_group_search_filter

      Provide the search filter to be applied when performing an LDAP search query on the base DN where groups are listed in the directory.

    • auth_ldap_group_type_class

      Provide an appropriate LDAP group type to define how the LDAP server determines group membership for users when attempting to authorize them. LDAP group types map onto the ObjectClasses that are defined for any groups that are listed on an LDAP server and can vary depending on the LDAP server implementation. The values for this parameter are related to the underlying Django framework and the LDAP ObjectClasses that the framework recognizes. Therefore, values are prefixed with django_auth_ldap.config:.

    • auth_ldap_user_flags_by_group__is_superuser
      Any user associated with this group has superuser privileges on Private Automation Hub.

      Caution:

      If you make an error with this value, you cannot log into Private Automation Hub after the installation process completes. You must correct the error and run the installation process again before you can log in. If the LDAP server has not been configured with the specified superuser group yet, you cannot log into Private Automation Hub until the superuser group information has been added to the LDAP server with the exception of the locally defined admin user.
    • auth_ldap_mirror_groups

      Enabling this feature mirrors LDAP groups associated with a user in Private Automation Hub whenever a user logs in to Private Automation Hub. Set this value to True if you want to enable this feature.

    • ldap_logging

      Set the ldap_logging value to True if you want to retain a log of LDAP activity. Logging can help debug authentication issues.

    • auth_ldap_start_tls

      If the LDAP server uses StartTLS functionality, you can set the protocol to ldap within the URI scheme used in auth_ldap_server_uri and set the auth_ldap_start_tls value to True.

    • use_galaxy_ldap_self_signed_cert

      Set the use_galaxy_ldap_self_signed_cert value to True if the certificates used for TLS or SSL on your LDAP server are self-signed and you want to disable validation of the certificate against a CA.
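
The following is an added example, not part of the original guide or of the Private Automation Hub installer: a pre-flight check that reviews a parsed parameter file for the transport and LDAP settings described above before the playbook is run. The function name audit_params, the SAMPLE values, and the rule that the superuser group should sit under the group search base are assumptions of this example; the input is the dictionary that yaml.safe_load() would return for single-node-vars.yml.

```python
from urllib.parse import urlparse

def audit_params(params):
    """Return (level, key, message) findings for a parsed parameter file."""
    out = []
    repo = params.get("pulp_pkg_repo")
    if repo and urlparse(repo).scheme != "https":
        out.append(("warn", "pulp_pkg_repo", "mirror is fetched without TLS"))
    for url in params.get("connected_olam_controllers") or []:
        if urlparse(url).scheme != "https":  # the guide requires https://
            out.append(("error", "connected_olam_controllers", f"{url} is not https://"))
    if params.get("config_ldap") is not True:
        return out
    uri = urlparse(params.get("auth_ldap_server_uri") or "")
    if not uri.hostname:
        out.append(("error", "auth_ldap_server_uri", "expected ldap://<host>"))
    elif uri.scheme == "ldap" and params.get("auth_ldap_start_tls") is not True:
        out.append(("error", "auth_ldap_start_tls",
                    "ldap:// without StartTLS exposes the bind password"))
    if params.get("use_galaxy_ldap_self_signed_cert") is True:
        out.append(("warn", "use_galaxy_ldap_self_signed_cert",
                    "LDAP certificate is not validated against a CA"))
    # Heuristic (assumption of this example): the superuser group should sit
    # under the group search base, otherwise a typo can lock LDAP users out.
    norm = lambda dn: (dn or "").lower().replace(" ", "")
    su = norm(params.get("auth_ldap_user_flags_by_group__is_superuser"))
    base = norm(params.get("auth_ldap_group_search_base_dn"))
    if not su:
        out.append(("error", "auth_ldap_user_flags_by_group__is_superuser", "not set"))
    elif base and not su.endswith("," + base):
        out.append(("warn", "auth_ldap_user_flags_by_group__is_superuser",
                    "group DN is outside auth_ldap_group_search_base_dn"))
    return out

# Constructed sample: the dict yaml.safe_load() would return for a parameter file.
SAMPLE = {
    "pulp_pkg_repo": "http://192.0.121.30/yum/OracleLinux/OL8/automation2/$basearch/ol8_x86_64_automation2/",
    "connected_olam_controllers": ["https://olam1.example.com/", "http://olam2.example.com/"],
    "config_ldap": True,
    "auth_ldap_server_uri": "ldap://ldap1.example.com",
    "auth_ldap_start_tls": False,
    "use_galaxy_ldap_self_signed_cert": True,
    "auth_ldap_group_search_base_dn": "cn=groups,cn=accounts,dc=example,dc=com",
    "auth_ldap_user_flags_by_group__is_superuser": "cn=superuserexample,cn=group,cn=accounts,dc=example,dc=com",
}

if __name__ == "__main__":
    for level, key, msg in audit_params(SAMPLE):
        print(f"{level:5} {key}: {msg}")
```

Findings marked error correspond to settings the guide states as requirements or that send the bind password unprotected; findings marked warn are settings that work but weaken transport or certificate checks.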