2 Installing Private Automation Hub
This chapter shows you how to set up a host and install the Private Automation Hub software and includes an option for using a remote or local database.
Setting Up a Remote Database
To set up a remote PostgreSQL database instance on Oracle Linux 8 for an Oracle Linux Automation Manager single host configuration, do the following:
- Install Oracle Linux 8 on a host.
- Open the database port in the firewall:
sudo firewall-cmd --add-port=5432/tcp --permanent
sudo firewall-cmd --reload
- Enable the postgresql 13 module stream.
sudo dnf module reset postgresql
sudo dnf module enable postgresql:13
Note:
For more information about the PostgreSQL 13 life cycle, see the appendix discussing the application life cycle for stream modules in Oracle Linux: Managing Software on Oracle Linux.
- Install the database.
sudo dnf install postgresql-server postgresql-contrib
- Initialize the database:
sudo postgresql-setup --initdb
- In the /var/lib/pgsql/data/postgresql.conf file, switch the password storage mechanism from md5 to scram-sha-256. For example, the following command makes the switch for you:
sudo sed -i "s/#password_encryption.*/password_encryption = scram-sha-256/" /var/lib/pgsql/data/postgresql.conf
- Start the database using the following command that also ensures that the database restarts in case the host restarts:
sudo systemctl enable --now postgresql
- Ensure the database is running:
sudo systemctl status postgresql
- Create the database user accounts. For example:
sudo su - postgres -c "createuser -S -P pulp"
- Enter and confirm the password for the pulp user.
Enter password for new role:
Enter it again:
- Create the database.
sudo su - postgres -c "createdb -O pulp pulp"
- As the root user, in the /var/lib/pgsql/data/pg_hba.conf file add the following line:
host all all 0.0.0.0/0 scram-sha-256
- As the root user, in the /var/lib/pgsql/data/postgresql.conf file in the # CONNECTIONS AND AUTHENTICATION section, add a line with the text listen_addresses = followed by the IP address or host name of the database in single quotes. For example:
listen_addresses = '<IP address or host name>'
#listen_addresses = 'localhost' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
#port = 5432 # (change requires restart)
In the previous example, <IP address or host name> is the IP address or host name of the database.
- Calculate and update the memory requirements parameters using the following:
max_connections = 1024
shared_buffers = total_mem_mb*0.3
work_mem = total_mem_mb*0.03
maintenance_work_mem = total_mem_mb*0.04
In the previous example, total_mem_mb is the total memory size in megabytes of the system hosting the database server. For example, if the total available memory on the system were 18 000 MB, then this worksheet would include the following:
max_connections = 1024
shared_buffers = 18000*0.3
work_mem = 18000*0.03
maintenance_work_mem = 18000*0.04
The final numbers to add are as follows:
max_connections = 1024
shared_buffers = 5400MB
work_mem = 540MB
maintenance_work_mem = 720MB
- Add the calculated values to the /var/lib/pgsql/data/postgresql.conf file.
- Restart the database.
sudo systemctl restart postgresql
You're now ready to set up hosts as described in Installing on a Single Host.
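The following check is an added example, not part of the original documentation: it audits the postgresql.conf and pg_hba.conf settings from the steps above and flags the documented 0.0.0.0/0 rule, which admits any address to every database and role. The function name audit_pg_auth, the sample files and the 192.0.2.20 address are constructed for illustration, and the narrower rule assumes the hub host is the only client and connects as pulp to the pulp database.

```shell
# Added example: audit the two files edited in the remote-database steps.
# Prints one finding per line and nothing when both files look sound.
audit_pg_auth() {
    conf=$1; hba=$2
    # Last uncommented password_encryption value (optional quotes stripped).
    enc=$(sed -n "s/^[[:space:]]*password_encryption[[:space:]]*=[[:space:]]*'\{0,1\}\([A-Za-z0-9-]*\).*/\1/p" "$conf" | tail -n 1)
    [ "$enc" = "scram-sha-256" ] ||
        echo "CONF: password_encryption is '${enc:-unset}', expected scram-sha-256"
    # Active TCP rules in pg_hba.conf: TYPE DATABASE USER ADDRESS [MASK] METHOD
    awk '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        $1 ~ /^host/ {
            method = ($5 ~ /^[0-9.]+$/) ? $6 : $5      # skip a separate netmask
            if (method == "trust" || method == "password" || method == "md5")
                printf "HBA line %d: method %s is weaker than scram-sha-256\n", NR, method
            if ($2 == "all" && $3 == "all" && ($4 == "0.0.0.0/0" || $4 == "::/0" || $4 == "all"))
                printf "HBA line %d: rule admits any address to every database and role\n", NR
        }' "$hba"
}

# Constructed sample input: the files as the steps above leave them.
demo=$(mktemp -d)
printf '%s\n' "password_encryption = scram-sha-256" > "$demo/postgresql.conf"
printf '%s\n' "local all all peer" "host all all 0.0.0.0/0 scram-sha-256" > "$demo/pg_hba.conf"
echo "as documented:"; audit_pg_auth "$demo/postgresql.conf" "$demo/pg_hba.conf"

# Narrower rule (assumption: the hub is the only client; 192.0.2.20 is a
# placeholder for its address). Only role pulp, only database pulp.
printf '%s\n' "local all all peer" "host pulp pulp 192.0.2.20/32 scram-sha-256" > "$demo/pg_hba.conf"
echo "narrowed:"; audit_pg_auth "$demo/postgresql.conf" "$demo/pg_hba.conf"
rm -rf "$demo"
```

Run the function against /var/lib/pgsql/data/postgresql.conf and /var/lib/pgsql/data/pg_hba.conf as a user who can read them; any rule change takes effect only after the database restart shown in the last step.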
Installing on a Single Host
This section provides instructions for installing the Private Automation Hub on a single host where the database is local or on a remote host and assumes that you have set up a passwordless SSH connection.
To set up the host:
- On the deployment host, log in as the user configured with Passwordless SSH to the target host. For more information, see Set Up Passwordless SSH.
- Ensure python 3.6 is installed on your host. If python 3.6 isn't installed, run the following command:
sudo dnf install python36
- Install the Private Automation Hub software:
sudo dnf install ol-private-automation-hub-installer
- Copy the contents of the /single-node folder to a working directory.
cp -r /usr/share/ansible/collections/ansible_collections/oraclelinux/private_automation_hub/playbooks/single-node/ ~/single_node
- From the working directory, create a hosts file from hosts.singlenode.example. For example,
cd ~/single_node
cp hosts.singlenode.example hosts
- Edit the hosts file as follows:
all:
  hosts:
    hub:
      ansible_host: <ip_address_or_hostname>
      ansible_user: <username>
In the previous example,
  - <ip_address_or_hostname> is the IP address or host name of the target node where you want to install Private Automation Hub. This host must be reachable using SSH from the deployment host.
    Note:
    Valid characters for hostnames are a to z, 0 to 9, and the hyphen (-). A hostname may not start with a hyphen.
  - <username> is the username running the installer playbook commands on the target node where you want to install Private Automation Hub. This user must have sudo privileges.
- To configure other installation parameters to use during the installation, set up the installation parameter file as described in Configuring the Installation Parameter File.
- Do one of the following:
  - To install a local database on the same host running Private Automation Hub, run the following command:
    ansible-playbook single-node-install.yml -i hosts -e "olpah_admin_password=<admin_password> olpah_db_password=<db_password>"
    In the previous example, <admin_password> and <db_password> are the passwords for the default admin user and the database user account.
    Note:
    To use the parameter file, add the following to the end of the command:
    -e "@single-node-vars.yml"
  - To use an existing database on a remote host, do the following:
    - Log into the remote database.
    - Install the following database extension.
      sudo dnf install postgresql-contrib
    - Restart the database.
      sudo systemctl restart postgresql
    - Create the database user accounts. For example:
      sudo su - postgres -c "createuser -S -P pulp"
    - Enter and confirm the password for the pulp user.
      Note:
      This must be the same <db_password> as specified in the previous step.
      Enter password for new role:
      Enter it again:
    - Create the database instance. For example:
      sudo su - postgres -c "createdb -O pulp pulp"
    - From the single-node-install.yml file, remove the pulp_database role.
    - Set the database hostname or IP address for the remote database (existing_db_host: <db_hostname_or_ip_address>) in the "@single-node-vars.yml" variables file. For more information about installing using the parameter file, see Configuring the Installation Parameter File.
    - Return to the deployment server and run the following command:
      ansible-playbook single-node-install.yml -i hosts -e "olpah_admin_password=<admin_password> olpah_db_password=<db_password>" -e "@single-node-vars.yml"
      In the previous example, <admin_password> and <db_password> are the passwords for the default admin user and the database user account.
The host is now ready. Using a browser, you can now log in as the admin user.
https://<ip_address_or_hostname>
Configuring the Installation Parameter File
single-node-vars.yml parameter file.
Note:
You can configure a parameter file before or after you install Private Automation Hub. If you do it after installing Private Automation Hub, then you must complete this step and rerun the playbook as described in Installing on a Single Host.
- In the parameter file, add the extra parameters you need. For example:
existing_db_host: <db_hostname_or_ip_address>
pulp_pkg_repo: "<local_repo_url>"
olpah_require_content_approval: <True or False>
pulp_api_workers: <Number_of_workers>
connected_olam_controllers: [ "https://<olam_controller_server_url1>/", "https://<olam_controller_server_url2>/", ... ]
  - To use a remote database, add the following parameter to the parameter file. For example,
    existing_db_host: <db_hostname_or_ip_address>
    In the previous example, <db_hostname_or_ip_address> is the host name or IP address of the remote database.
  - To use a remote mirror of ULN or yum repositories, add the following parameter to the parameter file. For example,
    pulp_pkg_repo: "<local_repo_url>"
    In the previous example, <local_repo_url> is the URL of the remote mirror repository. The URL path might look similar to the following:
    pulp_pkg_repo: "http://<ip_address>/yum/OracleLinux/OL8/automation<version>/$basearch/ol8_x86_64_automation<version>/"
    In the previous example, <ip_address> is the IP address of the repository and <version> is the version of the repository.
  - To enable the approval process for collection uploads, enable the following parameter in a parameter file.
    olpah_require_content_approval: True
    Note:
    You can do this step before or after you install Private Automation Hub. If you do it after installing Private Automation Hub, then you must complete this step and rerun the playbook as described in this procedure.
  - To change the default number of Pulp API workers available for Private Automation Hub, consider setting this value to the same number as the CPU cores available on the target instance. For example,
    pulp_api_workers: 2
  - To link one or more Oracle Linux Automation Manager control servers with Private Automation Hub to enable easier configuration of execution environments in Oracle Linux Automation Manager, add one or more URLs to the following parameter in a parameter file.
    connected_olam_controllers: [ "https://<olam_controller_server_url1>/", "https://<olam_controller_server_url2>/", ... ]
    In the previous example, <olam_controller_server_url1> and <olam_controller_server_url2> are the URLs to the control servers. You can add more of these URLs depending on the number of control servers you want to make available. The URL must include https://. For more information about this feature, see Oracle Linux Automation Manager 2.2: Private Automation Hub User's Guide.
  - To integrate Private Automation Hub with an LDAP server, add the LDAP parameters described in Configuring LDAP Parameters.
Configuring LDAP Parameters
- Edit the parameter file and add the following required LDAP related parameters to the bottom of the file:
#Enable galaxy_ng LDAP Integration
config_ldap: True
# LDAP Binding and Directory Look Up
auth_ldap_server_uri: "<ldap_url>"
auth_ldap_bind_dn: "<ldap_bind>"
auth_ldap_bind_password: "<ldap_bind_password>"
auth_ldap_user_search_base_dn: "cn=users,cn=accounts,dc=example,dc=com"
auth_ldap_user_search_scope: "SUBTREE"
auth_ldap_user_search_filter: "(uid=%(user)s)"
auth_ldap_group_search_base_dn: "cn=groups,cn=accounts,dc=example,dc=com"
auth_ldap_group_search_scope: "SUBTREE"
auth_ldap_group_search_filter: "(objectClass=groupofnames)"
auth_ldap_group_type_class: "django_auth_ldap.config:GroupOfNamesType"
auth_ldap_user_flags_by_group__is_superuser: "cn=superuserexample,cn=groups,cn=accounts,dc=example,dc=com"
auth_ldap_mirror_groups: False
# LDAP Backend
ldap_logging: True
auth_ldap_start_tls: True
use_galaxy_ldap_self_signed_cert: True
In the previous example,
- config_ldap
Set the value of the config_ldap parameter to True to enable LDAP integration.
- auth_ldap_server_uri
Provide the URI to access the LDAP server in the format:
ldap://<host>
where <host> is the host name of the LDAP server. This field is required. For example,
ldap://ldap1.example.com
If the server uses StartTLS functionality, you can set the protocol to ldap within the URI scheme and enable the auth_ldap_start_tls option.
- auth_ldap_bind_dn
Provide the Distinguished Name (DN) used to authenticate Oracle Linux Automation Manager against the LDAP server using the Bind operation. This field is required if the LDAP server doesn't allow anonymous access. For example:
uid=admin,cn=users,cn=accounts,dc=example,dc=com
- auth_ldap_bind_password
Provide the Bind password for the Bind DN that you provided before.
- auth_ldap_user_search_base_dn
Provide the DN where your users are listed within the directory.
- auth_ldap_user_search_scope
Provide the scope to use when performing an LDAP search query on the base DN where users are listed. Typically, the scope value is set to either one level deep, ONELEVEL, or to the entire subtree, SUBTREE.
- auth_ldap_user_search_filter
Provide the search filter to be applied when performing an LDAP search query on the base DN where users are listed. You can use the %(user)s syntax to match an attribute or key to the username value that a user provided during authentication.
- auth_ldap_group_search_base_dn
Provide the base DN to use when performing an LDAP search query to decide group membership for a user.
- auth_ldap_group_search_scope
Provide the scope to use when performing an LDAP search query on the base DN where groups are listed in the directory. Typically, the scope value is set to either one level deep, ONELEVEL, or to the entire subtree, SUBTREE.
- auth_ldap_group_search_filter
Provide the search filter to be applied when performing an LDAP search query on the base DN where groups are listed in the directory.
- auth_ldap_group_type_class
Provide an appropriate LDAP group type to define how the LDAP server decides group membership for users when performing authorization. LDAP group types map onto the ObjectClasses that are defined for any groups that are listed on an LDAP server and can vary depending on the LDAP server implementation. The values for this parameter are related to the underlying Django framework and the LDAP ObjectClasses that the framework recognizes. Therefore, values are prefixed with django_auth_ldap.config:.
- auth_ldap_user_flags_by_group__is_superuser
Any user associated with this group has superuser privileges on Private Automation Hub.
Caution:
If you make an error with this value, you can't log into Private Automation Hub after the installation process completes. You must correct the error and run the installation process again before you can log in. If the LDAP server hasn't been configured with the specified superuser group yet, you can't log into Private Automation Hub, except as the locally defined admin user, until the superuser group information has been added to the LDAP server.
- auth_ldap_mirror_groups
Enabling this feature mirrors LDAP groups associated with a user in Private Automation Hub whenever a user logs into Private Automation Hub. Set this value to True to enable this feature.
- ldap_logging
Set the ldap_logging value to True to retain a log of LDAP activity. Logging can help debug authentication issues.
- auth_ldap_start_tls
If the LDAP server uses StartTLS functionality, you can set the protocol to 'ldap' within the URI scheme used in auth_ldap_server_uri and set the auth_ldap_start_tls value to True.
- use_galaxy_ldap_self_signed_cert
Set the use_galaxy_ldap_self_signed_cert value to True if the certificates used for TLS or SSL on the LDAP server are self-signed and you want to disable validation of the certificate against a CA.
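The following lint is an added example, not part of the original documentation: it reads the LDAP parameters described above from a parameter file and reports combinations that weaken the connection, such as an ldap:// URI without auth_ldap_start_tls or certificate validation turned off. The function names yaml_get and lint_ldap_vars and the sample file are constructed for illustration, and the parser assumes flat "key: value" lines without trailing comments.

```shell
# Added example: lint the LDAP settings in a flat "key: value" vars file.
# Prints one finding per line and nothing when no check fires.
yaml_get() {   # value of top-level key $2 in file $1, quotes stripped, lowercased
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tail -n 1 |
        sed "s/[[:space:]]*\$//; s/^[\"']//; s/[\"']\$//" | tr 'A-Z' 'a-z'
}

lint_ldap_vars() {
    f=$1
    [ "$(yaml_get "$f" config_ldap)" = "true" ] || return 0   # LDAP not enabled
    uri=$(yaml_get "$f" auth_ldap_server_uri)
    case $uri in
        ldap://*)
            [ "$(yaml_get "$f" auth_ldap_start_tls)" = "true" ] ||
                echo "CLEARTEXT: $uri without auth_ldap_start_tls sends bind and user passwords unencrypted" ;;
    esac
    [ "$(yaml_get "$f" use_galaxy_ldap_self_signed_cert)" != "true" ] ||
        echo "NOVERIFY: use_galaxy_ldap_self_signed_cert disables CA validation of the LDAP server certificate"
    [ -n "$(yaml_get "$f" auth_ldap_user_flags_by_group__is_superuser)" ] ||
        echo "SUPERUSER: auth_ldap_user_flags_by_group__is_superuser is empty"
    # The file holds auth_ldap_bind_password in plain text: owner-only access.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        echo "PERMS: $f is accessible to group or others"
}

# Constructed sample input using the placeholder values from the page.
demo=$(mktemp); chmod 644 "$demo"
cat > "$demo" <<'EOF'
config_ldap: True
auth_ldap_server_uri: "ldap://ldap1.example.com"
auth_ldap_bind_password: "<ldap_bind_password>"
auth_ldap_user_flags_by_group__is_superuser: "cn=superuserexample,cn=groups,cn=accounts,dc=example,dc=com"
auth_ldap_start_tls: False
use_galaxy_ldap_self_signed_cert: True
EOF
lint_ldap_vars "$demo"; rm -f "$demo"
```

Run it as lint_ldap_vars ~/single_node/single-node-vars.yml before rerunning the playbook.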