Version 11 (modified by zequi, 5 years ago)


ESGF Node deployment with Ansible

Documentation on using Ansible to automate the installation of an ESGF Node.


  1. ESGF Autoinstaller -
  2. Creation of users - Create a user named esgfuser. Is this user supposed to run the ESGF services? Is it supposed to be accessible over ssh?
  3. ZFS?
  4. NFS -
  5. Time synchronization - ntpdate -u
  6. PKI keys? - Which users can ssh?
  7. Firewall
    1. Table filter
      1. Policy - DROP
      2. iptables -A INPUT -p tcp --dport ssh -j ACCEPT -s 192.168.x.x/24

Set up from scratch

  1. Create virtual machine
  2. Set hostname (check with hostname --fqdn)
  3. Install Ansible (
  4. Execute ansible playbook
  5. Follow instructions to install ESGF node (


- name: Set up machine
  hosts: all
  become: true
  become_method: sudo
  tasks:
    # The module names are missing from the page text; package, lineinfile,
    # user and iptables are restored here from the task parameters.
    - name: install nfs-utils autofs
      package:
        name: '{{ item }}'
        state: present
      with_items:
        - nfs-utils
        - autofs

    # The grep tasks only probe the files, so they never report a change.
    - name: test for line in /etc/idmapd.conf
      command: grep 'Domain = localadmin' /etc/idmapd.conf
      register: idmapd_check
      ignore_errors: true
      changed_when: false

    - name: add line in /etc/idmapd.conf
      lineinfile:
        dest: /etc/idmapd.conf
        line: 'Domain = localadmin'
      when: idmapd_check is failed

    - name: test for line in /etc/auto.master
      command: grep '/- /etc/auto.nfs4' /etc/auto.master
      register: auto_master_check
      ignore_errors: true
      changed_when: false

    - name: add line in /etc/auto.master
      lineinfile:
        dest: /etc/auto.master
        line: '/- /etc/auto.nfs4'
      when: auto_master_check is failed

    - name: check if /etc/auto.nfs4 is ready
      command: grep '^/vols/seal/oceano/gmeteo/DATA/ESGF/UNICAN-NODE' /etc/auto.nfs4
      register: nfs4_check
      ignore_errors: true
      changed_when: false

    - name: add line in /etc/auto.nfs4
      lineinfile:
        create: yes
        state: present
        dest: /etc/auto.nfs4
        line: '/vols/seal/oceano/gmeteo/DATA/ESGF/UNICAN-NODE      -fstype=nfs4 192.168.x.x:/oceano/gmeteo/DATA/ESGF/UNICAN-NODE'
      when: nfs4_check is failed

    # The NTP server argument is not given on the page.
    - name: synchronize time
      shell: 'ntpdate -u'

    - name: create user esgfuser
      user:
        name: esgfuser
        shell: /bin/bash

    # source is blank on the page; it has to be set to the private subnet
    # (192.168.x.x/24 in the firewall notes above) before this task can run.
    - name: allow ssh in private network
      iptables:
        table: filter
        chain: INPUT
        source: ''
        protocol: tcp
        in_interface: eth1
        destination_port: ssh
        jump: ACCEPT
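
The firewall notes call for a DROP policy on the filter table, while the playbook only appends the ssh ACCEPT rule, which restricts nothing as long as the INPUT policy is still ACCEPT. The play below is an added example, not part of the original page: it shows one order of tasks that reaches a default-deny INPUT chain without cutting the ssh session Ansible runs over. The variable ssh_allowed_cidr is hypothetical and 192.0.2.0/24 is a constructed placeholder for the private subnet; eth1 is taken from the playbook.

```yaml
# Added example, not from the original page.
# ssh_allowed_cidr is a hypothetical variable; 192.0.2.0/24 is a constructed
# placeholder for the private subnet that the page writes as 192.168.x.x/24.
- name: Default-deny INPUT with ssh limited to the private network
  hosts: all
  become: true
  vars:
    ssh_allowed_cidr: 192.0.2.0/24
  tasks:
    - name: accept loopback traffic
      iptables:
        table: filter
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: accept replies to connections that are already established
      iptables:
        table: filter
        chain: INPUT
        ctstate: [ESTABLISHED, RELATED]
        jump: ACCEPT

    - name: accept ssh from the private network only
      iptables:
        table: filter
        chain: INPUT
        protocol: tcp
        in_interface: eth1
        source: '{{ ssh_allowed_cidr }}'
        destination_port: ssh
        jump: ACCEPT

    # Set the policy last: switching to DROP before the ACCEPT rules exist
    # would drop the ssh connection this play is running over.
    - name: drop everything else arriving on INPUT
      iptables:
        table: filter
        chain: INPUT
        policy: DROP
```

The iptables module changes only the rules in the running kernel, so they must also be saved with the distribution's own mechanism to survive a reboot. Any port the node has to expose needs its own ACCEPT task ahead of the policy task.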