[Upgrade Ubuntu] changes for uk_staging2

[dacook]

• First server for Upgrade Ubuntu #157
• Solves most of [Upgrade Ubuntu] uk_staging #938

ansible-playbook playbooks/fetch_secrets.yml
ansible-playbook site.yml --limit=uk_staging2  -e "ansible_user=ubuntu"

Documentation

Updated:

• https://github.com/openfoodfoundation/ofn-install/wiki/Provisioning
• https://github.com/openfoodfoundation/ofn-install/wiki/Current-servers#uk-1 (inlude note about redis version pinned)
• https://github.com/openfoodfoundation/ofn-install/wiki/Set-up-remote-deployment-for-new-server-%28GitHub-Actions%29

[dacook]

✅ Successful deployment now, after restarting and re-provisioning with the multi_redis role.

ansible-playbook playbooks/deploy.yml --limit=uk_staging2
...
staging2.openfoodnetwork.org.uk : ok=31   changed=18   unreachable=0    failed=0    skipped=7    rescued=0    ignored=0

Now to provision ofn-security. It went so well.. until right at the end:

~/projects/ofn-security $ ansible-playbook playbooks/provision.yml --limit uk_staging2
...
RUNNING HANDLER [suricata : reload suricata rules] *********************************************************************
fatal: [staging2.openfoodnetwork.org.uk]: FAILED! => {"changed": true, "cmd": ["pkill", "-USR2", "--pidfile", "/var/run/suricata.pid"], "delta": "0:00:00.010499", "end": "2024-09-19 02:03:09.584525", "msg": "non-zero return code", "rc": 1, "start": "2024-09-19 02:03:09.574026", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

It was left in "exited" state which doesn't sound good. So I manually restarted (which is the next step anyway)

ofn-admin@ov-a4c948:~$ systemctl status suricata
● suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (exited) since Thu 2024-09-19 02:00:06 UTC; 1h 9min ago
...
ofn-admin@ov-a4c948:~$ systemctl status suricata
● suricata.service - LSB: Next Generation IDS/IPS
     Loaded: loaded (/etc/init.d/suricata; generated)
     Active: active (running) since Thu 2024-09-19 03:11:44 UTC; 5s ago

ofn-admin@ov-a4c948:~$ tail -n1 /var/log/suricata/suricata.log
[47922 - Suricata-Main] 2024-09-19 03:11:57 Notice: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.

🤷 I'm not sure exactly what the "reload suricata rules" task is trying to do, but if suricata is functioning then I don't want to investigate!

[dacook]

The host_id variable is only used for the new relic data. I'd like to :

• rename to match the new ansible host names (with underscore instead of dash)
• add a provision task to set the server hostname with it (it would be really handy to help make clear which server you're connected to)

[dacook]

For reference, here's the error occurring for ansible built-in command service_facts:
fatal: [staging.openfoodnetwork.org.uk]: FAILED! => {"changed": false, "msg": "Malformed output discovered from systemd list-unit-files: accounts-daemon.service enabled enabled "}

Due to: ansible/ansible#68536
This is fixed in Ansible v2.10.

[dacook]

Although I'm not quite finished with uk_staging server, I think it's high time this PR is reviewed.
If further changes are required for metabase, I'll raise a new PR.

[mkllnk]

Good work.

[mkllnk]

Good call.

[mkllnk]

Ah, good one. New Ruby versions are now automatically installed during deploys. So we don't need to run Ansible for that. This is just for the initial version.

I wish that we could skip the version and take the version number from the ofn code but this role requires a version. So if we want to set up rbenv without installing ruby straight away then we can't use this role. Just one of the annoying Ansible things that we could replace with shell scripts...

[rioug]

Nice one !