Allow Prometheus and HAProxy to be installed as the non-privileged user.

Reductionist can be used with https, either with the optional Ansible playbook Step deployment or with third party certificates. Documentation updated for installation of 3rd party certificates.

Author: maxstack

deployment/site.yml

@@ -83,7 +83,7 @@
 
     - name: Set step config path
       set_fact:
-        step_config_path: "{{ ansible_facts.env.HOME }}/step"
+        step_config_path: "{{ ansible_env.HOME }}/step"
 
     - name: Stat provisioner password file
       ansible.builtin.stat:
@@ -161,7 +161,7 @@
 
     - name: Set step config path
       set_fact:
-        step_config_path: "{{ ansible_facts.env.HOME }}/step"
+        step_config_path: "{{ ansible_env.HOME }}/step"
 
     - name: Regenerate step config if requested
       ansible.builtin.file:
@@ -300,41 +300,41 @@
   hosts: prometheus
   tags:
     - prometheus
-  become: true
   tasks:
     - name: Assert that there is only one Prometheus server
       ansible.builtin.assert:
         that:
           groups['prometheus'] | length == 1
 
-    - name: Ensure /etc/prometheus directory exists
+    - name: Ensure non-privileged user's prometheus directory exists
       ansible.builtin.file:
-        path: /etc/prometheus
+        path: "{{ ansible_env.HOME }}/prometheus"
         state: directory
         mode: "0755"
 
     - name: Ensure CA certificate is copied
       ansible.builtin.copy:
         src: "{{ prometheus_cacert }}"
-        dest: /etc/prometheus/cacert.pem
+        dest: "{{ ansible_env.HOME }}/prometheus/cacert.pem"
         mode: "0644"
       register: prometheus_cacert
 
     - name: Ensure prometheus.yml is templated
       ansible.builtin.template:
         src: prometheus.yml.j2
-        dest: /etc/prometheus/prometheus.yml
+        dest: "{{ ansible_env.HOME }}/prometheus/prometheus.yml"
         mode: "0644"
       register: prometheus_yml
 
     - name: Ensure prometheus container is running
       containers.podman.podman_container:
         name: prometheus
+        privileged: true # Rocky 9 SELinux prevents visibility of the host volumes
         image: docker.io/prom/prometheus
         network: host
         restart: "{{ prometheus_yml is changed or prometheus_cacert is changed }}"
         volumes:
-          - "/etc/prometheus:/etc/prometheus:ro"
+          - "{{ ansible_env.HOME }}/prometheus:/etc/prometheus:ro"
           - "prometheus:/prometheus"
       become: false
 
@@ -406,7 +406,6 @@
   hosts: haproxy
   tags:
     - haproxy
-  become: true
   tasks:
     # Currently we are not deploying any failover mechanism such as keepalived,
     # so limit to one HAProxy server.
@@ -424,28 +423,28 @@
       register: result
       loop: "{{ query('inventory_hostnames', 'reductionist') }}"
 
-    - name: Ensure /etc/haproxy directory exists
+    - name: Ensure non-privileged user's haproxy directory exists
       ansible.builtin.file:
-        path: /etc/haproxy
+        path: "{{ ansible_env.HOME }}/haproxy"
         state: directory
         mode: "0755"
 
     - name: Ensure haproxy.cfg is templated
       ansible.builtin.template:
         src: haproxy.cfg.j2
-        dest: /etc/haproxy/haproxy.cfg
+        dest: "{{ ansible_env.HOME }}/haproxy/haproxy.cfg"
         mode: "0644"
       register: haproxy_cfg
 
     - name: Ensure haproxy container is running
       containers.podman.podman_container:
         name: haproxy
+        privileged: true # Rocky 9 SELinux prevents visibility of the host volumes
         image: docker.io/haproxy:2.8
         network: host
         restart: "{{ haproxy_cfg is changed }}"
         volumes:
-          - "/etc/haproxy:/usr/local/etc/haproxy:ro"
-      become: false
+          - "{{ ansible_env.HOME }}/haproxy:/usr/local/etc/haproxy:ro"
 
     - name: Wait for reductionist server to be accessible via HAProxy
       ansible.builtin.uri:

docs/deployment.md

@@ -136,50 +136,70 @@ ansible-galaxy collection install -r deployment/requirements.yml
 Podman will be used to run containers under the same user account used for ansible deployment.
 To install requisite system packages some tasks will require sudo `privileged` access.
 
-To run the entire playbook as an unprivileged user prompting for a sudo password:
+To run the entire playbook as a non-privileged user prompting for a sudo password:
 ```sh
 ansible-playbook -i deployment/inventory deployment/site.yml -K
 ```
 
 To run specific plays the following tags are supported and may be specified via `--tags <tag1,tag2>`:
 
-* `podman` - runs privileged tasks
+* `podman` - runs privileged tasks to install packages
 * `step-ca`
-* `step` - runs privileged tasks
+* `step` - runs privileged tasks to install and the CA certificate
 * `minio`
-* `prometheus` - runs privileged tasks
+* `prometheus`
 * `jaeger`
 * `reductionist`
-* `haproxy` - runs privileged tasks
+* `haproxy`
 
 ### Minimal deployment of Podman and the Reductionist
 
 Podman is a prerequisite for running the Reductionist.
-Podman can run containers as an **unprivileged** user, however this user must have **linger** enabled on their account to allow Podman to continue to run after logging out of the user session.
+Podman can run containers as an **non-privileged** user, however this user must have **linger** enabled on their account to allow Podman to continue to run after logging out of the user session.
 
-To enable **linger** support for the unprivileged user:
+To enable **linger** support for the non-privileged user:
 ```sh
-sudo loginctl enable-linger <unprivileged user>
+sudo loginctl enable-linger <non-privileged user>
 ```
 
-Alternatively, run the optional `podman` play to install Podman as an **unprivileged** user. The following will prompt for the sudo password to escalate privileges only for package installation and for enabling **linger** for the unprivileged user:
+Alternatively, run the optional `podman` play to install Podman as an **non-privileged** user. The following will prompt for the sudo password to escalate privileges only for package installation and for enabling **linger** for the non-privileged user:
 ```sh
 ansible-playbook -i deployment/inventory deployment/site.yml --tags podman -K
 ```
 
-Then to run the `reductionist` play, again as the **unprivileged** user:
+Then to run the `reductionist` play, again as the **non-privileged** user:
 ```sh
 ansible-playbook -i deployment/inventory deployment/site.yml --tags reductionist
 ```
 
 Podman containers require a manual restart after a system reboot.
-This requires logging into the host(s) running the Reductionist as the **unprivileged** user to run:
+This requires logging into the host(s) running the Reductionist as the **non-privileged** user to run:
 ```sh
 podman restart reductionist
 ```
 
 Automatic restart on boot can be enabled via **systemd**, not covered by this documentation.
 
+### Using SSL/TLS certificates with the Reductionist
+
+To enable **https** connections edit `deployment/group_vars/all` before deployment as set:
+
+```
+REDUCTIONIST_HTTPS: "true"
+```
+
+Note, this is the default.
+
+Create a `certs` directory under the home directory of the non-privileged deployment user.
+Ensure the following files are added to the this directory:
+
+| Filename    | Description |
+| -------- | ------- |
+| certs/key.pem  | Private key file |
+| certs/cert.pem | Certificate file including any intermediates |
+
+Certificates can be added post Reductionist deployment but the Reductionist's container will need to be restarted afterwards.
+
 ## Usage
 
 Once deployed, the Reductionist API is accessible on port 8080 by HAProxy. The Prometheus UI is accessible on port 9090 on the host running Prometheus. The Jaeger UI is accessible on port 16686 on the host running Jaeger.