1. The docs (both in ansible.plone_server and in ansible-playbook incorrectly say this 'Defaults to:

   "PYTHON_EGG_CACHE ${buildout:directory}/var/.python-eggs"'

Actually it defaults to

"zope_i18n_compile_mo_files true"
"PYTHON_EGG_CACHE {{ plone_var_path }}/{{ plone_instance_name }}/.python-eggs"

Or actually something slightly different if using the multi-server setup.

1. When using playbook_plones, a global setting for this is ignored (probably because plone_instance_name changes per plone instance), but it's not easy to guess that's going to happen. To override this I have to set

   work_environment_vars:
   - "PYTHON_EGG_CACHE ${buildout:var-dir}/.python-eggs"
   - "PYTHONHASHSEED random"

I suggest it would be better to use the buildout variable ${buildout:var-dir} for PYTHON_EGG_CACHE instead of Ansible variables which are a bit fiddly here. Then the setting of work_environment_vars here can be simplified

In defaults/main.yml only a single site can be defined, but in templates/restart_clients.sh.j2 several sites are referenced. This is inconsistent:

• defaults/main.yml uses plone_site_id, while the template uses vh.zodb_path
• the template uses webserver_virtualhosts which is not documented anywhere in this role.

I volunteer implementing the following (incompatible) change if you agree on it:

• Convert the site-related definitions into a list of sites (scratch):

plone_default_site:
  create: yes
  site_id: Plone
  default_language: en
  extension_profiles:
plone_sites = '{{ [ plone_default_site ] }}'

and then in templates/restart_clients.sh.j2 revere to these.

As I follow up, the ansible-playbook has to be adopted, which I volunteer to do, too.

The restart clients script makes too many assumptions about the operating stack. It doesn't belong inside a role that may be used with a dramatically different stack.

I'm using ansible 2.6.1 and when I run this role (v 1.3.2) I get the following error:

The conditional check 'ansible_version is version('2.5.0', 'lt')' failed. The error was: Version comparison: '<' not supported between instances of 'str' and 'int'

Applying the following patch solves the problem:

--- main.yml.orig<----->2018-07-18 11:12:19.028597089 +0200
+++ main.yml<-->2018-07-18 10:40:43.634116606 +0200
@@ -2,7 +2,7 @@
.
 - name: Fail if Ansible is old
   fail: msg="We need updates in Ansible 2.5.0. Please update your kit. 'pip install -U Ansible'"
-  when: ansible_version is version('2.5.0', 'lt')
+  when: ansible_version.full is version('2.5.0', 'lt')
.
 - name: Fail if no plone initial password set
   fail: msg="You must set the plone_initial_password variable."

Hope you apply the patch asap.
Thank you.

Then running the role with --start-at="Run buildout", one gets the error

fatal: [test] => error while evaluating conditional: plone_autorun_buildout and instance_status.changed

The reason is that "Copy buildout template" is not run and thus instance_status is undefined.

As a work-around, the condition could be changed into

Solving this issue would require a different condition, see issue #14 .

Both the Copy buildout template and Copy requirements file tasks register the same instance_status variable. The result is that if the buildout template has changed, but the requirements file has not, the Run buildout task is never run if:

plone_always_run_buildout = false
plone_autorun_buildout = true

(which is the default).

I may be wrong, but this is the best/only way to get the initial site to have certain profiles installed.

Due to a bad setuptools release, bootstrapping buildout was failing.

I'm trying to use this with ansible-playbook to install an older Plone version, specifically 4.2.5.
No matter what I use in plone_major_version and plone_version, the versions.cfg file that is referred to in buildout.cfg's extends line is still the one for the latest version.

The good news is that upgrading to Plone 5 is really easy (see pull request).

The big question is how we want to release such an upgrade: bump the major version number? Personally, I would advocate versioning this role according to the version of Plone that is installed with it: 5.0 installs Plone 5.0, 4.3.7 installs Plone 4.3.7, etc.

I guess Run buildout needs to consider a variable registered in Copy files from the buildout extra dir

cc @Gomez

I'll probably get to this at somepoint, but not immediately.

this comes out as:

$ sudo supervisorctl
myproj_memmon                FATAL     can't find command '/usr/bin/memmon'

What's the purpose in hardcoding the path for supervisor? Is it sufficient to do the ansible equivalent of which memmon?

Because I have several things running on one machine, and I am using ansible to create/update the lot, I find it useful to have a map file containing port bases for each configuration.

In a new folder I place

- ansible.plone_server (fresh clone of master branch)
- vbox_host.cfg
- map.yml
- instance.yml

map.yml:
---
localvagrant_port_base: 11

instance1.yml:
---
- hosts: localvagrant
sudo: yes
gather_facts: no

  vars_files:
    - ansible.plone_server/defaults/main.yml
    - map.yml

  tasks:
    - include: ansible.plone_server/tasks/main.yml
      vars:
        plone_instance_name:      instance1
        plone_initial_password:   adminsecret
        plone_zeo_port:           "{{ localvagrant_port_base }}01"
        plone_client_base_port:   "{{ localvagrant_port_base }}05"

Then, I invoke the playbook for 'instance1' and I receive the following output:

campbell@campbell-np600:~/asdf$ ansible-playbook -i vbox_host.cfg instance1.yml
PLAY [localvagrant] ***********************************************************
[...]
TASK: [Copy buildout template] ************************************************
fatal: [localvagrant] => {'msg': 'TypeError: coercing to Unicode: need string or buffer, int found', 'failed': True}
fatal: [localvagrant] => {'msg': 'TypeError: coercing to Unicode: need string or buffer, int found', 'failed': True}

Putting it into {{ plone_instance_home }}/scripts hides it from the admin. Is there any reason for putting it into scripts?

Would it be interesting to allow users to compile their own python?

I created such an ansible role just for that: https://galaxy.ansible.com/gforcada/compile-python/

When running this role on a Vagrant machine I get the error shown below. It looks like ansible does not honour the sudo_user: entry.

Any idea how to solve this – except of changing the commands into `sudo ... ?, of course :-)

• ansible 1.8.1
• ansible.plone_server 1.0b6 (from galaxy)

Inventory:

test ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key ansible_ssh_user=vagrant

Shortend error message:

failed: [test] => {"changed": true, "cmd": ["bin/buildout"], "delta": "...", "end": "...", "rc": 1, "start": "...", "warnings": []}
stderr: While:
  Installing.
  Loading extensions.
Error: User attempt to give system ownership to Internet
stdout: buildout.sanitycheck: 
***********************************************************
Buildout should not be run while superuser. Doing so allows
untrusted code to be run as root.
Instead, you probably wish to do something like:
    sudu -u plone_buildout bin/buildout

I'm on Ubuntu 12.04, deploying Plone 4.3.7 and am seeing an error like this:

TASK [plone.plone_server : Bootstrap buildout] *********************************
fatal: [plone11]: FAILED! => {"changed": true, "cmd": ["../python2.7/bin/python2.7", "bootstrap.py", "--setuptools-version=8.0.4"], "delta": "0:00:00.874500", ...

If I run this outside Ansible, it looks like this:

$ sudo -u plone_buildout ../python2.7/bin/python2.7 bootstrap.py --setuptools-version=8.0.4
error: None
Traceback (most recent call last):
  File "bootstrap.py", line 172, in <module>
    "Failed to execute command:\n%s" % repr(cmd)[1:-1])
Exception: Failed to execute command:
'/usr/local/plone-4.3/highfields/../python2.7/bin/python2.7', '-c', 'from setuptools.command.easy_install import main; main()', '-mZqNxd', '/tmp/tmpnwlSux', 'zc.buildout==2.5.2'

Python on Ubuntu 12.04 is only at 2.7.3, and Setuptools on the server is up at 24.3.0, so maybe that's an issue, but I can't seem to pin it down.

The only things I've found online that looks similar are these:
pypa/setuptools#543
https://mail.python.org/pipermail/distutils-sig/2014-September/024759.html

The web port for clients beyond 1 are not correctly enumerated.

I'm getting this error when running the Plone ansible-playbook, on both the initial and a subsequent run:

TASK [plone.plone_server : Supervisor zeoclient tasks are present] *************
fatal: [redacted]: FAILED! => {"failed": true, "msg": "ERROR! ERROR! ERROR! list object has no element 1"}

• ansible-playbook: fresh clone from today
• ansible version 2.0.0.2
• I set plone_client_count: 4; not sure if that's relevant

Any idea what's wrong?

Actually since plone_create_site defaults to 'yes' it's always on, and might get away without docs
However plone_site_id also needs documenting.

I have modified the plone_zeo_port setting, and this is reflected correctly in parts/zeoserver/etc/zeo.conf. However parts/client?/etc/zope.conf always show the following:

<zodb_db main>
    # Main database
    cache-size 30000
# Blob-enabled ZEOStorage database
    <zeoclient>
      read-only false
      read-only-fallback false
      blob-dir /var/local/plone-4.3/cbt/blobstorage
      shared-blob-dir on
      server 8100
      storage 1
      name zeostorage
      var /usr/local/plone-4.3/cbt/parts/client3/var
      cache-size 128MB
    </zeoclient>
    mount-point /
</zodb_db>

I'm trying to build my own buildout out of a git repo, so in my local-configure.yml I define:

plone_buildout_git_repo: [email protected]:myrepo.git

I get the following error:

fatal: [default] => Failed to template {% if [email protected]:myrepo.git %} True {% else %} False {% endif %}: template error while templating string: unexpected char u'@' at 9

Trying with a http url instead of git is almost the same, it complains about '//' in the string...

We deploy our test servers with this role. As we need to change branches on the test server we need a full clone, instead of the depth=1.

Is there a advantage or would drop the depth a option:
https://github.com/plone/ansible.plone_server/blob/master/tasks/main.yml#L147

I usually deploy to rpm based environments, so I'll contribute my changes to a branch a then create a pull request.

In my case I updated 250MB to 300MB, but found that memmon restarted a process running at 260MB.

From a ps -ef analysis I can see that supervisord was not restarted when I ran Ansible. Reading around this, it seems there are some caveats of running supervisor update - it seems it may not restart relevant processes - in my case memmon. Perhaps we should be sending a SIGHUP to supervisord?

Brain dump of links
http://www.onurguzel.com/supervisord-restarting-and-reloading/ ( a bit old)
http://supervisord.org/running.html
Supervisor/supervisor#720

https://github.com/plone/ansible.plone_server/blob/master/templates/restart_clients.sh.j2#L15

Why is there a 40 second delay after stopping a client, and only a 10 second delay after starting?
It seems to me like it should be the other way around, as it always takes a very short time to stop, but longer to start.
On my sites, I inverted those two sleeps, anyway.

And I also add

/usr/sbin/service varnish restart
/usr/sbin/service nxinx restart

for good measure.

I get the following email daily (4 days running so far)

Cron root@myhostname test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
/etc/cron.daily/apt:
DB Update failed, database locked

Not very alarming, but I'd rather not have it

This post suggests a fix of:

 sudo apt-get remove apt-xapian-index

but upon review it seems this package is part of the default Ubuntu (14.04) install, so I'd rather not do this. The post does have good links to other discussions though.

If you've already deployed to a server with Ansible, then I presume doing this mindlessly (or otherwise) will give you a world of hurt? if so should there be a warning about this?
if not, please tell me - I'll be happy to be wrong!

In the current master and also in the tag 1.2.8 the file system permissions are broken:

root@plone-test1-deb8-32bit:/usr/local/plone-4.3/example# su plone_daemon 
$ pwd
/usr/local/plone-4.3/example
$ ./bin/client_reserved run scripts/addPloneSite.py  
Traceback (most recent call last):
  File "/usr/local/plone-4.3/example/parts/client_reserved/bin/interpreter", line 260, in <module>
    exec(_val)
  File "<string>", line 1, in <module>
  File "/usr/local/plone-4.3/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/Zope2/__init__.py", line 51, in app
    startup()
  File "/usr/local/plone-4.3/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/Zope2/__init__.py", line 47, in startup
    _startup()
  File "/usr/local/plone-4.3/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/Zope2/App/startup.py", line 81, in startup
    DB = dbtab.getDatabase('/', is_root=1)
  File "/usr/local/plone-4.3/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/Zope2/Startup/datatypes.py", line 287, in getDatabase
    db = factory.open(name, self.databases)
  File "/usr/local/plone-4.3/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/Zope2/Startup/datatypes.py", line 185, in open
    DB = self.createDB(database_name, databases)
  File "/usr/local/plone-4.3/buildout-cache/eggs/Zope2-2.13.23-py2.7.egg/Zope2/Startup/datatypes.py", line 182, in createDB
    return ZODBDatabase.open(self, databases)
  File "/usr/local/plone-4.3/buildout-cache/eggs/ZODB3-3.10.5-py2.7-linux-i686.egg/ZODB/config.py", line 101, in open
    storage = section.storage.open()
  File "/usr/local/plone-4.3/buildout-cache/eggs/ZODB3-3.10.5-py2.7-linux-i686.egg/ZODB/config.py", line 220, in open
    **options)
  File "/usr/local/plone-4.3/buildout-cache/eggs/ZODB3-3.10.5-py2.7-linux-i686.egg/ZEO/ClientStorage.py", line 387, in __init__
    self.fshelper = ZODB.blob.FilesystemHelper(blob_dir)
  File "/usr/local/plone-4.3/buildout-cache/eggs/ZODB3-3.10.5-py2.7-linux-i686.egg/ZODB/blob.py", line 330, in __init__
    layout_name = auto_layout_select(base_dir)
  File "/usr/local/plone-4.3/buildout-cache/eggs/ZODB3-3.10.5-py2.7-linux-i686.egg/ZODB/blob.py", line 516, in auto_layout_select
    for name in os.listdir(path):
OSError: [Errno 13] Permission denied: '/var/local/plone-4.3/example/blobstorage'

tag 1.2.5 works with the same playbook.
OS: Debian 32bit on DiagitalOcean

This line https://github.com/plone/ansible.plone_server/blob/master/templates/buildout.cfg.j2#L162 guarantees a collision in port numbers.

All our server use the extends cache, as it makes them more independent from third party downtimes.

We use a task like this:

- name: Copy the buildout default cfg template
  template:
    src: "buildout_default_cfg.j2"
    dest: '$home/.buildout/default.cfg'

With this template:

[buildout]
eggs-directory = $home/.buildout/eggs
download-cache = $home/.buildout/downloads
extends-cache  = $home/.buildout/extends

Should i prepare a PR for this?

Security vulnerability pre-announcement: 20200121
https://plone.org/security/announcements/20200121-preannounce

When it is released, we need to update templates/buildout.cfg.j2 for Plone 4.x/5.x.

When running through the tutorial, I kept hitting the problem fixed in #134. I had to manually edit plone/ansible-playbook/playbook.yml:13 to the following:

when: ansible_version.full is version('2.5.0', '<')

Then after running the playbook, I had to add another instance of the same issue in plone/ansible-playbook/roles/plone.plone_server/tasks/main.yml:5.

Two questions:

1. Why did the change in #134 not get used when I ran the playbook?
2. Where the heck is plone/ansible-playbook/roles/plone.plone_server/tasks/main.yml in any of the repositories, or is it generated automatically somehow?

I am testing this on Ubuntu 20.04 LTS:

TASK [plone.plone_server : Ensure required python2 packages] *******************************************************************************************************************************************************
fatal: [some.i.p.address]: FAILED! => {"changed": false, "msg": "No package matching 'python-pip' is available"}

It seems that updating to 1.1.1 including 5cce05d has left me with duplicate cron jobs. I can just remove them manually (not the Ansible way), but thought it worth noting.

root@mysite:/etc# crontab -u plone_daemon -l
#Ansible: Plone packing
30 1 * * 7 cd /usr/local/plone-4.3/zeoserver && bin/zeopack
#Ansible: Plone backup
30 2 * * * cd /usr/local/plone-4.3/zeoserver && bin/backup
#Ansible: zeoserver Plone packing
30 1 * * 7 cd /usr/local/plone-4.3/zeoserver && bin/zeopack
#Ansible: zeoserver Plone backup
30 2 * * * cd /usr/local/plone-4.3/zeoserver && bin/backup

I still use it occasionally.

When creating multiple Plones in a single playbook, the backup directly is not set correctly for instances after the first.

At some point it creates the directory defined by {{ instance_config.plone_target_path }}.

This variable is calculated from:

plone_target_path: "{{ plone_config.plone_target_path|default('/usr/local/plone-' + work_major_version) }}"

And in case plone_config.plone_target_path is not defined, it looks at:

work_major_version: "{{ work_version|truncate(length=3, end='') }}"

And here truncating "4.3.7" results in empty string, you should change the truncate filter to:

truncate(length=3, killwords=true, end='')

This is an issue in Ansible 1.9.2 (and 1.9.2.1). A fix is coming in the next release of Ansible but that isn't out yet (unless you want to use rc versions)

Installing the older 1.9.1 of Ansible fixed this for me. I had to:

apt-get remove ansible 
pip install ansible=1.9.1

Can I/we log this somewhere? (just tell me where)

Occurs on e.g. "plone.plone_server : Bootstrap buildout" when running Ansible 2.1 without being root.
(this is the case in Plone 4.3, but it looks to me like it would just give the same error on a different task in Plone 5)

Full message is:

fatal: [peacock]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}

Not an error in this role, but could we advise a course of action?

Basically the options are:

• use pipelining
• Install filesystem acl support on the managed host
• always run as root
• don't use become in our tasks (not suitable for us)
• (potentially insecure) override Ansible's check by setting allow_world_readable_tmpfiles in ansible.cfg

It would be great if we could use ansible to deploy (install and cofigure) a multi-client single-server setup. All machines would be discrete units.

The blobstoragebackups directory is not readable by anyone other than plone_daemon.
That is not helpful if I am for instance trying to pull backups on to another server (remember that plone_daemon is not given an external login, and it's recommended to turn off root's login)

As the subject stated, in my cases memmon gets installed and setup in supervisor even though I set plone_client_max_memory to 0.

I found out that incuding the int filter in the supervisor_task.j2 template solves the problem, but it probably doesn't work if you set the max memory to something like 2GB. So, better, change the line:

{% if instance_config.plone_client_max_memory != 0 %}

so that it looks like:

{% if instance_config.plone_client_max_memory != '0' %}

I though that the role itself is helpful to provision development boxes, developers could use it to get a Plone env. ready on their own laptops, but having two users and a dedicated group is a bit overkilling, change that to allow a user to choose just one user and group should be easy, leaving the current behaviour (plone_buildout, plone_daemon and plone_group) as default.

I'm just tying this with plone version 4.3.10, and it pins some weird versions in buildout.cfg since the template is performing an alphabetical comparison, therefore resulting that '4.3.10' is less than '4.3.8'.

The issue is in line 51 and 242 of file templates/buildout.cfg.j2

When "Run buildout" fails, (see issue #13) re-running the role does not re-run "Run buildout". Instead this will be skipped. The reason is:

- name: Run buildout
when: plone_autorun_buildout and instance_status.changed

But instance_status.changed is only true when the buildout.cfg has changed. So we'd need some other or additional condition.

I try to use this role with the starzel.buildout: https://github.com/starzel/buildout/

To make this work, i need to run a task before "Bootstrap buildout" like:

$ ln -s local_develop.cfg local.cfg

Can i add some kind of switches for it as a PR (with good defaults)? Or is there an other way?

Hello,

I don't know why but the vw package is no longer at this url:
http://dl.fedoraproject.org/pub/epel/6/x86_64/wv-1.2.7-2.el6.x86_64.rpm

but there:
https://dl.fedoraproject.org/pub/epel/6/x86_64/Packages/w/wv-1.2.7-2.el6.x86_64.rpm

This is not the first time we hit this issue, the first time we discussed about it in the wrong project:
plone/ansible-playbook#60

I don't know how to fix this problem once and for all. Do you know if there is a version of this package for centos7 because I can't find one?

Best regards,
L00ptr

It should be possible to deploy plone with letsencrypt.
Here's a post on ansible, nginx and letsencrypt https://medium.com/@flawless_retard/generating-lets-encrypt-certificates-for-nginx-using-ansible-9fd27b90993a

It looks like we would just need to add a "letsencrypt" role.