通过chef client实现ArcGIS Enterprise

ArcGIS Enterprise 基础部署基本流程

• 安装ArcGIS Server，对其进行授权，创建站点并在Server Admin中启用HTTPS。
• 如果未安装，则在Linux上安装Tomcat和Java。
• 导入CA证书，或为Web服务器生成自签名证书。
• 安装和配置WA for ArcGIS Server。
• 安装Portal for ArcGIS并对其进行授权。创建初始管理帐户。
• 为Portal for ArcGIS安装和配置WA。
• 安装ArcGIS Data Store并将其注册到ArcGIS Server。
• 联合带有门户的ArcGIS Server。将其设置为托管服务器。

目标

• 修改脚本配置文件，执行脚本，完成上述一系列工作。（联网很丰满，离线很骨感）

准备工作

• 测试环境：CentOS 7、ArcGIS_Enterprise_Linux_107_166579
• 下载 arcgis-cookbooks.tar.gz
• 下载 chef-client for RedHat

注意：cookbook和chef-client版本要对应，当前最新版的arcgis-cookbook为3.4.0，已支持到最新版本的ArcGIS 10.7和10.7.1，仅支持 chef-client的13或14版本

• 管理员身份 运行 Microsoft PowerShell 启用Open-SSH客户端

PS C:\WINDOWS\system32> Add-WindowsCapability -Online -Name OpenSSH-Client

Path          :
Online        : True
RestartNeeded : False

PS C:\WINDOWS\system32>

ssh连接Linux，配置域名，新建软件目录

• 曾经连接过相同IP的机器，需要重新生成key

PS C:\WINDOWS\system32> ssh-keygen -R 192.168.137.2
# Host 192.168.137.2 found: line 3
C:\Users\XH/.ssh/known_hosts updated.
Original contents retained as C:\Users\XH/.ssh/known_hosts.old
PS C:\WINDOWS\system32> 

• ssh连接

PS C:\WINDOWS\system32> ssh root@192.168.137.2
The authenticity of host '192.168.137.2 (192.168.137.2)' can't be established.
ECDSA key fingerprint is SHA256:8sUNfxqJc4ny+TbwtC5ELa//Lr3x1CLQxnL76nwtaAo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.137.2' (ECDSA) to the list of known hosts.
root@192.168.137.2's password:
[root@lbd107 ~]#
[root@lbd107 ~]# hostnamectl set-hostname lbd107.esrichina.org.cn
[root@lbd107 ~]# hostname
lbd107.esrichina.org.cn
[root@lbd107 ~]# 
[root@lbd107 /]# cd /var
[root@lbd107 var]# mkdir software
[root@lbd107 var]

PowerShell 上传安装文件

• 复制文件 chef-client 和 cookbook 到软件目录/var/software

PS C:\WINDOWS\system32> scp d:/software/chef-14.14.25-1.el7.x86_64.rpm root@192.168.137.2:/../var/software
root@192.168.137.2's password:
chef-14.14.25-1.el7.x86_64.rpm                                                        100%   29MB  96.5MB/s   00:00
PS C:\WINDOWS\system32> scp d:/software/arcgis-3.4.0-cookbooks.tar.gz root@192.168.137.2:/../var/software
root@192.168.137.2's password:
arcgis-3.4.0-cookbooks.tar.gz                                                         100%  414KB  25.5MB/s   00:00
PS C:\WINDOWS\system32> 

• 复制文件夹 ArcGIS Enterprise 和 Lic 到软件目录/var/software

PS C:\WINDOWS\system32> scp -r d:/software/lic root@192.168.137.2:/../var/software
root@192.168.137.2's password:
ArcGISGeoAnalyticsServer_ArcGISServer_722285.ecp                                      100% 1078   263.3KB/s   00:00
ArcGISGISServerAdvanced_ArcGISServer_722288.ecp                                       100% 1802   881.2KB/s   00:00
ArcGIS_Enterprise_Portal_107.json                                                     100% 2067     1.0MB/s   00:00
PS C:\WINDOWS\system32> scp -r d:/software/arcgis root@192.168.137.2:/../var/software
root@192.168.137.2's password:
ArcGIS_DataStore_Linux_107_167719.tar.gz                                              100% 1082MB 102.7MB/s   00:10
ArcGIS_Server_Linux_107_167707.tar.gz                                                 100% 3084MB 102.8MB/s   00:30
Portal_for_ArcGIS_Linux_107_167718.tar.gz                                             100% 3811MB 106.1MB/s   00:35
Web_Adaptor_Java_Linux_107_167720.tar.gz                                              100%   73MB  98.5MB/s   00:00
PS C:\WINDOWS\system32>

安装 Linux chef-client 并配置 cookbook

• ssh连接并切换到软件目录/var/software

[root@lbd107 /]# cd /var/software
[root@lbd107 software]# ls
arcgis  arcgis-3.4.0-cookbooks.tar.gz  chef-14.14.25-1.el7.x86_64.rpm  lic

• 解压缩ArcGIS Enterprise 安装文件到/arcgis/10.7目录下

[root@lbd107 software]# cd /
[root@lbd107 /]# mkdir arcgis
[root@lbd107 /]# cd arcgis
[root@lbd107 arcgis]# mkdir 10.7
[root@lbd107 arcgis]# ls
10.7
[root@lbd107 10.7]# cd /var/software/arcgis
[root@lbd107 arcgis]# ls
ArcGIS_DataStore_Linux_107_167719.tar.gz  Portal_for_ArcGIS_Linux_107_167718.tar.gz
ArcGIS_Server_Linux_107_167707.tar.gz     Web_Adaptor_Java_Linux_107_167720.tar.gz
[root@lbd107 arcgis]# tar -zxvf ArcGIS_DataStore_Linux_107_167719.tar.gz -C /arcgis/10.7/
[root@lbd107 arcgis]# tar -zxvf ArcGIS_Server_Linux_107_167707.tar.gz -C /arcgis/10.7/
[root@lbd107 arcgis]# tar -zxvf Portal_for_ArcGIS_Linux_107_167718.tar.gz -C /arcgis/10.7/
[root@lbd107 arcgis]# tar -zxvf Web_Adaptor_Java_Linux_107_167720.tar.gz -C /arcgis/10.7/
[root@lbd107 arcgis]# cd /arcgis/10.7/
[root@lbd107 10.7]# ls
ArcGISDataStore_Linux  ArcGISServer  PortalForArcGIS  WebAdaptor
[root@lbd107 10.7]#
[root@lbd107 10.7]# cp -r /var/software/lic /arcgis/10.7/
[root@lbd107 10.7]# ls
ArcGISDataStore_Linux  ArcGISServer lic  PortalForArcGIS  WebAdaptor

• 执行安装 chef-client

[root@lbd107 10.7]# cd /var/software
[root@lbd107 software]# rpm -ivh chef-14.14.25-1.el7.x86_64.rpm
warning: chef-14.14.25-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:chef-14.14.25-1.el7              ################################# [100%]
Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
[root@lbd107 software]#

• 解压缩 cookbook 到 /var/chef 目录

[root@lbd107 software]# cd ..
[root@lbd107 var]# mkdir chef
[root@lbd107 var]# tar zxvf /var/software/arcgis-3.4.0-cookbooks.tar.gz -C /var/chef

• 确保层级和目录正确，即 /var/chef/cookbooks/arcgis-enterprise

[root@lbd107 var]# cd chef
[root@lbd107 chef]# ls
cookbooks  misc_scripts  roles  solo.rb
[root@lbd107 chef]# cd cookbooks
[root@lbd107 cookbooks]# ls
apt                arcgis-geoevent    authbind     hostsfile        limits     openssl  windows_firewall
arcgis-desktop     arcgis-insights    esri-iis     iptables         line       s3_file
arcgis-egdb        arcgis-pro         esri-tomcat  java             ms_dotnet  tomcat
arcgis-enterprise  arcgis-repository  homebrew     java_properties  nfs        windows
[root@lbd107 cookbooks]#

• cookbook自带的食谱

[root@lbd107 cookbooks]# cd /var/chef/roles/
[root@lbd107 roles]# ls
arcgis-desktop.json                                 arcgis-enterprise-windows-with-datasources.json
arcgis-enterprise-centos-local-repository-107.json  arcgis-geoanalytics-windows.json
arcgis-enterprise-rhel.json                         arcgis-geoevent-windows.json
arcgis-enterprise-s3-download-linux-setups.json     arcgis-licensemanager.json
arcgis-enterprise-ubuntu.json                       arcgis-portal-windows-security.json
arcgis-enterprise-windows-ha-primary.json           arcgis-pro.json
arcgis-enterprise-windows-ha-secondary.json         arcgis-rasteranalytics-windows.json
arcgis-enterprise-windows.json                      arcgis-server-windows-security.json
arcgis-enterprise-windows-uninstall.json            arcgis-server-windows-services.json
[root@lbd107 roles]#

修改脚本文件

/var/chef/roles/arcgis-enterprise-rhel.json

[root@lbd107 roles]# cp arcgis-enterprise-rhel.json arcgis-enterprise-rhel-backup.json
[root@lbd107 roles]# vim arcgis-enterprise-rhel.json

{
  "java":{
    "install_flavor":"oracle",
    "jdk_version":"8",
    "oracle":{
      "accept_oracle_download_terms":true
    },
    "setup_archives":"/var/software"    
  },
  "tomcat":{
      "instance_name":"arcgis"
  },
  "arcgis":{
    "run_as_user":"arcgis",
    "version":"10.7",
    "web_server":{
      "webapp_dir":"/opt/tomcat_arcgis/webapps"
    },
    "web_adaptor":{
      "setup":"/arcgis/10.7/WebAdaptor/Setup"
    },
    "data_store":{
      "setup":"/arcgis/10.7/ArcGISDataStore_Linux/Setup"
    },
    "server":{
      "admin_username":"siteadmin",
      "admin_password":"Esri2019",
      "setup":"/arcgis/10.7/ArcGISServer/Setup",
      "authorization_file":"/arcgis/10.7/lic/ArcGISGISServerAdvanced_ArcGISServer_722288.ecp"
    },
    "portal":{
      "admin_username":"portaladmin",
      "admin_password":"Esri2019",
      "admin_email":"xx@esrichina.org.cn",
      "security_question":"Your favorite ice cream flavor?",
      "security_question_answer":"vanilla",
      "setup":"/arcgis/10.7/PortalForArcGIS/Setup",
      "authorization_file":"/arcgis/10.7/lic/ArcGIS_Enterprise_Portal_107.json",
      "user_license_type_id":"creatorUT"
    }
  },
  "run_list":[
    "recipe[arcgis-enterprise::system]",
    "recipe[esri-tomcat]",
    "recipe[iptables]",
    "recipe[arcgis-enterprise::iptables]",
    "recipe[arcgis-enterprise::portal]",
    "recipe[arcgis-enterprise::portal_wa]",
    "recipe[arcgis-enterprise::server]",
    "recipe[arcgis-enterprise::server_wa]",
    "recipe[arcgis-enterprise::datastore]",
    "recipe[arcgis-enterprise::federation]"
  ]
}

• 自动化的工作流，实现的主要步骤如下：
  —— [arcgis-enterprise::system]：创建 arcgis 用户
  —— [esri-tomcat]：在Linux上安装tomcat，生成自签名证书并导入。
  —— [iptables]"：防火墙设置
  —— [arcgis-enterprise::iptables]"：防火墙设置
  —— [arcgis-enterprise::portal]：安装Portal for ArcGIS并对其进行授权，创建初始管理帐户
  —— [arcgis-enterprise::portal_wa]：为Portal for ArcGIS安装和配置WA。
  —— [arcgis-enterprise::server]：安装ArcGIS Server并对其进行授权，创建站点并在Server Admin中启用HTTPS。
  —— [arcgis-enterprise::server_wa]：安装和配置WA for ArcGIS Server。
  —— [arcgis-enterprise::datastore]：安装ArcGIS Data Store并将其注册到ArcGIS Server。
  —— [arcgis-enterprise::federation]：联合带有门户的ArcGIS Server。将其设置为托管服务器。

以超级用户身份执行脚本

[root@lbd107 roles]# chef-solo -j /var/chef/roles/arcgis-enterprise-rhel.json

理论上到这里就该结束了，事实上并没有。跟踪cookbooks发现，当前提供的默认的Recipe，里面的部分插件是需要在联网环境下安装，包括但不限于以下几个方面：

• jdk-8u202-linux-x64.tar.gz
  
• apache-tomcat-8.0.53.tar.gz
• 通过 yum 安装 iptables
• ……

离线解决方案

妥妥的能直接联网就联网安装吧！否则相当折腾。 折腾方法往下：

JDK

Java的recipe位于/var/chef/cookbooks/java/recipes，指定执行的是oracle.rb，默认的jdk版本和checksum属性在./java/attributes/default.rb中设置，调用资源./java/resources/oracle_install.rb执行安装

• 查看JDK版本号

[root@lbd107 ~]# cd /var/chef/cookbooks/java/attributes/
[root@lbd107 attributes]# cat default.rb

# x86_64
default['java']['jdk']['8']['x86_64']['url'] = 'https://download.oracle.com/otn-pub/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jdk-8u202-linux-x64.tar.gz'
default['java']['jdk']['8']['x86_64']['checksum'] = '9a5c32411a6a06e22b69c495b7975034409fa1652d03aeb8eb5b6f59fd4594e0'

• 自行下载离线包jdk-8u202-linux-x64.tar.gz，并上传到 chef 读取的缓存目录/etc/chef/local-mode-cache/cache/

PS C:\WINDOWS\system32> scp d:/software/jdk-8u202-linux-x64.tar.gz root@192.168.137.2:/../var/software
root@192.168.137.2's password:
jdk-8u202-linux-x64.tar.gz                                                            100%  185MB  69.3MB/s   00:02
PS C:\WINDOWS\system32>

[root@lbd107 software]# cp jdk-8u202-linux-x64.tar.gz  /etc/chef/local-mode-cache/cache/jdk-8u202-linux-x64.tar.gz

• 再次执行chef-solo脚本可以顺利完成安装。

tomcat

esri-tomcat执行的是/var/chef/cookbooks/esri-tomcat/recipes/install.rb，会调用/var/chef/cookbooks/tomcat/resources/install.rb执行action :install操作。

• 查看tomcat的默认版本号

[root@lbd107 ~]# cd /var/chef/cookbooks/esri-tomcat/attributes
[root@lbd107 attributes]# cat default.rb
default['tomcat']['version'] = '8.0.53'

default['tomcat']['instance_name'] = 'arcgis'
default['tomcat']['install_path'] = '/opt/tomcat_' + node['tomcat']['instance_name'] + '_' + node['tomcat']['version']
default['tomcat']['user'] = 'tomcat_' + node['tomcat']['instance_name']
default['tomcat']['group'] = 'tomcat_' + node['tomcat']['instance_name']

default['tomcat']['ssl_enabled_protocols']='TLSv1.2,TLSv1.1,TLSv1'
default['tomcat']['keystore_file']  = ''
if ENV['TOMCAT_KEYSTORE_PASSWORD'].nil?
  default['tomcat']['keystore_password']  = ''
else
  default['tomcat']['keystore_password']  = ENV['TOMCAT_KEYSTORE_PASSWORD']
end
default['tomcat']['keystore_type']  = 'PKCS12'
default['tomcat']['domain_name']  = node['fqdn']
[root@lbd107 attributes]#

• 自行下载离线包apache-tomcat-8.0.53.tar.gz，并上传到 chef 能够读取的目录，如/tmp/。

PS C:\WINDOWS\system32> scp d:/software/apache-tomcat-8.0.53.tar.gz root@192.168.137.2:/../var/software
root@192.168.137.2's password:
apache-tomcat-8.0.53.tar.gz                                                           100% 9234KB  87.6MB/s   00:00
PS C:\WINDOWS\system32>

[root@lbd107 ~]# cd /var/software
[root@lbd107 software]# cp apache-tomcat-8.0.53.tar.gz /tmp/apache-tomcat-8.0.53.tar.gz

• 修改esri-tomcat的recipes文件，找到tomcat_install段，指定本地目录。同时设置对安装包的合法性校验checksum属性为false。

[root@lbd107 software] cd /var/chef/cookbooks/esri-tomcat/recipes
[root@lbd107 software] cp install.rb install-backup.rb
[root@lbd107 software] vim install.rb

tomcat_install instance_name do
  version node['tomcat']['version']
  verify_checksum false
  tarball_uri 'file:///tmp/apache-tomcat-8.0.53.tar.gz'
  install_path node['tomcat']['install_path']
  tomcat_user node['tomcat']['user']
  tomcat_group node['tomcat']['group']
  not if { ::File.exist?(::File.join(node['tomcat']['install_path'], 'LICENSE')) }
end

• 再次执行chef-solo脚本可以顺利完成安装

iptables

• 查看iptables 状态

[root@lbd107 ~]# rpm -qa|grep iptables
iptables-1.4.21-28.el7.x86_64
[root@lbd107 ~]# iptables
iptables v1.4.21: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@lbd107 ~]# yum info iptables
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Installed Packages
Name        : iptables
Arch        : x86_64
Version     : 1.4.21
Release     : 28.el7
Size        : 1.5 M
Repo        : installed
From repo   : anaconda
Summary     : Tools for managing Linux kernel packet filtering capabilities
URL         : http://www.netfilter.org/
License     : GPLv2
Description : The iptables utility controls the network packet filtering code in the
            : Linux kernel. If you need to set up firewalls and/or IP masquerading,
            : you should install this package.

[root@lbd107 ~]#

• 当前版本为 iptables-1.4.21-33.el7.x86_64.rpm
  安装iptables-services-1.4.21-33.el7.x86_64.rpm

结论

总体来说，在联网环境下部署还是比较方便，但是在离线环境下，虽然简化了ArcGIS相关的配置工作，却需要掌握chef-cookbook的配置文件修改技能，自行取舍吧。

参考

https://github.com/chef-cookbooks/tomcat
Deploy-a-base-ArcGIS-Enterprise-deployment-on-a-single-machine