Introduction

Plone's Ansible Playbook can completely provision a remote server to run a full-stack, production-ready Plone server, including:

  • Plone in a cluster configuration;
  • Automatic starting and process control of the Plone cluster with supervisor;
  • Load balancing of the cluster with HAProxy;
  • Caching with Varnish;
  • Nginx as a world-facing reverse proxy and URL rewrite engine;
  • An outgoing-mail-only mail server using Postfix;
  • Monitoring and log analysis with munin-node, logwatch and fail2ban;
  • Use of a local VirtualBox provisioned via Vagrant to test and model your remote server.

An Ansible playbook and roles describe the desired condition of the server. The playbook is used both for initial provisioning and for updating.

Note

If you want to take more control of your playbook, the Plone server role is available by itself, and is listed on Ansible Galaxy.

TL;DR

  1. Install a current version of Ansible;
  2. If you wish to test locally, install Vagrant and VirtualBox;
  3. Check out or download a copy of this package;
  4. Run ansible-galaxy -p roles -r requirements.txt install to install required roles;
  5. Copy one of the sample*.yml files to local-configure.yml and edit as needed;
  6. To test in a local virtual machine, run vagrant up or vagrant provision;
  7. To deploy, create an Ansible inventory file for the remote host (look at vbox_host.cfg for an example) and run ansible-playbook --ask-sudo-pass -i myhost.cfg playbook.yml;
  8. Set a real password for your Plone instance on the target server;
  9. Set up appropriate firewalls.

Automated-server provisioning

The goal of an automated-server provisioning system like Ansible is a completely reproducible server configuration. If you wish to achieve this goal, discipline yourself to never change configuration on your target machines via login.

That doesn't mean you never log in to your provisioned server. It just means that when you do, you resist changing configuration options directly. Instead, change your playbook, test your changes against a test server, then use your playbook to update the target server.
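
One way to check that a server still matches its playbook, as an added example (not part of the playbook package): run the playbook in Ansible's check mode and flag any host whose PLAY RECAP line reports pending changes. The recap text below is constructed sample output, the host names are placeholders, and the function names drift_hosts and sample_recap are hypothetical.

```shell
#!/bin/sh
# Added example: drift detection from a check-mode run.
# Intended use (add the privilege-escalation options you normally pass):
#   ansible-playbook --check --diff -i myhost.cfg playbook.yml | drift_hosts
# Assumes the playbook is idempotent, so a freshly provisioned host
# reports changed=0. Tasks that cannot run in check mode are skipped
# and are therefore not covered by this check.

# Reads ansible-playbook output on stdin. Prints one line per host whose
# recap shows changed, failed or unreachable greater than zero.
# Exit status: 0 if every host is clean, 1 otherwise.
drift_hosts() {
    awk '
        /^PLAY RECAP/ { recap = 1; next }      # counters follow this banner
        recap && NF {
            host = $1; state = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if ((kv[1] == "changed" || kv[1] == "failed" ||
                     kv[1] == "unreachable") && kv[2] + 0 > 0)
                    state = state (state == "" ? "" : ",") $i
            }
            if (state != "") { print host " " state; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample output (not captured from a real run).
sample_recap() {
    cat <<'EOF'
TASK [constructed sample task] *************************************************
changed: [stage.example.org]

PLAY RECAP *********************************************************************
prod.example.org           : ok=58   changed=0    unreachable=0    failed=0    skipped=7
stage.example.org          : ok=57   changed=2    unreachable=0    failed=0    skipped=7
down.example.org           : ok=0    changed=0    unreachable=1    failed=0    skipped=0
EOF
}
```

A host listed with changed greater than zero either lags behind the current playbook or was modified by hand; the --diff output of the same run shows which files differ.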

We chose Ansible for our provisioning tool because:

  1. It requires no client component on the remote machine. Everything is done via ssh.
  2. Its YAML configuration files use structure and syntax that will be familiar to Python programmers. YAML basically represents a Python data structure in an outline. Conditional and loop expressions are in Python. Templating via Jinja2 is simple and clean.
  3. Ansible's documentation is excellent and complete.
  4. Ansible is easily extended by roles. Many basic roles are available on Ansible Galaxy.

If you need to log in

You should not need to. But if you do, you should know:

  1. The Plone zeoserver and zeoclient processes should be run under the plone_daemon login; they will normally be controlled via supervisor;
  2. Run buildout as plone_buildout.