- Used Ansible instead of Terraform
- Everything is automated except for some SSH steps
Git clone the repository and download the latest Kasm image to roles/install_common/files
To install Ansible and AWS CLI, run the following commands:
sudo apt-get update
sudo apt-get install ansible -y
sudo apt-get install awscli -y
Generate your SSH key pair using the AWS Management Console or the AWS CLI:
aws ec2 create-key-pair --key-name rachit-j-key --query 'KeyMaterial' --output text > rachit-j-key.pem
chmod 400 rachit-j-key.pem
Start up >4 AWS Instances, size greater than 50gb, and modify their security group to have the following permissions:
Each parameter in the inventory
file must be configured with the public IP addresses of the instances:
##################
# Host inventory #
##################
all:
children:
zone1:
children:
zone1_db:
hosts:
zone1_db_1:
ansible_host: <public_ip>
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: rachit-j-key.pem
# Add similar configurations for web, agent, and guac
Moreover, in the file roles/install_common/tasks/remote_db_init.yml
, you must change the {{ redis ip }}
field (line 10) to the IP of the database server. Ex:
host: "35.90.165.132" # IP CHANGED HERE
Connect to each instance using SSH and run the following commands to install Docker:
ssh -i rachit-j-key.pem ubuntu@<public_ip>
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
sudo apt-get install docker-compose -y
Finally, run the Ansible playbooks and make sure to check the output and save passwords if not already defined:
ansible-playbook -i inventory install_kasm.yml
Ensure all services are running and properly configured.
This project requires ansible 2.9.24 or greater on the host running the ansible playbook. The target systems do no not need Ansible installed.
The steps below for installing Ansible have been tested on CentOS 7.9.2009, CentOS 8.4.2105, Debian 9.13, Debian 10.10, Ubuntu 18.04.5, Ubuntu 20.04.3, and Ubuntu 22.04.2. This should function on any Linux distribution with Python3.
-
Ensure pip3 is installed
Ubuntu/Debian:
sudo apt install python3-pip
CentOS:
sudo yum install python3-pip
-
Add local bin directory to path in bashrc
echo 'PATH=$PATH:$HOME/.local/bin' >> ~/.bashrc
source ~/.bashrc
- Use pip to install ansible
python3 -m pip install --user -U pip && python3 -m pip install --user -U ansible
- Ensure that ansible version is greater than 2.9.24
ansible --version
Ubuntu 22.04.2, Debian Bullseye, Alpine 3.17, RHEL 9 and derivatives (including Fedora 37), and Arch all have a late enough version of Ansible in their repositories.
Ubuntu/Debian: sudo apt-get install -y ansible
RHEL/Fedora: sudo dnf -y install ansible-core
Alpine: sudo apk add ansible
Arch: sudo pacman -Sy --noconfirm ansible-core
This playbook will deploy Kasm Workspaces in a multi-server deployment using Ansible.
- It installs the kasm components on the systems specified in the ansible
inventory
required for the respective roles (db, web, agent, guac, proxy). - It creates a new swapfile to ensure that the total swap space matches the size
desired_swap_size
specified in the inventory file for all agents. - It enables the docker daemon to run at boot to ensure that kasm services are started after a reboot.
It has been tested on CentOS 7.9.2009, CentOS 8.4.2105, Debian 9.13, Debian 10.10, Ubuntu 18.04.5, Ubuntu 20.04.3, and Ubuntu 22.04.2 hosts.
-
Open
inventory
file and fill in the hostnames / ips for the servers that will be fulfilling the agent, web, db, and guac roles. Please take the time to get acquainted with the inventory file and it's layout. It serves as the master file controlling how this multi server installation will be deployed. Every variable in this file has been designed to scale except for the database. Regardless of deployment size there will only be one centralized databasezone1_db_1
or a remote type db that all "web" roles need direct access to. -
Ensure the variables for each host in the deployment are set properly specifically:
- ansible_host: (hostname or IP address)
- ansible_port: (ssh port)
- ansible_ssh_user: (ssh user to login as, reccomended root or a user with passwordless sudo)
- ansible_ssh_private_key_file: (full path to ssh private key file to user which can be include bash completion IE ~/.ssh/mykey)
-
Download the Kasm Workspaces installer from https://www.kasmweb.com/downloads.html and copy it to
roles/install_common/files
.Optionally, if doing an offline installation: Download and copy the workspace_images and service_images files to
roles/install_common/files
. -
Run the deployment.
ansible-playbook -i inventory install_kasm.yml
-
Make notes of the credentials generated during the installation to be able to login.
-
Login to the deployment as [email protected] using the IP of one of the web servers (eg https://192.168.1.2)
-
Navigate to the Agents tab, and enable each Agent after it checks in. (May take a few minutes)
Post installation your local inventory file will be modified with the appropriate credentials please make a copy or keep this somewhere safe
If any deployment errors occur please run the uninstall_kasm.yml playbook against the same inventory file before trying again as there might be half set credentials leading to a broken deployment, see the helper playbooks section for more information
The installation can be "scaled up" after being installed by adding any additional hosts including entire new zones. Once modified run:
ansible-playbook -i inventory install_kasm.yml
Before running the installation against a modified inventory file please ensure the credentials lines in your inventory were set and uncommented properly by the initial deployment IE:
## Credentials ##
# If left commented secure passwords will be generated during the installation and substituted in upon completion
user_password: PASSWORD
admin_password: PASSWORD
database_password: PASSWORD
redis_password: PASSWORD
manager_token: PASSWORD
registration_token: PASSWORD
A common example of adding more Docker Agents:
zone1_agent:
hosts:
zone1_agent_1:
ansible_host: zone1_agent_hostname
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
zone1_agent_2:
ansible_host: zone1_agent2_hostname
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
If you would like to scale up web/agent/guac/proxy servers as a group where the agent/guac/proxy server talk exclusively to that web server set default_web: false
in your inventory file. This requires entries with a matching integer for all hosts IE:
zone1_web:
hosts:
zone1_web_1:
ansible_host: zone1_web_hostname
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
zone1_web_2:
ansible_host: zone1_web2_hostname
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
zone1_agent:
hosts:
zone1_agent_1:
ansible_host: zone1_agent_hostname
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
zone1_agent_2:
ansible_host: zone1_agent2_hostname
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
zone1_guac:
hosts:
zone1_guac_1:
ansible_host: zone1_guac_hostname
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
hosts:
zone1_guac_2:
ansible_host: zone1_guac2_hostname
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
Included in inventory is a commeted section laying out a second zone. The names zone1 and zone2 were chosen arbitraily and can be modified to suite your needs, but all items need to follow that naming pattern IE:
# Second zone
# Optionally modify names to reference zone location IE west
west:
children:
west_web:
hosts:
west_web_1:
ansible_host: HOST_OR_IP
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
west_agent:
hosts:
west_agent_1:
ansible_host: HOST_OR_IP
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
west_guac:
hosts:
west_guac_1:
ansible_host: HOST_OR_IP
ansible_port: 22
ansible_ssh_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/id_rsa
vars:
zones:
- zone1
- west
If for any reason you have misplaced your inventory file post installation credentials for the installation can be recovered using:
- Existing Database password can be obtained by logging into a webapp host and running the following command:
sudo grep " password" /opt/kasm/current/conf/app/api.app.config.yaml
- Existing Redis password can be obtained by logging into a webapp host and running the following command:
sudo grep "redis_password" /opt/kasm/current/conf/app/api.app.config.yaml
- Existing Manager token can be obtained by logging into an agent host and running the following command:
sudo grep "token" /opt/kasm/current/conf/app/agent.app.config.yaml
In order to deploy with a dedicated remote database that is not managed by ansible you will need to provide endpoint and authentication credentials. To properly init the database superuser credentials along with the credentials the application will use to access it will need to be defined.
- First remove the
zone1_db
entry from inventory:
#zone1_db:
#hosts:
#zone1_db_1:
#ansible_host: zone1_db_hostname
#ansible_port: 22
#ansible_ssh_user: ubuntu
#ansible_ssh_private_key_file: ~/.ssh/id_rsa
- Set the relevant credentials and enpoints:
## PostgreSQL settings ##
##############################################
# PostgreSQL remote DB connection parameters #
##############################################
# The following parameters need to be set only once on database initialization
init_remote_db: true
database_master_user: postgres
database_master_password: PASSWORD
database_hostname: DATABASE_HOSTNAME
# The remaining variables can be modified to suite your needs or left as is in a normal deployment
database_user: kasmapp
database_name: kasm
database_port: 5432
database_ssl: true
## redis settings ##
# redis connection parameters if hostname is set the web role will use a remote redis server
redis_hostname: REDIS_HOSTNAME
redis_password: REDIS_PASSWORD
- Run the deployment:
ansible-playbook -i inventory install_kasm.yml
Post deployment if the install_kasm.yml
needs to be run again to make scaling changes it is important to set init_remote_db: false
this should happen automatically but best to check
- Before deployment or while scaling open
inventory
and uncomment/add the relevant lines for :
# Optional Web Proxy server
#zone1_proxy:
#hosts:
#zone1_proxy_1:
#ansible_host: zone1_proxy_hostname
#ansible_port: 22
#ansible_ssh_user: ubuntu
#ansible_ssh_private_key_file: ~/.ssh/id_rsa
- Post deployment follow the instructions here to configure the proxy for use.
It is important to use a DNS endpoint for the web
and proxy
role as during deployment the CORS settings will be linked to that domain
Using these playbooks assumes you have allready gone through the installation process and setup your inventory file properly. These playbooks run against that inventory to help administrators:
- Uninstall Kasm Workspaces (uninstall_kasm.yml)- This will completely purge your Kasm Workspaces installation on all hosts, if using a remote database that data will stay intact no remote queries will be executed. Example Usage:
ansible-playbook -i inventory uninstall_kasm.yml
- Stop Kasm Workspaces (stop_kasm.yml)- This will stop all hosts defined in inventory or optionally be limited to a zone, group or single server passing the
--limit
flag. Example Usageansible-playbook -i inventory --limit zone1_agent_1 stop_kasm.yml
- Start Kasm Workspaces (start_kasm.yml)- This will start all hosts defined in inventory or optionally be limited to a zone, group or single server passing the
--limit
flag. Example Usageansible-playbook -i inventory --limit zone1_agent_1 start_kasm.yml
- Restart Kasm Workspaces (restart_kasm.yml)- This will restart all hosts defined in inventory or optionally be limited to a zone, group or single server passing the
--limit
flag. Example Usageansible-playbook -i inventory --limit zone1_agent_1 restart_kasm.yml
- Backup Database (backup_db.yml)- This will make a backup of a managed Docker based db server, this playbook will not function with a remote db type installation. Example Usage ``ansible-playbook -i inventory backup_db.yml`
- Modify
remote_backup_dir
in inventory to change the path the remote server stores the backups - Modify
retention_days
in inventory to change the number of days that logs backups are retained on db host - Set
local_backup_dir
to define a path on the local ansible host where backups will be stored, if unset backups will only exist on the remote server
- Modify
- OS Patching (patch_os.yml)- This will update system packages and reboot on all hosts defined in inventory or optionally be limited to a zone, group or single server passing the
--limit
flag. Example Usageansible-playbook -i inventory --limit zone1_agent_1 patch_os.yml