This repository has been moved to https://gitlab.developers.cam.ac.uk/uis/devops/lecture-capture/agent-ansible/
Ansible configuration management for Lecture Capture Capture Agents.
Starting with a bare machine ..
- From bare machine to configurable host
- Agent deployment keys
- Updating hosts file
- Running ansible playbook
.. capture agent can now be seen in lecture capture backend (Opencast - Locations)
- Use uisautomation/lecture-capture-agent-bootstrap to build a netboot installer image
- Copy this to a bootable USB stick
- Configure the PC's BIOS as described here
- Insert the USB stick, power on and press F12 (boot menu)
- Choose the USB stick - installation of lubuntu 18.04 will start
- When finished, the PC will power off
- Remove the USB stick and boot the PC
- The PC will automatically login as the galicaster user
- Take a note of the PC's IP address
- Configure Power Management to prevent sleeping
Hosts are configured so that login as root is by means of a deploy key. You must have the deploy key available to your local SSH agent before you can log into the box or run the playbook. To add the deploy key to your local SSH agent:
$ alias vault="ansible-vault --vault-password-file=$PWD/secrets/open-vault"
# Decrypt deploy key (umask 077 so the file is never created group- or world-readable)
$ (umask 077; vault view secrets/lecture-capture-agent-deploy-main > ~/.ssh/lecture-capture-agent-deploy-main)
$ chmod 0600 ~/.ssh/lecture-capture-agent-deploy-main
# Copy passphrase to clipboard
$ vault view secrets/lecture-capture-agent-deploy.passphrase | xclip -i -sel clip
# Add key to ssh-agent
$ ssh-add ~/.ssh/lecture-capture-agent-deploy-main
Lecture Capture agent boxes also have a key which can log in as the
"galicaster" user without root privileges. The public and private halves of that
key and the passphrase are stored in the files lecture-capture-galicaster{,.pub,.passphrase}.
To be able to specify the host when running the ansible playbook it needs adding to the appropriate hosts file for the environment (prod-hosts, test-hosts or dev-hosts).
It needs to be added in the section relevant to the video/audio hardware in the device. Currently only the following are used:
- capture-agents-v4l2-split
  - Proposed production
  - Single screen (slides/presentation)
  - Audio from 3.5mm jack
- capture-agents-magewell-split
  - Initial experimental
  - Magewell card installed
TODO: Add capture-agents-dual-v4l2-split for dual video presentation and presenter ?
Copy a commented example in the hosts file, changing the IP address to that of the desired host. The hostname doesn't matter but needs to be unique and is specified when running the playbook.
For example:
[capture-agents-v4l2-split]
uis-capture-agent-42 ansible_host=172.24.234.123 ansible_ssh_port=22
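A pre-flight check for the inventory rules above, added here as an example (it is not part of this repository): it confirms that the name you are about to pass to -l appears exactly once in the hosts file, sits in one of the two hardware groups listed above, and has an ansible_host set. The function name check_inventory_host and its exit codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the repository.
# Usage: check_inventory_host <hosts-file> <hostname>
# On success prints "<group> <ansible_host>" and returns 0.
# Returns 1 (not found), 2 (name not unique), 3 (unexpected group),
# 4 (no ansible_host), with the reason on stderr.
check_inventory_host() {
    awk -v want="$2" '
        /^[ \t]*(#|;|$)/ { next }          # commented examples and blank lines
        /^[ \t]*\[/ {                      # [group] header
            group = $0
            sub(/^[ \t]*\[/, "", group)
            sub(/\].*$/, "", group)
            next
        }
        $1 == want {
            seen++
            found_group = group
            addr = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^ansible_host=/) addr = substr($i, 14)
        }
        END {
            err = "/dev/stderr"
            if (seen == 0) { print "host not in inventory: " want > err; exit 1 }
            if (seen > 1)  { print "host name is not unique: " want > err; exit 2 }
            if (found_group != "capture-agents-v4l2-split" &&
                found_group != "capture-agents-magewell-split") {
                print "unexpected group: " found_group > err; exit 3
            }
            if (addr == "") { print "no ansible_host for " want > err; exit 4 }
            print found_group, addr
        }
    ' "$1"
}
```

Run it as `check_inventory_host dev-hosts uis-capture-agent-42` before invoking the playbook; a non-zero status means the entry should be fixed first.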
The run-ansible-playbook.sh wrapper script pulls a Docker image with the correct version of Ansible and uses it to run the playbook. Invoke it
via the following, specifying the appropriate hosts file and limiting to the hostname, e.g.:
$ ./run-ansible-playbook.sh capture-agent.yml -i dev-hosts -l uis-capture-agent-42
NOTE: the run-ansible-playbook.sh wrapper will attempt to decrypt the vault password in secrets/password.asc using GPG. If your GPG key is not one of those able to decrypt this file, you cannot run the playbook.
This will configure the PC to launch galicaster on boot.
A known issue with this is that the "Get Line In Source" task doesn't always resolve the line in source from pactl list sources.
Re-running the playbook should resolve the line in source.
Check that the audio location set up in the galicaster profile is something other than default.
TODO: make ansible do this. Possibly with xfce4-power-manager and/or xset commands
- Open xfce Power Manager (Menu > Preferences > Power Manager)
- On the System tab set When inactive for to Never
(following only actually needed for PCs with screens attached, e.g. Norwich and testing)
- On the Display tab:
  - Set Display power management to Off
  - Set Blank after to Never
- On Security tab set Automatically lock the session to Never
Secrets have been encrypted using Ansible vault. The following alias will give
you a vault alias which can decrypt/encrypt vault variables.
$ cd ~/path/to/this/repo
$ alias vault="ansible-vault --vault-password-file=$PWD/secrets/open-vault"
You can check that you can decrypt secrets by decrypting the test secret:
$ vault view secrets/test-secret.txt
The vault password is GPG encrypted with the team's keys and was generated via:
$ pwgen -1 64 | gpg --encrypt --recipient [email protected] --armor
The capture-agent-patch.yml playbook runs the upgrade-os role over the inventory one host at a time using the serial setting. The playbook can be run like any other playbook.
$ ./run-ansible-playbook.sh capture-agent-patch.yml -i <inventory file> (-l <host list to limit to>)
This will find and apply any updates and autoremove any leftover packages. It will reboot the host if a reboot is needed.
Currently the production agents aren't able (for whatever reason) to set themselves to the correct time. Having the correct time is crucial for being able to schedule events, so a simple playbook has been included to update the agents to the correct time. This playbook can be run as follows.
$ ./run-ansible-playbook.sh temp-set-date.yml -i prod-hosts
It is temporary and should be removed when the clock issue has been resolved.