Differences between XnatInstaller and OmeroInstaller postgresql roles

[p-j-smith]

There are some differences between the XnatInstaller and and OmeroInstaller postgresql roles.

I'll list them here and, where I have an idea of how to, suggest how to handle these differences in this standalone role.

• XnatInstaller installs python libraries in the postgresql role. This could instead be done by the mirsg.install_python role.

• XnatInstaller handles some differences between RedHat 7/8 and whether the host is running on Azure. This could instead be handled by setting two variables: postgres.rpm_rhel could be set based on whether 7/8 is used; disable_postgres_rmp_gpg_check could default tofalse and set to true in the host file for any servers running on Azure.

• OmeroInstaller disables postgres and import the rpm key before using the postgresql role. This only needs to be done for Rocky 8, not Centos 7 (it errors for Centos 7 as there is no postgres running). XnatInstaller handles this within the postgres role when running Rocky 8. Would it be better to follow what OmeroInstaller does or what XnatInstaller does?

• XnatInstaller installs postgres contrib but OmeroInstaller doesn't. Is this needed? Should it be optional?

• XnatInstaller generates a postgres server certificate but OmeroInstaller doesn't. Should this be part of the postgresql role or separate? If separate, where should it go?

• OmeroInstaller has a task to create the database but XnatInstaller doesn't. Should this be made optional or done outside of the postgresql role?

• The task to add the postgres client certificate to server is different for XnatInstaller and OmeroInstaller. Which one should we follow?

[drmatthews]

XnatInstaller installs python libraries in the postgresql role. This could instead be done by the mirsg.install_python role.

Agreed this is the way forward. This step is done in the Python role for OmeroInstaller.

XnatInstaller handles some differences between RedHat 7/8 and whether the host is running on Azure. This could instead be handled by setting two variables: postgres.rpm_rhel could be set based on whether 7/8 is used; disable_postgres_rmp_gpg_check could default to false and set to true in the host file for any servers running on Azure.

Sounds like a good plan.

OmeroInstaller disables postgres and import the rpm key before using the postgresql role. This only needs to be done for Rocky 8, not Centos 7 (it errors for Centos 7 as there is no postgres running). XnatInstaller handles this within the postgres role when running Rocky 8. Would it be better to follow what OmeroInstaller does or what XnatInstaller does?

OmeroInstaller was intended to be used with Rocky8 and not CentOS7. So, we should follow what XnatInstaller does and handle both scenarios.

XnatInstaller installs postgres contrib but OmeroInstaller doesn't. Is this needed? Should it be optional?

This wasn't required on Rocky 8, so again I think we need handle both scenarios, installing it when running on CentOS7.

XnatInstaller generates a postgres server certificate but OmeroInstaller doesn't. Should this be part of the postgresql role or separate? If separate, where should it go?

In OmeroInstaller certificate generation is handled by the create_self_signed_certificate role. This role copies the generated cert to an Ansible cache folder. In the postgresql role the server cert is copied in place from the cache. Likewise, in the omero_server role the Postgresql client cert is copied into place from the cache. I think we should follow a similar patter in XnatInstaller and avoid having certificate creating in the postgresql role.

OmeroInstaller has a task to create the database but XnatInstaller doesn't. Should this be made optional or done outside of the postgresql role?

My personal opinion is that database creation can be handled by the postgresql role. However, there is an argument to be made that the postgresql role should handle installation and configuration, and isolated from user and database creation, whcih can be handled by a separate role.

The task to add the postgres client certificate to server is different for XnatInstaller and OmeroInstaller. Which one should we follow?

It gets complicated because the Postgresql client and server both need to have certs generated and then the client needs access to the server cert and vice versa. In XnatInstaller this is handled as follows:

• The client cert is created using create_pg_client_cert
• The server cert is generated in the postgresql role
• The client cert is copied to the server in the postgresql role
• The server cert is copied to the client using the add_pg_server_cert_to_client role

In OmeroInstaller I decided to create a single role for making certs. I then did the copying in the omero_server role (client to server) and it the postgresql role (server to client). Before the copying can happen though, the certs need to be retrieved from the cache. This is another point of difference - I created a single cache directory instead of one for the server and one for the client. This also meant creation of self_signed_cert variables, the naming of which is probably a bit confusing.

[p-j-smith]

Closing as I think these issues have been handled in the current release of this role. Thanks for the explanations!