JFrog Help Center

Our new portal is coming soon!
Documentation + Knowledge Base





JFrog Help Center - A new knowledge experience is coming your way soon!


Skip to end of metadata
Go to start of metadata

Overview

JFrog’s Ansible Collection includes several Ansible roles for JFrog Artifactory, JFrog Xray, JFrog Distribution, JFrog Insight, and PostgreSQL (optional) that allow you to install the latest JFrog Platform in many different configurations - from simple single server installations to redundant and highly available setups - this collection provides the flexibility for any architecture.

In addition, the Ansible Collection includes optional roles for a PostgreSQL database and NGINX, which also allows you to add those components (refer to the example inventory and playbook files that are included in the Collection and that address most of the popular use cases).

Setting up Ansible and the JFrog Ansible Collection

There are several ways to install Ansible depending on your system; Ansible uses SSH to connect to hosts, so the best practice is to set up SSH key pairs and place the public key on the hosts (refer to the Ansible documentation for information on how to set this up). Some cloud providers also make this easier by setting up the SSH keys for you.

The JFrog Ansible Platform Collection consists of the following:

  • ansible_collections directory: This directory contains the Ansible Collection package with the Ansible roles for the following products:
    • Artifactory
    • Xray
    • Distribution
    • Insight
  • examples directory: This directory contains example playbooks for various architectures

Pipelines is not supported in this installation.

System Requirements

Before installing the JFrog Ansible Collection, refer to System Requirements for information on supported platforms, supported browsers, required ports and other requirements. 

Important

Each JFrog product must be installed on a separate box.

From 10.11.x collection and above if you use fully qualified collection name (FQCN), run the following command to install collection dependencies.

ansible-galaxy collection install community.postgresql community.general ansible.posix
When installing the JFrog Platform, you must run the installation as a root user or provide sudo access to a non-root user. 

Operating Systems

The JFrog Ansible Collection can be installed on the following operating systems:

  • Ubuntu LTS versions (16.04/18.04/20.4)
  • Centos/RHEL 7.x/8.x
  • Debian  9.x/10.x

For the specific supported versions, see the System Requirements Matrix.

Page Contents

Installation

Single Node Installation

The following installation installs the JFrog Platform as single product (single node) installations and not as clusters/HA.

  1. Install the Ansible Collection from the Ansible Galaxy.

    ansible-galaxy collection install jfrog.platform

  2. Verify that you reference the Ansible Collection in your playbook when using these roles.

    ---
- hosts: artifactory_servers
      collections:
        - jfrog.platform
      roles:
        - artifactory

    Ansible uses SSH to connect to hosts. Verify that your SSH private key is on your client and that the public keys are installed on your Ansible hosts.

  3. Create an inventory file: Use one of the examples from the examples directory to construct an inventory file (hosts.yml) with the host addresses and variables.

  4. Next, create your playbook: Use one of the examples from the examples directory to construct a playbook using the JFrog Ansible roles. These roles will be applied to your inventory and provision software.

  5. Execute the following command to provision the JFrog software with Ansible. 

    ansible-playbook -vv platform.yml -i hosts.ini

Generating Master and Join Keys

  1. Generate the master and join keys. If you do not provide these keys, they will be set to the defaults in the groupvars/all/vars.yaml file under each role. For production deployments, you may want to generate your master and join keys and to apply them to all the nodes using the following command.

    MASTER_KEY_VALUE=$(openssl rand -hex 32)
JOIN_KEY_VALUE=$(openssl rand -hex 32)
ansible-playbook -vv platform.yml -i hosts.ini --extra-vars "master_key=$MASTER_KEY_VALUE join_key=$JOIN_KEY_VALUE"

    Important

    Remember to save the generated master and join keys for future upgrades.

Overriding the system.yaml in Ansible Installations

By default, the flag <product>_systemyaml_override is set to false, which means that any changes you do to override/edit the existing yaml will not be applied.
By setting this flag to true, e.g., artifactory_systemyaml_override: true, you can then override the existing configurations for the product, in this case Artifactory.

Using Ansible Vault to Encrypt Vars

Some vars you may want to keep secret. You may put these vars into a separate file and encrypt them using the Ansible Vault.

Use the following command.

ansible-vault encrypt secret-vars.yml --vault-password-file ~/.vault_pass.txt

Then in your playbook include the secret vars file.

- hosts: artifactory_servers
  vars_files:
    - ./vars/secret-vars.yml
    - ./vars/vars.yml
  roles:
    - artifactory

Using an External Database

If you want to use an external database for one or more products:

  1. Set the value of the postgres_enabled field to false (which means that you are not going to use the Postgres role that is bundled with the collection) in group_vars/all/vars.yml.  

  2. Follow the steps below to create an external database and then change the corresponding product values in group_vars/all/vars.yml.
    The following example shows a sample configuration for the Artifactory database connection details. 

    postgres_enabled: false

artifactory_db_type: postgresql
artifactory_db_driver: org.postgresql.Driver
artifactory_db_name: <external_db_name>
artifactory_db_user: <external_db_user>
artifactory_db_password: <external_db_pasword>
artifactory_db_url: jdbc:postgresql://<external_db_host>:5432/{{ artifactory_db_name }}

You can also modify other JFrog products database configuration to set up an external PostgreSQL database in the same file.

Creating the PostgreSQL Database

Supported PostgreSQL Versions

Artifactory supports PostgreSQL version 13.x and below (9.5 and 9.6 were EOL in 2021).

Use the commands below to create an Artifactory user and database with appropriate permissions. Modify the relevant values to match your specific environment:

Creating an Artifactory User and Database
CREATE USER artifactory WITH PASSWORD 'password';
CREATE DATABASE artifactory WITH OWNER=artifactory ENCODING='UTF8';
GRANT ALL PRIVILEGES ON DATABASE artifactory TO artifactory;

Once you have verified that the script is correct, you need to run it to create the database and proceed with configuring the database.

Artifactory Privileges

We recommend providing Artifactory with full privileges on the database.


Configuring Artifactory to Use PostgreSQL

When you configure Artifactory to use PostgreSQL, all the artifact information is stored in PostgreSQL while the artifact binary data is stored in the file system (under $JFROG_HOME/artifactory/var/data/artifactory/filestore).

While it is possible to store BLOBs inside PostgreSQL we do  not recommend it. This is important because the PostgreSQL driver does not support streaming BLOBs with unknown length to the database. Therefore, Artifactory temporarily saves deployed files to the filesystem and only then saves the BLOB to the database.

Configuring Artifactory to Use PostgreSQL Single Node

  1. Stop the Artifactory service.

  2. Edit the database connection details in the system.yaml configuration file as follows.

    shared:
  database:
    type: postgresql
    driver: org.postgresql.Driver
    url: jdbc:postgresql://<your db url, for example: localhost:5432>/artifactory
    username: artifactory
    password: password


  3. Start the Artifactory service.

Configuring Artifactory HA to Use PostgreSQL Database in HA

Available from Artifactory 7.31.10.

  1. Stop the Artifactory service.

  2. Edit the system.yaml file to update the following values.

    Because Artifactory uses multiple drivers and you need to configure the connection strings for these separately.


    1. The url field under the shared database section in the following format.

      jdbc:postgresql://<PostgreSQL Database 1 URL>,..., <PostgreSQL Database N URL>/artifactory?targetServerType=primary

    2. The url field under the metadata database section in the following format.

      jdbc:postgresql://<PostgreSQL Database 1 URL>,..., <PostgreSQL Database N URL>/artifactory?target_session_attrs=read-write"

      The following sample shows an example system.yaml file configuration.

      systemYaml:
 shared:
   logging:
   ...
   database:
     type: postgresql
     url: "jdbc:postgresql://17.21.0.2:5432,17.21.0.3:5432/artifactory?targetServerType=primary"
     driver: org.postgresql.Driver
     username: "artifactory"
     password: "password"
 artifactory:
   Database:
 ...
 frontend:
 ...
 access:
 ...
 metadata:
   database:
     type: postgresql
     url: "jdbc:postgresql://17.21.0.2:5432,17.21.0.3:5432/artifactory?target_session_attrs=read-write"
     driver: org.postgresql.Driver
     username: "artifactory"
     password: "password"
...
  3. Start the Artifactory service.

Enabling TLS Encryption

To enable Transport Layer Security (TLS) encryption for PostgreSQL, set the sslmode property to verify-full in the  JDBC connector URL.

For example, in the $JFROG_HOME/artifactory/var/etc/system.yaml file: 

shared:
  database:
    ...
    url:jdbc:postgresql://mypostgress.mydomain.com:5432/artifactory?ssl=true&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=verify-  
    full&sslrootcert=/tmp/server.crt
...

If you are using old certificates or have an AWS RDS instance that was created before July 2020, you will not have Subject Alternative Name (SAN) enabled. To resolve this issue, you will need to generate a new certificate with SAN.


High Availability (HA) Installation

By default, the Ansible Platform Collection is installed in a single node configuration. Currently, HA is supported for Artifactory and not the other products.

To enable HA for Artifactory, set the following as true in roles/artifactory/defaults/main.yml inside the Ansible Platform Collection.

artifactory_ha_enabled: true

You can also enable HA by setting extra-vars by running the following command if you are doing a fresh installation. 

ansible-playbook -vv platform.yml -i hosts.ini --extra-vars "artifactory_ha_enabled=true"

You can enable HA for an existing single node installation by running the following command.

ansible-playbook -vv platform.yml -i hosts.ini --extra-vars "artifactory_ha_enabled=true artifactory_systemyaml_override=true"

By default, Ansible tries to manage all of the machines referenced in a play in parallel and starts all Artifactory nodes in parallel, which is not supported and causes the installation to fail. To avoid such a scenario, add the following serial mode logic in your playbook when you install or upgrade Artifactory in HA mode. 

- hosts: artifactory_servers
  serial:
    - 1
    - 100%
  roles:
    - role: artifactory
      when: artifactory_enabled | bool

By default, all nodes are installed as primary nodes, which means that all nodes in the high availability cluster can perform tasks such as replication, garbage collection, backups, exporting, and importing. Every node in the cluster can serve any of the mentioned tasks and if any node goes down, the different nodes in the cluster will be able to perform these tasks instead. By default, when adding a new node (member) to the cluster, it will be able to perform cluster-wide tasks without user intervention. 

The "taskAffinity": "any" attribute is set by default, on all the nodes in the cluster, when installing an Artifactory version 7.17.4 and above and is configured under the Nodes section in the Artifactory Configuration YAML. To remove this functionality from a node, set  "taskAffinity": "none". For more information, see Cloud-Native High Availability

Building the Collection Archive

  1. Go to the ansible_collections/jfrog/installers directory.

  2. Update the galaxy.yml meta file as needed. Update the version.

  3. Build the archive (this requires Ansible 2.9+).

    ansible-galaxy collection build

Set SSL Certificate and Key for Nginx

Set artifactory_nginx_ssl_enabled as true in roles/artifactory/defaults/main.yml inside the Ansible Platform Collection. This enables Artifactory to use the artifactory_nginx_ssl role.

Configure the following role variables in the artifactory_nginx_ssl role.

  • server_name: The server name. For example, artifactory.54.105.51.178.xip.io.
  • certificate: The SSL certificate
  • certificate_key: The SSL private key.
  • nginx_worker_processes: The worker_processes configuration for Nginx. Default is 1.
  • artifactory_docker_registry_subdomain: Whether to add a redirect directive to the Nginx configuration for the use of docker subdomains.
  • No labels
Copyright © 2023 JFrog Ltd.