Merge pull request #1019 from edx/jarv/ansible-1.5-and-certs

Jarv/ansible 1.5 and certs

Merge pull request #1019 from edx/jarv/ansible-1.5-and-certs
Jarv/ansible 1.5 and certs
0147c588 · John Jarvis · 8670ed9d · 43186344 · 0147c588 · 0147c588
Commit 0147c588 authored Apr 17, 2014 by John Jarvis
32 changed files
--- a/playbooks/edx-east/edx_continuous_integration.yml
+++ b/playbooks/edx-east/edx_continuous_integration.yml
@@ -18,6 +18,7 @@
      - ora
      - xqueue
      - xserver
+      - certs
      nginx_default_sites:
      - lms
    - edxlocal

--- a/playbooks/edx_sandbox.yml
+++ b/playbooks/edx_sandbox.yml
@@ -38,7 +38,7 @@
    - forum
    - { role: "xqueue", update_users: True }
    - ora
-    - discern
+    - certs
    - edx_ansible
    - role: datadog
      when: ENABLE_DATADOG

--- a/playbooks/roles/analytics-server/tasks/deploy.yml
+++ b/playbooks/roles/analytics-server/tasks/deploy.yml
@@ -25,6 +25,7 @@
 - name: checkout code
  git:
    dest={{ as_code_dir }} repo={{ as_source_repo }}
+    accept_hostkey=yes
    version={{ as_version }} force=true
  environment:
    GIT_SSH: $as_git_ssh

--- a/playbooks/roles/analytics/tasks/deploy.yml
+++ b/playbooks/roles/analytics/tasks/deploy.yml
@@ -25,6 +25,7 @@
 - name: checkout code
  git:
    dest={{ analytics_code_dir }} repo={{ analytics_source_repo }}
+    accept_hostkey=yes
    version={{ analytics_version }} force=true
  environment:
    GIT_SSH: $analytics_git_ssh

--- a/playbooks/roles/certs/defaults/main.yml
+++ b/playbooks/roles/certs/defaults/main.yml
@@ -25,18 +25,39 @@ CERTS_AWS_KEY: ""
 CERTS_AWS_ID: ""
 # GPG key ID, defaults to the dummy key
 CERTS_KEY_ID: "FEF8D954"
-# Path to git identity file for pull access to
-# the edX certificates repo - REQUIRED
-# Example - {{ secure_dir }}/files/git-identity
-CERTS_GIT_IDENTITY: !!null
+# Contents of the identity for a private
+# repo. Leave set to "none" if using the public
+# certificate repo
+CERTS_GIT_IDENTITY: "none"
 # Path to public and private gpg key for signing
 # the edX certificate. Default is a dummy key
 CERTS_LOCAL_PRIVATE_KEY: "example-private-key.txt"

+# This defaults to the public certificates repo which is
+# used for open-edx
+CERTS_REPO: "https://github.com/edx/read-only-certificate-code"
+CERTS_NGINX_PORT: 18090
+CERTS_WEB_ROOT: "{{ certs_data_dir }}/www-data"
+CERTS_URL: "http://localhost:{{ CERTS_NGINX_PORT }}"
+CERTS_DOWNLOAD_URL: "http://localhost:{{ CERTS_NGINX_PORT }}"
+CERTS_VERIFY_URL: "http://localhost:{{ CERTS_NGINX_PORT }}"
+# Set to false if using s3 or if you don't want certificates
+# copied to the web root
+CERTS_COPY_TO_WEB_ROOT: true
+CERTS_S3_UPLOAD: false
+
+# Can be set to a different repo for private
+# templates, fonts, etc.
+CERTS_TEMPLATE_DATA_DIR: 'template_data'
+# this is the trust export, output of
+# gpg --export-ownertrust
+CERTS_OWNER_TRUST: "A9F9EAD11A0A6E7E5A037BDC044089B6FEF8D954:6:\n"
+
 ########## Internal role vars below

 certs_user: certs
 certs_app_dir: "{{ COMMON_APP_DIR }}/certs"
+certs_data_dir: "{{ COMMON_DATA_DIR }}/certs"
 certs_code_dir: "{{ certs_app_dir }}/certificates"
 certs_venvs_dir: "{{ certs_app_dir }}/venvs"
 certs_venv_dir: "{{ certs_venvs_dir }}/certs"
@@ -44,7 +65,6 @@ certs_venv_bin: "{{ certs_venv_dir }}/bin"
 certs_git_ssh: /tmp/git_ssh.sh
 certs_git_identity: "{{ certs_app_dir }}/certs-git-identity"
 certs_requirements_file: "{{ certs_code_dir }}/requirements.txt"
-certs_repo: "git@github.com:/edx/certificates"
 certs_version: 'master'
 certs_gpg_dir: "{{ certs_app_dir }}/gnupg"
 certs_env_config:
@@ -57,6 +77,13 @@ certs_env_config:
  CERT_KEY_ID: $CERTS_KEY_ID
  LOGGING_ENV: ""
  CERT_GPG_DIR: $certs_gpg_dir
+  CERT_URL: $CERTS_URL
+  CERT_DOWNLOAD_URL: $CERTS_DOWNLOAD_URL
+  CERT_WEB_ROOT: $CERTS_WEB_ROOT
+  COPY_TO_WEB_ROOT: $CERTS_COPY_TO_WEB_ROOT
+  S3_UPLOAD: $CERTS_S3_UPLOAD
+  CERT_VERIFY_URL: $CERTS_VERIFY_URL
+  TEMPLATE_DATA_DIR: $CERTS_TEMPLATE_DATA_DIR

 certs_auth_config:
  QUEUE_USER: $CERTS_QUEUE_USER

--- a/playbooks/roles/certs/files/example-key-ownertrust.txt
+++ b/playbooks/roles/certs/files/example-key-ownertrust.txt
+A9F9EAD11A0A6E7E5A037BDC044089B6FEF8D954:6:
--- a/playbooks/roles/certs/tasks/deploy.yml
+++ b/playbooks/roles/certs/tasks/deploy.yml
@@ -36,14 +36,19 @@
    owner={{ certs_user }} mode=750
  notify: restart certs

+# This key is only needed if you are pulling down a private
+# certificates repo
 - name: install read-only ssh key for the certs repo
  copy: >
    content="{{ CERTS_GIT_IDENTITY }}" dest={{ certs_git_identity }}
    force=yes owner={{ certs_user }} mode=0600
+  when: CERTS_GIT_IDENTITY != "none"
  notify: restart certs

 - name: checkout certificates repo into {{ certs_code_dir }}
-  git: dest={{ certs_code_dir }} repo={{ certs_repo }} version={{ certs_version }}
+  git: >
+    dest={{ certs_code_dir }} repo={{ CERTS_REPO }} version={{ certs_version }}
+    accept_hostkey=yes
  sudo_user: "{{ certs_user }}"
  environment:
    GIT_SSH: "{{ certs_git_ssh }}"
@@ -51,6 +56,7 @@

 - name: remove read-only ssh key for the certs repo
  file: path={{ certs_git_identity }} state=absent
+  when: CERTS_GIT_IDENTITY != "none"
  notify: restart certs

 - name : install python requirements

--- a/playbooks/roles/certs/tasks/main.yml
+++ b/playbooks/roles/certs/tasks/main.yml
@@ -31,10 +31,6 @@
 #     - supervisor
 #     - certs
 #
- name: Checking to see if git identity is set
-  fail: msg="You must set CERTS_GIT_IDENTITY var for this role!"
-  when: not CERTS_GIT_IDENTITY
-
 - name: create application user
  user: >
    name="{{ certs_user }}"
@@ -43,7 +39,7 @@
    shell=/bin/false
  notify: restart certs

- name: create certs app and data dirs
+- name: create certs app dirs
  file: >
    path="{{ item }}"
    state=directory
@@ -52,7 +48,20 @@
  notify: restart certs
  with_items:
    - "{{ certs_app_dir }}"
+    # needed for the ansible 1.5 git module
+    - "{{ certs_app_dir }}/.ssh"
    - "{{ certs_venvs_dir }}"
+    - "{{ certs_data_dir }}"
+
+# The certs web root must be owned
+# by the web user so the certs service
+# can write files there.
+- name: create certs web root
+  file: >
+    path="{{ CERTS_WEB_ROOT }}"
+    state=directory
+    owner="{{ common_web_group }}"
+    group="{{ certs_user }}"

 - name: create certs gpg dir
  file: >
@@ -69,6 +78,12 @@
  notify: restart certs
  register: certs_gpg_key

+- name: copy the pgp trust export
+  copy: >
+    content="{{ CERTS_OWNER_TRUST }}"
+    dest={{ certs_app_dir }}/trust.export
+    owner={{ common_web_user }} mode=0600
+  notify: restart certs

 - name: load the gpg key
  shell: >
@@ -77,4 +92,11 @@
  when: certs_gpg_key.changed
  notify: restart certs

+- name: import the trust export
+  shell: >
+    /usr/bin/gpg --homedir {{ certs_gpg_dir }} --import-ownertrust {{ certs_app_dir }}/trust.export
+  sudo_user: "{{ common_web_user }}"
+  when: certs_gpg_key.changed
+  notify: restart certs
+
 - include: deploy.yml tags=deploy
--- a/playbooks/roles/demo/tasks/deploy.yml
+++ b/playbooks/roles/demo/tasks/deploy.yml
 ---

 - name: check out the demo course
-  git: dest={{ demo_code_dir }}  repo={{ demo_repo }} version={{ demo_version }}
+  git: >
+    dest={{ demo_code_dir }}  repo={{ demo_repo }} version={{ demo_version }}
+    accept_hostkey=yes
  sudo_user: "{{ demo_edxapp_user }}"
  register: demo_checkout


--- a/playbooks/roles/discern/tasks/deploy.yml
+++ b/playbooks/roles/discern/tasks/deploy.yml
@@ -33,13 +33,17 @@
    - restart discern

 - name: git checkout discern repo into discern_code_dir
-  git: dest={{ discern_code_dir }} repo={{ discern_source_repo }} version={{ discern_version }}
+  git: >
+    dest={{ discern_code_dir }} repo={{ discern_source_repo }} version={{ discern_version }}
+    accept_hostkey=yes
  sudo_user: "{{ discern_user }}"
  notify:
    - restart discern

 - name: git checkout ease repo into discern_ease_code_dir
-  git: dest={{ discern_ease_code_dir}} repo={{ discern_ease_source_repo }} version={{ discern_ease_version }}
+  git: >
+    dest={{ discern_ease_code_dir}} repo={{ discern_ease_source_repo }} version={{ discern_ease_version }}
+    accept_hostkey=yes
  sudo_user: "{{ discern_user }}"
  notify:
    - restart discern
@@ -48,7 +52,7 @@
 - name : install python pre-requirements for discern and ease
  pip: >
    requirements={{item}} virtualenv={{ discern_venv_dir }} state=present
-    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"  
+    extra_args="-i {{ COMMON_PYPI_MIRROR_URL }}"
  sudo_user: "{{ discern_user }}"
  notify:
    - restart discern

--- a/playbooks/roles/edx_ansible/defaults/main.yml
+++ b/playbooks/roles/edx_ansible/defaults/main.yml
@@ -29,6 +29,7 @@ edx_ansible_debian_pkgs:
  - libxml2-dev
  - libxslt1-dev
  - curl
+  - python-yaml
 edx_ansible_app_dir: "{{ COMMON_APP_DIR }}/edx_ansible"
 edx_ansible_code_dir: "{{ edx_ansible_app_dir }}/edx_ansible"
 edx_ansible_data_dir: "{{ COMMON_DATA_DIR }}/edx_ansible"

--- a/playbooks/roles/edx_ansible/tasks/deploy.yml
+++ b/playbooks/roles/edx_ansible/tasks/deploy.yml
 ---
 - name: git checkout edx_ansible repo into edx_ansible_code_dir
-  git: dest={{ edx_ansible_code_dir }} repo={{ edx_ansible_source_repo }} version={{ configuration_version }}
+  git: >
+    dest={{ edx_ansible_code_dir }} repo={{ edx_ansible_source_repo }} version={{ configuration_version }}
+    accept_hostkey=yes
  sudo_user: "{{ edx_ansible_user }}"

 - name : install edx_ansible venv requirements

--- a/playbooks/roles/edx_ansible/templates/update.j2
+++ b/playbooks/roles/edx_ansible/templates/update.j2
@@ -12,7 +12,7 @@ IFS=","
            -v        add verbosity to edx_ansible run
            -h        this

-    <repo> - must be one of edx-platform, xqueue, cs_comments_service, xserver, ease, discern, edx-ora, configuration
+    <repo> - must be one of edx-platform, xqueue, cs_comments_service, xserver, ease, edx-ora, configuration, read-only-certificate-code
    <version> - can be a commit or tag

 EO
@@ -43,12 +43,13 @@ edx_ansible_cmd="{{ edx_ansible_venv_bin }}/ansible-playbook -i localhost, -c lo

 repos_to_cmd["edx-platform"]="$edx_ansible_cmd edxapp.yml -e 'edx_platform_version=$2'"
 repos_to_cmd["xqueue"]="$edx_ansible_cmd xqueue.yml -e 'xqueue_version=$2'"
+repos_to_cmd["xserver"]="$edx_ansible_cmd xserver.yml -e 'xserver_version=$2'"
 repos_to_cmd["cs_comments_service"]="$edx_ansible_cmd forum.yml -e 'forum_version=$2'"
 repos_to_cmd["xserver"]="$edx_ansible_cmd forums.yml -e 'xserver_version=$2'"
 repos_to_cmd["ease"]="$edx_ansible_cmd discern.yml -e 'discern_ease_version=$2' && $edx_ansible_cmd ora.yml -e 'ora_ease_version=$2'"
-repos_to_cmd["discern"]="$edx_ansible_cmd discern.yml -e 'discern_version=$2'"
 repos_to_cmd["edx-ora"]="$edx_ansible_cmd ora.yml -e 'ora_version=$2'"
 repos_to_cmd["configuration"]="$edx_ansible_cmd edx_ansible.yml -e 'configuration_version=$2'"
+repos_to_cmd["read-only-certificate-code"]="$edx_ansible_cmd certs.yml -e 'certs_version=$2'"


 if [[ -z $1 || -z $2 ]]; then

--- a/playbooks/roles/edxapp/tasks/deploy.yml
+++ b/playbooks/roles/edxapp/tasks/deploy.yml
@@ -28,7 +28,9 @@

 # Do A Checkout
 - name: checkout edx-platform repo into {{edxapp_code_dir}}
-  git: dest={{edxapp_code_dir}} repo={{edx_platform_repo}} version={{edx_platform_version}}
+  git: >
+    dest={{edxapp_code_dir}} repo={{edx_platform_repo}} version={{edx_platform_version}}
+    accept_hostkey=yes
  register: chkout
  sudo_user: "{{ edxapp_user }}"
  environment:
@@ -45,7 +47,9 @@
  - "restart edxapp_workers"

 - name: checkout theme
-  git: dest={{ edxapp_app_dir }}/themes/{{edxapp_theme_name}} repo={{edxapp_theme_source_repo}} version={{edxapp_theme_version}}
+  git: >
+    dest={{ edxapp_app_dir }}/themes/{{edxapp_theme_name}} repo={{edxapp_theme_source_repo}} version={{edxapp_theme_version}}
+    accept_hostkey=yes
  when: edxapp_theme_name != ''
  sudo_user: "{{ edxapp_user }}"
  environment:

--- a/playbooks/roles/edxapp/tasks/main.yml
+++ b/playbooks/roles/edxapp/tasks/main.yml
@@ -19,6 +19,8 @@
  - "restart edxapp_workers"
  with_items:
    - "{{ edxapp_app_dir }}"
+    # needed for the ansible 1.5 git module
+    - "{{ edxapp_app_dir }}/.ssh"
    - "{{ edxapp_data_dir }}"
    - "{{ edxapp_venvs_dir }}"
    - "{{ edxapp_theme_dir }}"

--- a/playbooks/roles/forum/tasks/deploy.yml
+++ b/playbooks/roles/forum/tasks/deploy.yml
@@ -30,7 +30,9 @@
  notify: restart the forum service

 - name:  git checkout forum repo into {{ forum_code_dir }}
-  git: dest={{ forum_code_dir }} repo={{ forum_source_repo }} version={{ forum_version }}
+  git: >
+    dest={{ forum_code_dir }} repo={{ forum_source_repo }} version={{ forum_version }}
+    accept_hostkey=yes
  sudo_user: "{{ forum_user }}"
  notify: restart the forum service


--- a/playbooks/roles/jenkins_master/tasks/main.yml
+++ b/playbooks/roles/jenkins_master/tasks/main.yml
@@ -84,7 +84,9 @@
 # upstream, we may be able to use the regular plugin install process.
 # Until then, we compile and install the forks ourselves.
 - name: checkout custom plugin repo
-  git: repo={{ item.repo_url }} dest=/tmp/{{ item.repo_name }} version={{ item.version }}
+  git: >
+    repo={{ item.repo_url }} dest=/tmp/{{ item.repo_name }} version={{ item.version }}
+    accept_hostkey=yes
  with_items: jenkins_custom_plugins

 - name: compile custom plugins

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/certs.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/certs.j2
+server {
+  listen {{ CERTS_NGINX_PORT }} default_server;
+
+  location / {
+    root {{ CERTS_WEB_ROOT }};
+    {% include "basic-auth.j2" %}
+    try_files $uri $uri/valid.html =404;
+  }
+}
+
--- a/playbooks/roles/notifier/tasks/deploy.yml
+++ b/playbooks/roles/notifier/tasks/deploy.yml
@@ -4,6 +4,7 @@
  git:
    dest={{ NOTIFIER_CODE_DIR }} repo={{ NOTIFIER_SOURCE_REPO }}
    version={{ NOTIFIER_VERSION }}
+    accept_hostkey=yes
  sudo: true
  sudo_user: "{{ NOTIFIER_USER }}"
  notify:

--- a/playbooks/roles/ora/tasks/deploy.yml
+++ b/playbooks/roles/ora/tasks/deploy.yml
@@ -40,7 +40,9 @@

 # Do A Checkout
 - name: git checkout ora repo into {{ ora_app_dir }}
-  git: dest={{ ora_code_dir }} repo={{ ora_source_repo }} version={{ ora_version }}
+  git: >
+    dest={{ ora_code_dir }} repo={{ ora_source_repo }} version={{ ora_version }}
+    accept_hostkey=yes
  sudo_user: "{{ ora_user }}"
  notify:
    - restart ora

--- a/playbooks/roles/ora/tasks/ease.yml
+++ b/playbooks/roles/ora/tasks/ease.yml
 # Do A Checkout
 - name: git checkout ease repo into its base dir
-  git: dest={{ora_ease_code_dir}} repo={{ora_ease_source_repo}} version={{ora_ease_version}}
+  git: >
+    dest={{ora_ease_code_dir}} repo={{ora_ease_source_repo}} version={{ora_ease_version}}
+    accept_hostkey=yes
  sudo_user: "{{ ora_user }}"
  notify:
    - restart ora

--- a/playbooks/roles/rbenv/tasks/main.yml
+++ b/playbooks/roles/rbenv/tasks/main.yml
@@ -53,6 +53,7 @@
  git: >
    repo=https://github.com/sstephenson/rbenv.git
    dest={{ rbenv_dir }}/.rbenv version={{ rbenv_version }}
+    accept_hostkey=yes
  sudo_user: "{{ rbenv_user }}"

 - name: ensure ruby_env exists
@@ -79,7 +80,9 @@
  when: rbuild_present|failed or (installable_ruby_vers is defined and rbenv_ruby_version not in installable_ruby_vers)

 - name: clone ruby-build repo
-  git: repo=https://github.com/sstephenson/ruby-build.git dest={{ tempdir.stdout }}/ruby-build
+  git: >
+    repo=https://github.com/sstephenson/ruby-build.git dest={{ tempdir.stdout }}/ruby-build
+    accept_hostkey=yes
  when: rbuild_present|failed or (installable_ruby_vers is defined and rbenv_ruby_version not in installable_ruby_vers)
  sudo_user: "{{ rbenv_user }}"


--- a/playbooks/roles/xqueue/tasks/deploy.yml
+++ b/playbooks/roles/xqueue/tasks/deploy.yml
@@ -28,7 +28,9 @@

 # Do A Checkout
 - name: git checkout xqueue repo into xqueue_code_dir
-  git: dest={{ xqueue_code_dir }} repo={{ xqueue_source_repo }} version={{ xqueue_version }}
+  git: >
+    dest={{ xqueue_code_dir }} repo={{ xqueue_source_repo }} version={{ xqueue_version }}
+    accept_hostkey=yes
  sudo_user: "{{ xqueue_user }}"
  notify:
    - restart xqueue

--- a/playbooks/roles/xserver/tasks/deploy.yml
+++ b/playbooks/roles/xserver/tasks/deploy.yml
@@ -12,7 +12,9 @@
  when: not disable_edx_services

 - name: checkout code
-  git: dest={{xserver_code_dir}} repo={{xserver_source_repo}} version={{xserver_version}}
+  git: >
+    dest={{xserver_code_dir}} repo={{xserver_source_repo}} version={{xserver_version}}
+    accept_hostkey=yes
  sudo_user: "{{ xserver_user }}"
  notify: restart xserver

@@ -48,7 +50,9 @@
  notify: restart xserver

 - name: checkout grader code
-  git: dest={{ XSERVER_GRADER_DIR }} repo={{ XSERVER_GRADER_SOURCE }} version={{ xserver_grader_version }}
+  git: >
+    dest={{ XSERVER_GRADER_DIR }} repo={{ XSERVER_GRADER_SOURCE }} version={{ xserver_grader_version }}
+    accept_hostkey=yes
  environment:
    GIT_SSH: /tmp/git_ssh.sh
  notify: restart xserver

--- a/playbooks/roles/xserver/tasks/main.yml
+++ b/playbooks/roles/xserver/tasks/main.yml
@@ -32,6 +32,8 @@
    group="{{ common_web_group }}"
  with_items:
    - "{{ xserver_app_dir }}"
+    # needed for the ansible 1.5 git module
+    - "{{ xserver_app_dir }}/.ssh"
    - "{{ xserver_venvs_dir }}"
    - "{{ xserver_data_dir }}"
    - "{{ xserver_data_dir }}/data"

--- a/playbooks/roles/xserver/templates/git_ssh.sh.j2
+++ b/playbooks/roles/xserver/templates/git_ssh.sh.j2
 #!/bin/sh
-exec /usr/bin/ssh -o StrictHostKeyChecking=no -i {{ xserver_git_identity }} "$@"
+exec /usr/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i {{ xserver_git_identity }} "$@"
--- a/playbooks/vagrant-devstack.yml
+++ b/playbooks/vagrant-devstack.yml
@@ -2,16 +2,6 @@
  hosts: all
  sudo: True
  gather_facts: True
-  vars:
-    migrate_db: "yes"
-    openid_workaround: True
-    devstack: True
-    disable_edx_services: True
-    edx_platform_version: 'master'
-    mongo_enable_journal: False
-    EDXAPP_NO_PREREQ_INSTALL: 0
-    COMMON_MOTD_TEMPLATE: "devstack_motd.tail.j2"
-    COMMON_SSH_PASSWORD_AUTH: "yes"
  vars_files:
    - "group_vars/all"
  roles:

--- a/playbooks/vagrant-fullstack.yml
+++ b/playbooks/vagrant-fullstack.yml
@@ -2,11 +2,6 @@
  hosts: all
  sudo: True
  gather_facts: True
-  vars:
-    migrate_db: "yes"
-    openid_workaround: True
-    EDXAPP_LMS_NGINX_PORT: '80'
-    edx_platform_version: 'master'
  vars_files:
    - "group_vars/all"
  roles:
@@ -19,6 +14,7 @@
      - ora
      - forum
      - xqueue
+      - certs
      nginx_default_sites:
      - lms
      - cms
@@ -33,4 +29,5 @@
    - forum
    - { role: "xqueue", update_users: True }
    - ora
+    - certs
    - edx_ansible
--- a/requirements.txt
+++ b/requirements.txt
-ansible==1.4.4
-PyYAML==3.10
+ansible==1.5.4
+PyYAML==3.11
 Jinja2==2.7.2
-MarkupSafe==0.18
+MarkupSafe==0.21
 argparse==1.2.1
 boto==2.20.1
-ecdsa==0.10
-paramiko==1.12.0
+ecdsa==0.11
+paramiko==1.13.0
 pycrypto==2.6.1
 wsgiref==0.1.2
 docopt==0.6.1
--- a/util/jenkins/ansible-provision.sh
+++ b/util/jenkins/ansible-provision.sh
@@ -87,6 +87,8 @@ EDXAPP_PREVIEW_LMS_BASE: preview.${deploy_host}
 EDXAPP_LMS_BASE: ${deploy_host}
 EDXAPP_CMS_BASE: studio.${deploy_host}
 EDXAPP_SITE_NAME: ${deploy_host}
+CERTS_DOWNLOAD_URL: "http://${deploy_host}:18090"
+CERTS_VERIFY_URL: "http://${deploy_host}:18090"
 edx_platform_version: $edxapp_version
 forum_version: $forum_version
 xqueue_version: $xqueue_version
@@ -161,15 +163,15 @@ done
 # run non-deploy tasks for all roles
 if [[ $reconfigure == "true" || $server_type == "full_edx_installation_from_scratch" ]]; then
    cat $extra_vars_file
-    ansible-playbook edx_continuous_integration.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --skip-tags deploy
+    ansible-playbook edx_continuous_integration.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu 
 fi

-if [[ $server_type == "full_edx_installation" || $server_type == "full_edx_installation_from_scratch" ]]; then
+if [[ $server_type == "full_edx_installation" ]]; then
    # Run deploy tasks for the roles selected
    for i in $roles; do
        if [[ ${deploy[$i]} == "true" ]]; then
            cat $extra_vars_file
-            ansible-playbook ${i}.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --tags deploy
+            ansible-playbook ${i}.yml -i "${deploy_host}," -e@${extra_vars_file} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --tags deploy -v
        fi
    done
 fi

--- a/vagrant/base/devstack/Vagrantfile
+++ b/vagrant/base/devstack/Vagrantfile
@@ -52,6 +52,21 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|

  config.vm.provision :ansible do |ansible|
    ansible.playbook = "../../../playbooks/vagrant-devstack.yml"
-    ansible.verbose = "extra"
+    ansible.verbose = "vvvv"
+    # set extra-vars here instead of in the vagrant play so that
+    # they are written out to /edx/etc/server-vars.yml which can
+    # be used later when running ansible locally
+    ansible.extra_vars = {
+        migrate_db: 'yes',
+        openid_workaround: true,
+        devstack: true,
+        disable_edx_services: true,
+        edx_platform_version: 'master',
+        mongo_enable_journal: false,
+        EDXAPP_NO_PREREQ_INSTALL: 0,
+        COMMON_MOTD_TEMPLATE: 'devstack_motd.tail.j2',
+        COMMON_SSH_PASSWORD_AUTH: "yes",
+    }
+
  end
 end
--- a/vagrant/base/fullstack/Vagrantfile
+++ b/vagrant/base/fullstack/Vagrantfile
@@ -7,7 +7,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box     = "precise64"
  config.vm.box_url = "http://files.vagrantup.com/precise64.box"
  config.ssh.insert_key = true
-
+  config.vm.synced_folder  ".", "/vagrant", disabled: true
  config.vm.network :private_network, ip: "192.168.33.10"

  config.vm.provider :virtualbox do |vb|
@@ -28,6 +28,19 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.provision :ansible do |ansible|
    # point Vagrant at the location of your playbook you want to run
    ansible.playbook = "../../../playbooks/vagrant-fullstack.yml"
-    ansible.verbose = "extra"
+    # set extra-vars here instead of in the vagrant play so that
+    # they are written out to /edx/etc/server-vars.yml which can
+    # be used later when running ansible locally
+    ansible.extra_vars = { 
+        ansible_ssh_user: 'vagrant',
+        migrate_db: 'yes',
+        openid_workaround: true,
+        edx_platform_version: 'master',
+        EDXAPP_LMS_NGINX_PORT: '80',
+        EDX_ANSIBLE_DUMP_VARS: true,
+        CERTS_DOWNLOAD_URL: 'http://192.168.33.10:18090',
+        CERTS_VERIFY_URL: 'http://192.168.33.10:18090',
+    }
+    ansible.verbose = "vvvv"
  end
 end