Self Hosting Primero v2 - Installation

So maybe you have read the programmatic guidance for self hosting, self hosting set up and background info, the hosting requirements checklist, you have completed all the security tasks, you have reviewed the Tier 4 Deployment Workplan, you have hired world class dev ops engineers/system admins and topped your bank account up to overflowing.

Looks like you may be ready to self host!


Install Ubuntu 20.04 LTS and upgrade the target machine if you have not already done so:

sudo apt-get update && sudo apt-get upgrade

Warning: This machine needs to have a public, world-reachable IP address and FQDN.


Copy your ssh key to the target machine and make sure you have passwordless ssh access


Then install the required packages

sudo apt-get install python3-all python-is-python3 python3-pip python3-venv pwgen

also upgrade pip

pip install --upgrade pip

Clone the repository and enter the correct folder

ian@wintermuted:~/Dev$ mkdir v2-deploy
ian@wintermuted:~/Dev$ cd v2-deploy/
ian@wintermuted:~/Dev/v2-deploy$ git clone
ian@wintermuted:~/Dev/v2-deploy$ cd primero/ansible

Create the virtual environment

ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ virtualenv ../venv

edit the bin/activate script

ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ vi bin/activate

and comment out line 58


then run activate

ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ bin/activate

this should finish something like this

Starting galaxy collection install process
Process install dependency map
Starting collection install process
Installing 'quoin.infrastructure:1.0.0' to '/home/ian/Dev/v2-deploy/primero/ansible/ansible_collections/quoin/infrastructure'
Created collection for quoin.infrastructure at /home/ian/Dev/v2-deploy/primero/ansible/ansible_collections/quoin/infrastructure
quoin.infrastructure (1.0.0) was installed successfully

Create the file inventory.yml in the folder


containing the following content (you need to change whatever is between the < > symbols and then remove the <> symbols)

      ansible_user: 'root'
      primero_host: '<>'
      primero_tag: 'latest'
      locale_all: 'en,fr,ar'
      always_pull: true
      # These 3 variables are used to drive the build task.
      # Can be omitted if pulling images from Dockerhub
      primero_repo_branch: 'development_v2'
      build_docker_tag: 'latest'
      build_docker_container_registry: ''
      # If you want to seed from a private configuration repo
      #primero_configuration_repo: ''
      #primero_configuration_repo_branch: 'master'
      #primero_configuration_path: 'directory/of/config/loader/script'
      use_lets_encrypt: 'true'
      # The other certbot/lets_encrypt variables are optional. Include only if using Let's Encrypt
      - '{{ primero_host }}'
      certbot_email: '<>'
      lets_encrypt_domain: '{{ primero_host }}'
      lets_encrypt_email: '{{ certbot_email }}'
      # Different for self-signed certs
      nginx_ssl_cert_path: '/etc/letsencrypt/live/primero/fullchain.pem'
      nginx_ssl_key_path: '/etc/letsencrypt/live/primero/privkey.pem'
      # Optionally parametrize Primero containers with other environment attributes.
      # Do not use this dictionary for secrets!!!
        PRIMERO_DEFAULT_USERS: 'true' # Seed default users when using the managed Primero SaaS configs
        # LOCALE_DEFAULT: 'ar' # Optionally override English as the default locale.

Create secrets.yml in the folder


and then generate 5 strings as your secrets.

ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ pwgen -s 32 5

copy the generated strings to the file secrets.yml (you need to add each one between the < > symbols and then remove the <> symbols)

primero_secret_key_base: '< >'
primero_message_secret: '< >'
postgres_password: '< >'
devise_secret_key: '< >'
devise_jwt_secret_key: '< >'

Once you have done this then activate the virtual environment

ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ source ../venv/bin/activate

and bootstrap

(venv) ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ ansible-playbook bootstrap.yml

this should finish something like this

PLAY RECAP *********************************************************************
: ok=7    changed=4    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0

then do docker

(venv) ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ ansible-playbook install-docker.yml

load the primero secrets

(venv) ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ ansible-playbook application-primero.yml --tags "local-env" -e @secrets.yml

and then install Primero

(venv) ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ ansible-playbook application-primero.yml --tags configure,start

and finally install Let's Encrypt certs (it's better, however, to use your own bought certificates if self hosting)

(venv) ian@wintermuted:~/Dev/v2-deploy/primero/ansible$ ansible-playbook certbot.yml

then visit the domain you supplied in the primero_host variable of inventory.yml and you can log in to the CPIMS+

Now that your system is up and running you should now be thinking about maintenance and upgrading strategies for your production machine


If you need to look at the containers and the code which was actually installed on the target do this

sudo -s
docker ps

which will output all the containers like

6423f1d80c6b   primeroims/nginx:latest         "/usr/local/bin/entr…"   11 minutes ago   Up 11 minutes>80/tcp, :::80->80/tcp,>443/tcp, :::443->443/tcp   primero_nginx_1
a633ce0f0c53   primeroims/application:latest   "/ bund…"   11 minutes ago   Up 11 minutes

so to access the application code do

docker exec -it a633ce0f0c53 sh

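As an added example (not part of the original post or the Primero project), the secrets step from the guide above can be scripted so that secrets.yml is created with owner-only permissions and then checked for leftover < > placeholders. The five key names come from the post; the function names are hypothetical, and /dev/urandom stands in for pwgen.

```shell
#!/bin/sh
# Added example: key names come from the post; function names are hypothetical.
PRIMERO_SECRET_KEYS="primero_secret_key_base primero_message_secret postgres_password devise_secret_key devise_jwt_secret_key"

# 32 alphanumeric characters from the kernel CSPRNG (same shape as `pwgen -s 32 1`).
gen_secret() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# Create secrets.yml with owner-only permissions, then fill in the five keys.
write_primero_secrets() {
    out=$1
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing $out" >&2
        return 1
    fi
    (
        umask 077      # file is created 0600 before any secret is written
        : > "$out"
        for key in $PRIMERO_SECRET_KEYS; do
            secret=$(gen_secret)
            [ "${#secret}" -eq 32 ] || exit 1
            printf "%s: '%s'\n" "$key" "$secret" >> "$out"
        done
    ) || { rm -f "$out"; return 1; }
}

# Verify a secrets.yml, including one filled in by hand.
check_primero_secrets() {
    f=$1
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f is accessible to group or other" >&2
        return 1
    fi
    for key in $PRIMERO_SECRET_KEYS; do
        val=$(sed -n "s/^$key: '\(.*\)'\$/\1/p" "$f")
        case $val in
            *'<'*|*'>'*|*' '*) echo "$key still holds a placeholder" >&2; return 1 ;;
        esac
        if [ "${#val}" -lt 32 ]; then
            echo "$key is missing or shorter than 32 characters" >&2
            return 1
        fi
    done
}
```

Run `write_primero_secrets secrets.yml` in the ansible folder, and `check_primero_secrets secrets.yml` before passing the file to ansible-playbook with `-e @secrets.yml`.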

I tried to install and Solr crashes every time. Why does this software have a lot of bugs?

Did you upgrade the target machine before deployment? Did you try restarting the service on the target?

I followed your guideline until “install Primero” - ansible-playbook application-primero.yml --tags configure,start
I got an error about cloning the primero_configuration_repo: ‘’ as in the picture below.
I have an account with ssh key on bitbucket but cannot access that repository.
Please kindly advise.

@tyaiya you are trying to clone someone else's private repository. Check your inventory.yml and comment out the lines below

as shown above

@irlawrence | I commented them out, however I got another error about docker-compose or its path. May I seek your advice, please?


These commands above finished correctly?

Thank you, Ian. It seems no error. Here are the results:



Ok, so now try the secrets and the primero install commands

Dear Ian, here are they:
no error for secrets.yml

But it is the same error for - application-primero.yml --tags configure,start

The installDocker to the production server is completed at /opt/docker/bin

However, here at /opt/docker/bin there isn't any .yml file (as the error said, there is no file or directory for docker.compose.yml)

I am not sure how the script runs. Is it executed from the deploy machine's .primero/docker/ (where all the .yml files are) against the production server, or do I have to put those yml files or install something on the production server manually?

Thank you.

There are a couple of things which seem odd to me.

  • Is your production server on a public, world-accessible address? I think 192.168.x.x is a private IP range
  • You seem to be running everything as root. What is the reason for this?

Thank you for checking. I am sorry that I didn’t tell you at the beginning - all these machines are my testing VMs. That’s why they have private IPs and no domain name. I am running as root because I found some lines need su privilege, so I use root in this testing environment. We will harden a real production server.
Do you think these may be the cause of the error? It seems the scripts ran fine between the 2 machines until the install Primero step with application-primero.yml, which did not find 2 files as shown in the above error screen.

Yes you need a FQDN. You should also use a normal user. This tutorial builds on the concepts from the original tutorial for 1.x series so take a look at setting up a simple cloud instance which is explained in the linked guide if you are just learning/testing.

I also added this warning to this post

I followed all the steps of the guide, but when I try to log in, the page keeps loading and I’m getting the error in the image below. The resources on https don’t load.
Please help me.

If you mess up and want to remove the docker volumes you can ssh in to the target and do

sudo -s
# stop and remove every container on the host (-q prints IDs only, no header row)
docker ps -aq | xargs -r docker stop
docker ps -aq | xargs -r docker rm
# remove every Docker volume on the host
docker volume ls -q | xargs -r docker volume rm

then run all the ansible-playbook commands again

Thank you so much! It works.
I had to uninstall docker and nginx and remove the certbot certificates that I had generated on the target machine.

After cleaning the target machine, I executed all the ansible-playbook commands again and the issue is solved.

Hi, I’ve been trying to follow through this while troubleshooting issues. My latest has me a little stumped.
The db won’t seed, it looks like the script is pointing to the wrong app root:
/srv/primero/application/db/configuration/system_settings/system_settings.rb:8:in `create_or_update_system_setting'
/srv/primero/application/db/configuration/system_settings/system_settings.rb:15:in `<top (required)>'
/srv/primero/application/db/configuration/load_configuration.rb:32:in `<top (required)>'
/srv/primero/application/db/seeds.rb:1:in `load'
/srv/primero/application/db/seeds.rb:1:in `<top (required)>'
Tasks: TOP => db:seed
The setup places primero in /srv/primero as root, not /srv/primero/application (to be clear, there is no application folder in this location). I’ve tried adding the app_root environment variable and just adding a symlink as a workaround, but neither worked. Any chance you could help me find the problem? The website is up but I can’t log in with the default credentials, basically.


So you cannot use private IPs. It needs a public, world-reachable IP.
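The public IP and FQDN requirement discussed in this thread can be checked before running any playbook. This is an added example, not code from the thread or from Primero: the function names are hypothetical, and name resolution assumes glibc's `getent ahostsv4` as found on the Ubuntu 20.04 machines the guide uses.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of Primero.

# Return 0 only for a well-formed IPv4 address outside private/reserved space.
is_public_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac      # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    case $1 in
        0|10|127) return 1 ;;                                              # 0/8, RFC 1918 10/8, loopback
        100) if [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi ;;  # RFC 6598 CGNAT
        169) if [ "$2" -eq 254 ]; then return 1; fi ;;                     # link-local
        172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi ;;   # RFC 1918 172.16/12
        192) if [ "$2" -eq 168 ]; then return 1; fi ;;                     # RFC 1918 192.168/16
    esac
    [ "$1" -lt 224 ]                                 # multicast and reserved space
}

# check_primero_host FQDN [ADDR...]: addresses are resolved when none are given.
check_primero_host() {
    host=$1; shift
    case $host in
        ''|*[!A-Za-z0-9.-]*|*..*|.*|-*) echo "not a hostname: $host" >&2; return 1 ;;
        *.*[A-Za-z]*) ;;                             # dotted name with letters
        *) echo "primero_host must be an FQDN, not an IP or bare name: $host" >&2; return 1 ;;
    esac
    if [ $# -eq 0 ]; then
        # Assumption: glibc getent is available on the deploy machine.
        set -- $(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
    fi
    if [ $# -eq 0 ]; then
        echo "$host does not resolve to an IPv4 address" >&2
        return 1
    fi
    for addr in "$@"; do
        if ! is_public_ipv4 "$addr"; then
            echo "$host -> $addr is not publicly routable" >&2
            return 1
        fi
    done
}
```

Call `check_primero_host` with the value you put in primero_host; a non-zero exit means the inventory would point at a bare name, an IP literal, or a private address such as the 192.168.x.x case above.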


Using external instances of Postgres and Solr.

Instead of using primero’s docker images of Postgres and Solr is it possible to use external installations?
We would like to use AlloyDB for Postgres and an already running Solr instance in Yeti. How is the config done on Ansible?