Update to 2021-02-11 19:00

4 years ago · c38264c49d
parent 2dfdf66d0c
commit c38264c49d
13 changed files with 179 additions and 97 deletions
--- a/roles/mongodb_server/defaults/main.yml
+++ b/roles/mongodb_server/defaults/main.yml
@ -3,4 +3,9 @@
 mongo_port: 27017
 mongo_src_ip: []
 mongo_db_path: /var/lib/mongo
+# Should authorization be enabled
+mongo_auth: True
+mongo_admin_user: mongoadmin
+# A random one will be created if not defined here
+# mongo_admin_pass: S3cr3t.
 ...
--- a/roles/mongodb_server/tasks/conf.yml
+++ b/roles/mongodb_server/tasks/conf.yml
@ -0,0 +1,40 @@
+---
+
+- name: Deploy mongorc.js for the root user
+  template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600
+  register: mongo_mongorc
+  tags: mongo
+
+- when: mongo_mongorc.changed
+  block:
+
+    - name: Temporarily disable auth
+      template: src=mongod.conf.j2 dest=/etc/mongod.conf
+      vars:
+        - mongo_auth: False
+
+    - name: Restart mongo
+      service: name=mongod state=restarted
+
+    - name: Create the admin user
+      mongodb_user:
+        database: admin
+        name: "{{ mongo_admin_user }}"
+        password: "{{ mongo_admin_pass }}"
+        login_port: "{{ mongo_port }}"
+        roles:
+          - readWriteAnyDatabase
+          - userAdminAnyDatabase
+          - dbAdminAnyDatabase
+      tags: mongo
+
+  tags: mongo
+
+- name: Deploy configuration
+  template: src=mongod.conf.j2 dest=/etc/mongod.conf
+  notify: restart mongod
+  tags: mongo
+
+- name: Deploy mongorc.js for the root user
+  template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600
+  tags: mongo
--- a/roles/mongodb_server/tasks/facts.yml
+++ b/roles/mongodb_server/tasks/facts.yml
@ -0,0 +1,18 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+  tags: mongo
+
+# Create a random encryption password
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "/root/.mongo.pw"
+    - set_fact: mongo_admin_pass={{ rand_pass }}
+  when: mongo_admin_pass is not defined
+  tags: mongo
+
--- a/roles/mongodb_server/tasks/install.yml
+++ b/roles/mongodb_server/tasks/install.yml
@ -0,0 +1,60 @@
+---
+
+- name: Remove versions from the base repo
+  yum:
+    name:
+      - mongodb
+      - mongodb-server
+    state: absent
+  tags: mongo
+
+- name: Install MongoDB server and tools
+  yum: name={{ mongo_packages }}
+  tags: mongo
+
+# We install from pip because pymongo available in repo for both EL7 and EL8 is too old
+# it doesn't support CRAM-SHA-256 for example
+- name: Install pymongo
+  pip: name=pymongo state=latest
+  tags: mongo
+
+- name: Create data dir
+  file: path={{ mongo_db_path }} state=directory
+  tags: mongo
+
+  # Do it in two times so parent dir don't have restrictive permissions
+- name: Set permissions on data dir
+  file: path={{ mongo_db_path }} state=directory owner=mongod group=mongod mode=700
+  tags: mongo
+
+- name: Deploy pre/post backup scripts
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mongo mode=750
+  loop:
+    - pre
+    - post
+  tags: mongo
+
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/mongod.service.d state=directory
+  tags: mongo
+
+- name: Customize systemd unit
+  copy:
+    content: |
+      [Service]
+      PrivateTmp=yes
+      ProtectSystem=full
+      ProtectHome=yes
+      Restart=on-failure
+      StartLimitInterval=0
+      RestartSec=30
+    dest: /etc/systemd/system/mongod.service.d/ansible.conf
+  register: mongo_unit
+  notify: restart mongod
+  tags: mongo
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: mongo_unit.changed
+  tags: mongo
+
--- a/roles/mongodb_server/tasks/iptables.yml
+++ b/roles/mongodb_server/tasks/iptables.yml
@ -0,0 +1,9 @@
+---
+
+- name: Handle mongodb port
+  iptables_raw:
+    name: mongo_ports
+    state: "{{ (mongo_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mongo_port }} -s {{ mongo_src_ip | join(',') }} -j ACCEPT\n"
+  tags: firewall,mongo
+
--- a/roles/mongodb_server/tasks/main.yml
+++ b/roles/mongodb_server/tasks/main.yml
@ -1,93 +1,12 @@
 ---

- include_vars: "{{ item }}"
-  with_first_found:
-    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
-    - vars/{{ ansible_distribution }}.yml
-    - vars/{{ ansible_os_family }}.yml
-  tags: mongo
-
- name: Remove versions from the base repo
-  yum:
-    name:
-      - mongodb
-      - mongodb-server
-    state: absent
-  tags: mongo
-
- name: Install MongoDB server and tools
-  yum: name={{ mongo_packages }}
-  tags: mongo
-
- name: Create data dir
-  file: path={{ mongo_db_path }} state=directory
-  tags: mongo
-
-  # Do it in two times so parent dir don't have restrictive permissions
- name: Set permissions on data dir
-  file: path={{ mongo_db_path }} state=directory owner=mongod group=mongod mode=700
-  tags: mongo
-
- name: Set correct SELinux label
-  sefcontext:
-    target: "{{ mongo_db_path }}"
-    setype: mongod_var_lib_t
-    state: present
-  when: ansible_selinux.status == 'enabled'
-  tags: mongo
-
- name: Restore SELinux contexts
-  command: restorecon -R {{ mongo_db_path }}
+- include: facts.yml
+- include: install.yml
+- include: selinux.yml
  when: ansible_selinux.status == 'enabled'
-  changed_when: False
-  tags: mongo
-
- name: Deploy pre/post backup scripts
-  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mongo mode=750
-  loop:
-    - pre
-    - post
-  tags: mongo
-
- name: Deploy configuration
-  template: src=mongod.conf.j2 dest=/etc/mongod.conf
-  notify: restart mongod
-  tags: mongo
-
- name: Create systemd unit snippet dir
-  file: path=/etc/systemd/system/mongod.service.d state=directory
-  tags: mongo
-
- name: Customize systemd unit
-  copy:
-    content: |
-      [Service]
-      PrivateTmp=yes
-      ProtectSystem=full
-      ProtectHome=yes
-      Restart=on-failure
-      StartLimitInterval=0
-      RestartSec=30
-    dest: /etc/systemd/system/mongod.service.d/ansible.conf
-  register: mongo_unit
-  notify: restart mongod
-  tags: mongo
-
- name: Reload systemd
-  systemd: daemon_reload=True
-  when: mongo_unit.changed
-  tags: mongo
-
- name: Handle mongodb port
-  iptables_raw:
-    name: mongo_ports
-    state: "{{ (mongo_src_ip | length > 0) | ternary('present','absent') }}"
-    rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mongo_port }} -s {{ mongo_src_ip | join(',') }} -j ACCEPT\n"
+- include: iptables.yml
  when: iptables_manage | default(True)
-  tags: firewall,mongo
-
- name: Start and enable MongoDB daemon
-  service: name=mongod state=started enabled=yes
-  tags: mongo
+- include: conf.yml
+- include: services.yml

 ...
--- a/roles/mongodb_server/tasks/selinux.yml
+++ b/roles/mongodb_server/tasks/selinux.yml
@ -0,0 +1,14 @@
+---
+
+- name: Set correct SELinux label
+  sefcontext:
+    target: "{{ mongo_db_path }}"
+    setype: mongod_var_lib_t
+    state: present
+  tags: mongo
+
+- name: Restore SELinux contexts
+  command: restorecon -R {{ mongo_db_path }}
+  changed_when: False
+  tags: mongo
+
--- a/roles/mongodb_server/tasks/services.yml
+++ b/roles/mongodb_server/tasks/services.yml
@ -0,0 +1,6 @@
+---
+
+- name: Start and enable MongoDB daemon
+  service: name=mongod state=started enabled=yes
+  tags: mongo
+
--- a/roles/mongodb_server/templates/mongod.conf.j2
+++ b/roles/mongodb_server/templates/mongod.conf.j2
@ -1,7 +1,16 @@
-bind_ip = 0.0.0.0
-port = {{ mongo_port }}
-pidfilepath = /var/run/mongodb/mongod.pid
-unixSocketPrefix = /var/run/mongodb
-dbpath = {{ mongo_db_path }}
-syslog = true
-fork = true
+systemLog:
+  destination: syslog
+processManagement:
+  fork: true
+  pidFilePath: /var/run/mongodb/mongod.pid
+net:
+  port: {{ mongo_port }}
+  bindIp: 0.0.0.0
+  bindIpAll: true
+  unixDomainSocket:
+    pathPrefix: /var/run/mongodb
+security:
+  authorization: {{ mongo_auth | ternary('enabled','disabled') }}
+storage:
+  dbPath: {{ mongo_db_path }}
+  
--- a/roles/mongodb_server/templates/mongorc.js.j2
+++ b/roles/mongodb_server/templates/mongorc.js.j2
@ -0,0 +1,2 @@
+db = connect('localhost:{{ mongo_port }}/admin');
+db.auth('{{ mongo_admin_user }}', '{{ mongo_admin_pass }}');
--- a/roles/mongodb_server/templates/pre-backup.j2
+++ b/roles/mongodb_server/templates/pre-backup.j2
@ -1,4 +1,4 @@
 #!/bin/bash -e

 mkdir -p /home/lbkp/mongo
-mongodump --quiet --port {{ mongo_port }} --out /home/lbkp/mongo
+mongodump --username {{ mongo_admin_user }} --password {{ mongo_admin_pass | quote }} --quiet --port {{ mongo_port }} --out /home/lbkp/mongo
--- a/roles/mongodb_server/vars/CentOS-7.yml
+++ b/roles/mongodb_server/vars/CentOS-7.yml
@ -3,4 +3,4 @@
 mongo_packages:
  - mongodb-org-server
  - mongodb-org
-  - python-pymongo
+  - python-pip
--- a/roles/mongodb_server/vars/CentOS-8.yml
+++ b/roles/mongodb_server/vars/CentOS-8.yml
@ -3,4 +3,4 @@
 mongo_packages:
  - mongodb-org-server
  - mongodb-org
-  - python3-pymongo
+  - python3-pip