From c38264c49d25cfce95822b4da25655ce62d76f5a Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Thu, 11 Feb 2021 19:00:06 +0100 Subject: [PATCH] Update to 2021-02-11 19:00 --- roles/mongodb_server/defaults/main.yml | 5 ++ roles/mongodb_server/tasks/conf.yml | 40 ++++++++++++ roles/mongodb_server/tasks/facts.yml | 18 ++++++ roles/mongodb_server/tasks/install.yml | 60 +++++++++++++++++ roles/mongodb_server/tasks/iptables.yml | 9 +++ roles/mongodb_server/tasks/main.yml | 93 ++------------------------- roles/mongodb_server/tasks/selinux.yml | 14 ++++ roles/mongodb_server/tasks/services.yml | 6 ++ roles/mongodb_server/templates/mongod.conf.j2 | 23 +++++-- roles/mongodb_server/templates/mongorc.js.j2 | 2 + roles/mongodb_server/templates/pre-backup.j2 | 2 +- roles/mongodb_server/vars/CentOS-7.yml | 2 +- roles/mongodb_server/vars/CentOS-8.yml | 2 +- 13 files changed, 179 insertions(+), 97 deletions(-) create mode 100644 roles/mongodb_server/tasks/conf.yml create mode 100644 roles/mongodb_server/tasks/facts.yml create mode 100644 roles/mongodb_server/tasks/install.yml create mode 100644 roles/mongodb_server/tasks/iptables.yml create mode 100644 roles/mongodb_server/tasks/selinux.yml create mode 100644 roles/mongodb_server/tasks/services.yml create mode 100644 roles/mongodb_server/templates/mongorc.js.j2 diff --git a/roles/mongodb_server/defaults/main.yml b/roles/mongodb_server/defaults/main.yml index 7f53e66..ab22852 100644 --- a/roles/mongodb_server/defaults/main.yml +++ b/roles/mongodb_server/defaults/main.yml @@ -3,4 +3,9 @@ mongo_port: 27017 mongo_src_ip: [] mongo_db_path: /var/lib/mongo +# Should authorization be enabled +mongo_auth: True +mongo_admin_user: mongoadmin +# A random one will be created if not defined here +# mongo_admin_pass: S3cr3t. ... diff --git a/roles/mongodb_server/tasks/conf.yml b/roles/mongodb_server/tasks/conf.yml new file mode 100644 index 0000000..9420558 --- /dev/null +++ b/roles/mongodb_server/tasks/conf.yml 
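Review bot: `mongo_auth: True` in the new defaults is a capitalised YAML 1.1 boolean; write `mongo_auth: true` so yamllint's `truthy` rule passes and the value reads the same under a 1.2 parser. The comment above the commented-out `mongo_admin_pass` could also say where a generated password ends up; facts.yml in this commit hands `pass_file: "/root/.mongo.pw"` to the helper, so `# A random one will be created (and, per get_rand_pass.yml, kept in /root/.mongo.pw) if not defined here` would save the next reader a lookup, hedged on what that include actually does since it is outside this diff.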
@@ -0,0 +1,40 @@ +--- + +- name: Deploy mongorc.js for the root user + template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600 + register: mongo_mongorc + tags: mongo + +- when: mongo_mongorc.changed + block: + + - name: Temporarily disable auth + template: src=mongod.conf.j2 dest=/etc/mongod.conf + vars: + - mongo_auth: False + + - name: Restart mongo + service: name=mongod state=restarted + + - name: Create the admin user + mongodb_user: + database: admin + name: "{{ mongo_admin_user }}" + password: "{{ mongo_admin_pass }}" + login_port: "{{ mongo_port }}" + roles: + - readWriteAnyDatabase + - userAdminAnyDatabase + - dbAdminAnyDatabase + tags: mongo + + tags: mongo + +- name: Deploy configuration + template: src=mongod.conf.j2 dest=/etc/mongod.conf + notify: restart mongod + tags: mongo + +- name: Deploy mongorc.js for the root user + template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600 + tags: mongo diff --git a/roles/mongodb_server/tasks/facts.yml b/roles/mongodb_server/tasks/facts.yml new file mode 100644 index 0000000..eb7578b --- /dev/null +++ b/roles/mongodb_server/tasks/facts.yml @@ -0,0 +1,18 @@ +--- + +- include_vars: "{{ item }}" + with_first_found: + - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml + - vars/{{ ansible_distribution }}.yml + - vars/{{ ansible_os_family }}.yml + tags: mongo + +# Create a random encryption password +- block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "/root/.mongo.pw" + - set_fact: mongo_admin_pass={{ rand_pass }} + when: mongo_admin_pass is not defined + tags: mongo + diff --git a/roles/mongodb_server/tasks/install.yml b/roles/mongodb_server/tasks/install.yml new file mode 100644 index 0000000..ff00e60 --- /dev/null +++ b/roles/mongodb_server/tasks/install.yml 
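Review bot: Between `Temporarily disable auth` / `Restart mongo` and the later `Deploy configuration` task, mongod runs with `authorization: disabled` on the all-interfaces listener this commit configures in mongod.conf.j2, and nothing inside the block turns authorization back on — it is only restored when the `restart mongod` handler fires at the end of the play, or never if a later task fails. There is also no wait between `service: name=mongod state=restarted` and `mongodb_user`, so the user creation can run before the daemon accepts connections. I would add a `wait_for` on the port before `Create the admin user` and re-render the template plus restart inside the block right after the user exists, as below. The second `Deploy mongorc.js for the root user` task at the end of the file repeats the registered one at the top and can be dropped; note too that `when: mongo_mongorc.changed` re-enters the auth-disabled path on any change to that template (port or password), not only on first bootstrap.
```yaml
    - name: Restart mongo
      service: name=mongod state=restarted

    - name: Wait for mongod to accept connections
      wait_for:
        host: 127.0.0.1
        port: "{{ mongo_port }}"

    # … unchanged: Create the admin user …

    - name: Re-enable auth
      template: src=mongod.conf.j2 dest=/etc/mongod.conf

    - name: Restart mongo with auth enabled
      service: name=mongod state=restarted
```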
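Review bot: The comment `# Create a random encryption password` above the block in facts.yml is misleading — the generated value is assigned to `mongo_admin_pass`, the admin login password, not an encryption key; `# Generate a random admin password when mongo_admin_pass is not set` describes what follows. `set_fact: mongo_admin_pass={{ rand_pass }}` uses the key=value form, which mis-parses if the generated value contains whitespace or `=`; the mapping form `set_fact:` with `mongo_admin_pass: "{{ rand_pass }}"` on the next line avoids that. What get_rand_pass.yml actually produces is outside this diff, so whether that case can occur is not verifiable here.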
@@ -0,0 +1,60 @@ +--- + +- name: Remove versions from the base repo + yum: + name: + - mongodb + - mongodb-server + state: absent + tags: mongo + +- name: Install MongoDB server and tools + yum: name={{ mongo_packages }} + tags: mongo + +# We install from pip because pymongo available in repo for both EL7 and EL8 is too old +# it doesn't support CRAM-SHA-256 for example +- name: Install pymongo + pip: name=pymongo state=latest + tags: mongo + +- name: Create data dir + file: path={{ mongo_db_path }} state=directory + tags: mongo + + # Do it in two times so parent dir don't have restrictive permissions +- name: Set permissions on data dir + file: path={{ mongo_db_path }} state=directory owner=mongod group=mongod mode=700 + tags: mongo + +- name: Deploy pre/post backup scripts + template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mongo mode=750 + loop: + - pre + - post + tags: mongo + +- name: Create systemd unit snippet dir + file: path=/etc/systemd/system/mongod.service.d state=directory + tags: mongo + +- name: Customize systemd unit + copy: + content: | + [Service] + PrivateTmp=yes + ProtectSystem=full + ProtectHome=yes + Restart=on-failure + StartLimitInterval=0 + RestartSec=30 + dest: /etc/systemd/system/mongod.service.d/ansible.conf + register: mongo_unit + notify: restart mongod + tags: mongo + +- name: Reload systemd + systemd: daemon_reload=True + when: mongo_unit.changed + tags: mongo + diff --git a/roles/mongodb_server/tasks/iptables.yml b/roles/mongodb_server/tasks/iptables.yml new file mode 100644 index 0000000..96de6ac --- /dev/null +++ b/roles/mongodb_server/tasks/iptables.yml @@ -0,0 +1,9 @@ +--- + +- name: Handle mongodb port + iptables_raw: + name: mongo_ports + state: "{{ (mongo_src_ip | length > 0) | ternary('present','absent') }}" + rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mongo_port }} -s {{ mongo_src_ip | join(',') }} -j ACCEPT\n" + tags: firewall,mongo + 
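Review bot: `pip: name=pymongo state=latest` installs an unpinned latest PyPI release on every run, so the role is not reproducible and a breaking pymongo major bump lands on every host unreviewed; pin it, e.g. `pip: name=pymongo version=<pinned version>` (placeholder), and bump deliberately. The comment above it says `CRAM-SHA-256`; the MongoDB mechanism is SCRAM-SHA-256, so `# it doesn't support SCRAM-SHA-256 for example`. On CentOS 7 the vars file now installs `python-pip` (a Python 2 pip); whether that pip targets the interpreter Ansible runs `mongodb_user` under is not visible here — confirm, or set `executable` on the pip task so pymongo lands where the module imports it.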
diff --git a/roles/mongodb_server/tasks/main.yml b/roles/mongodb_server/tasks/main.yml index f598e0d..186977d 100644 --- a/roles/mongodb_server/tasks/main.yml +++ b/roles/mongodb_server/tasks/main.yml 
@@ -1,93 +1,12 @@ --- -- include_vars: "{{ item }}" - with_first_found: - - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml - - vars/{{ ansible_distribution }}.yml - - vars/{{ ansible_os_family }}.yml - tags: mongo - -- name: Remove versions from the base repo - yum: - name: - - mongodb - - mongodb-server - state: absent - tags: mongo - -- name: Install MongoDB server and tools - yum: name={{ mongo_packages }} - tags: mongo - -- name: Create data dir - file: path={{ mongo_db_path }} state=directory - tags: mongo - - # Do it in two times so parent dir don't have restrictive permissions -- name: Set permissions on data dir - file: path={{ mongo_db_path }} state=directory owner=mongod group=mongod mode=700 - tags: mongo - -- name: Set correct SELinux label - sefcontext: - target: "{{ mongo_db_path }}" - setype: mongod_var_lib_t - state: present - when: ansible_selinux.status == 'enabled' - tags: mongo - -- name: Restore SELinux contexts - command: restorecon -R {{ mongo_db_path }} +- include: facts.yml +- include: install.yml +- include: selinux.yml when: ansible_selinux.status == 'enabled' - changed_when: False - tags: mongo - -- name: Deploy pre/post backup scripts - template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mongo mode=750 - loop: - - pre - - post - tags: mongo - -- name: Deploy configuration - template: src=mongod.conf.j2 dest=/etc/mongod.conf - notify: restart mongod - tags: mongo - -- name: Create systemd unit snippet dir - file: path=/etc/systemd/system/mongod.service.d state=directory - tags: mongo - -- name: Customize systemd unit - copy: - content: | - [Service] - PrivateTmp=yes - ProtectSystem=full - ProtectHome=yes - Restart=on-failure - StartLimitInterval=0 - RestartSec=30 - dest: /etc/systemd/system/mongod.service.d/ansible.conf - register: mongo_unit - notify: restart mongod - tags: mongo - -- name: Reload systemd - systemd: daemon_reload=True - when: mongo_unit.changed - tags: mongo - -- name: Handle 
mongodb port - iptables_raw: - name: mongo_ports - state: "{{ (mongo_src_ip | length > 0) | ternary('present','absent') }}" - rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mongo_port }} -s {{ mongo_src_ip | join(',') }} -j ACCEPT\n" +- include: iptables.yml when: iptables_manage | default(True) - tags: firewall,mongo - -- name: Start and enable MongoDB daemon - service: name=mongod state=started enabled=yes - tags: mongo +- include: conf.yml +- include: services.yml ... diff --git a/roles/mongodb_server/tasks/selinux.yml b/roles/mongodb_server/tasks/selinux.yml new file mode 100644 index 0000000..4b8873f --- /dev/null +++ b/roles/mongodb_server/tasks/selinux.yml @@ -0,0 +1,14 @@ +--- + +- name: Set correct SELinux label + sefcontext: + target: "{{ mongo_db_path }}" + setype: mongod_var_lib_t + state: present + tags: mongo + +- name: Restore SELinux contexts + command: restorecon -R {{ mongo_db_path }} + changed_when: False + tags: mongo + diff --git a/roles/mongodb_server/tasks/services.yml b/roles/mongodb_server/tasks/services.yml new file mode 100644 index 0000000..41d80bc --- /dev/null +++ b/roles/mongodb_server/tasks/services.yml @@ -0,0 +1,6 @@ +--- + +- name: Start and enable MongoDB daemon + service: name=mongod state=started enabled=yes + tags: mongo + diff --git a/roles/mongodb_server/templates/mongod.conf.j2 b/roles/mongodb_server/templates/mongod.conf.j2 index c7d7a18..7774a32 100644 --- a/roles/mongodb_server/templates/mongod.conf.j2 +++ b/roles/mongodb_server/templates/mongod.conf.j2 
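Review bot: The new `- include: facts.yml` … `- include: services.yml` lines use the bare `include` keyword, deprecated since Ansible 2.4 in favour of `import_tasks` / `include_tasks`; since main.yml relies on the `when:` on `selinux.yml` and `iptables.yml` applying to every task in the included file, `import_tasks` (static) keeps that semantics explicitly. The includes also carry no `tags: mongo` themselves, so depending on whether Ansible treats them as dynamic a `--tags mongo` run may skip them entirely; either tag each include line or switch to `import_tasks` so the per-task tags inside the files are honoured. Ordering is worth a comment as well: conf.yml runs before services.yml and relies on its own `state=restarted` to bring mongod up, e.g. `# conf.yml may restart mongod during admin bootstrap; services.yml then ensures it is enabled`.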
@@ -1,7 +1,16 @@ -bind_ip = 0.0.0.0 -port = {{ mongo_port }} -pidfilepath = /var/run/mongodb/mongod.pid -unixSocketPrefix = /var/run/mongodb -dbpath = {{ mongo_db_path }} -syslog = true -fork = true +systemLog: + destination: syslog +processManagement: + fork: true + pidFilePath: /var/run/mongodb/mongod.pid +net: + port: {{ mongo_port }} + bindIp: 0.0.0.0 + bindIpAll: true + unixDomainSocket: + pathPrefix: /var/run/mongodb +security: + authorization: {{ mongo_auth | ternary('enabled','disabled') }} +storage: + dbPath: {{ mongo_db_path }} + diff --git a/roles/mongodb_server/templates/mongorc.js.j2 b/roles/mongodb_server/templates/mongorc.js.j2 new file mode 100644 index 0000000..64d0d24 --- /dev/null +++ b/roles/mongodb_server/templates/mongorc.js.j2 @@ -0,0 +1,2 @@ +db = connect('localhost:{{ mongo_port }}/admin'); +db.auth('{{ mongo_admin_user }}', '{{ mongo_admin_pass }}'); diff --git a/roles/mongodb_server/templates/pre-backup.j2 b/roles/mongodb_server/templates/pre-backup.j2 index 7e44d04..f01e977 100644 --- a/roles/mongodb_server/templates/pre-backup.j2 +++ b/roles/mongodb_server/templates/pre-backup.j2 @@ -1,4 +1,4 @@ #!/bin/bash -e mkdir -p /home/lbkp/mongo -mongodump --quiet --port {{ mongo_port }} --out /home/lbkp/mongo +mongodump --username {{ mongo_admin_user }} --password {{ mongo_admin_pass | quote }} --quiet --port {{ mongo_port }} --out /home/lbkp/mongo diff --git a/roles/mongodb_server/vars/CentOS-7.yml b/roles/mongodb_server/vars/CentOS-7.yml index df5bee3..365ec1c 100644 --- a/roles/mongodb_server/vars/CentOS-7.yml +++ b/roles/mongodb_server/vars/CentOS-7.yml @@ -3,4 +3,4 @@ mongo_packages: - mongodb-org-server - mongodb-org - - python-pymongo + - python-pip diff --git a/roles/mongodb_server/vars/CentOS-8.yml b/roles/mongodb_server/vars/CentOS-8.yml index 3cfec82..3e9cac6 100644 --- a/roles/mongodb_server/vars/CentOS-8.yml +++ b/roles/mongodb_server/vars/CentOS-8.yml 
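Review bot: `bindIp: 0.0.0.0` and `bindIpAll: true` under `net:` say the same thing twice, and with the default `mongo_src_ip: []` iptables.yml writes no rule at all (`state` resolves to `absent`), so the daemon listens on every interface with only the chain's default policy in front of it — including during the authorization-disabled window conf.yml creates. Keep one of the two settings and consider making the bind address a variable (a `mongo_bind_ip` default of `127.0.0.1` that hosts with remote clients override). A comment on the `security:` stanza, `# rendered from mongo_auth; conf.yml renders this disabled temporarily while the admin user is created`, would explain why this value is a template variable.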
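Review bot: `db.auth('{{ mongo_admin_user }}', '{{ mongo_admin_pass }}');` in mongorc.js.j2 interpolates the password into a single-quoted JavaScript literal with no escaping, so a generated or operator-supplied password containing `'` or `\` yields a syntactically broken `.mongorc.js`. Rendering both values with Ansible's `to_json` filter produces escaped double-quoted literals that are valid JavaScript: `db.auth({{ mongo_admin_user | to_json }}, {{ mongo_admin_pass | to_json }});`. The file is written with `mode=600` in conf.yml, which is the right permission for a file holding the admin credential.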
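Review bot: `mongodump --username {{ mongo_admin_user }} --password {{ mongo_admin_pass | quote }}` in pre-backup.j2 puts the admin password on the command line, where it is visible in the process list to every local user for the duration of the dump, and install.yml deploys the script with `mode=750`, so any member of its group can read the credential from the file. Prefer passing the password outside argv — newer MongoDB Database Tools accept a root-only `--config` file carrying `password:` (confirm against the tools version mongodb-org installs) — and tighten the script's mode to `0700`. No `--authenticationDatabase admin` is given either; verify which database mongodump authenticates against when neither it nor `--db` is set, rather than relying on the default.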
@@ -3,4 +3,4 @@ mongo_packages: - mongodb-org-server - mongodb-org - - python3-pymongo + - python3-pip