Update to 2021-02-11 19:00

master
Daniel Berteaud 4 years ago
parent 2dfdf66d0c
commit c38264c49d
  1. 5
      roles/mongodb_server/defaults/main.yml
  2. 40
      roles/mongodb_server/tasks/conf.yml
  3. 18
      roles/mongodb_server/tasks/facts.yml
  4. 60
      roles/mongodb_server/tasks/install.yml
  5. 9
      roles/mongodb_server/tasks/iptables.yml
  6. 93
      roles/mongodb_server/tasks/main.yml
  7. 14
      roles/mongodb_server/tasks/selinux.yml
  8. 6
      roles/mongodb_server/tasks/services.yml
  9. 23
      roles/mongodb_server/templates/mongod.conf.j2
  10. 2
      roles/mongodb_server/templates/mongorc.js.j2
  11. 2
      roles/mongodb_server/templates/pre-backup.j2
  12. 2
      roles/mongodb_server/vars/CentOS-7.yml
  13. 2
      roles/mongodb_server/vars/CentOS-8.yml

@ -3,4 +3,9 @@
mongo_port: 27017 mongo_port: 27017
mongo_src_ip: [] mongo_src_ip: []
mongo_db_path: /var/lib/mongo mongo_db_path: /var/lib/mongo
# Should authorization be enabled
mongo_auth: True
mongo_admin_user: mongoadmin
# A random one will be created if not defined here
# mongo_admin_pass: S3cr3t.
... ...
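Review bot: The comments around `mongo_admin_pass` do not say where the generated password ends up, and the commented example `# mongo_admin_pass: S3cr3t.` invites a plain-text password in role defaults or inventory. Suggested wording: `# If unset, a random password is generated (facts.yml passes pass_file=/root/.mongo.pw); set it from an encrypted vars file rather than in clear text here.` `mongo_auth: True` is also better written as the canonical `mongo_auth: true`.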

@ -0,0 +1,40 @@
---
- name: Deploy mongorc.js for the root user
template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600
register: mongo_mongorc
tags: mongo
- when: mongo_mongorc.changed
block:
- name: Temporarily disable auth
template: src=mongod.conf.j2 dest=/etc/mongod.conf
vars:
- mongo_auth: False
- name: Restart mongo
service: name=mongod state=restarted
- name: Create the admin user
mongodb_user:
database: admin
name: "{{ mongo_admin_user }}"
password: "{{ mongo_admin_pass }}"
login_port: "{{ mongo_port }}"
roles:
- readWriteAnyDatabase
- userAdminAnyDatabase
- dbAdminAnyDatabase
tags: mongo
tags: mongo
- name: Deploy configuration
template: src=mongod.conf.j2 dest=/etc/mongod.conf
notify: restart mongod
tags: mongo
- name: Deploy mongorc.js for the root user
template: src=mongorc.js.j2 dest=/root/.mongorc.js mode=600
tags: mongo
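Review bot: The `when: mongo_mongorc.changed` block leaves mongod without authorization for longer than "Temporarily disable auth" suggests, and it has no cleanup path on failure. After "Create the admin user", auth only returns once "Deploy configuration" re-renders mongod.conf and the `restart mongod` handler fires, which normally happens at the end of the play and not at all if a later task fails. If the block itself fails, the auth-disabled config stays on disk. The mongod.conf.j2 in this commit listens on 0.0.0.0, so during that window the instance is reachable unauthenticated from every source allowed in `mongo_src_ip`. An `always:` section that re-renders the config and restarts immediately closes the window in both cases; separately, the first and last tasks of this file are the same mongorc.js deployment, so the second can be dropped.

```yaml
- when: mongo_mongorc.changed
  block:
    # … unchanged: temporarily disable auth, restart mongo, create the admin user …
  always:
    # Runs whether or not the block succeeded, with the role-level mongo_auth value
    - name: Restore the configured authorization setting
      template: src=mongod.conf.j2 dest=/etc/mongod.conf
    - name: Restart mongo with the restored configuration
      service: name=mongod state=restarted
  tags: mongo
```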

@ -0,0 +1,18 @@
---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
tags: mongo
# Create a random encryption password
- block:
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: "/root/.mongo.pw"
- set_fact: mongo_admin_pass={{ rand_pass }}
when: mongo_admin_pass is not defined
tags: mongo
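Review bot: The comment `# Create a random encryption password` above the block does not match what the block does: it sets `mongo_admin_pass`, the admin account password, using `/root/.mongo.pw` as the pass file (get_rand_pass.yml is not shown here, so how the file is written is an assumption). A better comment is `# Generate (or reuse) the admin password stored in /root/.mongo.pw when none is provided`. The line `set_fact: mongo_admin_pass={{ rand_pass }}` also sends a secret through key=value parsing, where a space or quote in the value would change the result. The mapping form with logging suppressed is safer: `set_fact:` / `mongo_admin_pass: "{{ rand_pass }}"` / `no_log: true`.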

@ -0,0 +1,60 @@
---
- name: Remove versions from the base repo
yum:
name:
- mongodb
- mongodb-server
state: absent
tags: mongo
- name: Install MongoDB server and tools
yum: name={{ mongo_packages }}
tags: mongo
# We install from pip because pymongo available in repo for both EL7 and EL8 is too old
# it doesn't support CRAM-SHA-256 for example
- name: Install pymongo
pip: name=pymongo state=latest
tags: mongo
- name: Create data dir
file: path={{ mongo_db_path }} state=directory
tags: mongo
# Do it in two times so parent dir don't have restrictive permissions
- name: Set permissions on data dir
file: path={{ mongo_db_path }} state=directory owner=mongod group=mongod mode=700
tags: mongo
- name: Deploy pre/post backup scripts
template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mongo mode=750
loop:
- pre
- post
tags: mongo
- name: Create systemd unit snippet dir
file: path=/etc/systemd/system/mongod.service.d state=directory
tags: mongo
- name: Customize systemd unit
copy:
content: |
[Service]
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
Restart=on-failure
StartLimitInterval=0
RestartSec=30
dest: /etc/systemd/system/mongod.service.d/ansible.conf
register: mongo_unit
notify: restart mongod
tags: mongo
- name: Reload systemd
systemd: daemon_reload=True
when: mongo_unit.changed
tags: mongo
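Review bot: The "Install pymongo" task uses `pip: name=pymongo state=latest`, so every run installs whatever release is newest on the package index, as root and with no version bound. That makes runs non-reproducible and lets an upstream release land on a database host without review. Pinning keeps the intent of the comment above it, e.g. `pip: name=pymongo version=<PINNED_VERSION>` with the placeholder set to a release you have tested. The comment's `CRAM-SHA-256` presumably means SCRAM-SHA-256 and should be corrected.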

@ -0,0 +1,9 @@
---
- name: Handle mongodb port
iptables_raw:
name: mongo_ports
state: "{{ (mongo_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mongo_port }} -s {{ mongo_src_ip | join(',') }} -j ACCEPT\n"
tags: firewall,mongo

@ -1,93 +1,12 @@
--- ---
- include_vars: "{{ item }}" - include: facts.yml
with_first_found: - include: install.yml
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml - include: selinux.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
tags: mongo
- name: Remove versions from the base repo
yum:
name:
- mongodb
- mongodb-server
state: absent
tags: mongo
- name: Install MongoDB server and tools
yum: name={{ mongo_packages }}
tags: mongo
- name: Create data dir
file: path={{ mongo_db_path }} state=directory
tags: mongo
# Do it in two times so parent dir don't have restrictive permissions
- name: Set permissions on data dir
file: path={{ mongo_db_path }} state=directory owner=mongod group=mongod mode=700
tags: mongo
- name: Set correct SELinux label
sefcontext:
target: "{{ mongo_db_path }}"
setype: mongod_var_lib_t
state: present
when: ansible_selinux.status == 'enabled'
tags: mongo
- name: Restore SELinux contexts
command: restorecon -R {{ mongo_db_path }}
when: ansible_selinux.status == 'enabled' when: ansible_selinux.status == 'enabled'
changed_when: False - include: iptables.yml
tags: mongo
- name: Deploy pre/post backup scripts
template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/mongo mode=750
loop:
- pre
- post
tags: mongo
- name: Deploy configuration
template: src=mongod.conf.j2 dest=/etc/mongod.conf
notify: restart mongod
tags: mongo
- name: Create systemd unit snippet dir
file: path=/etc/systemd/system/mongod.service.d state=directory
tags: mongo
- name: Customize systemd unit
copy:
content: |
[Service]
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
Restart=on-failure
StartLimitInterval=0
RestartSec=30
dest: /etc/systemd/system/mongod.service.d/ansible.conf
register: mongo_unit
notify: restart mongod
tags: mongo
- name: Reload systemd
systemd: daemon_reload=True
when: mongo_unit.changed
tags: mongo
- name: Handle mongodb port
iptables_raw:
name: mongo_ports
state: "{{ (mongo_src_ip | length > 0) | ternary('present','absent') }}"
rules: "-A INPUT -m state --state NEW -p tcp --dport {{ mongo_port }} -s {{ mongo_src_ip | join(',') }} -j ACCEPT\n"
when: iptables_manage | default(True) when: iptables_manage | default(True)
tags: firewall,mongo - include: conf.yml
- include: services.yml
- name: Start and enable MongoDB daemon
service: name=mongod state=started enabled=yes
tags: mongo
... ...
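Review bot: The new task list uses bare `include:` for every file, while facts.yml in this same commit already uses `import_tasks:`. Bare `include` is deprecated in Ansible in favour of `import_tasks`/`include_tasks`, so the role should use one form consistently, e.g. `- import_tasks: selinux.yml` followed by `when: ansible_selinux.status == 'enabled'`. A one-line comment recording that conf.yml has to run after install.yml (it restarts mongod and needs pymongo) would also help whoever reorders this list later.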

@ -0,0 +1,14 @@
---
- name: Set correct SELinux label
sefcontext:
target: "{{ mongo_db_path }}"
setype: mongod_var_lib_t
state: present
tags: mongo
- name: Restore SELinux contexts
command: restorecon -R {{ mongo_db_path }}
changed_when: False
tags: mongo

@ -0,0 +1,6 @@
---
- name: Start and enable MongoDB daemon
service: name=mongod state=started enabled=yes
tags: mongo

@ -1,7 +1,16 @@
bind_ip = 0.0.0.0 systemLog:
port = {{ mongo_port }} destination: syslog
pidfilepath = /var/run/mongodb/mongod.pid processManagement:
unixSocketPrefix = /var/run/mongodb fork: true
dbpath = {{ mongo_db_path }} pidFilePath: /var/run/mongodb/mongod.pid
syslog = true net:
fork = true port: {{ mongo_port }}
bindIp: 0.0.0.0
bindIpAll: true
unixDomainSocket:
pathPrefix: /var/run/mongodb
security:
authorization: {{ mongo_auth | ternary('enabled','disabled') }}
storage:
dbPath: {{ mongo_db_path }}
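Review bot: The new `net:` section sets both `bindIp: 0.0.0.0` and `bindIpAll: true`. MongoDB's documentation describes these two options as mutually exclusive, so one of them should go, and it is worth confirming that the packaged mongod actually starts with this file. Either way the server listens on every interface, which leaves the iptables rule as the only network restriction, and main.yml skips that rule when `iptables_manage` is false. A new role variable that defaults to the current behaviour, e.g. `bindIp: {{ mongo_bind_ip | default('0.0.0.0') }}`, would let hosts that only serve local clients bind to loopback.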

@ -0,0 +1,2 @@
db = connect('localhost:{{ mongo_port }}/admin');
db.auth('{{ mongo_admin_user }}', '{{ mongo_admin_pass }}');
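Review bot: Both values are pasted into single-quoted JavaScript literals without escaping, so a user name or password containing `'` or `\` renders a broken or different script in /root/.mongorc.js. Emitting them as JSON strings avoids that: `db.auth({{ mongo_admin_user | to_json }}, {{ mongo_admin_pass | to_json }});`. The file holds the admin password in clear text, so a header comment stating that it must stay root-only (conf.yml deploys it with mode=600) would be useful.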

@ -1,4 +1,4 @@
#!/bin/bash -e #!/bin/bash -e
mkdir -p /home/lbkp/mongo mkdir -p /home/lbkp/mongo
mongodump --quiet --port {{ mongo_port }} --out /home/lbkp/mongo mongodump --username {{ mongo_admin_user }} --password {{ mongo_admin_pass | quote }} --quiet --port {{ mongo_port }} --out /home/lbkp/mongo
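Review bot: The new mongodump line passes the admin password as a `--password` argument, which exposes it in the process list to local users while the dump runs, and it stores the password in a script that install.yml deploys with mode=750. `mongo_admin_user` is also not passed through `quote` the way the password is. Prefer a root-only credentials file read by mongodump where the installed tools support its `--config` option, e.g. `mongodump --config /root/.mongodump.yml --quiet --port {{ mongo_port }} --out /home/lbkp/mongo` (the path is an example, not taken from this role). A dedicated account with the built-in `backup` role would also avoid using the user-admin account for dumps.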

@ -3,4 +3,4 @@
mongo_packages: mongo_packages:
- mongodb-org-server - mongodb-org-server
- mongodb-org - mongodb-org
- python-pymongo - python-pip

@ -3,4 +3,4 @@
mongo_packages: mongo_packages:
- mongodb-org-server - mongodb-org-server
- mongodb-org - mongodb-org
- python3-pymongo - python3-pip
