diff options
Diffstat (limited to 'ansible_collections/community/mongodb/roles')
174 files changed, 6496 insertions, 0 deletions
diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/.yamllint b/ansible_collections/community/mongodb/roles/mongodb_auth/.yamllint new file mode 100644 index 00000000..88276760 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/README.md b/ansible_collections/community/mongodb/roles/mongodb_auth/README.md new file mode 100644 index 00000000..11619c3f --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/README.md @@ -0,0 +1,84 @@ +mongodb_auth +============ + +This role to enables auth on MongoDB servers, adds the first admin user, and adds a list of other users. +If your mongo instance requires ssl or an alternative auth_mechanism, please use +[`module_defaults`](https://docs.ansible.com/ansible/latest/user_guide/playbooks_module_defaults.html) +to provide the default auth details for `community.mongodb.mongodb_user` (these defaults are ignored +when adding the initial admin user with the localhost exception). + +If running this on a MongoDB server that already has an admin user (ie when using this role to audit +an alternate install method), you must touch `/root/mongodb_admin.success` or you will get an error +when this role tries to add the admin user again. + +Role Variables +-------------- + +* `mongod_host`: The domain or ip to use to communicate with mongod. Default localhost. +* `mongod_port`: The port used by the mongod process. Default 27017. +* `mongod_package`: The mongod package to install. Default mongodb-org-server. +* `authorization`: Enable authorization. Default enabled. +* `mongodb_admin_db`: MongoDB admin database (for adding users). Default admin. +* `mongodb_admin_user`: MongoDB admin username. Default admin. +* `mongodb_admin_pwd`: MongoDB admin password. Defaults to value of mongodb_admin_default_pwd. +* `mongodb_admin_default_pwd`: MongoDB admin password (for parent roles to override without overriding user's password). Default admin. +* `mongodb_users`: List of additional users to add. Each user dict should include fields: db, user, pwd, state (default: "present"), roles (default: "readWrite"). +* `mongodb_force_update_password`: Whether or not to force a password update for any users in mongodb_users. Setting this to yes will result in 'changed' on every run, even if the password is the same. Setting this to no only adds a password when creating the user. + +IMPORTANT NOTE: It is expected that mongodb_admin_user & mongodb_admin_pwd values be overridden in your own file protected by Ansible Vault. Any production environments should protect these values. For more information see [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) + +Dependencies +------------ + +mongodb_repository + +Example Playbook +---------------- + +Install MongoDB preparing hosts for a Replicaset + +```yaml + - hosts: servers + roles: + - { role: "community.mongodb.mongodb_repository" } + - { role: "community.mongodb.mongodb_mongod" } + + tasks: + + - name: Initialise MongoDB Replicaset rs0 + community.mongodb.mongodb_replicaset: + login_database: "admin" + login_host: localhost + replica_set: "rs0" + members: + - "mongodb1" + - "mongodb2" + - "mongodb3" + when: ansible_hostname == "mongodb1" + register: repl + + - name: Ensure replicaset has reached a converged state + community.mongodb.mongodb_status: + replica_set: "rs0" + poll: 10 + interval: 10 + when: repl.changed == True + + - name: Import mongodb_auth role + include_role: + name: mongodb_auth + vars: + mongod_host: "127.0.0.1" + mongodb_admin_pwd: "f00b@r" + when: ansible_hostname == "mongodb1" +``` + +License +------- + +BSD + +Author Information +------------------ + +Jacob Floyd (https://github.com/cognifloyd) diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/defaults/main.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/defaults/main.yml new file mode 100644 index 00000000..c34225a2 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/defaults/main.yml @@ -0,0 +1,28 @@ +--- +# defaults file for mongodb_auth +mongod_port: 27017 +mongod_package: "mongodb-org-server" + +authorization: "enabled" + +# when adding auth, the login credentials to use +mongodb_admin_user: admin +# For production use - please change the admin password! +mongodb_admin_pwd: "{{ mongodb_default_admin_pwd }}" +# The default is separate so other roles can provide a default without overriding a user provided password. +mongodb_default_admin_pwd: admin +# allow for alternate admin roles (e.g. userAdminAnyDatabase) +mongodb_admin_roles: "root" + +# Additional users to add. +mongodb_users: [] +# - db: somedatabase +# user: someuser +# pwd: "S0meP@ss" +# state: present # can be omitted +# roles: readWrite # if omitted "readWrite" will be used + +# whether to force a password update for any users in mongodb_users +# Setting this to yes will result in 'changed' on every run, even if the password is the same. +# See the comment in tasks/main.yml for more details. +mongodb_force_update_password: no diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/meta/main.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/meta/main.yml new file mode 100644 index 00000000..bf076537 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/meta/main.yml @@ -0,0 +1,30 @@ +--- +galaxy_info: + author: Jacob Floyd + description: Configure auth on MongoDB servers. + + license: GPLv3 + + min_ansible_version: 2.9 + + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/Dockerfile.j2 new file mode 100644 index 00000000..a92fe041 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/Dockerfile.j2 @@ -0,0 +1,40 @@ +# Molecule managed +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %}
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/molecule.yml new file mode 100644 index 00000000..e5b2a2ad --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/molecule.yml @@ -0,0 +1,50 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + - name: ubuntu_18 + image: ubuntu:18.04 + command: /sbin/init + privileged: True + - name: debian_buster + image: debian:buster + command: /sbin/init + privileged: True + - name: debian_bullseye + image: debian:bullseye + command: /sbin/init + privileged: True + - name: amazonlinux + image: amazonlinux:2 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/playbook.yml new file mode 100644 index 00000000..dad3c992 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/playbook.yml @@ -0,0 +1,65 @@ +--- +- name: Converge + hosts: all + become: yes + vars: + # for this test, each machine is an isolated mongod instance + replicaset: false + sharding: false + + # initially disable authorization on some hosts + hosts_with_auth_disabled: + - ubuntu_18 + - debian_buster + + # add some users for some of the hosts + hosts_with_extra_user: + - centos_8 + - amazonlinux + - debian_buster + mongodb_users_empty: [] + mongodb_users_full: + - db: somedatabase + user: someuser + pwd: "S0meP@ss" + roles: readWrite + - db: somedatabase + user: otheruser + pwd: "0th3rP@ss" + roles: readWrite + mongodb_users: "{% if inventory_hostname in hosts_with_extra_user %}{{ mongodb_users_full }}{% else %}{{ mongodb_users_empty }}{% endif %}" + + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_mongod + authorization: "{% if inventory_hostname in hosts_with_auth_disabled %}disabled{% else %}enabled{% endif %}" + tags: molecule-idempotence-notest # avoids false positive where replacing conf file disables authorization again + + tasks: + - name: Add EPEL repo to CentOS 7 to allow installing pip package + become: yes + yum: + name: epel-release + state: present + when: inventory_hostname == 'centos_7' + + - name: Install python stuff + package: + name: + - "python{% if needs_3 %}3{% endif %}-setuptools" + - "python{% if needs_3 %}3{% endif %}-pip" + vars: + needs_3: "{{ ansible_facts.python.version.major == 3 }}" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + + - name: Enable mongo auth + include_role: + name: mongodb_auth + + - name: Install MongoDB Shell + package: + name: mongodb-mongosh diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/prepare.yml new file mode 100644 index 00000000..9bb20f0b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/prepare.yml @@ -0,0 +1,22 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + redhat_packages: + - net-tools + tasks: + + - name: Ensure epel is available + package: + name: epel-release + state: present + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Amazon" + + - name: Install redhat packages + package: + name: "{{ redhat_packages }}" + state: present + when: ansible_os_family == "RedHat"
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/tests/test_default.py new file mode 100644 index 00000000..7d600622 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/default/tests/test_default.py @@ -0,0 +1,56 @@ +import os +import yaml + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ["MOLECULE_INVENTORY_FILE"] +).get_hosts("all") + + +def include_vars(host): + ansible = host.ansible("include_vars", + 'file="../../defaults/main.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + f = host.file("/etc/mongod.conf") + + assert f.exists + assert yaml.safe_load(f.content)["security"]["authorization"] == "enabled" + + +def test_mongod_service(host): + mongod_service = include_vars(host)["ansible_facts"].get("mongod_service", "mongod") + s = host.service(mongod_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + port = include_vars(host)["ansible_facts"].get("mongod_port", 27017) + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + assert s.is_listening + + +def test_mongo_shell_connectivity(host): + """ + Tests that we can connect to mongos via the shell annd run a cmd + """ + facts = include_vars(host)["ansible_facts"] + port = facts.get("mongod_port", 27017) + user = facts.get("mongod_admin_user", "admin") + pwd = facts.get("mongodb_default_admin_pwd", "admin") + + cmd = host.run( + "mongosh admin --username {user} --password {pwd} --port {port} --eval 'db.runCommand({{listDatabases: 1}})'".format( + user=user, pwd=pwd, port=port + ) + ) + + assert cmd.rc == 0 + assert "admin" in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/molecule.yml new file mode 100644 index 00000000..de4d1c6d --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/molecule.yml @@ -0,0 +1,54 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant + provider: + name: virtualbox +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos-7 + box: centos/7 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-16 + box: ubuntu/xenial64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-18 + box: ubuntu/bionic64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-buster + box: debian/buster64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-bullseye + box: debian/bullseye + interfaces: + - network_name: private_network + type: dhcp + auto_config: true +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/playbook.yml new file mode 100644 index 00000000..fc51f79e --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/playbook.yml @@ -0,0 +1,66 @@ +--- +- name: Converge + hosts: all + become: yes + vars: + # for this test, each machine is an isolated mongod instance + replicaset: false + sharding: false + + # initially disable authorization on some hosts + hosts_with_auth_disabled: + - ubuntu_18 + - debian_buster + + # add some users for some of the hosts + hosts_with_extra_user: + - centos_8 + - ubuntu_16 + - debian_buster + mongodb_users_empty: [] + mongodb_users_full: + - db: somedatabase + user: someuser + pwd: "S0meP@ss" + roles: readWrite + - db: somedatabase + user: otheruser + pwd: "0th3rP@ss" + roles: readWrite + mongodb_users: "{% if inventory_hostname in hosts_with_extra_user %}{{ mongodb_users_full }}{% else %}{{ mongodb_users_empty }}{% endif %}" + + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_mongod + vars: + authorization: "{% if inventory_hostname in hosts_with_auth_disabled %}disabled{% else %}enabled{% endif %}" + tags: molecule-idempotence-notest # avoids false positive where replacing conf file disables authorization again + + tasks: + - name: Add EPEL repo to CentOS 7 to allow installing pip package + become: yes + yum: + name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_facts.distribution_major_version }}.noarch.rpm" + state: present + when: inventory_hostname == 'centos_7' + + - name: Install python stuff + package: + name: + - "python{% if needs_3 %}3{% endif %}-setuptools" + - "python{% if needs_3 %}3{% endif %}-pip" + vars: + needs_3: "{{ ansible_facts.python.version.major == 3 }}" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + + - name: Enable mongo auth + include_role: + name: mongodb_auth + + - name: Install MongoDB Shell + package: + name: mongodb-org-shell diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/prepare.yml new file mode 100644 index 00000000..0f186973 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/prepare.yml @@ -0,0 +1,40 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + avahi_packages_redhat: + - "avahi" + - "nss-mdns" + avahi_packages_debian: + - "avahi-daemon" + - "avahi-discover" + - "libnss-mdns" + tasks: + + - name: Ensure epel is available + yum: + name: epel-release + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_redhat }}" + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_debian }}" + state: present + when: ansible_os_family == "Debian" + + # debian-stretch seems to require a reboot for avahi-daemon to run + - name: Reboot host + reboot: + + - name: Ensure avahi-daemon is started + service: + name: avahi-daemon + state: started diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/tests/test_default.py new file mode 100644 index 00000000..933015a0 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/molecule/virtualbox/tests/test_default.py @@ -0,0 +1,56 @@ +import os +import yaml + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ["MOLECULE_INVENTORY_FILE"] +).get_hosts("all") + + +def include_vars(host): + ansible = host.ansible("include_vars", + 'file="../../defaults/main.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + f = host.file("/etc/mongod.conf") + + assert f.exists + assert yaml.safe_load(f.content)["security"]["authorization"] == "enabled" + + +def test_mongod_service(host): + mongod_service = include_vars(host)["ansible_facts"].get("mongod_service", "mongod") + s = host.service(mongod_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + port = include_vars(host)["ansible_facts"].get("mongod_port", 27017) + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + assert s.is_listening + + +def test_mongo_shell_connectivity(host): + """ + Tests that we can connect to mongos via the shell annd run a cmd + """ + facts = include_vars(host)["ansible_facts"] + port = facts.get("mongod_port", 27017) + user = facts.get("mongod_admin_user", "admin") + pwd = facts.get("mongod_default_admin_pwd", "admin") + + cmd = host.run( + "mongo admin --username {user} --password {pwd} --port {port} --eval 'db.runCommand({{listDatabases: 1}})'".format( + user=user, pwd=pwd, port=port + ) + ) + + assert cmd.rc == 0 + assert "admin" in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/tasks/main.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/tasks/main.yml new file mode 100644 index 00000000..d3775a1b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/tasks/main.yml @@ -0,0 +1,115 @@ +--- +# tasks file for mongodb_auth +- name: Include OS-specific vars + include_vars: + file: "{{ lookup('first_found', params) }}" + vars: + params: + paths: + - "vars" + files: + - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml" + - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml" + - "{{ ansible_facts.distribution }}.yml" + - "{{ ansible_facts.os_family }}.yml" + - default.yml + tags: + - "vars" + +- name: Ensure mongod and pyyaml packages are installed + package: + name: + - "{{ mongod_package }}" + # pyyaml is used to validate yaml files on change + - "{{ pyyaml_package }}" + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "pkg" + +- name: Warn about default credentials + when: mongodb_admin_pwd == mongodb_default_admin_pwd + debug: + msg: "[WARNING] Using default admin credentials for mongodb admin account! Please change them!" + tags: + - "debug" + +- name: Enable security section in mongod.conf + lineinfile: + path: /etc/mongod.conf + regexp: |- + ^[#'"\s]*security['"]?\s*: + line: 'security:' + validate: | + {{ mongodb_python }} -c ' + import yaml, io + if "security" not in yaml.safe_load(io.open("%s")): + exit(1) + ' + tags: + - "mongodb" + - "setup" + +- name: Enable authentication in mongod.conf + lineinfile: + path: /etc/mongod.conf + insertafter: '^security:' + # two space indentation (the default) assumed + line: ' authorization: {{ authorization }}' + regexp: |- + ^[#'"\s]+authorization['"]?\s*: + validate: | + {{ mongodb_python }} -c ' + import yaml, io + if yaml.safe_load(io.open("%s"))["security"]["authorization"] != "{{ authorization }}": + exit(1) + ' + register: _enable_mongo_auth + tags: + - "mongodb" + - "setup" + +# This is a task instead of a handler so we can add users right away +- name: Restart mongodb to enable auth before adding additional users + # This allows us to safely assume auth is already enabled when adding more users + when: _enable_mongo_auth is changed + service: + name: mongod + state: restarted + tags: + - "mongodb" + - "service" + - "setup" + +- name: Add mongo admin user with localhost exception + community.mongodb.mongodb_user: + state: present + + # on_create triggers additional queries that are not compatible with localhost exception + update_password: always + + name: "{{ mongodb_admin_user }}" + password: "{{ mongodb_admin_pwd }}" + database: admin + roles: "{{ mongodb_admin_roles }}" + + login_host: localhost + login_port: "{{ mongod_port | string }}" # silence implicit int->str conversion warning + create_for_localhost_exception: /root/mongodb_admin.success + tags: + - "mongodb" + - "setup" + - "admin_user" + +- name: Add additional mongo users + include_tasks: mongodb_auth_user.yml + loop: "{{ mongodb_users }}" + loop_control: + loop_var: _mongodb_user + # using loop_control: label does not obscure the password in output for verbosity > 1 + # So, loop over an include where the task name will include the username + db, but the loop var won't print out. + no_log: yes + tags: + - "mongodb" + - "app_user" diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/tasks/mongodb_auth_user.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/tasks/mongodb_auth_user.yml new file mode 100644 index 00000000..e21dec07 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/tasks/mongodb_auth_user.yml @@ -0,0 +1,32 @@ +--- +- name: "Add mongo auth user - {{ _mongodb_user.user }} on {{ _mongodb_user.db }}" + community.mongodb.mongodb_user: + state: "{{ _mongodb_user.state|default('present') }}" + + # NOTE: on_create is idempotent, always is not. + # With `update_password: on_create`, mongodb_user checks to see if the user + # (a) exists on the db, and (b) has the same roles, + # and then it only adds the user if it's not there or the roles have changed. + # With `update_password: always`, mongodb_user cannot tell if the password + # needs to be changed without attempting a login with those credentials. + # But mongodb_user does not currently implement such a check. + # A comment in mongodb_user points to https://jira.mongodb.org/browse/SERVER-22848 + update_password: "{{ mongodb_force_update_password|ternary('always', 'on_create') }}" + + name: "{{ _mongodb_user.user }}" + password: "{{ _mongodb_user.pwd }}" + database: "{{ _mongodb_user.db }}" + roles: "{{ _mongodb_user.roles|default('readWrite') }}" + + login_host: localhost + login_port: "{{ mongod_port | string }}" # silence implicit int->str conversion warning + login_user: "{{ mongodb_admin_user }}" + login_password: "{{ mongodb_admin_pwd }}" + login_database: admin + # to provide additional auth details (eg for ssl* or auth_mechanism, set module_defaults in playbook) + # module_defaults: + # community.mongodb.mongodb_user: + # auth_mechanism: ... + tags: + - "mongodb" + - "app_user" diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/vars/Amazon.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/Amazon.yml new file mode 100644 index 00000000..190d2622 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/Amazon.yml @@ -0,0 +1,2 @@ +--- +pyyaml_package: PyYAML diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/vars/RedHat-7.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/RedHat-7.yml new file mode 100644 index 00000000..190d2622 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/RedHat-7.yml @@ -0,0 +1,2 @@ +--- +pyyaml_package: PyYAML diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/vars/RedHat-8.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/RedHat-8.yml new file mode 100644 index 00000000..ba3964da --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/RedHat-8.yml @@ -0,0 +1,2 @@ +--- +pyyaml_package: python3-pyyaml diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/vars/default.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/default.yml new file mode 100644 index 00000000..af98d755 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/default.yml @@ -0,0 +1,2 @@ +--- +pyyaml_package: "python{% if ansible_facts.python.version.major == 3 %}3{% endif %}-yaml" diff --git a/ansible_collections/community/mongodb/roles/mongodb_auth/vars/main.yml b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/main.yml new file mode 100644 index 00000000..458cdc63 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_auth/vars/main.yml @@ -0,0 +1,2 @@ +--- +mongodb_python: "{{ ansible_python_interpreter | default( (ansible_python|default({})).get('executable', 'python') ) }}" diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/.yamllint b/ansible_collections/community/mongodb/roles/mongodb_config/.yamllint new file mode 100644 index 00000000..88276760 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/README.md b/ansible_collections/community/mongodb/roles/mongodb_config/README.md new file mode 100644 index 00000000..4ab33efc --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/README.md @@ -0,0 +1,58 @@ +mongodb_config +============== + +A simple role to aid in setting up a CSRS Config Server Replicaset for a MongoDB sharded cluster. + +Role Variables +-------------- + +* `config_port`: The port used by the mongos process. Default 27019. +* `mongod_service`: The name of the mongod service. Default mongod. +* `mongodb_user`: The Linux OS user for MongoDB. Default mongod. +* `mongodb_group`: The Linux OS user group for MongoDB. Default mongod. +* `pid_file`: The pid file for mongos. Default /run/mongodb/mongos.pid. +* `log_path`: Path of the log file. Default /var/log/mongodb/mongod.log. +* `bind_ip`: The IP address mongod will bind to. Default 0.0.0.0. +* `bind_ip_all`: Have mongod bind to all IP addresses instead of specifying `bind_ip`. Default false. +* `config_repl_set_name`: The replicaset name for the config servers. Default cfg. +* `authorization`: Enable authorization. Default enabled. +* `openssl_keyfile_content`: The kexfile content that MongoDB uses to authenticate within a replicaset. Generate with cmd: openssl rand -base64 756. +* `openssl_keyfile_path`: Put the openssl_keyfile at this path. Default: /etc/keyfile +* `mongod_package`: The name of the mongod installation package. Default mongodb-org-server. +replicaset: When enabled add a replication section to the configuration. Default true. +* `net_compressors`: If this is set, this sets `net.compression.compressors` in mongod.conf. +* `mongod_config_template`: If defined allows to override path to mongod config template with custom configuration. Default "mongod.conf.j2" +* `skip_restart`: If set to `true` will skip restarting mongod service when config file or the keyfile content changes. Default `true`. +* `db_path`: Path to database data location. Default `/var/lib/mongodb` on Debian based distributions, `/var/lib/mongo` for others. +* `mongodb_use_tls`: Wether to use tls. Default false. +* `mongodb_certificate_key_file`: Path to the PEM-file containing the certficate and private key. +* `mongodb_certificate_ca_file`: Path to the CA-file. + +Dependencies +------------ + +mongodb_repository + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables +passed in as parameters) is always nice for users too: + + +```yaml + - hosts: servers + roles: + - { role: mongodb_repository } + - { role: mongodb_config, config_repl_set_name: "mycustomrs" } +``` + +License +------- + +BSD + +Author Information +------------------ + +Rhys Campbell (https://github.com/rhysmeister) diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/defaults/main.yml b/ansible_collections/community/mongodb/roles/mongodb_config/defaults/main.yml new file mode 100644 index 00000000..0460a8bd --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/defaults/main.yml @@ -0,0 +1,34 @@ +--- +# defaults file for mongodb_config +pid_file: /var/run/mongodb/mongod.pid +bind_ip: 0.0.0.0 +bind_ip_all: false +log_path: /var/log/mongodb/mongod.log +# config_port is in vars to facilitate molecule tests +config_repl_set_name: cfg +authorization: enabled +openssl_keyfile_path: /etc/keyfile +openssl_keyfile_content: | + Z2CeA9BMcoY5AUWoegjv/XWL2MA1SQcL4HvmRjYaTjSp/xosJy+LL2X3OQb1xVWC + rO2e6Tu6A3R4muunitI6Vr0IKeU5UbTpR0N4hSU6HDrV9z2PIEWlkQqKh01ZRLEY + V3hR73acj0jA8eWIWeiV039d18jvMb8X2h8409lfcD6PPJJGjyaC8S4LY/TrsK2z + tx+l/vqOOAMhGB5mEMjx1LXUMsRG9ot6vFu9I5LPd1A4q9xw9jddYK5C6YTLccun + ZyCDsv7ImkCprV0+0vhTyxIEnfaNtvOlWypuvmRr/DEyd2NPowd1n6C+rgk8gs1t + SGLCZP93gXza0rIoQzHtuf5pOJK9qyKjuNtuuLa/KFsida8a69JXn7fmS0IIja0m + Ir0OrQ2Ta3n4VbQwQo97BWODWmkgzz0mUd6VmMps5zLsCW1vVqYFQHuAAbLekW0q + 8JRm8OQ6n2hp8j4zYd3/Qw7vqsVj8sHicNB0bCW29b64H4f2J/AcUA/cm0xSUQyb + +myeCB4vWvydh5AfFVnw7sXvzU6egaYRomdmrl59QrTDneJu13hwzIchsFparoWJ + XjpldopGeDaJLU18ga7MSL02ozB+EoJ14DJxQU7E5MQk7fDMPeitXKZ8ymxb7LeA + k0Rtc/JQM8aDLoRklhLZRRARBrv1RLo8DM8CB2q4s+FwVU4QJl7mFyiwk3eTN6sN + PTgFRo3/dHsEA2OwGG+hnGFGnoYf2mkECR5jqai83CXgva9v2rPNjDTJYHpmd3I0 + fNijueXZZdzUA58y8mcoSGVYdRhr0g8jaWQ12PZEgX5Nnlekh5GHG0j8HT4qj/0Y + D3xVuE3WvrhldY5EOsaTt2ZXZx5REmJDIW1KcnvQKiVDJ2QzP5xdXYA0hh3TdTVE + sb4UreMw/WyBpANiICMlJRBgSd0f0VGMlYzLX2BL14YpNnLhmoQqKzfBN6v2XAEG + mJfrCUVuP1nBEklk23lYkNi/ohe+aodNjdN+2DHp42sGZHYP +mongod_package: "mongodb-org-server" +replicaset: true +net_compressors: null +mongod_config_template: "configsrv.conf.j2" +skip_restart: true +db_path: "{{ '/var/lib/mongodb' if ansible_os_family == 'Debian' else '/var/lib/mongo' if ansible_os_family == 'RedHat' else '/var/lib/mongo' }}" +mongodb_use_tls: false diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/handlers/main.yml b/ansible_collections/community/mongodb/roles/mongodb_config/handlers/main.yml new file mode 100644 index 00000000..ff695029 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/handlers/main.yml @@ -0,0 +1,14 @@ +--- +- name: Restart mongod + listen: Restart mongod service + service: + name: "{{ mongod_service }}" + state: restarted + when: not skip_restart + +- name: Wait for port to become active + listen: Restart mongod service + wait_for: + host: "{{ bind_ip | split(',') | first }}" + port: "{{ config_port }}" + when: not skip_restart diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/meta/main.yml b/ansible_collections/community/mongodb/roles/mongodb_config/meta/main.yml new file mode 100644 index 00000000..10dd8449 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/meta/main.yml @@ -0,0 +1,57 @@ +--- +galaxy_info: + author: Rhys Campbell + description: Configure the CSRS Config Server Replicaset for a MongoDB sharded cluster. (Use mongodb_mongod for Standalone installations - this does not create mongo.conf) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: GPLv3 + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/molecule.yml new file mode 100644 index 00000000..2ce4bf91 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/molecule.yml @@ -0,0 +1,69 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + hostname: centos_7 + image: centos:7 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mymongo" + network_mode: "mymongo" + - name: ubuntu_18 + hostname: ubuntu_18 + image: ubuntu:18.04 + command: /sbin/init + privileged: True + networks: + - name: "mymongo" + network_mode: "mymongo" + - name: debian_buster + hostname: debian_buster + image: debian:buster + command: /sbin/init + privileged: True + networks: + - name: "mymongo" + network_mode: "mymongo" + - name: debian_bullseye + hostname: debian_bullseye + image: debian:bullseye + command: /sbin/init + privileged: True + networks: + - name: "mymongo" + network_mode: "mymongo" + - name: amazonlinux + hostname: amazonlinux + image: amazonlinux:2 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mymongo" +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/playbook.yml new file mode 100644 index 00000000..8838f2df --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/playbook.yml @@ -0,0 +1,39 @@ +--- +- name: Converge + hosts: all + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_config + vars: + db_path: "/data/db" + + tasks: + + - name: Install python stuff + package: + name: ["python-setuptools", "python-pip"] + when: ansible_hostname == "amazonlinux" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + when: ansible_hostname == "amazonlinux" + + - name: Install MongoDB Shell + package: + name: mongodb-mongosh + + - name: Init config server replicaset + community.mongodb.mongodb_replicaset: + login_host: localhost + login_port: 27019 + replica_set: cfg + validate: no + members: + - centos_7:27019 + - amazonlinux:27019 + - ubuntu_18:27019 + - debian_bullseye:27019 + - debian_buster:27019 + when: ansible_hostname == "amazonlinux" diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/prepare.yml new file mode 100644 index 00000000..9bb20f0b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/prepare.yml @@ -0,0 +1,22 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + redhat_packages: + - net-tools + tasks: + + - name: Ensure epel is available + package: + name: epel-release + state: present + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Amazon" + + - name: Install redhat packages + package: + name: "{{ redhat_packages }}" + state: present + when: ansible_os_family == "RedHat"
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/tests/test_default.py new file mode 100644 index 00000000..6832e3f9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/custom_db_path/tests/test_default.py @@ -0,0 +1,80 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + ansible = host.ansible('include_vars', + 'file="../../vars/Debian.yml"', + False, + False) + else: + ansible = host.ansible('include_vars', + 'file="../../vars/RedHat.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + mongodb_user = include_vars(host)['ansible_facts']['mongodb_user'] + mongodb_group = include_vars(host)['ansible_facts']['mongodb_group'] + f = host.file('/etc/mongod.conf') + + assert f.exists + assert f.user == mongodb_user + assert f.group == mongodb_group + + +def test_mongod_service(host): + mongod_service = include_vars(host)['ansible_facts']['mongod_service'] + s = host.service(mongod_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + port = include_vars(host)['ansible_facts']['config_port'] + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + + assert s.is_listening + + +def test_mongod_replicaset(host): + ''' + Ensure that the MongoDB config replicaset has been created successfully + ''' + port = include_vars(host)['ansible_facts']['config_port'] + cmd = "mongosh --port {0} --eval 'rs.status()'".format(port) + # We only want to run this once + if host.ansible.get_variables()['inventory_hostname'] == "amazonlinux": + r = host.run(cmd) + + assert "cfg" in r.stdout + assert "centos_7:{0}".format(port) in r.stdout + assert "amazonlinux:{0}".format(port) in r.stdout + assert "ubuntu_18:{0}".format(port) in r.stdout + assert "debian_buster:{0}".format(port) in r.stdout + assert "debian_bullseye:{0}".format(port) in r.stdout + + +def test_mongod_config_custom_path(host): + ''' + Ensure that the custom path is respected + ''' + default_path = "/data/db" + + # assert path exists + f = host.file(default_path) + assert f.exists + assert f.is_directory + # assert mongodb.conf contains path + conf = host.file('/etc/mongod.conf').content_string + assert "dbPath: {0}".format(default_path) in conf diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/Dockerfile.j2 new file mode 100644 index 00000000..873b4939 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %}
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/molecule.yml new file mode 100644 index 00000000..2ce4bf91 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/molecule.yml @@ -0,0 +1,69 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + hostname: centos_7 + image: centos:7 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mymongo" + network_mode: "mymongo" + - name: ubuntu_18 + hostname: ubuntu_18 + image: ubuntu:18.04 + command: /sbin/init + privileged: True + networks: + - name: "mymongo" + network_mode: "mymongo" + - name: debian_buster + hostname: debian_buster + image: debian:buster + command: /sbin/init + privileged: True + networks: + - name: "mymongo" + network_mode: "mymongo" + - name: debian_bullseye + hostname: debian_bullseye + image: debian:bullseye + command: /sbin/init + privileged: True + networks: + - name: "mymongo" + network_mode: "mymongo" + - name: amazonlinux + hostname: amazonlinux + image: amazonlinux:2 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mymongo" +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/playbook.yml new file mode 100644 index 00000000..e5131ba5 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/playbook.yml @@ -0,0 +1,37 @@ +--- +- name: Converge + hosts: all + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_config + + tasks: + + - name: Install python stuff + package: + name: ["python-setuptools", "python-pip"] + when: ansible_hostname == "amazonlinux" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + when: ansible_hostname == "amazonlinux" + + - name: Install MongoDB Shell + package: + name: mongodb-mongosh + + - name: Init config server replicaset + community.mongodb.mongodb_replicaset: + login_host: localhost + login_port: 27019 + replica_set: cfg + validate: no + members: + - centos_7:27019 + - amazonlinux:27019 + - ubuntu_18:27019 + - debian_bullseye:27019 + - debian_buster:27019 + when: ansible_hostname == "amazonlinux" diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/prepare.yml new file mode 100644 index 00000000..9bb20f0b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/prepare.yml @@ -0,0 +1,22 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + redhat_packages: + - net-tools + tasks: + + - name: Ensure epel is available + package: + name: epel-release + state: present + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Amazon" + + - name: Install redhat packages + package: + name: "{{ redhat_packages }}" + state: present + when: ansible_os_family == "RedHat"
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/tests/test_default.py new file mode 100644 index 00000000..33130751 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/default/tests/test_default.py @@ -0,0 +1,85 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + ansible = host.ansible('include_vars', + 'file="../../vars/Debian.yml"', + False, + False) + else: + ansible = host.ansible('include_vars', + 'file="../../vars/RedHat.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + mongodb_user = include_vars(host)['ansible_facts']['mongodb_user'] + mongodb_group = include_vars(host)['ansible_facts']['mongodb_group'] + f = host.file('/etc/mongod.conf') + + assert f.exists + assert f.user == mongodb_user + assert f.group == mongodb_group + + +def test_mongod_service(host): + mongod_service = include_vars(host)['ansible_facts']['mongod_service'] + s = host.service(mongod_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + port = include_vars(host)['ansible_facts']['config_port'] + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + + assert s.is_listening + + +def test_mongod_replicaset(host): + ''' + Ensure that the MongoDB config replicaset has been created successfully + ''' + port = include_vars(host)['ansible_facts']['config_port'] + cmd = "mongosh --port {0} --eval 'rs.status()'".format(port) + # We only want to run this once + if host.ansible.get_variables()['inventory_hostname'] == "amazonlinux": + r = host.run(cmd) + + assert "cfg" in r.stdout + assert "centos_7:{0}".format(port) in r.stdout + assert "amazonlinux:{0}".format(port) in r.stdout + assert "ubuntu_18:{0}".format(port) in r.stdout + assert "debian_buster:{0}".format(port) in r.stdout + assert "debian_bullseye:{0}".format(port) in r.stdout + + +def test_mongod_config_default_path(host): + ''' + Ensure that the default paths for RedHat and Debian based OSes are respected + ''' + hostname = host.ansible.get_variables()['inventory_hostname'] + default_path = "/var/lib/mongo" + if hostname.startswith('centos'): + default_path = "/var/lib/mongo" + elif hostname.startswith('ubuntu') or hostname.startswith('debian'): + default_path = "/var/lib/mongodb" + + # assert path exists + f = host.file(default_path) + assert f.exists + assert f.is_directory + # asset mongodb.cnf contains path + conf = host.file('/etc/mongod.conf').content_string + assert "dbPath: {0}".format(default_path) in conf diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/molecule.yml new file mode 100644 index 00000000..14d29680 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/molecule.yml @@ -0,0 +1,54 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant + provider: + name: virtualbox +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos-7 + box: centos/7 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-16 + box: ubuntu/xenial64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-18 + box: ubuntu/bionic64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-buster + box: debian/buster64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-stretch + box: debian/contrib-stretch64 # Standard debian/stretch64 had issues: Unable to locate package linux-headers-4.9.0-9-amd64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/playbook.yml new file mode 100644 index 00000000..4e699306 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/playbook.yml @@ -0,0 +1,38 @@ +--- +- name: Converge + hosts: all + become: yes + + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_config + + tasks: + + - name: Install python stuff + package: + name: ["python-setuptools", "python-pip"] + when: ansible_hostname == "ubuntu-16" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + when: ansible_hostname == "ubuntu-16" + + - name: Install MongoDB Shell + package: + name: mongodb-org-shell + + - name: Init config server replicaset + community.mongodb.mongodb_replicaset: + login_host: localhost + login_port: 27019 + replica_set: cfg + members: + - ubuntu-16.local:27019 + - ubuntu-18.local:27019 + - debian-stretch.local:27019 + - debian-buster.local:27019 + - centos-7.local:27019 + when: ansible_hostname == "ubuntu-16" diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/prepare.yml new file mode 100644 index 00000000..acf089f2 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/prepare.yml @@ -0,0 +1,39 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + avahi_packages_redhat: + - "avahi" + - "nss-mdns" + avahi_packages_debian: + - "avahi-daemon" + - "avahi-discover" + - "libnss-mdns" + tasks: + + - name: Ensure epel is available + yum: + name: epel-release + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_redhat }}" + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_debian }}" + state: present + when: ansible_os_family == "Debian" + + - name: Reboot host for avahi-daemon + reboot: + + - name: Ensure avahi-daemon is started + service: + name: avahi-daemon + state: started diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/tests/test_default.py new file mode 100644 index 00000000..e49d8408 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/molecule/virtualbox/tests/test_default.py @@ -0,0 +1,65 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + ansible = host.ansible('include_vars', + 'file="../../vars/Debian.yml"', + False, + False) + else: + ansible = host.ansible('include_vars', + 'file="../../vars/RedHat.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + mongodb_user = include_vars(host)['ansible_facts']['mongodb_user'] + mongodb_group = include_vars(host)['ansible_facts']['mongodb_group'] + f = host.file('/etc/mongod.conf') + + assert f.exists + assert f.user == mongodb_user + assert f.group == mongodb_group + + +def test_mongod_service(host): + mongod_service = include_vars(host)['ansible_facts']['mongod_service'] + s = host.service(mongod_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + port = include_vars(host)['ansible_facts']['config_port'] + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + + assert s.is_listening + + +def test_mongod_cfg_replicaset(host): + ''' + Ensure that the MongoDB config replicaset has been created successfully + ''' + port = include_vars(host)['ansible_facts']['config_port'] + cmd = "mongo --port {0} --eval 'rs.status()'".format(port) + # We only want to run this once + if host.ansible.get_variables()['inventory_hostname'] == "amazonlinux": + r = host.run(cmd) + + assert "cfg" in r.stdout + assert "amazonlinux.local:{0}".format(port) in r.stdout + assert "ubuntu-18.local:{0}".format(port) in r.stdout + assert "debian-buster.local:{0}".format(port) in r.stdout + assert "debian-stretch.local:{0}".format(port) in r.stdout + assert "centos-7.local:{0}".format(port) in r.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/tasks/main.yml b/ansible_collections/community/mongodb/roles/mongodb_config/tasks/main.yml new file mode 100644 index 00000000..5f394925 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/tasks/main.yml @@ -0,0 +1,79 @@ +--- +# tasks file for mongodb_config +- name: Include OS-specific vars + include_vars: + file: "{{ lookup('first_found', params) }}" + vars: + params: + paths: + - "vars" + files: + - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml" + - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml" + - "{{ ansible_facts.distribution }}.yml" + - "{{ ansible_facts.os_family }}.yml" + - default.yml + tags: + "vars" + +- name: Ensure mongod package is installed + package: + name: "{{ mongod_package }}" + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "pkg" + - "setup" + - "mongodb" + +- name: Ensure db_path dir exists + file: + path: "{{ db_path }}" + state: directory + owner: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + tags: + - "setup" + - "mongodb" + +- name: Copy config file + template: + src: "{{ mongod_config_template }}" + dest: /etc/mongod.conf + owner: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + notify: + - Restart mongod service + tags: + - "setup" + - "mongodb" + +- name: Copy keyfile to host + copy: + content: | + {{ openssl_keyfile_content }} + dest: "{{ openssl_keyfile_path }}" + owner: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + mode: 0400 + notify: + - Restart mongod service + tags: + - "setup" + - "mongodb" + +- name: Check for github override + set_fact: + x_github_override: "{{ lookup('env', 'X_GITHUB_OVERRIDE') | default('0', True) }}" + tags: + - "ci" + +- name: Start mongod service + service: + name: "{{ mongod_service }}" + state: started + enabled: yes + tags: + - "mongodb" + - "service" diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/templates/configsrv.conf.j2 b/ansible_collections/community/mongodb/roles/mongodb_config/templates/configsrv.conf.j2 new file mode 100644 index 00000000..d6f3ba7d --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/templates/configsrv.conf.j2 @@ -0,0 +1,60 @@ +# mongod.conf + +# for documentation of all options, see: +# http://docs.mongodb.org/manual/reference/configuration-options/ + +# where to write logging data. +systemLog: + destination: file + logAppend: true + path: {{ log_path }} + +# Where and how to store data. +storage: + dbPath: {{ db_path }} + journal: + enabled: true + engine: "wiredTiger" + +# how the process runs +processManagement: +{% if ansible_facts.os_family == "RedHat" %} # Breaks Ubuntu / Debian + fork: true + pidFilePath: /var/run/mongodb/mongod.pid +{% endif %} + timeZoneInfo: /usr/share/zoneinfo + +# network interfaces +net: + port: {{ config_port }} +{% if bind_ip_all %} + bindIpAll: true +{% else %} + bindIp: {{ bind_ip }} +{% endif %} +{% if net_compressors %} + compression: + compressors: {{ net_compressors }} +{% endif %} +{% if mongodb_use_tls %} + tls: + mode: requireTLS + certificateKeyFile: {{ mongodb_certificate_key_file }} + CAFile: {{ mongodb_certificate_ca_file }} +{% endif %} + +{% if authorization == "enabled" %} +security: + authorization: {{ authorization }} + keyFile: {{ openssl_keyfile_path }} +{% endif %} + +#operationProfiling: + +{% if replicaset %} +replication: + replSetName: {{ config_repl_set_name }} +{% endif %} + +sharding: + clusterRole: configsvr diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/vars/Debian.yml b/ansible_collections/community/mongodb/roles/mongodb_config/vars/Debian.yml new file mode 100644 index 00000000..4e72a693 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/vars/Debian.yml @@ -0,0 +1,5 @@ +--- +config_port: 27019 +mongodb_user: "mongodb" +mongodb_group: "mongodb" +mongod_service: "mongod" diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/vars/RedHat.yml b/ansible_collections/community/mongodb/roles/mongodb_config/vars/RedHat.yml new file mode 100644 index 00000000..b9bd15f0 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/vars/RedHat.yml @@ -0,0 +1,5 @@ +--- +config_port: 27019 +mongodb_user: "mongod" +mongodb_group: "mongod" +mongod_service: "mongod" diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/vars/default.yml b/ansible_collections/community/mongodb/roles/mongodb_config/vars/default.yml new file mode 100644 index 00000000..b9bd15f0 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/vars/default.yml @@ -0,0 +1,5 @@ +--- +config_port: 27019 +mongodb_user: "mongod" +mongodb_group: "mongod" +mongod_service: "mongod" diff --git a/ansible_collections/community/mongodb/roles/mongodb_config/vars/main.yml b/ansible_collections/community/mongodb/roles/mongodb_config/vars/main.yml new file mode 100644 index 00000000..ed97d539 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_config/vars/main.yml @@ -0,0 +1 @@ +--- diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/.yamllint b/ansible_collections/community/mongodb/roles/mongodb_install/.yamllint new file mode 100644 index 00000000..88276760 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/README.md b/ansible_collections/community/mongodb/roles/mongodb_install/README.md new file mode 100644 index 00000000..d1642368 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/README.md @@ -0,0 +1,34 @@ +mongodb_install +=============== + +Install MongoDB packages on Debian and RedHat based platforms. Installs the mongodb-org meta-package which then installs the following packages: mongodb-org-server, mongodb-org-shell, mongodb-org-mongos, mongodb-org-tools. + +Role Variables +-------------- + +specific_mongodb_version - Install a specific version of mongodb i.e. 4.4.1. The specified version must be available in the system repositories. By default this variable is undefined. +mongodb_hold_packages - Runs the lock_mongodb_packages.sh script to either lock mongodb-org packages at a specific version or to release the lock. Set to "HOLD" or "NOHOLD" as desired. No checks are made to see if the hold already exists or not. By default this variable is undefined and the script is not executed. The task is executed at the end and it is possible that packages could be upgraded before the lock is initially applied. + +Dependencies +------------ +mongodb_repository + +Example Playbook +---------------- + +```yaml + - hosts: servers + roles: + - mongodb_repository + - mongodb_install +``` + +License +------- + +BSD + +Author Information +------------------ + +Rhys Campbell (https://github.com/rhysmeister) diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/files/lock_mongodb_packages.sh b/ansible_collections/community/mongodb/roles/mongodb_install/files/lock_mongodb_packages.sh new file mode 100644 index 00000000..0c3e8e6f --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/files/lock_mongodb_packages.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash +# Hold mongodb-org packages on RHEL and Debian based systems + +set -e; +set -u; + +HOLD="$1"; +PACKAGE_NAME="mongodb-org*" + +if [[ "$HOLD" == "HOLD" ]]; then + if command -v yum &> /dev/null; then + yum versionlock "$PACKAGE_NAME" && touch /root/mongo_version_lock.success; + elif command -v apt-mark &> /dev/null; then + apt-mark hold "$PACKAGE_NAME" && touch /root/mongo_version_lock.success; + fi; +elif [[ "$HOLD" == "NOHOLD" ]]; then + if command -v yum &> /dev/null; then + yum versionlock delete "$PACKAGE_NAME" || true && rm -rf /root/mongo_version_lock.success; + elif command -v apt-mark &> /dev/null; then + apt-mark unhold "$PACKAGE_NAME" && rm -rf /root/mongo_version_lock.success; + fi; +else + echo "No action taken"; +fi; diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/meta/main.yml b/ansible_collections/community/mongodb/roles/mongodb_install/meta/main.yml new file mode 100644 index 00000000..ed4e3c4e --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/meta/main.yml @@ -0,0 +1,57 @@ +--- +galaxy_info: + author: Rhys Campbell + description: Install MongoDB packages on Debian and RedHat based platforms. + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: GPLv3 + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/molecule.yml new file mode 100644 index 00000000..985257fb --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/molecule.yml @@ -0,0 +1,42 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + - name: ubuntu_18 + image: ubuntu:18.04 + privileged: yes + command: "/sbin/init" + - name: debian_buster + image: debian:buster + privileged: yes + command: "/sbin/init" + - name: debian_bullseye + image: debian:bullseye + privileged: yes + command: "/sbin/init" + - name: amazonlinux + image: amazonlinux:2 +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/playbook.yml new file mode 100644 index 00000000..cfcf732b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/playbook.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_install diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/tests/test_default.py new file mode 100644 index 00000000..08024e35 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/default/tests/test_default.py @@ -0,0 +1,30 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def test_mongod_available(host): + cmd = host.run("mongod --version") + assert cmd.rc == 0 + assert "db version" in cmd.stdout + + +def test_mongo_available(host): + cmd = host.run("mongosh --version") + assert cmd.rc == 0 + + +def test_mongos_available(host): + cmd = host.run("mongos --version") + assert cmd.rc == 0 + assert "mongos version" in cmd.stdout + + +def test_mongodump_available(host): + cmd = host.run("mongodump --version") + assert cmd.rc == 0 + assert "mongodump version" in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/molecule.yml new file mode 100644 index 00000000..69fbac20 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/molecule.yml @@ -0,0 +1,50 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + - name: amazonlinux + image: amazonlinux:2 + - name: ubuntu_18 + image: ubuntu:18.04 + - name: debian_buster + image: debian:buster + - name: debian_bullseye + image: debian:bullseye +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' +scenario: + test_sequence: + - dependency + - lint + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - side_effect + - verify + - cleanup + - destroy diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/playbook.yml new file mode 100644 index 00000000..12ddc3a7 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/playbook.yml @@ -0,0 +1,8 @@ +--- +- name: Converge + hosts: all + vars: + mongodb_hold_packages: "HOLD" + roles: + - role: mongodb_repository + - role: mongodb_install diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/prepare.yml new file mode 100644 index 00000000..8a94ca7e --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/prepare.yml @@ -0,0 +1,12 @@ +--- +- name: Prepare + hosts: all + become: yes + + tasks: + + - name: Required packages + yum: + name: yum-plugin-versionlock + state: present + when: ansible_facts.os_family == "RedHat" diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/tests/test_default.py new file mode 100644 index 00000000..6710d267 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_hold_packages/tests/test_default.py @@ -0,0 +1,37 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def test_mongodb_lock_file(host): + f = host.file("/root/mongo_version_lock.success") + assert f.exists + + +def test_mongodb_packages_not_installed(host): + p = host.package("mongodb-org") + assert p.is_installed + p = host.package("mongodb-org-server") + assert p.is_installed + p = host.package("mongodb-mongosh") + assert p.is_installed + p = host.package("mongodb-org-mongos") + assert p.is_installed + p = host.package("mongodb-org-tools") + assert p.is_installed + + +def test_mongodb_packages_held(host): + if not host.ansible.get_variables()['inventory_hostname'].startswith('centos') \ + and not host.ansible.get_variables()['inventory_hostname'].startswith('amazonlinux'): + c = "apt-mark showhold" + elif host.ansible.get_variables()['inventory_hostname'].startswith('centos') \ + or host.ansible.get_variables()['inventory_hostname'].startswith('amazonlinux'): + c = "yum versionlock list" + cmd = host.run(c) + assert cmd.rc == 0 + assert 'mongodb-org' in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/molecule.yml new file mode 100644 index 00000000..69fbac20 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/molecule.yml @@ -0,0 +1,50 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + - name: amazonlinux + image: amazonlinux:2 + - name: ubuntu_18 + image: ubuntu:18.04 + - name: debian_buster + image: debian:buster + - name: debian_bullseye + image: debian:bullseye +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' +scenario: + test_sequence: + - dependency + - lint + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - side_effect + - verify + - cleanup + - destroy diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/playbook.yml new file mode 100644 index 00000000..e74a45b4 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/playbook.yml @@ -0,0 +1,8 @@ +--- +- name: Converge + hosts: all + vars: + mongodb_hold_packages: "NOHOLD" + roles: + - role: mongodb_repository + - role: mongodb_install diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/prepare.yml new file mode 100644 index 00000000..325651e0 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/prepare.yml @@ -0,0 +1,12 @@ +--- +- name: Prepare + hosts: all + become: yes + + tasks: + + - name: Required packages + yum: + name: yum-plugin-versionlock + state: present + when: ansible_facts.os_family == "RedHat"
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/tests/test_default.py new file mode 100644 index 00000000..948c34b8 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/mongodb_nohold_packages/tests/test_default.py @@ -0,0 +1,36 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def test_mongodb_lock_file(host): + f = host.file("/root/mongo_version_lock.success") + assert not f.exists + + +def test_mongodb_packages_installed(host): + p = host.package("mongodb-org") + assert p.is_installed + p = host.package("mongodb-org-server") + assert p.is_installed + p = host.package("mongodb-mongosh") + assert p.is_installed + p = host.package("mongodb-org-mongos") + assert p.is_installed + p = host.package("mongodb-org-tools") + assert p.is_installed + + +def test_mongodb_packages_held(host): + if host.ansible.get_variables()['inventory_hostname'] in ['debian_buster', 'debian_bullseye', 'ubuntu_18']: + c = "apt-mark showhold" + elif host.ansible.get_variables()['inventory_hostname'].startswith('centos') \ + or host.ansible.get_variables()['inventory_hostname'].startswith('amazonlinux'): + c = "yum versionlock list" + cmd = host.run(c) + assert cmd.rc == 0 + assert 'mongodb-org' not in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/Dockerfile.j2 new file mode 100644 index 00000000..873b4939 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %}
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/molecule.yml new file mode 100644 index 00000000..bc5d8faf --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/molecule.yml @@ -0,0 +1,36 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + - name: amazonlinux + image: amazonlinux:2 + - name: ubuntu_18 + image: ubuntu:18.04 + - name: debian_buster + image: debian:buster + - name: debian_bullseye + image: debian:bullseye +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/playbook.yml new file mode 100644 index 00000000..9008b5f1 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/playbook.yml @@ -0,0 +1,9 @@ +--- +- name: Converge + hosts: all + vars: + specific_mongodb_version: "6.0.3" + roles: + - role: mongodb_repository + mongodb_version: "6.0" + - role: mongodb_install diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/tests/test_default.py new file mode 100644 index 00000000..b18055ed --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/specific_mongodb_version/tests/test_default.py @@ -0,0 +1,36 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def test_mongod_available(host): + cmd = host.run("mongod --version") + assert cmd.rc == 0 + assert "db version" in cmd.stdout + + +def test_mongo_available(host): + cmd = host.run("mongosh --version") + assert cmd.rc == 0 + + +def test_mongos_available(host): + cmd = host.run("mongos --version") + assert cmd.rc == 0 + assert "mongos version" in cmd.stdout + + +def test_mongodump_available(host): + cmd = host.run("mongodump --version") + assert cmd.rc == 0 + assert "mongodump version" in cmd.stdout + + +def test_specific_mongodb_version(host): + cmd = host.run("mongod --version") + assert cmd.rc == 0 + assert "6.0.3" in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/molecule.yml new file mode 100644 index 00000000..14d29680 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/molecule.yml @@ -0,0 +1,54 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant + provider: + name: virtualbox +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos-7 + box: centos/7 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-16 + box: ubuntu/xenial64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-18 + box: ubuntu/bionic64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-buster + box: debian/buster64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-stretch + box: debian/contrib-stretch64 # Standard debian/stretch64 had issues: Unable to locate package linux-headers-4.9.0-9-amd64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/playbook.yml new file mode 100644 index 00000000..1b64ffc5 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/playbook.yml @@ -0,0 +1,8 @@ +--- +- name: Converge + hosts: all + become: yes + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_install diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/prepare.yml new file mode 100644 index 00000000..98711356 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/prepare.yml @@ -0,0 +1,43 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + avahi_packages_redhat: + - "avahi" + - "nss-mdns" + avahi_packages_debian: + - "avahi-daemon" + - "avahi-discover" + - "libnss-mdns" + tasks: + + - name: Ensure epel is available + yum: + name: epel-release + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_redhat }}" + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_debian }}" + state: present + when: ansible_os_family == "Debian" + + # debian-stretch seems to require a reboot for avahi-daemon to run + - name: Reboot host + reboot: + + - name: Ensure services are started + service: + name: "{{ item }}" + state: started + with_items: + #- dbus + - avahi-daemon diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/tests/test_default.py new file mode 100644 index 00000000..b8a23ad4 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/molecule/virtualbox/tests/test_default.py @@ -0,0 +1,31 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def test_mongod_available(host): + cmd = host.run("mongod --version") + assert cmd.rc == 0 + assert "db version" in cmd.stdout + + +def test_mongo_available(host): + cmd = host.run("mongo --version") + assert cmd.rc == 0 + assert "MongoDB shell version" in cmd.stdout + + +def test_mongos_available(host): + cmd = host.run("mongos --version") + assert cmd.rc == 0 + assert "mongos version" in cmd.stdout + + +def test_mongodump_available(host): + cmd = host.run("mongodump --version") + assert cmd.rc == 0 + assert "mongodump version" in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_install/tasks/main.yml b/ansible_collections/community/mongodb/roles/mongodb_install/tasks/main.yml new file mode 100644 index 00000000..be872912 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_install/tasks/main.yml @@ -0,0 +1,61 @@ +--- +# tasks file for mongodb_install +- name: Install MongoDB Packages + package: + name: mongodb-org + state: present + when: specific_mongodb_version is not defined + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "mongodb" + - "setup" + - "pkg" + +- name: Install MongoDB Packages (Specific version) + package: + name: "mongodb-org*{{ specific_mongodb_version }}" + state: present + when: + - specific_mongodb_version is defined + - ansible_facts.os_family == "RedHat" + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "mongodb" + - "setup" + - "pkg" + +# apt silliness: +# In order to upgrade/downgrade to a specific version of mongodb-org, +# we must also specifiy version of mongodb-org deps. +# https://dba.stackexchange.com/questions/197336/how-to-install-specific-mongo-version-from-the-ppa +- name: Install MongoDB Packages (Specific version) + package: + name: + - "mongodb-org={{ specific_mongodb_version }}" + - "mongodb-org-server={{ specific_mongodb_version }}" + - "mongodb-mongosh" # mongosh package uses a new versioning number schema + - "mongodb-org-mongos={{ specific_mongodb_version }}" + - "mongodb-org-tools={{ specific_mongodb_version }}" + state: present + when: + - specific_mongodb_version is defined + - ansible_facts.os_family == "Debian" + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "mongodb" + - "setup" + - "pkg" + - "debian" + +- name: Manage package locks - {{ mongodb_hold_packages }} + script: lock_mongodb_packages.sh {{ mongodb_hold_packages }} + when: + - mongodb_hold_packages is defined + tags: + - "mongodb" diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/README.md b/ansible_collections/community/mongodb/roles/mongodb_linux/README.md new file mode 100644 index 00000000..7cc37be4 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/README.md @@ -0,0 +1,42 @@ +mongodb_linux +============= + +A simple role to configure Linux Operating System settings, for Debian and RedHat systems, as advised in the [MongoDB Production Notes](https://docs.mongodb.com/manual/administration/production-notes/). + +A brief description of what we do in this role: + +* Set swappiness. +* Ensure NTP (or equivalent) service is installed and running. +* Ensure GNU C Library is the latest available. +* Disable NUMA reclaim zone. +* Add script to disable transparent-huge-pages and setup as a service. +* Set pam limits. +* Set various sysctl values. + +Role Variables +-------------- + +swappiness: OS swappiness value. Default "1". +ntp_package: Name of ntp package. Default ntp. +ntp_service: Name of ntp service. Default ntpd. + +* On RedHat 8 and higher systems ntp_package and ntp_service are set to chrony and chronyd respectively. + +Example Playbook +---------------- + +```yaml + - hosts: servers + roles: + - mongodb_linux +``` + +License +------- + +BSD + +Author Information +------------------ + +Rhys Campbell (https://github.com/rhysmeister) diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/defaults/main.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/defaults/main.yml new file mode 100644 index 00000000..7b2a0a68 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/defaults/main.yml @@ -0,0 +1,10 @@ +--- +# defaults file for mongodb_linux + +# swappiness is 0-100; 60 is the default on many distros. +# 0=disable swapping; 1=swap only to avoid OOM; 60=swap often; 100=swap aggressively +swappiness: "1" + +nproc_and_nofile_limit: 64000 +# TODO: mongo suggests infinity here +memlock_limit: 1024 diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/files/thp-disable.service b/ansible_collections/community/mongodb/roles/mongodb_linux/files/thp-disable.service new file mode 100644 index 00000000..3602ed7b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/files/thp-disable.service @@ -0,0 +1,9 @@ +[Unit] +Description=Disable Transparent Huge Pages + +[Service] +Type=oneshot +ExecStart=/usr/bin/env sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag" + +[Install] +WantedBy=multi-user.target diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/meta/main.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/meta/main.yml new file mode 100644 index 00000000..8ed890e5 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/meta/main.yml @@ -0,0 +1,57 @@ +--- +galaxy_info: + author: Rhys Campbell + description: A simple role to configure Linux Operating System settings, as advised in the MongoDB Production Notes. + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: GPLv3 + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/Dockerfile.j2 new file mode 100644 index 00000000..7ca3536c --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo procps-ng; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %}
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/molecule.yml new file mode 100644 index 00000000..048dd024 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/molecule.yml @@ -0,0 +1,65 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mongodb_linux" + network_mode: "mongodb_linux" + - name: ubuntu_18 + image: ubuntu:18.04 + command: /sbin/init + privileged: True + networks: + - name: "mongodb_linux" + network_mode: "mongodb_linux" + - name: debian_buster + image: debian:buster + command: /sbin/init + privileged: True + networks: + - name: "mongodb_linux" + network_mode: "mongodb_linux" + - name: debian_bullseye + image: debian:bullseye + command: /sbin/init + privileged: True + networks: + - name: "mongodb_linux" + network_mode: "mongodb_linux" + - name: amazonlinux + image: amazonlinux:2 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mongodb_linux" + network_mode: "mongodb_linux" +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/playbook.yml new file mode 100644 index 00000000..89bccd5e --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/playbook.yml @@ -0,0 +1,5 @@ +--- +- name: Converge + hosts: all + roles: + - role: mongodb_linux diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/tests/test_default.py new file mode 100644 index 00000000..266562ad --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/default/tests/test_default.py @@ -0,0 +1,81 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def test_ntp_package(host): + ntp = host.package("ntp") + chrony = host.package("chrony") + assert ntp.is_installed or chrony.is_installed + + +def test_ntpd_service(host): + ntpd = host.service("ntpd") + + if ntpd.is_running: + assert ntpd.is_enabled + else: + ntp = host.service("ntp") + if ntp.is_running: + assert ntp.is_enabled + else: + chronyd = host.service("chronyd") + assert chronyd.is_running + assert chronyd.is_enabled + + +def test_swappiness_value(host): + cmd = host.run("cat /proc/sys/vm/swappiness") + + assert cmd.rc == 0 + assert cmd.stdout.strip() == "1" + + +def test_thp_service_file(host): + f = host.file("/etc/systemd/system/disable-transparent-huge-pages.service") + + assert f.exists + assert f.user == "root" + assert f.group == "root" + + +def test_thp_service(host): + ''' + Validates the service actually works + ''' + switches = ["/sys/kernel/mm/transparent_hugepage/enabled", + "/sys/kernel/mm/transparent_hugepage/defrag"] + + facts = host.ansible("setup")["ansible_facts"] + virt_types = facts.get("ansible_virtualization_tech_guest", [facts["ansible_virtualization_type"]]) + in_docker = "container" in virt_types or "docker" in virt_types + # in_docker is false on GHA here since they use custom parent cgroup (actions_job) + if not in_docker and facts["ansible_virtualization_role"] == "guest": + # inspecting cgroups is iffy on GHA, so use the /.dockerenv file + in_docker = host.file("/.dockerenv").exists + + if not in_docker: + for d in switches: + cmd = host.run("cat {0}".format(d)) + + assert cmd.rc == 0 + assert "[never]" in cmd.stdout + + +def test_limit_file(host): + f = host.file("/etc/security/limits.conf") + + assert f.exists + assert f.user == "root" + assert f.group == "root" + + assert f.contains("mongodb hard nproc 64000") + assert f.contains("mongodb hard nofile 64000") + assert f.contains("mongodb soft nproc 64000") + assert f.contains("mongodb soft nofile 64000") + assert f.contains("mongodb hard memlock 1024") + assert f.contains("mongodb soft memlock 1024") diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/molecule.yml new file mode 100644 index 00000000..bbe64d8f --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/molecule.yml @@ -0,0 +1,34 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant + provider: + name: virtualbox +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos-7 + box: centos/7 + - name: ubuntu-16 + box: ubuntu/xenial64 + - name: ubuntu-18 + box: ubuntu/bionic64 + - name: debian-buster + box: debian/buster64 + - name: debian-stretch + box: debian/contrib-stretch64 # Standard debian/stretch64 had issues: Unable to locate package linux-headers-4.9.0-9-amd64 +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/playbook.yml new file mode 100644 index 00000000..8e9d4e75 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/playbook.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + become: yes + + roles: + - role: mongodb_linux diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/prepare.yml new file mode 100644 index 00000000..58b16460 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/prepare.yml @@ -0,0 +1,12 @@ +--- +- name: Prepare + hosts: all + become: yes + + tasks: + + - name: Ensure epel-release is installed + package: + name: epel-release + state: present + when: ansible_os_family == "RedHat" diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/tests/test_default.py new file mode 100644 index 00000000..266562ad --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/molecule/virtualbox/tests/test_default.py @@ -0,0 +1,81 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def test_ntp_package(host): + ntp = host.package("ntp") + chrony = host.package("chrony") + assert ntp.is_installed or chrony.is_installed + + +def test_ntpd_service(host): + ntpd = host.service("ntpd") + + if ntpd.is_running: + assert ntpd.is_enabled + else: + ntp = host.service("ntp") + if ntp.is_running: + assert ntp.is_enabled + else: + chronyd = host.service("chronyd") + assert chronyd.is_running + assert chronyd.is_enabled + + +def test_swappiness_value(host): + cmd = host.run("cat /proc/sys/vm/swappiness") + + assert cmd.rc == 0 + assert cmd.stdout.strip() == "1" + + +def test_thp_service_file(host): + f = host.file("/etc/systemd/system/disable-transparent-huge-pages.service") + + assert f.exists + assert f.user == "root" + assert f.group == "root" + + +def test_thp_service(host): + ''' + Validates the service actually works + ''' + switches = ["/sys/kernel/mm/transparent_hugepage/enabled", + "/sys/kernel/mm/transparent_hugepage/defrag"] + + facts = host.ansible("setup")["ansible_facts"] + virt_types = facts.get("ansible_virtualization_tech_guest", [facts["ansible_virtualization_type"]]) + in_docker = "container" in virt_types or "docker" in virt_types + # in_docker is false on GHA here since they use custom parent cgroup (actions_job) + if not in_docker and facts["ansible_virtualization_role"] == "guest": + # inspecting cgroups is iffy on GHA, so use the /.dockerenv file + in_docker = host.file("/.dockerenv").exists + + if not in_docker: + for d in switches: + cmd = host.run("cat {0}".format(d)) + + assert cmd.rc == 0 + assert "[never]" in cmd.stdout + + +def test_limit_file(host): + f = host.file("/etc/security/limits.conf") + + assert f.exists + assert f.user == "root" + assert f.group == "root" + + assert f.contains("mongodb hard nproc 64000") + assert f.contains("mongodb hard nofile 64000") + assert f.contains("mongodb soft nproc 64000") + assert f.contains("mongodb soft nofile 64000") + assert f.contains("mongodb hard memlock 1024") + assert f.contains("mongodb soft memlock 1024") diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/tasks/main.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/tasks/main.yml new file mode 100644 index 00000000..e8a61a39 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/tasks/main.yml @@ -0,0 +1,200 @@ +--- +# tasks file for mongodb_linux + +- name: Include OS-specific vars + include_vars: + file: "{{ lookup('first_found', params) }}" + vars: + params: + paths: + - "vars" + files: + - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml" + - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml" + - "{{ ansible_facts.distribution }}.yml" + - "{{ ansible_facts.os_family }}.yml" + - default.yml + tags: + - "vars" + +- name: See if we are in docker + when: + - "ansible_facts.virtualization_role == 'guest'" + - not in_docker # defined in vars + block: + - name: Check if we are in docker (based on /.dockerenv file) + stat: + path: /.dockerenv + register: dockerenv_file + tags: + - "ci" + - name: Update in_docker var + set_fact: + in_docker: "{{ dockerenv_file.stat.exists }}" + tags: + - "ci" + + +# Tasks based on: https://docs.mongodb.com/manual/administration/production-notes/ + +- name: Set swappiness + ansible.posix.sysctl: + name: vm.swappiness + value: "{{ swappiness }}" + state: present + tags: + - "linux" + - "setup" + +- name: Ensure ntp service is installed + package: + name: "{{ ntp_package }}" + state: present + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "linux" + - "setup" + - "pkg" + +- name: Update perms on chrony pid dir on RedHat 8 + file: + path: /run/chrony/ + owner: root + group: root + state: directory + when: + - ansible_facts.os_family == "RedHat" + - ansible_facts.distribution_major_version|int >= 8 + tags: + - "linux" + - "setup" + - "redhat" + +- name: Ensure ntp service is configured + service: + name: "{{ ntp_service }}" + state: started + enabled: yes + tags: + - "linux" + - "setup" + - "service" + +- name: Ensure GNU C Library is the latest + package: + name: "{{ gnu_c_lib }}" + state: latest + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "linux" + - "setup" + - "pkg" + +- name: Ensure NUMA zone reclaim is disabled + ansible.posix.sysctl: + name: vm.zone_reclaim_mode + value: "0" + state: present + reload: yes + when: not in_docker|bool + tags: + - "linux" + - "setup" + +# https://docs.mongodb.com/manual/tutorial/transparent-huge-pages/ +- name: Ensure thp-disable service exists + copy: + src: thp-disable.service + dest: /etc/systemd/system/disable-transparent-huge-pages.service + owner: root + group: root + register: thp + tags: + - "linux" + - "setup" + +- name: Reload systemd + systemd: + daemon_reexec: yes + when: thp is changed + tags: + - "linux" + - "setup" + - "service" + +- name: Check if disable-transparent-huge-pages service is already run + shell: cat /sys/kernel/mm/transparent_hugepage/enabled | grep -o '[never]' + register: _huge_page_status + ignore_errors: yes + changed_when: _huge_page_status.stdout == "" + tags: + - "linux" + - "service" + - "setup" + +- name: Enable disable-transparent-huge-pages service + service: + name: disable-transparent-huge-pages + state: started + enabled: yes + when: (not in_docker|bool) and (_huge_page_status.stdout == "") + tags: + - "linux" + - "service" + - "setup" + +# Tasks based on: https://docs.mongodb.com/manual/reference/ulimit/ + +- name: Set pam limits (nproc and nofile) + community.general.pam_limits: + domain: "{{ item[0] }}" + limit_type: "{{ item[1] }}" + limit_item: "{{ item[2] }}" + value: "{{ item[3] }}" + with_nested: + - ["root", "mongodb"] + - ["hard", "soft"] + - ["nproc", "nofile"] + - ["{{ nproc_and_nofile_limit }}"] + tags: + - "linux" + - "setup" + +- name: Set pam limits (memlock) + community.general.pam_limits: + domain: "{{ item[0] }}" + limit_type: "{{ item[1] }}" + limit_item: "{{ item[2] }}" + value: "{{ item[3] }}" + with_nested: + - ["root", "mongodb"] + - ["hard", "soft"] + - ["memlock"] + - ["{{ memlock_limit }}"] + tags: + - "linux" + - "setup" + +# Other tuning settings + +- name: Set sysctl values + ansible.posix.sysctl: + name: "{{ item['name'] }}" + value: "{{ item['value'] }}" + state: present + loop: + # TODO: These may need to be configurable for different usage patterns. + - { "name": "vm.dirty_ratio", "value": "15" } + - { "name": "vm.dirty_background_ratio", "value": "5" } + - { "name": "net.core.somaxconn ", "value": "4096" } + - { "name": "net.ipv4.tcp_fin_timeout", "value": "30" } + - { "name": "net.ipv4.tcp_keepalive_intvl", "value": "30" } + - { "name": "net.ipv4.tcp_keepalive_time", "value": "120" } + - { "name": "net.ipv4.tcp_max_syn_backlog ", "value": "4096" } + tags: + - "linux" + - "setup" diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/vars/Debian.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/Debian.yml new file mode 100644 index 00000000..375c7983 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/Debian.yml @@ -0,0 +1,5 @@ +--- +# Packages for Debian distros +ntp_package: ntp +ntp_service: ntp +gnu_c_lib: libc6 diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/vars/RedHat-8.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/RedHat-8.yml new file mode 100644 index 00000000..bc70604b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/RedHat-8.yml @@ -0,0 +1,5 @@ +--- +# Packages for RedHat-8 distros +ntp_package: chrony +ntp_service: chronyd +gnu_c_lib: glibc diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/vars/RedHat.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/RedHat.yml new file mode 100644 index 00000000..57ebecc8 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/RedHat.yml @@ -0,0 +1,5 @@ +--- +# Packages for RedHat distros +ntp_package: ntp +ntp_service: ntpd +gnu_c_lib: glibc diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/vars/default.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/default.yml new file mode 100644 index 00000000..0f0db5a7 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/default.yml @@ -0,0 +1,5 @@ +--- +# Packages (default fallthrough) +ntp_package: ntp +ntp_service: ntpd +gnu_c_lib: libc6 diff --git a/ansible_collections/community/mongodb/roles/mongodb_linux/vars/main.yml b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/main.yml new file mode 100644 index 00000000..7f55b9c8 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_linux/vars/main.yml @@ -0,0 +1,7 @@ +--- +in_docker: "{{ \ + ansible_facts.virtualization_role == 'guest' and ( \ + ['container', 'docker'] | intersect( \ + ansible_facts.virtualization_tech_guest | default([ansible_facts.virtualization_type]) \ + ) | bool \ + ) }}" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/.yamllint b/ansible_collections/community/mongodb/roles/mongodb_mongod/.yamllint new file mode 100644 index 00000000..88276760 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/README.md b/ansible_collections/community/mongodb/roles/mongodb_mongod/README.md new file mode 100644 index 00000000..51a80129 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/README.md @@ -0,0 +1,60 @@ +mongodb_mongod +============== + +A simple role to aid in the setup of a MongoDB replicaset. + +Role Variables +-------------- + +* `mongod_port`: The port used by the mongod process. Default 27017. +* `mongod_service`: The name of the mongod service. Default mongod. +* `mongodb_user`: The Linux OS user for MongoDB. Default mongod. +* `mongodb_group`: The Linux OS user group for MongoDB. Default mongod. +* `bind_ip`: The IP address mongod will bind to. Default 0.0.0.0. +* `bind_ip_all`: Have mongod bind to all IP addresses instead of specifying `bind_ip`. Default false. +* `log_path`: Path of the log file. Default: /var/log/mongodb/mongod.log. +* `repl_set_name`: The name of the replicaset the member will participate in. Default rs0. +* `authorization`: Enable authorization. Default enabled. +* `openssl_keyfile_content`: The keyfile content that MongoDB uses to authenticate within a replicaset. Generate with cmd: openssl rand -base64 756. +* `openssl_keyfile_path`: Put the openssl_keyfile at this path. Default: /etc/keyfile +* `mongodb_admin_user`: MongoDB admin username. Default admin. +* `mongodb_admin_pwd`: MongoDB admin password. Default admin. +* `mongod_package`: The mongod package to install. Default mongodb-org-server. +* `replicaset`: When enabled add a replication section to the configuration. Default true. +* `sharding`: If this replicaset member will form part of a sharded cluster. Default false. +* `net_compressors`: If this is set, this sets `net.compression.compressors` in mongod.conf. +* `mongod_config_template`: If defined allows to override path to mongod config template with custom configuration. Default "mongod.conf.j2" +* `skip_restart`: If set to `true` will skip restarting mongod service when config file or the keyfile content changes. Default `true`. +* `db_path`: Path to database data location. Default `/var/lib/mongodb` on Debian based distributions, `/var/lib/mongo` for others. +* `mongodb_use_tls`: Wether to use tls. Default false. +* `mongodb_certificate_key_file`: Path to the PEM-file containing the certficate and private key. +* `mongodb_certificate_ca_file`: Path to the CA-file. + +IMPORTANT NOTE: It is expected that `mongodb_admin_user` & `mongodb_admin_pwd` values be overridden in your own file protected by Ansible Vault. These values are primary included here for Molecule/Travis CI integration. Any production environments should protect these values. For more information see [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) + +Dependencies +------------ + +mongodb_repository + +Example Playbook +---------------- + +Install MongoDB preparing hosts for a Sharded Cluster. + +```yaml + - hosts: servers + roles: + - { role: mongodb_repository } + - { role: mongodb_mongod, mongod_port: 27018, sharding: true } +``` + +License +------- + +BSD + +Author Information +------------------ + +Rhys Campbell (https://github.com/rhysmeister) diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/defaults/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/defaults/main.yml new file mode 100644 index 00000000..b0d9da22 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/defaults/main.yml @@ -0,0 +1,36 @@ +--- +# defaults file for mongodb_mongod +mongod_port: 27017 +bind_ip: 0.0.0.0 +bind_ip_all: false +log_path: "/var/log/mongodb/mongod.log" +repl_set_name: rs0 +authorization: "enabled" +openssl_keyfile_path: /etc/keyfile +openssl_keyfile_content: | + Z2CeA9BMcoY5AUWoegjv/XWL2MA1SQcL4HvmRjYaTjSp/xosJy+LL2X3OQb1xVWC + rO2e6Tu6A3R4muunitI6Vr0IKeU5UbTpR0N4hSU6HDrV9z2PIEWlkQqKh01ZRLEY + V3hR73acj0jA8eWIWeiV039d18jvMb8X2h8409lfcD6PPJJGjyaC8S4LY/TrsK2z + tx+l/vqOOAMhGB5mEMjx1LXUMsRG9ot6vFu9I5LPd1A4q9xw9jddYK5C6YTLccun + ZyCDsv7ImkCprV0+0vhTyxIEnfaNtvOlWypuvmRr/DEyd2NPowd1n6C+rgk8gs1t + SGLCZP93gXza0rIoQzHtuf5pOJK9qyKjuNtuuLa/KFsida8a69JXn7fmS0IIja0m + Ir0OrQ2Ta3n4VbQwQo97BWODWmkgzz0mUd6VmMps5zLsCW1vVqYFQHuAAbLekW0q + 8JRm8OQ6n2hp8j4zYd3/Qw7vqsVj8sHicNB0bCW29b64H4f2J/AcUA/cm0xSUQyb + +myeCB4vWvydh5AfFVnw7sXvzU6egaYRomdmrl59QrTDneJu13hwzIchsFparoWJ + XjpldopGeDaJLU18ga7MSL02ozB+EoJ14DJxQU7E5MQk7fDMPeitXKZ8ymxb7LeA + k0Rtc/JQM8aDLoRklhLZRRARBrv1RLo8DM8CB2q4s+FwVU4QJl7mFyiwk3eTN6sN + PTgFRo3/dHsEA2OwGG+hnGFGnoYf2mkECR5jqai83CXgva9v2rPNjDTJYHpmd3I0 + fNijueXZZdzUA58y8mcoSGVYdRhr0g8jaWQ12PZEgX5Nnlekh5GHG0j8HT4qj/0Y + D3xVuE3WvrhldY5EOsaTt2ZXZx5REmJDIW1KcnvQKiVDJ2QzP5xdXYA0hh3TdTVE + sb4UreMw/WyBpANiICMlJRBgSd0f0VGMlYzLX2BL14YpNnLhmoQqKzfBN6v2XAEG + mJfrCUVuP1nBEklk23lYkNi/ohe+aodNjdN+2DHp42sGZHYP +mongodb_admin_user: admin +mongodb_admin_pwd: admin +mongod_package: "mongodb-org-server" +replicaset: true +sharding: false +net_compressors: null +mongod_config_template: "mongod.conf.j2" +skip_restart: true +db_path: "{{ '/var/lib/mongodb' if ansible_os_family == 'Debian' else '/var/lib/mongo' if ansible_os_family == 'RedHat' else '/var/lib/mongo' }}" +mongodb_use_tls: false diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/handlers/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/handlers/main.yml new file mode 100644 index 00000000..02681753 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/handlers/main.yml @@ -0,0 +1,14 @@ +--- +- name: Restart mongod + listen: Restart mongod service + service: + name: "{{ mongod_service }}" + state: restarted + when: not skip_restart + +- name: Wait for port to become active + listen: Restart mongod service + wait_for: + host: "{{ bind_ip | split(',') | first }}" + port: "{{ mongod_port }}" + when: not skip_restart diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/meta/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/meta/main.yml new file mode 100644 index 00000000..223ab1ec --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/meta/main.yml @@ -0,0 +1,57 @@ +--- +galaxy_info: + author: Rhys Campbell + description: Configure the mongod service (includes populating mongod.conf) which is a MongoDB replicaset or standalone server. + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: GPLv3 + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/molecule.yml new file mode 100644 index 00000000..eb611f22 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/molecule.yml @@ -0,0 +1,65 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mongod" + network_mode: "mongod" + - name: ubuntu_18 + image: ubuntu:18.04 + command: /sbin/init + privileged: True + networks: + - name: "mongod" + network_mode: "mongod" + - name: debian_buster + image: debian:buster + command: /sbin/init + privileged: True + networks: + - name: "mongod" + network_mode: "mongod" + - name: debian_bullseye + image: debian:bullseye + command: /sbin/init + privileged: True + networks: + - name: "mongod" + network_mode: "mongod" + - name: amazonlinux + image: amazonlinux:2 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mongod" + network_mode: "mongod" +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/playbook.yml new file mode 100644 index 00000000..0e4d6cec --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/playbook.yml @@ -0,0 +1,38 @@ +--- +- name: Converge + hosts: all + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_mongod + vars: + db_path: "/data/db" + + tasks: + + - name: Install python stuff + package: + name: ["python-setuptools", "python-pip"] + when: ansible_hostname == "amazonlinux" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + when: ansible_hostname == "amazonlinux" + + - name: Install MongoDB Shell + package: + name: mongodb-mongosh + + - name: Initialise replicaset + community.mongodb.mongodb_replicaset: + login_host: localhost + replica_set: rs0 + validate: yes + members: + - centos_7:27017 + - amazonlinux:27017 + - ubuntu_18:27017 + - debian_bullseye:27017 + - debian_buster:27017 + when: ansible_hostname == "amazonlinux" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/prepare.yml new file mode 100644 index 00000000..9bb20f0b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/prepare.yml @@ -0,0 +1,22 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + redhat_packages: + - net-tools + tasks: + + - name: Ensure epel is available + package: + name: epel-release + state: present + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Amazon" + + - name: Install redhat packages + package: + name: "{{ redhat_packages }}" + state: present + when: ansible_os_family == "RedHat"
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/tests/test_default.py new file mode 100644 index 00000000..7b52e559 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/custom_db_path/tests/test_default.py @@ -0,0 +1,84 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + ansible = host.ansible('include_vars', + 'file="../../vars/Debian.yml"', + False, + False) + else: + ansible = host.ansible('include_vars', + 'file="../../vars/RedHat.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + mongodb_user = include_vars(host)['ansible_facts']['mongodb_user'] + mongodb_group = include_vars(host)['ansible_facts']['mongodb_group'] + f = host.file('/etc/mongod.conf') + + assert f.exists + assert f.user == mongodb_user + assert f.group == mongodb_group + + +def test_mongod_service(host): + mongod_service = include_vars(host)['ansible_facts']['mongod_service'] + s = host.service(mongod_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + try: + port = include_vars(host)['ansible_facts']['mongod_port'] + except KeyError: + port = 27017 + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + assert s.is_listening + + +def test_mongod_replicaset(host): + ''' + Ensure that the MongoDB replicaset has been created successfully + ''' + try: + port = include_vars(host)['ansible_facts']['mongod_port'] + except KeyError: + port = 27017 + cmd = "mongosh --port {0} --eval 'rs.status()'".format(port) + # We only want to run this once + if host.ansible.get_variables()['inventory_hostname'] == "amazonlinux": + r = host.run(cmd) + assert "rs0" in r.stdout + assert "centos_7:{0}".format(port) in r.stdout + assert "amazonlinux:{0}".format(port) in r.stdout + assert "ubuntu_18:{0}".format(port) in r.stdout + assert "debian_buster:{0}".format(port) in r.stdout + assert "debian_bullseye:{0}".format(port) in r.stdout + + +def test_mongod_config_custom_path(host): + ''' + Ensure that the custom path is respected + ''' + default_path = "/data/db" + + # assert path exists + f = host.file(default_path) + assert f.exists + assert f.is_directory + # assert mongodb.conf contains path + conf = host.file('/etc/mongod.conf').content_string + assert "dbPath: {0}".format(default_path) in conf diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/molecule.yml new file mode 100644 index 00000000..eb611f22 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/molecule.yml @@ -0,0 +1,65 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mongod" + network_mode: "mongod" + - name: ubuntu_18 + image: ubuntu:18.04 + command: /sbin/init + privileged: True + networks: + - name: "mongod" + network_mode: "mongod" + - name: debian_buster + image: debian:buster + command: /sbin/init + privileged: True + networks: + - name: "mongod" + network_mode: "mongod" + - name: debian_bullseye + image: debian:bullseye + command: /sbin/init + privileged: True + networks: + - name: "mongod" + network_mode: "mongod" + - name: amazonlinux + image: amazonlinux:2 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mongod" + network_mode: "mongod" +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/playbook.yml new file mode 100644 index 00000000..a7dfeeaf --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/playbook.yml @@ -0,0 +1,36 @@ +--- +- name: Converge + hosts: all + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_mongod + + tasks: + + - name: Install python stuff + package: + name: ["python-setuptools", "python-pip"] + when: ansible_hostname == "amazonlinux" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + when: ansible_hostname == "amazonlinux" + + - name: Install MongoDB Shell + package: + name: mongodb-mongosh + + - name: Initialise replicaset + community.mongodb.mongodb_replicaset: + login_host: localhost + replica_set: rs0 + validate: yes + members: + - centos_7:27017 + - amazonlinux:27017 + - ubuntu_18:27017 + - debian_bullseye:27017 + - debian_buster:27017 + when: ansible_hostname == "amazonlinux" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/prepare.yml new file mode 100644 index 00000000..9bb20f0b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/prepare.yml @@ -0,0 +1,22 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + redhat_packages: + - net-tools + tasks: + + - name: Ensure epel is available + package: + name: epel-release + state: present + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Amazon" + + - name: Install redhat packages + package: + name: "{{ redhat_packages }}" + state: present + when: ansible_os_family == "RedHat"
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/tests/test_default.py new file mode 100644 index 00000000..ceab5c90 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/default/tests/test_default.py @@ -0,0 +1,89 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + ansible = host.ansible('include_vars', + 'file="../../vars/Debian.yml"', + False, + False) + else: + ansible = host.ansible('include_vars', + 'file="../../vars/RedHat.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + mongodb_user = include_vars(host)['ansible_facts']['mongodb_user'] + mongodb_group = include_vars(host)['ansible_facts']['mongodb_group'] + f = host.file('/etc/mongod.conf') + + assert f.exists + assert f.user == mongodb_user + assert f.group == mongodb_group + + +def test_mongod_service(host): + mongod_service = include_vars(host)['ansible_facts']['mongod_service'] + s = host.service(mongod_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + try: + port = include_vars(host)['ansible_facts']['mongod_port'] + except KeyError: + port = 27017 + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + assert s.is_listening + + +def test_mongod_replicaset(host): + ''' + Ensure that the MongoDB replicaset has been created successfully + ''' + try: + port = include_vars(host)['ansible_facts']['mongod_port'] + except KeyError: + port = 27017 + cmd = "mongosh --port {0} --eval 'rs.status()'".format(port) + # We only want to run this once + if host.ansible.get_variables()['inventory_hostname'] == "amazonlinux": + r = host.run(cmd) + assert "rs0" in r.stdout + assert "centos_7:{0}".format(port) in r.stdout + assert "amazonlinux:{0}".format(port) in r.stdout + assert "ubuntu_18:{0}".format(port) in r.stdout + assert "debian_buster:{0}".format(port) in r.stdout + assert "debian_bullseye:{0}".format(port) in r.stdout + + +def test_mongod_default_path(host): + ''' + Ensure that the default paths for RedHat and Debian based OSes are respected + ''' + hostname = host.ansible.get_variables()['inventory_hostname'] + default_path = "/var/lib/mongo" + if hostname.startswith('centos'): + default_path = "/var/lib/mongo" + elif hostname.startswith('ubuntu') or hostname.startswith('debian'): + default_path = "/var/lib/mongodb" + + # assert path exists + f = host.file(default_path) + assert f.exists + assert f.is_directory + # asset mongodb.cnf contains path + conf = host.file('/etc/mongod.conf').content_string + assert "dbPath: {0}".format(default_path) in conf diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/molecule.yml new file mode 100644 index 00000000..eb611f22 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/molecule.yml @@ -0,0 +1,65 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mongod" + network_mode: "mongod" + - name: ubuntu_18 + image: ubuntu:18.04 + command: /sbin/init + privileged: True + networks: + - name: "mongod" + network_mode: "mongod" + - name: debian_buster + image: debian:buster + command: /sbin/init + privileged: True + networks: + - name: "mongod" + network_mode: "mongod" + - name: debian_bullseye + image: debian:bullseye + command: /sbin/init + privileged: True + networks: + - name: "mongod" + network_mode: "mongod" + - name: amazonlinux + image: amazonlinux:2 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mongod" + network_mode: "mongod" +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/playbook.yml new file mode 100644 index 00000000..707dc5ba --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/playbook.yml @@ -0,0 +1,39 @@ +--- +- name: Converge + hosts: all + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_mongod + vars: + db_path: "/data/db" + bind_ip: '"127.0.0.1,127.0.0.2,{{ ansible_default_ipv4.address }}"' + + tasks: + + - name: Install python stuff + package: + name: ["python-setuptools", "python-pip"] + when: ansible_hostname == "amazonlinux" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + when: ansible_hostname == "amazonlinux" + + - name: Install MongoDB Shell + package: + name: mongodb-mongosh + + - name: Initialise replicaset + community.mongodb.mongodb_replicaset: + login_host: localhost + replica_set: rs0 + validate: yes + members: + - centos_7:27017 + - amazonlinux:27017 + - ubuntu_18:27017 + - debian_bullseye:27017 + - debian_buster:27017 + when: ansible_hostname == "amazonlinux" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/prepare.yml new file mode 100644 index 00000000..5143c818 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/prepare.yml @@ -0,0 +1,30 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + redhat_packages: + - net-tools + amazon_packages: + - iproute + tasks: + + - name: Ensure epel is available + package: + name: epel-release + state: present + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Amazon" + + - name: Install redhat packages + package: + name: "{{ redhat_packages }}" + state: present + when: ansible_os_family == "RedHat" + + - name: Install amazon packages + package: + name: "{{ amazon_packages }}" + state: present + when: ansible_distribution == "Amazon"
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/tests/test_default.py new file mode 100644 index 00000000..de3da6dd --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/multiple_bind_ip/tests/test_default.py @@ -0,0 +1,84 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + ansible = host.ansible('include_vars', + 'file="../../vars/Debian.yml"', + False, + False) + else: + ansible = host.ansible('include_vars', + 'file="../../vars/RedHat.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + mongodb_user = include_vars(host)['ansible_facts']['mongodb_user'] + mongodb_group = include_vars(host)['ansible_facts']['mongodb_group'] + f = host.file('/etc/mongod.conf') + + assert f.exists + assert f.user == mongodb_user + assert f.group == mongodb_group + + +def test_mongod_service(host): + mongod_service = include_vars(host)['ansible_facts']['mongod_service'] + s = host.service(mongod_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + try: + port = include_vars(host)['ansible_facts']['mongod_port'] + except KeyError: + port = 27017 + s = host.socket("tcp://127.0.0.1:{0}".format(port)) + assert s.is_listening + + +def test_mongod_replicaset(host): + ''' + Ensure that the MongoDB replicaset has been created successfully + ''' + try: + port = include_vars(host)['ansible_facts']['mongod_port'] + except KeyError: + port = 27017 + cmd = "mongosh --port {0} --eval 'rs.status()'".format(port) + # We only want to run this once + if host.ansible.get_variables()['inventory_hostname'] == "amazonlinux": + r = host.run(cmd) + assert "rs0" in r.stdout + assert "centos_7:{0}".format(port) in r.stdout + assert "amazonlinux:{0}".format(port) in r.stdout + assert "ubuntu_18:{0}".format(port) in r.stdout + assert "debian_buster:{0}".format(port) in r.stdout + assert "debian_bullseye:{0}".format(port) in r.stdout + + +def test_mongod_config_custom_path(host): + ''' + Ensure that the custom path is respected + ''' + default_path = "/data/db" + + # assert path exists + f = host.file(default_path) + assert f.exists + assert f.is_directory + # assert mongodb.conf contains path + conf = host.file('/etc/mongod.conf').content_string + assert "dbPath: {0}".format(default_path) in conf diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/molecule.yml new file mode 100644 index 00000000..14d29680 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/molecule.yml @@ -0,0 +1,54 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant + provider: + name: virtualbox +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos-7 + box: centos/7 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-16 + box: ubuntu/xenial64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-18 + box: ubuntu/bionic64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-buster + box: debian/buster64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-stretch + box: debian/contrib-stretch64 # Standard debian/stretch64 had issues: Unable to locate package linux-headers-4.9.0-9-amd64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/playbook.yml new file mode 100644 index 00000000..c2ddf6c1 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/playbook.yml @@ -0,0 +1,34 @@ +--- +- name: Converge + hosts: all + become: yes + + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_mongod + + tasks: + + - name: Install python stuff + package: + name: ["python-setuptools", "python-pip"] + when: ansible_hostname == "ubuntu-16" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + when: ansible_hostname == "ubuntu-16" + + - name: Initialise replicaset + community.mongodb.mongodb_replicaset: + login_host: localhost + replica_set: rs0 + validate: yes + members: + - ubuntu-16.local:27017 + - ubuntu-18.local:27017 + - debian-stretch.local:27017 + - debian-buster.local:27017 + - centos-7.local:27017 + when: ansible_hostname == "ubuntu-16" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/prepare.yml new file mode 100644 index 00000000..0f186973 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/prepare.yml @@ -0,0 +1,40 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + avahi_packages_redhat: + - "avahi" + - "nss-mdns" + avahi_packages_debian: + - "avahi-daemon" + - "avahi-discover" + - "libnss-mdns" + tasks: + + - name: Ensure epel is available + yum: + name: epel-release + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_redhat }}" + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_debian }}" + state: present + when: ansible_os_family == "Debian" + + # debian-stretch seems to require a reboot for avahi-daemon to run + - name: Reboot host + reboot: + + - name: Ensure avahi-daemon is started + service: + name: avahi-daemon + state: started diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/tests/test_default.py new file mode 100644 index 00000000..0490c233 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/molecule/virtualbox/tests/test_default.py @@ -0,0 +1,71 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + ansible = host.ansible('include_vars', + 'file="../../vars/Debian.yml"', + False, + False) + else: + ansible = host.ansible('include_vars', + 'file="../../vars/RedHat.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + mongodb_user = include_vars(host)['ansible_facts']['mongodb_user'] + mongodb_group = include_vars(host)['ansible_facts']['mongodb_group'] + f = host.file('/etc/mongod.conf') + + assert f.exists + assert f.user == mongodb_user + assert f.group == mongodb_group + + +def test_mongod_service(host): + mongod_service = include_vars(host)['ansible_facts']['mongod_service'] + s = host.service(mongod_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + try: + port = include_vars(host)['ansible_facts']['mongod_port'] + except KeyError: + port = 27017 + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + + assert s.is_listening + + +def test_mongod_replicaset(host): + ''' + Ensure that the MongoDB replicaset has been created successfully + ''' + try: + port = include_vars(host)['ansible_facts']['mongod_port'] + except KeyError: + port = 27017 + cmd = "mongo --port {0} --eval 'rs.status()'".format(port) + # We only want to run this once + if host.ansible.get_variables()['inventory_hostname'] == "ubuntu_16": + r = host.run(cmd) + + assert "rs0" in r.stdout + assert "ubuntu-16:{0}".format(port) in r.stdout + assert "ubuntu-18:{0}".format(port) in r.stdout + assert "debian-stretch:{0}".format(port) in r.stdout + assert "debian-buster:{0}".format(port) in r.stdout + assert "centos-7:{0}".format(port) in r.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/main.yml new file mode 100644 index 00000000..79a6cc13 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/tasks/main.yml @@ -0,0 +1,81 @@ +--- +# tasks file for mongodb_mongod +- name: Include OS-specific vars + include_vars: + file: "{{ lookup('first_found', params) }}" + vars: + params: + paths: + - "vars" + files: + - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml" + - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml" + - "{{ ansible_facts.distribution }}.yml" + - "{{ ansible_facts.os_family }}.yml" + - default.yml + tags: + - "vars" + +- name: Ensure mongod package is installed + package: + name: "{{ mongod_package }}" + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "mongodb" + - "pkg" + - "setup" + +- name: Ensure db_path dir exists + file: + path: "{{ db_path }}" + state: directory + owner: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + tags: + - "mongodb" + - "setup" + +- name: Copy config file + template: + src: "{{ mongod_config_template }}" + dest: /etc/mongod.conf + owner: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + notify: + - Restart mongod service + tags: + - "mongodb" + - "setup" + +- name: Copy keyfile to host + copy: + content: | + {{ openssl_keyfile_content }} + dest: "{{ openssl_keyfile_path }}" + owner: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + mode: 0400 + when: authorization == "enabled" + notify: + - Restart mongod service + tags: + - "mongodb" + - "setup" + +- name: Check for github override + set_fact: + x_github_override: "{{ lookup('env', 'X_GITHUB_OVERRIDE') | default('0', True) }}" + tags: + - "ci" + +- name: Start mongod service + service: + name: "{{ mongod_service }}" + state: started + enabled: yes + tags: + - "mongodb" + - "setup" + - "service" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongod.conf.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongod.conf.j2 new file mode 100644 index 00000000..e9b68f8a --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/templates/mongod.conf.j2 @@ -0,0 +1,64 @@ +# mongod.conf + +# for documentation of all options, see: +# http://docs.mongodb.org/manual/reference/configuration-options/ + +# where to write logging data. +systemLog: + destination: file + logAppend: true + path: {{ log_path }} + +# Where and how to store data. +storage: + dbPath: {{ db_path }} + journal: + enabled: true + engine: "wiredTiger" + +# how the process runs +processManagement: +{% if ansible_facts.os_family == "RedHat" %} # Breaks Ubuntu / Debian + fork: true + pidFilePath: /var/run/mongodb/mongod.pid +{% endif %} + timeZoneInfo: /usr/share/zoneinfo + +# network interfaces +net: + port: {{ mongod_port }} +{% if bind_ip_all %} + bindIpAll: true +{% else %} + bindIp: {{ bind_ip }} +{% endif %} +{% if net_compressors %} + compression: + compressors: {{ net_compressors }} +{% endif %} +{% if mongodb_use_tls %} + tls: + mode: requireTLS + certificateKeyFile: {{ mongodb_certificate_key_file }} + CAFile: {{ mongodb_certificate_ca_file }} +{% endif %} + +{% if authorization == "enabled" %} +security: + authorization: {{ authorization }} +{% if replicaset or sharding %} + keyFile: {{ openssl_keyfile_path }} +{% endif %} +{% endif %} + +#operationProfiling: + +{% if replicaset %} +replication: + replSetName: {{ repl_set_name }} +{% endif %} + +{% if sharding %} +sharding: + clusterRole: shardsvr +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/Debian.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/Debian.yml new file mode 100644 index 00000000..0e1368a6 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/Debian.yml @@ -0,0 +1,4 @@ +--- +mongodb_user: "mongodb" +mongodb_group: "mongodb" +mongod_service: "mongod" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/RedHat.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/RedHat.yml new file mode 100644 index 00000000..4df9dd94 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/RedHat.yml @@ -0,0 +1,4 @@ +--- +mongodb_user: "mongod" +mongodb_group: "mongod" +mongod_service: "mongod" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/default.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/default.yml new file mode 100644 index 00000000..4df9dd94 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/default.yml @@ -0,0 +1,4 @@ +--- +mongodb_user: "mongod" +mongodb_group: "mongod" +mongod_service: "mongod" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/main.yml new file mode 100644 index 00000000..ed97d539 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongod/vars/main.yml @@ -0,0 +1 @@ +--- diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/.yamllint b/ansible_collections/community/mongodb/roles/mongodb_mongos/.yamllint new file mode 100644 index 00000000..88276760 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/README.md b/ansible_collections/community/mongodb/roles/mongodb_mongos/README.md new file mode 100644 index 00000000..41424678 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/README.md @@ -0,0 +1,60 @@ +mongodb_mongos +============== + +A role to setup a mongos server for a MongoDB sharded cluster. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should +be mentioned here. For instance, if the role uses the EC2 module, it may be a +good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +* `mongos_port`: The port used by the mongos process. Default 27017. +* `mongos_service`: The name of the mongos service. Default mongos. +* `mongodb_user`: The Linux OS user for MongoDB. Default mongod. +* `mongodb_group`: The Linux OS user group for MongoDB. Default mongod. +* `pid_file`: The pid file for mongos. Default /run/mongodb/mongos.pid. +* `bind_ip`: The IP address mongos will bind to. Default 0.0.0.0. +* `bind_ip_all`: Have mongos bind to all IP addresses instead of specifying `bind_ip`. Default false. +* `log_path`: Path of the log file. Default: /var/log/mongodb/mongos.log. +* `mypy`: Python interpretor. Default python +* `mongos_package`: The name of the mongos installation package. Default mongodb-org-mongos. +* `config_repl_set_name`: The name of the config server replicaset. Default cfg. +* `config_servers`: "config1:27019, config2:27019, config3:27019" +* `openssl_keyfile_content`: The kexfile content that MongoDB uses to authenticate within a replicaset. Generate with cmd: openssl rand -base64 756. +* `openssl_keyfile_path`: Put the openssl_keyfile at this path. Default: /etc/keyfile +* `net_compressors`: If this is set, this sets `net.compression.compressors` in mongos.conf. +* `mongos_config_template`: If defined allows to override path to mongod config template with custom configuration. Default "mongos.conf.j2" +* `skip_restart`: If set to `true` will skip restarting mongos service when config file or the keyfile content changes. Default `true`. +* `mongodb_use_tls`: Wether to use tls. Default false. +* `mongodb_certificate_key_file`: Path to the PEM-file containing the certficate and private key. +* `mongodb_certificate_ca_file`: Path to the CA-file. + +Dependencies +------------ + +mongodb_repository + +Example Playbook +---------------- + +```yaml + - hosts: servers + roles: + - mongodb_repository + - mongodb_mongos +``` + +License +------- + +BSD + +Author Information +------------------ + +Rhys Campbell (https://github.com/rhysmeister) diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/defaults/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/defaults/main.yml new file mode 100644 index 00000000..6d91e881 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/defaults/main.yml @@ -0,0 +1,33 @@ +--- +# defaults file for mongodb_mongos +pid_file: /run/mongodb/mongos.pid +bind_ip: 0.0.0.0 +bind_ip_all: false +log_path: "/var/log/mongodb/mongos.log" +# mongos_port in vars to facilitate molecule tests +mypy: python +mongos_package: "mongodb-org-mongos" +config_repl_set_name: cfg +config_servers: "config1:27019, config2:27019, config3:27019" +openssl_keyfile_path: /etc/keyfile +openssl_keyfile_content: | + Z2CeA9BMcoY5AUWoegjv/XWL2MA1SQcL4HvmRjYaTjSp/xosJy+LL2X3OQb1xVWC + rO2e6Tu6A3R4muunitI6Vr0IKeU5UbTpR0N4hSU6HDrV9z2PIEWlkQqKh01ZRLEY + V3hR73acj0jA8eWIWeiV039d18jvMb8X2h8409lfcD6PPJJGjyaC8S4LY/TrsK2z + tx+l/vqOOAMhGB5mEMjx1LXUMsRG9ot6vFu9I5LPd1A4q9xw9jddYK5C6YTLccun + ZyCDsv7ImkCprV0+0vhTyxIEnfaNtvOlWypuvmRr/DEyd2NPowd1n6C+rgk8gs1t + SGLCZP93gXza0rIoQzHtuf5pOJK9qyKjuNtuuLa/KFsida8a69JXn7fmS0IIja0m + Ir0OrQ2Ta3n4VbQwQo97BWODWmkgzz0mUd6VmMps5zLsCW1vVqYFQHuAAbLekW0q + 8JRm8OQ6n2hp8j4zYd3/Qw7vqsVj8sHicNB0bCW29b64H4f2J/AcUA/cm0xSUQyb + +myeCB4vWvydh5AfFVnw7sXvzU6egaYRomdmrl59QrTDneJu13hwzIchsFparoWJ + XjpldopGeDaJLU18ga7MSL02ozB+EoJ14DJxQU7E5MQk7fDMPeitXKZ8ymxb7LeA + k0Rtc/JQM8aDLoRklhLZRRARBrv1RLo8DM8CB2q4s+FwVU4QJl7mFyiwk3eTN6sN + PTgFRo3/dHsEA2OwGG+hnGFGnoYf2mkECR5jqai83CXgva9v2rPNjDTJYHpmd3I0 + fNijueXZZdzUA58y8mcoSGVYdRhr0g8jaWQ12PZEgX5Nnlekh5GHG0j8HT4qj/0Y + D3xVuE3WvrhldY5EOsaTt2ZXZx5REmJDIW1KcnvQKiVDJ2QzP5xdXYA0hh3TdTVE + sb4UreMw/WyBpANiICMlJRBgSd0f0VGMlYzLX2BL14YpNnLhmoQqKzfBN6v2XAEG + mJfrCUVuP1nBEklk23lYkNi/ohe+aodNjdN+2DHp42sGZHYP +net_compressors: null +mongos_config_template: "mongos.conf.j2" +skip_restart: true +mongodb_use_tls: false diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/handlers/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/handlers/main.yml new file mode 100644 index 00000000..7ee30f2d --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/handlers/main.yml @@ -0,0 +1,14 @@ +--- +- name: Restart mongos + listen: Restart mongos service + service: + name: "{{ mongos_service }}" + state: restarted + when: not skip_restart + +- name: Wait for port to become active + listen: Restart mongos service + wait_for: + host: "{{ bind_ip | split(',') | first }}" + port: "{{ mongos_port }}" + when: not skip_restart diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/meta/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/meta/main.yml new file mode 100644 index 00000000..1f736d9e --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/meta/main.yml @@ -0,0 +1,57 @@ +--- +galaxy_info: + author: Rhys Campbell + description: Configure the mongos service (includes populating mongos.conf) which only runs in a sharded MongoDB cluster. + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: GPLv3 + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/molecule.yml new file mode 100644 index 00000000..0bc842e6 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/molecule.yml @@ -0,0 +1,69 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + # centos_7 and debian_stretch disabled to reduce test time + #- name: centos_7 + # image: centos:7 + # command: /sbin/init + # privileged: True + # volumes: + # - /sys/fs/cgroup:/sys/fs/cgroup:ro + # networks: + # - name: "mymongos" + # network_mode: "mymongos" + - name: amazonlinux + image: amazonlinux:2 + command: /sbin/init + privileged: True + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + networks: + - name: "mymongos" + network_mode: "mymongos" + - name: ubuntu_18 + image: ubuntu:18.04 + command: /sbin/init + privileged: True + networks: + - name: "mymongos" + network_mode: "mymongos" + - name: debian_buster + image: debian:buster + command: /sbin/init + privileged: True + networks: + - name: "mymongos" + network_mode: "mymongos" + #- name: debian_stretch + # image: debian:stretch + # command: /sbin/init + # privileged: True + # networks: + # - name: "mymongos" + # network_mode: "mymongos" + - name: config1 + image: ubuntu:18.04 + command: /sbin/init + privileged: True + networks: + - name: "mymongos" + network_mode: "mymongos" +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/playbook.yml new file mode 100644 index 00000000..6c69b8ac --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/playbook.yml @@ -0,0 +1,63 @@ +--- +- name: Converge + hosts: all + become: yes + + vars: + admin_user: "admin" + admin_user_password: "admin" + + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_install + when: "'config' in ansible_hostname" + tags: molecule-idempotence-notest + - role: mongodb_config + when: "'config' in ansible_hostname" + tags: molecule-idempotence-notest + - role: mongodb_mongos + when: "'config' not in ansible_hostname" + + tasks: + + - name: Install python stuff + package: + name: ["python-setuptools", "python-pip"] + when: ansible_hostname == "config1" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + when: ansible_hostname == "config1" + + - name: Install MongoDB Shell + package: + name: mongodb-mongosh + + - name: Init config server replicaset + community.mongodb.mongodb_replicaset: + login_host: localhost + login_port: "27019" + replica_set: cfg + validate: no + members: + - config1:27019 + when: ansible_hostname == "config1" + + - name: Restart the mongos service + service: + name: mongos + state: started + when: "'config' not in ansible_hostname" + + - name: Add MongoDB Admin User using localhost exception on the mongos + community.mongodb.mongodb_user: + name: "{{ admin_user }}" + password: "{{ admin_user_password }}" + login_port: "27019" + database: admin + roles: + - "root" + create_for_localhost_exception: /root/mongodb_admin.success + when: ansible_hostname == "config1" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/prepare.yml new file mode 100644 index 00000000..9bb20f0b --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/prepare.yml @@ -0,0 +1,22 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + redhat_packages: + - net-tools + tasks: + + - name: Ensure epel is available + package: + name: epel-release + state: present + when: + - ansible_os_family == "RedHat" + - ansible_distribution != "Amazon" + + - name: Install redhat packages + package: + name: "{{ redhat_packages }}" + state: present + when: ansible_os_family == "RedHat"
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/tests/test_default.py new file mode 100644 index 00000000..b2a7e9cb --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/default/tests/test_default.py @@ -0,0 +1,64 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + ansible = host.ansible('include_vars', + 'file="../../vars/Debian.yml"', + False, + False) + else: + ansible = host.ansible('include_vars', + 'file="../../vars/RedHat.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + if host.ansible.get_variables()['inventory_hostname'] != 'config1': + mongodb_user = include_vars(host)['ansible_facts']['mongodb_user'] + mongodb_group = include_vars(host)['ansible_facts']['mongodb_group'] + f = host.file('/etc/mongos.conf') + + assert f.exists + assert f.user == mongodb_user + assert f.group == mongodb_group + + +def test_mongod_service(host): + + if host.ansible.get_variables()['inventory_hostname'] != 'config1': + mongos_service = include_vars(host)['ansible_facts']['mongos_service'] + s = host.service(mongos_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + if host.ansible.get_variables()['inventory_hostname'] != 'config1': + port = include_vars(host)['ansible_facts']['mongos_port'] + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + + assert s.is_listening + + +def test_mongos_shell_connectivity(host): + ''' + Tests that we can connect to mongos via the shell annd run a cmd + ''' + if host.ansible.get_variables()['inventory_hostname'] != 'config1': + port = include_vars(host)['ansible_facts']['mongos_port'] + cmd = host.run("mongosh admin --username admin --password admin --port {0} --eval 'db.runCommand({{listDatabases: 1}})'".format(port)) + + assert cmd.rc == 0 + assert "config" in cmd.stdout + assert "admin" in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/molecule.yml new file mode 100644 index 00000000..f790062c --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/molecule.yml @@ -0,0 +1,60 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant + provider: + name: virtualbox +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos-7 + box: centos/7 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-16 + box: ubuntu/xenial64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-18 + box: ubuntu/bionic64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-buster + box: debian/buster64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-stretch + box: debian/contrib-stretch64 # Standard debian/stretch64 had issues: Unable to locate package linux-headers-4.9.0-9-amd64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: config1 + box: debian/contrib-stretch64 # Standard debian/stretch64 had issues: Unable to locate package linux-headers-4.9.0-9-amd64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/playbook.yml new file mode 100644 index 00000000..7873ee67 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/playbook.yml @@ -0,0 +1,70 @@ +--- +- name: Converge + hosts: all + become: yes + + vars: + admin_user: "admin" + admin_user_password: "admin" + + roles: + - role: mongodb_repository + tags: molecule-idempotence-notest + - role: mongodb_install + when: "'config' in ansible_hostname" + tags: molecule-idempotence-notest + - role: mongodb_config + when: "'config' in ansible_hostname" + tags: molecule-idempotence-notest + - role: mongodb_mongos + when: "'config' not in ansible_hostname" + + tasks: + + - name: Install python stuff + package: + name: ["python-setuptools", "python-pip"] + when: ansible_hostname == "config1" + + - name: Install pymongo + pip: + name: "{{ 'pymongo==3.12.*' if ansible_python_version[0:3] | float < 3.6 else 'pymongo' }}" + when: ansible_hostname == "config1" + + - name: Install MongoDB Shell + package: + name: mongodb-org-shell + + - name: Init config server replicaset + community.mongodb.mongodb_replicaset: + login_host: localhost + login_port: 27019 + replica_set: cfg + validate: no + members: + - config1.local:27019 + when: ansible_hostname == "config1" + + - name: Set add .local prefix to service name + lineinfile: + path: /etc/mongos.conf + regexp: " *configDB: *" + line: ' configDB: "cfg/config1.local:27019"' + when: "'config' not in ansible_hostname" + + - name: Restart the mongos service + service: + name: mongos + state: restarted + when: "'config' not in ansible_hostname" + + - name: Add MongoDB Admin User using localhost exception on the mongos + community.mongodb.mongodb_user: + name: "{{ admin_user }}" + password: "{{ admin_user_password }}" + login_port: "27019" + database: admin + roles: + - "root" + create_for_localhost_exception: /root/mongodb_admin.success + when: ansible_hostname == "config1" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/prepare.yml new file mode 100644 index 00000000..d56f58bb --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/prepare.yml @@ -0,0 +1,48 @@ +--- +- name: Prepare + hosts: all + become: yes + vars: + avahi_packages_redhat: + - "avahi" + - "nss-mdns" + avahi_packages_debian: + - "avahi-daemon" + - "avahi-discover" + - "libnss-mdns" + + tasks: + + - name: Run apt update + shell: apt update + when: ansible_os_family == "Debian" + + - name: Ensure epel is available + yum: + name: epel-release + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_redhat }}" + state: present + when: ansible_os_family == "RedHat" + + - name: Install avahi packages + package: + name: "{{ avahi_packages_debian }}" + state: present + when: ansible_os_family == "Debian" + + # debian-stretch seems to require a reboot for avahi-daemon to run + - name: Reboot host + reboot: + + - name: Ensure services are started + service: + name: "{{ item }}" + state: started + with_items: + #- dbus + - avahi-daemon diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/tests/test_default.py new file mode 100644 index 00000000..49546445 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/molecule/virtualbox/tests/test_default.py @@ -0,0 +1,64 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + ansible = host.ansible('include_vars', + 'file="../../vars/Debian.yml"', + False, + False) + else: + ansible = host.ansible('include_vars', + 'file="../../vars/RedHat.yml"', + False, + False) + return ansible + + +def test_mongod_cnf_file(host): + if host.ansible.get_variables()['inventory_hostname'] != 'config1': + mongodb_user = include_vars(host)['ansible_facts']['mongodb_user'] + mongodb_group = include_vars(host)['ansible_facts']['mongodb_group'] + f = host.file('/etc/mongos.conf') + + assert f.exists + assert f.user == mongodb_user + assert f.group == mongodb_group + + +def test_mongod_service(host): + + if host.ansible.get_variables()['inventory_hostname'] != 'config1': + mongos_service = include_vars(host)['ansible_facts']['mongos_service'] + s = host.service(mongos_service) + + assert s.is_running + assert s.is_enabled + + +def test_mongod_port(host): + if host.ansible.get_variables()['inventory_hostname'] != 'config1': + port = include_vars(host)['ansible_facts']['mongos_port'] + s = host.socket("tcp://0.0.0.0:{0}".format(port)) + + assert s.is_listening + + +def test_mongos_shell_connectivity(host): + ''' + Tests that we can connect to mongos via the shell annd run a cmd + ''' + if host.ansible.get_variables()['inventory_hostname'] != 'config1': + port = include_vars(host)['ansible_facts']['mongos_port'] + cmd = host.run("mongo admin -username admin --password admin --port {0} --eval 'db.runCommand({{listDatabases: 1}})'".format(port)) + + assert cmd.rc == 0 + assert "config" in cmd.stdout + assert "admin" in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/tasks/main.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/tasks/main.yml new file mode 100644 index 00000000..ffe58d13 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/tasks/main.yml @@ -0,0 +1,123 @@ +--- +# tasks file for mongodb_mongos +- name: Include OS-specific vars + include_vars: + file: "{{ lookup('first_found', params) }}" + vars: + params: + paths: + - "vars" + files: + - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml" + - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml" + - "{{ ansible_facts.distribution }}.yml" + - "{{ ansible_facts.os_family }}.yml" + - default.yml + tags: + - "vars" + +- name: Create mongodb_group + group: + name: "{{ mongodb_group }}" + system: yes + tags: + - "linux" + - "setup" + - "mongodb" + +- name: Create mongodb_user + user: + name: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + system: yes + createhome: no + tags: + - "linux" + - "setup" + - "mongodb" + +- name: Copy keyfile to host + copy: + content: | + {{ openssl_keyfile_content }} + dest: "{{ openssl_keyfile_path }}" + owner: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + mode: 0400 + notify: + - Restart mongos service + tags: + - "setup" + - "mongodb" + +- name: Ensure /usr/local/bin/ directory exists + file: + path: /usr/local/bin/ + state: directory + recurse: yes + tags: + - "setup" + - "mongodb" + +- name: Ensure mongos service pre start script exists + template: + src: mongos_pre.sh.j2 + dest: /usr/local/bin/mongos_pre.sh + owner: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + mode: 0755 + tags: + - "setup" + - "mongodb" + +- name: Ensure mongos.service file exists + template: + src: mongos.service.j2 + dest: /etc/systemd/system/mongos.service + owner: root + group: root + register: sysd + tags: + - "setup" + - "mongodb" + +- name: Run systemctl daemon-reload + systemd: + daemon_reload: yes + when: sysd is changed + tags: + - "setup" + - "service" + +- name: Ensure mongos.conf file exists + template: + src: "{{ mongos_config_template }}" + dest: /etc/mongos.conf + owner: "{{ mongodb_user }}" + group: "{{ mongodb_group }}" + notify: + - Restart mongos service + tags: + - "setup" + - "mongodb" + +- name: Ensure mongos package is installed + package: + name: "{{ mongos_package }}" + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "setup" + - "mongodb" + - "pkg" + +- name: Start mongos service + service: + name: "{{ mongos_service }}" + state: started + enabled: yes + tags: + - "setup" + - "mongodb" + - "service" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.conf.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.conf.j2 new file mode 100644 index 00000000..6c61b871 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.conf.j2 @@ -0,0 +1,28 @@ +systemLog: + destination: file + path: {{ log_path }} + logAppend: true + logRotate: reopen +net: +{% if bind_ip_all %} + bindIpAll: true +{% else %} + bindIp: {{ bind_ip }} +{% endif %} + port: {{ mongos_port }} +{% if net_compressors %} + compression: + compressors: {{ net_compressors }} +{% endif %} +{% if mongodb_use_tls %} + tls: + mode: requireTLS + certificateKeyFile: {{ mongodb_certificate_key_file }} + CAFile: {{ mongodb_certificate_ca_file }} +{% endif %} +sharding: + configDB: "{{ config_repl_set_name }}/{{ config_servers }}" +processManagement: + timeZoneInfo: /usr/share/zoneinfo +security: + keyFile: {{ openssl_keyfile_path }} diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.service.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.service.j2 new file mode 100644 index 00000000..6f1a11bc --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos.service.j2 @@ -0,0 +1,22 @@ +[Unit] +Description=mongos +After=syslog.target +After=network.target + +[Service] +User={{ mongodb_user }} +Group={{ mongodb_group }} +PIDFile={{ pid_file }} +PermissionsStartOnly=true +ExecStartPre=/usr/local/bin/mongos_pre.sh +ExecStart=/usr/bin/mongos --quiet \ + --config /etc/mongos.conf +LimitFSIZE=infinity +LimitCPU=infinity +LimitAS=infinity +LimitNOFILE=64000 +LimitNPROC=64000 +TasksAccounting=false + +[Install] +WantedBy=multi-user.target diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos_pre.sh.j2 b/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos_pre.sh.j2 new file mode 100644 index 00000000..ea58c81a --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/templates/mongos_pre.sh.j2 @@ -0,0 +1,5 @@ +#!/usr/bin/env bash + +if [ ! -d /var/log/mongodb ]; then + mkdir -p /var/log/mongodb && chown {{ mongodb_user }}:{{ mongodb_group }} /var/log/mongodb +fi diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/vars/Debian.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/vars/Debian.yml new file mode 100644 index 00000000..02e64683 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/vars/Debian.yml @@ -0,0 +1,5 @@ +--- +mongodb_user: "mongodb" +mongodb_group: "mongodb" +mongos_port: 27017 +mongos_service: "mongos" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/vars/RedHat.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/vars/RedHat.yml new file mode 100644 index 00000000..47197a81 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/vars/RedHat.yml @@ -0,0 +1,5 @@ +--- +mongodb_user: "mongod" +mongodb_group: "mongod" +mongos_port: 27017 +mongos_service: "mongos" diff --git a/ansible_collections/community/mongodb/roles/mongodb_mongos/vars/default.yml b/ansible_collections/community/mongodb/roles/mongodb_mongos/vars/default.yml new file mode 100644 index 00000000..47197a81 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_mongos/vars/default.yml @@ -0,0 +1,5 @@ +--- +mongodb_user: "mongod" +mongodb_group: "mongod" +mongos_port: 27017 +mongos_service: "mongos" diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/.yamllint b/ansible_collections/community/mongodb/roles/mongodb_repository/.yamllint new file mode 100644 index 00000000..88276760 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/README.md b/ansible_collections/community/mongodb/roles/mongodb_repository/README.md new file mode 100644 index 00000000..86e41407 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/README.md @@ -0,0 +1,47 @@ +mongodb_repository +================== + +Configures a repository for MongoDB on Debian and RedHat based platforms. + +Role Variables +-------------- + +* mongodb_version: Version of MongoDB. Default "4.4". +* debian_packages: Packages needed on Debian systems for this role. + + +Defaults +---------- + +The following two dictionaries provide configuration details for the MongoDB repositories. Most users should not need to change these. + +debian: + apt_key_url: Apt Key Url. + apt_repository_repo: Apr repository string. +redhat: + rpm_key_key: Rpm Key Url. + yum_baseurl: Yum repository base url. + yum_gpgkey: Yum repository gpg key. + yum_gpgcheck: Enable or disable gpg check. Boolean. + yum_description: Yum Repository Description. + +Example Playbook +---------------- + +Set mongodb_version to 4.0. + +```yaml + - hosts: servers + roles: + - { role: mongodb_repository, mongodb_version: "4.0" } +``` + +License +------- + +BSD + +Author Information +------------------ + +Rhys Campbell (https://github.com/rhysmeister) diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/defaults/main.yml b/ansible_collections/community/mongodb/roles/mongodb_repository/defaults/main.yml new file mode 100644 index 00000000..814fc1d3 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/defaults/main.yml @@ -0,0 +1,15 @@ +--- +mongodb_version: "6.0" +debian_packages: + - apt-transport-https + - curl + - gnupg +debian: + apt_key_url: "https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc" + apt_repository_repo: "deb{{ ' [ arch=amd64,arm64 ]' if ansible_facts.distribution == 'Ubuntu' else '' }} https://repo.mongodb.org/apt/{{ ansible_facts.distribution|lower }} {{ ansible_facts.distribution_release }}/mongodb-org/{{ mongodb_version }} {{ 'multiverse' if ansible_facts.distribution == 'Ubuntu' else 'main' }}" +redhat: + rpm_key_key: "https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc" + yum_baseurl: "https://repo.mongodb.org/yum/{{ 'amazon' if ansible_distribution == 'Amazon' else 'redhat' }}/$releasever/mongodb-org/{{ mongodb_version }}/x86_64/" + yum_gpgkey: "https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc" + yum_gpgcheck: true + yum_description: "Official MongoDB {{ mongodb_version }} yum repo" diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/meta/main.yml b/ansible_collections/community/mongodb/roles/mongodb_repository/meta/main.yml new file mode 100644 index 00000000..85de212d --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/meta/main.yml @@ -0,0 +1,57 @@ +--- +galaxy_info: + author: Rhys Campbell + description: Configures a package repository for MongoDB on Debian and RedHat based platforms. + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: GPLv3 + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/molecule.yml new file mode 100644 index 00000000..24b7cee6 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/molecule.yml @@ -0,0 +1,36 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + - name: ubuntu_18 + image: ubuntu:18.04 + - name: debian_buster + image: debian:buster + - name: debian_bullseye + image: debian:bullseye + - name: amazonlinux + image: amazonlinux:2 +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/playbook.yml new file mode 100644 index 00000000..75a509d1 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/playbook.yml @@ -0,0 +1,5 @@ +--- +- name: Converge + hosts: all + roles: + - role: mongodb_repository diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/tests/test_default.py new file mode 100644 index 00000000..a5a44dbe --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/default/tests/test_default.py @@ -0,0 +1,69 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + ansible = host.ansible('include_vars', + 'file="../../defaults/main.yml"', + False, + False) + return ansible + + +def get_mongodb_version(host): + return include_vars(host)['ansible_facts']['mongodb_version'] + + +def test_redhat_mongodb_repository_file(host): + # with capsys.disabled(): #Disable autocapture of output and send to stdout N.B capsys must be passed into function + # print(include_vars(host)['ansible_facts']) + mongodb_version = get_mongodb_version(host) + if host.system_info.distribution == "redhat" \ + or host.system_info.distribution == "centos" \ + or host.system_info.distribution == "amazon": + f = host.file("/etc/yum.repos.d/mongodb-{0}.repo".format(mongodb_version)) + assert f.exists + assert f.user == 'root' + assert f.group == 'root' + assert f.mode == 0o644 + assert f.md5sum == "dbcb01e2e25b6d10afd27b60205136c3" + + +def test_redhat_yum_search(host): + mongodb_version = get_mongodb_version(host) + if host.system_info.distribution == "redhat" \ + or host.system_info.distribution == "centos" \ + or host.system_info.distribution == "amazon": + cmd = host.run("yum search mongodb --disablerepo='*' \ + --enablerepo='mongodb-{0}'".format(mongodb_version)) + + assert cmd.rc == 0 + assert "MongoDB database server" in cmd.stdout + + +def test_debian_mongodb_repository_file(host): + mongodb_version = get_mongodb_version(host) + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + f = host.file("/etc/apt/sources.list.d/mongodb-{0}.list".format(mongodb_version)) + + assert f.exists + assert f.user == 'root' + assert f.group == 'root' + assert f.mode == 0o644 + assert "repo.mongodb.org" in f.content_string + assert mongodb_version in f.content_string + + +def test_debian_apt_search(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + cmd = host.run("apt search mongodb") + + assert cmd.rc == 0 + assert "mongodb" in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/virtualbox/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/virtualbox/molecule.yml new file mode 100644 index 00000000..14d29680 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/virtualbox/molecule.yml @@ -0,0 +1,54 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant + provider: + name: virtualbox +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos-7 + box: centos/7 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-16 + box: ubuntu/xenial64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: ubuntu-18 + box: ubuntu/bionic64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-buster + box: debian/buster64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true + - name: debian-stretch + box: debian/contrib-stretch64 # Standard debian/stretch64 had issues: Unable to locate package linux-headers-4.9.0-9-amd64 + interfaces: + - network_name: private_network + type: dhcp + auto_config: true +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/virtualbox/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/virtualbox/playbook.yml new file mode 100644 index 00000000..d49d9e23 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/virtualbox/playbook.yml @@ -0,0 +1,6 @@ +--- +- name: Converge + hosts: all + become: yes + roles: + - role: mongodb_repository diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/virtualbox/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/virtualbox/tests/test_default.py new file mode 100644 index 00000000..bfe613a4 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/molecule/virtualbox/tests/test_default.py @@ -0,0 +1,67 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def include_vars(host): + ansible = host.ansible('include_vars', + 'file="../../defaults/main.yml"', + False, + False) + return ansible + + +def get_mongodb_version(host): + return include_vars(host)['ansible_facts']['mongodb_version'] + + +def test_redhat_mongodb_repository_file(host): + # with capsys.disabled(): #Disable autocapture of output and send to stdout N.B capsys must be passed into function + # print(include_vars(host)['ansible_facts']) + mongodb_version = get_mongodb_version(host) + if host.system_info.distribution == "redhat" \ + or host.system_info.distribution == "centos": + f = host.file("/etc/yum.repos.d/mongodb-{0}.repo".format(mongodb_version)) + assert f.exists + assert f.user == 'root' + assert f.group == 'root' + assert f.mode == 0o644 + assert f.md5sum == "71c3a725d5aad794793a4b599f7564c0" + + +def test_redhat_yum_search(host): + mongodb_version = get_mongodb_version(host) + if host.system_info.distribution == "redhat" \ + or host.system_info.distribution == "centos": + cmd = host.run("yum search mongodb --disablerepo='*' \ + --enablerepo='mongodb-{0}'".format(mongodb_version)) + + assert cmd.rc == 0 + assert "MongoDB database server" in cmd.stdout + + +def test_debian_cassandra_repository_file(host): + mongodb_version = get_mongodb_version(host) + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + f = host.file("/etc/apt/sources.list.d/mongodb-{0}.list".format(mongodb_version)) + + assert f.exists + assert f.user == 'root' + assert f.group == 'root' + assert f.mode == 0o644 + assert "repo.mongodb.org" in f.content_string + assert mongodb_version in f.content_string + + +def test_debian_apt_search(host): + if host.system_info.distribution == "debian" \ + or host.system_info.distribution == "ubuntu": + cmd = host.run("apt search mongodb") + + assert cmd.rc == 0 + assert "mongodb-org-server" in cmd.stdout diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/tasks/Debian.yml b/ansible_collections/community/mongodb/roles/mongodb_repository/tasks/Debian.yml new file mode 100644 index 00000000..45261650 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/tasks/Debian.yml @@ -0,0 +1,40 @@ +--- +# tasks file for mongodb_repository (Debian os_family) +- name: Install debian packages + apt: + name: "{{ debian_packages }}" + state: present + register: _apt + until: _apt is succeeded + retries: 5 + tags: + - "pkg" + - "setup" + - "debian" + +- name: Add apt key for MongoDB repository + apt_key: + url: "{{ debian.apt_key_url }}" + state: present + register: _apt + until: _apt is succeeded + retries: 5 + tags: + - "pkg" + - "setup" + - "mongodb" + - "debian" + +- name: Ensure MongoDB apt repository exists + apt_repository: + repo: "{{ debian.apt_repository_repo }}" + state: present + filename: "mongodb-{{ mongodb_version }}" + register: _apt + until: _apt is succeeded + retries: 5 + tags: + - "pkg" + - "setup" + - "mongodb" + - "debian" diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/tasks/RedHat.yml b/ansible_collections/community/mongodb/roles/mongodb_repository/tasks/RedHat.yml new file mode 100644 index 00000000..53ff3085 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/tasks/RedHat.yml @@ -0,0 +1,30 @@ +--- +# tasks file for mongodb_repository (RedHat os_family) +- name: Add mongodb.org gpgkey + rpm_key: + key: "{{ redhat.rpm_key_key }}" + state: present + register: _yum + until: _yum is succeeded + retries: 5 + tags: + - "pkg" + - "setup" + - "mongodb" + - "redhat" + +- name: Ensure MongoDB yum repository exists + yum_repository: + name: "mongodb-{{ mongodb_version }}" + description: "{{ redhat.yum_description }}" + baseurl: "{{ redhat.yum_baseurl }}" + gpgcheck: "{{ redhat.yum_gpgcheck }}" + gpgkey: "{{ redhat.yum_gpgkey }}" + register: _yum + until: _yum is succeeded + retries: 5 + tags: + - "pkg" + - "setup" + - "mongodb" + - "redhat" diff --git a/ansible_collections/community/mongodb/roles/mongodb_repository/tasks/main.yml b/ansible_collections/community/mongodb/roles/mongodb_repository/tasks/main.yml new file mode 100644 index 00000000..bf77da35 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_repository/tasks/main.yml @@ -0,0 +1,4 @@ +--- +# tasks file for mongodb_repository +- name: Include OS-specific tasks + include_tasks: "{{ ansible_facts.os_family }}.yml" diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/.yamllint b/ansible_collections/community/mongodb/roles/mongodb_selinux/.yamllint new file mode 100644 index 00000000..88276760 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/README.md b/ansible_collections/community/mongodb/roles/mongodb_selinux/README.md new file mode 100644 index 00000000..5f5b9f45 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/README.md @@ -0,0 +1,29 @@ +mongodb_linux +============= + +Configures SeLinux as per the instructions located at https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/ + + +Role Variables +-------------- + +required_packages: Package required for this role. Currently checkpolicy & policycoreutils-python. + +Example Playbook +---------------- + +```yaml + - hosts: servers + roles: + - "mongodb_selinux" +``` + +License +------- + +BSD + +Author Information +------------------ + +Rhys Campbell (https://github.com/rhysmeister) diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/files/compile_mongodb_selinux.sh b/ansible_collections/community/mongodb/roles/mongodb_selinux/files/compile_mongodb_selinux.sh new file mode 100644 index 00000000..02580d16 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/files/compile_mongodb_selinux.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +set -e; +set -u; + +rm -f /root/mongodb_selinux.success; +checkmodule -M -m -o /root/mongodb_cgroup_memory.mod /root/mongodb_cgroup_memory.te +semodule_package -o /root/mongodb_cgroup_memory.pp -m /root/mongodb_cgroup_memory.mod +semodule -i /root/mongodb_cgroup_memory.pp +touch /root/mongodb_selinux.success;
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/meta/main.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/meta/main.yml new file mode 100644 index 00000000..9edf1df9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/meta/main.yml @@ -0,0 +1,57 @@ +--- +galaxy_info: + author: Rhys Campbell + description: Configure SELinux for MongoDB. + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: GPLv3 + + min_ansible_version: 1.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If Travis integration is configured, only notifications for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + # github_branch: + + # + # platforms is a list of platforms, and each platform has a name and a list of versions. + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] +# List your role dependencies here, one per line. Be sure to remove the '[]' above, +# if you add dependencies to this list. diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/Dockerfile.j2 b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/Dockerfile.j2 new file mode 100644 index 00000000..ea0538b9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/Dockerfile.j2 @@ -0,0 +1,41 @@ +# Molecule managed + +{% if item.registry is defined %} +FROM {{ item.registry.url }}/{{ item.image }} +{% else %} +FROM {{ item.image }} +{% endif %} + +{% if item.env is defined %} +{% for var, value in item.env.items() %} +{% if value %} +ENV {{ var }} {{ value }} +{% endif %} +{% endfor %} +{% endif %} + +{% if item.name == 'amazonlinux' %} +RUN yum -y install systemd sudo; \ + cd /lib/systemd/system/sysinit.target.wants/ ; \ + for i in *; do [ $i = systemd-tmpfiles-setup.service ] || rm -f $i ; done ; \ + rm -f /lib/systemd/system/multi-user.target.wants/* ; \ + rm -f /etc/systemd/system/*.wants/* ; \ + rm -f /lib/systemd/system/local-fs.target.wants/* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*udev* ; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl* ; \ + rm -f /lib/systemd/system/basic.target.wants/* ; \ + rm -f /lib/systemd/system/anaconda.target.wants/* +{% else %} +# Add systemd-sysv package for Debian to get systemd working (and procps for sysctl) and netbase for firewalld +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 systemd-sysv procps netbase && apt-get clean; \ + elif [ $(command -v dnf) ] && grep -q 'platform:el8' /etc/os-release ; then dnf makecache && dnf update -y && dnf --assumeyes install python3 sudo python3-devel bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && rm -Rf /usr/share/doc && rm -Rf /usr/share/man && dnf clean all && cp /bin/true /sbin/agetty; \ + elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash iproute && dnf clean all; \ + elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ + elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \ + elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ + elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi +{% endif %} + +{% if item.name == 'debian_bullseye' %} +RUN apt install -y python3 +{% endif %} diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/molecule.yml new file mode 100644 index 00000000..24b7cee6 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/molecule.yml @@ -0,0 +1,36 @@ +--- +dependency: + name: galaxy +driver: + name: docker +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos_7 + image: centos:7 + - name: ubuntu_18 + image: ubuntu:18.04 + - name: debian_buster + image: debian:buster + - name: debian_bullseye + image: debian:bullseye + - name: amazonlinux + image: amazonlinux:2 +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false + inventory: + host_vars: + debian_bullseye: + ansible_python_interpreter: /usr/bin/python3 +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/playbook.yml new file mode 100644 index 00000000..94943c2a --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/playbook.yml @@ -0,0 +1,5 @@ +--- +- name: Converge + hosts: all + roles: + - role: mongodb_selinux diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/tests/test_default.py new file mode 100644 index 00000000..70c02eb6 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/default/tests/test_default.py @@ -0,0 +1,13 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def test_mongodb_cgroup_module_installed(host): + cmd = host.run("semodule --list-modules | grep mongodb_cgroup_memory") + + assert cmd.rc == 0 diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/prepare.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/prepare.yml new file mode 100644 index 00000000..6744c4e4 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/prepare.yml @@ -0,0 +1,10 @@ +--- +- name: Prepare + hosts: all + + tasks: + + - name: Set Python3 for bullseye + set_fact: + ansible_python_interpreter: /usr/bin/python3 + when: ansible_distribution_release == 'bullseye'
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/virtualbox/molecule.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/virtualbox/molecule.yml new file mode 100644 index 00000000..bd78119e --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/virtualbox/molecule.yml @@ -0,0 +1,34 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant + provider: + name: virtualbox +lint: + name: yamllint + options: + config-data: + line-length: disable +platforms: + - name: centos-7 + box: centos/7 + - name: ubuntu-16 + box: ubuntu/xenial64 + - name: ubuntu-18 + box: ubuntu/bionic64 + - name: debian-buster + box: debian/buster64 + - name: debian-bullseye + box: debian/bullseye +provisioner: + name: ansible + lint: + name: ansible-lint + enabled: false +verifier: + name: testinfra + lint: + name: flake8 + options: + ignore: 'E501' diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/virtualbox/playbook.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/virtualbox/playbook.yml new file mode 100644 index 00000000..929837d5 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/virtualbox/playbook.yml @@ -0,0 +1,6 @@ +--- +- name: Converge + hosts: all + become: yes + roles: + - role: mongodb_selinux diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/virtualbox/tests/test_default.py b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/virtualbox/tests/test_default.py new file mode 100644 index 00000000..1cee4af9 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/molecule/virtualbox/tests/test_default.py @@ -0,0 +1,14 @@ +import os + +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + os.environ['MOLECULE_INVENTORY_FILE'] +).get_hosts('all') + + +def test_mongodb_cgroup_module_installed(host): + with host.sudo(): + cmd = host.run("semodule --list-modules | grep mongodb_cgroup_memory") + + assert cmd.rc == 0 diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/tasks/main.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/tasks/main.yml new file mode 100644 index 00000000..b80c4c7c --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/tasks/main.yml @@ -0,0 +1,57 @@ +--- +# tasks file for mongodb_selinux +- name: Include OS-specific vars + include_vars: + file: "{{ lookup('first_found', params) }}" + vars: + params: + paths: + - "vars" + files: + - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml" + - "{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml" + - "{{ ansible_facts.distribution }}.yml" + - "{{ ansible_facts.os_family }}.yml" + - default.yml + tags: + - "vars" + +- name: Install required packages + package: + name: "{{ required_packages }}" + register: _pkg + until: _pkg is succeeded + retries: 5 + tags: + - "pkg" + - "setup" + +- name: Copy custom MongoDB SeLinux Policy to Host + copy: + content: | + module mongodb_cgroup_memory 1.0; + + require { + type cgroup_t; + type mongod_t; + class dir search; + class file { getattr open read }; + } + + #============= mongod_t ============== + allow mongod_t cgroup_t:dir search; + allow mongod_t cgroup_t:file { getattr open read }; + dest: /root/mongodb_cgroup_memory.te + register: mongodb_policy + tags: + - "setup" + - "mongodb" + - "linux" + +- name: Compile & Install MongoDB Policy + script: files/compile_mongodb_selinux.sh + when: mongodb_policy.changed + tags: + - "setup" + - "mongodb" + - "linux" diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/Amazon.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/Amazon.yml new file mode 100644 index 00000000..43c462fb --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/Amazon.yml @@ -0,0 +1,10 @@ +--- +# defaults file for mongodb_selinux +required_packages: + - "pcp-selinux" + - "checkpolicy" + - "policycoreutils-python" + - "selinux-policy-mls" + - "selinux-policy" + - "selinux-policy-doc" + - "selinux-policy-targeted"
\ No newline at end of file diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/Debian.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/Debian.yml new file mode 100644 index 00000000..838b5143 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/Debian.yml @@ -0,0 +1,9 @@ +--- +# defaults file for mongodb_selinux +required_packages: + - "checkpolicy" + - "policycoreutils-python-utils" + - "selinux-policy-mls" + - "selinux-policy-default" + - "selinux-policy-src" + - "selinux-policy-doc" diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/RedHat-7.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/RedHat-7.yml new file mode 100644 index 00000000..2b36fa9e --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/RedHat-7.yml @@ -0,0 +1,9 @@ +--- +# defaults file for mongodb_selinux +required_packages: + - "checkpolicy" + - "policycoreutils-python" + - "selinux-policy-mls" + - "selinux-policy" + - "selinux-policy-doc" + - "selinux-policy-targeted" diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/RedHat-8.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/RedHat-8.yml new file mode 100644 index 00000000..71aaccb1 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/RedHat-8.yml @@ -0,0 +1,9 @@ +--- +# defaults file for mongodb_selinux +required_packages: + - "checkpolicy" + - "policycoreutils-python-utils" + - "selinux-policy-mls" + - "selinux-policy" + - "selinux-policy-doc" + - "selinux-policy-targeted" diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/Ubuntu-16.04.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/Ubuntu-16.04.yml new file mode 100644 index 00000000..281472a8 --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/Ubuntu-16.04.yml @@ -0,0 +1,9 @@ +--- +# defaults file for mongodb_selinux +required_packages: + - "checkpolicy" + - "policycoreutils" + - "selinux-policy-mls" + - "selinux-policy-default" + - "selinux-policy-src" + - "selinux-policy-doc" diff --git a/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/default.yml b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/default.yml new file mode 100644 index 00000000..bb5fce4a --- /dev/null +++ b/ansible_collections/community/mongodb/roles/mongodb_selinux/vars/default.yml @@ -0,0 +1,5 @@ +--- +# defaults file for mongodb_selinux +required_packages: + - "checkpolicy" + - "policycoreutils-python" |