Merge remote-tracking branch 'upstream/main'

roles/common_vars/defaults/main/redis.yml

@@ -15,3 +15,9 @@ redis_user_itential_password: itential
 redis_user_repluser_password: repluser
 redis_user_sentineladmin_password: admin
 redis_user_sentineluser_password: sentineluser
+
+# Default redis port
+redis_port: 6379
+
+# The default redis sentinel listen port
+redis_sentinel_port: 26379

roles/mongodb/tasks/configure-selinux.yml

@@ -8,6 +8,16 @@
       ansible.builtin.include_role:
         name: selinux
 
+    - name: Allow mongodb to listen on tcp port when using non-standard mongo port
+      community.general.seport:
+        ports: "{{ mongo_port }}"
+        proto: tcp
+        setype: mongod_port_t
+        state: present
+      when:
+        - ansible_selinux.status == "enabled"
+        - mongo_port != 27017
+
     # MongoDB is configured to use non-default paths for its data and log
     # directories. First, we need to update the SELinux policy to allow the
     # mongod service to use the new directory, it’s worth to note that we

roles/mongodb/tasks/main.yml

@@ -202,6 +202,7 @@
       community.mongodb.mongodb_user:
         login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
         login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+        login_port: "{{ mongo_port }}"
         database: "{{ mongo_admin_db_name }}"
         name: admin
         password: "{{ mongo_user_admin_password }}"
@@ -220,6 +221,7 @@
       community.mongodb.mongodb_user:
         login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
         login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+        login_port: "{{ mongo_port }}"
         database: "{{ mongo_itential_db_name }}"
         user: itential
         password: "{{ mongo_user_itential_password }}"
@@ -238,6 +240,7 @@
       community.mongodb.mongodb_user:
         login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
         login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+        login_port: "{{ mongo_port }}"
         database: "{{ mongo_localaaa_db_name }}"
         user: localaaa
         password: "{{ mongo_user_localaaa_password }}"

roles/mongodb_common/tasks/check-auth-status.yml

@@ -10,6 +10,9 @@
 
     - name: Check if auth is enabled
       community.mongodb.mongodb_shell:
+        login_user: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary('admin', omit) }}"
+        login_password: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+        login_port: "{{ mongo_port }}"
         mongo_cmd: auto
         db: admin
         eval: "db.getUsers()"

roles/mongodb_common/tasks/determine-primary-server.yml

@@ -10,6 +10,7 @@
     mongo_cmd: auto
     login_user: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary('admin', omit) }}"
     login_password: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+    login_port: "{{ mongo_port }}"
     eval: "rs.status()"
   register: rs_status_result
   changed_when: false
@@ -29,6 +30,7 @@
       community.mongodb.mongodb_status:
         login_user: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary('admin', omit) }}"
         login_password: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+        login_port: "{{ mongo_port }}"
         replica_set: rs0
       register: mongodb_status_result
 

roles/mongodb_replication/tasks/main.yml

@@ -28,17 +28,24 @@
     tasks_from: restart-mongo.yml
   when: result1.changed or result2.changed
 
+- name: Set empty array of mongo servers
+  ansible.builtin.set_fact:
+    mongodb_servers: []
+
+# This task should always run, arbiter or not
 - name: Create the replicaset members list (no arbiter)
   ansible.builtin.set_fact:
-    mongodb_servers: "{{ groups.mongodb }}"
+    mongodb_servers: "{{ mongodb_servers + [item + ':' + mongo_port | string] }}"
+  with_items: "{{ groups.mongodb }}"
   when:
     - inventory_hostname in groups.mongodb
     - groups.mongodb.index(inventory_hostname) == 0
-    - not groups.mongodb_arbiter is defined
 
-- name: Create the replicaset members list (with arbiter)
+# This task will only run when there is an arbiter defined in the hosts file
+- name: Add the arbiter to the list of servers when there is one
   ansible.builtin.set_fact:
-    mongodb_servers: "{{ groups.mongodb + groups.mongodb_arbiter }}"
+    mongodb_servers: "{{ mongodb_servers + [item + ':' + mongo_port | string] }}"
+  with_items: "{{ groups.mongodb_arbiter }}"
   when:
     - inventory_hostname in groups.mongodb
     - groups.mongodb.index(inventory_hostname) == 0
@@ -48,6 +55,7 @@
   community.mongodb.mongodb_replicaset:
     login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
     login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+    login_port: "{{ mongo_port }}"
     replica_set: "{{ mongo_replset_name }}"
     members: "{{ mongodb_servers }}"
     arbiter_at_index: "{{ (groups.mongodb_arbiter | default([]) | length > 0) | ternary(mongodb_servers | length - 1, omit) }}"
@@ -61,6 +69,7 @@
   community.mongodb.mongodb_status:
     login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
     login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+    login_port: "{{ mongo_port }}"
     login_database: admin
     poll: 3
     interval: 10
@@ -113,6 +122,7 @@
     mongo_cmd: auto
     login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
     login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+    login_port: "{{ mongo_port }}"
     login_database: admin
     eval: db.adminCommand({"setDefaultRWConcern":1,"defaultWriteConcern":{"w":1}})
   when:

roles/platform/templates/profile.j2

@@ -55,7 +55,7 @@
     {% set redis_host = None %}
     {% set sentinels = [] %}
     {% for sentinel in groups[vars.redis_group_name] %}
-      {% set sentinel = dict(host = hostvars[ sentinel ].inventory_hostname, port = 26379) %}
+      {% set sentinel = dict(host = hostvars[ sentinel ].inventory_hostname, port = redis_sentinel_port) %}
       {{ sentinels.append(sentinel) }}
     {% endfor %}
   {% endif %}
@@ -223,7 +223,7 @@
     "maxRetriesPerRequest" : 20,
     "name" : "mymaster",
     "password" : {{ redis_password | to_json }},
-    "port" : 6379,
+    "port" : {{ redis_port }},
 {% if redis_replication | bool %}
     "sentinels" : {{ sentinels | to_json }},
     "sentinelPassword" : {{ sentinel_password | to_json }},

roles/redis/defaults/main.yml

@@ -18,9 +18,6 @@ redis_data_dir: /var/lib/redis
 # The location of the Redis data directory
 redis_pid_dir: /var/run
 
-# Default redis port
-redis_port: 6379
-
 # Redis user and group
 redis_owner: redis
 redis_group: redis
@@ -52,7 +49,7 @@ packages_path: "{{ itential_packages_path }}/{{ iap_release }}/redis"
 
 # Redis install method - string.
 # The valid values are 'remi_repo' (default) or 'source'.
-redis_install_method: remi_repo
+redis_install_method: source
 
 # The EPEL repo is only required when the redis_install_method is set to 'remi_repo'
 epel_repo_url: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"

roles/redis/files/redis_varlib.te

@@ -0,0 +1,22 @@
+
+module redis_varlib 1.0;
+
+require {
+        type redis_t;
+        type default_t;
+        type unreserved_port_t;
+        type var_lib_t;
+        type var_log_t;
+        class dir { add_name create read remove_name write };
+        class file { append create getattr open read rename unlink write };
+        class tcp_socket name_bind;
+}
+
+#============= redis_t ==============
+
+allow redis_t default_t:dir { add_name create read remove_name write };
+allow redis_t default_t:file { append create getattr open read rename unlink write };
+allow redis_t unreserved_port_t:tcp_socket name_bind;
+allow redis_t var_lib_t:dir { add_name write };
+allow redis_t var_lib_t:file { getattr read };
+allow redis_t var_log_t:file open;

roles/redis/tasks/main.yml

@@ -18,13 +18,58 @@
     name: os
   tags: install_base_os_packages
 
+# Kernel Adjust
+# Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition.
+# Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328
+- name: Adjust Memory Overcommit
+  ansible.posix.sysctl:
+    name: vm.overcommit_memory
+    value: 1
+
 - name: Configure SELinux
   tags: configure_selinux
   block:
     - name: Install custom SELinux profiles
       ansible.builtin.include_role:
         name: selinux
 
+- name: Create Redis group
+  ansible.builtin.group:
+    name: "{{ redis_group }}"
+
+- name: Create Redis user
+  ansible.builtin.user:
+    name: "{{ redis_owner }}"
+    group: "{{ redis_group }}"
+    state: present
+
+- name: Create Redis data directory
+  ansible.builtin.file:
+    state: directory
+    path: "{{ redis_data_dir }}"
+    owner: "{{ redis_owner }}"
+    group: "{{ redis_group }}"
+    mode: "0755"
+  when: redis_data_dir != "/var/lib/redis" or redis_install_method == "source"
+
+- name: Create Redis log directory
+  ansible.builtin.file:
+    state: directory
+    path: "{{ redis_log_dir }}"
+    owner: "{{ redis_owner }}"
+    group: "{{ redis_group }}"
+    mode: "0755"
+  when: redis_log_dir != "/var/log/redis" or redis_install_method == "source"
+
+- name: Create Redis pid directory
+  ansible.builtin.file:
+    state: directory
+    path: "{{ redis_pid_dir }}"
+    owner: "{{ redis_owner }}"
+    group: "{{ redis_group }}"
+    mode: "0755"
+  when: redis_pid_dir != "/var/run" or redis_install_method == "source"
+
 - name: Install Redis
   tags: install_redis
   block:

roles/redis/tasks/redis-using-source.yml

@@ -96,37 +96,3 @@
     owner: root
     group: root
     mode: "0644"
-
-- name: Create Redis group
-  ansible.builtin.group:
-    name: "{{ redis_group }}"
-
-- name: Create Redis user
-  ansible.builtin.user:
-    name: "{{ redis_owner }}"
-    group: "{{ redis_group }}"
-    state: present
-
-- name: Create Redis data directory
-  ansible.builtin.file:
-    name: "{{ redis_data_dir }}"
-    state: directory
-    owner: "{{ redis_owner }}"
-    group: "{{ redis_group }}"
-    mode: "0755"
-
-- name: Create Redis log directory
-  ansible.builtin.file:
-    name: "{{ redis_log_dir }}"
-    state: directory
-    owner: "{{ redis_owner }}"
-    group: "{{ redis_group }}"
-    mode: "0755"
-
-- name: Create Redis pid directory
-  ansible.builtin.file:
-    name: "{{ redis_pid_dir }}"
-    state: directory
-    owner: "{{ redis_owner }}"
-    group: "{{ redis_group }}"
-    mode: "0755"

roles/redis/templates/redis.conf.j2

@@ -300,7 +300,7 @@ daemonize no
 #
 # Note that on modern Linux systems "/run/redis.pid" is more conforming
 # and should be used instead.
-pidfile /var/run/redis_6379.pid
+pidfile {{ redis_pid_dir }}/redis_{{ redis_port }}.pid
 
 # Specify the server verbosity level.
 # This can be one of:
@@ -746,9 +746,10 @@ min-replicas-to-write 1
 #
 {% if redis_replication | bool %}
 replica-announce-ip {{ inventory_hostname }}
+replica-announce-port {{ redis_port }}
 {% endif %}
 # replica-announce-ip 5.5.5.5
-# replica-announce-port 1234
+#replica-announce-port 1234
 
 ############################### KEYS TRACKING #################################
 

roles/redis_replication/defaults/main.yml

@@ -6,6 +6,3 @@ redis_sentinel_conf_file: "{{ redis_conf_path }}/sentinel.conf"
 
 # The location of the Redis Sentinel log file
 redis_sentinel_log: "{{ redis_log_dir }}/sentinel.log"
-
-# The default redis sentinel listen port
-redis_sentinel_port: 26379

roles/redis_replication/tasks/main.yml

@@ -41,7 +41,7 @@
       ansible.builtin.lineinfile:
         path: "{{ redis_conf_file }}"
         regexp: "# replicaof <masterip> <masterport>"
-        line: "replicaof {{ hostvars[groups['redis'][0]].inventory_hostname }} 6379"
+        line: "replicaof {{ hostvars[groups['redis'][0]].inventory_hostname }} {{ redis_port }}"
       when:
         - groups['redis'] is defined
         - inventory_hostname in groups['redis']
@@ -51,7 +51,7 @@
       ansible.builtin.lineinfile:
         path: "{{ redis_conf_file }}"
         regexp: "# replicaof <masterip> <masterport>"
-        line: "replicaof {{ hostvars[groups['redis_secondary'][0]].inventory_hostname }} 6379"
+        line: "replicaof {{ hostvars[groups['redis_secondary'][0]].inventory_hostname }} {{ redis_port }}"
       when:
         - groups['redis_secondary'] is defined
         - inventory_hostname in groups['redis_secondary']

roles/redis_replication/templates/sentinel.conf.j2

@@ -81,7 +81,7 @@ dir /tmp
 #
 # Note: master name should not include special characters or spaces.
 # The valid charset is A-z 0-9 and the three characters ".-_".
-sentinel monitor mymaster {{ master_name }} 6379 2
+sentinel monitor mymaster {{ master_name }} {{ redis_port }} 2
 
 {% if redis_auth %}
 sentinel auth-pass mymaster {{ redis_user_sentineluser_password }}