From 21db35836880eecab6927d9ebd472e52396a8fd4 Mon Sep 17 00:00:00 2001 From: Steven Schattenberg <122639296+steven-schattenberg-itential@users.noreply.github.com> Date: Wed, 18 Sep 2024 15:19:45 -0400 Subject: [PATCH 1/2] Support non-standard mongo port (#65) * resolved conflicts * Adding port var to mongo tasks to support non-standard ports * Fixed typo * Resolved code review items --- roles/mongodb/tasks/configure-selinux.yml | 10 ++++++++++ roles/mongodb/tasks/main.yml | 3 +++ .../mongodb_common/tasks/check-auth-status.yml | 3 +++ .../tasks/determine-primary-server.yml | 2 ++ roles/mongodb_replication/tasks/main.yml | 18 ++++++++++++++---- 5 files changed, 32 insertions(+), 4 deletions(-) diff --git a/roles/mongodb/tasks/configure-selinux.yml b/roles/mongodb/tasks/configure-selinux.yml index 542e65f..beb346d 100644 --- a/roles/mongodb/tasks/configure-selinux.yml +++ b/roles/mongodb/tasks/configure-selinux.yml @@ -8,6 +8,16 @@ ansible.builtin.include_role: name: selinux + - name: Allow mongodb to listen on tcp port when using non-standard mongo port + community.general.seport: + ports: "{{ mongo_port }}" + proto: tcp + setype: mongod_port_t + state: present + when: + - ansible_selinux.status == "enabled" + - mongo_port != 27017 + # MongoDB is configured to use non-default paths for its data and log # directories. First, we need to update the SELinux policy to allow the # mongod service to use the new directory, it’s worth to note that we diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 9f47eba..235f420 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml 
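Review bot: `- mongo_port != 27017` in the new seport task's `when` compares the variable unconverted, so a port supplied from inventory or `-e` arrives as the string "27017", is unequal to the integer, and the task runs for the default port as well; write `- mongo_port | int != 27017`. The diffstat adds `mongo_port` to no defaults or vars file, yet every hunk in this patch (this one, the three mongodb_user hunks, check-auth-status, determine-primary-server and the mongodb_replication hunks) now reads it, so the roles fail on an undefined variable unless it is already declared elsewhere — presumably in common_vars, worth confirming before merge. The `ports: "{{ mongo_port }}"` value itself is fine, since seport accepts the string form.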
@@ -202,6 +202,7 @@
 community.mongodb.mongodb_user:
 login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
 login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+ login_port: "{{ mongo_port }}"
 database: "{{ mongo_admin_db_name }}"
 name: admin
 password: "{{ mongo_user_admin_password }}"
@@ -220,6 +221,7 @@
 community.mongodb.mongodb_user:
 login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
 login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+ login_port: "{{ mongo_port }}"
 database: "{{ mongo_itential_db_name }}"
 user: itential
 password: "{{ mongo_user_itential_password }}"
@@ -238,6 +240,7 @@
 community.mongodb.mongodb_user:
 login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
 login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+ login_port: "{{ mongo_port }}"
 database: "{{ mongo_localaaa_db_name }}"
 user: localaaa
 password: "{{ mongo_user_localaaa_password }}"
diff --git a/roles/mongodb_common/tasks/check-auth-status.yml b/roles/mongodb_common/tasks/check-auth-status.yml
index 197dc2c..13f4b2f 100644
--- a/roles/mongodb_common/tasks/check-auth-status.yml
+++ b/roles/mongodb_common/tasks/check-auth-status.yml
@@ -10,6 +10,9 @@
 - name: Check if auth is enabled
 community.mongodb.mongodb_shell:
+ login_user: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary('admin', omit) }}"
+ login_password: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+ login_port: "{{ mongo_port }}"
 mongo_cmd: auto
 db: admin
 eval: "db.getUsers()"
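Review bot: The new `login_port` line turns the connection settings into a three-key block that is now copy-pasted into all three mongodb_user tasks in this file, and the same triple recurs in the determine-primary-server and mongodb_replication hunks of this patch. Grouping the tasks under a `block:` that carries `module_defaults:` for `community.mongodb.mongodb_user` with `login_user`, `login_password` and `login_port` set once would keep the connection parameters in one place, so the next one does not need six more edits. If the tasks are kept separate on purpose, a short comment saying why is enough.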
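Review bot: Adding `login_user`/`login_password` to the `Check if auth is enabled` probe changes what it measures: when `mongo_auth_enabled` is already true the call is authenticated and `db.getUsers()` succeeds whether or not the server enforces auth, and when it is undefined both keys are omitted and nothing changes, so the credentials only matter in the case whose answer is already known. How the registered result is interpreted lies outside the hunk, so this may be intended; a comment on the task stating which outcome the probe is expected to report once credentials are supplied would make that explicit. This file keys on `mongo_auth_enabled` while the roles/mongodb and mongodb_replication hunks key on `mongodb_auth_enabled`; if those are two distinct facts, a host with only the latter set still probes unauthenticated.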
diff --git a/roles/mongodb_common/tasks/determine-primary-server.yml b/roles/mongodb_common/tasks/determine-primary-server.yml
index b06e43f..1fb6dd0 100644
--- a/roles/mongodb_common/tasks/determine-primary-server.yml
+++ b/roles/mongodb_common/tasks/determine-primary-server.yml
@@ -10,6 +10,7 @@
 mongo_cmd: auto
 login_user: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary('admin', omit) }}"
 login_password: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+ login_port: "{{ mongo_port }}"
 eval: "rs.status()"
 register: rs_status_result
 changed_when: false
@@ -29,6 +30,7 @@
 community.mongodb.mongodb_status:
 login_user: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary('admin', omit) }}"
 login_password: "{{ mongo_auth_enabled is defined and mongo_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+ login_port: "{{ mongo_port }}"
 replica_set: rs0
 register: mongodb_status_result
diff --git a/roles/mongodb_replication/tasks/main.yml b/roles/mongodb_replication/tasks/main.yml
index eacb57b..c38be64 100644
--- a/roles/mongodb_replication/tasks/main.yml
+++ b/roles/mongodb_replication/tasks/main.yml
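Review bot: `replica_set: rs0` stays hard-coded in the mongodb_status task right beside the new `login_port`, while the mongodb_replication hunk in this same patch creates the set as `"{{ mongo_replset_name }}"`; a deployment that overrides both the port and the set name now reaches the right port and then checks the wrong replica set. `replica_set: "{{ mongo_replset_name }}"` keeps the two roles consistent, assuming that variable is visible to mongodb_common the way the login variables already are.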
@@ -28,17 +28,24 @@
 tasks_from: restart-mongo.yml
 when: result1.changed or result2.changed
+- name: Set empty array of mongo servers
+ ansible.builtin.set_fact:
+ mongodb_servers: []
+
+# This task should always run, arbiter or not
 - name: Create the replicaset members list (no arbiter)
 ansible.builtin.set_fact:
- mongodb_servers: "{{ groups.mongodb }}"
+ mongodb_servers: "{{ mongodb_servers + [item + ':' + mongo_port | string] }}"
+ with_items: "{{ groups.mongodb }}"
 when:
 - inventory_hostname in groups.mongodb
 - groups.mongodb.index(inventory_hostname) == 0
- - not groups.mongodb_arbiter is defined
-- name: Create the replicaset members list (with arbiter)
+# This task will only run when there is an arbiter defined in the hosts file
+- name: Add the arbiter to the list of servers when there is one
 ansible.builtin.set_fact:
- mongodb_servers: "{{ groups.mongodb + groups.mongodb_arbiter }}"
+ mongodb_servers: "{{ mongodb_servers + [item + ':' + mongo_port | string] }}"
+ with_items: "{{ groups.mongodb_arbiter }}"
 when:
 - inventory_hostname in groups.mongodb
 - groups.mongodb.index(inventory_hostname) == 0
@@ -48,6 +55,7 @@
 community.mongodb.mongodb_replicaset:
 login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
 login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+ login_port: "{{ mongo_port }}"
 replica_set: "{{ mongo_replset_name }}"
 members: "{{ mongodb_servers }}"
 arbiter_at_index: "{{ (groups.mongodb_arbiter | default([]) | length > 0) | ternary(mongodb_servers | length - 1, omit) }}"
@@ -61,6 +69,7 @@
 community.mongodb.mongodb_status:
 login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
 login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+ login_port: "{{ mongo_port }}"
 login_database: admin
 poll: 3
 interval: 10
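Review bot: `with_items: "{{ groups.mongodb_arbiter }}"` on the new arbiter task is templated before its `when` conditions are evaluated, so on an inventory without a `mongodb_arbiter` group the loop fails with an undefined-attribute error instead of being skipped as the comment above it promises; write `with_items: "{{ groups.mongodb_arbiter | default([]) }}"`. The task's `when` list continues past the end of the hunk, and a `groups.mongodb_arbiter is defined` guard there does not help because loop expansion comes first. The `item + ':' + mongo_port | string` expression is correct as written since the filter binds only to `mongo_port`, but `(mongo_port | string)` reads less ambiguously.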
@@ -113,6 +122,7 @@
 mongo_cmd: auto
 login_user: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary('admin', omit) }}"
 login_password: "{{ mongodb_auth_enabled is defined and mongodb_auth_enabled | ternary(mongo_user_admin_password, omit) }}"
+ login_port: "{{ mongo_port }}"
 login_database: admin
 eval: db.adminCommand({"setDefaultRWConcern":1,"defaultWriteConcern":{"w":1}})
 when:
From 469b367c091a5b9790564020729d3854b7eaed56 Mon Sep 17 00:00:00 2001
From: Marcos Dias Date: Fri, 20 Sep 2024 18:53:27 -0300 Subject: [PATCH 2/2] Fixed redis installation when using custom variables (#66) * Create redis_varlib.te This file will add SELinux context to add log, data directories in a different place from the default * Update main.yml to support redis_data_dir, redis_log_dir, redis_pid_dir, different port Fix support to: * redis_data_dir, * redis_log_dir, * redis_pid_dir, * different port * Remove user,group and data,log directories creation. Remove user,group and data,log directories creation. Those items now are created in main.yml tasks * Fixed pid dir, and announce port Fixed pid dir, and announce port * Change the installation source from remi_repo to source Change the installation source from remi_repo to source * Added redis_port and sentinel_port variables Added redis_port and sentinel_port variables * Fixed the hardcoded redis ports to variable Fixed the hardcoded redis ports to variable * Fixed source install Fixed source install * Fixed conditions rules for execute directories creation Fixed conditions rules for execute directories creation * Optimize the code in announce items Optimize the code in announce items * Removed sentinel port, moved for common vars Removed sentinel port, moved for common vars * Fixed the hardcoded redis port to a variable Fixed the hardcoded redis port to a variable * Fixed hardcoded ports to variable Fixed hardcoded ports to variable * Fix sentinel variable name Fix sentinel variable name * Fixed trailing spaces Fixed trailing spaces --- roles/common_vars/defaults/main/redis.yml | 6 +++ roles/platform/templates/profile.j2 | 4 +- roles/redis/defaults/main.yml | 5 +-- roles/redis/files/redis_varlib.te | 22 +++++++++ roles/redis/tasks/main.yml | 45 +++++++++++++++++++ roles/redis/tasks/redis-using-source.yml | 34 -------------- roles/redis/templates/redis.conf.j2 | 5 ++- roles/redis_replication/defaults/main.yml | 3 -- roles/redis_replication/tasks/main.yml | 4 +- 
.../templates/sentinel.conf.j2 | 2 +- 10 files changed, 82 insertions(+), 48 deletions(-) create mode 100644 roles/redis/files/redis_varlib.te diff --git a/roles/common_vars/defaults/main/redis.yml b/roles/common_vars/defaults/main/redis.yml index 88a0d6d..ff1f9ca 100644 --- a/roles/common_vars/defaults/main/redis.yml +++ b/roles/common_vars/defaults/main/redis.yml @@ -15,3 +15,9 @@ redis_user_itential_password: itential redis_user_repluser_password: repluser redis_user_sentineladmin_password: admin redis_user_sentineluser_password: sentineluser + +# Default redis port +redis_port: 6379 + +# The default redis sentinel listen port +redis_sentinel_port: 26379 diff --git a/roles/platform/templates/profile.j2 b/roles/platform/templates/profile.j2 index 64b41d1..8d28d71 100644 --- a/roles/platform/templates/profile.j2 +++ b/roles/platform/templates/profile.j2 @@ -55,7 +55,7 @@ {% set redis_host = None %} {% set sentinels = [] %} {% for sentinel in groups[vars.redis_group_name] %} - {% set sentinel = dict(host = hostvars[ sentinel ].inventory_hostname, port = 26379) %} + {% set sentinel = dict(host = hostvars[ sentinel ].inventory_hostname, port = redis_sentinel_port) %} {{ sentinels.append(sentinel) }} {% endfor %} {% endif %} @@ -223,7 +223,7 @@ "maxRetriesPerRequest" : 20, "name" : "mymaster", "password" : {{ redis_password | to_json }}, - "port" : 6379, + "port" : {{ redis_port }}, {% if redis_replication | bool %} "sentinels" : {{ sentinels | to_json }}, "sentinelPassword" : {{ sentinel_password | to_json }}, diff --git a/roles/redis/defaults/main.yml b/roles/redis/defaults/main.yml index 87c6063..521245b 100644 --- a/roles/redis/defaults/main.yml +++ b/roles/redis/defaults/main.yml @@ -18,9 +18,6 @@ redis_data_dir: /var/lib/redis # The location of the Redis data directory redis_pid_dir: /var/run -# Default redis port -redis_port: 6379 - # Redis user and group redis_owner: redis redis_group: redis 
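Review bot: `port = redis_sentinel_port` in the sentinel dict and `"port" : {{ redis_port }},` in the second profile.j2 hunk both inject the variable into JSON the platform reads (`sentinels | to_json` and the literal object), so a value overridden from inventory or `-e`, which arrives as a string, serialises as `"26379"` in the sentinel list and appears as an unquoted `"port" : 6379` token only by accident of rendering. Coercing at the point of use, `port = redis_sentinel_port | int` and `"port" : {{ redis_port | int }},`, guarantees JSON numbers and fails loudly on a non-numeric value. Whether the consumer tolerates string ports is outside this diff.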
@@ -52,7 +49,7 @@ packages_path: "{{ itential_packages_path }}/{{ iap_release }}/redis" # Redis install method - string. # The valid values are 'remi_repo' (default) or 'source'. -redis_install_method: remi_repo +redis_install_method: source # The EPEL repo is only required when the redis_install_method is set to 'remi_repo' epel_repo_url: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" diff --git a/roles/redis/files/redis_varlib.te b/roles/redis/files/redis_varlib.te new file mode 100644 index 0000000..0b61a50 --- /dev/null +++ b/roles/redis/files/redis_varlib.te @@ -0,0 +1,22 @@ + +module redis_varlib 1.0; + +require { + type redis_t; + type default_t; + type unreserved_port_t; + type var_lib_t; + type var_log_t; + class dir { add_name create read remove_name write }; + class file { append create getattr open read rename unlink write }; + class tcp_socket name_bind; +} + +#============= redis_t ============== + +allow redis_t default_t:dir { add_name create read remove_name write }; +allow redis_t default_t:file { append create getattr open read rename unlink write }; +allow redis_t unreserved_port_t:tcp_socket name_bind; +allow redis_t var_lib_t:dir { add_name write }; +allow redis_t var_lib_t:file { getattr read }; +allow redis_t var_log_t:file open; diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml index 013eeca..dcd3546 100644 --- a/roles/redis/tasks/main.yml +++ b/roles/redis/tasks/main.yml @@ -18,6 +18,14 @@ name: os tags: install_base_os_packages +# Kernel Adjust +# Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. +# Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328 +- name: Adjust Memory Overcommit + ansible.posix.sysctl: + name: vm.overcommit_memory + value: 1 + - name: Configure SELinux tags: configure_selinux block: 
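Review bot: The comment two lines above the change still reads `# The valid values are 'remi_repo' (default) or 'source'.` although the default is now `source`; update it to `# The valid values are 'source' (default) or 'remi_repo'.` Flipping the default also silently moves every existing caller that never set `redis_install_method` from packaged to source-built Redis, which changes how it gets patched; the README is not in this diff, so worth confirming it documents the new default.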
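Review bot: `allow redis_t unreserved_port_t:tcp_socket name_bind;` lets redis bind any unreserved TCP port, and the two `allow redis_t default_t:...` rules let it create, rename and delete files in every directory that carries the fallback `default_t` label, which is far broader than the custom data, log and pid directories this module is meant to enable and leaves those directories unlabelled for every other confined domain. The targeted fix, and the one the first patch in this series already uses for MongoDB, is to label the configured values: `community.general.seport` with `setype: redis_port_t` for `redis_port` and `redis_sentinel_port`, and `community.general.sefcontext` plus a `restorecon` mapping `redis_data_dir`, `redis_log_dir` and `redis_pid_dir` to `redis_var_lib_t`, `redis_log_t` and `redis_var_run_t`. No task in the diffstat loads this module, so presumably the selinux role compiles everything under files/; a header comment in the .te stating which paths and ports it exists for would help whoever audits it later.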
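Review bot: The explanatory comment on the new sysctl task has a doubled word, `# Being disabled, it can can also cause failures without low memory condition, ...`; drop one `can`. The task also carries no `tags:` while its neighbours do (`install_base_os_packages`, `configure_selinux`, `install_redis`), so a tag-filtered run such as `--tags install_redis` skips it although the installed server depends on it; giving it the same tag as the install block keeps them together.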
@@ -25,6 +33,43 @@
 ansible.builtin.include_role:
 name: selinux
+- name: Create Redis group
+ ansible.builtin.group:
+ name: "{{ redis_group }}"
+
+- name: Create Redis user
+ ansible.builtin.user:
+ name: "{{ redis_owner }}"
+ group: "{{ redis_group }}"
+ state: present
+
+- name: Create Redis data directory
+ ansible.builtin.file:
+ state: directory
+ path: "{{ redis_data_dir }}"
+ owner: "{{ redis_owner }}"
+ group: "{{ redis_group }}"
+ mode: "0755"
+ when: redis_data_dir != "/var/lib/redis" or redis_install_method == "source"
+
+- name: Create Redis log directory
+ ansible.builtin.file:
+ state: directory
+ path: "{{ redis_log_dir }}"
+ owner: "{{ redis_owner }}"
+ group: "{{ redis_group }}"
+ mode: "0755"
+ when: redis_log_dir != "/var/log/redis" or redis_install_method == "source"
+
+- name: Create Redis pid directory
+ ansible.builtin.file:
+ state: directory
+ path: "{{ redis_pid_dir }}"
+ owner: "{{ redis_owner }}"
+ group: "{{ redis_group }}"
+ mode: "0755"
+ when: redis_pid_dir != "/var/run" or redis_install_method == "source"
+
 - name: Install Redis
 tags: install_redis
 block:
diff --git a/roles/redis/tasks/redis-using-source.yml b/roles/redis/tasks/redis-using-source.yml
index 00c2067..104a05b 100644
--- a/roles/redis/tasks/redis-using-source.yml
+++ b/roles/redis/tasks/redis-using-source.yml
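Review bot: `Create Redis pid directory` applies `owner: "{{ redis_owner }}"`, `group:` and `mode: "0755"` to `redis_pid_dir`, whose default is `/var/run` in the redis defaults hunk above, and its `when` is now true out of the box because this same patch defaults `redis_install_method` to `source` — so a stock run chowns the shared runtime directory (`/run` on hosts where `/var/run` is a symlink, which the file module follows) to the unprivileged redis account, giving it write access to every other service's pid files and sockets. Drop the install-method clause for this one task, `when: redis_pid_dir != "/var/run"`, or better, default the variable to a redis-owned subdirectory (for example `/var/run/redis`) so the ownership change is confined to it. The data and log tasks are fine because `/var/lib/redis` and `/var/log/redis` are Redis-specific paths.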
@@ -96,37 +96,3 @@ owner: root group: root mode: "0644" - -- name: Create Redis group - ansible.builtin.group: - name: "{{ redis_group }}" - -- name: Create Redis user - ansible.builtin.user: - name: "{{ redis_owner }}" - group: "{{ redis_group }}" - state: present - -- name: Create Redis data directory - ansible.builtin.file: - name: "{{ redis_data_dir }}" - state: directory - owner: "{{ redis_owner }}" - group: "{{ redis_group }}" - mode: "0755" - -- name: Create Redis log directory - ansible.builtin.file: - name: "{{ redis_log_dir }}" - state: directory - owner: "{{ redis_owner }}" - group: "{{ redis_group }}" - mode: "0755" - -- name: Create Redis pid directory - ansible.builtin.file: - name: "{{ redis_pid_dir }}" - state: directory - owner: "{{ redis_owner }}" - group: "{{ redis_group }}" - mode: "0755" diff --git a/roles/redis/templates/redis.conf.j2 b/roles/redis/templates/redis.conf.j2 index 8c15b33..4cfaa09 100644 --- a/roles/redis/templates/redis.conf.j2 +++ b/roles/redis/templates/redis.conf.j2 @@ -300,7 +300,7 @@ daemonize no # # Note that on modern Linux systems "/run/redis.pid" is more conforming # and should be used instead. -pidfile /var/run/redis_6379.pid +pidfile {{ redis_pid_dir }}/redis_{{ redis_port }}.pid # Specify the server verbosity level. # This can be one of: @@ -746,9 +746,10 @@ min-replicas-to-write 1 # {% if redis_replication | bool %} replica-announce-ip {{ inventory_hostname }} +replica-announce-port {{ redis_port }} {% endif %} # replica-announce-ip 5.5.5.5 -# replica-announce-port 1234 +#replica-announce-port 1234 ############################### KEYS TRACKING ################################# diff --git a/roles/redis_replication/defaults/main.yml b/roles/redis_replication/defaults/main.yml index 9ae2f3a..fca62b2 100644 --- a/roles/redis_replication/defaults/main.yml +++ b/roles/redis_replication/defaults/main.yml 
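Review bot: `pidfile {{ redis_pid_dir }}/redis_{{ redis_port }}.pid` now follows the variables, but the systemd unit (`PIDFile=`) and any task that waits on the pid file are not part of this diff; if they still reference the old `/var/run/redis_6379.pid` the daemon writes one path while the supervisor watches another. Worth grepping the role for the old literal before merging, and a comment on the template line naming the unit it must stay in sync with would prevent the next drift.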
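Review bot: The last change in the hunk turns the commented example `# replica-announce-port 1234` into `#replica-announce-port 1234`, removing only a space inside a comment; it looks accidental unless a lineinfile regexp elsewhere anchors on `# replica-announce-port` and must stop matching now that a real `replica-announce-port {{ redis_port }}` line exists a few lines above. If that is the reason, a one-line comment next to it saying so belongs in the template; otherwise restore the original text so the diff stays limited to the intended change.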
@@ -6,6 +6,3 @@ redis_sentinel_conf_file: "{{ redis_conf_path }}/sentinel.conf" # The location of the Redis Sentinel log file redis_sentinel_log: "{{ redis_log_dir }}/sentinel.log" - -# The default redis sentinel listen port -redis_sentinel_port: 26379 diff --git a/roles/redis_replication/tasks/main.yml b/roles/redis_replication/tasks/main.yml index dddf5a5..72e8121 100644 --- a/roles/redis_replication/tasks/main.yml +++ b/roles/redis_replication/tasks/main.yml @@ -41,7 +41,7 @@ ansible.builtin.lineinfile: path: "{{ redis_conf_file }}" regexp: "# replicaof " - line: "replicaof {{ hostvars[groups['redis'][0]].inventory_hostname }} 6379" + line: "replicaof {{ hostvars[groups['redis'][0]].inventory_hostname }} {{ redis_port }}" when: - groups['redis'] is defined - inventory_hostname in groups['redis'] @@ -51,7 +51,7 @@ ansible.builtin.lineinfile: path: "{{ redis_conf_file }}" regexp: "# replicaof " - line: "replicaof {{ hostvars[groups['redis_secondary'][0]].inventory_hostname }} 6379" + line: "replicaof {{ hostvars[groups['redis_secondary'][0]].inventory_hostname }} {{ redis_port }}" when: - groups['redis_secondary'] is defined - inventory_hostname in groups['redis_secondary'] diff --git a/roles/redis_replication/templates/sentinel.conf.j2 b/roles/redis_replication/templates/sentinel.conf.j2 index 5384dfb..76251c1 100644 --- a/roles/redis_replication/templates/sentinel.conf.j2 +++ b/roles/redis_replication/templates/sentinel.conf.j2 @@ -81,7 +81,7 @@ dir /tmp # # Note: master name should not include special characters or spaces. # The valid charset is A-z 0-9 and the three characters ".-_". -sentinel monitor mymaster {{ master_name }} 6379 2 +sentinel monitor mymaster {{ master_name }} {{ redis_port }} 2 {% if redis_auth %} sentinel auth-pass mymaster {{ redis_user_sentineluser_password }}
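Review bot: `line: "replicaof {{ ... }} {{ redis_port }}"` now varies with `redis_port`, but `regexp: "# replicaof "` only matches the commented sample from the stock redis.conf; on a rerun after the first replacement nothing matches, and a changed port makes lineinfile append a second `replicaof` directive instead of updating the first. Anchoring on both forms, `regexp: '^#? ?replicaof '`, keeps the task idempotent across port changes; the -51 hunk for redis_secondary has the same shape and needs the same regexp.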