diff --git a/defaults/main.yml b/defaults/main.yml index 782a59a1..ae219bbc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -79,7 +79,7 @@ galera_monitoring_max_connections: 10 # This can be replaced with other hostnames, cidr, ips, and ips + wildcards. # See https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html # -#galera_monitoring_allowed_source: "0.0.0.0/0" +# galera_monitoring_allowed_source: "0.0.0.0/0" # Additional users to add or remove galera_additional_users: [] @@ -143,15 +143,15 @@ galera_wsrep_cluster_address: >- galera_wsrep_node_incoming_address: "{{ galera_wsrep_address }}" ## Cap the maximum number of threads / workers when a user value is unspecified. galera_wsrep_slave_threads_max: 16 -galera_wsrep_slave_threads: "{{ [[ansible_facts['processor_vcpus']|default(2), 2] | max, galera_wsrep_slave_threads_max] | min }}" +galera_wsrep_slave_threads: "{{ [[ansible_facts['processor_vcpus'] | default(2), 2] | max, galera_wsrep_slave_threads_max] | min }}" galera_wsrep_retry_autocommit: 3 galera_wsrep_debug: NONE galera_wsrep_sst_method: mariabackup galera_wsrep_provider_options: - { option: "gcache.size", value: "{{ galera_gcache_size }}" } - - { option: "gmcast.listen_addr", value: "tcp://{{ galera_wsrep_node_incoming_address }}:{{ galera_wsrep_cluster_port }}" } + - { option: "gmcast.listen_addr", value: "tcp://{{ galera_wsrep_node_incoming_address }}:{{ galera_wsrep_cluster_port }}" } galera_wsrep_sst_auth_user: "{{ galera_root_user }}" -galera_wsrep_sst_auth_password: "{{ galera_root_password }}" +galera_wsrep_sst_auth_password: "{{ galera_root_password }}" # mariabackup parallel/sync threads galera_mariabackup_threads: 4 
@@ -227,7 +227,10 @@ galera_pki_install_ca: galera_pki_keys_path: "{{ galera_pki_dir ~ '/certs/private/' }}" galera_pki_certs_path: "{{ galera_pki_dir ~ '/certs/certs/' }}" galera_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('MariaDBIntermediate') }}" -galera_pki_intermediate_cert_path: "{{ galera_pki_dir ~ '/roots/' ~ galera_pki_intermediate_cert_name ~ '/certs/' ~ galera_pki_intermediate_cert_name ~ '.crt' }}" +galera_pki_intermediate_cert_path: >- + {{ + galera_pki_dir ~ '/roots/' ~ galera_pki_intermediate_cert_name ~ '/certs/' ~ galera_pki_intermediate_cert_name ~ '.crt' + }} galera_pki_regen_cert: '' galera_pki_certificates: - name: "galera_{{ ansible_facts['hostname'] }}" @@ -284,7 +287,7 @@ galera_pki_install_certificates: # Setting the following variable to 'yes' will disable the PrivateDevices galera_disable_privatedevices: "{{ _galera_disable_privatedevices }}" -#install and configure the galera client as well as the server +# install and configure the galera client as well as the server galera_install_client: false galera_client_package_install: "{{ galera_install_client }}" galera_client_package_state: "latest" 
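Review bot: The `>-` folded scalar for `galera_pki_intermediate_cert_path` does not actually fold its middle line, because that line is indented deeper than the `{{` line and YAML keeps the line breaks around more-indented lines; the raw value is therefore a three-line string with a two-space indent on the expression. That is harmless here only because the whole value is one Jinja expression, which accepts newlines inside `{{ }}`, but it is worth knowing before the same shape is copied onto a value that mixes literal text with expressions. The `galera_db_setup_python_interpreter` hunk at `@@ -296` of the same file uses the same layout. A one-line comment above the first such value, `# multi-line {{ }} is fine: Jinja ignores the newlines, keep the whole value inside one expression`, would stop the pattern being misapplied.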
@@ -296,13 +299,18 @@ galera_ssl_server: "{{ openstack_pki_setup_host | default('localhost') }}" ## Database info galera_db_setup_host: "{{ openstack_db_setup_host | default(galera_cluster_members[0] | default('localhost')) }}" -galera_db_setup_python_interpreter: "{{ openstack_db_setup_python_interpreter | default((galera_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable'])) }}" +galera_db_setup_python_interpreter: >- + {{ + openstack_db_setup_python_interpreter | default( + (galera_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']) + ) + }} # Configure backups of database # copies is the number of full backups to be kept, the corresponding # incremental backups will also be kept. Uses systemd timer instead of cron. galera_mariadb_backups_enabled: false -#galera_mariadb_backups_group_gid: +# galera_mariadb_backups_group_gid: galera_mariadb_backups_group_name: backups galera_mariadb_backups_path: "/var/backup/mariadb_backups" galera_mariadb_backups_full_copies: 2 @@ -314,7 +322,7 @@ galera_mariadb_backups_increment_on_calendar: - "*-*-* 12:00:00" - "*-*-* 18:00:00" galera_mariadb_backups_increment_randomized_delay_sec: 0 -#galera_mariadb_backups_user is the name of the mariadb database user +# galera_mariadb_backups_user is the name of the mariadb database user galera_mariadb_backups_user: galera_mariadb_backup galera_mariadb_backups_suffix: "{{ inventory_hostname }}" galera_mariadb_backups_cnf_file: "/etc/mysql/mariabackup.cnf" diff --git a/meta/main.yml b/meta/main.yml index 5dc84f6b..a2bafb76 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -18,19 +18,19 @@ galaxy_info: description: Installation galera server company: Rackspace license: Apache2 - min_ansible_version: 2.1 + min_ansible_version: "2.10" platforms: - name: Debian versions: - - buster + - bullseye - name: Ubuntu versions: - - bionic - focal + - jammy - name: EL versions: - - 8 - categories: + - "9" + galaxy_tags: - cloud - galera - mariadb diff --git a/tasks/galera_client_main.yml b/tasks/galera_client_main.yml index 6f8efdd8..77e612fe 100644 --- a/tasks/galera_client_main.yml +++ b/tasks/galera_client_main.yml @@ -17,11 +17,13 @@ set_fact: galera_packages_list: "{{ galera_client_distro_packages }}" -- include_tasks: "galera_install_{{ ansible_facts['pkg_mgr'] }}.yml" +- name: Including distro-specific installation tasks + include_tasks: "galera_install_{{ ansible_facts['pkg_mgr'] }}.yml" when: - galera_client_package_install | bool -- include_tasks: galera_client_post_install.yml +- name: Including galera_client_post_install + include_tasks: galera_client_post_install.yml - name: Create and install SSL certificates include_role: diff --git a/tasks/galera_devel_main.yml b/tasks/galera_devel_main.yml index 6a870441..ffdca204 100644 --- a/tasks/galera_devel_main.yml +++ b/tasks/galera_devel_main.yml @@ -17,4 +17,5 @@ set_fact: galera_packages_list: "{{ galera_devel_distro_packages }}" -- include_tasks: "galera_install_{{ ansible_facts['pkg_mgr'] }}.yml" +- name: Including distro-specific installation tasks + include_tasks: "galera_install_{{ ansible_facts['pkg_mgr'] }}.yml" diff --git a/tasks/galera_install_apt.yml b/tasks/galera_install_apt.yml index 9b21fd9e..27c3b7e5 100644 --- a/tasks/galera_install_apt.yml +++ b/tasks/galera_install_apt.yml 
@@ -23,10 +23,16 @@ src: "gpg/{{ item.id }}" dest: "{{ item.file }}" mode: '0644' - with_items: "{{ galera_gpg_keys | selectattr('file','defined') | list }}" + with_items: "{{ galera_gpg_keys | selectattr('file', 'defined') | list }}" - name: Install gpg keys - apt_key: "{{ key }}" + apt_key: + data: "{{ key['data'] | default(omit) }}" + file: "{{ key['file'] | default(omit) }}" + id: "{{ key['id'] | default(omit) }}" + state: "{{ key['state'] | default(omit) }}" + url: "{{ key['url'] | default(omit) }}" + validate_certs: "{{ key['validate_certs'] | default(omit) }}" with_items: "{{ galera_gpg_keys }}" loop_control: loop_var: key @@ -62,16 +68,6 @@ with_items: "{{ galera_debconf_items }}" no_log: yes -- name: Update Apt cache - apt: - update_cache: yes - when: - - add_galera_repo is changed - register: update_apt_cache - until: update_apt_cache is success - retries: 5 - delay: 2 - - name: Install galera role remote packages (apt) apt: name: "{{ galera_packages_list }}" diff --git a/tasks/galera_server_encryption.yml b/tasks/galera_server_encryption.yml index 7be1dd32..193a7394 100644 --- a/tasks/galera_server_encryption.yml +++ b/tasks/galera_server_encryption.yml @@ -29,7 +29,7 @@ config_type: "ini" notify: Restart all mysql -- name: use encryption with the file key management plugin +- name: Use encryption with the file key management plugin block: - name: Create encryption directory file: @@ -50,10 +50,11 @@ file: path: "{{ galera_db_encryption_tmp_dir }}" state: directory + mode: "0750" delegate_to: "localhost" run_once: true - - name: Create encryption keys if the user does not specify them and put them on the deploy host + - name: Create encryption keys if the user does not specify them and put them on the deploy host # noqa: no-changed-when risky-shell-pipe shell: "for i in {1..2}; do echo \"$i;$(openssl rand -hex 32)\"; done | tee {{ galera_db_encryption_tmp_dir }}/mysql_encryption_keys > /dev/null" delegate_to: "localhost" run_once: true 
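Review bot: The explicit `apt_key` parameter list silently drops any attribute of a `galera_gpg_keys` entry that is not one of the six listed, whereas the old `apt_key: "{{ key }}"` passed the whole mapping through; `apt_key` also accepts `keyring` and `keyserver`, so an entry relying on either would now have its key installed in the wrong place or not at all, without an error. Adding `keyring: "{{ key['keyring'] | default(omit) }}"` and `keyserver: "{{ key['keyserver'] | default(omit) }}"` restores parity. Since `validate_certs` now comes straight from data, a comment on that line, `# a false here disables TLS verification of the key download from url`, would flag the consequence for whoever edits the key list. The `apt-key` tool is deprecated on the bullseye/jammy platforms that meta/main.yml gains in this series, so a move to per-repository `signed-by` keyrings is presumably the longer-term fix.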
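Review bot: Removing the `Update Apt cache` task leaves no visible refresh after `add_galera_repo` changes, so on a host where the MariaDB repository was just added, the following `Install galera role remote packages (apt)` task would resolve against the stale index unless it sets `update_cache: true` or the repository task refreshes the cache itself; neither is visible in this hunk, and the install task continues past it. If the refresh now happens in the repository task, a comment above the install task, `# apt cache is refreshed by the repository task above`, makes the dependency explicit. Otherwise `update_cache: true` plus the `until`/`retries`/`delay` loop the removed task had belong on the install task.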
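Review bot: `mode: "0750"` on `galera_db_encryption_tmp_dir` leaves the directory readable by the deploy user's group, and the `mysql_encryption_keys` file written by `tee` in the next task gets no explicit mode at all, so the plaintext MariaDB encryption keys on the deploy host are protected only by the umask of whoever runs the playbook. Nothing but this play needs the directory, so `mode: "0700"` is the safer default, and the generation step should either run under a restrictive umask, `shell: "umask 077; for i in {1..2}; ..."`, or be followed by a `file` task setting `mode: "0600"` on the keys file. The `block:` containing these tasks starts in the earlier `@@ -29` hunk of this file.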
@@ -61,14 +62,26 @@ - galera_db_encryption_keys is not defined - name: Create the encryption key file from the user provided galera_db_encryption_keys - shell: "echo '{{ galera_db_encryption_keys }}' > {{ galera_db_encryption_tmp_dir }}/mysql_encryption_keys" + shell: "echo '{{ galera_db_encryption_keys }}' > {{ galera_db_encryption_tmp_dir }}/mysql_encryption_keys" # noqa: no-changed-when delegate_to: "localhost" run_once: true when: - galera_db_encryption_keys is defined - name: Create an encrypted keyfile using encryption key - command: "openssl enc -aes-256-cbc -md sha1 -k {{ galera_db_encryption_password }} -in {{ galera_db_encryption_tmp_dir }}/mysql_encryption_keys -out {{ galera_db_encryption_tmp_dir }}/mysql_encryption_keyfile.enc" + command: # noqa: no-changed-when + argv: + - openssl + - enc + - -aes-256-cbc + - -md + - sha1 + - -k + - "{{ galera_db_encryption_password }}" + - -in + - "{{ galera_db_encryption_tmp_dir }}/mysql_encryption_keys" + - -out + - "{{ galera_db_encryption_tmp_dir }}/mysql_encryption_keyfile.enc" delegate_to: "localhost" run_once: true @@ -78,7 +91,7 @@ dest: "/etc/mysql/encryption/keyfile.enc" owner: mysql group: mysql - mode: 0600 + mode: "0600" force: false # only copy the file if it does not exist notify: Restart all mysql @@ -88,7 +101,6 @@ dest: "/etc/mysql/encryption/.keyfile.key" owner: mysql group: mysql - mode: 0600 + mode: "0600" when: - galera_mariadb_encryption_plugin == "file_key_management" - diff --git a/tasks/galera_server_install.yml b/tasks/galera_server_install.yml index 8abd199b..b9444f5a 100644 --- a/tasks/galera_server_install.yml +++ b/tasks/galera_server_install.yml 
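Review bot: In the `Create an encrypted keyfile` task, `galera_db_encryption_password` is still handed to openssl as the `-k` argument, so it is visible in the deploy host's process list while the command runs and, because the task has no `no_log: true`, is printed in verbose Ansible output; splitting the command into `argv` does not change that. openssl reads the same password from the environment via `-pass env:NAME`, which takes the secret off the command line without changing the key derivation — `-md sha1` with no `-pbkdf2` should stay as it is, since the resulting `keyfile.enc` copied later in this hunk is consumed by MariaDB's file_key_management plugin, which presumably expects exactly that derivation. The preceding `echo '{{ galera_db_encryption_keys }}' > …` task has the same exposure and additionally breaks on a key value containing a single quote; a `copy` task with `content: "{{ galera_db_encryption_keys }}"`, `mode: "0600"` and `no_log: true` avoids both. Both tasks sit inside the `block:` that begins in the earlier `@@ -29` hunk.

```yaml
- name: Create an encrypted keyfile using encryption key
  command: # noqa: no-changed-when
    argv:
      # … unchanged: openssl enc -aes-256-cbc -md sha1 …
      - -pass
      - env:GALERA_DB_ENCRYPTION_PASSWORD
      # … unchanged: -in / -out arguments …
  environment:
    GALERA_DB_ENCRYPTION_PASSWORD: "{{ galera_db_encryption_password }}"
  no_log: true
  # … unchanged: delegate_to / run_once …
```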
@@ -17,9 +17,11 @@ set_fact: galera_packages_list: "{{ galera_server_required_distro_packages + galera_server_mariadb_distro_packages }}" -- include_tasks: "galera_install_{{ ansible_facts['pkg_mgr'] }}.yml" +- name: Including distro-specific installation tasks + include_tasks: "galera_install_{{ ansible_facts['pkg_mgr'] }}.yml" -- include_tasks: galera_server_encryption.yml +- name: Including galera_server_encryption + include_tasks: galera_server_encryption.yml when: - galera_mariadb_encryption_enabled | bool tags: @@ -31,6 +33,7 @@ section: galera option: deployed value: true + mode: "0644" - name: Set the galera existing cluster fact set_fact: diff --git a/tasks/galera_server_main.yml b/tasks/galera_server_main.yml index 4aec775c..8f9a70dc 100644 --- a/tasks/galera_server_main.yml +++ b/tasks/galera_server_main.yml @@ -29,12 +29,13 @@ tags: - always -- name: initialize local facts +- name: Initialize local facts ini_file: dest: "/etc/ansible/facts.d/openstack_ansible.fact" section: "galera" option: initialized value: true + mode: "0644" - name: Refresh local facts setup: @@ -63,14 +64,16 @@ tags: - always -- include_tasks: galera_server_cluster_state.yml +- name: Including galera_server_cluster_state + include_tasks: galera_server_cluster_state.yml when: - galera_deployed | bool - not galera_ignore_cluster_state | bool tags: - always -- include_tasks: galera_server_upgrade.yml +- name: Including galera_server_upgrade + include_tasks: galera_server_upgrade.yml when: galera_deployed | bool args: apply: @@ -79,7 +82,8 @@ tags: - always -- include_tasks: galera_server_install.yml +- name: Including galera_server_install + include_tasks: galera_server_install.yml args: apply: tags: @@ -87,7 +91,8 @@ tags: - always -- include_tasks: galera_server_post_install.yml +- name: Including galera_server_post_install + include_tasks: galera_server_post_install.yml args: apply: tags: 
@@ -98,7 +103,8 @@ - name: Flush handlers meta: flush_handlers -- include_tasks: galera_server_setup.yml +- name: Including galera_server_setup + include_tasks: galera_server_setup.yml when: inventory_hostname == galera_server_bootstrap_node args: apply: @@ -107,7 +113,8 @@ tags: - always -- include_tasks: galera_server_backups.yml +- name: Including galera_server_backups + include_tasks: galera_server_backups.yml when: - galera_mariadb_backups_enabled | bool - inventory_hostname in galera_mariadb_backups_nodes diff --git a/tasks/galera_server_post_install.yml b/tasks/galera_server_post_install.yml index 34b700f5..6fb3cd71 100644 --- a/tasks/galera_server_post_install.yml +++ b/tasks/galera_server_post_install.yml @@ -90,10 +90,10 @@ file: path: "{{ item.path }}" state: "directory" - owner: "{{ item.owner|default('root') }}" - group: "{{ item.group|default('root') }}" - mode: "{{ item.mode|default('0755') }}" - recurse: "{{ item.recurse|default('false') }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('0755') }}" + recurse: "{{ item.recurse | default('false') }}" with_items: - { path: "{{ galera_data_dir }}", owner: "mysql", mode: "02755" } - { path: "{{ galera_tmp_dir }}", owner: "mysql", mode: "02755" } @@ -175,7 +175,7 @@ state: "link" force: "yes" -- name: remove default mysql_safe_syslog +- name: Remove default mysql_safe_syslog file: path: "/etc/mysql/conf.d/mysqld_safe_syslog.cnf" state: absent diff --git a/tasks/galera_server_upgrade.yml b/tasks/galera_server_upgrade.yml index 6e5b560a..ace546ec 100644 --- a/tasks/galera_server_upgrade.yml +++ b/tasks/galera_server_upgrade.yml @@ -37,7 +37,8 @@ tags: - galera_server-upgrade -- include_tasks: galera_server_upgrade_pre.yml +- name: Including galera_server_upgrade_pre + include_tasks: galera_server_upgrade_pre.yml when: - galera_upgrade | bool args: 
diff --git a/tasks/galera_server_upgrade_pre.yml b/tasks/galera_server_upgrade_pre.yml index b09ed04e..1060fa49 100644 --- a/tasks/galera_server_upgrade_pre.yml +++ b/tasks/galera_server_upgrade_pre.yml @@ -17,8 +17,8 @@ # a service may not yet exist on the target host. This will # cause the service stop task to fail. To cater for this # we only try to stop the service is it exists. -- name: Check whether a mysql service exists yet - shell: systemctl list-unit-files --state=enabled --type=service | grep "^{{ galera_mariadb_service_name }}.service .* enabled$" # noqa command-instead-of-module risky-shell-pipe +- name: Check whether a mysql service exists yet # noqa command-instead-of-module risky-shell-pipe + shell: systemctl list-unit-files --state=enabled --type=service | grep "^{{ galera_mariadb_service_name }}.service .* enabled$" args: executable: /bin/bash changed_when: false @@ -42,4 +42,3 @@ state: absent with_items: - "{{ galera_server_upgrade_packages_remove }}" - diff --git a/tasks/main.yml b/tasks/main.yml index 89291cad..c99c2ef1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -28,7 +28,8 @@ tags: - always -- include_tasks: galera_client_main.yml +- name: Including galera_client_main + include_tasks: galera_client_main.yml when: - galera_install_client | bool - inventory_hostname not in galera_cluster_members or galera_root_user != 'root' @@ -39,7 +40,8 @@ tags: - always -- include_tasks: galera_devel_main.yml +- name: Including galera_devel_main + include_tasks: galera_devel_main.yml when: - galera_install_devel | bool args: @@ -49,7 +51,8 @@ tags: - always -- include_tasks: galera_server_main.yml +- name: Including galera_server_main + include_tasks: galera_server_main.yml when: - galera_install_server | bool args: diff --git a/vars/debian.yml b/vars/debian.yml index 75cc5891..5443586f 100644 --- a/vars/debian.yml +++ b/vars/debian.yml 
@@ -73,7 +73,9 @@ galera_debconf_items: vtype: "string" # Repositories -_galera_repo_url: "http://{{ galera_repo_host }}/MariaDB/mariadb-{{ galera_major_version }}.{{ galera_minor_version }}/repo/{{ ansible_facts['distribution'] | lower }}" +_galera_repo_url: >- + http://{{ galera_repo_host }}/MariaDB/mariadb-{{ galera_major_version }}.{{ galera_minor_version }}/repo/{{ ansible_facts['distribution'] | lower }} + _galera_repo: repo: "deb {{ galera_repo_url }} {{ ansible_facts['distribution_release'] }} main" state: "present"
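Review bot: The rewritten `_galera_repo_url` still hard-codes plain `http://`, so the authenticity of the MariaDB packages rests entirely on apt's signature check against the keys installed in tasks/galera_install_apt.yml, and the index metadata and the host's package selection travel in clear. This is pre-existing rather than introduced here, and `galera_repo_host` may well be an internal mirror, so rather than forcing `https://` the scheme could become part of the configurable value, e.g. a new variable (suggested name) `galera_repo_scheme` defaulting to `http` and used as `{{ galera_repo_scheme }}://{{ galera_repo_host }}/...`. At minimum a comment above the variable, `# plain http: package integrity depends solely on the apt signature check`, records the assumption.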