authorMartin Schwenke <martin@meltin.net>2019-02-06 14:53:10 +1100
committerMartin Schwenke <martin@meltin.net>2019-03-25 16:52:25 +1100
commit51ff83de30db6934e243226ce05c6394b8986a12 (patch)
treef8dbbe3ceabc398a4596c968285a7245b3c70e01 /ansible/node/roles/common
parent7003df8ad2ec9eaa119439f21976e7117b1771e5 (diff)
Add Ansible playbook for node configuration
This will replace all of the existing node provisioning/configuration. CentOS 7 nodes are currently supported. Signed-off-by: Martin Schwenke <martin@meltin.net>
Diffstat (limited to 'ansible/node/roles/common')
-rw-r--r--ansible/node/roles/common/files/rsyslog.conf14
-rw-r--r--ansible/node/roles/common/files/ssh_config2
-rw-r--r--ansible/node/roles/common/handlers/main.yml12
-rw-r--r--ansible/node/roles/common/tasks/generic/autocluster.yml5
-rw-r--r--ansible/node/roles/common/tasks/generic/hosts.yml5
-rw-r--r--ansible/node/roles/common/tasks/generic/mount_home.yml12
-rw-r--r--ansible/node/roles/common/tasks/generic/resolv_conf.yml5
-rw-r--r--ansible/node/roles/common/tasks/generic/rsyslog.yml7
-rw-r--r--ansible/node/roles/common/tasks/generic/selinux.yml4
-rw-r--r--ansible/node/roles/common/tasks/generic/ssh.yml5
-rw-r--r--ansible/node/roles/common/tasks/generic/timezone.yml12
-rw-r--r--ansible/node/roles/common/tasks/main.yml25
-rw-r--r--ansible/node/roles/common/tasks/redhat/firewall.yml6
-rw-r--r--ansible/node/roles/common/tasks/redhat/ntp.yml18
-rw-r--r--ansible/node/roles/common/tasks/redhat/packages.yml53
-rw-r--r--ansible/node/roles/common/templates/chrony.conf.j241
-rw-r--r--ansible/node/roles/common/templates/hosts.j210
-rw-r--r--ansible/node/roles/common/templates/resolv.conf.j23
18 files changed, 239 insertions, 0 deletions
diff --git a/ansible/node/roles/common/files/rsyslog.conf b/ansible/node/roles/common/files/rsyslog.conf
new file mode 100644
index 0000000..6478b45
--- /dev/null
+++ b/ansible/node/roles/common/files/rsyslog.conf
@@ -0,0 +1,14 @@
+# Select a high precision time format. This allows accurate merging
+# of logs from multiple cluster nodes for easier CTDB debugging.
+$ActionFileDefaultTemplate RSYSLOG_FileFormat
+
+# Turn off rate-limiting. Why would we want to lose messages by
+# default?
+$SystemLogRateLimitInterval 0
+$SystemLogRateLimitBurst 0
+
+# Turn on UDP listener to be able to take advantage of CTDB's new
+# direct-to-syslog-on-UDP feature.
+$ModLoad imudp
+$UDPServerAddress 127.0.0.1
+$UDPServerRun 514
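Review bot: The two `$SystemLogRateLimit*` lines only govern the imuxsock system log socket, so they may not deliver what the comment above them promises. On a stock CentOS 7 rsyslog.conf, local messages normally arrive through imjournal, which has its own rate limit, and journald applies one as well; this should be confirmed on the target image. If unlimited logging is kept, the comment should also record the trade-off, for example `# NOTE: no rate limit, so a noisy daemon can fill /var/log; test clusters only`.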
diff --git a/ansible/node/roles/common/files/ssh_config b/ansible/node/roles/common/files/ssh_config
new file mode 100644
index 0000000..de7ff06
--- /dev/null
+++ b/ansible/node/roles/common/files/ssh_config
@@ -0,0 +1,2 @@
+StrictHostKeyChecking no
+IdentityFile ~/.ssh/id_autocluster
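Review bot: `StrictHostKeyChecking no` has no `Host` block around it, so it applies to every host root connects to from a node, not only to cluster peers, and any outbound SSH session from these nodes accepts an unverified host key. Scoping both lines limits the relaxation to the cluster, e.g. a `Host <cluster-node-pattern>` line placed above them, with the pattern taken from the cluster's naming scheme (not visible in this diff). A comment stating that nodes are rebuilt with fresh host keys, if that is the reason, would explain the setting to the next reader.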
diff --git a/ansible/node/roles/common/handlers/main.yml b/ansible/node/roles/common/handlers/main.yml
new file mode 100644
index 0000000..1b033cb
--- /dev/null
+++ b/ansible/node/roles/common/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+# Including handlers and conditional handlers seem broken :-(
+
+- name: restart NTP server redhat
+ service:
+ name: chronyd
+ state: restarted
+
+- name: restart rsyslog
+ service:
+ name: rsyslog
+ state: restarted
diff --git a/ansible/node/roles/common/tasks/generic/autocluster.yml b/ansible/node/roles/common/tasks/generic/autocluster.yml
new file mode 100644
index 0000000..753b225
--- /dev/null
+++ b/ansible/node/roles/common/tasks/generic/autocluster.yml
@@ -0,0 +1,5 @@
+---
+- name: create autocluster state directory
+ file:
+ path: /root/.autocluster
+ state: directory
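Review bot: The `file` task sets neither `owner` nor `mode`, so the permissions of /root/.autocluster depend on the umask in effect when the play runs; adding `owner: root` and `mode: "0700"` pins them. The same applies to the `copy` task in tasks/generic/ssh.yml, where /root/.ssh/config would take `mode: "0600"`. That task also appears to assume /root/.ssh already exists, since none of the tasks visible in this role create it.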
diff --git a/ansible/node/roles/common/tasks/generic/hosts.yml b/ansible/node/roles/common/tasks/generic/hosts.yml
new file mode 100644
index 0000000..6983826
--- /dev/null
+++ b/ansible/node/roles/common/tasks/generic/hosts.yml
@@ -0,0 +1,5 @@
+---
+- name: create /etc/hosts
+ template:
+ src: hosts.j2
+ dest: /etc/hosts
diff --git a/ansible/node/roles/common/tasks/generic/mount_home.yml b/ansible/node/roles/common/tasks/generic/mount_home.yml
new file mode 100644
index 0000000..8a49816
--- /dev/null
+++ b/ansible/node/roles/common/tasks/generic/mount_home.yml
@@ -0,0 +1,12 @@
+---
+- name: ensure that an fstab entry exists to NFS mount /home
+ lineinfile:
+ path: /etc/fstab
+ regexp: '^.*:/home /home nfs.*'
+ # Do not use locking, since this starts/needs rpc.statd, which is
+ # stopped/started by CTDB
+ line: '{{ virthost }}:/home /home nfs nfsvers=3,intr,nolock 0 0'
+
+- name: ensure that /home is mounted
+ shell: >
+ findmnt -n /home || mount /home
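Review bot: The fstab `line:` mounts the NFSv3 export of /home without `nosuid` or `nodev`, so setuid binaries and device nodes on the export are honoured on every node. Unless the tests need them, the options could read `nfsvers=3,intr,nolock,nosuid,nodev`. Separately, the `shell` task reports changed on every run; the `mount` module with `state: mounted` would cover both the fstab entry and the mount while staying idempotent.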
diff --git a/ansible/node/roles/common/tasks/generic/resolv_conf.yml b/ansible/node/roles/common/tasks/generic/resolv_conf.yml
new file mode 100644
index 0000000..b6704ee
--- /dev/null
+++ b/ansible/node/roles/common/tasks/generic/resolv_conf.yml
@@ -0,0 +1,5 @@
+---
+- name: configure resolver
+ template:
+ src: resolv.conf.j2
+ dest: /etc/resolv.conf
diff --git a/ansible/node/roles/common/tasks/generic/rsyslog.yml b/ansible/node/roles/common/tasks/generic/rsyslog.yml
new file mode 100644
index 0000000..88535af
--- /dev/null
+++ b/ansible/node/roles/common/tasks/generic/rsyslog.yml
@@ -0,0 +1,7 @@
+---
+- name: add autocluster-specific rsyslog configuration
+ copy:
+ src: rsyslog.conf
+ dest: /etc/rsyslog.d/autocluster.conf
+ notify:
+ - restart rsyslog
diff --git a/ansible/node/roles/common/tasks/generic/selinux.yml b/ansible/node/roles/common/tasks/generic/selinux.yml
new file mode 100644
index 0000000..b7e9c2f
--- /dev/null
+++ b/ansible/node/roles/common/tasks/generic/selinux.yml
@@ -0,0 +1,4 @@
+---
+- selinux:
+ policy: targeted
+ state: permissive
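Review bot: This task has no `name:` and no comment explaining why SELinux enforcement is relaxed, and tasks/redhat/firewall.yml stops and disables firewalld with the same lack of explanation. Both changes remove a host-level control on every node, so the reason, and the assumption that nodes sit on an isolated test network, should be recorded next to them. For example, `- name: set SELinux to permissive` preceded by `# <reason enforcement is relaxed for the cluster under test>`.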
diff --git a/ansible/node/roles/common/tasks/generic/ssh.yml b/ansible/node/roles/common/tasks/generic/ssh.yml
new file mode 100644
index 0000000..c3bff9f
--- /dev/null
+++ b/ansible/node/roles/common/tasks/generic/ssh.yml
@@ -0,0 +1,5 @@
+---
+- name: configure passwordless SSH
+ copy:
+ src: ssh_config
+ dest: /root/.ssh/config
diff --git a/ansible/node/roles/common/tasks/generic/timezone.yml b/ansible/node/roles/common/tasks/generic/timezone.yml
new file mode 100644
index 0000000..87b0ba4
--- /dev/null
+++ b/ansible/node/roles/common/tasks/generic/timezone.yml
@@ -0,0 +1,12 @@
+---
+- name: configure node timezone
+ timezone:
+ hwclock: UTC
+ name: "{{timezone}}"
+
+- name: hand hack timezone to avoid reboot
+ file:
+ src: /usr/share/zoneinfo/{{timezone}}
+ path: /etc/localtime
+ state: link
+ force: yes
diff --git a/ansible/node/roles/common/tasks/main.yml b/ansible/node/roles/common/tasks/main.yml
new file mode 100644
index 0000000..104d9f5
--- /dev/null
+++ b/ansible/node/roles/common/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- include_tasks: "{{ ansible_os_family | lower }}/{{ task }}.yml"
+ with_list:
+ - packages
+ - firewall
+ - ntp
+ loop_control:
+ loop_var: task
+
+- meta: flush_handlers
+
+- include_tasks: generic/{{ task }}.yml
+ with_list:
+ - selinux
+ - autocluster
+ - hosts
+ - resolv_conf
+ - ssh
+ - timezone
+ - rsyslog
+ - mount_home
+ loop_control:
+ loop_var: task
+
+- meta: flush_handlers
diff --git a/ansible/node/roles/common/tasks/redhat/firewall.yml b/ansible/node/roles/common/tasks/redhat/firewall.yml
new file mode 100644
index 0000000..bf5eeb4
--- /dev/null
+++ b/ansible/node/roles/common/tasks/redhat/firewall.yml
@@ -0,0 +1,6 @@
+---
+- name: disable firewall
+ service:
+ name: firewalld
+ enabled: no
+ state: stopped
diff --git a/ansible/node/roles/common/tasks/redhat/ntp.yml b/ansible/node/roles/common/tasks/redhat/ntp.yml
new file mode 100644
index 0000000..3495457
--- /dev/null
+++ b/ansible/node/roles/common/tasks/redhat/ntp.yml
@@ -0,0 +1,18 @@
+---
+- name: ensure NTP server is installed
+ package:
+ name: chrony
+ state: installed
+
+- name: ensure NTP server is configured
+ template:
+ src: chrony.conf.j2
+ dest: /etc/chrony.conf
+ notify:
+ - restart NTP server redhat
+
+- name: ensure NTP server is running and enabled
+ service:
+ name: chronyd
+ state: started
+ enabled: yes
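Review bot: `state: installed` in the first task is inconsistent with tasks/redhat/packages.yml, which uses `state: present` with the same `package` module; `state: present` is the documented value and is preferable here. The truthy `enabled: yes` could likewise be written `enabled: true`, which does not depend on YAML 1.1 boolean parsing.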
diff --git a/ansible/node/roles/common/tasks/redhat/packages.yml b/ansible/node/roles/common/tasks/redhat/packages.yml
new file mode 100644
index 0000000..b2430e5
--- /dev/null
+++ b/ansible/node/roles/common/tasks/redhat/packages.yml
@@ -0,0 +1,53 @@
+---
+- name: disable Network Manager on next boot
+ service:
+ name: NetworkManager
+ enabled: no
+ # Note that this only works because the interfaces of interest
+ # have been marked in Vagrant as: nm_controlled: "no" - otherwise
+ # NetworkManager would stop and take the interfaces down with it!
+ state: stopped
+
+- name: disable EPEL to speed things up
+ package:
+ name: epel-release
+ state: absent
+
+- name: find non-autocluster YUM repo files
+ find:
+ paths: /etc/yum.repos.d/
+ patterns: '(?!autocluster-)^.*\.repo$'
+ use_regex: yes
+ register: find_results
+ when: repositories_delete_existing
+
+- name: Remove non-autocluster repo files
+ file:
+ path: "{{ f['path'] }}"
+ state: absent
+ with_list: "{{ find_results['files'] }}"
+ loop_control:
+ loop_var: f
+ when: repositories_delete_existing
+
+- name: Add local distro repos
+ yum_repository:
+ name: "autocluster-{{ repo.name }}"
+ description: "{{ repo.name }}"
+ baseurl: "{{ repo.baseurl | default(repository_baseurl) }}/{{ repo.path }}"
+ gpgcheck: "{{ repo.gpgcheck | default('yes') }}"
+ proxy: _none_
+ when: repo.type == "distro"
+ with_list: "{{ repositories }}"
+ loop_control:
+ loop_var: repo
+
+- name: ensure optional dependencies for Ansible template handling
+ package:
+ name: libselinux-python
+ state: present
+
+- name: ensure NFS client tools are installed
+ package:
+ name: nfs-utils
+ state: present
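Review bot: In the "Add local distro repos" task, `gpgcheck` can be switched off per repository from inventory data and no `gpgkey` is set, so signature verification depends entirely on variables and on keys already present in the RPM database. Consider passing the key explicitly, e.g. `gpgkey: "{{ repo.gpgkey | default(omit) }}"` (with `repo.gpgkey` as a new optional field), and adding a comment that says when `gpgcheck: no` is acceptable. Also, the removal task loops over `find_results['files']`, which is absent when the find task was skipped. Using `with_list: "{{ find_results.files | default([]) }}"` avoids relying on how the Ansible version in use orders loop and `when` evaluation.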
diff --git a/ansible/node/roles/common/templates/chrony.conf.j2 b/ansible/node/roles/common/templates/chrony.conf.j2
new file mode 100644
index 0000000..2a4f259
--- /dev/null
+++ b/ansible/node/roles/common/templates/chrony.conf.j2
@@ -0,0 +1,41 @@
+server {{virthost}} iburst
+
+# Ignore stratum in source selection.
+stratumweight 0
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Enable kernel RTC synchronization.
+rtcsync
+
+# In first three updates step the system clock instead of slew
+# if the adjustment is larger than 10 seconds.
+makestep 10 3
+
+# Allow NTP client access from local network.
+#allow 192.168/16
+
+# Listen for commands only on localhost.
+bindcmdaddress 127.0.0.1
+bindcmdaddress ::1
+
+# Serve time even if not synchronized to any NTP server.
+#local stratum 10
+
+keyfile /etc/chrony.keys
+
+# Specify the key used as password for chronyc.
+commandkey 1
+
+# Generate command key if missing.
+generatecommandkey
+
+# Disable logging of client accesses.
+noclientlog
+
+# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
+logchange 0.5
+
+logdir /var/log/chrony
+#log measurements statistics tracking
diff --git a/ansible/node/roles/common/templates/hosts.j2 b/ansible/node/roles/common/templates/hosts.j2
new file mode 100644
index 0000000..c575ea2
--- /dev/null
+++ b/ansible/node/roles/common/templates/hosts.j2
@@ -0,0 +1,10 @@
+# Generated by autocluster
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+
+{{ virthost }} kvmhost
+
+# autocluster {{ cluster }}
+{% for hostname, n in nodes | dictsort %}
+{{ n.ips[0] }} {{ hostname }}.{{ resolv_conf.domain | lower }} {{ hostname }}
+{% endfor %}
diff --git a/ansible/node/roles/common/templates/resolv.conf.j2 b/ansible/node/roles/common/templates/resolv.conf.j2
new file mode 100644
index 0000000..7ebaf95
--- /dev/null
+++ b/ansible/node/roles/common/templates/resolv.conf.j2
@@ -0,0 +1,3 @@
+domain {{resolv_conf.domain}}
+search {{resolv_conf.search}}
+nameserver {{resolv_conf.nameserver}}