author | Martin Schwenke <martin@meltin.net> | 2019-02-06 14:53:10 +1100 |
committer | Martin Schwenke <martin@meltin.net> | 2019-03-25 16:52:25 +1100 |
commit | 51ff83de30db6934e243226ce05c6394b8986a12 (patch) | |
tree | f8dbbe3ceabc398a4596c968285a7245b3c70e01 /ansible/node/roles/nas | |
parent | 7003df8ad2ec9eaa119439f21976e7117b1771e5 (diff) | |
Add Ansible playbook for node configuration
This will replace all of the existing node provisioning/configuration.
CentOS 7 nodes are currently supported.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Diffstat (limited to 'ansible/node/roles/nas')
21 files changed, 388 insertions, 0 deletions
diff --git a/ansible/node/roles/nas/files/rpc-rquotad.sysconfig b/ansible/node/roles/nas/files/rpc-rquotad.sysconfig
new file mode 100644
index 0000000..93f7089
--- /dev/null
+++ b/ansible/node/roles/nas/files/rpc-rquotad.sysconfig
@@ -0,0 +1 @@
+RPCRQUOTADOPTS="-p 32768"
diff --git a/ansible/node/roles/nas/files/smb.conf b/ansible/node/roles/nas/files/smb.conf
new file mode 100644
index 0000000..5c8ead3
--- /dev/null
+++ b/ansible/node/roles/nas/files/smb.conf
@@ -0,0 +1,4 @@
+[global]
+ clustering=yes
+ ctdb:registry.tdb=yes
+ include=registry
diff --git a/ansible/node/roles/nas/tasks/generic/ctdb-once.yml b/ansible/node/roles/nas/tasks/generic/ctdb-once.yml
new file mode 100644
index 0000000..139bd32
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/ctdb-once.yml
@@ -0,0 +1,3 @@
+---
+- name: set security context for CTDB recovery lock directory
+  command: chcon -t ctdbd_var_t {{ clusterfs.mountpoint }}/.ctdb
diff --git a/ansible/node/roles/nas/tasks/generic/ctdb-start.yml b/ansible/node/roles/nas/tasks/generic/ctdb-start.yml
new file mode 100644
index 0000000..8bc9dbb
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/ctdb-start.yml
@@ -0,0 +1,12 @@
+---
+- name: start CTDB
+  service:
+    name: ctdb
+    state: started
+
+- name: wait until CTDB is healthy
+  command: ctdb nodestatus all
+  register: result
+  until: result.rc == 0
+  retries: 24
+  delay: 5
diff --git a/ansible/node/roles/nas/tasks/generic/ctdb-stop.yml b/ansible/node/roles/nas/tasks/generic/ctdb-stop.yml
new file mode 100644
index 0000000..ca624dc
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/ctdb-stop.yml
@@ -0,0 +1,5 @@
+---
+- name: stop CTDB
+  service:
+    name: ctdb
+    state: stopped
diff --git a/ansible/node/roles/nas/tasks/generic/ctdb-with-samba-nfs.yml b/ansible/node/roles/nas/tasks/generic/ctdb-with-samba-nfs.yml
new file mode 100644
index 0000000..dea44fa
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/ctdb-with-samba-nfs.yml
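Review bot: The `chcon -t ctdbd_var_t` in ctdb-once.yml applies a label that is not persistent: a relabel of the cluster filesystem resets it and CTDB then cannot take the recovery lock, and as a `command` task it also reports changed on every run. If the cluster filesystem supports SELinux labels, a `sefcontext` rule for `{{ clusterfs.mountpoint }}/.ctdb(/.*)?` followed by `restorecon` holds across relabels; otherwise at least leave a comment, `# chcon is not persistent: a relabel of the cluster filesystem drops this type and ctdbd loses access to the recovery lock directory`. The templated path is also unquoted, so a mountpoint containing whitespace would be split into separate arguments; `command: chcon -t ctdbd_var_t "{{ clusterfs.mountpoint }}/.ctdb"` avoids that.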
@@ -0,0 +1,41 @@
+---
+# Should be running already but this won't hurt
+- import_tasks: ctdb-start.yml
+
+- name: join active directory domain
+  shell: |
+    net ads testjoin || \
+    timeout 10 net ads join -U "administrator%{{ ad.admin_password }}"
+  register: result
+  until: result.rc == 0
+  retries: 5
+  delay: 1
+  run_once: true
+  when: auth_method == 'winbind'
+
+# FIXME: This will be useful to allow version checking to enable
+# services/event scripts in different ways
+
+# New in Ansible 2.5
+#- name: get package facts
+#  package_facts:
+#    manager: "auto"
+
+#- name: show them
+#  debug: var=ansible_facts.packages
+
+- import_tasks: ctdb-stop.yml
+
+- name: configure CTDB to manage smbd and NFS
+  command: ctdb event script enable legacy {{ s }}
+  with_list:
+    - 50.samba
+    - 60.nfs
+  loop_control:
+    loop_var: s
+
+- name: configure CTDB to manage winbindd
+  command: ctdb event script enable legacy 49.winbind
+  when: auth_method == 'winbind'
+
+- import_tasks: ctdb-start.yml
diff --git a/ansible/node/roles/nas/tasks/generic/ctdb.yml b/ansible/node/roles/nas/tasks/generic/ctdb.yml
new file mode 100644
index 0000000..5041db4
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/ctdb.yml
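Review bot: The `join active directory domain` task interpolates `ad.admin_password` into a `shell` script and onto the `net ads join` command line, so the secret ends up in Ansible's task output and in any log or callback that records it, and is visible to every local user in the process list while the command runs. Add `no_log: true` to the task (the `register`/`until` retry loop still works with it), and pass the credential through the `quote` filter so a password containing a double quote, `$` or a backtick neither breaks the join nor is interpreted by the shell: `timeout 10 net ads join -U {{ ('administrator%' ~ ad.admin_password) | quote }}`. The `until: result.rc == 0` loop retries the join up to five times with the same credential on any failure, including a wrong password, which can contribute to an AD lockout policy; a comment on the task, or limiting retries to the `testjoin` probe, would make that trade-off visible.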
@@ -0,0 +1,37 @@
+---
+- name: generate CTDB configuration file
+  template:
+    src: ctdb_conf.j2
+    dest: /etc/ctdb/ctdb.conf
+
+- name: generate CTDB public addresses file
+  template:
+    src: ctdb_public_addresses.j2
+    dest: /etc/ctdb/public_addresses
+
+- name: create directory for CTDB recovery lock
+  file:
+    path: "{{ clusterfs.mountpoint }}/.ctdb"
+    state: directory
+
+- import_tasks: ctdb-once.yml
+  run_once: true
+
+- name: ensure CTDB is enabled
+  service:
+    name: ctdb
+    enabled: yes
+
+# This stops things failing if the domain has not been joined or similar
+- name: ensure that CTDB is not managing smbd, winbind and NFS
+  command: ctdb event script disable legacy {{ s }}
+  with_list:
+    - 49.winbind
+    - 50.samba
+    - 60.nfs
+  loop_control:
+    loop_var: s
+
+# Restart just in case ctdbd was running but unhealthy
+- import_tasks: ctdb-stop.yml
+- import_tasks: ctdb-start.yml
diff --git a/ansible/node/roles/nas/tasks/generic/nfs.yml b/ansible/node/roles/nas/tasks/generic/nfs.yml
new file mode 100644
index 0000000..90c00bc
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/nfs.yml
@@ -0,0 +1,5 @@
+---
+- name: generate NFS exports file
+  template:
+    src: nfs_exports.j2
+    dest: /etc/exports
diff --git a/ansible/node/roles/nas/tasks/generic/samba-gpfs-once.yml b/ansible/node/roles/nas/tasks/generic/samba-gpfs-once.yml
new file mode 100644
index 0000000..101cd4b
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/samba-gpfs-once.yml
@@ -0,0 +1,16 @@
+---
+- name: Tweak Samba config for GPFS cluster filesystem
+  command: net conf setparm global "{{ p.param }}" "{{ p.value }}"
+  with_list:
+    - param: vfs objects
+      value: gpfs fileid
+    - param: fileid:mapping
+      value: fsname
+    - param: nfs4:chown
+      value: "yes"
+    - param: nfs4:acedup
+      value: merge
+    - param: force unknown acl user
+      value: "yes"
+  loop_control:
+    loop_var: p
diff --git a/ansible/node/roles/nas/tasks/generic/samba-once.yml b/ansible/node/roles/nas/tasks/generic/samba-once.yml
new file mode 100644
index 0000000..8a586e6
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/samba-once.yml
@@ -0,0 +1,12 @@
+---
+- name: generate initial Samba registry configuration
+  template:
+    src: samba_registry.j2
+    dest: /root/.autocluster/samba-registry.conf
+
+# Need to start at least ctdbd... maybe smbd?
+
+- name: initialise Samba registry configuration
+  command: net conf import /root/.autocluster/samba-registry.conf
+
+- import_tasks: samba-{{ clusterfs.type }}-once.yml
diff --git a/ansible/node/roles/nas/tasks/generic/samba.yml b/ansible/node/roles/nas/tasks/generic/samba.yml
new file mode 100644
index 0000000..c1e58b8
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/samba.yml
@@ -0,0 +1,10 @@
+---
+- name: add smb.conf
+  copy:
+    src: smb.conf
+    dest: /etc/samba/smb.conf
+
+# TODO: Enable 50.samba and 60.nfs event scripts
+
+- import_tasks: samba-once.yml
+  run_once: true
diff --git a/ansible/node/roles/nas/tasks/generic/shares.yml b/ansible/node/roles/nas/tasks/generic/shares.yml
new file mode 100644
index 0000000..db5d58e
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/generic/shares.yml
@@ -0,0 +1,9 @@
+---
+- name: create share directories
+  file:
+    path: "{{s.directory}}"
+    mode: "{{s.mode}}"
+    state: directory
+  with_list: "{{shares}}"
+  loop_control:
+    loop_var: s
diff --git a/ansible/node/roles/nas/tasks/main.yml b/ansible/node/roles/nas/tasks/main.yml
new file mode 100644
index 0000000..6d56084
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- include_tasks: "{{ ansible_os_family | lower }}/{{ task }}.yml"
+  with_list:
+    - samba
+    - nfs
+  loop_control:
+    loop_var: task
+
+- include_tasks: generic/{{ task }}.yml
+  with_list:
+    - shares
+    - ctdb
+    - samba
+    - nfs
+    - ctdb-with-samba-nfs
+  loop_control:
+    loop_var: task
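Review bot: The comment `# Need to start at least ctdbd... maybe smbd?` in samba-once.yml is stale in this same commit: main.yml orders `generic/ctdb` (which ends with ctdb-start.yml) before `generic/samba`, so ctdbd is already up and healthy when `net conf import` runs, and with `clustering=yes` / `ctdb:registry.tdb=yes` in smb.conf that is the process the registry write goes through; replace it with `# ctdbd is running here (main.yml runs generic/ctdb first); smbd is not needed for net conf import`. The `# TODO: Enable 50.samba and 60.nfs event scripts` in samba.yml is likewise already done by ctdb-with-samba-nfs.yml and should be dropped or turned into a pointer to that file. `net conf import` is also not idempotent and will report changed on every run; if that is accepted for a test cluster a one-line comment saying so saves the next reader from adding a `changed_when` guess.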
diff --git a/ansible/node/roles/nas/tasks/redhat/nfs.yml b/ansible/node/roles/nas/tasks/redhat/nfs.yml
new file mode 100644
index 0000000..4dc1d7c
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/redhat/nfs.yml
@@ -0,0 +1,31 @@
+---
+- name: install NFS packages
+  package:
+    name: nfs-utils
+    state: present
+
+- name: ensure NFS does not autostart
+  service:
+    name: "{{ s }}"
+    enabled: no
+  with_list:
+    - nfs
+    - nfslock
+  loop_control:
+    loop_var: s
+
+- name: generate NFS configuration
+  template:
+    src: nfs_sysconfig.j2
+    dest: /etc/sysconfig/nfs
+
+- name: check if /etc/sysconfig/rpc-rquotad exists
+  stat:
+    path: /etc/sysconfig/rpc-rquotad
+  register: sysconfig_rpc_rquotad
+
+- name: generate quota configuration file
+  file:
+    src: rpc-rquotad.sysconfig
+    path: /etc/sysconfig/rpc-rquotad
+  when: sysconfig_rpc_rquotad.stat.exists
diff --git a/ansible/node/roles/nas/tasks/redhat/samba.yml b/ansible/node/roles/nas/tasks/redhat/samba.yml
new file mode 100644
index 0000000..ebcd7fb
--- /dev/null
+++ b/ansible/node/roles/nas/tasks/redhat/samba.yml
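Review bot: The `generate quota configuration file` task uses the `file` module with `src:` and `path:` but no `state: link`, so it never installs `files/rpc-rquotad.sysconfig` at `/etc/sysconfig/rpc-rquotad`; `file` only honours `src` for `state: link`/`hard`, and with the default state it just examines `path`, leaving the rquotad port pin from the sysconfig file unapplied. The sibling `add smb.conf` task in generic/samba.yml already shows the right module for a file from `files/`: `copy:` with `src: rpc-rquotad.sysconfig` and `dest: /etc/sysconfig/rpc-rquotad`. The `when: sysconfig_rpc_rquotad.stat.exists` guard still makes sense afterwards, since it limits the copy to hosts where the package shipped that file.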
@@ -0,0 +1,48 @@
+---
+
+- name: install Samba packages
+  package:
+    name:
+      - tdb-tools
+      - samba
+      - samba-client
+      - samba-doc
+      - samba-winbind
+      - samba-winbind-clients
+    state: present
+
+- name: install Samba packages for GPFS
+  package:
+    name: samba-vfs-gpfs
+    state: present
+  when: clusterfs.type == 'gpfs'
+
+- name: ensure Samba does not autostart
+  service:
+    name: "{{ service }}"
+    enabled: no
+  with_list:
+    - smb
+    - nmb
+    - winbind
+  loop_control:
+    loop_var: service
+
+- name: Set up NSS, PAM, ...
+  command: >
+    authconfig --update --nostart
+    --disablewinbindauth --disablewinbind --disablekrb5
+  when: auth_method == 'files'
+
+- name: Set up NSS, PAM, KRB5, ...
+  command: >
+    authconfig --update --nostart
+    --enablewinbindauth --enablewinbind --enablekrb5
+    --krb5kdc={{ kdc }}.{{ resolv_conf.domain }}
+    --krb5realm={{ resolv_conf.domain }}
+  when: auth_method == 'winbind'
+
+- name: Set up NSS, PAM, KRB5, ...
+  fail:
+    msg: "Invalid auth_method: {{ auth_method }}"
+  when: auth_method != 'files' and auth_method != 'winbind'
diff --git a/ansible/node/roles/nas/templates/ctdb_conf.j2 b/ansible/node/roles/nas/templates/ctdb_conf.j2
new file mode 100644
index 0000000..fbfaead
--- /dev/null
+++ b/ansible/node/roles/nas/templates/ctdb_conf.j2
@@ -0,0 +1,6 @@
+[logging]
+ location = syslog
+ log level = NOTICE
+
+[cluster]
+ recovery lock = {{ clusterfs.mountpoint }}/.ctdb/recovery.lock
diff --git a/ansible/node/roles/nas/templates/ctdb_public_addresses.j2 b/ansible/node/roles/nas/templates/ctdb_public_addresses.j2
new file mode 100644
index 0000000..77f95b7
--- /dev/null
+++ b/ansible/node/roles/nas/templates/ctdb_public_addresses.j2
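Review bot: The `fail` task that rejects an unknown `auth_method` is the last task in redhat/samba.yml and carries the same name as the winbind task, `Set up NSS, PAM, KRB5, ...`, so a typo in `auth_method` is only reported after the Samba packages have been installed and the service units disabled. Give it its own name and move it to the top of the file, e.g. `- name: validate auth_method` / `fail:` / `msg: "Invalid auth_method: {{ auth_method }}"` with the same `when:`, so the play stops before anything on the node changes; since this file is the first thing main.yml includes, that also protects the later generic tasks. Both `authconfig --update` commands report changed on every run; a short comment stating that this is accepted keeps the next reader from guessing at a `changed_when`. `{{ kdc }}` is the one variable here whose origin is not visible in this diff, so a one-line comment naming where it is defined would help.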
@@ -0,0 +1,55 @@
+{# #}
+{# How many static public addresses/interfaces per node? #}
+{# #}
+{% set num_static = (nodes[ansible_hostname].ips | length) - 1 %}
+{# #}
+{# Gather all static addresses, sublist per interface #}
+{# #}
+{% set static_addrs = [] %}
+{% for i in range(1, num_static + 1) -%}
+{{ static_addrs.append([]) }}
+{%- endfor %}
+{% for hostname, n in nodes | dictsort %}
+{% if n.is_ctdb_node %}
+{% for i in range(1, num_static + 1) -%}
+{{ static_addrs[i - 1].append(n.ips[i]) }}
+{%- endfor %}
+{% endif %}
+{% endfor %}
+{# #}
+{# For each list of static IPs, find interface, print with each IP #}
+{# #}
+{% set h = ansible_hostname %}
+{% for ips in static_addrs %}
+{% for iface in ansible_interfaces %}
+{% set ai = 'ansible_%s'|format(iface) %}
+{% if hostvars[h][ai]['ipv4'] is defined %}
+{% set ip4 = hostvars[h][ai]['ipv4'] %}
+{% if ip4['address'] is defined %}
+{% set aip = ip4['address'] %}
+{% set netmask = ip4['netmask'] %}
+{% set prefix = (aip + '/' + netmask) | ipv4('prefix') %}
+{% if aip in ips %}
+{% for ip in ips %}
+{% set ip_int = ip | ipaddr('int') %}
+{{ (ip_int + 100) | ipaddr('address') }}/{{ prefix }} {{ iface }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
+{% if hostvars[h][ai]['ipv6'] is defined %}
+{% for ip6 in hostvars[h][ai]['ipv6'] %}
+{% if ip6['address'] is defined %}
+{% set aip = ip6['address'] %}
+{% set prefix = ip6['prefix'] %}
+{% if aip in ips %}
+{% for ip in ips %}
+{% set ip_int = ip | ipaddr('int') %}
+{{ (ip_int + 100) | ipaddr('address') }}/{{ prefix }} {{ iface }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfor %}
diff --git a/ansible/node/roles/nas/templates/ctdb_sysconfig.j2 b/ansible/node/roles/nas/templates/ctdb_sysconfig.j2
new file mode 100644
index 0000000..9992023
--- /dev/null
+++ b/ansible/node/roles/nas/templates/ctdb_sysconfig.j2
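Review bot: The central convention of ctdb_public_addresses.j2 — each public address is a CTDB node's static address plus 100 (`(ip_int + 100) | ipaddr('address')`), emitted with the prefix and name of whichever local interface carries the matching static address — is nowhere stated, and the three `{# #}` headers only describe the bookkeeping. A header comment along the lines of `{# Public addresses = static address of every is_ctdb_node, offset by +100, on the local interface whose own address is in that static list; the ipaddr/ipv4 filters need python-netaddr on the controller #}` would document both the offset and the controller-side dependency. The +100 offset silently assumes that range is free on the subnet and does not wrap past the prefix; the template cannot check that, so stating the assumption in the same comment is the most that can be done here.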
@@ -0,0 +1,23 @@
+# Core
+CTDB_PUBLIC_ADDRESSES=/etc/ctdb/public_addresses
+CTDB_RECOVERY_LOCK={{ clusterfs.mountpoint }}/.ctdb/recovery.lock
+
+# Services managed
+CTDB_MANAGES_SAMBA=yes
+{% if auth_method == 'winbind' %}
+CTDB_MANAGES_WINBIND=yes
+{% else %}
+CTDB_MANAGES_WINBIND=no
+{% endif %}
+
+CTDB_MANAGES_NFS=yes
+CTDB_MANAGES_HTTPD=yes
+CTDB_MANAGES_VSFTPD=yes
+
+# System
+ulimit -n 1048576
+ulimit -c unlimited
+
+# Logging
+CTDB_LOGGING="syslog"
+CTDB_DEBUGLEVEL=NOTICE
diff --git a/ansible/node/roles/nas/templates/nfs_exports.j2 b/ansible/node/roles/nas/templates/nfs_exports.j2
new file mode 100644
index 0000000..00bd867
--- /dev/null
+++ b/ansible/node/roles/nas/templates/nfs_exports.j2
@@ -0,0 +1,6 @@
+# NFS exports file generated by autocluster
+{% set fsid = 834258092 %}
+{% for s in shares %}
+"{{ s.directory }}" *(rw,no_root_squash,subtree_check,fsid={{ fsid }})
+  {% set fsid = fsid + 1 %}
+{% endfor %}
diff --git a/ansible/node/roles/nas/templates/nfs_sysconfig.j2 b/ansible/node/roles/nas/templates/nfs_sysconfig.j2
new file mode 100644
index 0000000..c103fc7
--- /dev/null
+++ b/ansible/node/roles/nas/templates/nfs_sysconfig.j2
@@ -0,0 +1,14 @@
+NFS_HOSTNAME="{{ cluster }}"
+
+STATD_PORT=32765
+STATD_OUTGOING_PORT=32766
+MOUNTD_PORT=32767
+RQUOTAD_PORT=32768
+LOCKD_UDPPORT=32769
+LOCKD_TCPPORT=32769
+
+STATDARG="-n ${NFS_HOSTNAME}"
+STATD_HA_CALLOUT="/etc/ctdb/statd-callout"
+
+RPCNFSDARGS="-N 4"
+RPCNFSDCOUNT=8
diff --git a/ansible/node/roles/nas/templates/samba_registry.j2 b/ansible/node/roles/nas/templates/samba_registry.j2
new file mode 100644
index 0000000..f6200af
--- /dev/null
+++ b/ansible/node/roles/nas/templates/samba_registry.j2
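Review bot: ctdb_sysconfig.j2 is not rendered by any task in this commit (generic/ctdb.yml only templates ctdb_conf.j2 and ctdb_public_addresses.j2), and it carries the older `CTDB_MANAGES_*` / `CTDB_RECOVERY_LOCK` style of configuration that the `ctdb event script enable legacy` tasks and the `[cluster] recovery lock` line in ctdb.conf already cover, so the two would disagree if someone later wired it in. It also declares `CTDB_MANAGES_HTTPD=yes` and `CTDB_MANAGES_VSFTPD=yes` although the role configures neither service. Either drop the file or give it a header such as `# Legacy-style CTDB sysconfig; NOT rendered by this role, kept for reference only` so a reader does not assume these settings are in effect.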
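Review bot: The `{% set fsid = fsid + 1 %}` inside the `for` loop in nfs_exports.j2 never updates the outer `fsid`: a `set` inside a Jinja2 loop body is scoped to that iteration, so every share is exported with `fsid=834258092`, and since the kernel uses `fsid` to identify the exported filesystem, clients may be steered to the wrong share. Drop the set line and derive the id from the loop counter instead: `"{{ s.directory }}" *(rw,no_root_squash,subtree_check,fsid={{ 834258092 + loop.index0 }})`. Separately, each share is exported to `*` with `no_root_squash`, i.e. any host that can reach the cluster may mount it and act as root; if that is deliberate for a throw-away test cluster, say so in the header comment and note that the client list is the place to tighten it for anything else.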
@@ -0,0 +1,33 @@
+[global]
+{% if auth_method == 'winbind' %}
+    security = ADS
+{% elif auth_method == 'files' %}
+    security = USER
+{% else %}
+    security = BROKEN
+{% endif %}
+
+    logging = syslog
+    log level = 1
+
+    netbios name = {{ cluster }}
+    workgroup = {{ samba.workgroup }}
+    realm = {{ resolv_conf.domain }}
+
+    disable netbios = yes
+    disable spoolss = yes
+
+    idmap config * : backend = autorid
+    idmap config * : range = 1000000-1999999
+
+    kernel oplocks = yes
+
+    read only = no
+
+{% for s in shares %}
+[{{ s.name }}]
+    path = {{ s.directory }}
+    comment = Example share {{ s.name }}
+    guest ok = yes
+    browseable = yes
+{% endfor %} |
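Review bot: Every generated share in samba_registry.j2 gets `guest ok = yes` under a global `read only = no`, which grants unauthenticated write access to each share regardless of whether `auth_method` is `files` or `winbind`; if that is the intended default for the test cluster, state it above the loop (`{# shares are guest-writable on purpose: throw-away autocluster test environment #}`) and consider a per-share `s.guest_ok` so an AD-joined cluster can switch it off. The `security = BROKEN` branch is unreachable once the redhat/samba.yml `fail` guard has run, but a non-RedHat OS family or a direct render of this template would still produce it; a comment saying it is deliberately invalid so smbd refuses to start would make that intent explicit. `comment = Example share {{ s.name }}` suggests the share section is still a placeholder, which is worth a TODO rather than leaving readers to guess.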