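---
################################################################################
# description: Installs MongoDB 3x on CentOS7x
# usage: ansible-playbook CentOS7x_Install-MongoDB-Three-Node-Cluster-Group-in-Replica-Mode-playbook.yml --extra-vars 'HostOrGroup=YourServerOrGroupNameGoesHere MongoAdminPassword=StartingAdminPasswordHere'
# author: Ernest G. Wilson II <[email protected]> (https://github.com/ernestgwilsonii)
# license: MIT
################################################################################
# Security notes (review):
#   * MongoAdminPassword is taken from the command line, so it ends up in shell
#     history and is visible in the process list on the Ansible host while the
#     playbook runs. For anything beyond a lab pass it from an Ansible Vault
#     file instead (--extra-vars @vault.yml).
#   * The replica-set keyfile is generated in /tmp on the Ansible host (play 1),
#     copied to every node (play 2) and deleted again (play 3). If play 2 aborts,
#     play 3 does not run and the key stays in /tmp until a later complete run.
#   * Nothing visible in this playbook runs rs.initiate; initiating the replica
#     set is a separate step after all three nodes are installed.
################################################################################
# Ansible Playbook options
# REF: http://docs.ansible.com/ansible/playbooks.html
#####################################################
- name: Generate prerequistite MongoDB replication key on the Ansible host
  hosts: localhost
  serial: "100%"
  gather_facts: false
  tasks:
    # shell - Executes a command through /bin/sh
    # REF: http://docs.ansible.com/ansible/shell_module.html
    #######################################################
    # The keyfile is the shared secret the replica-set members use to
    # authenticate to each other, so it must not be readable by other users
    # on the Ansible host. "umask 077" makes the redirected file 0600 at
    # creation; with a plain redirection under the default umask it would
    # have been created world-readable. The raw module is not needed here --
    # localhost already has Python -- and shell gives a proper return code.
    # NOTE(review): /tmp/mongod-replication.key is a fixed, predictable path
    # on a shared directory; a private directory would be safer still, but
    # plays 2 and 3 reference this exact path.
    - name: umask 077 && /usr/bin/openssl rand -base64 756 > /tmp/mongod-replication.key
      shell: umask 077 && /usr/bin/openssl rand -base64 756 > /tmp/mongod-replication.key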
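# Ansible Playbook options
# REF: http://docs.ansible.com/ansible/playbooks.html
#####################################################
# NOTE(review): when HostOrGroup is not passed, the error text below becomes
# the host pattern. Ansible then matches no hosts and (presumably) skips this
# play with a "could not match supplied host pattern" warning rather than
# aborting, so watch the output for that warning.
- name: Install MongoDB 3x on CentOS7x
  hosts: "{{ HostOrGroup|default ('FATAL ERROR --> HostOrGroup NOT SET! You must specify either a Host or a Group name!') }}"
  serial: "100%"
  gather_facts: false
  tasks:
    # Fail fast on a missing password instead of seeding every node with a
    # guessable built-in default; the usage line in the header already
    # documents MongoAdminPassword as a required argument.
    # REF: http://docs.ansible.com/ansible/assert_module.html
    ##########################################################
    - name: Ensure MongoAdminPassword was supplied via --extra-vars
      assert:
        that:
          - MongoAdminPassword is defined
          - MongoAdminPassword | length > 0
        msg: "MongoAdminPassword NOT SET! Pass it with --extra-vars (see the usage line in the header)"

    # Install or configure repository used on the OS by yum
    # REF: https://docs.ansible.com/ansible/yum_repository_module.html
    ##################################################################
    # /etc/yum.repos.d/mongodb-org-3.4.repo
    # HTTPS baseurl plus gpgcheck: packages are verified against the vendor
    # key rather than trusted because they came from the mirror.
    - name: Install repository for MongoDB Community Edition
      yum_repository:
        name: MongoDB
        description: MongoDB Repository
        file: mongodb-org-3.4
        baseurl: https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.4/x86_64/
        enabled: true
        gpgcheck: true
        gpgkey: https://www.mongodb.org/static/pgp/server-3.4.asc

    # Install yum packages
    # REF: http://docs.ansible.com/ansible/yum_module.html
    ######################################################
    # "present" rather than "latest": this play runs with serial 100% and
    # unconditionally restarts mongod further down, so a re-run that happened
    # to pick up a newer package would upgrade every replica-set member at the
    # same time. Upgrade deliberately, not as a side effect of a re-run.
    - name: Install mongodb-org
      yum:
        name: mongodb-org
        state: present

    # Update various configuration files
    # REF: http://docs.ansible.com/ansible/lineinfile_module.html
    #############################################################
    # Persist the transparent-hugepage settings across reboots via rc.local;
    # the live values are set further down.
    - name: Ensure that boot-time transparent_hugepage/defrag is set to never
      lineinfile:
        dest: /etc/rc.local
        state: present
        line: 'echo never > /sys/kernel/mm/transparent_hugepage/defrag'
    - name: Ensure that boot-time transparent_hugepage/enabled is set to never
      lineinfile:
        dest: /etc/rc.local
        state: present
        line: 'echo never > /sys/kernel/mm/transparent_hugepage/enabled'

    # Use the file module
    # REF: http://docs.ansible.com/ansible/file_module.html
    #######################################################
    # /etc/rc.local is linked to /etc/rc.d/rc.local which must be set executable.
    # 0755, not 0777: rc.local is executed as root at boot, so a world-writable
    # rc.local lets any local user append commands that run as root on the
    # next reboot. Executable is all that is needed here.
    - name: chmod 755 /etc/rc.d/rc.local
      file:
        path: /etc/rc.d/rc.local
        mode: "0755"

    # shell - Executes a command through /bin/sh on a remote node
    # REF: http://docs.ansible.com/ansible/shell_module.html
    #######################################################
    # The command module does not go through a shell, so a ">" in its
    # arguments is handed to echo as a literal word and nothing is written to
    # sysfs -- the live THP setting was never actually changed. The shell
    # module performs the redirection.
    - name: Ensure current active running value transparent_hugepage/defrag is set to never
      shell: echo never > /sys/kernel/mm/transparent_hugepage/defrag
    - name: Ensure current active running value transparent_hugepage/enabled is set to never
      shell: echo never > /sys/kernel/mm/transparent_hugepage/enabled

    # Restart firewalld to make sure it is running OK before changing any rules
    # REF: http://docs.ansible.com/ansible/service_module.html
    ##########################################################
    - name: Ensure the firewalld service is enabled and re-started before changing any rules
      service:
        name: firewalld
        enabled: true
        state: restarted

    # Update the firewalld configuration
    # REF: http://docs.ansible.com/ansible/firewalld_module.html
    ############################################################
    # Opening 27017/tcp in the public zone with no source restriction exposes
    # mongod to every network that zone faces, leaving the admin password set
    # below as the only control. Pass MongoAllowedSources (a list of IPs or
    # CIDRs: the other replica-set members plus the application hosts) to
    # limit the rule to those sources. When it is not set the original
    # open-to-all rule is applied so existing invocations keep working.
    - name: Update firewall to allow port TCP 27017 for incoming MongoDB connections from any source
      firewalld:
        port: 27017/tcp
        permanent: true
        immediate: true
        state: enabled
        zone: public
      when: MongoAllowedSources is not defined
    - name: Update firewall to allow port TCP 27017 for incoming MongoDB connections from MongoAllowedSources only
      firewalld:
        rich_rule: 'rule family="ipv4" source address="{{ item }}" port port="27017" protocol="tcp" accept'
        permanent: true
        immediate: true
        state: enabled
        zone: public
      with_items: "{{ MongoAllowedSources|default([]) }}"

    # Tweak settings in INI files
    # REF: http://docs.ansible.com/ansible/ini_file_module.html
    ###########################################################
    # Set values in /usr/lib/systemd/system/mongod.service
    # NOTE(review): this edits the package-owned unit file, which a package
    # upgrade may overwrite (a re-run of this playbook re-applies the edit).
    # A drop-in under /etc/systemd/system/mongod.service.d/ would survive
    # upgrades -- TODO confirm the WantedBy removal below can be expressed
    # there too before switching.
    - name: Specify After value of multi-user.target under the Unit section in /usr/lib/systemd/system/mongod.service
      ini_file:
        dest: /usr/lib/systemd/system/mongod.service
        section: Unit
        option: After
        value: 'multi-user.target'
    # Set values in /usr/lib/systemd/system/mongod.service
    - name: Remove the WantedBy value of multi-user.target under the Install section in /usr/lib/systemd/system/mongod.service
      ini_file:
        dest: /usr/lib/systemd/system/mongod.service
        section: Install
        option: WantedBy
        state: absent

    # Use the copy module to copy various files into place
    # REF: http://docs.ansible.com/ansible/copy_module.html
    #######################################################
    # /usr/lib/tmpfiles.d/mongod.conf
    - name: Copy the mongod.conf systemd tmpfiles.d configuration file from Ansible local file files/MongoDB/mongod.conf to MongoDB remote /usr/lib/tmpfiles.d/mongod.conf
      copy:
        src: files/MongoDB/mongod.conf
        dest: /usr/lib/tmpfiles.d/mongod.conf
        owner: mongod
        group: mongod
        mode: "0644"

    # Enable and start mongod service
    # REF: http://docs.ansible.com/ansible/service_module.html
    ##########################################################
    # First start uses the package default /etc/mongod.conf, i.e. before the
    # security-enabled configuration below is active; the admin user is
    # created against this instance.
    - name: Enable and start the mongod service for the first time with the default configuration
      service:
        name: mongod.service
        enabled: true
        state: restarted
    # Note: Command line verification:
    # systemctl status mongod.service
    # systemctl status mongod.service -l
    # service mongod status
    # ls /var/lib/mongo
    # cat /var/log/messages | grep mongod
    # cat /usr/lib/systemd/system/mongod.service
    # cat /etc/mongod.conf
    # cat /var/log/mongodb/mongod.log

    # Use the template module to populate files with data
    # REF: http://docs.ansible.com/ansible/template_module.html
    ###########################################################
    # /etc/mongod.conf - Enables security flag that requires usernames/passwords going forward and names a starting replica set.
    # The file is written now but only takes effect at the restart further down.
    - name: Deploy modified production ready configuration templates/MongoDB/replica-mode-mongod.conf.j2 to remote /etc/mongod.conf
      template:
        src: templates/MongoDB/replica-mode-mongod.conf.j2
        dest: /etc/mongod.conf
        owner: root
        group: mongod
        mode: "0644"

    # An "import" JS file will be used to create the initial starting admin user and set a starting password.
    # It holds the password in clear text, so: root-only mode instead of 0644,
    # no_log on the tasks that would print its contents (template --diff output,
    # raw stdout), and an always: section so the file is removed even when the
    # mongo shell fails.
    # REF: http://docs.ansible.com/ansible/playbooks_blocks.html
    # NOTE(review): this is a first-install step. Once the security-enabled
    # configuration is active, a re-run of this unauthenticated createUser is
    # expected to fail.
    - block:
        - name: Copy a "MongoDB style JS import template" file needed to create the initial admin account
          template:
            src: templates/MongoDB/addMongoAdmin.js.j2
            dest: /tmp/addMongoAdmin.js
            owner: root
            group: mongod
            mode: "0600"
          no_log: true
        # Execute raw command(s)
        # REF: http://docs.ansible.com/ansible/raw_module.html
        ##########################################################
        # Add a starting admin user and starting password to the "admin" database BEFORE security gets enabled!
        # The password is deliberately not echoed in the task name or output.
        - name: Create a starting "admin" user with the password given in MongoAdminPassword
          raw: /usr/bin/mongo admin < /tmp/addMongoAdmin.js
          no_log: true
      always:
        # Use the file module
        # REF: http://docs.ansible.com/ansible/file_module.html
        #######################################################
        - name: rm /tmp/addMongoAdmin.js
          file:
            path: /tmp/addMongoAdmin.js
            state: absent

    # Use the copy module to copy various files into place
    # REF: http://docs.ansible.com/ansible/copy_module.html
    #######################################################
    # /var/lib/mongo/mongod-replication.key
    # The same keyfile generated in play 1 lands on every member. 0400 owned
    # by mongod: only the daemon reads it (and, per the MongoDB keyfile docs --
    # verify for 3.4 -- mongod rejects a keyfile with broader permissions).
    - name: Copy temporary Ansible local file /tmp/mongod-replication.key to MongoDB remote /var/lib/mongo/mongod-replication.key
      copy:
        src: /tmp/mongod-replication.key
        dest: /var/lib/mongo/mongod-replication.key
        owner: mongod
        group: mongod
        mode: "0400"
    # /etc/ssl/mongodb.pem
    # NOTE(review): files/MongoDB/mongodb.pem is a "starting" self-signed
    # certificate shipped with the playbook -- presumably with its private key,
    # since a bare certificate would not need 0400 -- so the same key material
    # lives in the repository and on every node. Treat it as a bootstrap
    # artefact and replace it with per-host certificates before production use.
    - name: Copy starting self-signed certificate from Ansible files/MongoDB/mongodb.pem to MongoDB remote /etc/ssl/mongodb.pem
      copy:
        src: files/MongoDB/mongodb.pem
        dest: /etc/ssl/mongodb.pem
        owner: mongod
        group: mongod
        mode: "0400"

    # shell - Executes a command through /bin/sh on a remote node
    # REF: http://docs.ansible.com/ansible/shell_module.html
    #######################################################
    # Re-apply the live THP values right before the production restart
    # (shell, not command, so the redirection actually happens).
    - name: Ensure current active running value transparent_hugepage/defrag is set to never
      shell: echo never > /sys/kernel/mm/transparent_hugepage/defrag
    - name: Ensure current active running value transparent_hugepage/enabled is set to never
      shell: echo never > /sys/kernel/mm/transparent_hugepage/enabled

    # Re-start mongod service
    # REF: http://docs.ansible.com/ansible/service_module.html
    ##########################################################
    # From here on mongod runs with the replica-mode configuration deployed
    # above (usernames/passwords required).
    - name: Re-start the mongod service with a production ready configuration in place
      service:
        name: mongod.service
        enabled: true
        state: restarted
    # Note: Command line verification:
    # systemctl status mongod.service
    # systemctl status mongod.service -l
    # service mongod status
    # ls /var/lib/mongo
    # cat /var/log/messages | grep mongod
    # cat /usr/lib/systemd/system/mongod.service
    # cat /etc/mongod.conf
    # cat /var/log/mongodb/mongod.log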
# Ansible Playbook options
# REF: http://docs.ansible.com/ansible/playbooks.html
#####################################################
# Controller-side cleanup: by now every node holds its own copy of the keyfile
# under /var/lib/mongo, so the temporary copy on the Ansible host is no longer
# needed. If the install play aborted (for example because every target
# failed) this play does not run and the key remains in /tmp.
- name: Post deployment cleanup of the MongoDB replication key from the temporary location on the Ansible host
  hosts: localhost
  serial: "100%"
  gather_facts: false
  tasks:
    # Use the file module
    # REF: http://docs.ansible.com/ansible/file_module.html
    #######################################################
    # state: absent is idempotent -- a missing file is not an error.
    - name: rm /tmp/mongod-replication.key
      file:
        state: absent
        path: /tmp/mongod-replication.key