From 8e0c2ed9d232d1149b71d65624ec42c34f05e696 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Mon, 2 Dec 2024 10:47:39 +0100
Subject: [PATCH] Adding and using ansible roles 389ds-set-backend-readonly and haproxy-disable-backend
---
 playbooks/configure-ldap-servers.yaml | 4 +-
 playbooks/disable-ldap-server.yaml | 37 +++++++++---------
 .../tasks/main.yaml | 0
 roles/haproxy-disable-backend/tasks/main.yaml | 38 +++++++++++++++++++
 roles/haproxy-disable-backend/vars/main.yaml | 11 ++++++
 5 files changed, 71 insertions(+), 19 deletions(-)
 rename includes/set-389ds-backend-readonly.yaml => roles/389ds-set-backend-readonly/tasks/main.yaml (100%)
 create mode 100644 roles/haproxy-disable-backend/tasks/main.yaml
 create mode 100644 roles/haproxy-disable-backend/vars/main.yaml
diff --git a/playbooks/configure-ldap-servers.yaml b/playbooks/configure-ldap-servers.yaml
index ce7df7a..8f08ba0 100644
--- a/playbooks/configure-ldap-servers.yaml
+++ b/playbooks/configure-ldap-servers.yaml
@@ -7,7 +7,7 @@
 tasks:
 - name: "Exec command for retrieving version of 389ds LDAP server."
- ansible.builtin.shell: ns-slapd -v | grep -i '^389-Directory' | sed -e 's|.*/||' -e 's/[ ].*//'
+ ansible.builtin.shell: ns-slapd -v | grep -i '^389-Directory' | sed -e 's|.*/||' -e 's/\s.*//'
 register: get_389ds_version
 check_mode: false
 changed_when: false
@@ -24,7 +24,7 @@
 - name: "Fail for non existing 389ds LDAP server."
 ansible.builtin.fail:
- msg: "No 389ds LDAP server found on host '{{ ansible_fqdn }}'."
+ msg: "No 389ds LDAP server found on host '{{ inventory_hostname }}'."
 when: version_389ds == ''
 - name: "Configure logging for host '{{ inventory_hostname }}'."
diff --git a/playbooks/disable-ldap-server.yaml b/playbooks/disable-ldap-server.yaml
index 1e0a014..5733306 100644
--- a/playbooks/disable-ldap-server.yaml
+++ b/playbooks/disable-ldap-server.yaml
@@ -37,6 +37,7 @@
 - name: "Disable the given host as a HAProxy backend server."
 hosts: haproxy_servers
+ gather_facts: false
 tasks:
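Review bot: The new `sed -e 's/\s.*//'` relies on `\s`, a GNU sed extension rather than a POSIX character class, so the version string is only parsed correctly where GNU sed is installed; the portable spelling that also covers tabs is `-e 's/[[:space:]].*//'`. The surrounding `ansible.builtin.shell` pipeline runs without `pipefail`, so a missing or failing `ns-slapd` exits 0 with empty output and is only caught by the empty-string check in the next hunk; running `ansible.builtin.command: ns-slapd -v` and extracting the version with `regex_search` in a `set_fact` would avoid the shell and the masking altogether. The task list this belongs to continues outside the hunk.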
@@ -50,15 +51,16 @@
 var: ldapserver_to_disable
 verbosity: 0
- - name: "Setting backend server {{ haproxy_backend_name }}/{{ ldapserver_to_disable }} into maintenance."
- community.general.haproxy:
- state: drain
- host: "{{ ldapserver_to_disable }}"
- socket: "{{ haproxy_admin_socket }}"
+ - name: "Setting HAProxy backend server into maintenance."
+ include_role:
+ name: 'haproxy-disable-backend'
+ vars:
 backend: "{{ haproxy_backend_name }}"
- wait: true
- wait_interval: 2
- wait_retries: 60
+ backend_server: "{{ ldapserver_to_disable }}"
+
+ # - name: "Fail for stop."
+ # ansible.builtin.fail:
+ # msg: "Hard stopping here ..."
 - name: "Disabling Replication on the given host."
 hosts: ldap_servers
@@ -120,21 +122,21 @@
 puppet agent --disable "[$( date +'%Y-%m-%d' )]: Disbled by Ansible playbook 'disable-ldap-server.yaml'."
 args:
 creates: '/opt/puppetlabs/puppet/cache/state/agent_disabled.lock'
- when: ldapserver_to_disable == ansible_fqdn
+ when: ldapserver_to_disable == inventory_hostname
 - name: "Disabling Puppet service on '{{ ldapserver_to_disable }}'."
 ansible.builtin.service:
 enabled: false
 name: puppet
 state: stopped
- when: ldapserver_to_disable == ansible_fqdn
+ when: ldapserver_to_disable == inventory_hostname
 - name: "Disabling Wazuh service on '{{ ldapserver_to_disable }}'."
 ansible.builtin.service:
 enabled: false
 name: wazuh-agent
 state: stopped
- when: ldapserver_to_disable == ansible_fqdn
+ when: ldapserver_to_disable == inventory_hostname
 - name: "Retrieve all backends from '{{ ldapserver_to_disable }}'."
 ansible.builtin.shell: "dsconf '{{ slapd_instance }}' backend suffix list"
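Review bot: The three commented-out lines `# - name: "Fail for stop."` through `# msg: "Hard stopping here ..."` appended after the `include_role` task are debugging scaffolding and should not be committed; delete them rather than leave a dead task for the next reader to puzzle over. The `include_role` itself reads fine, but the drain timeouts that used to be explicit here (`wait: true`, `wait_interval: 2`, `wait_retries: 60`) now come from the role's own `vars/main.yaml`, so anyone tuning them has to know to look there; a one-line comment above the include pointing at the role would save that search.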
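Review bot: The `when` guards in this hunk now compare `ldapserver_to_disable` against `inventory_hostname` instead of the FQDN, so the value must be spelled exactly as the inventory name; if the play is run with an FQDN while the inventory uses short names (or the reverse), all three `==` guards are silently skipped, Puppet and the Wazuh agent keep running on the host being decommissioned, and the complementary `!=` guards later in the file run on it as well. Nothing in the hunk validates the name, so I would fail fast at the top of this play, which starts outside the hunk, with `- ansible.builtin.assert:` / `    that: ldapserver_to_disable in ansible_play_hosts` / `    fail_msg: "'{{ ldapserver_to_disable }}' is not a host of this play."`. Since stopping `wazuh-agent` removes security monitoring from the host, that guard in particular should never be skipped by accident.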
@@ -164,15 +166,16 @@
 verbosity: 0
 - name: "Setting all backends to readonly."
- include_tasks: '../includes/set-389ds-backend-readonly.yaml'
- when: ldapserver_to_disable == ansible_fqdn
+ include_role:
+ name: 389ds-set-backend-readonly
+ when: ldapserver_to_disable == inventory_hostname
 loop: "{{ suffixes | dict2items }}"
 loop_control:
 loop_var: backend
 - name: "Removing replication agreements on host to disable."
 include_tasks: '../includes/del-389ds-backend-repl-agmts-target.yaml'
- when: ldapserver_to_disable == ansible_fqdn
+ when: ldapserver_to_disable == inventory_hostname
 vars:
 suffix: "{{ item[0].key }}"
 target: "{{ item[1] }}"
@@ -180,14 +183,14 @@
 - name: "Removing replication agreements on hosts to keep."
 include_tasks: '../includes/del-389ds-backend-repl-agmts-src.yaml'
- when: ldapserver_to_disable != ansible_fqdn
+ when: ldapserver_to_disable != inventory_hostname
 vars:
 suffix: "{{ item[0].key }}"
 target: "{{ item[1] }}"
 loop: "{{ suffixes | dict2items | product( ansible_play_batch ) | list }}"
 - name: "Disabling replication on all suffixes."
- when: ldapserver_to_disable == ansible_fqdn
+ when: ldapserver_to_disable == inventory_hostname
 include_tasks: '../includes/disable-389ds-replication.yaml'
 vars:
 suffix: "{{ item.key }}"
@@ -195,7 +198,7 @@
 - name: "Clean all RUVs for Replication ID {{ target_replica_id }} on all suffixes ..."
 include_tasks: '../includes/389ds-repl-tasks-cleanallruv.yaml'
- when: ldapserver_to_disable != ansible_fqdn
+ when: ldapserver_to_disable != inventory_hostname
 vars:
 suffix: "{{ item.key }}"
 loop: "{{ suffixes | dict2items | list }}"
diff --git a/includes/set-389ds-backend-readonly.yaml b/roles/389ds-set-backend-readonly/tasks/main.yaml
similarity index 100%
rename from includes/set-389ds-backend-readonly.yaml
rename to roles/389ds-set-backend-readonly/tasks/main.yaml
diff --git a/roles/haproxy-disable-backend/tasks/main.yaml b/roles/haproxy-disable-backend/tasks/main.yaml
new file mode 100644
index 0000000..dd5b47d
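Review bot: `name: 389ds-set-backend-readonly` is left as a plain scalar while the same commit quotes `'haproxy-disable-backend'` in the haproxy play; a bare value starting with digits is still a string here because it is not numeric, but quoting it keeps the two `include_role` calls consistent and spares a reader the typing check, `name: '389ds-set-backend-readonly'`. The role's task file is the verbatim rename of the old include (100% similarity), so it still depends on the `backend` loop variable supplied only through `loop_control` here; a role is normally expected to declare its inputs, so a comment at the top of `roles/389ds-set-backend-readonly/tasks/main.yaml` naming `backend` as the required input, or an entry in `meta/argument_specs.yml`, would make the contract explicit. The play these tasks belong to starts outside the hunk.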
--- /dev/null
+++ b/roles/haproxy-disable-backend/tasks/main.yaml
@@ -0,0 +1,38 @@
+---
+
+- debug:
+ msg: "Setting server '{{ backend_server }}' on HAProxy backend '{{ backend }}' into maintenance ..."
+ verbosity: 0
+
+- name: "Get file stat of HAProxy admin socket '{{ haproxy_admin_socket }}' ..."
+ ansible.builtin.stat:
+ path: "{{ haproxy_admin_socket }}"
+ register: admin_socket
+
+- name: "File stat of HAProxy admin socket '{{ haproxy_admin_socket }}': "
+ debug:
+ var: admin_socket
+ verbosity: 3
+
+- name: "Check existence of HAProxy admin socket '{{ haproxy_admin_socket }}'."
+ ansible.builtin.fail:
+ msg: "The HAProxy admin socket '{{ haproxy_admin_socket }}' does not exists."
+ when: admin_socket.stat.exists != true
+
+- name: "Checkinf, whether '{{ haproxy_admin_socket }}' is a socket."
+ ansible.builtin.fail:
+ msg: "The path '{{ haproxy_admin_socket }}' for the HAProxy admin socket is not a socket."
+ when: admin_socket.stat.issock != true
+
+- name: "Setting backend server {{ backend }}/{{ backend_server }} into maintenance."
+ community.general.haproxy:
+ state: drain
+ host: "{{ backend_server }}"
+ socket: "{{ haproxy_admin_socket }}"
+ backend: "{{ backend }}"
+ wait: "{{ haproxy_wait_for_disable }}"
+ wait_interval: "{{ haproxy_wait_interval }}"
+ wait_retries: "{{ haproxy_wait_retries }}"
+
+
+# vim: filetype=yaml
diff --git a/roles/haproxy-disable-backend/vars/main.yaml b/roles/haproxy-disable-backend/vars/main.yaml
new file mode 100644
index 0000000..cc0f36c
--- /dev/null
+++ b/roles/haproxy-disable-backend/vars/main.yaml
@@ -0,0 +1,11 @@
+---
+
+haproxy_user_socket: '/run/haproxy/user.sock'
+haproxy_admin_socket: '/run/haproxy/admin.sock'
+haproxy_test_socket: '/etc/passwd'
+
+haproxy_wait_for_disable: true
+haproxy_wait_interval: 2
+haproxy_wait_retries: 60
+
+# vim: filetype=yaml
-- 
2.39.5
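Review bot: The two `ansible.builtin.fail` guards on the admin socket use `!= true` comparisons and split one precondition over two tasks; `ansible.builtin.assert` states it in one place, and because `stat` only sets `issock` when the path exists, defaulting that key keeps the second condition from raising an undefined-variable error instead of the intended message. While there, the task names carry typos (`Checkinf`, `does not exists`), and the opening `- debug:` has neither a `name` nor the `ansible.builtin.` prefix that the other modules in this file use. The admin socket is a privileged control channel into HAProxy; the role checks that the path is a socket but says nothing about who may own it, so if that is deliberate a short comment above the `stat` task would spare the next reader the question.

```yaml
- name: "Check that '{{ haproxy_admin_socket }}' exists and is a socket."
  ansible.builtin.assert:
    that:
      - admin_socket.stat.exists
      - admin_socket.stat.issock | default(false)
    fail_msg: "'{{ haproxy_admin_socket }}' is missing or is not a socket; refusing to talk to HAProxy."
# … unchanged: community.general.haproxy drain task …
```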
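Review bot: Values in a role's `vars/main.yaml` rank above inventory, group/host vars and play vars in Ansible precedence, so `haproxy_admin_socket` and the three wait settings defined here silently override any per-environment values; the old inline task already referenced `haproxy_admin_socket`, so it was presumably defined elsewhere before this commit and is now shadowed. Move these four entries to `roles/haproxy-disable-backend/defaults/main.yaml` so callers keep the ability to override them. `haproxy_test_socket: '/etc/passwd'` and `haproxy_user_socket` are not read by the role's tasks; the former looks like a leftover from exercising the is-a-socket check and should be deleted rather than shipped.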