mirror of
https://pagure.io/fedora-infra/ansible.git
synced 2026-05-05 06:43:35 +08:00
464 lines
13 KiB
YAML
464 lines
13 KiB
YAML
---
|
|
# Openstack has a newer version of rabbitmq
|
|
- name: Install RHOSP13 repo file
|
|
ansible.builtin.copy: src="{{ files }}/common/rhos13.repo" dest=/etc/yum.repos.d/rhos13.repo
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
- packages
|
|
- yumrepos
|
|
when: ansible_distribution_major_version|int == 7
|
|
|
|
- name: Install RHOSP16 repo file
|
|
ansible.builtin.copy: src="{{ files }}/common/rhos16.repo" dest=/etc/yum.repos.d/rhos16.repo
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
- packages
|
|
- yumrepos
|
|
when: ansible_distribution_major_version|int == 8
|
|
|
|
- name: Install needed packages
|
|
ansible.builtin.package:
|
|
state: present
|
|
name:
|
|
- rabbitmq-server
|
|
- nagios-plugins-rabbitmq
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- packages
|
|
|
|
- name: Deploy CA certificate
|
|
ansible.builtin.copy:
|
|
src: "{{private}}/files/rabbitmq/{{env}}/ca-combined.crt"
|
|
dest: /etc/rabbitmq/ca.crt
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Create node cert directory
|
|
ansible.builtin.file: path=/etc/rabbitmq/nodecert/ owner=root group=root mode=0755 state=directory
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Deploy node certificate
|
|
ansible.builtin.copy: src="{{private}}/files/rabbitmq/{{env}}/pki/issued/{{inventory_hostname}}.crt"
|
|
dest=/etc/rabbitmq/nodecert/node.crt
|
|
owner=root group=root mode=0644
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Deploy node private key
|
|
ansible.builtin.copy: src="{{private}}/files/rabbitmq/{{env}}/pki/private/{{inventory_hostname}}.key"
|
|
dest=/etc/rabbitmq/nodecert/node.key
|
|
owner=rabbitmq group=rabbitmq mode=0600
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Build combined node key
|
|
assemble: src=/etc/rabbitmq/nodecert/ dest=/etc/rabbitmq/nodecert.combined.pem
|
|
owner=rabbitmq group=rabbitmq mode=0600
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Find the erlang SSL path
|
|
ansible.builtin.command:
|
|
argv:
|
|
- erl
|
|
- -noinput
|
|
- -eval
|
|
- 'io:format("~s~n", [filename:dirname(code:which(inet_tls_dist))])'
|
|
- -s
|
|
- init
|
|
- stop
|
|
register: _erlang_ssl_path_result
|
|
changed_when: false
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Set the Erlang SSL path fact
|
|
set_fact:
|
|
erlang_ssl_path: "{{ _erlang_ssl_path_result.stdout | trim }}"
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Deploy configuration
|
|
ansible.builtin.template: src={{item}}.j2 dest=/etc/rabbitmq/{{item}} owner=root group=root mode=0644
|
|
with_items:
|
|
- rabbitmq.conf
|
|
- rabbitmq-env.conf
|
|
- inter_node_tls.config
|
|
when: "datacenter == 'rdu3'"
|
|
notify:
|
|
- Restart rabbitmq
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Deploy staging cookie
|
|
ansible.builtin.copy: content="{{rabbitmq_cluster_cookie_staging}}" dest=/var/lib/rabbitmq/.erlang.cookie
|
|
owner=rabbitmq group=rabbitmq mode=0400
|
|
when: "env == 'staging'"
|
|
notify:
|
|
- Restart rabbitmq
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Deploy production cookie
|
|
ansible.builtin.copy: content="{{rabbitmq_cluster_cookie_production}}" dest=/var/lib/rabbitmq/.erlang.cookie
|
|
owner=rabbitmq group=rabbitmq mode=0400
|
|
when: "env == 'production'"
|
|
notify:
|
|
- Restart rabbitmq
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Create RabbitMQ systemd override directory
|
|
ansible.builtin.file:
|
|
path: /etc/systemd/system/rabbitmq-server.service.d/
|
|
state: directory
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Override file limit on rabbitmq
|
|
ansible.builtin.copy:
|
|
content: "[Service]\nLimitNOFILE={{rabbitmq_cluster_file_limit}}\n"
|
|
dest: /etc/systemd/system/rabbitmq-server.service.d/override.conf
|
|
notify:
|
|
- Restart rabbitmq
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Start rabbitmq
|
|
service: name=rabbitmq-server state=started enabled=yes
|
|
tags:
|
|
- rabbitmq_cluster
|
|
|
|
# This require a running server...
|
|
- name: Enable the HTTP management console and SSL authentication plugins
|
|
rabbitmq_plugin:
|
|
names: "rabbitmq_management,\
|
|
rabbitmq_auth_mechanism_ssl,\
|
|
rabbitmq_federation,\
|
|
rabbitmq_federation_management"
|
|
when: ansible_distribution_major_version|int < 9
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
# This is probably bad, I guess the plugin code isn't compatible anymore?
|
|
# We can do it by hand, it's probably slower but fine.
|
|
- name: Enable the plugins
|
|
ansible.builtin.command: rabbitmq-plugins enable {{item}}
|
|
when: ansible_distribution_major_version|int >= 9
|
|
register: result
|
|
changed_when: "'Plugin configuration unchanged.' not in result.stdout"
|
|
with_items:
|
|
- rabbitmq_management
|
|
- rabbitmq_auth_mechanism_ssl
|
|
- rabbitmq_federation
|
|
- rabbitmq_federation_management
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
|
|
# This requires the HTTPS management server to be running...`
|
|
- name: Nope. No standard users. Even if we use TLS auth
|
|
rabbitmq_user: user=guest state=absent
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
|
|
- name: Configure the pubsub virtual host
|
|
rabbitmq_vhost:
|
|
name: /pubsub
|
|
state: present
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
# This is the publicly accessible virtual host
|
|
- name: Configure the publicly accessible vhost
|
|
when: inventory_hostname.startswith('rabbitmq01')
|
|
rabbitmq_vhost:
|
|
name: /public_pubsub
|
|
state: present
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Configure the HA policy for queues on the pubsub virtual
|
|
rabbitmq_policy:
|
|
name: HA
|
|
apply_to: queues
|
|
pattern: .*
|
|
tags:
|
|
ha-mode: all
|
|
ha-sync-mode: automatic # Auto sync queues to new cluster members
|
|
ha-sync-batch-size: 10000 # Larger is faster, but must finish in 1 net_ticktime
|
|
vhost: /pubsub
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Add a policy to limit queues to 1GB and remove after a month of no use for /pubsub
|
|
when: inventory_hostname.startswith('rabbitmq01')
|
|
rabbitmq_policy:
|
|
apply_to: queues
|
|
name: pubsub_sweeper
|
|
state: present
|
|
pattern: ".*"
|
|
tags:
|
|
# Queues can use at most 1GB of storage
|
|
max-length-bytes: 1073741824
|
|
vhost: /pubsub
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Create the admin user for the {{ item }} vhost
|
|
rabbitmq_user:
|
|
user: admin
|
|
password: "{{ (env == 'production')|ternary(rabbitmq_admin_password_production, rabbitmq_admin_password_staging) }}"
|
|
vhost: "{{ item }}"
|
|
configure_priv: .*
|
|
read_priv: .*
|
|
write_priv: .*
|
|
tags: administrator
|
|
with_items:
|
|
- /
|
|
- /pubsub
|
|
- /public_pubsub
|
|
when: inventory_hostname.startswith('rabbitmq01')
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Dump the admin password in a file for administrative operations
|
|
ansible.builtin.copy:
|
|
dest: /root/.rabbitmqpass
|
|
content: "{{ (env == 'production')|ternary(rabbitmq_admin_password_production, rabbitmq_admin_password_staging) }}"
|
|
mode: "0600"
|
|
owner: root
|
|
group: root
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
# VirtualHost /centos-odcs
|
|
- import_tasks: vhost-centos-odcs.yml
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
# Users with the "monitoring" tag have read-only access vhosts, connections,
|
|
# channels, node-level resource usage, and cluster stats.
|
|
# (this needs to be done after all vhost that the user has access to have been created)
|
|
- name: Create the Nagios monitoring user in staging
|
|
rabbitmq_user:
|
|
user: nagios-monitoring
|
|
password: "{{ rabbitmq_monitoring_password_staging }}"
|
|
update_password: always
|
|
permissions:
|
|
- vhost: /
|
|
configure_priv: "^$"
|
|
read_priv: "^$"
|
|
write_priv: "^$"
|
|
- vhost: /pubsub
|
|
configure_priv: "^$"
|
|
read_priv: "^$"
|
|
write_priv: "^$"
|
|
- vhost: /public_pubsub
|
|
configure_priv: "^$"
|
|
read_priv: "^$"
|
|
write_priv: "^$"
|
|
- vhost: /centos-odcs
|
|
configure_priv: "^$"
|
|
read_priv: "^$"
|
|
write_priv: "^$"
|
|
tags: monitoring
|
|
when: env == "staging" and inventory_hostname.startswith('rabbitmq01')
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Create the Nagios monitoring user in production
|
|
rabbitmq_user:
|
|
user: nagios-monitoring
|
|
password: "{{ rabbitmq_monitoring_password_production }}"
|
|
update_password: always
|
|
permissions:
|
|
- vhost: /
|
|
configure_priv: "^$"
|
|
read_priv: "^$"
|
|
write_priv: "^$"
|
|
- vhost: /pubsub
|
|
configure_priv: "^$"
|
|
read_priv: "^$"
|
|
write_priv: "^$"
|
|
- vhost: /public_pubsub
|
|
configure_priv: "^$"
|
|
read_priv: "^$"
|
|
write_priv: "^$"
|
|
- vhost: /centos-odcs
|
|
configure_priv: "^$"
|
|
read_priv: "^$"
|
|
write_priv: "^$"
|
|
tags: monitoring
|
|
when: env == "production" and inventory_hostname.startswith('rabbitmq01')
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Configure a policy to ensure the public vhost stays swept up and tidy
|
|
when: inventory_hostname.startswith('rabbitmq01')
|
|
rabbitmq_policy:
|
|
apply_to: queues
|
|
name: sweeper
|
|
state: present
|
|
pattern: ".*"
|
|
tags:
|
|
# Unused queues are killed after 1000 * 60 * 60 (1 hour in milliseconds)
|
|
expires: 3600000
|
|
# Queues can use at most 1024 * 1024 * 50 (50MB) to store messages
|
|
max-length-bytes: 52428800
|
|
vhost: /public_pubsub
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
# Create a user with:
|
|
# * permission to configure and write to any uuidish-named objects
|
|
# * permission to read anything since users need to read exchanges for bindings
|
|
# read queues for consuming
|
|
- name: Create a user for public access
|
|
when: inventory_hostname.startswith('rabbitmq01')
|
|
rabbitmq_user:
|
|
user: "fedora{{ env_suffix }}"
|
|
permissions:
|
|
- vhost: /public_pubsub
|
|
# Matches, for example, de23804a-304a-4228-b239-35099c98bd1e
|
|
# Regex is Erlang flavored: http://erlang.org/doc/man/re.html
|
|
configure_priv: "^((\\w{8}(-\\w{4}){3}-\\w{12})|amq\\..*)$"
|
|
write_priv: "^((\\w{8}(-\\w{4}){3}-\\w{12})|amq\\..*)$"
|
|
read_priv: .*
|
|
state: present
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
# User with permissions to shovel messages out of pubsub into the public vhost.
|
|
# This user needs permissions to create a new exchange, bind an exchange to an
|
|
# exchange, create a queue, and bind a queue to an exchange.
|
|
- name: Create a user for federation
|
|
when: inventory_hostname.startswith('rabbitmq01')
|
|
rabbitmq_user:
|
|
user: pubsub_federation
|
|
permissions:
|
|
- vhost: /pubsub
|
|
configure_priv: "^federation.*"
|
|
write_priv: "^federation.*"
|
|
read_priv: .*
|
|
state: present
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Create pubsub_federation cert directory
|
|
ansible.builtin.file: path=/etc/rabbitmq/pubsub_federation/ owner=root group=root mode=0755 state=directory
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Deploy pubsub_federation certificate
|
|
ansible.builtin.copy: src="{{private}}/files/rabbitmq/{{env}}/pki/issued/pubsub_federation.crt"
|
|
dest=/etc/rabbitmq/pubsub_federation/client_cert.pem
|
|
owner=root group=root mode=0644
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
- name: Deploy node private key
|
|
ansible.builtin.copy: src="{{private}}/files/rabbitmq/{{env}}/pki/private/pubsub_federation.key"
|
|
dest=/etc/rabbitmq/pubsub_federation/client_key.pem
|
|
owner=rabbitmq group=rabbitmq mode=0600
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
# This is the connection from our public vhost to the private pubsub vhost.
|
|
# Note that at present they live on the same cluster, but they don't need to.
|
|
#
|
|
# Note that the reason we set the value in the "vars" attribute is that if you
|
|
# use a variable in the "value" json string, it causes Ansible to produce invalid
|
|
# JSON which will choke up rabbitmq_parameters.
|
|
# https://github.com/ansible-collections/community.rabbitmq/issues/153#issuecomment-1505586927
|
|
- name: Configure federation upstream from pubsub to the public_pubsub vhost
|
|
when: inventory_hostname.startswith('rabbitmq01')
|
|
rabbitmq_parameter:
|
|
component: "federation-upstream"
|
|
name: "pubsub-to-public_pubsub"
|
|
value: "{{ federation_upstream_value|to_json }}"
|
|
state: present
|
|
vhost: /public_pubsub
|
|
vars:
|
|
federation_upstream_value:
|
|
uri: "amqps://pubsub_federation:@rabbitmq01{{env_suffix}}.rdu3.fedoraproject.org/%2Fpubsub?cacertfile=%2Fetc%2Frabbitmq%2Fca.crt&certfile=%2Fetc%2Frabbitmq%2Fpubsub_federation%2Fclient_cert.pem&keyfile=%2Fetc%2Frabbitmq%2Fpubsub_federation%2Fclient_key.pem&verify=verify_peer&server_name_indication=rabbitmq{{env_suffix}}.fedoraproject.org&auth_mechanism=external"
|
|
ack-mode: "on-confirm"
|
|
|
|
- name: Configure a policy to federate the pubsub topic exchange to public_pubsub
|
|
when: inventory_hostname.startswith('rabbitmq01')
|
|
rabbitmq_policy:
|
|
apply_to: exchanges
|
|
name: pubsub-to-public_pubsub
|
|
state: present
|
|
pattern: "^amq\\.topic$"
|
|
tags:
|
|
federation-upstream: "pubsub-to-public_pubsub"
|
|
vhost: /public_pubsub
|
|
|
|
# SELinux: allow the Nagios NRPE plugin to access the management interface
|
|
- name: Install the selinux module compilation script
|
|
ansible.builtin.copy:
|
|
src: selinux-load.sh
|
|
dest: /etc/nagios/selinux-load.sh
|
|
mode: "0755"
|
|
|
|
- name: Copy over our custom selinux module
|
|
ansible.builtin.copy:
|
|
src: nrpe_rabbitmq.te
|
|
dest: /etc/nagios/nrpe_rabbitmq.te
|
|
register: selinux_module
|
|
|
|
- name: Compile and install our custom selinux module
|
|
ansible.builtin.command: /etc/nagios/selinux-load.sh
|
|
when: selinux_module is changed
|
|
|
|
# Queue monitoring for CentOS Zabbix
|
|
- import_tasks: centos-monitoring.yml
|
|
when: inventory_hostname.startswith('rabbitmq03') and env == 'production'
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|
|
|
|
# Individual applications accounts & queues
|
|
- import_tasks: apps.yml
|
|
tags:
|
|
- rabbitmq_cluster
|
|
- config
|