stone-payments.mongodb
Role for Ansible which manages MongoDB in a standalone setup or replica set.
Supported systems
To conserve development efforts, we decided that a supported distro should:
- be currently supported by the distro-maker (aka not in EOL);
- be currently supported by MongoDB.org (this requirement will probably be dropped soon);
- be systemd-based;
- have a wide-enough user-base.
Therefore, the supported systems list is currently:
- Enterprise Linux (both CentOS and RHEL)
- 7.3
- 7.4
- 7.5
- Ubuntu
- 16.04
Further distros may be added upon request, as long as the requirements are met.
Usage
Quickstart
There's absolute no variable needed to setup a basic, passwordless, loopback-only, standalone MongoDB setup. Just include it in a play:
- name: install mongodb
hosts: all
roles: stone-payments.mongodbReplica set setup
In order to build a replica set, you need to inform the master that he is a master, and a replica on which master to connect to. You can do all this with the following excerpt:
- name: install mongodb replica set
host: all
roles: stone-payments.mongodb
vars:
mongodb_conf_bindIp: "0.0.0.0"
mongodb_replSet_enabled: true
mongodb_replSet_name: "someReplicaSetName"
mongodb_replSet_master: "1.2.3.4" #must be an IP address
mongodb_replSet_key: "someLongKey" #optional, cross-replica authentication key
mongodb_replSet_member: "{{ ansible_eth1['ipv4']['address'] }}" #optional, specify a different IF for replication
mongodb_replSet_arbiter: "{{ true if inventory_hostname == 'hostThatIsArbiter' else false }}"Authentication
You can enable authentication and create an admin account the following way:
- name: install mongodb with authentication
hosts: all
roles: stone-payments.mongodb
vars:
mongodb_conf_auth: true
mongodb_admin_user: "admin"
mongodb_admin_password: "somePassword"Logging
You can set any systemLog
option by providing mongodb_conf_logging dictionary:
- name: install mongodb with network debug logging
host: all
roles: stone-payments.mongodb
vars:
mongodb_conf_logging:
verbosity: 0
component:
network:
verbosity: 5
destination: file
path: /var/log/mongodb/mongod.logFirewall
This rule will configure either ufw or firewalld to enable incoming connections by default. You may customize this with the following options (which are specific to the firewall solution you're utilizing):
- name: install mongodb with custom firewall settings
hosts: all
roles: stone-payments.mongodb
vars:
mongodb_firewall_zone: "public" #firewalld only
mongodb_firewall_interface: "eth0" #ufw only
mongodb_firewall_source: "192.168.0.0/24" #ufw onlyYou may also suppress firewall config by setting mongodb_install_firewall: false.
Linux Security Modules
This role will configure LSMs by default (currently only SELinux is supported). You may disable this by setting:
mongodb_install_lsm: false.
Other configs
I believe almost every other config is self-explanatory or directly related to a MongoDB core feature. Simply override
the configs on defaults/main.yml and they will be (hopefully) applied to your system.
Testing
This role implements most unit tests with Molecule on Docker. Notice that we only support Molecule 2.0 or greater. Some tests are implemented on Vagrant with VirtualBox so we can test aspects that require a full-blown VM. However, for the tests that require Vagrant, there's no CI integration since there isn't a public CI that supports nested virtualization.
The following scenarios are present:
| Scenario Name | Driver | Description |
|---|---|---|
default |
docker | Basic role sanity tests in a individual setup |
replica-set |
docker | Mixed distro setup in a replica set |
security |
vagrant | Full-blown VM to test LSM and firewall config |
Docker environment setup
You can install Molecule and the Docker interaction library inside a virtual environment with the following commands. Notice that we need docker-py both inside and outside the virtualenv.
sudo pip install docker-py
virtualenv .venv
.venv/bin/activate
pip install molecule docker-pyThe Docker installation and configuration is out of scope.
If you have a SELinux-enabled host, you must also have the libselinux-python library installed. There's a special addition in the Molecule playbook when delegating tasks to localhost to use the host's python interpreter instead of the virtualenv python in order to properly access the SELinux bindings. You can install this package both on Fedora and CentOS with:
sudo yum install python2-libselinuxVagrant environment setup
You can install Molecule inside a virtual environment with the following commands:
virtualenv .venv
.venv/bin/activate
pip install moleculeThe Vagrant and VirtualBox installation and configuration is out of scope.
Running the test
After having Molecule setup within the virtualenv, you can run the tests with:
molecule converge [-s scenario_name]Where scenario_name is the name of a test case under molecule. The default test case is run if no parameter is
passed.
Contributing
Just open a PR. We love PRs!
To Do List
Here's some suggestions on what to do:
- Support use of distro-packaged MongoDB.
- Write further standalone tests with serverspec or testinfra.
- Improve the test case for the replica set.
License
This role is distributed under the MIT license.