Merge branch 'master' of adellam/ansible-roles into master

library/roles/keepalived/defaults/main.yml

@@ -10,11 +10,20 @@ keepalived_pkg_state: latest
 keepalived_pkgs:
   - keepalived
 
+keepalived_use_unicast: False
+keepalived_unicast_src_ip: '{{ ansible_default_ipv4.address }}'
+keepalived_unicast_peer_ip:
+  - 127.0.0.1
+  - 127.0.0.2
 keepalived_mcast_addr: 224.0.0.0/8
 keepalived_floating_ip1: 127.0.0.1
 keepalived_script1_name: chk_haproxy
 keepalived_inst_priority: 100
 keepalived_vrouter_id: 51
+keepalived_non_local_bind: True
+
+keepalived_enable_script_security: True
+keepalived_script_username: keepalived_script
 
 keepalived_nagios_check: False
 keepalived_notify_script: /usr/local/bin/keepalived_notify

library/roles/keepalived/tasks/main.yml

@@ -1,22 +1,43 @@
 ---
 - block:
-    
     - name: Install the keepalived repository
       apt_repository: repo={{ keepalived_repo }} update_cache=yes
       when: ansible_distribution_major_version <= '16'
 
     - name: Install the keepalived package
-      apt: name={{ item }} state={{ keepalived_pkg_state }}  update_cache=yes cache_valid_time=1800
+      apt: name={{ keepalived_pkgs }} state={{ keepalived_pkg_state }} cache_valid_time=1800
-      with_items: '{{ keepalived_pkgs }}'
+
+    - name: Install the user that the keepalived scripts will run under
+      user: name={{ keepalived_script_username }} home=/var/lib/keepalived createhome=no shell=/usr/sbin/nologin system=yes
 
     - name: Install the keepalived configuration
-      template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf
+      template: src=keepalived.conf.j2 dest=/etc/keepalived/keepalived.conf owner=root group=root mode=0600
       notify: restart keepalived
 
     - name: Install the keepalived notify scripts
-      template: src=keepalived_notify.sh.j2 dest={{ item.notify }} owner=root group=root mode=0754
+      template: src=keepalived_notify.sh.j2 dest={{ item.notify }} owner=root group={{ keepalived_script_username }} mode=0754
       with_items: '{{ keepalived_instances }}'
 
+    - name: Set the kernel net.ipv4.ip_nonlocal_bind sysctl
+      sysctl: 
+        reload: yes
+        state: present
+        name: net.ipv4.ip_nonlocal_bind
+        sysctl_set: yes
+        sysctl_file: /etc/sysctl.d/90-keepalived
+        value: 1
+      when: keepalived_non_local_bind
+
+    - name: Disable the kernel net.ipv4.ip_nonlocal_bind sysctl if not needed
+      sysctl: 
+        reload: yes
+        state: absent
+        name: net.ipv4.ip_nonlocal_bind
+        sysctl_set: yes
+        sysctl_file: /etc/sysctl.d/90-keepalived
+        value: 1
+      when: not keepalived_non_local_bind
+
     - name: Install the keepalived NRPE nagios check
       copy: src=check_keepalived_state dest={{ nagios_plugins_dir }}/check_keepalived_state  owner=root group=root mode=0555
       with_items: '{{ keepalived_instances }}'
@@ -38,12 +59,9 @@
   tags: keepalived
   when: keepalived_install
 
-
 - block:
-    
     - name: Remove the keepalived package if we do not want it
-      apt: name={{ item }} state=absent
+      apt: name={{ keepalived_pkgs }} state=absent
-      with_items: '{{ keepalived_pkgs }}'
 
     - name: Remove the keepalived notify scripts
       file: dest={{ item.notify }} state=absent

library/roles/keepalived/templates/keepalived.conf.j2

@@ -1,11 +1,20 @@
+global_defs {
+    {% if keepalived_enable_script_security %}
+
+    enable_script_security
+    script_user {{ keepalived_script_username }}
+
+    {% endif %}
+}
+
 {% for script in keepalived_scripts %}
 vrrp_script {{ script.name }} {
         script "{{ script.script }}"
         interval {{ script.interval | default(1) }}
         weight {{ script.weight | default(2) }}
-        fall: {{ script.fall | default(3) }}
+        fall {{ script.fall | default(3) }}
-        raise: {{ script.raise | default(2) }}
+        rise {{ script.raise | default(2) }}
-        timeout: {{ script.timeout | default(5) }}
+        timeout {{ script.timeout | default(5) }}
 }
 {% endfor %}
 
@@ -13,20 +22,29 @@ vrrp_script {{ script.name }} {
 vrrp_instance {{ instance.name }} {
         interface {{ instance.interface }}
         {% if instance.state is defined %}
+
         state {{ instance.state }}
+
         {% endif %}
         virtual_router_id {{ instance.vrouter_id }}
         priority {{ instance.priority }}
         {% if instance.notify is defined %}
+
         notify {{ instance.notify }}
+
         {% endif %}
         {% if instance.nopreempt is defined and instance.nopreempt %}
+
         nopreempt
+
         {% endif %}
         {% if instance.authentication is defined %}
+
         authentication {
             auth_type {{ instance.authentication }}
             auth_pass {{ instance.authpass }}
+        }
+
         {% endif %}
         virtual_ipaddress {
         {% for addr in instance.v_addr %}
@@ -39,11 +57,25 @@ vrrp_instance {{ instance.name }} {
         {% endfor %}
         }
         {% if instance.track_interface is defined %}
+
         track_interface {
         {% for if in instance.track_interface %}
             {{ if }}
         {% endfor %}
         }
+
+        {% endif %}
+        {% if keepalived_use_unicast %}
+
+        unicast_src_ip {{ keepalived_unicast_src_ip }}
+        unicast_peer {
+
+            {% for ipaddr in keepalived_unicast_peer_ip %}
+            {{ ipaddr }}
+            {% endfor %}
+
+        }
+
         {% endif %}
 }
 {% endfor %}