From e1180b39a7c69a276ef4c7ef206607f5f3fffeb0 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 14 Jul 2015 00:30:49 +0200
Subject: [PATCH] library/roles/mysql: better backup script. Now supports nagios and a retain interval. library/roles/iptables: special case for ldap. library/roles/openldap-server: first bits of a openldap role

---
 iptables/templates/iptables-rules.v4.j2 | 16 ++++++
 mysql/defaults/main.yml | 8 +++
 mysql/files/mysql-backup.sh | 75 +++++++++++++++++++------
 mysql/tasks/mysql-backup.yml | 10 ++--
 mysql/templates/mysql_backup-default.j2 | 19 ++-----
 openldap-server/defaults/main.yml | 16 ++++++
 6 files changed, 110 insertions(+), 34 deletions(-)
 mode change 100755 => 100644 mysql/files/mysql-backup.sh
 create mode 100644 openldap-server/defaults/main.yml

diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index 5670652d..8a5507ed 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@@ -74,6 +74,22 @@
 -A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
 {% endif %}
 
+{% if openldap_slapd_tcp_port is defined %}
+{% if openldap_allowed_clients is defined %}
+{% for addr in openldap_allowed_clients %}
+{% if not openldap_slapd_ssl_only %}
+-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
+{% endif %}
+-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
+{% endfor %}
+{% else %}
+{% if not openldap_slapd_ssl_only %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
+{% endif %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
+{% endif %}
+{% endif %}
+
 {% if mongodb_allowed_hosts is defined %}
 # mongodb clients
 {% for ip in mongodb_allowed_hosts %}
diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml
index ba9167e3..21a3e9e6 100644
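Review bot: The `{% else %}` branch of the new block accepts NEW connections to `openldap_slapd_tcp_port` and `openldap_slapd_ssl_port` from any source address whenever `openldap_allowed_clients` is undefined, which is exactly how the openldap-server defaults added in this commit ship (the variable is only present there as a comment), so the default outcome of enabling the role is an unrestricted LDAP listener including cleartext 389 unless `openldap_slapd_ssl_only` is set. The outer guard tests only `openldap_slapd_tcp_port is defined`, while `openldap_slapd_ssl_only` and `openldap_slapd_ssl_port` are dereferenced unguarded; a host that defines the port without loading the role defaults would presumably fail templating, and `{% if not openldap_slapd_ssl_only | default(False) %}` would keep it rendering. A comment above the else branch in the style of the existing `# mongodb clients` line, e.g. `# no openldap_allowed_clients defined: slapd ports accept connections from any source`, would make the exposure visible to whoever edits the inventory.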
--- a/mysql/defaults/main.yml
+++ b/mysql/defaults/main.yml
@@ -3,6 +3,8 @@ mysql_enabled: True
 mysql_pkg_state: present
 mysql_conf_dir: /etc/mysql/conf.d
 mysql_socket: /var/run/mysqld/mysqld.sock
+mysql_data_dir: /var/lib/mysql
+mysql_log_dir: /var/log/mysql
 
 # python-mysqldb is needed by ansible to manage users and databases
 mysql_packages_list:
@@ -36,3 +38,9 @@ mysql_listen_on_ext_int: False
 #mysql_db_data:
 # - { name: '{{ mysql_db_name }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user: '{{ mysql_db_user }}', pwd: '{{ mysql_db_pwd }}', user_grant: 'ALL', allowed_hosts: [ 'localhost', 'yyy.yyy.yyy.yyy/32' ] }
 
+mysql_backup_use_nagios: False
+mysql_backup_logdir: '{{ mysql_log_dir }}'
+mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log'
+mysql_backup_retain_copies: 15
+mysql_backup_destdir: /var/lib/mysql-backup
+
diff --git a/mysql/files/mysql-backup.sh b/mysql/files/mysql-backup.sh
old mode 100755
new mode 100644
index 800645b0..89c21a57
--- a/mysql/files/mysql-backup.sh
+++ b/mysql/files/mysql-backup.sh
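Review bot: `mysql_backup_retain_copies: 15` is consumed by mysql-backup.sh as an age in days (`find ... -ctime +$N_DAYS_TO_SPARE`), not as a number of copies, so the name invites a mis-set retention; a comment above it such as `# days: dumps in the history directory older than this are deleted by mysql-backup.sh` would prevent that. `mysql_backup_logfile` is rendered into /etc/default/mysql_backup as MY_BACKUP_LOG_FILE, but nothing in the script hunk of this commit reads that variable, so it should either be dropped or marked as reserved for later use. `mysql_backup_logdir` defaults to `mysql_log_dir`, which places the per-database dump error logs next to the server's own logs; that is fine as long as the script's `mkdir -p` and 0077 umask do not change the ownership or mode the server expects on that directory, which is worth confirming.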
@@ -1,41 +1,82 @@
-#!/bin/sh
+#!/bin/bash
+
+RETVAL=0
+
+MY_BACKUP_USE_NAGIOS="False"
+MY_BACKUP_DIR=/var/lib/mysql-backup
+MY_DATA_DIR=/var/lib/mysql
+N_DAYS_TO_SPARE=7
+
+if [ -f /etc/default/mysql_backup ] ; then
+  . /etc/default/mysql_backup
+fi
 if [ ! -f /root/.my.cnf ] ; then
   exit 1
 fi
-MY_BACKUP_DIR=/var/lib/mysql-backup
 umask 0077
-MY_DATA_DIR=/var/lib/mysql
-LOCKFILE=$MY_DATA_DIR/.mysqldump.lock
-
+# Year month day - hour minute second
+SAVE_TIME=$( date +%Y%m%d-%H%M%S )
+TIMESTAMP=
+TIMESTAMP_LOG=$MY_BACKUP_DIR/.timestamp
 if [ ! -d $MY_BACKUP_DIR ] ; then
   mkdir -p $MY_BACKUP_DIR
 fi
-if [ ! -d $MY_BACKUP_DIR/log ] ; then
-  mkdir -p $MY_BACKUP_DIR/log
+if [ ! -d $MY_BACKUP_LOG_DIR ] ; then
+  mkdir -p $MY_BACKUP_LOG_DIR
 fi
-if [ ! -d $MY_BACKUP_DIR/old ] ; then
-  mkdir -p $MY_BACKUP_DIR/old
+if [ ! -d $MY_BACKUP_DIR/history ] ; then
+  mkdir -p $MY_BACKUP_DIR/history
 fi
 chmod -R 700 $MY_BACKUP_DIR
+LOCKFILE=$MY_DATA_DIR/.mysqldump.lock
+NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status
+# Exclude list
+EXCLUDE_LIST='performance_schema'
 if [ ! -f $LOCKFILE ] ; then
   touch $LOCKFILE
-  for db in $( /bin/ls -1 /var/lib/mysql/ ) ; do
-    if [ -d /var/lib/mysql/$db ] ; then
+  if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
+    > $NAGIOS_LOG
+  fi
+  for db in $( /bin/ls -1 /var/lib/mysql/ | grep -v $EXCLUDE_LIST ) ; do
+    if [ -d /var/lib/mysql/$db ] ; then
       if [ -f $MY_BACKUP_DIR/$db.sql ] ; then
-        mv -f $MY_BACKUP_DIR/$db.sql $MY_BACKUP_DIR/old
+        mv -f $MY_BACKUP_DIR/$db.sql $MY_BACKUP_DIR/history
       fi
       #mysqldump -uroot -f --opt -p$MYSQLPASS $db > $MY_BACKUP_DIR/$db.sql 2> $MY_BACKUP_DIR/log/$db.log
-      mysqldump -f --opt $db > $MY_BACKUP_DIR/$db.sql 2> $MY_BACKUP_DIR/log/$db.log
-      chmod 600 $MY_BACKUP_DIR/$db.sql
-    fi
+      mysqldump -f --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
+      DUMP_RESULT=$?
+      chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME}
+      if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
+        if [ $DUMP_RESULT -ne 0 ] ; then
+          echo "$db:FAILED" >> $NAGIOS_LOG
+          RETVAL=$DUMP_RESULT
+        else
+          echo "$db:OK" >> $NAGIOS_LOG
+        fi
+      fi
+      pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1
+      rm -f $db.sql
+      ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql
+      popd >/dev/null 2>&1
+    fi
   done
   # Do a "flush-hosts" after the backup
-  mysqladmin flush-hosts 2> $MY_BACKUP_DIR/log/flush-hosts.log
+  mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log
+  TIMESTAMP=$( date +%s )
+  echo "$TIMESTAMP" > $TIMESTAMP_LOG
   rm -f $LOCKFILE
+else
+  RETVAL=2
+  if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
+    echo "old backup still running:WARNING" >> $NAGIOS_LOG
+  fi
 fi
-exit 0
+# Remove the old backups
+find ${MY_BACKUP_DIR}/history -ctime +$N_DAYS_TO_SPARE -exec rm -f {} \;
+
+exit $RETVAL
diff --git a/mysql/tasks/mysql-backup.yml b/mysql/tasks/mysql-backup.yml
index 2707a41e..f8fe343b 100644
--- a/mysql/tasks/mysql-backup.yml
+++ b/mysql/tasks/mysql-backup.yml
@@ -1,10 +1,12 @@
 ---
 - name: Install a script that performs mysql dumps
   copy: src=mysql-backup.sh dest=/usr/local/bin/mysql-backup owner=root group=root mode=0750
-  tags:
-    - mysql
+  tags: [ 'mysql', 'mysql_backup' ]
+
+- name: Install the mysql backup defaults
+  template: src=mysql_backup-default.j2 dest=/etc/default/mysql_backup owner=root group=root mode=0440
+  tags: [ 'mysql', 'mysql_backup' ]
 
 - name: Cron job that executes mysql nightly backups
   copy: src=mysql-backup.cron dest=/etc/cron.d/mysql-backup owner=root group=root mode=0644
-  tags:
-    - mysql
+  tags: [ 'mysql', 'mysql_backup' ]
diff --git a/mysql/templates/mysql_backup-default.j2 b/mysql/templates/mysql_backup-default.j2
index 602d32cc..3eccc710 100644
--- a/mysql/templates/mysql_backup-default.j2
+++ b/mysql/templates/mysql_backup-default.j2
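Review bot: The retention purge at the end, `find ${MY_BACKUP_DIR}/history -ctime +$N_DAYS_TO_SPARE -exec rm -f {} \;`, will not delete anything in practice, because `chmod -R 700 $MY_BACKUP_DIR` earlier in the same run updates the ctime of every file under history on every execution, so no dump ever looks older than one run; the age test should use the dump's modification time and be limited to regular files, `find ${MY_BACKUP_DIR}/history -type f -mtime +$N_DAYS_TO_SPARE -exec rm -f {} \;`. MY_BACKUP_LOG_DIR gets no fallback in the defaults block at the top alongside MY_BACKUP_DIR and MY_DATA_DIR, so when /etc/default/mysql_backup is absent the `[ ! -d $MY_BACKUP_LOG_DIR ]` test runs on an empty path and the `2> $MY_BACKUP_LOG_DIR/$db.log` redirections write to `/`; `MY_BACKUP_LOG_DIR=$MY_BACKUP_DIR/log` next to the other defaults closes that. The database loop still lists the hard-coded `/var/lib/mysql/` even though MY_DATA_DIR is now configurable from the defaults file, and `grep -v $EXCLUDE_LIST` also drops any database whose name merely contains `performance_schema`. Note that NAGIOS_LOG is created under a directory the script sets to mode 700, so a nagios check that does not run as root will presumably be unable to read it.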
@@ -1,13 +1,6 @@
-PG_SERVICE='postgresql-{{ psql_version }}'
-PG_VERSION='{{ psql_version }}'
-PG_DUMP_BIN='{{ pg_backup_pgdump_bin }}'
-PG_BCK_BIN='{{ pg_backup_bin }}'
-USE_NAGIOS='{{ pg_backup_use_nagios }}'
-LOG_DIR='{{ pg_backup_logdir }}'
-LOG_FILE='{{ pg_backup_logfile}}'
-N_DAYS_TO_SPARE='{{ pg_backup_retain_copies }}'
-BUILD_DBLIST='{{ pg_backup_build_db_list }}'
-DB_LIST="{{ pg_backup_db_list }}"
-PG_USE_AUTH='{{ pg_backup_use_auth }}'
-PG_PASS_FILE='{{ pg_backup_pass_file }}'
-BACKUPDIR='{{ pg_backup_destdir }}'
+MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios }}'
+MY_BACKUP_LOG_DIR='{{ mysql_backup_logdir }}'
+MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}'
+N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}'
+MY_BACKUP_DIR='{{ mysql_backup_destdir }}'
+MY_DATA_DIR='{{ mysql_data_dir }}'
diff --git a/openldap-server/defaults/main.yml b/openldap-server/defaults/main.yml
new file mode 100644
index 00000000..ee47a4f9
--- /dev/null
+++ b/openldap-server/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+openldap_pkg_state: present
+openldap_service_enabled: True
+openldap_pkg_list:
+  - slapd
+  - ldapvi
+  - ldap-utils
+  - ldapscripts
+
+openldap_slapd_tcp_port: 389
+openldap_slapd_ssl_port: 636
+openldap_slapd_ssl_only: False
+
+# openldap_allowed_clients:
+# - ip/32
+# - net/24
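Review bot: `MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios }}'` renders the variable verbatim, and mysql-backup.sh only tests `== "True"`, so an inventory override written as a quoted `yes`, `1` or `true` silently disables the nagios status file; normalising with `MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios | bool }}'` yields the `True`/`False` spelling the script compares against. `MY_BACKUP_LOG_FILE` is exported here but is not referenced anywhere in the script hunk of this commit. The missing space in `{{ mysql_backup_logfile}}` is cosmetic but inconsistent with the other lines.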
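Review bot: With `openldap_slapd_ssl_only: False` and `openldap_allowed_clients` left commented out, the iptables template changed in this same commit falls through to its unrestricted branch and accepts connections to both 389 and 636 from any source, so the defaults as shipped expose a cleartext LDAP listener unless the inventory fills the list in. The commented example should say that explicitly, e.g. `# Leave undefined to accept slapd connections from any address; list client hosts/networks to restrict` above `# openldap_allowed_clients:`, so the exposure is a documented choice rather than a side effect of the defaults. The indentation of the two example entries (`# - ip/32`) should match the list style used for `openldap_pkg_list` above so that uncommenting them yields valid YAML.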