From 849cbf64ea12043b0a7727d7dc3684b54c83ac57 Mon Sep 17 00:00:00 2001 
From: Andrea Dell'Amico Date: Wed, 3 Jun 2020 19:53:13 +0200 Subject: [PATCH] Import the old role, Ubuntu only. --- README.md | 46 +- defaults/main.yml | 232 +++++- files/arping_script | 12 + files/ip_script | 12 + files/pgpool-letsencrypt-acme.sh | 37 + files/postgresql-backup.cron | 66 ++ files/postgresql-backup.sh | 150 ++++ files/postgresql-letsencrypt-acme.sh | 37 + handlers/main.yml | 23 +- meta/main.yml | 56 +- tasks/configure-access.yml | 90 +++ tasks/main.yml | 40 +- tasks/manage_pg_db.yml | 56 ++ tasks/packages.yml | 11 + tasks/pgpool-ii.yml | 78 ++ tasks/pgpool-letsencrypt-acmetool.yml | 23 + tasks/postgis.yml | 6 + tasks/postgres_pgpool.yml | 75 ++ tasks/postgresql-backup.yml | 42 ++ tasks/postgresql-config.yml | 58 ++ tasks/postgresql-letsencrypt-acmetool.yml | 21 + tasks/postgresql-service-status.yml | 11 + tasks/postgresql-ssl-config.yml | 29 + tasks/postgresql_org_repo.yml | 15 + tasks/psql-kernel-sharedmem.yml | 8 + templates/pcp.conf.j2 | 1 + templates/pg_backup-default.j2 | 26 + templates/pgpass.j2 | 10 + templates/pgpool-wd-sudoers.j2 | 3 + templates/pgpool.conf.j2 | 677 ++++++++++++++++++ templates/pgpool_recovery_stage_1.j2 | 43 ++ templates/pgpool_recovery_stage_2.j2 | 37 + templates/pgpool_remote_start.j2 | 8 + templates/postgresql-sudoers.j2 | 3 + .../postgresql_wal_backup_and_removal.j2 | 17 + 35 files changed, 1991 insertions(+), 68 deletions(-) create mode 100644 files/arping_script create mode 100644 files/ip_script create mode 100644 files/pgpool-letsencrypt-acme.sh create mode 100755 files/postgresql-backup.cron create mode 100755 files/postgresql-backup.sh create mode 100644 files/postgresql-letsencrypt-acme.sh create mode 100644 tasks/configure-access.yml create mode 100644 tasks/manage_pg_db.yml create mode 100644 tasks/packages.yml create mode 100644 tasks/pgpool-ii.yml create mode 100644 tasks/pgpool-letsencrypt-acmetool.yml create mode 100644 tasks/postgis.yml create mode 100644 tasks/postgres_pgpool.yml create mode 100644 
tasks/postgresql-backup.yml create mode 100644 tasks/postgresql-config.yml create mode 100644 tasks/postgresql-letsencrypt-acmetool.yml create mode 100644 tasks/postgresql-service-status.yml create mode 100644 tasks/postgresql-ssl-config.yml create mode 100644 tasks/postgresql_org_repo.yml create mode 100644 tasks/psql-kernel-sharedmem.yml create mode 100644 templates/pcp.conf.j2 create mode 100644 templates/pg_backup-default.j2 create mode 100644 templates/pgpass.j2 create mode 100644 templates/pgpool-wd-sudoers.j2 create mode 100644 templates/pgpool.conf.j2 create mode 100644 templates/pgpool_recovery_stage_1.j2 create mode 100644 templates/pgpool_recovery_stage_2.j2 create mode 100644 templates/pgpool_remote_start.j2 create mode 100644 templates/postgresql-sudoers.j2 create mode 100644 templates/postgresql_wal_backup_and_removal.j2 diff --git a/README.md b/README.md index 3637db8..b2f9093 100644 --- a/README.md +++ b/README.md 
@@ -1,31 +1,41 @@ Role Name ========= -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +A role that installs PostgreSQL and manages databases and users. +It can also install pgPoolII Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +The most important variables are listed below: + +``` yaml +psql_postgresql_install: True +psql_pkg_state: present +postgresql_enabled: True +psql_pgpool_install: False +psql_pgpool_service_install: False +psql_version: 11 +psql_db_host: localhost +psql_listen_on_ext_int: False +psql_use_alternate_data_dir: False +psql_enable_ssl: False +psql_force_ssl_client_connection: False +postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}' + +psql_db_data: + # Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory. + - { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: True } + # Example of line needed to manage the db accesses (used by iptables too), without creating the db and the user. 
Useful, for example, to give someone access to the postgresql db + - { name: '{{ psql_db_name }}', user: '{{ psql_db_user }}', allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: False } + # Example of line needed to remove a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory. + - { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', managedb: True, roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], state=absent } +``` Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +None License ------- @@ -35,4 +45,4 @@ EUPL-1.2 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Andrea Dell'Amico, diff --git a/defaults/main.yml b/defaults/main.yml index 95d3c70..a604053 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,2 +1,232 @@ --- -# defaults file for ansible-role-template \ No newline at end of file +pg_use_postgresql_org_repo: True + +psql_postgresql_install: True +psql_pkg_state: present +postgresql_enabled: True +psql_pgpool_install: False +psql_pgpool_service_install: False +psql_pgpool_pkg_state: installed +# I prefer to use the postgresql.org repositories +# +# See the features matrix here: http://www.postgresql.org/about/featurematrix/ +# +psql_version: 11 +psql_db_host: localhost +psql_db_port: 5432 +psql_db_size_w: 150000000 +psql_db_size_c: 170000000 +psql_listen_on_ext_int: False +psql_use_alternate_data_dir: False +psql_data_dir: '/var/lib/postgresql/{{ psql_version }}' +psql_conf_dir: '/etc/postgresql/{{ psql_version }}/main' +psql_log_dir: /var/log/postgresql +psql_conf_parameters: + - { name: 'max_connections', value: '100', set: 'False' } + - { name: 'shared_buffers', value: '24MB', set: 'False' } + - { name: 'temp_buffers', value: '8MB', set: 'False' } + - { name: 'work_mem', value: '1MB', set: 'False' } + - { name: 'maintenance_work_mem', value: '16MB', set: 'False' } + - { name: 'max_stack_depth', value: '2MB', set: 'False' } + - { name: 'max_files_per_process', value: '1000', set: 'False' } + +# logging configuration. 
Important: the parameters that need a restart must be listed in psql_conf_parameters +psql_log_configuration: + - { name: 'log_destination', value: 'stderr', set: 'True' } + - { name: 'logging_collector', value: 'off', set: 'False' } + - { name: 'log_directory', value: "'{{ psql_log_dir }}'", set: 'True' } + - { name: 'log_rotation_age', value: '1d', set: 'True' } + - { name: 'log_rotation_size', value: '10MB', set: 'True' } + - { name: 'client_min_messages', value: 'notice', set: 'True' } + - { name: 'log_min_messages', value: 'warning', set: 'True' } + - { name: 'log_min_error_statement', value: 'error', set: 'True' } + - { name: 'log_min_duration_statement', value: '-1', set: 'True' } + - { name: 'log_checkpoints', value: 'off', set: 'True' } + - { name: 'log_connections', value: 'on', set: 'True' } + - { name: 'log_disconnections', value: 'off', set: 'True' } + - { name: 'log_duration', value: 'off', set: 'True' } + - { name: 'log_error_verbosity', value: 'default', set: 'True' } + - { name: 'log_hostname', value: 'on', set: 'True' } + +# Treat vacuum separately. 
Important: the parameters that need a restart must be listed in psql_conf_parameters +psql_autovacuum_configuration: + - { name: 'track_counts', value: 'on', set: 'True' } + - { name: 'autovacuum', value: 'on', set: 'True' } + - { name: 'log_autovacuum_min_duration', value: '-1', set: 'True' } + - { name: 'autovacuum_vacuum_threshold', value: '50', set: 'True' } + - { name: 'autovacuum_analyze_threshold', value: '50', set: 'True' } + - { name: 'autovacuum_vacuum_scale_factor', value: '0.2', set: 'True' } + - { name: 'autovacuum_vacuum_cost_limit', value: '1000', set: 'True' } + +# SSL as a special case +psql_enable_ssl: False +psql_force_ssl_client_connection: False +postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}' +psql_ssl_privkey_global_file: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey' +psql_ssl_privkey_file: /etc/pki/postgresql/postgresql.key +psql_ssl_cert_file: '/var/lib/acme/live/{{ ansible_fqdn }}/cert' +psql_ssl_ca_file: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain' +psql_conf_ssl_parameters: + - { name: 'ssl', value: 'true' } + - { name: 'ssl_cert_file', value: '{{ psql_ssl_cert_file }}' } + - { name: 'ssl_key_file', value: '{{ psql_ssl_privkey_file }}' } + - { name: 'ssl_ca_file', value: '{{ psql_ssl_ca_file }}' } + +psql_conf_disable_ssl_parameters: + - { name: 'ssl', value: 'false' } + +psql_set_shared_memory: False +psql_sysctl_file: 30-postgresql-shm.conf +psql_sysctl_kernel_sharedmem_parameters: + - { name: 'kernel.shmmax', value: '33554432' } + - { name: 'kernel.shmall', value: '2097152' } + +postgresql_pkgs: + - 'postgresql-{{ psql_version }}' + - 'postgresql-contrib-{{ psql_version }}' + - 'postgresql-client-{{ psql_version }}' + - pgtop + +psql_ansible_needed_pkgs: + - python-psycopg2 + +psql_db_name: db_name +psql_db_user: db_user +psql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. 
Encrypt the file that contains the variable with ansible-vault" + +# Those need to be installed on the postgresql server. +postgresql_pgpool_pkgs: + - 'postgresql-{{ psql_version }}-pgpool2' + +#psql_db_data: + # Example of line needed to create a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory. + #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: True } + # Example of line needed to manage the db accesses (used by iptables too), without creating the db and the user. Useful, for example, to give someone access to the postgresql db + #- { name: '{{ psql_db_name }}', user: '{{ psql_db_user }}', allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], managedb: False } + # Example of line needed to remove a db, create the user that owns the db, manage the db accesses (used by iptables too). All the fields are mandatory. 
+ #- { name: '{{ psql_db_name }}', encoding: 'UTF8', user: '{{ psql_db_user }}', pwd: '{{ psql_db_pwd }}', managedb: True, roles: 'NOCREATEDB,NOSUPERUSER', extensions: [ 'postgis', 'pgpool_regclass', 'pgpool_recovery' ], allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], state=absent } + + +# pgpool-II +pgpool_pkgs: + - pgpool2 + - iputils-arping + +pgpool_enabled: True +pgpool_listen_addresses: 'localhost' +pgpool_port: 5433 +pgpool_listen_backlog_multiplier: 2 +pgpool_pcp_user: admin +# Define pcp_pwd in a vault file +pgpool_pcp_listen_addresses: '*' +pgpool_pcp_port: 9898 +#pgpool_backends: +# - { id: 0, hostname: 'backend0', backend_port: '{{ psql_db_port }}', backend_weight: 1, backend_data_directory: '{{ psql_data_dir }}', backend_flag: 'ALLOW_TO_FAILOVER' } +pgpool_enable_pool_hba: 'on' +pgpool_pool_passwd: 'pool_passwd' +pgpool_num_init_children: 32 +pgpool_max_pool: 4 +pgpool_child_life_time: 300 +pgpool_child_max_connections: 0 +pgpool_connection_life_time: 0 +pgpool_client_idle_limit: 0 +pgpool_log_destination: syslog +pgpool_log_connections: 'on' +pgpool_log_hostname: 'on' +pgpool_log_statement: 'off' +pgpool_log_per_node_statement: 'off' +pgpool_debug_level: 0 +pgpool_replication_mode: 'on' +pgpool_replicate_select: 'off' +pgpool_insert_lock: 'on' +pgpool_lobj_lock_table: '' +pgpool_replication_stop_on_mismatch: 'on' +pgpool_failover_if_affected_tuples_mismatch: 'off' +pgpool_recovery_timeout: 30 +pgpool_client_idle_limit_in_recovery: -1 +pgpool_load_balance_mode: 'on' +pgpool_ignore_leading_white_space: 'on' +pgpool_recovery_user: postgres +# pgpool_recovery_user_pwd: use a vault file for this one +pgpool_recovery_stage1_script: pgpool_recovery_stage_1 +pgpool_recovery_stage2_script: pgpool_recovery_stage_2 +pgpool_remote_start_script: pgpool_remote_start +pgpool_white_function_list: '' +pgpool_black_function_list: 'nextval,setval' +pgpool_allow_sql_comments: 'on' +pgpool_fail_over_on_backend_error: 'on' +pgpool_relcache_expire: 3600 
+pgpool_memory_cache_enabled: 'off' +pgpool_memqcache_method: memcached +pgpool_memqcache_memcached_host: localhost +pgpool_memqcache_memcached_port: 11211 +pgpool_memqcache_expire: 0 +pgpool_memqcache_auto_cache_invalidation: 'on' +pgpool_serialize_accept: 'off' +# HA and watchdog +pgpool_use_watchdog: 'off' +pgpool_wd_trusted_servers: 'localhost,localhost' +pgpool_wd_port: 9000 +pgpool_wd_priority: 1 +# Warning: setting pgpool_wd_heartbeat_mode to False enables +# the 'query mode' that is untested and not working without manual intervention +pgpool_wd_heartbeat_mode: True +pgpool_wd_heartbeat_port: 9694 +pgpool_wd_heartbeat_keepalive_int: 3 +pgpool_wd_heartbeat_deadtime: 30 +pgpool_wd_heartbeat_dest0: 'localhost' +pgpool_wd_heartbeat_dest0_port: '{{ pgpool_wd_heartbeat_port }}' +#pgpool_wd_authkey: 'set it inside a vault file' + +# SSL as a special case +pgpool_enable_ssl: False +pgpool_letsencrypt_managed: True +pgpool_ssl_key: /etc/pki/pgpool2/pgpool2.key +pgpool_ssl_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert' +pgpool_ssl_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/fullchain' +pgpool_ssl_ca_dir: /etc/ssl/certs +pgpool_virtual_ip: 127.0.0.1 +pgpool_virtual_netmask: 24 + +# WAL files archiving is mandatory for pgpool recovery +psql_wal_files_archiving_enabled: '{{ psql_pgpool_install }}' +psql_restart_after_wal_enabling: True +psql_wal_archiving_log_dir: '{{ psql_data_dir }}/archive_log' +psql_base_backup_dir: '{{ pg_backup_base_dir }}/base_backup' +psql_wal_files_conf: + - { name: 'wal_level', value: 'archive', set: '{{ psql_wal_files_archiving_enabled }}' } + - { name: 'wal_sync_method', value: 'fdatasync', set: '{{ psql_wal_files_archiving_enabled }}' } + - { name: 'full_page_writes', value: 'on', set: '{{ psql_wal_files_archiving_enabled }}' } + - { name: 'wal_log_hints', value: 'on', set: '{{ psql_wal_files_archiving_enabled }}' } + - { name: 'archive_mode', value: 'on', set: '{{ psql_wal_files_archiving_enabled }}' } + - { name: 'archive_command', 
value: "'test ! -f {{ psql_wal_archiving_log_dir }}/%f && cp %p {{ psql_wal_archiving_log_dir }}/%f'", set: '{{ psql_wal_files_archiving_enabled }}' } + - { name: 'archive_timeout', value: '120', set: '{{ psql_wal_files_archiving_enabled }}' } + - { name: 'max_wal_senders', value: '5', set: '{{ psql_wal_files_archiving_enabled }}' } + - { name: 'wal_sender_timeout', value: '60s', set: '{{ psql_wal_files_archiving_enabled }}' } + - { name: 'max_replication_slots', value: '5', set: '{{ psql_wal_files_archiving_enabled }}' } + + +# postgis +postgres_install_gis_extensions: False +postgres_gis_version: 2.5 +postgres_gis_pkgs: + - 'postgresql-{{ psql_version }}-postgis-{{ postgres_gis_version }}' + +# Local backup +pg_backup_enabled: True +pg_backup_bin: /usr/local/sbin/postgresql-backup +pg_backup_pgdump_bin: /usr/bin/pg_dump +pg_backup_retain_copies: 2 +pg_backup_build_db_list: "yes" +# Dynamically created from psql_db_data if pg_backup_db_list is not set +#pg_backup_db_list: '{{ psql_db_name}}' +pg_backup_base_dir: /var/lib/pgsql +pg_backup_destdir: '{{ pg_backup_base_dir }}/backups' +pg_backup_logdir: /var/log/postgresql +pg_backup_logfile: '{{ pg_backup_logdir }}/postgresql-backup.log' +pg_backup_use_auth: "no" +pg_backup_pass_file: /root/.pgpass +pg_backup_use_nagios: "yes" + +# Used to configure firewalld +postgresql_firewalld_zone: '{{ firewalld_default_zone }}' diff --git a/files/arping_script b/files/arping_script new file mode 100644 index 0000000..ae7479f --- /dev/null +++ b/files/arping_script @@ -0,0 +1,12 @@ +#!/bin/bash +# +# Exec /usr/bin/arping as root via sudo + +RETVAL= +CMD=/usr/bin/arping + +sudo $CMD $@ +RETVAL=$? + +exit $RETVAL + diff --git a/files/ip_script b/files/ip_script new file mode 100644 index 0000000..225bbb7 --- /dev/null +++ b/files/ip_script @@ -0,0 +1,12 @@ +#!/bin/bash +# +# Exec /sbin/ip as root via sudo + +RETVAL= +CMD=/sbin/ip + +sudo $CMD $@ +RETVAL=$? + +exit $RETVAL + 
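Review bot: The default `psql_db_pwd` is a sentence of advice, but because the `psql_db_data` examples pass `'{{ psql_db_pwd }}'` straight to `postgresql_user`, a deployment that forgets to override it ends up with a role whose password is a publicly known string from this repository. Prefer a default that fails loudly when not overridden, e.g. `psql_db_pwd: "{{ vault_psql_db_pwd | mandatory }}"`, so the play aborts instead of creating the user. Separately, `pgpool_pcp_listen_addresses: '*'` binds the PCP administrative port on every interface while `pgpool_listen_addresses` defaults to `localhost`; unless remote PCP is intended, `pgpool_pcp_listen_addresses: 'localhost'` is the safer default and the comment should say why the two differ.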
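Review bot: `sudo $CMD $@` in arping_script word-splits and glob-expands its arguments, so any argument containing spaces or `*` reaches `arping` mangled; quoting also lets the wrapper drop the RETVAL bookkeeping: `exec sudo "$CMD" "$@"`. The wrapper itself grants nothing — what the pgpool user can actually run as root is decided by the sudoers rule in `pgpool-wd-sudoers.j2`, which is not in this chunk, so that template is where the argument restriction needs to be reviewed.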
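Review bot: ip_script forwards arbitrary arguments to `sudo /sbin/ip`; if the matching sudoers entry (`pgpool-wd-sudoers.j2`, not visible here) allows `/sbin/ip` without an argument pattern, the pgpool service account is effectively root, because `ip netns exec <ns> <command>` runs any command with sudo's privileges. The sudoers rule should be limited to the forms the watchdog needs (`ip addr add/del ... dev ...`), or this wrapper should only accept those subcommands before invoking sudo. As in arping_script, the call should be quoted: `exec sudo "$CMD" "$@"`.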
diff --git a/files/pgpool-letsencrypt-acme.sh b/files/pgpool-letsencrypt-acme.sh
new file mode 100644
index 0000000..38ac48b
--- /dev/null
+++ b/files/pgpool-letsencrypt-acme.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+H_NAME=$( hostname -f )
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
+LE_LOG_DIR=/var/log/letsencrypt
+PGPOOL2_CERTDIR=/etc/pki/pgpool2
+PGPOOL2_KEYFILE=$PGPOOL2_CERTDIR/pgpool2.key
+DATE=$( date )
+
+[ ! -d $PGPOOL2_CERTDIR ] && mkdir -p $PGPOOL2_CERTDIR
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/pgpool2.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+ . /etc/default/letsencrypt
+else
+ echo "No letsencrypt default file" >> $LE_LOG_DIR/pgpool2.log
+fi
+
+echo "Copy the key file" >> $LE_LOG_DIR/pgpool2.log
+cp ${LE_CERTS_DIR}/privkey ${PGPOOL2_KEYFILE}
+chmod 440 ${PGPOOL2_KEYFILE}
+chown root ${PGPOOL2_KEYFILE}
+chgrp postgres ${PGPOOL2_KEYFILE}
+
+echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log
+if [ -x /bin/systemctl ] ; then
+ systemctl reload pgpool2 >> $LE_LOG_DIR/pgpool2.log 2>&1
+else
+ service pgpool2 reload >> $LE_LOG_DIR/pgpool2.log 2>&1
+fi
+
+echo "Done." >> $LE_LOG_DIR/pgpool2.log
+
+exit 0
+
diff --git a/files/postgresql-backup.cron b/files/postgresql-backup.cron
new file mode 100755
index 0000000..e797298
--- /dev/null
+++ b/files/postgresql-backup.cron
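Review bot: `cp ${LE_CERTS_DIR}/privkey ${PGPOOL2_KEYFILE}` creates the key copy with the hook's default umask and only then tightens it with `chmod 440`, so the private key is briefly world-readable, and a failure of `cp` leaves an old key in place while the script still reports success. Replace the cp/chmod/chown/chgrp sequence with a single atomic step, `install -o root -g postgres -m 0440 "${LE_CERTS_DIR}/privkey" "${PGPOOL2_KEYFILE}"`, and set `umask 077` near the top as belt-and-braces. The unconditional `exit 0` also hides a failed `systemctl reload pgpool2`; propagate the reload status (or `set -e`) so acmetool can report a broken hook.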
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+if [ -f /etc/default/pg_backup ] ; then
+ . /etc/default/pg_backup
+else
+ PG_BACKUP_ENABLED=True
+ PG_SERVICE=postgresql
+ USE_NAGIOS=no
+ LOG_DIR=/var/log/postgresql
+ LOG_FILE=$LOG_DIR/postgresql-backup.log
+ PG_BCK_BIN=/usr/local/sbin/postgresql-backup
+fi
+
+# Remote backup performed by duplicity. When active, do not run via cron
+if [ -x /etc/cron.daily/duplicity_backup ] ; then
+ DATE=$( date )
+ echo "$DATE: duplicity backups active. Exiting" >> $LOG_FILE
+ exit 0
+fi
+
+# Remote backup performed by BackupPC. If it is active, do not run via cron
+if [ -f /var/log/backuppc.log ] ; then
+ TMSTMP=$( date +%s )
+ . /var/log/backuppc.log
+ LAST_BACKUP_TIME=$( expr $TMSTMP - $BACKUP_TIMESTAMP )
+ if [ $LAST_BACKUP_TIME -lt 86400 -a $BACKUP_RESULT == 'OK' ] ; then
+ DATE=$( date )
+ echo "$DATE: BackupPC is active, doing nothing" >> $LOG_FILE
+ exit 0
+ fi
+fi
+
+export PATH="/sbin:/usr/sbin:/usr/local/sbin:$PATH"
+PG_SVC=$( service $PG_SERVICE status >/dev/null )
+PG_RUNNING=$?
+
+if [ $PG_BACKUP_ENABLED == 'True' ] ; then
+ if [ "$PG_RUNNING" -ne "0" -a "$PG_RUNNING" -ne "3" ] ; then
+ DATE=$( date )
+ echo "$DATE: The postgresql service is not running" >> $LOG_FILE
+ exit 1
+ else
+ if [ ! -d $LOG_DIR ] ; then
+ mkdir -p $LOG_DIR
+ fi
+ DATE_START=$( date )
+ echo "$DATE_START: Starting the backup procedure" >> $LOG_FILE
+ $PG_BCK_BIN >> $LOG_FILE 2>&1
+ DATE_END=$( date )
+ echo "$DATE_END: Backup procedure finished" >> $LOG_FILE
+ fi
+else
+ DATE=$( date )
+ echo "$DATE: Postgresql backups administratively disabled" >> $LOG_FILE
+fi
+
+if [ "${USE_NAGIOS}" == "yes" ] ; then
+ N_LOGDIR=/var/log/nagios-checks
+ if [ ! -d $N_LOGDIR ] ; then
+ mkdir -p $N_LOGDIR
+ fi
+fi
+
+exit 0
+
+
diff --git a/files/postgresql-backup.sh b/files/postgresql-backup.sh
new file mode 100755
index 0000000..1b7c890
--- /dev/null
+++ b/files/postgresql-backup.sh
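Review bot: `. /var/log/backuppc.log` sources a file under /var/log as shell code in a root cron job, so whoever can write that log can run commands as root on the next run; which process owns that file is not visible here, but a log file is an unusual place to keep a trust boundary. Read the two values instead of executing the file, e.g. `BACKUP_TIMESTAMP=$(sed -n 's/^BACKUP_TIMESTAMP=//p' /var/log/backuppc.log)` and likewise for `BACKUP_RESULT`, and quote them in the test (`[ "$LAST_BACKUP_TIME" -lt 86400 ] && [ "$BACKUP_RESULT" = 'OK' ]`) so an unset value does not break `[`. Note also that the duplicity and BackupPC branches append to `$LOG_FILE` before the `mkdir -p $LOG_DIR` further down, so on a fresh host those messages fail; move the directory creation above the first write.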
@@ -0,0 +1,150 @@ +#!/bin/bash + + +# Set up the environment +if [ -f /etc/default/pg_backup ] ; then + . /etc/default/pg_backup +else + N_DAYS_TO_SPARE=7 + USE_NAGIOS=no + BUILD_DBLIST=yes + PG_USE_AUTH=no + PG_PASS_FILE=/root/.pgpass + BACKUPDIR=/var/lib/pgsql/backups + DB_LIST= +fi + +# Year month day - hour minute second +SAVE_TIME=$( date +%Y%m%d-%H%M%S ) +TIMESTAMP= +RETVAL=0 +#export LANG=C +HISTDIR=$BACKUPDIR/history +TIMESTAMP_LOG=$BACKUPDIR/.timestamp +# If nagios is active, save the report status for each backup +# Nagios return values: 0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN +NAGIOS_LOG=$BACKUPDIR/.nagios-status +DUMP_RESULT=0 +LOCKFILE=${BACKUPDIR}/.dumplock + +create_backup_dirs() { + if [ ! -d ${BACKUPDIR} ] ; then + mkdir -p ${BACKUPDIR} + fi + if [ ! -d ${HISTDIR} ] ; then + mkdir -p ${HISTDIR} + fi + if [ "${PG_USE_AUTH}" == "no" ] ; then + chown -R postgres:postgres $BACKUPDIR + fi +} + +cleanup_old_backups() { + # Remove the old backups + find ${HISTDIR} -atime +${N_DAYS_TO_SPARE} -type f -exec rm -f {} \; + # TODELETE=$( /bin/ls "${HISTDIR}/" | awk -F '.' '{print $NF}' | sort -ruV | tail -n +${N_DAYS_TO_SPARE} ) + # for i in ${TODELETE} + # do + # rm -f "${HISTDIR}/*.${i}" + # done +} + +create_db_list() { + # The psql -l command prints too much stuff + #DB_LIST=$( psql -q -t -l -U postgres | grep -v template0 | grep -v template1 | grep -v : | grep -v ^\( | grep -v ^\- | awk '{print $1}' ) + DB_LIST=$( su - postgres -c "/usr/lib/postgresql/${PG_VERSION}/bin/oid2name " | awk '{print $2}' | tail -n +4 | grep -v template0 | grep -v template1 ) +} + +run_backup_as_db_user() { + for db in $DB_LIST ; do + grep ":${db}:" "$PG_PASS_FILE" 2>/dev/null + DB_IN_AUTFILE_RETVAL=$? 
+ if [ $DB_IN_AUTFILE_RETVAL -eq 0 ] ; then + PG_HOST=$( grep :${db}: $PG_PASS_FILE | cut -d : -f 1 ) + PG_PORT=$( grep :${db}: $PG_PASS_FILE | cut -d : -f 2 ) + PG_USER=$( grep :${db}: $PG_PASS_FILE | cut -d : -f 4 ) + ${PG_DUMP_BIN} -Fc -h $PG_HOST -p $PG_PORT -U $PG_USER $db > ${HISTDIR}/$db.data.$SAVE_TIME + DUMP_RESULT=$? + else + DUMP_RESULT=2 + fi + pushd ${BACKUPDIR}/ >/dev/null 2>&1 + rm -f $db.data + ln -s ${HISTDIR}/$db.data.$SAVE_TIME ./$db.data + popd >/dev/null 2>&1 + done +} + +run_backup_as_postgres() { + su - postgres -c "pg_dumpall -g > ${HISTDIR}/pgsql-global.data.$SAVE_TIME" + for db in $DB_LIST ; do + su - postgres -c "${PG_DUMP_BIN} -Fc $db > ${HISTDIR}/$db.data.$SAVE_TIME" + DUMP_RESULT=$? + pushd ${BACKUPDIR}/ >/dev/null 2>&1 + rm -f $db.data + ln -s ${HISTDIR}/$db.data.$SAVE_TIME ./$db.data + popd >/dev/null 2>&1 + done +} + +clear_nagios_data() { + if [ "$USE_NAGIOS" == "yes" ] ; then + > $NAGIOS_LOG + fi +} + +write_nagios_data() { + if [ "$USE_NAGIOS" == "yes" ] ; then + if [ $DUMP_RESULT -ne 0 ] ; then + echo "$db:FAILED" >> $NAGIOS_LOG + RETVAL=$DUMP_RESULT + else + echo "$db:OK" >> $NAGIOS_LOG + fi + fi +} + +fix_backup_permissions() { + chmod -R u+rwX,g-rwx,o-rwx ${HISTDIR} +} +######## +# +# Main +# +umask 0077 + +create_backup_dirs +if [ "$BUILD_DBLIST" == "yes" ] ; then + create_db_list +fi + +if [ ! -f $LOCKFILE ] ; then + touch $LOCKFILE + clear_nagios_data + if [ "${PG_USE_AUTH}" == "yes" ] ; then + if [ ! -f $PG_PASS_FILE -o -z $PG_PASS_FILE ] ; then + if [ "$USE_NAGIOS" == "yes" ] ; then + echo ".pgpass file not found or empty but authentication needed. 
All db backups FAILED" >> $NAGIOS_LOG + fi + RETVAL=2 + exit 2 + fi + run_backup_as_db_user + else + run_backup_as_postgres + fi + write_nagios_data + TIMESTAMP=$( date +%s ) + echo "$TIMESTAMP" > $TIMESTAMP_LOG + rm -f $LOCKFILE +else + RETVAL=2 + if [ "$USE_NAGIOS" == "yes" ] ; then + echo "old backup still running:WARNING" >> $NAGIOS_LOG + fi +fi + +fix_backup_permissions +cleanup_old_backups + +exit $RETVAL diff --git a/files/postgresql-letsencrypt-acme.sh b/files/postgresql-letsencrypt-acme.sh new file mode 100644 index 0000000..a3c227e --- /dev/null +++ b/files/postgresql-letsencrypt-acme.sh @@ -0,0 +1,37 @@ +#!/bin/bash + +H_NAME=$( hostname -f ) +LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks +LE_CERTS_DIR=/var/lib/acme/live/$H_NAME +LE_LOG_DIR=/var/log/letsencrypt +POSTGRESQL_CERTDIR=/etc/pki/postgresql +POSTGRESQL_KEYFILE=$POSTGRESQL_CERTDIR/postgresql.key +DATE=$( date ) + +[ ! -d $POSTGRESQL_CERTDIR ] && mkdir -p $POSTGRESQL_CERTDIR +[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR +echo "$DATE" >> $LE_LOG_DIR/postgresql.log + +if [ -f /etc/default/letsencrypt ] ; then + . /etc/default/letsencrypt +else + echo "No letsencrypt default file" >> $LE_LOG_DIR/postgresql.log +fi + +echo "Copy the key file" >> $LE_LOG_DIR/postgresql.log +cp ${LE_CERTS_DIR}/privkey ${POSTGRESQL_KEYFILE} +chmod 440 ${POSTGRESQL_KEYFILE} +chown root ${POSTGRESQL_KEYFILE} +chgrp postgres ${POSTGRESQL_KEYFILE} + +echo "Restart the postgresql service" >> $LE_LOG_DIR/postgresql.log +if [ -x /bin/systemctl ] ; then + systemctl restart postgresql >> $LE_LOG_DIR/postgresql.log 2>&1 +else + service postgresql restart >> $LE_LOG_DIR/postgresql.log 2>&1 +fi + +echo "Done." >> $LE_LOG_DIR/postgresql.log + +exit 0 + diff --git a/handlers/main.yml b/handlers/main.yml index 27474e0..54aa620 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
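Review bot: In run_backup_as_db_user, `grep ":${db}:" "$PG_PASS_FILE" 2>/dev/null` is used only for its exit status but its stdout is not discarded, so the matching `.pgpass` line — password included — is printed, and the cron wrapper appends that stdout to `/var/log/postgresql/postgresql-backup.log`; use `grep -q -- ":${db}:" "$PG_PASS_FILE"`. The database names from `oid2name` are then interpolated unquoted into `su - postgres -c "${PG_DUMP_BIN} -Fc $db > ..."` and into the redirection paths, so a database whose name contains shell metacharacters (anyone with CREATEDB can create one) is executed by this root-run script; quote `"$db"` and reject names that are not `[A-Za-z0-9_]` before the loop. `[ ! -f $PG_PASS_FILE -o -z $PG_PASS_FILE ]` tests whether the variable is empty, not the file — `-s` is what the message describes. Finally, `touch $LOCKFILE` is never removed on an abnormal exit (no `trap`), so one crash makes every later run report `old backup still running` and skip the dump.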
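Review bot: As in the pgpool hook, `cp ${LE_CERTS_DIR}/privkey ${POSTGRESQL_KEYFILE}` followed by `chmod 440` leaves the key at umask permissions for a moment and copies it even when `cp` fails; `install -o root -g postgres -m 0440 "${LE_CERTS_DIR}/privkey" "${POSTGRESQL_KEYFILE}"` does the copy and permissions atomically. The hook then does `systemctl restart postgresql` on every renewal, which drops all client connections; PostgreSQL 10 and later re-read `ssl_cert_file`/`ssl_key_file` on a reload, and the role defaults to version 11, so `systemctl reload postgresql` (and `service postgresql reload`) is sufficient and non-disruptive. The trailing `exit 0` should give way to the reload's own status so a failed reload is visible to acmetool.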
@@ -1,2 +1,23 @@ --- -# handlers file for ansible-role-template \ No newline at end of file +- name: Restart postgresql + service: name=postgresql state=restarted + when: postgresql_enabled + +- name: Reload postgresql + service: name=postgresql state=reloaded + when: postgresql_enabled + +- name: Reload pgpool2 + service: name=pgpool2 state=reloaded + when: pgpool_enabled + ignore_errors: True + +- name: Restart pgpool2 + service: name=pgpool2 state=restarted + when: pgpool_enabled + +- name: Restart postgresql with pgpool config + service: name=postgresql state=restarted + when: + - postgresql_enabled + - psql_restart_after_wal_enabling diff --git a/meta/main.yml b/meta/main.yml index 1126a5e..096f185 100644 --- a/meta/main.yml +++ b/meta/main.yml 
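Review bot: The `Reload pgpool2` handler carries `ignore_errors: True`, so a pgpool that rejects its new configuration or key keeps running on the old one while the play reports success; that is the opposite of what a reload after an access or TLS change should do. Drop `ignore_errors: True` here, or if the intent is to tolerate a pgpool that is not yet running, make that explicit with `failed_when` on the service status rather than swallowing every error.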
@@ -1,61 +1,23 @@ galaxy_info: - author: your name - description: your description + author: Andrea Dell'Amico + description: Systems Architect company: ISTI-CNR - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning - # Some suggested licenses: - # - BSD (default) - # - MIT - # - GPLv2 - # - GPLv3 - # - Apache - # - CC-BY - license: EUPL-1.2 + license: EUPL 1.2+ min_ansible_version: 2.8 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # Optionally specify the branch Galaxy will use when accessing the GitHub - # repo for this role. During role install, if no tags are available, - # Galaxy will use this branch. During import Galaxy will access files on - # this branch. If Travis integration is configured, only notifications for this - # branch will be accepted. Otherwise, in all cases, the repo's default branch - # (usually master) will be used. - #github_branch: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. # To view available platforms and versions (or releases), visit: # https://galaxy.ansible.com/api/v1/platforms/ # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 + platforms: + - name: Ubuntu + versions: + - bionic - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. 
+ galaxy_tags: + - postgresql dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. - diff --git a/tasks/configure-access.yml b/tasks/configure-access.yml new file mode 100644 index 0000000..f2871b2 --- /dev/null +++ b/tasks/configure-access.yml 
@@ -0,0 +1,90 @@ +--- +- name: Open the postgresql service to a specific zone. + firewalld: service=postgresql zone={{ postgresql_firewalld_zone }} permanent=True state=enabled immediate=True + when: + - psql_listen_on_ext_int | bool + - firewalld_enabled | bool + +- name: Give access to the remote postgresql client + lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" + with_subelements: + - '{{ psql_db_data | default([]) }}' + - allowed_hosts + when: + - psql_listen_on_ext_int | bool + - psql_db_data is defined + - item.1 is defined + - not psql_force_ssl_client_connection | bool + notify: Reload postgresql + tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] + +- name: Give access to the remote postgresql client, force ssl + lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" + with_subelements: + - '{{ psql_db_data | default([]) }}' + - allowed_hosts + when: + - psql_listen_on_ext_int | bool + - psql_db_data is defined + - item.1 is defined + - psql_force_ssl_client_connection | bool + notify: Reload postgresql + tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] + +# No conditionals, it is needed to perform base backups when the WAL archive is active +- name: Give local access with replication privileges to the postgres user + lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer" + notify: Reload postgresql + tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ] + +- name: Set the postgresql listen port + action: configfile path={{ psql_conf_dir }}/postgresql.conf key=port value="{{ psql_db_port }}" + register: restart_postgresql + tags: [ 'postgresql', 'postgres', 'pg_conf' ] + +- name: We want postgres listen on the 
public IP + action: configfile path={{ psql_conf_dir }}/postgresql.conf key=listen_addresses value="'*'" + register: restart_postgresql + when: + - psql_listen_on_ext_int | bool + tags: [ 'postgresql', 'postgres', 'pg_conf' ] + +- name: If postgresql is only accessed from localhost make it listen only on the localhost interface + action: configfile path={{ psql_conf_dir }}/postgresql.conf key=listen_addresses value="'localhost'" + register: restart_postgresql + when: + - not psql_listen_on_ext_int | bool + tags: [ 'postgresql', 'postgres', 'pg_conf' ] + +- name: Log the connections + action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_connections value="on" + register: restart_postgresql + when: psql_db_data is defined + tags: [ 'postgresql', 'postgres', 'pg_conf' ] + +- name: Log the disconnections + action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_disconnections value="on" + register: restart_postgresql + when: psql_db_data is defined + tags: [ 'postgresql', 'postgres', 'pg_conf' ] + +- name: Log the hostnames + action: configfile path={{ psql_conf_dir }}/postgresql.conf key=log_hostname value="on" + register: restart_postgresql + when: + - psql_listen_on_ext_int | bool + tags: [ 'postgresql', 'postgres', 'pg_conf' ] + +- name: Set the correct permissions to the postgresql files + file: dest={{ psql_conf_dir }}/{{ item }} owner=root group=postgres mode=0640 + with_items: + - pg_hba.conf + - postgresql.conf + tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ] + +- name: Restart the postgresql server after changing parameters that need a restart + service: name=postgresql state=restarted + when: + - restart_postgresql is changed + ignore_errors: True + tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_conf' ] diff --git a/tasks/main.yml b/tasks/main.yml index 53c6cae..51b98e9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
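Review bot: Both pg_hba tasks hard-code `md5` as the authentication method; with `psql_version: 11` the server supports `scram-sha-256`, and md5 hashes are replayable if `pg_authid` or a `.pgpass` copy ever leaks. Make the method a variable, e.g. `line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} {{ psql_hba_auth_method | default('scram-sha-256') }}"`, and set `password_encryption = scram-sha-256` in postgresql.conf so newly set passwords are stored in the matching format (existing md5 users need their password reset to migrate). Separately, every `configfile` task in this file writes `register: restart_postgresql`, so the final `Restart the postgresql server` task only sees the outcome of the last task that ran — a change to `port` or `listen_addresses` alone no longer triggers a restart; replace the register chain with `notify: Restart postgresql` on the tasks that need it and drop the `ignore_errors: True` on the restart so a server that fails to come back is reported.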
@@ -1,2 +1,40 @@ --- -# tasks file for ansible-role-template \ No newline at end of file +- import_tasks: postgresql_org_repo.yml + when: pg_use_postgresql_org_repo +- import_tasks: packages.yml + when: psql_postgresql_install +- import_tasks: postgis.yml + when: postgres_install_gis_extensions +- import_tasks: postgresql-config.yml + when: psql_postgresql_install +- import_tasks: postgresql-ssl-config.yml + when: psql_postgresql_install +- import_tasks: psql-kernel-sharedmem.yml + when: + - psql_postgresql_install + - psql_set_shared_memory +- import_tasks: configure-access.yml + when: + - psql_postgresql_install + - psql_db_data is defined +- import_tasks: postgresql-service-status.yml + when: psql_postgresql_install +- import_tasks: postgres_pgpool.yml + when: psql_pgpool_install +- import_tasks: manage_pg_db.yml + when: + - psql_postgresql_install + - psql_db_data is defined +- import_tasks: postgresql-backup.yml + when: + - psql_postgresql_install +- import_tasks: pgpool-ii.yml + when: psql_pgpool_service_install +- import_tasks: postgresql-letsencrypt-acmetool.yml + when: + - letsencrypt_acme_install is defined +- import_tasks: pgpool-letsencrypt-acmetool.yml + when: + - letsencrypt_acme_install is defined + + diff --git a/tasks/manage_pg_db.yml b/tasks/manage_pg_db.yml new file mode 100644 index 0000000..4e681ad --- /dev/null +++ b/tasks/manage_pg_db.yml 
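Review bot: The `when:` guards on these imports are repeated inside several of the imported files (postgresql_org_repo.yml re-checks `pg_use_postgresql_org_repo`, psql-kernel-sharedmem.yml re-checks `psql_set_shared_memory`, postgres_pgpool.yml re-checks `psql_pgpool_install`), and `import_tasks` already prepends its condition to every imported task, so one of the two copies should go. The two letsencrypt imports test `letsencrypt_acme_install is defined` while the imported blocks test its truthiness; `when: letsencrypt_acme_install | default(False) | bool` here would state the intent once and match the `| bool` style used in configure-access.yml. A variable that is defined but false currently still imports the file only to skip every task, which is harmless but noisy.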
@@ -0,0 +1,56 @@ +--- +- name: Add a user for the postgresql DBs + become: True + become_user: postgres + postgresql_user: user={{ item.user }} password={{ item.pwd }} role_attr_flags={{ item.roles }} port={{ psql_db_port }} state={{ item.userstate | default('present') }} + with_items: '{{ psql_db_data | default(omit) }}' + when: item.roles is defined + tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user' ] + +- name: Add the databases with the correct owner. Or remove them, if not used anymore + become: True + become_user: postgres + postgresql_db: db={{ item.name }} port={{ psql_db_port }} encoding={{ item.encoding }} owner={{ item.user }} template=template0 state={{ item.state | default('present') }} + with_items: '{{ psql_db_data | default(omit) }}' + when: item.managedb | default(True) + tags: [ 'postgresql', 'postgres', 'pg_db' ] + +- name: Manage users privileges + become: True + become_user: postgres + postgresql_privs: + db: '{{ item.name }}' + privs: '{{ item.privs }}' + #type: database + objs: "{{ item.objs | default('ALL_IN_SCHEMA') }}" + roles: '{{ item.roles }}' + port: '{{ psql_db_port }}' + state: "{{ item.userstate | default('present') }}" + grant_option: "{{ item.grant_option | default('yes') }}" + with_items: '{{ psql_db_privs | default(omit) }}' + when: psql_db_privs is defined + tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_user', 'postgresql_privs' ] + +# - name: Add schemas to a database. 
+# become: True +# become_user: postgres +# postgresql_schema: database={{ item.0.name }} port={{ psql_db_port }} name={{ item.1 }} owner={{ item.0.user }} state={{ item.0.schemastate | default('present') }} +# with_subelements: +# - '{{ psql_db_data | default([]) }}' +# - schema +# when: +# - item.0.manageschema | default(False) +# - item.1 is defined +# ignore_errors: True +# tags: [ 'postgresql', 'postgres', 'pg_db', 'pg_schema' ] + +- name: Define a user with password, with no associated DBs + become: True + become_user: postgres + postgresql_user: user={{ item.user }} password={{ item.pwd }} port={{ psql_db_port }} + with_items: '{{ psql_db_data | default(omit) }}' + when: + - item.pwd is defined + - item.roles is not defined + tags: [ 'postgresql', 'postgres', 'pg_db' ] + diff --git a/tasks/packages.yml b/tasks/packages.yml new file mode 100644 index 0000000..1e5c610 --- /dev/null +++ b/tasks/packages.yml @@ -0,0 +1,11 @@ +--- +- block: + - name: Install the packages that ansible needs to manage the postgresql users and databases + apt: pkg={{ psql_ansible_needed_pkgs }} state={{ psql_pkg_state }} cache_valid_time=3600 + + - name: install the postgresql packages + apt: pkg={{ postgresql_pkgs }} state={{ psql_pkg_state }} cache_valid_time=3600 + notify: Restart postgresql + + tags: [ 'postgresql', 'postgres' ] + diff --git a/tasks/pgpool-ii.yml b/tasks/pgpool-ii.yml new file mode 100644 index 0000000..b6e31f5 --- /dev/null +++ b/tasks/pgpool-ii.yml 
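Review bot: The three tasks in this hunk that iterate `psql_db_data` lack `no_log: true`, so each item, including its `pwd`, is printed in the task output and lands in any log or CI capture of the run; the two `postgresql_user` tasks additionally pass `password={{ item.pwd }}` in the module arguments. Adding `no_log: true` to each of them is the one-line fix per task. In `Manage users privileges`, `grant_option` defaulting to `'yes'` means every grantee receives WITH GRANT OPTION unless the data explicitly opts out; `'no'` is the least-privilege default and entries that need delegation can set it individually. The same missing `no_log` applies to the `postgresql_user` and `user` tasks in postgres_pgpool.yml and to the `pg_md5` shell tasks in pgpool-ii.yml later in this patch.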
@@ -0,0 +1,78 @@ +--- +- block: + - name: Install the pgpool package + apt: name={{ pgpool_pkgs }} state={{ psql_pgpool_pkg_state }} cache_valid_time=1800 + + - name: Configure pcp + #template: src=pcp.conf.j2 dest=/etc/pgpool2/pcp.conf owner=root group=postgres mode=0640 + shell: pwd=`pg_md5 {{ pcp_pwd }}` ; echo "{{ pgpool_pcp_user }}:${pwd}" > /etc/pgpool2/pcp.conf ; chmod 640 /etc/pgpool2/pcp.conf; chown root:postgres /etc/pgpool2/pcp.conf + + - name: Install the pgpool configuration file + template: src=pgpool.conf.j2 dest=/etc/pgpool2/pgpool.conf owner=root group=postgres mode=0640 + notify: Restart pgpool2 + + - name: Give access to the remote postgresql clients + lineinfile: name=/etc/pgpool2/pool_hba.conf regexp="^host {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" + with_subelements: + - '{{ psql_db_data | default([]) }}' + - allowed_hosts + when: + - psql_db_data is defined + - item.1 is defined + notify: Reload pgpool2 + + - name: Create the pki directory to store the pgpool key + file: dest=/etc/pki/pgpool2 state=directory owner=postgres group=postgres mode=0750 + when: pgpool_enable_ssl + + - name: Create a pgpool accessible ssl key file if it does not exist + copy: src=/var/lib/acme/live/{{ ansible_fqdn }}/privkey dest=/etc/pki/pgpool2/pgpool2.key owner=postgres group=postgres mode=0400 remote_src=True + when: pgpool_enable_ssl + + - name: Install the pool_passwd configuration file + shell: cd /etc/pgpool2 ; pg_md5 -m -u {{ item.user }} {{ item.pwd }} ; chown root:postgres /etc/pgpool2/pool_passwd ; chmod 660 /etc/pgpool2/pool_passwd + with_items: '{{ psql_db_data | default([]) }}' + + - name: Install the sudoers config that permits pgpool change the network configuration during a failover + template: src=pgpool-wd-sudoers.j2 dest=/etc/sudoers.d/pgpool-wd owner=root group=root mode=0440 + + - name: Install the ip script that manage the network configuration during a failover + 
copy: src={{ item }} dest=/sbin/{{ item }} owner=root group=root mode=0755 + with_items: + - ip_script + + - name: Install the arping scripts that manage the network configuration during a failover + copy: src={{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 + with_items: + - arping_script + + - name: Start and enable pgpool2 + service: name=pgpool2 state=started enabled=yes + + when: pgpool_enabled + tags: [ 'postgresql', 'postgres', 'pgpool', 'pcp_conf', 'pgpool_conf' ] + + +- block: + - name: Stop and disable pgpool2 + service: name=pgpool2 state=stopped enabled=no + + - name: Install the pgpool packages + apt: name={{ pgpool_pkgs }} state=absent + + - name: Remove the pgpool failover sudoers file + file: dest=/etc/sudoers.d/pgpool-wd state=absent + + - name: Remove the pgpool configuration directory + file: dest=/etc/pgpool2 state=absent + + - name: Remove the scripts that manage the network configuration during a failover + file: dest={{ item }} state=absent + with_items: + - /sbin/ip_script + - /usr/local/bin/arping_script + + when: not pgpool_enabled + tags: [ 'postgresql', 'postgres', 'pgpool' ] + + diff --git a/tasks/pgpool-letsencrypt-acmetool.yml b/tasks/pgpool-letsencrypt-acmetool.yml new file mode 100644 index 0000000..627e6e6 --- /dev/null +++ b/tasks/pgpool-letsencrypt-acmetool.yml 
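Review bot: The two `shell:` tasks (`Configure pcp` and `Install the pool_passwd configuration file`) interpolate `{{ pcp_pwd }}` and `{{ item.pwd }}` unquoted into a command line, so a password containing shell metacharacters breaks or alters the command, and the secret is visible in the process list while `pg_md5` runs. At minimum quote them (`pg_md5 {{ pcp_pwd | quote }}` and `pg_md5 -m -u {{ item.user | quote }} {{ item.pwd | quote }}`) and add `changed_when: false`, since both tasks report changed on every run; the commented-out `template:` for pcp.conf would be the idempotent form if the hash were computed before templating. `chmod 660 /etc/pgpool2/pool_passwd` makes a credential file group-writable; `640` matches the other configuration files installed in this hunk. The removal block's second task is named `Install the pgpool packages` while it sets `state=absent`; `Remove the pgpool packages` describes what it does.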
@@ -0,0 +1,23 @@ +--- +- block: + - name: Create the acme hooks directory if it does not yet exist + file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root + + - name: Install a script that fix the letsencrypt certificate for pgpool and then reloads the service + copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555 + + when: + - psql_pgpool_service_install + - pgpool_letsencrypt_managed + - letsencrypt_acme_install + tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ] + + +- block: + - name: Remove the letsencrypt hook for pgpool + file: dest=/usr/lib/acme/hooks/pgpool state=absent + + when: + - psql_pgpool_service_install + - not pgpool_letsencrypt_managed + tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ] diff --git a/tasks/postgis.yml b/tasks/postgis.yml new file mode 100644 index 0000000..4de1363 --- /dev/null +++ b/tasks/postgis.yml @@ -0,0 +1,6 @@ +--- +- name: install the postgresql GIS packages + apt: pkg={{ postgres_gis_pkgs }} state={{ psql_pkg_state }} cache_valid_time=3600 + notify: Restart postgresql + tags: [ 'postgresql', 'postgres', 'postgis' ] + diff --git a/tasks/postgres_pgpool.yml b/tasks/postgres_pgpool.yml new file mode 100644 index 0000000..3756e9c --- /dev/null +++ b/tasks/postgres_pgpool.yml 
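Review bot: The install task writes the hook to `{{ letsencrypt_acme_services_scripts_dir }}/pgpool` while the removal block deletes the hardcoded `/usr/lib/acme/hooks/pgpool`, so a non-default scripts directory leaves the hook in place after `pgpool_letsencrypt_managed` is turned off; `file: dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool state=absent` keeps the two in step. `mode=4555` sets the setuid bit on a root-owned shell script; Linux ignores setuid on interpreted scripts, so it adds nothing and only looks alarming to anyone auditing the hooks directory, and `mode=0755` is all the copy needs. Both points apply identically to postgresql-letsencrypt-acmetool.yml later in this patch.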
@@ -0,0 +1,75 @@ +--- +- name: Install the packages needed by postgres when running behind a pgpool server + apt: pkg={{ postgresql_pgpool_pkgs }} state={{ psql_pkg_state }} cache_valid_time=3600 + when: psql_pgpool_install + notify: Restart postgresql + tags: [ 'postgresql', 'postgres', 'pgpool' ] + +- name: Add the postgres user that will manage the recovery, if not postgres + become: True + become_user: postgres + postgresql_user: user={{ pgpool_recovery_user }} password={{ pgpool_recovery_user_pwd }} role_attr_flags=REPLICATION port={{ psql_db_port }} + when: + - ('{{ pgpool_recovery_user }}' != 'postgres') + - pgpool_recovery_user_pwd is defined + tags: [ 'postgresql', 'postgres', 'pgpool' ] + +- name: Give access to the pgpool recovery user, if it is not postgres + lineinfile: name=/etc/postgresql/{{ psql_version }}/main/pg_hba.conf regexp="^host {{ item.0.name }} {{ pgpool_recovery_user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ pgpool_recovery_user }} {{ item.1 }} md5" + with_subelements: + - '{{ psql_db_data | default([]) }}' + - allowed_hosts + when: + - psql_db_data is defined + - item.1 is defined + - pgpool_recovery_user_pwd is defined + notify: Reload postgresql + tags: [ 'postgresql', 'postgres', 'pgpool' ] + +- name: Add the system user that will manage the recovery, if not postgres + user: user={{ pgpool_recovery_user }} password={{ pgpool_recovery_user_pwd | password_hash('sha512') }} groups=postgres shell=/bin/bash system=yes + when: + - ('{{ pgpool_recovery_user }}' != 'postgres') + - pgpool_recovery_user_pwd is defined + tags: [ 'postgresql', 'postgres', 'pgpool' ] + +- name: Create the ssh keys for the recovery user + user: user={{ pgpool_recovery_user }} generate_ssh_key=yes ssh_key_bits=2048 ssh_key_file=.ssh/id_rsa ssh_key_type=rsa + tags: [ 'postgresql', 'postgres', 'pgpool' ] + +- name: Install the pgpool recovery and remote restart scripts. 
They assume that the postgresql hosts can talk to each other + template: src={{ item.1 }}.j2 dest={{ item.0.backend_data_directory }}/main/{{ item.1 }} owner=postgres group=postgres mode=0500 + with_nested: + - '{{ pgpool_backends | default([]) }}' + - [ '{{ pgpool_recovery_stage1_script }}', '{{ pgpool_recovery_stage2_script }}', '{{ pgpool_remote_start_script }}' ] + tags: [ 'postgresql', 'postgres', 'pgpool' ] + +- name: Set the postgresql configuration parameters needed by pgpool + action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="{{ item.value }}" + with_items: '{{ psql_wal_files_conf }}' + when: + - item.set + - psql_wal_files_archiving_enabled + notify: Restart postgresql with pgpool config + tags: [ 'postgresql', 'postgres', 'pg_conf', 'pgpool' ] + +- name: Add the pgpool postgres extensions to the template1 dbs + become: True + become_user: postgres + postgresql_ext: name={{ item }} db=template1 port={{ psql_db_port }} + with_items: + - pgpool_regclass + - pgpool_recovery + tags: [ 'postgresql', 'postgres', 'pg_extensions' ] + +- name: Install the sudoers config that permits the postgres user to restart the service after a recovery + template: src=postgresql-sudoers.j2 dest=/etc/sudoers.d/postgres-pgpool owner=root group=root mode=0440 + tags: [ 'postgres', 'postgresql', 'sudo', 'pgpool' ] + +- name: Install a script that cleans up the wal log archives + template: src=postgresql_wal_backup_and_removal.j2 dest=/usr/local/sbin/postgresql_wal_backup_and_removal owner=root group=root mode=0755 + tags: [ 'postgresql', 'postgres', 'pgpool' ] + +- name: Install a cron job to cleanup the wal log archives + cron: name="Clean up the postgresql WAL log archives" user=postgres job="/usr/local/sbin/postgresql_wal_backup_and_removal > {{ psql_log_dir }}/wal_removal.log 2>&1" special_time=daily + tags: [ 'postgresql', 'postgres', 'pgpool' ] 
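Review bot: `password={{ pgpool_recovery_user_pwd | password_hash('sha512') }}` in `Add the system user that will manage the recovery` generates a fresh random salt on every run, so the `user` task reports changed and rewrites the shadow entry each time the play runs; passing a fixed salt as the second argument of `password_hash` (kept with the other secrets) makes it idempotent. The `when:` conditions `('{{ pgpool_recovery_user }}' != 'postgres')` wrap Jinja inside a `when`, which Ansible already evaluates as a template; `pgpool_recovery_user != 'postgres'` is the supported form and avoids the deprecation warning. The pg_hba.conf and postgresql.conf paths in this file are spelled out as `/etc/postgresql/{{ psql_version }}/main/...` while configure-access.yml and postgresql-config.yml use `{{ psql_conf_dir }}`; if that variable is ever pointed elsewhere, the pgpool-related entries land in a different file than the rest.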
diff --git a/tasks/postgresql-backup.yml b/tasks/postgresql-backup.yml new file mode 100644 index 0000000..874193e --- /dev/null +++ b/tasks/postgresql-backup.yml 
@@ -0,0 +1,42 @@ +--- +- name: Backup script for the postgresql database(s) + copy: src=postgresql-backup.sh dest=/usr/local/sbin/postgresql-backup owner=root mode=0744 + tags: [ 'pgbackup_cron', 'pg_backup', 'postgresql', 'postgres' ] + +- name: daily cron job for the postgresql database(s) backup + copy: src=postgresql-backup.cron dest=/etc/cron.daily/postgresql-backup owner=root mode=0744 + when: pgbackup_cron_step is undefined or + pgbackup_cron_step < 1 or + pgbackup_cron_step > 12 + tags: [ 'pgbackup_cron', 'pg_backup', 'postgresql', 'postgres' ] + +- name: hour step cron job for the postgresql database(s) backup + cron: + name: "hourly step postgresql dump" + minute: "10" + hour: "*/{{ pgbackup_cron_step }}" + job: "/usr/local/sbin/postgresql-backup.cron" + when: pgbackup_cron_step is defined and + pgbackup_cron_step >=1 and + pgbackup_cron_step <= 12 + tags: [ 'pgbackup_cron', 'pg_backup', 'postgresql', 'postgres' ] + +- name: postgresql backup defaults + template: src=pg_backup-default.j2 dest=/etc/default/pg_backup owner=root mode=0744 + tags: [ 'pg_backup', 'postgresql', 'postgres', 'pg_db' ] + +- name: Create the postgresql backups data directory + file: dest={{ pg_backup_destdir }} owner=postgres group=postgres mode=700 recurse=yes state=directory + tags: [ 'pg_backup', 'postgresql', 'postgres' ] + +- name: Create the postgresql WAL files backup directories + file: dest={{ item }} owner=postgres group=postgres mode=700 recurse=yes state=directory + with_items: + - '{{ psql_wal_archiving_log_dir }}' + - '{{ psql_base_backup_dir }}' + when: psql_wal_files_archiving_enabled + tags: [ 'pg_backup', 'postgresql', 'postgres' ] + +- name: authorization file for the psql command + template: src=pgpass.j2 dest={{ pg_backup_pass_file }} owner=root mode=0600 + tags: [ 'pg_backup', 'postgresql', 'postgres', 'pgpass', 'pg_db' ] diff --git a/tasks/postgresql-config.yml b/tasks/postgresql-config.yml new file mode 100644 index 0000000..a70ea5a --- /dev/null 
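Review bot: The `hour step cron job` task schedules `/usr/local/sbin/postgresql-backup.cron`, but nothing in this patch installs a file at that path: the script is copied to `/usr/local/sbin/postgresql-backup` and the cron wrapper only to `/etc/cron.daily/postgresql-backup`, and only in the other branch of the condition, so with `pgbackup_cron_step` in 1..12 the job points at a non-existent command. Either `job: "/usr/local/sbin/postgresql-backup"` or a second `copy` of `postgresql-backup.cron` to the referenced path fixes it. The two branches also never remove each other's artifact, so moving `pgbackup_cron_step` across the boundary leaves both the daily file and the crontab entry active; a `state=absent` counterpart for each would make the switch clean.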
+++ b/tasks/postgresql-config.yml 
@@ -0,0 +1,58 @@ +--- +- block: + - name: Check if the new postgresql data directory exists + stat: path={{ psql_data_dir }} + register: postgresql_data_dir + + - name: Stop the postgresql service while reconfiguring the data directory + service: name=postgresql state=stopped + when: postgresql_data_dir.stat.isdir is not defined + + - name: Create the postgresql data directory if it is not in the default place + file: dest={{ psql_data_dir }} owner=postgres group=postgres mode=700 recurse=yes state=directory + + - name: Set the postgresql data dir if it is different from the default + become: True + become_user: postgres + action: configfile path={{ psql_conf_dir }}/postgresql.conf key=data_directory value="'{{ psql_data_dir }}'" + + - name: Copy the postgresql data directory into the new place + shell: '[ "/var/lib/postgresql/{{ psql_version }}/main" != "{{ psql_data_dir }}" ] && cp -a /var/lib/postgresql/{{ psql_version }}/main/* {{ psql_data_dir }}' + args: + creates: '{{ psql_data_dir }}/main/base' + when: postgresql_data_dir.stat.isdir is not defined + + - name: Start the postgresql service that will use the new data directory + service: name=postgresql state=started + when: postgresql_data_dir.stat.isdir is not defined + + when: psql_use_alternate_data_dir + tags: [ 'postgresql', 'postgres', 'pg_conf' ] + +- name: Set some postgresql configuration parameters that require a db restart + become: True + become_user: postgres + action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}" + with_items: '{{ psql_conf_parameters }}' + when: item.set == 'True' + notify: Restart postgresql + tags: [ 'postgresql', 'postgres', 'pg_conf' ] + +- name: Set the postgresql logging configuration parameters + become: True + become_user: postgres + action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}" + with_items: '{{ psql_log_configuration }}' + when: item.set == 'True' + notify: 
Reload postgresql + tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_log' ] + +- name: Set the postgresql autovacuum configuration parameters + become: True + become_user: postgres + action: configfile path={{ psql_conf_dir }}/postgresql.conf key={{ item.name }} value="{{ item.value }}" + with_items: '{{ psql_autovacuum_configuration }}' + when: item.set == 'True' + notify: Reload postgresql + tags: [ 'postgresql', 'postgres', 'pg_conf', 'pg_conf_autovacuum' ] + diff --git a/tasks/postgresql-letsencrypt-acmetool.yml b/tasks/postgresql-letsencrypt-acmetool.yml new file mode 100644 index 0000000..8531a46 --- /dev/null +++ b/tasks/postgresql-letsencrypt-acmetool.yml @@ -0,0 +1,21 @@ +--- +- block: + - name: Create the acme hooks directory if it does not yet exist + file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root + + - name: Install a script that fix the letsencrypt certificate for postgresql and then restarts the service + copy: src=postgresql-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/postgresql owner=root group=root mode=4555 + + when: + - postgresql_letsencrypt_managed + - letsencrypt_acme_install + tags: [ 'postgresql', 'postgres', 'letsencrypt' ] + + +- block: + - name: Remove the letsencrypt certificate hook for postgresql + file: dest=/usr/lib/acme/hooks/postgresql state=absent + + when: + - not postgresql_letsencrypt_managed + tags: [ 'postgresql', 'postgres', 'letsencrypt' ] diff --git a/tasks/postgresql-service-status.yml b/tasks/postgresql-service-status.yml new file mode 100644 index 0000000..0980378 --- /dev/null +++ b/tasks/postgresql-service-status.yml 
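Review bot: In `Copy the postgresql data directory into the new place`, `creates: '{{ psql_data_dir }}/main/base'` does not match what the command produces: `cp -a .../main/* {{ psql_data_dir }}` puts `base` directly under `{{ psql_data_dir }}`, so the guard never fires and the shell runs whenever the `when:` allows it; `creates: '{{ psql_data_dir }}/base'` is the matching path. The same command fails the task when the two directories are equal, because `[ a != b ] && cp` returns 1 with nothing to copy, the opposite of the intent; moving the equality test into `when:` is the simple fix. `when: item.set == 'True'` compares against the string `'True'`, so an entry declared with a YAML boolean `set: True` is skipped silently, while postgres_pgpool.yml in this patch tests `item.set` directly; I cannot see defaults/main.yml here to tell which form the data uses, but one form should be chosen for both. The `become_user: postgres` on the configfile tasks also assumes postgres can write postgresql.conf, which configure-access.yml later sets to `owner=root group=postgres mode=0640`; whether that breaks the second run depends on how configfile writes the file.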
@@ -0,0 +1,11 @@ +--- +- name: Ensure that the postgresql server is started + service: name=postgresql state=started enabled=yes + when: postgresql_enabled + tags: [ 'postgresql', 'postgres' ] + +- name: Ensure that the postgresql server is stopped and disabled + service: name=postgresql state=stopped enabled=no + when: not postgresql_enabled + tags: [ 'postgresql', 'postgres' ] + diff --git a/tasks/postgresql-ssl-config.yml b/tasks/postgresql-ssl-config.yml new file mode 100644 index 0000000..d7fbfb3 --- /dev/null +++ b/tasks/postgresql-ssl-config.yml @@ -0,0 +1,29 @@ +--- +- block: + - name: Setup SSL in the postgresql configuration + become: True + become_user: postgres + action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'" + with_items: '{{ psql_conf_ssl_parameters }}' + notify: Restart postgresql + + - name: Create the pki directory to store the postgresql key + file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750 + + - name: Create a postgres accessible ssl key file if it does not exist + copy: src={{ psql_ssl_privkey_global_file }} dest={{ psql_ssl_privkey_file }} owner=postgres group=postgres mode=0400 remote_src=True + + when: psql_enable_ssl + tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ] + + +- block: + - name: Disable SSL in the postgresql configuration + become: True + become_user: postgres + action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'" + with_items: '{{ psql_conf_disable_ssl_parameters }}' + notify: Restart postgresql + + when: not psql_enable_ssl + tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ] diff --git a/tasks/postgresql_org_repo.yml b/tasks/postgresql_org_repo.yml new file mode 100644 index 0000000..cc6e811 --- /dev/null +++ b/tasks/postgresql_org_repo.yml 
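Review bot: Both `configfile` tasks in postgresql-ssl-config.yml hardcode `/etc/postgresql/{{ psql_version }}/main/postgresql.conf` while postgresql-config.yml and configure-access.yml in this patch write `{{ psql_conf_dir }}/postgresql.conf`; if the variable is ever set to a different directory the SSL parameters end up in a file the server does not read, leaving SSL silently at the package default. `path={{ psql_conf_dir }}/postgresql.conf` on both tasks keeps every configuration edit on the same file. The key copy with `remote_src=True` from `{{ psql_ssl_privkey_global_file }}` only refreshes the private key when the play runs, so a renewed key is stale until then; I assume the letsencrypt hook script added elsewhere in this patch covers that, which I cannot confirm from this hunk.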
@@ -0,0 +1,15 @@ +--- +- name: Get the signing key for the postgresql.org repository + apt_key: url=https://www.postgresql.org/media/keys/ACCC4CF8.asc state=present + when: pg_use_postgresql_org_repo + tags: + - postgresql + - postgresql_repo + +- name: Setup the postgresql.org repository + apt_repository: repo='deb http://apt.postgresql.org/pub/repos/apt/ {{ ansible_lsb.codename }}-pgdg main' update_cache=yes + when: pg_use_postgresql_org_repo + tags: + - postgresql + - postgresql_repo + diff --git a/tasks/psql-kernel-sharedmem.yml b/tasks/psql-kernel-sharedmem.yml new file mode 100644 index 0000000..6a3ca44 --- /dev/null +++ b/tasks/psql-kernel-sharedmem.yml @@ -0,0 +1,8 @@ +--- +- name: Configure the kernel shared memory to please postgresql + sysctl: name={{ item.name }} value={{ item.value }} sysctl_file=/etc/sysctl.d/{{ psql_sysctl_file }} reload=yes state=present + with_items: '{{ psql_sysctl_kernel_sharedmem_parameters }}' + when: psql_set_shared_memory + tags: + - sysctl + - postgresql diff --git a/templates/pcp.conf.j2 b/templates/pcp.conf.j2 new file mode 100644 index 0000000..26a41d8 --- /dev/null +++ b/templates/pcp.conf.j2 @@ -0,0 +1 @@ +{{ pgpool_pcp_user }}:{{ '{{ pcp_pwd }}' | pg_md5 }} diff --git a/templates/pg_backup-default.j2 b/templates/pg_backup-default.j2 new file mode 100644 index 0000000..6164879 --- /dev/null +++ b/templates/pg_backup-default.j2 
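Review bot: `templates/pcp.conf.j2` renders `{{ '{{ pcp_pwd }}' | pg_md5 }}`, which pipes the literal string `{{ pcp_pwd }}` (quoted, so never expanded) through a `pg_md5` filter that is not a core Jinja or Ansible filter; rendering this template would fail, and even with a custom filter it would hash the placeholder text rather than the password. The file is only referenced by a commented-out `template:` line in pgpool-ii.yml, so it is dead as committed; either drop it or make it the real source of pcp.conf by computing the hash in Ansible (for example a `set_fact` from `pcp_pwd | hash('md5')` with `no_log: true`, if that matches what `pg_md5` produces for this pgpool version) and passing the result in as a variable.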
@@ -0,0 +1,26 @@ +PG_SERVICE=postgresql +PG_BACKUP_ENABLED={{ pg_backup_enabled }} +PG_VERSION={{ psql_version }} +PG_DUMP_BIN={{ pg_backup_pgdump_bin }} +PG_BCK_BIN={{ pg_backup_bin }} +{% if pg_backup_enabled %} +USE_NAGIOS={{ pg_backup_use_nagios }} +{% else %} +USE_NAGIOS=no +{% endif %} +LOG_DIR={{ pg_backup_logdir }} +LOG_FILE={{ pg_backup_logfile}} +N_DAYS_TO_SPARE={{ pg_backup_retain_copies }} +BUILD_DBLIST={{ pg_backup_build_db_list }} +{% if pg_backup_db_list is defined %} +DB_LIST="{{ pg_backup_db_list }}" +{% else %} +{% if psql_db_data is defined %} +DB_LIST="{% for db in psql_db_data %}{% if db.managedb is defined and db.managedb %}{{ db.name }} {% endif %}{% endfor %}" +{% else %} +DB_LIST="" +{% endif %} +{% endif %} +PG_USE_AUTH={{ pg_backup_use_auth }} +PG_PASS_FILE={{ pg_backup_pass_file }} +BACKUPDIR={{ pg_backup_destdir }} diff --git a/templates/pgpass.j2 b/templates/pgpass.j2 new file mode 100644 index 0000000..c3d7f75 --- /dev/null +++ b/templates/pgpass.j2 @@ -0,0 +1,10 @@ +# Loop psql_db_data to add multiple databases +{% if psql_db_data is defined %} +{% for db in psql_db_data %} +{% if db.pwd is defined %} +{% if db.managedb is defined and db.managedb %} +{{ psql_db_host }}:{{ psql_db_port }}:{{ db.name }}:{{ db.user }}:{{ db.pwd }} +{% endif %} +{% endif %} +{% endfor %} +{% endif %} diff --git a/templates/pgpool-wd-sudoers.j2 b/templates/pgpool-wd-sudoers.j2 new file mode 100644 index 0000000..9ba1167 --- /dev/null +++ b/templates/pgpool-wd-sudoers.j2 @@ -0,0 +1,3 @@ +{{ pgpool_recovery_user }} ALL=(ALL) NOPASSWD: /bin/ip +{{ pgpool_recovery_user }} ALL=(ALL) NOPASSWD: /usr/bin/arping + diff --git a/templates/pgpool.conf.j2 b/templates/pgpool.conf.j2 new file mode 100644 index 0000000..3718912 --- /dev/null +++ b/templates/pgpool.conf.j2 
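Review bot: `templates/pgpool-wd-sudoers.j2` grants `{{ pgpool_recovery_user }}` passwordless sudo to `/bin/ip` with no argument restriction; `ip` can launch other programs through its subcommands, so this rule is effectively unrestricted root for the recovery user rather than permission to move a virtual IP. Constraining each line to the exact invocations `files/ip_script` and `files/arping_script` issue (fixed interface and address arguments, or a tightly anchored pattern; I cannot see those scripts in this chunk) keeps the capability to what failover needs, and the same applies more narrowly to `/usr/bin/arping`. The `template:` task in pgpool-ii.yml that installs this file, and the postgresql-sudoers.j2 task in postgres_pgpool.yml, should also pass `validate: 'visudo -cf %s'` so a templating mistake cannot leave the host with a broken sudoers drop-in.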
@@ -0,0 +1,677 @@ +# ---------------------------- +# pgPool-II configuration file +# ---------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# Whitespace may be used. Comments are introduced with "#" anywhere on a line. +# The complete list of parameter names and allowed values can be found in the +# pgPool-II documentation. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, or use "pgpool reload". Some +# parameters, which are marked below, require a server shutdown and restart to +# take effect. +# + + +#------------------------------------------------------------------------------ +# CONNECTIONS +#------------------------------------------------------------------------------ + +# - pgpool Connection Settings - + +listen_addresses = '{{ pgpool_listen_addresses }}' + # Host name or IP address to listen on: + # '*' for all, '' for no TCP/IP connections + # (change requires restart) +port = {{ pgpool_port }} + # Port number + # (change requires restart) +socket_dir = '/var/run/postgresql' + # Unix domain socket path + # The Debian package defaults to + # /var/run/postgresql + # (change requires restart) +listen_backlog_multiplier = {{ pgpool_listen_backlog_multiplier }} + # Set the backlog parameter of listen(2) to + # num_init_children * listen_backlog_multiplier. 
+ # (change requires restart) + +# - pgpool Communication Manager Connection Settings - + +pcp_listen_addresses = '{{ pgpool_pcp_listen_addresses }}' + # Host name or IP address for pcp process to listen on: + # '*' for all, '' for no TCP/IP connections + # (change requires restart) +pcp_port = {{ pgpool_pcp_port }} + # Port number for pcp + # (change requires restart) +pcp_socket_dir = '/var/run/postgresql' + # Unix domain socket path for pcp + # The Debian package defaults to + # /var/run/postgresql + # (change requires restart) + +# - Backend Connection Settings - + +{% for bk in pgpool_backends %} +backend_hostname{{ bk.id}} = '{{ bk.hostname }}' +backend_port{{ bk.id }} = {{ bk.backend_port }} +backend_weight{{ bk.id }} = {{ bk.backend_weight }} +backend_data_directory{{ bk.id }} = '{{ bk.backend_data_directory }}' +backend_flag{{ bk.id }} = '{{ bk.backend_flag }}' +{% endfor %} +# - Authentication - + +enable_pool_hba = {{ pgpool_enable_pool_hba }} + # Use pool_hba.conf for client authentication +pool_passwd = '{{ pgpool_pool_passwd }}' + # File name of pool_passwd for md5 authentication. + # "" disables pool_passwd. + # (change requires restart) +authentication_timeout = 60 + # Delay in seconds to complete client authentication + # 0 means no timeout. 
+ +{% if pgpool_enable_ssl %} +# - SSL Connections - +ssl = on +ssl_key = '{{ pgpool_ssl_key }}' +ssl_cert = '{{ pgpool_ssl_cert }}' +ssl_ca_cert = '{{ pgpool_ssl_ca }}' +ssl_ca_cert_dir = '{{ pgpool_ssl_ca_dir }}' +{% endif %} + +#------------------------------------------------------------------------------ +# POOLS +#------------------------------------------------------------------------------ + +# - Pool size - + +num_init_children = {{ pgpool_num_init_children }} + # Number of pools + # (change requires restart) +max_pool = {{ pgpool_max_pool }} + # Number of connections per pool + # (change requires restart) + +# - Life time - + +child_life_time = {{ pgpool_child_life_time }} + # Pool exits after being idle for this many seconds +child_max_connections = {{ pgpool_child_max_connections }} + # Pool exits after receiving that many connections + # 0 means no exit +connection_life_time = {{ pgpool_connection_life_time }} + # Connection to backend closes after being idle for this many seconds + # 0 means no close +client_idle_limit = {{ pgpool_client_idle_limit }} + # Client is disconnected after being idle for that many seconds + # (even inside an explicit transactions!) + # 0 means no disconnection + + +#------------------------------------------------------------------------------ +# LOGS +#------------------------------------------------------------------------------ + +# - Where to log - + +log_destination = '{{ pgpool_log_destination }}' + # Where to log + # Valid values are combinations of stderr, + # and syslog. Default to stderr. + +# - What to log - + +log_line_prefix = '%t: pid %p: ' # printf-style string to output at beginning of each log line. 
+ +log_connections = {{ pgpool_log_connections }} + # Log connections +log_hostname = {{ pgpool_log_hostname }} + # Hostname will be shown in ps status + # and in logs if connections are logged +log_statement = {{ pgpool_log_statement }} + # Log all statements +log_per_node_statement = {{ pgpool_log_per_node_statement }} + # Log all statements + # with node and backend informations +log_standby_delay = 'none' + # Log standby delay + # Valid values are combinations of always, + # if_over_threshold, none + +# - Syslog specific - + +syslog_facility = 'LOCAL0' + # Syslog local facility. Default to LOCAL0 +syslog_ident = 'pgpool' + # Syslog program identification string + # Default to 'pgpool' + +# - Debug - + +debug_level = {{ pgpool_debug_level }} + # Debug message verbosity level + # 0 means no message, 1 or more mean verbose + +#log_error_verbosity = default # terse, default, or verbose messages + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +pid_file_name = '/var/run/postgresql/pgpool.pid' + # PID file name + # (change requires restart) +logdir = '/var/log/postgresql' + # Directory of pgPool status file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTION POOLING +#------------------------------------------------------------------------------ + +connection_cache = on + # Activate connection pools + # (change requires restart) + + # Semicolon separated list of queries + # to be issued at the end of 
a session + # The default is for 8.3 and later +reset_query_list = 'ABORT; DISCARD ALL' + # The following one is for 8.2 and before +#reset_query_list = 'ABORT; RESET ALL; SET SESSION AUTHORIZATION DEFAULT' + +serialize_accept = {{ pgpool_serialize_accept }} + + +#------------------------------------------------------------------------------ +# REPLICATION MODE +#------------------------------------------------------------------------------ + +replication_mode = {{ pgpool_replication_mode }} + # Activate replication mode + # (change requires restart) +replicate_select = {{ pgpool_replicate_select }} + # Replicate SELECT statements + # when in replication mode + # replicate_select is higher priority than + # load_balance_mode. + +insert_lock = {{ pgpool_insert_lock }} + # Automatically locks a dummy row or a table + # with INSERT statements to keep SERIAL data + # consistency + # Without SERIAL, no lock will be issued +lobj_lock_table = '{{ pgpool_lobj_lock_table }}' + # When rewriting lo_creat command in + # replication mode, specify table name to + # lock + +# - Degenerate handling - + +replication_stop_on_mismatch = {{ pgpool_replication_stop_on_mismatch }} + # On disagreement with the packet kind + # sent from backend, degenerate the node + # which is most likely "minority" + # If off, just force to exit this session + +failover_if_affected_tuples_mismatch = {{ pgpool_failover_if_affected_tuples_mismatch }} + # On disagreement with the number of affected + # tuples in UPDATE/DELETE queries, then + # degenerate the node which is most likely + # "minority". 
+ # If off, just abort the transaction to + # keep the consistency + + +#------------------------------------------------------------------------------ +# LOAD BALANCING MODE +#------------------------------------------------------------------------------ + +load_balance_mode = {{ pgpool_load_balance_mode }} + # Activate load balancing mode + # (change requires restart) +ignore_leading_white_space = {{ pgpool_ignore_leading_white_space }} + # Ignore leading white spaces of each query +white_function_list = '{{ pgpool_white_function_list }}' + # Comma separated list of function names + # that don't write to database + # Regexp are accepted +black_function_list = '{{ pgpool_black_function_list }}' + # Comma separated list of function names + # that write to database + # Regexp are accepted + +database_redirect_preference_list = '' + # comma separated list of pairs of database and node id. + # example: postgres:primary,mydb[0-4]:1,mydb[5-9]:2' + # valid for streaming replicaton mode only. + +app_name_redirect_preference_list = '' + # comma separated list of pairs of app name and node id. + # example: 'psql:primary,myapp[0-4]:1,myapp[5-9]:standby' + # valid for streaming replicaton mode only. +allow_sql_comments = {{ pgpool_allow_sql_comments }} + # if on, ignore SQL comments when judging if load balance or + # query cache is possible. + # If off, SQL comments effectively prevent the judgment + # (pre 3.4 behavior). + +#------------------------------------------------------------------------------ +# MASTER/SLAVE MODE +#------------------------------------------------------------------------------ + +master_slave_mode = off + # Activate master/slave mode + # (change requires restart) +master_slave_sub_mode = 'slony' + # Master/slave sub mode + # Valid values are combinations slony or + # stream. Default is slony. 
+ # (change requires restart)
+
+# - Streaming -
+
+sr_check_period = 0
+ # Streaming replication check period
+ # Disabled (0) by default
+sr_check_user = 'nobody'
+ # Streaming replication check user
+ # This is neccessary even if you disable streaming
+ # replication delay check by sr_check_period = 0
+sr_check_password = ''
+ # Password for streaming replication check user
+delay_threshold = 0
+ # Threshold before not dispatching query to standby node
+ # Unit is in bytes
+ # Disabled (0) by default
+
+# - Special commands -
+
+follow_master_command = ''
+ # Executes this command after master failover
+ # Special values:
+ # %d = node id
+ # %h = host name
+ # %p = port number
+ # %D = database cluster path
+ # %m = new master node id
+ # %H = hostname of the new master node
+ # %M = old master node id
+ # %P = old primary node id
+ # %r = new master port number
+ # %R = new master database cluster path
+ # %% = '%' character
+
+#------------------------------------------------------------------------------
+# HEALTH CHECK
+#------------------------------------------------------------------------------
+
+health_check_period = 0
+ # Health check period
+ # Disabled (0) by default
+health_check_timeout = 20
+ # Health check timeout
+ # 0 means no timeout
+health_check_user = 'nobody'
+ # Health check user
+health_check_password = ''
+ # Password for health check user
+health_check_max_retries = 0
+ # Maximum number of times to retry a failed health check before giving up.
+health_check_retry_delay = 1
+ # Amount of time to wait (in seconds) between retries.
+connect_timeout = 10000
+ # Timeout value in milliseconds before giving up to connect to backend.
+ # Default is 10000 ms (10 second). Flaky network user may want to increase
+ # the value. 0 means no timeout.
+ # Note that this value is not only used for health check,
+ # but also for ordinary conection to backend.
+
+#------------------------------------------------------------------------------
+# FAILOVER AND FAILBACK
+#------------------------------------------------------------------------------
+
+failover_command = ''
+ # Executes this command at failover
+ # Special values:
+ # %d = node id
+ # %h = host name
+ # %p = port number
+ # %D = database cluster path
+ # %m = new master node id
+ # %H = hostname of the new master node
+ # %M = old master node id
+ # %P = old primary node id
+ # %r = new master port number
+ # %R = new master database cluster path
+ # %% = '%' character
+failback_command = ''
+ # Executes this command at failback.
+ # Special values:
+ # %d = node id
+ # %h = host name
+ # %p = port number
+ # %D = database cluster path
+ # %m = new master node id
+ # %H = hostname of the new master node
+ # %M = old master node id
+ # %P = old primary node id
+ # %r = new master port number
+ # %R = new master database cluster path
+ # %% = '%' character
+
+fail_over_on_backend_error = {{ pgpool_fail_over_on_backend_error }}
+ # Initiates failover when reading/writing to the
+ # backend communication socket fails
+ # If set to off, pgpool will report an
+ # error and disconnect the session.
+
+search_primary_node_timeout = 10
+ # Timeout in seconds to search for the
+ # primary node when a failover occurs.
+ # 0 means no timeout, keep searching
+ # for a primary node forever.
+
+#------------------------------------------------------------------------------
+# ONLINE RECOVERY
+#------------------------------------------------------------------------------
+
+recovery_user = '{{ pgpool_recovery_user }}'
+ # Online recovery user
+{% if pgpool_recovery_user_pwd is defined %}
+recovery_password = '{{ pgpool_recovery_user_pwd | default() }}'
+ # Online recovery password
+{% else %}
+recovery_password = ''
+{% endif %}
+recovery_1st_stage_command = '{{ pgpool_recovery_stage1_script }}'
+ # Executes a command in first stage
+recovery_2nd_stage_command = '{{ pgpool_recovery_stage2_script }}'
+ # Executes a command in second stage
+recovery_timeout = {{ pgpool_recovery_timeout }}
+ # Timeout in seconds to wait for the
+ # recovering node's postmaster to start up
+ # 0 means no wait
+client_idle_limit_in_recovery = {{ pgpool_client_idle_limit_in_recovery }}
+ # Client is disconnected after being idle
+ # for that many seconds in the second stage
+ # of online recovery
+ # 0 means no disconnection
+ # -1 means immediate disconnection
+
+
+#------------------------------------------------------------------------------
+# WATCHDOG
+#------------------------------------------------------------------------------
+
+# - Enabling -
+
+use_watchdog = {{ pgpool_use_watchdog }}
+ # Activates watchdog
+ # (change requires restart)
+
+# -Connection to up stream servers -
+
+trusted_servers = '{{ pgpool_wd_trusted_servers }}'
+ # trusted server list which are used
+ # to confirm network connection
+ # (hostA,hostB,hostC,...)
+ # (change requires restart)
+ping_path = '/bin'
+ # ping command path
+ # (change requires restart)
+
+# - Watchdog communication Settings -
+
+wd_hostname = '{{ ansible_default_ipv4.address }}'
+ # Host name or IP address of this watchdog
+ # (change requires restart)
+wd_port = 9000
+ # port number for watchdog service
+ # (change requires restart)
+wd_authkey = '{{ pgpool_wd_authkey }}'
+ # Authentication key for watchdog communication
+ # (change requires restart)
+
+# - Virtual IP control Setting -
+
+delegate_IP = '{{ pgpool_virtual_ip }}'
+ # delegate IP address
+ # If this is empty, virtual IP never bring up.
+ # (change requires restart)
+if_cmd_path = '/sbin'
+ # ifconfig command path
+ # (change requires restart)
+if_up_cmd = 'ip_script addr add {{ pgpool_virtual_ip }}/{{ pgpool_virtual_netmask }} dev {{ ansible_default_ipv4.alias }}'
+ # startup delegate IP command
+ # (change requires restart)
+if_down_cmd = 'ip_script addr del {{ pgpool_virtual_ip }}/{{ pgpool_virtual_netmask }} dev {{ ansible_default_ipv4.alias }}'
+ # shutdown delegate IP command
+ # (change requires restart)
+
+arping_path = '/usr/local/bin' # arping command path
+ # (change requires restart)
+
+arping_cmd = 'arping_script -U $_IP_$ -w 1'
+ # arping command
+ # (change requires restart)
+
+# - Behaivor on escalation Setting -
+
+clear_memqcache_on_escalation = on
+ # Clear all the query cache on shared memory
+ # when standby pgpool escalate to active pgpool
+ # (= virtual IP holder).
+ # This should be off if client connects to pgpool
+ # not using virtual IP.
+ # (change requires restart)
+wd_escalation_command = 'date >> {{ psql_log_dir }}/wd_pgpool_escalation.log'
+ # Executes this command at escalation on new active pgpool.
+ # (change requires restart)
+wd_de_escalation_command = 'date >> {{ psql_log_dir }}/wd_pgpool_de_escalation.log'
+
+# - Lifecheck Setting -
+
+# -- common --
+wd_monitoring_interfaces_list = 'any'
+
+wd_lifecheck_method = 'heartbeat'
+ # Method of watchdog lifecheck ('heartbeat' or 'query')
+ # (change requires restart)
+wd_interval = 10
+ # lifecheck interval (sec) > 0
+ # (change requires restart)
+
+wd_priority = {{ pgpool_wd_priority }}
+
+{% if pgpool_wd_heartbeat_mode %}
+# -- heartbeat mode --
+
+wd_heartbeat_port = {{ pgpool_wd_heartbeat_port }}
+ # Port number for receiving heartbeat signal
+ # (change requires restart)
+wd_heartbeat_keepalive = {{ pgpool_wd_heartbeat_keepalive_int }}
+ # Interval time of sending heartbeat signal (sec)
+ # (change requires restart)
+wd_heartbeat_deadtime = {{ pgpool_wd_heartbeat_deadtime }}
+ # Deadtime interval for heartbeat signal (sec)
+ # (change requires restart)
+heartbeat_destination0 = '{{ pgpool_wd_heartbeat_dest0 }}'
+ # Host name or IP address of destination 0
+ # for sending heartbeat signal.
+ # (change requires restart)
+heartbeat_destination_port0 = {{ pgpool_wd_heartbeat_dest0_port }}
+ # Port number of destination 0 for sending
+ # heartbeat signal. Usually this is the
+ # same as wd_heartbeat_port.
+ # (change requires restart)
+heartbeat_device0 = ''
+ # Name of NIC device (such like 'eth0')
+ # used for sending/receiving heartbeat
+ # signal to/from destination 0.
+ # This works only when this is not empty
+ # and pgpool has root privilege.
+ # (change requires restart)
+
+{% else %}
+# -- query mode --
+
+wd_life_point = 3
+ # lifecheck retry times
+ # (change requires restart)
+wd_lifecheck_query = 'SELECT 1'
+ # lifecheck query to pgpool from watchdog
+ # (change requires restart)
+wd_lifecheck_dbname = 'template1'
+ # Database name connected for lifecheck
+ # (change requires restart)
+wd_lifecheck_user = 'nobody'
+ # watchdog user monitoring pgpools in lifecheck
+ # (change requires restart)
+wd_lifecheck_password = ''
+ # Password for watchdog user in lifecheck
+ # (change requires restart)
+
+
+{% endif %}
+# - Other pgpool Connection Settings -
+
+other_pgpool_hostname0 = '{{ pgpool_wd_heartbeat_dest0 }}'
+ # Host name or IP address to connect to for other pgpool 0
+ # (change requires restart)
+other_pgpool_port0 = {{ pgpool_port }}
+ # Port number for othet pgpool 0
+ # (change requires restart)
+other_wd_port0 = {{ pgpool_wd_port }}
+ # Port number for othet watchdog 0
+ # (change requires restart)
+
+#------------------------------------------------------------------------------
+# OTHERS
+#------------------------------------------------------------------------------
+relcache_expire = {{ pgpool_relcache_expire }}
+ # Life time of relation cache in seconds.
+ # 0 means no cache expiration(the default).
+ # The relation cache is used for cache the
+ # query result against PostgreSQL system
+ # catalog to obtain various information
+ # including table structures or if it's a
+ # temporary table or not. The cache is
+ # maintained in a pgpool child local memory
+ # and being kept as long as it survives.
+ # If someone modify the table by using
+ # ALTER TABLE or some such, the relcache is
+ # not consistent anymore.
+ # For this purpose, cache_expiration
+ # controls the life time of the cache.
+relcache_size = 256
+ # Number of relation cache
+ # entry. If you see frequently:
+ # "pool_search_relcache: cache replacement happend"
+ # in the pgpool log, you might want to increate this number.
+
+check_temp_table = on
+ # If on, enable temporary table check in SELECT statements.
+ # This initiates queries against system catalog of primary/master
+ # thus increases load of master.
+ # If you are absolutely sure that your system never uses temporary tables
+ # and you want to save access to primary/master, you could turn this off.
+ # Default is on.
+
+check_unlogged_table = on
+ # If on, enable unlogged table check in SELECT statements.
+ # This initiates queries against system catalog of primary/master
+ # thus increases load of master.
+ # If you are absolutely sure that your system never uses unlogged tables
+ # and you want to save access to primary/master, you could turn this off.
+ # Default is on.
+
+#------------------------------------------------------------------------------
+# IN MEMORY QUERY MEMORY CACHE
+#------------------------------------------------------------------------------
+memory_cache_enabled = {{ pgpool_memory_cache_enabled }}
+ # If on, use the memory cache functionality, off by default
+memqcache_method = '{{ pgpool_memqcache_method }}'
+ # Cache storage method. either 'shmem'(shared memory) or
+ # 'memcached'. 'shmem' by default
+ # (change requires restart)
+memqcache_memcached_host = '{{ pgpool_memqcache_memcached_host }}'
+ # Memcached host name or IP address. Mandatory if
+ # memqcache_method = 'memcached'.
+ # Defaults to localhost.
+ # (change requires restart)
+memqcache_memcached_port = {{ pgpool_memqcache_memcached_port }}
+ # Memcached port number. Mondatory if memqcache_method = 'memcached'.
+ # Defaults to 11211.
+ # (change requires restart)
+memqcache_total_size = 67108864
+ # Total memory size in bytes for storing memory cache.
+ # Mandatory if memqcache_method = 'shmem'.
+ # Defaults to 64MB.
+ # (change requires restart)
+memqcache_max_num_cache = 1000000
+ # Total number of cache entries. Mandatory
+ # if memqcache_method = 'shmem'.
+ # Each cache entry consumes 48 bytes on shared memory.
+ # Defaults to 1,000,000(45.8MB).
+ # (change requires restart)
+memqcache_expire = {{ pgpool_memqcache_expire }} # Memory cache entry life time specified in seconds.
+ # 0 means infinite life time. 0 by default.
+ # (change requires restart)
+memqcache_auto_cache_invalidation = {{ pgpool_memqcache_auto_cache_invalidation }}
+ # If on, invalidation of query cache is triggered by corresponding
+ # DDL/DML/DCL(and memqcache_expire). If off, it is only triggered
+ # by memqcache_expire. on by default.
+ # (change requires restart)
+memqcache_maxcache = 409600
+ # Maximum SELECT result size in bytes.
+ # Must be smaller than memqcache_cache_block_size. Defaults to 400KB.
+ # (change requires restart)
+memqcache_cache_block_size = 1048576
+ # Cache block size in bytes. Mandatory if memqcache_method = 'shmem'.
+ # Defaults to 1MB.
+ # (change requires restart)
+memqcache_oiddir = '/var/log/pgpool/oiddir'
+ # Temporary work directory to record table oids
+ # (change requires restart)
+white_memqcache_table_list = ''
+ # Comma separated list of table names to memcache
+ # that don't write to database
+ # Regexp are accepted
+black_memqcache_table_list = ''
+ # Comma separated list of table names not to memcache
+ # that don't write to database
+ # Regexp are accepted
diff --git a/templates/pgpool_recovery_stage_1.j2 b/templates/pgpool_recovery_stage_1.j2
new file mode 100644
index 0000000..8b77ffa
--- /dev/null
+++ b/templates/pgpool_recovery_stage_1.j2
@@ -0,0 +1,43 @@
+#!/bin/bash
+# PGpool stage 1 recovery script
+# Reference: http://michael.stapelberg.de/Artikel/replicated_postgresql_with_pgpool
+#
+TS=$(date +%Y-%m-%d_%H-%M-%S)
+MASTER_HOST=$(hostname -f)
+# $1 is {{ psql_data_dir }}/main while $3 is {{ psql_data_dir }}
+MASTER_DATA=$1
+MASTER_DATA_BASE_DIR={{ psql_data_dir }}
+RECOVERY_TARGET=${2}
+RECOVERY_DATA=${3}/main
+RECOVERY_DATA_BASE_DIR={{ psql_data_dir }}
+
+logger "pgpool_recovery_1: MASTER_DATA=$MASTER_DATA"
+logger "pgpool_recovery_1: RECOVERY_DATA=$RECOVERY_DATA"
+
+archive_dir={{ psql_wal_archiving_log_dir }}
+
+# Ensure that postgres is shut down on the target node
+ssh -T $RECOVERY_TARGET sudo /etc/init.d/postgresql stop
+
+# Move the PostgreSQL data directory out of our way.
+ssh -T $RECOVERY_TARGET \
+ "[ -d $RECOVERY_DATA ] && mv $RECOVERY_DATA $RECOVERY_DATA.$TS"
+
+# If the archive dir is not empty the backup fails
+ssh -T $RECOVERY_TARGET \
+ "[ -d $archive_dir ] && rm $archive_dir/*"
+
+# We only use archived WAL logs during recoveries, so delete all
+# logs from the last recovery to limit the growth.
+rm $archive_dir/*
+
+# With this file present, our archive_command will actually
+# archive WAL files.
+touch $archive_dir/backup_in_progress
+
+psql -c "select pg_start_backup('pgpool-recovery')" postgres
+echo "restore_command = 'scp $MASTER_HOST:$archive_dir/%f %p'" > $RECOVERY_DATA/recovery.conf
+tar -C $MASTER_DATA_BASE_DIR -zcf pgsql.tar.gz main
+psql -c 'select pg_stop_backup()' postgres
+scp pgsql.tar.gz $RECOVERY_TARGET:$RECOVERY_DATA_BASE_DIR
+
diff --git a/templates/pgpool_recovery_stage_2.j2 b/templates/pgpool_recovery_stage_2.j2
new file mode 100644
index 0000000..d9e037b
--- /dev/null
+++ b/templates/pgpool_recovery_stage_2.j2
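Review bot: `rm $archive_dir/*` and the remote `"[ -d $archive_dir ] && rm $archive_dir/*"` run with no guard, so an empty `psql_wal_archiving_log_dir` turns both into `rm /*`; write the local one as `rm -f -- "${archive_dir:?}"/*` and build the remote command with `printf %q` on the path rather than bare interpolation. The script has no `set -euo pipefail` and checks no exit status, so a failed `pg_start_backup` (or a remote stop that did not actually happen) still leads to the tar and `scp` of an inconsistent base backup. `pgsql.tar.gz`, a full copy of the cluster, is written under a fixed name into whatever the working directory is when the script is invoked and is never removed; give it an explicit path and delete it after the `scp`. The `recovery.conf` is written to `$RECOVERY_DATA` on the master's own filesystem, which is the master's live data directory whenever `$3` is `{{ psql_data_dir }}`; presumably that is how it gets into the tarball, but it is left behind on the master afterwards, so confirm that is intended.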
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Online recovery 2nd stage script
+#
+MASTER_DATA_BASE_DIR={{ psql_data_dir }}
+MASTER_DATA=${1}
+RECOVERY_TARGET=${2}
+RECOVERY_DATA_BASE_DIR={{ psql_data_dir }}
+RECOVERY_DATA=${3}
+port={{ psql_db_port }} # PostgreSQL port number
+
+archive_dir={{ psql_wal_archiving_log_dir }}
+
+logger "pgpool_recovery_2: MASTER_DATA=$MASTER_DATA"
+logger "pgpool_recovery_2: RECOVERY_DATA=$RECOVERY_DATA"
+logger "pgpool_recovery_2: archive_dir=$archive_dir"
+
+
+# Force to flush current value of sequences to xlog
+psql -p $port -t -c 'SELECT datname FROM pg_database WHERE NOT datistemplate AND datallowconn' template1|
+while read i
+do
+ if [ "$i" != "" ];then
+ psql -p $port -c "SELECT setval(oid, nextval(oid)) FROM pg_class WHERE relkind = 'S'" $i
+ fi
+done
+
+# Flush all transactions to disk. Since pgpool stopped all connections,
+# there cannot be any data that does not reside on disk until the
+# to-be-recovered host is back on line.
+psql -p $port -c "SELECT pgpool_switch_xlog('$archive_dir')" template1
+
+# Copy over all archive logs at once.
+rsync -avx --delete $archive_dir/ \
+ $RECOVERY_TARGET:$archive_dir/
+
+# Delete the flag file to disable WAL archiving again.
+rm $archive_dir/backup_in_progress
diff --git a/templates/pgpool_remote_start.j2 b/templates/pgpool_remote_start.j2
new file mode 100644
index 0000000..6c44c25
--- /dev/null
+++ b/templates/pgpool_remote_start.j2
@@ -0,0 +1,8 @@
+#!/bin/bash
+DEST=$1
+DESTDIR=$2
+
+# Deploy a base backup
+ssh -T $DEST 'cd {{ psql_data_dir }}; tar zxf pgsql.tar.gz' 2>/dev/null 1>/dev/null < /dev/null
+# Startup PostgreSQL server
+ssh -T $DEST sudo /etc/init.d/postgresql start 2>/dev/null 1>/dev/null < /dev/null
diff --git a/templates/postgresql-sudoers.j2 b/templates/postgresql-sudoers.j2
new file mode 100644
index 0000000..9726c80
--- /dev/null
+++ b/templates/postgresql-sudoers.j2
@@ -0,0 +1,3 @@
+postgres ALL=(ALL) NOPASSWD: /etc/init.d/postgres*
+
+
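Review bot: `rsync -avx --delete $archive_dir/ $RECOVERY_TARGET:$archive_dir/` expands an empty or unset `psql_wal_archiving_log_dir` to `/`, which with `--delete` pushes the master's root filesystem onto the target and removes whatever the master lacks; write it as `"${archive_dir:?}/" "$RECOVERY_TARGET:${archive_dir:?}/"` so the script aborts instead, and give the `rm` on the last line the same treatment. The script also runs without `set -e` and never checks the `pgpool_switch_xlog` call, so a failed switch still lets the rsync ship an archive missing the final segment. `while read i` should be `while IFS= read -r i` so database names are not altered by backslash processing or whitespace trimming, and the `$i` handed to `psql` should be quoted.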
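Review bot: Both `ssh` calls in pgpool_remote_start.j2 discard stdout and stderr with `2>/dev/null 1>/dev/null` and their exit status is never examined, so a failed `cd`, a missing `pgsql.tar.gz`, or a PostgreSQL start failure leaves pgpool with no signal that the recovered node is not up; use `cd {{ psql_data_dir }} && tar zxf pgsql.tar.gz` so the extract can never run in the wrong directory, keep stderr (or route it to `logger`), and end the script with the status of the last ssh. `$DEST` should be quoted, and the extracted `pgsql.tar.gz`, a full copy of the cluster, should be removed after the extract so it does not linger in the data directory. `DESTDIR` is assigned but never used.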
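Review bot: `postgres ALL=(ALL) NOPASSWD: /etc/init.d/postgres*` in postgresql-sudoers.j2 grants the database account passwordless root for any executable matching the glob with any arguments; the recovery scripts in this commit only invoke `/etc/init.d/postgresql stop` and `start`, so list exactly those: `postgres ALL=(root) NOPASSWD: /etc/init.d/postgresql start, /etc/init.d/postgresql stop`. The fragment should also be installed with `validate: visudo -cf %s` on the copying task (not in this view), since a malformed sudoers fragment makes sudo refuse every command on the host; the two trailing blank lines are harmless but can go.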
diff --git a/templates/postgresql_wal_backup_and_removal.j2 b/templates/postgresql_wal_backup_and_removal.j2
new file mode 100644
index 0000000..22d6454
--- /dev/null
+++ b/templates/postgresql_wal_backup_and_removal.j2
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+BASE_BACKUP_DIR={{ psql_base_backup_dir }}
+WAL_ARCHIVES_LOG_DIR={{ psql_wal_archiving_log_dir }}
+WAL_LATEST_BACKUP=
+
+# The base backup dir needs to be empty
+
+rm -f $BASE_BACKUP_DIR/*
+pg_basebackup -F t -z -D $BASE_BACKUP_DIR
+
+cd $WAL_ARCHIVES_LOG_DIR
+WAL_LATEST_BACKUP=$( /bin/ls -1tr *.backup | tail -1 )
+pg_archivecleanup $WAL_ARCHIVES_LOG_DIR $WAL_LATEST_BACKUP
+
+exit $?
+
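Review bot: `rm -f $BASE_BACKUP_DIR/*` runs unguarded, so an empty `psql_base_backup_dir` makes it `rm -f /*`, and nothing checks `pg_basebackup` or the `cd` before `pg_archivecleanup` starts deleting WAL segments; when the `cd` fails, `ls *.backup` searches whatever directory the job started in and `pg_archivecleanup` is called without a valid oldest-kept file. Add `set -euo pipefail`, use `"${BASE_BACKUP_DIR:?}"` on the `rm`, quote every expansion, and refuse to run the cleanup when no `.backup` file was found, as below. `exit $?` becomes redundant once the script aborts on the first failure.
```shell
#!/bin/bash
set -euo pipefail

BASE_BACKUP_DIR={{ psql_base_backup_dir }}
WAL_ARCHIVES_LOG_DIR={{ psql_wal_archiving_log_dir }}
# … unchanged: WAL_LATEST_BACKUP declaration …

# The base backup dir needs to be empty; ':?' aborts instead of expanding to /*
rm -f -- "${BASE_BACKUP_DIR:?}"/*
pg_basebackup -F t -z -D "$BASE_BACKUP_DIR"

# Under set -e a failed cd aborts here instead of cleaning up the wrong directory
cd "$WAL_ARCHIVES_LOG_DIR"
WAL_LATEST_BACKUP=$(/bin/ls -1tr -- *.backup | tail -n 1)
[ -n "$WAL_LATEST_BACKUP" ] || { echo "no .backup file in $WAL_ARCHIVES_LOG_DIR" >&2; exit 1; }
pg_archivecleanup "$WAL_ARCHIVES_LOG_DIR" "$WAL_LATEST_BACKUP"
```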