---
################################################################################
# description: Generates and installs a new replication key and a new self-signed certificate to a GROUP of MongoDB 3x servers on CentOS7x
# usage: CentOS7x_Generate-and-Install-both-a-new-MongoDB-Replication-Key-and-a-new-Self-Signed-Certificate-playbook.yml --extra-vars 'HostOrGroup=YourGroupNameGoesHere'
# author: Ernest G. Wilson II <[email protected]> (https://github.com/ernestgwilsonii)
# license: MIT
################################################################################
# Ansible Playbook options
# REF: http://docs.ansible.com/ansible/playbooks.html
#####################################################
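- name: Generate prerequistite MongoDB replication key on the Ansible host
  hosts: localhost
  serial: "100%"
  gather_facts: false
  tasks:
    # Execute shell command(s)
    # The shell module is used (rather than raw) because every command below
    # relies on shell features: umask, && chaining and > redirection.
    # REF: http://docs.ansible.com/ansible/shell_module.html
    ##########################################################
    # Generate a new replication key.
    # umask 077: the key is a shared secret, so it must never be created
    # world-readable in /tmp. With the usual 022 umask the redirect would
    # create it 0644, readable by every local user until the cleanup play.
    - name: umask 077 && /usr/bin/openssl rand -base64 756 > /tmp/mongod-replication.key
      shell: umask 077 && /usr/bin/openssl rand -base64 756 > /tmp/mongod-replication.key
    # Generate a new self-signed certificate.
    # -nodes writes the private key unencrypted, so the same umask applies.
    # The subject and the 10-year validity (-days 3650) are hard-coded here;
    # change them to match your environment before running the playbook.
    - name: umask 077 && cd /tmp && /usr/bin/openssl req -nodes -newkey rsa:2048 -new -x509 -days 3650 -keyout mongodb-cert.key -out mongodb-cert.crt -subj '/C=US/ST=Washington/L=Seattle/O=CenturyLink/OU=Cloud/CN=*.centurylink.local/[email protected]'
      shell: umask 077 && cd /tmp && /usr/bin/openssl req -nodes -newkey rsa:2048 -new -x509 -days 3650 -keyout mongodb-cert.key -out mongodb-cert.crt -subj '/C=US/ST=Washington/L=Seattle/O=CenturyLink/OU=Cloud/CN=*.centurylink.local/[email protected]'
    # Create a single usable file that the MongoDB configuration will use as
    # the self-signed certificate. The PEM contains the private key as well
    # as the certificate, hence umask 077 again.
    - name: umask 077 && cd /tmp && cat mongodb-cert.key mongodb-cert.crt > mongodb.pem
      shell: umask 077 && cd /tmp && cat mongodb-cert.key mongodb-cert.crt > mongodb.pem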
# Ansible Playbook options
# REF: http://docs.ansible.com/ansible/playbooks.html
#####################################################
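- name: install a new replication key to a GROUP of MongoDB 3x servers on CentOS7x
  # HostOrGroup comes from --extra-vars. If it is not set, the default text
  # is used as the host pattern; it will most likely match no host, so the
  # play is skipped with a "no hosts matched" warning rather than a hard
  # failure — check the run output for that warning.
  hosts: "{{ HostOrGroup|default ('FATAL ERROR --> HostOrGroup NOT SET! You must specify either a Host or a Group name!') }}"
  serial: "100%"
  gather_facts: false
  tasks:
    # Use the copy module to copy various files into place
    # Module arguments are given as native YAML; file modes are quoted so the
    # leading zero is not re-interpreted as an octal integer.
    # REF: http://docs.ansible.com/ansible/copy_module.html
    #######################################################
    # /var/lib/mongo/mongod-replication.key — shared cluster secret,
    # readable by the mongod user only.
    - name: Copy temporary Ansible local file /tmp/mongod-replication.key to MongoDB remote /var/lib/mongo/mongod-replication.key
      copy:
        src: /tmp/mongod-replication.key
        dest: /var/lib/mongo/mongod-replication.key
        owner: mongod
        group: mongod
        mode: "0400"
    # /etc/ssl/mongodb.pem — this file holds the private key together with
    # the certificate, so it must not be world-readable (it was 0444 before).
    # 0400 is sufficient because it is owned by the mongod user, which the
    # service runs as.
    - name: Copy temporary Ansible local file /tmp/mongodb.pem to MongoDB remote /etc/ssl/mongodb.pem
      copy:
        src: /tmp/mongodb.pem
        dest: /etc/ssl/mongodb.pem
        owner: mongod
        group: mongod
        mode: "0400"
    # shell - Executes a command through the shell on a remote node.
    # The command module does not interpret '>' redirection: it would pass
    # '>' and the sysfs path to echo as ordinary arguments and the kernel
    # setting would never change. The shell module is required here.
    # Note: these writes are not persistent across a reboot.
    # REF: http://docs.ansible.com/ansible/shell_module.html
    ##########################################################
    - name: Ensure current active running value transparent_hugepage/defrag is set to never
      shell: echo never > /sys/kernel/mm/transparent_hugepage/defrag
    - name: Ensure current active running value transparent_hugepage/enabled is set to never
      shell: echo never > /sys/kernel/mm/transparent_hugepage/enabled
    # Enable and start mongod service
    # state: restarted always restarts, so the new key and certificate are
    # picked up even when the files were unchanged.
    # REF: http://docs.ansible.com/ansible/service_module.html
    ##########################################################
    - name: Re-start the mongod service
      service:
        name: mongod.service
        enabled: true
        state: restarted
    # Note: Command line verification:
    # systemctl status mongod.service
    # systemctl status mongod.service -l
    # service mongod status
    # ls /var/lib/mongo
    # cat /var/log/messages | grep mongod
    # cat /usr/lib/systemd/system/mongod.service
    # cat /etc/mongod.conf
    # cat /var/log/mongodb/mongod.log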
# Ansible Playbook options
# REF: http://docs.ansible.com/ansible/playbooks.html
#####################################################
- name: Post deployment cleanup of the MongoDB replication key and self-signed certicate files from the temporary location on the Ansible host
  hosts: localhost
  serial: "100%"
  gather_facts: false
  tasks:
    # Use the file module with state: absent to remove the temporary secret
    # material (key, certificate, private key and combined PEM) from /tmp.
    # This play only runs if the preceding plays complete; an aborted run
    # leaves these files behind on the Ansible host.
    # REF: http://docs.ansible.com/ansible/file_module.html
    #######################################################
    - name: Remove temporary key and certificate files from /tmp
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /tmp/mongod-replication.key
        - /tmp/mongodb-cert.crt
        - /tmp/mongodb-cert.key
        - /tmp/mongodb.pem