From 75d5ceb6f0de00a922eda0c91687bc5477679a28 Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Wed, 26 Aug 2020 09:23:29 +0200 Subject: [PATCH 01/16] haproxy_runc: adding runc / docker based haproxy reusable service --- .../roles/haproxy_runc/defaults/main.yml | 5 ++ .../roles/haproxy_runc/meta/main.yml | 3 + .../roles/haproxy_runc/tasks/main.yml | 18 +++++ .../tasks/setup-runc-container.yml | 66 +++++++++++++++++++ .../haproxy_runc/tasks/setup-systemd-unit.yml | 21 ++++++ .../haproxy_runc/templates/haproxy.service.j2 | 14 ++++ 6 files changed, 127 insertions(+) create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/defaults/main.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/meta/main.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/defaults/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/defaults/main.yml new file mode 100644 index 0000000000..8b0590e0fe --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/defaults/main.yml @@ -0,0 +1,5 @@ +--- +runc_dir: "/opt/runc" +haproxy_version: "2.2.2" +haproxy_image_tag: "{{ haproxy_version }}-alpine" +haproxy_image: "{{ image_registry_address }}/haproxy:{{ haproxy_image_tag }}" diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/meta/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/meta/main.yml new file mode 100644 index 0000000000..745ba4d956 --- /dev/null 
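Review bot: `haproxy_image` in `defaults/main.yml` is resolved by the mutable tag `{{ haproxy_version }}-alpine` only, so the rootfs that `runc` later runs as a host system service is whatever the registry happens to serve for that tag at pull time. If the mirror behind `image_registry_address` does not enforce content trust, pinning by digest, e.g. a separate `haproxy_image_digest` default and `haproxy_image: "{{ image_registry_address }}/haproxy@{{ haproxy_image_digest }}"`, or checking the pulled image's `RepoDigests` against a recorded value, would make the extracted rootfs reproducible and verifiable. A one-line comment stating that the tag is intentionally mutable would be the minimum if digest pinning is not wanted here.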
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: preflight_facts diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml new file mode 100644 index 0000000000..d9a0421855 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml @@ -0,0 +1,18 @@ +--- +- name: Assert input parameters + assert: + that: + - haproxy_service is defined + +- name: Setup runc container + include_tasks: setup-runc-container.yml + +- name: Setup systemd unit + include_tasks: setup-systemd-unit.yml + +- name: Enable and start {{ haproxy_service }} service + systemd: + name: "{{ haproxy_service }}" + state: started + enabled: true + daemon_reload: true diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml new file mode 100644 index 0000000000..c7698038a3 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml 
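Review bot: The assert in `tasks/main.yml` only checks that `haproxy_service` is defined, yet the value is later spliced unquoted into a systemd unit (`runc run --detach {{ haproxy_service }}`), used as the runc container id and embedded in paths under `/etc/haproxy/` and `{{ runc_dir }}`, so a value containing whitespace, `/` or `..` produces a broken or relocated unit instead of a clear failure. Tightening the check to `- haproxy_service is match('^[A-Za-z0-9][A-Za-z0-9_.-]*$')` with a `fail_msg` would reject bad input before anything is written to the host. The final `systemd` task only ensures `state: started`, so a config change on a later run is not applied to the running container; if that is intentional, a comment saying that callers are responsible for restarting would avoid surprises.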
@@ -0,0 +1,66 @@ +--- +- name: Assert input parameters + assert: + that: + - runc_dir is defined + - haproxy_service is defined + - haproxy_image_tag is defined + - haproxy_image is defined + +- name: Set haproxy related facts + set_fact: + haproxy_dir: "{{ runc_dir }}/{{ haproxy_service }}" + haproxy_archive: /tmp/haproxy-{{ haproxy_image_tag }}.tar + +- name: Pull and export haproxy docker container + shell: | + docker pull {{ haproxy_image }} && docker export $(docker create {{ haproxy_image }}) --output {{ haproxy_archive }} + args: + creates: "{{ haproxy_archive }}" + +- name: Extract haproxy container archive + shell: | + install -d {{ haproxy_dir }}/rootfs/ && tar xpf {{ haproxy_archive }} -C {{ haproxy_dir }}/rootfs/ + args: + creates: "{{ haproxy_dir }}/rootfs/" + +- name: Create initial config.json file + shell: | + runc spec + args: + chdir: "{{ haproxy_dir }}/" + creates: "{{ haproxy_dir }}/config.json" + +- name: Slurp config.json file contents + slurp: + src: "{{ haproxy_dir }}/config.json" + register: slurp_config_json + +- name: Adjust and save config.json file contents + copy: + dest: "{{ haproxy_dir }}/config.json" + # Update and render json payload + content: | + {{ _document | combine(_update, recursive=true) | to_nice_json }} + vars: + # Parse json payload + _document: >- + {{ slurp_config_json.content | b64decode | from_json }} + # Define extra volume mounts + _mounts: + - destination: /usr/local/etc/haproxy/haproxy.cfg + source: /etc/haproxy/{{ haproxy_service }}.cfg + type: bind + options: [rbind, ro] + # Assemble document update + _update: + process: + args: [/usr/local/sbin/haproxy, -f, /usr/local/etc/haproxy/haproxy.cfg] + terminal: false # required for running it detached + linux: + # Remove "network" namespace to enable "host-networking" + namespaces: >- + {{ _document.linux.namespaces | selectattr('type', '!=', 'network') | list }} + # Merge cointainer's volume / mount definitions + mounts: >- + {{ (_document.mounts + _mounts) | unique 
}} diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml new file mode 100644 index 0000000000..be264d8d47 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml @@ -0,0 +1,21 @@ +--- +- name: Assert input parameters + assert: + that: + - runc_dir is defined + - haproxy_service is defined + +- name: Discover runc binary + shell: | + which runc + register: shell_which_runc + +- name: Set runc and haproxy related facts + set_fact: + haproxy_dir: "{{ runc_dir }}/{{ haproxy_service }}" + runc_binary: "{{ shell_which_runc.stdout.strip() }}" + +- name: Render {{ haproxy_service }} service systemd unit + template: + dest: /etc/systemd/system/{{ haproxy_service }}.service + src: haproxy.service.j2 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 new file mode 100644 index 0000000000..b779fda854 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 @@ -0,0 +1,14 @@ +# {{ ansible_managed }} + +[Unit] +After=network.target + +[Service] +Type=forking +WorkingDirectory={{ haproxy_dir }} +ExecStart={{ runc_binary }} run --detach {{ haproxy_service }} +ExecStop={{ runc_binary }} kill {{ haproxy_service }} SIGUSR1 +ExecStopPost={{ runc_binary }} delete {{ haproxy_service }} + +[Install] +WantedBy=multi-user.target From cc97d6e8d60a7338fcfb6cc2d793eda5878dd654 Mon Sep 17 00:00:00 2001 
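Review bot: `haproxy_archive` is a predictable path in a world-writable directory (`/tmp/haproxy-{{ haproxy_image_tag }}.tar`) and the pull task is guarded by `creates:` on that path, so an archive placed there beforehand by any local user is silently accepted and then unpacked with `tar xpf` (ownership, permissions and setuid bits preserved) into the rootfs that runs as a system service. Writing the archive under the root-owned role directory instead, e.g. `haproxy_archive: "{{ haproxy_dir }}/haproxy-{{ haproxy_image_tag }}.tar"`, and removing it after extraction closes that window. Separately, `_update` drops only the network namespace and leaves whatever `runc spec` generated for `process.user` and `linux.capabilities`, so the proxy presumably runs as uid 0 with host networking; a comment stating that this is intended, or an explicit `process.user` override in `_update`, would make the security posture of the container visible to the next maintainer.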
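Review bot: The unit in `haproxy.service.j2` has no `Restart=` directive, so if haproxy dies inside the container the service stays down until the next playbook run; `runc run --detach` has already returned, and `Type=forking` without `PIDFile=` relies on systemd guessing the main PID, so a crash is not even guaranteed to be noticed as a failure. Adding `Restart=on-failure` and `RestartSec=5` under `[Service]`, plus a `Description=` line under `[Unit]`, would match the availability expectations of a Kubernetes API load balancer. `ExecStopPost={{ runc_binary }} delete {{ haproxy_service }}` runs unconditionally, which is the right cleanup for a leftover container state dir after a failed `runc run`, and is worth a short comment to that effect.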
From: Michal Opala Date: Wed, 26 Aug 2020 09:23:29 +0200 Subject: [PATCH 02/16] requirements.txt: adding haproxy:2.2.2-alpine docker image --- .../files/download-requirements/centos-7/requirements.txt | 1 + .../files/download-requirements/redhat-7/requirements.txt | 1 + .../files/download-requirements/ubuntu-18.04/requirements.txt | 1 + .../data/common/defaults/configuration/image-registry.yml | 2 ++ 4 files changed, 5 insertions(+) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt index 8614f34066..55787e7f01 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/centos-7/requirements.txt @@ -160,6 +160,7 @@ https://get.helm.sh/helm-v3.2.0-linux-amd64.tar.gz https://github.com/hashicorp/vault-helm/archive/v0.4.0.tar.gz [images] +haproxy:2.2.2-alpine kubernetesui/dashboard:v2.0.3 kubernetesui/metrics-scraper:v1.0.4 registry:2 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt index fb4276d787..18b7730788 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/redhat-7/requirements.txt @@ -157,6 +157,7 @@ https://get.helm.sh/helm-v3.2.0-linux-amd64.tar.gz https://github.com/hashicorp/vault-helm/archive/v0.4.0.tar.gz [images] +haproxy:2.2.2-alpine kubernetesui/dashboard:v2.0.3 kubernetesui/metrics-scraper:v1.0.4 registry:2 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt index 7a261a5bf2..bf566c2994 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt +++ b/core/src/epicli/data/common/ansible/playbooks/roles/repository/files/download-requirements/ubuntu-18.04/requirements.txt @@ -182,6 +182,7 @@ https://get.helm.sh/helm-v3.2.0-linux-amd64.tar.gz https://github.com/hashicorp/vault-helm/archive/v0.4.0.tar.gz [images] +haproxy:2.2.2-alpine kubernetesui/dashboard:v2.0.3 kubernetesui/metrics-scraper:v1.0.4 registry:2 diff --git a/core/src/epicli/data/common/defaults/configuration/image-registry.yml b/core/src/epicli/data/common/defaults/configuration/image-registry.yml index 4ecf855d74..b7c0fb06ba 100644 --- a/core/src/epicli/data/common/defaults/configuration/image-registry.yml +++ b/core/src/epicli/data/common/defaults/configuration/image-registry.yml @@ -28,6 +28,8 @@ specification: - name: "brainsam/pgbouncer:1.12" file_name: pgbouncer-1.12.tar current: + - name: "haproxy:2.2.2-alpine" + file_name: haproxy-2.2.2-alpine.tar - name: "k8s.gcr.io/kube-apiserver:v1.18.6" file_name: kube-apiserver-v1.18.6.tar - name: "k8s.gcr.io/kube-controller-manager:v1.18.6" From ad6bb7f24a35b902a600ea68edcfe7477ae0e9e3 Mon Sep 17 00:00:00 2001 
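Review bot: The new `haproxy:2.2.2-alpine` entry in `image-registry.yml` records only a name and `file_name`, with no digest or checksum, and unlike the `k8s.gcr.io/...` entries it is an unqualified Docker Hub image whose tag can be re-pointed upstream at any time. If the download path does not already verify the saved archive against a recorded digest elsewhere, adding one here (e.g. a `sha256:` field next to `file_name`) would let the role that unpacks this tar into a root-run rootfs verify it at install time. The same applies to the three `requirements.txt` additions, which are tag-only as well.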
From: Michal Opala Date: Wed, 26 Aug 2020 09:23:29 +0200 Subject: [PATCH 03/16] kubernetes_common: reusing haproxy_runc role (refactor) --- .../tasks/configure-haproxy-Debian.yml | 5 ---- .../tasks/configure-haproxy-RedHat.yml | 5 ---- .../tasks/configure-haproxy.yml | 25 ++++++++++++------- .../templates/haproxy.cfg.j2 | 4 +-- 4 files changed, 17 insertions(+), 22 deletions(-) delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy-Debian.yml delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy-RedHat.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy-Debian.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy-Debian.yml deleted file mode 100644 index 27ace16ca2..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy-Debian.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Render haproxy config - template: - src: haproxy.cfg.j2 - dest: /etc/haproxy/haproxy.cfg diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy-RedHat.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy-RedHat.yml deleted file mode 100644 index 70950f292b..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy-RedHat.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Render haproxy config - template: - src: haproxy.cfg.j2 - dest: /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml index 40e38b1085..00db52d542 100644 
--- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml @@ -23,13 +23,20 @@ haproxy_backend_servers: >- {{ kubernetes_common.haproxy_master_names | zip(kubernetes_common.haproxy_master_ipv4s) | list }} -- include_tasks: "configure-haproxy-{{ ansible_os_family }}.yml" +- name: Ensure /etc/haproxy directory exists + file: + path: /etc/haproxy/ + state: directory -- name: Reload HAProxy service - service: - name: haproxy - enabled: true - state: "{{ item }}" - loop: - - started - - reloaded +- name: Configure and start haproxy + vars: + haproxy_service: haproxy-k8s + block: + - name: Render haproxy config + template: + dest: /etc/haproxy/{{ haproxy_service }}.cfg + src: haproxy.cfg.j2 + + - name: Setup and start {{ haproxy_service }} runc-based systemd service + include_role: + name: haproxy_runc diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/templates/haproxy.cfg.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/templates/haproxy.cfg.j2 index ffa44f4d15..1d64d7399e 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/templates/haproxy.cfg.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/templates/haproxy.cfg.j2 @@ -1,9 +1,7 @@ # {{ ansible_managed }} global - log /dev/log local0 - log /dev/log local1 notice - daemon + log stdout format raw local0 notice defaults log global From b1c1dc9e30edd634da570aa7338570f404a011c1 Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Mon, 31 Aug 2020 09:37:56 +0200 Subject: [PATCH 04/16] haproxy_runc: adding docker image extraction script (bash) --- .../files/extract-docker-image-V1.sh | 135 ++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100755 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh 
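Review bot: The old `loop: [started, reloaded]` is removed and the included `haproxy_runc` role only ensures the service is `started`, so a re-run that changes the rendered config (for example a new set of master IPs in `haproxy_backend_servers`) rewrites `/etc/haproxy/haproxy-k8s.cfg` but the running haproxy keeps the old backend list. Registering the `Render haproxy config` task and, when it reports `changed`, running `systemd: name={{ haproxy_service }} state=restarted` after the `include_role` would close that gap. The `file` and `template` tasks also set no `owner`/`mode`; since the file is bind-mounted read-only into the container, an explicit `mode: "0644"` avoids depending on the umask of the Ansible user. The `haproxy_backend_servers` set_fact that this hunk starts in begins before the hunk.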
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh new file mode 100755 index 0000000000..f30e668bcd --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh 
@@ -0,0 +1,135 @@ +#!/usr/bin/env bash + +: ${DEBUG:=} +: ${IMAGE_TAR:="$1"} +: ${OUTPUT_DIR:="$2"} + +set -o errexit -o nounset -o pipefail + +[[ -n "$DEBUG" ]] && set -x || true +[[ -n "$IMAGE_TAR" ]] && [[ -f "$IMAGE_TAR" ]] + +# Assert that required binaries are available in PATH. +which basename readlink xargs dirname install tar jq find sort uniq rm cp + +readonly IMAGE_NAME="$(basename "$IMAGE_TAR" .tar)" + +readonly SELF="$(readlink -f "$0" | xargs dirname)" +readonly CACHE="$SELF/.cache" + +readonly _IMG_="$CACHE/$IMAGE_NAME.img" +readonly _TMP_="$CACHE/$IMAGE_NAME.tmp" + +if [[ -n "$OUTPUT_DIR" ]]; then + readonly _OUT_="$OUTPUT_DIR" +else + readonly _OUT_="$CACHE/$IMAGE_NAME.out" # default value +fi + +function extract_image { + if [[ -d "$_IMG_/" ]]; then + return + fi + install -d "$_IMG_/" + tar xpf "$IMAGE_TAR" -C "$_IMG_/" +} + +function get_layer_name { + local layer_file="$1" layer_name + # Handle two common layer naming convetions: + layer_name="${layer_file%%/layer.tar}" # docker save + layer_name="${layer_name%%.tar}" # skopeo copy + echo "$layer_name" +} + +function get_layer_files { + jq -r '.[0].Layers[]' "$_IMG_/manifest.json" +} + +function get_layer_names { + local layer_file + get_layer_files | while IFS= read layer_file; do + get_layer_name "$layer_file" + done +} + +# Extract each layer's .tar archive into separate directories named as layers themselves. +function extract_layers { + local layer_file + get_layer_files | while IFS= read layer_file; do + local layer_name="$(get_layer_name "$layer_file")" + if [[ -d "$_TMP_/$layer_name/" ]]; then + continue + fi + install -d "$_TMP_/$layer_name/" + tar xpf "$_IMG_/$layer_file" -C "$_TMP_/$layer_name/" + done +} + +# Remove files according to "whiteouts" (https://github.com/moby/moby/blob/master/image/spec/v1.2.md#creating-an-image-filesystem-changeset). +function process_whiteouts { + local layer_name="$1" whiteout + + (cd "$_TMP_/$layer_name/" && find . 
-type f -name '.wh..wh..opq') \ + | while IFS= read whiteout; do + echo whiteout = "$whiteout" + rm -f "$_TMP_/$layer_name/$whiteout" + done + + (cd "$_TMP_/$layer_name/" && find . -type f -name '.wh.*') \ + | while IFS= read whiteout; do + echo whiteout = "$whiteout" + rm -f "$_TMP_/$layer_name/$whiteout" + echo must_be_removed = "${whiteout/.wh./}" + rm -rf "$_OUT_/${whiteout/.wh./}" + done +} + +# The tar and cp commands do not support replacing a file/directory with a symlink or vice versa. +# To handle it, we detect such changes beforehand and clean the output directory. +function process_symlinks { + local layer_name="$1" must_be_removed + + (cd "$_OUT_/" && find . -type f,d; cd "$_TMP_/$layer_name/" && find . -type l) | sort | uniq -d \ + | while IFS= read must_be_removed; do + echo must_be_removed = "$must_be_removed" + rm -rf "$_OUT_/$must_be_removed" + done + + (cd "$_OUT_/" && find . -type l; cd "$_TMP_/$layer_name/" && find . -type f,d) | sort | uniq -d \ + | while IFS= read must_be_removed; do + echo must_be_removed = "$must_be_removed" + rm -rf "$_OUT_/$must_be_removed" + done + + cp --preserve --recursive --no-dereference "$_TMP_/$layer_name/." "$_OUT_/" +} + +function merge_layers { + if [[ -d "$_OUT_/" ]]; then + return + fi + # Ensure output directory exists. + install -d "$_OUT_/" + + local layer + get_layer_names | while IFS= read layer_name; do + process_whiteouts "$layer_name" + process_symlinks "$layer_name" + done +} + +function remove_cache { + rm -rf "$_IMG_/" "$_TMP_/" +} + +function main { + trap remove_cache ERR EXIT INT TERM + extract_image + extract_layers + merge_layers +} + +main + +# vim:ts=4:sw=4:et:syn=sh: From e267bbac02c06f41ce1d51c6438969e89cc8c746 Mon Sep 17 00:00:00 2001 
From: Michal Opala Date: Mon, 31 Aug 2020 09:39:38 +0200 Subject: [PATCH 05/16] haproxy_runc: reusing docker image extraction script (bash) --- .../roles/haproxy_runc/defaults/main.yml | 3 +- .../tasks/install-packages-Debian.yml | 7 ++++ .../tasks/install-packages-RedHat.yml | 7 ++++ .../roles/haproxy_runc/tasks/main.yml | 3 ++ .../tasks/setup-runc-container.yml | 39 ++++++++++++------- .../haproxy_runc/tasks/setup-systemd-unit.yml | 1 + 6 files changed, 44 insertions(+), 16 deletions(-) create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/install-packages-Debian.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/install-packages-RedHat.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/defaults/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/defaults/main.yml index 8b0590e0fe..37d0069e02 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/defaults/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/defaults/main.yml @@ -2,4 +2,5 @@ runc_dir: "/opt/runc" haproxy_version: "2.2.2" haproxy_image_tag: "{{ haproxy_version }}-alpine" -haproxy_image: "{{ image_registry_address }}/haproxy:{{ haproxy_image_tag }}" +haproxy_image_tar: "haproxy-{{ haproxy_image_tag }}.tar" +extra_mounts: [] diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/install-packages-Debian.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/install-packages-Debian.yml new file mode 100644 index 0000000000..be92c1e13b --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/install-packages-Debian.yml @@ -0,0 +1,7 @@ +--- +- name: Install containerd.io package for Debian family + apt: + update_cache: true + name: + - containerd.io # provides "runc" + state: present 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/install-packages-RedHat.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/install-packages-RedHat.yml new file mode 100644 index 0000000000..99cdc268a5 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/install-packages-RedHat.yml @@ -0,0 +1,7 @@ +--- +- name: Install containerd.io package for RedHat family + yum: + update_cache: true + name: + - containerd.io # provides "runc" + state: present diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml index d9a0421855..c02625a52b 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml @@ -4,6 +4,9 @@ that: - haproxy_service is defined +- name: Install required system packages + include_tasks: "install-packages-{{ ansible_os_family }}.yml" + - name: Setup runc container include_tasks: setup-runc-container.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml index c7698038a3..6d01b1010e 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml 
@@ -4,25 +4,31 @@ that: - runc_dir is defined - haproxy_service is defined - - haproxy_image_tag is defined - - haproxy_image is defined + - haproxy_image_tar is defined + - extra_mounts is defined - name: Set haproxy related facts set_fact: haproxy_dir: "{{ runc_dir }}/{{ haproxy_service }}" - haproxy_archive: /tmp/haproxy-{{ haproxy_image_tag }}.tar -- name: Pull and export haproxy docker container - shell: | - docker pull {{ haproxy_image }} && docker export $(docker create {{ haproxy_image }}) --output {{ haproxy_archive }} - args: - creates: "{{ haproxy_archive }}" +- name: Download haproxy docker image archive + include_role: + name: download + tasks_from: download_image + vars: + file_name: "{{ haproxy_image_tar }}" + validate_certs: false -- name: Extract haproxy container archive - shell: | - install -d {{ haproxy_dir }}/rootfs/ && tar xpf {{ haproxy_archive }} -C {{ haproxy_dir }}/rootfs/ +- name: Extract haproxy docker image + script: + cmd: extract-docker-image-V1.sh + environment: + IMAGE_TAR: "{{ download_directory }}/{{ haproxy_image_tar }}" + OUTPUT_DIR: "{{ haproxy_dir }}/rootfs" args: + chdir: /tmp # free disk space is required (2x size of the image) (seems to be using ~/.ansible/tmp/) creates: "{{ haproxy_dir }}/rootfs/" + executable: /bin/bash - name: Create initial config.json file shell: | 
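Review bot: `validate_certs: false` on the `download_image` include disables TLS certificate verification for fetching the image archive that is then unpacked, with permissions preserved, into a rootfs executed as a system service, so an on-path attacker on the repository connection can substitute the whole rootfs. If the repository host uses a self-signed certificate, distributing its CA to the hosts and dropping the override is the proper fix; at minimum the archive should be checked against a known digest (e.g. a `stat: checksum_algorithm: sha256` task and an `assert`) before `extract-docker-image-V1.sh` runs. The `creates: "{{ haproxy_dir }}/rootfs/"` guard also means a first extraction that fails part-way leaves a partial `rootfs/` that both this task and the script's `merge_layers` early-return then treat as complete; extracting into a temporary directory and renaming it into place on success would make the task safely re-runnable.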
@@ -37,25 +43,26 @@ register: slurp_config_json - name: Adjust and save config.json file contents + when: _updated_document != _document copy: dest: "{{ haproxy_dir }}/config.json" # Update and render json payload content: | - {{ _document | combine(_update, recursive=true) | to_nice_json }} + {{ _updated_document | to_nice_json }} vars: # Parse json payload _document: >- {{ slurp_config_json.content | b64decode | from_json }} # Define extra volume mounts _mounts: - - destination: /usr/local/etc/haproxy/haproxy.cfg + - destination: /etc/haproxy/haproxy.cfg source: /etc/haproxy/{{ haproxy_service }}.cfg type: bind options: [rbind, ro] # Assemble document update _update: process: - args: [/usr/local/sbin/haproxy, -f, /usr/local/etc/haproxy/haproxy.cfg] + args: [/usr/local/sbin/haproxy, -f, /etc/haproxy/haproxy.cfg] terminal: false # required for running it detached linux: # Remove "network" namespace to enable "host-networking" @@ -63,4 +70,6 @@ {{ _document.linux.namespaces | selectattr('type', '!=', 'network') | list }} # Merge cointainer's volume / mount definitions mounts: >- - {{ (_document.mounts + _mounts) | unique }} + {{ (_document.mounts + (extra_mounts | default([])) + _mounts) | unique }} + _updated_document: >- + {{ _document | combine(_update, recursive=true) }} diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml index be264d8d47..f2e135e0a7 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml @@ -9,6 +9,7 @@ shell: | which runc register: shell_which_runc + changed_when: false - name: Set runc and haproxy related facts set_fact: From dd8ef952379004e027eba7b6cef5650d3fe8b225 Mon Sep 17 00:00:00 2001 
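Review bot: `extra_mounts` supplied by the caller are merged verbatim into `mounts` with no check that each entry is a `bind` mount or carries `ro` where write access is not needed, while the container keeps host networking, so a caller passing a read-write host directory by mistake silently widens what the proxy process can modify. Making the contract explicit in `defaults/main.yml` (`extra_mounts: []  # list of OCI mount objects; use options [rbind, ro] unless write access is required`) and adding an assert such as `- extra_mounts | rejectattr('type', 'equalto', 'bind') | list | length == 0` would catch the common error. The `when: _updated_document != _document` guard is a good idempotency improvement; a short comment noting that it makes the task report `changed` only on a real spec change would help readers.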
From: Michal Opala Date: Mon, 31 Aug 2020 09:41:07 +0200 Subject: [PATCH 06/16] haproxy: reusing haproxy_runc role (refactor) --- .../haproxy/files/haproxy_rsyslog_Debian.conf | 1 - .../haproxy/files/haproxy_rsyslog_RedHat.conf | 7 - .../playbooks/roles/haproxy/tasks/Debian.yml | 114 ---------------- .../playbooks/roles/haproxy/tasks/RedHat.yml | 122 ------------------ .../haproxy/tasks/deploy_certificates.yml | 55 ++++++++ ...generate.yml => generate_certificates.yml} | 23 ++-- .../playbooks/roles/haproxy/tasks/main.yml | 24 +++- .../roles/haproxy/tasks/setup_logrotate.yml | 9 -- .../roles/haproxy/templates/haproxy.cfg.j2 | 99 ++++++++++++++ .../haproxy/templates/haproxy_Debian.cfg.j2 | 110 ---------------- .../haproxy/templates/haproxy_RedHat.cfg.j2 | 113 ---------------- .../roles/haproxy/templates/logrotate.conf.j2 | 14 -- 12 files changed, 189 insertions(+), 502 deletions(-) delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/files/haproxy_rsyslog_Debian.conf delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/files/haproxy_rsyslog_RedHat.conf delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/Debian.yml delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/RedHat.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy_certificates.yml rename core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/{certificate_generate.yml => generate_certificates.yml} (68%) delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/setup_logrotate.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy.cfg.j2 delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy_Debian.cfg.j2 delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy_RedHat.cfg.j2 delete mode 
100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/logrotate.conf.j2 diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/files/haproxy_rsyslog_Debian.conf b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/files/haproxy_rsyslog_Debian.conf deleted file mode 100644 index 52ae91b62a..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/files/haproxy_rsyslog_Debian.conf +++ /dev/null @@ -1 +0,0 @@ -local0.* /var/log/haproxy.log diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/files/haproxy_rsyslog_RedHat.conf b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/files/haproxy_rsyslog_RedHat.conf deleted file mode 100644 index d02ce9d53d..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/files/haproxy_rsyslog_RedHat.conf +++ /dev/null @@ -1,7 +0,0 @@ -$ModLoad imudp -$UDPServerAddress 127.0.0.1 -$UDPServerRun 514 -$template Haproxy,"%msg%n" -local1.* /var/log/haproxy.log -### keep logs in localhost ### -&~ diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/Debian.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/Debian.yml deleted file mode 100644 index fb383e8dd7..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/Debian.yml +++ /dev/null 
@@ -1,114 +0,0 @@ ---- -# HAProxy Debian family of specific tasks - -- name: Install haproxy package - apt: name=haproxy update_cache=yes state=present - -- name: Restart haproxy service - service: - name: haproxy - state: stopped - -- name: Find certificate file in role directory - local_action: find paths="{{ role_path }}/files/" patterns="*.pem" - become: no - register: certificates_names - -- name: Check if any certificate exist in role directory - set_fact: - certificates_exist: "{{ certificates_names is defined and (certificates_names.files | length >0) }}" - -- name: Write file name - debug: - msg: "{{ item.path }}" - with_items: "{{ certificates_names.files }}" - when: - - certificates_exist - -- name: Write file name - debug: - msg: "{{ certificates_names.files | length }}" - when: - - certificates_exist - -- name: Display if certificate file in role directory exists - debug: - msg: "Certificate exists" - when: - - certificates_exist - -- name: Create directory in /etc/ssl if it doesn't exist - file: - path: /etc/ssl/haproxy - state: directory - -- name: Copy certificate remotely if certificate file in role directory exists - copy: - src: "{{ item.path }}" - dest: /etc/ssl/haproxy/ - with_items: "{{ certificates_names.files }}" - when: - - certificates_exist - -- name: Generate self signed certificate - include_tasks: certificate_generate.yml - when: - - not certificates_exist - -- name: Copy self signed certificate to /etc/ssl/haproxy/ - copy: - src: /tmp/{{ specification.self_signed_concatenated_cert_name }} - dest: /etc/ssl/haproxy/ - remote_src: yes - when: - - not certificates_exist - -- name: Find certificate file in haproxy directory - find: - paths="/etc/ssl/haproxy/" patterns="*.pem" - register: haproxy_certs_names - -- name: Write certs in haproxy - debug: - msg: "{{ item.path }}" - with_items: "{{ haproxy_certs_names.files }}" - when: - - certificates_exist - -- name: Copy haproxy config - template: - dest: /etc/haproxy/haproxy.cfg - src: 
haproxy_{{ ansible_os_family }}.cfg.j2 - -- name: Copy dhparam config - copy: - dest: /etc/haproxy/dhparam - src: "dhparam" - -- name: Copy haproxy rsyslog config - copy: - dest: /etc/rsyslog.d/haproxy.conf - src: "haproxy_rsyslog_{{ ansible_os_family }}.conf" - -- name: Uncomment modules loading - replace: - path: /etc/rsyslog.conf - regexp: '#module(load="imudp")' - replace: 'module(load="imudp")' - -- name: Uncomment modules loading - replace: - path: /etc/rsyslog.conf - regexp: '#input(type="imudp" port="514")' - replace: 'input(type="imudp" port="514")' - -- name: Restart rsyslog service - service: - name: rsyslog - state: restarted - -- name: Enable haproxy service - service: - name: haproxy - state: started - enabled: yes diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/RedHat.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/RedHat.yml deleted file mode 100644 index d341c44c33..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/RedHat.yml +++ /dev/null 
@@ -1,122 +0,0 @@ ---- -# HaProxy Red Hat family of specific tasks - -- name: Disable SELinux at next reboot - selinux: - state: disabled - ignore_errors: yes - -- name: Set SELinux in permissive mode until the machine is rebooted - command: setenforce 0 - ignore_errors: true - changed_when: false - -- name: Install haproxy family packages - yum: - name: - - rh-haproxy18 - - rh-haproxy18-haproxy-syspaths - update_cache: yes - state: present - -- name: Stop haproxy service - service: - name: haproxy - state: stopped - -- name: Find certificate file in role directory - local_action: find paths="{{ role_path }}/files/" patterns="*.pem" - become: no - register: certificates_names - -- name: Check if any certificate exist in role directory - set_fact: - certificates_exist: "{{ certificates_names is defined and (certificates_names.files | length >0) }}" - -- name: Write file name - debug: - msg: "{{ item.path }}" - with_items: "{{ certificates_names.files }}" - when: certificates_exist - -- name: Write file name - debug: - msg: "{{ certificates_names.files | length }}" - when: certificates_exist - -- name: Display if certificate file in role directory exists - debug: - msg: "Certificate exists" - when: certificates_exist - -- name: Create directory in /etc/ssl if it doesn't exist - file: - path: /etc/ssl/haproxy - state: directory - -- name: Copy certificate remotely if certificate file in role directory exists - copy: - src: "{{ item.path }}" - dest: /etc/ssl/haproxy/ - with_items: "{{ certificates_names.files }}" - when: certificates_exist - -- name: Generate self signed certificate - include_tasks: certificate_generate.yml - when: not certificates_exist - -- name: Copy self signed certificate to /etc/ssl/haproxy/ - copy: - src: /tmp/{{ specification.self_signed_concatenated_cert_name }} - dest: /etc/ssl/haproxy/ - remote_src: yes - when: not certificates_exist - -- name: Find certificate file in haproxy directory - find: - paths="/etc/ssl/haproxy/" patterns="*.pem" - 
register: haproxy_certs_names - -- name: Write certs in haproxy - debug: - msg: "{{ item.path }}" - with_items: "{{ haproxy_certs_names.files }}" - when: certificates_exist - -- name: Copy haproxy config - template: - dest: /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg - src: "haproxy_{{ ansible_os_family }}.cfg.j2" - -- name: Copy dhparam.pem config - copy: - dest: /etc/opt/rh/rh-haproxy18/haproxy/dhparam - src: "dhparam" - -- name: Uncomment modules loading - replace: - path: /etc/rsyslog.conf - regexp: '#$ModLoad imudp' - replace: '$ModLoad imudp' - -- name: Uncomment modules loading - replace: - path: /etc/rsyslog.conf - regexp: '#$UDPServerRun 514' - replace: '$UDPServerRun 514' - -- name: Copy haproxy rsyslog config - copy: - dest: /etc/rsyslog.d/haproxy.conf - src: "haproxy_rsyslog_{{ ansible_os_family }}.conf" - -- name: Restart rsyslog service - service: - name: rsyslog - state: restarted - -- name: Start haproxy service - service: - name: haproxy - state: started - enabled: yes diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy_certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy_certificates.yml new file mode 100644 index 0000000000..35dbd45126 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy_certificates.yml 
@@ -0,0 +1,55 @@
+---
+- name: Ensure /etc/ssl/haproxy directory exists
+ file:
+ path: /etc/ssl/haproxy/
+ state: directory
+
+- name: Find certificate files in role directory
+ local_action:
+ module: find
+ paths: "{{ role_path }}/files/"
+ patterns: "*.pem"
+ become: false
+ register: certificates_names
+
+- name: Check if any certificate exist in role directory
+ set_fact:
+ certificates_exist: >-
+ {{ certificates_names is defined and (certificates_names.files | length > 0) }}
+
+- name: Handle "local" certificates
+ when: certificates_exist
+ block:
+ - name: Copy certificates remotely if certificate files in role directory exist
+ copy:
+ dest: /etc/ssl/haproxy/
+ src: "{{ item.path }}"
+ loop: "{{ certificates_names.files }}"
+
+- name: Handle "remote" certificates
+ when: not certificates_exist
+ block:
+ - name: Generate self-signed certificates
+ include_tasks: generate_certificates.yml
+
+ - name: Copy self-signed certificates to /etc/ssl/haproxy/
+ copy:
+ dest: /etc/ssl/haproxy/
+ src: /tmp/{{ specification.self_signed_concatenated_cert_name }}
+ remote_src: true
+
+- name: Find certificate files in haproxy directory # needed in templates
+ find:
+ paths: /etc/ssl/haproxy/
+ patterns: "*.pem"
+ register: haproxy_certs_names
+
+- name: Ensure /etc/haproxy directory exists
+ file:
+ path: /etc/haproxy/
+ state: directory
+
+- name: Copy dhparam config
+ copy:
+ dest: /etc/haproxy/dhparam
+ src: dhparam
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/certificate_generate.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/generate_certificates.yml
similarity index 68%
rename from core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/certificate_generate.yml
rename to core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/generate_certificates.yml
index 9680d41c8d..9c0bcb1e3c 100644
--- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/certificate_generate.yml
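Review bot: Neither the `file` task that creates /etc/ssl/haproxy/ nor the two `copy` tasks that fill it set `owner`/`group`/`mode`, yet the "remote" branch copies `{{ specification.self_signed_concatenated_cert_name }}`, which generate_certificates.yml builds by concatenating the certificate with its private key, so key material lands with whatever the default umask gives (normally world-readable). Add `mode: "0700"` to the directory task and `owner: root`, `group: root`, `mode: "0600"` to both `copy` tasks; the later `find` on `*.pem` is unaffected. The "local" branch deserves the same treatment, since `*.pem` bundles shipped in the role's files directory generally contain keys as well.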
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/generate_certificates.yml @@ -1,5 +1,4 @@ --- - - name: Check if self signed certificate exists on node stat: path: /tmp/{{ specification.self_signed_certificate_name }} @@ -11,7 +10,13 @@ register: privkey_node - name: Generate private key if certificate hasn't been found in directory - shell: openssl req -x509 -nodes -newkey rsa:4096 -keyout /tmp/{{ specification.self_signed_private_key_name }} -out /tmp/{{ specification.self_signed_certificate_name }} -days 365 -subj '/CN=test' + shell: | + openssl req \ + -x509 -nodes -newkey rsa:4096 \ + -keyout /tmp/{{ specification.self_signed_private_key_name }} \ + -out /tmp/{{ specification.self_signed_certificate_name }} \ + -days 365 \ + -subj '/CN=test' when: - not certificate_node.stat.exists - not privkey_node.stat.exists @@ -31,15 +36,13 @@ path: /tmp/{{ specification.self_signed_concatenated_cert_name }} register: cert_consolidated -- name: Display if cert exists - debug: - msg: "Cert doesn't exist" - when: - - not cert_consolidated.stat.exists - - name: Concatenate key and cert for haproxy - shell: cat /tmp/{{ specification.self_signed_certificate_name }} /tmp/{{ specification.self_signed_private_key_name }} > /tmp/{{ specification.self_signed_concatenated_cert_name }} + shell: | + cat \ + /tmp/{{ specification.self_signed_certificate_name }} \ + /tmp/{{ specification.self_signed_private_key_name }} \ + > /tmp/{{ specification.self_signed_concatenated_cert_name }} when: - certificate_node.stat.exists - privkey_node.stat.exists - - not cert_consolidated.stat.exists \ No newline at end of file + - not cert_consolidated.stat.exists diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml index f8151e6412..6ea86cf9bc 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml 
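Review bot: The reformatted `openssl req` script still writes the `-nodes` private key into /tmp with the shell's default umask, and the `cat ... >` script does the same for the concatenated key+cert, so both are readable by every local user until deploy_certificates.yml copies them; start each `shell: |` block with `umask 077` (or follow it with a `file` task setting `mode: "0600"`). Separately, the `>` redirection creates the target before `cat` runs, so a failed `cat` leaves a truncated file that the `stat`-based `when` guards treat as complete on the next run; writing to a temporary name and renaming on success avoids that. The `when:` lists are unchanged by these hunks and the task list continues outside them.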
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml @@ -1,5 +1,25 @@ --- +- name: Ensure certificates exist remotely + include_tasks: deploy_certificates.yml -- include_tasks: "{{ ansible_os_family }}.yml" -- include_tasks: "setup_logrotate.yml" +- name: Configure and start haproxy + vars: { haproxy_service: haproxy } + block: + - name: Render haproxy config + template: + dest: /etc/haproxy/{{ haproxy_service }}.cfg + src: haproxy.cfg.j2 + - name: Setup and start {{ haproxy_service }} runc-based systemd service + include_role: + name: haproxy_runc + vars: + extra_mounts: + - destination: /etc/haproxy/dhparam + source: /etc/haproxy/dhparam + type: bind + options: [rbind, ro] + - destination: /etc/ssl/haproxy/ + source: /etc/ssl/haproxy/ + type: bind + options: [rbind, ro] diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/setup_logrotate.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/setup_logrotate.yml deleted file mode 100644 index c42f41ae96..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/setup_logrotate.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: Copy logrotate config - template: - dest: /etc/logrotate.d/haproxy - owner: root - group: root - mode: 0644 - src: logrotate.conf.j2 \ No newline at end of file diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy.cfg.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy.cfg.j2 new file mode 100644 index 0000000000..c81bcfb9b3 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy.cfg.j2 
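Review bot: The `Render haproxy config` task sets no `owner`/`group`/`mode` on `/etc/haproxy/{{ haproxy_service }}.cfg`, while the template it renders embeds `stats auth` credentials, so the rendered config keeps the default (typically world-readable) mode; add `owner: root`, `group: root`, `mode: "0640"`, adjusted to whatever the container's haproxy user needs through the bind mount. Nothing in this hunk registers the template result or notifies a restart, so on a host where the service is already running a changed config is only picked up if the included `haproxy_runc` role restarts on change itself — presumably it does not, so either add a handler or document that contract with a comment above the `include_role`. The `extra_mounts` entries being `ro` is the right choice for the dhparam file and the certificate directory.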
@@ -0,0 +1,99 @@
+#jinja2: trim_blocks:False
+# {{ ansible_managed }}
+
+global
+ log stdout format raw local0 notice
+ stats timeout 30s
+
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ ssl-dh-param-file /etc/haproxy/dhparam
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ {%- if specification is defined and specification.http_request_timeout is defined %}
+ timeout http-request {{ specification.http_request_timeout }}
+ {%- endif %}
+
+{%- for front in specification.frontend %}
+frontend {{ front.name }}
+ {%- if front.https is defined and front.https == True %}
+ mode tcp
+ bind *:{{ front.port }} ssl {% for cert_name in haproxy_certs_names.files %}crt {{ cert_name.path }} {% endfor %}
+ {%- else %}
+ bind *:{{ front.port }}
+ {%- endif %}
+
+ {%- if (front.domain_backend_mapping is defined) and (front.domain_backend_mapping > 0) %}
+ {%- if front.https == True %}
+ {%- for mapping in front.domain_backend_mapping %}
+ acl {{ mapping.backend }} ssl_fc_sni {{ mapping.domain }}
+ {%- endfor %}
+ {%- endif %}
+ {%- if front.https == False %}
+ {%- for mapping in front.domain_backend_mapping %}
+ acl {{ mapping.backend }} hdr_dom(host) -i {{ mapping.domain }}
+ {%- endfor %}
+ {%- endif %}
+ {%- endif %}
+
+ {%- if front.backend | length == 1 %}
+ default_backend {{ front.backend | first }}
+ {%- endif %}
+ {%- if front.backend | length > 1 %}
+ {%- for back in front.backend %}
+ use_backend {{ back }} if {{ back }}
+ {%- endfor %}
+ {%- endif %}
+{%- endfor %}
+
+{%- for back in specification.backend %}
+backend {{ back.name }}
+ balance roundrobin
+ {%- if back.https is defined and back.https == True %}
+ option tcp-check
+ mode tcp
+ {%- endif %}
+ {%- if back.server_groups is defined and back.server_groups is subset(groups) %}
+ {%- for server_group in back.server_groups %}
+ {%- for server in groups[server_group] %}
+ {%- if back.https is defined and back.https == True %}
+ server {{ server }} {{ hostvars[server].ansible_default_ipv4.address }}:{{ back.port }} check ssl verify none
+ {%- else %}
+ server {{ server }} {{ hostvars[server].ansible_default_ipv4.address }}:{{ back.port }} check
+ {%- endif %}
+ {%- endfor %}
+ {%- endfor %}
+ {%- endif %}
+
+ {%- if back.servers is defined %}
+ {%- for server in back.servers %}
+ {%- if back.https is defined and back.https == True %}
+ server {{ server.name }} {{ server.address }}:{{ back.port }} check ssl verify none
+ {%- else %}
+ server {{ server.name }} {{ server.address }}:{{ back.port }} check
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+{%- endfor %}
+
+{%- if specification.stats is defined and specification.stats.enable == True %}
+listen stats
+ bind {{ specification.stats.bind_address }}
+ stats enable
+ stats refresh 10s
+ stats admin if { src 127.0.0.1 }
+ stats hide-version # Hide HAProxy version
+ stats uri {{ specification.stats.uri }}
+ stats auth {{ specification.stats.user }}:{{ specification.stats.password }}
+{%- endif %}
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy_Debian.cfg.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy_Debian.cfg.j2
deleted file mode 100644
index 8b3c31ff78..0000000000
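Review bot: `{%- if (front.domain_backend_mapping is defined) and (front.domain_backend_mapping > 0) %}` compares a list with an integer, which Python 3 rejects with a TypeError as soon as any frontend defines `domain_backend_mapping`; it should read `(front.domain_backend_mapping | length > 0)`. Inside that block the `front.https == True` / `front.https == False` pair also diverges from the `front.https is defined and ...` guard used above it, so a frontend that omits `https` silently gets neither ACL set — an `{%- else %}` makes the intent explicit. Every TLS backend line uses `check ssl verify none`, meaning backend certificates are never validated; that is carried over from the removed templates, but the new file should say so in a comment next to those lines and name `ca-file`/`verify required` as the hardening option. `stats admin if { src 127.0.0.1 }` presumably relies on the runc container sharing the host network namespace — worth confirming, since otherwise the source check never matches.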
--- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy_Debian.cfg.j2 +++ /dev/null 
@@ -1,110 +0,0 @@ -#jinja2: trim_blocks:False - -# {{ ansible_managed }} - -global - log /dev/log local0 - log /dev/log local1 notice - chroot /var/lib/haproxy - stats timeout 30s - user haproxy - group haproxy - daemon - - ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - - ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - - ssl-dh-param-file /etc/haproxy/dhparam - - -defaults - log global - mode http - option httplog - option dontlognull - timeout connect 5000 - timeout client 50000 - timeout server 50000 -{%- if specification is defined and specification.http_request_timeout is defined %} - timeout http-request {{ specification.http_request_timeout }} -{%- endif %} - - -{%- for front in specification.frontend %} -frontend {{ front.name }} - {%- if front.https is defined and front.https == True %} - mode tcp - bind *:{{ front.port }} ssl {% for cert_name in haproxy_certs_names.files %}crt {{ cert_name.path }} {% endfor %} - {%- else %} - bind *:{{ front.port }} - {%- endif %} - - {%- if (front.domain_backend_mapping is defined) and (front.domain_backend_mapping > 0) %} - {%- if front.https == True %} - {%- for mapping in front.domain_backend_mapping %} - acl {{ mapping.backend }} ssl_fc_sni {{ mapping.domain }} - {%- endfor %} - {%- endif %} - {%- if front.https == False %} - {%- for mapping in front.domain_backend_mapping %} - acl {{ mapping.backend }} hdr_dom(host) -i {{ mapping.domain }} - {%- endfor %} - {%- endif %} 
- {%- endif %} - - {%- if front.backend | length == 1 %} - default_backend {{ front.backend | first }} - {%- endif %} - {%- if front.backend | length > 1 %} - {%- for back in front.backend %} - use_backend {{ back }} if {{ back }} - {%- endfor %} - {%- endif %} - -{%- endfor %} - -{%- for back in specification.backend %} -backend {{ back.name }} - balance roundrobin - {%- if back.https is defined and back.https == True %} - option tcp-check - mode tcp - {%- endif %} - {%- if back.server_groups is defined and back.server_groups is subset(groups) %} - {%- for server_group in back.server_groups %} - {%- for server in groups[server_group] %} - {%- if back.https is defined and back.https == True %} - server {{ server }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:{{ back.port }} check ssl verify none - {%- else %} - server {{ server }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:{{ back.port }} check - {%- endif %} - {%- endfor %} - {%- endfor %} - {%- endif %} - - {%- if back.servers is defined %} - {%- for server in back.servers %} - {%- if back.https is defined and back.https == True %} - server {{ server.name }} {{ server.address }}:{{ back.port }} check ssl verify none - {%- else %} - server {{ server.name }} {{ server.address }}:{{ back.port }} check - {%- endif %} - {%- endfor %} - {%- endif %} -{%- endfor %} - -{%- if specification.stats is defined %} - {%- if specification.stats.enable %} -listen stats - bind {{ specification.stats.bind_address }} - stats enable - stats refresh 10s - stats admin if { src 127.0.0.1 } - stats hide-version # Hide HAProxy version - stats uri {{ specification.stats.uri }} - stats auth {{ specification.stats.user }}:{{ specification.stats.password }} - {%- endif %} -{%- endif %} 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy_RedHat.cfg.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy_RedHat.cfg.j2 deleted file mode 100644 index b1a6cff0ff..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy_RedHat.cfg.j2 +++ /dev/null 
@@ -1,113 +0,0 @@ -#jinja2: trim_blocks:False - -# {{ ansible_managed }} - -global - log 127.0.0.1 local1 - log /dev/log local1 notice - chroot /var/lib/haproxy - stats timeout 30s - user haproxy - group haproxy - daemon - - ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - - ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets - - ssl-dh-param-file /etc/opt/rh/rh-haproxy18/haproxy/dhparam - - -defaults - log global - mode http - option httplog - option dontlognull - timeout connect 5000 - timeout client 50000 - timeout server 50000 -{%- if specification is defined and specification.http_request_timeout is defined %} - timeout http-request {{ specification.http_request_timeout }} -{%- endif %} - - -{%- for front in specification.frontend %} -frontend {{ front.name }} - {%- if front.https is defined and front.https == True %} - mode tcp - bind *:{{ front.port }} ssl {% for cert_name in haproxy_certs_names.files %}crt {{ cert_name.path }} {% endfor %} - {%- else %} - bind *:{{ front.port }} - {%- endif %} - - {%- if (front.domain_backend_mapping is defined) and (front.domain_backend_mapping > 0) %} - {%- if front.https == True %} - {%- for mapping in front.domain_backend_mapping %} - acl {{ mapping.backend }} ssl_fc_sni {{ mapping.domain }} - {%- endfor %} - {%- endif %} - {%- if front.https == False %} - {%- for mapping in front.domain_backend_mapping %} - acl {{ mapping.backend }} hdr_dom(host) -i {{ mapping.domain }} - {%- 
endfor %} - {%- endif %} - {%- endif %} - - {%- if front.backend | length == 1 %} - default_backend {{ front.backend | first }} - {%- endif %} - {%- if front.backend | length > 1 %} - {%- for back in front.backend %} - use_backend {{ back }} if {{ back }} - {%- endfor %} - {%- endif %} - -{%- endfor %} - - -{%- for back in specification.backend %} -backend {{ back.name }} - balance roundrobin - {%- if back.https is defined and back.https == True %} - option tcp-check - mode tcp - {%- endif %} - {%- if back.server_groups is defined and back.server_groups is subset(groups) %} - {%- for server_group in back.server_groups %} - {%- for server in groups[server_group] %} - {%- if back.https is defined and back.https == True %} - server {{ server }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:{{ back.port }} check ssl verify none - {%- else %} - server {{ server }} {{ hostvars[server]['ansible_default_ipv4']['address'] }}:{{ back.port }} check - {%- endif %} - {%- endfor %} - {%- endfor %} - {%- endif %} - - {%- if back.servers is defined %} - {%- for server in back.servers %} - {%- if back.https is defined and back.https == True %} - server {{ server.name }} {{ server.address }}:{{ back.port }} check ssl verify none - {%- else %} - server {{ server.name }} {{ server.address }}:{{ back.port }} check - {%- endif %} - {%- endfor %} - {%- endif %} -{%- endfor %} - -{%- if specification.stats is defined %} - {%- if specification.stats.enable %} -listen stats - mode http - bind :9000 - stats enable - stats refresh 10s - stats admin if { src 127.0.0.1 } - stats hide-version # Hide HAProxy version - stats realm Haproxy\ Statistics # Title text for popup window - stats uri /haproxy?stats - stats auth {{ specification.stats.user }}:{{ specification.stats.password }} - {%- endif %} -{%- endif %} 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/logrotate.conf.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/logrotate.conf.j2 deleted file mode 100644 index c4a2cb8e31..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/logrotate.conf.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# {{ ansible_managed }} - -{{ specification.haproxy_log_path }} { - missingok - copytruncate - notifempty - rotate 2 - monthly - size 500M - dateext - compress - delaycompress - maxage {{ specification.logs_max_days }} -} From d9de1d7c2e7de246a5e2f228c6093b8543a95b3b Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Mon, 31 Aug 2020 10:06:41 +0200 Subject: [PATCH 07/16] haproxy_runc: typo fix --- .../roles/haproxy_runc/files/extract-docker-image-V1.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh index f30e668bcd..0f1c93c4aa 100755 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh @@ -112,7 +112,7 @@ function merge_layers { # Ensure output directory exists. install -d "$_OUT_/" - local layer + local layer_name get_layer_names | while IFS= read layer_name; do process_whiteouts "$layer_name" process_symlinks "$layer_name" From 54d5d48e3db84a5da4481407175765db0ec40f52 Mon Sep 17 00:00:00 2001 
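Review bot: `get_layer_names | while IFS= read layer_name; do` still calls `read` without `-r`, so a layer name containing a backslash is altered before it reaches `process_whiteouts`/`process_symlinks`; use `IFS= read -r layer_name`. The renamed `local layer_name` declaration does not affect that loop, because in bash the body of a piped `while` runs in a subshell (unless `lastpipe` is set), so a short comment such as `# the piped loop runs in a subshell; layer_name is not visible after it` would prevent the next reader from expecting the variable afterwards. `merge_layers` begins before and continues after this hunk.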
From: Michal Opala Date: Mon, 31 Aug 2020 15:59:52 +0200 Subject: [PATCH 08/16] haproxy_exporter: coding style improvements --- .../roles/haproxy_exporter/defaults/main.yml | 1 - .../roles/haproxy_exporter/tasks/main.yml | 17 +++++++---------- .../templates/file_sd_haproxy_config.yml.j2 | 2 -- .../prometheus-haproxy-exporter.service.j2 | 1 + 4 files changed, 8 insertions(+), 13 deletions(-) delete mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/defaults/main.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/defaults/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/defaults/main.yml deleted file mode 100644 index ed97d539c0..0000000000 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/tasks/main.yml index 28d1191f35..95e502b47a 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/tasks/main.yml @@ -1,5 +1,4 @@ --- - - name: Create haproxy_exporter system group group: name: haproxy_exporter @@ -16,7 +15,7 @@ - name: Set HAProxy Exporter file name to install set_fact: - exporter_file_name: "{{ specification.file_name }}" + exporter_file_name: "{{ specification.file_name }}" - name: Download HAProxy Exporter binaries include_role: 
@@ -26,21 +25,19 @@ file_name: "{{ exporter_file_name }}" - name: Create /opt/haproxy_exporter directories - become: yes file: path: "{{ item }}" - recurse: yes + recurse: true owner: root group: haproxy_exporter mode: 0750 state: directory with_items: - - /opt/haproxy_exporter + - /opt/haproxy_exporter - name: Unpack haproxy_exporter binary - become: yes unarchive: - remote_src: yes + remote_src: true src: "{{ download_directory }}/{{ exporter_file_name }}" dest: "/opt/haproxy_exporter" creates: "/opt/haproxy_exporter/haproxy_exporter" @@ -100,10 +97,10 @@ - name: Configure systemd to use prometheus-haproxy-exporter service systemd: - enabled: yes + enabled: true state: started name: prometheus-haproxy-exporter - daemon_reload: yes + daemon_reload: true - name: Copy file_sd_haproxy_config to prometheus hosts template: @@ -120,4 +117,4 @@ systemd: state: restarted name: prometheus-haproxy-exporter - daemon_reload: yes + daemon_reload: true diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/templates/file_sd_haproxy_config.yml.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/templates/file_sd_haproxy_config.yml.j2 index 8b10f2e6e3..4e274071af 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/templates/file_sd_haproxy_config.yml.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/templates/file_sd_haproxy_config.yml.j2 @@ -1,8 +1,6 @@ # {{ ansible_managed }} - - targets: ['{{ inventory_hostname }}:{{ specification.config_for_prometheus.exporter_listen_port }}'] labels: {% for item in specification.config_for_prometheus.file_sd_labels %} "{{ item.label }}": "{{ item.value }}" {% endfor %} - 
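Review bot: `mode: 0750` in the `Create /opt/haproxy_exporter directories` task stays an unquoted leading-zero scalar while the surrounding `yes`→`true` cleanups are made; a YAML 1.1 loader reads it as the integer 488, which Ansible happens to reinterpret as octal, so it works by accident rather than by intent — write `mode: "0750"` or the symbolic `u=rwx,g=rx,o=`. Removing `become: yes` from the directory and `unarchive` tasks assumes the play or the role include already escalates for writes under /opt; presumably it does, but it is worth confirming before merging. A one-line comment above the first task, `# all tasks in this role expect to run with become at play level`, would record that assumption.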
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/templates/prometheus-haproxy-exporter.service.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/templates/prometheus-haproxy-exporter.service.j2 index 9331d52de8..16bf809ca2 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/templates/prometheus-haproxy-exporter.service.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_exporter/templates/prometheus-haproxy-exporter.service.j2 @@ -1,3 +1,4 @@ +# {{ ansible_managed }} [Unit] Description={{ specification.description }} From f64cc9bfccf54fc811a5ee8697147f0f1fa781b2 Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Mon, 31 Aug 2020 15:59:52 +0200 Subject: [PATCH 09/16] haproxy: configuring logging + cleanups --- ...rtificates.yml => deploy-certificates.yml} | 2 +- ...ificates.yml => generate-certificates.yml} | 0 .../playbooks/roles/haproxy/tasks/main.yml | 8 +++--- .../haproxy/tasks/setup-haproxy-logging.yml | 25 +++++++++++++++++++ .../templates/haproxy-logrotate.conf.j2 | 13 ++++++++++ .../haproxy/templates/haproxy-rsyslog.conf.j2 | 8 ++++++ .../roles/haproxy/templates/haproxy.cfg.j2 | 2 ++ 7 files changed, 54 insertions(+), 4 deletions(-) rename core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/{deploy_certificates.yml => deploy-certificates.yml} (96%) rename core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/{generate_certificates.yml => generate-certificates.yml} (100%) create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/setup-haproxy-logging.yml create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy-logrotate.conf.j2 create mode 100644 core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy-rsyslog.conf.j2 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy_certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy-certificates.yml similarity index 96% rename from core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy_certificates.yml rename to core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy-certificates.yml index 35dbd45126..0192370a7d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy_certificates.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/deploy-certificates.yml @@ -30,7 +30,7 @@ when: not certificates_exist block: - name: Generate self-signed certificates - include_tasks: generate_certificates.yml + include_tasks: generate-certificates.yml - name: Copy self-signed certificates to /etc/ssl/haproxy/ copy: diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/generate_certificates.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/generate-certificates.yml similarity index 100% rename from core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/generate_certificates.yml rename to core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/generate-certificates.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml index 6ea86cf9bc..21fdda6d71 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Ensure certificates exist remotely - include_tasks: deploy_certificates.yml + include_tasks: deploy-certificates.yml - name: Configure and start haproxy vars: { haproxy_service: haproxy } 
@@ -11,8 +11,7 @@ src: haproxy.cfg.j2 - name: Setup and start {{ haproxy_service }} runc-based systemd service - include_role: - name: haproxy_runc + include_role: { name: haproxy_runc } vars: extra_mounts: - destination: /etc/haproxy/dhparam @@ -23,3 +22,6 @@ source: /etc/ssl/haproxy/ type: bind options: [rbind, ro] + +- name: Setup haproxy logging + include_tasks: setup-haproxy-logging.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/setup-haproxy-logging.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/setup-haproxy-logging.yml new file mode 100644 index 0000000000..cfb013cb0e --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/setup-haproxy-logging.yml @@ -0,0 +1,25 @@ +--- +- name: Copy haproxy rsyslog config + template: + dest: /etc/rsyslog.d/haproxy.conf + src: haproxy-rsyslog.conf.j2 + owner: root + group: root + mode: u=rw,go=r + register: template_haproxy_rsyslog_conf + +- name: Restart rsyslog service + systemd: + name: rsyslog + state: restarted + when: + - template_haproxy_rsyslog_conf is changed + +# Logrotate is executed in cron, please take a look at the "common" role +- name: Copy logrotate config + template: + dest: /etc/logrotate.d/haproxy + src: haproxy-logrotate.conf.j2 + owner: root + group: root + mode: u=rw,go=r diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy-logrotate.conf.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy-logrotate.conf.j2 new file mode 100644 index 0000000000..ffc936efe0 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy-logrotate.conf.j2 @@ -0,0 +1,13 @@ +# {{ ansible_managed }} +{{ specification.haproxy_log_path }} { + missingok + copytruncate + notifempty + rotate 2 + monthly + size 500M + dateext + compress + delaycompress + maxage {{ specification.logs_max_days }} +} 
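Review bot: The logrotate template rotates `{{ specification.haproxy_log_path }}`, while the rsyslog rule in the haproxy-rsyslog.conf.j2 hunk that follows writes to a hard-coded `/var/log/haproxy.log`, so whenever the specification points anywhere else the file rsyslog actually writes is never rotated and grows unbounded, and logrotate silently rotates nothing because of `missingok`. Using the same variable in both templates, e.g. `local1.* {{ specification.haproxy_log_path }}` in the rsyslog template, removes the mismatch. The `Restart rsyslog service` task in setup-haproxy-logging.yml also relies on rsyslog being installed and enabled on the host; adding `enabled: true` there makes that dependency explicit.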
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy-rsyslog.conf.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy-rsyslog.conf.j2 new file mode 100644 index 0000000000..0142a59c97 --- /dev/null +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy-rsyslog.conf.j2 @@ -0,0 +1,8 @@ +# {{ ansible_managed }} +$ModLoad imudp +$UDPServerAddress 127.0.0.1 +$UDPServerRun 514 +$template Haproxy,"%msg%n" +local1.* /var/log/haproxy.log +### keep logs in localhost ### +&~ diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy.cfg.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy.cfg.j2 index c81bcfb9b3..7d00ef8c9d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy.cfg.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/templates/haproxy.cfg.j2 @@ -3,6 +3,8 @@ global log stdout format raw local0 notice + log 127.0.0.1 local1 # Send to rsyslog via 127.0.0.1:514/udp + stats timeout 30s ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 From d4f161a7816521866df726e7c33cab444fc79ebe Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Mon, 31 Aug 2020 15:59:52 +0200 Subject: [PATCH 10/16] haproxy_runc: template cleanup --- .../playbooks/roles/haproxy_runc/templates/haproxy.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 index b779fda854..154d9f2996 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 
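Review bot: `$template Haproxy,"%msg%n"` is declared but never referenced: the `local1.* /var/log/haproxy.log` action uses rsyslog's default format, so the template line has no effect; either reference it (`local1.* /var/log/haproxy.log;Haproxy`) or drop it. The `$ModLoad`/`$UDPServer*` directives and `&~` are the legacy syntax that newer rsyslog versions deprecate in favour of `module(load="imudp")`, `input(type="imudp" ...)` and `stop`; if the legacy form is deliberate for the targeted distributions, a comment saying so would prevent a later "modernisation" that breaks older hosts. Binding the UDP listener to `127.0.0.1` is the right choice because the container runs with host networking (the `linux` namespace comment in the later setup-runc-container.yml hunk), and that reasoning deserves a comment in the template, e.g. `# Loopback only: the haproxy container shares the host network namespace`.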
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 @@ -1,5 +1,4 @@ # {{ ansible_managed }} - [Unit] After=network.target From 5b31618fc7ec8f31b3b201d762806c2685776bea Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Mon, 31 Aug 2020 16:43:32 +0200 Subject: [PATCH 11/16] backup/recovery: simplifying haproxy procedures (after refactor) --- .../backup/tasks/load_balancer_haproxy_etc.yml | 14 +++----------- .../recovery/tasks/load_balancer_haproxy_etc.yml | 14 +++----------- 2 files changed, 6 insertions(+), 22 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/backup/tasks/load_balancer_haproxy_etc.yml b/core/src/epicli/data/common/ansible/playbooks/roles/backup/tasks/load_balancer_haproxy_etc.yml index 93d31e37e9..f9e2c77cba 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/backup/tasks/load_balancer_haproxy_etc.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/backup/tasks/load_balancer_haproxy_etc.yml @@ -10,17 +10,9 @@ import_tasks: common/create_snapshot_archive.yml vars: snapshot_prefix: "haproxy_etc" - dirs_to_archive: >- - {{ _dirs_to_archive_switch[ansible_os_family] | default(_dirs_to_archive_switch.default) }} - # Simulate some basic in-place switch/case expression using a dictionary. - _dirs_to_archive_switch: - RedHat: - - /etc/haproxy/ - - /etc/ssl/haproxy/ - - /etc/opt/rh/rh-haproxy18/haproxy/ - default: - - /etc/haproxy/ - - /etc/ssl/haproxy/ + dirs_to_archive: + - /etc/haproxy/ + - /etc/ssl/haproxy/ - name: Create snapshot checksum import_tasks: common/create_snapshot_checksum.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/recovery/tasks/load_balancer_haproxy_etc.yml b/core/src/epicli/data/common/ansible/playbooks/roles/recovery/tasks/load_balancer_haproxy_etc.yml index 7633d9cce7..c602d3ef91 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/recovery/tasks/load_balancer_haproxy_etc.yml 
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/recovery/tasks/load_balancer_haproxy_etc.yml @@ -23,17 +23,9 @@ - name: Clear directories import_tasks: common/clear_directories.yml vars: - dirs_to_clear: >- - {{ _dirs_to_clear_switch[ansible_os_family] | default(_dirs_to_clear_switch.default) }} - # Simulate some basic in-place switch/case expression using a dictionary. - _dirs_to_clear_switch: - RedHat: - - /etc/haproxy/ - - /etc/ssl/haproxy/ - - /etc/opt/rh/rh-haproxy18/haproxy/ - default: - - /etc/haproxy/ - - /etc/ssl/haproxy/ + dirs_to_clear: + - /etc/haproxy/ + - /etc/ssl/haproxy/ - name: Extract the archive unarchive: From 8024a7dc739bd89f6d34f514cfbff0f353a34c41 Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Tue, 1 Sep 2020 09:16:26 +0200 Subject: [PATCH 12/16] haproxy_runc: "find" command invocation fix (redhat) --- .../roles/haproxy_runc/files/extract-docker-image-V1.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh index 0f1c93c4aa..ed0e6982ae 100755 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh 
@@ -90,13 +90,13 @@ function process_whiteouts { function process_symlinks { local layer_name="$1" must_be_removed - (cd "$_OUT_/" && find . -type f,d; cd "$_TMP_/$layer_name/" && find . -type l) | sort | uniq -d \ + (cd "$_OUT_/" && find . -type f -or -type d; cd "$_TMP_/$layer_name/" && find . -type l) | sort | uniq -d \ | while IFS= read must_be_removed; do echo must_be_removed = "$must_be_removed" rm -rf "$_OUT_/$must_be_removed" done - (cd "$_OUT_/" && find . -type l; cd "$_TMP_/$layer_name/" && find . -type f,d) | sort | uniq -d \ + (cd "$_OUT_/" && find . -type l; cd "$_TMP_/$layer_name/" && find . -type f -or -type d) | sort | uniq -d \ | while IFS= read must_be_removed; do echo must_be_removed = "$must_be_removed" rm -rf "$_OUT_/$must_be_removed" From c96bb5a130b924373d57d36009b25b5e41f5c70a Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Tue, 1 Sep 2020 09:16:26 +0200 Subject: [PATCH 13/16] haproxy_runc: fixing incomplete cleanup after errors --- .../roles/haproxy_runc/files/extract-docker-image-V1.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh index ed0e6982ae..f7f5957910 100755 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/files/extract-docker-image-V1.sh @@ -123,8 +123,14 @@ function remove_cache { rm -rf "$_IMG_/" "$_TMP_/" } +function remove_all { + rm -rf "$_OUT_/" + remove_cache +} + function main { - trap remove_cache ERR EXIT INT TERM + trap remove_cache EXIT + trap remove_all ERR INT TERM extract_image extract_layers merge_layers From 542686270f06af8f183178dee65ad4fdf2535368 Mon Sep 17 00:00:00 2001 
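Review bot: `-or` is a GNU spelling; since this change exists because an older findutils on RedHat rejects `-type f,d`, the POSIX form `find . -type f -o -type d` is the strictly portable one and works everywhere `-or` does. The `while IFS= read must_be_removed` loops that feed `rm -rf` lack `-r`, so backslashes in layer paths are interpreted by `read` and a different path than the one found can be removed; `while IFS= read -r must_be_removed; do` fixes that on both loops. process_symlinks continues past the end of the hunk.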
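Review bot: `trap remove_all ERR INT TERM` deletes `$_OUT_` but does not exit, so unless the script runs under `set -e` (not visible in this hunk) execution continues after the handler with the output tree gone, and on INT/TERM the exit status does not reflect the interruption; `trap 'remove_all; exit 1' ERR INT TERM` makes the cleanup terminal. `rm -rf "$_OUT_/"` in the new remove_all has no guard against `_OUT_` being empty or unset, in which case the argument collapses to `/`; `rm -rf "${_OUT_:?}/"` (and the same `:?` form for `_IMG_`/`_TMP_` in remove_cache) fails loudly instead. main continues past the end of the hunk.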
From: Michal Opala Date: Tue, 1 Sep 2020 09:16:26 +0200 Subject: [PATCH 14/16] haproxy_runc/kubernetes_common/haproxy: adding "reload" method --- .../playbooks/roles/haproxy/tasks/main.yml | 32 ++++++++----------- .../tasks/setup-runc-container.yml | 4 +-- .../haproxy_runc/templates/haproxy.service.j2 | 1 + .../tasks/configure-haproxy.yml | 17 +++++----- 4 files changed, 24 insertions(+), 30 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml index 21fdda6d71..2e4caf66b6 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml @@ -2,26 +2,20 @@ - name: Ensure certificates exist remotely include_tasks: deploy-certificates.yml -- name: Configure and start haproxy - vars: { haproxy_service: haproxy } - block: - - name: Render haproxy config - template: - dest: /etc/haproxy/{{ haproxy_service }}.cfg - src: haproxy.cfg.j2 +- name: Render haproxy config + template: + dest: /etc/haproxy/haproxy.cfg + src: haproxy.cfg.j2 - - name: Setup and start {{ haproxy_service }} runc-based systemd service - include_role: { name: haproxy_runc } - vars: - extra_mounts: - - destination: /etc/haproxy/dhparam - source: /etc/haproxy/dhparam - type: bind - options: [rbind, ro] - - destination: /etc/ssl/haproxy/ - source: /etc/ssl/haproxy/ - type: bind - options: [rbind, ro] +- name: Setup and start haproxy runc-based systemd service + include_role: { name: haproxy_runc } + vars: + haproxy_service: haproxy + extra_mounts: + - destination: /etc/ssl/haproxy/ + source: /etc/ssl/haproxy/ + type: bind + options: [rbind, ro] - name: Setup haproxy logging include_tasks: setup-haproxy-logging.yml 
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml index 6d01b1010e..5162966ac4 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml @@ -55,8 +55,8 @@ {{ slurp_config_json.content | b64decode | from_json }} # Define extra volume mounts _mounts: - - destination: /etc/haproxy/haproxy.cfg - source: /etc/haproxy/{{ haproxy_service }}.cfg + - destination: /etc/haproxy/ + source: /etc/{{ haproxy_service }}/ type: bind options: [rbind, ro] # Assemble document update diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 index 154d9f2996..591c94dd5d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/templates/haproxy.service.j2 @@ -6,6 +6,7 @@ After=network.target Type=forking WorkingDirectory={{ haproxy_dir }} ExecStart={{ runc_binary }} run --detach {{ haproxy_service }} +ExecReload={{ runc_binary }} kill {{ haproxy_service }} SIGUSR2 ExecStop={{ runc_binary }} kill {{ haproxy_service }} SIGUSR1 ExecStopPost={{ runc_binary }} delete {{ haproxy_service }} diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml index 00db52d542..5d4a5b286c 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml 
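Review bot: `ExecReload={{ runc_binary }} kill {{ haproxy_service }} SIGUSR2` only performs a reload when the container's init process is a haproxy master, i.e. when haproxy is started with `-W`; in this patch the container args are still `[/usr/local/sbin/haproxy, -f, /etc/haproxy/haproxy.cfg]` and `-W` is only added by the later "improving idempotency" patch, so the unit template and the runc process args must be kept in step. A comment on the line would record that coupling: `# SIGUSR2 reloads only in master-worker mode; keep in sync with the -W arg in setup-runc-container.yml`. Note also that `systemctl reload` succeeds as soon as the signal is delivered, so a reload that fails on a bad config is only visible in haproxy's own log.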
+++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml @@ -23,18 +23,17 @@ haproxy_backend_servers: >- {{ kubernetes_common.haproxy_master_names | zip(kubernetes_common.haproxy_master_ipv4s) | list }} -- name: Ensure /etc/haproxy directory exists - file: - path: /etc/haproxy/ - state: directory - -- name: Configure and start haproxy - vars: - haproxy_service: haproxy-k8s +- name: Configure and start haproxy "distributed" load-balancer + vars: { haproxy_service: haproxy-k8s } block: + - name: Ensure /etc/{{ haproxy_service }}/ directory exists + file: + path: /etc/{{ haproxy_service }}/ + state: directory + - name: Render haproxy config template: - dest: /etc/haproxy/{{ haproxy_service }}.cfg + dest: /etc/{{ haproxy_service }}/haproxy.cfg src: haproxy.cfg.j2 - name: Setup and start {{ haproxy_service }} runc-based systemd service From 2e9b3e14193c7365b5a1c9fc94a58486b5d7ee81 Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Tue, 1 Sep 2020 09:16:26 +0200 Subject: [PATCH 15/16] kubernetes_common: dropping unneeded haproxy packages --- .../kubernetes_common/tasks/install-packages-Debian.yml | 7 ------- .../kubernetes_common/tasks/install-packages-RedHat.yml | 9 --------- 2 files changed, 16 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/install-packages-Debian.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/install-packages-Debian.yml index 9486e5cd61..57d46a6a6d 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/install-packages-Debian.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/install-packages-Debian.yml @@ -1,5 +1,4 @@ --- - - name: Install NFS package for Debian family apt: name: 
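Review bot: The new `file: path: /etc/{{ haproxy_service }}/ state: directory` task sets no `owner`/`group`/`mode`, and the `Render haproxy config` template task below it sets none either, so the permissions of the directory that is later bind-mounted into the container depend on the remote system's defaults. The logging tasks added earlier in this series set `owner: root`, `group: root` and `mode: u=rw,go=r` explicitly; the same explicitness here (`mode: u=rwx,go=rx` on the directory, `mode: u=rw,go=r` on the rendered config) keeps the role consistent and makes the intended exposure of the config reviewable. The enclosing block continues past the end of the hunk.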
@@ -13,9 +12,3 @@ - kubectl={{specification.version}}-00 - kubeadm={{specification.version}}-00 state: present - -- name: Install HAProxy package - apt: - name: haproxy - update_cache: true - state: present diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/install-packages-RedHat.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/install-packages-RedHat.yml index 179538680a..5070536a70 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/install-packages-RedHat.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/install-packages-RedHat.yml @@ -1,5 +1,4 @@ --- - - name: Install NFS package for RedHat family yum: name: @@ -15,11 +14,3 @@ - kubeadm-{{specification.version}}-0 update_cache: yes state: present - -- name: Install HAProxy family packages - yum: - name: - - rh-haproxy18 - - rh-haproxy18-haproxy-syspaths - update_cache: yes - state: present From 39b899fe1e8a0b453995ae5470f5acce868548b6 Mon Sep 17 00:00:00 2001 From: Michal Opala Date: Tue, 1 Sep 2020 09:16:26 +0200 Subject: [PATCH 16/16] haproxy_runc/kubernetes_common/haproxy: improving idempotency --- .../ansible/playbooks/roles/haproxy/tasks/main.yml | 7 +++++++ .../playbooks/roles/haproxy_runc/tasks/main.yml | 12 +++++++++++- .../haproxy_runc/tasks/setup-runc-container.yml | 9 ++++++++- .../roles/haproxy_runc/tasks/setup-systemd-unit.yml | 7 +++++++ .../kubernetes_common/tasks/configure-haproxy.yml | 9 ++++++++- 5 files changed, 41 insertions(+), 3 deletions(-) diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml index 2e4caf66b6..4b21b35f43 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy/tasks/main.yml 
@@ -6,6 +6,7 @@ template: dest: /etc/haproxy/haproxy.cfg src: haproxy.cfg.j2 + register: template_haproxy_cfg - name: Setup and start haproxy runc-based systemd service include_role: { name: haproxy_runc } @@ -17,5 +18,11 @@ type: bind options: [rbind, ro] +- name: Reload haproxy service + systemd: + name: haproxy + state: reloaded + when: template_haproxy_cfg is changed + - name: Setup haproxy logging include_tasks: setup-haproxy-logging.yml diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml index c02625a52b..cd7090a33f 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/main.yml @@ -7,15 +7,25 @@ - name: Install required system packages include_tasks: "install-packages-{{ ansible_os_family }}.yml" +- name: Prepare the haproxy_service_needs_restart fact + set_fact: + haproxy_service_needs_restart: false + - name: Setup runc container include_tasks: setup-runc-container.yml - name: Setup systemd unit include_tasks: setup-systemd-unit.yml -- name: Enable and start {{ haproxy_service }} service +- name: Ensure {{ haproxy_service }} service is running systemd: name: "{{ haproxy_service }}" state: started enabled: true daemon_reload: true + +- name: Restart {{ haproxy_service }} service + systemd: + name: "{{ haproxy_service }}" + state: restarted + when: haproxy_service_needs_restart diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml index 5162966ac4..fb54656be0 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-runc-container.yml 
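Review bot: `state: reloaded` when `template_haproxy_cfg is changed` sends SIGUSR2 through ExecReload, and systemd reports success once the signal is delivered, so a syntactically broken haproxy.cfg is not detected here: the master keeps the old workers and the play finishes green with the new config never applied. Running a configuration check before the reload (a `command` task invoking `haproxy -c -f` against the rendered file inside the container, or `validate:` on the template task if the binary is reachable on the host) turns that into a task failure at the point where it can still be acted on. The same applies to the reload task in the kubernetes_common/configure-haproxy.yml hunk of this patch.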
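Review bot: On a first deployment `haproxy_service_needs_restart` is always true (the unit template and config.json are both new and are registered as changed in the following hunks), so `Ensure {{ haproxy_service }} service is running` starts the service and `Restart {{ haproxy_service }} service` immediately restarts it. Folding the two into the existing task avoids the double start: `state: "{{ 'restarted' if haproxy_service_needs_restart else 'started' }}"` with `enabled: true` and `daemon_reload: true` kept. The unconditional `set_fact: haproxy_service_needs_restart: false` also discards any value a caller set, which is fine only while the fact stays private to this role; a comment saying so would make that contract explicit.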
@@ -6,6 +6,7 @@ - haproxy_service is defined - haproxy_image_tar is defined - extra_mounts is defined + - haproxy_service_needs_restart is defined - name: Set haproxy related facts set_fact: @@ -62,7 +63,7 @@ # Assemble document update _update: process: - args: [/usr/local/sbin/haproxy, -f, /etc/haproxy/haproxy.cfg] + args: [/usr/local/sbin/haproxy, -W, -f, /etc/haproxy/haproxy.cfg] terminal: false # required for running it detached linux: # Remove "network" namespace to enable "host-networking" @@ -73,3 +74,9 @@ {{ (_document.mounts + (extra_mounts | default([])) + _mounts) | unique }} _updated_document: >- {{ _document | combine(_update, recursive=true) }} + register: copy_config_json + +- name: Mark {{ haproxy_service }} service to be restarted + set_fact: + haproxy_service_needs_restart: >- + {{ haproxy_service_needs_restart or ((copy_config_json is defined) and (copy_config_json is changed)) }} diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml index f2e135e0a7..d15e72d49b 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/haproxy_runc/tasks/setup-systemd-unit.yml @@ -4,6 +4,7 @@ that: - runc_dir is defined - haproxy_service is defined + - haproxy_service_needs_restart is defined - name: Discover runc binary shell: | @@ -20,3 +21,9 @@ template: dest: /etc/systemd/system/{{ haproxy_service }}.service src: haproxy.service.j2 + register: template_haproxy_service + +- name: Mark {{ haproxy_service }} service to be restarted + set_fact: + haproxy_service_needs_restart: >- + {{ haproxy_service_needs_restart or ((template_haproxy_service is defined) and (template_haproxy_service is changed)) }} 
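Review bot: In the `Mark {{ haproxy_service }} service to be restarted` task the `(copy_config_json is defined) and` guard is redundant: `register` always defines the variable on the task it is attached to, even when that task is skipped, so `{{ haproxy_service_needs_restart or (copy_config_json is changed) }}` is equivalent and easier to read; the same applies to `template_haproxy_service` in the setup-systemd-unit.yml hunk. The `register: copy_config_json` line is attached to a task whose head lies outside the hunk. Adding `-W` to `args` is what makes the `SIGUSR2` reload in haproxy.service.j2 work, and a comment next to it would record that dependency: `# -W: master-worker mode, required for the SIGUSR2 reload in haproxy.service.j2`.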
diff --git a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml index 5d4a5b286c..cf69e3f2a9 100644 --- a/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml +++ b/core/src/epicli/data/common/ansible/playbooks/roles/kubernetes_common/tasks/configure-haproxy.yml @@ -35,7 +35,14 @@ template: dest: /etc/{{ haproxy_service }}/haproxy.cfg src: haproxy.cfg.j2 + register: template_haproxy_cfg - - name: Setup and start {{ haproxy_service }} runc-based systemd service + - name: Setup and start {{ haproxy_service }} service include_role: name: haproxy_runc + + - name: Reload {{ haproxy_service }} service + systemd: + name: "{{ haproxy_service }}" + state: reloaded + when: template_haproxy_cfg is changed