
This commit enables Ansible linting and does some minor refactoring to make existing Ansible roles compatible with the new rules. Several Ansible linting rules have been excluded to keep the number of changes from being too onerous. Also a new script in ci-scripts is used to check every config file included in the Browbeat repo for validity using the template Browbeat uses when it runs. Here's a list of the new linting rules: * Ansible tasks must have names * When you use shell you must use become not sudo * Using become_user without using become is not allowed * If a repo is pulled it must be a pinned version of commit, not latest * Always_run is deprecated don't use it * Variables without {{}} and not in when statements are deprecated don't use them * No trailing whitespace * YAML checking, catches big syntax errors but not less obvious ones Change-Id: Ic531c91c408996d4e7d8899afe8b21d364998680
---
|
|
#
|
|
# Install/run graphite-web for browbeat
|
|
#
|
|
|
|
- name: Install graphite rpms
|
|
yum: name={{ item }} state=present
|
|
become: true
|
|
with_items:
|
|
- graphite-web
|
|
- python-carbon
|
|
- expect
|
|
|
|
- name: Check for graphite.db sqlite
|
|
shell: ls /var/lib/graphite-web/graphite.db
|
|
ignore_errors: true
|
|
register: graphite_db_installed
|
|
|
|
- name: Copy setup-graphite-db.exp
|
|
copy:
|
|
src=setup-graphite-db.exp
|
|
dest=/root/setup-graphite-db.exp
|
|
owner=root
|
|
group=root
|
|
mode=0755
|
|
become: true
|
|
|
|
- name: Create initial graphite db
|
|
shell: /root/setup-graphite-db.exp {{ graphite_username }} {{ graphite_password }} && chown apache:apache /var/lib/graphite-web/graphite.db
|
|
become: true
|
|
when: graphite_db_installed.rc != 0
|
|
notify:
|
|
- restart apache
|
|
|
|
- name: Setup httpd graphite-web config
|
|
template:
|
|
src=graphite-web.conf.j2
|
|
dest=/etc/httpd/conf.d/graphite-web.conf
|
|
owner=root
|
|
group=root
|
|
mode=0644
|
|
become: true
|
|
notify:
|
|
- restart apache
|
|
|
|
### begin firewall ###
|
|
# we need TCP/80 open
|
|
# determine firewall status and take action
|
|
# 1) use firewall-cmd if firewalld is utilized
|
|
# 2) insert iptables rule if iptables is used
|
|
|
|
# Firewalld
|
|
- name: (graphite-web) Determine if firewalld is in use
|
|
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
|
ignore_errors: true
|
|
register: firewalld_in_use
|
|
no_log: true
|
|
|
|
- name: (graphite-web) Determine if firewalld is active
|
|
shell: systemctl is-active firewalld.service | grep -vq inactive
|
|
ignore_errors: true
|
|
register: firewalld_is_active
|
|
no_log: true
|
|
|
|
- name: (graphite-web) Determine if TCP/{{graphite_port}} is already active
|
|
shell: firewall-cmd --list-ports | egrep -q "^{{graphite_port}}/tcp"
|
|
ignore_errors: true
|
|
register: firewalld_graphite_port_exists
|
|
no_log: true
|
|
|
|
# add firewall rule via firewall-cmd
|
|
- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (firewalld)
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- firewall-cmd --zone=public --add-port={{graphite_port}}/tcp --permanent
|
|
- firewall-cmd --reload
|
|
ignore_errors: true
|
|
become: true
|
|
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_graphite_port_exists.rc != 0
|
|
|
|
# iptables-services
|
|
- name: (graphite-web) check firewall rules for TCP/{{graphite_port}} (iptables-services)
|
|
shell: grep "dport {{graphite_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
|
ignore_errors: true
|
|
register: iptables_graphite_port_exists
|
|
failed_when: iptables_graphite_port_exists == 127
|
|
no_log: true
|
|
|
|
- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (iptables-services)
|
|
lineinfile:
|
|
dest: /etc/sysconfig/iptables
|
|
line: '-A INPUT -p tcp -m tcp --dport {{graphite_port}} -j ACCEPT'
|
|
regexp: '^INPUT -i lo -j ACCEPT'
|
|
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
|
backup: yes
|
|
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_graphite_port_exists.stdout|int == 0
|
|
register: iptables_needs_restart
|
|
|
|
- name: (graphite-web) Restart iptables-services for TCP/{{graphite_port}} (iptables-services)
|
|
shell: systemctl restart iptables.service
|
|
ignore_errors: true
|
|
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
|
|
|
### end firewall ###
|
|
|
|
# Start graphite-web service
|
|
- name: Setup httpd service
|
|
service: name=httpd state=started enabled=true
|
|
become: true
|
|
|
|
# remove silly welcome from apache (if it exists)
|
|
- name: Remove httpd welcome config
|
|
become: true
|
|
file: path=/etc/httpd/conf.d/welcome.conf state=absent
|
|
notify:
|
|
- restart apache
|
|
|
|
#
|
|
# setup the python-carbon service
|
|
#
|
|
|
|
- name: Setup carbon-cache service
|
|
service: name=carbon-cache state=started enabled=true
|
|
become: true
|
|
|
|
- name: copy carbon storage schema config
|
|
copy:
|
|
src=storage-schemas.conf
|
|
dest=/etc/carbon/storage-schemas.conf
|
|
owner=root
|
|
group=root
|
|
mode=0644
|
|
become: true
|
|
notify:
|
|
- restart carbon-cache
|
|
|
|
- name: copy carbon storage aggregation config
|
|
copy:
|
|
src=storage-aggregation.conf
|
|
dest=/etc/carbon/storage-aggregation.conf
|
|
owner=root
|
|
group=root
|
|
mode=0644
|
|
become: true
|
|
notify:
|
|
- restart carbon-cache
|
|
|
|
- name: copy carbon config
|
|
copy:
|
|
src=carbon.conf
|
|
dest=/etc/carbon/carbon.conf
|
|
owner=root
|
|
group=root
|
|
mode=0644
|
|
become: true
|
|
notify:
|
|
- restart carbon-cache
|
|
|
|
|
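Review bot: The `Create initial graphite db` task passes `{{ graphite_password }}` as a shell argument without `no_log: true`, so the password lands in the task output and Ansible logs (the firewall probe tasks further down set `no_log: true`, while the one task that actually handles a secret does not), and both variables are interpolated unquoted into the `shell:` line. I would add `no_log: true` to that task and render the arguments through the quote filter, `shell: /root/setup-graphite-db.exp {{ graphite_username | quote }} {{ graphite_password | quote }} && chown apache:apache /var/lib/graphite-web/graphite.db`; the argv stays visible to other local users for the lifetime of the expect process, which only a change to the script's interface would remove. Separately, `failed_when: iptables_graphite_port_exists == 127` and `when: iptables_needs_restart != 0 and ...` compare a registered result dict with an integer, so as written the first can never be true and the second is always true — presumably `iptables_graphite_port_exists.rc == 127` and `iptables_needs_restart.changed` were intended. The `lineinfile` task on /etc/sysconfig/iptables and the `systemctl restart iptables.service` task lack `become: true` while the sibling firewall-cmd task has it; unless the play already runs as root, those will fail with permission errors.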