Moved AWS specific bits

Created an “aws” sub-dir that contains all of the project files specific to AWS. Use the top-level project generically and the aws subdirectory for AWS.
ansible · Jul 28, 2016 · ffcb873 · ffcb873
1 parent 000fa67
commit ffcb873
Show file tree

Hide file tree

Showing 38 changed files with 2,125 additions and 22 deletions.
diff --git a/lamp_haproxy/aws/LICENSE.md b/lamp_haproxy/aws/LICENSE.md
@@ -0,0 +1,4 @@
+Copyright (C) 2013 AnsibleWorks, Inc.
+
+This work is licensed under the Creative Commons Attribution 3.0 Unported License. 
+To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/deed.en_US. 
diff --git a/lamp_haproxy/aws/README.md b/lamp_haproxy/aws/README.md
@@ -0,0 +1,72 @@
+LAMP Stack + HAProxy: Example Playbooks
+-----------------------------------------------------------------------------
+
+- Requires Ansible 1.2
+- Expects CentOS/RHEL 6 hosts
+
+This example is an extension of the simple LAMP deployment. Here we'll install
+and configure a web server with an HAProxy load balancer in front, and deploy
+an application to the web servers. This set of playbooks also have the
+capability to dynamically add and remove web server nodes from the deployment.
+It also includes examples to do a rolling update of a stack without affecting
+the service.
+
+You can also optionally configure a Nagios monitoring node.
+
+### Initial Site Setup
+
+First we configure the entire stack by listing our hosts in the 'hosts'
+inventory file, grouped by their purpose:
+
+		[webservers]
+		webserver1
+		webserver2
+		
+		[dbservers]
+		dbserver
+		
+		[lbservers]
+		lbserver
+		
+		[monitoring]
+		nagios
+
+After which we execute the following command to deploy the site:
+
+		ansible-playbook -i hosts site.yml
+
+The deployment can be verified by accessing the IP address of your load
+balancer host in a web browser: http://<ip-of-lb>:8888. Reloading the page
+should have you hit different webservers.
+
+The Nagios web interface can be reached at http://<ip-of-nagios>/nagios/
+
+The default username and password are "nagiosadmin" / "nagiosadmin".
+
+### Removing and Adding a Node
+
+Removal and addition of nodes to the cluster is as simple as editing the
+hosts inventory and re-running:
+
+        ansible-playbook -i hosts site.yml
+
+### Rolling Update
+
+Rolling updates are the preferred way to update the web server software or
+deployed application, since the load balancer can be dynamically configured
+to take the hosts to be updated out of the pool. This will keep the service
+running on other servers so that the users are not interrupted.
+
+In this example the hosts are updated in serial fashion, which means that
+only one server will be updated at one time. If you have a lot of web server
+hosts, this behaviour can be changed by setting the 'serial' keyword in
+webservers.yml file.
+
+Once the code has been updated in the source repository for your application
+which can be defined in the group_vars/all file, execute the following
+command:
+
+	 ansible-playbook -i hosts rolling_update.yml
+
+You can optionally pass: -e webapp_version=xxx to the rolling_update
+playbook to specify a specific version of the example webapp to deploy.
diff --git a/lamp_haproxy/aws/group_vars/all b/lamp_haproxy/aws/group_vars/all
@@ -0,0 +1,5 @@
+---
+# Variables here are applicable to all host groups
+
+httpd_port: 80
+ntpserver: 192.168.1.2
diff --git a/...xy/group_vars/tag_ansible_group_dbservers → ...ws/group_vars/tag_ansible_group_dbservers b/...xy/group_vars/tag_ansible_group_dbservers → ...ws/group_vars/tag_ansible_group_dbservers
diff --git a/...xy/group_vars/tag_ansible_group_lbservers → ...ws/group_vars/tag_ansible_group_lbservers b/...xy/group_vars/tag_ansible_group_lbservers → ...ws/group_vars/tag_ansible_group_lbservers
diff --git a/...y/group_vars/tag_ansible_group_webservers → ...s/group_vars/tag_ansible_group_webservers b/...y/group_vars/tag_ansible_group_webservers → ...s/group_vars/tag_ansible_group_webservers
diff --git a/lamp_haproxy/aws/hosts b/lamp_haproxy/aws/hosts
@@ -0,0 +1,12 @@
+[webservers]
+web1
+web2
+
+[dbservers]
+db1
+
+[lbservers]
+lb1
+
+[monitoring]
+nagios
diff --git a/lamp_haproxy/aws/roles/base-apache/tasks/main.yml b/lamp_haproxy/aws/roles/base-apache/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+# This role installs httpd
+
+- name: Install http
+  yum: name={{ item }} state=present
+  with_items:
+   - httpd
+
+- name: http service state
+  service: name=httpd state=started enabled=yes
diff --git a/lamp_haproxy/aws/roles/common/files/RPM-GPG-KEY-EPEL-6 b/lamp_haproxy/aws/roles/common/files/RPM-GPG-KEY-EPEL-6
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+mQINBEvSKUIBEADLGnUj24ZVKW7liFN/JA5CgtzlNnKs7sBg7fVbNWryiE3URbn1
+JXvrdwHtkKyY96/ifZ1Ld3lE2gOF61bGZ2CWwJNee76Sp9Z+isP8RQXbG5jwj/4B
+M9HK7phktqFVJ8VbY2jfTjcfxRvGM8YBwXF8hx0CDZURAjvf1xRSQJ7iAo58qcHn
+XtxOAvQmAbR9z6Q/h/D+Y/PhoIJp1OV4VNHCbCs9M7HUVBpgC53PDcTUQuwcgeY6
+pQgo9eT1eLNSZVrJ5Bctivl1UcD6P6CIGkkeT2gNhqindRPngUXGXW7Qzoefe+fV
+QqJSm7Tq2q9oqVZ46J964waCRItRySpuW5dxZO34WM6wsw2BP2MlACbH4l3luqtp
+Xo3Bvfnk+HAFH3HcMuwdaulxv7zYKXCfNoSfgrpEfo2Ex4Im/I3WdtwME/Gbnwdq
+3VJzgAxLVFhczDHwNkjmIdPAlNJ9/ixRjip4dgZtW8VcBCrNoL+LhDrIfjvnLdRu
+vBHy9P3sCF7FZycaHlMWP6RiLtHnEMGcbZ8QpQHi2dReU1wyr9QgguGU+jqSXYar
+1yEcsdRGasppNIZ8+Qawbm/a4doT10TEtPArhSoHlwbvqTDYjtfV92lC/2iwgO6g
+YgG9XrO4V8dV39Ffm7oLFfvTbg5mv4Q/E6AWo/gkjmtxkculbyAvjFtYAQARAQAB
+tCFFUEVMICg2KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAjYEEwECACAFAkvS
+KUICGw8GCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRA7Sd8qBgi4lR/GD/wLGPv9
+qO39eyb9NlrwfKdUEo1tHxKdrhNz+XYrO4yVDTBZRPSuvL2yaoeSIhQOKhNPfEgT
+9mdsbsgcfmoHxmGVcn+lbheWsSvcgrXuz0gLt8TGGKGGROAoLXpuUsb1HNtKEOwP
+Q4z1uQ2nOz5hLRyDOV0I2LwYV8BjGIjBKUMFEUxFTsL7XOZkrAg/WbTH2PW3hrfS
+WtcRA7EYonI3B80d39ffws7SmyKbS5PmZjqOPuTvV2F0tMhKIhncBwoojWZPExft
+HpKhzKVh8fdDO/3P1y1Fk3Cin8UbCO9MWMFNR27fVzCANlEPljsHA+3Ez4F7uboF
+p0OOEov4Yyi4BEbgqZnthTG4ub9nyiupIZ3ckPHr3nVcDUGcL6lQD/nkmNVIeLYP
+x1uHPOSlWfuojAYgzRH6LL7Idg4FHHBA0to7FW8dQXFIOyNiJFAOT2j8P5+tVdq8
+wB0PDSH8yRpn4HdJ9RYquau4OkjluxOWf0uRaS//SUcCZh+1/KBEOmcvBHYRZA5J
+l/nakCgxGb2paQOzqqpOcHKvlyLuzO5uybMXaipLExTGJXBlXrbbASfXa/yGYSAG
+iVrGz9CE6676dMlm8F+s3XXE13QZrXmjloc6jwOljnfAkjTGXjiB7OULESed96MR
+XtfLk0W5Ab9pd7tKDR6QHI7rgHXfCopRnZ2VVQ==
+=V/6I
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/lamp_haproxy/aws/roles/common/files/epel.repo b/lamp_haproxy/aws/roles/common/files/epel.repo
@@ -0,0 +1,26 @@
+[epel]
+name=Extra Packages for Enterprise Linux 6 - $basearch
+#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
+failovermethod=priority
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
+
+[epel-debuginfo]
+name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
+#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
+failovermethod=priority
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
+gpgcheck=1
+
+[epel-source]
+name=Extra Packages for Enterprise Linux 6 - $basearch - Source
+#baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
+failovermethod=priority
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
+gpgcheck=1
diff --git a/lamp_haproxy/aws/roles/common/handlers/main.yml b/lamp_haproxy/aws/roles/common/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+# Handlers for common notifications
+
+- name: restart ntp
+  service: name=ntpd state=restarted
+
+- name: restart iptables
+  service: name=iptables state=restarted
diff --git a/lamp_haproxy/aws/roles/common/tasks/main.yml b/lamp_haproxy/aws/roles/common/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+# This role contains common plays that will run on all nodes.
+
+- name: Install python bindings for SE Linux
+  yum: name={{ item }} state=present
+  with_items:
+   - libselinux-python
+   - libsemanage-python
+
+- name: Create the repository for EPEL
+  copy: src=epel.repo dest=/etc/yum.repos.d/epel.repo
+
+- name: Create the GPG key for EPEL
+  copy: src=RPM-GPG-KEY-EPEL-6 dest=/etc/pki/rpm-gpg
+
+- name: install some useful nagios plugins
+  yum: name={{ item }} state=present
+  with_items:
+   - nagios-nrpe
+   - nagios-plugins-swap
+   - nagios-plugins-users
+   - nagios-plugins-procs
+   - nagios-plugins-load
+   - nagios-plugins-disk
+
+- name: Install ntp
+  yum: name=ntp state=present
+  tags: ntp
+
+- name: Configure ntp file
+  template: src=ntp.conf.j2 dest=/etc/ntp.conf
+  tags: ntp
+  notify: restart ntp
+
+- name: Start the ntp service
+  service: name=ntpd state=started enabled=yes
+  tags: ntp
+
+# work around RHEL 7, for now
+- name: insert iptables template
+  template: src=iptables.j2 dest=/etc/sysconfig/iptables
+  when: ansible_distribution_major_version != '7'
+  notify: restart iptables
+
+- name: test to see if selinux is running
+  command: getenforce
+  register: sestatus
+  changed_when: false
diff --git a/lamp_haproxy/aws/roles/common/templates/iptables.j2 b/lamp_haproxy/aws/roles/common/templates/iptables.j2
@@ -0,0 +1,30 @@
+# {{ ansible_managed }}
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+{% if (inventory_hostname in groups.tag_ansible_group_webservers) or (inventory_hostname in groups.tag_ansible_group_monitoring) %}
+-A INPUT -p tcp  --dport 80 -j ACCEPT
+{% endif %}
+
+{% if (inventory_hostname in groups.tag_ansible_group_dbservers) %}
+-A INPUT -p tcp  --dport 3306 -j  ACCEPT
+{% endif %}
+
+{% if (inventory_hostname in groups.tag_ansible_group_lbservers) %}
+-A INPUT -p tcp  --dport {{ listenport }} -j  ACCEPT
+{% endif %}
+
+{% for host in groups.tag_ansible_group_monitoring %}
+-A INPUT -p tcp -s {{ hostvars[host].ansible_default_ipv4.address }} --dport 5666 -j ACCEPT
+{% endfor %}
+
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
diff --git a/lamp_haproxy/aws/roles/common/templates/ntp.conf.j2 b/lamp_haproxy/aws/roles/common/templates/ntp.conf.j2
@@ -0,0 +1,12 @@
+
+driftfile /var/lib/ntp/drift
+
+restrict 127.0.0.1 
+restrict -6 ::1
+
+server {{ ntpserver }}
+
+includefile /etc/ntp/crypto/pw
+
+keys /etc/ntp/keys
+
diff --git a/lamp_haproxy/aws/roles/db/handlers/main.yml b/lamp_haproxy/aws/roles/db/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# Handler to handle DB tier notifications
+
+- name: restart mysql
+  service: name=mysqld state=restarted
+
diff --git a/lamp_haproxy/aws/roles/db/tasks/main.yml b/lamp_haproxy/aws/roles/db/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+# This role will install MySQL and create db user and give permissions.
+
+- name: Install Mysql package
+  yum: name={{ item }} state=present
+  with_items:
+   - mysql-server
+   - MySQL-python
+
+- name: Configure SELinux to start mysql on any port
+  seboolean: name=mysql_connect_any state=true persistent=yes
+  when: sestatus.rc != 0
+
+- name: Create Mysql configuration file
+  template: src=my.cnf.j2 dest=/etc/my.cnf
+  notify:
+  - restart mysql
+
+- name: Start Mysql Service
+  service: name=mysqld state=started enabled=yes
+
+- name: Create Application Database
+  mysql_db: name={{ dbname }} state=present
+
+- name: Create Application DB User
+  mysql_user: name={{ dbuser }} password={{ upassword }} priv=*.*:ALL host='%' state=present
diff --git a/lamp_haproxy/aws/roles/db/templates/my.cnf.j2 b/lamp_haproxy/aws/roles/db/templates/my.cnf.j2
@@ -0,0 +1,11 @@
+[mysqld]
+datadir=/var/lib/mysql
+socket=/var/lib/mysql/mysql.sock
+user=mysql
+# Disabling symbolic-links is recommended to prevent assorted security risks
+symbolic-links=0
+port={{ mysql_port }}
+
+[mysqld_safe]
+log-error=/var/log/mysqld.log
+pid-file=/var/run/mysqld/mysqld.pid
diff --git a/lamp_haproxy/aws/roles/haproxy/handlers/main.yml b/lamp_haproxy/aws/roles/haproxy/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+# Handlers for HAproxy
+
+- name: restart haproxy
+  service: name=haproxy state=restarted
+
+- name: reload haproxy
+  service: name=haproxy state=reloaded
+
diff --git a/lamp_haproxy/aws/roles/haproxy/tasks/main.yml b/lamp_haproxy/aws/roles/haproxy/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+# This role installs HAProxy and configures it.
+
+- name: Download and install haproxy
+  yum: name=haproxy state=present
+
+- name: Configure the haproxy cnf file with hosts
+  template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg
+  notify: restart haproxy
+
+- name: Start the haproxy service
+  service: name=haproxy state=started enabled=yes
diff --git a/lamp_haproxy/aws/roles/haproxy/templates/haproxy.cfg.j2 b/lamp_haproxy/aws/roles/haproxy/templates/haproxy.cfg.j2
@@ -0,0 +1,39 @@
+global
+    log         127.0.0.1 local2 
+
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        root
+    group       root
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats level admin
+
+defaults
+    mode                    {{ mode }}
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+backend app
+    {% for host in groups.tag_ansible_group_lbservers %}
+    	listen {{ daemonname }} 0.0.0.0:{{ listenport }}
+    {% endfor %}
+    balance     {{ balance }}
+    {% for host in groups.tag_ansible_group_webservers %}
+        server {{ host }} {{ hostvars[host]['ansible_' + iface].ipv4.address }}:{{ httpd_port }}
+    {% endfor %}