# SPDX-License-Identifier: MIT
---
# Entry point of the role: load role variables, validate caller input,
# install and configure SQL Server, then optionally configure HA/pacemaker.
- name: Ensure ansible_facts and variables used by role
  include_tasks: tasks/set_vars.yml

# Start from an empty login-command fact; verify_password.yml fills it in
# later when a password is to be checked.
- name: Unset the __mssql_sqlcmd_login_cmd fact
  set_fact:
    __mssql_sqlcmd_login_cmd: null

# Backwards compatibility: a caller still setting the deprecated *_2019_*
# EULA variable gets it mapped onto the current variable name.
- name: Link the deprecated accept_microsoft_sql_server_2019_standard_eula fact
  when: mssql_accept_microsoft_sql_server_2019_standard_eula is defined
  set_fact:
    mssql_accept_microsoft_sql_server_standard_eula:
      "{{ mssql_accept_microsoft_sql_server_2019_standard_eula }}"
# Input validation: stop before touching the host when the caller has not
# accepted the EULAs or has asked for an unsupported version/upgrade combo.
- name: Verify that the user accepts EULA variables
  assert:
    that:
      - mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula | bool
      - mssql_accept_microsoft_cli_utilities_for_sql_server_eula | bool
      - mssql_accept_microsoft_sql_server_standard_eula | bool
    fail_msg:
      - "You must accept EULA by setting the following variables to true:"
      - "mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula"
      - "mssql_accept_microsoft_cli_utilities_for_sql_server_eula"
      - "mssql_accept_microsoft_sql_server_standard_eula"

- name: Verify if the mssql_version variable is provided correctly
  assert:
    that: mssql_version | int in [2017, 2019]
    fail_msg: "The mssql_version variable must be set to either 2017 or 2019."

# mssql_upgrade together with mssql_version=2017 is contradictory (the only
# upgrade path is towards 2019), so it is rejected rather than guessed at.
- name: Verify if the mssql_upgrade variable is provided correctly
  when: mssql_upgrade | bool and mssql_version | int == 2017
  fail:
    msg:
      - "You set mssql_upgrade to true and mssql_version to 2017."
      - "If you want to upgrade, set the variables as such:"
      - "mssql_version: 2019"
      - "mssql_upgrade: true"

- name: Verify that EL < 8 is not used with mssql_ha_configure=true
  when:
    - mssql_ha_configure | bool
    - ansible_distribution in ['CentOS', 'RedHat']
    - ansible_distribution_version is version('8', '<')
  fail:
    msg: mssql_ha_configure=true does not support running against EL 7 hosts
# HA input validation; only evaluated when mssql_ha_configure is true.
- name: Verify if the mssql_ha_replica_type variable is provided correctly
  when: mssql_ha_configure | bool
  assert:
    that: >-
      mssql_ha_replica_type in
      ['primary', 'synchronous', 'witness', 'absent']
    fail_msg: >-
      You must set the mssql_ha_replica_type variable to one of 'primary',
      'synchronous', 'witness', 'absent'

# Exactly one host of the play may be the primary replica. The check looks
# at every play host's hostvars, so it is run once instead of per host.
- name: Verify that 'mssql_ha_replica_type = primary' is provided once
  when: mssql_ha_configure | bool
  run_once: true
  assert:
    that: >-
      ansible_play_hosts_all |
      map('extract', hostvars, 'mssql_ha_replica_type') |
      select('match', '^primary$') |
      list |
      length == 1
    fail_msg: >-
      You must set the mssql_ha_replica_type variable to 'primary' for one of
      your managed nodes

# When this role also drives the ha_cluster role it needs a virtual IP and a
# STONITH resource definition (id + agent) to hand over.
- name: Verify that mssql_ha_cluster variables are provided correctly
  when: mssql_ha_cluster_run_role | bool and mssql_ha_configure | bool
  assert:
    that:
      - mssql_ha_cluster_virtual_ip is not none
      - mssql_ha_stonith_resources.id is defined
      - mssql_ha_stonith_resources.agent is defined
    fail_msg: >-
      When setting mssql_ha_cluster_run_role=true you must also specify
      mssql_ha_cluster_virtual_ip and mssql_ha_stonith_resources correctly
# Dry-run helper: dump every ha_cluster_* variable this role would pass to the
# ha_cluster role, then end the play without changing any host.
- name: Print variables to be used with the ha_cluster role
  when: mssql_ha_cluster_print_vars | bool
  run_once: true
  block:
    # Builds a list of one-key dicts {var_name: var_value}, one per variable
    # whose name matches ^ha_cluster*; the sequence index picks the n-th name
    # and the n-th value of the same lookup. no_log hides the intermediate
    # results here (presumably because ha_cluster_* values can include
    # credentials); the final list is printed deliberately by the next task.
    - name: Set fact with ha_cluster_* variables and their values
      set_fact:
        __mssql_ha_cluster_vars: "{{ __mssql_ha_cluster_vars | d([]) + [
          {
            lookup('varnames', '^ha_cluster*', wantlist=True)[item | int]:
            lookup('vars', *lookup('varnames', '^ha_cluster*', wantlist=True))
            [item | int]
          }
        ] }}"
      with_sequence: >-
        start=0
        end={{ lookup('varnames', '^ha_cluster*', wantlist=True) | length - 1 }}
      no_log: true

    - name: Print variables to be used with the ha_cluster role
      debug:
        msg: "{{ __mssql_ha_cluster_vars | to_nice_yaml(indent=2) }}"

    # Nothing else runs when the caller only asked for the variable dump.
    - name: End play
      meta: end_play
# Installed-package inventory for the version checks that follow.
- name: Gather package facts
  package_facts:
    manager: auto
  no_log: true

# Downgrades are unsupported: an installed 15.x mssql-server (SQL Server 2019)
# must not be combined with a request for 2017.
- name: >-
    Verify if mssql_version is not smaller then the existing SQL Server version
  when:
    - mssql_version | int == 2017
    - ansible_facts.packages["mssql-server"][0]["version"] is defined
    - ansible_facts.packages["mssql-server"][0]["version"] is search("^15.*")
  fail:
    msg:
      - "You set mssql_version to 2017, but your SQL Server is version 2019."
      - "The role does not support downgrading SQL Server."
# Trust Microsoft's package signing key before any repository with
# gpgcheck=true is used; the key location is the role variable mssql_rpm_key.
- name: Deploy the GPG key for Microsoft repositories
  rpm_key:
    key: "{{ mssql_rpm_key }}"
    state: present

# This works only on systems that use yum or dnf
# Upgrade path 2017 -> 2019: when a 14.x (2017) server is installed, first
# bring everything from the 2017 repository up to date, then drop that
# repository so the repository configured below is the only source.
- name: Update all packages from SQL Server 2017 repo
  when:
    - mssql_upgrade | bool
    - ansible_facts.packages["mssql-server"][0]["version"] is defined
    - ansible_facts.packages["mssql-server"][0]["version"] is search("^14.*")
  package:
    name: "*"
    disablerepo: "*"
    enablerepo: packages-microsoft-com-mssql-server-2017
    state: latest  # noqa 403

- name: Remove the Microsoft SQL Server 2017 repository to upgrade to 2019
  when: mssql_upgrade | bool
  yum_repository:
    name: packages-microsoft-com-mssql-server-2017
    state: absent

# gpgcheck stays enabled so packages are verified against the key above.
- name: Configure the Microsoft SQL Server {{ mssql_version }} repository
  when: >-
    (__mssql_server_packages not in ansible_facts.packages) or
    (mssql_upgrade | bool)
  yum_repository:
    name: packages-microsoft-com-mssql-server-{{ mssql_version | int }}
    description: Microsoft SQL Server {{ mssql_version }}
    baseurl: "{{ mssql_server_repository }}"
    gpgcheck: true

# `latest` only during an upgrade; otherwise an installed server is left at
# its current version.
- name: Ensure the {{ __mssql_server_packages }} package
  package:
    name: "{{ __mssql_server_packages }}"
    state: "{{ 'latest' if mssql_upgrade else 'present' }}"

# /opt/mssql/bin/sqlservr requires libldap-2.4.so.2. Latest Fedora use newer
# libldap by default, therefore, it is required to install openldap-compat
# because it provides libldap-2.4.so.2.
- name: Ensure that the openldap-compat package is installed
  when:
    - ansible_distribution == "Fedora"
    - ansible_distribution_version | int >= 34
  package:
    name: openldap-compat
    state: present
# Locate the SQL Server errorlog: prefer the path configured under
# `errorlogfile` in mssql.conf, fall back to the default location, and print
# an empty string when neither is a non-empty file. The `|| :` keeps the
# pipeline from failing under `set -e` when mssql.conf has no such key.
# The output is reused later both as an "already set up" signal and as the
# file the edition check greps through.
- name: Check if the errorlog file exists and its location
  shell: |
    set -euo pipefail
    errorlog="$(grep '^errorlogfile' /var/opt/mssql/mssql.conf \
      | sed 's/errorlogfile : //')" || :
    if [ -s "${errorlog}" ]; then
      echo "${errorlog}"
    elif [ -s /var/opt/mssql/log/errorlog ]; then
      echo /var/opt/mssql/log/errorlog
    else
      echo ""
    fi
  changed_when: false
  register: __mssql_errorlog
- name: Gather system services facts
  service_facts:
  no_log: true

# Initial setup runs only once: the server counts as already set up when the
# mssql-server service is running or enabled, or an errorlog already exists.
- name: Set up MSSQL
  when: not __mssql_is_setup
  vars:
    __mssql_is_setup: >-
      {{ ('running' in
      ansible_facts['services']['mssql-server.service']['state']) or
      ('enabled' in
      ansible_facts['services']['mssql-server.service']['status']) or
      (__mssql_errorlog.stdout | length > 0) }}
  block:
    - name: Verify that the variables required for setting up MSSQL are defined
      assert:
        that:
          - mssql_password is not none
          - mssql_edition is not none
        fail_msg:
          - "You must define the following variables to set up MSSQL:"
          - "mssql_password"
          - "mssql_edition"

    # The sa password and edition reach mssql-conf through the environment,
    # so they are not part of the recorded command line. The result is
    # registered because later tasks check whether this task was skipped
    # (i.e. the server was already set up) before touching password/edition.
    - name: Set up MSSQL
      when: not __mssql_is_setup
      command: /opt/mssql/bin/mssql-conf -n setup
      environment:
        ACCEPT_EULA: "Y"
        MSSQL_SA_PASSWORD: "{{ mssql_password }}"
        MSSQL_PID: "{{ mssql_edition }}"
      register: __mssql_conf_setup
# Tuned: install the mssql profile, make sure tuned runs, and append `mssql`
# to the currently active profile list if it is not already part of it.
- name: Ensure that the tuned-profiles-mssql package is installed
  package:
    name: tuned-profiles-mssql
    state: present

- name: Ensure that the tuned service is started and enabled
  service:
    name: tuned
    state: started
    enabled: true

- name: Get the active Tuned profiles
  command: tuned-adm active
  changed_when: false
  register: __mssql_tuned_active_profiles

# adding the mssql profile to the end of the list ensures
# that it overrides conflicting settings in other profiles
- name: Add mssql to the list of Tuned profiles
  when: '"mssql" not in __mssql_tuned_active_profiles.stdout'
  block:
    # First attempt. failed_when: false so the known tuned bug handled below
    # can be detected from stderr instead of aborting the play.
    - name: Attempt to add mssql to the list of Tuned profiles
      command: >-
        tuned-adm profile {{ __mssql_tuned_active_profiles.stdout |
        regex_replace( '^Current active profile: ', '' ) }} mssql
      register: __mssql_tuned_adm_profile
      changed_when: __mssql_tuned_adm_profile.stderr | length == 0
      failed_when: false

    # It is needed because there is a bug in tuned that causes issues when
    # adding multiple profiles with common ancestors. Fail happens for example,
    # when running `tuned-adm profile virtual-guest mssql` because both profiles
    # include `throughput-performance`
    # https://bugzilla.redhat.com/show_bug.cgi?id=1825882
    - name: Remove troublemaking include from the mssql profile
      lineinfile:
        path: /usr/lib/tuned/mssql/tuned.conf
        regexp: include=throughput-performance
        state: absent
      when: >-
        "Cannot find profile 'throughput-performance'" in
        __mssql_tuned_adm_profile.stderr

    # Retry with the fixed profile; re-registers the same variable so the
    # changed state reflects the retried command. The `when` is evaluated
    # against the first attempt's stderr before the re-registration happens.
    - name: Add the fixed mssql profile to the list of Tuned profiles
      command: >-
        tuned-adm profile {{ __mssql_tuned_active_profiles.stdout |
        regex_replace( '^Current active profile: ', '' ) }} mssql
      when: >-
        "Cannot find profile 'throughput-performance'" in
        __mssql_tuned_adm_profile.stderr
      register: __mssql_tuned_adm_profile
      changed_when: __mssql_tuned_adm_profile.stderr | length == 0
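# Client tools (sqlcmd etc.) come from the generic Microsoft "prod" repo;
# gpgcheck stays on so they are verified against the deployed key.
- name: Configure the Microsoft SQL Server Tools repository
  yum_repository:
    name: packages-microsoft-com-prod
    description: Microsoft SQL Server Tools
    baseurl: "{{ mssql_client_repository }}"
    gpgcheck: true

# ACCEPT_EULA is quoted so the value is always the literal string "Y"
# regardless of the YAML loader's boolean handling, consistent with the
# server setup task that also exports ACCEPT_EULA: "Y".
- name: Ensure that SQL Server client tools are installed
  package:
    name: "{{ __mssql_client_packages }}"
    state: present
  environment:
    ACCEPT_EULA: "Y"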
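# Password management for a server that was already set up: check whether
# the requested password is the one the server accepts and change it only
# when the login attempt fails.
- name: Set a new password for the MSSQL sa user
  when:
    - __mssql_conf_setup is skipped
    - mssql_password is not none
  block:
    - name: Prepare MSSQL and facts for logging in
      include_tasks: verify_password.yml
      vars:
        __mssql_password: "{{ mssql_password }}"

    # __mssql_sqlcmd_login_cmd is built in verify_password.yml and is expected
    # to carry the sa credentials. Because ignore_errors lets a failed attempt
    # continue, the callback would otherwise print the failed result in full,
    # including `cmd`; no_log keeps that out of the play output and logs.
    # Only the task's failed/ok status is used afterwards.
    - name: Check if the set password matches the existing password
      command: "{{ __mssql_sqlcmd_login_cmd }} -Q 'SELECT @@VERSION'"
      ignore_errors: true
      changed_when: false
      register: __mssql_password_query
      no_log: true

    # The server is stopped before mssql-conf changes the password; the
    # notified handler restarts it.
    - name: Ensure that the mssql-server service is stopped
      service:
        name: mssql-server
        state: stopped
      when: __mssql_password_query is failed
      notify: Restart the mssql-server service

    # The new password is passed through the environment, not on the
    # command line, so it does not appear in the recorded `cmd`.
    - name: Change the password of the sa user
      command: /opt/mssql/bin/mssql-conf set-sa-password
      environment:
        MSSQL_SA_PASSWORD: "{{ mssql_password }}"
      when: __mssql_password_query is failed
      notify: Restart the mssql-server service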
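# Edition management for a server that was already set up: detect the
# running edition from the errorlog and change it only when it differs.
- name: Set a new edition for MSSQL
  when:
    - __mssql_conf_setup is skipped
    - mssql_edition is not none
  block:
    # Both values interpolated into the shell line go through the `quote`
    # filter, so a role variable or log path containing shell metacharacters
    # cannot alter the command. For ordinary values the rendered line is the
    # same as before ('<edition> edition' as a single-quoted pattern). A
    # non-matching grep exits non-zero, which here just means "no match";
    # the script therefore deliberately runs without `set -e`.
    - name: Check if the set edition matches the existing edition
      shell: |
        errorlog_edition="$(grep -oi {{ (mssql_edition ~ ' edition') | quote }} \
          {{ __mssql_errorlog.stdout | quote }})"
        if [ -z "${errorlog_edition}" ]; then
          edition_matches=false
        else
          edition_matches=true
        fi
        echo "${edition_matches}"
      register: __mssql_edition_matches
      changed_when: false

    - name: Ensure that the mssql-server service is stopped
      service:
        name: mssql-server
        state: stopped
      when: not __mssql_edition_matches.stdout | bool
      notify: Restart the mssql-server service

    # The edition/product key is passed through the environment; the task only
    # reports changed when mssql-conf confirms a new edition in its output.
    - name: Change the edition of MSSQL
      command: /opt/mssql/bin/mssql-conf set-edition
      environment:
        MSSQL_PID: "{{ mssql_edition }}"
      register: __mssql_conf_set_edition
      changed_when: '"The new edition is" in __mssql_conf_set_edition.stdout'
      when: not __mssql_edition_matches.stdout | bool
      notify: Restart the mssql-server service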
# Individual mssql-conf settings are delegated to mssql_conf_setting.yml,
# which receives the setting name and its value through the two vars below.
- name: Configure the IP address setting
  when: mssql_ip_address is not none
  include_tasks: mssql_conf_setting.yml
  vars:
    __mssql_conf_setting: "network ipaddress"
    __mssql_conf_setting_value: "{{ mssql_ip_address }}"

- name: Configure the TCP port setting
  when: mssql_tcp_port is not none
  include_tasks: mssql_conf_setting.yml
  vars:
    __mssql_conf_setting: "network tcpport"
    __mssql_conf_setting_value: "{{ mssql_tcp_port }}"

- name: Configure the sqlagent setting
  when: mssql_enable_sql_agent is not none
  include_tasks: mssql_conf_setting.yml
  vars:
    __mssql_conf_setting: "sqlagent enabled"
    __mssql_conf_setting_value: "{{ mssql_enable_sql_agent }}"

# Optional components use a tri-state variable: null leaves the package
# alone, true installs it, false removes it.
- name: Ensure the {{ __mssql_server_fts_packages }} package
  when: mssql_install_fts is not none
  package:
    name: "{{ __mssql_server_fts_packages }}"
    state: "{{ 'present' if mssql_install_fts | bool else 'absent' }}"
  notify: Restart the mssql-server service

- name: Ensure the {{ __mssql_powershell_packages }} package
  when: mssql_install_powershell is not none
  package:
    name: "{{ __mssql_powershell_packages }}"
    state: "{{ 'present' if mssql_install_powershell | bool else 'absent' }}"
# Basic HA enablement (independent of the cluster configuration below):
# install or remove the HA package and flip the hadrenabled setting to match.
- name: Configure HA
  when: mssql_enable_ha is not none
  block:
    - name: Ensure the {{ __mssql_server_ha_packages }} package
      notify: Restart the mssql-server service
      package:
        name: "{{ __mssql_server_ha_packages }}"
        state: "{{ 'present' if mssql_enable_ha | bool else 'absent' }}"

    - name: Configure the hadrenabled setting
      include_tasks: mssql_conf_setting.yml
      vars:
        __mssql_conf_setting: "hadr hadrenabled"
        __mssql_conf_setting_value: "{{ 1 if mssql_enable_ha else 0 }}"
# FUA tuning: trace flag 3979 and the `control writethrough` setting follow
# mssql_tune_for_fua_storage, while alternatewritethrough is always 0.
- name: Tune MSSQL for FUA-capable storage
  when: mssql_tune_for_fua_storage is not none
  block:
    # `|| true` so an absent traceflag line is an empty result, not a failure.
    - name: Check if the 3979 trace flag is enabled
      shell: grep '^traceflag' /var/opt/mssql/mssql.conf || true
      changed_when: false
      register: __mssql_get_traceflag

    - name: Set the 3979 traceflag
      when:
        - mssql_tune_for_fua_storage | bool
        - "'3979' not in __mssql_get_traceflag.stdout"
      command: /opt/mssql/bin/mssql-conf traceflag 3979 on

    - name: Unset the 3979 traceflag
      when:
        - not mssql_tune_for_fua_storage | bool
        - "'3979' in __mssql_get_traceflag.stdout"
      command: /opt/mssql/bin/mssql-conf traceflag 3979 off

    # the alternatewritethrough must be set to `false` as per MS docs
    - name: Configure the alternatewritethrough setting
      include_tasks: mssql_conf_setting.yml
      vars:
        __mssql_conf_setting: "control alternatewritethrough"
        __mssql_conf_setting_value: "0"

    - name: Configure the writethrough setting
      include_tasks: mssql_conf_setting.yml
      vars:
        __mssql_conf_setting: "control writethrough"
        __mssql_conf_setting_value: "{{ 1 if mssql_tune_for_fua_storage else 0 }}"
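# TLS: place the certificate and key under /etc/pki/tls and point the
# network tls* settings at them; when TLS is disabled every setting is
# written as `unset` (presumably handled as a removal by
# mssql_conf_setting.yml — confirm there).
- name: Configure TLS encryption
  when:
    - mssql_tls_enable is not none
  block:
    # Certificate -> /etc/pki/tls/certs, private key -> /etc/pki/tls/private,
    # both owned by mssql and readable only by that user. mode is quoted: a
    # bare 0600 is an implicit-octal integer under YAML 1.1 but decimal 600
    # under YAML 1.2, while the string form is unambiguous on every loader.
    - name: Copy certificate and private_key files to the host
      copy:
        src: "{{ item }}"
        remote_src: "{{ mssql_tls_remote_src }}"
        dest: >-
          /etc/pki/tls/{{ 'certs' if item == mssql_tls_cert
          else 'private' }}/{{ item | basename }}
        owner: mssql
        group: mssql
        mode: "0600"
        force: "{{ mssql_tls_force }}"
      with_items:
        - "{{ mssql_tls_cert }}"
        - "{{ mssql_tls_private_key }}"
      when: mssql_tls_enable | bool

    - name: Configure the tlscert setting
      include_tasks: mssql_conf_setting.yml
      vars:
        __mssql_tls_cert_dest: >-
          /etc/pki/tls/certs/{{ mssql_tls_cert | basename }}
        __mssql_conf_setting: "network tlscert"
        __mssql_conf_setting_value: >-
          {{ __mssql_tls_cert_dest if mssql_tls_enable else 'unset' }}

    - name: Configure the tlskey setting
      include_tasks: mssql_conf_setting.yml
      vars:
        __mssql_tls_private_key_dest: >-
          /etc/pki/tls/private/{{ mssql_tls_private_key | basename }}
        __mssql_conf_setting: "network tlskey"
        __mssql_conf_setting_value: >-
          {{ __mssql_tls_private_key_dest if mssql_tls_enable else 'unset' }}

    # Protocol versions accepted come from mssql_tls_version.
    - name: Configure the tlsprotocols setting
      include_tasks: mssql_conf_setting.yml
      vars:
        __mssql_conf_setting: "network tlsprotocols"
        __mssql_conf_setting_value: >-
          {{ mssql_tls_version if mssql_tls_enable else 'unset' }}

    # forceencryption is set to 1 whenever TLS is enabled.
    - name: Configure the forceencryption setting
      include_tasks: mssql_conf_setting.yml
      vars:
        __mssql_conf_setting: "network forceencryption"
        __mssql_conf_setting_value: "{{ '1' if mssql_tls_enable else 'unset' }}"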
# Pre-requisites shared by every HA replica: firewall openings and
# per-host copies of the HA mode variables.
- name: Open required firewall ports and set required facts
  when: mssql_ha_configure | bool
  block:
    # Delegated to the firewall system role: the listener port and the
    # high-availability service are enabled in the public zone, both in the
    # permanent and in the runtime configuration.
    - name: >-
        Open the {{ mssql_ha_listener_port }}/tcp port and
        enable the high-availability service in firewall
      when: mssql_ha_firewall_configure | bool
      vars:
        firewall:
          - port: "{{ mssql_ha_listener_port }}/tcp"
            zone: public
            state: enabled
            permanent: true
            runtime: true
          - service: high-availability
            state: enabled
            permanent: true
            runtime: true
      include_role:
        name: fedora.linux_system_roles.firewall

    # This is required because by default variables in vars/main.yml are
    # mapped into global variables and the role needs them in host variables
    - name: Set host variables
      set_fact:
        __mssql_ha_availability_mode: "{{ __mssql_ha_availability_mode }}"
        __mssql_ha_failover_mode: "{{ __mssql_ha_failover_mode }}"
        __mssql_ha_seeding_mode: "{{ __mssql_ha_seeding_mode }}"
# Primary replica: enable HADR, create the master key and certificate, fetch
# the certificate and private key to the control node so the replicas can
# restore them, then create the availability group and replicate the
# database. On any failure the fetched files are removed from the control
# node and the failure is re-raised.
- name: Configure availability group on the primary node
  when:
    - mssql_ha_configure | bool
    - mssql_ha_replica_type == 'primary'
  block:
    - name: Ensure the {{ __mssql_server_ha_packages }} package
      package:
        name: "{{ __mssql_server_ha_packages }}"
        state: "{{ 'present' if mssql_ha_configure | bool else 'absent' }}"
      register: __mssql_server_ha_packages_install

    # __mssql_conf_set (tested two tasks below) is presumably registered
    # inside mssql_conf_setting.yml — that file is not part of this listing.
    - name: Enable the hadrenabled setting
      include_tasks: mssql_conf_setting.yml
      vars:
        __mssql_conf_setting: "hadr hadrenabled"
        __mssql_conf_setting_value: 1

    # meta: flush_handlers does not support when conditional
    - name: Restart the mssql-server service if hadrenabled task was changed
      service:
        name: mssql-server
        state: restarted
      when: (__mssql_conf_set is changed) or
        (__mssql_server_ha_packages_install is changed)
      register: __mssql_primary_restarted

    # Each step below renders the named SQL template (templates/*.j2) and
    # feeds it to the server through input_sql_file.yml.
    - name: Enable AlwaysOn Health events
      vars:
        __mssql_input_sql_file: enable_alwayson.j2
      include_tasks: input_sql_file.yml

    # Optional reset: drop the existing certificate from the server and delete
    # its files on the host so a fresh one is created below.
    - name: Remove certificate from SQL Server
      vars:
        __mssql_input_sql_file: drop_cert.j2
      include_tasks: input_sql_file.yml
      when: mssql_ha_reset_cert | bool

    - name: Remove certificate and private key files
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - "{{ __mssql_ha_cert_dest }}"
        - "{{ __mssql_ha_private_key_dest }}"
      when: mssql_ha_reset_cert | bool

    - name: Create master key encryption
      vars:
        __mssql_input_sql_file: create_master_key_encryption.j2
      include_tasks: input_sql_file.yml

    - name: Create and back up certificate
      vars:
        __mssql_input_sql_file: create_and_back_up_cert.j2
      include_tasks: input_sql_file.yml

    # changed_when: false because the role removes cert files after using them
    # The files land as `cert` and `key` in the control node's working
    # directory (flat: true drops the per-host prefix). The private key is
    # sensitive while it sits there; it is deleted by the rescue section
    # below and by the replica block's always section.
    - name: >-
        Fetch certificate and private key from the primary node to the control
        node
      fetch:
        src: "{{ item.value }}"
        dest: "{{ item.key }}"
        flat: true
      with_dict:
        cert: "{{ __mssql_ha_cert_dest }}"
        key: "{{ __mssql_ha_private_key_dest }}"
      changed_when: false

    - name: Create database mirroring endpoints
      vars:
        __mssql_input_sql_file: configure_endpoint.j2
      include_tasks: input_sql_file.yml

    - name: Create the {{ mssql_ha_login }}
      vars:
        __mssql_input_sql_file: create_ha_login.j2
      include_tasks: input_sql_file.yml

    # Required for configure_ag.j2 to set WRITE_LEASE_VALIDITY based on RHEL ver
    - name: Get mssql-server version to see if WRITE_LEASE_VALIDITY is available
      package_facts:
        manager: auto
      no_log: true

    - name: Create the {{ mssql_ha_ag_name }} availability group
      vars:
        __mssql_input_sql_file: configure_ag.j2
      include_tasks: input_sql_file.yml

    - name: Grant permissions to the {{ mssql_ha_login }} login
      vars:
        __mssql_input_sql_file: grant_permissions_to_ha_login.j2
      include_tasks: input_sql_file.yml

    - name: Back up and replicate the {{ mssql_ha_db_name }} database
      vars:
        __mssql_input_sql_file: replicate_db.j2
      include_tasks: input_sql_file.yml

    # This is required because `any_errors_fatal: true` does not work within
    # blocks that have rescue or always sections
    # With run_once the fact is set for every host of the play, so the
    # replica block can test it before it starts.
    - name: Set a fact to indicate successful set up on the primary replica
      delegate_to: localhost
      set_fact:
        __mssql_primary_successful: true
      run_once: true

  rescue:
    # changed_when: false because this task removes unused remnant of cert files
    - name: Remove certificate and private key from the control node
      delegate_to: localhost
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - cert
        - key
      changed_when: false

    # The rescue exists only for the cleanup above; the error is re-raised so
    # the play does not continue as if the primary had succeeded.
    - name: Fail because this rescue block does not actually rescue failed tasks
      fail:
        msg: Configuration tasks failed
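# Synchronous and witness replicas: verify the primary finished, enable HADR,
# restore the certificate fetched from the primary, create the endpoint and
# login, and join the availability group. The fetched files are always
# removed from the control node afterwards.
- name: Configure availability group on replicas
  when:
    - mssql_ha_configure | bool
    - mssql_ha_replica_type in ['synchronous', 'witness']
  any_errors_fatal: true
  block:
    # Abort the whole play (any_errors_fatal) when the primary did not set
    # __mssql_primary_successful; joining a missing AG would fail later anyway.
    - name: Fail if the primary node failed
      delegate_to: localhost
      fail:
        msg: "Halting playbook execution due to error on the primary node"
      when: not __mssql_primary_successful | d(false)
      run_once: true

    - name: Ensure the {{ __mssql_server_ha_packages }} package
      package:
        name: "{{ __mssql_server_ha_packages }}"
        state: "{{ 'present' if mssql_ha_configure | bool else 'absent' }}"
      register: __mssql_server_ha_packages_install

    # __mssql_conf_set (tested below) is presumably registered inside
    # mssql_conf_setting.yml — that file is not part of this listing.
    - name: Enable the hadrenabled setting
      include_tasks: mssql_conf_setting.yml
      vars:
        __mssql_conf_setting: "hadr hadrenabled"
        __mssql_conf_setting_value: 1

    # flush_handlers task does not support when conditional
    - name: Restart the mssql-server service if hadrenabled task was changed
      service:
        name: mssql-server
        state: restarted
      when: >-
        (__mssql_conf_set is changed) or
        (__mssql_server_ha_packages_install is changed)
      register: __mssql_replica_restarted

    - name: Enable AlwaysOn Health events
      vars:
        __mssql_input_sql_file: enable_alwayson.j2
      include_tasks: input_sql_file.yml

    - name: Create master key encryption
      vars:
        __mssql_input_sql_file: create_master_key_encryption.j2
      include_tasks: input_sql_file.yml

    # `cert` and `key` (fetched to the control node's working directory by
    # the primary block) are pushed to the paths the SQL scripts expect.
    # mode is a quoted string so every YAML loader reads it as octal.
    # NOTE(review): 0660 leaves the private key group-writable; if the mssql
    # group does not need write access, "0600" would be the tighter choice.
    - name: Distribute certificate and private key to managed nodes
      copy:
        src: "{{ item.key }}"
        dest: "{{ item.value }}"
        owner: mssql
        group: mssql
        mode: "0660"
        force: true
      with_dict:
        cert: "{{ __mssql_ha_cert_dest }}"
        key: "{{ __mssql_ha_private_key_dest }}"

    - name: Remove certificate from SQL Server
      vars:
        __mssql_input_sql_file: drop_cert.j2
      include_tasks: input_sql_file.yml
      when: mssql_ha_reset_cert | bool

    - name: Restore certificate
      vars:
        __mssql_input_sql_file: restore_cert.j2
      include_tasks: input_sql_file.yml

    - name: Create database mirroring endpoints
      vars:
        __mssql_input_sql_file: configure_endpoint.j2
      include_tasks: input_sql_file.yml

    - name: Create the {{ mssql_ha_login }} login
      vars:
        __mssql_input_sql_file: create_ha_login.j2
      include_tasks: input_sql_file.yml

    - name: Join synchronous and witness servers to the availability group
      vars:
        __mssql_input_sql_file: join_to_ag.j2
      include_tasks: input_sql_file.yml

    - name: Grant permissions to the {{ mssql_ha_login }} login
      vars:
        __mssql_input_sql_file: grant_permissions_to_ha_login.j2
      include_tasks: input_sql_file.yml

    # Witness replicas hold no database copy, so the check is skipped there.
    - name: Verify if the {{ mssql_ha_db_name }} database exists on secondaries
      vars:
        __mssql_input_sql_file: verify_sql_cluster.j2
      include_tasks: input_sql_file.yml
      when: mssql_ha_replica_type not in ['primary', 'witness']

  always:
    # changed_when: false because this task removes unused remnant of cert files
    - name: Remove certificate and private key from the control node
      delegate_to: localhost
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - cert
        - key
      changed_when: false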
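- name: Configure pacemaker
  when: mssql_ha_configure | bool
  block:
    # Login name and password for the HA SQL login, presumably consumed by
    # the pacemaker resource agent. The file is root-only; mode is quoted so
    # it is read as octal by every YAML loader. no_log keeps the rendered
    # content — which includes the password — out of --diff and verbose
    # task output.
    - name: Save credentials for the {{ mssql_ha_login }} SQL Server login
      copy:
        content: |-
          {{ mssql_ha_login }}
          {{ mssql_ha_login_password }}
        dest: /var/opt/mssql/secrets/passwd
        owner: root
        group: root
        mode: "0400"
        force: true
      no_log: true

    # Cluster creation itself is the ha_cluster role's job; the ha_cluster_*
    # variables validated earlier are picked up from the play's variables.
    - name: Run ha_cluster to configure pacemaker
      include_role:
        name: fedora.linux_system_roles.ha_cluster
      when: mssql_ha_cluster_run_role | bool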
# Final checks and housekeeping.
- name: Verify if the {{ mssql_ha_db_name }} database exists
  when: mssql_ha_configure | bool and mssql_ha_replica_type != 'witness'
  include_tasks: input_sql_file.yml
  vars:
    __mssql_input_sql_file: verify_sql_cluster.j2

# Marks mssql.conf as managed by this role (header inserted at the top).
- name: Ensure the ansible_managed header in /var/opt/mssql/mssql.conf
  blockinfile:
    path: /var/opt/mssql/mssql.conf
    block: "{{ __lsr_ansible_managed }}"
    insertbefore: BOF
  vars:
    __lsr_ansible_managed: "{{ lookup('template', 'get_ansible_managed.j2') }}"

# Keep this task at the bottom, it must be run at the end of the role
- name: Input the {{ mssql_input_sql_file }} sql file to SQL Server
  when: mssql_input_sql_file is defined and mssql_input_sql_file is not none
  include_tasks: input_sql_file.yml
  vars:
    __mssql_input_sql_file: "{{ mssql_input_sql_file }}"