From 800836b2d9f3afc9db2797ee83b4f6ba93d30eed Mon Sep 17 00:00:00 2001 
From: Josh Lay Date: Mon, 25 Feb 2019 21:49:51 -0600 Subject: [PATCH] initial commit --- README.md | 143 ++++++++++++++++++++++++++ TODO | 15 +++ ansible.cfg | 8 ++ play.yml | 37 +++++++ roles/bootstrap/tasks/main.yml | 66 ++++++++++++ roles/create-user/tasks/deb.yml | 23 +++++ roles/create-user/tasks/el.yml | 23 +++++ roles/create-user/tasks/main.yml | 20 ++++ roles/docker/files/daemon.json | 3 + roles/docker/tasks/main.yml | 32 ++++++ roles/glusterfs-client/tasks/main.yml | 13 +++ roles/glusterfs-server/tasks/main.yml | 42 ++++++++ roles/hardening/handlers/main.yml | 3 + roles/hardening/tasks/main.yml | 32 ++++++ roles/install-packages/tasks/deb.yml | 9 ++ roles/install-packages/tasks/el.yml | 14 +++ roles/install-packages/tasks/main.yml | 20 ++++ roles/rke/tasks/main.yml | 6 ++ roles/sysctl/tasks/main.yml | 5 + roles/tuned/tasks/el.yml | 15 +++ roles/tuned/tasks/main.yml | 7 ++ roles/update-packages/tasks/main.yml | 29 ++++++ roles/zfs/tasks/main.yml | 44 ++++++++ 23 files changed, 609 insertions(+) create mode 100644 README.md create mode 100644 TODO create mode 100644 ansible.cfg create mode 100644 play.yml create mode 100644 roles/bootstrap/tasks/main.yml create mode 100644 roles/create-user/tasks/deb.yml create mode 100644 roles/create-user/tasks/el.yml create mode 100644 roles/create-user/tasks/main.yml create mode 100644 roles/docker/files/daemon.json create mode 100644 roles/docker/tasks/main.yml create mode 100644 roles/glusterfs-client/tasks/main.yml create mode 100644 roles/glusterfs-server/tasks/main.yml create mode 100644 roles/hardening/handlers/main.yml create mode 100644 roles/hardening/tasks/main.yml create mode 100644 roles/install-packages/tasks/deb.yml create mode 100644 roles/install-packages/tasks/el.yml create mode 100644 roles/install-packages/tasks/main.yml create mode 100644 roles/rke/tasks/main.yml create mode 100644 roles/sysctl/tasks/main.yml create mode 100644 roles/tuned/tasks/el.yml create mode 100644 roles/tuned/tasks/main.yml 
create mode 100644 roles/update-packages/tasks/main.yml create mode 100644 roles/zfs/tasks/main.yml diff --git a/README.md b/README.md new file mode 100644 index 000000000..719fec7 --- /dev/null +++ b/README.md 
@@ -0,0 +1,143 @@ +## deploy_base +This playbook is used to test my misc. roles that I intend to use as a deployment framework. + +### Known issues +The package updates for atomic aren't idempotent. Some previous ostree transactions register a change, regardless of the actual transactional activity. + +Simply comment out the update-packages role in play.yml to avoid this, if desired. + +### Example usage +``` +[jlay@delta deploy_base]$ ansible-playbook -i hosts play.yml +username for the user you want to create [jlay]: +password for created user: +confirm password for created user: + +PLAY [lan] ************************************************************************************************************************************************ + +TASK [Gathering Facts] **************************************************************************************************************************************** +ok: [gitlab] + +TASK [bootstrap : check if atomic] **************************************************************************************************************************** +ok: [gitlab] + +TASK [bootstrap : check for cloud.cfg] ************************************************************************************************************************ +ok: [gitlab] + +TASK [bootstrap : set fact (atomic state)] ******************************************************************************************************************** +ok: [gitlab] + +TASK [bootstrap : set fact (cloud.cfg state)] ***************************************************************************************************************** +ok: [gitlab] + +TASK [bootstrap : install prereqs] **************************************************************************************************************************** +ok: [gitlab] => (item=libselinux-python) +ok: [gitlab] => (item=sudo) + +TASK [bootstrap : remove update_etc_hosts from cloud.cfg] 
***************************************************************************************************** +skipping: [gitlab] + +TASK [bootstrap : remove requiretty] ************************************************************************************************************************** +ok: [gitlab] + +TASK [bootstrap : install epel] ******************************************************************************************************************************* +ok: [gitlab] + +TASK [update-packages : update packages (atomic)] ************************************************************************************************************* +skipping: [gitlab] + +TASK [update-packages : update packages (non-atomic)] ********************************************************************************************************* +ok: [gitlab] + +TASK [update-packages : reboot updated hosts] ***************************************************************************************************************** +skipping: [gitlab] + +TASK [update-packages : wait for rebooted host to return] ***************************************************************************************************** +skipping: [gitlab] + +TASK [install-packages : include_tasks] *********************************************************************************************************************** +skipping: [gitlab] + +TASK [install-packages : include_tasks] *********************************************************************************************************************** +included: /home/jlay/git/deploy_base/roles/install-packages/tasks/el.yml for gitlab + +TASK [install-packages : install packages (RHEL/CentOS/Fedora)] *********************************************************************************************** +ok: [gitlab] => (item=bash-completion) +ok: [gitlab] => (item=htop) +ok: [gitlab] => (item=vim) +ok: [gitlab] => (item=strace) +ok: [gitlab] => (item=dmidecode) +ok: [gitlab] => (item=nethogs) +ok: 
[gitlab] => (item=sysbench) +ok: [gitlab] => (item=fio) +ok: [gitlab] => (item=rsync) +ok: [gitlab] => (item=iperf3) +ok: [gitlab] => (item=nmap) +ok: [gitlab] => (item=lvm2) +ok: [gitlab] => (item=bind-utils) + +TASK [create-user : include_tasks] **************************************************************************************************************************** +skipping: [gitlab] + +TASK [create-user : include_tasks] **************************************************************************************************************************** +included: /home/jlay/git/deploy_base/roles/create-user/tasks/el.yml for gitlab + +TASK [create-user : creating user jlay in wheel group (RHEL/CentOS/Fedora)] *********************************************************************************** +ok: [gitlab] + +TASK [create-user : enable nopasswd sudo (RHEL/CentOS/Fedora)] ************************************************************************************************ +ok: [gitlab] + +TASK [create-user : copy current pubkeys to ~jlay/.ssh/authorized_keys] *************************************************************************************** +ok: [gitlab] => (item=ssh-ed25519 [...] jlay@workstation) +ok: [gitlab] => (item=ssh-rsa [...] 
jlay@workstation) + +TASK [hardening : disable services] *************************************************************************************************************************** +ok: [gitlab] => (item=postfix) +failed: [gitlab] (item=rpcbind) => {"changed": false, "item": "rpcbind", "msg": "Could not find the requested service rpcbind: host"} +ok: [gitlab] => (item=rsyncd.service) +ok: [gitlab] => (item=rsyncd.socket) +...ignoring + +TASK [hardening : disable password auth] ********************************************************************************************************************** +ok: [gitlab] + +TASK [docker : install docker] ******************************************************************************************************************************** +ok: [gitlab] + +TASK [docker : add jlay to 'dockerroot' group] **************************************************************************************************************** +ok: [gitlab] + +TASK [docker : copy daemon.json] ****************************************************************************************************************************** +ok: [gitlab] + +TASK [docker : enable/start docker] *************************************************************************************************************************** +ok: [gitlab] + +TASK [zfs : install zfs-release package (RHEL/CentOS)] ******************************************************************************************************** +ok: [gitlab] + +TASK [zfs : install zfs-release package (Fedora)] ************************************************************************************************************* +skipping: [gitlab] + +TASK [zfs : install zfs and dkms] ***************************************************************************************************************************** +ok: [gitlab] => (item=kernel-devel) +ok: [gitlab] => (item=@Development tools) +ok: [gitlab] => (item=dkms) +ok: [gitlab] => (item=zfs) + +TASK [zfs : 
load zfs module] ********************************************************************************************************************************** +ok: [gitlab] + +TASK [zfs : add zfs to modules-load.d] ************************************************************************************************************************ +ok: [gitlab] + +TASK [zfs : set zfs_arc_max to 75% installed memory (11630000000 bytes)] ************************************************************************************** +ok: [gitlab] + +PLAY RECAP **************************************************************************************************************************************************** +gitlab : ok=26 changed=0 unreachable=0 failed=0 + +[jlay@delta deploy_base]$ +``` + diff --git a/TODO b/TODO new file mode 100644 index 000000000..4c11c2e --- /dev/null +++ b/TODO 
@@ -0,0 +1,15 @@
+- Break out common packages from play into local vars file
+
+- Fix atomic package updates. Not idempotent if there are pending transactions. Maybe add a task to clean up pending transactions before updating.
+
+- Make create-user role task 'copy pubkey to authorized_keys for user' more correct/idempotent. It currently copies the file ~/.ssh/id_rsa.pub to authorized_keys rather than the contents, clobbering what may be there.
+
+- Extend glusterfs-server role. If K8s, ensure Heketi pod is deployed. If not K8s, deploy normal service.
+ If a new deploy of Heketi, use Jinja2 templating for Heketi topology and import it (task run_once/one node only).
+ This will setup the disks/bricks, Ansible won't need to do it (modules for Gluster aren't great)
+
+- Test conditionals against more than CentOS to ensure it remains effective across Fedora (atomic/non), CentOS, and RHEL.
+
+- Make the playbook prompt for user/password only when making a user - eg: variable named 'createuser' (yes/no) to decide. Ansible doesn't seem to natively do this with vars_prompt, may need hackery.
+
+- Remove some cross-role dependencies. For example, the bootstrap role (which will likely always need to be included) defines is_atomic, used by other roles. Keeping things within their own roles helps keep them portable/reusable. Anything that is usable by many roles should be included in 'bootstrap'.
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 000000000..e57103f
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,8 @@
+[defaults]
+host_key_checking = False
+retry_files_enabled = False
+
+[ssh_connection]
+pipelining = True
+control_path = %(directory)s/%%h-%%p-%%r)
+ssh_args =
diff --git a/play.yml b/play.yml
new file mode 100644
index 000000000..b3aed86
--- /dev/null
+++ b/play.yml
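Review bot: In ansible.cfg, `host_key_checking = False` turns off SSH host-key verification for every host this playbook touches, so a spoofed or re-keyed host is accepted silently while the run pushes a password hash, authorized_keys entries and sudoers edits to it. I would drop that line and pre-seed known_hosts for the inventory, or at least mark the exception with a comment such as `# lab only: hosts are freshly provisioned and re-keyed often`. Separately, `control_path = %(directory)s/%%h-%%p-%%r)` ends in a `)` that looks like a typo, and the empty `ssh_args =` appears to replace Ansible's default ControlMaster/ControlPersist options, which is worth confirming is intended.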
@@ -0,0 +1,37 @@
+---
+- hosts: all
+ vars:
+ common_pkgs:
+ - bash-completion
+ - htop
+ - vim
+ - strace
+ - dmidecode
+ - nethogs
+ - sysbench
+ - fio
+ - rsync
+ arc_size_mb: "{{ (ansible_memtotal_mb * 0.75)|int|abs }}"
+ arc_size_bytes: "{{ arc_size_mb }}000000"
+ pwgen: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits,punctuation length=32') }}"
+
+ vars_prompt:
+
+ - name: "username"
+ prompt: "username for the user you want to create"
+ default: jlay
+ private: no
+
+ roles:
+ - {role: bootstrap}
+ - {role: update-packages}
+ - {role: install-packages}
+ - {role: create-user}
+ - {role: hardening}
+# - {role: docker}
+# - {role: tuned}
+# - {role: glusterfs-client}
+# - {role: glusterfs-server}
+ - {role: zfs}
+# - {role: rke}
+ - {role: sysctl}
diff --git a/roles/bootstrap/tasks/main.yml b/roles/bootstrap/tasks/main.yml
new file mode 100644
index 000000000..9b82d5c
--- /dev/null
+++ b/roles/bootstrap/tasks/main.yml
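Review bot: In play.yml, `pwgen` is a play var wrapping `lookup('password', '/dev/null …')`; Ansible templates such vars each time they are referenced, and a `/dev/null` target produces a fresh password on every call, so the value hashed by the create-user `user` task is very likely not the value later shown by `debug: var=pwgen`. Freeze it once per host before first use, for example with a task containing `set_fact:` and `pwgen: "{{ pwgen }}"`, or point the lookup at a controller-side file so the password is generated once and stored. Without that, the account ends up with a password nobody has seen.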
@@ -0,0 +1,66 @@
+---
+- block:
+
+ - name: check if atomic
+ stat:
+ path: /run/ostree-booted
+ register: ostree
+
+ - name: check for cloud.cfg
+ stat:
+ path: /etc/cloud/cloud.cfg
+ register: cloudcfg
+
+ - name: set fact (atomic state)
+ set_fact:
+ is_atomic: "{{ ostree.stat.exists }}"
+
+ - name: set fact (cloud.cfg state)
+ set_fact:
+ is_cloudy: "{{ cloudcfg.stat.exists }}"
+
+ - name: install prereqs
+ package:
+ name: "{{ item }}"
+ state: installed
+ with_items:
+ - libselinux-python
+ - sudo
+ when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "Fedora"] and not is_atomic
+
+ - name: enable fastestmirror (fedora - non-atomic)
+ lineinfile:
+ path: /etc/dnf/dnf.conf
+ regexp: "^fastestmirror="
+ line: "fastestmirror=True"
+ when: ansible_distribution in ["Fedora"] and not is_atomic
+
+ - name: remove update_etc_hosts from cloud.cfg
+ lineinfile:
+ line: ' - update_etc_hosts'
+ path: /etc/cloud/cloud.cfg
+ state: absent
+ when: is_cloudy
+
+ - name: add hosts to /etc/hosts
+ lineinfile:
+ path: /etc/hosts
+ state: present
+ line: "{{ hostvars[item].ip }} {{ hostvars[item].ansible_hostname }}"
+ regexp: "^{{ hostvars[item].ip }} "
+ with_items: "{{ groups.all }}"
+
+ - name: remove requiretty
+ lineinfile:
+ regexp: '^\w+\s+requiretty'
+ path: /etc/sudoers
+ state: absent
+
+ - name: install epel
+ package:
+ name: epel-release
+ state: latest
+ when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux"] and not is_atomic
+
+ tags:
+ - bootstrap
diff --git a/roles/create-user/tasks/deb.yml b/roles/create-user/tasks/deb.yml
new file mode 100644
index 000000000..aed0636
--- /dev/null
+++ b/roles/create-user/tasks/deb.yml
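Review bot: In roles/bootstrap/tasks/main.yml, the `remove requiretty` task edits /etc/sudoers with `lineinfile` but has no `validate`, unlike the sudoers edits in the create-user role; a malformed result would break privilege escalation on the host. Add `validate: 'visudo -cf %s'` to that task. The pattern `^\w+\s+requiretty` also removes the whole matching line, so a `Defaults` line that carries further options after `requiretty` would lose them too; confirm that is acceptable. The `add hosts to /etc/hosts` task reads `hostvars[item].ip` and `ansible_hostname` for every member of `groups.all`, which presumably fails when facts were not gathered for a host or it has no `ip` inventory variable.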
@@ -0,0 +1,23 @@
+---
+
+- name: creating user {{ username }} in sudo group (Debian/Ubuntu)
+ user:
+ name: "{{ username }}"
+ password: "{{ pwgen | password_hash('sha512') }}"
+ state: present
+ shell: /bin/bash
+ groups: sudo
+ append: yes
+ generate_ssh_key: yes
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+ update_password: on_create
+ register: user_created
+
+- name: enable nopasswd sudo (Debian/Ubuntu)
+ lineinfile:
+ dest: /etc/sudoers
+ regexp: '^%sudo'
+ line: "%sudo ALL=(ALL:ALL) NOPASSWD:ALL"
+ state: present
+ validate: 'visudo -cf %s'
diff --git a/roles/create-user/tasks/el.yml b/roles/create-user/tasks/el.yml
new file mode 100644
index 000000000..95000c1
--- /dev/null
+++ b/roles/create-user/tasks/el.yml
@@ -0,0 +1,23 @@
+---
+
+- name: creating user {{ username }} in wheel group (RHEL/CentOS/Fedora)
+ user:
+ name: "{{ username }}"
+ password: "{{ pwgen | password_hash('sha512') }}"
+ state: present
+ shell: /bin/bash
+ groups: wheel
+ append: yes
+ generate_ssh_key: yes
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+ update_password: on_create
+ register: user_created
+
+- name: enable nopasswd sudo (RHEL/CentOS/Fedora)
+ lineinfile:
+ dest: /etc/sudoers
+ regexp: '^%wheel'
+ line: "%wheel ALL=(ALL) NOPASSWD: ALL"
+ state: present
+ validate: 'visudo -cf %s'
diff --git a/roles/create-user/tasks/main.yml b/roles/create-user/tasks/main.yml
new file mode 100644
index 000000000..1a049f1
--- /dev/null
+++ b/roles/create-user/tasks/main.yml
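Review bot: In roles/create-user/tasks/deb.yml, the `enable nopasswd sudo` task rewrites the `%sudo` group rule to `NOPASSWD:ALL`, which gives passwordless root to every current and future member of that group rather than only to the account being created; roles/create-user/tasks/el.yml does the same for `%wheel`. Scope the rule to the user with a drop-in instead: `dest: /etc/sudoers.d/{{ username }}`, `line: "{{ username }} ALL=(ALL) NOPASSWD: ALL"`, `create: yes`, keeping the existing `validate` and setting the file mode to 0440. If group-wide passwordless sudo is intended, say so in a comment above each task.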
@@ -0,0 +1,20 @@
+---
+
+- include_tasks: deb.yml
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+- include_tasks: el.yml
+ when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "Fedora"]
+
+- name: print generated password for {{ username }} on each host
+ debug: var=pwgen
+ when: user_created is changed
+
+- name: copy current pubkeys to ~{{ username }}/.ssh/authorized_keys
+ authorized_key:
+ user: "{{ username }}"
+ state: present
+ key: "{{ item }}"
+ with_items:
+ - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"
+ - "{{ lookup('file','~/.ssh/id_rsa.pub') }}"
diff --git a/roles/docker/files/daemon.json b/roles/docker/files/daemon.json
new file mode 100644
index 000000000..9e34694
--- /dev/null
+++ b/roles/docker/files/daemon.json
@@ -0,0 +1,3 @@
+{
+ "group": "dockerroot"
+}
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
new file mode 100644
index 000000000..aa1fac6
--- /dev/null
+++ b/roles/docker/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+
+- name: install docker
+ package:
+ name: docker
+ state: latest
+ when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux"] and not is_atomic
+ register: docker_installed
+
+- name: add {{ username }} to 'dockerroot' group
+ user:
+ name: "{{ username }}"
+ groups: dockerroot
+ append: yes
+ when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux"] and not is_atomic
+
+
+- name: copy daemon.json
+ copy:
+ src: roles/docker/files/daemon.json
+ dest: /etc/docker/daemon.json
+ owner: root
+ group: root
+ mode: 0644
+ when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux"] and not is_atomic
+
+- name: enable/start docker
+ service:
+ name: docker
+ state: started
+ enabled: yes
+ when: ansible_distribution in ["CentOS", "Fedora", "Red Hat Enterprise Linux"] and not is_atomic
diff --git a/roles/glusterfs-client/tasks/main.yml b/roles/glusterfs-client/tasks/main.yml
new file mode 100644
index 000000000..dd0e3a3
--- /dev/null
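Review bot: In roles/create-user/tasks/main.yml, `debug: var=pwgen` writes the account password in clear text to the console and to whatever captures the run (a configured log_path, callback plugins, CI job logs). I would remove that task and keep the secret on the controller, for example by giving the `password` lookup a real file path instead of `/dev/null`, or set no password at all since the role already installs SSH keys and passwordless sudo. The two `lookup('file', …)` items also appear to make the run fail when the controller user lacks either `~/.ssh/id_ed25519.pub` or `~/.ssh/id_rsa.pub`.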
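Review bot: In roles/docker/tasks/main.yml, adding `{{ username }}` to `dockerroot` while daemon.json sets `"group": "dockerroot"` gives that account control of the Docker socket, which is equivalent to root on the host; that deserves a comment above the task, e.g. `# socket group membership == root on this host; keep in step with sudo policy`. `mode: 0644` is better quoted as `mode: "0644"` so the value does not depend on the YAML parser's octal handling. `src: roles/docker/files/daemon.json` only resolves relative to the playbook directory; inside the role, `src: daemon.json` is the portable form.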
+++ b/roles/glusterfs-client/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: install glusterfs 4.1 LTS SIG package (CentOS)
+ package:
+ name: centos-release-gluster41
+ state: latest
+ when: ansible_distribution == 'CentOS'
+
+- name: install heketi-client (CentOS/Fedora)
+ package:
+ name: heketi-client
+ state: latest
+ when: ansible_distribution in ["CentOS", "Fedora"] and not is_atomic
diff --git a/roles/glusterfs-server/tasks/main.yml b/roles/glusterfs-server/tasks/main.yml
new file mode 100644
index 000000000..d314388
--- /dev/null
+++ b/roles/glusterfs-server/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+
+- name: install glusterfs 4.1 LTS SIG package (CentOS)
+ package:
+ name: centos-release-gluster41
+ state: latest
+ when: ansible_distribution == 'CentOS'
+
+- name: install glusterfs-server
+ package:
+ name: glusterfs-server
+ state: present
+ when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "Fedora"] and not is_atomic
+ register: gluster_installed
+
+- name: start glusterd
+ service:
+ name: glusterd
+ state: started
+ enabled: yes
+ when: gluster_installed is changed
+
+- name: add hosts to /etc/hosts
+ lineinfile:
+ path: /etc/hosts
+ state: present
+ line: "{{ hostvars[item].ip }} {{ hostvars[item].gluster_hostname }}"
+ regexp: "^{{ hostvars[item].ip }} "
+ with_items: "{{ groups.all }}"
+
+- name: create glusterfs-server container (atomic)
+ docker_container:
+ name: glusterfs-server
+ image: gluster/gluster-centos:gluster4u0_centos7
+ hostname: glusterfs-server
+ network_mode: host
+ privileged: yes
+ restart_policy: always
+ shm_size: 2G
+ devices:
+ - "{{ gluster_dev }}:{{ gluster_dev }}:rwo"
+ when: is_atomic
diff --git a/roles/hardening/handlers/main.yml b/roles/hardening/handlers/main.yml
new file mode 100644
index 000000000..5b8df80
--- /dev/null
+++ b/roles/hardening/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart sshd
+ systemd: name=sshd state=restarted
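Review bot: In roles/glusterfs-server/tasks/main.yml, the `docker_container` task runs `privileged: yes` with `network_mode: host` from the mutable tag `gluster/gluster-centos:gluster4u0_centos7`, so whatever that tag resolves to at pull time gets full access to the host. Pin the image by digest (`image: gluster/gluster-centos@sha256:<digest-you-verified>`) and add a comment stating why privileged mode is required. The device mapping ends in `:rwo`; Docker's device permissions are built from `r`, `w` and `m`, so this looks like a typo for `rwm`. `gluster_dev` is not defined in any file shown in this commit, so it presumably has to come from inventory.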
diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
new file mode 100644
index 000000000..ee22bd3
--- /dev/null
+++ b/roles/hardening/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+#- name: Disallow root SSH access
+# lineinfile:
+# dest: /etc/ssh/sshd_config
+# regexp: "^PermitRootLogin"
+# line: "PermitRootLogin no"
+# state: present
+# notify: Restart ssh
+
+
+# untested on debian/ubuntu
+- name: disable services
+ service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: no
+ with_items:
+ - postfix
+ - rpcbind
+ - rsyncd.service
+ - rsyncd.socket
+ ignore_errors: true
+
+- name: disable password auth
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ state: present
+ notify: restart sshd
+
+
diff --git a/roles/install-packages/tasks/deb.yml b/roles/install-packages/tasks/deb.yml
new file mode 100644
index 000000000..d8dbd2e
--- /dev/null
+++ b/roles/install-packages/tasks/deb.yml
@@ -0,0 +1,9 @@
+---
+
+- name: install packages (Debian/Ubuntu)
+ package:
+ name: "{{ item }}"
+ state: latest
+ with_items:
+ - "{{ common_pkgs }}"
+ - dnsutils
diff --git a/roles/install-packages/tasks/el.yml b/roles/install-packages/tasks/el.yml
new file mode 100644
index 000000000..d6ec45f
--- /dev/null
+++ b/roles/install-packages/tasks/el.yml
@@ -0,0 +1,14 @@
+---
+
+- name: install packages (RHEL/CentOS/Fedora)
+ package:
+ name: "{{ item }}"
+ state: latest
+ with_items:
+ - "{{ common_pkgs }}"
+ - iperf3
+ - nmap
+ - lvm2
+ - bind-utils
+ - psmisc # may work on deb/ubuntu also? - provides killall
+ - wget
diff --git a/roles/install-packages/tasks/main.yml b/roles/install-packages/tasks/main.yml
new file mode 100644
index 000000000..cc7e153
--- /dev/null
+++ b/roles/install-packages/tasks/main.yml
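Review bot: In roles/hardening/tasks/main.yml, the `disable password auth` task rewrites /etc/ssh/sshd_config and then restarts sshd with no syntax check, so a bad result can cut off the only access path; add `validate: 'sshd -t -f %s'` (with the full path to sshd if needed). When no uncommented `PasswordAuthentication` line exists, the new line is appended at the end of the file, where it would fall inside a trailing `Match` block if the config has one. On `disable services`, `ignore_errors: true` hides every failure, not just the missing-unit case the README run shows for rpcbind; a `failed_when` that tolerates only the "Could not find the requested service" message keeps real failures visible. The commented-out root-login task notifies `Restart ssh`, which does not match the handler name `restart sshd`.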
@@ -0,0 +1,20 @@
+---
+
+- include_tasks: deb.yml
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+- include_tasks: el.yml
+ when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora"] and not is_atomic
+
+# Need an idempotent way to install packages on atomic
+# command module isn't idempotent and the package module insists on installing containers.
+
+#- name: install packages (fedora - atomic)
+# command: rpm-ostree install '{{ item }}'
+# with_items:
+# - htop
+# - vim
+# - iperf3
+# - strace
+# - nmap
+# when: ansible_distribution == 'Fedora' and is_atomic
diff --git a/roles/rke/tasks/main.yml b/roles/rke/tasks/main.yml
new file mode 100644
index 000000000..de86374
--- /dev/null
+++ b/roles/rke/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: enable net.bridge.bridge-nf-call-iptables
+ sysctl:
+ name: net.bridge.bridge-nf-call-iptables
+ value: 1
diff --git a/roles/sysctl/tasks/main.yml b/roles/sysctl/tasks/main.yml
new file mode 100644
index 000000000..0b7ffb2
--- /dev/null
+++ b/roles/sysctl/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: raise somaxconn
+ sysctl:
+ name: net.core.somaxconn
+ value: 512
diff --git a/roles/tuned/tasks/el.yml b/roles/tuned/tasks/el.yml
new file mode 100644
index 000000000..6a41998
--- /dev/null
+++ b/roles/tuned/tasks/el.yml
@@ -0,0 +1,15 @@
+---
+
+- name: install packages
+ package:
+ name: "{{ item }}"
+ state: latest
+ with_items:
+ - tuned
+ - tuned-utils
+
+- name: start service
+ service:
+ name: tuned
+ enabled: yes
+ state: started
diff --git a/roles/tuned/tasks/main.yml b/roles/tuned/tasks/main.yml
new file mode 100644
index 000000000..fad137e
--- /dev/null
+++ b/roles/tuned/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+
+- include_tasks: deb.yml
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+- include_tasks: el.yml
+ when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux", "Fedora"] and not is_atomic
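Review bot: In roles/tuned/tasks/main.yml, the first task includes `deb.yml` for Debian and Ubuntu, but the diffstat for this commit lists only `el.yml` and `main.yml` under roles/tuned/tasks, so the role would stop with a missing-file error on those distributions. Either add the file or drop the include until it exists. The role is commented out in play.yml, which is probably why this has not shown up in a run yet.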
diff --git a/roles/update-packages/tasks/main.yml b/roles/update-packages/tasks/main.yml
new file mode 100644
index 000000000..d3d2fef
--- /dev/null
+++ b/roles/update-packages/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- block:
+
+ - name: update packages (atomic)
+ atomic_host:
+ revision: latest
+ when: ansible_distribution == 'Fedora' and is_atomic
+ register: atomic_host_upgraded
+
+ - name: update packages (non-atomic)
+ package:
+ name: '*'
+ state: latest
+ when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "Fedora", "Debian", "Ubuntu"] and not is_atomic
+ register: host_upgraded
+
+ - name: reboot updated hosts
+ shell: nohup bash -c "sleep 2 && shutdown -r now" &
+ register: host_reset
+ when: (atomic_host_upgraded is changed) or (host_upgraded is changed)
+
+ - name: wait for rebooted host to return
+ wait_for_connection:
+ timeout: 300
+ delay: 20
+ when: host_reset is changed
+
+ tags:
+ - update
diff --git a/roles/zfs/tasks/main.yml b/roles/zfs/tasks/main.yml
new file mode 100644
index 000000000..9ff3cad
--- /dev/null
+++ b/roles/zfs/tasks/main.yml
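Review bot: In roles/update-packages/tasks/main.yml, `reboot updated hosts` backgrounds a shutdown through `shell` without `async` or `poll: 0`, so the task races the SSH session being torn down and can surface as a failed or unreachable host. The `reboot` module (Ansible 2.7 and later) waits for the host itself, e.g. `reboot:` with `reboot_timeout: 300`, and would replace both this task and `wait for rebooted host to return`. If the shell form stays, add `async: 1` and `poll: 0` so Ansible does not wait on the dying connection.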
@@ -0,0 +1,44 @@
+---
+
+- name: install zfs-release package (RHEL/CentOS)
+ yum:
+ name: "http://download.zfsonlinux.org/epel/zfs-release.el7_5.noarch.rpm"
+ state: present
+ when: ansible_distribution in ["CentOS" , "Red Hat Enterprise Linux" ]
+
+- name: install zfs-release package (Fedora)
+ dnf:
+ name: "http://download.zfsonlinux.org/fedora/zfs-release.fc29.noarch.rpm"
+ state: present
+ when: ansible_distribution in ["Fedora"] and not is_atomic
+
+- name: install zfs and dkms
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - kernel-devel
+ - "@Development tools"
+ - dkms
+ - zfs
+ register: zfs_installed
+ when: not is_atomic
+
+- name: load zfs module
+ modprobe:
+ name: zfs
+ state: present
+
+- name: add zfs to modules-load.d
+ copy:
+ dest: "/etc/modules-load.d/zfs.conf"
+ content: |
+ zfs
+
+#- name: set zfs_arc_max to 75% installed memory ({{ arc_size_bytes }} bytes)
+# lineinfile:
+# path: "/etc/modprobe.d/zfs.conf"
+# regexp: '^options zfs zfs_arc_max='
+# line: 'options zfs zfs_arc_max="{{ arc_size_bytes }}"'
+# create: yes
+# commented out, does not adjust to 75% of each host, leading to disproportionate allocations
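Review bot: In roles/zfs/tasks/main.yml, both zfs-release packages are fetched over plain `http://`, and that RPM is what installs the repository definition and signing key used for the later `zfs` install, so tampering in transit would compromise the trust anchor itself. Use an `https://` URL if the mirror offers one, or download with `get_url` and a pinned `checksum:` before installing, and compare the imported key's fingerprint with the one the project publishes. `load zfs module` and `add zfs to modules-load.d` carry no `when: not is_atomic`, unlike the install task above them, so on an atomic host `modprobe` would presumably fail for a module that was never installed.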