From: Frank Brehm
Date: Mon, 2 Dec 2024 09:47:39 +0000 (+0100)
Subject: Adding and using ansible roles 389ds-set-backend-readonly and haproxy-disable-backend
X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=8e0c2ed9d232d1149b71d65624ec42c34f05e696;p=pixelpark%2Fpp-admin-tools.git

Adding and using ansible roles 389ds-set-backend-readonly and haproxy-disable-backend
---

diff --git a/includes/set-389ds-backend-readonly.yaml b/includes/set-389ds-backend-readonly.yaml
deleted file mode 100644
index e6042df..0000000
--- a/includes/set-389ds-backend-readonly.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-
-- name: "Get current Readonly status of Backend '{{ backend.value }}' ..."
-  ansible.builtin.shell: "dsconf '{{ slapd_instance }}' backend suffix get '{{ backend.value }}' | grep -i '^nsslapd-readonly:' | sed -e 's/^nsslapd-readonly:[ ]*//i'"
-  check_mode: false
-  changed_when: false
-  register: backend_get_ro_status
-
-- name: "Show current backend_get_ro_status"
-  debug:
-    var: backend_get_ro_status
-    verbosity: 2
-
-- name: "Set fact backend_ro."
-  no_log: true
-  set_fact:
-    backend_ro: "{{ backend_get_ro_status.stdout is falsy }}"
-
-- name: "The backend '{{ backend.key }}' ({{ backend.value }}) readonly status:"
-  debug:
-    var: backend_ro
-
-- name: "Setting backend '{{ backend.value }}' to readonly."
-  ansible.builtin.shell: "dsconf '{{ slapd_instance }}' backend suffix set --enable-readonly '{{ backend.value }}'"
-  when: backend_ro == false
-
-- name: "Set fact backend_get_ro_status."
-  no_log: true
-  set_fact:
-    backend_get_ro_status: ~
-
-# vim: filetype=yaml
diff --git a/playbooks/configure-ldap-servers.yaml b/playbooks/configure-ldap-servers.yaml
index ce7df7a..8f08ba0 100644
--- a/playbooks/configure-ldap-servers.yaml
+++ b/playbooks/configure-ldap-servers.yaml
@@ -7,7 +7,7 @@
   tasks:
     - name: "Exec command for retrieving version of 389ds LDAP server."
-      ansible.builtin.shell: ns-slapd -v | grep -i '^389-Directory' | sed -e 's|.*/||' -e 's/[ ].*//'
+      ansible.builtin.shell: ns-slapd -v | grep -i '^389-Directory' | sed -e 's|.*/||' -e 's/\s.*//'
       register: get_389ds_version
       check_mode: false
       changed_when: false
@@ -24,7 +24,7 @@
 
     - name: "Fail for non existing 389ds LDAP server."
       ansible.builtin.fail:
-        msg: "No 389ds LDAP server found on host '{{ ansible_fqdn }}'."
+        msg: "No 389ds LDAP server found on host '{{ inventory_hostname }}'."
       when: version_389ds == ''
 
     - name: "Configure logging for host '{{ inventory_hostname }}'."
diff --git a/playbooks/disable-ldap-server.yaml b/playbooks/disable-ldap-server.yaml
index 1e0a014..5733306 100644
--- a/playbooks/disable-ldap-server.yaml
+++ b/playbooks/disable-ldap-server.yaml
@@ -37,6 +37,7 @@
 
 - name: "Disable the given host as a HAProxy backend server."
   hosts: haproxy_servers
+  gather_facts: false
   tasks:
 
 
@@ -50,15 +51,16 @@
           var: ldapserver_to_disable
           verbosity: 0
 
-    - name: "Setting backend server {{ haproxy_backend_name }}/{{ ldapserver_to_disable }} into maintenance."
-      community.general.haproxy:
-        state: drain
-        host: "{{ ldapserver_to_disable }}"
-        socket: "{{ haproxy_admin_socket }}"
+    - name: "Setting HAProxy backend server into maintenance."
+      include_role:
+        name: 'haproxy-disable-backend'
+      vars:
         backend: "{{ haproxy_backend_name }}"
-        wait: true
-        wait_interval: 2
-        wait_retries: 60
+        backend_server: "{{ ldapserver_to_disable }}"
+
+    # - name: "Fail for stop."
+    #   ansible.builtin.fail:
+    #     msg: "Hard stopping here ..."
 
 - name: "Disabling Replication on the given host."
   hosts: ldap_servers
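Review bot: The three commented-out `# - name: "Fail for stop."` lines added after the new `include_role` task in the `@@ -50,15 +51,16 @@` hunk are debugging scaffolding and should not land in the playbook; either delete them or keep a real task behind `tags: [never, debug]` so it can be invoked deliberately. The role name is quoted here (`name: 'haproxy-disable-backend'`) while the companion `389ds-set-backend-readonly` include in the same commit is unquoted; pick one form for both. The enclosing play continues outside this hunk.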
@@ -120,21 +122,21 @@
         puppet agent --disable "[$( date +'%Y-%m-%d' )]: Disbled by Ansible playbook 'disable-ldap-server.yaml'."
       args:
         creates: '/opt/puppetlabs/puppet/cache/state/agent_disabled.lock'
-      when: ldapserver_to_disable == ansible_fqdn
+      when: ldapserver_to_disable == inventory_hostname
 
     - name: "Disabling Puppet service on '{{ ldapserver_to_disable }}'."
       ansible.builtin.service:
         enabled: false
         name: puppet
         state: stopped
-      when: ldapserver_to_disable == ansible_fqdn
+      when: ldapserver_to_disable == inventory_hostname
 
     - name: "Disabling Wazuh service on '{{ ldapserver_to_disable }}'."
       ansible.builtin.service:
         enabled: false
         name: wazuh-agent
         state: stopped
-      when: ldapserver_to_disable == ansible_fqdn
+      when: ldapserver_to_disable == inventory_hostname
 
     - name: "Retrieve all backends from '{{ ldapserver_to_disable }}'."
       ansible.builtin.shell: "dsconf '{{ slapd_instance }}' backend suffix list"
@@ -164,15 +166,16 @@
           verbosity: 0
 
     - name: "Setting all backends to readonly."
-      include_tasks: '../includes/set-389ds-backend-readonly.yaml'
-      when: ldapserver_to_disable == ansible_fqdn
+      include_role:
+        name: 389ds-set-backend-readonly
+      when: ldapserver_to_disable == inventory_hostname
       loop: "{{ suffixes | dict2items }}"
       loop_control:
         loop_var: backend
 
     - name: "Removing replication agreements on host to disable."
       include_tasks: '../includes/del-389ds-backend-repl-agmts-target.yaml'
-      when: ldapserver_to_disable == ansible_fqdn
+      when: ldapserver_to_disable == inventory_hostname
       vars:
         suffix: "{{ item[0].key }}"
         target: "{{ item[1] }}"
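Review bot: Switching the guards from `ansible_fqdn` to `inventory_hostname` makes every task in this play depend on `ldapserver_to_disable` being spelled exactly like the inventory name; a value given as an FQDN (or a short name where the inventory uses FQDNs) no longer errors but silently skips every `== inventory_hostname` task on the target, while every `!= inventory_hostname` task (agreement removal, CLEANALLRUV) then presumably runs against all hosts, including the one being disabled. The same pattern is in the `@@ -164,15 +166,16 @@`, `@@ -180,14 +183,14 @@` and `@@ -195,7 +198,7 @@` hunks. An early `ansible.builtin.assert:` with `that: ldapserver_to_disable in ansible_play_hosts_all` and a `fail_msg` naming the offending value would make the mismatch fail fast instead of producing a partial run. The enclosing play and the shell task before `args:` start outside this hunk.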
@@ -180,14 +183,14 @@
 
     - name: "Removing replication agreements on hosts to keep."
       include_tasks: '../includes/del-389ds-backend-repl-agmts-src.yaml'
-      when: ldapserver_to_disable != ansible_fqdn
+      when: ldapserver_to_disable != inventory_hostname
       vars:
         suffix: "{{ item[0].key }}"
         target: "{{ item[1] }}"
       loop: "{{ suffixes | dict2items | product( ansible_play_batch ) | list }}"
 
     - name: "Disabling replication on all suffixes."
-      when: ldapserver_to_disable == ansible_fqdn
+      when: ldapserver_to_disable == inventory_hostname
       include_tasks: '../includes/disable-389ds-replication.yaml'
       vars:
         suffix: "{{ item.key }}"
@@ -195,7 +198,7 @@
 
     - name: "Clean all RUVs for Replication ID {{ target_replica_id }} on all suffixes ..."
       include_tasks: '../includes/389ds-repl-tasks-cleanallruv.yaml'
-      when: ldapserver_to_disable != ansible_fqdn
+      when: ldapserver_to_disable != inventory_hostname
       vars:
         suffix: "{{ item.key }}"
       loop: "{{ suffixes | dict2items | list }}"
diff --git a/roles/389ds-set-backend-readonly/tasks/main.yaml b/roles/389ds-set-backend-readonly/tasks/main.yaml
new file mode 100644
index 0000000..e6042df
--- /dev/null
+++ b/roles/389ds-set-backend-readonly/tasks/main.yaml
@@ -0,0 +1,32 @@
+---
+
+- name: "Get current Readonly status of Backend '{{ backend.value }}' ..."
+  ansible.builtin.shell: "dsconf '{{ slapd_instance }}' backend suffix get '{{ backend.value }}' | grep -i '^nsslapd-readonly:' | sed -e 's/^nsslapd-readonly:[ ]*//i'"
+  check_mode: false
+  changed_when: false
+  register: backend_get_ro_status
+
+- name: "Show current backend_get_ro_status"
+  debug:
+    var: backend_get_ro_status
+    verbosity: 2
+
+- name: "Set fact backend_ro."
+  no_log: true
+  set_fact:
+    backend_ro: "{{ backend_get_ro_status.stdout is falsy }}"
+
+- name: "The backend '{{ backend.key }}' ({{ backend.value }}) readonly status:"
+  debug:
+    var: backend_ro
+
+- name: "Setting backend '{{ backend.value }}' to readonly."
+  ansible.builtin.shell: "dsconf '{{ slapd_instance }}' backend suffix set --enable-readonly '{{ backend.value }}'"
+  when: backend_ro == false
+
+- name: "Set fact backend_get_ro_status."
+  no_log: true
+  set_fact:
+    backend_get_ro_status: ~
+
+# vim: filetype=yaml
diff --git a/roles/haproxy-disable-backend/tasks/main.yaml b/roles/haproxy-disable-backend/tasks/main.yaml
new file mode 100644
index 0000000..dd5b47d
--- /dev/null
+++ b/roles/haproxy-disable-backend/tasks/main.yaml
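Review bot: `backend_ro: "{{ backend_get_ro_status.stdout is falsy }}"` yields `false` for any non-empty dsconf output, because `falsy` without `convert_bool=true` applies plain string truthiness; if `dsconf ... backend suffix get` prints `nsslapd-readonly: on` for an already read-only backend (to be confirmed against the installed version), the `--enable-readonly` task then runs and reports changed on every pass, while an empty output — which more likely means the attribute is unset — is the one case that skips it. `backend_ro: "{{ backend_get_ro_status.stdout | trim | bool }}"` together with `when: not backend_ro` states the intended check directly. Both `ansible.builtin.shell` lines also splice `slapd_instance` and `backend.value` into single-quoted shell words, so a value containing `'` breaks out of the quoting; `{{ slapd_instance | quote }}` and `{{ backend.value | quote }}` (no surrounding quotes, the filter adds them) keep the arguments as single words.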
@@ -0,0 +1,38 @@
+---
+
+- debug:
+    msg: "Setting server '{{ backend_server }}' on HAProxy backend '{{ backend }}' into maintenance ..."
+    verbosity: 0
+
+- name: "Get file stat of HAProxy admin socket '{{ haproxy_admin_socket }}' ..."
+  ansible.builtin.stat:
+    path: "{{ haproxy_admin_socket }}"
+  register: admin_socket
+
+- name: "File stat of HAProxy admin socket '{{ haproxy_admin_socket }}': "
+  debug:
+    var: admin_socket
+    verbosity: 3
+
+- name: "Check existence of HAProxy admin socket '{{ haproxy_admin_socket }}'."
+  ansible.builtin.fail:
+    msg: "The HAProxy admin socket '{{ haproxy_admin_socket }}' does not exists."
+  when: admin_socket.stat.exists != true
+
+- name: "Checkinf, whether '{{ haproxy_admin_socket }}' is a socket."
+  ansible.builtin.fail:
+    msg: "The path '{{ haproxy_admin_socket }}' for the HAProxy admin socket is not a socket."
+  when: admin_socket.stat.issock != true
+
+- name: "Setting backend server {{ backend }}/{{ backend_server }} into maintenance."
+  community.general.haproxy:
+    state: drain
+    host: "{{ backend_server }}"
+    socket: "{{ haproxy_admin_socket }}"
+    backend: "{{ backend }}"
+    wait: "{{ haproxy_wait_for_disable }}"
+    wait_interval: "{{ haproxy_wait_interval }}"
+    wait_retries: "{{ haproxy_wait_retries }}"
+
+
+# vim: filetype=yaml
diff --git a/roles/haproxy-disable-backend/vars/main.yaml b/roles/haproxy-disable-backend/vars/main.yaml
new file mode 100644
index 0000000..cc0f36c
--- /dev/null
+++ b/roles/haproxy-disable-backend/vars/main.yaml
@@ -0,0 +1,11 @@
+---
+
+haproxy_user_socket: '/run/haproxy/user.sock'
+haproxy_admin_socket: '/run/haproxy/admin.sock'
+haproxy_test_socket: '/etc/passwd'
+
+haproxy_wait_for_disable: true
+haproxy_wait_interval: 2
+haproxy_wait_retries: 60
+
+# vim: filetype=yaml
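Review bot: `when: admin_socket.stat.exists != true` and `when: admin_socket.stat.issock != true` compare booleans against a literal; the idiomatic forms are `when: not admin_socket.stat.exists` and `when: not admin_socket.stat.issock`. The task names and messages carry typos — `Checkinf` for `Checking`, `does not exists` for `does not exist` — and the trailing space inside the `"File stat of HAProxy admin socket ...: "` name looks unintended. The opening `- debug:` task has no `name:`; giving it one keeps its log line attributable like the rest of the role.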
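Review bot: `vars/main.yaml` is the wrong home for `haproxy_admin_socket`, `haproxy_wait_for_disable`, `haproxy_wait_interval` and `haproxy_wait_retries`: role `vars/` take precedence over inventory, group/host vars and play vars, so none of these can be tuned per environment any more, and any `haproxy_admin_socket` the playbook previously took from inventory is now shadowed by `/run/haproxy/admin.sock`; `defaults/main.yaml` is where overridable knobs belong. `haproxy_test_socket: '/etc/passwd'` reads as a leftover from exercising the "is a socket" check, and `haproxy_user_socket` is read by nothing in this diff; drop both or add a comment saying why they are kept.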