diff --git a/CHANGELOG.md b/CHANGELOG.md index 97a79989..78ecd6ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,16 +13,26 @@ The **patch** part changes incrementally at each release. ### Added * dovecot: Update munin plugin & configure it +* dovecot: vmail uid/gid are configurable +* evoacme: variable to disable Debian version check (default: False) +* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) +* minifirewall: upstream release 20.12 +* minifirewall: add variables to force upgrade the script and the config (default: False) +* mysql: install save_mysql_processlist script * nextcloud: New role to setup a nextcloud instance * redis: variable to force use of port 6379 in instances mode +* redis: check maxmemory in NRPE check * lxc-php: Allow php containers to contact local MySQL with localhost ### Changed -* evoacme: Don't ignore hooks with . in the name (ignore when it's ".disable") +* apt: disable APT Periodic +* evoacme: upstream release 20.12 +* evocheck: upstream release 20.12 ### Fixed +* cerbot: parse HAProxy config file only if HAProxy is found * lxc: Force lxc containers to be in the correct timezone ### Removed diff --git a/apt/tasks/config.yml b/apt/tasks/config.yml index 988aac7a..48892b9e 100644 --- a/apt/tasks/config.yml +++ b/apt/tasks/config.yml @@ -11,6 +11,7 @@ with_items: - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' } - { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' } + - { line: "APT::Periodic::Enable \"0\";", regexp: 'APT::Periodic::Enable' } when: apt_evolinux_config tags: - apt diff --git a/certbot/files/hooks/haproxy.sh b/certbot/files/hooks/haproxy.sh index 1a7f5d4e..932a3e90 100644 --- a/certbot/files/hooks/haproxy.sh +++ b/certbot/files/hooks/haproxy.sh 
@@ -56,6 +56,9 @@ main() { fi if daemon_found_and_running; then + readonly haproxy_config_file="/etc/haproxy/haproxy.cfg" + readonly haproxy_cert_dir=$(detect_haproxy_cert_dir) + if found_renewed_lineage; then haproxy_cert_file="${haproxy_cert_dir}/$(basename "${RENEWED_LINEAGE}").pem" failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem" @@ -86,7 +89,5 @@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} readonly haproxy_bin=$(command -v haproxy) -readonly haproxy_config_file="/etc/haproxy/haproxy.cfg" -readonly haproxy_cert_dir=$(detect_haproxy_cert_dir) main diff --git a/dovecot/defaults/main.yml b/dovecot/defaults/main.yml index 884bc1ca..52e06bda 100644 --- a/dovecot/defaults/main.yml +++ b/dovecot/defaults/main.yml @@ -1,2 +1,4 @@ --- -dovecot_foo: bar + +dovecot_vmail_uid: 5000 +dovecot_vmail_gid: 5000 diff --git a/dovecot/tasks/main.yml b/dovecot/tasks/main.yml index 8492e00a..8508a902 100644 --- a/dovecot/tasks/main.yml +++ b/dovecot/tasks/main.yml @@ -40,7 +40,7 @@ - name: create vmail group group: name: vmail - gid: 5000 + gid: "{{ dovecot_vmail_gid }}" tags: - dovecot @@ -48,7 +48,7 @@ user: name: vmail group: vmail - uid: 5000 + uid: "{{ dovecot_vmail_uid }}" shell: /bin/false tags: - dovecot diff --git a/evoacme/defaults/main.yml b/evoacme/defaults/main.yml index e54ef2fc..ef16ee78 100644 --- a/evoacme/defaults/main.yml +++ b/evoacme/defaults/main.yml @@ -14,3 +14,5 @@ evoacme_ssl_loc: 'Marseille' evoacme_ssl_org: 'Evolix' evoacme_ssl_ou: 'Security' evoacme_ssl_email: 'security@evolix.net' + +evoacme_disable_debian_check: False diff --git a/evoacme/files/evoacme.sh b/evoacme/files/evoacme.sh index 6db0cab7..2ea2d273 100755 --- a/evoacme/files/evoacme.sh +++ b/evoacme/files/evoacme.sh @@ -14,7 +14,7 @@ show_version() { cat <, +Copyright 2009-2020 Evolix , Victor Laborie , Jérémy Lecour , Benoit Série 
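Review bot: `readonly haproxy_cert_dir=$(detect_haproxy_cert_dir)`, now placed inside the daemon_found_and_running branch, still masks the exit status of detect_haproxy_cert_dir, so a failed detection leaves the variable empty and the next line builds `haproxy_cert_file` as `/<lineage>.pem` at the filesystem root. Splitting declaration from assignment restores the check: `haproxy_cert_dir=$(detect_haproxy_cert_dir) || exit 1` (or the script's own error helper) followed by `readonly haproxy_cert_dir`. Declaring readonly inside main also means a second call of main in the same shell would fail; presumably main runs once, which is worth a one-line comment. main() starts and ends outside the hunk.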
@@ -284,13 +284,19 @@ main() { export EVOACME_CHAIN="${LIVE_CHAIN}" export EVOACME_FULLCHAIN="${LIVE_FULLCHAIN}" + # emulate certbot hooks environment variables + export RENEWED_LINEAGE="${LIVE_DIR}" + export RENEWED_DOMAINS="${VHOST}" + # search for files in hooks directory for hook in $(find ${HOOKS_DIR} -type f -executable | sort); do + set +e # keep only executables files, not containing a "." if [ -x "${hook}" ] && (basename "${hook}" | grep -vqF ".disable"); then debug "Executing ${hook}" ${hook} fi + set -e done } @@ -303,7 +309,7 @@ readonly QUIET=${QUIET:-"0"} readonly TEST=${TEST:-"0"} readonly DRY_RUN=${DRY_RUN:-"0"} -readonly VERSION="20.08" +readonly VERSION="20.12" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/make-csr.sh b/evoacme/files/make-csr.sh index 372c58fc..f82ad65b 100755 --- a/evoacme/files/make-csr.sh +++ b/evoacme/files/make-csr.sh @@ -13,7 +13,7 @@ show_version() { cat <, +Copyright 2009-2020 Evolix , Victor Laborie , Jérémy Lecour , Benoit Série @@ -265,7 +265,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.08" +readonly VERSION="20.12" # Read configuration file, if it exists [ -r /etc/default/evoacme ] && . /etc/default/evoacme diff --git a/evoacme/files/vhost-domains.sh b/evoacme/files/vhost-domains.sh index 41b065b6..5a60c23c 100755 --- a/evoacme/files/vhost-domains.sh +++ b/evoacme/files/vhost-domains.sh @@ -13,7 +13,7 @@ show_version() { cat <, +Copyright 2009-2020 Evolix , Victor Laborie , Jérémy Lecour , Benoit Série @@ -170,7 +170,7 @@ readonly ARGS=$@ readonly VERBOSE=${VERBOSE:-"0"} readonly QUIET=${QUIET:-"0"} -readonly VERSION="20.08" +readonly VERSION="20.12" readonly SRV_IP=${SRV_IP:-""} diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml index bd8cc055..4c71d90e 100644 --- a/evoacme/tasks/main.yml +++ b/evoacme/tasks/main.yml 
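Review bot: The `set +e` / `set -e` pair wrapped around `${hook}` makes a failing hook invisible: its non-zero status is neither logged nor reported, so a broken deploy hook (a service reload that fails, for instance) goes unnoticed while the run still succeeds. Capturing the status keeps the loop going without discarding the information: `rc=0`, `${hook} || rc=$?`, `[ "${rc}" -eq 0 ] || printf 'Hook %s exited with status %s\n' "${hook}" "${rc}" >&2`. The two new exports would also benefit from a comment stating the intent, e.g. `# RENEWED_LINEAGE / RENEWED_DOMAINS mirror the variables certbot sets, so hooks written for certbot work unchanged here`. main() starts outside the hunk.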
@@ -6,6 +6,7 @@ - ansible_distribution == "Debian" - ansible_distribution_major_version is version('9', '>=') msg: only compatible with Debian >= 9 + when: not evoacme_disable_debian_check - include: certbot.yml diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 5c3f1365..287982e2 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -readonly VERSION="20.04.3" +readonly VERSION="20.12" # base functions @@ -205,10 +205,13 @@ check_customsudoers() { grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file" } check_vartmpfs() { - df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" -} -check_vartmpfs() { - df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + FINDMNT_BIN=$(command -v findmnt) + if [ -x "${FINDMNT_BIN}" ]; then + ${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + else + df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" + fi + } check_serveurbase() { is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed" @@ -559,7 +562,7 @@ check_evobackup_exclude_mount() { # shellcheck disable=SC2064 trap "rm -f ${excludes_file}" 0 # shellcheck disable=SC2044 - for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do + for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") for mount in ${not_excluded}; do 
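Review bot: In check_vartmpfs the new findmnt branch combines `--noheadings` with a redirect to /dev/null, one of which is enough, and a stray blank line now precedes the closing brace, unlike the neighbouring checks. `FINDMNT_BIN` is assigned as a global inside the function; that mirrors BLKID_BIN in check_duplicate_fs_label, but a short comment saying so would stop a reader from taking it for an oversight. Note also that `findmnt /var/tmp` without `--target` presumably matches only when /var/tmp is itself a mount point, whereas the `df` fallback reports the filesystem containing it, so the two branches can disagree on a tmpfs mounted higher up; if that difference is intended it deserves a comment.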
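Review bot: In check_evobackup_exclude_mount the new filter `grep -v -E ".disabled$"` uses an unescaped dot, so any name whose last nine characters are `disabled` preceded by one arbitrary character is dropped, not only names with a literal `.disabled` suffix. Letting find do the exclusion removes both the pipe and the regex: `for evobackup_file in $(find /etc/cron* -name '*evobackup*' ! -name '*.disabled'); do`. The function starts outside the hunk.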
@@ -878,15 +881,25 @@ check_sql_backup() { if (is_installed "mysql-server" || is_installed "mariadb-server"); then # You could change the default path in /etc/evocheck.cf SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} - test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})" + for backup_path in ${SQL_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done fi } check_postgres_backup() { - if is_installed "postgresql-9*"; then + if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then # If you use something like barman, you should disable this check # You could change the default path in /etc/evocheck.cf - POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"} - test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})" + POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"} + for backup_path in ${POSTGRES_BACKUP_PATH}; do + if [ ! -f "${backup_path}" ]; then + failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})" + test "${VERBOSE}" = 1 || break + fi + done fi } check_mongo_backup() { @@ -1013,7 +1026,7 @@ check_duplicate_fs_label() { BLKID_BIN=$(command -v blkid) if [ -x "$BLKID_BIN" ]; then tmpFile=$(mktemp -p /tmp) - parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) + parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) for part in $parts; do echo "$part" >> "$tmpFile" done @@ -1517,8 +1530,6 @@ main() { # shellcheck disable=SC2034 readonly PROGNAME=$(basename "$0") -# shellcheck disable=SC2034 -readonly PROGDIR=$(realpath -m "$(dirname "$0")") # shellcheck disable=2124 readonly ARGS=$@ 
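Review bot: `SQL_BACKUP_PATH` and `POSTGRES_BACKUP_PATH` are now iterated unquoted, so a value set in /etc/evocheck.cf is treated as a whitespace-separated list of paths and globs and can no longer contain a path with spaces; that is a new contract for a user-facing setting and nothing in the hunk states it. A comment above each loop would make it explicit, e.g. `# May list several paths or globs separated by spaces; paths containing spaces are not supported`. It is also worth saying in the same comment that an unmatched glob such as the new `/home/backup/pg.dump.bak*` default is passed through literally and therefore still triggers the failure message, which appears to be the intended behaviour. check_sql_backup starts outside the hunk.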
diff --git a/evolinux-users/tasks/sudo.yml b/evolinux-users/tasks/sudo.yml index 2f2ee07c..6f127da8 100644 --- a/evolinux-users/tasks/sudo.yml +++ b/evolinux-users/tasks/sudo.yml @@ -4,6 +4,6 @@ when: ansible_distribution_release == "jessie" - include: sudo_stretch.yml - when: ansible_distribution_major_version is version('9', '>=') + when: ansible_distribution_major_version is defined and ansible_distribution_major_version is version('9', '>=') - meta: flush_handlers diff --git a/kvm-host/defaults/main.yml b/kvm-host/defaults/main.yml index 4c77a2ff..bb97c0f9 100644 --- a/kvm-host/defaults/main.yml +++ b/kvm-host/defaults/main.yml @@ -1,2 +1,3 @@ --- kvm_custom_libvirt_images_path: '' +kvm_install_drbd: True diff --git a/kvm-host/meta/main.yml b/kvm-host/meta/main.yml index 1d6d1c36..0976cf88 100644 --- a/kvm-host/meta/main.yml +++ b/kvm-host/meta/main.yml @@ -12,8 +12,8 @@ galaxy_info: - name: Debian versions: - jessie + - stretch + - buster -dependencies: [] - # List your role dependencies here, one per line. - # Be sure to remove the '[]' above if you add dependencies - # to this list. +dependencies: + - { role: evolix/drbd, when: kvm_install_drbd } diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 5489b06a..fd4e726b 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -5,11 +5,15 @@ minifirewall_tail_file: /etc/default/minifirewall.tail minifirewall_tail_included: False minifirewall_tail_force: True +minifirewall_force_upgrade_script: False +minifirewall_force_upgrade_config: False + minifirewall_git_url: "https://forge.evolix.org/minifirewall.git" minifirewall_checkout_path: "/tmp/minifirewall" minifirewall_int: "{{ ansible_default_ipv4.interface }}" minifirewall_ipv6: "on" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" +minifirewall_docker: "off" minifirewall_default_trusted_ips: [] minifirewall_additional_trusted_ips: [] 
diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf index 7285822a..1c637483 100644 --- a/minifirewall/files/minifirewall.conf +++ b/minifirewall/files/minifirewall.conf @@ -1,6 +1,5 @@ # Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall -# For fun, we keep last change from first CVS repository: -# version 0.1 - 12 juillet 2007 $Id: firewall.rc,v 1.2 2007/07/12 19:08:59 reg Exp $ +# Version 20.12 — 2020-12-01 22:55:35 # Main interface INT='eth0' @@ -8,6 +7,12 @@ INT='eth0' # IPv6 IPV6=on +# Docker Mode +# Changes the behaviour of minifirewall to not break the containers' network +# For instance, turning it on will disable nat table purge +# Also, we'll add the DOCKER-USER chain, in iptable +DOCKER='off' + # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything INTLAN='192.168.0.2/32' diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml index 82be385c..4c852d6b 100644 --- a/minifirewall/tasks/config.yml +++ b/minifirewall/tasks/config.yml @@ -51,13 +51,19 @@ blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR IPS" - content: | + block: | # Main interface INT='{{ minifirewall_int }}' # IPv6 IPV6='{{ minifirewall_ipv6 }}' + # Docker Mode + # Changes the behaviour of minifirewall to not break the containers' network + # For instance, turning it on will disable nat table purge + # Also, we'll add the DOCKER-USER chain, in iptable + DOCKER='{{ minifirewall_docker }}' + # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything INTLAN='{{ minifirewall_intlan }}' @@ -89,7 +95,7 @@ blockinfile: dest: "{{ minifirewall_main_file }}" marker: "# {mark} ANSIBLE MANAGED BLOCK FOR PORTS" - content: | + block: | # Protected services # (add also in Public services if needed) SERVICESTCP1p='{{ minifirewall_protected_ports_tcp | join(' ') }}' 
diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml index a4bcf734..5d6438ed 100644 --- a/minifirewall/tasks/install.yml +++ b/minifirewall/tasks/install.yml @@ -9,7 +9,7 @@ template: src: minifirewall.j2 dest: /etc/init.d/minifirewall - force: no + force: "{{ minifirewall_force_upgrade_script | default('no') }}" mode: "0700" owner: root group: root @@ -18,7 +18,7 @@ copy: src: minifirewall.conf dest: "{{ minifirewall_main_file }}" - force: no + force: "{{ minifirewall_force_upgrade_config | default('no') }}" mode: "0600" owner: root group: root diff --git a/minifirewall/templates/minifirewall.j2 b/minifirewall/templates/minifirewall.j2 index 8045ce60..13b5130d 100755 --- a/minifirewall/templates/minifirewall.j2 +++ b/minifirewall/templates/minifirewall.j2 @@ -4,7 +4,7 @@ # we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel # See https://gitea.evolix.org/evolix/minifirewall -# Copyright (c) 2007-2015 Evolix +# Copyright (c) 2007-2020 Evolix # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 3 @@ -51,6 +51,20 @@ BROAD='255.255.255.255' PORTSROOT='0:1023' PORTSUSER='1024:65535' +chain_exists() +{ + local chain_name="$1" ; shift + [ $# -eq 1 ] && local intable="--table $1" + iptables $intable -nL "$chain_name" >/dev/null 2>&1 +} + +# Configuration +oldconfigfile="/etc/firewall.rc" +configfile="{{ minifirewall_main_file }}" + +IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') +DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') +INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}') case "$1" in start) 
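Review bot: The three `grep "IPV6=" ... | awk` lines added next to `configfile=` match the substring anywhere in the line, so a commented-out `#DOCKER='on'` or a second assignment in the config produces two lines in `$DOCKER`, after which every `[ "$DOCKER" = "on" ]` test below silently fails. Anchoring the pattern restricts it to real assignments: `IPV6=$(grep "^IPV6=" {{ minifirewall_main_file }} | ...)`, `DOCKER=$(grep "^DOCKER=" {{ minifirewall_main_file }} | ...)`, `INT=$(grep "^INT=" {{ minifirewall_main_file }} | ...)`. The double `-F '=' -F "'"` is also misleading since only the last separator applies; dropping the first makes the intent clear. chain_exists calls `iptables` directly while the rest of the script goes through `$IPT`; if IPT is already set at that point, using it would keep the two consistent, and `$intable` is left unset when no table is given, which is fine without `set -u` but worth a comment.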
@@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT $IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' $IPT -A LOG_ACCEPT -j ACCEPT -# Configuration -oldconfigfile="/etc/firewall.rc" -configfile="{{ minifirewall_main_file }}" - if test -f $oldconfigfile; then echo "$oldconfigfile is deprecated, rename to $configfile" >&2 exit 1 @@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP +if [ "$DOCKER" = "on" ]; then + + $IPT -N MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-TRUSTED -j DROP + + $IPT -N MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN + + $IPT -N MINIFW-DOCKER-PUB + $IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PUB -j RETURN + + # Flush DOCKER-USER if exist, create it if absent + if chain_exists 'DOCKER-USER'; then + $IPT -F DOCKER-USER + else + $IPT -N DOCKER-USER + fi; + + # Pipe new connection through MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -j RETURN + +fi + + # Local services restrictions ############################# 
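Review bot: The Docker block flushes an existing `DOCKER-USER` chain with `$IPT -F DOCKER-USER`, discarding any rules an administrator or another tool already placed there, and the comment above it does not mention that side effect; I would extend it to `# Flush DOCKER-USER if exist (any rules already in it are dropped), create it if absent`. The `fi;` closing that test carries a stray semicolon, unlike the other `fi` lines in the script. Only traffic entering on `$INT` in state NEW is steered into MINIFW-DOCKER-PUB, so published container ports reached through another interface are not covered by these chains; presumably intended for a single-uplink host, but that assumption belongs in the "Docker Mode" header comment so operators know what the mode does and does not filter.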
@@ -218,6 +255,64 @@ for x in $SERVICESUDP3 done +if [ "$DOCKER" = "on" ]; then + + # Public services defined in SERVICESTCP1 & SERVICESUDP1 + for dstport in $SERVICESTCP1 + do + $IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN + done + + for dstport in $SERVICESUDP1 + do + $IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN + done + + # Privileged services (accessible from privileged & trusted IPs) + for dstport in $SERVICESTCP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + # Trusted services (accessible from trusted IPs) + for dstport in $SERVICESTCP3 + do + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP3 + do + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done +fi + # External services ################### 
@@ -323,11 +418,24 @@ trap - INT TERM EXIT $IPT -F ONLYTRUSTED $IPT -F ONLYPRIVILEGIED $IPT -F NEEDRESTRICT - $IPT -t nat -F + [ "$DOCKER" = "off" ] && $IPT -t nat -F $IPT -t mangle -F [ "$IPV6" != "off" ] && $IPT6 -F INPUT [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT + if [ "$DOCKER" = "on" ]; then + $IPT -F DOCKER-USER + $IPT -A DOCKER-USER -j RETURN + + $IPT -F MINIFW-DOCKER-PUB + $IPT -X MINIFW-DOCKER-PUB + $IPT -F MINIFW-DOCKER-PRIVILEGED + $IPT -X MINIFW-DOCKER-PRIVILEGED + $IPT -F MINIFW-DOCKER-TRUSTED + $IPT -X MINIFW-DOCKER-TRUSTED + + fi + # Accept all $IPT -P INPUT ACCEPT $IPT -P OUTPUT ACCEPT diff --git a/mysql/files/save_mysql_processlist.sh b/mysql/files/save_mysql_processlist.sh new file mode 100644 index 00000000..95abc57d --- /dev/null +++ b/mysql/files/save_mysql_processlist.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +set -e + +processlist() { + mysqladmin --verbose --vertical processlist +} + +DIR="/var/log/mysql-processlist" +TS=`date +%Y%m%d%H%M%S` +FILE="${DIR}/${TS}" + +if [ ! -d "${DIR}" ]; then + mkdir -p "${DIR}" + chown root:adm "${DIR}" + chmod 750 "${DIR}" +fi + +processlist > "${FILE}" +chmod 640 "${FILE}" +chown root:adm "${FILE}" + +find "${DIR}" -type f -mtime +1 -delete + +exit 0 diff --git a/mysql/handlers/main.yml b/mysql/handlers/main.yml index 87a7613a..80afafe5 100644 --- a/mysql/handlers/main.yml +++ b/mysql/handlers/main.yml @@ -22,4 +22,4 @@ - name: 'restart xinetd' service: name: 'xinetd' - state: 'restart' + state: 'restarted' diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 7609a81e..164507aa 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -178,3 +178,12 @@ tags: - mysql - packages + +- name: "Install save_mysql_processlist.sh" + copy: + src: save_mysql_processlist.sh + dest: "{{ mysql_scripts_dir or general_scripts_dir | mandatory }}/save_mysql_processlist.sh" + mode: "0755" + force: no + tags: + - mysql 
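Review bot: `[ "$DOCKER" = "off" ] && $IPT -t nat -F` in the stop path skips the nat flush whenever DOCKER is empty, which is the case for every configuration file written before the `DOCKER=` key existed, whereas the start path treats anything other than `on` as off. Testing for the enabled value keeps both paths consistent and matches the `[ "$IPV6" != "off" ]` style on the lines below: `[ "$DOCKER" != "on" ] && $IPT -t nat -F`. The chain teardown further down already runs only for `on`, so an empty value is handled correctly there.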
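Review bot: In save_mysql_processlist.sh the output file is created by the shell redirection with the inherited umask before `chmod 640` runs, so for a moment, and permanently if mysqladmin fails under `set -e`, a processlist dump that can contain query text is left with default permissions. Adding `umask 027` right after `set -e` makes both the directory and the file restrictive from creation, and the later chmod calls become no more than confirmations. The timestamp also uses backticks where `$(...)` is the usual form: `TS=$(date +%Y%m%d%H%M%S)`.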
diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml index c81ff575..7b2b3734 100644 --- a/postgresql/defaults/main.yml +++ b/postgresql/defaults/main.yml @@ -9,7 +9,7 @@ postgresql_random_page_cost: 1.5 postgresql_effective_cache_size: "{{ (ansible_memtotal_mb * 0.5) | int }}MB" # PostgreSQL version -postgresql_version: '9.6' +postgresql_version: '' # Set locales locales_default: fr_FR.UTF-8 diff --git a/postgresql/tasks/packages_buster.yml b/postgresql/tasks/packages_buster.yml index 3f45e84c..3a1a440e 100644 --- a/postgresql/tasks/packages_buster.yml +++ b/postgresql/tasks/packages_buster.yml @@ -1,5 +1,10 @@ --- +- name: "Set variables (Debian 10)" + set_fact: + postgresql_version: '11' + when: postgresql_version == "" + - include: pgdg-repo.yml when: postgresql_version != '11' diff --git a/postgresql/tasks/packages_jessie.yml b/postgresql/tasks/packages_jessie.yml index abf0ad08..3e21bc0e 100644 --- a/postgresql/tasks/packages_jessie.yml +++ b/postgresql/tasks/packages_jessie.yml @@ -1,5 +1,10 @@ --- +- name: "Set variables (Debian 8)" + set_fact: + postgresql_version: '9.4' + when: postgresql_version == "" + - include: pgdg-repo.yml when: postgresql_version != '9.4' diff --git a/postgresql/tasks/packages_stretch.yml b/postgresql/tasks/packages_stretch.yml index d6a3aa5e..eff513f9 100644 --- a/postgresql/tasks/packages_stretch.yml +++ b/postgresql/tasks/packages_stretch.yml @@ -1,5 +1,10 @@ --- +- name: "Set variables (Debian 9)" + set_fact: + postgresql_version: '9.6' + when: postgresql_version == "" + - include: pgdg-repo.yml when: postgresql_version != '9.6' diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index dcc63d6f..8d937b82 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml 
@@ -18,8 +18,13 @@ #url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc data: "{{ lookup('file', 'ACCC4CF8.asc') }}" +- name: Update and upgrade apt packages for PGDG repository + apt: + upgrade: yes + update_cache: yes + - name: Add APT preference file template: src: postgresql.pref.j2 - dest: /etc/apt/preferences.d/ + dest: /etc/apt/preferences.d/postgresql.pref mode: "0644" diff --git a/redis/files/check_redis_instances.sh b/redis/files/check_redis_instances.sh index 7821aeb0..a7dead82 100644 --- a/redis/files/check_redis_instances.sh +++ b/redis/files/check_redis_instances.sh @@ -30,11 +30,21 @@ check_server() { host=$(config_var "bind" "${conf_file}") port=$(config_var "port" "${conf_file}") pass=$(config_var "requirepass" "${conf_file}") + maxmemory=$(config_var "maxmemory" "${conf_file}") + maxmemory_policy=$(config_var "maxmemory-policy" "${conf_file}") cmd="${check_bin} -H ${host} -p ${port}" + # If "requirepass" is set we add the password to the check if [ -n "${pass}" ]; then cmd="${cmd} -x ${pass}" fi + # If "maxmemory" is set and "maxmemory-policy" is missing or set to "noeviction" + # then we enforce the "maxmemory" limit + if [ -n "${maxmemory}" ]; then + if [ -z "${maxmemory_policy}" ] || [ "${maxmemory_policy}" = "noeviction" ]; then + cmd="${cmd} --total_memory ${maxmemory} --memory_utilization 80,90" + fi + fi result=$($cmd) ret="${?}" if [ "${ret}" -ge 2 ]; then diff --git a/redis/tasks/default-log2mail.yml b/redis/tasks/default-log2mail.yml index 8614a11d..21628b0c 100644 --- a/redis/tasks/default-log2mail.yml +++ b/redis/tasks/default-log2mail.yml @@ -8,7 +8,7 @@ mode: "0640" create: yes marker: "# {mark} ANSIBLE MANAGED RULES FOR DEFAULT INSTANCE" - content: | + block: | file = {{ redis_log_dir }}/redis-server.log pattern = "Cannot allocate memory" mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
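Review bot: The new "Update and upgrade apt packages for PGDG repository" task sets `upgrade: yes`, which runs a full package upgrade of the whole host as a side effect of adding a repository, while the install that follows only needs a refreshed index. Unless the upgrade is deliberate, the task should carry `update_cache: yes` alone; if it is deliberate, the task name or a comment should say so, because a role that silently upgrades unrelated packages is a surprising thing to discover during a change window. The corrected `dest` for the preference file looks right as far as the hunk shows.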
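Review bot: The new `--total_memory ${maxmemory}` argument passes the raw `maxmemory` value from the instance config, and redis accepts that setting with unit suffixes such as `512mb` or `1gb`; whether the check plugin parses those or expects a plain byte count is not visible here, so an instance configured with a suffix may produce a misleading check result. Worth verifying against the plugin's option parsing and converting if needed, or at least stating the assumption in the comment you added: `# maxmemory is passed as-is; the plugin is assumed to accept redis unit suffixes`. check_server starts and ends outside the hunk.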