Verified Commit b3fe3623 authored by Chris Croome

README and sys tasks updated

parent 9beae5bd
Pipeline #27114 passed
# Webarchitects Ansible Debian MariaDB Role
# Webarchitects Ansible Debian MariaDB Role
[![pipeline status](https://git.coop/webarch/mariadb/badges/master/pipeline.svg)](https://git.coop/webarch/mariadb/-/commits/master)
This repository contains an Ansible role for installing and configuring [MariaDB](https://mariadb.org/) on Debian servers.
Versions of this role including and prior to [version 1.9.1](https://git.coop/webarch/mariadb/-/tree/1.9.1) require Ansible 2.9 and use the command and shell modules for many tasks, version 2.0.0 onwards requires Ansible 2.10 and uses the [community.mysql collection](https://docs.ansible.com/ansible/latest/collections/community/mysql/).
## Role versions
The `community.mysql` collection modules can be installed into `~/.ansible/collections/ansible_collections` like this:
Version 3.0.0 and greater of this role provide the option to edit or template MariaDB configuration files and use YAML dictionaries for the specification, existing files are read using [the JC ini parser](https://kellyjonbrazil.github.io/jc/docs/parsers/ini) and edited using the [community.general.ini_file module](https://docs.ansible.com/ansible/latest/collections/community/general/ini_file_module.html) or created or clobbered using the [ansible.builtin.template module](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html).
```bash
ansible-galaxy collection install community.mysql
```
The last 2.x version of this role [version 2.4.2](https://git.coop/webarch/mariadb/-/releases/2.4.2) is the last version that contains Ansible tasks to switch between password and socket authentication for the root user, all 3.0.0 versions assume socket authentication is used.
Versions of this role including and prior to [version 1.9.1](https://git.coop/webarch/mariadb/-/tree/1.9.1) require Ansible 2.9 and use the command and shell modules for many tasks, version 2.0.0 onwards requires Ansible 2.10 and uses the [community.mysql collection](https://docs.ansible.com/ansible/latest/collections/community/mysql/).
This role can be used to [switch the root users authentication plugin from `unix_socket` to `mysql_native_password`](tasks/mariadb_root_password.yml) and [back](tasks/info_socket.yml) and it also runs `mysql_upgrade`, [imports](tasks/sys.yml) the [sys schema](https://github.com/webarch-coop/mariadb-sys), [updates the timezone data](tasks/tz.yml) when needed and sets [some systemd defaults](templates/mariadb.conf.j2).
This role adds [a script](templates/mariadb_root.fact.j2) to `/etc/ansible/facts.d` which results in the `ansible_local.mariadb_root.plugin` variable being generated with the value(s) of the root authentication plugins, `auth_socket`, `unix_socket` and / or `mysql_native_password`.
The primary URL of this repo is [`https://git.coop/webarch/mariadb`](https://git.coop/webarch/mariadb) and this is where the [release notes](https://git.coop/webarch/debug/-/releases) are, it is also [mirrored to GitHub](https://github.com/webarch-coop/ansible-role-debug) and [available via Ansible Galaxy](https://galaxy.ansible.com/chriscroome/debug).
## Defaults
See also the [defaults/main.yml](defaults/main.yml) file.
| Variable name | Default value | Comment |
|----------------------------------------|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `mariadb` | `true` | Set `mariadb` to false to prevent any tasks in this role being run |
| `mariadb_host` | `localhost` | Note that this roles hasn't been tested with hosts other than `localhost` |
| `mariadb_port` | `3306` | The default MariaDB port |
| `mariadb_path` | `/usr/bin/mariadb` | The existance of the `mariadb_path` is used as a test for generating the `local_facts` |
| `mariadb_socket` | `/var/run/mysqld/mysqld.sock` | The path to the MariaDB scoket |
| `mariadb_mysqltuner` | `true` | Install [MySQLTuner](https://github.com/major/MySQLTuner-perl) |
| `mariadb_mysqltuner_version` | `latest` | Set `latest` or a version from [the releases page](https://github.com/major/MySQLTuner-perl/releases), eg `v1.9.9` |
| `mariadb_sys_schema` | `false` | If `mariadb_sys_schema` is true then the sys schema is imported from [this repo](https://github.com/webarch-coop/mariadb-sys) |
| `mariadb_time_zone_import` | `true` | If `mariadb_time_zone_import` is true then the time zone tables when they have been updated |
| `mariadb_systemd_no_new_privileges` | `true` | Set systemd `NoNewPrivileges` to true for MariaDB |
| `mariadb_systemd_private_network` | `true` | Set systemd `PrivateNetwork` to true for MariaDB |
| `mariadb_systemd_private_tmp` | `true` | Set systemd `PrivateTmp` to true for MariaDB |
| `mariadb_join_buffer_size` | `8M` | |
| `mariadb_open_files_limit` | `122880` | |
| `mariadb_table_open_cache` | `4000` | |
| `mariadb_tmp_table_size` | `32M` | |
| `mariadb_max_heap_table_size` | `"{{ mariadb_tmp_table_size }}"` | |
| `mariadb_max_allowed_packet` | `64M` | |
| `mariadb_key_buffer_size` | `16M` | |
| `mariadb_max_connections` | `80` | |
| `max_user_connections` | `0` | |
| `mariadb_table_cache` | `64` | |
| `mariadb_thread_concurrency` | `10` | |
| `mariadb_innodb_buffer_pool_size` | `1G` | |
| `mariadb_innodb_log_file_size` | `256M` | |
| `mariadb_innodb_buffer_pool_instances` | `1` | |
| `mariadb_transaction_isolation` | | Not defined by default, for [Nextcloud](https://docs.nextcloud.com/server/25/admin_manual/configuration_database/linux_database_configuration.html) |
| `mariadb_binlog_format` | | Not defined by default, for [Nextcloud](https://docs.nextcloud.com/server/25/admin_manual/configuration_database/linux_database_configuration.html) |
| `mariadb_query_cache_type` | `0` | |
| `mariadb_query_cache_limit` | `0` | |
| `mariadb_query_cache_size` | `0` | |
| `mariadb_root_auth` | `socket` | Set to `password` or `socket` to switch the root authentication plugin |
| `mariadb_username` | | Provide a `mariadb_username` to add a MariaDB user account |
| `mariadb_database` | | If `mariadb_username` is set and `mariadb_database` is not set then the DB value will default to `mariadb_username` |
| `mariadb_password` | | This variable is randomly generated and written to `/.my.cnf` or set to the value in `/.my.cnf` if it is present |
| `mariadb_priv` | | An array of user `PRIVILEGES`, if `mariadb_priv` is not set it defaults to `ALL` |
| `mariadb_mycnf` | | If a Linux user account exists that matches `mariadb_username` this will be set to `/home/{{ mariadb_username }}/.my.cnf` and if not `/root/{{ mariadb_username }}/.my.cnf` |
## Role variables
See the [defaults/main.yml](defaults/main.yml) file for the default variables, the [vars/main.yml](vars/main.yml) file for the preset variables and the [meta/argument_specs.yml](meta/argument_specs.yml) file for the variable specification.
### mariadb
### mariadb_config
### mariadb_mysqltuner
### mariadb_mysqltuner_version
### mariadb_pkgs
### mariadb_socket
### mariadb_systemd_units
### mariadb_sys_schema
## mariadb_time_zone_import
## Creating users and databases
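Review bot: under `## Role variables` the last entry is written `## mariadb_time_zone_import` while its eight siblings use `###`, so it renders as a top-level section instead of a variable; make it `### mariadb_time_zone_import`. The nine variable headings are also empty. If the Defaults table is being dropped in favour of these headings, the README no longer tells a reader that `NoNewPrivileges`, `PrivateNetwork` and `PrivateTmp` are switched on for the unit, so a one-line description and default under `### mariadb_systemd_units` (and under the other headings) would keep that visible here and not only in defaults/main.yml and meta/argument_specs.yml.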
......@@ -71,7 +45,7 @@ You can call the `mariadb_user.yml` tasks multiple times, for example:
include_role:
name: mariadb
tasks_from: mariadb_user.yml
vars:
vars:
mariadb_database: wordpress
mariadb_username: wordpress
mariadb_priv:
......@@ -109,3 +83,15 @@ You can call the `mariadb_user.yml` tasks multiple times, for example:
```
Note that the `mariadb_password` variable will contain the password for the last user created.
## Repository
The primary URL of this repo is [`https://git.coop/webarch/mariadb`](https://git.coop/webarch/mariadb) however it is also [mirrored to GitHub](https://github.com/webarch-coop/ansible-role-mariadb) and [available via Ansible Galaxy](https://galaxy.ansible.com/chriscroome/mariadb).
If you use this role please use a tagged release, see [the release notes](https://git.coop/webarch/mariadb/-/releases).
## Copyright
Copyright 2018-2023 Chris Croome, <[chris@webarchitects.co.uk](mailto:chris@webarchitects.co.uk)>.
This role is released under [the same terms as Ansible itself](https://github.com/ansible/ansible/blob/devel/COPYING), the [GNU GPLv3](LICENSE).
......@@ -34,6 +34,7 @@ mariadb_config:
max_heap_table_size: "32M"
max_user_connections: "0"
open_files_limit: "122880"
performance_schema: "on"
query_cache_limit: "0"
query_cache_size: "0"
query_cache_type: "0"
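Review bot: `performance_schema: "on"` is added to the default `mariadb_config` with no comment or README entry explaining why, and it applies to every host that uses the defaults whether or not `mariadb_sys_schema` is set. The Performance Schema is only read at server start-up and costs memory, so please document the reason next to the key (presumably the sys schema and MySQLTuner, which is an assumption on my part) and note that an already running server needs a restart to pick it up.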
......@@ -50,6 +51,8 @@ mariadb_config:
conf:
mysqldump:
max_allowed_packet: "64M"
mariadb_mysqltuner: true
mariadb_mysqltuner_version: latest
mariadb_pkgs:
- jo
- mariadb-client
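Review bot: `mariadb_mysqltuner_version: latest` is carried over unpinned, while this same commit moves the sys schema checkout from `version: master` to `version: v1.5.3`. MySQLTuner is a script fetched from GitHub onto the database host, so the default deserves the same treatment: default to a specific release tag (the README example is `v1.9.9`) and leave `latest` as an opt-in. The two comment lines that said where MySQLTuner comes from are dropped in the move; keep the URL comment beside the relocated variables.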
......@@ -69,17 +72,6 @@ mariadb_systemd_units:
PrivateNetwork: "true"
PrivateTmp: "true"
LimitNOFILE: "122880"
# Install MySQLTuner from GitHub
# https://github.com/major/MySQLTuner-perl
mariadb_mysqltuner: true
mariadb_mysqltuner_version: latest
# If mariadb_sys_schema is true then the sys schema is imported from this repo
# https://github.com/webarch-coop/mariadb-sys
mariadb_sys_schema: false
# Import time zone tables
mariadb_time_zone_import: true
...
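Review bot: by the hunk header (17 lines reduced to 6) `mariadb_sys_schema: false` and `mariadb_time_zone_import: true` are removed here, and unlike the two MySQLTuner variables they do not reappear in either of the other hunks of this file. tasks/main.yml in this commit still evaluates `mariadb_sys_schema | bool`, which fails on an undefined variable, so please confirm both defaults are still defined in the unchanged part of defaults/main.yml; if they are not, re-add them in their sorted position.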
......@@ -120,7 +120,10 @@
- name: Include the MariaDB sys schema tasks
ansible.builtin.include_tasks: sys.yml
when: (mariadb_sys_schema | bool) and ("sys" not in mariadb_databases)
when:
- mariadb_sys_schema | bool
- ( "sys" not in mariadb_databases )
- mariadb_version is ansible.builtin.version('10.6.0', 'gt')
- name: Run mysql_upgrade
ansible.builtin.command: mysql_upgrade
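Review bot: the new third condition, `mariadb_version is ansible.builtin.version('10.6.0', 'gt')`, needs a comment or a second look at its direction. Together with the other two list items it means a host at 10.6.0 or older with `mariadb_sys_schema: true` silently skips sys.yml, and the `sys_10.sql` file imported there does not say which server versions it targets. If the import is meant for older servers the operator should be `lt`; if `gt` is intended, say why in a comment and in the README's `### mariadb_sys_schema` section. The condition also assumes `mariadb_version` is always set before this task runs, which the hunk does not show.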
......
# Copyright 2018-2023 Chris Croome
#
# This file is part of the Webarchitects MariaDB Ansible role.
#
# The Webarchitects MariaDB Ansible role is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
#
# The Webarchitects MariaDB Ansible role is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with the Webarchitects MariaDB Ansible role. If not, see <https://www.gnu.org/licenses/>.
---
- name: Install the MariaDB sys schema
- name: Install or remove the MariaDB sys schema
block:
- name: MariaDB sys repo directory present
ansible.builtin.file:
- name: Check if the MariaDB sys repo directory is present
ansible.builtin.stat:
path: /usr/local/src/mariadb-sys
state: directory
mode: 0755
register: mariadb_sys_repo_path
- name: MariaDB sys schema repo present
ansible.builtin.git:
repo: https://github.com/webarch-coop/mariadb-sys.git
dest: /usr/local/src/mariadb-sys
clone: true
version: master
- name: Use shell to import the MariaDB sys schema
- name: Install the MariaDB sys schema when it is not already present
block:
# Bash might be /bin/bash or /usr/bin/bash
- name: Run which bash
ansible.builtin.command: which bash
check_mode: false
changed_when: false
register: which_bash
failed_when: which_bash.stdout is not regex('\/bash$')
- name: Set a variable for the path to Bash
ansible.builtin.set_fact:
bash: "{{ which_bash.stdout }}"
- name: Import the sys schema using the shell module
ansible.builtin.shell: |
set -e -o pipefail
mysql < ./mariadb_sys_install.sql
changed_when: true
args:
executable: "{{ bash }}"
chdir: /usr/local/src/mariadb-sys
when: mariadb_root_auth_current == "password"
- name: Use import the sys schema using community.mysql.mysql_db and a socket
community.mysql.mysql_db:
name: all
state: import
target: /usr/local/src/mariadb-sys/mariadb_sys_install.sql
login_user: root
login_unix_socket: /run/mysqld/mysqld.sock
when: mariadb_root_auth_current is regex('socket$')
- name: MariaDB sys repo directory present
ansible.builtin.file:
path: /usr/local/src/mariadb-sys
state: directory
mode: 0755
- name: MariaDB sys schema repo present
ansible.builtin.git:
repo: https://git.coop/webarch/mariadb-sys.git
dest: /usr/local/src/mariadb-sys
clone: true
version: v1.5.3
- name: Use import the sys schema using community.mysql.mysql_db and a socket
community.mysql.mysql_db:
name: all
state: import
target: /usr/local/src/mariadb-sys/sys_10.sql
login_user: root
login_unix_socket: "{{ mariadb_socket }}"
when: not mariadb_sys_repo_path.stat.exists | bool
tags:
- mariadb
- mariadb_databases
...
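Review bot: the install block is gated on `when: not mariadb_sys_repo_path.stat.exists | bool`, which tests whether /usr/local/src/mariadb-sys exists on disk, not whether the schema was imported. If a run creates the directory and then fails at the git checkout or at the import, every later run skips the block even though main.yml has already established that `sys` is not among the databases; consider dropping the directory test and relying on the `"sys" not in mariadb_databases` check in main.yml, or keying the condition on the result of the import. Smaller points: the outer block is named "Install or remove" but no task removes anything; the task name "Use import the sys schema using community.mysql.mysql_db and a socket" has a stray word; `mode: 0755` should be quoted as `"0755"`; and because the checked-out SQL is executed as root over the socket, `version: v1.5.3` would be more robust as a full commit hash, since a tag can be moved.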