Commit ffcb873e authored by Dave Johnson

Moved AWS specific bits

Created an “aws” sub-dir that contains all of the project files
specific to AWS. Use the top-level project generically and the aws
subdirectory for AWS.
parent 000fa67b
Copyright (C) 2013 AnsibleWorks, Inc.
This work is licensed under the Creative Commons Attribution 3.0 Unported License.
To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/deed.en_US.
LAMP Stack + HAProxy: Example Playbooks
-----------------------------------------------------------------------------
- Requires Ansible 1.2
- Expects CentOS/RHEL 6 hosts
This example is an extension of the simple LAMP deployment. Here we'll install
and configure web servers with an HAProxy load balancer in front, and deploy
an application to the web servers. This set of playbooks also has the
capability to dynamically add and remove web server nodes from the deployment.
It also includes examples of a rolling update of the stack without affecting
the service.

You can also optionally configure a Nagios monitoring node.
### Initial Site Setup

First we configure the entire stack by listing our hosts in the 'hosts'
inventory file, grouped by their purpose:

```
[webservers]
webserver1
webserver2

[dbservers]
dbserver

[lbservers]
lbserver

[monitoring]
nagios
```

Then we run the following command to deploy the site:

```
ansible-playbook -i hosts site.yml
```

The deployment can be verified by accessing the IP address of your load
balancer host in a web browser: http://<ip-of-lb>:8888. Reloading the page
should route you to different web servers.

The Nagios web interface can be reached at http://<ip-of-nagios>/nagios/
The default username and password are "nagiosadmin" / "nagiosadmin".
### Removing and Adding a Node

Removal and addition of nodes to the cluster is as simple as editing the
hosts inventory and re-running:

```
ansible-playbook -i hosts site.yml
```
### Rolling Update

Rolling updates are the preferred way to update the web server software or
deployed application, since the load balancer can be dynamically configured
to take the hosts to be updated out of the pool. This keeps the service
running on the other servers so that users are not interrupted.

In this example the hosts are updated serially, which means that only one
server is updated at a time. If you have a lot of web server hosts, this
behaviour can be changed by setting the 'serial' keyword in the
webservers.yml file.

Once the code has been updated in the source repository for your application,
which is defined in the group_vars/all file, execute the following command:

```
ansible-playbook -i hosts rolling_update.yml
```

You can optionally pass -e webapp_version=xxx to the rolling_update
playbook to deploy a specific version of the example webapp.
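A rolling_update.yml of the kind described above, added here as an example rather than the project's own playbook: it walks the webservers group with serial: 1 and, before and after the roles run, uses the haproxy module (assumed available) against the admin-level stats socket that haproxy.cfg.j2 configures to drain the host from the {{ daemonname }} backend and put it back. It assumes the README's group names (webservers, lbservers) and the roles present in this commit.

```yaml
---
# Added example (not the project's rolling_update.yml). Assumes the README's
# inventory groups, the "haproxy" Ansible module, and a backend whose name is
# the daemonname variable used in haproxy.cfg.j2.
- hosts: webservers
  serial: 1            # take one web server out of the pool at a time

  pre_tasks:
    - name: drain {{ inventory_hostname }} from the load balancer pool
      haproxy: state=disabled backend={{ daemonname }} host={{ inventory_hostname }} socket=/var/lib/haproxy/stats
      delegate_to: "{{ item }}"
      with_items: "{{ groups['lbservers'] }}"

  roles:
    - common
    - base-apache

  post_tasks:
    # Checked from each load balancer, so the host is only re-enabled once
    # the balancer itself can reach httpd again.
    - name: wait for httpd to answer before putting the host back
      wait_for: host={{ inventory_hostname }} port={{ httpd_port }} timeout=60
      delegate_to: "{{ item }}"
      with_items: "{{ groups['lbservers'] }}"

    - name: re-enable {{ inventory_hostname }} in the load balancer pool
      haproxy: state=enabled backend={{ daemonname }} host={{ inventory_hostname }} socket=/var/lib/haproxy/stats
      delegate_to: "{{ item }}"
      with_items: "{{ groups['lbservers'] }}"
```

Raising serial to a number or percentage trades a shorter update window for more hosts out of the pool at once.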
---
# Variables here are applicable to all host groups
httpd_port: 80
ntpserver: 192.168.1.2
[webservers]
web1
web2
[dbservers]
db1
[lbservers]
lb1
[monitoring]
nagios
---
# This role installs httpd
- name: Install http
  yum: name={{ item }} state=present
  with_items:
    - httpd

- name: http service state
  service: name=httpd state=started enabled=yes
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux 6 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1
---
# Handlers for common notifications
- name: restart ntp
  service: name=ntpd state=restarted

- name: restart iptables
  service: name=iptables state=restarted
---
# This role contains common plays that will run on all nodes.
- name: Install python bindings for SE Linux
  yum: name={{ item }} state=present
  with_items:
    - libselinux-python
    - libsemanage-python

- name: Create the repository for EPEL
  copy: src=epel.repo dest=/etc/yum.repos.d/epel.repo

- name: Create the GPG key for EPEL
  copy: src=RPM-GPG-KEY-EPEL-6 dest=/etc/pki/rpm-gpg

- name: install some useful nagios plugins
  yum: name={{ item }} state=present
  with_items:
    - nagios-nrpe
    - nagios-plugins-swap
    - nagios-plugins-users
    - nagios-plugins-procs
    - nagios-plugins-load
    - nagios-plugins-disk

- name: Install ntp
  yum: name=ntp state=present
  tags: ntp

- name: Configure ntp file
  template: src=ntp.conf.j2 dest=/etc/ntp.conf
  tags: ntp
  notify: restart ntp

- name: Start the ntp service
  service: name=ntpd state=started enabled=yes
  tags: ntp

# work around RHEL 7, for now
- name: insert iptables template
  template: src=iptables.j2 dest=/etc/sysconfig/iptables
  when: ansible_distribution_major_version != '7'
  notify: restart iptables

- name: test to see if selinux is running
  command: getenforce
  register: sestatus
  changed_when: false
# {{ ansible_managed }}
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
{% if (inventory_hostname in groups.tag_ansible_group_webservers) or (inventory_hostname in groups.tag_ansible_group_monitoring) %}
-A INPUT -p tcp --dport 80 -j ACCEPT
{% endif %}
{% if (inventory_hostname in groups.tag_ansible_group_dbservers) %}
-A INPUT -p tcp --dport 3306 -j ACCEPT
{% endif %}
{% if (inventory_hostname in groups.tag_ansible_group_lbservers) %}
-A INPUT -p tcp --dport {{ listenport }} -j ACCEPT
{% endif %}
{% for host in groups.tag_ansible_group_monitoring %}
-A INPUT -p tcp -s {{ hostvars[host].ansible_default_ipv4.address }} --dport 5666 -j ACCEPT
{% endfor %}
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
server {{ ntpserver }}
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
---
# Handler to handle DB tier notifications
- name: restart mysql
  service: name=mysqld state=restarted
---
# This role will install MySQL and create db user and give permissions.
- name: Install Mysql package
  yum: name={{ item }} state=present
  with_items:
    - mysql-server
    - MySQL-python

- name: Configure SELinux to start mysql on any port
  seboolean: name=mysql_connect_any state=true persistent=yes
  when: sestatus.rc != 0

- name: Create Mysql configuration file
  template: src=my.cnf.j2 dest=/etc/my.cnf
  notify:
    - restart mysql

- name: Start Mysql Service
  service: name=mysqld state=started enabled=yes

- name: Create Application Database
  mysql_db: name={{ dbname }} state=present

- name: Create Application DB User
  mysql_user: name={{ dbuser }} password={{ upassword }} priv=*.*:ALL host='%' state=present
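A least-privilege form of the grant task above, added here as an example and not the project's own task: it keeps the same dbname, dbuser and upassword variables but scopes the privileges to the application database and the allowed client host to each web server's address, using the same group and fact the iptables template already relies on. It assumes the README's webservers group name and that facts for those hosts were gathered earlier in the run.

```yaml
# Added example (not the project's task). Replaces priv=*.*:ALL host='%'
# with a grant limited to the app database and to the web servers' IPs.
# Assumes the "webservers" group from the README inventory and that their
# ansible_default_ipv4 facts are already available on the db play.
- name: Create Application DB User (scoped to the app database and web servers)
  mysql_user: name={{ dbuser }} password={{ upassword }} priv={{ dbname }}.*:ALL host={{ hostvars[item].ansible_default_ipv4.address }} state=present
  with_items: "{{ groups['webservers'] }}"
```

Each web server address becomes its own user@host account in MySQL, so removing a node from the inventory should be paired with a matching state=absent task for its address.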
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
port={{ mysql_port }}
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
---
# Handlers for HAproxy
- name: restart haproxy
  service: name=haproxy state=restarted

- name: reload haproxy
  service: name=haproxy state=reloaded
---
# This role installs HAProxy and configures it.
- name: Download and install haproxy
  yum: name=haproxy state=present

- name: Configure the haproxy cnf file with hosts
  template: src=haproxy.cfg.j2 dest=/etc/haproxy/haproxy.cfg
  notify: restart haproxy

- name: Start the haproxy service
  service: name=haproxy state=started enabled=yes
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user root
    group root
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats level admin

defaults
    mode {{ mode }}
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

backend app
{% for host in groups.tag_ansible_group_lbservers %}
listen {{ daemonname }} 0.0.0.0:{{ listenport }}
{% endfor %}
    balance {{ balance }}
{% for host in groups.tag_ansible_group_webservers %}
    server {{ host }} {{ hostvars[host]['ansible_' + iface].ipv4.address }}:{{ httpd_port }}
{% endfor %}