devops-coop / ansible-haproxy
Installs and configures HAProxy
License: Apache License 2.0
There's a difference between the documentation and the template:
https://github.com/FloeDesignTechnologies/ansible-haproxy/blob/master/vars/main.yml#L26
https://github.com/FloeDesignTechnologies/ansible-haproxy/blob/master/templates/defaults.cfg#L6-L8
By the way, in this template implementation, if we want to generate this line in /etc/haproxy/haproxy.cfg:
defaults
log global
we have to write the YAML file like this:
haproxy_defaults:
log:
- address: global
facility: ' '
This trick is a bit ugly. Maybe (like you did for default_backend and use_backend) you could add something so that we can write it like this:
haproxy_defaults:
log: global
Would it be possible to get a versioned release of this role? It's important for many users to be able to lock the role down to a specific version, instead of always pulling the master branch.
According to the Galaxy docs, this should be as easy as adding tags in GitHub:
If you applied any tags to your repository, Galaxy will automatically display a "version" for each tag. This means users can choose the version (tag) to download.
...
To import new tags, you can trigger a re-import from the “Your Roles” page anytime.
This allows users to lock in a specific release in their requirements.yml like so:
- src: info.haproxy
version: v0.1
Forgive me if I see it wrong, but when I run this role again on the same machine it keeps saying "changed" while it's the same config. So in the end I have 13 changes on my host while nothing has changed. Is this because you're "building" the config, which doesn't have any means to guarantee idempotence?
Are you interested in a mini test suite (with TravisCI) following this guide?
https://www.jeffgeerling.com/blog/testing-ansible-roles-travis-ci-github
It will check:
After that commit (e91947d) I started to get these messages: fatal: [lb1.prometheus.n1.nato]: FAILED! => {"failed": true, "msg": "The conditional check '(item.path | basename) not in (haproxy_frontends | json_query('[*].name') | map('regex_replace', '(.*)', '\\\\1.cfg') | list)' failed. The error was: You need to install \"jmespath\" prior to running json_query filter\n\nThe error appears to have been in '/builds/continuous-delivery/prometheus-ansible-deploy/roles/FloeDesignTechnologies.haproxy/tasks/configure.yml': line 17, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: \"Remove unmanaged files for the frontends\"\n ^ here\n"}
Using Docker with Alpine v3.4, with Python installed via apk --update add python py-pip.
I know that I just need to install some Python lib to fix it, but couldn't you add a tag before that commit so I could check out the version I need in a more human-readable way (without a commit hash, something like v1.1)?
The vars/main.yml, line 41, needs to change. As of this commit, bind is an array. This template implies that it is a string.
PR is coming :)
This Galaxy role works nicely; I can use it directly without modification. Good job. 👍
But when repeatedly running the Ansible playbook, most tasks are still marked as changed.
Any suggestions to get rid of it? I'd like to get all OK status in the end.
TASK [haproxy : Empty the folder if not already empty] *************************
changed: [10_1_1_2]
cmd: find /etc/haproxy/compiled -name *.cfg -exec rm -f {} ;
start: 2016-05-17 17:05:40.986202
end: 2016-05-17 17:05:40.992326
delta: 0:00:00.006124
TASK [haproxy : Build up the global config] ************************************
changed: [10_1_1_2]
TASK [haproxy : Build up the default config] ***********************************
changed: [10_1_1_2]
TASK [haproxy : Assemble the backends configuration file] **********************
changed: [10_1_1_2]
msg: OK
TASK [haproxy : Assemble the frontends configuration file] *********************
changed: [10_1_1_2]
msg: OK
TASK [haproxy : Assemble the listen sections configuration file] ***************
changed: [10_1_1_2]
msg: OK
TASK [haproxy : Assemble the userlists sections configuration file] ************
changed: [10_1_1_2]
msg: OK
Our company is not using this role anymore and cannot commit to maintaining it. We are looking for an individual or organization that would take over the maintenance.
HAProxy has a very neat feature:
https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4.2-unique-id-format
https://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4.2-unique-id-header
Not sure if it's currently possible to add these options. If not, it should be configurable.
So this is a weird one, I'm getting this:
TASK [devops-coop.haproxy : Build up the global config] *************************************************************************************************************************************
fatal: [host]: FAILED! => {"changed": false, "msg": "AnsibleUndefinedVariable: 'list object' has no attribute 'items'"}
With much head-scratching, I found this is happening at the end of the template, when dealing with the tune option. I've discovered this:
[anotherhost] TASK: devops-coop.haproxy : Build up the global config (debug)> p task_vars['haproxy_global']
{u'chroot': u'/var/lib/haproxy',
u'daemon': True,
u'group': u'haproxy',
u'log': [{u'address': u'/dev/log', u'facility': u'local0'},
{u'address': u'/dev/log',
u'facility': u'local1',
u'level': u'notice'}],
u'ssl_default_bind_ciphers': u'{{ _haproxy_ssl_ciphers }}',
u'ssl_default_bind_options': u'{{ _haproxy_ssl_options }}',
u'ssl_default_server_ciphers': u'{{ _haproxy_ssl_ciphers }}',
u'ssl_default_server_options': u'{{ _haproxy_ssl_options }}',
u'tune': {u'ssl': {u'default-dh-param': 2048}},
u'user': u'haproxy'}
OK, tune is a dict of dicts, good. Let's feed this by hand:
(ansible)host [05:22 PM] [j:1] ~/ansible $ cd roles/devops-coop.haproxy/filter_plugins/
(ansible)host [05:22 PM] [j:1] ~/.../roles/devops-coop.haproxy/filter_plugins $ ipython
In [2]: import flatten
In [9]: h = {u'chroot': u'/var/lib/haproxy',
...: u'daemon': True,
...: u'group': u'haproxy',
...: u'log': [{u'address': u'/dev/log', u'facility': u'local0'},
...: {u'address': u'/dev/log',
...: u'facility': u'local1',
...: u'level': u'notice'}],
...: u'ssl_default_bind_ciphers': u'{{ _haproxy_ssl_ciphers }}',
...: u'ssl_default_bind_options': u'{{ _haproxy_ssl_options }}',
...: u'ssl_default_server_ciphers': u'{{ _haproxy_ssl_ciphers }}',
...: u'ssl_default_server_options': u'{{ _haproxy_ssl_options }}',
...: u'tune': {u'ssl': {u'default-dh-param': 2048}},
...: u'user': u'haproxy'}
In [11]: h['tune']
Out[11]: {u'ssl': {u'default-dh-param': 2048}}
In [12]: for param, value in flatten.flatten(h['tune']).items():
print param, value
....:
ssl.default-dh-param 2048
All good thus far. Now with some debugging in the template:
haproxy_global.tune | flatten | type_debug: list
--
haproxy_global.tune | type_debug: dict
--
haproxy_global.tune | flatten: [u'ssl']
--
haproxy_global.tune: {u'ssl': {u'default-dh-param': 2048}}
--
haproxy_global pretty print:
{u'chroot': u'/var/lib/haproxy',
u'daemon': True,
u'group': u'haproxy',
u'log': [{u'address': u'/dev/log', u'facility': u'local0'},
{u'address': u'/dev/log',
u'facility': u'local1',
u'level': u'notice'}],
u'ssl_default_bind_ciphers': u'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
u'ssl_default_bind_options': u'no-sslv3 no-tls-tickets',
u'ssl_default_server_ciphers': u'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS', u'ssl_default_server_options': u'no-sslv3 no-tls-tickets', u'tune': {u'ssl': {u'default-dh-param': 2048}}, u'user': u'haproxy'}
Very odd! Perhaps custom Jinja filters always return lists or something?!?
I'm running Ansible devel, and only just installed your role.
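The dotted-key flattening the post above feeds by hand (tune -> tune.ssl.default-dh-param 2048), as an added example rather than the role's own filter_plugins/flatten.py. It registers the filter under a role-specific name on the assumption, which the thread does not confirm, that the `[u'ssl']` seen in the template comes from a same-named core filter shadowing the plugin: a filter that walks its input as a sequence yields a dict's keys, which is exactly `['ssl']`. The function and filter names are this example's own.

```python
"""Dotted-key flattening for nested HAProxy option dicts (e.g. tune.ssl.default-dh-param).

Added example, not the role's filter plugin. Registered as 'haproxy_flatten' so it
cannot collide with a core Jinja/Ansible filter of the same name (assumed cause of
the '[u'ssl']' result seen in the thread: iterating a dict yields its keys).
"""
from collections.abc import Mapping


def flatten_dict(value, prefix="", sep="."):
    """Recursively flatten a nested mapping into {'a.b.c': leaf} pairs.

    Leaves (non-mapping values) are kept as-is; key order follows insertion order.
    Non-mapping input is returned unchanged so the filter is safe on scalars.
    """
    if not isinstance(value, Mapping):
        return value
    out = {}
    for key, val in value.items():
        dotted = f"{prefix}{sep}{key}" if prefix else str(key)
        if isinstance(val, Mapping):
            out.update(flatten_dict(val, dotted, sep))
        else:
            out[dotted] = val
    return out


def render_tune_lines(tune):
    """Turn a nested 'tune' dict into the 'tune.<param> <value>' lines of a global section."""
    flat = flatten_dict(tune)
    return [f"tune.{param} {value}" for param, value in flat.items()]


class FilterModule:
    """Ansible filter plugin entry point (Ansible looks this class up by name)."""

    def filters(self):
        # A role-specific name avoids shadowing by, or of, a built-in 'flatten' filter.
        return {"haproxy_flatten": flatten_dict}


if __name__ == "__main__":
    # Constructed sample matching the haproxy_global.tune value shown in the thread.
    tune = {"ssl": {"default-dh-param": 2048}, "bufsize": 16384}
    print("\n".join(render_tune_lines(tune)))
```

In the template the loop then becomes `{% for param, value in haproxy_global.tune | haproxy_flatten | dictsort %}`; the `dictsort` keeps the rendered file stable across runs, which matters for the idempotence complaints elsewhere in this thread.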
It would be good if we could use HAProxy 1.5:
add-apt-repository ppa:vbernat/haproxy-1.5
geerlingguy.epel
or add that role in as a dependency.
Ansible warns about the sudo: yes flag in install.yml:
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo'
(default).
This feature will be removed in a future release.
I think it is safe to assume the haproxy role is run with superuser rights, so it doesn't make much sense to have the flag there.
CentOS and Alpine don't ship error files (or don't place them in the locations found in defaults.yml). In the defaults.cfg template, we do not configure errorfile directives on these distributions:
ansible-haproxy/templates/defaults.cfg
Lines 52 to 58 in 0dac057
This prevents users on those distributions from declaring error files using this role.
We need to allow the user to specify that they want to configure the files if they've provided them outside this role.
tasks/install.yml
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' (default).
This feature will be removed in a future release. Deprecation
warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
TASK [haproxy : Check epel repo] ***********************************************
[WARNING]: Consider using yum module rather than running yum
TASK [haproxy : Build up the listen sections] **********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment value uses the full variable syntax ('{{haproxy_listen}}').
This feature will
be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
The templates/frontend.cfg, lines 34-40, also needs correction. default_backend is not a required option, but this code will save default_backend to the frontends.cfg regardless of whether the variable is set or not. Furthermore, there is no 'item' at this point, so item.default_backend doesn't exist. Finally, there is no 'backends' in the vars either, so 'item.backends' will never be defined, and the code in lines 35-40 will never get processed.
Hi there,
I see that you have a meta file for ansible galaxy but I don't seem to be able to find this package on there.
Is this intended?
I have an indentation problem with some variables:
[defaults]
The maxconn var is unindented.
[backend & frontend]
http-response and http-request have wrong indentation.
PR is coming :)
Runs fine with this role, but I got an error when running with dry-run (--check):
TASK [haproxy : Add epel repo] *************************************************
fatal: [10_61_136_24]: FAILED! => {"failed": true, "msg": "The conditional check 'ansible_pkg_mgr == 'yum' and epel_repo_check.rc != 0' failed. The error was: error while evaluating conditional (ansible_pkg_mgr == 'yum' and epel_repo_check.rc != 0): 'dict object' has no attribute 'rc'\n\nThe error appears to have been in '/Users/bill/telstra/projects/MC/ansible-orchestration/roles.galaxy/haproxy/tasks/install.yml': line 34, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: 'Add epel repo'\n ^ here\n"}
to retry, use: --limit @front_end_lb.retry
PLAY RECAP *********************************************************************
Maybe commit 106a0a5 introduces a breaking change.
The short message is:
"msg": "AnsibleUndefinedVariable: 'macros' is undefined"
With all the details:
failed: [my_server] (item={u'http_request': [{u'action': u'add-header', u'param': u'X-Forwarded-Proto https', u'condition': u'if { ssl_fc }'}, {u'action': u'add-header', u'param': u'X-Forwarded-Ssl on', u'condition': u'if { ssl_fc }'}], u'description': u"Notre beau stock d'objets", u'name': u'bk_nexus', u'servers': [{u'ip': u'10.0.1.13', u'params': [u'check'], u'name': u'nexus1', u'port': u'8081'}, {u'ip': u'10.0.1.113', u'params': [u'check', u'backup'], u'name': u'nexus2', u'port': u'8081'}]}) => {"failed": true, "item": {"description": "Notre beau stock d'objets", "http_request": [{"action": "add-header", "condition": "if { ssl_fc }", "param": "X-Forwarded-Proto https"}, {"action": "add-header", "condition": "if { ssl_fc }", "param": "X-Forwarded-Ssl on"}], "name": "bk_nexus", "servers": [{"ip": "10.0.1.13", "name": "nexus1", "params": ["check"], "port": "8081"}, {"ip": "10.0.1.113", "name": "nexus2", "params": ["check", "backup"], "port": "8081"}]}, "msg": "AnsibleUndefinedVariable: 'macros' is undefined"}
Getting this when trying to run. This worked on a previous version of ansible, not sure which version it was though (sorry).
I have not changed any haproxy_global stuff
TASK: [info.haproxy | Ensure chroot directory exists] *************************
fatal: [lb0.example.com] => template error while templating string: no test named 'false'
FATAL: all hosts have already failed -- aborting
ansible-playbook --version
# => ansible-playbook 1.8.2
After implementing #79, use package to install distribution-specific packages.
Use this standard pattern instead of set_fact:
- name: Load a variable file based on the OS type, or a default if not found. Using free-form to specify the file.
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
- "default.yml"
IUS offers HAProxy 1.6 and 1.7 as haproxy16u and haproxy17u, respectively.
include_vars could do something like:
- include_vars:
# returns {"_haproxy_package_name": "haproxy"}
- "{{ ansible_distribution }}.yml"
Then we can install HAProxy like so:
- package:
name: "{{ haproxy_package_name | default(_haproxy_package_name) }}"
When preparing variable files, such as global, defaults, frontend, backend, listen, etc., I got stuck with some parameters or options which are not defined in these template files.
There are so many parameters in HAProxy that it is not possible to include them all.
So would it be fine to add an extra part to include all parameters directly if they are not defined? Such as:
{% if item.extra is defined %}
{% for parameter in item.extra %}
{{ parameter }}
{% endfor %}
{% endif -%}
We need to add it to all template files.
Then you can easily add more:
haproxy_global:
extra:
- tune.ssl.default-dh-param 2048
- more parameters and options
Your opinion? If you are happy with this idea, I will prepare the pull request.
flatten.py creates flatten.pyc which can cause repository sync issues under certain circumstances in ansible tower.
json_query depends on jmespath, which may not be available on all systems.
We can replace this expression with a portable filter plugin instead.
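A portable replacement for the jmespath-backed expression quoted in the "You need to install jmespath" report earlier in this thread, and the filter plugin the post above asks for. This is an added example, not code from the role; the filter names and the sample find result are this example's own.

```python
"""Portable replacement for the json_query expression used to remove unmanaged frontend files.

Added example, not code from the role. The original conditional computes the set of
'<name>.cfg' files expected from haproxy_frontends and compares each found file's
basename against it; this does the same in plain Python, so the control host does
not need the 'jmespath' library.
"""
import os


def managed_cfg_names(sections, suffix=".cfg"):
    """Return the set of file names the role manages for a list of section dicts.

    Stands in for: sections | json_query('[*].name') | map('regex_replace', '(.*)', '\\1.cfg')
    Entries without a 'name' are ignored instead of yielding a bogus '.cfg'.
    """
    return {s["name"] + suffix for s in sections if isinstance(s, dict) and s.get("name")}


def unmanaged_files(found_files, sections, suffix=".cfg"):
    """Select the paths from an Ansible 'find' result that no section claims.

    found_files is the registered 'files' list of the find module, i.e. dicts with a
    'path' key (the sample below is constructed by hand in that shape).
    """
    keep = managed_cfg_names(sections, suffix)
    return [f["path"] for f in found_files if os.path.basename(f["path"]) not in keep]


class FilterModule:
    """Expose both helpers as Jinja2 filters for tasks and templates."""

    def filters(self):
        return {
            "haproxy_managed_cfg_names": managed_cfg_names,
            "haproxy_unmanaged_files": unmanaged_files,
        }


if __name__ == "__main__":
    # Constructed sample data standing in for haproxy_frontends and a registered find result.
    frontends = [{"name": "fe_http", "bind": "*:80"}, {"name": "fe_https", "bind": "*:443"}]
    found = [
        {"path": "/etc/haproxy/compiled/frontends/fe_http.cfg"},
        {"path": "/etc/haproxy/compiled/frontends/fe_https.cfg"},
        {"path": "/etc/haproxy/compiled/frontends/fe_old.cfg"},
    ]
    for path in unmanaged_files(found, frontends):
        print("would remove", path)
```

With the plugin in filter_plugins/, the removal task can loop over `"{{ frontend_files.files | haproxy_unmanaged_files(haproxy_frontends) }}"` and call `file: path={{ item }} state=absent`, with no `when` expression to evaluate per item. Dropping the `regex_replace('(.*)', '\\1.cfg')` trick also avoids a Python 3.7+ change in `re.sub`, where the empty match after `(.*)` is replaced too and the suffix is appended twice.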
In version 1.6.x, a new resolvers section was added to support DNS name service and dynamic IP backends:
https://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.3.2
So we need to add it to the templates as in this example of a resolvers section (with default values):
resolvers mydns
nameserver dns1 10.0.0.1:53
nameserver dns2 10.0.0.2:53
resolve_retries 3
timeout retry 1s
hold valid 10s
Raising this first; I will implement it soon.
Changes introduced in pull request #21 seem to break this module on CentOS 7 with the following error:
TASK: [haproxy | Add haproxy apt repo] ****************************************
fatal: [192.168.1.2] => error while evaluating conditional: ansible_lsb.codename == "wheezy"
FATAL: all hosts have already failed -- aborting
ansible --version
ansible 1.8.4
While check mode works as expected and displays a proper diff between old and new configs, executing the role will always rewrite the configuration directories.
This does not actually break things, but seems like poor design.
Is there a particular reason why there is a removal task before writing the configuration files?
If there is concern about leftovers, why not just leave out those that will be written?
Also, it would be better to use the file module instead of running find, I think.
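The behaviour asked for above, and in the two earlier "everything reports changed" posts: write a fragment only when its content differs, remove only files no section claims, and report no change on a second identical run. This is an added example in plain Python, not the role's tasks; the directory layout, fragment format and function names are this example's own.

```python
"""Idempotent refresh of a 'compiled' config directory (added example, not the role's tasks).

A 'find ... -exec rm' step followed by template/assemble always reports changed.
This helper compares content first, deletes only unclaimed *.cfg files, and returns
changed=False on a second run with the same input.
"""
import os
import tempfile


def sync_compiled_dir(directory, fragments, mode=0o640):
    """Make 'directory' contain exactly the given {filename: content} fragments.

    Returns (changed, written, removed). Files get a restrictive mode because
    compiled HAProxy fragments can carry userlist credentials.
    """
    os.makedirs(directory, exist_ok=True)
    written, removed = [], []
    for name, content in fragments.items():
        path = os.path.join(directory, name)
        current = None
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                current = fh.read()
        if current != content:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            os.chmod(path, mode)
            written.append(name)
    for name in sorted(os.listdir(directory)):
        if name.endswith(".cfg") and name not in fragments:
            os.remove(os.path.join(directory, name))
            removed.append(name)
    return (bool(written or removed), written, removed)


def render_backend(name, servers):
    """Render a minimal backend fragment from {name, ip, port, params} dicts."""
    lines = [f"backend {name}"]
    for s in servers:
        extra = " " + " ".join(s["params"]) if s.get("params") else ""
        lines.append(f"    server {s['name']} {s['ip']}:{s['port']}{extra}")
    return "\n".join(lines) + "\n"


def demo(directory):
    """Sync twice against a directory holding one stale file; return both change flags."""
    with open(os.path.join(directory, "bk_stale.cfg"), "w", encoding="utf-8") as fh:
        fh.write("backend bk_stale\n")  # constructed leftover from a removed section
    fragments = {"bk_nexus.cfg": render_backend("bk_nexus", [
        {"name": "nexus1", "ip": "10.0.1.13", "port": "8081", "params": ["check"]}])}
    first = sync_compiled_dir(directory, fragments)
    second = sync_compiled_dir(directory, fragments)
    return first[0], second[0], first[2]


def demo_in_tempdir():
    """Run demo() in a throwaway directory so the example is safe to execute anywhere."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

In Ansible terms this is `template` per section (which already compares content), a `find` plus `file state=absent` loop restricted to unclaimed names, and `assemble` only notified when one of those reported a change; the fragment-level diff is what lets `--check` keep showing a meaningful diff without the real run rewriting everything.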
Hello guys,
Just a little suggestion. A good practice on GitHub is to keep the master branch clean with the last stable release and create a "dev" branch.
Anyway, thanks for your work on this Ansible role.
In lines 39-43 of this file, the template reads 'except' in multiple places. The correct text for this is 'expect'. This typo prevents a user from setting up http checking when using the listen directive.
My group_vars file:
haproxy_listen:
- name: ssl
bind: "{{ ansible_default_ipv4.address }}"
ssl:
cert: /etc/pki/tls/certs/ssl.pem no-sslv3
But I got this:
listen ssl
bind 1 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
bind 0 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
bind . ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
bind 1 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
bind . ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
bind 1 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
bind . ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
bind 2 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
should be:
listen ssl
bind 10.1.1.2 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
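The per-character output above is what a Jinja2 `{% for %}` does when `bind` is a string rather than a list, and the `log: global` address/facility trick from the first post in this thread exists for the same reason. The following is an added example, not the role's templates, of normalising scalar-or-list variables before looping; the function and filter names are this example's own.

```python
"""Normalise 'scalar or list' role variables before a template loops over them.

Added example, not the role's template code. In Jinja2 a string is iterable, so
'{% for b in item.bind %}' over bind: "10.1.1.2" emits one 'bind' line per character.
The same helper lets 'log: global' be written as a plain scalar.
"""


def to_list(value):
    """Return value as a list: None -> [], list/tuple -> list, anything else -> [value].

    Strings and dicts are deliberately wrapped, never iterated.
    """
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]


def render_bind_lines(bind, ssl=None):
    """Render 'bind' directives for a listen/frontend section.

    ssl is an optional dict whose 'cert' value (path plus any extra options such as
    'no-sslv3') is appended verbatim after 'ssl crt', as in the thread's group_vars.
    """
    suffix = f" ssl crt {ssl['cert']}" if ssl and ssl.get("cert") else ""
    return [f"bind {address}{suffix}" for address in to_list(bind)]


def render_log_lines(log):
    """Render 'log' directives; accepts 'global', one dict, or a list of dicts."""
    lines = []
    for entry in to_list(log):
        if isinstance(entry, dict):
            parts = ["log", entry["address"], entry.get("facility", ""), entry.get("level", "")]
            lines.append(" ".join(p for p in parts if p))
        else:
            lines.append(f"log {entry}")
    return lines


class FilterModule:
    """Expose to_list as a Jinja2 filter for use inside the role's templates."""

    def filters(self):
        return {"haproxy_to_list": to_list}


if __name__ == "__main__":
    # Constructed sample mirroring the listen section from the post above.
    print("\n".join(render_bind_lines("10.1.1.2", {"cert": "/etc/pki/tls/certs/ssl.pem no-sslv3"})))
    print("\n".join(render_log_lines("global")))
```

In the template this reduces to `{% for address in item.bind | haproxy_to_list %}`, and the defaults section can accept `log: global` directly instead of the address/facility workaround.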
Hello,
I'm wondering why you are using a custom repo, ppa:vbernat?
After removing this entry, it works fully on Debian jessie with haproxy 1.5.8.
Install the epel-release package instead:
https://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F