exterrestris / ansible-role-sanoid Goto Github PK

View Code? Open in Web Editor NEW

2.0 1.0 3.0 65 KB

Ansible role to install and configure Sanoid & Syncoid

License: MIT License

Jinja 100.00%

ansible-role ansible sanoid syncoid zfs-snapshots

ansible-role-sanoid's Introduction

Ansible role `exterrestris.sanoid`

An Ansible role to install and configure automated ZFS snapshots and replication using Sanoid/Syncoid

Requirements

Sanoid package available in distribution
systemd

In order for Syncoid to replicate to a remote host, you must ensure that SSH access via public key authentication is correctly set up for the relevant users

Role Variables

Installation

Variable	Default	Comments
`sanoid_install_from`	`"package"`	Install Sanoid from OS package or from GitHub

Install from source

Variable	Default	Comments
`sanoid_source_github_url`	https://github.com/jimsalterjrs/sanoid	GitHub repo to clone
`sanoid_source_version`	`latest`	Git branch, tag or commit to checkout. `latest` will select the most recent release
`sanoid_source_download_dir`	`/tmp/sanoid`	Directory to clone repo to
`sanoid_source_install_dir`	`/usr/local/sbin`	Directory to install binaries to
`sanoid_source_remove_package`	`yes`	Remove the OS package if installed

Configuration

Variable	Default	Comments
`sanoid_datasets`	`[]`	List of datasets to snapshot
`sanoid_templates`	Example templates from sanoid.conf	List of policy templates
`syncoid_syncs`	`[]`	List of datasets to replicate

`sanoid_templates[]`

Variable	Default	Comments
`name`	Required	Template name
`setting`	`""`	Policy setting

All settings supported by Sanoid in templates are supported - see sanoid.conf and sanoid.defaults.conf for details Similarly, most Syncoid flags are configurable via syncoid_syncs.

`sanoid_datasets[]`

Variable	Default	Comments
`name`	Required	ZFS dataset to snapshot
`templates`	Required	Sanoid template(s) to use for policy
`recursive`	`"no"`	Include child datasets with this dataset
`process_children_only`	`"no"`	Do not include this dataset
`overrides`	`[]`	List of template settings to override

`syncoid_syncs[]`

Variable	Default	Comments
`src`	Required	Source ZFS dataset
`src_host`	`""`	Source host
`src_user`	`"root"`	Source user. Ignored if `src_host` empty
`dest`	Required	Destination ZFS dataset
`dest_host`	`""`	Destination host
`dest_user`	`"root"`	Destination user. Ignored if `dest_host` empty
`recursive`	`"no"`	Copy child datasets
`force_delete`	`"no"`	Remove destination datasets recursively

Syncoid systemd Settings

Variable	Default	Comments
`syncoid_service_name`	`"syncoid"`	systemd service name for Syncoid
`syncoid_timer_frequency`	`"daily"`	systemd service frequency for Syncoid
`syncoid_use_ssh_key`	`yes`	Use an SSH key to login to remote hosts
`syncoid_generate_ssh_key`	`yes`	Generate an SSH key for Syncoid to use
`syncoid_generated_ssh_key`	`id_syncoid`	Name of generated SSH key
`syncoid_ssh_key`	`/root/.ssh/{``syncoid_generated_ssh_key``\|id_rsa}`	Path to SSH key for Syncoid to use
`syncoid_ssh_key_install_remote`	`yes`	Install specified SSH key on remote hosts. Requires remote hosts to be defined in inventory

Example

sanoid_templates:
  - name: production
    frequently: 0
    hourly: 36
    daily: 30
    monthly: 3
    yearly: 0
    autosnap: 'yes'
    auto prune: 'yes'
  - name: backup
    frequently: 0
    hourly: 30
    daily: 90
    monthly: 12
    yearly: 0
    autoprune: 'yes'
    autosnap: 'no'
  - name: ignore
    autoprune: 'no'
    autosnap: 'no'
    monitor: 'no'

sanoid_datasets:
  - name: zpoolname/dataset
    templates:
      - production
      - demo
    overrides:
      hourly: 12
      monthly: 1
  - name: zpoolname/parent
    templates: production
    recursive: 'yes'
    process_children_only: 'yes'
  - name: zpoolname/parent/child
    templates: demo
    overrides:
      hourly: 4

syncoid_syncs:
  - src: zpoolname/parent
    dest: zpoolname/parent-backup
    dest_host: remote
    recursive: yes
  - src: zpoolname/dataset
    dest: zpoolname/dataset-backup

ansible-role-sanoid's People

Contributors

Stargazers

Watchers

Forkers

timvy almereyda

ansible-role-sanoid's Issues

Support insecure send

jimsalterjrs/sanoid#513 implements an insecure mode for syncoid which doesn't use SSH for transfers. This is useful when replicating to devices like a Raspberry Pi which doesn't support hardware AES and is therefore transfer speed is CPU limited.

Additional software (socat and busybox) is required on both ends for the transfer to work, along with firewall rules to allow traffic

Allow adding custom commands to syncoid timer

Adding a healthcheck command to syncoid timers would be beneficial for monitoring purposes

Verify this role works on RHEL/CentOS

Nominally supports RHEL/CentOS for both installing from source/package manager, but this is untested

Change the default source download location

Source files are typically kept in /usr/local/src - downloaded to this directory by default would therefore be more appropriate than /tmp

Optionally create user for sanoid/syncoid

Depends on #8

Allow additional Syncoid options

Only two of the flags Syncoid offers are currently supported:

--recursive
--force-delete

Allow using the `--sshport` Syncoid flag

Syncoid allows to set a --sshport flag to specify connecting to SSH hosts using non-standard ports.

This is currently not surfaced in:

https://github.com/exterrestris/ansible-role-sanoid/blob/main/templates/syncoid.service.j2

The current workaround is to create a /root/.ssh/config file which contains host aliases with the desired configuration.

Reference:

https://github.com/jimsalterjrs/sanoid/blob/master/README.md

Allow removal/uninstall of sanoid

Configuration file creation is not idempotent

When I run the role against a computer that already has configured the /etc/sanoid/sanoid.conf file, the role overwrites this file with the default template.

I guess this task should be changed in main.yaml from:

- name: generate sanoid config
  ansible.builtin.template:
    src: ../templates/sanoid.conf.j2
    dest: "{{ sanoid_conf }}"
    owner: root
    group: root
    mode: '0600'

to:

- name: generate sanoid config
  ansible.builtin.template:
    src: ../templates/sanoid.conf.j2
    dest: "{{ sanoid_conf }}"
    owner: root
    group: root
    mode: '0600'
    force: false

Allow running as different user

Need to investigate potential permissions issues

Allow separate systemd timers per Syncoid task

All Syncoid tasks are currently run in the same timer, meaning there is no way to selectively change frequency for some tasks

Allowing adding source/destination servers to known hosts

Sync will fail initially because the host is unknown

Generate SSH keys with the Ed25519 curve

Currently this role generates RSA keys for Syncoid to pull the contents.

OpenSSH 9.5 uses the Ed25519 curve by default. It is considered more secure than RSA keys, while being more convenient and easier to handle, due to their shorter length.

It is suggested to add (optional) ed25519 key generation in a first step and to make it the default later, when proven stable.

Manually creating the directory worked just fine.