Puneet Kala
committed
Apr 22, 2024
1 parent
5b96368
commit 701b546
Showing
9 changed files
with
531 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
#!/bin/sh | ||
|
||
export PWD=$(pwd) | ||
export HOST=localhost | ||
mkdir -p certificates | ||
pushd certificates | ||
echo -e "\n=== Generating SSL certificates in ${PWD} ===" | ||
# Generate self signed root CA cert | ||
openssl req -nodes -x509 -newkey rsa:4096 -keyout ca.key -out ca.crt -subj "/C=US/ST=California/L=San Francisco/O=Percona/OU=root/CN=${HOST}/[email protected]" | ||
# Generate server cert to be signed | ||
openssl req -nodes -newkey rsa:4096 -keyout server.key -out server.csr -subj "/C=US/ST=California/L=San Francisco/O=Percona/OU=server/CN=${HOST}/[email protected]" | ||
# Sign server sert | ||
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt | ||
# Create server PEM file | ||
cat server.key server.crt > server.pem | ||
# Generate client cert to be signed | ||
openssl req -nodes -newkey rsa:4096 -keyout client.key -out client.csr -subj "/C=US/ST=California/L=San Francisco/O=Percona/OU=client/CN=${HOST}/[email protected]" | ||
# Sign the client cert | ||
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt | ||
# Create client PEM file | ||
cat client.key client.crt > client.pem | ||
popd |
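Review bot: Neither the CA request on the `openssl req -x509` line nor the two `openssl x509 -req` signing commands pass `-days`, so OpenSSL's default validity of 30 days applies and every certificate this script produces, and every fixture that copies them, stops working a month after generation; add an explicit `-days` (for example `-days 365`) to all three commands. The script also has no `set -e`, so if the CA step fails the later `cat server.key server.crt > server.pem` silently produces a truncated PEM; `set -eu` after the shebang would surface that. The shebang is `#!/bin/sh` but `pushd`, `popd` and `echo -e` are bash features, so the file appears to rely on being invoked through `bash -x` as the PostgreSQL setup script does; change it to `#!/usr/bin/env bash`.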
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
#!/bin/sh | ||
|
||
|
||
while [ $# -gt 0 ]; do | ||
|
||
if [[ $1 == *"--"* ]]; then | ||
param="${1/--/}" | ||
declare $param="$2" | ||
fi | ||
|
||
shift | ||
done | ||
|
||
if [ -z "$mongodb_version" ] | ||
then | ||
export mongodb_version=4.4 | ||
fi | ||
|
||
apt-get update | ||
apt-get -y install wget curl git | ||
wget https://repo.percona.com/apt/percona-release_latest.generic_all.deb | ||
dpkg -i percona-release_latest.generic_all.deb | ||
wget https://raw.githubusercontent.com/Percona-QA/percona-qa/master/mongo_startup.sh | ||
chmod +x mongo_startup.sh | ||
wget https://raw.githubusercontent.com/percona/pmm-qa/main/pmm-tests/mongodb_user_setup.js | ||
if [ "$mongodb_version" == "4.4" ]; then | ||
wget -O percona_server_mongodb.tar.gz https://downloads.percona.com/downloads/percona-server-mongodb-4.4/percona-server-mongodb-4.4.13-13/binary/tarball/percona-server-mongodb-4.4.13-13-x86_64.glibc2.17-minimal.tar.gz | ||
fi | ||
|
||
if [ "$mongodb_version" == "4.2" ]; then | ||
wget -O percona_server_mongodb.tar.gz https://downloads.percona.com/downloads/percona-server-mongodb-4.2/percona-server-mongodb-4.2.19-19/binary/tarball/percona-server-mongodb-4.2.19-19-x86_64.glibc2.17-minimal.tar.gz | ||
fi | ||
|
||
if [ "$mongodb_version" == "4.0" ]; then | ||
wget -O percona_server_mongodb.tar.gz https://downloads.percona.com/downloads/percona-server-mongodb-4.0/percona-server-mongodb-4.0.28-23/binary/tarball/percona-server-mongodb-4.0.28-23-x86_64.glibc2.17-minimal.tar.gz | ||
fi | ||
|
||
if [ "$mongodb_version" == "5.0" ]; then | ||
wget -O percona_server_mongodb.tar.gz https://downloads.percona.com/downloads/percona-server-mongodb-5.0/percona-server-mongodb-5.0.7-6/binary/tarball/percona-server-mongodb-5.0.7-6-x86_64.glibc2.17-minimal.tar.gz | ||
fi | ||
|
||
tar -xvf percona_server_mongodb.tar.gz | ||
rm percona_server_mongodb.tar.gz* | ||
mv percona-server-mongodb-${mongodb_version}.* psmdb_${mongodb_version} | ||
|
||
bash ./mongo_startup.sh -m --ssl -x -e wiredTiger --mongodExtra="--profile 2 --slowms 1 --bind_ip_all" --b=/psmdb_${mongodb_version}/bin | ||
sleep 20 | ||
/nodes/cl.sh mongodb_user_setup.js | ||
cat > add_new_ssl_user.js <<EOF | ||
db.getSiblingDB("\$external").runCommand( | ||
{ | ||
createUser: "[email protected],CN=localhost,OU=client,O=Percona,L=San Francisco,ST=California,C=US", | ||
roles: [ | ||
{ role: "readWrite", db: 'test' }, | ||
{ role: "explainRole", db: "admin" }, | ||
{ role: "clusterMonitor", db: "admin" }, | ||
{ role: "read", db: "local" }, | ||
{ role: 'root', db: 'admin' } | ||
], | ||
writeConcern: { w: "majority" , wtimeout: 5000 } | ||
} | ||
); | ||
db.getSiblingDB("\$external").auth( | ||
{ | ||
mechanism: "MONGODB-X509", | ||
user: "[email protected],CN=localhost,OU=client,O=Percona,L=San Francisco,ST=California,C=US" | ||
} | ||
); | ||
print("Added new user ssl"); | ||
db.getSiblingDB("test").test.insert({a:1}); | ||
db.getSiblingDB("test").test.insert({b:2}); | ||
EOF | ||
/nodes/cl.sh add_new_ssl_user.js |
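Review bot: The helper scripts fetched on the `wget` lines for `mongo_startup.sh` and `mongodb_user_setup.js` come from the `master` and `main` branch heads and are executed unverified, so whatever is at those URLs at run time runs with the container's privileges; pin them to a commit SHA or pass the ref as a parameter the way the playbook already does for `pmm_qa_branch`, and check a known digest before `chmod +x`. The `declare $param="$2"` argument loop lets any `--name value` pair set an arbitrary shell variable, including `PATH`; a `case` over the accepted option names would be safer and would also let an `else` branch reject a `--mongodb_version` that none of the four download blocks handle, instead of failing later at `tar` with a confusing error. In the `add_new_ssl_user.js` heredoc the `root` role on `admin` makes the four preceding roles redundant and grants the X.509 monitoring identity full cluster control; if the fixture only needs what PMM monitors, drop `root`. The file is `#!/bin/sh` but uses `[[`, `${1/--/}` and `declare`, which are bash-only.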
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
--- | ||
# This playbook does following: | ||
# enables Percona testing repository | ||
# Install Percona Server at Version 8.0.25 | ||
# Install all required tools for backups in compatible version | ||
|
||
- hosts: all | ||
become: true | ||
become_method: sudo | ||
vars: | ||
mongodb_version: "{{ lookup('vars', 'extra_mongodb_version', default=lookup('env','MONGODB_VERSION') | default('4.4', true) ) }}" | ||
mongodb_ssl_container: "{{ lookup('vars', 'extra_mongodb_ssl_container', default=lookup('env','MONGODB_SSL_CONTAINER') | default('mongodb_ssl', true) ) }}" | ||
pmm_server_ip: "{{ lookup('vars', 'extra_pmm_server_ip', default=lookup('env','PMM_SERVER_IP') | default('127.0.0.1', true) ) }}" | ||
client_version: "{{ lookup('vars', 'extra_client_version', default=lookup('env','CLIENT_VERSION') | default('dev-latest', true) ) }}" | ||
admin_password: "{{ lookup('vars', 'extra_admin_password', default=lookup('env','ADMIN_PASSWORD') | default('admin', true) ) }}" | ||
pmm_qa_branch: "{{ lookup('vars', 'extra_pmm_qa_branch', default=lookup('env','PMM_QA_GIT_BRANCH') | default('main', true) ) }}" | ||
|
||
tasks: | ||
- name: Cleanup Docker container for client and DB setup | ||
shell: > | ||
docker ps -a --filter "name={{ mongodb_ssl_container }}" | grep -q . && docker stop {{ mongodb_ssl_container }} && docker rm -fv {{ mongodb_ssl_container }} | ||
ignore_errors: true | ||
tags: | ||
- cleanup | ||
- name: delete network if exist | ||
shell: docker network rm "{{ mongodb_ssl_container }}_network" | ||
ignore_errors: true | ||
tags: | ||
- cleanup | ||
|
||
- name: Create a network | ||
shell: docker network create "{{ mongodb_ssl_container }}_network" | ||
|
||
- name: Create pmm-qa network if not exist | ||
shell: docker network create pmm-qa | ||
ignore_errors: true | ||
|
||
- name: Prepare Container for mongodb ssl container | ||
shell: > | ||
docker run -d --name={{ mongodb_ssl_container }} | ||
--network "{{ mongodb_ssl_container }}_network" | ||
phusion/baseimage:focal-1.1.0 | ||
- name: Copy all required Artifacts to the docker mongodb_ssl_container | ||
shell: "{{ item }}" | ||
with_items: | ||
- docker exec {{ mongodb_ssl_container }} mkdir -p artifacts | ||
- docker cp ./mongodb/mongodb_ssl_setup.sh {{ mongodb_ssl_container }}:/ | ||
|
||
- name: Execute Setup script inside the mongodb mongodb_ssl_container | ||
shell: "{{ item }}" | ||
with_items: | ||
- docker exec {{ mongodb_ssl_container }} bash -xe ./mongodb_ssl_setup.sh --mongodb_version {{ mongodb_version }} > mongodb/setup_mongodb_ssl_{{ mongodb_version }}.log | ||
|
||
- name: Install pmm2-client on the mongodb_ssl_container | ||
shell: "{{ item }}" | ||
with_items: | ||
- docker exec {{ mongodb_ssl_container }} wget https://raw.githubusercontent.com/percona/pmm-qa/{{ pmm_qa_branch }}/pmm-tests/pmm2-client-setup.sh | ||
- docker network connect pmm-qa {{ mongodb_ssl_container }} | ||
- docker exec {{ mongodb_ssl_container }} bash -x ./pmm2-client-setup.sh --pmm_server_ip {{ pmm_server_ip }} --client_version {{ client_version }} --admin_password {{ admin_password }} --use_metrics_mode no | ||
|
||
- name: Add pmm-admin binary to path when tar ball installation | ||
shell: docker exec {{ mongodb_ssl_container }} echo "export PATH=$PATH:/pmm2-client/bin" > setup_path.sh | ||
when: '"http" in client_version' | ||
|
||
- name: Remove mongodb service if already added previously | ||
shell: "{{ item }}" | ||
with_items: | ||
- docker exec {{ mongodb_ssl_container }} bash -c 'source ~/.bash_profile || true; pmm-admin remove mongodb {{ mongodb_ssl_container }}_service' | ||
ignore_errors: true | ||
|
||
- name: Add mongodb_ssl for monitoring | ||
shell: "{{ item }}" | ||
with_items: | ||
- docker exec {{ mongodb_ssl_container }} bash -c 'source ~/.bash_profile || true; pmm-admin list' | ||
- docker exec {{ mongodb_ssl_container }} bash -c 'source ~/.bash_profile || true; pmm-admin add mongodb --tls --tls-skip-verify --authentication-mechanism=MONGODB-X509 --authentication-database=$external --tls-certificate-key-file=/nodes/certificates/client.pem --tls-certificate-key-file-password=/nodes/certificates/client.key --tls-ca-file=/nodes/certificates/ca.crt {{ mongodb_ssl_container }}_ssl_service' | ||
|
||
- name: Get client cert Files on host | ||
shell: "{{ item }}" | ||
with_items: | ||
- mkdir -p mongodb/{{ mongodb_version }} || true | ||
- docker exec {{ mongodb_ssl_container }} cat /nodes/certificates/ca.crt > mongodb/{{ mongodb_version }}/ca.crt | ||
- docker exec {{ mongodb_ssl_container }} cat /nodes/certificates/client.key > mongodb/{{ mongodb_version }}/client.key | ||
- docker exec {{ mongodb_ssl_container }} cat /nodes/certificates/client.pem > mongodb/{{ mongodb_version }}/client.pem |
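Review bot: In the `pmm-admin add mongodb` task the string `--authentication-database=$external` sits inside the single-quoted `bash -c '...'` body, so the inner bash expands the undefined variable `$external` to an empty string and the flag is passed empty; escape it as `--authentication-database=\$external` (the setup script's heredoc already escapes it this way). The same command passes `--tls-skip-verify` together with `--tls-ca-file`, which disables the server-certificate check the CA file exists for; if this is a workaround for the self-signed `CN=localhost` certificate lacking a SAN, say so in a comment, otherwise drop the flag. The `pmm2-client-setup.sh` task runs the script with `bash -x` and `--admin_password {{ admin_password }}` on the command line, so the password appears in the xtrace output captured by Ansible and in `ps`; drop `-x` for that task or pass the password via the environment. In the `Add pmm-admin binary to path` task the `> setup_path.sh` redirect and `$PATH` are evaluated by the shell running `docker exec`, outside the container, so the file is written on the Ansible target host; wrap it as `docker exec {{ mongodb_ssl_container }} bash -c 'echo "export PATH=$PATH:/pmm2-client/bin" > setup_path.sh'`.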
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
#!/bin/sh | ||
|
||
|
||
while [ $# -gt 0 ]; do | ||
|
||
if [[ $1 == *"--"* ]]; then | ||
param="${1/--/}" | ||
declare $param="$2" | ||
fi | ||
|
||
shift | ||
done | ||
|
||
if [ -z "$mysql_version" ] | ||
then | ||
export mysql_version=8.0 | ||
fi | ||
|
||
apt-get update | ||
apt-get -y install wget curl git | ||
wget https://repo.percona.com/apt/percona-release_latest.generic_all.deb | ||
dpkg -i percona-release_latest.generic_all.deb | ||
sleep 10 | ||
if [ "$mysql_version" == "8.0" ]; then | ||
percona-release setup ps80 | ||
sleep 10 | ||
DEBIAN_FRONTEND=noninteractive apt-get -y install percona-server-server sysbench sysbench-tpcc bc screen | ||
cat > /etc/mysql/my.cnf << EOF | ||
[mysqld] | ||
innodb_buffer_pool_size=256M | ||
innodb_buffer_pool_instances=1 | ||
innodb_log_file_size=1G | ||
innodb_flush_method=O_DIRECT | ||
innodb_numa_interleave=1 | ||
innodb_flush_neighbors=0 | ||
log_bin | ||
server_id=1 | ||
binlog_expire_logs_seconds=600 | ||
log_output=file | ||
slow_query_log=ON | ||
long_query_time=0 | ||
log_slow_rate_limit=1 | ||
log_slow_rate_type=query | ||
log_slow_verbosity=full | ||
log_slow_admin_statements=ON | ||
log_slow_slave_statements=ON | ||
slow_query_log_always_write_time=1 | ||
slow_query_log_use_global_control=all | ||
innodb_monitor_enable=all | ||
userstat=1 | ||
bind-address=0.0.0.0 | ||
require_secure_transport=ON | ||
EOF | ||
|
||
fi | ||
|
||
if [ "$mysql_version" == "5.7" ]; then | ||
percona-release setup ps57 | ||
sleep 10 | ||
DEBIAN_FRONTEND=noninteractive apt-get -y install percona-server-server-5.7 | ||
cat > /etc/mysql/my.cnf << EOF | ||
[mysqld] | ||
innodb_buffer_pool_size=256M | ||
innodb_buffer_pool_instances=1 | ||
innodb_log_file_size=1G | ||
innodb_flush_method=O_DIRECT | ||
innodb_numa_interleave=1 | ||
innodb_flush_neighbors=0 | ||
log_bin | ||
server_id=1 | ||
expire_logs_days=1 | ||
log_output=file | ||
slow_query_log=ON | ||
long_query_time=0 | ||
log_slow_rate_limit=1 | ||
log_slow_rate_type=query | ||
log_slow_verbosity=full | ||
log_slow_admin_statements=ON | ||
log_slow_slave_statements=ON | ||
slow_query_log_always_write_time=1 | ||
slow_query_log_use_global_control=all | ||
innodb_monitor_enable=all | ||
userstat=1 | ||
bind-address=0.0.0.0 | ||
require_secure_transport=ON | ||
EOF | ||
|
||
fi | ||
service mysql restart | ||
mysql -e "create user pmm@'%' identified by \"pmm\"" | ||
mysql -e "grant all on *.* to pmm@'%'" | ||
service mysql restart |
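Review bot: The last two `mysql -e` lines create `pmm@'%'` with password `pmm` and `GRANT ALL ON *.*`, while both `my.cnf` heredocs set `bind-address=0.0.0.0`, so a fully privileged account with a guessable password is reachable from any address; the monitoring agent does not need that, so grant only what it uses, for example `GRANT SELECT, PROCESS, REPLICATION CLIENT, RELOAD ON *.* TO pmm@'%'`, and use `CREATE USER IF NOT EXISTS` so a re-run does not fail. A `mysql_version` other than `8.0` or `5.7` skips both install blocks and reaches `service mysql restart` with nothing installed; an `else` that prints the supported values and exits non-zero would fail early and clearly. The two `my.cnf` heredocs differ only in `binlog_expire_logs_seconds` versus `expire_logs_days`, so the shared lines could be emitted once after the version-specific install. The file is `#!/bin/sh` but uses `[[`, `${1/--/}`, `declare` and `==` inside `[`, which are bash-only.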
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
CREATE DATABASE sbtest1; | ||
CREATE DATABASE sbtest2; | ||
CREATE USER pmm WITH PASSWORD 'pmm'; | ||
GRANT pg_monitor TO pmm; | ||
CREATE EXTENSION pg_stat_statements; | ||
ALTER SYSTEM SET shared_preload_libraries TO 'pg_stat_statements'; | ||
ALTER SYSTEM SET track_activity_query_size=2048; | ||
ALTER SYSTEM SET track_io_timing=ON; |
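Review bot: `CREATE EXTENSION pg_stat_statements` precedes the `ALTER SYSTEM SET shared_preload_libraries` line, so it only creates the SQL objects; the view errors until the server is restarted with the library loaded, which means this file depends on the caller restarting PostgreSQL afterwards. A comment stating that, such as `-- pg_stat_statements is usable only after a restart picks up shared_preload_libraries`, would make the dependency explicit, and `CREATE EXTENSION IF NOT EXISTS pg_stat_statements;` keeps the file re-runnable. `ALTER SYSTEM SET shared_preload_libraries TO 'pg_stat_statements'` also replaces any libraries already configured rather than appending; note that if other extensions are expected on the same server.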
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
#!/bin/sh | ||
|
||
|
||
while [ $# -gt 0 ]; do | ||
|
||
if [[ $1 == *"--"* ]]; then | ||
param="${1/--/}" | ||
declare $param="$2" | ||
fi | ||
|
||
shift | ||
done | ||
|
||
if [ -z "$pgsql_version" ] | ||
then | ||
export pgsql_version=13 | ||
fi | ||
|
||
apt-get update | ||
apt-get -y install wget curl git | ||
wget https://repo.percona.com/apt/percona-release_latest.generic_all.deb | ||
dpkg -i percona-release_latest.generic_all.deb | ||
percona-release setup ppg${pgsql_version} | ||
sleep 10 | ||
pushd artifacts | ||
bash -x create_certs.sh | ||
popd | ||
sleep 10 | ||
pwd | ||
apt -y install percona-postgresql-${pgsql_version} | ||
apt -y install percona-postgresql-contrib | ||
sleep 10 | ||
sed -i 's/\(host\s*all\s*all\s*127.0.0.1.*\) md5/\1 trust/g' /etc/postgresql/${pgsql_version}/main/pg_hba.conf | ||
sed -i 's/\(host\s*all\s*all\s*::1.*\) md5/\1 trust/g' /etc/postgresql/${pgsql_version}/main/pg_hba.conf | ||
sed -i 's/\(local\s*all\s*postgres.*\) peer/\1 trust/g' /etc/postgresql/${pgsql_version}/main/pg_hba.conf | ||
sed -i 's/\(local\s*all\s*all.*\) peer/\1 trust/g' /etc/postgresql/${pgsql_version}/main/pg_hba.conf | ||
service postgresql restart | ||
sleep 10 | ||
cp -a ./artifacts/certificates/. /var/lib/postgresql/${pgsql_version}/main/ | ||
ls -la ./artifacts/certificates/ | ||
chown -R postgres:postgres /var/lib/postgresql/${pgsql_version}/main | ||
chmod 0700 -R /var/lib/postgresql/${pgsql_version}/main | ||
sed -i "s/ssl_cert_file.*/ssl_cert_file = 'server.crt'/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf | ||
sed -i "s/#listen_addresses.*/listen_addresses = '*'/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf | ||
sed -i "s/ssl_key_file.*/ssl_key_file = 'server.key'/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf | ||
sed -i "s/ssl_ca_file.*/ssl_ca_file = 'ca.crt'/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf | ||
sed -i "s/#ssl_prefer_server_ciphers.*/ssl_prefer_server_ciphers = on/g" /etc/postgresql/${pgsql_version}/main/postgresql.conf | ||
echo "hostssl all all 0.0.0.0/0 md5" >> /etc/postgresql/${pgsql_version}/main/pg_hba.conf | ||
echo "host all all 0.0.0.0/0 md5" >> /etc/postgresql/${pgsql_version}/main/pg_hba.conf | ||
sleep 10 | ||
service postgresql restart | ||
su postgres bash -c 'psql -f init.sql' | ||
service postgresql restart |
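Review bot: The `cp -a ./artifacts/certificates/. /var/lib/postgresql/${pgsql_version}/main/` line copies the whole directory, which per `create_certs.sh` includes the unencrypted CA private key `ca.key` plus the client key and PEM, into the server's data directory, while the `postgresql.conf` edits only reference `server.crt`, `server.key` and `ca.crt`; copy just those three, e.g. `cp -a ./artifacts/certificates/{server.crt,server.key,ca.crt} /var/lib/postgresql/${pgsql_version}/main/`. The appended `host all all 0.0.0.0/0 md5` rule accepts non-TLS connections from any address alongside the `hostssl` rule, so TLS stays optional for clients; if TLS is meant to be required, drop the `host` line or put `hostnossl all all 0.0.0.0/0 reject` ahead of it. The three `ssl_*_file` `sed` patterns, unlike the `#listen_addresses` and `#ssl_prefer_server_ciphers` ones, do not match a leading `#`, so if the packaged `postgresql.conf` ships `#ssl_ca_file = ''` commented out the substitution leaves it commented and no CA is configured; anchor them as `s/^#\?ssl_ca_file.*/ssl_ca_file = 'ca.crt'/` and likewise for the cert and key lines. The loopback and local `pg_hba.conf` rules are switched to `trust`, which is acceptable for a disposable fixture but deserves a comment saying so.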