fixed security groups and optimized mongodb installation

Author: merlijntishauser

Diff for: ansible/pegski.yml

@@ -9,5 +9,6 @@
   become: yes
   roles:
     - {role: base, tags: ['base']}
+    - {role: storage, tags: ['storage']}
     - {role: ssh_access, tags: ['ssh_access']}
     - {role: mongodb, tags: ['mongodb']}

Diff for: ansible/roles/base/handlers/main.yml

@@ -1,2 +1,5 @@
 - name: restart NTP daemon
-  service: name=ntp state=restarted
+  service: name=ntp state=restarted
+
+- name: dpkg-reconfigure locales
+  command: /usr/sbin/dpkg-reconfigure --frontend noninteractive locales

Diff for: ansible/roles/base/tasks/base.yml

@@ -16,7 +16,24 @@
     - curl
 
 - name: install nl_NL.UTF-8 locale
-  shell: locale-gen nl_NL.UTF-8
+  locale_gen:
+    name=nl_NL.UTF-8
+    state=present
+  notify: dpkg-reconfigure locales
+
+- name: Set LC_LANG
+  lineinfile:
+    dest=/etc/environment
+    state=present
+    regexp='^LC_LANG'
+    line='LC_LANG="nl_NL.UTF-8"'
+
+- name: Set LC_ALL
+  lineinfile:
+    dest=/etc/environment
+    state=present
+    regexp='^LC_ALL'
+    line='LC_ALL="nl_NL.UTF-8"'
 
 - name: set timezone to UTC
   when: ansible_date_time.tz != 'UTC'

Diff for: ansible/roles/mongodb/files/85-ebs.rules

@@ -0,0 +1 @@
+ACTION=="add", KERNEL=="xvdf", ATTR{bdi/read_ahead_kb}="16"

Diff for: ansible/roles/mongodb/files/90-mongodb.conf

@@ -0,0 +1,4 @@
+*   soft    nofile  64000
+*   hard    nofile  64000
+*   soft    nproc   64000
+*   hard    nproc   64000

Diff for: ansible/roles/mongodb/tasks/filesystem.yml

@@ -0,0 +1,49 @@
+---
+- name: create persistent storage directory
+  file:
+    dest=/persistent_storage/mongodb
+    state=directory
+    recurse=true
+    owner=mongodb
+    group=mongodb
+    mode=755
+
+- name: create subdirectories for mongodb within persistent storage directory
+  file:
+    dest=/persistent_storage/mongodb/{{ item }}
+    state=directory
+    recurse=true
+    owner=mongodb
+    group=mongodb
+    mode=755
+  with_items:
+    - log
+    - data
+
+- name: create journal subdirectory
+  file:
+    dest=/persistent_storage/mongodb/data/journal
+    state=directory
+    recurse=true
+    owner=mongodb
+    group=mongodb
+    mode=755
+
+- name: create symobolic link for /journal
+  file:
+    src=/persistent_storage/mongodb/data/journal
+    dest=/persistent_storage/mongodb/journal
+    owner=mongodb
+    group=mongodb
+    state=link
+
+- name: adjust ulimits for mongodb
+  copy:
+    src: 90-mongodb.conf
+    dest: "/etc/security/limits.d/90-mongodb.conf"
+
+- name: set udev config for mongodb
+  copy:
+    src: 85-ebs.rules
+    dest: "/etc/udev/rules.d/85-ebs.rules"
+

Diff for: ansible/roles/mongodb/tasks/install-mongod.yml

@@ -0,0 +1,31 @@
+# This is a very basic playbook for installing mongodb.
+# If we want something more advanced, we might consider using
+# https://github.com/UnderGreen/ansible-role-mongodb
+---
+- name: import the public key used by the package management system
+  apt_key: keyserver=hkp://keyserver.ubuntu.com:80 id=EA312927 state=present
+
+- name: add MongoDB repository
+  apt_repository: repo='deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.2 multiverse' state=present
+
+- name: set correct (advised by mongodb) kernelsettings
+  copy:
+    src: mongo_vm_settings.conf
+    dest: "/etc/init/mongod_vm_settings.conf"
+
+- name: load custom config file to allow incoming traffic
+  template:
+    src: templates/mongod.conf.j2
+    dest: "/etc/mongod.conf"
+  notify:
+  - start mongodb
+
+- name: install mongodb
+  apt: pkg=mongodb-org state=latest update_cache=yes
+  notify:
+  - start mongodb
+
+- name: check if mongodb is running and accepting connections
+  wait_for:
+    port:  27017
+    timeout: 10

Diff for: ansible/roles/mongodb/tasks/main.yml

@@ -1,31 +1,3 @@
-# This is a very basic playbook for installing mongodb.
-# If we want something more advanced, we might consider using
-# https://github.com/UnderGreen/ansible-role-mongodb
 ---
-- name: import the public key used by the package management system
-  apt_key: keyserver=hkp://keyserver.ubuntu.com:80 id=EA312927 state=present
-
-- name: add MongoDB repository
-  apt_repository: repo='deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.2 multiverse' state=present
-
-- name: set correct (advised by mongodb) kernelsettings
-  copy:
-    src: mongo_vm_settings.conf
-    dest: "/etc/init/mongod_vm_settings.conf"
-
-- name: load custom config file to allow incoming traffic
-  template:
-    src: templates/mongod.conf.j2
-    dest: "/etc/mongod.conf"
-  notify:
-  - start mongodb
-
-- name: install mongodb
-  apt: pkg=mongodb-org state=latest update_cache=yes
-  notify:
-  - start mongodb
-
-- name: check if mongodb is running and accepting connections
-  wait_for:
-    port:  27017
-    timeout: 10
+- include: filesystem.yml
+- include: install-mongod.yml

Diff for: ansible/roles/mongodb/templates/mongod.conf.j2

@@ -5,7 +5,7 @@
 
 # Where and how to store data.
 storage:
-  dbPath: /var/lib/mongodb
+  dbPath: /persistent_storage/mongodb/data
   journal:
     enabled: true
 #  engine:
@@ -16,7 +16,7 @@ storage:
 systemLog:
   destination: file
   logAppend: true
-  path: /var/log/mongodb/mongod.log
+  path: /persistent_storage/mongodb/log/mongod.log
 
 # network interfaces
 net:

Diff for: ansible/roles/storage/tasks/install-boto.yml

@@ -0,0 +1,20 @@
+- name: python pip and boto
+  apt:
+    name={{ item }}
+    update_cache=yes
+  with_items:
+    - python-boto
+    - python-pip
+
+- name: ensure pip is properly installed
+  easy_install: name=pip
+
+- name: update pip to latest version
+  pip:
+   name=pip
+   state=latest
+
+- name: update boto to latest version
+  pip:
+   name=boto
+   state=latest

Diff for: ansible/roles/storage/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- include: install-boto.yml
+- include: storage.yml

Diff for: ansible/roles/storage/tasks/storage.yml

@@ -0,0 +1,39 @@
+---
+- name: check if mount already exist
+  shell: df -h | grep xvdf1
+  register: mount_exist
+  ignore_errors: True
+
+- name: Display all variables/facts known for a host
+  debug: var=hostvars[inventory_hostname] verbosity=1
+
+- name: ensure that external EBS volume exists and is attached to the instance
+  ec2_vol:
+    instance: "{{ hostvars[inventory_hostname].id }}"
+    volume_size: 50
+    volume_type: gp2
+    device_name: /dev/xvdf
+    state: present
+    region: "{{ aws.region }}"
+    encrypted: yes
+    aws_access_key: "{{ aws.access_key }}"
+    aws_secret_key: "{{ aws.secret_key }}"
+
+- name: hack fdisk with echo commands
+  shell: (echo n; echo; echo; echo; echo; echo w) | fdisk /dev/xvdf
+  when: mount_exist.stdout.find("xvdf1") < 1
+
+- name: create a ext4 filesystem on /dev/xvdf1
+  filesystem:
+    fstype: ext4
+    dev: /dev/xvdf1
+  when: mount_exist.stdout.find("xvdf1") < 1
+
+- name: mount our new disk
+  mount:
+    name: /persistent_storage
+    src: /dev/xvdf1
+    fstype: ext4
+    opts: noatime
+    state: mounted
+  when: mount_exist.stdout.find("xvdf1") < 1

Diff for: ansible/roles/storage/vars/main.yml

@@ -0,0 +1,7 @@
+# For security reasons we use environment variables, so we avoid having secrets in git.
+# We reuse the environment variables set for using terraform
+
+aws:
+  region: "{{ lookup('env','TF_VAR_region') }}"
+  access_key: "{{ lookup('env','TF_VAR_access_key') }}"
+  secret_key: "{{ lookup('env','TF_VAR_secret_key') }}"

Diff for: terraform/Makefile

@@ -42,6 +42,9 @@ output:
 	@echo "*** VPC ***"
 	@terraform output --module=vpc
 
+ping:
+	ansible -i bin/terraform.py/terraform.py -m ping all
+
 clean:
 	terraform destroy
 	rm -rf $(CURDIR)/.terraform

Diff for: terraform/main.tf

@@ -49,7 +49,8 @@ module "mongodbnodes" {
   zones           = "${var.zones}"
   key_name        = "${aws_key_pair.terraform-deployer.id}"
 
-  vpc_id          = "${module.vpc.vpc_id}"
-  default_sg_id   = "${module.vpc.default_sg_id}"
-  subnet_id_zones = "${module.vpc.subnet_id_zones}"
+  vpc_id           = "${module.vpc.vpc_id}"
+  vpc_private_cidr = "${module.vpc.vpc_private_cidr}"
+  default_sg_id    = "${module.vpc.default_sg_id}"
+  subnet_id_zones  = "${module.vpc.subnet_id_zones}"
 }

Diff for: terraform/mongodb/mongodb.tf

@@ -7,10 +7,8 @@ resource "aws_security_group" "mongodb" {
     from_port = 27017
     to_port   = 27017
     protocol  = "tcp"
-    self      = true
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["${var.vpc_private_cidr}"]
   }
-
 }
 
 resource "aws_instance" "mongodbnodes" {

Diff for: terraform/mongodb/variables.tf

@@ -4,6 +4,7 @@ variable "key_name" {}
 
 variable "vpc_id" {}
 variable "default_sg_id" {}
+variable "vpc_private_cidr" {}
 variable "subnet_id_zones" {
   type = "list"
 }

Diff for: terraform/vpc/outputs.tf

@@ -2,6 +2,10 @@ output "vpc_id" {
   value = "${aws_vpc.main.id}"
 }
 
+output "vpc_private_cidr" {
+  value = "${aws_vpc.main.cidr_block}"
+}
+
 output "default_sg_id" {
   value = "${aws_security_group.default.id}"
 }

Diff for: terraform/vpc/variables.tf

@@ -13,9 +13,9 @@ variable "zones" {
 variable "cidr_blocks" {
   type    = "list"
   default = [
-      "10.0.0.0/22",
-      "10.0.8.0/22",
-      "10.0.16.0/22"
+      "10.0.1.0/23",
+      "10.0.10.0/23",
+      "10.0.12.0/23"
   ]
 }
 

Diff for: terraform/vpc/vpc.tf

@@ -44,13 +44,20 @@ resource "aws_security_group" "default" {
   description = "Default SSH and HTTP only from whitelisted cidr blocks"
   vpc_id      = "${aws_vpc.main.id}"
 
+  # Allow all traffic from instances attached to same sceurity group
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    self        = true
+  }
+
   # SSH from the whitelisted CIDR blocks
   ingress {
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
     cidr_blocks = ["${split(",", var.whitelisted_cidrs)}"]
-    self        = true
   }
 
   # Outbound internet access