From 95a9e05cb9502669cbe99a165118c581bd9b1a0e Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 8 Jan 2026 16:33:43 +0100 Subject: [PATCH 01/70] add option single mongo server --- roles/mongo/README.md | 2 ++ roles/mongo/defaults/main.yml | 2 +- roles/mongo/tasks/clusterconfig.yml | 8 ++++---- roles/mongo/tasks/main.yml | 3 +++ roles/mongo/tasks/postinstall.yml | 4 ---- roles/mongo/templates/mongod.conf.j2 | 2 ++ roles/mongo/templates/mongoshrc.js.j2 | 2 +- 7 files changed, 13 insertions(+), 10 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 9e96770e5..e50e5a91a 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md @@ -15,5 +15,7 @@ Set the mongo_cluster_private_key variable encrypted in host_vars Please review the official Mongo documentation for more information. # Todo +- [ ] Check mongo_replication_roles and give a clear fail message wehn not set - [ ] Add the possibility for adding and removing cluster members - [ ] Add the possibility for a standalone mongo server +- [ ] Cluster config does not work with serial 1 in the play but for mongo config changes you do want serial 1, split up the role? diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index a58b2a320..e92169f22 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -28,7 +28,7 @@ mongo_servers: [] # Set this in group_vars # setting them separately is not ideal. # The port for mongo server -mongod_port: 27017 +mongo_port: 27017 # The password for admin user mongo_admin_pass: "{{ mongo_admin_password }}" # Set this in secrets diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 45ecf40fa..27bc2e8c6 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
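Review bot: Renaming the default from `mongod_port` to `mongo_port` silently drops any inventory or group_vars override that still sets the old name, because an unknown variable is simply ignored and the hard-coded 27017 takes over for the templates and tasks renamed in this commit. A compatibility default keeps existing overrides working while the rename propagates: `mongo_port: "{{ mongod_port | default(27017) }}"`. Whether any environment actually overrides the port is not visible here, so confirm before dropping the fallback.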
@@ -1,6 +1,6 @@ --- - name: Check if hosts are in clustered - ansible.builtin.command: mongosh --port {{ mongod_port }} --quiet --eval 'db.isMaster().hosts' + ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' register: check_cluster changed_when: false check_mode: false @@ -24,7 +24,7 @@ community.mongodb.mongodb_replicaset: login_host: localhost login_user: admin - login_port: "{{ mongod_port }}" + login_port: "{{ mongo_port }}" login_password: "{{ mongo_admin_password }}" replica_set: "{{ replica_set_name }}" members: "{{ mongo_cluster_members }}" @@ -38,7 +38,7 @@ login_user: admin login_password: "{{ mongo_admin_password }}" login_database: admin - login_port: "{{ mongod_port }}" + login_port: "{{ mongo_port }}" validate: default poll: 5 interval: 12 @@ -50,7 +50,7 @@ database: admin name: admin password: "{{ mongo_admin_password }}" - login_port: "{{ mongod_port }}" + login_port: "{{ mongo_port }}" roles: root state: present when: check_cluster.stdout == "" diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 2485d4b1d..7d9f86679 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -20,6 +20,9 @@ - name: Include cluster installation tasks ansible.builtin.include_tasks: file: clusterconfig.yml + when: + - mongo_cluster_members is defined + - replica_set_name is defined - name: Include user creation ansible.builtin.include_tasks: diff --git a/roles/mongo/tasks/postinstall.yml b/roles/mongo/tasks/postinstall.yml index e474a0b1e..428112194 100644 --- a/roles/mongo/tasks/postinstall.yml +++ b/roles/mongo/tasks/postinstall.yml @@ -34,10 +34,6 @@ owner: root when: mongo_replication_role != 'arbiter' -# TODO: this template gets mongo_servers from -# the inventory, maybe change that to group vars -# this is not on an per app basis. These are mongoservers -# in the same cluster. - name: Create mongosh config file ansible.builtin.template: src: mongoshrc.js.j2 
diff --git a/roles/mongo/templates/mongod.conf.j2 b/roles/mongo/templates/mongod.conf.j2 index f5e990add..006200aad 100644 --- a/roles/mongo/templates/mongod.conf.j2 +++ b/roles/mongo/templates/mongod.conf.j2 @@ -16,8 +16,10 @@ net: storage: dbPath: /var/lib/mongo +{% if replica_set_name is defined %} replication: replSetName: {{ replica_set_name }} +{% endif %} security: authorization: enabled diff --git a/roles/mongo/templates/mongoshrc.js.j2 b/roles/mongo/templates/mongoshrc.js.j2 index 9faf2cdb0..973ccf487 100644 --- a/roles/mongo/templates/mongoshrc.js.j2 +++ b/roles/mongo/templates/mongoshrc.js.j2 @@ -1,2 +1,2 @@ -db = connect("mongodb://admin:{{ mongo_admin_password }}@{% for mongo_server in mongo_servers %}{{ mongo_server }}:{{ mongod_port }}{% if not loop.last %},{% endif %}{% endfor %}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") +db = connect("mongodb://admin:{{ mongo_admin_password }}@{% for mongo_server in mongo_servers %}{{ mongo_server }}:{{ mongo_port }}{% if not loop.last %},{% endif %}{% endfor %}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") From f5c30257a7e65f6de13328b917499604a829f768 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 14 Jan 2026 11:29:55 +0100 Subject: [PATCH 02/70] Fix order of tasks so that it works for single and cluster mongo servers --- roles/mongo/tasks/install.yml | 6 ----- roles/mongo/tasks/main.yml | 8 +++++-- roles/mongo/tasks/services.yml | 6 +++++ roles/mongo/tasks/users.yml | 42 ++++++++++++++++++++++++++++++++-- 4 files changed, 52 insertions(+), 10 deletions(-) create mode 100644 roles/mongo/tasks/services.yml diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index 673d465e3..c1c6e0fc7 100644 --- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml @@ -60,9 +60,3 @@ group: root mode: "0644" notify: Restart mongod - -- name: Enable and start mongod - ansible.builtin.service: - name: mongod.service - enabled: true - state: started 
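Review bot: The admin password is interpolated raw into the connection URI on the new line, so a `mongo_admin_password` containing `@`, `:`, `/` or `%` yields an unparsable or wrongly split URI; render it as `{{ mongo_admin_password | urlencode }}`. The rendered file also holds that password in cleartext, so the template task in postinstall.yml that writes it (outside this hunk) should set a restrictive `mode` such as `"0600"`; its mode is not visible here, so check it.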
diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 7d9f86679..ece543bda 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -11,12 +11,16 @@ ansible.builtin.include_tasks: file: install.yml - - ansible.builtin.meta: flush_handlers - - name: Include Certificate tasks ansible.builtin.include_tasks: file: certs.yml + - name: Include Service tasks + ansible.builtin.include_tasks: + file: services.yml + + - ansible.builtin.meta: flush_handlers + - name: Include cluster installation tasks ansible.builtin.include_tasks: file: clusterconfig.yml diff --git a/roles/mongo/tasks/services.yml b/roles/mongo/tasks/services.yml new file mode 100644 index 000000000..5caa4c54c --- /dev/null +++ b/roles/mongo/tasks/services.yml @@ -0,0 +1,6 @@ +--- +- name: Enable and start mongod + ansible.builtin.service: + name: mongod.service + enabled: true + state: started \ No newline at end of file diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index a218bac46..99fb46552 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml @@ -1,4 +1,19 @@ -- name: Create mongo database users # requires pymongo 4+ +- name: Add the admin user + community.mongodb.mongodb_user: + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + roles: root + state: present + #when: check_cluster.stdout == "" + #no_log: true + run_once: true + +- name: Create mongo database users cluster # requires pymongo 4+ + when: + - mongo_cluster_members is defined + - replica_set_name is defined community.mongodb.mongodb_user: login_database: admin database: "{{ item.db_name }}" 
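Review bot: The new "Add the admin user" task has `no_log` commented out, so the admin password in its arguments is printed in verbose output and in any failure message; the same `#no_log: true` appears in the second hunk of this file. Re-enable it with `no_log: true` on every task that carries a password. The admin task also supplies no `login_user`/`login_password`, which only works through the localhost exception while no user exists yet; once the admin user is there and the authorization-enabled config has been flushed, every later run of this task fails, and the commented-out `#when: check_cluster.stdout == ""` no longer guards it.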
@@ -8,8 +23,31 @@ password: "{{ item.password }}" roles: readWrite replica_set: "{{ replica_set_name }}" - no_log: true + #no_log: true + run_once: true + with_items: "{{ mongo.users }}" + changed_when: false + tags: mongo_users + +- name: Create mongo database users single server # requires pymongo 4+ + when: + - mongo_cluster_members is not defined + - replica_set_name is not defined + community.mongodb.mongodb_user: + login_database: admin + database: "{{ item.db_name }}" + login_user: admin + login_password: "{{ mongo_admin_pass }}" + name: "{{ item.name }}" + password: "{{ item.password }}" + roles: readWrite + #no_log: true run_once: true with_items: "{{ mongo.users }}" changed_when: false tags: mongo_users + +- name: debug ww + debug: + msg: "{{ mongo_admin_pass }}" + tags: mongo_users \ No newline at end of file From 39df4d21c96668e0b83a61dd159fcabb579744c0 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 14 Jan 2026 14:09:48 +0100 Subject: [PATCH 03/70] introduce varaible mongo_mode for seamless transition to standalone server option and add some helpful checks and fail messages --- roles/mongo/defaults/main.yml | 3 +++ roles/mongo/tasks/clusterconfig.yml | 13 ++++++++++++ roles/mongo/tasks/main.yml | 31 +++++++++++++++++++++------- roles/mongo/templates/mongod.conf.j2 | 2 +- 4 files changed, 40 insertions(+), 9 deletions(-) diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index e92169f22..bce018ca4 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -33,6 +33,9 @@ mongo_port: 27017 # The password for admin user mongo_admin_pass: "{{ mongo_admin_password }}" # Set this in secrets +# Are we using a cluster? +mongo_mode: "cluster" # cluster or standalone + # The name of the replication set replica_set_name: "{{ instance_name }}" # Set this in group_vars diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 27bc2e8c6..dbc564c33 100644 
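Review bot: The `debug ww` task added at the end prints `mongo_admin_pass` in clear on every run tagged `mongo_users`; it should be removed rather than shipped as a tagged task. Both user-creation tasks also set `changed_when: false`, which hides real user or password changes from the play recap and makes check runs meaningless for this file; the module reports its own changed status, so drop that line.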
--- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -1,4 +1,17 @@ --- + +- name: Debug replica settings + ansible.builtin.debug: + msg: "Replica set name {{ replica_set_name }}" + verbosity: 2 + ignore_errors: true + +- name: Debug cluster members settings + ansible.builtin.debug: + msg: "Cluster members: {{ mongo_cluster_members }}" + verbosity: 2 + ignore_errors: true + - name: Check if hosts are in clustered ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' register: check_cluster diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index ece543bda..63a7a34aa 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -1,6 +1,25 @@ --- +- name: Check some cluster related variables + when: mongo_mode == "cluster" + block: + - name: Fail on undefined replica_set_name + when: replica_set_name is not defined + ansible.builtin.fail: + msg: "Something is wrong, mongo_mode was set to cluster but replica_set_name is undefined." + + - name: Check some variables + when: mongo_cluster_members is not defined + ansible.builtin.fail: + msg: "Something is wrong, mongo_mode was set to cluster but mongo_cluster_members is undefined." + +- name: Message for non redhat family servers + when: ansible_os_family != 'RedHat' + ansible.builtin.fail: + msg: "Sorry, this role only works on RedHat family servers" + - name: Install and configure mongo on redhat family servers - when: ansible_os_family == 'RedHat' + when: + - ansible_os_family == 'RedHat' block: - name: Use temporarily python3 as remote interpreter, this fixes pymongo ansible.builtin.set_fact: 
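Review bot: The new checks only fire for `mongo_mode == "cluster"`; a misspelled value such as `"Cluster"` or `"standalone "` silently behaves as not-cluster, the cluster include is skipped and (per the template hunk in this commit) `replication:` is omitted, so the server quietly comes up standalone. Validate the value once at the top: `ansible.builtin.assert: that: mongo_mode in ['cluster', 'standalone']` with a `fail_msg` naming the allowed values. Minor style: the `when:` on the RedHat block now has a single entry and can stay a scalar as before.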
@@ -19,14 +38,14 @@ ansible.builtin.include_tasks: file: services.yml - - ansible.builtin.meta: flush_handlers + - name: Flush handlers + ansible.builtin.meta: flush_handlers - name: Include cluster installation tasks ansible.builtin.include_tasks: file: clusterconfig.yml when: - - mongo_cluster_members is defined - - replica_set_name is defined + - mongo_mode == "cluster" - name: Include user creation ansible.builtin.include_tasks: @@ -41,7 +60,3 @@ ansible_python_interpreter: "/usr/bin/python" when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' -- name: Message for non redhat family servers - when: ansible_os_family != 'RedHat' - ansible.builtin.debug: - msg: "Sorry, this role only works on RedHat family servers" diff --git a/roles/mongo/templates/mongod.conf.j2 b/roles/mongo/templates/mongod.conf.j2 index 006200aad..46a3ff062 100644 --- a/roles/mongo/templates/mongod.conf.j2 +++ b/roles/mongo/templates/mongod.conf.j2 @@ -16,7 +16,7 @@ net: storage: dbPath: /var/lib/mongo -{% if replica_set_name is defined %} +{% if replica_set_name is defined and mongo_mode == "cluster" %} replication: replSetName: {{ replica_set_name }} {% endif %} From 815cc86691e950a55ade3fd9f95c3a2ee5d0f070 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 14 Jan 2026 15:08:19 +0100 Subject: [PATCH 04/70] option to change the admin user after creation --- roles/mongo/tasks/users.yml | 50 ++++++++++++++++++++++++------------- 1 file changed, 33 insertions(+), 17 deletions(-) diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index 99fb46552..d8b49698d 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml 
@@ -1,19 +1,37 @@ - name: Add the admin user - community.mongodb.mongodb_user: - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - roles: root - state: present - #when: check_cluster.stdout == "" - #no_log: true - run_once: true + block: + # first run add admin suer without logging in + - name: Add the admin user + community.mongodb.mongodb_user: + login_database: admin + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + roles: root + state: present + #when: check_cluster.stdout == "" + #no_log: true + run_once: true + rescue: + # if the user was set we have to login + - name: Add the admin user + community.mongodb.mongodb_user: + login_database: admin + login_user: admin + login_password: "{{ mongo_admin_pass }}" + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + roles: root + state: present + #when: check_cluster.stdout == "" + #no_log: true + run_once: true - name: Create mongo database users cluster # requires pymongo 4+ - when: - - mongo_cluster_members is defined - - replica_set_name is defined + when: mongo_mode == "cluster" community.mongodb.mongodb_user: login_database: admin database: "{{ item.db_name }}" @@ -30,9 +48,7 @@ tags: mongo_users - name: Create mongo database users single server # requires pymongo 4+ - when: - - mongo_cluster_members is not defined - - replica_set_name is not defined + when: mongo_mode != "cluster" community.mongodb.mongodb_user: login_database: admin database: "{{ item.db_name }}" @@ -49,5 +65,5 @@ - name: debug ww debug: - msg: "{{ mongo_admin_pass }}" + msg: "{{ mongo_admin_pass }} {{ mongo_admin_password }}" tags: mongo_users \ No newline at end of file From 5bb0fdbd851a54d3d6f210906c4b51ed85b0b9ee Mon Sep 17 00:00:00 2001 
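Review bot: The rescue path cannot change an existing admin password as written: it logs in with `mongo_admin_pass`, which defaults to `"{{ mongo_admin_password }}"` in defaults/main.yml, i.e. the same value it is about to set, so whenever the password really differs the login fails too; a rotation needs a separately supplied old password, and the block should document that. The rescue also triggers on any failure of the first task, including mongod not being reachable, so a connectivity error is retried with credentials and surfaces as an authentication problem; narrow the first attempt with a `failed_when` on its error text or check the error before the rescue. `no_log` is still commented out on both tasks, and the `debug ww` task now prints both passwords.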
From: Chantal Rosmuller Date: Thu, 15 Jan 2026 16:52:44 +0100 Subject: [PATCH 05/70] authentication check --- roles/mongo/README.md | 3 ++- roles/mongo/defaults/main.yml | 2 +- roles/mongo/tasks/install.yml | 36 ++++++++++++++++++++++++++++++ roles/mongo/tasks/users.yml | 41 ++--------------------------------- 4 files changed, 41 insertions(+), 41 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index e50e5a91a..84e2b4695 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md @@ -15,7 +15,8 @@ Set the mongo_cluster_private_key variable encrypted in host_vars Please review the official Mongo documentation for more information. # Todo -- [ ] Check mongo_replication_roles and give a clear fail message wehn not set +- [x] Check mongo_replication_roles and give a clear fail message when not set +- [ ] Add option to change the already exisiting admin user - [ ] Add the possibility for adding and removing cluster members - [ ] Add the possibility for a standalone mongo server - [ ] Cluster config does not work with serial 1 in the play but for mongo config changes you do want serial 1, split up the role? diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index bce018ca4..66e3a4d3e 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -31,7 +31,7 @@ mongo_servers: [] # Set this in group_vars mongo_port: 27017 # The password for admin user -mongo_admin_pass: "{{ mongo_admin_password }}" # Set this in secrets +# mongo_admin_password: # set this in secrets # Are we using a cluster? mongo_mode: "cluster" # cluster or standalone diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index c1c6e0fc7..6713791b7 100644 --- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml 
@@ -52,6 +52,37 @@ value: 128000 state: present +- name: Enable and start mongod for the first time + ansible.builtin.service: + name: mongod.service + enabled: true + state: started + +- name: Check if mongodb authentication is activated + ansible.builtin.shell: + cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" + register: mongo_authentication_enabled + changed_when: false + ignore_errors: true + +- name: Debug mongodb authentication check + ansible.builtin.debug: + msg: "{{ mongo_authentication_enabled.stdout }}" + verbosity: 2 + +# first run add admin user without logging in +- name: Add the admin user + community.mongodb.mongodb_user: + login_database: admin + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + roles: root + state: present + no_log: true + run_once: true + - name: Install mongodb.conf file ansible.builtin.template: src: "mongod.conf.j2" @@ -59,4 +90,9 @@ owner: root group: root mode: "0644" + backup: true notify: Restart mongod + +# restart mongo right away with authentication enabled +- name: Flush handlers + ansible.builtin.meta: flush_handlers diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index d8b49698d..b1c1e91e8 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml 
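Review bot: The authentication probe uses `ansible.builtin.shell` for a command that needs no shell features; `ansible.builtin.command` with the same `cmd` avoids a shell parse of the interpolated `mongo_port`. `ignore_errors: true` also reports the expected "auth already enabled" outcome as a red failed task; `failed_when: false` registers the same result, including `rc`, without the noise. The probe and the admin creation only work unauthenticated because they run before the template task at the end of this hunk installs the authorization-enabled config, so that ordering is load-bearing and deserves a comment such as `# must run before mongod.conf enables authorization`.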
@@ -1,42 +1,10 @@ -- name: Add the admin user - block: - # first run add admin suer without logging in - - name: Add the admin user - community.mongodb.mongodb_user: - login_database: admin - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - roles: root - state: present - #when: check_cluster.stdout == "" - #no_log: true - run_once: true - rescue: - # if the user was set we have to login - - name: Add the admin user - community.mongodb.mongodb_user: - login_database: admin - login_user: admin - login_password: "{{ mongo_admin_pass }}" - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - roles: root - state: present - #when: check_cluster.stdout == "" - #no_log: true - run_once: true - - name: Create mongo database users cluster # requires pymongo 4+ when: mongo_mode == "cluster" community.mongodb.mongodb_user: login_database: admin database: "{{ item.db_name }}" login_user: admin - login_password: "{{ mongo_admin_pass }}" + login_password: "{{ mongo_admin_password }}" name: "{{ item.name }}" password: "{{ item.password }}" roles: readWrite @@ -53,7 +21,7 @@ login_database: admin database: "{{ item.db_name }}" login_user: admin - login_password: "{{ mongo_admin_pass }}" + login_password: "{{ mongo_admin_password }}" name: "{{ item.name }}" password: "{{ item.password }}" roles: readWrite @@ -62,8 +30,3 @@ with_items: "{{ mongo.users }}" changed_when: false tags: mongo_users - -- name: debug ww - debug: - msg: "{{ mongo_admin_pass }} {{ mongo_admin_password }}" - tags: mongo_users \ No newline at end of file From 5c50a3f53964c27aae74678a96c03eca220c4a59 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 15 Jan 2026 17:01:51 +0100 Subject: [PATCH 06/70] add when statement --- roles/mongo/tasks/install.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index 6713791b7..98d0af059 100644 
--- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml @@ -82,6 +82,7 @@ state: present no_log: true run_once: true + when: mongo_authentication_enabled.rc == 0 - name: Install mongodb.conf file ansible.builtin.template: From 3c746f889883013ad8a02844af4c83661c20ef84 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 15 Jan 2026 17:05:10 +0100 Subject: [PATCH 07/70] restore no log --- roles/mongo/tasks/users.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index b1c1e91e8..2e7763cd6 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml @@ -25,7 +25,7 @@ name: "{{ item.name }}" password: "{{ item.password }}" roles: readWrite - #no_log: true + no_log: true run_once: true with_items: "{{ mongo.users }}" changed_when: false From 503bf258693c7e433c8dbc817a82522c340fa88b Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 9 Feb 2026 14:03:47 +0100 Subject: [PATCH 08/70] fix check mode change --- roles/mongo/tasks/clusterconfig.yml | 5 ----- roles/mongo/tasks/install.yml | 1 + 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index d8773ca93..76381066b 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -1,5 +1,4 @@ --- -<<<<<<< HEAD - name: Debug replica settings ansible.builtin.debug: @@ -13,10 +12,6 @@ verbosity: 2 ignore_errors: true -======= -# todo this weorks only for new deployments -# rewrite so mongo config can be changed and cluster members can be added or removed ->>>>>>> main - name: Check if hosts are in clustered ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' register: check_cluster diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index 98d0af059..26fc77fd3 100644 --- a/roles/mongo/tasks/install.yml 
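Review bot: A non-zero `rc` from the probe is read as "authentication is already enabled", but with `ignore_errors: true` it equally covers mongod not yet accepting connections after the preceding start, a wrong port or a missing `mongosh`; in those cases the admin user is silently never created and the play goes on to enable authorization. Distinguish the cases on the probe, e.g. replace `ignore_errors: true` with `failed_when: mongo_authentication_enabled.rc != 0 and '<auth-error-text>' not in mongo_authentication_enabled.stderr` (match against the server's actual unauthorized message), and consider `retries`/`until` so a slow start is not mistaken for enabled auth. The probe task itself is outside this hunk.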
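Review bot: Only the standalone user task gets `no_log: true` back; the cluster variant earlier in the same file (outside this hunk) keeps `#no_log: true` commented, so in cluster mode the `mongo.users` passwords are still printed in verbose output and on failure. Re-enable it there as well, `no_log: true`, so both tasks treat the `item.password` values the same way.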
+++ b/roles/mongo/tasks/install.yml @@ -64,6 +64,7 @@ register: mongo_authentication_enabled changed_when: false ignore_errors: true + check_mode: false # This can safely run in check mode because it is not changing anything - name: Debug mongodb authentication check ansible.builtin.debug: From c21cea90c4ac849836612e9aaba89ead7afcd9cf Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 9 Feb 2026 14:41:37 +0100 Subject: [PATCH 09/70] remove obsolete tasks --- environments/template/secrets/secret_example.yml | 2 +- roles/mongo/README.md | 4 ++-- roles/mongo/defaults/main.yml | 6 +++--- roles/mongo/tasks/clusterconfig.yml | 11 ++--------- roles/mongo/tasks/users.yml | 4 ++-- 5 files changed, 10 insertions(+), 17 deletions(-) diff --git a/environments/template/secrets/secret_example.yml b/environments/template/secrets/secret_example.yml index d2faac776..45da8941b 100644 --- a/environments/template/secrets/secret_example.yml +++ b/environments/template/secrets/secret_example.yml @@ -13,7 +13,7 @@ mongo_passwords: oidcng: secret myconext: secret -mongo_admin_password: secret +mongo_admin_password: secret # this works for first time install, if you change it later you will have to do it manually mongo_ca_passphrase: secret engine_api_metadata_push_password: secret diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 84e2b4695..7a0120ddd 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md 
@@ -16,7 +16,7 @@ Please review the official Mongo documentation for more information. # Todo - [x] Check mongo_replication_roles and give a clear fail message when not set -- [ ] Add option to change the already exisiting admin user +- [ ] Add option to change the already existing admin user, for now change the password manually and change it in the ansible config accordingly - [ ] Add the possibility for adding and removing cluster members -- [ ] Add the possibility for a standalone mongo server +- [x] Add the possibility for a standalone mongo server - [ ] Cluster config does not work with serial 1 in the play but for mongo config changes you do want serial 1, split up the role? diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index 66e3a4d3e..1ba8f6dfe 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -42,9 +42,9 @@ replica_set_name: "{{ instance_name }}" # Set this in group_vars # Add a database mongo: users: - - { name: managerw, db_name: metadata, password: "{{ mongo_passwords.manage }}" } - - { name: oidcsrw, db_name: oidc, password: "{{ mongo_passwords.oidcng }}" } - - { name: myconextrw, db_name: myconext, password: "{{ mongo_passwords.myconext }}" } + - { name: managerw, db_name: metadata, password: "{{ mongo_passwords.manage }}", role: "readWrite" } + - { name: oidcsrw, db_name: oidc, password: "{{ mongo_passwords.oidcng }}", role: "readWrite"} + - { name: myconextrw, db_name: myconext, password: "{{ mongo_passwords.myconext }}", role: "readWrite" } # Listen on all addresses by default mongo_bind_listen_address: "0.0.0.0" diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 76381066b..a768c6234 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
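Review bot: The second `mongo.users` entry is spaced differently from the others (`role: "readWrite"}` versus `role: "readWrite" }`); keep the flow mappings consistent. With five keys per entry, block style would read and diff better than a single-line flow mapping.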
@@ -22,20 +22,13 @@ when: show_debug_info is defined and show_debug_info | bool ansible.builtin.debug: msg: "{{ check_cluster }}" - -- name: Debug mongo_cluster_members variable - when: show_debug_info is defined and show_debug_info | bool - ansible.builtin.debug: - msg: "{{ mongo_cluster_members }}" + verbosity: 2 - name: Debug mongo_replication_role variable when: show_debug_info is defined and show_debug_info | bool ansible.builtin.debug: msg: "{{ mongo_replication_role }}" - -- name: Debug host_id - ansible.builtin.debug: - msg: "{{ hostid }}" + verbosity: 2 - name: Initial cluster initialisation community.mongodb.mongodb_replicaset: diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index 2e7763cd6..13f51261c 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml @@ -7,7 +7,7 @@ login_password: "{{ mongo_admin_password }}" name: "{{ item.name }}" password: "{{ item.password }}" - roles: readWrite + roles: "{{ item.role }}" replica_set: "{{ replica_set_name }}" #no_log: true run_once: true @@ -24,7 +24,7 @@ login_password: "{{ mongo_admin_password }}" name: "{{ item.name }}" password: "{{ item.password }}" - roles: readWrite + roles: "{{ item.role }}" no_log: true run_once: true with_items: "{{ mongo.users }}" From dfa498fd899f22962073bb16105c168e4b8c0824 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 9 Feb 2026 14:44:48 +0100 Subject: [PATCH 10/70] use -vv in debug --- environments/template/group_vars/template.yml | 1 - roles/mongo/tasks/clusterconfig.yml | 2 -- 2 files changed, 3 deletions(-) diff --git a/environments/template/group_vars/template.yml b/environments/template/group_vars/template.yml index a3ffd5d53..6ee9d09c3 100644 --- a/environments/template/group_vars/template.yml +++ b/environments/template/group_vars/template.yml @@ -1,7 +1,6 @@ --- env: "%env%" -show_debug_info: false # Show extra debug info mariadb_host: localhost rsyslog_host: localhost database_clients: [ "{{ mariadb_host }}" ] 
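Review bot: `roles: "{{ item.role }}"` makes `role` mandatory for every entry in `mongo.users`; an entry in the previous shape of the list (no `role`) now fails with an undefined-variable error instead of getting the old `readWrite`. `roles: "{{ item.role | default('readWrite') }}"` keeps existing overrides working; the same applies to the second hunk in this file.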
diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index a768c6234..876433971 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -19,13 +19,11 @@ check_mode: false - name: Debug check_cluster variable - when: show_debug_info is defined and show_debug_info | bool ansible.builtin.debug: msg: "{{ check_cluster }}" verbosity: 2 - name: Debug mongo_replication_role variable - when: show_debug_info is defined and show_debug_info | bool ansible.builtin.debug: msg: "{{ mongo_replication_role }}" verbosity: 2 From 78f62443eac1229137d3cc9b3127df71fd9dcdb6 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 9 Feb 2026 15:07:38 +0100 Subject: [PATCH 11/70] separate standalone and cluster config --- roles/mongo/tasks/install.yml | 36 ------------------------- roles/mongo/tasks/main.yml | 8 +++++- roles/mongo/tasks/standaloneconfig.yml | 37 ++++++++++++++++++++++++++ 3 files changed, 44 insertions(+), 37 deletions(-) create mode 100644 roles/mongo/tasks/standaloneconfig.yml diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index 26fc77fd3..d47798d55 100644 --- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml 
@@ -52,39 +52,6 @@ value: 128000 state: present -- name: Enable and start mongod for the first time - ansible.builtin.service: - name: mongod.service - enabled: true - state: started - -- name: Check if mongodb authentication is activated - ansible.builtin.shell: - cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" - register: mongo_authentication_enabled - changed_when: false - ignore_errors: true - check_mode: false # This can safely run in check mode because it is not changing anything - -- name: Debug mongodb authentication check - ansible.builtin.debug: - msg: "{{ mongo_authentication_enabled.stdout }}" - verbosity: 2 - -# first run add admin user without logging in -- name: Add the admin user - community.mongodb.mongodb_user: - login_database: admin - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - roles: root - state: present - no_log: true - run_once: true - when: mongo_authentication_enabled.rc == 0 - - name: Install mongodb.conf file ansible.builtin.template: src: "mongod.conf.j2" @@ -95,6 +62,3 @@ backup: true notify: Restart mongod -# restart mongo right away with authentication enabled -- name: Flush handlers - ansible.builtin.meta: flush_handlers diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 63a7a34aa..57e7b970e 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -41,7 +41,13 @@ - name: Flush handlers ansible.builtin.meta: flush_handlers - - name: Include cluster installation tasks + - name: Include standalone configuration tasks + ansible.builtin.include_tasks: + file: clusterconfig.yml + when: + - mongo_mode == "standalone" + + - name: Include cluster configuration tasks ansible.builtin.include_tasks: file: clusterconfig.yml when: diff --git a/roles/mongo/tasks/standaloneconfig.yml b/roles/mongo/tasks/standaloneconfig.yml new file mode 100644 index 000000000..f713cb046 --- /dev/null 
+++ b/roles/mongo/tasks/standaloneconfig.yml @@ -0,0 +1,37 @@ +- name: Enable and start mongod for the first time + ansible.builtin.service: + name: mongod.service + enabled: true + state: started + +- name: Check if mongodb authentication is activated + ansible.builtin.shell: + cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" + register: mongo_authentication_enabled + changed_when: false + ignore_errors: true + check_mode: false # This can safely run in check mode because it is not changing anything + +- name: Debug mongodb authentication check + ansible.builtin.debug: + msg: "{{ mongo_authentication_enabled.stdout }}" + verbosity: 2 + +# first run add admin user without logging in +- name: Add the admin user + community.mongodb.mongodb_user: + login_database: admin + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + roles: root + state: present + no_log: true + run_once: true + when: mongo_authentication_enabled.rc == 0 + + +# restart mongo right away with authentication enabled +- name: Flush handlers + ansible.builtin.meta: flush_handlers \ No newline at end of file From 9e4d1c4d2ec1fbfd953d4ca62e53ae22c4418a6b Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 9 Feb 2026 15:37:04 +0100 Subject: [PATCH 12/70] fix task file name typo --- roles/mongo/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 57e7b970e..d375990cb 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -43,7 +43,7 @@ - name: Include standalone configuration tasks ansible.builtin.include_tasks: - file: clusterconfig.yml + file: standaloneconfig.yml when: - mongo_mode == "standalone" From e1f6796543db81e6261c545a5d4c0859ab9316dc Mon Sep 17 00:00:00 2001 
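Review bot: `run_once: true` on "Add the admin user" in this new file creates the admin user on the first host only, so if the play ever targets more than one standalone mongo host the others are left without an admin user while authorization gets enabled; drop `run_once` here (it makes sense for a replica set, not for independent servers). The file also starts without the `---` marker used by the other task files and ends without a trailing newline. The probe still combines `ansible.builtin.shell` with `ignore_errors: true`; `ansible.builtin.command` plus `failed_when: false` gives the same registered `rc` without a shell parse or a spurious failed task.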
From: Chantal Rosmuller Date: Mon, 9 Feb 2026 15:42:00 +0100 Subject: [PATCH 13/70] more debugging --- roles/mongo/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index d375990cb..257c53320 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -41,6 +41,11 @@ - name: Flush handlers ansible.builtin.meta: flush_handlers + - name: Debug standalone or cluster mode + ansible.builtin.debug: + msg: "{{ mongo_mode }}" + verbosity: 2 + - name: Include standalone configuration tasks ansible.builtin.include_tasks: file: standaloneconfig.yml From 040a1aefa93c619f6e8c36c9fbdea58576c67513 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 9 Feb 2026 15:45:42 +0100 Subject: [PATCH 14/70] different order --- roles/mongo/tasks/install.yml | 2 ++ roles/mongo/tasks/main.yml | 16 +++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index d47798d55..4f97e3a74 100644 --- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml @@ -52,6 +52,8 @@ value: 128000 state: present +# Mongod is installed, but service is not restarted until after +# the initial admin user is added - name: Install mongodb.conf file ansible.builtin.template: src: "mongod.conf.j2" diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 257c53320..f1f786c07 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -34,13 +34,6 @@ ansible.builtin.include_tasks: file: certs.yml - - name: Include Service tasks - ansible.builtin.include_tasks: - file: services.yml - - - name: Flush handlers - ansible.builtin.meta: flush_handlers - - name: Debug standalone or cluster mode ansible.builtin.debug: msg: "{{ mongo_mode }}" 
@@ -58,6 +51,15 @@ when: - mongo_mode == "cluster" + - name: Include Service tasks + ansible.builtin.include_tasks: + file: services.yml + + # Mongod is installed, but service is not restarted until after + # the initial admin user is added + - name: Flush handlers + ansible.builtin.meta: flush_handlers + - name: Include user creation ansible.builtin.include_tasks: file: users.yml From fc6ad3aa075e9ad71137ca36ac65ad31a6a47bd4 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 9 Feb 2026 16:00:14 +0100 Subject: [PATCH 15/70] disbale no_log temprarily --- roles/mongo/tasks/clusterconfig.yml | 2 +- roles/mongo/tasks/standaloneconfig.yml | 2 +- roles/mongo/tasks/users.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 876433971..3d0cbe6c5 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -62,5 +62,5 @@ roles: root state: present when: check_cluster.stdout == "" - no_log: true + #no_log: true #todo enable run_once: true diff --git a/roles/mongo/tasks/standaloneconfig.yml b/roles/mongo/tasks/standaloneconfig.yml index f713cb046..b6b1f62ca 100644 --- a/roles/mongo/tasks/standaloneconfig.yml +++ b/roles/mongo/tasks/standaloneconfig.yml @@ -27,7 +27,7 @@ login_port: "{{ mongo_port }}" roles: root state: present - no_log: true + #no_log: true # todo enable run_once: true when: mongo_authentication_enabled.rc == 0 diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index 13f51261c..2fa921f24 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml @@ -9,7 +9,7 @@ password: "{{ item.password }}" roles: "{{ item.role }}" replica_set: "{{ replica_set_name }}" - #no_log: true + #no_log: true todo enable run_once: true with_items: "{{ mongo.users }}" changed_when: false 
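Review bot: Commenting out `no_log: true` on a `community.mongodb.mongodb_user` task that is given `mongo_admin_password` prints the module arguments, password included, into the play output and into any log or callback sink on every run, not only while someone is debugging; the same removal is made in the standaloneconfig.yml hunk and in both users.yml hunks of this patch, the latter exposing `item.password` for every application user. If the module result is needed for troubleshooting, keep `no_log: true` and make it switchable from the command line instead, e.g. `no_log: "{{ mongo_no_log | default(true) }}"` (variable name constructed), so the default is still silent. A `#todo enable` in a comment is easy to lose: the clusterconfig.yml and users.yml tasks still carry `#no_log: true #todo enable` in PATCH 21.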
@@ -25,7 +25,7 @@ name: "{{ item.name }}" password: "{{ item.password }}" roles: "{{ item.role }}" - no_log: true + #no_log: true todo enable run_once: true with_items: "{{ mongo.users }}" changed_when: false From 61905327b3f17939675164478262f251078c8cb0 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 9 Feb 2026 16:12:57 +0100 Subject: [PATCH 16/70] add config later --- roles/mongo/tasks/clusterconfig.yml | 2 +- roles/mongo/tasks/generalconfig.yml | 12 ++++++++++++ roles/mongo/tasks/install.yml | 12 ------------ roles/mongo/tasks/main.yml | 8 ++++++-- 4 files changed, 19 insertions(+), 15 deletions(-) create mode 100644 roles/mongo/tasks/generalconfig.yml diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 3d0cbe6c5..d4f7c11cd 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -1,5 +1,5 @@ --- - +# In this task file the cluster is configured - name: Debug replica settings ansible.builtin.debug: msg: "Replica set name {{ replica_set_name }}" diff --git a/roles/mongo/tasks/generalconfig.yml b/roles/mongo/tasks/generalconfig.yml new file mode 100644 index 000000000..71bb8ac1e --- /dev/null +++ b/roles/mongo/tasks/generalconfig.yml @@ -0,0 +1,12 @@ +--- +# Config for standalone and replication server + +- name: Install mongodb.conf file + ansible.builtin.template: + src: "mongod.conf.j2" + dest: "/etc/mongod.conf" + owner: root + group: root + mode: "0644" + backup: true + notify: Restart mongod diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index 4f97e3a74..4d2c09087 100644 --- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml 
@@ -52,15 +52,3 @@ value: 128000 state: present -# Mongod is installed, but service is not restarted until after -# the initial admin user is added -- name: Install mongodb.conf file - ansible.builtin.template: - src: "mongod.conf.j2" - dest: "/etc/mongod.conf" - owner: root - group: root - mode: "0644" - backup: true - notify: Restart mongod - diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index f1f786c07..8684d32c9 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -51,15 +51,19 @@ when: - mongo_mode == "cluster" - - name: Include Service tasks + - name: Include General config tasks ansible.builtin.include_tasks: - file: services.yml + file: generalconfig.yml # Mongod is installed, but service is not restarted until after # the initial admin user is added - name: Flush handlers ansible.builtin.meta: flush_handlers + - name: Include Service tasks + ansible.builtin.include_tasks: + file: services.yml + - name: Include user creation ansible.builtin.include_tasks: file: users.yml From 171cdfc5a297a62ea602e5ceb0e39c9647919fcb Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 11 Feb 2026 13:03:54 +0100 Subject: [PATCH 17/70] first stab at serial 1 cluster creation --- roles/mongo/tasks/clusterconfig.yml | 92 +++++++++++++++++++---------- roles/mongo/tasks/main.yml | 10 ++-- 2 files changed, 67 insertions(+), 35 deletions(-) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index d4f7c11cd..583d9c44e 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
@@ -12,11 +12,11 @@ verbosity: 2 ignore_errors: true -- name: Check if hosts are in clustered - ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' - register: check_cluster - changed_when: false - check_mode: false +# - name: Check if hosts are in clustered +# ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' +# register: check_cluster +# changed_when: false +# check_mode: false - name: Debug check_cluster variable ansible.builtin.debug: 
@@ -28,30 +28,62 @@ msg: "{{ mongo_replication_role }}" verbosity: 2 -- name: Initial cluster initialisation - community.mongodb.mongodb_replicaset: - login_host: localhost - login_user: admin - login_port: "{{ mongo_port }}" - login_password: "{{ mongo_admin_password }}" - replica_set: "{{ replica_set_name }}" - members: "{{ mongo_cluster_members }}" - arbiter_at_index: "{{ mongo_arbiter_index | default(0) }}" - validate: false - run_once: true - when: mongo_replication_role == 'primary' +- name: Ensure mongod is started + systemd: + name: mongod + enabled: yes + state: started -- name: Wait until cluster health is ok - community.mongodb.mongodb_status: - login_user: admin - login_password: "{{ mongo_admin_password }}" - login_database: admin - login_port: "{{ mongo_port }}" - validate: default - poll: 5 - interval: 12 - replica_set: "{{ replica_set_name }}" - when: mongo_replication_role == 'primary' +- name: Wait for MongoDB to be available + wait_for: + port: "{{ mongo_port }}" + delay: 5 + timeout: 60 + +# - name: Initial cluster initialisation +# community.mongodb.mongodb_replicaset: +# login_host: localhost +# login_user: admin +# login_port: "{{ mongo_port }}" +# login_password: "{{ mongo_admin_password }}" +# replica_set: "{{ replica_set_name }}" +# members: "{{ mongo_cluster_members }}" +# arbiter_at_index: "{{ mongo_arbiter_index | default(0) }}" +# validate: false +# run_once: true +# when: mongo_replication_role == 'primary' + +- name: Initiate replica set + shell: | + mongosh --eval ' + rs.initiate({ + _id: "{{ replica_set_name }}", + members: [ + { _id: 0, host: "rocky1:{{ mongo_port }}" }, + { _id: 1, host: "rocky2:{{ mongo_port }}" }, + { _id: 2, host: "rocky3:{{ mongo_port }}", arbiterOnly: true } + ] + })' + when: mongo_replication_role == "primary" + register: rs_init + failed_when: false + +- name: Wait for replica set election + pause: + seconds: 20 + when: mongo_replication_role == "primary" + +# - name: Wait until cluster health is ok +# 
community.mongodb.mongodb_status: +# login_user: admin +# login_password: "{{ mongo_admin_password }}" +# login_database: admin +# login_port: "{{ mongo_port }}" +# validate: default +# poll: 5 +# interval: 12 +# replica_set: "{{ replica_set_name }}" +# when: mongo_replication_role == 'primary' - name: Add the admin user community.mongodb.mongodb_user: @@ -61,6 +93,6 @@ login_port: "{{ mongo_port }}" roles: root state: present - when: check_cluster.stdout == "" + when: mongo_replication_role == "primary" #no_log: true #todo enable - run_once: true + #run_once: true diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 8684d32c9..ed3472b1b 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -45,17 +45,17 @@ when: - mongo_mode == "standalone" + - name: Include General config tasks + ansible.builtin.include_tasks: + file: generalconfig.yml + - name: Include cluster configuration tasks ansible.builtin.include_tasks: file: clusterconfig.yml when: - mongo_mode == "cluster" - - name: Include General config tasks - ansible.builtin.include_tasks: - file: generalconfig.yml - - # Mongod is installed, but service is not restarted until after + # Mongod is installed, but service is not restarted until after # the initial admin user is added - name: Flush handlers ansible.builtin.meta: flush_handlers From 1d183f8a2cccb8911581a9bf06d3b241334b68b0 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 11 Feb 2026 13:09:02 +0100 Subject: [PATCH 18/70] first stab at serial 1 cluster creation --- roles/mongo/tasks/clusterconfig.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 583d9c44e..a9fabf628 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
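Review bot: The new `rs.initiate` shell task is not idempotent and `failed_when: false` hides every outcome: a second run re-issues `rs.initiate` against an already initialised set, and a real failure (mongod not yet listening, TLS handshake refused, wrong port) is reported as success, after which the fixed 20-second `pause` and the admin-user task run against a node that was never initialised. Prefer the `community.mongodb.mongodb_replicaset` task this hunk comments out, which inspects the current configuration before acting and returns a real changed/failed status; if the shell form has to stay, replace `failed_when: false` with a check on the registered output and keep the commented `mongodb_status` wait rather than a fixed pause. The member list also hard-codes `rocky1`/`rocky2`/`rocky3` instead of using `mongo_cluster_members`, and `systemd`, `wait_for`, `shell` and `pause` are short module names while the rest of the role uses FQCNs.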
@@ -18,10 +18,10 @@ # changed_when: false # check_mode: false -- name: Debug check_cluster variable - ansible.builtin.debug: - msg: "{{ check_cluster }}" - verbosity: 2 +# - name: Debug check_cluster variable +# ansible.builtin.debug: +# msg: "{{ check_cluster }}" +# verbosity: 2 - name: Debug mongo_replication_role variable ansible.builtin.debug: From 5f3369fb71a5b1c27e1d2b35d1ec96a0804d5b61 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 11 Feb 2026 15:14:26 +0100 Subject: [PATCH 19/70] second stab at serial 1 cluster creation --- roles/mongo/tasks/clusterconfig.yml | 13 ++++++++-- roles/mongo/tasks/main.yml | 8 +++--- .../mongo/templates/mongo_precluster.conf.j2 | 25 +++++++++++++++++++ 3 files changed, 40 insertions(+), 6 deletions(-) create mode 100644 roles/mongo/templates/mongo_precluster.conf.j2 diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index a9fabf628..3d4245cdc 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -28,6 +28,17 @@ msg: "{{ mongo_replication_role }}" verbosity: 2 +# TempConfig for cluster initialisation +- name: Install temporary mongodb.conf file + ansible.builtin.template: + src: "mongod_precluster.conf.j2" + dest: "/etc/mongod.conf" + owner: root + group: root + mode: "0644" + backup: true + notify: Restart mongod + - name: Ensure mongod is started systemd: name: mongod @@ -60,8 +71,6 @@ _id: "{{ replica_set_name }}", members: [ { _id: 0, host: "rocky1:{{ mongo_port }}" }, - { _id: 1, host: "rocky2:{{ mongo_port }}" }, - { _id: 2, host: "rocky3:{{ mongo_port }}", arbiterOnly: true } ] })' when: mongo_replication_role == "primary" diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index ed3472b1b..6b46f1cb4 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml 
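Review bot: The template task added here references `src: "mongod_precluster.conf.j2"`, but the file this same patch creates is `roles/mongo/templates/mongo_precluster.conf.j2` (no `d` after `mongo`), so the task fails with a template-not-found error before the bootstrap config is ever installed. Rename one of the two so they agree. The task writes to `/etc/mongod.conf` with `notify: Restart mongod` but no flush, so mongod keeps running on the previous configuration until handlers fire at the end of the play, while the `rs.initiate` that follows expects the replica-set config to be active.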
@@ -45,16 +45,16 @@ when: - mongo_mode == "standalone" - - name: Include General config tasks - ansible.builtin.include_tasks: - file: generalconfig.yml - - name: Include cluster configuration tasks ansible.builtin.include_tasks: file: clusterconfig.yml when: - mongo_mode == "cluster" + - name: Include General config tasks + ansible.builtin.include_tasks: + file: generalconfig.yml + # Mongod is installed, but service is not restarted until after # the initial admin user is added - name: Flush handlers diff --git a/roles/mongo/templates/mongo_precluster.conf.j2 b/roles/mongo/templates/mongo_precluster.conf.j2 new file mode 100644 index 000000000..029f5aca9 --- /dev/null +++ b/roles/mongo/templates/mongo_precluster.conf.j2 @@ -0,0 +1,25 @@ +systemLog: + destination: file + logRotate: reopen + logAppend: true + path: /var/log/mongodb/mongod.log + +net: + bindIp: {{ mongo_bind_listen_address }} + port: 27017 + tls: + mode: preferTLS + certificateKeyFile: /etc/pki/mongo/keyandcert.pem + CAFile: /etc/pki/mongo/mongoca.pem + allowConnectionsWithoutCertificates: true + +storage: + dbPath: /var/lib/mongo + +{% if replica_set_name is defined and mongo_mode == "cluster" %} +replication: + replSetName: {{ replica_set_name }} +{% endif %} + +security: + clusterAuthMode: x509 From 37b2a7527e2205ac1381b182e8a32ef76a49484f Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 11 Feb 2026 16:08:09 +0100 Subject: [PATCH 20/70] Works for a replication cluster with only primary, to be continued --- roles/mongo/README.md | 9 + roles/mongo/defaults/main.yml | 4 + roles/mongo/tasks/clusterconfig.yml | 178 ++++++++++-------- .../mongo/templates/mongo_precluster.conf.j2 | 25 --- roles/mongo/templates/mongod.conf.j2 | 2 +- 5 files changed, 109 insertions(+), 109 deletions(-) delete mode 100644 roles/mongo/templates/mongo_precluster.conf.j2 diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 7a0120ddd..f47403cee 100644 --- a/roles/mongo/README.md 
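Review bot: `port: 27017` is hard-coded in the new precluster template while every task in this series connects to `{{ mongo_port }}`; if `mongo_port` is ever overridden, `wait_for`, `rs.initiate` and `mongodb_user` all target a port mongod is not listening on. Use `port: {{ mongo_port }}` here as the tasks do. Because this file is written over the live `/etc/mongod.conf` and only exists to bootstrap the set, a header comment such as `# Bootstrap-only configuration installed by clusterconfig.yml; replaced by mongod.conf.j2 once the cluster is initialised` would tell the next maintainer why it differs from the regular template.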
+++ b/roles/mongo/README.md @@ -20,3 +20,12 @@ Please review the official Mongo documentation for more information. - [ ] Add the possibility for adding and removing cluster members - [x] Add the possibility for a standalone mongo server - [ ] Cluster config does not work with serial 1 in the play but for mongo config changes you do want serial 1, split up the role? + +- secondary en arbitrator toevoegen. met delegate en rsadd? +- werkt het ook met d emongo replication module? +- hoe afdwingen dat de prmary eerst gaat? +- check todos in de code + +TEST + +- mongo conf veranderen zonder replicatie gedoe \ No newline at end of file diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index 1ba8f6dfe..06cfa6c77 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -56,3 +56,7 @@ mongo_pki_dir: "/etc/pki/mongo" # Users and groups mongo_group: "mongod" + +# Paths +mongo_config_file: "/etc/mongod.conf" +mongo_data_path: "/var/lib/mongo" diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 3d4245cdc..90d39a720 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
@@ -4,104 +4,116 @@ ansible.builtin.debug: msg: "Replica set name {{ replica_set_name }}" verbosity: 2 - ignore_errors: true - name: Debug cluster members settings ansible.builtin.debug: msg: "Cluster members: {{ mongo_cluster_members }}" verbosity: 2 - ignore_errors: true - -# - name: Check if hosts are in clustered -# ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' -# register: check_cluster -# changed_when: false -# check_mode: false - -# - name: Debug check_cluster variable -# ansible.builtin.debug: -# msg: "{{ check_cluster }}" -# verbosity: 2 - name: Debug mongo_replication_role variable ansible.builtin.debug: msg: "{{ mongo_replication_role }}" verbosity: 2 -# TempConfig for cluster initialisation -- name: Install temporary mongodb.conf file - ansible.builtin.template: - src: "mongod_precluster.conf.j2" - dest: "/etc/mongod.conf" - owner: root - group: root - mode: "0644" - backup: true - notify: Restart mongod - -- name: Ensure mongod is started - systemd: - name: mongod - enabled: yes +- name: Enable and start mongod for the first time + ansible.builtin.service: + name: mongod.service + enabled: true state: started -- name: Wait for MongoDB to be available - wait_for: - port: "{{ mongo_port }}" - delay: 5 - timeout: 60 +- name: Check if mongodb authentication is activated + ansible.builtin.shell: + cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" + register: mongo_authentication_enabled + changed_when: false + ignore_errors: true + check_mode: false # This can safely run in check mode because it is not changing anything + +- name: Create cluster block + when: mongo_authentication_enabled.rc == 0 + block: + # - name: Check if hosts are in clustered + # ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' + # register: check_cluster + # changed_when: false + # check_mode: false + + # - name: Debug check_cluster variable + 
# ansible.builtin.debug: + # msg: "{{ check_cluster }}" + # verbosity: 2 + + - name: Install precluster mongodb.conf file + ansible.builtin.template: + src: "mongod_precluster.conf.j2" + dest: "/etc/mongod.conf" + owner: root + group: root + mode: "0644" + backup: true + notify: Restart mongod + + # We want a mongo restart right away + - name: Flush handlers + ansible.builtin.meta: flush_handlers + + - name: Wait for MongoDB to be available + wait_for: + port: "{{ mongo_port }}" + delay: 5 + timeout: 60 -# - name: Initial cluster initialisation -# community.mongodb.mongodb_replicaset: -# login_host: localhost -# login_user: admin -# login_port: "{{ mongo_port }}" -# login_password: "{{ mongo_admin_password }}" -# replica_set: "{{ replica_set_name }}" -# members: "{{ mongo_cluster_members }}" -# arbiter_at_index: "{{ mongo_arbiter_index | default(0) }}" -# validate: false -# run_once: true -# when: mongo_replication_role == 'primary' + # - name: Initial cluster initialisation + # community.mongodb.mongodb_replicaset: + # login_host: localhost + # login_user: admin + # login_port: "{{ mongo_port }}" + # login_password: "{{ mongo_admin_password }}" + # replica_set: "{{ replica_set_name }}" + # members: "{{ mongo_cluster_members }}" + # arbiter_at_index: "{{ mongo_arbiter_index | default(0) }}" + # validate: false + # run_once: true + # when: mongo_replication_role == 'primary' -- name: Initiate replica set - shell: | - mongosh --eval ' - rs.initiate({ - _id: "{{ replica_set_name }}", - members: [ - { _id: 0, host: "rocky1:{{ mongo_port }}" }, - ] - })' - when: mongo_replication_role == "primary" - register: rs_init - failed_when: false + - name: Initiate replica set + shell: | + mongosh --eval ' + rs.initiate({ + _id: "{{ replica_set_name }}", + members: [ + { _id: 0, host: "rocky1:{{ mongo_port }}" }, + ] + })' + when: mongo_replication_role == "primary" + register: rs_init + failed_when: false -- name: Wait for replica set election - pause: - seconds: 20 - when: 
mongo_replication_role == "primary" + - name: Wait for replica set election + pause: + seconds: 20 + when: mongo_replication_role == "primary" -# - name: Wait until cluster health is ok -# community.mongodb.mongodb_status: -# login_user: admin -# login_password: "{{ mongo_admin_password }}" -# login_database: admin -# login_port: "{{ mongo_port }}" -# validate: default -# poll: 5 -# interval: 12 -# replica_set: "{{ replica_set_name }}" -# when: mongo_replication_role == 'primary' + # - name: Wait until cluster health is ok + # community.mongodb.mongodb_status: + # login_user: admin + # login_password: "{{ mongo_admin_password }}" + # login_database: admin + # login_port: "{{ mongo_port }}" + # validate: default + # poll: 5 + # interval: 12 + # replica_set: "{{ replica_set_name }}" + # when: mongo_replication_role == 'primary' -- name: Add the admin user - community.mongodb.mongodb_user: - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - roles: root - state: present - when: mongo_replication_role == "primary" - #no_log: true #todo enable - #run_once: true + - name: Add the admin user + community.mongodb.mongodb_user: + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + roles: root + state: present + when: mongo_replication_role == "primary" + #no_log: true #todo enable + #run_once: true diff --git a/roles/mongo/templates/mongo_precluster.conf.j2 b/roles/mongo/templates/mongo_precluster.conf.j2 deleted file mode 100644 index 029f5aca9..000000000 --- a/roles/mongo/templates/mongo_precluster.conf.j2 +++ /dev/null 
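Review bot: "Install precluster mongodb.conf file" still uses `src: "mongod_precluster.conf.j2"`, yet this patch deletes `roles/mongo/templates/mongo_precluster.conf.j2` and adds no replacement, so unless a `mongod_precluster.conf.j2` exists outside the patches shown here the new block fails on its first task. The block is also gated on `mongo_authentication_enabled.rc == 0` with `ignore_errors: true` on the check: an rc of 1 caused by mongod being down or mongosh missing is then silently read as "already configured" and the cluster is never initialised, with no error in the recap. Narrow the accepted exit codes the way PATCH 22 later does for standaloneconfig.yml (`failed_when: ... rc > 1`), and document the gate, e.g. `# rc 0: usersInfo answered without credentials -> first run, bootstrap the cluster`. The "Add the admin user" task still has no `no_log` while carrying `mongo_admin_password`.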
@@ -1,25 +0,0 @@ -systemLog: - destination: file - logRotate: reopen - logAppend: true - path: /var/log/mongodb/mongod.log - -net: - bindIp: {{ mongo_bind_listen_address }} - port: 27017 - tls: - mode: preferTLS - certificateKeyFile: /etc/pki/mongo/keyandcert.pem - CAFile: /etc/pki/mongo/mongoca.pem - allowConnectionsWithoutCertificates: true - -storage: - dbPath: /var/lib/mongo - -{% if replica_set_name is defined and mongo_mode == "cluster" %} -replication: - replSetName: {{ replica_set_name }} -{% endif %} - -security: - clusterAuthMode: x509 diff --git a/roles/mongo/templates/mongod.conf.j2 b/roles/mongo/templates/mongod.conf.j2 index 46a3ff062..40b481dfd 100644 --- a/roles/mongo/templates/mongod.conf.j2 +++ b/roles/mongo/templates/mongod.conf.j2 @@ -14,7 +14,7 @@ net: allowConnectionsWithoutCertificates: true storage: - dbPath: /var/lib/mongo + dbPath: {{ mongo_data_path }} {% if replica_set_name is defined and mongo_mode == "cluster" %} replication: From 7d31bca235c974d4debe366507633366b64fab08 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 16 Feb 2026 16:44:01 +0100 Subject: [PATCH 21/70] work in progress --- roles/mongo/README.md | 3 + roles/mongo/defaults/main.yml | 2 +- roles/mongo/tasks/clusterconfig.yml | 135 ++++++++++++++++++---------- roles/mongo/tasks/install.yml | 2 - roles/mongo/tasks/main.yml | 19 ++-- roles/mongo/tasks/users.yml | 4 +- 6 files changed, 103 insertions(+), 62 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index f47403cee..58b66111c 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md @@ -25,6 +25,9 @@ Please review the official Mongo documentation for more information. - werkt het ook met d emongo replication module? - hoe afdwingen dat de prmary eerst gaat? - check todos in de code +- extra check is er al een cluster niks aan doen +- optie removen evt +- rs.addArb TEST diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index 06cfa6c77..b419068ea 100644 
--- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -37,7 +37,7 @@ mongo_port: 27017 mongo_mode: "cluster" # cluster or standalone # The name of the replication set -replica_set_name: "{{ instance_name }}" # Set this in group_vars +mongo_replica_set_name: "{{ instance_name }}" # Set this in group_vars # Add a database mongo: diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 90d39a720..1bd61da21 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -2,18 +2,13 @@ # In this task file the cluster is configured - name: Debug replica settings ansible.builtin.debug: - msg: "Replica set name {{ replica_set_name }}" + msg: "Replica set name {{ mongo_replica_set_name }}" verbosity: 2 -- name: Debug cluster members settings - ansible.builtin.debug: - msg: "Cluster members: {{ mongo_cluster_members }}" - verbosity: 2 - -- name: Debug mongo_replication_role variable - ansible.builtin.debug: - msg: "{{ mongo_replication_role }}" - verbosity: 2 +# - name: Debug cluster members settings +# ansible.builtin.debug: +# msg: "Cluster members: {{ mongo_cluster.members }}" +# verbosity: 2 - name: Enable and start mongod for the first time ansible.builtin.service: @@ -52,7 +47,7 @@ mode: "0644" backup: true notify: Restart mongod - + # We want a mongo restart right away - name: Flush handlers ansible.builtin.meta: flush_handlers 
@@ -75,45 +70,87 @@ # validate: false # run_once: true # when: mongo_replication_role == 'primary' - - - name: Initiate replica set - shell: | - mongosh --eval ' - rs.initiate({ - _id: "{{ replica_set_name }}", - members: [ - { _id: 0, host: "rocky1:{{ mongo_port }}" }, - ] - })' + - name: Initiate replica set on primary when: mongo_replication_role == "primary" - register: rs_init - failed_when: false + block: + - name: Initiate replica set + shell: | + mongosh --eval ' + rs.initiate({ + _id: "{{ replica_set_name }}", + members: [ + { _id: 0, + host: "{{ ansible_facts['hostname']}}:{{ mongo_port }}", + priority: 3 + }, + ] + })' + register: rs_init + #failed_when: false - - name: Wait for replica set election - pause: - seconds: 20 - when: mongo_replication_role == "primary" + - name: Wait for replica set election + pause: + seconds: 20 - # - name: Wait until cluster health is ok - # community.mongodb.mongodb_status: - # login_user: admin - # login_password: "{{ mongo_admin_password }}" - # login_database: admin - # login_port: "{{ mongo_port }}" - # validate: default - # poll: 5 - # interval: 12 - # replica_set: "{{ replica_set_name }}" - # when: mongo_replication_role == 'primary' + - name: Debug rs init event + ansible.builtin.debug: + var: rs_init + verbosity: 2 - - name: Add the admin user - community.mongodb.mongodb_user: - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - roles: root - state: present - when: mongo_replication_role == "primary" - #no_log: true #todo enable - #run_once: true + - name: Add the admin user + community.mongodb.mongodb_user: + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + roles: root + state: present + #no_log: true #todo enable + #run_once: true + + - name: Wait until cluster health is ok + community.mongodb.mongodb_status: + login_user: admin + login_password: "{{ mongo_admin_password }}" + login_database: admin + 
login_port: "{{ mongo_port }}" + validate: default + poll: 5 + interval: 12 + replica_set: "{{ mongo_replica_set_name }}" + register: mongo_cluster_health + + - name: Debug mongo_cluster_health + ansible.builtin.debug: + var: mongo_cluster_health + verbosity: 2 + + # end primary server block + + - name: Add members to cluster + when: mongo_replication_role != "primary" + block: + + - name: Add new mongo server to replication set + when: mongo_replication_role != "arbiter" + shell: | + mongosh -u admin --password {{ mongo_admin_password }} --eval ' + rs.add ("{ host: "{{ ansible_hostname }}:{{ mongo_port }}", + priority: {{ mongo_cluster_priority | default('2') }} }")' + register: rs_add + changed_when: false + delegate_to: "rocky1" # tod variable + + - name: Add new mongo arbitrator to replication set + when: mongo_replication_role == "arbiter" + shell: | + mongosh -u admin --password {{ mongo_admin_password }} --eval ' + rs.addArb (" { host: "{{ ansible_hostname }}:{{ mongo_port }}", + priority: 0 }")' + register: rs_add + delegate_to: "rocky1" # tod variable + + - name: Debug rs add event + ansible.builtin.debug: + var: rs_add + verbosity: 2 diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index 4d2c09087..25b14efa1 100644 --- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml @@ -1,6 +1,5 @@ --- - name: Create the repository for mongodb - when: ansible_os_family == 'RedHat' ansible.builtin.template: src: "mongo.repo.j2" dest: "/etc/yum.repos.d/mongo.repo" @@ -8,7 +7,6 @@ mode: "0640" - name: Install the mongodb package and some helper packages - when: ansible_os_family == 'RedHat' ansible.builtin.yum: name: - mongodb-org diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 6b46f1cb4..02404b483 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml 
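Review bot: Both new `rs.add`/`rs.addArb` tasks pass the admin password on the mongosh command line (`-u admin --password {{ mongo_admin_password }}`) and have no `no_log`, so the secret is visible in the process list on the delegated host and in the play output of every run; the `community.mongodb.mongodb_replicaset` module already referenced in this file takes `login_password` without exposing it in argv, and at minimum the two tasks need `no_log: true`. The JavaScript is also malformed: `rs.add ("{ host: "{{ ansible_hostname }}:{{ mongo_port }}", ... }")` hands `rs.add` a string that starts with `{` and whose inner double quotes end the string early, rather than a document; the working forms are `rs.add({ host: "{{ ansible_hostname }}:{{ mongo_port }}", priority: {{ mongo_cluster_priority | default(2) }} })` and `rs.addArb("{{ ansible_hostname }}:{{ mongo_port }}")`. `rs.initiate` still uses `{{ replica_set_name }}` although this patch renames the default to `mongo_replica_set_name` (the `mongodb_status` task in the same hunk already uses the new name), so the variable is undefined unless group_vars still set the old one. `changed_when: false` on a task that adds a member is wrong, and `delegate_to: "rocky1"` hard-codes the primary, as the `# tod variable` comment admits.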
@@ -3,23 +3,23 @@ when: mongo_mode == "cluster" block: - name: Fail on undefined replica_set_name - when: replica_set_name is not defined + when: mongo_replica_set_name is not defined ansible.builtin.fail: msg: "Something is wrong, mongo_mode was set to cluster but replica_set_name is undefined." - - name: Check some variables - when: mongo_cluster_members is not defined - ansible.builtin.fail: - msg: "Something is wrong, mongo_mode was set to cluster but mongo_cluster_members is undefined." + # - name: Check some variables + # when: mongo_cluster_members is not defined + # ansible.builtin.fail: + # msg: "Something is wrong, mongo_mode was set to cluster but mongo_cluster_members is undefined." - name: Message for non redhat family servers - when: ansible_os_family != 'RedHat' + when: ansible_facts['os_family'] != 'RedHat' ansible.builtin.fail: msg: "Sorry, this role only works on RedHat family servers" - name: Install and configure mongo on redhat family servers when: - - ansible_os_family == 'RedHat' + - ansible_facts['os_family'] == 'RedHat' block: - name: Use temporarily python3 as remote interpreter, this fixes pymongo ansible.builtin.set_fact: @@ -75,5 +75,6 @@ - name: Use python2 again as remote interpreter ansible.builtin.set_fact: ansible_python_interpreter: "/usr/bin/python" - when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7' - + when: + - ansible_facts['distribution'] == 'CentOS' + - ansible_facts['distribution_major_version'] == '7' diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index 2fa921f24..40afedd8e 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml @@ -1,5 +1,7 @@ - name: Create mongo database users cluster # requires pymongo 4+ - when: mongo_mode == "cluster" + when: + - mongo_mode == "cluster" + - mongo_replication_role == "primary" community.mongodb.mongodb_user: login_database: admin database: "{{ item.db_name }}" 
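Review bot: Adding `mongo_replication_role == "primary"` to a task that still carries `run_once: true` (visible in the PATCH 15 users.yml hunks) means the condition is evaluated only on the first host of the batch; if that host is a secondary or the arbiter, the task is skipped for every host and no application users are created, without any error. Either drop `run_once` and let the `when` select the primary, or delegate the task explicitly to the primary host instead of relying on batch order. `changed_when: false` on a user-creating task, also in the context lines, hides real changes from the play recap.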
From c8ce1c873eb7379de721c1855122fe520295f390 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 23 Mar 2026 13:28:09 +0100 Subject: [PATCH 22/70] standalone deployment works --- roles/mongo/tasks/main.yml | 10 ++++---- roles/mongo/tasks/postinstall.yml | 34 +++++++++++++------------- roles/mongo/tasks/standaloneconfig.yml | 11 +++++---- 3 files changed, 28 insertions(+), 27 deletions(-) diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 02404b483..1e56bac29 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -30,15 +30,15 @@ ansible.builtin.include_tasks: file: install.yml - - name: Include Certificate tasks - ansible.builtin.include_tasks: - file: certs.yml - - name: Debug standalone or cluster mode ansible.builtin.debug: msg: "{{ mongo_mode }}" verbosity: 2 + - name: Include Certificate tasks + ansible.builtin.include_tasks: + file: certs.yml + - name: Include standalone configuration tasks ansible.builtin.include_tasks: file: standaloneconfig.yml @@ -75,6 +75,6 @@ - name: Use python2 again as remote interpreter ansible.builtin.set_fact: ansible_python_interpreter: "/usr/bin/python" - when: + when: - ansible_facts['distribution'] == 'CentOS' - ansible_facts['distribution_major_version'] == '7' diff --git a/roles/mongo/tasks/postinstall.yml b/roles/mongo/tasks/postinstall.yml index 428112194..93a8a4a3a 100644 --- a/roles/mongo/tasks/postinstall.yml +++ b/roles/mongo/tasks/postinstall.yml 
@@ -15,24 +15,24 @@ group: root mode: "0700" -- name: Install the backup script - ansible.builtin.template: - src: "backup_mongo.pl.j2" - dest: "/usr/local/sbin/backup_mongo.pl" - mode: "0700" - owner: root - group: root - when: mongo_replication_role != 'arbiter' +- name: Configure backup + when: mongo_replication_role is not defined or mongo_replication_role != 'arbiter' + block: + - name: Install the backup script + ansible.builtin.template: + src: "backup_mongo.pl.j2" + dest: "/usr/local/sbin/backup_mongo.pl" + mode: "0700" + owner: root + group: root - -- name: Create cron symlink for backup script - ansible.builtin.file: - src: "/usr/local/sbin/backup_mongo.pl" - dest: "/etc/cron.daily/mongodb_backup" - state: link - mode: "0700" - owner: root - when: mongo_replication_role != 'arbiter' + - name: Create cron symlink for backup script + ansible.builtin.file: + src: "/usr/local/sbin/backup_mongo.pl" + dest: "/etc/cron.daily/mongodb_backup" + state: link + mode: "0700" + owner: root - name: Create mongosh config file ansible.builtin.template: diff --git a/roles/mongo/tasks/standaloneconfig.yml b/roles/mongo/tasks/standaloneconfig.yml index b6b1f62ca..ba0bf5ec5 100644 --- a/roles/mongo/tasks/standaloneconfig.yml +++ b/roles/mongo/tasks/standaloneconfig.yml 
@@ -7,14 +7,15 @@ - name: Check if mongodb authentication is activated ansible.builtin.shell: cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" - register: mongo_authentication_enabled + register: mongo_authentication_disabled changed_when: false ignore_errors: true check_mode: false # This can safely run in check mode because it is not changing anything + failed_when: mongo_authentication_disabled.rc > 1 # rc=1 means command failed because authentication is enabled, we need to know that but we don't need to see an error - name: Debug mongodb authentication check ansible.builtin.debug: - msg: "{{ mongo_authentication_enabled.stdout }}" + msg: "{{ mongo_authentication_disabled.stdout }}" verbosity: 2 # first run add admin user without logging in @@ -27,11 +28,11 @@ login_port: "{{ mongo_port }}" roles: root state: present - #no_log: true # todo enable + no_log: true run_once: true - when: mongo_authentication_enabled.rc == 0 + when: mongo_authentication_disabled.rc == 0 # restart mongo right away with authentication enabled - name: Flush handlers - ansible.builtin.meta: flush_handlers \ No newline at end of file + ansible.builtin.meta: flush_handlers From 8cd50dfdab8d98f474f506eb3ea6b7018025bad0 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 25 Mar 2026 13:11:57 +0100 Subject: [PATCH 23/70] only configure cluster when variabel is set --- roles/mongo/defaults/main.yml | 3 + roles/mongo/tasks/clusterconfig.yml | 361 +++++++++++++++++----------- roles/mongo/tasks/main.yml | 29 +-- 3 files changed, 235 insertions(+), 158 deletions(-) diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index b419068ea..cfb95e2b1 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml 
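Review bot: `ignore_errors: true` on the authentication check makes the added `failed_when: mongo_authentication_disabled.rc > 1` ineffective: a failure such as mongosh missing or the server not listening is reported and then ignored, the `when: mongo_authentication_disabled.rc == 0` on the admin-user task is false, and the play carries on without ever creating the admin user. Now that `failed_when` only accepts rc 0 and 1, drop `ignore_errors: true` so any other exit code stops the run. The same check is moved verbatim into generalconfig.yml in a later patch of this series (hunk `@@ -1,6 +1,40 @@`) and needs the same fix there.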
@@ -60,3 +60,6 @@ mongo_group: "mongod" # Paths mongo_config_file: "/etc/mongod.conf" mongo_data_path: "/var/lib/mongo" + +# to avoid surprises only initiate or reconfigure cluster if this is true (use -e mongo_configure_cluster=true when you run your playbook) +mongo_configure_cluster: false diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 1bd61da21..7ce0e2050 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -1,4 +1,12 @@ --- +- name: Check some cluster related variables + when: mongo_mode == "cluster" + block: + - name: Fail on undefined replica_set_name + when: mongo_replica_set_name is not defined + ansible.builtin.fail: + msg: "Something is wrong, mongo_mode was set to cluster but replica_set_name is undefined." + # In this task file the cluster is configured - name: Debug replica settings ansible.builtin.debug: 
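Review bot: The new guard tests `mongo_replica_set_name is not defined` while its failure message names `replica_set_name`, and the status query added further down this file in the next hunk still reads `replica_set: "{{ replica_set_name }}"`, so a play that sets only `replica_set_name` passes the check and a play that sets only `mongo_replica_set_name` fails later with an undefined-variable error. Pick one name for the role and use it in the check, the message and the tasks, e.g. `msg: "mongo_mode is cluster but mongo_replica_set_name is undefined."`. The `when: mongo_mode == "cluster"` on the block looks redundant here, since the main.yml hunk in this patch shows clusterconfig.yml is only included when `mongo_mode == "cluster"`.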
@@ -10,147 +18,212 @@ # msg: "Cluster members: {{ mongo_cluster.members }}" # verbosity: 2 -- name: Enable and start mongod for the first time - ansible.builtin.service: - name: mongod.service - enabled: true - state: started - -- name: Check if mongodb authentication is activated - ansible.builtin.shell: - cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" - register: mongo_authentication_enabled - changed_when: false - ignore_errors: true - check_mode: false # This can safely run in check mode because it is not changing anything - -- name: Create cluster block - when: mongo_authentication_enabled.rc == 0 - block: - # - name: Check if hosts are in clustered - # ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' - # register: check_cluster - # changed_when: false - # check_mode: false - - # - name: Debug check_cluster variable - # ansible.builtin.debug: - # msg: "{{ check_cluster }}" - # verbosity: 2 - - - name: Install precluster mongodb.conf file - ansible.builtin.template: - src: "mongod_precluster.conf.j2" - dest: "/etc/mongod.conf" - owner: root - group: root - mode: "0644" - backup: true - notify: Restart mongod - - # We want a mongo restart right away - - name: Flush handlers - ansible.builtin.meta: flush_handlers - - - name: Wait for MongoDB to be available - wait_for: - port: "{{ mongo_port }}" - delay: 5 - timeout: 60 - - # - name: Initial cluster initialisation - # community.mongodb.mongodb_replicaset: - # login_host: localhost - # login_user: admin - # login_port: "{{ mongo_port }}" - # login_password: "{{ mongo_admin_password }}" - # replica_set: "{{ replica_set_name }}" - # members: "{{ mongo_cluster_members }}" - # arbiter_at_index: "{{ mongo_arbiter_index | default(0) }}" - # validate: false - # run_once: true - # when: mongo_replication_role == 'primary' - - name: Initiate replica set on primary - when: mongo_replication_role == "primary" - block: - - name: 
Initiate replica set - shell: | - mongosh --eval ' - rs.initiate({ - _id: "{{ replica_set_name }}", - members: [ - { _id: 0, - host: "{{ ansible_facts['hostname']}}:{{ mongo_port }}", - priority: 3 - }, - ] - })' - register: rs_init - #failed_when: false - - - name: Wait for replica set election - pause: - seconds: 20 - - - name: Debug rs init event - ansible.builtin.debug: - var: rs_init - verbosity: 2 - - - name: Add the admin user - community.mongodb.mongodb_user: - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - roles: root - state: present - #no_log: true #todo enable - #run_once: true - - - name: Wait until cluster health is ok - community.mongodb.mongodb_status: - login_user: admin - login_password: "{{ mongo_admin_password }}" - login_database: admin - login_port: "{{ mongo_port }}" - validate: default - poll: 5 - interval: 12 - replica_set: "{{ mongo_replica_set_name }}" - register: mongo_cluster_health - - - name: Debug mongo_cluster_health - ansible.builtin.debug: - var: mongo_cluster_health - verbosity: 2 - - # end primary server block - - - name: Add members to cluster - when: mongo_replication_role != "primary" - block: - - - name: Add new mongo server to replication set - when: mongo_replication_role != "arbiter" - shell: | - mongosh -u admin --password {{ mongo_admin_password }} --eval ' - rs.add ("{ host: "{{ ansible_hostname }}:{{ mongo_port }}", - priority: {{ mongo_cluster_priority | default('2') }} }")' - register: rs_add - changed_when: false - delegate_to: "rocky1" # tod variable - - - name: Add new mongo arbitrator to replication set - when: mongo_replication_role == "arbiter" - shell: | - mongosh -u admin --password {{ mongo_admin_password }} --eval ' - rs.addArb (" { host: "{{ ansible_hostname }}:{{ mongo_port }}", - priority: 0 }")' - register: rs_add - delegate_to: "rocky1" # tod variable - - - name: Debug rs add event - ansible.builtin.debug: - var: rs_add - verbosity: 2 +- name: 
Identify designated primary + ansible.builtin.set_fact: + mongo_primary_host: >- + {{ + groups['mongo_servers'] + | map('extract', hostvars) + | selectattr('mongo_replication_role', 'defined') + | selectattr('mongo_replication_role', 'equalto', 'primary') + | map(attribute='inventory_hostname') + | first + }} + failed_when: mongo_primary_host is not defined or mongo_primary_host == '' + +# Who is primary +- name: Debug primary settings + ansible.builtin.debug: + msg: "Primary is {{ mongo_primary_host }}" + verbosity: 2 + +# What is the replication role of the current host +- name: Debug replication role settings + ansible.builtin.debug: + msg: "This nodes replication role is {{ mongo_replication_role }}" + verbosity: 2 + +# Bestaat het cluster? +- name: Query replica set status + community.mongodb.mongodb_status: + login_user: admin + login_password: "{{ mongo_admin_password }}" + login_database: admin + login_port: "{{ mongo_port }}" + validate: default + poll: 5 + interval: 12 + replica_set: "{{ replica_set_name }}" + register: mongo_cluster_status + when: mongo_replication_role == 'primary' + +# What is the cluster status? +- name: Debug mongo cluster status + ansible.builtin.debug: + msg: "Cluster status is {{ mongo_cluster_status }}" + # todo verbosity: 2 + + + + + # todo is de replica set bestaand + # is iedereen member? 
+ # zo nee niet naar wens + # melding amken + # run role met optie ja nieuwe replica + # of ja reconfigure replica + # evt serial niet 1 + + # todo write concern zetten + + # todo normale config changes + + # todo admin suer + + # - name: Enable and start mongod for the first time + # ansible.builtin.service: + # name: mongod.service + # enabled: true + # state: started + + # - name: Check if mongodb authentication is activated + # ansible.builtin.shell: + # cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" + # register: mongo_authentication_disabled + # changed_when: false + # ignore_errors: true + # check_mode: false # This can safely run in check mode because it is not changing anything + # failed_when: mongo_authentication_disabled.rc > 1 # rc=1 means command failed because authentication is enabled, we need to know that but we don't need to see an error + + + # - name: Create cluster block + # when: mongo_authentication_disabled.rc == 0 + # block: + # # - name: Check if hosts are in clustered + # # ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' + # # register: check_cluster + # # changed_when: false + # # check_mode: false + + # # - name: Debug check_cluster variable + # # ansible.builtin.debug: + # # msg: "{{ check_cluster }}" + # # verbosity: 2 + + # - name: Install precluster mongodb.conf file + # ansible.builtin.template: + # src: "mongod_precluster.conf.j2" + # dest: "/etc/mongod.conf" + # owner: root + # group: root + # mode: "0644" + # backup: true + # notify: Restart mongod + + # # We want a mongo restart right away + # - name: Flush handlers + # ansible.builtin.meta: flush_handlers + + # - name: Wait for MongoDB to be available + # wait_for: + # port: "{{ mongo_port }}" + # delay: 5 + # timeout: 60 + + # # - name: Initial cluster initialisation + # # community.mongodb.mongodb_replicaset: + # # login_host: localhost + # # login_user: admin + # # 
login_port: "{{ mongo_port }}" + # # login_password: "{{ mongo_admin_password }}" + # # replica_set: "{{ replica_set_name }}" + # # members: "{{ mongo_cluster_members }}" + # # arbiter_at_index: "{{ mongo_arbiter_index | default(0) }}" + # # validate: false + # # run_once: true + # # when: mongo_replication_role == 'primary' + # - name: Initiate replica set on primary + # when: mongo_replication_role == "primary" + # block: + # - name: Initiate replica set + # shell: | + # mongosh --eval ' + # rs.initiate({ + # _id: "{{ replica_set_name }}", + # members: [ + # { _id: 0, + # host: "{{ ansible_facts['hostname']}}:{{ mongo_port }}", + # priority: 3 + # }, + # ] + # })' + # register: rs_init + # #failed_when: false + + # - name: Wait for replica set election + # pause: + # seconds: 20 + + # - name: Debug rs init event + # ansible.builtin.debug: + # var: rs_init + # verbosity: 2 + + # - name: Add the admin user + # community.mongodb.mongodb_user: + # database: admin + # name: admin + # password: "{{ mongo_admin_password }}" + # login_port: "{{ mongo_port }}" + # roles: root + # state: present + # #no_log: true #todo enable + # #run_once: true + + # - name: Wait until cluster health is ok + # community.mongodb.mongodb_status: + # login_user: admin + # login_password: "{{ mongo_admin_password }}" + # login_database: admin + # login_port: "{{ mongo_port }}" + # validate: default + # poll: 5 + # interval: 12 + # replica_set: "{{ mongo_replica_set_name }}" + # register: mongo_cluster_health + + # - name: Debug mongo_cluster_health + # ansible.builtin.debug: + # var: mongo_cluster_health + # verbosity: 2 + + # # end primary server block + + # - name: Add members to cluster + # when: mongo_replication_role != "primary" + # block: + + # - name: Add new mongo server to replication set + # when: mongo_replication_role != "arbiter" + # shell: | + # mongosh -u admin --password {{ mongo_admin_password }} --eval ' + # rs.add ("{ host: "{{ ansible_hostname }}:{{ mongo_port }}", + # 
priority: {{ mongo_cluster_priority | default('2') }} }")' + # register: rs_add + # changed_when: false + # delegate_to: "rocky1" # tod variable + + # - name: Add new mongo arbitrator to replication set + # when: mongo_replication_role == "arbiter" + # shell: | + # mongosh -u admin --password {{ mongo_admin_password }} --eval ' + # rs.addArb (" { host: "{{ ansible_hostname }}:{{ mongo_port }}", + # priority: 0 }")' + # register: rs_add + # delegate_to: "rocky1" # tod variable + + # - name: Debug rs add event + # ansible.builtin.debug: + # var: rs_add + # verbosity: 2 + diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 1e56bac29..2a4d915a3 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -1,12 +1,4 @@ --- -- name: Check some cluster related variables - when: mongo_mode == "cluster" - block: - - name: Fail on undefined replica_set_name - when: mongo_replica_set_name is not defined - ansible.builtin.fail: - msg: "Something is wrong, mongo_mode was set to cluster but replica_set_name is undefined." - # - name: Check some variables # when: mongo_cluster_members is not defined # ansible.builtin.fail: @@ -21,6 +13,16 @@ when: - ansible_facts['os_family'] == 'RedHat' block: + - name: Debug standalone or cluster mode + ansible.builtin.debug: + msg: "{{ mongo_mode }}" + verbosity: 2 + + - name: Debug cluster reconfiguration is allowed + ansible.builtin.debug: + msg: "{{ mongo_configure_cluster }}" + verbosity: 2 + - name: Use temporarily python3 as remote interpreter, this fixes pymongo ansible.builtin.set_fact: ansible_python_interpreter: "/usr/bin/python3" @@ -30,11 +32,6 @@ ansible.builtin.include_tasks: file: install.yml - - name: Debug standalone or cluster mode - ansible.builtin.debug: - msg: "{{ mongo_mode }}" - verbosity: 2 - - name: Include Certificate tasks ansible.builtin.include_tasks: file: certs.yml 
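Review bot: `failed_when: mongo_primary_host is not defined or mongo_primary_host == ''` on the `Identify designated primary` set_fact cannot do what it intends: with no host carrying `mongo_replication_role: primary` the `| first` filter already raises a template error before there is a task result to test, and with two such hosts `first` silently picks one. Compute the candidate list into its own fact and assert on its length instead, e.g. `- ansible.builtin.assert: { that: mongo_primary_candidates | length == 1, fail_msg: "exactly one host in mongo_servers must have mongo_replication_role: primary" }`. Separately, `Debug mongo cluster status` prints the whole registered result with no `verbosity` (only a `# todo verbosity: 2`), and on hosts that are not the primary it merely dumps a skipped result because the query runs `when: mongo_replication_role == 'primary'`. The hunk also keeps roughly 150 lines of commented-out tasks plus Dutch TODOs (`# Bestaat het cluster?`); git history already holds the old code, so delete it and keep the remaining comments in English.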
@@ -50,7 +47,11 @@ file: clusterconfig.yml when: - mongo_mode == "cluster" + - mongo_configure_cluster | bool # safest option is to set this to false and enable with -e mongo_configure_cluster=true + + # todo: add admin user for cluster and standalone in a separate file? + # Install configuration file after cluster is up, some settings will not work before that - name: Include General config tasks ansible.builtin.include_tasks: file: generalconfig.yml @@ -72,7 +73,7 @@ ansible.builtin.include_tasks: file: postinstall.yml - - name: Use python2 again as remote interpreter + - name: Use python2 again as remote interpreter on centos 7 ansible.builtin.set_fact: ansible_python_interpreter: "/usr/bin/python" when: From ea8d1c19c5743f2a9e410c01ae027502e909aef4 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 25 Mar 2026 13:16:43 +0100 Subject: [PATCH 24/70] add some comments --- roles/mongo/tasks/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 2a4d915a3..87a3ed9bb 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -52,12 +52,15 @@ # todo: add admin user for cluster and standalone in a separate file? # Install configuration file after cluster is up, some settings will not work before that + # For example authentication enabling before we insert the first admin user + # or replication enabled before the cluster is initialized - name: Include General config tasks ansible.builtin.include_tasks: file: generalconfig.yml - # Mongod is installed, but service is not restarted until after - # the initial admin user is added + # todo: are both tasks necesary?? below + + # Mongod is installed, restart the service one more time - name: Flush handlers ansible.builtin.meta: flush_handlers From f4e39cf6ac2b2de946fc69c19747701d5a7d2ff5 Mon Sep 17 00:00:00 2001 
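Review bot: The `mongo_replica_set_name` check that this patch removes from main.yml now lives in clusterconfig.yml, which the new `- mongo_configure_cluster | bool` condition makes optional, so a cluster-mode run with the flag left at its default `false` gets no validation of the replica-set variables at all while generalconfig.yml still renders mongod.conf from them. Keep the variable assertions in main.yml (or an unconditionally included precheck file) and gate only the initiation tasks behind `mongo_configure_cluster`. The trailing comment `# safest option is to set this to false ...` would read better on its own line above the `when:` than appended to the list item.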
From: Chantal Rosmuller Date: Wed, 25 Mar 2026 15:58:23 +0100 Subject: [PATCH 25/70] kind of works --- roles/mongo/defaults/main.yml | 7 + roles/mongo/tasks/clusterconfig.yml | 235 ++++++------------------- roles/mongo/tasks/generalconfig.yml | 40 ++++- roles/mongo/tasks/main.yml | 28 ++- roles/mongo/tasks/standaloneconfig.yml | 39 +--- 5 files changed, 109 insertions(+), 240 deletions(-) diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index cfb95e2b1..c93803017 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -61,5 +61,12 @@ mongo_group: "mongod" mongo_config_file: "/etc/mongod.conf" mongo_data_path: "/var/lib/mongo" +# cluster members +# set in group_vars +# mongo_cluster_members: +# - host: mongo1.example.com:{{ mongo_port }} +# - host: mongo2.example.com:{{ mongo_port }} +# - host: mongo3.example.com:{{ mongo_port }} + # to avoid surprises only initiate or reconfigure cluster if this is true (use -e mongo_configure_cluster=true when you run your playbook) mongo_configure_cluster: false diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 7ce0e2050..6f258d918 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -1,4 +1,16 @@ --- +# In this task file the cluster is configured + +# todo rs.add add stees opnieuw dat willen we niet +# todo arbiter optie +# todo set votes, priority, hidden (uit hostvars?) +# todo write concern zetten +# todo test alle servers leeg in 1 keer deployen +# todo test primary eerst dan secundaries +# todo test config wijziging zonder cluster wijziging +# todo node verwijderen +# todo prio wijzigen + - name: Check some cluster related variables when: mongo_mode == "cluster" block: 
@@ -7,17 +19,11 @@ ansible.builtin.fail: msg: "Something is wrong, mongo_mode was set to cluster but replica_set_name is undefined." -# In this task file the cluster is configured - name: Debug replica settings ansible.builtin.debug: msg: "Replica set name {{ mongo_replica_set_name }}" verbosity: 2 -# - name: Debug cluster members settings -# ansible.builtin.debug: -# msg: "Cluster members: {{ mongo_cluster.members }}" -# verbosity: 2 - - name: Identify designated primary ansible.builtin.set_fact: mongo_primary_host: >- 
@@ -43,187 +49,46 @@ msg: "This nodes replication role is {{ mongo_replication_role }}" verbosity: 2 -# Bestaat het cluster? -- name: Query replica set status - community.mongodb.mongodb_status: +- name: Enable and start mongod + ansible.builtin.service: + name: mongod.service + enabled: true + state: started + +- name: Initial cluster initialisation + community.mongodb.mongodb_replicaset: + login_host: localhost login_user: admin - login_password: "{{ mongo_admin_password }}" - login_database: admin login_port: "{{ mongo_port }}" - validate: default - poll: 5 - interval: 12 + login_password: "{{ mongo_admin_password }}" replica_set: "{{ replica_set_name }}" - register: mongo_cluster_status + members: "{{ mongo_cluster_members }}" + arbiter_at_index: "{{ mongo_arbiter_index | default(0) }}" + validate: false + run_once: true when: mongo_replication_role == 'primary' -# What is the cluster status? -- name: Debug mongo cluster status - ansible.builtin.debug: - msg: "Cluster status is {{ mongo_cluster_status }}" - # todo verbosity: 2 - - - - - # todo is de replica set bestaand - # is iedereen member? 
- # zo nee niet naar wens - # melding amken - # run role met optie ja nieuwe replica - # of ja reconfigure replica - # evt serial niet 1 - - # todo write concern zetten - - # todo normale config changes - - # todo admin suer - - # - name: Enable and start mongod for the first time - # ansible.builtin.service: - # name: mongod.service - # enabled: true - # state: started - - # - name: Check if mongodb authentication is activated - # ansible.builtin.shell: - # cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" - # register: mongo_authentication_disabled - # changed_when: false - # ignore_errors: true - # check_mode: false # This can safely run in check mode because it is not changing anything - # failed_when: mongo_authentication_disabled.rc > 1 # rc=1 means command failed because authentication is enabled, we need to know that but we don't need to see an error - - - # - name: Create cluster block - # when: mongo_authentication_disabled.rc == 0 - # block: - # # - name: Check if hosts are in clustered - # # ansible.builtin.command: mongosh --port {{ mongo_port }} --quiet --eval 'db.isMaster().hosts' - # # register: check_cluster - # # changed_when: false - # # check_mode: false - - # # - name: Debug check_cluster variable - # # ansible.builtin.debug: - # # msg: "{{ check_cluster }}" - # # verbosity: 2 - - # - name: Install precluster mongodb.conf file - # ansible.builtin.template: - # src: "mongod_precluster.conf.j2" - # dest: "/etc/mongod.conf" - # owner: root - # group: root - # mode: "0644" - # backup: true - # notify: Restart mongod - - # # We want a mongo restart right away - # - name: Flush handlers - # ansible.builtin.meta: flush_handlers - - # - name: Wait for MongoDB to be available - # wait_for: - # port: "{{ mongo_port }}" - # delay: 5 - # timeout: 60 - - # # - name: Initial cluster initialisation - # # community.mongodb.mongodb_replicaset: - # # login_host: localhost - # # login_user: admin - # # 
login_port: "{{ mongo_port }}" - # # login_password: "{{ mongo_admin_password }}" - # # replica_set: "{{ replica_set_name }}" - # # members: "{{ mongo_cluster_members }}" - # # arbiter_at_index: "{{ mongo_arbiter_index | default(0) }}" - # # validate: false - # # run_once: true - # # when: mongo_replication_role == 'primary' - # - name: Initiate replica set on primary - # when: mongo_replication_role == "primary" - # block: - # - name: Initiate replica set - # shell: | - # mongosh --eval ' - # rs.initiate({ - # _id: "{{ replica_set_name }}", - # members: [ - # { _id: 0, - # host: "{{ ansible_facts['hostname']}}:{{ mongo_port }}", - # priority: 3 - # }, - # ] - # })' - # register: rs_init - # #failed_when: false - - # - name: Wait for replica set election - # pause: - # seconds: 20 - - # - name: Debug rs init event - # ansible.builtin.debug: - # var: rs_init - # verbosity: 2 - - # - name: Add the admin user - # community.mongodb.mongodb_user: - # database: admin - # name: admin - # password: "{{ mongo_admin_password }}" - # login_port: "{{ mongo_port }}" - # roles: root - # state: present - # #no_log: true #todo enable - # #run_once: true - - # - name: Wait until cluster health is ok - # community.mongodb.mongodb_status: - # login_user: admin - # login_password: "{{ mongo_admin_password }}" - # login_database: admin - # login_port: "{{ mongo_port }}" - # validate: default - # poll: 5 - # interval: 12 - # replica_set: "{{ mongo_replica_set_name }}" - # register: mongo_cluster_health - - # - name: Debug mongo_cluster_health - # ansible.builtin.debug: - # var: mongo_cluster_health - # verbosity: 2 - - # # end primary server block - - # - name: Add members to cluster - # when: mongo_replication_role != "primary" - # block: - - # - name: Add new mongo server to replication set - # when: mongo_replication_role != "arbiter" - # shell: | - # mongosh -u admin --password {{ mongo_admin_password }} --eval ' - # rs.add ("{ host: "{{ ansible_hostname }}:{{ mongo_port }}", - # 
priority: {{ mongo_cluster_priority | default('2') }} }")' - # register: rs_add - # changed_when: false - # delegate_to: "rocky1" # tod variable - - # - name: Add new mongo arbitrator to replication set - # when: mongo_replication_role == "arbiter" - # shell: | - # mongosh -u admin --password {{ mongo_admin_password }} --eval ' - # rs.addArb (" { host: "{{ ansible_hostname }}:{{ mongo_port }}", - # priority: 0 }")' - # register: rs_add - # delegate_to: "rocky1" # tod variable - - # - name: Debug rs add event - # ansible.builtin.debug: - # var: rs_add - # verbosity: 2 - +- name: Add members to cluster + when: mongo_replication_role != "primary" + block: + - name: Add new mongo server to replication set + when: mongo_replication_role != "arbiter" + shell: | + mongosh -u admin --password {{ mongo_admin_password }} --eval 'rs.add ( { host: "{{ ansible_hostname }}:{{ mongo_port }}" } )' + register: rs_add + changed_when: false + delegate_to: "{{ mongo_primary_host }}" + + - name: Add new mongo arbitrator to replication set + when: mongo_replication_role == "arbiter" + shell: | + mongosh -u admin --password {{ mongo_admin_password }} --eval ' + rs.addArb (" { host: "{{ ansible_hostname }}:{{ mongo_port }}", + priority: 0 }")' + register: rs_add + delegate_to: "{{ mongo_primary_host }}" + + - name: Debug rs add event + ansible.builtin.debug: + var: rs_add + verbosity: 2 \ No newline at end of file diff --git a/roles/mongo/tasks/generalconfig.yml b/roles/mongo/tasks/generalconfig.yml index 71bb8ac1e..270ab2fd0 100644 --- a/roles/mongo/tasks/generalconfig.yml +++ b/roles/mongo/tasks/generalconfig.yml 
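Review bot: The two `shell` tasks in `Add members to cluster` pass the root credential on the command line (`mongosh -u admin --password {{ mongo_admin_password }} --eval ...`) with no `no_log`, so the password is visible in the process table on the delegated primary, in the task's `cmd` in the play output, and again in the registered `rs_add` that the debug task prints. Run these through `community.mongodb.mongodb_shell` with `login_password:` (as the mongodb_replicaset task above already does) or at minimum add `no_log: true` to both tasks and to the debug. `Initial cluster initialisation` combines `run_once: true` with `when: mongo_replication_role == 'primary'`; run_once evaluates the condition on the first host of the batch, so the task is skipped for everyone whenever that host is not the primary, so delegate it to `mongo_primary_host` instead of relying on host order. `changed_when: false` on an `rs.add` that reconfigures the replica set hides a real change, and the `rs.addArb (" { host: "..." ...}")` eval mixes its outer and inner double quotes, so it is unlikely to parse as written.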
@@ -1,6 +1,40 @@ --- -# Config for standalone and replication server +- name: Enable and start mongod for the first time + ansible.builtin.service: + name: mongod.service + enabled: true + state: started + +- name: Check if mongodb authentication is activated + ansible.builtin.shell: + cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" + register: mongo_authentication_disabled + changed_when: false + ignore_errors: true + check_mode: false # This can safely run in check mode because it is not changing anything + failed_when: mongo_authentication_disabled.rc > 1 # rc=1 means command failed because authentication is enabled, we need to know that but we don't need to see an error + +- name: Debug mongodb authentication check + ansible.builtin.debug: + msg: "{{ mongo_authentication_disabled.stdout }}" + verbosity: 2 + +# first run add admin user without logging in +- name: Add the admin user + community.mongodb.mongodb_user: + login_database: admin + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + roles: root + state: present + no_log: true + run_once: true + when: mongo_authentication_disabled.rc == 0 + +# Config for standalone and replication server - name: Install mongodb.conf file ansible.builtin.template: src: "mongod.conf.j2" @@ -10,3 +44,7 @@ mode: "0644" backup: true notify: Restart mongod + +# restart mongo right away with authentication enabled +- name: Flush handlers + ansible.builtin.meta: flush_handlers \ No newline at end of file diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 87a3ed9bb..bbd197576 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml 
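Review bot: `Add the admin user` now runs with `run_once: true` for both modes, so in cluster mode the root user is created on whichever host comes first in the batch, not necessarily the node that later initiates the replica set; if that first host ends up as a secondary, its local users are, as far as I understand initial sync, replaced by the primary's data, and the `login_user: admin` in clusterconfig.yml then fails on the primary. Either create the user on every host before replication is enabled (drop `run_once`, keep the `rc == 0` guard) or delegate the task to the designated primary. The `ignore_errors: true` / `failed_when` pairing carried over from standaloneconfig.yml has the problem already noted on that earlier hunk.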
@@ -23,7 +23,7 @@ msg: "{{ mongo_configure_cluster }}" verbosity: 2 - - name: Use temporarily python3 as remote interpreter, this fixes pymongo + - name: Use temporarily python3 as remote interpreter, this fixes pymongo # todo is this still necessary? ansible.builtin.set_fact: ansible_python_interpreter: "/usr/bin/python3" tags: mongo_users @@ -36,11 +36,18 @@ ansible.builtin.include_tasks: file: certs.yml - - name: Include standalone configuration tasks + # todo: magw eg? + # - name: Include standalone configuration tasks + # ansible.builtin.include_tasks: + # file: standaloneconfig.yml + # when: + # - mongo_mode == "standalone" + + - name: Include General config tasks ansible.builtin.include_tasks: - file: standaloneconfig.yml - when: - - mongo_mode == "standalone" + file: generalconfig.yml + + # todo: are both tasks necesary?? below - name: Include cluster configuration tasks ansible.builtin.include_tasks: @@ -51,18 +58,7 @@ # todo: add admin user for cluster and standalone in a separate file? - # Install configuration file after cluster is up, some settings will not work before that - # For example authentication enabling before we insert the first admin user - # or replication enabled before the cluster is initialized - - name: Include General config tasks - ansible.builtin.include_tasks: - file: generalconfig.yml - - # todo: are both tasks necesary?? below - # Mongod is installed, restart the service one more time - - name: Flush handlers - ansible.builtin.meta: flush_handlers - name: Include Service tasks ansible.builtin.include_tasks: diff --git a/roles/mongo/tasks/standaloneconfig.yml b/roles/mongo/tasks/standaloneconfig.yml index ba0bf5ec5..a8ec00126 100644 --- a/roles/mongo/tasks/standaloneconfig.yml +++ b/roles/mongo/tasks/standaloneconfig.yml 
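Review bot: The comment `# Install configuration file after cluster is up, some settings will not work before that` and its two explanatory lines are deleted while the include order is inverted so that generalconfig.yml now runs before clusterconfig.yml, which is exactly the ordering that comment warned against; the new `# todo: are both tasks necesary?? below` does not say why the reversal is safe. Add a comment above the generalconfig include that states the intended sequence, e.g. `# generalconfig starts mongod, creates the admin user and installs mongod.conf; the replica set is initiated afterwards in clusterconfig.yml`, so the next reader does not restore the old order. The commented-out standalone include with `# todo: magw eg?` should be removed rather than left in place.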
@@ -1,38 +1 @@ -- name: Enable and start mongod for the first time - ansible.builtin.service: - name: mongod.service - enabled: true - state: started - -- name: Check if mongodb authentication is activated - ansible.builtin.shell: - cmd: "mongosh 'mongodb://127.0.0.1:{{ mongo_port }}/admin' --eval 'db.runCommand({ usersInfo: 1 })'" - register: mongo_authentication_disabled - changed_when: false - ignore_errors: true - check_mode: false # This can safely run in check mode because it is not changing anything - failed_when: mongo_authentication_disabled.rc > 1 # rc=1 means command failed because authentication is enabled, we need to know that but we don't need to see an error - -- name: Debug mongodb authentication check - ansible.builtin.debug: - msg: "{{ mongo_authentication_disabled.stdout }}" - verbosity: 2 - -# first run add admin user without logging in -- name: Add the admin user - community.mongodb.mongodb_user: - login_database: admin - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - roles: root - state: present - no_log: true - run_once: true - when: mongo_authentication_disabled.rc == 0 - - -# restart mongo right away with authentication enabled -- name: Flush handlers - ansible.builtin.meta: flush_handlers +# todo mag weg? \ No newline at end of file From 20a048f87c30ed98d070f3f483ec022364676ae7 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 25 Mar 2026 17:19:08 +0100 Subject: [PATCH 26/70] replication-set_name variable rename --- roles/mongo/tasks/clusterconfig.yml | 44 ++++++++++++---------------- roles/mongo/tasks/generalconfig.yml | 2 +- roles/mongo/templates/mongod.conf.j2 | 2 +- 3 files changed, 21 insertions(+), 27 deletions(-) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 6f258d918..c7fe6f149 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
@@ -4,6 +4,7 @@ # todo rs.add add stees opnieuw dat willen we niet # todo arbiter optie # todo set votes, priority, hidden (uit hostvars?) +# priority moet matchen met replication role, of replication role uit cluster mebers halen? # todo write concern zetten # todo test alle servers leeg in 1 keer deployen # todo test primary eerst dan secundaries 
@@ -61,34 +62,27 @@ login_user: admin login_port: "{{ mongo_port }}" login_password: "{{ mongo_admin_password }}" - replica_set: "{{ replica_set_name }}" + replica_set: "{{ mongo_replica_set_name }}" members: "{{ mongo_cluster_members }}" - arbiter_at_index: "{{ mongo_arbiter_index | default(0) }}" validate: false run_once: true when: mongo_replication_role == 'primary' -- name: Add members to cluster - when: mongo_replication_role != "primary" - block: - - name: Add new mongo server to replication set - when: mongo_replication_role != "arbiter" - shell: | - mongosh -u admin --password {{ mongo_admin_password }} --eval 'rs.add ( { host: "{{ ansible_hostname }}:{{ mongo_port }}" } )' - register: rs_add - changed_when: false - delegate_to: "{{ mongo_primary_host }}" - - - name: Add new mongo arbitrator to replication set - when: mongo_replication_role == "arbiter" - shell: | - mongosh -u admin --password {{ mongo_admin_password }} --eval ' - rs.addArb (" { host: "{{ ansible_hostname }}:{{ mongo_port }}", - priority: 0 }")' - register: rs_add - delegate_to: "{{ mongo_primary_host }}" +# - name: Add members to cluster +# when: mongo_replication_role != "primary" +# block: +# - name: Add new mongo server to replication set +# when: mongo_replication_role != "arbiter" +# community.mongodb.mongodb_shell: +# login_host: localhost +# login_user: admin +# login_password: "{{ mongo_admin_password }}" +# login_database: admin +# eval: 'rs.add({ host: "{{ ansible_hostname }}:{{ mongo_port }}" })' +# register: rs_add +# delegate_to: "{{ mongo_primary_host }}" - - name: Debug rs add event - ansible.builtin.debug: - var: rs_add - verbosity: 2 \ No newline at end of file + # - name: Debug rs add event + # ansible.builtin.debug: + # var: rs_add + # verbosity: 2 \ No newline at end of file diff --git a/roles/mongo/tasks/generalconfig.yml b/roles/mongo/tasks/generalconfig.yml index 270ab2fd0..b20f4c45a 100644 --- a/roles/mongo/tasks/generalconfig.yml 
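Review bot: The `Add members to cluster` block is replaced by a commented-out copy (`# - name: Add members to cluster …` through `# verbosity: 2`) instead of being deleted; commented YAML tasks are not linted, drift from the live code, and git already keeps the old version. Delete the commented block and record the intent once in the todo list at the top of the file, e.g. `# todo rs.add via community.mongodb.mongodb_shell, see git history`. Dropping `arbiter_at_index` is consistent with the `# todo arbiter optie` line, but it leaves the `Initial cluster initialisation` task with no arbiter handling at all until that todo is done, which is worth stating in the same comment.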
+++ b/roles/mongo/tasks/generalconfig.yml @@ -30,7 +30,7 @@ login_port: "{{ mongo_port }}" roles: root state: present - no_log: true + # todo enable no_log: true run_once: true when: mongo_authentication_disabled.rc == 0 diff --git a/roles/mongo/templates/mongod.conf.j2 b/roles/mongo/templates/mongod.conf.j2 index 40b481dfd..30affdf12 100644 --- a/roles/mongo/templates/mongod.conf.j2 +++ b/roles/mongo/templates/mongod.conf.j2 @@ -18,7 +18,7 @@ storage: {% if replica_set_name is defined and mongo_mode == "cluster" %} replication: - replSetName: {{ replica_set_name }} + replSetName: {{ mongo_replica_set_name }} {% endif %} security: From c200530526503ea8eb8236485fe55c0363228899 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Fri, 27 Mar 2026 11:47:21 +0100 Subject: [PATCH 27/70] clear error message broken cluster --- roles/mongo/tasks/clustercheck.yml | 27 +++++++++++++++++++++++++++ roles/mongo/tasks/clusterconfig.yml | 2 +- roles/mongo/tasks/main.yml | 11 +++++++---- 3 files changed, 35 insertions(+), 5 deletions(-) create mode 100644 roles/mongo/tasks/clustercheck.yml diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clustercheck.yml new file mode 100644 index 000000000..d000ca410 --- /dev/null +++ b/roles/mongo/tasks/clustercheck.yml 
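Review bot: Swapping `no_log: true` for `# todo enable no_log: true` on the `Add the admin user` task means the result of a task that receives `password: "{{ mongo_admin_password }}"` is no longer redacted in verbose output, callback plugins and retry files; the module presumably masks its own `password` argument in `invocation`, but nothing else printed or registered from this task is covered. Keep `no_log: true` on the task; debugging its failures should not remove the redaction of the admin password. The same commented-out line is carried into the PATCH 29 rewrite of this task in the `configure primary or standalone` block, and the users.yml hunk of that commit keeps `#no_log: true todo enable` on a `with_items: "{{ mongo.users }}"` loop, where each `item` with its `password` is echoed per iteration. The surrounding task list continues outside the hunk.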
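Review bot: The guard `{% if replica_set_name is defined and mongo_mode == "cluster" %}` still tests the old variable name while the body now renders `{{ mongo_replica_set_name }}`, so an inventory that defines only `mongo_replica_set_name` never gets a `replication:` section, and one that defines only the old name fails the render with an undefined variable. The rename is half applied in this commit; PATCH 28 later changes the guard to `{% if mongo_replica_set_name is defined and mongo_mode == "cluster" %}`, and the two should move together.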
@@ -0,0 +1,27 @@ +--- +# task file to check if cluster is up and running + +# Get the replicaset status and then lookup the primary's hostname and save to a variable +- name: Check replicaset status + community.mongodb.mongodb_status: + login_host: localhost + login_user: admin + login_port: "{{ mongo_port }}" + login_password: "{{ mongo_admin_password }}" + replica_set: "{{ mongo_replica_set_name }}" + poll: 3 + interval: 10 + register: replica_status + ignore_errors: true + when: mongo_replication_role == 'primary' + +- name: Debug replica set status + ansible.builtin.debug: + msg: "{{ replica_status }}" + +- name: Fail when there is no cluster reconfiguration options set + ansible.builtin.fail: + msg: "Your mongo cluster is broken or non existent and mongo_configure_cluster is disabled, consider enabling it and fix your cluster." + when: + - replica_status.failed + - not mongo_configure_cluster | bool \ No newline at end of file diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index c7fe6f149..c9d2d3ca8 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -64,7 +64,7 @@ login_password: "{{ mongo_admin_password }}" replica_set: "{{ mongo_replica_set_name }}" members: "{{ mongo_cluster_members }}" - validate: false + validate: false # todo moet dat niet true zijn run_once: true when: mongo_replication_role == 'primary' diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index bbd197576..56815d85a 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -47,8 +47,6 @@ ansible.builtin.include_tasks: file: generalconfig.yml - # todo: are both tasks necesary?? below - - name: Include cluster configuration tasks ansible.builtin.include_tasks: file: clusterconfig.yml 
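Review bot: The `Debug replica set status` task prints the whole registered `replica_status` at default verbosity, unlike the other debug tasks in this role, which carry `verbosity: 2`; a `mongodb_status` result includes the full member list and error text, so add `verbosity: 2` to it. The task name `Fail when there is no cluster reconfiguration options set` reads awkwardly; `Fail when the cluster is broken and reconfiguration is disabled` describes the condition the `when:` list actually tests. The file header comment could also state the contract the rest of the role relies on, e.g. `# Registers replica_status; fails the play when the replica set is unreachable and mongo_configure_cluster is false`.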
@@ -56,9 +54,13 @@ - mongo_mode == "cluster" - mongo_configure_cluster | bool # safest option is to set this to false and enable with -e mongo_configure_cluster=true - # todo: add admin user for cluster and standalone in a separate file? - + - name: Include cluster check tasks + ansible.builtin.include_tasks: + file: clustercheck.yml + when: + - mongo_mode == "cluster" + # todo: add admin user for cluster and standalone in a separate file? - name: Include Service tasks ansible.builtin.include_tasks: @@ -67,6 +69,7 @@ - name: Include user creation ansible.builtin.include_tasks: file: users.yml + when: not replica_status.failed OR mongo_mode == "standalone" # Cannot add users on a broken cluster - name: Include postinstallation tasks ansible.builtin.include_tasks: From 8876227e45732bbf894942a74bf3d13e9c78e0d9 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Fri, 27 Mar 2026 12:22:14 +0100 Subject: [PATCH 28/70] cluster intialise almost works --- roles/mongo/tasks/clustercheck.yml | 3 +- roles/mongo/tasks/clusterconfig.yml | 60 ++++++++++++++++++++++------ roles/mongo/tasks/main.yml | 6 ++- roles/mongo/templates/mongod.conf.j2 | 2 +- 4 files changed, 54 insertions(+), 17 deletions(-) diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clustercheck.yml index d000ca410..84d3b61d3 100644 --- a/roles/mongo/tasks/clustercheck.yml +++ b/roles/mongo/tasks/clustercheck.yml @@ -13,8 +13,7 @@ interval: 10 register: replica_status ignore_errors: true - when: mongo_replication_role == 'primary' - + - name: Debug replica set status ansible.builtin.debug: msg: "{{ replica_status }}" diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index c9d2d3ca8..b176ad501 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
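Review bot: `when: not replica_status.failed OR mongo_mode == "standalone"` on `Include user creation` is a Jinja syntax error: boolean operators are lowercase (`or`), so this include fails on every host. Even with `or`, the left operand is evaluated first, and on a standalone server `replica_status` was never registered (clustercheck.yml is included only when `mongo_mode == "cluster"`), so the conditional errors before the standalone test is reached; put the cheap test first, `when: mongo_mode == "standalone" or not replica_status.failed`. PATCH 28 rewrites this condition with a `mongo_replication_role == 'primary' and` guard, which protects secondaries, but the same ordering argument applies there, since a standalone host still has to evaluate `mongo_replication_role` before it reaches the `mongo_mode == 'standalone'` clause.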
@@ -1,7 +1,8 @@ --- # In this task file the cluster is configured -# todo rs.add add stees opnieuw dat willen we niet +# todo "replica set IDs do not match, ours: 69c663d0733acfe1f8d30e5b; remote node's: 69c663d08003f534c4bac5d3" +# todo overrule serial for cluster initialize https://stackoverflow.com/questions/50026802/override-ansible-playbook-serial-from-command-line # todo arbiter optie # todo set votes, priority, hidden (uit hostvars?) # priority moet matchen met replication role, of replication role uit cluster mebers halen? @@ -9,8 +10,7 @@ # todo test alle servers leeg in 1 keer deployen # todo test primary eerst dan secundaries # todo test config wijziging zonder cluster wijziging -# todo node verwijderen -# todo prio wijzigen +# todo node verwijderen of andere reconfiguring - name: Check some cluster related variables when: mongo_mode == "cluster" 
@@ -56,17 +56,51 @@ enabled: true state: started -- name: Initial cluster initialisation - community.mongodb.mongodb_replicaset: - login_host: localhost - login_user: admin - login_port: "{{ mongo_port }}" - login_password: "{{ mongo_admin_password }}" - replica_set: "{{ mongo_replica_set_name }}" - members: "{{ mongo_cluster_members }}" - validate: false # todo moet dat niet true zijn - run_once: true +- name: initialise cluster when: mongo_replication_role == 'primary' + block: + + - name: Check if replica set is already initialised + community.mongodb.mongodb_shell: + login_host: localhost + login_user: admin + login_port: "{{ mongo_port }}" + login_password: "{{ mongo_admin_password }}" + eval: "rs.status().ok" + db: admin + register: rs_already_init + ignore_errors: true + + - name: Initialise replica set (if not already done) + community.mongodb.mongodb_shell: + login_host: localhost + login_user: admin + login_port: "{{ mongo_port }}" + login_password: "{{ mongo_admin_password }}" + eval: | + rs.initiate({ + _id: "{{ mongo_replica_set_name }}", + members: [ + {% for m in mongo_cluster_members %} + { _id: {{ loop.index0 }}, host: "{{ m.host }}", priority: {{ m.priority }}, votes: {{ m.votes }} }{{ "," if not loop.last else "" }} + {% endfor %} + ] + }) + db: admin + when: rs_already_init.failed or rs_already_init.transformed_output[0] != 1 + register: rs_init + + # - name: Initial cluster initialisation + # community.mongodb.mongodb_replicaset: + # login_host: localhost + # login_user: admin + # login_port: "{{ mongo_port }}" + # login_password: "{{ mongo_admin_password }}" + # replica_set: "{{ mongo_replica_set_name }}" + # members: "{{ mongo_cluster_members }}" + # validate: false # todo moet dat niet true zijn + # run_once: true + # when: mongo_replication_role == 'primary' # - name: Add members to cluster # when: mongo_replication_role != "primary" diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 56815d85a..7da1c290e 100644 
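Review bot: The `Check if replica set is already initialised` task runs the read-only `rs.status().ok` but has no `changed_when: false`, so on an already-initialised primary the block reports a change on every run; add `changed_when: false` there, as the role does on its other read-only shell calls. In the `rs.initiate` template, `priority: {{ m.priority }}, votes: {{ m.votes }}` aborts the render with an undefined-attribute error for any `mongo_cluster_members` entry that omits either key; `{{ m.priority | default(1) }}` and `{{ m.votes | default(1) }}` would mirror MongoDB's own member defaults. The guard `when: rs_already_init.failed or rs_already_init.transformed_output[0] != 1` assumes `transformed_output` is a list; if `mongodb_shell` returns a scalar for a single-value eval the index raises rather than skips, which is presumably why PATCH 31 drops that clause. The `initialise cluster` block continues past the end of the hunk.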
--- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -59,6 +59,7 @@ file: clustercheck.yml when: - mongo_mode == "cluster" + - mongo_replication_role == 'primary' # todo: add admin user for cluster and standalone in a separate file? @@ -69,7 +70,10 @@ - name: Include user creation ansible.builtin.include_tasks: file: users.yml - when: not replica_status.failed OR mongo_mode == "standalone" # Cannot add users on a broken cluster + # Cannot add users on a broken cluster + when: > + (mongo_replication_role == 'primary' and not replica_status.failed) + or mongo_mode == 'standalone' - name: Include postinstallation tasks ansible.builtin.include_tasks: diff --git a/roles/mongo/templates/mongod.conf.j2 b/roles/mongo/templates/mongod.conf.j2 index 30affdf12..ebd13a88f 100644 --- a/roles/mongo/templates/mongod.conf.j2 +++ b/roles/mongo/templates/mongod.conf.j2 @@ -16,7 +16,7 @@ net: storage: dbPath: {{ mongo_data_path }} -{% if replica_set_name is defined and mongo_mode == "cluster" %} +{% if mongo_replica_set_name is defined and mongo_mode == "cluster" %} replication: replSetName: {{ mongo_replica_set_name }} {% endif %} From a6227861bf54281123f8bf53e4c66a6ecb8a8a6f Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 30 Mar 2026 11:42:35 +0200 Subject: [PATCH 29/70] cluster creation works --- roles/mongo/tasks/generalconfig.yml | 28 +++++++++++++++------------- roles/mongo/tasks/users.yml | 2 +- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/roles/mongo/tasks/generalconfig.yml b/roles/mongo/tasks/generalconfig.yml index b20f4c45a..08029a136 100644 --- a/roles/mongo/tasks/generalconfig.yml +++ b/roles/mongo/tasks/generalconfig.yml 
@@ -20,19 +20,21 @@ msg: "{{ mongo_authentication_disabled.stdout }}" verbosity: 2 -# first run add admin user without logging in -- name: Add the admin user - community.mongodb.mongodb_user: - login_database: admin - database: admin - name: admin - password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - roles: root - state: present - # todo enable no_log: true - run_once: true - when: mongo_authentication_disabled.rc == 0 +- name: configure primary or standalone + when: mongo_mode == "standalone" or mongo_replication_role == "primary" + block: + # first run add admin user without logging in + - name: Add the admin user + community.mongodb.mongodb_user: + login_database: admin + database: admin + name: admin + password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + roles: root + state: present + # todo enable no_log: true + when: mongo_authentication_disabled.rc == 0 # Config for standalone and replication server - name: Install mongodb.conf file diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index 40afedd8e..22badb15e 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml @@ -10,7 +10,7 @@ name: "{{ item.name }}" password: "{{ item.password }}" roles: "{{ item.role }}" - replica_set: "{{ replica_set_name }}" + replica_set: "{{ mongo_replica_set_name }}" #no_log: true todo enable run_once: true with_items: "{{ mongo.users }}" From 7215c520e2dfd906d2e3aa8d3dfc690687cccee9 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 30 Mar 2026 11:48:33 +0200 Subject: [PATCH 30/70] some cleanuo --- roles/mongo/defaults/main.yml | 8 +++++++- roles/mongo/tasks/clusterconfig.yml | 3 ++- roles/mongo/tasks/main.yml | 12 +----------- 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index c93803017..a708ca0d9 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml 
@@ -65,8 +65,14 @@ mongo_data_path: "/var/lib/mongo" # set in group_vars # mongo_cluster_members: # - host: mongo1.example.com:{{ mongo_port }} +# prioriy: 3 +# votes: 1 # - host: mongo2.example.com:{{ mongo_port }} +# prioriy: 2 +# votes: 1 # - host: mongo3.example.com:{{ mongo_port }} +# prioriy: 2 +# votes: 1 -# to avoid surprises only initiate or reconfigure cluster if this is true (use -e mongo_configure_cluster=true when you run your playbook) +# to avoid surprises only initiate or reconfigure cluster if this is true (safest option is to use -e mongo_configure_cluster=true with your deployemnt when cluster configuration is necessary) mongo_configure_cluster: false diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index b176ad501..ba6a88324 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -1,12 +1,13 @@ --- # In this task file the cluster is configured -# todo "replica set IDs do not match, ours: 69c663d0733acfe1f8d30e5b; remote node's: 69c663d08003f534c4bac5d3" # todo overrule serial for cluster initialize https://stackoverflow.com/questions/50026802/override-ansible-playbook-serial-from-command-line # todo arbiter optie # todo set votes, priority, hidden (uit hostvars?) # priority moet matchen met replication role, of replication role uit cluster mebers halen? # todo write concern zetten + +# testen # todo test alle servers leeg in 1 keer deployen # todo test primary eerst dan secundaries # todo test config wijziging zonder cluster wijziging diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 7da1c290e..4cca44299 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml 
@@ -1,8 +1,5 @@ --- - # - name: Check some variables - # when: mongo_cluster_members is not defined - # ansible.builtin.fail: - # msg: "Something is wrong, mongo_mode was set to cluster but mongo_cluster_members is undefined." +# Main task file mongo role - name: Message for non redhat family servers when: ansible_facts['os_family'] != 'RedHat' @@ -36,13 +33,6 @@ ansible.builtin.include_tasks: file: certs.yml - # todo: magw eg? - # - name: Include standalone configuration tasks - # ansible.builtin.include_tasks: - # file: standaloneconfig.yml - # when: - # - mongo_mode == "standalone" - - name: Include General config tasks ansible.builtin.include_tasks: file: generalconfig.yml From ac4c45c67b5fdfc3e1e60774cf8fe5a11d1133f8 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 30 Mar 2026 12:46:23 +0200 Subject: [PATCH 31/70] add reconfigure option --- roles/mongo/tasks/clusterconfig.yml | 59 +++++++++++++---------------- roles/mongo/tasks/main.yml | 2 - 2 files changed, 27 insertions(+), 34 deletions(-) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index ba6a88324..b7a8c2659 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -1,7 +1,6 @@ --- # In this task file the cluster is configured -# todo overrule serial for cluster initialize https://stackoverflow.com/questions/50026802/override-ansible-playbook-serial-from-command-line # todo arbiter optie # todo set votes, priority, hidden (uit hostvars?) # priority moet matchen met replication role, of replication role uit cluster mebers halen? 
@@ -72,7 +71,19 @@ register: rs_already_init ignore_errors: true - - name: Initialise replica set (if not already done) + - name: Debug cluster initialization check + ansible.builtin.debug: + msg: "{{ rs_already_init }}" + verbosity: 2 + + - name: Debug cluster initialization check failed + ansible.builtin.debug: + msg: "{{ rs_already_init.failed }}" + verbosity: 2 + + # This should be possible with community.mongodb.mongodb_replicaset + # But we keep getting authenticatione error so leave it like this for now + - name: Initialise replica set if necessary community.mongodb.mongodb_shell: login_host: localhost login_user: admin 
@@ -88,36 +99,20 @@ ] }) db: admin - when: rs_already_init.failed or rs_already_init.transformed_output[0] != 1 + when: rs_already_init.failed register: rs_init - # - name: Initial cluster initialisation - # community.mongodb.mongodb_replicaset: - # login_host: localhost - # login_user: admin - # login_port: "{{ mongo_port }}" - # login_password: "{{ mongo_admin_password }}" - # replica_set: "{{ mongo_replica_set_name }}" - # members: "{{ mongo_cluster_members }}" - # validate: false # todo moet dat niet true zijn - # run_once: true - # when: mongo_replication_role == 'primary' + - name: Debug cluster initialization + ansible.builtin.debug: + msg: "{{ rs_init }}" + verbosity: 2 -# - name: Add members to cluster -# when: mongo_replication_role != "primary" -# block: -# - name: Add new mongo server to replication set -# when: mongo_replication_role != "arbiter" -# community.mongodb.mongodb_shell: -# login_host: localhost -# login_user: admin -# login_password: "{{ mongo_admin_password }}" -# login_database: admin -# eval: 'rs.add({ host: "{{ ansible_hostname }}:{{ mongo_port }}" })' -# register: rs_add -# delegate_to: "{{ mongo_primary_host }}" - - # - name: Debug rs add event - # ansible.builtin.debug: - # var: rs_add - # verbosity: 2 \ No newline at end of file + - name: Reconfigure cluster if necessary + community.mongodb.mongodb_replicaset: + login_host: localhost + login_user: admin + login_password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + reconfigure: true + replica_set: "{{ mongo_replica_set_name }}" + members: "{{ mongo_cluster_members }}" diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 4cca44299..a8a1901ec 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml 
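Review bot: `when: rs_already_init.failed` on `Initialise replica set if necessary` treats every failure of the `rs.status().ok` probe as "not yet initialised": an authentication error or a refused connection on the probe now leads straight into an `rs.initiate` attempt, which would then fail for the same reason with the cause one step removed. Narrow the guard to the condition you actually mean, e.g. `when: rs_already_init.failed and 'NotYetInitialized' in (rs_already_init.msg | default(''))`, and let any other probe failure surface as itself. `Reconfigure cluster if necessary` then runs unconditionally and immediately after a possible `rs.initiate`, before the new set has elected a primary; the `Wait for the replicaset to stabilise` task that PATCH 36 adds belongs between the initiate and the reconfigure rather than after both. The block continues past the end of the hunk.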
@@ -51,8 +51,6 @@ - mongo_mode == "cluster" - mongo_replication_role == 'primary' - # todo: add admin user for cluster and standalone in a separate file? - - name: Include Service tasks ansible.builtin.include_tasks: file: services.yml From b88be2c6d88ca7d36cc01ed8526aae6e94b5858f Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 1 Apr 2026 16:06:34 +0200 Subject: [PATCH 32/70] change readme, add arbiter option --- roles/mongo/README.md | 21 +++++++++------------ roles/mongo/defaults/main.yml | 9 +++++---- roles/mongo/tasks/clusterconfig.yml | 16 +++++++--------- 3 files changed, 21 insertions(+), 25 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 58b66111c..dd8f31950 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md 
@@ -14,21 +14,18 @@ Set the mongo_cluster_private_key variable encrypted in host_vars Please review the official Mongo documentation for more information. +# Mongo deployment + +To avoid surprisesyou can enable or disable cluster configuration with the boolean option mongo_configure_cluster. The role willonly initiate or reconfigure cluster if this is true (safest option is to use -e mongo_configure_cluster=true with your deployment when cluster configuration is necessary). +Another issue is the serial value, it is safest to set it to 1 in your playbook, if it is higher multiple mongo nodes can will be restarted at once and it can break your cluster. However when you want to intialise a new cluster you need to run the tasks parallel and serial needs to be as high as the amount of nodes. We handled this with a variable serial with the name serial_number in our playbook with a default 1. If cluster initialisation or reconfiguration is necessary use -e "serial_number=" + + +See also https://docs.ansible.com/projects/ansible/latest/playbook_guide/playbooks_strategies.html#setting-the-batch-size-with-serial + + # Todo - [x] Check mongo_replication_roles and give a clear fail message when not set - [ ] Add option to change the already existing admin user, for now change the password manually and change it in the ansible config accordingly - [ ] Add the possibility for adding and removing cluster members - [x] Add the possibility for a standalone mongo server - [ ] Cluster config does not work with serial 1 in the play but for mongo config changes you do want serial 1, split up the role? - -- secondary en arbitrator toevoegen. met delegate en rsadd? -- werkt het ook met d emongo replication module? -- hoe afdwingen dat de prmary eerst gaat? -- check todos in de code -- extra check is er al een cluster niks aan doen -- optie removen evt -- rs.addArb - -TEST - -- mongo conf veranderen zonder replicatie gedoe \ No newline at end of file 
diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index a708ca0d9..8b4c4d5b7 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -65,14 +65,15 @@ mongo_data_path: "/var/lib/mongo" # set in group_vars # mongo_cluster_members: # - host: mongo1.example.com:{{ mongo_port }} -# prioriy: 3 +# priority: 3 # votes: 1 # - host: mongo2.example.com:{{ mongo_port }} -# prioriy: 2 +# priority: 2 # votes: 1 # - host: mongo3.example.com:{{ mongo_port }} -# prioriy: 2 +# priority: 1 # votes: 1 +# arbiterOnly: true -# to avoid surprises only initiate or reconfigure cluster if this is true (safest option is to use -e mongo_configure_cluster=true with your deployemnt when cluster configuration is necessary) +# to avoid surprises only initiate or reconfigure cluster if this is true (safest option is to use -e mongo_configure_cluster=true with your deployment when cluster configuration is necessary) mongo_configure_cluster: false diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index b7a8c2659..4b15632eb 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -12,6 +12,7 @@ # todo test config wijziging zonder cluster wijziging # todo node verwijderen of andere reconfiguring +# Do some preflight checks - name: Check some cluster related variables when: mongo_mode == "cluster" block: @@ -25,6 +26,7 @@ msg: "Replica set name {{ mongo_replica_set_name }}" verbosity: 2 +# Who is primary - name: Identify designated primary ansible.builtin.set_fact: mongo_primary_host: >- @@ -38,7 +40,6 @@ }} failed_when: mongo_primary_host is not defined or mongo_primary_host == '' -# Who is primary - name: Debug primary settings ansible.builtin.debug: msg: "Primary is {{ mongo_primary_host }}" 
@@ -50,16 +51,17 @@ msg: "This nodes replication role is {{ mongo_replication_role }}" verbosity: 2 +# Cannot initialise a cluster without starting....... - name: Enable and start mongod ansible.builtin.service: name: mongod.service enabled: true state: started -- name: initialise cluster +# Initialise cluster block +- name: initialise or reconfigure cluster block when: mongo_replication_role == 'primary' block: - - name: Check if replica set is already initialised community.mongodb.mongodb_shell: login_host: localhost @@ -76,11 +78,6 @@ msg: "{{ rs_already_init }}" verbosity: 2 - - name: Debug cluster initialization check failed - ansible.builtin.debug: - msg: "{{ rs_already_init.failed }}" - verbosity: 2 - # This should be possible with community.mongodb.mongodb_replicaset # But we keep getting authenticatione error so leave it like this for now - name: Initialise replica set if necessary @@ -94,7 +91,7 @@ _id: "{{ mongo_replica_set_name }}", members: [ {% for m in mongo_cluster_members %} - { _id: {{ loop.index0 }}, host: "{{ m.host }}", priority: {{ m.priority }}, votes: {{ m.votes }} }{{ "," if not loop.last else "" }} + { _id: {{ loop.index0 }}, host: "{{ m.host }}", priority: {{ m.priority }}, votes: {{ m.votes }}{% if m.arbiterOnly is defined and m.arbiterOnly and m.arbiterOnly == true %}, arbiterOnly: true {% endif %} }{{ "," if not loop.last else "" }} {% endfor %} ] }) @@ -107,6 +104,7 @@ msg: "{{ rs_init }}" verbosity: 2 + # Reconfigure cluster - name: Reconfigure cluster if necessary community.mongodb.mongodb_replicaset: login_host: localhost From cd5b3b0db6a45fd72b4a28d11f9a45d3074a3b74 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 1 Apr 2026 16:10:02 +0200 Subject: [PATCH 33/70] add more reconfigure info --- roles/mongo/tasks/clusterconfig.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 4b15632eb..9cbdb4d9f 100644 
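Review bot: The member line in the `rs.initiate` template spells one test three ways, `{% if m.arbiterOnly is defined and m.arbiterOnly and m.arbiterOnly == true %}`; `{% if m.arbiterOnly | default(false) | bool %}` expresses the same thing and also accepts the string forms inventories tend to produce. The defaults/main.yml example in this commit gives the arbiter `priority: 1` and `votes: 1`; as far as I recall mongod rejects a member config that combines `arbiterOnly: true` with a non-zero priority, so the documented example should read `priority: 0` for that member. The initialise block continues past the end of the hunk.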
--- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -114,3 +114,9 @@ reconfigure: true replica_set: "{{ mongo_replica_set_name }}" members: "{{ mongo_cluster_members }}" + register: rs_reconfigure + + - name: Debug cluster reconfiguration + ansible.builtin.debug: + msg: "{{ rs_reconfigure }}" + verbosity: 2 \ No newline at end of file From 6f56e74c583db786db9dcec704dcbae6abbd14b1 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 1 Apr 2026 16:13:26 +0200 Subject: [PATCH 34/70] change readme --- roles/mongo/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index dd8f31950..f34b3c019 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md @@ -26,6 +26,6 @@ See also https://docs.ansible.com/projects/ansible/latest/playbook_guide/playboo # Todo - [x] Check mongo_replication_roles and give a clear fail message when not set - [ ] Add option to change the already existing admin user, for now change the password manually and change it in the ansible config accordingly -- [ ] Add the possibility for adding and removing cluster members +- [x] Add the possibility for adding and removing cluster members - [x] Add the possibility for a standalone mongo server -- [ ] Cluster config does not work with serial 1 in the play but for mongo config changes you do want serial 1, split up the role? +- [x] Cluster changes can be enabled or disabled From a0a404e3d00999061e6fa338bda9dd9348317e4c Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 1 Apr 2026 16:28:01 +0200 Subject: [PATCH 35/70] better errors --- roles/mongo/README.md | 1 + roles/mongo/tasks/clustercheck.yml | 12 +++++++++--- roles/mongo/tasks/clusterconfig.yml | 8 -------- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index f34b3c019..bf83b9ba9 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md 
@@ -29,3 +29,4 @@ See also https://docs.ansible.com/projects/ansible/latest/playbook_guide/playboo - [x] Add the possibility for adding and removing cluster members - [x] Add the possibility for a standalone mongo server - [x] Cluster changes can be enabled or disabled +- [ ] Reconfigure cluster always reports changed diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clustercheck.yml index 84d3b61d3..1563e736c 100644 --- a/roles/mongo/tasks/clustercheck.yml +++ b/roles/mongo/tasks/clustercheck.yml @@ -13,14 +13,20 @@ interval: 10 register: replica_status ignore_errors: true - + - name: Debug replica set status ansible.builtin.debug: msg: "{{ replica_status }}" - name: Fail when there is no cluster reconfiguration options set ansible.builtin.fail: - msg: "Your mongo cluster is broken or non existent and mongo_configure_cluster is disabled, consider enabling it and fix your cluster." + msg: "Your mongo cluster is broken or non existent and mongo_configure_cluster is disabled, consider enabling it and fix your cluster. The error: {{ replica_status.msg }}." when: - replica_status.failed - - not mongo_configure_cluster | bool \ No newline at end of file + - not mongo_configure_cluster | bool + +- name: Fail when you misconfigured your replica cluster + ansible.builtin.fail: + msg: "Your mongo cluster is broken, error: {{ replica_status.msg }}." + when: + - replica_status.failed \ No newline at end of file diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 9cbdb4d9f..cbb5b8dac 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
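Review bot: The new `Fail when you misconfigured your replica cluster` task fires on every `replica_status.failed`, so it is only reached when the preceding task did not fire, i.e. when `mongo_configure_cluster` is true and the cluster is still broken after main.yml has already included clusterconfig.yml; its message could say so: `msg: "Your mongo cluster is still broken after reconfiguration, error: {{ replica_status.msg }}."`. A one-line comment above the pair, `# Two messages for one condition: the first covers the disabled-reconfiguration case`, would keep the next reader from merging them. The `Debug replica set status` task before them still prints the full `replica_status` at default verbosity while the rest of the role uses `verbosity: 2`.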
@@ -1,17 +1,9 @@ --- # In this task file the cluster is configured -# todo arbiter optie -# todo set votes, priority, hidden (uit hostvars?) # priority moet matchen met replication role, of replication role uit cluster mebers halen? # todo write concern zetten -# testen -# todo test alle servers leeg in 1 keer deployen -# todo test primary eerst dan secundaries -# todo test config wijziging zonder cluster wijziging -# todo node verwijderen of andere reconfiguring - # Do some preflight checks - name: Check some cluster related variables when: mongo_mode == "cluster" From 1ac754ccc002e6f95033c9334956568aade22869 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 2 Apr 2026 09:40:32 +0200 Subject: [PATCH 36/70] last changes --- roles/mongo/defaults/main.yml | 3 +++ roles/mongo/tasks/clusterconfig.yml | 42 ++++++++++++++++++++++++++++- 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index 8b4c4d5b7..4125fc9ae 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -75,5 +75,8 @@ mongo_data_path: "/var/lib/mongo" # votes: 1 # arbiterOnly: true +mongo_cluster_write_concern: "majority" +mongo_cluster_write_timeout: 5000 + # to avoid surprises only initiate or reconfigure cluster if this is true (safest option is to use -e mongo_configure_cluster=true with your deployment when cluster configuration is necessary) mongo_configure_cluster: false diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index cbb5b8dac..0dc99a799 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
@@ -111,4 +111,44 @@ - name: Debug cluster reconfiguration ansible.builtin.debug: msg: "{{ rs_reconfigure }}" - verbosity: 2 \ No newline at end of file + verbosity: 2 + + - name: Wait for the replicaset to stabilise + community.mongodb.mongodb_status: + replica_set: "{{ mongo_replica_set_name }}" + login_host: localhost + login_user: admin + login_password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + poll: 5 + interval: 30 + + # Cluster settings that cannot be changed with mongodb_replicaset + + - name: Get current default write concern + community.mongodb.mongodb_shell: + login_host: localhost + login_port: 27017 + login_user: admin + login_password: "{{ mongo_admin_password }}" + eval: "db.adminCommand({ getDefaultRWConcern: 1 })" + #transform: raw + register: current_write_concern + changed_when: false + + - name: Debug write concern check + ansible.builtin.debug: + msg: "{{ current_write_concern.transformed_output.defaultWriteConcern }}" + verbosity: 2 + + - name: Set default write concern + community.mongodb.mongodb_shell: + login_host: localhost + login_user: admin + login_password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + eval: "db.adminCommand({ setDefaultRWConcern: 1, defaultWriteConcern: { w: {{ mongo_cluster_write_concern | default('majority') }}, wtimeout: {{ mongo_cluster_write_timeout | default(5000) }} } })" + when: > + current_write_concern.transformed_output.defaultWriteConcern.w | string != mongo_cluster_write_concern | default('majority') | string + or + current_write_concern.transformed_output.defaultWriteConcern.wtimeout | int != mongo_cluster_write_timeout | default(5000) | int \ No newline at end of file From b9c8c56d03f93c48af6e6edd1dfd92c63fe8e06f Mon Sep 17 00:00:00 2001 
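Review bot: `Get current default write concern` hard-codes `login_port: 27017` while every sibling task in the hunk uses `login_port: "{{ mongo_port }}"`, so with a non-default `mongo_port` the getter talks to the wrong port (or nothing) and the setter then runs on a comparison against a missing value. The `setDefaultRWConcern` eval splices `mongo_cluster_write_concern` and `mongo_cluster_write_timeout` into JavaScript with no quoting or validation, and the module's `eval` argument is, as far as visible, handed to mongosh as code under the admin login; an `ansible.builtin.assert` ahead of these tasks, `that: mongo_cluster_write_concern == 'majority' or (mongo_cluster_write_concern | string) is match('^[0-9]+$')` plus `(mongo_cluster_write_timeout | string) is match('^[0-9]+$')`, bounds what can reach it. The enclosing `Initialise or reconfigure cluster block` starts outside the hunk.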
From: Chantal Rosmuller Date: Mon, 13 Apr 2026 17:10:07 +0200 Subject: [PATCH 37/70] more documentation and fix for writeconcern number format issue --- roles/mongo/README.md | 4 ++++ roles/mongo/tasks/clusterconfig.yml | 36 +++++++++++++++++++++-------- 2 files changed, 30 insertions(+), 10 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index bf83b9ba9..2b27a712f 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md @@ -22,6 +22,9 @@ Another issue is the serial value, it is safest to set it to 1 in your playbook, See also https://docs.ansible.com/projects/ansible/latest/playbook_guide/playbooks_strategies.html#setting-the-batch-size-with-serial +# Cluster reconfiguration + +Warning: the cluster reconfiguration option in the mongodb_replicationset module is experimental. and you can only add or remove one node at a time. # Todo - [x] Check mongo_replication_roles and give a clear fail message when not set @@ -30,3 +33,4 @@ See also https://docs.ansible.com/projects/ansible/latest/playbook_guide/playboo - [x] Add the possibility for a standalone mongo server - [x] Cluster changes can be enabled or disabled - [ ] Reconfigure cluster always reports changed +- [ ] Initialise cluster always reports changed diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 0dc99a799..e7f56c784 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -51,7 +51,7 @@ state: started # Initialise cluster block -- name: initialise or reconfigure cluster block +- name: Initialise or reconfigure cluster block when: mongo_replication_role == 'primary' block: - name: Check if replica set is already initialised @@ -97,6 +97,7 @@ verbosity: 2 # Reconfigure cluster + # todo: this alwasy returns changed even wehn nothing changes - name: Reconfigure cluster if necessary community.mongodb.mongodb_replicaset: login_host: localhost 
@@ -132,7 +133,6 @@
 login_user: admin
 login_password: "{{ mongo_admin_password }}"
 eval: "db.adminCommand({ getDefaultRWConcern: 1 })"
- #transform: raw
 register: current_write_concern
 changed_when: false
@@ -140,15 +140,31 @@ ansible.builtin.debug: msg: "{{ current_write_concern.transformed_output.defaultWriteConcern }}" verbosity: 2 + when: current_write_concern.transformed_output.defaultWriteConcern is defined - name: Set default write concern - community.mongodb.mongodb_shell: - login_host: localhost - login_user: admin - login_password: "{{ mongo_admin_password }}" - login_port: "{{ mongo_port }}" - eval: "db.adminCommand({ setDefaultRWConcern: 1, defaultWriteConcern: { w: {{ mongo_cluster_write_concern | default('majority') }}, wtimeout: {{ mongo_cluster_write_timeout | default(5000) }} } })" when: > - current_write_concern.transformed_output.defaultWriteConcern.w | string != mongo_cluster_write_concern | default('majority') | string + current_write_concern.transformed_output.defaultWriteConcern is defined + and + (current_write_concern.transformed_output.defaultWriteConcern.w | string != mongo_cluster_write_concern | default('majority') | string or - current_write_concern.transformed_output.defaultWriteConcern.wtimeout | int != mongo_cluster_write_timeout | default(5000) | int \ No newline at end of file + current_write_concern.transformed_output.defaultWriteConcern.wtimeout | int != mongo_cluster_write_timeout | default(5000) | int) + or current_write_concern.transformed_output.defaultWriteConcern is not defined + block: + - name: "set write concern majority" + when: mongo_cluster_write_concern == "majority" + community.mongodb.mongodb_shell: + login_host: localhost + login_user: admin + login_password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + eval: "db.adminCommand({ setDefaultRWConcern: 1, defaultWriteConcern: { w: \"{{ mongo_cluster_write_concern | default('majority') }}\", wtimeout: {{ mongo_cluster_write_timeout | default(5000) }} } })" + # could not get this to work with either majority with quotes or number without quotes so for now an ugly fix + - name: "set write concern numeric" + when: mongo_cluster_write_concern != 
"majority" + community.mongodb.mongodb_shell: + login_host: localhost + login_user: admin + login_password: "{{ mongo_admin_password }}" + login_port: "{{ mongo_port }}" + eval: "db.adminCommand({ setDefaultRWConcern: 1, defaultWriteConcern: { w: {{ mongo_cluster_write_concern | default('majority') }}, wtimeout: {{ mongo_cluster_write_timeout | default(5000) }} } })" From 6feb77b315e8119d78590b2bb12fa3018a213dcb Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 13 Apr 2026 17:12:06 +0200 Subject: [PATCH 38/70] more documentation --- roles/mongo/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 2b27a712f..9a9718bcb 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md @@ -34,3 +34,4 @@ Warning: the cluster reconfiguration option in the mongodb_replicationset module - [x] Cluster changes can be enabled or disabled - [ ] Reconfigure cluster always reports changed - [ ] Initialise cluster always reports changed +- [ ] Check replication role of a host in host_vars against the settings in the cluster_members array From 6ff561e2409ae89c64a07c8886a3823bca2c0afb Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 22 Apr 2026 10:33:28 +0200 Subject: [PATCH 39/70] add role default --- roles/mongo/tasks/users.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index 22badb15e..4834d3dee 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml @@ -9,7 +9,7 @@ login_password: "{{ mongo_admin_password }}" name: "{{ item.name }}" password: "{{ item.password }}" - roles: "{{ item.role }}" + roles: "{{ item.role | default('readWrite')}}" replica_set: "{{ mongo_replica_set_name }}" #no_log: true todo enable run_once: true From 64be4bed5bc85151b89a7ef9a9cc5b1f7f5c7e83 Mon Sep 17 00:00:00 2001 
From: Chantal Rosmuller Date: Wed, 22 Apr 2026 11:04:16 +0200 Subject: [PATCH 40/70] pymongo version --- roles/mongo/defaults/main.yml | 1 + roles/mongo/tasks/install.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index 4125fc9ae..048b0f389 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -60,6 +60,7 @@ mongo_group: "mongod" # Paths mongo_config_file: "/etc/mongod.conf" mongo_data_path: "/var/lib/mongo" +mongo_pymongo_version: 4.16 # cluster members # set in group_vars diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index 25b14efa1..b851fd203 100644 --- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml @@ -15,7 +15,7 @@ - name: Install pymongo ansible.builtin.pip: - name: pymongo + name: pymongo="{{ mongo_pymongo_version }}" - name: Install kernel settings script ansible.builtin.copy: From 6f558701f3dfe620895caff90d8ee13325071a8e Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 22 Apr 2026 11:08:21 +0200 Subject: [PATCH 41/70] pymongo version --- roles/mongo/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index b851fd203..ea604e500 100644 --- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml @@ -15,7 +15,7 @@ - name: Install pymongo ansible.builtin.pip: - name: pymongo="{{ mongo_pymongo_version }}" + name: pymongo=="{{ mongo_pymongo_version }}" - name: Install kernel settings script ansible.builtin.copy: From 4eb897186254148d156f287a0f4da4f334b5a49f Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 22 Apr 2026 11:11:53 +0200 Subject: [PATCH 42/70] pymongo version --- roles/mongo/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index 048b0f389..9e9ba721a 100644 
--- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -60,7 +60,7 @@ mongo_group: "mongod" # Paths mongo_config_file: "/etc/mongod.conf" mongo_data_path: "/var/lib/mongo" -mongo_pymongo_version: 4.16 +mongo_pymongo_version: 4.16.0 # cluster members # set in group_vars From 1521493b41dd4b8e1b37d3b5496eaaac1764d6d9 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 22 Apr 2026 11:12:56 +0200 Subject: [PATCH 43/70] pymongo version --- roles/mongo/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/tasks/install.yml b/roles/mongo/tasks/install.yml index ea604e500..9103a2ca8 100644 --- a/roles/mongo/tasks/install.yml +++ b/roles/mongo/tasks/install.yml @@ -15,7 +15,7 @@ - name: Install pymongo ansible.builtin.pip: - name: pymongo=="{{ mongo_pymongo_version }}" + name: pymongo=={{ mongo_pymongo_version }} - name: Install kernel settings script ansible.builtin.copy: From 8d484729f872227f3e95a645b50cd40310e677d4 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 22 Apr 2026 11:33:44 +0200 Subject: [PATCH 44/70] rename replica_set to mongo_ --- environments/template/group_vars/mongo_servers.yml | 2 +- roles/mongo/tasks/clusterconfig.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/environments/template/group_vars/mongo_servers.yml b/environments/template/group_vars/mongo_servers.yml index 70bb40871..d9f3e10cc 100644 --- a/environments/template/group_vars/mongo_servers.yml +++ b/environments/template/group_vars/mongo_servers.yml @@ -1,5 +1,5 @@ --- -replica_set_name: my_mongo_cluster +mongo_replica_set_name: my_mongo_cluster mongo_cluster_members: - host: "mongo3.example.com:{{ mongo_port }}" # arbiter first or change mongo_arbiter_index diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index e7f56c784..6e8b2bffa 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml 
@@ -8,10 +8,10 @@ - name: Check some cluster related variables when: mongo_mode == "cluster" block: - - name: Fail on undefined replica_set_name + - name: Fail on undefined mongo_replica_set_name when: mongo_replica_set_name is not defined ansible.builtin.fail: - msg: "Something is wrong, mongo_mode was set to cluster but replica_set_name is undefined." + msg: "Something is wrong, mongo_mode was set to cluster but mongo_replica_set_name is undefined." - name: Debug replica settings ansible.builtin.debug: From abf763d31bf26b2c021e86f90044a8ca12b9b1c5 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Fri, 24 Apr 2026 10:55:28 +0200 Subject: [PATCH 45/70] fix merge conflict --- roles/mongo/tasks/main.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index 8d0dc03e9..a8a1901ec 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -33,7 +33,6 @@ ansible.builtin.include_tasks: file: certs.yml -<<<<<<< HEAD - name: Include General config tasks ansible.builtin.include_tasks: file: generalconfig.yml @@ -55,11 +54,6 @@ - name: Include Service tasks ansible.builtin.include_tasks: file: services.yml -======= - # - name: Include cluster installation tasks - # ansible.builtin.include_tasks: - # file: clusterconfig.yml ->>>>>>> main - name: Include user creation ansible.builtin.include_tasks: From 15cce53f941bc04688f8aa0d51a9e0297f38b13f Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Fri, 24 Apr 2026 11:51:58 +0200 Subject: [PATCH 46/70] add task --- roles/mongo/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 9a9718bcb..2bd0900ca 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md 
@@ -34,4 +34,5 @@ Warning: the cluster reconfiguration option in the mongodb_replicationset module - [x] Cluster changes can be enabled or disabled - [ ] Reconfigure cluster always reports changed - [ ] Initialise cluster always reports changed +- [ ] check mode for writeconcern change tasks does not report change () same for any other mongodb_shell task "remote module (community.mongodb.mongodb_shell) does not support check mode"} - [ ] Check replication role of a host in host_vars against the settings in the cluster_members array From 4717b5fbbbb2f33da0e6b5a36c845bfb8f3b2b8c Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 29 Apr 2026 11:56:49 +0200 Subject: [PATCH 47/70] add error --- roles/mongo/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 2bd0900ca..ce3a3fc8c 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md @@ -36,3 +36,4 @@ Warning: the cluster reconfiguration option in the mongodb_replicationset module - [ ] Initialise cluster always reports changed - [ ] check mode for writeconcern change tasks does not report change () same for any other mongodb_shell task "remote module (community.mongodb.mongodb_shell) does not support check mode"} - [ ] Check replication role of a host in host_vars against the settings in the cluster_members array +- [ ] Fail when you misconfigured your replica cluster task is executed when a node is added and the total amount is an even number, this however hard to avoid because the cluster reconfiguration task can opnly add 1 node at a time From 371da40a635fbbe7976f079479e1f4462d9ff4f0 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 30 Apr 2026 12:56:19 +0200 Subject: [PATCH 48/70] fix fail pn even numbers --- roles/mongo/tasks/clusterconfig.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index 6e8b2bffa..d0472afbf 100644 
--- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -123,6 +123,7 @@ login_port: "{{ mongo_port }}" poll: 5 interval: 30 + validate: minimal # default fails on even number of servers and although this is not a great situation, it is sometimes the temporary situation because we can onlye add or remove 1 node at a time # Cluster settings that cannot be changed with mongodb_replicaset From e23fc7523d4ceeeb8cc04bb029a6e985c094977e Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 30 Apr 2026 13:15:40 +0200 Subject: [PATCH 49/70] readable cluster config check --- roles/mongo/tasks/clustercheck.yml | 74 +++++++++++++++++++----------- 1 file changed, 48 insertions(+), 26 deletions(-) diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clustercheck.yml index 1563e736c..3096a8f5c 100644 --- a/roles/mongo/tasks/clustercheck.yml +++ b/roles/mongo/tasks/clustercheck.yml 
@@ -1,32 +1,54 @@ --- # task file to check if cluster is up and running -# Get the replicaset status and then lookup the primary's hostname and save to a variable -- name: Check replicaset status - community.mongodb.mongodb_status: - login_host: localhost - login_user: admin - login_port: "{{ mongo_port }}" - login_password: "{{ mongo_admin_password }}" - replica_set: "{{ mongo_replica_set_name }}" - poll: 3 - interval: 10 - register: replica_status - ignore_errors: true +- name: Cluster check when we are not in cluster config mode + when: not mongo_configure_cluster | bool + block: + # Get the replicaset status and fail on minimal (everything but even number of nodes) + - name: Check replicaset status + community.mongodb.mongodb_status: + login_host: localhost + login_user: admin + login_port: "{{ mongo_port }}" + login_password: "{{ mongo_admin_password }}" + replica_set: "{{ mongo_replica_set_name }}" + poll: 3 + interval: 10 + register: replica_status + ignore_errors: true -- name: Debug replica set status - ansible.builtin.debug: - msg: "{{ replica_status }}" + - name: Debug replica set status + ansible.builtin.debug: + msg: "{{ replica_status }}" + verbose: 2 -- name: Fail when there is no cluster reconfiguration options set - ansible.builtin.fail: - msg: "Your mongo cluster is broken or non existent and mongo_configure_cluster is disabled, consider enabling it and fix your cluster. The error: {{ replica_status.msg }}." - when: - - replica_status.failed - - not mongo_configure_cluster | bool + # Message for non cluster config mode + - name: Fail when there is no cluster reconfiguration options set + ansible.builtin.fail: + msg: "Your mongo cluster is broken or non existent and mongo_configure_cluster is disabled, consider enabling it and fix your cluster. The error: {{ replica_status.msg }}." 
+ when: + - replica_status_minimal.failed -- name: Fail when you misconfigured your replica cluster - ansible.builtin.fail: - msg: "Your mongo cluster is broken, error: {{ replica_status.msg }}." - when: - - replica_status.failed \ No newline at end of file +- name: Cluster check when we are in cluster config mode + when: mongo_configure_cluster | bool + block: + # Get the replicaset status and fail on minimal (everything but even number of nodes) + - name: Check replicaset status + community.mongodb.mongodb_status: + login_host: localhost + login_user: admin + login_port: "{{ mongo_port }}" + login_password: "{{ mongo_admin_password }}" + replica_set: "{{ mongo_replica_set_name }}" + poll: 3 + interval: 10 + validate: minimal + register: replica_status_minimal + ignore_errors: true + + # Message for cluster config mode gone wrong + - name: Fail when you misconfigured your replica cluster + ansible.builtin.fail: + msg: "Your mongo cluster is broken, error: {{ replica_status_minimal.msg }}." + when: + - replica_status_minimal.failed From 7a5dc77484649e8115f66faad86c2a71d994bcd1 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 30 Apr 2026 13:22:04 +0200 Subject: [PATCH 50/70] some typos --- roles/mongo/tasks/clustercheck.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clustercheck.yml index 3096a8f5c..06d6f48c9 100644 --- a/roles/mongo/tasks/clustercheck.yml +++ b/roles/mongo/tasks/clustercheck.yml 
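Review bot: The two blocks register the same status check under different names, `replica_status` in non-config mode and `replica_status_minimal` in config mode, so anything outside this file that reads `replica_status` — the removed version registered it unconditionally — becomes undefined whenever `mongo_configure_cluster` is true. One task with `validate: "{{ 'minimal' if mongo_configure_cluster | bool else 'default' }}"` and a single `register: replica_status` keeps the fact stable and leaves only the two fail tasks mode-specific. Both fail messages interpolate `.msg`, which I would write as `{{ replica_status.msg | default(replica_status) }}` in case the module fails without one.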
@@ -20,14 +20,14 @@ - name: Debug replica set status ansible.builtin.debug: msg: "{{ replica_status }}" - verbose: 2 + verbosity: 2 # Message for non cluster config mode - name: Fail when there is no cluster reconfiguration options set ansible.builtin.fail: msg: "Your mongo cluster is broken or non existent and mongo_configure_cluster is disabled, consider enabling it and fix your cluster. The error: {{ replica_status.msg }}." when: - - replica_status_minimal.failed + - replica_status.failed - name: Cluster check when we are in cluster config mode when: mongo_configure_cluster | bool From 08c6106bc00c9cbbcea835f759dab54176ca952e Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 30 Apr 2026 13:36:15 +0200 Subject: [PATCH 51/70] better error message --- roles/mongo/tasks/clustercheck.yml | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clustercheck.yml index 06d6f48c9..1664a122e 100644 --- a/roles/mongo/tasks/clustercheck.yml +++ b/roles/mongo/tasks/clustercheck.yml @@ -33,7 +33,7 @@ when: mongo_configure_cluster | bool block: # Get the replicaset status and fail on minimal (everything but even number of nodes) - - name: Check replicaset status + - name: Check replicaset status ninimal community.mongodb.mongodb_status: login_host: localhost login_user: admin 
@@ -52,3 +52,28 @@ msg: "Your mongo cluster is broken, error: {{ replica_status_minimal.msg }}." when: - replica_status_minimal.failed + + # Get the replicaset status votes + - name: Check replicaset status ninimal + community.mongodb.mongodb_status: + login_host: localhost + login_user: admin + login_port: "{{ mongo_port }}" + login_password: "{{ mongo_admin_password }}" + replica_set: "{{ mongo_replica_set_name }}" + poll: 3 + interval: 10 + validate: votes + register: replica_status_votes + ignore_errors: true + + # Message for cluster config mode wrong amount of votes + - name: Fail when you misconfigured your replica cluster + ansible.builtin.fail: + msg: | + Your mongo cluster doensn't have the right amount of members, + perhaps you are adding new nodes one by one, + in that case add the next node to cluster_members and run the play again. + The error message is: {{ replica_status_votes.msg }}." + when: + - replica_status_votes.failed \ No newline at end of file From c0b67003a4496a3f2709b5354ef0ec30540cd1ec Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 30 Apr 2026 13:38:55 +0200 Subject: [PATCH 52/70] readme item checked --- roles/mongo/README.md | 2 +- roles/mongo/tasks/clustercheck.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index ce3a3fc8c..881c9e24e 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md 
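Review bot: The block-scalar message of the new votes fail task ends with a stray `"` after `{{ replica_status_votes.msg }}`, which a `|` scalar prints verbatim to the operator; drop it. The task is named `Fail when you misconfigured your replica cluster`, identical to the task a few lines above, so callback output and `--start-at-task` cannot tell them apart — `Fail when the replica set has an even number of votes` says what this one checks. With `ignore_errors: true` on the status task, a login or connection failure is presumably reported under the same "wrong amount of members" wording, which the message could acknowledge.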
@@ -36,4 +36,4 @@ Warning: the cluster reconfiguration option in the mongodb_replicationset module - [ ] Initialise cluster always reports changed - [ ] check mode for writeconcern change tasks does not report change () same for any other mongodb_shell task "remote module (community.mongodb.mongodb_shell) does not support check mode"} - [ ] Check replication role of a host in host_vars against the settings in the cluster_members array -- [ ] Fail when you misconfigured your replica cluster task is executed when a node is added and the total amount is an even number, this however hard to avoid because the cluster reconfiguration task can opnly add 1 node at a time +- [X] Clearer error messaging for even number of votes diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clustercheck.yml index 1664a122e..af5da46d6 100644 --- a/roles/mongo/tasks/clustercheck.yml +++ b/roles/mongo/tasks/clustercheck.yml @@ -54,7 +54,7 @@ - replica_status_minimal.failed # Get the replicaset status votes - - name: Check replicaset status ninimal + - name: Check replicaset status minimal community.mongodb.mongodb_status: login_host: localhost login_user: admin @@ -71,7 +71,7 @@ - name: Fail when you misconfigured your replica cluster ansible.builtin.fail: msg: | - Your mongo cluster doensn't have the right amount of members, + Your mongo cluster doesn't have the right amount of members, perhaps you are adding new nodes one by one, in that case add the next node to cluster_members and run the play again. The error message is: {{ replica_status_votes.msg }}." From b58c07d23ce6553acd212db2a823396268f431e7 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 30 Apr 2026 14:31:37 +0200 Subject: [PATCH 53/70] fix mongoshrc --- roles/mongo/tasks/postinstall.yml | 7 +++++++ roles/mongo/templates/mongoshrc.js.j2 | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) 
diff --git a/roles/mongo/tasks/postinstall.yml b/roles/mongo/tasks/postinstall.yml index 93a8a4a3a..26d108eb9 100644 --- a/roles/mongo/tasks/postinstall.yml +++ b/roles/mongo/tasks/postinstall.yml @@ -34,6 +34,13 @@ mode: "0700" owner: root +- name: Debug mongo_cluster_members + debug: + msg: "{{ item.host }}" + verbosity: 2 + loop: + "{{ mongo_cluster_members }}" + - name: Create mongosh config file ansible.builtin.template: src: mongoshrc.js.j2 diff --git a/roles/mongo/templates/mongoshrc.js.j2 b/roles/mongo/templates/mongoshrc.js.j2 index 973ccf487..02b228673 100644 --- a/roles/mongo/templates/mongoshrc.js.j2 +++ b/roles/mongo/templates/mongoshrc.js.j2 @@ -1,2 +1,2 @@ -db = connect("mongodb://admin:{{ mongo_admin_password }}@{% for mongo_server in mongo_servers %}{{ mongo_server }}:{{ mongo_port }}{% if not loop.last %},{% endif %}{% endfor %}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") +db = connect("mongodb://admin:{{ mongo_admin_password }}@{% for mongo_server in mongo_cluster_members %}{{ mongo_server.host }}{% if not loop.last %},{% endif %}{% endfor %}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") From 43a738070d42386b1502bfd5900bbb8976f597a9 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Fri, 1 May 2026 15:41:57 +0200 Subject: [PATCH 54/70] add todo items --- roles/mongo/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 881c9e24e..28165ec68 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md 
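Review bot: The rendered `mongoshrc.js` still embeds the admin password in a connection URI on disk, and whether `Create mongosh config file` sets a restrictive `mode`/`owner` is outside the hunk; if it does not, `mode: "0600"`, `owner: root` and `no_log: true` (so the rendered content is not echoed in `--diff` runs) belong on that task. The URI keeps `ssl=true`, which the MongoDB connection-string docs list as the deprecated alias of `tls=true`. The new task uses bare `debug:` where the rest of the file uses FQCN `ansible.builtin.debug`, and both it and the template iterate `mongo_cluster_members` unconditionally, which is presumably undefined for the standalone mode the README says the role supports — gate with `when: mongo_mode == "cluster"`.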
@@ -37,3 +37,7 @@ Warning: the cluster reconfiguration option in the mongodb_replicationset module - [ ] check mode for writeconcern change tasks does not report change () same for any other mongodb_shell task "remote module (community.mongodb.mongodb_shell) does not support check mode"} - [ ] Check replication role of a host in host_vars against the settings in the cluster_members array - [X] Clearer error messaging for even number of votes +- [ ] Role refuses to add users when a new cluster is built (3 nodes) (cannot add users on a broken cluster) +- [ ] it would be helpfull if role (for example primary) is not defined in host_vars but in the mongo_cluster_members array +- [ ] removing primary from the cluster will not work but the error is unclear, this is related to the todo above +- [ ] is it necessary to make votes configurable? From ce4e2caa0b701eabf1dada479c8021b90cfeabad Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 4 May 2026 09:47:14 +0200 Subject: [PATCH 55/70] some typos --- roles/mongo/tasks/clustercheck.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clustercheck.yml index af5da46d6..53af6d809 100644 --- a/roles/mongo/tasks/clustercheck.yml +++ b/roles/mongo/tasks/clustercheck.yml @@ -33,7 +33,7 @@ when: mongo_configure_cluster | bool block: # Get the replicaset status and fail on minimal (everything but even number of nodes) - - name: Check replicaset status ninimal + - name: Check replicaset status minimal community.mongodb.mongodb_status: login_host: localhost login_user: admin @@ -54,7 +54,7 @@ - replica_status_minimal.failed # Get the replicaset status votes - - name: Check replicaset status minimal + - name: Check replicaset status votes community.mongodb.mongodb_status: login_host: localhost login_user: admin From e288ea42917b5b7292cde195b7e5acc652ec45a7 Mon Sep 17 00:00:00 2001 
From: Chantal Rosmuller Date: Mon, 4 May 2026 10:42:52 +0200 Subject: [PATCH 56/70] fixed users error --- roles/mongo/README.md | 4 ++-- roles/mongo/tasks/clustercheck.yml | 11 ++++++++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 28165ec68..3f7775f41 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md @@ -35,9 +35,9 @@ Warning: the cluster reconfiguration option in the mongodb_replicationset module - [ ] Reconfigure cluster always reports changed - [ ] Initialise cluster always reports changed - [ ] check mode for writeconcern change tasks does not report change () same for any other mongodb_shell task "remote module (community.mongodb.mongodb_shell) does not support check mode"} -- [ ] Check replication role of a host in host_vars against the settings in the cluster_members array - [X] Clearer error messaging for even number of votes -- [ ] Role refuses to add users when a new cluster is built (3 nodes) (cannot add users on a broken cluster) +- [X] Role refuses to add users when a new cluster is built (3 nodes) (cannot add users on a broken cluster) - [ ] it would be helpfull if role (for example primary) is not defined in host_vars but in the mongo_cluster_members array - [ ] removing primary from the cluster will not work but the error is unclear, this is related to the todo above - [ ] is it necessary to make votes configurable? +- [ ] preflight check are cluster members in the inventory and monog_servers group diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clustercheck.yml index 53af6d809..aa129ed5b 100644 --- a/roles/mongo/tasks/clustercheck.yml +++ b/roles/mongo/tasks/clustercheck.yml 
@@ -76,4 +76,13 @@ in that case add the next node to cluster_members and run the play again. The error message is: {{ replica_status_votes.msg }}." when: - - replica_status_votes.failed \ No newline at end of file + - replica_status_votes.failed + + # In non cluster config mode we use replica_status + # and here replica_status_votes and replica_status_minimal + # for better error messages, but we need a general replica_status + # for for example users.yml, so lets set it here + - name: Set a value for replica_status + ansible.builtin.set_fact: + replica_status: + failed: False From f7db56c56df946f9512615f1a7a0fa711273a6a7 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 4 May 2026 11:28:19 +0200 Subject: [PATCH 57/70] better check file name --- .../mongo/tasks/{clustercheck.yml => clusterhealthcheck.yml} | 0 roles/mongo/tasks/main.yml | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename roles/mongo/tasks/{clustercheck.yml => clusterhealthcheck.yml} (100%) diff --git a/roles/mongo/tasks/clustercheck.yml b/roles/mongo/tasks/clusterhealthcheck.yml similarity index 100% rename from roles/mongo/tasks/clustercheck.yml rename to roles/mongo/tasks/clusterhealthcheck.yml diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index a8a1901ec..e2cc15cd1 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -44,9 +44,9 @@ - mongo_mode == "cluster" - mongo_configure_cluster | bool # safest option is to set this to false and enable with -e mongo_configure_cluster=true - - name: Include cluster check tasks + - name: Include cluster health check tasks ansible.builtin.include_tasks: - file: clustercheck.yml + file: clusterhealthcheck.yml when: - mongo_mode == "cluster" - mongo_replication_role == 'primary' From 0c8716a59c7cef70cfaf4754d6560d6f9c8ede80 Mon Sep 17 00:00:00 2001 
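Review bot: `failed: False` is a capitalised YAML 1.1 boolean; the rest of these task files use lowercase `true`/`false` and yamllint's truthy rule flags the mixed form, so write `failed: false`. The sentinel is correct only because both fail tasks above it abort the play on a real failure, which the comment should say outright, e.g. `# reached only when the minimal and votes checks both passed, so a static 'not failed' is accurate`. The remainder of the block this task closes starts outside the hunk.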
From: Chantal Rosmuller Date: Mon, 4 May 2026 12:13:49 +0200 Subject: [PATCH 58/70] fix mebers format --- roles/mongo/tasks/clusterconfig.yml | 50 ++++++++++++++++++++--------- 1 file changed, 35 insertions(+), 15 deletions(-) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index d0472afbf..adfdc86cd 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -18,19 +18,24 @@ msg: "Replica set name {{ mongo_replica_set_name }}" verbosity: 2 -# Who is primary -- name: Identify designated primary +# Loop over cluster members and check their presence in mong_servers group and their mode (not standalone) + +- name: Check if mongo_cluster_members exist in inventory group + ansible.builtin.assert: + that: + - item.host in groups['mongo_servers'] + fail_msg: "Server '{{ item.host }}' is not in the mongo_servers inventory group" + success_msg: "Server '{{ item.host }}' found in mongo_servers inventory group" + run_once: true + loop: "{{ mongo_cluster_members }}" + +# Loop over cluster members and check for primary + +- name: Set primary host fact ansible.builtin.set_fact: - mongo_primary_host: >- - {{ - groups['mongo_servers'] - | map('extract', hostvars) - | selectattr('mongo_replication_role', 'defined') - | selectattr('mongo_replication_role', 'equalto', 'primary') - | map(attribute='inventory_hostname') - | first - }} - failed_when: mongo_primary_host is not defined or mongo_primary_host == '' + mongo_primary_host: "{{ (mongo_cluster_members | max(attribute='priority')).host }}" + +# Loop over cluster members and check for multiple primaries and if so fail - name: Debug primary settings ansible.builtin.debug: 
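Review bot: `mongo_primary_host` is now the member with the highest `priority`, but `max` silently returns one of several members that share that value, and the initiate/reconfigure block still runs under `when: mongo_replication_role == 'primary'` from host_vars (visible in the patch 37 hunk), so a host_vars/priority mismatch initiates the set from a host that is not the computed primary. An assert that the top priority is unique and belongs to this host closes both gaps; the README lists that consistency check as a todo. The membership assert compares `item.host` with inventory hostnames, which fits this commit's split `host`/`port` fields, but the example `group_vars/mongo_servers.yml` left in the tree still uses `host: "...:{{ mongo_port }}"` and would fail it.
```yaml
- name: Check that the designated primary is unambiguous and matches this host's role
  ansible.builtin.assert:
    that:
      - (mongo_cluster_members | selectattr('priority', 'equalto', _top | int) | list | length) == 1
      - (mongo_replication_role == 'primary') == (mongo_primary_host == inventory_hostname)
    fail_msg: "Exactly one member may hold the highest priority and it must be the host with mongo_replication_role: primary"
  vars:
    _top: "{{ mongo_cluster_members | map(attribute='priority') | max }}"
```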
@@ -83,7 +88,7 @@ _id: "{{ mongo_replica_set_name }}", members: [ {% for m in mongo_cluster_members %} - { _id: {{ loop.index0 }}, host: "{{ m.host }}", priority: {{ m.priority }}, votes: {{ m.votes }}{% if m.arbiterOnly is defined and m.arbiterOnly and m.arbiterOnly == true %}, arbiterOnly: true {% endif %} }{{ "," if not loop.last else "" }} + { _id: {{ loop.index0 }}, host: "{{ m.host }}:{{ m.port }}", priority: {{ m.priority }}, votes: {{ m.votes }}{% if m.arbiterOnly is defined and m.arbiterOnly and m.arbiterOnly == true %}, arbiterOnly: true {% endif %} }{{ "," if not loop.last else "" }} {% endfor %} ] }) @@ -96,8 +101,23 @@ msg: "{{ rs_init }}" verbosity: 2 + - name: Format members list + ansible.builtin.set_fact: + mongo_cluster_members_formatted: "{{ mongo_cluster_members_formatted | default([]) + [m | combine({'host': m.host ~ ':' ~ (m.port | string)}) | dict2items | rejectattr('key', 'eq', 'port') | list | items2dict] }}" + loop: "{{ mongo_cluster_members }}" + loop_control: + loop_var: m + + - name: Debug members list + ansible.builtin.debug: + msg: "{{ mongo_cluster_members }}" + + - name: Debug formatted members list + ansible.builtin.debug: + msg: "{{ mongo_cluster_members_formatted }}" + # Reconfigure cluster - # todo: this alwasy returns changed even wehn nothing changes + # todo: this always returns changed even when nothing changes - name: Reconfigure cluster if necessary community.mongodb.mongodb_replicaset: login_host: localhost @@ -106,7 +126,7 @@ login_port: "{{ mongo_port }}" reconfigure: true replica_set: "{{ mongo_replica_set_name }}" - members: "{{ mongo_cluster_members }}" + members: "{{ mongo_cluster_members_formatted }}" register: rs_reconfigure - name: Debug cluster reconfiguration From 9f9530ab6377cbe15408055424e70d47e160a6a7 Mon Sep 17 00:00:00 2001 
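Review bot: `host: "{{ m.host }}:{{ m.port }}"` dereferences `m.port` without a default, so any member entry that omits `port` (the previous example format had none) aborts the template with an undefined-variable error instead of falling back to the role's port; `{{ m.port | default(mongo_port) }}` keeps old member lists working. The same unguarded access appears as `(m.port | string)` in the `Format members list` task of the next hunk and as `{{ mongo_server.port }}` in the mongoshrc.js.j2 hunk of PATCH 68. The task containing this Jinja block starts outside the hunk.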
From: Chantal Rosmuller Date: Mon, 4 May 2026 12:16:06 +0200 Subject: [PATCH 59/70] some housekeeping --- roles/mongo/tasks/clusterconfig.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mongo/tasks/clusterconfig.yml b/roles/mongo/tasks/clusterconfig.yml index adfdc86cd..dd819d3da 100644 --- a/roles/mongo/tasks/clusterconfig.yml +++ b/roles/mongo/tasks/clusterconfig.yml @@ -35,8 +35,6 @@ ansible.builtin.set_fact: mongo_primary_host: "{{ (mongo_cluster_members | max(attribute='priority')).host }}" -# Loop over cluster members and check for multiple primaries and if so fail - - name: Debug primary settings ansible.builtin.debug: msg: "Primary is {{ mongo_primary_host }}" @@ -111,10 +109,12 @@ - name: Debug members list ansible.builtin.debug: msg: "{{ mongo_cluster_members }}" + verbosity: 2 - name: Debug formatted members list ansible.builtin.debug: msg: "{{ mongo_cluster_members_formatted }}" + verbosity: 2 # Reconfigure cluster # todo: this always returns changed even when nothing changes From 58c50e3b99cb95dbab980f7f97b8a09c9da1d6a3 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Mon, 4 May 2026 12:17:55 +0200 Subject: [PATCH 60/70] some housekeeping --- roles/mongo/README.md | 6 +++--- roles/mongo/defaults/main.yml | 13 ++++++------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 3f7775f41..3eff686d7 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md 
@@ -37,7 +37,7 @@ Warning: the cluster reconfiguration option in the mongodb_replicationset module - [ ] check mode for writeconcern change tasks does not report change () same for any other mongodb_shell task "remote module (community.mongodb.mongodb_shell) does not support check mode"} - [X] Clearer error messaging for even number of votes - [X] Role refuses to add users when a new cluster is built (3 nodes) (cannot add users on a broken cluster) -- [ ] it would be helpfull if role (for example primary) is not defined in host_vars but in the mongo_cluster_members array -- [ ] removing primary from the cluster will not work but the error is unclear, this is related to the todo above +- [X] it would be helpfull if role (for example primary) is not defined in host_vars but in the mongo_cluster_members array +- [X] removing primary from the cluster will not work but the error is unclear, this is related to the todo above - [ ] is it necessary to make votes configurable? -- [ ] preflight check are cluster members in the inventory and monog_servers group +- [X] preflight check are cluster members in the inventory and monog_servers group diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index 9e9ba721a..41e0a2631 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml 
@@ -13,16 +13,15 @@ mongo_servers: [] # Set this in group_vars # Not all mongo servers in the inventory are cluster members, so we use a separate list for this. # Set this in group_vars of your environment(s). The arbiter should go first, or change the mongo_arbiter_index. # mongo_cluster_members: -# - host: "mongoarbiter.example.com:27017" +# - host: "mongoarbiter.example.com" # priority: 1 # can vote, cannot become primary -# - host: "mongo2.example.com:27017" +# port: 27017 +# - host: "mongo2.example.com" # priority: 2 -# - host: "mongo1.example.com:27017" +# port: 27017 +# - host: "mongo1.example.com" # priority: 3 -# mongo_arbiter_index: 0 - -# The replication role -# mongo_replication_role: # Set this in host_vars, it can have the values: "primary", "secondary" or arbiter +# port: 27017 # Todo: there is a link between mongo_replication_role and priority (arbiter is priority 1, primary the highest) so # setting them separately is not ideal. From f7176ee139d3ad2f243cd8e7dae05d1117b50125 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Wed, 6 May 2026 10:44:09 +0200 Subject: [PATCH 61/70] add comment --- roles/mongo/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongo/README.md b/roles/mongo/README.md index 3eff686d7..035dd0f2d 100644 --- a/roles/mongo/README.md +++ b/roles/mongo/README.md @@ -41,3 +41,4 @@ Warning: the cluster reconfiguration option in the mongodb_replicationset module - [X] removing primary from the cluster will not work but the error is unclear, this is related to the todo above - [ ] is it necessary to make votes configurable? - [X] preflight check are cluster members in the inventory and monog_servers group +- [ ] Standalone mongo also requires cluster certificates, not logical although it doens't hurt From 60910c0fadcb8c82293f59b4b5dbbbf6f7217ae2 Mon Sep 17 00:00:00 2001 
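Review bot: The context comment `The arbiter should go first, or change the mongo_arbiter_index.` now refers to a variable this hunk removes (`# mongo_arbiter_index: 0`), and PATCH 58 selects the primary with `max(attribute='priority')`, so member order no longer appears to matter; shorten it to `# Set this in group_vars of your environment(s).`. The hunk also removes the only documentation of `mongo_replication_role` while tasks/main.yml (PATCH 62 below) still evaluates that variable, so either keep a comment saying where it must be set or note that it is no longer used.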
From: Chantal Rosmuller Date: Wed, 6 May 2026 11:27:52 +0200 Subject: [PATCH 62/70] change check or standalone mode will not get users --- roles/mongo/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/tasks/main.yml b/roles/mongo/tasks/main.yml index e2cc15cd1..d55d8fa8a 100644 --- a/roles/mongo/tasks/main.yml +++ b/roles/mongo/tasks/main.yml @@ -60,7 +60,7 @@ file: users.yml # Cannot add users on a broken cluster when: > - (mongo_replication_role == 'primary' and not replica_status.failed) + (mongo_mode == 'cluster' and mongo_replication_role is defined and mongo_replication_role == 'primary' and not replica_status.failed) or mongo_mode == 'standalone' - name: Include postinstallation tasks From cf9a0f91831108ffc847ac07ebd91acda05a540f Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 7 May 2026 10:17:01 +0200 Subject: [PATCH 63/70] fix users error no role and disable logging --- roles/mongo/tasks/users.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index 4834d3dee..8e4e6c2dd 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml @@ -11,7 +11,7 @@ password: "{{ item.password }}" roles: "{{ item.role | default('readWrite')}}" replica_set: "{{ mongo_replica_set_name }}" - #no_log: true todo enable + no_log: true run_once: true with_items: "{{ mongo.users }}" changed_when: false @@ -26,8 +26,8 @@ login_password: "{{ mongo_admin_password }}" name: "{{ item.name }}" password: "{{ item.password }}" - roles: "{{ item.role }}" - #no_log: true todo enable + roles: "{{ item.role | default("readWrite") }}" + no_log: true run_once: true with_items: "{{ mongo.users }}" changed_when: false From 27d64ffe25ccda1e86bb296e4d879fb46dbaba42 Mon Sep 17 00:00:00 2001 
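Review bot: The cluster branch of the new condition still depends on `mongo_replication_role`, whose documentation line (`# mongo_replication_role: # Set this in host_vars ...`) is removed from defaults/main.yml in PATCH 60; if cluster hosts no longer set it, the branch is never true and user creation is skipped silently instead of failing. Either assert early in the play that `mongo_replication_role` is defined when `mongo_mode == 'cluster'`, or derive the primary from the fact clusterconfig.yml already computes, e.g. `inventory_hostname == mongo_primary_host`, if that fact is set on every run. `replica_status` is only defined by the health-check include (gated on the same variable in the PATCH 57 hunk above), so the two conditions must stay in step.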
From: Chantal Rosmuller Date: Thu, 7 May 2026 10:18:39 +0200 Subject: [PATCH 64/70] quote gedeoe --- roles/mongo/tasks/users.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/tasks/users.yml b/roles/mongo/tasks/users.yml index 8e4e6c2dd..5afa45151 100644 --- a/roles/mongo/tasks/users.yml +++ b/roles/mongo/tasks/users.yml @@ -26,7 +26,7 @@ login_password: "{{ mongo_admin_password }}" name: "{{ item.name }}" password: "{{ item.password }}" - roles: "{{ item.role | default("readWrite") }}" + roles: "{{ item.role | default('readWrite') }}" no_log: true run_once: true with_items: "{{ mongo.users }}" From 98b58f4589cb7ae5ca98e770dcf19ec150b5fee9 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 7 May 2026 10:31:31 +0200 Subject: [PATCH 65/70] fix mongoshrc for standalone --- roles/mongo/templates/mongoshrc.js.j2 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/mongo/templates/mongoshrc.js.j2 b/roles/mongo/templates/mongoshrc.js.j2 index 02b228673..c4b8af9f6 100644 --- a/roles/mongo/templates/mongoshrc.js.j2 +++ b/roles/mongo/templates/mongoshrc.js.j2 @@ -1,2 +1,5 @@ +{% if mongo_mode == "cluster" %} db = connect("mongodb://admin:{{ mongo_admin_password }}@{% for mongo_server in mongo_cluster_members %}{{ mongo_server.host }}{% if not loop.last %},{% endif %}{% endfor %}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") - +{% else %} +db = connect("mongodb://admin:{{ mongo_admin_password }}@{{ ansible_facts['fqdn'] }}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") +{% endif %} From aeef30c5061ca8711a9d6bf12a50b91922bf1cdb Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 7 May 2026 10:40:14 +0200 Subject: [PATCH 66/70] no output --- roles/mongo/tasks/generalconfig.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/tasks/generalconfig.yml b/roles/mongo/tasks/generalconfig.yml index 08029a136..7bc094d4f 100644 --- a/roles/mongo/tasks/generalconfig.yml 
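Review bot: Both `connect("mongodb://admin:{{ mongo_admin_password }}@...")` lines interpolate the admin password raw into the URI userinfo, so a password containing `@`, `:`, `/` or `%` produces a malformed connection string; use `{{ mongo_admin_password | urlencode }}` in both branches. The same applies to the rewritten lines in the PATCH 68 and PATCH 70 hunks of this template. Because the rendered mongoshrc.js holds the admin password in clear text, the template task in postinstall.yml that writes it (outside this hunk) should set `mode: "0600"` if it does not already.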
+++ b/roles/mongo/tasks/generalconfig.yml @@ -17,7 +17,7 @@ - name: Debug mongodb authentication check ansible.builtin.debug: - msg: "{{ mongo_authentication_disabled.stdout }}" + msg: "{{ mongo_authentication_disabled }}" verbosity: 2 - name: configure primary or standalone From bf8f1945657863ecfce508549fef12aba5ef17ff Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 7 May 2026 10:57:23 +0200 Subject: [PATCH 67/70] do not check cluster memers in standalone --- roles/mongo/tasks/postinstall.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mongo/tasks/postinstall.yml b/roles/mongo/tasks/postinstall.yml index 26d108eb9..027d05f1c 100644 --- a/roles/mongo/tasks/postinstall.yml +++ b/roles/mongo/tasks/postinstall.yml @@ -40,6 +40,7 @@ verbosity: 2 loop: "{{ mongo_cluster_members }}" + when: mongo_mode == "cluster" - name: Create mongosh config file ansible.builtin.template: From 246ecafec4bbcced9635c523e6a7328fd1b532d8 Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 7 May 2026 14:47:25 +0200 Subject: [PATCH 68/70] update example --- roles/mongo/defaults/main.yml | 11 +++++++---- roles/mongo/templates/mongoshrc.js.j2 | 4 ++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index 41e0a2631..11cbc2857 100644 --- a/roles/mongo/defaults/main.yml +++ b/roles/mongo/defaults/main.yml @@ -27,7 +27,7 @@ mongo_servers: [] # Set this in group_vars # setting them separately is not ideal. # The port for mongo server -mongo_port: 27017 +mongo_default_port: 27017 # The password for admin user # mongo_admin_password: # set this in secrets 
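Review bot: `msg: "{{ mongo_authentication_disabled }}"` now dumps the entire registered result at `-vv`; if the task that registers it (outside this hunk) passes the admin password as a module argument or on a command line, the `invocation` or `cmd` fields will echo it into the log. Print only the field the check needs, or put `no_log: true` on the registering task and this debug. If `.stdout` was empty because the registering task is a module rather than a command, naming that output field here keeps the debug readable.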
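Review bot: `when: mongo_mode == "cluster"` does not protect the `loop` above it, because Ansible evaluates `loop` before `when`; in a standalone inventory where `mongo_cluster_members` is undefined (defaults/main.yml only ships it commented out) the task still errors on the loop expression. Use `loop: "{{ mongo_cluster_members | default([]) }}"` together with the `when`. The start of this task is outside the hunk.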
@@ -64,15 +64,18 @@ mongo_pymongo_version: 4.16.0 # cluster members # set in group_vars # mongo_cluster_members: -# - host: mongo1.example.com:{{ mongo_port }} +# - host: mongo1.example.com # priority: 3 # votes: 1 -# - host: mongo2.example.com:{{ mongo_port }} +# port: 27017 +# - host: mongo2.example.com # priority: 2 # votes: 1 -# - host: mongo3.example.com:{{ mongo_port }} +# port: 27017 +# - host: mongo3.example.com # priority: 1 # votes: 1 +# port: 27017 # arbiterOnly: true mongo_cluster_write_concern: "majority" diff --git a/roles/mongo/templates/mongoshrc.js.j2 b/roles/mongo/templates/mongoshrc.js.j2 index c4b8af9f6..0b4d6b1ec 100644 --- a/roles/mongo/templates/mongoshrc.js.j2 +++ b/roles/mongo/templates/mongoshrc.js.j2 @@ -1,5 +1,5 @@ {% if mongo_mode == "cluster" %} -db = connect("mongodb://admin:{{ mongo_admin_password }}@{% for mongo_server in mongo_cluster_members %}{{ mongo_server.host }}{% if not loop.last %},{% endif %}{% endfor %}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") +db = connect("mongodb://admin:{{ mongo_admin_password }}@{% for mongo_server in mongo_cluster_members %}{{ mongo_server.host }}:{{ mongo_server.port }}{% if not loop.last %},{% endif %}{% endfor %}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") {% else %} -db = connect("mongodb://admin:{{ mongo_admin_password }}@{{ ansible_facts['fqdn'] }}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") +db = connect("mongodb://admin:{{ mongo_admin_password }}@{{ ansible_facts['fqdn'] }}:{{ mongo_standalone_port }}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") {% endif %} From a6fb76639a9222f9e9ab84b4109135a9b9b782df Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 7 May 2026 14:49:07 +0200 Subject: [PATCH 69/70] keep mongo_port --- roles/mongo/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/defaults/main.yml b/roles/mongo/defaults/main.yml index 11cbc2857..ce2f16235 100644 --- a/roles/mongo/defaults/main.yml 
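Review bot: This is the second commented `mongo_cluster_members` example in the same defaults file — the PATCH 60 hunk updates one near the top (arbiter first, priority 1, no `arbiterOnly`), and this one lists the arbiter last with `arbiterOnly: true`. Two diverging examples for one variable will mislead users; keep a single example under the `# cluster members` header and remove the other, or make them identical. A short line such as `# port: required for every member` would also make the new field's status explicit.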
+++ b/roles/mongo/defaults/main.yml @@ -27,7 +27,7 @@ mongo_servers: [] # Set this in group_vars # setting them separately is not ideal. # The port for mongo server -mongo_default_port: 27017 +mongo_port: 27017 # The password for admin user # mongo_admin_password: # set this in secrets From 10ac1d1b0b96bcb88d67c6ea74418d16e3e6985a Mon Sep 17 00:00:00 2001 From: Chantal Rosmuller Date: Thu, 7 May 2026 15:03:00 +0200 Subject: [PATCH 70/70] keep mongo_port --- roles/mongo/templates/mongoshrc.js.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mongo/templates/mongoshrc.js.j2 b/roles/mongo/templates/mongoshrc.js.j2 index 0b4d6b1ec..c8b4c92f4 100644 --- a/roles/mongo/templates/mongoshrc.js.j2 +++ b/roles/mongo/templates/mongoshrc.js.j2 @@ -1,5 +1,5 @@ {% if mongo_mode == "cluster" %} db = connect("mongodb://admin:{{ mongo_admin_password }}@{% for mongo_server in mongo_cluster_members %}{{ mongo_server.host }}:{{ mongo_server.port }}{% if not loop.last %},{% endif %}{% endfor %}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") {% else %} -db = connect("mongodb://admin:{{ mongo_admin_password }}@{{ ansible_facts['fqdn'] }}:{{ mongo_standalone_port }}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") +db = connect("mongodb://admin:{{ mongo_admin_password }}@{{ ansible_facts['fqdn'] }}:{{ mongo_port }}?ssl=true&tlsCAFile=/etc/pki/mongo/mongoca.pem") {% endif %}