Refactor zabbix web (#1235)

* Single common task to install zabbix-web RedHat can pin the minor version, and has a toggle to disable repo. Debian can't pin minor version. The other debian option cache_valid_time seems irrelevant? We use the common package module, which is just a wrapper around apt/yum, and use this construction; user_supplied_var | default(_calculated_var | default(omit)) to send additional parameters to the respective modules. The workaround ZBX-10467 is dependent on packages being installed, so had to get moved aswell. * Remove mysql install tasks It doesn't really make sense installing this package on all of RedHat family, when there's no corresponding Debian task doing the same. MySQL/mariadb is gets installed by the zabbix_server role. And the PyMySQL dependency is only needed for the ansible collection community.mysql, which we don't use in this role. * Improve when condition logic for os_family It's better to check for what it IS we're looking for rather than what it's not. You could be looking at 'Suse' at some point, and this logic wouldn't hold. * Swap out remi for appstream php:8.0/common Use dnf module instead of command, this makes the task idempotent. * Make it clear tasks are a workaround Remove ubuntu-22.04 from this workaround, support for ubuntu-22.04 was added in 5.0.0[1]. Not sure if it's a good idea to pin the geerlingguy role? We can pin it to a specific version, but I haven't figured out why it's not respecting a relative version, like '>=5.0.0' [1] geerlingguy/ansible-role-php#406 * Remove zabbix 5.0 related task Zabbix 5 wanted to install the sql-scripts to /usr/share/doc, and this task removes a line in yum.conf that prevented that from happening. But since 6.0 we haven't had to deal with that, so out it goes. * Remove tasks and checks guarding against EL7 This role doesn't support EL7 anymore, so we can remove these tasks/checks. * Move delegated_dbhost to first block This calculation doesn't change. So let's provide/reuse it across the whole block. * Bump mysql container image, add workarounds PyMySQL 9>=,<10 did not have issues with this pinned mysql:8.0.32, but does with later releases, so we bump pymysql for additional debian and ubuntu releases. * Increase similarity in init-mysql between roles * Provide the default port for database servers This could have been an if-statement, I just don't like the "looseness" of the else part, so I opted for a lookup-table. * Remove unused zabbix_selinux_dependencies This lookup goes unused. * Group selinux booleans, and apply regardless Having them only applied with a when condition leaves no way to undo the booleans once set. So we apply them regardless. If the booleans are defaulting to false, we set them false on the system. * Install selinux packages regardless Use the generic `package` module for package installs, and install this ansible dependency regardless. * RedHat: zabbix_web_php_dependencies goes unused * Single task for installing zabbix-apache-conf Also, this zabbix_agent_disable_repo is probably a copy-paste error introduced at some point. * Single task for installing zabbix-nginx-conf * Move installation of debian php deps By converting zabbix_web_http_server_package to a list of one package, we can add zabbix_web_php_dependencies to it during installation of those packages. * Move installation of debian php-pgsql There is a corresponding php-mysql package, and we might aswell make sure that is installed based on zabbix_server_database. * RedHat: Remove zabbix-{{ ..._http_server }}-conf I'm not sure what this when condition is for; when: - zabbix_web_version is version('6.0', '!=') - ansible_distribution_major_version == '9' But we're installing the package anyway. So just drop this task, maybe? * zabbix_underscore_version goes unused * Remove useless when conditions and notifies We don't need restart apache/nginx when a php file gets updated, they are completely separate from running configuration. We can also drop the >= zabbix-5.0 condition. In the rest of the role, we're only calling the respective handler when we need to, so no more when conditions needed. --------- Co-authored-by: Troy W <[email protected]>
ansible-collections · Jun 11, 2024 · 78658d6 · 78658d6
1 parent 825d112
commit 78658d6
Show file tree

Hide file tree

Showing 17 changed files with 143 additions and 354 deletions.
diff --git a/molecule/zabbix_proxy/prepare.yml b/molecule/zabbix_proxy/prepare.yml
@@ -60,24 +60,21 @@
       ansible.builtin.shell: "apt-get update && echo exit 0 > /usr/sbin/policy-rc.d"
       register: installation_dependencies
       until: installation_dependencies is succeeded
-      when:
-        - ansible_os_family != 'RedHat'
+      when: ansible_facts['os_family'] == 'Debian'
 
-    - name: "Installing packages on NON-CentOS"
+    - name: "Installing packages on Debian family"
       ansible.builtin.apt:
         name:
           - net-tools
           - apt-utils
           - python3-pip
           - gpg-agent
           - sudo
-          - doc-base
         update_cache: true
         state: present
       register: installation_dependencies
       until: installation_dependencies is succeeded
-      when:
-        - ansible_os_family != 'RedHat'
+      when: ansible_facts['os_family'] == 'Debian'
 
     - name: "Configure SUDO."
       ansible.builtin.lineinfile:

diff --git a/molecule/zabbix_server/prepare.yml b/molecule/zabbix_server/prepare.yml
@@ -6,7 +6,7 @@
     - name: "Create MySQL Container"
       docker_container:
         name: "{{ item.name }}-db"
-        image: mysql:8.0.32
+        image: mysql:8.0
         state: started
         recreate: true
         networks:
@@ -56,25 +56,13 @@
       when:
         - ansible_os_family == 'RedHat'
 
-    - name: "Installing packages on CentOS"
-      ansible.builtin.yum:
-        name:
-          - mysql
-        state: present
-      register: installation_dependencies
-      until: installation_dependencies is succeeded
-      when:
-        - ansible_os_family == 'RedHat'
-        - inventory_hostname in groups['mysql']
-
     - name: "Apt update"
       ansible.builtin.shell: "apt-get update && echo exit 0 > /usr/sbin/policy-rc.d"
       register: installation_dependencies
       until: installation_dependencies is succeeded
-      when:
-        - ansible_os_family != 'RedHat'
+      when: ansible_facts['os_family'] == 'Debian'
 
-    - name: "Installing packages on NON-CentOS"
+    - name: "Installing packages on Debian family"
       ansible.builtin.apt:
         name:
           - net-tools
@@ -86,19 +74,10 @@
         state: present
       register: installation_dependencies
       until: installation_dependencies is succeeded
-      when:
-        - ansible_os_family != 'RedHat'
+      when: ansible_facts['os_family'] == 'Debian'
 
     - name: "Configure SUDO."
       ansible.builtin.lineinfile:
         dest: /etc/sudoers
         line: "Defaults    !requiretty"
         state: present
-
-    - name: "Make sure the docs are installed."
-      ansible.builtin.lineinfile:
-        dest: /etc/yum.conf
-        line: "tsflags=nodocs"
-        state: absent
-      when:
-        - ansible_os_family == 'RedHat'
diff --git a/molecule/zabbix_web/molecule.yml b/molecule/zabbix_web/molecule.yml
@@ -46,7 +46,6 @@ provisioner:
         zabbix_web_version: 6.0
       mysql:
         zabbix_server_database: mysql
-        zabbix_server_dbport: 3306
         zabbix_server_dbhost: "{{ inventory_hostname }}-db"
         zabbix_server_dbhost_run_install: false
         zabbix_server_privileged_host: "%"
@@ -56,7 +55,6 @@ provisioner:
         zabbix_server_mysql_login_port: 3306
       pgsql:
         zabbix_server_database: pgsql
-        zabbix_server_dbport: 5432
         zabbix_server_dbhost: "{{ inventory_hostname }}-db"
         zabbix_server_dbhost_run_install: false
         zabbix_server_pgsql_login_host: "{{ inventory_hostname }}-db"

diff --git a/molecule/zabbix_web/prepare.yml b/molecule/zabbix_web/prepare.yml
@@ -56,25 +56,13 @@
       when:
         - ansible_os_family == 'RedHat'
 
-    - name: "Installing MySQL on CentOS"
-      ansible.builtin.yum:
-        name:
-          - mysql
-        state: present
-      register: installation_dependencies
-      until: installation_dependencies is succeeded
-      when:
-        - ansible_os_family == 'RedHat'
-        - inventory_hostname in groups['mysql']
-
     - name: "Apt update"
       ansible.builtin.shell: "apt-get update"
       register: installation_dependencies
       until: installation_dependencies is succeeded
-      when:
-        - ansible_os_family != 'RedHat'
+      when: ansible_facts['os_family'] == 'Debian'
 
-    - name: "Installing packages on NON-CentOS"
+    - name: "Installing packages on Debian family"
       ansible.builtin.apt:
         name:
           - net-tools
@@ -87,46 +75,17 @@
         state: present
       register: installation_dependencies
       until: installation_dependencies is succeeded
-      when:
-        - ansible_os_family != 'RedHat'
+      when: ansible_facts['os_family'] == 'Debian'
 
     - name: "Configure SUDO."
       ansible.builtin.lineinfile:
         dest: /etc/sudoers
         line: "Defaults    !requiretty"
         state: present
 
-    - name: "Make sure the docs are installed."
-      ansible.builtin.lineinfile:
-        dest: /etc/yum.conf
-        line: "tsflags=nodocs"
-        state: absent
-      when:
-        - ansible_os_family == 'RedHat'
-
-    - name: PyMySQL
-      ansible.builtin.pip:
-        name: PyMySQL
-      register: installation_dependencies
-      until: installation_dependencies is succeeded
-      when:
-        - inventory_hostname in groups['mysql']
-
-    - name: Enabeling PHP 8.0
-      block:
-        - name: Add epel
-          ansible.builtin.include_role:
-            name: geerlingguy.repo-epel
-
-        - name: Add remi
-          ansible.builtin.include_role:
-            name: geerlingguy.repo-remi
-
-        - name: Reset dnf library
-          ansible.builtin.shell: dnf module reset php
-
-        - name: Set php Version
-          ansible.builtin.shell: dnf module enable -y php:remi-8.0
+    - name: Enabling PHP 8.0
+      ansible.builtin.dnf:
+        name: "@php:8.0/common"
       when:
         - ansible_os_family == 'RedHat'
         - ansible_distribution_major_version == "8"
@@ -148,43 +107,34 @@
           - php-pecl-apcu
           - php-xml
       when:
-        - ansible_distribution_major_version >= '8'
         - ansible_os_family == "RedHat"
 
-    - name: Set PHP Version (Ubuntu 2204)
-      ansible.builtin.set_fact:
-        __php_default_version_debian: "8.1"
-      when:
-        - ansible_distribution_major_version >= '22'
-        - ansible_os_family == "Debian"
-
-    - name: Set PHP Version (Ubuntu 2404)
-      ansible.builtin.set_fact:
-        __php_default_version_debian: "8.3"
+    - name: Workaround for geerlingguy.php missing ubuntu-24.04 support
       when:
-        - ansible_distribution_major_version >= '24'
-        - ansible_os_family == "Debian"
-
-    - name: Set PHP packages (Ubuntu 2204 & 2404)
-      ansible.builtin.set_fact:
-        __php_packages:
-          - php{{ __php_default_version_debian }}-common
-          - php{{ __php_default_version_debian }}-cli
-          - php{{ __php_default_version_debian }}-dev
-          - php{{ __php_default_version_debian }}-fpm
-          - libpcre3-dev
-          - php{{ __php_default_version_debian }}-gd
-          - php{{ __php_default_version_debian }}-curl
-          - php{{ __php_default_version_debian }}-imap
-          - php-json
-          - php{{ __php_default_version_debian }}-opcache
-          - php{{ __php_default_version_debian }}-xml
-          - php{{ __php_default_version_debian }}-mbstring
-          - php{{ __php_default_version_debian }}-apcu
-          - php{{ __php_default_version_debian }}-sqlite3
-      when:
-        - ansible_distribution_major_version >= '22'
-        - ansible_os_family == "Debian"
+        - ansible_facts['distribution'] == "Ubuntu"
+        - ansible_facts['distribution_major_version'] >= '24'
+      block:
+        - name: Set PHP Version
+          ansible.builtin.set_fact:
+            __php_default_version_debian: "8.3"
+
+        - name: Set PHP packages
+          ansible.builtin.set_fact:
+            __php_packages:
+              - php{{ __php_default_version_debian }}-common
+              - php{{ __php_default_version_debian }}-cli
+              - php{{ __php_default_version_debian }}-dev
+              - php{{ __php_default_version_debian }}-fpm
+              - libpcre3-dev
+              - php{{ __php_default_version_debian }}-gd
+              - php{{ __php_default_version_debian }}-curl
+              - php{{ __php_default_version_debian }}-imap
+              - php-json
+              - php{{ __php_default_version_debian }}-opcache
+              - php{{ __php_default_version_debian }}-xml
+              - php{{ __php_default_version_debian }}-mbstring
+              - php{{ __php_default_version_debian }}-apcu
+              - php{{ __php_default_version_debian }}-sqlite3
 
   roles:
     - role: geerlingguy.apache

diff --git a/molecule/zabbix_web/requirements.yml b/molecule/zabbix_web/requirements.yml
@@ -1,6 +1,6 @@
 ---
-- src: geerlingguy.apache
-- src: geerlingguy.nginx
-- src: geerlingguy.php
-- src: geerlingguy.repo-epel
-- src: geerlingguy.repo-remi
+roles:
+  - src: geerlingguy.apache
+  - src: geerlingguy.nginx
+  - src: geerlingguy.php
+    version: '5.0.1'
diff --git a/roles/zabbix_proxy/tasks/initialize-mysql.yml b/roles/zabbix_proxy/tasks/initialize-mysql.yml
@@ -27,6 +27,7 @@
 
 - name: "MySQL Database prep"
   when: zabbix_proxy_database_creation | bool
+  become: "{{ zabbix_proxy_dbhost_run_install }}"
   delegate_to: "{{ zabbix_proxy_real_dbhost | default(zabbix_proxy_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname)) }}"
   vars:
     delegated_dbhost: "{{ (zabbix_proxy_dbhost == 'localhost') | ternary(inventory_hostname, zabbix_proxy_dbhost) }}"
@@ -56,12 +57,14 @@
         login_unix_socket: "{{ zabbix_proxy_mysql_login_unix_socket | default(omit) }}"
         name: "{{ zabbix_proxy_dbuser }}"
         password: "{{ zabbix_proxy_dbpassword }}"
-        priv: "{{ zabbix_proxy_dbname }}.*:ALL"
         host: "{{ zabbix_proxy_privileged_host }}"
+        priv: "{{ zabbix_proxy_dbname }}.*:ALL"
         state: present
 
 - name: "MySQL verify or create schema"
   when: zabbix_proxy_database_sqlload | bool
+  vars:
+    delegated_dbhost: "{{ (zabbix_proxy_dbhost == 'localhost') | ternary(inventory_hostname, zabbix_proxy_dbhost) }}"
   tags:
     - database
   block:
@@ -76,8 +79,6 @@
   rescue:
     - name: "MySQL | Get and set schema import overrides"
       delegate_to: "{{ zabbix_proxy_real_dbhost | default(zabbix_proxy_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname)) }}"
-      vars:
-        delegated_dbhost: "{{ (zabbix_proxy_dbhost == 'localhost') | ternary(inventory_hostname, zabbix_proxy_dbhost) }}"
       block:
         - name: "MySQL | Get current value for variables"
           community.mysql.mysql_variables:
@@ -95,15 +96,15 @@
           register: _mysql_variable_defaults
 
         - name: "MySQL | Set variable overrides for schema import"
-          when: item.msg != _mysql_schema_import_overrides[item.name]
           community.mysql.mysql_variables:
             variable: "{{ item.name }}"
             value: "{{ _mysql_schema_import_overrides[item.name] }}"
-            login_host: "{{ zabbix_proxy_mysql_login_host | default(omit) }}"
             login_user: "{{ zabbix_proxy_mysql_login_user | default(omit) }}"
             login_password: "{{ zabbix_proxy_mysql_login_password | default(omit) }}"
+            login_host: "{{ zabbix_proxy_mysql_login_host | default(omit) }}"
             login_port: "{{ zabbix_proxy_mysql_login_port | default(omit) }}"
             login_unix_socket: "{{ zabbix_proxy_mysql_login_unix_socket | default(omit) }}"
+          when: item.msg != _mysql_schema_import_overrides[item.name]
           loop: "{{ _mysql_variable_defaults.results }}"
           loop_control:
             label: "{{ item.name }}: {{ _mysql_schema_import_overrides[item.name] }}"
@@ -126,10 +127,7 @@
 
   always:
     - name: "MySQL | Revert variable overrides for schema import"
-      when: _mysql_variable_defaults is defined
       delegate_to: "{{ zabbix_proxy_real_dbhost | default(zabbix_proxy_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname)) }}"
-      vars:
-        delegated_dbhost: "{{ (zabbix_proxy_dbhost == 'localhost') | ternary(inventory_hostname, zabbix_proxy_dbhost) }}"
       community.mysql.mysql_variables:
         variable: "{{ item.name }}"
         value: "{{ item.msg }}"

diff --git a/roles/zabbix_server/tasks/initialize-mysql.yml b/roles/zabbix_server/tasks/initialize-mysql.yml
@@ -14,8 +14,18 @@
     - database
     - dependencies
 
+# NOTE: Upgrading system-packages with pip is generally a bad idea, but
+# these packaged older versions seems to have a problem with mysql 8 and above
+- name: Upgrade pymysql
+  when:
+    - ansible_facts['distribution'] in ['Debian', 'Ubuntu']
+    - ansible_facts['distribution_release'] in ['bullseye', 'focal']
+  ansible.builtin.pip:
+    name: "pymysql>=0.10.0,<0.11.0"
+    state: latest
+
 - name: "MySQL Database prep"
-  when: zabbix_server_database_creation
+  when: zabbix_server_database_creation | bool
   become: "{{ zabbix_server_dbhost_run_install }}"
   delegate_to: "{{ zabbix_server_real_dbhost | default(zabbix_server_dbhost_run_install | ternary(delegated_dbhost, inventory_hostname)) }}"
   vars:

diff --git a/roles/zabbix_web/defaults/main.yml b/roles/zabbix_web/defaults/main.yml
@@ -43,15 +43,16 @@ zabbix_server_dbhost: localhost
 zabbix_server_dbname: zabbix-server
 zabbix_server_dbuser: zabbix-server
 zabbix_server_dbpassword: zabbix-server
-zabbix_server_dbport: 5432
+_zabbix_server_database_default_port:
+  mysql: 3306
+  pgsql: 5432
+zabbix_server_dbport: "{{ _zabbix_server_database_default_port[zabbix_server_database] }}"
 zabbix_server_dbencryption: false
 zabbix_server_dbverifyhost: false
 zabbix_server_dbschema:
 
 # Yum/APT Variables
 zabbix_web_version_minor: "*"
-zabbix_web_disable_repo:
-  - epel
 
 # Elasticsearch
 # zabbix_server_history_url:
@@ -68,7 +69,6 @@ zabbix_server_history_types:
   - "dbl"
 
 # SELinux specific
-zabbix_web_selinux: false
 selinux_allow_httpd_can_connect_ldap: false
 selinux_allow_httpd_can_network_connect_db: false
 selinux_allow_httpd_can_connect_zabbix: false