diff --git a/.gitignore b/.gitignore index 84fd904ca..9c786c34a 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,7 @@ /pkg/ /Gemfile.lock /Gemfile.local +/Gemfile.local.lock /vendor/ /.vendor/ /spec/fixtures/manifests/ diff --git a/REFERENCE.md b/REFERENCE.md index d47dcafd2..6a818d5ee 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -8,20 +8,18 @@ #### Public Classes -* [`mongodb::client`](#mongodb--client): Class for installing a MongoDB client shell (CLI). -* [`mongodb::globals`](#mongodb--globals): Class for setting cross-class global overrides. See README.md for more details. -* [`mongodb::mongos`](#mongodb--mongos): This installs a Mongo Shard daemon. See README.md for more details. -* [`mongodb::mongos::config`](#mongodb--mongos--config): PRIVATE CLASS: do not call directly -* [`mongodb::mongos::install`](#mongodb--mongos--install): PRIVATE CLASS: do not call directly +* [`mongodb::client`](#mongodb--client) +* [`mongodb::globals`](#mongodb--globals): Class for setting cross-class global overrides. +* [`mongodb::mongos`](#mongodb--mongos): This installs a Mongo Shard daemon. +* [`mongodb::mongos::config`](#mongodb--mongos--config): Configs mongos +* [`mongodb::mongos::install`](#mongodb--mongos--install): Installs mongos * [`mongodb::mongos::params`](#mongodb--mongos--params): PRIVATE CLASS: do not use directly -* [`mongodb::mongos::service`](#mongodb--mongos--service): PRIVATE CLASS: do not call directly -* [`mongodb::opsmanager`](#mongodb--opsmanager): This installs Ops Manager -* [`mongodb::params`](#mongodb--params): PRIVATE CLASS: do not use directly +* [`mongodb::mongos::service`](#mongodb--mongos--service): Manages the mongos service. +* [`mongodb::opsmanager`](#mongodb--opsmanager) * [`mongodb::replset`](#mongodb--replset): Wrapper class useful for hiera based deployments -* [`mongodb::repo`](#mongodb--repo): PRIVATE CLASS: do not use directly * [`mongodb::repo::apt`](#mongodb--repo--apt): PRIVATE CLASS: do not use directly * [`mongodb::repo::yum`](#mongodb--repo--yum): PRIVATE CLASS: do not use directly -* [`mongodb::server`](#mongodb--server): This installs a MongoDB server. See README.md for more details. +* [`mongodb::server`](#mongodb--server): This installs a MongoDB server. 
* [`mongodb::server::config`](#mongodb--server--config): PRIVATE CLASS: do not call directly * [`mongodb::server::install`](#mongodb--server--install): PRIVATE CLASS: do not call directly * [`mongodb::server::service`](#mongodb--server--service): PRIVATE CLASS: do not call directly @@ -30,6 +28,8 @@ #### Private Classes * `mongodb::client::params` +* `mongodb::params`: Private class to set default values. +* `mongodb::repo`: Private clas to manage the mongodb repo * `mongodb::repo::zypper`: This is a repo class for zypper ### Defined types @@ -52,7 +52,7 @@ ### `mongodb::client` -Class for installing a MongoDB client shell (CLI). +The mongodb::client class. #### Parameters @@ -65,7 +65,7 @@ The following parameters are available in the `mongodb::client` class: Data type: `String[1]` -Desired ensure state of the package. +Used to ensure that the package is installed, or that the package is absent/purged Default value: `$mongodb::client::params::package_ensure` 
@@ -73,13 +73,52 @@ Default value: `$mongodb::client::params::package_ensure` Data type: `String[1]` -Name of the package to install the client from. Default is repository dependent. +This setting can be used to specify the name of the package that should be installed. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `$mongodb::client::params::package_name` ### `mongodb::globals` -Class for setting cross-class global overrides. See README.md for more details. +Class for setting cross-class global overrides. + +#### Examples + +##### Use a more recent MongoDB version to install from the community repository. + +```puppet + +class {'mongodb::globals': + manage_package_repo => true, + version => '3.6', +} +-> class {'mongodb::client': } +-> class {'mongodb::server': } +``` + +##### Install MongoDB from a custom repository. + +```puppet + +class {'mongodb::globals': + manage_package_repo => true, + repo_location => 'http://example.com/repo' +} +-> class {'mongodb::server': } +-> class {'mongodb::client': } +``` + +##### To disable managing of repository, but still enable managing packages. + +```puppet + +class {'mongodb::globals': + manage_package_repo => false, + manage_package => true, +} +-> class {'mongodb::server': } +-> class {'mongodb::client': } +``` #### Parameters @@ -98,6 +137,7 @@ The following parameters are available in the `mongodb::globals` class: * [`ipv6`](#-mongodb--globals--ipv6) * [`bind_ip`](#-mongodb--globals--bind_ip) * [`version`](#-mongodb--globals--version) +* [`mongosh_version`](#-mongodb--globals--mongosh_version) * [`manage_package_repo`](#-mongodb--globals--manage_package_repo) * [`manage_package`](#-mongodb--globals--manage_package) * [`repo_proxy`](#-mongodb--globals--repo_proxy) 
@@ -113,7 +153,8 @@ The following parameters are available in the `mongodb::globals` class: Data type: `Any` - +This setting can be used to override the default MongoDB server package name. +If not specified, the module will use whatever package name is the default for your OS distro. Default value: `undef` @@ -121,7 +162,8 @@ Default value: `undef` Data type: `Any` - +This setting can be used to specify the name of the client package that should be installed. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `undef` @@ -129,7 +171,8 @@ Default value: `undef` Data type: `Any` - +This setting can be used to override the default management of the mongod service. +By default the module will manage the mongod process. Default value: `undef` @@ -137,7 +180,7 @@ Default value: `undef` Data type: `Any` - +This setting can be used to specify if the service should be enable at boot Default value: `undef` @@ -145,7 +188,7 @@ Default value: `undef` Data type: `Any` - +This setting can be used to specify if the service should be running Default value: `undef` @@ -153,7 +196,8 @@ Default value: `undef` Data type: `Any` - +This setting can be used to override the default MongoDB service name. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `undef` @@ -161,7 +205,8 @@ Default value: `undef` Data type: `Any` - +This setting can be used to override the default MongoDB service provider. +If not specified, the module will use whatever service provider is the default for your OS distro. Default value: `undef` @@ -169,7 +214,8 @@ Default value: `undef` Data type: `Any` - +This setting can be used to override the default status check command for your MongoDB service. + If not specified, the module will use whatever service name is the default for your OS distro. Default value: `undef` 
@@ -177,7 +223,8 @@ Default value: `undef` Data type: `Any` - +This setting can be used to override the default MongoDB user and owner of the service and related files in the file system. +If not specified, the module will use the default for your OS distro. Default value: `undef` @@ -185,7 +232,8 @@ Default value: `undef` Data type: `Any` - +This setting can be used to override the default MongoDB user group to be used for related files in the file system. +If not specified, the module will use the default for your OS distro. Default value: `undef` @@ -193,7 +241,8 @@ Default value: `undef` Data type: `Any` - +This setting is used to configure MongoDB to turn on ipv6 support. +If not specified and ipv6 address is passed to MongoDB bind_ip it will just fail. Default value: `undef` @@ -201,7 +250,9 @@ Default value: `undef` Data type: `Any` - +This setting can be used to configure MonogDB process to bind to and listen for connections from applications on this address. +If not specified, the module will use the default for your OS distro. +Note: This value should be passed as an array. Default value: `undef` @@ -209,7 +260,17 @@ Default value: `undef` Data type: `Optional[String[1]]` -Version of mongodb to install +The version of MonogDB to install/manage. This is needed when managing repositories. +If not specified, the module will use the default for your OS distro. + +Default value: `undef` + +##### `mongosh_version` + +Data type: `Any` + +The version of MonogDB-mongosh to install/manage. This package is mandatory to make this module work. +If not specified, the module will use the default for your OS distro. Default value: `undef` 
@@ -217,15 +278,21 @@ Default value: `undef` Data type: `Optional[Boolean]` -If `true` configure upstream mongodb repos +Whether to use the MongoDB software repository or the OS packages (True) or a Custom repo (False) -Default value: `undef` +Default value: + +```puppet +fact('os.distro.codename') ? { # Debian 10 doesn't provide mongodb packages. So manage it! + 'buster' => true, + default => undef +``` ##### `manage_package` Data type: `Any` - +wgether this module willm manage the mongoDB server package Default value: `undef` @@ -233,7 +300,8 @@ Default value: `undef` Data type: `Any` - +This will allow you to set a proxy for your repository in case you are behind a corporate firewall. +Currently this is only supported with yum repositories Default value: `undef` @@ -241,7 +309,7 @@ Default value: `undef` Data type: `Any` - +This sets the username for the proxyserver, should authentication be required. Default value: `undef` @@ -249,31 +317,26 @@ Default value: `undef` Data type: `Any` - +This sets the password for the proxyserver, should authentication be required Default value: `undef` ##### `repo_location` -Data type: `Any` - - - -Default value: `undef` +This setting can be used to override the default MongoDB repository location. +If not specified, the module will use the default repository for your OS distro. ##### `use_enterprise_repo` -Data type: `Any` - - - -Default value: `undef` +When manage_package_repo is set to true, this setting indicates if it will use the Community Edition +(false, the default) or the Enterprise one (true). ##### `pidfilepath` Data type: `Any` - +Specify a file location to hold the PID or process ID of the mongod process. +If not specified, the module will use the default for your OS distro. Default value: `undef` @@ -281,7 +344,7 @@ Default value: `undef` Data type: `Any` - +The file mode of the pid file Default value: `undef` 
@@ -289,13 +352,25 @@ Default value: `undef` Data type: `Any` - +If true, the pidfile will be managed by puppet Default value: `undef` ### `mongodb::mongos` -This installs a Mongo Shard daemon. See README.md for more details. +This class should only be used if you want to implement sharding within your mongodb deployment. + This class allows you to configure the mongos daemon (responsible for routing) on your platform. + + } + +#### Examples + +##### mongos can be installed the following way. + +```puppet +class {'mongodb::mongos' : + configdb => ['configsvr1.example.com:27018'], +``` #### Parameters @@ -327,7 +402,7 @@ The following parameters are available in the `mongodb::mongos` class: Data type: `Stdlib::Absolutepath` - +Path of the config file. If not specified, the module will use the default for your OS distro. Default value: `$mongodb::mongos::params::config` @@ -335,7 +410,7 @@ Default value: `$mongodb::mongos::params::config` Data type: `Optional[String[1]]` - +Config content if the default doesn't match one needs. Default value: `$mongodb::mongos::params::config_content` @@ -343,7 +418,7 @@ Default value: `$mongodb::mongos::params::config_content` Data type: `Optional[String[1]]` - +Path to the config template if the default doesn't match one needs. Default value: `$mongodb::mongos::params::config_template` @@ -351,7 +426,7 @@ Default value: `$mongodb::mongos::params::config_template` Data type: `Variant[String[1], Array[String[1]]]` - +Array of the config servers IP addresses the mongos should connect to. Default value: `$mongodb::mongos::params::configdb` @@ -359,7 +434,7 @@ Default value: `$mongodb::mongos::params::configdb` Data type: `Optional[Hash]` - +Hash containing key-value pairs to allow for additional configuration options to be set in user-provided template. Default value: `$mongodb::mongos::params::config_data` 
@@ -367,7 +442,7 @@ Default value: `$mongodb::mongos::params::config_data` Data type: `Boolean` - +Whether or not the MongoDB sharding service resource should be part of the catalog. Default value: `$mongodb::mongos::params::service_manage` @@ -375,7 +450,8 @@ Default value: `$mongodb::mongos::params::service_manage` Data type: `Optional[String]` - +This setting can be used to override the default Mongos service provider. +If not specified, the module will use whatever service provider is the default for your OS distro. Default value: `$mongodb::mongos::params::service_provider` @@ -383,7 +459,8 @@ Default value: `$mongodb::mongos::params::service_provider` Data type: `Optional[String]` - +This setting can be used to override the default Mongos service name. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `$mongodb::mongos::params::service_name` @@ -391,7 +468,7 @@ Default value: `$mongodb::mongos::params::service_name` Data type: `Optional[String[1]]` - +Path to the service template if the default doesn't match one needs. Default value: `$mongodb::mongos::params::service_template` @@ -399,7 +476,7 @@ Default value: `$mongodb::mongos::params::service_template` Data type: `Boolean` - +This setting can be used to specify if the service should be enable at boot Default value: `$mongodb::mongos::params::service_enable` @@ -407,7 +484,7 @@ Default value: `$mongodb::mongos::params::service_enable` Data type: `Stdlib::Ensure::Service` - +This setting can be used to specify if the service should be running Default value: `$mongodb::mongos::params::service_ensure` 
@@ -415,7 +492,8 @@ Default value: `$mongodb::mongos::params::service_ensure` Data type: `Optional[String]` - +This setting can be used to override the default status check command for your Mongos service. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `$mongodb::mongos::params::service_status` @@ -423,7 +501,7 @@ Default value: `$mongodb::mongos::params::service_status` Data type: `Variant[Boolean, String]` - +This setting can be used to specify if puppet should install the package or not Default value: `$mongodb::mongos::params::package_ensure` @@ -431,7 +509,8 @@ Default value: `$mongodb::mongos::params::package_ensure` Data type: `String` - +This setting can be used to specify the name of the package that should be installed. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `$mongodb::mongos::params::package_name` @@ -439,7 +518,7 @@ Default value: `$mongodb::mongos::params::package_name` Data type: `Optional[Stdlib::Absolutepath]` - +The path for the UNIX socket. If this option has no value, the mongos process creates a socket with /tmp as a prefix. Default value: `$mongodb::mongos::params::unixsocketprefix` @@ -447,7 +526,8 @@ Default value: `$mongodb::mongos::params::unixsocketprefix` Data type: `Optional[Stdlib::Absolutepath]` - +Specify a file location to hold the PID or process ID of the mongod process. +If not specified, the module will use the default for your OS distro. Default value: `$mongodb::mongos::params::pidfilepath` @@ -455,7 +535,8 @@ Default value: `$mongodb::mongos::params::pidfilepath` Data type: `Optional[Variant[Boolean, Stdlib::Absolutepath]]` - +Specify the path to a file name for the log file that will hold all diagnostic logging information. +Unless specified, mongod will output all log information to the standard output. Default value: `$mongodb::mongos::params::logpath` 
@@ -463,7 +544,7 @@ Default value: `$mongodb::mongos::params::logpath` Data type: `Optional[Boolean]` - +Set to true to fork server process at launch time. The default setting depends on the operating system. Default value: `$mongodb::mongos::params::fork` @@ -471,7 +552,8 @@ Default value: `$mongodb::mongos::params::fork` Data type: `Optional[Array[Stdlib::IP::Address]]` - +Set this option to configure the mongod or mongos process to bind to and listen for connections from applications on this address. +If not specified, the module will use the default for your OS distro. Default value: `$mongodb::mongos::params::bind_ip` @@ -479,7 +561,7 @@ Default value: `$mongodb::mongos::params::bind_ip` Data type: `Optional[Stdlib::Port]` - +Specifies a TCP port for the server instance to listen for client connections. Default value: `$mongodb::mongos::params::port` @@ -487,13 +569,13 @@ Default value: `$mongodb::mongos::params::port` Data type: `Boolean` - +Specifies whether the service should be restarted on config changes. Default value: `$mongodb::mongos::params::restart` ### `mongodb::mongos::config` -PRIVATE CLASS: do not call directly +Configs mongos #### Parameters @@ -517,7 +599,7 @@ The following parameters are available in the `mongodb::mongos::config` class: Data type: `Any` - +This setting can be used to specify if puppet should install the package or not Default value: `$mongodb::mongos::package_ensure` @@ -525,7 +607,7 @@ Default value: `$mongodb::mongos::package_ensure` Data type: `Any` - +Path of the config file. If not specified, the module will use the default for your OS distro. Default value: `$mongodb::mongos::config` @@ -533,7 +615,7 @@ Default value: `$mongodb::mongos::config` Data type: `Any` - +Config content if the default doesn't match one needs. Default value: `$mongodb::mongos::config_content` 
@@ -541,7 +623,7 @@ Default value: `$mongodb::mongos::config_content` Data type: `Any` - +Path to the config template if the default doesn't match one needs. Default value: `$mongodb::mongos::config_template` @@ -549,7 +631,7 @@ Default value: `$mongodb::mongos::config_template` Data type: `Any` - +Whether or not the MongoDB sharding service resource should be part of the catalog. Default value: `$mongodb::mongos::service_manage` @@ -557,7 +639,7 @@ Default value: `$mongodb::mongos::service_manage` Data type: `Any` - +Array of the config servers IP addresses the mongos should connect to. Default value: `$mongodb::mongos::configdb` @@ -565,7 +647,8 @@ Default value: `$mongodb::mongos::configdb` Data type: `Any` - +Set this option to configure the mongod or mongos process to bind to and listen for connections from applications on this address. +If not specified, the module will use the default for your OS distro. Default value: `$mongodb::mongos::bind_ip` @@ -573,7 +656,7 @@ Default value: `$mongodb::mongos::bind_ip` Data type: `Any` - +Specifies a TCP port for the server instance to listen for client connections. Default value: `$mongodb::mongos::port` @@ -581,7 +664,7 @@ Default value: `$mongodb::mongos::port` Data type: `Any` - +Set to true to fork server process at launch time. The default setting depends on the operating system. Default value: `$mongodb::mongos::fork` @@ -589,7 +672,8 @@ Default value: `$mongodb::mongos::fork` Data type: `Any` - +Specify a file location to hold the PID or process ID of the mongod process. +If not specified, the module will use the default for your OS distro. Default value: `$mongodb::mongos::pidfilepath` @@ -597,7 +681,8 @@ Default value: `$mongodb::mongos::pidfilepath` Data type: `Any` - +Specify the path to a file name for the log file that will hold all diagnostic logging information. +Unless specified, mongod will output all log information to the standard output. Default value: `$mongodb::mongos::logpath` 
@@ -605,7 +690,7 @@ Default value: `$mongodb::mongos::logpath` Data type: `Any` - +The path for the UNIX socket. If this option has no value, the mongos process creates a socket with /tmp as a prefix. Default value: `$mongodb::mongos::unixsocketprefix` @@ -613,13 +698,13 @@ Default value: `$mongodb::mongos::unixsocketprefix` Data type: `Any` - +Hash containing key-value pairs to allow for additional configuration options to be set in user-provided templ ate. Default value: `$mongodb::mongos::config_data` ### `mongodb::mongos::install` -PRIVATE CLASS: do not call directly +Installs mongos #### Parameters @@ -632,7 +717,7 @@ The following parameters are available in the `mongodb::mongos::install` class: Data type: `Any` - +This setting can be used to specify if puppet should install the package or not Default value: `$mongodb::mongos::package_ensure` @@ -640,7 +725,8 @@ Default value: `$mongodb::mongos::package_ensure` Data type: `Any` - +This setting can be used to specify the name of the package that should be installed. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `$mongodb::mongos::package_name` @@ -650,7 +736,7 @@ PRIVATE CLASS: do not use directly ### `mongodb::mongos::service` -PRIVATE CLASS: do not call directly +Manages the mongos service. #### Parameters @@ -671,7 +757,7 @@ The following parameters are available in the `mongodb::mongos::service` class: Data type: `Any` - +This setting can be used to specify if puppet should install the package or not. Default value: `$mongodb::mongos::package_ensure` @@ -679,7 +765,7 @@ Default value: `$mongodb::mongos::package_ensure` Data type: `Any` - +Whether or not the MongoDB sharding service resource should be part of the catalog. Default value: `$mongodb::mongos::service_manage` 
@@ -687,7 +773,8 @@ Default value: `$mongodb::mongos::service_manage` Data type: `Any` - +This setting can be used to override the default Mongos service name. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `$mongodb::mongos::service_name` @@ -695,7 +782,7 @@ Default value: `$mongodb::mongos::service_name` Data type: `Any` - +This setting can be used to specify if the service should be enable at boot. Default value: `$mongodb::mongos::service_enable` @@ -703,7 +790,7 @@ Default value: `$mongodb::mongos::service_enable` Data type: `Any` - +This setting can be used to specify if the service should be running. Default value: `$mongodb::mongos::service_ensure` @@ -711,7 +798,8 @@ Default value: `$mongodb::mongos::service_ensure` Data type: `Any` - +This setting can be used to override the default status check command for your Mongos service. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `$mongodb::mongos::service_status` @@ -719,7 +807,8 @@ Default value: `$mongodb::mongos::service_status` Data type: `Any` - +This setting can be used to override the default Mongos service provider. +If not specified, the module will use whatever service provider is the default for your OS distro. Default value: `$mongodb::mongos::service_provider` @@ -727,7 +816,8 @@ Default value: `$mongodb::mongos::service_provider` Data type: `Any` - +Set this option to configure the mongod or mongos process to bind to and listen for connections from applicati ons on this address. +If not specified, the module will use the default for your OS distro. Default value: `$mongodb::mongos::bind_ip` @@ -735,7 +825,7 @@ Default value: `$mongodb::mongos::bind_ip` Data type: `Any` - +Specifies a TCP port for the server instance to listen for client connections. Default value: `$mongodb::mongos::port` 
@@ -743,18 +833,26 @@ Default value: `$mongodb::mongos::port` Data type: `Any` - +Path to the service template if the default doesn't match one needs. Default value: `$mongodb::mongos::service_template` ### `mongodb::opsmanager` -This installs Ops Manager +The mongodb::opsmanager class. #### Parameters The following parameters are available in the `mongodb::opsmanager` class: +* [`pem_key_password`](#-mongodb--opsmanager--pem_key_password) +* [`user_svc_class`](#-mongodb--opsmanager--user_svc_class) +* [`snapshot_interval`](#-mongodb--opsmanager--snapshot_interval) +* [`snapshot_interval_retention`](#-mongodb--opsmanager--snapshot_interval_retention) +* [`snapshot_daily_retention`](#-mongodb--opsmanager--snapshot_daily_retention) +* [`snapshot_weekly_retention`](#-mongodb--opsmanager--snapshot_weekly_retention) +* [`snapshot_monthly_retention`](#-mongodb--opsmanager--snapshot_monthly_retention) +* [`versions_directory`](#-mongodb--opsmanager--versions_directory) * [`user`](#-mongodb--opsmanager--user) * [`group`](#-mongodb--opsmanager--group) * [`ensure`](#-mongodb--opsmanager--ensure) 
@@ -778,20 +876,79 @@ The following parameters are available in the `mongodb::opsmanager` class: * [`ignore_ui_setup`](#-mongodb--opsmanager--ignore_ui_setup) * [`ca_file`](#-mongodb--opsmanager--ca_file) * [`pem_key_file`](#-mongodb--opsmanager--pem_key_file) -* [`pem_key_password`](#-mongodb--opsmanager--pem_key_password) -* [`user_svc_class`](#-mongodb--opsmanager--user_svc_class) -* [`snapshot_interval`](#-mongodb--opsmanager--snapshot_interval) -* [`snapshot_interval_retention`](#-mongodb--opsmanager--snapshot_interval_retention) -* [`snapshot_daily_retention`](#-mongodb--opsmanager--snapshot_daily_retention) -* [`snapshot_weekly_retention`](#-mongodb--opsmanager--snapshot_weekly_retention) -* [`snapshot_monthly_retention`](#-mongodb--opsmanager--snapshot_monthly_retention) -* [`versions_directory`](#-mongodb--opsmanager--versions_directory) + +##### `pem_key_password` + +Data type: `Optional[String[1]]` + +The password to the pem key file. + +Default value: `undef` + +##### `user_svc_class` + +Data type: `Optional[String[1]]` + +The user svc class +Default: com.xgen.svc.mms.svc.user.UserSvcDb +External Source: com.xgen.svc.mms.svc.user.UserSvcCrowd +Internal Database: com.xgen.svc.mms.svc.user.UserSvcDb + +Default value: `undef` + +##### `snapshot_interval` + +Data type: `Optional[Integer]` + +The snapshot interval to use + +Default value: `undef` + +##### `snapshot_interval_retention` + +Data type: `Optional[Integer]` + +The snapshot interval retention period + +Default value: `undef` + +##### `snapshot_daily_retention` + +Data type: `Optional[Integer]` + +The dayly snapshot interval retention period + +Default value: `undef` + +##### `snapshot_weekly_retention` + +Data type: `Optional[Integer]` + +The weekly snapshot interval retention period + +Default value: `undef` + +##### `snapshot_monthly_retention` + +Data type: `Optional[Integer]` + +The monthly snapshot interval retention period + +Default value: `undef` + +##### `versions_directory` + +Data type: 
`Optional[Integer]` + +The directory where to store the snapshot versions + +Default value: `undef` ##### `user` Data type: `String[1]` -The user that owns the config file + Default value: `'mongodb-mms'` @@ -799,7 +956,7 @@ Default value: `'mongodb-mms'` Data type: `String[1]` -The group that owns the config file + Default value: `'mongodb-mms'` @@ -871,7 +1028,7 @@ Default value: `'mongodb://127.0.0.1:27017'` Data type: `Stdlib::Httpurl` -The fully qualified url where opsmanager runs. Must include the port. + Default value: `"http://${facts['networking']['fqdn']}:8080"` @@ -959,27 +1116,11 @@ Default value: `true` Data type: `Optional[String[1]]` -Ca file for secure connection to backup agents. -Default value: `undef` - -##### `pem_key_file` - -Data type: `Optional[String[1]]` - -Pem key file containing the cert and private key used for secure connections to backup agents. - -Default value: `undef` - -##### `pem_key_password` - -Data type: `Optional[String[1]]` - -The password to the pem key file. Default value: `undef` -##### `user_svc_class` +##### `pem_key_file` Data type: `Optional[String[1]]` 
@@ -987,61 +1128,24 @@ Data type: `Optional[String[1]]` Default value: `undef` -##### `snapshot_interval` - -Data type: `Optional[Integer]` - - - -Default value: `undef` - -##### `snapshot_interval_retention` - -Data type: `Optional[Integer]` - - - -Default value: `undef` - -##### `snapshot_daily_retention` - -Data type: `Optional[Integer]` - - - -Default value: `undef` - -##### `snapshot_weekly_retention` - -Data type: `Optional[Integer]` - - - -Default value: `undef` - -##### `snapshot_monthly_retention` - -Data type: `Optional[Integer]` - - - -Default value: `undef` - -##### `versions_directory` - -Data type: `Optional[Integer]` - - +### `mongodb::replset` -Default value: `undef` +Wrapper class useful for hiera based deployments -### `mongodb::params` +#### Examples -PRIVATE CLASS: do not use directly +##### hieradata -### `mongodb::replset` +```puppet -Wrapper class useful for hiera based deployments +mongodb::replset::sets: + replicaset01: + ensure: present + members: + - member01.example.com:27017 + - member02.example.com:27017 + - member03.example.com:27017 +``` #### Parameters 
@@ -1053,130 +1157,65 @@ The following parameters are available in the `mongodb::replset` class: Data type: `Any` - +Hash of attributes as described in the mongodb_replset custom type Default value: `undef` -### `mongodb::repo` +### `mongodb::repo::apt` PRIVATE CLASS: do not use directly -#### Parameters - -The following parameters are available in the `mongodb::repo` class: +### `mongodb::repo::yum` -* [`ensure`](#-mongodb--repo--ensure) -* [`version`](#-mongodb--repo--version) -* [`use_enterprise_repo`](#-mongodb--repo--use_enterprise_repo) -* [`repo_location`](#-mongodb--repo--repo_location) -* [`proxy`](#-mongodb--repo--proxy) -* [`proxy_username`](#-mongodb--repo--proxy_username) -* [`proxy_password`](#-mongodb--repo--proxy_password) -* [`aptkey_options`](#-mongodb--repo--aptkey_options) +PRIVATE CLASS: do not use directly -##### `ensure` +### `mongodb::server` -Data type: `Variant[Enum['present', 'absent'], Boolean]` +Most of the parameters manipulate the mongod.conf file. + For more details about configuration parameters consult the MongoDB Configuration File Options. + } -Default value: `'present'` +This setting can be used to specify if the service should be running. -##### `version` +#### Examples -Data type: `Optional[String]` +##### Basic usage. -Optional repo version string. +```puppet +include mongodb::server +``` -Default value: `undef` +##### Overrule settings -##### `use_enterprise_repo` +```puppet +class {'mongodb::server': + port => 27018, + verbose => true, +``` -Data type: `Boolean` +#### Parameters -Boolean value to use enterprise repository. Defaults to false. 
+The following parameters are available in the `mongodb::server` class: -Default value: `false` - -##### `repo_location` - -Data type: `Optional[String]` - -Optional location of the repository - -Default value: `undef` - -##### `proxy` - -Data type: `Optional[String]` - - - -Default value: `undef` - -##### `proxy_username` - -Data type: `Optional[String]` - - - -Default value: `undef` - -##### `proxy_password` - -Data type: `Optional[String]` - - - -Default value: `undef` - -##### `aptkey_options` - -Data type: `Optional[String[1]]` - - - -Default value: `undef` - -### `mongodb::repo::apt` - -PRIVATE CLASS: do not use directly - -### `mongodb::repo::yum` - -PRIVATE CLASS: do not use directly - -### `mongodb::server` - -This installs a MongoDB server. See README.md for more details. - -#### Parameters - -The following parameters are available in the `mongodb::server` class: - -* [`tls`](#-mongodb--server--tls) -* [`tls_key`](#-mongodb--server--tls_key) -* [`tls_ca`](#-mongodb--server--tls_ca) -* [`tls_conn_without_cert`](#-mongodb--server--tls_conn_without_cert) -* [`tls_invalid_hostnames`](#-mongodb--server--tls_invalid_hostnames) -* [`tls_mode`](#-mongodb--server--tls_mode) -* [`admin_password_hash`](#-mongodb--server--admin_password_hash) * [`ensure`](#-mongodb--server--ensure) * [`user`](#-mongodb--server--user) * [`group`](#-mongodb--server--group) * [`config`](#-mongodb--server--config) * [`dbpath`](#-mongodb--server--dbpath) * [`dbpath_fix`](#-mongodb--server--dbpath_fix) -* [`pidfilepath`](#-mongodb--server--pidfilepath) * [`pidfilemode`](#-mongodb--server--pidfilemode) +* [`pidfilepath`](#-mongodb--server--pidfilepath) * [`manage_pidfile`](#-mongodb--server--manage_pidfile) * [`rcfile`](#-mongodb--server--rcfile) * [`service_manage`](#-mongodb--server--service_manage) -* [`service_provider`](#-mongodb--server--service_provider) +* [`service_manage`](#-mongodb--server--service_manage) * [`service_name`](#-mongodb--server--service_name) +* 
[`service_provider`](#-mongodb--server--service_provider) +* [`service_status`](#-mongodb--server--service_status) * [`service_enable`](#-mongodb--server--service_enable) * [`service_ensure`](#-mongodb--server--service_ensure) -* [`service_status`](#-mongodb--server--service_status) * [`package_ensure`](#-mongodb--server--package_ensure) * [`package_name`](#-mongodb--server--package_name) * [`logpath`](#-mongodb--server--logpath) 
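Review bot: the new `mongodb::server` class description carries stray fragments: `+ }` and `+This setting can be used to specify if the service should be running.` sit between "Most of the parameters manipulate the mongod.conf file." and `#### Examples`, and read like a parameter docstring pasted into the class summary; drop them, and close the "Overrule settings" example, which ends after `verbose => true,` without its `}`. In the parameter list of the same hunk, `* [`service_manage`]` now appears twice because the removed `service_provider` line was replaced by a second `service_manage` entry while `service_provider` is re-added a few lines later; delete the duplicate.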
@@ -1232,78 +1271,32 @@ The following parameters are available in the `mongodb::server` class: * [`ssl_weak_cert`](#-mongodb--server--ssl_weak_cert) * [`ssl_invalid_hostnames`](#-mongodb--server--ssl_invalid_hostnames) * [`ssl_mode`](#-mongodb--server--ssl_mode) +* [`tls`](#-mongodb--server--tls) +* [`tls_key`](#-mongodb--server--tls_key) +* [`tls_ca`](#-mongodb--server--tls_ca) +* [`tls_conn_without_cert`](#-mongodb--server--tls_conn_without_cert) +* [`tls_invalid_hostnames`](#-mongodb--server--tls_invalid_hostnames) +* [`tls_mode`](#-mongodb--server--tls_mode) +* [`admin_password_hash`](#-mongodb--server--admin_password_hash) * [`restart`](#-mongodb--server--restart) * [`storage_engine`](#-mongodb--server--storage_engine) * [`create_admin`](#-mongodb--server--create_admin) * [`admin_username`](#-mongodb--server--admin_username) * [`admin_password`](#-mongodb--server--admin_password) * [`admin_auth_mechanism`](#-mongodb--server--admin_auth_mechanism) +* [`supported_auth_mechanisms`](#-mongodb--server--supported_auth_mechanisms) +* [`admin_tls_key`](#-mongodb--server--admin_tls_key) * [`admin_update_password`](#-mongodb--server--admin_update_password) +* [`admin_roles`](#-mongodb--server--admin_roles) * [`handle_creds`](#-mongodb--server--handle_creds) * [`store_creds`](#-mongodb--server--store_creds) -* [`admin_roles`](#-mongodb--server--admin_roles) - -##### `tls` - -Data type: `Boolean` - -Ensure tls is enabled. - -Default value: `false` - -##### `tls_key` - -Data type: `Optional[Stdlib::Absolutepath]` - -Defines the path of the file that contains the TLS/SSL certificate and key. - -Default value: `undef` - -##### `tls_ca` - -Data type: `Optional[Stdlib::Absolutepath]` - -Defines the path of the file that contains the certificate chain for verifying client certificates. - -Default value: `undef` - -##### `tls_conn_without_cert` - -Data type: `Boolean` - -Set to true to bypass client certificate validation for clients that do not present a certificate. 
- -Default value: `false` - -##### `tls_invalid_hostnames` - -Data type: `Boolean` - -Set to true to disable the validation of the hostnames in TLS certificates. - -Default value: `false` - -##### `tls_mode` - -Data type: `Enum['requireTLS', 'preferTLS', 'allowTLS']` - -Defines if TLS is used for all network connections. Allowed values are 'requireTLS', 'preferTLS' or 'allowTLS'. - -Default value: `'requireTLS'` - -##### `admin_password_hash` - -Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` - -Hashed password. Hex encoded md5 hash of mongodb password. - -Default value: `undef` ##### `ensure` Data type: `Variant[Boolean, String]` - +Used to ensure that the package is installed and the service is running, or that the package is +absent/purged and the service is stopped. Default value: `$mongodb::params::ensure` @@ -1311,7 +1304,8 @@ Default value: `$mongodb::params::ensure` Data type: `String` - +This setting can be used to override the default MongoDB user and owner of the service and related files in the file system. +If not specified, the module will use the default for your OS distro. Default value: `$mongodb::params::user` @@ -1319,7 +1313,8 @@ Default value: `$mongodb::params::user` Data type: `String` - +This setting can be used to override the default MongoDB user group to be used for related files in the file system. +If not specified, the module will use the default for your OS distro. Default value: `$mongodb::params::group` @@ -1327,7 +1322,7 @@ Default value: `$mongodb::params::group` Data type: `Stdlib::Absolutepath` - +Path of the config file. If not specified, the module will use the default for your OS distro. Default value: `$mongodb::params::config` 
@@ -1335,7 +1330,8 @@ Default value: `$mongodb::params::config` Data type: `Stdlib::Absolutepath` - +Set this value to designate a directory for the mongod instance to store it's data. +If not specified, the module will use the default for your OS distro. Default value: `$mongodb::params::dbpath` @@ -1343,31 +1339,34 @@ Default value: `$mongodb::params::dbpath` Data type: `Boolean` - +Set this value to true if you want puppet to recursively manage the permissions of the files in the dbpath +directory. If you are using the default dbpath, this should probably be false. Set this to true if you are +using a custom dbpath. Default value: `$mongodb::params::dbpath_fix` -##### `pidfilepath` - -Data type: `Optional[Stdlib::Absolutepath]` - +##### `pidfilemode` +Data type: `String` -Default value: `$mongodb::params::pidfilepath` +The file mode of the pidfilepath -##### `pidfilemode` +Default value: `$mongodb::params::pidfilemode` -Data type: `String` +##### `pidfilepath` +Data type: `Optional[Stdlib::Absolutepath]` +Specify a file location to hold the PID or process ID of the mongod process. +If not specified, the module will use the default for your OS distro. -Default value: `$mongodb::params::pidfilemode` +Default value: `$mongodb::params::pidfilepath` ##### `manage_pidfile` Data type: `Boolean` - +Should puppet create the pidfile. Mongod 6.2.10 will not start if pidfile exists Default value: `$mongodb::params::manage_pidfile` @@ -1375,7 +1374,7 @@ Default value: `$mongodb::params::manage_pidfile` Data type: `String` - +The path to the custom mongosh rc file. Default value: `$mongodb::params::rcfile` 
@@ -1383,31 +1382,48 @@ Default value: `$mongodb::params::rcfile` Data type: `Boolean` +Whether or not the MongoDB service resource should be part of the catalog. + +Default value: `$mongodb::params::service_manage` + +##### `service_manage` +Whether or not the MongoDB sharding service resource should be part of the catalog. Default value: `$mongodb::params::service_manage` -##### `service_provider` +##### `service_name` Data type: `Optional[String]` +This setting can be used to override the default Mongos service name. +If not specified, the module will use whatever service name is the default for your OS distro. +Default value: `$mongodb::params::service_name` -Default value: `$mongodb::params::service_provider` - -##### `service_name` +##### `service_provider` Data type: `Optional[String]` +This setting can be used to override the default Mongos service provider. +If not specified, the module will use whatever service provider is the default for your OS distro. +Default value: `$mongodb::params::service_provider` -Default value: `$mongodb::params::service_name` +##### `service_status` + +Data type: `Optional[Enum['stopped', 'running']]` + +This setting can be used to override the default status check command for your Mongos service. +If not specified, the module will use whatever service name is the default for your OS distro. + +Default value: `$mongodb::params::service_status` ##### `service_enable` Data type: `Boolean` - +This setting can be used to specify if the service should be enable at boot. Default value: `$mongodb::params::service_enable` 
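Review bot: this hunk adds a second `##### service_manage` heading ("Whether or not the MongoDB sharding service resource should be part of the catalog.") directly under the first one, with the same default `$mongodb::params::service_manage`; this is the mongos docstring copied into `mongodb::server` and should be removed. The same copy-paste shows in `service_name`, `service_provider` and `service_status`, which all say "Mongos" although this is the mongod server class, and `service_status` says "the module will use whatever service name is the default", which does not describe a status command.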
@@ -1419,19 +1435,11 @@ Data type: `Enum['stopped', 'running']` Default value: `$mongodb::params::service_ensure` -##### `service_status` - -Data type: `Optional[Enum['stopped', 'running']]` - - - -Default value: `$mongodb::params::service_status` - ##### `package_ensure` Data type: `Variant[Boolean, String]` - +This setting can be used to specify if puppet should install the package or not. Default value: `$mongodb::params::package_ensure` @@ -1439,7 +1447,8 @@ Default value: `$mongodb::params::package_ensure` Data type: `String` - +This setting can be used to specify the name of the package that should be installed. +If not specified, the module will use whatever service name is the default for your OS distro. Default value: `$mongodb::params::server_package_name` @@ -1447,7 +1456,8 @@ Default value: `$mongodb::params::server_package_name` Data type: `Variant[Boolean, Stdlib::Absolutepath]` - +Specify the path to a file name for the log file that will hold all diagnostic logging information. +Unless specified, mongod will output all log information to the standard output. Default value: `$mongodb::params::logpath` @@ -1455,7 +1465,8 @@ Default value: `$mongodb::params::logpath` Data type: `Array[Stdlib::IP::Address]` - +Set this option to configure the mongod or mongos process to bind to and listen for connections from +applications on this address. If not specified, the module will use the default for your OS distro. Default value: `$mongodb::params::bind_ip` @@ -1463,7 +1474,8 @@ Default value: `$mongodb::params::bind_ip` Data type: `Optional[Boolean]` - +This setting has to be true to configure MongoDB to turn on ipv6 support. If not specified and ipv6 +address is passed to MongoDB bind_ip it will just fail. Default value: `undef` @@ -1471,7 +1483,8 @@ Default value: `undef` Data type: `Boolean` - +Set to true to add new entries to the end of the logfile rather than overwriting the content of the log +when the process restarts. Default value: `true` 
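Review bot: in the `package_name` hunk the added sentence "If not specified, the module will use whatever service name is the default for your OS distro." should say package name, not service name; `$mongodb::params::server_package_name` is a package.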
@@ -1479,7 +1492,8 @@ Default value: `true` Data type: `Optional[String]` - +Set to reopen for mongo to close a log file then reopen it so that logrotations handled outside of mongo +perform as expected. Default value: `undef` @@ -1487,7 +1501,7 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set to true to fork server process at launch time. The default setting depends on the operating system. Default value: `$mongodb::params::fork` @@ -1495,7 +1509,7 @@ Default value: `$mongodb::params::fork` Data type: `Optional[Integer[1, 65535]]` - +Specifies a TCP port for the server instance to listen for client connections. Default value: `undef` @@ -1503,7 +1517,7 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set to true to enable operation journaling to ensure write durability and data consistency. Default value: `$mongodb::params::journal` @@ -1511,7 +1525,8 @@ Default value: `$mongodb::params::journal` Data type: `Optional[Boolean]` - +Set nojournal = true to disable durability journaling. By default, mongod enables journaling in 64-bit versions after v2.0. +Note: You must use journal to enable journaling on 32-bit systems. Default value: `undef` @@ -1519,7 +1534,8 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set to true to modify MongoDB to use a smaller default data file size. Specifically, smallfiles reduces +the initial size for data files and limits them to 512 megabytes. Default value: `undef` @@ -1527,7 +1543,8 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set to true to force mongod to report every four seconds CPU utilization and the amount of time that the +processor waits for I/O operations to complete (i.e. I/O wait.) Default value: `undef` 
@@ -1535,7 +1552,8 @@ Default value: `undef` Data type: `Boolean` - +et to true to enable database authentication for users connecting from remote hosts. If no users exist, +the localhost interface will continue to have access to the database until you create the first user. Default value: `false` @@ -1543,7 +1561,7 @@ Default value: `false` Data type: `Optional[Boolean]` - +Disable authentication. Default value: `undef` @@ -1551,7 +1569,7 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Increases the amount of internal reporting returned on standard output or in the log file generated by logpath. Default value: `undef` @@ -1559,7 +1577,7 @@ Default value: `undef` Data type: `Optional[String]` - +MongoDB has the following levels of verbosity: v, vv, vvv, vvvv and vvvvv. Default value: `undef` @@ -1567,7 +1585,8 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Forces the mongod to validate all requests from clients upon receipt to ensure that clients never insert +invalid documents into the database. Default value: `undef` @@ -1575,7 +1594,8 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set to true to enable a maximum limit for the number of data files each database can have. The default +quota is 8 data files, when quota is true. Default value: `undef` @@ -1583,7 +1603,7 @@ Default value: `undef` Data type: `Optional[Integer]` - +Modify limit on the number of data files per database. This option requires the quota setting. Default value: `undef` @@ -1591,7 +1611,8 @@ Default value: `undef` Data type: `Optional[Integer[0, 7]]` - +Creates a very verbose diagnostic log for troubleshooting and recording various errors. For more +information please refer to MongoDB Configuration File Options. Default value: `undef` @@ -1599,7 +1620,7 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set to true to modify the storage pattern of the data directory to store each database’s files in a distinct folder. Default value: `undef` 
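Review bot: the `auth` description starts with `+et to true to enable database authentication` and is missing its leading "S"; since this is the parameter that turns on `security.authorization`, the sentence should be complete so readers do not skim past it.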
@@ -1607,7 +1628,8 @@ Default value: `undef` Data type: `Any` - +Modify this value to changes the level of database profiling, which inserts information about operation +performance into output of mongod or the log file if specified by logpath. Default value: `undef` @@ -1615,7 +1637,8 @@ Default value: `undef` Data type: `Optional[Integer]` - +Specifies a value to set the maximum number of simultaneous connections that MongoDB will accept. +Unless set, MongoDB will not limit its own connections. Default value: `undef` @@ -1623,7 +1646,9 @@ Default value: `undef` Data type: `Optional[Integer]` - +Specifies a maximum size in megabytes for the replication operation log (e.g. oplog.) mongod creates an +oplog based on the maximum amount of space available. For 64-bit systems, the oplog is typically 5% of +available disk space. Default value: `undef` @@ -1631,7 +1656,7 @@ Default value: `undef` Data type: `Any` - +Ignore query hints. Default value: `undef` @@ -1639,7 +1664,8 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set to true to disable the HTTP interface. This command will override the rest and disable the HTTP +interface if you specify both. Default value: `undef` @@ -1647,7 +1673,7 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set noscripting = true to disable the scripting engine. Default value: `undef` @@ -1655,7 +1681,7 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set notablescan = true to forbid operations that require a table scan. Default value: `undef` @@ -1663,7 +1689,8 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set noprealloc = true to disable the preallocation of data files. This will shorten the start up time in +some cases, but can cause significant performance penalties during normal operations. Default value: `undef` 
@@ -1671,7 +1698,7 @@ Default value: `undef` Data type: `Optional[Integer]` - +Use this setting to control the default size for all newly created namespace files (i.e .ns). Default value: `undef` @@ -1679,7 +1706,7 @@ Default value: `undef` Data type: `Any` - +MMS token for mms monitoring. Default value: `undef` @@ -1687,7 +1714,7 @@ Default value: `undef` Data type: `Any` - +MMS identifier for mms monitoring. Default value: `undef` @@ -1695,7 +1722,7 @@ Default value: `undef` Data type: `Any` - +MMS interval for mms monitoring. Default value: `undef` @@ -1703,7 +1730,8 @@ Default value: `undef` Data type: `Optional[String]` - +Use this setting to configure replication with replica sets. Specify a replica set name as an argument to +this set. All hosts must have the same set name. Default value: `undef` @@ -1711,7 +1739,14 @@ Default value: `undef` Data type: `Optional[Hash]` - +A hash that is used to configure the replica set. Mutually exclusive with replset_members param. +class mongodb::server { + replset => 'rsmain', + replset_config => { 'rsmain' => { + ensure => present, + settings => { heartbeatTimeoutSecs => 15, getLastErrorModes => { ttmode => { dc => 1 } } }, + members => [{'host' => 'host1:27017', 'tags':{ 'dc' : 'east'}}, { 'host' => 'host2:27017'}, 'host3:27017'] }}, +} Default value: `undef` @@ -1719,7 +1754,7 @@ Default value: `undef` Data type: `Optional[Array]` - +An array of member hosts for the replica set. Mutually exclusive with replset_config param. Default value: `undef` @@ -1727,7 +1762,7 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Use this setting to enable config server mode for mongod. Default value: `undef` @@ -1735,7 +1770,7 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Use this setting to enable shard server mode for mongod. Default value: `undef` @@ -1743,7 +1778,7 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Set to true to enable a simple REST interface. Default value: `undef` 
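Review bot: the `replset_config` example in the `@@ -1711,7 +1739,14 @@` hunk is not valid Puppet: `+class mongodb::server {` followed by `+ replset => 'rsmain',` is a class definition body, not a resource-like declaration, and should read `class { 'mongodb::server':`; the `members` entry mixes JSON syntax (`'tags':{ 'dc' : 'east'}`) with Puppet hash syntax (`=>`). It is also inlined into the description without a fence, while the other examples in this file use ```puppet blocks.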
@@ -1751,7 +1786,12 @@ Default value: `undef` Data type: `Optional[Boolean]` +Runs the mongod or mongos instance in a quiet mode that attempts to limit the amount of output. +This option suppresses : "output from database commands, including drop, dropIndexes, diagLogging, +validate, and clean", "replication activity", "connection accepted events" and "connection closed events". +For production systems this option is not recommended as it may make tracking problems during particular +connections much more difficult. Default value: `undef` @@ -1759,7 +1799,7 @@ Default value: `undef` Data type: `Optional[Integer]` - +Sets the threshold for mongod to consider a query “slow” for the database profiler. Default value: `undef` @@ -1767,7 +1807,8 @@ Default value: `undef` Data type: `Optional[Stdlib::Absolutepath]` - +Specify the path to a key file to store authentication information. This option is only useful for the +connection between replica set members. Default value: `undef` @@ -1775,7 +1816,8 @@ Default value: `undef` Data type: `Optional[Variant[String[6], Sensitive[String[6]]]]` - +Specify the key contained within the keyfile. This option is only useful for the connection between +replica set members. Default value: `undef` @@ -1783,7 +1825,7 @@ Default value: `undef` Data type: `Optional[Variant[String[1], Array[String[1]]]]` - +Specify extra configuration file parameters (i.e. textSearchEnabled=true). Default value: `undef` @@ -1791,7 +1833,8 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Sends all logging output to the host’s syslog system rather than to standard output or a log file. +Important: You cannot use syslog with logpath. Set logpath to false to disable it. Default value: `undef` @@ -1799,7 +1842,7 @@ Default value: `undef` Data type: `Any` - +Config content if the default doesn't match one needs. Default value: `undef` 
@@ -1807,7 +1850,7 @@ Default value: `undef` Data type: `Optional[String]` - +Path to the config template if the default doesn't match one needs. Default value: `undef` @@ -1815,7 +1858,7 @@ Default value: `undef` Data type: `Optional[Hash]` - +A hash to allow for additional configuration options to be set in user-provided template. Default value: `undef` @@ -1823,7 +1866,9 @@ Default value: `undef` Data type: `Optional[Boolean]` - +Use SSL validation. +Important: You need to have ssl_key set as well, and the file needs to pre-exist on node. If you wish to +use certificate validation, ssl_ca must also be set. Default value: `undef` @@ -1831,7 +1876,7 @@ Default value: `undef` Data type: `Optional[Stdlib::Absolutepath]` - +Defines the path of the file that contains the TLS/SSL certificate and key. Default value: `undef` @@ -1839,7 +1884,7 @@ Default value: `undef` Data type: `Optional[Stdlib::Absolutepath]` - +Defines the path of the file that contains the certificate chain for verifying client certificates. Default value: `undef` @@ -1847,7 +1892,7 @@ Default value: `undef` Data type: `Boolean` - +Set to true to disable mandatory SSL client authentication. Default value: `false` @@ -1855,7 +1900,7 @@ Default value: `false` Data type: `Boolean` - +Set to true to disable fqdn SSL cert check. Default value: `false` 
@@ -1863,15 +1908,71 @@ Default value: `false` Data type: `Enum['requireSSL', 'preferSSL', 'allowSSL']` - +Ssl authorization mode. Default value: `'requireSSL'` -##### `restart` +##### `tls` + +Data type: `Boolean` + +Ensure tls is enabled. + +Default value: `false` + +##### `tls_key` + +Data type: `Optional[Stdlib::Absolutepath]` + +Defines the path of the file that contains the TLS/SSL certificate and key. + +Default value: `undef` + +##### `tls_ca` + +Data type: `Optional[Stdlib::Absolutepath]` + +Defines the path of the file that contains the certificate chain for verifying client certificates. + +Default value: `undef` + +##### `tls_conn_without_cert` + +Data type: `Boolean` + +Set to true to bypass client certificate validation for clients that do not present a certificate. + +Default value: `false` + +##### `tls_invalid_hostnames` Data type: `Boolean` +Set to true to disable the validation of the hostnames in TLS certificates. + +Default value: `false` +##### `tls_mode` + +Data type: `Enum['requireTLS', 'preferTLS', 'allowTLS']` + +Defines if TLS is used for all network connections. Allowed values are 'requireTLS', 'preferTLS' or 'allowTLS'. + +Default value: `'requireTLS'` + +##### `admin_password_hash` + +Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` + +Hashed password. Hex encoded md5 hash of mongodb password. + +Default value: `undef` + +##### `restart` + +Data type: `Boolean` + +Specifies whether the service should be restarted on config changes. Default value: `$mongodb::params::restart` @@ -1879,7 +1980,8 @@ Default value: `$mongodb::params::restart` Data type: `Optional[String]` - +Only needed for MongoDB 3.x versions, where it's possible to select the 'wiredTiger' engine in addition to +the default 'mmapv1' engine. If not set, the config is left out and mongo will default to 'mmapv1'. Default value: `undef` 
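Review bot: `ssl_mode` is described as "Ssl authorization mode." but its values `requireSSL`, `preferSSL` and `allowSSL` select the connection mode, not authorization; say "SSL connection mode". In the same hunk the moved `admin_password_hash` text says only "Hex encoded md5 hash of mongodb password", whereas the `mongodb::db` `password_hash` entry later in this file documents the exact hashed input ("$username:mongo:$password"); state the input here too so operators compute the right digest.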
@@ -1887,7 +1989,7 @@ Default value: `undef` Data type: `Boolean` - +Allows to create admin user for admin database. Default value: `$mongodb::params::create_admin` @@ -1895,7 +1997,7 @@ Default value: `$mongodb::params::create_admin` Data type: `String` - +Administrator user name Default value: `$mongodb::params::admin_username` 
@@ -1903,49 +2005,66 @@ Default value: `$mongodb::params::admin_username` Data type: `Optional[Variant[String, Sensitive[String]]]` - +Administrator user password Default value: `undef` ##### `admin_auth_mechanism` -Data type: `Enum['scram_sha_1', 'scram_sha_256']` - +Data type: `Enum['scram_sha_1', 'scram_sha_256', 'x509']` +Administrator authentication mechanism. scram_sha_256 password synchronization verification is not supported. Default value: `$mongodb::params::admin_auth_mechanism` -##### `admin_update_password` +##### `supported_auth_mechanisms` -Data type: `Boolean` +Data type: `Optional[Array[Enum['scram_sha_1', 'scram_sha_256', 'x509']]]` +Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the $admin_auth_mechanism is also included. +Default value: `undef` -Default value: `false` +##### `admin_tls_key` -##### `handle_creds` +Data type: `Optional[Stdlib::Absolutepath]` + +Filepath of the administrators x509 certificate. Its the user of this class that needs to manage this certificate. + +Default value: `undef` + +##### `admin_update_password` Data type: `Boolean` +Update password. Used with SCRAM-SHA-256 because password verification is not supported. +Default value: `false` -Default value: `$mongodb::params::handle_creds` +##### `admin_roles` -##### `store_creds` +Data type: `Array` -Data type: `Boolean` +Administrator user roles +Default value: `$mongodb::params::admin_roles` +##### `handle_creds` -Default value: `$mongodb::params::store_creds` +Data type: `Boolean` -##### `admin_roles` +Set this to false to avoid having puppet handle .mongoshrc.js in case you wish to deliver it by other +means. This is needed for facts and providers to work if you have auth set to true. -Data type: `Array` +Default value: `$mongodb::params::handle_creds` +##### `store_creds` +Data type: `Boolean` -Default value: `$mongodb::params::admin_roles` +Store admin credentials in mongoshrc.js file. 
Uses with create_admin parameter + +Default value: `$mongodb::params::store_creds` ### `mongodb::server::config` @@ -1963,6 +2082,21 @@ PRIVATE CLASS: do not call directly Wrapper class useful for hiera based deployments +#### Examples + +##### hieradata + +```puppet +mongodb::shardsvr::shards: + shard01: + keys: + - {x: 1} + members: + - shardhost01.exmaple.com:30000 + - shardhost02.exmaple.com:30000 + - shardhost03.exmaple.com:30000 +``` + #### Parameters The following parameters are available in the `mongodb::shardsvr` class: @@ -1973,7 +2107,7 @@ The following parameters are available in the `mongodb::shardsvr` class: Data type: `Any` - +Hash of attributes as described in the mongodb_shardsvr custom type Default value: `undef` @@ -2004,9 +2138,9 @@ Database username. ##### `auth_mechanism` -Data type: `Enum['scram_sha_1', 'scram_sha_256']` +Data type: `Enum['scram_sha_1', 'scram_sha_256', 'x509']` -Authentication mechanism. scram_sha_256 password verification is not supported. Defaults to 'scram_sha_1'. +- Authentication mechanism. scram_sha_256 password verification is not supported. Defaults to 'scram_sha_1'. Default value: `'scram_sha_1'` @@ -2014,7 +2148,7 @@ Default value: `'scram_sha_1'` Data type: `String` -Database name. Defaults to $name. +- Database name. Defaults to $name. Default value: `$name` @@ -2022,7 +2156,7 @@ Default value: `$name` Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` -Hashed password. Hex encoded md5 hash of "$username:mongo:$password". +- Hashed password. Hex encoded md5 hash of "$username:mongo:$password". Default value: `undef` @@ -2030,7 +2164,7 @@ Default value: `undef` Data type: `Optional[Variant[String[1], Sensitive[String[1]]]]` -Plain text user password. This is UNSAFE, use 'password_hash' instead. +- Plain text user password. This is UNSAFE, use 'password_hash' instead. Default value: `undef` 
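Review bot: in the `@@ -1903,49 +2005,66 @@` hunk the `supported_auth_mechanisms` description reads "the mmongoserver will support. Is set, make sure the $admin_auth_mechanism is also included." and should be "the mongo server will support. If set, make sure ..."; `admin_tls_key` has "Its the user of this class" for "It is the user of this class". Also worth stating in `supported_auth_mechanisms` that omitting the mechanism used by `admin_auth_mechanism` locks the module's own admin connection out, since that is the failure the sentence hints at.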
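Review bot: the new hieradata example for `mongodb::shardsvr` spells the hosts `shardhost01.exmaple.com` (three times); use `example.com`. In the `mongodb::db` hunks below it the descriptions gain a leading `- ` (`+- Authentication mechanism.`, `+- Database name.`, `+- Hashed password.`, `+- Plain text user password.`), which no other parameter description in REFERENCE.md uses; drop the dashes so the generated reference stays uniform.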
@@ -2038,7 +2172,7 @@ Default value: `undef` Data type: `Array[String]` -Array with user roles. Deaults to ['dbAdmin'] +(default: ['dbAdmin']) - array with user roles. Default value: `['dbAdmin']` @@ -2046,7 +2180,7 @@ Default value: `['dbAdmin']` Data type: `Integer[0]` -The maximum amount of two second tries to wait MongoDB startup. Defaults to 10. +(default: 10) - The maximum amount of two second tries to wait MongoDB startup. Default value: `10` @@ -2054,7 +2188,7 @@ Default value: `10` Data type: `Boolean` -Force an update of the password when scram_sha_256 is used. Defaults to false. +(default: false) - Force an update of the password when scram_sha_256 is used. Default value: `false` @@ -2076,7 +2210,7 @@ The following properties are available in the `mongodb_conn_validator` type. Valid values: `present`, `absent` -Ensurable property +Ensure to verify the connection to mongodb Default value: `present` @@ -2178,7 +2312,7 @@ The following properties are available in the `mongodb_replset` type. Valid values: `present` -Ensurable property +Ensure the replicaset is either present or absent Default value: `present` @@ -2232,7 +2366,7 @@ The following properties are available in the `mongodb_shard` type. Valid values: `present` -Ensurable property +Ensure the shard is either present or absent Default value: `present` @@ -2322,7 +2456,7 @@ The following parameters are available in the `mongodb_user` type. ##### `auth_mechanism` -Valid values: `scram_sha_256`, `scram_sha_1` +Valid values: `scram_sha_256`, `scram_sha_1`, `x509` Authentication mechanism. Password verification is not supported with SCRAM-SHA-256. diff --git a/lib/facter/is_master.rb b/lib/facter/is_master.rb index 1e406f28a..a42c04d1c 100644 --- a/lib/facter/is_master.rb +++ b/lib/facter/is_master.rb 
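Review bot: the `mongodb::db` hunks move the default into a "(default: ['dbAdmin']) - ..." prefix although every entry already has a separate `Default value:` line; keep the plain sentence form used elsewhere. For `mongodb_replset` and `mongodb_shard` the new text "Ensure the replicaset is either present or absent" / "Ensure the shard is either present or absent" contradicts the unchanged `Valid values: `present`` line directly above it; either document that only `present` is accepted or extend the valid values.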
@@ -8,7 +8,23 @@ def mongod_conf_file locations.find { |location| File.exist? location } end +def mongosh_conf_file + '/root/.mongosh.yaml' if File.exist?('/root/mongosh.yaml') +end + def get_options_from_hash_config(config) + # read also the mongoshrc.yaml yaml file, to retrieve the admins certkey file + if mongosh_conf_file + mongosh_config = YAML.load_file(mongosh_conf_file) + # check which tlscert we need to use + if mongosh_config['admin'] + tlscert = mongosh_config['admin']['tlsCertificateKeyFile'] if mongosh_config['admin']['tlsCertificateKeyFile'] + auth_mech = mongosh_config['admin']['auth_mechanism'] if mongosh_config['admin']['auth_mechanism'] + end + else + tlscert = config['net.tls.certificateKeyFile'] + end + result = [] result << "--port #{config['net.port']}" unless config['net.port'].nil? 
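Review bot: `mongosh_conf_file` tests `File.exist?('/root/mongosh.yaml')` but returns `'/root/.mongosh.yaml'`, so the existence check looks at a different path than the one returned (and than the `#{Facter.value(:root_home)}/.mongosh.yaml` the provider reads in lib/puppet/provider/mongodb.rb); the fact will therefore never pick up the admin certificate unless an undotted file happens to exist. Check and return the same dotted path, and prefer `Facter.value(:root_home)` over a hard-coded `/root` for consistency with the provider. The comment "read also the mongoshrc.yaml yaml file" also names a third file name.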
@@ -23,67 +39,38 @@ def get_options_from_hash_config(config) # - tlsMode is "requireTLS" # - Parameter --tlsCertificateKeyFile is set # - Parameter --tlsCAFile is set - result << "--tls --host #{Facter.value(:fqdn)}" if config['net.tls.mode'] == 'requireTLS' || !config['net.tls.certificateKeyFile'].nil? || !config['net.tls.CAFile'].nil? - result << "--tlsCertificateKeyFile #{config['net.tls.certificateKeyFile']}" unless config['net.tls.certificateKeyFile'].nil? + result << "--tls --host #{Facter.value(:fqdn)}" if config['net.tls.mode'] == 'requireTLS' || !tlscert.nil? || !config['net.tls.CAFile'].nil? + result << "--tlsCertificateKeyFile #{tlscert}" unless tlscert.nil? result << "--tlsCAFile #{config['net.tls.CAFile']}" unless config['net.tls.CAFile'].nil? - result << '--ipv6' unless config['net.ipv6'].nil? - - result.join(' ') -end - -def get_options_from_keyvalue_config(file) - config = {} - File.readlines(file).map do |line| - k, v = line.split('=') - config[k.rstrip] = v.lstrip.chomp if k && v - end - - result = [] - - result << "--port #{config['port']}" unless config['port'].nil? - # use --ssl and --host if: - # - sslMode is "requireSSL" - # - Parameter --sslPEMKeyFile is set - # - Parameter --sslCAFile is set - result << "--ssl --host #{Facter.value(:fqdn)}" if config['ssl'] == 'requireSSL' || !config['sslcert'].nil? || !config['sslca'].nil? - result << "--sslPEMKeyFile #{config['sslcert']}" unless config['sslcert'].nil? - result << "--sslCAFile #{config['sslca']}" unless config['sslca'].nil? - # use --tls and --host if: - # - tlsMode is "requireTLS" - # - Parameter --tlsCertificateKeyFile is set - # - Parameter --tlsCAFile is set - result << "--tls --host #{Facter.value(:fqdn)}" if config['tls'] == 'requireTLS' || !config['tlscert'].nil? || !config['tlsca'].nil? - result << "--tlsCertificateKeyFile #{config['tlscert']}" unless config['tlscert'].nil? - result << "--tlsCAFile #{config['tlsca']}" unless config['tlsca'].nil? 
+ # use --authenticationMechanism, ---authenticationDatabase + # when + # - authenticationMechanism MONGODB-X509 + result << "--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509" if auth_mech && auth_mech == 'x509' - result << '--ipv6' unless config['ipv6'].nil? + result << '--ipv6' unless config['net.ipv6'].nil? result.join(' ') end def get_options_from_config(file) config = YAML.load_file(file) - if config.is_a?(Hash) # Using a valid YAML file for mongo 2.6 - get_options_from_hash_config(config) - else # It has to be a key-value config file - get_options_from_keyvalue_config(file) - end + get_options_from_hash_config(config) end Facter.add('mongodb_is_master') do setcode do - if %w[mongo mongod].all? { |m| Facter::Util::Resolution.which m } + if %w[mongosh mongod].all? { |m| Facter::Util::Resolution.which m } file = mongod_conf_file if file options = get_options_from_config(file) - e = File.exist?('/root/.mongorc.js') ? 'load(\'/root/.mongorc.js\'); ' : '' + e = File.exist?('/root/.mongoshrc.js') ? 'load(\'/root/.mongoshrc.js\'); ' : '' # Check if the mongodb server is responding: - Facter::Core::Execution.exec("mongo --quiet #{options} --eval \"#{e}printjson(db.adminCommand({ ping: 1 }))\"") + Facter::Core::Execution.exec("mongosh --quiet #{options} --eval \"#{e}printjson(db.adminCommand({ ping: 1 }))\"") if $CHILD_STATUS.success? - Facter::Core::Execution.exec("mongo --quiet #{options} --eval \"#{e}db.isMaster().ismaster\"") + Facter::Core::Execution.exec("mongosh --quiet #{options} --eval \"#{e}db.isMaster().ismaster\"") else 'not_responding' end diff --git a/lib/facter/mongodb_version.rb b/lib/facter/mongodb_version.rb index 97fb1937b..a16a1602a 100644 --- a/lib/facter/mongodb_version.rb +++ b/lib/facter/mongodb_version.rb 
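Review bot: `get_options_from_config` now hands `YAML.load_file(file)` straight to `get_options_from_hash_config`; for an empty config file `YAML.load_file` returns `false`, and `config['net.port']` then raises `NoMethodError` inside the fact. Guard it the way the provider does (`YAML.load_file(mongod_conf_file) || {}`). Dropping `get_options_from_keyvalue_config` removes support for the old `key=value` mongod.conf format; if that is intended, the commit message should say so, since the fact will silently report nothing for hosts still on that format.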
@@ -2,9 +2,9 @@ Facter.add(:mongodb_version) do setcode do - if Facter::Core::Execution.which('mongo') - mongodb_version = Facter::Core::Execution.execute('mongo --version 2>&1') - %r{MongoDB shell version:?\s+v?([\w.]+)}.match(mongodb_version)[1] + if Facter::Core::Execution.which('mongod') + mongodb_version = Facter::Core::Execution.execute('mongod --version 2>&1') + %r{^db version:?\s+v?([\w.]+)}.match(mongodb_version)[1] end end end diff --git a/lib/puppet/provider/mongodb.rb b/lib/puppet/provider/mongodb.rb index 4e9554426..b9a62e94a 100644 --- a/lib/puppet/provider/mongodb.rb +++ b/lib/puppet/provider/mongodb.rb @@ -8,15 +8,15 @@ class Puppet::Provider::Mongodb < Puppet::Provider # Without initvars commands won't work. initvars - commands mongo: 'mongo' + commands mongosh: 'mongosh' # Optional defaults file - def self.mongorc_file - "load('#{Facter.value(:root_home)}/.mongorc.js'); " if File.file?("#{Facter.value(:root_home)}/.mongorc.js") + def self.mongoshrc_file + "load('#{Facter.value(:root_home)}/.mongoshrc.js'); " if File.file?("#{Facter.value(:root_home)}/.mongoshrc.js") end - def mongorc_file - self.class.mongorc_file + def mongoshrc_file + self.class.mongoshrc_file end def self.mongod_conf_file @@ -29,6 +29,16 @@ def self.mongod_conf_file def self.mongo_conf config = YAML.load_file(mongod_conf_file) || {} + mongosh_config = {} + mongosh_config = YAML.load_file("#{Facter.value(:root_home)}/.mongosh.yaml") if File.file?("#{Facter.value(:root_home)}/.mongosh.yaml") + # determine if we need tls for the admin user + if mongosh_config['admin'] && mongosh_config['admin']['tlsCertificateKeyFile'] + tlscert = mongosh_config['admin']['tlsCertificateKeyFile'] + auth_mech = mongosh_config['admin']['auth_mechanism'] if mongosh_config['admin']['auth_mechanism'] + else + tlscert =config['net.tls.certificateKeyFile'] + end + { 'bindip' => config['net.bindIp'], 'port' => config['net.port'], 
@@ -39,9 +49,10 @@ def self.mongo_conf 'sslca' => config['net.ssl.CAFile'], 'tlsallowInvalidHostnames' => config['net.tls.allowInvalidHostnames'], 'tls' => config['net.tls.mode'], - 'tlscert' => config['net.tls.certificateKeyFile'], + 'tlscert' => tlscert, 'tlsca' => config['net.tls.CAFile'], 'auth' => config['security.authorization'], + 'auth_mechanism' => auth_mech, 'shardsvr' => config['sharding.clusterRole'], 'confsvr' => config['sharding.clusterRole'] } @@ -74,7 +85,7 @@ def self.tls_invalid_hostnames(config = nil) config['tlsallowInvalidHostnames'] end - def self.mongo_cmd(db, host, cmd) + def self.mongosh_cmd(db, host, cmd) config = mongo_conf args = [db, '--quiet', '--host', host] @@ -92,16 +103,20 @@ def self.mongo_cmd(db, host, cmd) if tls_is_enabled(config) args.push('--tls') - args += ['--tlsCertificateKeyFile', config['tlscert']] tls_ca = config['tlsca'] args += ['--tlsCAFile', tls_ca] unless tls_ca.nil? + args += ['--tlsCertificateKeyFile', config['tlscert']] args.push('--tlsAllowInvalidHostnames') if tls_invalid_hostnames(config) end - args += ['--eval', cmd] - mongo(args) + if config['auth_mechanism'] && config['auth_mechanism'] == 'x509' + args.push("--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509") + end + + args += ['--eval', "\"#{cmd}\""] + mongosh(args) end def self.conn_string @@ -137,9 +152,15 @@ def self.conn_string def self.db_ismaster cmd_ismaster = 'db.isMaster().ismaster' - cmd_ismaster = mongorc_file + cmd_ismaster if mongorc_file + cmd_ismaster = mongoshrc_file + cmd_ismaster if mongoshrc_file db = 'admin' - res = mongo_cmd(db, conn_string, cmd_ismaster).to_s.split(%r{\n}).last.chomp + + begin + res = mongosh_cmd(db, conn_string, cmd_ismaster).to_s.split(%r{\n}).last.chomp + rescue StandardError => e + res = mongosh_cmd(db, conn_string, 'db.isMaster().ismaster').to_s.chomp if auth_enabled && e.message =~ %r{Authentication failed} + end + res.eql?('true') end 
@@ -152,29 +173,53 @@ def self.auth_enabled(config = nil) config['auth'] && config['auth'] != 'disabled' end + def self.rs_initiated? + # TODO: not used yet, generates a stack level to deep error + cmd_status = "rs.status('localhost').set" + cmd_status = mongoshrc_file + cmd_status if mongoshrc_file + db = 'admin' + res = mongosh_cmd(db, conn_string, cmd_status).to_s.split(%r{\n}).last.chomp + + # Retry command without authentication when mongorc_file is set and authentication failed + res = mongosh_cmd(db, conn_string, "rs.status('localhost').set").to_s.chomp if mongorc_file && res =~ %r{Authentication failed} + + res == @resource[:name] + end + # Mongo Command Wrapper def self.mongo_eval(cmd, db = 'admin', retries = 10, host = nil) retry_count = retries retry_sleep = 3 - cmd = mongorc_file + cmd if mongorc_file + no_auth_cmd = cmd + cmd = mongoshrc_file + cmd if mongoshrc_file out = nil begin out = if host - mongo_cmd(db, host, cmd) + mongosh_cmd(db, host, cmd) else - mongo_cmd(db, conn_string, cmd) + mongosh_cmd(db, conn_string, cmd) end rescue StandardError => e - retry_count -= 1 - if retry_count.positive? - Puppet.debug "Request failed: '#{e.message}' Retry: '#{retries - retry_count}'" - sleep retry_sleep - retry + # When using the rc file, we get this eror because in most cases the admin user is not created yet + # Can/must we move this out of the resue block ? + if auth_enabled && e.message =~ %r{Authentication failed} + out = if host + mongosh_cmd(db, host, no_auth_cmd) + else + mongosh_cmd(db, conn_string, no_auth_cmd) + end + else + retry_count -= 1 + if retry_count.positive? + sleep retry_sleep + retry + end end end - raise Puppet::ExecutionFailure, "Could not evaluate MongoDB shell command: #{cmd}" unless out + # return also the error message, so caller can react on it + raise Puppet::ExecutionFailure, "Could not evaluate MongoDB shell command: #{cmd} with #{e.message}" unless out Puppet::Util::MongodbOutput.sanitize(out) end 
@@ -191,31 +236,4 @@ def self.mongo_version def mongo_version self.class.mongo_version end - - def self.mongo_26? - v = mongo_version - !v[%r{^2\.6\.}].nil? - end - - def mongo_26? - self.class.mongo_26? - end - - def self.mongo_4? - v = mongo_version - !v[%r{^4\.}].nil? - end - - def mongo_4? - self.class.mongo_4? - end - - def self.mongo_5? - v = mongo_version - !v[%r{^5\.}].nil? - end - - def mongo_5? - self.class.mongo_5? - end end diff --git a/lib/puppet/provider/mongodb_database/mongodb.rb b/lib/puppet/provider/mongodb_database/mongodb.rb index 5dabe4365..9601b585b 100644 --- a/lib/puppet/provider/mongodb_database/mongodb.rb +++ b/lib/puppet/provider/mongodb_database/mongodb.rb @@ -9,13 +9,16 @@ def self.instances require 'json' - pre_cmd = 'try { rs.secondaryOk() } catch (err) { rs.slaveOk() }' - dbs = JSON.parse mongo_eval("#{pre_cmd};printjson(db.getMongo().getDBs())") + pre_cmd = 'db.getMongo().setReadPref("primaryPreferred")' + dbs = JSON.parse mongo_eval("#{pre_cmd};EJSON.stringify(db.getMongo().getDBs())") dbs['databases'].map do |db| new(name: db['name'], ensure: :present) end + rescue StandardError => e + Puppet.warning("Getting instances of mongodb_database failed: #{e}") + [] end # Assign prefetched dbs based on name. 
@@ -27,10 +30,23 @@ def self.prefetch(resources) end end + def auth_enabled + self.class.auth_enabled + end + def create if db_ismaster - out = mongo_eval('db.dummyData.insert({"created_by_puppet": 1})', @resource[:name]) - raise "Failed to create DB '#{@resource[:name]}'\n#{out}" if %r{writeError} =~ out + begin + out = mongo_eval('db.dummyData.insertOne({"created_by_puppet": 1})', @resource[:name]) + rescue StandardError => e + if auth_enabled && e.message =~ %r{not authorized on admin to execute command} && @resource[:name] == 'admin' + Puppet.warning 'Skipping database creation for admin, need admin user first when security is enabled' + @property_hash[:ensure] = :present + @property_hash[:name] = @resource[:name] + elsif %r{writeError} =~ out + raise "Failed to create DB '#{@resource[:name]}'\n#{out}" + end + end else Puppet.warning 'Database creation is available only from master host' end diff --git a/lib/puppet/provider/mongodb_replset/mongo.rb b/lib/puppet/provider/mongodb_replset/mongo.rb index 57f01511a..aab8c8cec 100644 --- a/lib/puppet/provider/mongodb_replset/mongo.rb +++ b/lib/puppet/provider/mongodb_replset/mongo.rb 
@@ -133,51 +133,67 @@ def self.replset_properties conn_string = conn_string begin output = mongo_command('rs.conf()', conn_string) - rescue Puppet::ExecutionFailure - output = {} - end - if output['members'] - return { - name: output['_id'], # replica set name - ensure: :present, - members: output['members'], - settings: output['settings'], - provider: :mongo - } + if output['members'] + return { + name: output['_id'], # replica set name + ensure: :present, + members: output['members'], + settings: output['settings'], + provider: :mongo + } + end + nil + rescue Puppet::ExecutionFailure => e + if e.message =~ %r{command replSetGetConfig requires authentication} || e.message =~ %r{not authorized on admin to execute command} + output = mongo_command('rs.status()', conn_string) + if output['members'] + memb = [] + output['members'].each do |m| + memb << { 'host' => m['name'] } + end + return { + name: output['set'], + ensure: :present, + members: memb, + provider: :mongo + } + end + nil + end end - nil end def get_hosts_status(members) alive = [] members.select do |member| host = member['host'] - Puppet.debug "Checking replicaset member #{host} ..." - status = rs_status(host) - raise Puppet::Error, "Can't configure replicaset #{name}, host #{host} is not supposed to be part of a replicaset." if status.key?('errmsg') && status['errmsg'] == 'not running with --replSet' - - if auth_enabled && status.key?('errmsg') && (status['errmsg'].include?('unauthorized') || status['errmsg'].include?('not authorized') || status['errmsg'].include?('requires authentication')) - Puppet.warning "Host #{host} is available, but you are unauthorized because of authentication is enabled: #{auth_enabled}" - alive.push(member) - end + begin + status = rs_status(host) + raise Puppet::Error, "Can't configure replicaset #{name}, host #{host} is not supposed to be part of a replicaset." 
if status.key?('errmsg') && status['errmsg'] == 'not running with --replSet' - if status.key?('errmsg') && status['errmsg'].include?('no replset config has been received') - Puppet.debug 'Mongo v4 rs.status() RS not initialized output' - alive.push(member) - end - - if status.key?('set') - raise Puppet::Error, "Can't configure replicaset #{name}, host #{host} is already part of another replicaset." if status['set'] != name + if status.key?('set') + raise Puppet::Error, "Can't configure replicaset #{name}, host #{host} is already part of another replicaset." if status['set'] != name - # This node is alive and supposed to be a member of our set - Puppet.debug "Host #{host} is available for replset #{status['set']}" - alive.push(member) - elsif status.key?('info') - Puppet.debug "Host #{host} is alive but unconfigured: #{status['info']}" - alive.push(member) + # This node is alive and supposed to be a member of our set + alive.push(member) + elsif status.key?('info') + alive.push(member) + end + rescue Puppet::ExecutionFailure => e + if auth_enabled + case e.message + when %r{no replset config has been received} + Puppet.warning('No replicaset config received, needs initialisation') + when %r{Authentication failed}, %r{not authorized on admin} + Puppet.warning "Host #{host} is available, but you are unauthorized because of authentication is enabled: #{auth_enabled}" + when %r{command replSetGetStatus requires authentication} + Puppet.warning("Node #{host} is reachable but requires authentication: ReplicaSet not initialized") + end + alive.push(member) + else + Puppet.warning "Can't connect to replicaset member #{host} (Errormsg: #{e.message})." + end end - rescue Puppet::ExecutionFailure - Puppet.warning "Can't connect to replicaset member #{host}." end alive.uniq! dead = members - alive 
@@ -232,18 +248,20 @@ def set_members return end - Puppet.debug 'Checking for dead and alive members' + # When no replicaset is initiated yet, and authenticatoin is anabled, + # mongo_eval still adds the mongorcsh.js. This gives an 'MongoServerError: Authentication failed.' error. + # In this stage, we only can connect to localhost, and only rs.status() and rs.initiate() is possible. + # All other commands generate 'MongoServerError: not authorized on admin to execute command' error + # So we need to check first if the replicaset is already available, then the admin user can be created, and after that + # authentication should be working. + # if !@property_flush[:members].nil? && !@property_flush[:members].empty? # Find the alive members so we don't try to add dead members to the replset using new config alive_hosts, dead_hosts = get_hosts_status(@property_flush[:members]) - Puppet.debug "Alive members: #{alive_hosts.inspect}" - Puppet.debug "Dead members: #{dead_hosts.inspect}" unless dead_hosts.empty? raise Puppet::Error, "Can't connect to any member of replicaset #{name}." if alive_hosts.empty? elsif !resource[:members].nil? && !resource[:members].empty? # Find the alive members using current 'is' config alive_hosts, dead_hosts = get_hosts_status(@resource[:members]) - Puppet.debug "Alive members: #{alive_hosts.inspect}" - Puppet.debug "Dead members: #{dead_hosts.inspect}" unless dead_hosts.empty? raise Puppet::Error, "Can't connect to any member of replicaset #{name}." if alive_hosts.empty? else alive_hosts = [] @@ -251,7 +269,6 @@ def set_members Puppet.debug 'Checking for new replset' if @property_flush[:ensure] == :present && @property_hash[:ensure] != :present && !master_host(alive_hosts) - Puppet.debug "Initializing the replset #{name}" # Create a replset configuration members_conf = alive_hosts.each_with_index.map do |host, id| 
@@ -266,7 +283,6 @@ def set_members settings: (@property_flush[:settings].nil? ? {} : @property_flush[:settings]) }.to_json - Puppet.debug "Starting replset config is #{replset_conf.to_json}" # Set replset members with the first host as the master output = rs_initiate(replset_conf, alive_hosts[0]['host']) raise Puppet::Error, "rs.initiate() failed for replicaset #{name}: #{output['errmsg']}" if output['ok'].zero? @@ -277,10 +293,9 @@ def set_members retry_limit.times do |n| if db_ismaster(alive_hosts[0]['host'])['ismaster'] - Puppet.debug 'Replica set initialization has successfully ended' return true else - Puppet.debug "Wainting for replica initialization. Retry: #{n}" + Puppet.debug "Waiting for replica initialization. Retry: #{n}" sleep retry_sleep next end @@ -288,14 +303,12 @@ def set_members raise Puppet::Error, "rs.initiate() failed for replicaset #{name}: host #{alive_hosts[0]['host']} didn't become master" else - Puppet.debug "Checking for replset #{name} changes" master = master_host(alive_hosts) raise Puppet::Error, "Can't find master host for replicaset #{name}." unless master master_rs_config = rs_config(master) add_members, remove_members, update_members = get_members_changes(master_rs_config['members'], @property_flush[:members]) - Puppet.debug "Members to be Added: #{add_members.inspect}" unless add_members.empty? add_members.each do |member| retry_limit = 10 retry_sleep = 3 @@ -304,18 +317,15 @@ def set_members retry_limit.times do |n| output = rs_add(member, master) if output['ok'].zero? - Puppet.debug "Retry adding host to replicaset. Retry: #{n}" sleep retry_sleep master = master_host(alive_hosts) else - Puppet.debug 'Host successfully added to replicaset' break end end raise Puppet::Error, "rs.add() failed to add host to replicaset #{name}: #{output['errmsg']}" if output['ok'].zero? end - Puppet.debug "Members to be Removed: #{remove_members.inspect}" unless remove_members.empty? remove_members.each do |member| retry_limit = 10 retry_sleep = 3 
@@ -324,18 +334,15 @@ def set_members retry_limit.times do |n| output = rs_remove(member, master) if output['ok'].zero? - Puppet.debug "Retry removing host from replicaset. Retry: #{n}" sleep retry_sleep master = master_host(alive_hosts) else - Puppet.debug 'Host successfully removed from replicaset' break end end raise Puppet::Error, "rs.remove() failed to remove host from replicaset #{name}: #{output['errmsg']}" if output['ok'].zero? end - Puppet.debug "Members to be Updated: #{update_members.inspect}" unless update_members.empty? update_members.each do |member| retry_limit = 10 retry_sleep = 3 @@ -382,14 +389,13 @@ def mongo_command(command, host, retries = 4) end def self.mongo_command(command, host = nil, retries = 4) - begin - output = mongo_eval("printjson(#{command})", 'admin', retries, host) - rescue Puppet::ExecutionFailure => e - Puppet.debug "Got an exception: #{e}" - raise + output = mongo_eval("EJSON.stringify(#{command})", 'admin', retries, host) + if output =~ %r{no replset config has been received} || output =~ %r{Authentication failed} + output = '{}' end # Hack to avoid non-json empty sets + output = '{}' if output =~ %r{no replset config} || output =~ %r{Authentication failed} output = '{}' if output == "null\n" output = '{}' if output == "\nnull\n" diff --git a/lib/puppet/provider/mongodb_shard/mongo.rb b/lib/puppet/provider/mongodb_shard/mongo.rb index 283d6cce2..6347bf59b 100644 --- a/lib/puppet/provider/mongodb_shard/mongo.rb +++ b/lib/puppet/provider/mongodb_shard/mongo.rb @@ -13,7 +13,7 @@ mk_resource_methods - commands mongo: 'mongo' + commands mongosh: 'mongosh' def initialize(value = {}) super(value) 
@@ -152,8 +152,8 @@ def self.mongo_command(command, host = nil, _retries = 4) args = [] args << '--quiet' args << ['--host', host] if host - args << ['--eval', "printjson(#{command})"] - output = mongo(args.flatten) + args << ['--eval', "EJSON.stringify(#{command})"] + output = mongosh(args.flatten) rescue Puppet::ExecutionFailure => e raise unless e =~ %r{Error: couldn't connect to server} && wait <= (2**max_wait) diff --git a/lib/puppet/provider/mongodb_user/mongodb.rb b/lib/puppet/provider/mongodb_user/mongodb.rb index 3b21a2ee0..fa584f407 100644 --- a/lib/puppet/provider/mongodb_user/mongodb.rb +++ b/lib/puppet/provider/mongodb_user/mongodb.rb 
@@ -10,24 +10,31 @@ def self.instances require 'json' if db_ismaster - script = 'printjson(db.system.users.find().toArray())' + script = 'EJSON.stringify(db.system.users.find().toArray())' # A hack to prevent prefetching failures until admin user is created - script = "try {#{script}} catch (e) { if (e.message.match(/not authorized on admin/)) { 'not authorized on admin' } else {throw e}}" if auth_enabled + script = "try {#{script}} catch (e) { if (e.message.match(/requires authentication/) || e.message.match(/not authorized on admin/)) { 'not authorized on admin' } else {throw e}}" if auth_enabled out = mongo_eval(script) - - return [] if auth_enabled && out.include?('not authorized on admin') + return [] if auth_enabled && (out.include?('requires authentication') || out.include?('not authorized on admin')) users = JSON.parse out users.map do |user| - new(name: user['_id'], + db = if user['db'] == '$external' + # For external users, we need to retreive the original DB name from here. + user['customData']['createdBy'][%r{.* (.*)'\]$}, 1] + else + user['db'] + end + u = new(name: user['_id'], ensure: :present, username: user['user'], - database: user['db'], - roles: from_roles(user['roles'], user['db']), + database: db, + roles: from_roles(user['roles'], db), password_hash: user['credentials']['MONGODB-CR'], scram_credentials: user['credentials']['SCRAM-SHA-1']) + Puppet.debug("Fetching users, creating the found resources: #{u}") + u end else Puppet.warning 'User info is available only from master host' @@ -51,6 +58,7 @@ def create password_hash = @resource[:password_hash] password_hash = Puppet::Util::MongodbMd5er.md5(@resource[:username], @resource[:password]) if !password_hash && @resource[:password] + command = { createUser: @resource[:username], customData: { 
@@ -59,24 +67,27 @@ def create roles: role_hashes(@resource[:roles], @resource[:database]), } - if mongo_4? || mongo_5? - if @resource[:auth_mechanism] == :scram_sha_256 - command[:mechanisms] = ['SCRAM-SHA-256'] - command[:pwd] = @resource[:password] - command[:digestPassword] = true - else - command[:mechanisms] = ['SCRAM-SHA-1'] - command[:pwd] = password_hash - command[:digestPassword] = false - end + case @resource[:auth_mechanism] + when :scram_sha_256 # rubocop:disable Naming/VariableNumber + command[:mechanisms] = ['SCRAM-SHA-256'] + command[:pwd] = @resource[:password] + command[:digestPassword] = true + when :scram_sha_1 # rubocop:disable Naming/VariableNumber + command[:mechanisms] = ['SCRAM-SHA-1'] + command[:pwd] = password_hash + command[:digestPassword] = false + when :x509 + command[:mechanisms] = ['MONGODB-X509'] else command[:pwd] = password_hash command[:digestPassword] = false end - mongo_eval("db.runCommand(#{command.to_json})", @resource[:database]) - else - Puppet.warning 'User creation is available only from master host' + if @resource[:auth_mechanism] == :x509 + mongo_eval("db.getSiblingDB(\"$external\").runCommand(#{command.to_json})", @resource[:database]) + else + mongo_eval("db.runCommand(#{command.to_json})", @resource[:database]) + end @property_hash[:ensure] = :present @property_hash[:username] = @resource[:username] @@ -85,6 +96,9 @@ def create @property_hash[:roles] = @resource[:roles] exists? + + else + Puppet.warning 'User creation is available only from master host' end end 
@@ -110,22 +124,16 @@ def password_hash=(_value) end end - def password=(value) - if mongo_26? - mongo_eval("db.changeUserPassword(#{@resource[:username].to_json}, #{value.to_json})", @resource[:database]) - else - command = { - updateUser: @resource[:username], - pwd: @resource[:password], - digestPassword: true - } + def password=(_value) + command = { + updateUser: @resource[:username], + pwd: @resource[:password], + digestPassword: true + } - if mongo_4? || mongo_5? - command[:mechanisms] = @resource[:auth_mechanism] == :scram_sha_256 ? ['SCRAM-SHA-256'] : ['SCRAM-SHA-1'] - end + command[:mechanisms] = @resource[:auth_mechanism] == :scram_sha_256 ? ['SCRAM-SHA-256'] : ['SCRAM-SHA-1'] - mongo_eval("db.runCommand(#{command.to_json})", @resource[:database]) - end + mongo_eval("db.runCommand(#{command.to_json})", @resource[:database]) end def roles=(roles) diff --git a/lib/puppet/type/mongodb_conn_validator.rb b/lib/puppet/type/mongodb_conn_validator.rb index 672e58e25..1a8676197 100644 --- a/lib/puppet/type/mongodb_conn_validator.rb +++ b/lib/puppet/type/mongodb_conn_validator.rb @@ -8,7 +8,7 @@ purposes such as monitoring." ensurable do - desc 'Ensurable property' + desc 'Ensure to verify the connection to mongodb' defaultvalues defaultto :present end diff --git a/lib/puppet/type/mongodb_replset.rb b/lib/puppet/type/mongodb_replset.rb index 3fdcbe0c4..07dad5712 100644 --- a/lib/puppet/type/mongodb_replset.rb +++ b/lib/puppet/type/mongodb_replset.rb @@ -8,7 +8,7 @@ @doc = 'Manage a MongoDB replicaSet' ensurable do - desc 'Ensurable property' + desc 'Ensure the replicaset is either present or absent' defaultto :present newvalue(:present) do diff --git a/lib/puppet/type/mongodb_shard.rb b/lib/puppet/type/mongodb_shard.rb index e9ad7955a..b1c2ea18f 100644 --- a/lib/puppet/type/mongodb_shard.rb +++ b/lib/puppet/type/mongodb_shard.rb 
@@ -8,7 +8,7 @@ @doc = 'Manage a MongoDB Shard' ensurable do - desc 'Ensurable property' + desc 'Ensure the shard is either present or absent' defaultto :present newvalue(:present) do diff --git a/lib/puppet/type/mongodb_user.rb b/lib/puppet/type/mongodb_user.rb index 592075407..6fee4dd3b 100644 --- a/lib/puppet/type/mongodb_user.rb +++ b/lib/puppet/type/mongodb_user.rb @@ -57,7 +57,7 @@ def to_s?(value) newproperty(:password_hash) do desc 'The password hash of the user. Use mongodb_password() for creating hash. Only available on MongoDB 3.0 and later. SCRAM-SHA-256 authentication mechanism is not supported.' defaultto do - raise Puppet::Error, "Property 'password_hash' must be set. Use mongodb_password() for creating hash." if @resource[:password].nil? && (provider.database == :absent) + raise Puppet::Error, "Property 'password_hash' must be set. Use mongodb_password() for creating hash." if @resource[:auth_mechanism] != :x509 && @resource[:password].nil? && (@resource[:password].nil? && (provider.database == :absent)) end newvalue(%r{^\w+$}) @@ -97,7 +97,7 @@ def insync?(_is) newparam(:auth_mechanism) do desc 'Authentication mechanism. Password verification is not supported with SCRAM-SHA-256.' defaultto :scram_sha_1 - newvalues(:scram_sha_256, :scram_sha_1) + newvalues(:scram_sha_256, :scram_sha_1, :x509) end newparam(:update_password, boolean: true) do 
@@ -122,12 +122,14 @@ def insync?(_is) end validate do - if self[:password_hash].nil? && self[:password].nil? && provider.password.nil? && provider.password_hash.nil? - err("Either 'password_hash' or 'password' should be provided") - elsif !self[:password_hash].nil? && !self[:password].nil? - err("Only one of 'password_hash' or 'password' should be provided") - elsif !self[:password_hash].nil? && self[:auth_mechanism] == :scram_sha_256 - err("'password_hash' is not supported with SCRAM-SHA-256 authentication mechanism") + if self[:auth_mechanism] != :x509 + if self[:password_hash].nil? && self[:password].nil? && provider.password.nil? && provider.password_hash.nil? + err("Either 'password_hash' or 'password' should be provided") + elsif !self[:password_hash].nil? && !self[:password].nil? + err("Only one of 'password_hash' or 'password' should be provided") + elsif !self[:password_hash].nil? && self[:auth_mechanism] == :scram_sha_256 + err("'password_hash' is not supported with SCRAM-SHA-256 authentication mechanism") + end end raise("The parameter 'scram_credentials' is read-only and cannot be changed") if should(:scram_credentials) end diff --git a/manifests/client.pp b/manifests/client.pp index 817584d97..e2c35c2e9 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -1,9 +1,14 @@ # @summary Class for installing a MongoDB client shell (CLI). # +# @example Basic usage +# include mongodb::client + # @param ensure -# Desired ensure state of the package. +# Used to ensure that the package is installed, or that the package is absent/purged +# # @param package_name -# Name of the package to install the client from. Default is repository dependent. +# This setting can be used to specify the name of the package that should be installed. +# If not specified, the module will use whatever service name is the default for your OS distro. # class mongodb::client ( String[1] $ensure = $mongodb::client::params::package_ensure, 
diff --git a/manifests/client/params.pp b/manifests/client/params.pp index bbc4d07ea..5374cd9ad 100644 --- a/manifests/client/params.pp +++ b/manifests/client/params.pp @@ -1,15 +1,9 @@ # @api private class mongodb::client::params inherits mongodb::globals { - $package_ensure = pick($mongodb::globals::version, 'present') + $package_ensure = pick($mongodb::globals::mongosh_version, 'present') $manage_package = pick($mongodb::globals::manage_package, $mongodb::globals::manage_package_repo, false) - if $manage_package { - $package_name = "mongodb-${mongodb::globals::edition}-shell" - } else { - $package_name = $facts['os']['family'] ? { - 'Debian' => 'mongodb-clients', - 'Redhat' => "mongodb-${mongodb::globals::edition}-shell", - default => 'mongodb', - } - } + # the new mongosh package is the same for all distros. + # and it follows its own versioning + $package_name = 'mongodb-mongosh' } diff --git a/manifests/db.pp b/manifests/db.pp index 3d20b9864..58786a0a3 100644 --- a/manifests/db.pp +++ b/manifests/db.pp 
@@ -1,25 +1,25 @@ # @summary Class for creating mongodb databases and users. # -# @param user +# @param user # Database username. -# @param auth_mechanism -# Authentication mechanism. scram_sha_256 password verification is not supported. Defaults to 'scram_sha_1'. -# @param db_name -# Database name. Defaults to $name. -# @param password_hash -# Hashed password. Hex encoded md5 hash of "$username:mongo:$password". -# @param password -# Plain text user password. This is UNSAFE, use 'password_hash' instead. -# @param roles -# Array with user roles. Deaults to ['dbAdmin'] -# @param tries -# The maximum amount of two second tries to wait MongoDB startup. Defaults to 10. -# @param update_password -# Force an update of the password when scram_sha_256 is used. Defaults to false. +# @param +# auth_mechanism - Authentication mechanism. scram_sha_256 password verification is not supported. Defaults to 'scram_sha_1'. +# @param +# db_name - Database name. Defaults to $name. +# @param +# password_hash - Hashed password. Hex encoded md5 hash of "$username:mongo:$password". +# @param +# password - Plain text user password. This is UNSAFE, use 'password_hash' instead. +# @param +# roles (default: ['dbAdmin']) - array with user roles. +# @param +# tries (default: 10) - The maximum amount of two second tries to wait MongoDB startup. +# @param +# update_password (default: false) - Force an update of the password when scram_sha_256 is used. # define mongodb::db ( String $user, - Enum['scram_sha_1', 'scram_sha_256'] $auth_mechanism = 'scram_sha_1', + Enum['scram_sha_1', 'scram_sha_256', 'x509'] $auth_mechanism = 'scram_sha_1', String $db_name = $name, Optional[Variant[String[1], Sensitive[String[1]]]] $password_hash = undef, Optional[Variant[String[1], Sensitive[String[1]]]] $password = undef, 
@@ -33,25 +33,29 @@ tries => $tries, } - if $password_hash =~ Sensitive[String] { - $hash = $password_hash.unwrap - } elsif $password_hash { - $hash = $password_hash - } elsif $password { - $hash = mongodb_password($user, $password) - } else { - fail("Parameter 'password_hash' or 'password' should be provided to mongodb::db.") - } + if $auth_mechanism != 'x509' { + if $password_hash =~ Sensitive[String] { + $hash = $password_hash.unwrap + } elsif $password_hash { + $hash = $password_hash + } elsif $password { + $hash = mongodb_password($user, $password) + } else { + fail("Parameter 'password_hash' or 'password' should be provided to mongodb::db.") + } - if $auth_mechanism == 'scram_sha_256' { - $password_config = { - password => $password, - update_password => $update_password, + if $auth_mechanism == 'scram_sha_256' { + $password_config = { + password => $password, + update_password => $update_password, + } + } else { + $password_config = { + password_hash => $hash, + } } } else { - $password_config = { - password_hash => $hash, - } + $password_config = {} } mongodb_user { "User ${user} on db ${db_name}": diff --git a/manifests/globals.pp b/manifests/globals.pp index 593326417..bed54c30f 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp 
@@ -1,28 +1,119 @@ -# @summary Class for setting cross-class global overrides. See README.md for more details. +# @summary Class for setting cross-class global overrides. +# +# @example Use a more recent MongoDB version to install from the community repository. +# +# class {'mongodb::globals': +# manage_package_repo => true, +# version => '3.6', +# } +# -> class {'mongodb::client': } +# -> class {'mongodb::server': } +# +# @example Install MongoDB from a custom repository. +# +# class {'mongodb::globals': +# manage_package_repo => true, +# repo_location => 'http://example.com/repo' +# } +# -> class {'mongodb::server': } +# -> class {'mongodb::client': } +# +# @example To disable managing of repository, but still enable managing packages. +# +# class {'mongodb::globals': +# manage_package_repo => false, +# manage_package => true, +# } +# -> class {'mongodb::server': } +# -> class {'mongodb::client': } # # @param server_package_name +# This setting can be used to override the default MongoDB server package name. +# If not specified, the module will use whatever package name is the default for your OS distro. +# # @param client_package_name +# This setting can be used to specify the name of the client package that should be installed. +# If not specified, the module will use whatever service name is the default for your OS distro. +# # @param mongod_service_manage +# This setting can be used to override the default management of the mongod service. +# By default the module will manage the mongod process. # @param service_enable +# This setting can be used to specify if the service should be enable at boot +# # @param service_ensure +# This setting can be used to specify if the service should be running +# # @param service_name +# This setting can be used to override the default MongoDB service name. +# If not specified, the module will use whatever service name is the default for your OS distro. 
+# # @param service_provider +# This setting can be used to override the default MongoDB service provider. +# If not specified, the module will use whatever service provider is the default for your OS distro. +# # @param service_status +# This setting can be used to override the default status check command for your MongoDB service. +# If not specified, the module will use whatever service name is the default for your OS distro. +# # @param user +# This setting can be used to override the default MongoDB user and owner of the service and related files in the file system. +# If not specified, the module will use the default for your OS distro. +# # @param group +# This setting can be used to override the default MongoDB user group to be used for related files in the file system. +# If not specified, the module will use the default for your OS distro. +# # @param ipv6 +# This setting is used to configure MongoDB to turn on ipv6 support. +# If not specified and ipv6 address is passed to MongoDB bind_ip it will just fail. +# # @param bind_ip -# @param version Version of mongodb to install -# @param manage_package_repo If `true` configure upstream mongodb repos +# This setting can be used to configure MonogDB process to bind to and listen for connections from applications on this address. +# If not specified, the module will use the default for your OS distro. +# Note: This value should be passed as an array. +# +# @param version +# The version of MonogDB to install/manage. This is needed when managing repositories. +# If not specified, the module will use the default for your OS distro. +# +# @param mongosh_version +# The version of MonogDB-mongosh to install/manage. This package is mandatory to make this module work. +# If not specified, the module will use the default for your OS distro. 
+# +# @param manage_package_repo +# Whether to use the MongoDB software repository or the OS packages (True) or a Custom repo (False) +# # @param manage_package +# wgether this module willm manage the mongoDB server package +# # @param repo_proxy +# This will allow you to set a proxy for your repository in case you are behind a corporate firewall. +# Currently this is only supported with yum repositories +# # @param proxy_username +# This sets the username for the proxyserver, should authentication be required. +# # @param proxy_password +# This sets the password for the proxyserver, should authentication be required +# # @param repo_location +# This setting can be used to override the default MongoDB repository location. +# If not specified, the module will use the default repository for your OS distro. +# # @param use_enterprise_repo +# When manage_package_repo is set to true, this setting indicates if it will use the Community Edition +# (false, the default) or the Enterprise one (true). +# # @param pidfilepath +# Specify a file location to hold the PID or process ID of the mongod process. +# If not specified, the module will use the default for your OS distro. +# # @param pidfilemode +# The file mode of the pid file +# # @param manage_pidfile +# If true, the pidfile will be managed by puppet # class mongodb::globals ( $server_package_name = undef, @@ -40,7 +131,10 @@ $ipv6 = undef, $bind_ip = undef, Optional[String[1]] $version = undef, - Optional[Boolean] $manage_package_repo = undef, + Optional[Boolean] $manage_package_repo = fact('os.distro.codename') ? { # Debian 10 doesn't provide mongodb packages. So manage it! + 'buster' => true, + default => undef + }, $manage_package = undef, $repo_proxy = undef, $proxy_username = undef, @@ -49,6 +143,8 @@ $repo_location = undef, $use_enterprise_repo = undef, + $mongosh_version = undef, + $pidfilepath = undef, $pidfilemode = undef, $manage_pidfile = undef, 
@@ -60,27 +156,34 @@ } # Setup of the repo only makes sense globally, so we are doing it here. - if $manage_package_repo or $manage_package_repo == undef and $facts['os']['family'] in ['RedHat','Linux','Suse'] { - if $use_enterprise_repo == true and $version == undef { - fail('You must set mongodb::globals::version when mongodb::globals::use_enterprise_repo is true') - } - - # Set some default working repositories per OS if no version - # specified. - $_repo_version = $version ? { - Undef => $facts['os']['family'] in ['RedHat', 'Linux', 'Suse'] ? { - true => '3.6', - default => $version, - }, - default => $version, + case $facts['os']['family'] { + 'RedHat', 'Linux', 'Suse': { + # For RedHat, Linux and Suse family: if manage_package_repo is set at undef that include mongodb::repo + if $manage_package_repo != false { + class { 'mongodb::repo': + ensure => present, + version => pick($version, '6.0'), + use_enterprise_repo => $use_enterprise_repo, + repo_location => $repo_location, + proxy => $repo_proxy, + } + } } + default: { + # For other (Debian) family: if manage_package_repo is set at undef that not include mongodb::repo + if $manage_package_repo { + if $use_enterprise_repo == true and $version == undef { + fail('You must set mongodb::globals::version when mongodb::globals::use_enterprise_repo is true') + } - class { 'mongodb::repo': - ensure => present, - version => $_repo_version, - use_enterprise_repo => $use_enterprise_repo, - repo_location => $repo_location, - proxy => $repo_proxy, + class { 'mongodb::repo': + ensure => present, + version => pick($version, '6.0'), + use_enterprise_repo => $use_enterprise_repo, + repo_location => $repo_location, + proxy => $repo_proxy, + } + } } } } diff --git a/manifests/mongos.pp b/manifests/mongos.pp index 1d2724576..6d68095ef 100644 --- a/manifests/mongos.pp +++ b/manifests/mongos.pp 
@@ -1,26 +1,82 @@ -# @summary This installs a Mongo Shard daemon. See README.md for more details. +# @summary This installs a Mongo Shard daemon. +# +# This class should only be used if you want to implement sharding within your mongodb deployment. +# This class allows you to configure the mongos daemon (responsible for routing) on your platform. +# +# @example mongos can be installed the following way. +# class {'mongodb::mongos' : +# configdb => ['configsvr1.example.com:27018'], +# } # # @param config +# Path of the config file. If not specified, the module will use the default for your OS distro. +# # @param config_content +# Config content if the default doesn't match one needs. +# # @param config_template +# Path to the config template if the default doesn't match one needs. +# # @param configdb +# Array of the config servers IP addresses the mongos should connect to. +# # @param config_data +# Hash containing key-value pairs to allow for additional configuration options to be set in user-provided template. +# # @param service_manage +# Whether or not the MongoDB sharding service resource should be part of the catalog. +# # @param service_provider +# This setting can be used to override the default Mongos service provider. +# If not specified, the module will use whatever service provider is the default for your OS distro. +# # @param service_name +# This setting can be used to override the default Mongos service name. +# If not specified, the module will use whatever service name is the default for your OS distro. +# # @param service_template +# Path to the service template if the default doesn't match one needs. +# # @param service_enable +# This setting can be used to specify if the service should be enable at boot +# # @param service_ensure +# This setting can be used to specify if the service should be running +# # @param service_status +# This setting can be used to override the default status check command for your Mongos service. 
+# If not specified, the module will use whatever service name is the default for your OS distro. +# # @param package_ensure +# This setting can be used to specify if puppet should install the package or not +# # @param package_name +# This setting can be used to specify the name of the package that should be installed. +# If not specified, the module will use whatever service name is the default for your OS distro. +# # @param unixsocketprefix +# The path for the UNIX socket. If this option has no value, the mongos process creates a socket with /tmp as a prefix. +# # @param pidfilepath +# Specify a file location to hold the PID or process ID of the mongod process. +# If not specified, the module will use the default for your OS distro. +# # @param logpath +# Specify the path to a file name for the log file that will hold all diagnostic logging information. +# Unless specified, mongod will output all log information to the standard output. +# # @param fork +# Set to true to fork server process at launch time. The default setting depends on the operating system. +# # @param bind_ip +# Set this option to configure the mongod or mongos process to bind to and listen for connections from applications on this address. +# If not specified, the module will use the default for your OS distro. +# # @param port +# Specifies a TCP port for the server instance to listen for client connections. +# # @param restart +# Specifies whether the service should be restarted on config changes. # class mongodb::mongos ( Stdlib::Absolutepath $config = $mongodb::mongos::params::config, diff --git a/manifests/mongos/config.pp b/manifests/mongos/config.pp index 1824202a2..60e404706 100644 --- a/manifests/mongos/config.pp +++ b/manifests/mongos/config.pp 
@@ -1,18 +1,47 @@ -# @summary PRIVATE CLASS: do not call directly +# @private +# @summary Configs mongos # # @param package_ensure +# This setting can be used to specify if puppet should install the package or not +# # @param config +# Path of the config file. If not specified, the module will use the default for your OS distro. +# # @param config_content +# Config content if the default doesn't match one needs. +# # @param config_template +# Path to the config template if the default doesn't match one needs. +# # @param service_manage +# Whether or not the MongoDB sharding service resource should be part of the catalog. +# # @param configdb +# Array of the config servers IP addresses the mongos should connect to. +# # @param bind_ip +# Set this option to configure the mongod or mongos process to bind to and listen for connections from applications on this address. +# If not specified, the module will use the default for your OS distro. +# # @param port +# Specifies a TCP port for the server instance to listen for client connections. +# # @param fork +# Set to true to fork server process at launch time. The default setting depends on the operating system. +# # @param pidfilepath +# Specify a file location to hold the PID or process ID of the mongod process. +# If not specified, the module will use the default for your OS distro. +# # @param logpath +# Specify the path to a file name for the log file that will hold all diagnostic logging information. +# Unless specified, mongod will output all log information to the standard output. +# # @param unixsocketprefix +# The path for the UNIX socket. If this option has no value, the mongos process creates a socket with /tmp as a prefix. +# # @param config_data +# Hash containing key-value pairs to allow for additional configuration options to be set in user-provided templ ate. # class mongodb::mongos::config ( $package_ensure = $mongodb::mongos::package_ensure, 
diff --git a/manifests/mongos/install.pp b/manifests/mongos/install.pp index 1cf8de4f2..d22551e18 100644 --- a/manifests/mongos/install.pp +++ b/manifests/mongos/install.pp @@ -1,7 +1,13 @@ -# @summary PRIVATE CLASS: do not call directly +# @private +# +# @summary Installs mongos # # @param package_ensure +# This setting can be used to specify if puppet should install the package or not +# # @param package_name +# This setting can be used to specify the name of the package that should be installed. +# If not specified, the module will use whatever service name is the default for your OS distro. # class mongodb::mongos::install ( $package_ensure = $mongodb::mongos::package_ensure, diff --git a/manifests/mongos/params.pp b/manifests/mongos/params.pp index 7be61d997..3b06eaebd 100644 --- a/manifests/mongos/params.pp +++ b/manifests/mongos/params.pp @@ -5,13 +5,8 @@ $version = $mongodb::globals::version $package_ensure = pick($version, 'present') - if $manage_package { - $package_name = "mongodb-${mongodb::globals::edition}-mongos" - } elsif $facts['os']['family'] in ['RedHat', 'Suse'] { - $package_name = "mongodb-${mongodb::globals::edition}-mongos" - } else { - $package_name = 'mongodb-server' - } + # from versoin 4.4 on, package name is all the same in the upstream repositories + $package_name = "mongodb-${mongodb::globals::edition}-mongos" $config_content = undef $config_template = undef @@ -45,7 +40,7 @@ $pidfilepath = '/var/run/mongodb/mongos.pid' $unixsocketprefix = '/var/run/mongodb' $logpath = '/var/log/mongodb/mongos.log' - $fork = true + $fork = undef # https://github.com/voxpupuli/puppet-mongodb/issues/667 $service_template = 'mongodb/mongos/RedHat/mongos.service-dropin.epp' } } diff --git a/manifests/mongos/service.pp b/manifests/mongos/service.pp index 99d80e548..0e0e1c388 100644 --- a/manifests/mongos/service.pp +++ b/manifests/mongos/service.pp 
@@ -1,15 +1,40 @@ -# @summary PRIVATE CLASS: do not call directly +# @private +# +# @summary Manages the mongos service. # # @param package_ensure +# This setting can be used to specify if puppet should install the package or not. +# # @param service_manage +# Whether or not the MongoDB sharding service resource should be part of the catalog. +# # @param service_name +# This setting can be used to override the default Mongos service name. +# If not specified, the module will use whatever service name is the default for your OS distro. +# # @param service_enable +# This setting can be used to specify if the service should be enable at boot. +# # @param service_ensure +# This setting can be used to specify if the service should be running. +# # @param service_status +# This setting can be used to override the default status check command for your Mongos service. +# If not specified, the module will use whatever service name is the default for your OS distro. +# # @param service_provider +# This setting can be used to override the default Mongos service provider. +# If not specified, the module will use whatever service provider is the default for your OS distro. +# # @param bind_ip +# Set this option to configure the mongod or mongos process to bind to and listen for connections from applicati ons on this address. +# If not specified, the module will use the default for your OS distro. +# # @param port +# Specifies a TCP port for the server instance to listen for client connections. +# # @param service_template +# Path to the service template if the default doesn't match one needs. # class mongodb::mongos::service ( $package_ensure = $mongodb::mongos::package_ensure, diff --git a/manifests/opsmanager.pp b/manifests/opsmanager.pp index 7ac1db000..dccf8b737 100644 --- a/manifests/opsmanager.pp +++ b/manifests/opsmanager.pp 
@@ -1,42 +1,112 @@ # @summary This installs Ops Manager # +# @example To install Ops Manager and have it run with a local MongoDB application server do the following: +# class {'mongodb::opsmanager': +# opsmanager_url => 'http://opsmanager.yourdomain.com' +# mongo_uri => 'mongodb://yourmongocluster:27017, +# from_email_addr => 'opsmanager@yourdomain.com', +# reply_to_email_addr => 'replyto@yourdomain.com', +# admin_email_addr => 'admin@yourdomain.com', +# smtp_server_hostname => 'email-relay.yourdomain.com' +# } +# # @param user # The user that owns the config file # @param group # The group that owns the config file +# # @param ensure +# Used to ensure that the package is installed and the service is running, or that the package is absent/purged +# and the service is stopped. +# # @param package_name +# his setting can be used to specify the name of the package that should be installed. +# If not specified, the module will use whatever service name is the default for your OS distro. +# # @param package_ensure +# This setting can be used to specify if puppet should install the package or not. +# # @param service_enable +# This setting can be used to specify if the service should be enable at boot. +# # @param service_manage +# Whether or not the MongoDB sharding service resource should be part of the catalog. +# # @param service_name +# This setting can be used to override the default Mongos service name. +# If not specified, the module will use whatever service name is the default for your OS distro. +# # @param download_url +# This setting can be used to override the default MongoDB Ops-Manager download location. +# # @param mongo_uri +# Connection string to the mongod cluster. +# # @param opsmanager_url # The fully qualified url where opsmanager runs. Must include the port. +# # @param client_certificate_mode +# Client certificate authorization mode. 
+# # @param from_email_addr +# Email address ussed as sender +# # @param reply_to_email_addr +# Reply to email address to use +# # @param admin_email_addr +# Adminsitrator's email address +# # @param email_dao_class +# The email delivery agent class to use +# # @param mail_transport +# The email transport type to use +# # @param smtp_server_hostname +# Hostname of the email server to use. +# # @param smtp_server_port +# email port on the email server to use. +# # @param ssl +# Set to true to enable ssl. +# # @param ignore_ui_setup +# Wheter to install ui or not. +# # @param ca_file # Ca file for secure connection to backup agents. + # @param pem_key_file # Pem key file containing the cert and private key used for secure connections to backup agents. + # @param pem_key_password # The password to the pem key file. +# # @param user_svc_class +# The user svc class +# Default: com.xgen.svc.mms.svc.user.UserSvcDb +# External Source: com.xgen.svc.mms.svc.user.UserSvcCrowd +# Internal Database: com.xgen.svc.mms.svc.user.UserSvcDb +# # @param snapshot_interval +# The snapshot interval to use +# # @param snapshot_interval_retention +# The snapshot interval retention period +# # @param snapshot_daily_retention +# The dayly snapshot interval retention period +# # @param snapshot_weekly_retention +# The weekly snapshot interval retention period +# # @param snapshot_monthly_retention +# The monthly snapshot interval retention period +# # @param versions_directory +# The directory where to store the snapshot versions # class mongodb::opsmanager ( String[1] $user = 'mongodb-mms', @@ -79,7 +149,7 @@ } default: { $my_package_ensure = $package_ensure - $file_ensure = 'present' + $file_ensure = 'file' } } diff --git a/manifests/params.pp b/manifests/params.pp index f71e512d5..dc7781518 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -1,7 +1,9 @@ -# PRIVATE CLASS: do not use directly +# @summary Private class to set default values. +# +# @api private class mongodb::params inherits mongodb::globals { $ensure = true - $dbpath = '/var/lib/mongodb' + $dbpath = '/var/lib/mongo' $bind_ip = pick($mongodb::globals::bind_ip, ['127.0.0.1']) $ipv6 = undef $service_manage = pick($mongodb::globals::mongod_service_manage, true) @@ -19,13 +21,12 @@ ] $handle_creds = true $store_creds = false - $rcfile = "${facts['root_home']}/.mongorc.js" + $rcfile = "${facts['root_home']}/.mongoshrc.js" $dbpath_fix = false $manage_package = pick($mongodb::globals::manage_package, $mongodb::globals::manage_package_repo, false) $pidfilemode = pick($mongodb::globals::pidfilemode, '0644') $manage_pidfile = pick($mongodb::globals::manage_pidfile, true) - $version = $mongodb::globals::version $config_data = undef @@ -49,7 +50,7 @@ $logpath = '/var/log/mongodb/mongod.log' $pidfilepath = '/var/run/mongodb/mongod.pid' $config = '/etc/mongod.conf' - $fork = true + $fork = undef # https://github.com/voxpupuli/puppet-mongodb/issues/667 $journal = true } 'Debian': { @@ -59,7 +60,8 @@ $config = '/etc/mongod.conf' $pidfilepath = pick($mongodb::globals::pidfilepath, '/var/run/mongod.pid') } else { - $server_package_name = pick($mongodb::globals::server_package_name, 'mongodb-server') + # as of verion 5.0, we will use the upstream repo. Seems 4.4 is provided in distro repo ? + $server_package_name = pick($mongodb::globals::server_package_name, "mongodb-${mongodb::globals::edition}-server") $service_name = pick($mongodb::globals::service_name, 'mongodb') $config = '/etc/mongodb.conf' $pidfilepath = $mongodb::globals::pidfilepath diff --git a/manifests/replset.pp b/manifests/replset.pp index e95191858..0d2eca460 100644 --- a/manifests/replset.pp +++ b/manifests/replset.pp 
@@ -1,6 +1,17 @@ # @summary Wrapper class useful for hiera based deployments # +# @example hieradata +# +# mongodb::replset::sets: +# replicaset01: +# ensure: present +# members: +# - member01.example.com:27017 +# - member02.example.com:27017 +# - member03.example.com:27017 +# # @param sets +# Hash of attributes as described in the mongodb_replset custom type # class mongodb::replset ( $sets = undef diff --git a/manifests/repo.pp b/manifests/repo.pp index 4479235c8..5a2fc7919 100644 --- a/manifests/repo.pp +++ b/manifests/repo.pp @@ -1,16 +1,30 @@ -# PRIVATE CLASS: do not use directly +# @api private +# +# @summary Private clas to manage the mongodb repo +# +# @param ensure +# present or absent # -# @param ensure # @param version -# Optional repo version string. +# The version of the mongodb repo +# # @param use_enterprise_repo -# Boolean value to use enterprise repository. Defaults to false. +# Wether to use the OS or Enterprise repo +# # @param repo_location -# Optional location of the repository +# Location of the upstream repository +# # @param proxy +# Proxy hostnam +# # @param proxy_username +# Proxy user name +# # @param proxy_password +# Proxy pasword +# # @param aptkey_options +# Options for debian aptkey # class mongodb::repo ( Variant[Enum['present', 'absent'], Boolean] $ensure = 'present', @@ -27,8 +41,8 @@ if $repo_location != undef { $location = $repo_location $description = 'MongoDB Custom Repository' - } elsif $version == undef or versioncmp($version, '3.0.0') < 0 { - fail('Package repositories for versions older than 3.0 are unsupported') + } elsif $version == undef or versioncmp($version, '4.4.0') < 0 { + fail('Package repositories for versions older than 4.4 are unsupported') } else { $mongover = split($version, '[.]') if $use_enterprise_repo { 
@@ -47,8 +61,8 @@ if $repo_location { $location = $repo_location $description = 'MongoDB Custom Repository' - } elsif $version == undef or versioncmp($version, '3.2.0') < 0 { - fail('Package repositories for versions older than 3.2 are unsupported') + } elsif $version == undef or versioncmp($version, '4.4.0') < 0 { + fail('Package repositories for versions older than 4.4 are unsupported') } else { $mongover = split($version, '[.]') $location = "https://repo.mongodb.org/zypper/suse/\$releasever_major/mongodb-org/${mongover[0]}.${mongover[1]}/\$basearch/" @@ -61,8 +75,8 @@ 'Debian': { if $repo_location != undef { $location = $repo_location - } elsif $version == undef or versioncmp($version, '3.0.0') < 0 { - fail('Package repositories for versions older than 3.0 are unsupported') + } elsif $version == undef or versioncmp($version, '4.4.0') < 0 { + fail('Package repositories for versions older than 4.4 are unsupported') } else { if $use_enterprise_repo == true { $repo_domain = 'repo.mongodb.com' @@ -85,13 +99,11 @@ default => undef } $key = "${mongover[0]}.${mongover[1]}" ? { + '6.0' => '39BD841E4BE5FB195A65400E6A26B1AE64C3C388', '5.0' => 'F5679A222C647C87527C2F8CB00A0BD1E2C63C11', + '4.8' => '1283B7BB8CF331A5BE0E1E100EBB00BA3BC3DCCB', + '4.6' => '99DC630F00A2F97F27C6A02A253612A09571B484', '4.4' => '20691EEC35216C63CAF66CE1656408E390CFB1F5', - '4.2' => 'E162F504A20CDF15827F718D4B7C549A058F8B6B', - '4.0' => '9DA31620334BD75D9DCB49F368818C72E52529D4', - '3.6' => '2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5', - '3.4' => '0C49F3730359A14518585931BC711F9BA15703C6', - '3.2' => '42F3E95A2C4F08279C4960ADD68FA50FEA312927', default => '492EAFE8CD016A07919F1D2B9ECBEC467F0CEB10' } $key_server = 'hkp://keyserver.ubuntu.com:80' 
@@ -102,7 +114,7 @@ default: { if($ensure == 'present' or $ensure == true) { - fail("Unsupported managed repository for osfamily: ${facts['os']['family']}, operatingsystem: ${facts['os']['name']}, module ${module_name} currently only supports managing repos for osfamily RedHat, Suse, Debian and Ubuntu") + fail("Unsupported managed repository for osfamily: ${facts['os']['family']}, operatingsystem: ${facts['os']['name']}, module ${module_name} currently only supports managing repos for osfamily RedHat, Suse, Debian and Ubuntu") # lint:ignore:140chars } } } diff --git a/manifests/repo/zypper.pp b/manifests/repo/zypper.pp index bb463fcbc..7c7bf0f02 100644 --- a/manifests/repo/zypper.pp +++ b/manifests/repo/zypper.pp @@ -1,5 +1,3 @@ -# PRIVATE CLASS: do not use directly -# # @summary This is a repo class for zypper # # This is a private class and cannot be used from outside this module. diff --git a/manifests/server.pp b/manifests/server.pp index e64eb600a..71514289f 100644 --- a/manifests/server.pp +++ b/manifests/server.pp 
@@ -1,109 +1,451 @@ -# @summary This installs a MongoDB server. See README.md for more details. +# @summary This installs a MongoDB server. +# +# Most of the parameters manipulate the mongod.conf file. +# +# For more details about configuration parameters consult the MongoDB Configuration File Options. +# +# @example Basic usage. +# include mongodb::server +# +# @example Overrule settings +# class {'mongodb::server': +# port => 27018, +# verbose => true, +# } +# +# @param ensure +# Used to ensure that the package is installed and the service is running, or that the package is +# absent/purged and the service is stopped. +# +# @param user +# This setting can be used to override the default MongoDB user and owner of the service and related files in the file system. +# If not specified, the module will use the default for your OS distro. +# +# @param group +# This setting can be used to override the default MongoDB user group to be used for related files in the file system. +# If not specified, the module will use the default for your OS distro. +# +# @param config +# Path of the config file. If not specified, the module will use the default for your OS distro. +# +# @param dbpath +# Set this value to designate a directory for the mongod instance to store it's data. +# If not specified, the module will use the default for your OS distro. +# +# @param dbpath_fix +# Set this value to true if you want puppet to recursively manage the permissions of the files in the dbpath +# directory. If you are using the default dbpath, this should probably be false. Set this to true if you are +# using a custom dbpath. +# +# @param pidfilemode +# The file mode of the pidfilepath +# +# @param pidfilepath +# Specify a file location to hold the PID or process ID of the mongod process. +# If not specified, the module will use the default for your OS distro. +# +# @param manage_pidfile +# Should puppet create the pidfile. 
Mongod 6.2.10 will not start if pidfile exists +# +# @param rcfile +# The path to the custom mongosh rc file. +# +# @param service_manage +# Whether or not the MongoDB service resource should be part of the catalog. +# +# @param service_manage +# Whether or not the MongoDB sharding service resource should be part of the catalog. +# +# @param service_name +# This setting can be used to override the default Mongos service name. +# If not specified, the module will use whatever service name is the default for your OS distro. +# +# @param service_provider +# This setting can be used to override the default Mongos service provider. +# If not specified, the module will use whatever service provider is the default for your OS distro. +# +# @param service_status +# This setting can be used to override the default status check command for your Mongos service. +# If not specified, the module will use whatever service name is the default for your OS distro. +# +# @param service_enable +# This setting can be used to specify if the service should be enable at boot. +# +# @param service_ensure +# This setting can be used to specify if the service should be running. +# +# @param package_ensure +# This setting can be used to specify if puppet should install the package or not. +# +# @param package_name +# This setting can be used to specify the name of the package that should be installed. +# If not specified, the module will use whatever service name is the default for your OS distro. +# +# @param logpath +# Specify the path to a file name for the log file that will hold all diagnostic logging information. +# Unless specified, mongod will output all log information to the standard output. +# +# @param bind_ip +# Set this option to configure the mongod or mongos process to bind to and listen for connections from +# applications on this address. If not specified, the module will use the default for your OS distro. 
+# +# @param ipv6 +# This setting has to be true to configure MongoDB to turn on ipv6 support. If not specified and ipv6 +# address is passed to MongoDB bind_ip it will just fail. +# +# @param logappend +# Set to true to add new entries to the end of the logfile rather than overwriting the content of the log +# when the process restarts. +# +# @param system_logrotate +# Set to reopen for mongo to close a log file then reopen it so that logrotations handled outside of mongo +# perform as expected. +# +# @param fork +# Set to true to fork server process at launch time. The default setting depends on the operating system. +# +# @param port +# Specifies a TCP port for the server instance to listen for client connections. +# +# @param journal +# Set to true to enable operation journaling to ensure write durability and data consistency. +# +# @param nojournal +# Set nojournal = true to disable durability journaling. By default, mongod enables journaling in 64-bit versions after v2.0. +# Note: You must use journal to enable journaling on 32-bit systems. +# +# @param smallfiles +# Set to true to modify MongoDB to use a smaller default data file size. Specifically, smallfiles reduces +# the initial size for data files and limits them to 512 megabytes. +# +# @param cpu +# Set to true to force mongod to report every four seconds CPU utilization and the amount of time that the +# processor waits for I/O operations to complete (i.e. I/O wait.) +# +# @param auth +# et to true to enable database authentication for users connecting from remote hosts. If no users exist, +# the localhost interface will continue to have access to the database until you create the first user. +# +# @param noauth +# Disable authentication. +# +# @param verbose +# Increases the amount of internal reporting returned on standard output or in the log file generated by logpath. +# +# @param verbositylevel +# MongoDB has the following levels of verbosity: v, vv, vvv, vvvv and vvvvv. 
+# +# @param objcheck +# Forces the mongod to validate all requests from clients upon receipt to ensure that clients never insert +# invalid documents into the database. +# +# @param quota +# Set to true to enable a maximum limit for the number of data files each database can have. The default +# quota is 8 data files, when quota is true. +# +# @param quotafiles +# Modify limit on the number of data files per database. This option requires the quota setting. +# +# @param diaglog +# Creates a very verbose diagnostic log for troubleshooting and recording various errors. For more +# information please refer to MongoDB Configuration File Options. +# +# @param directoryperdb +# Set to true to modify the storage pattern of the data directory to store each database’s files in a distinct folder. +# +# @param profile +# Modify this value to changes the level of database profiling, which inserts information about operation +# performance into output of mongod or the log file if specified by logpath. +# +# @param maxconns +# Specifies a value to set the maximum number of simultaneous connections that MongoDB will accept. +# Unless set, MongoDB will not limit its own connections. +# +# @param oplog_size +# Specifies a maximum size in megabytes for the replication operation log (e.g. oplog.) mongod creates an +# oplog based on the maximum amount of space available. For 64-bit systems, the oplog is typically 5% of +# available disk space. +# +# @param nohints +# Ignore query hints. +# +# @param nohttpinterface +# Set to true to disable the HTTP interface. This command will override the rest and disable the HTTP +# interface if you specify both. +# +# @param noscripting +# Set noscripting = true to disable the scripting engine. +# +# @param notablescan +# Set notablescan = true to forbid operations that require a table scan. +# +# @param noprealloc +# Set noprealloc = true to disable the preallocation of data files. 
This will shorten the start up time in +# some cases, but can cause significant performance penalties during normal operations. +# +# @param nssize +# Use this setting to control the default size for all newly created namespace files (i.e .ns). +# +# @param mms_token +# MMS token for mms monitoring. +# +# @param mms_name +# MMS identifier for mms monitoring. +# +# @param mms_interval +# MMS interval for mms monitoring. +# +# @param replset +# Use this setting to configure replication with replica sets. Specify a replica set name as an argument to +# this set. All hosts must have the same set name. +# +# @param replset_config +# A hash that is used to configure the replica set. Mutually exclusive with replset_members param. +# class mongodb::server { +# replset => 'rsmain', +# replset_config => { 'rsmain' => { +# ensure => present, +# settings => { heartbeatTimeoutSecs => 15, getLastErrorModes => { ttmode => { dc => 1 } } }, +# members => [{'host' => 'host1:27017', 'tags':{ 'dc' : 'east'}}, { 'host' => 'host2:27017'}, 'host3:27017'] }}, +# } +# +# @param replset_members +# An array of member hosts for the replica set. Mutually exclusive with replset_config param. +# +# @param configsvr +# Use this setting to enable config server mode for mongod. +# +# @param shardsvr +# Use this setting to enable shard server mode for mongod. +# +# @param rest +# Set to true to enable a simple REST interface. +# +# @param quiet +# Runs the mongod or mongos instance in a quiet mode that attempts to limit the amount of output. +# This option suppresses : "output from database commands, including drop, dropIndexes, diagLogging, +# validate, and clean", "replication activity", "connection accepted events" and "connection closed events". +# +# For production systems this option is not recommended as it may make tracking problems during particular +# connections much more difficult. +# +# @param slowms +# Sets the threshold for mongod to consider a query “slow” for the database profiler. 
+# +# @param keyfile +# Specify the path to a key file to store authentication information. This option is only useful for the +# connection between replica set members. +# +# @param key +# Specify the key contained within the keyfile. This option is only useful for the connection between +# replica set members. +# +# @param set_parameter +# Specify extra configuration file parameters (i.e. textSearchEnabled=true). +# +# @param syslog +# Sends all logging output to the host’s syslog system rather than to standard output or a log file. +# Important: You cannot use syslog with logpath. Set logpath to false to disable it. +# +# @param config_content +# Config content if the default doesn't match one needs. +# +# @param config_template +# Path to the config template if the default doesn't match one needs. +# +# @param config_data +# A hash to allow for additional configuration options to be set in user-provided template. +# +# @param ssl +# Use SSL validation. +# Important: You need to have ssl_key set as well, and the file needs to pre-exist on node. If you wish to +# use certificate validation, ssl_ca must also be set. +# +# @param ssl_key +# Defines the path of the file that contains the TLS/SSL certificate and key. +# +# @param ssl_ca +# Defines the path of the file that contains the certificate chain for verifying client certificates. +# +# @param ssl_weak_cert +# Set to true to disable mandatory SSL client authentication. +# +# @param ssl_invalid_hostnames +# Set to true to disable fqdn SSL cert check. +# +# @param ssl_mode +# Ssl authorization mode. # # @param tls # Ensure tls is enabled. +# # @param tls_key # Defines the path of the file that contains the TLS/SSL certificate and key. +# # @param tls_ca # Defines the path of the file that contains the certificate chain for verifying client certificates. +# # @param tls_conn_without_cert # Set to true to bypass client certificate validation for clients that do not present a certificate. 
+# # @param tls_invalid_hostnames # Set to true to disable the validation of the hostnames in TLS certificates. +# # @param tls_mode # Defines if TLS is used for all network connections. Allowed values are 'requireTLS', 'preferTLS' or 'allowTLS'. +# +# @param tls_use_system_ca +# Use the system-wide CA certificate store when connecting to a TLS-enabled server. +# +# @param tls_cluster_key +# File that contains the x.509 certificate-key file for membership authentication for the cluster or replica set. +# +# @param tls_cluster_ca +# file that contains the root certificate chain from the Certificate Authority used to validate the certificate +# presented by a client establishing a connection. +# +# @param tls_invalid_certificates +# Enable or disable the validation checks for TLS/SSL certificates on other servers in the cluster and allows +# the use of invalid certificates. +# # @param admin_password_hash # Hashed password. Hex encoded md5 hash of mongodb password. # +# @param restart +# Specifies whether the service should be restarted on config changes. +# +# @param storage_engine +# Only needed for MongoDB 3.x versions, where it's possible to select the 'wiredTiger' engine in addition to +# the default 'mmapv1' engine. If not set, the config is left out and mongo will default to 'mmapv1'. +# +# @param create_admin +# Allows to create admin user for admin database. +# +# @param admin_username +# Administrator user name +# +# @param admin_password +# Administrator user password +# +# @param admin_auth_mechanism +# Administrator authentication mechanism. scram_sha_256 password synchronization verification is not supported. +# +# @param supported_auth_mechanisms +# Set the supported authentication mechanisms that the mmongoserver will support. Is set, make sure the +# $admin_auth_mechanism is also included. +# +# @param admin_tls_key +# Filepath of the administrators x509 certificate. Its the user of this class that needs to manage this certificate. 
+# @param admin_update_password +# Update password. Used with SCRAM-SHA-256 because password verification is not supported. +# +# @param admin_roles +# Administrator user roles +# +# @param handle_creds +# Set this to false to avoid having puppet handle .mongoshrc.js in case you wish to deliver it by other +# means. This is needed for facts and providers to work if you have auth set to true. +# +# @param store_creds +# Store admin credentials in mongoshrc.js file. Uses with create_admin parameter +# class mongodb::server ( - Variant[Boolean, String] $ensure = $mongodb::params::ensure, - String $user = $mongodb::params::user, - String $group = $mongodb::params::group, - Stdlib::Absolutepath $config = $mongodb::params::config, - Stdlib::Absolutepath $dbpath = $mongodb::params::dbpath, - Boolean $dbpath_fix = $mongodb::params::dbpath_fix, - Optional[Stdlib::Absolutepath] $pidfilepath = $mongodb::params::pidfilepath, - String $pidfilemode = $mongodb::params::pidfilemode, - Boolean $manage_pidfile = $mongodb::params::manage_pidfile, - String $rcfile = $mongodb::params::rcfile, - Boolean $service_manage = $mongodb::params::service_manage, - Optional[String] $service_provider = $mongodb::params::service_provider, - Optional[String] $service_name = $mongodb::params::service_name, - Boolean $service_enable = $mongodb::params::service_enable, - Enum['stopped', 'running'] $service_ensure = $mongodb::params::service_ensure, - Optional[Enum['stopped', 'running']] $service_status = $mongodb::params::service_status, - Variant[Boolean, String] $package_ensure = $mongodb::params::package_ensure, - String $package_name = $mongodb::params::server_package_name, - Variant[Boolean, Stdlib::Absolutepath] $logpath = $mongodb::params::logpath, - Array[Stdlib::IP::Address] $bind_ip = $mongodb::params::bind_ip, - Optional[Boolean] $ipv6 = undef, - Boolean $logappend = true, - Optional[String] $system_logrotate = undef, - Optional[Boolean] $fork = $mongodb::params::fork, - Optional[Integer[1, 
65535]] $port = undef, - Optional[Boolean] $journal = $mongodb::params::journal, - Optional[Boolean] $nojournal = undef, - Optional[Boolean] $smallfiles = undef, - Optional[Boolean] $cpu = undef, - Boolean $auth = false, - Optional[Boolean] $noauth = undef, - Optional[Boolean] $verbose = undef, - Optional[String] $verbositylevel = undef, - Optional[Boolean] $objcheck = undef, - Optional[Boolean] $quota = undef, - Optional[Integer] $quotafiles = undef, - Optional[Integer[0, 7]] $diaglog = undef, - Optional[Boolean] $directoryperdb = undef, - $profile = undef, - Optional[Integer] $maxconns = undef, - Optional[Integer] $oplog_size = undef, - $nohints = undef, - Optional[Boolean] $nohttpinterface = undef, - Optional[Boolean] $noscripting = undef, - Optional[Boolean] $notablescan = undef, - Optional[Boolean] $noprealloc = undef, - Optional[Integer] $nssize = undef, - $mms_token = undef, - $mms_name = undef, - $mms_interval = undef, - Optional[String] $replset = undef, - Optional[Hash] $replset_config = undef, - Optional[Array] $replset_members = undef, - Optional[Boolean] $configsvr = undef, - Optional[Boolean] $shardsvr = undef, - Optional[Boolean] $rest = undef, - Optional[Boolean] $quiet = undef, - Optional[Integer] $slowms = undef, - Optional[Stdlib::Absolutepath] $keyfile = undef, - Optional[Variant[String[6], Sensitive[String[6]]]] $key = undef, - Optional[Variant[String[1], Array[String[1]]]] $set_parameter = undef, - Optional[Boolean] $syslog = undef, - $config_content = undef, - Optional[String] $config_template = undef, - Optional[Hash] $config_data = undef, - Optional[Boolean] $ssl = undef, - Optional[Stdlib::Absolutepath] $ssl_key = undef, - Optional[Stdlib::Absolutepath] $ssl_ca = undef, - Boolean $ssl_weak_cert = false, - Boolean $ssl_invalid_hostnames = false, - Enum['requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'requireSSL', - Boolean $tls = false, - Optional[Stdlib::Absolutepath] $tls_key = undef, - Optional[Stdlib::Absolutepath] $tls_ca = undef, - 
Boolean $tls_conn_without_cert = false, - Boolean $tls_invalid_hostnames = false, - Enum['requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS', - Boolean $restart = $mongodb::params::restart, - Optional[String] $storage_engine = undef, - Boolean $create_admin = $mongodb::params::create_admin, - String $admin_username = $mongodb::params::admin_username, - Optional[Variant[String, Sensitive[String]]] $admin_password = undef, + Variant[Boolean, String] $ensure = $mongodb::params::ensure, + String $user = $mongodb::params::user, + String $group = $mongodb::params::group, + Stdlib::Absolutepath $config = $mongodb::params::config, + Stdlib::Absolutepath $dbpath = $mongodb::params::dbpath, + Boolean $dbpath_fix = $mongodb::params::dbpath_fix, + Optional[Stdlib::Absolutepath] $pidfilepath = $mongodb::params::pidfilepath, + String $pidfilemode = $mongodb::params::pidfilemode, + Boolean $manage_pidfile = $mongodb::params::manage_pidfile, + String $rcfile = $mongodb::params::rcfile, + Boolean $service_manage = $mongodb::params::service_manage, + Optional[String] $service_provider = $mongodb::params::service_provider, + Optional[String] $service_name = $mongodb::params::service_name, + Boolean $service_enable = $mongodb::params::service_enable, + Enum['stopped', 'running'] $service_ensure = $mongodb::params::service_ensure, + Optional[Enum['stopped', 'running']] $service_status = $mongodb::params::service_status, + Variant[Boolean, String] $package_ensure = $mongodb::params::package_ensure, + String $package_name = $mongodb::params::server_package_name, + Variant[Boolean, Stdlib::Absolutepath] $logpath = $mongodb::params::logpath, + Array[Stdlib::IP::Address] $bind_ip = $mongodb::params::bind_ip, + Optional[Boolean] $ipv6 = undef, + Boolean $logappend = true, + Optional[String] $system_logrotate = undef, + Optional[Boolean] $fork = $mongodb::params::fork, + Optional[Integer[1, 65535]] $port = undef, + Optional[Boolean] $journal = $mongodb::params::journal, + 
Optional[Boolean] $nojournal = undef, + Optional[Boolean] $smallfiles = undef, + Optional[Boolean] $cpu = undef, + Boolean $auth = false, + Optional[Boolean] $noauth = undef, + Optional[Boolean] $verbose = undef, + Optional[String] $verbositylevel = undef, + Optional[Boolean] $objcheck = undef, + Optional[Boolean] $quota = undef, + Optional[Integer] $quotafiles = undef, + Optional[Integer[0, 7]] $diaglog = undef, + Optional[Boolean] $directoryperdb = undef, + $profile = undef, + Optional[Integer] $maxconns = undef, + Optional[Integer] $oplog_size = undef, + $nohints = undef, + Optional[Boolean] $nohttpinterface = undef, + Optional[Boolean] $noscripting = undef, + Optional[Boolean] $notablescan = undef, + Optional[Boolean] $noprealloc = undef, + Optional[Integer] $nssize = undef, + $mms_token = undef, + $mms_name = undef, + $mms_interval = undef, + Optional[String] $replset = undef, + Optional[Hash] $replset_config = undef, + Optional[Array] $replset_members = undef, + Optional[Boolean] $configsvr = undef, + Optional[Boolean] $shardsvr = undef, + Optional[Boolean] $rest = undef, + Optional[Boolean] $quiet = undef, + Optional[Integer] $slowms = undef, + Optional[Stdlib::Absolutepath] $keyfile = undef, + Optional[Variant[String[6], Sensitive[String[6]]]] $key = undef, + Optional[Variant[String[1], Array[String[1]]]] $set_parameter = undef, + Optional[Boolean] $syslog = undef, + $config_content = undef, + Optional[String] $config_template = undef, + Optional[Hash] $config_data = undef, + Boolean $ssl = false, + Optional[Stdlib::Absolutepath] $ssl_key = undef, + Optional[Stdlib::Absolutepath] $ssl_ca = undef, + Boolean $ssl_weak_cert = false, + Boolean $ssl_invalid_hostnames = false, + Enum['disabled', 'requireSSL', 'preferSSL', 'allowSSL'] $ssl_mode = 'disabled', + Boolean $tls = true, + Enum['disabled', 'requireTLS', 'preferTLS', 'allowTLS'] $tls_mode = 'requireTLS', + # cluster tls settings + Optional[Boolean] $tls_use_system_ca = undef, + 
Optional[Stdlib::Absolutepath] $tls_cluster_key = undef, + Optional[Stdlib::Absolutepath] $tls_cluster_ca = undef, + #client tls settings + Optional[Stdlib::Absolutepath] $tls_key = undef, + Optional[Stdlib::Absolutepath] $tls_ca = undef, + Boolean $tls_conn_without_cert = false, + Boolean $tls_invalid_hostnames = false, + Boolean $tls_invalid_certificates = false, + Boolean $restart = $mongodb::params::restart, + Optional[String] $storage_engine = undef, + Boolean $create_admin = $mongodb::params::create_admin, + String $admin_username = $mongodb::params::admin_username, + Optional[Variant[String, Sensitive[String]]] $admin_password = undef, Optional[Variant[String[1], Sensitive[String[1]]]] $admin_password_hash = undef, - Enum['scram_sha_1', 'scram_sha_256'] $admin_auth_mechanism = $mongodb::params::admin_auth_mechanism, - Boolean $admin_update_password = false, - Boolean $handle_creds = $mongodb::params::handle_creds, - Boolean $store_creds = $mongodb::params::store_creds, - Array $admin_roles = $mongodb::params::admin_roles, + Enum['scram_sha_1', 'scram_sha_256', 'x509'] $admin_auth_mechanism = $mongodb::params::admin_auth_mechanism, + Optional[Array[Enum['scram_sha_1', 'scram_sha_256', 'x509']]] $supported_auth_mechanisms = undef, + Optional[Stdlib::Absolutepath] $admin_tls_key = undef, + Boolean $admin_update_password = false, + Boolean $handle_creds = $mongodb::params::handle_creds, + Boolean $store_creds = $mongodb::params::store_creds, + Array $admin_roles = $mongodb::params::admin_roles, ) inherits mongodb::params { contain mongodb::server::install contain mongodb::server::config 
@@ -128,6 +470,13 @@ } else { $admin_password } + + # Using x509, we need the admin client certificate in the parameter --tlsCertificateKeyFile + # there is no way where we can set this in neither the /etc/momgosh.yaml or the /etc/mongod.conf + # The mongodb provider reads in /etc/mongod.conf setParameters.authenticationMechanisms: MONGODB-X509 settings + # to determine that a client cert authentication is used. There is no setting to set the client cert to be used. + # so we store it in a file in roots home directory. (this is done in mongodb::server::config) + if $create_admin and ($service_ensure == 'running' or $service_ensure == true) { mongodb::db { 'admin': user => $admin_username, diff --git a/manifests/server/config.pp b/manifests/server/config.pp index 4514fbc4c..26085dbca 100644 --- a/manifests/server/config.pp +++ b/manifests/server/config.pp 
@@ -1,78 +1,81 @@ # PRIVATE CLASS: do not call directly class mongodb::server::config { - $ensure = $mongodb::server::ensure - $user = $mongodb::server::user - $group = $mongodb::server::group - $config = $mongodb::server::config - $config_content = $mongodb::server::config_content - $config_template = $mongodb::server::config_template - $config_data = $mongodb::server::config_data - $dbpath = $mongodb::server::dbpath - $dbpath_fix = $mongodb::server::dbpath_fix - $pidfilepath = $mongodb::server::pidfilepath - $pidfilemode = $mongodb::server::pidfilemode - $manage_pidfile = $mongodb::server::manage_pidfile - $logpath = $mongodb::server::logpath - $logappend = $mongodb::server::logappend - $system_logrotate = $mongodb::server::system_logrotate - $fork = $mongodb::server::fork - $port = $mongodb::server::port - $journal = $mongodb::server::journal - $nojournal = $mongodb::server::nojournal - $smallfiles = $mongodb::server::smallfiles - $cpu = $mongodb::server::cpu - $auth = $mongodb::server::auth - $noath = $mongodb::server::noauth - $create_admin = $mongodb::server::create_admin - $admin_username = $mongodb::server::admin_username - $admin_password = $mongodb::server::admin_password - $handle_creds = $mongodb::server::handle_creds - $store_creds = $mongodb::server::store_creds - $rcfile = $mongodb::server::rcfile - $verbose = $mongodb::server::verbose - $verbositylevel = $mongodb::server::verbositylevel - $objcheck = $mongodb::server::objcheck - $quota = $mongodb::server::quota - $quotafiles = $mongodb::server::quotafiles - $diaglog = $mongodb::server::diaglog - $oplog_size = $mongodb::server::oplog_size - $nohints = $mongodb::server::nohints - $nohttpinterface = $mongodb::server::nohttpinterface - $noscripting = $mongodb::server::noscripting - $notablescan = $mongodb::server::notablescan - $noprealloc = $mongodb::server::noprealloc - $nssize = $mongodb::server::nssize - $mms_token = $mongodb::server::mms_token - $mms_name = $mongodb::server::mms_name - 
$mms_interval = $mongodb::server::mms_interval - $configsvr = $mongodb::server::configsvr - $shardsvr = $mongodb::server::shardsvr - $replset = $mongodb::server::replset - $rest = $mongodb::server::rest - $quiet = $mongodb::server::quiet - $slowms = $mongodb::server::slowms - $keyfile = $mongodb::server::keyfile - $key = $mongodb::server::key - $ipv6 = $mongodb::server::ipv6 - $bind_ip = $mongodb::server::bind_ip - $directoryperdb = $mongodb::server::directoryperdb - $profile = $mongodb::server::profile - $maxconns = $mongodb::server::maxconns - $set_parameter = $mongodb::server::set_parameter - $syslog = $mongodb::server::syslog - $ssl = $mongodb::server::ssl - $ssl_key = $mongodb::server::ssl_key - $ssl_ca = $mongodb::server::ssl_ca - $ssl_weak_cert = $mongodb::server::ssl_weak_cert + $ensure = $mongodb::server::ensure + $user = $mongodb::server::user + $group = $mongodb::server::group + $config = $mongodb::server::config + $config_content = $mongodb::server::config_content + $config_template = $mongodb::server::config_template + $config_data = $mongodb::server::config_data + $dbpath = $mongodb::server::dbpath + $dbpath_fix = $mongodb::server::dbpath_fix + $pidfilepath = $mongodb::server::pidfilepath + $pidfilemode = $mongodb::server::pidfilemode + $manage_pidfile = $mongodb::server::manage_pidfile + $logpath = $mongodb::server::logpath + $logappend = $mongodb::server::logappend + $system_logrotate = $mongodb::server::system_logrotate + $fork = $mongodb::server::fork + $port = $mongodb::server::port + $journal = $mongodb::server::journal + $nojournal = $mongodb::server::nojournal + $smallfiles = $mongodb::server::smallfiles + $cpu = $mongodb::server::cpu + $auth = $mongodb::server::auth + $noath = $mongodb::server::noauth + $create_admin = $mongodb::server::create_admin + $admin_username = $mongodb::server::admin_username + $admin_password = $mongodb::server::admin_password + $admin_auth_mechanism = $mongodb::server::admin_auth_mechanism + 
$supported_auth_mechanisms = $mongodb::server::supported_auth_mechanisms + $admin_tls_key = $mongodb::server::admin_tls_key + $handle_creds = $mongodb::server::handle_creds + $store_creds = $mongodb::server::store_creds + $rcfile = $mongodb::server::rcfile + $verbose = $mongodb::server::verbose + $verbositylevel = $mongodb::server::verbositylevel + $objcheck = $mongodb::server::objcheck + $quota = $mongodb::server::quota + $quotafiles = $mongodb::server::quotafiles + $diaglog = $mongodb::server::diaglog + $oplog_size = $mongodb::server::oplog_size + $nohints = $mongodb::server::nohints + $nohttpinterface = $mongodb::server::nohttpinterface + $noscripting = $mongodb::server::noscripting + $notablescan = $mongodb::server::notablescan + $noprealloc = $mongodb::server::noprealloc + $nssize = $mongodb::server::nssize + $mms_token = $mongodb::server::mms_token + $mms_name = $mongodb::server::mms_name + $mms_interval = $mongodb::server::mms_interval + $configsvr = $mongodb::server::configsvr + $shardsvr = $mongodb::server::shardsvr + $replset = $mongodb::server::replset + $rest = $mongodb::server::rest + $quiet = $mongodb::server::quiet + $slowms = $mongodb::server::slowms + $keyfile = $mongodb::server::keyfile + $key = $mongodb::server::key + $ipv6 = $mongodb::server::ipv6 + $bind_ip = $mongodb::server::bind_ip + $directoryperdb = $mongodb::server::directoryperdb + $profile = $mongodb::server::profile + $maxconns = $mongodb::server::maxconns + $set_parameter = $mongodb::server::set_parameter + $syslog = $mongodb::server::syslog + $ssl = $mongodb::server::ssl + $ssl_key = $mongodb::server::ssl_key + $ssl_ca = $mongodb::server::ssl_ca + $ssl_weak_cert = $mongodb::server::ssl_weak_cert $ssl_invalid_hostnames = $mongodb::server::ssl_invalid_hostnames - $ssl_mode = $mongodb::server::ssl_mode - $tls = $mongodb::server::tls - $tls_key = $mongodb::server::tls_key - $tls_ca = $mongodb::server::tls_ca + $ssl_mode = $mongodb::server::ssl_mode + $tls = $mongodb::server::tls + 
$tls_key = $mongodb::server::tls_key + $tls_ca = $mongodb::server::tls_ca $tls_conn_without_cert = $mongodb::server::tls_conn_without_cert $tls_invalid_hostnames = $mongodb::server::tls_invalid_hostnames - $tls_mode = $mongodb::server::tls_mode - $storage_engine = $mongodb::server::storage_engine + $tls_mode = $mongodb::server::tls_mode + $storage_engine = $mongodb::server::storage_engine File { owner => $user, @@ -116,7 +119,7 @@ } else { # Template has available user-supplied data # - $config_data - $cfg_content = template('mongodb/mongodb.conf.2.6.erb') + $cfg_content = template('mongodb/mongodb.conf.erb') } file { $config: @@ -126,6 +129,22 @@ mode => '0644', } + # TODO: we kind of use this file to force x509 authentication in the providers when it exsists + # Open for suggestions how to deal with this + if $admin_auth_mechanism == 'x509' and $handle_creds { + $_ensure = 'file' + } else { + $_ensure = 'absent' + } + + file { '/root/.mongosh.yaml': + ensure => $_ensure, + owner => 'root', + group => 'root', + mode => '0600', + content => "---admin:\n name:${admin_username}\n auth_mechanism: ${admin_auth_mechanism}\n tlsCertificateKeyFile: ${admin_tls_key}\n", + } + file { $dbpath: ensure => directory, mode => '0750', @@ -176,7 +195,7 @@ if $handle_creds { file { $rcfile: ensure => file, - content => template('mongodb/mongorc.js.erb'), + content => template('mongodb/mongoshrc.js.erb'), owner => 'root', group => 'root', mode => '0600', diff --git a/manifests/server/install.pp b/manifests/server/install.pp index b40502ada..2214c31ec 100644 --- a/manifests/server/install.pp +++ b/manifests/server/install.pp @@ -33,4 +33,6 @@ tag => 'mongodb_package', } } + + include mongodb::client } diff --git a/manifests/shardsvr.pp b/manifests/shardsvr.pp index 486fe5fc7..df8940802 100644 --- a/manifests/shardsvr.pp +++ b/manifests/shardsvr.pp 
@@ -1,6 +1,17 @@ # @summary Wrapper class useful for hiera based deployments # +# @example hieradata +# mongodb::shardsvr::shards: +# shard01: +# keys: +# - {x: 1} +# members: +# - shardhost01.exmaple.com:30000 +# - shardhost02.exmaple.com:30000 +# - shardhost03.exmaple.com:30000 +# # @param shards +# Hash of attributes as described in the mongodb_shardsvr custom type # class mongodb::shardsvr ( $shards = undef diff --git a/metadata.json b/metadata.json index a55f34340..5835e3311 100644 --- a/metadata.json +++ b/metadata.json @@ -2,7 +2,7 @@ "name": "puppet-mongodb", "version": "4.2.1-rc0", "author": "Vox Pupuli", - "summary": "Installs MongoDB on RHEL/Ubuntu/Debian.", + "summary": "Installs MongoDB on RHEL/Ubuntu/Debian/Sles.", "license": "Apache-2.0", "source": "https://github.com/voxpupuli/puppet-mongodb", "project_page": "https://github.com/voxpupuli/puppet-mongodb", @@ -11,26 +11,31 @@ { "operatingsystem": "RedHat", "operatingsystemrelease": [ - "7" + "7", + "8", + "9" ] }, { "operatingsystem": "CentOS", "operatingsystemrelease": [ - "7" + "7", + "8" ] }, { "operatingsystem": "Debian", "operatingsystemrelease": [ - "10" + "10", + "11", + "12" ] }, { "operatingsystem": "Ubuntu", "operatingsystemrelease": [ - "18.04", - "20.04" + "22.04", + "23.04" ] }, { diff --git a/spec/acceptance/database_spec.rb b/spec/acceptance/database_spec.rb index 100c21892..35a8e5525 100644 --- a/spec/acceptance/database_spec.rb +++ b/spec/acceptance/database_spec.rb @@ -8,7 +8,6 @@ it 'compiles with no errors' do pp = <<-EOS class { 'mongodb::server': } - -> class { 'mongodb::client': } -> mongodb::db { 'testdb1': user => 'testuser', password => 'testpass', 
@@ -23,8 +22,8 @@ class { 'mongodb::server': } end it 'creates the databases' do - shell("mongo testdb1 --eval 'printjson(db.getMongo().getDBs())'") - shell("mongo testdb2 --eval 'printjson(db.getMongo().getDBs())'") + shell("mongosh testdb1 --eval 'EJSON.stringify(db.getMongo().getDBs())'") + shell("mongosh testdb2 --eval 'EJSON.stringify(db.getMongo().getDBs())'") end end @@ -34,7 +33,6 @@ class { 'mongodb::server': } class { 'mongodb::server': port => 27018, } - -> class { 'mongodb::client': } -> mongodb::db { 'testdb1': user => 'testuser', password => 'testpass', @@ -50,8 +48,8 @@ class { 'mongodb::server': end it 'creates the database' do - shell("mongo testdb1 --port 27018 --eval 'printjson(db.getMongo().getDBs())'") - shell("mongo testdb2 --port 27018 --eval 'printjson(db.getMongo().getDBs())'") + shell("mongosh testdb1 --port 27018 --eval 'EJSON.stringify(db.getMongo().getDBs())'") + shell("mongosh testdb2 --port 27018 --eval 'EJSON.stringify(db.getMongo().getDBs())'") end end end diff --git a/spec/acceptance/mongos_spec.rb b/spec/acceptance/mongos_spec.rb index eefcafd83..7a498c044 100644 --- a/spec/acceptance/mongos_spec.rb +++ b/spec/acceptance/mongos_spec.rb @@ -3,18 +3,13 @@ require 'spec_helper_acceptance' describe 'mongodb::mongos class' do - case fact('osfamily') - when 'Debian' - package_name = if fact('os.distro.codename') =~ %r{^(buster|bullseye)$} - 'mongodb-org-server' - else - 'mongodb-server' - end - config_file = '/etc/mongodb-shard.conf' - else - package_name = 'mongodb-org-server' - config_file = '/etc/mongos.conf' - end + package_name = 'mongodb-org-server' + config_file = case fact('osfamily') + when 'Debian' + '/etc/mongodb-shard.conf' + else + '/etc/mongos.conf' + end describe 'installation' do it 'works with no errors' do @@ -25,7 +20,6 @@ class { 'mongodb::server': replset_members => ['127.0.0.1:27019'], port => 27019, } - -> class { 'mongodb::client': } -> class { 'mongodb::mongos': configdb => ['test/127.0.0.1:27019'], } 
@@ -56,7 +50,7 @@ class { 'mongodb::server': it { is_expected.to be_listening } end - describe command('mongo --version') do + describe command('mongod --version') do its(:exit_status) { is_expected.to eq 0 } end end @@ -73,9 +67,6 @@ class { 'mongodb::mongos': service_ensure => stopped, service_enable => false } - -> class { 'mongodb::client': - ensure => absent, - } EOS apply_manifest(pp, catch_failures: true) apply_manifest(pp, catch_changes: true) diff --git a/spec/acceptance/replset_spec.rb b/spec/acceptance/replset_spec.rb index 97f9c9bc9..f532b931f 100644 --- a/spec/acceptance/replset_spec.rb +++ b/spec/acceptance/replset_spec.rb @@ -6,7 +6,7 @@ describe 'mongodb_replset resource' do after :all do # Have to drop the DB to disable replsets for further testing - on hosts, %{mongo local --verbose --eval 'db.dropDatabase()'} + on hosts, %{mongosh local --verbose --eval 'db.dropDatabase()'} pp = <<-EOS class { 'mongodb::globals': } @@ -15,11 +15,6 @@ class { 'mongodb::globals': } package_ensure => absent, service_ensure => stopped } - if $::osfamily == 'RedHat' { - class { 'mongodb::client': - ensure => absent - } - } EOS apply_manifest_on(hosts.reverse, pp, catch_failures: true) @@ -32,9 +27,6 @@ class { 'mongodb::globals': } bind_ip => '0.0.0.0', replset => 'test', } - if $::osfamily == 'RedHat' { - class { 'mongodb::client': } - } EOS apply_manifest_on(hosts.reverse, pp, catch_failures: true) @@ -48,7 +40,7 @@ class { 'mongodb::client': } } EOS apply_manifest_on(hosts_as('master'), pp, catch_failures: true) - on(hosts_as('master'), 'mongo --quiet --eval "printjson(rs.conf())"') do |r| + on(hosts_as('master'), 'mongosh --quiet --eval "EJSON.stringify(rs.conf())"') do |r| expect(r.stdout).to match %r{#{hosts[0]}:27017} expect(r.stdout).to match %r{#{hosts[1]}:27017} end 
@@ -56,18 +48,18 @@ class { 'mongodb::client': } it 'inserts data on the master' do sleep(30) - on hosts_as('master'), %{mongo --verbose --eval 'db.test.save({name:"test1",value:"some value"})'} + on hosts_as('master'), %{mongosh --verbose --eval 'db.test.save({name:"test1",value:"some value"})'} end it 'checks the data on the master' do - on hosts_as('master'), %{mongo --verbose --eval 'printjson(db.test.findOne({name:"test1"}))'} do |r| + on hosts_as('master'), %{mongosh --verbose --eval 'EJSON.stringify(db.test.findOne({name:"test1"}))'} do |r| expect(r.stdout).to match %r{some value} end end it 'checks the data on the slave' do sleep(10) - on hosts_as('slave'), %{mongo --verbose --eval 'try { rs.secondaryOk() } catch (err) { rs.slaveOk() }; printjson(db.test.findOne({name:"test1"}))'} do |r| + on hosts_as('slave'), %{mongosh --verbose --eval 'db.getMongo().setReadPref("primaryPreferred"); EJSON.stringify(db.test.findOne({name:"test1"}))'} do |r| expect(r.stdout).to match %r{some value} end end @@ -76,7 +68,7 @@ class { 'mongodb::client': } describe 'mongodb_replset resource with auth => true' do after :all do # Have to drop the DB to disable replsets for further testing - on hosts, %{mongo local --verbose --eval 'db.dropDatabase()'} + on hosts, %{mongosh local --verbose --eval 'db.dropDatabase()'} pp = <<-EOS class { 'mongodb::globals': } @@ -85,11 +77,6 @@ class { 'mongodb::globals': } package_ensure => absent, service_ensure => stopped } - if $::osfamily == 'RedHat' { - class { 'mongodb::client': - ensure => absent - } - } EOS apply_manifest_on(hosts.reverse, pp, catch_failures: true) @@ -126,9 +113,6 @@ class { 'mongodb::server': YXIsJ0gYcu9XG3mx10LbdPJvxSMg' } - if $::osfamily == 'RedHat' { - include mongodb::client - } EOS apply_manifest_on(hosts.reverse, pp, catch_failures: true) 
@@ -166,9 +150,6 @@ class { 'mongodb::server': nc1ohyB0lNt8lHf1U00mtgDSV3fwo5LkwhRi6d+bDBTL/C6MZETMLdyCqDlTdUWG YXIsJ0gYcu9XG3mx10LbdPJvxSMg' } - if $::osfamily == 'RedHat' { - include mongodb::client - } mongodb_replset { 'test': auth_enabled => true, members => [#{hosts.map { |x| "'#{x}:27017'" }.join(',')}], @@ -177,7 +158,7 @@ class { 'mongodb::server': EOS apply_manifest_on(hosts_as('master'), pp, catch_failures: true) apply_manifest_on(hosts_as('master'), pp, catch_changes: true) - on(hosts_as('master'), 'mongo --quiet --eval "load(\'/root/.mongorc.js\');printjson(rs.conf())"') do |r| + on(hosts_as('master'), 'mongosh --quiet --eval "load(\'/root/.mongoshrc.js\');EJSON.stringify(rs.conf())"') do |r| expect(r.stdout).to match %r{#{hosts[0]}:27017} expect(r.stdout).to match %r{#{hosts[1]}:27017} end @@ -185,18 +166,18 @@ class { 'mongodb::server': it 'inserts data on the master' do sleep(30) - on hosts_as('master'), %{mongo test --verbose --eval 'load("/root/.mongorc.js");db.dummyData.insert({"created_by_puppet": 1})'} + on hosts_as('master'), %{mongosh test --verbose --eval 'load("/root/.mongoshrc.js");db.dummyData.insert({"created_by_puppet": 1})'} end it 'checks the data on the master' do - on hosts_as('master'), %{mongo test --verbose --eval 'load("/root/.mongorc.js");printjson(db.dummyData.findOne())'} do |r| + on hosts_as('master'), %{mongosh test --verbose --eval 'load("/root/.mongoshrc.js");EJSON.stringify(db.dummyData.findOne())'} do |r| expect(r.stdout).to match %r{created_by_puppet} end end it 'checks the data on the slave' do sleep(10) - on hosts_as('slave'), %{mongo test --verbose --eval 'load("/root/.mongorc.js");try { rs.secondaryOk() } catch (err) { rs.slaveOk() };printjson(db.dummyData.findOne())'} do |r| + on hosts_as('slave'), %{mongosh test --verbose --eval 'load("/root/.mongoshrc.js");db.getMongo().setReadPref("primaryPreferred");EJSON.stringify(db.dummyData.findOne())'} do |r| expect(r.stdout).to match %r{created_by_puppet} end end 
diff --git a/spec/acceptance/server_spec.rb b/spec/acceptance/server_spec.rb index 560282853..7526bb3fa 100644 --- a/spec/acceptance/server_spec.rb +++ b/spec/acceptance/server_spec.rb @@ -15,22 +15,16 @@ else 'mongodb' end - package_name = if fact('os.distro.codename') =~ %r{^(buster)$} - 'mongodb-org-server' - else - 'mongodb-server' - end else config_file = '/etc/mongod.conf' service_name = 'mongod' - package_name = 'mongodb-org-server' end + package_name = 'mongodb-org-server' describe 'installation' do it 'works with no errors' do pp = <<-EOS class { 'mongodb::server': } - -> class { 'mongodb::client': } EOS apply_manifest(pp, catch_failures: true) @@ -54,7 +48,7 @@ class { 'mongodb::server': } it { is_expected.to be_listening } end - describe command('mongo --version') do + describe command('mongod --version') do its(:exit_status) { is_expected.to eq 0 } end end @@ -65,7 +59,6 @@ class { 'mongodb::server': } class { 'mongodb::server': port => 27018, } - -> class { 'mongodb::client': } EOS apply_manifest(pp, catch_failures: true) @@ -107,7 +100,6 @@ class { 'mongodb::server': restart => true, set_parameter => ['enableLocalhostAuthBypass: true'] } - class { 'mongodb::client': } mongodb_user { "User admin on db admin": ensure => present, @@ -139,11 +131,11 @@ class { 'mongodb::client': } it { is_expected.to be_listening } end - describe command('mongo --quiet --eval "db.serverCmdLineOpts().code"') do + describe command('mongosh --quiet --eval "db.serverCmdLineOpts().code"') do its(:stdout) { is_expected.to match '13' } end - describe file('/root/.mongorc.js') do + describe file('/root/.mongoshrc.js') do it { is_expected.to be_file } it { is_expected.to be_owned_by 'root' } it { is_expected.to be_grouped_into 'root' } 
@@ -151,12 +143,12 @@ class { 'mongodb::client': } it { is_expected.to contain 'db.auth(\'admin\', \'password\')' } end - describe command("mongo admin --quiet --eval \"load('/root/.mongorc.js');printjson(db.getUser('admin')['customData'])\"") do + describe command("mongosh admin --quiet --eval \"load('/root/.mongoshrc.js');EJSON.stringify(db.getUser('admin')['customData'])\"") do its(:exit_status) { is_expected.to eq 0 } - its(:stdout) { is_expected.to match "{ \"createdBy\" : \"Puppet Mongodb_user['User admin on db admin']\" }\n" } + its(:stdout) { is_expected.to match "{\"createdBy\":\"Puppet Mongodb_user['User admin on db admin']\"}\n" } end - describe command('mongo --version') do + describe command('mongod --version') do its(:exit_status) { is_expected.to eq 0 } end end @@ -170,7 +162,6 @@ class { 'mongodb::server': service_ensure => stopped, service_enable => false } - -> class { 'mongodb::client': ensure => absent, } EOS apply_manifest(pp, catch_failures: true) apply_manifest(pp, catch_changes: true) diff --git a/spec/acceptance/sharding_spec.rb b/spec/acceptance/sharding_spec.rb index d659c1eb6..2a4770d93 100644 --- a/spec/acceptance/sharding_spec.rb +++ b/spec/acceptance/sharding_spec.rb @@ -15,9 +15,6 @@ class { 'mongodb::globals': } mongodb_replset { 'foo' : members => ["shard:27018"], } - if $::osfamily == 'RedHat' { - class { 'mongodb::client': } - } EOS apply_manifest_on(hosts_as('shard'), pp, catch_failures: true) @@ -40,13 +37,10 @@ class { 'mongodb::mongos' : member => 'foo/shard:27018', keys => [{'foo.toto' => {'name' => 1}}] } - if $::osfamily == 'RedHat' { - class { 'mongodb::client': } - } EOS apply_manifest_on(hosts_as('router'), pp, catch_failures: true) - on(hosts_as('router'), 'mongo --quiet --eval "printjson(sh.status())"') do |r| + on(hosts_as('router'), 'mongosh --quiet --eval "EJSON.stringify(sh.status())"') do |r| expect(r.stdout).to match %r{foo/shard:27018} expect(r.stdout).to match %r{foo\.toto} end 
diff --git a/spec/acceptance/user_spec.rb b/spec/acceptance/user_spec.rb index ee119561f..5e7673640 100644 --- a/spec/acceptance/user_spec.rb +++ b/spec/acceptance/user_spec.rb @@ -7,7 +7,6 @@ it 'compiles with no errors' do pp = <<-EOS class { 'mongodb::server': } - -> class { 'mongodb::client': } -> mongodb_database { 'testdb': ensure => present } -> mongodb_user {'testuser': @@ -22,15 +21,14 @@ class { 'mongodb::server': } end it 'creates the user' do - shell("mongo testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| - expect(r.stdout.chomp).to eq('1') + shell("mongosh testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| + expect(r.stdout.chomp).to eq('{ ok: 1 }') end end it 'removes a user with no errors' do pp = <<-EOS class { 'mongodb::server': } - -> class { 'mongodb::client': } -> mongodb_database { 'testdb': ensure => present } -> mongodb_user {'testuser': @@ -45,7 +43,7 @@ class { 'mongodb::server': } end it 'auth should fail' do - shell("mongo testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| + shell("mongosh testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| expect(r.stdout.chomp).to contain('Error: Authentication failed') end end @@ -55,7 +53,6 @@ class { 'mongodb::server': } it 'works with no errors' do pp = <<-EOS class { 'mongodb::server': port => 27018 } - -> class { 'mongodb::client': } -> mongodb_database { 'testdb': ensure => present } -> mongodb_user {'testuser': @@ -70,8 +67,8 @@ class { 'mongodb::server': port => 27018 } end it 'creates the user' do - shell("mongo testdb --quiet --port 27018 --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| - expect(r.stdout.chomp).to eq('1') + shell("mongosh testdb --quiet --port 27018 --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| + expect(r.stdout.chomp).to eq('{ ok: 1 }') end end end 
@@ -80,7 +77,6 @@ class { 'mongodb::server': port => 27018 } it 'compiles with no errors' do pp = <<-EOS class { 'mongodb::server': } - -> class { 'mongodb::client': } -> mongodb_database { 'testdb': ensure => present } -> mongodb_user {'testuser': @@ -96,8 +92,8 @@ class { 'mongodb::server': } end it 'creates the user' do - shell("mongo testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| - expect(r.stdout.chomp).to eq('1') + shell("mongosh testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| + expect(r.stdout.chomp).to eq('{ ok: 1 }') end end end @@ -106,7 +102,6 @@ class { 'mongodb::server': } it 'compiles with no errors' do pp = <<-EOS class { 'mongodb::server': } - -> class { 'mongodb::client': } -> mongodb_database { 'testdb': ensure => present } -> mongodb_database { 'testdb2': ensure => present } -> 
@@ -130,25 +125,25 @@ class { 'mongodb::server': } end it 'allows the testuser' do - shell("mongo testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| - expect(r.stdout.chomp).to eq('1') + shell("mongosh testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\")'") do |r| + expect(r.stdout.chomp).to eq('{ ok: 1 }') end end it 'assigns roles to testuser' do - shell("mongo testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\"); db.getUser(\"testuser\")[\"roles\"].forEach(function(role){print(role.role + \"@\" + role.db)})'") do |r| + shell("mongosh testdb --quiet --eval 'db.auth(\"testuser\",\"passw0rd\"); db.getUser(\"testuser\")[\"roles\"].forEach(function(role){print(role.role + \"@\" + role.db)})'") do |r| expect(r.stdout.split(%r{\n})).to contain_exactly('readWrite@testdb', 'dbAdmin@testdb') end end it 'allows the second user to connect to its default database' do - shell("mongo testdb2 --quiet --eval 'db.auth(\"testuser2\",\"passw0rd\")'") do |r| - expect(r.stdout.chomp).to eq('1') + shell("mongosh testdb2 --quiet --eval 'db.auth(\"testuser2\",\"passw0rd\")'") do |r| + expect(r.stdout.chomp).to eq('{ ok: 1 }') end end it 'assigns roles to testuser2' do - shell("mongo testdb2 --quiet --eval 'db.auth(\"testuser2\",\"passw0rd\"); db.getUser(\"testuser2\")[\"roles\"].forEach(function(role){print(role.role + \"@\" + role.db)})'") do |r| + shell("mongosh testdb2 --quiet --eval 'db.auth(\"testuser2\",\"passw0rd\"); db.getUser(\"testuser2\")[\"roles\"].forEach(function(role){print(role.role + \"@\" + role.db)})'") do |r| expect(r.stdout.split(%r{\n})).to contain_exactly('readWrite@testdb2', 'dbAdmin@testdb2', 'readWrite@testdb', 'dbAdmin@testdb') end end diff --git a/spec/classes/client_spec.rb b/spec/classes/client_spec.rb index b97a517d6..c0e2ce44f 100644 --- a/spec/classes/client_spec.rb +++ b/spec/classes/client_spec.rb 
@@ -9,12 +9,7 @@ context 'with defaults' do it { is_expected.to compile.with_all_deps } - - if facts[:os]['release']['major'] =~ %r{(10)} - it { is_expected.to create_package('mongodb_client').with_ensure('4.4.8') } - else - it { is_expected.to create_package('mongodb_client').with_ensure('present') } - end + it { is_expected.to create_package('mongodb_client').with_ensure('present') } end context 'with manage_package' do @@ -23,12 +18,7 @@ end it { is_expected.to compile.with_all_deps } - - if facts[:os]['release']['major'] =~ %r{(10)} - it { is_expected.to create_package('mongodb_client').with_ensure('4.4.8').with_name('mongodb-org-shell').with_tag('mongodb_package') } - else - it { is_expected.to create_package('mongodb_client').with_ensure('present').with_name('mongodb-org-shell').with_tag('mongodb_package') } - end + it { is_expected.to create_package('mongodb_client').with_ensure('present').with_name('mongodb-mongosh').with_tag('mongodb_package') } end end end diff --git a/spec/classes/mongos_spec.rb b/spec/classes/mongos_spec.rb index bbccc8c85..213e19a4b 100644 --- a/spec/classes/mongos_spec.rb +++ b/spec/classes/mongos_spec.rb 
@@ -7,30 +7,20 @@ context "on #{os}" do let(:facts) { facts } - case facts[:os]['family'] - when 'Debian' - package_name = if facts[:os]['release']['major'] =~ %r{(10)} - 'mongodb-org-mongos' - else - 'mongodb-server' - end - config_file = '/etc/mongodb-shard.conf' - else - package_name = 'mongodb-org-mongos' - config_file = '/etc/mongos.conf' - end + package_name = 'mongodb-org-mongos' + config_file = case facts[:os]['family'] + when 'Debian' + '/etc/mongodb-shard.conf' + else + '/etc/mongos.conf' + end context 'with defaults' do it { is_expected.to compile.with_all_deps } # install it { is_expected.to contain_class('mongodb::mongos::install') } - - if facts[:os]['release']['major'] =~ %r{(10)} - it { is_expected.to contain_package('mongodb_mongos').with_ensure('4.4.8').with_name(package_name).with_tag('mongodb_package') } - else - it { is_expected.to contain_package('mongodb_mongos').with_ensure('present').with_name(package_name).with_tag('mongodb_package') } - end + it { is_expected.to contain_package('mongodb_mongos').with_ensure('present').with_name(package_name).with_tag('mongodb_package') } # config it { is_expected.to contain_class('mongodb::mongos::config') } @@ -39,7 +29,6 @@ when 'RedHat', 'Suse' expected_content = <<~CONFIG configdb = 127.0.0.1:27019 - fork = true pidfilepath = /var/run/mongodb/mongos.pid logpath = /var/log/mongodb/mongos.log unixSocketPrefix = /var/run/mongodb @@ -90,12 +79,7 @@ end it { is_expected.to compile.with_all_deps } - - if facts[:os]['release']['major'] =~ %r{(10)} - it { is_expected.to contain_package('mongodb_mongos').with_name('mongo-foo').with_ensure('4.4.8').with_tag('mongodb_package') } - else - it { is_expected.to contain_package('mongodb_mongos').with_name('mongo-foo').with_ensure('present').with_tag('mongodb_package') } - end + it { is_expected.to contain_package('mongodb_mongos').with_name('mongo-foo').with_ensure('present').with_tag('mongodb_package') } end context 'service_manage => false' do 
diff --git a/spec/opsmanager_spec.rb b/spec/classes/opsmanager_spec.rb similarity index 100% rename from spec/opsmanager_spec.rb rename to spec/classes/opsmanager_spec.rb diff --git a/spec/classes/repo_spec.rb b/spec/classes/repo_spec.rb index 796014ac3..7e833904e 100644 --- a/spec/classes/repo_spec.rb +++ b/spec/classes/repo_spec.rb @@ -16,7 +16,7 @@ describe 'with version set' do let :params do { - version: '3.6.1' + version: '6.0.7' } end @@ -26,14 +26,14 @@ it do is_expected.to contain_yumrepo('mongodb'). - with_baseurl('https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.6/$basearch/') + with_baseurl('https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/$basearch/') end when 'Suse' it { is_expected.to contain_class('mongodb::repo::zypper') } it do is_expected.to contain_zypprepo('mongodb'). - with_baseurl('https://repo.mongodb.org/zypper/suse/$releasever_major/mongodb-org/3.6/$basearch/') + with_baseurl('https://repo.mongodb.org/zypper/suse/$releasever_major/mongodb-org/6.0/$basearch/') end when 'Debian' it { is_expected.to contain_class('mongodb::repo::apt') } @@ -43,13 +43,13 @@ it do is_expected.to contain_apt__source('mongodb'). with_location('https://repo.mongodb.org/apt/debian'). - with_release("#{facts[:lsbdistcodename]}/mongodb-org/3.6") + with_release("#{facts[:lsbdistcodename]}/mongodb-org/6.0") end when 'Ubuntu' it do is_expected.to contain_apt__source('mongodb'). with_location('https://repo.mongodb.org/apt/ubuntu'). - with_release("#{facts[:lsbdistcodename]}/mongodb-org/3.6") + with_release("#{facts[:lsbdistcodename]}/mongodb-org/6.0") end end else @@ -60,7 +60,7 @@ describe 'with proxy' do let :params do { - version: '3.6.1', + version: '6.0.7', proxy: 'http://proxy-server:8080', proxy_username: 'proxyuser1', proxy_password: 'proxypassword1' 
@@ -86,6 +86,16 @@ it { is_expected.to raise_error(Puppet::Error, %r{not supported}) } end end + + describe 'with older version' do + let :params do + { + version: '3.0.2' + } + end + + it { is_expected.to raise_error(Puppet::Error, %r{older than 4.4 are unsupported}) } + end end end end diff --git a/spec/classes/server_spec.rb b/spec/classes/server_spec.rb index 2d8451b41..a9e175983 100644 --- a/spec/classes/server_spec.rb +++ b/spec/classes/server_spec.rb 
@@ -43,35 +43,43 @@ end end - describe 'with defaults' do - it_behaves_like 'server classes' + let(:mongo_user) do + if facts[:os]['family'] == 'Debian' + 'mongodb' + else + 'mongod' + end + end - if facts[:os]['family'] == 'RedHat' || facts[:os]['family'] == 'Suse' - it { is_expected.to contain_package('mongodb_server').with_ensure('present').with_name('mongodb-org-server').with_tag('mongodb_package') } - elsif facts[:os]['release']['major'] =~ %r{(10)} - it { is_expected.to contain_package('mongodb_server').with_ensure('4.4.8').with_name('mongodb-org-server').with_tag('mongodb_package') } + let(:mongo_group) do + if facts[:os]['family'] == 'Debian' + 'mongodb' else - it { is_expected.to contain_package('mongodb_server').with_ensure('present').with_name('mongodb-server').with_tag('mongodb_package') } + 'mongod' end + end + + describe 'with defaults' do + it_behaves_like 'server classes' + + it { is_expected.to contain_package('mongodb_server').with_ensure('present').with_name('mongodb-org-server').with_tag('mongodb_package') } it do is_expected.to contain_file(config_file). with_mode('0644'). with_owner('root'). with_group('root'). - with_content(%r{^storage\.dbPath: /var/lib/mongodb$}). + with_content(%r{^storage\.dbPath: /var/lib/mongo$}). with_content(%r{^net\.bindIp: 127\.0\.0\.1$}). with_content(%r{^systemLog\.logAppend: true$}). 
with_content(%r{^systemLog\.path: #{log_path}$}) end - if facts[:os]['family'] == 'Debian' - it { is_expected.not_to contain_file(config_file).with_content(%r{fork}) } - else - it { is_expected.to contain_file(config_file).with_content(%r{^ fork: true$}) } - end + it { is_expected.not_to contain_file(config_file).with_content(%r{fork}) } + + it { is_expected.to contain_file('/root/.mongoshrc.js').with_ensure('file').without_content(%r{db\.auth}) } + it { is_expected.to contain_file('/var/lib/mongo').with(ensure: 'directory', mode: '0750', owner: mongo_user, group: mongo_group) } - it { is_expected.to contain_file('/root/.mongorc.js').with_ensure('file').without_content(%r{db\.auth}) } it { is_expected.not_to contain_exec('fix dbpath permissions') } end @@ -188,7 +196,7 @@ end it { is_expected.to contain_file(config_file).with_content(%r{^security\.authorization: enabled$}) } - it { is_expected.to contain_file('/root/.mongorc.js') } + it { is_expected.to contain_file('/root/.mongoshrc.js') } end describe 'when specifying set_parameter array value' do @@ -274,18 +282,40 @@ end describe 'with store_creds' do - context 'true' do + context 'true with scram_sha_1' do + let :params do + { + admin_username: 'admin', + admin_password: 'password', + auth: true, + store_creds: true + } + end + + it { + is_expected.to contain_file('/root/.mongoshrc.js'). + with_ensure('file'). + with_owner('root'). + with_group('root'). + with_mode('0600'). + with_content(%r{db\.auth\('admin', 'password'\)}) + } + end + + context 'true with scram_sha_256' do let :params do { admin_username: 'admin', admin_password: 'password', + admin_auth_mechanism: 'scram_sha_256', + admin_update_password: true, auth: true, store_creds: true } end it { - is_expected.to contain_file('/root/.mongorc.js'). + is_expected.to contain_file('/root/.mongoshrc.js'). with_ensure('file'). with_owner('root'). with_group('root'). 
@@ -294,6 +324,38 @@ } end + context 'true with x509' do + let :params do + { + admin_username: 'subject=CN=admin,OU=some,O=company,ST=somewhere,C=EX', + admin_auth_mechanism: 'x509', + admin_tls_key: '/path/to/key', + auth: true, + store_creds: true + } + end + + it { + is_expected.to contain_file('/root/.mongoshrc.js'). + with_ensure('file'). + with_owner('root'). + with_group('root'). + with_mode('0600'). + with_content(%r{db\.getSiblingDB\('\$external'\)\.auth}). + with_content(%r{mechanism: 'MONGODB-X509'}) + } + + it { + is_expected.to contain_file('/root/.mongosh.yaml'). + with_ensure('file'). + with_owner('root'). + with_group('root'). + with_mode('0600'). + with_content(%r{^subject=CN=admin,OU=some,O=company,ST=somewhere,C=EX:$}). + with_content(%r{tlsCertificateKeyFile: /path/to/key}) + } + end + context 'false' do let :params do { @@ -301,7 +363,7 @@ } end - it { is_expected.to contain_file('/root/.mongorc.js').with_ensure('file').without_content(%r{db\.auth}) } + it { is_expected.to contain_file('/root/.mongoshrc.js').with_ensure('file').without_content(%r{db\.auth}) } end end @@ -327,10 +389,10 @@ it do is_expected.to contain_exec('fix dbpath permissions'). - with_command('chown -R foo:bar /var/lib/mongodb'). + with_command('chown -R foo:bar /var/lib/mongo'). with_path(['/usr/bin', '/bin']). - with_onlyif("find /var/lib/mongodb -not -user foo -o -not -group bar -print -quit | grep -q '.*'"). - that_subscribes_to('File[/var/lib/mongodb]') + with_onlyif("find /var/lib/mongo -not -user foo -o -not -group bar -print -quit | grep -q '.*'"). + that_subscribes_to('File[/var/lib/mongo]') end end diff --git a/spec/unit/mongodb_version_spec.rb b/spec/unit/mongodb_version_spec.rb index a7ede5d3d..31832131c 100644 --- a/spec/unit/mongodb_version_spec.rb +++ b/spec/unit/mongodb_version_spec.rb 
@@ -10,12 +10,12 @@ describe 'mongodb_version' do context 'with value' do before do - allow(Facter::Core::Execution).to receive(:which).with('mongo').and_return(true) - allow(Facter::Core::Execution).to receive(:execute).with('mongo --version 2>&1').and_return('MongoDB shell version: 3.2.1') + allow(Facter::Core::Execution).to receive(:which).with('mongod').and_return(true) + allow(Facter::Core::Execution).to receive(:execute).with('mongod --version 2>&1').and_return('db version v6.0.7') end it { - expect(Facter.fact(:mongodb_version).value).to eq('3.2.1') + expect(Facter.fact(:mongodb_version).value).to eq('6.0.7') } end end diff --git a/spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb b/spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb index c783d6898..8f25fb384 100644 --- a/spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb +++ b/spec/unit/puppet/provider/mongodb_database/mongodb_spec.rb @@ -38,7 +38,7 @@ tmp = Tempfile.new('test') mongodconffile = tmp.path allow(provider.class).to receive(:mongod_conf_file).and_return(mongodconffile) - allow(provider.class).to receive(:mongo_eval).with('try { rs.secondaryOk() } catch (err) { rs.slaveOk() };printjson(db.getMongo().getDBs())').and_return(raw_dbs) + allow(provider.class).to receive(:mongo_eval).with('db.getMongo().setReadPref("primaryPreferred");EJSON.stringify(db.getMongo().getDBs())').and_return(raw_dbs) allow(provider.class).to receive(:db_ismaster).and_return(true) end diff --git a/spec/unit/puppet/provider/mongodb_spec.rb b/spec/unit/puppet/provider/mongodb_spec.rb index 0b71a4742..a04af823a 100644 --- a/spec/unit/puppet/provider/mongodb_spec.rb +++ b/spec/unit/puppet/provider/mongodb_spec.rb 
@@ -14,18 +14,15 @@ describe 'mongo version detection' do v = { - '2.6.x' => { '26' => true, '4' => false, '5' => false }, - '4.x.x' => { '26' => false, '4' => true, '5' => false }, - '5.x.x' => { '26' => false, '4' => false, '5' => true }, - 'x.x.x' => { '26' => false, '4' => false, '5' => false } + '4.x.x' => { '4' => true, '5' => false, '6' => false }, + '5.x.x' => { '4' => false, '5' => true, '6' => false }, + '6.x.x' => { '4' => false, '5' => false, '6' => true }, + 'x.x.x' => { '4' => false, '5' => false, '6' => false } } - v.each do |key, results| + v.each do |key, _results| it "version detection for [#{key}]" do allow(provider_class).to receive(:mongo_eval).with('db.version()').and_return(key) - expect(provider_class.mongo_26?).to be results['26'] - expect(provider_class.mongo_4?).to be results['4'] - expect(provider_class.mongo_5?).to be results['5'] end end end diff --git a/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb b/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb index 7a397718b..bbd44ad2c 100644 --- a/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb +++ b/spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb 
@@ -7,7 +7,7 @@ describe Puppet::Type.type(:mongodb_user).provider(:mongodb) do let(:raw_users) do [ - { '_id' => 'admin.root', 'user' => 'root', 'db' => 'admin', 'credentials' => { 'MONGODB-CR' => 'pass', 'SCRAM-SHA-1' => { 'iterationCount' => 10_000, 'salt' => 'salt', 'storedKey' => 'storedKey', 'serverKey' => 'serverKey' } }, 'roles' => [{ 'role' => 'role2', 'db' => 'admin' }, { 'role' => 'role3', 'db' => 'user_database' }, { 'role' => 'role1', 'db' => 'admin' }] } + { '_id' => 'admin.root', 'user' => 'root', 'db' => 'admin', 'credentials' => { 'MONGODB-CR' => 'pass', 'SCRAM-SHA-1' => { 'iterationCount' => 10_000, 'salt' => 'salt', 'storedKey' => 'storedKey', 'serverKey' => 'serverKey' } }, 'roles' => [{ 'role' => 'role1', 'db' => 'admin' }, { 'role' => 'role3', 'db' => 'user_database' }, { 'role' => 'role2', 'db' => 'other_database' },] } ].to_json end @@ -32,8 +32,8 @@ tmp = Tempfile.new('test') mongodconffile = tmp.path allow(provider.class).to receive(:mongod_conf_file).and_return(mongodconffile) - allow(provider.class).to receive(:mongo_eval).with('printjson(db.system.users.find().toArray())').and_return(raw_users) - allow(provider.class).to receive(:mongo_version).and_return('2.6.x') + allow(provider.class).to receive(:mongo_eval).with('EJSON.stringify(db.system.users.find().toArray())').and_return(raw_users) + allow(provider.class).to receive(:mongo_version).and_return('6.0.x') allow(provider.class).to receive(:db_ismaster).and_return(true) end @@ -58,6 +58,7 @@ "createUser":"new_user", "customData":{"createdBy":"Puppet Mongodb_user['new_user']"}, "roles":[{"role":"role1","db":"new_database"},{"role":"role2","db":"other_database"}], + "mechanisms":["SCRAM-SHA-1"], "pwd":"pass", "digestPassword":false } @@ -119,7 +120,7 @@ describe 'roles' do it 'returns a sorted roles' do - expect(instance.roles).to eq(%w[role1 role2 role3@user_database]) + expect(instance.roles).to eq(%w[role1 role2@other_database role3@user_database]) end end 
diff --git a/templates/mongodb.conf.2.6.erb b/templates/mongodb.conf.erb similarity index 84% rename from templates/mongodb.conf.2.6.erb rename to templates/mongodb.conf.erb index 5c846a254..709e688bb 100644 --- a/templates/mongodb.conf.2.6.erb +++ b/templates/mongodb.conf.erb @@ -71,7 +71,6 @@ storage.quota.maxFilesPerDB: <%= @quotafiles %> storage.engine: <%= @storage_engine_internal %> <% end -%> - #Security <% if @auth -%> security.authorization: enabled @@ -85,7 +84,6 @@ security.keyFile: <%= @keyfile %> security.javascriptEnabled: <%= @noscripting %> <% end -%> - #Net <% if @ipv6 -%> net.ipv6: <%= @ipv6 %> @@ -123,10 +121,22 @@ net.ssl.allowInvalidHostnames: <%= @ssl_invalid_hostnames %> <% end -%> <% if @tls -%> net.tls.mode: <%= @tls_mode %> +<% if @tls_key -%> net.tls.certificateKeyFile: <%= @tls_key %> +<% end -%> +<% if @tls_cluster_key -%> +net.tls.ClusterFile = <%= @tls_cluster_key %> +<% end -%> +<% if ! @tls_use_system_ca -%> +<%# its this parameter or the explicit ca file location %> +<%# This options will be set in the setparameter section below %> <% if @tls_ca -%> net.tls.CAFile: <%= @tls_ca %> <% end -%> +<% if @tls_cluster_ca -%> +net.tls.clusterCAFile: <%= @tls_ca %> +<% end -%> +<% end -%> <% if @tls_conn_without_cert -%> net.tls.allowConnectionsWithoutCertificates: <%= @tls_conn_without_cert %> <% end -%> @@ -169,6 +179,18 @@ setParameter: <%= v %> <% end -%> <% end -%> +<% if @supported_auth_mechanisms || @tls_use_system_ca -%> +<% if !@set_parameter -%> +setParameter: +<% end -%> +<% if @supported_auth_mechanisms -%> + <%# setParameters.auth... gives an error on startup status=2/INVALIDARGUMENT -%> + authenticationMechanisms: <%= @supported_auth_mechanisms.join(',') %> +<% end -%> +<% if @tls_use_system_ca -%> + tlsUseSystemCA: true +<% end -%> +<% end -%> <% if @config_data -%> <% @config_data.each do |k,v| -%> 
diff --git a/templates/mongorc.js.erb b/templates/mongoshrc.js.erb similarity index 58% rename from templates/mongorc.js.erb rename to templates/mongoshrc.js.erb index 9e060306f..c9ee3c379 100644 --- a/templates/mongorc.js.erb +++ b/templates/mongoshrc.js.erb @@ -19,31 +19,43 @@ function rsReconfigSettings(settings){ <% if @auth and @store_creds -%> function authRequired() { try { - return db.serverCmdLineOpts().code == 13; + return db.serverCmdLineOpts().ok != 1; } catch (err) { - return false; + if (err.message.match(/requires authentication/) || err.message.match(/not authorized on admin/)) { + return true + } else { + throw("Unknown error :" + err) + } } } if (authRequired()) { <%- if @replset -%> - // rs.slaveOk has been deprecated, use secondaryOk if available + db.getMongo().setReadPref('primaryPreferred') + <%- end -%> + <%- if @admin_auth_mechanism == 'x509' -%> try { - rs.secondaryOk() + db.getSiblingDB('$external').auth( + { + mechanism: 'MONGODB-X509' + } + ) } - catch (err) { - rs.slaveOk() + catch(err) { + // This isn't catching authentication errors as I'd expect... + throw(err) } - <%- end -%> + <%- else -%> try { - var prev_db = db + var prev_db = db.getName() db = db.getSiblingDB('admin') db.auth('<%= @admin_username %>', '<%= @admin_password_unsensitive %>') db = db.getSiblingDB(prev_db) } catch (err) { // This isn't catching authentication errors as I'd expect... - abort('Unknown error') + throw(err) } + <%- end -%> } <% end -%>
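Review bot: In the replset acceptance spec (the `@@ -56` and `@@ -185` hunks), the "checks the data on the slave" examples now run `db.getMongo().setReadPref("primaryPreferred")` before the `findOne`, which states the opposite of what the example is meant to prove; use `setReadPref("secondary")` there so the read can only be served by the secondary and the example fails, rather than silently reading from the primary, if the connection is ever made through a replica-set URI instead of directly to the host. `primaryPreferred` is the right choice for the provider and the `.mongoshrc.js` template, where the point is to reach whichever member can answer, but not for a replication check.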
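Review bot: In `spec/acceptance/server_spec.rb` (the `@@ -151` hunk, inside the `class { 'mongodb::client': }` context), `describe command('mongod --version')` checks the server binary, so the example no longer verifies anything `mongodb::client` installs; `mongosh --version` is the command that covers the client package this context sets up. The same change in the `@@ -54` hunk is fine, since that context no longer declares the client class.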
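Review bot: In `spec/acceptance/user_spec.rb`, the repeated `expect(r.stdout.chomp).to eq('{ ok: 1 }')` pins the examples to mongosh's exact pretty-printed output, which the shell is free to change between releases (spacing, quoting, ordering); `expect(r.stdout).to match(%r{ok:\s*1})` checks the same fact without the brittleness, and the same applies to the `Error: Authentication failed` check, which already uses `contain` and so is fine.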
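Review bot: In `spec/unit/puppet/provider/mongodb_spec.rb`, the `it "version detection for [#{key}]"` examples no longer contain an expectation: the three `expect(provider_class.mongo_*?)` lines were removed and the block parameter was renamed to `_results`, so each example only stubs `mongo_eval` and passes vacuously. Either assert on whatever predicates the updated hash (`'4'`, `'5'`, `'6'`) now describes, or drop the hash and the examples together rather than keeping a table that nothing reads.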
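Review bot: In `spec/unit/mongodb_version_spec.rb`, the fact now shells out to `mongod --version` only; a node that carries just `mongos` (the `router` host in `sharding_spec.rb`) or just the client package has no `mongod` binary, so `mongodb_version` resolves to nothing there even though a MongoDB component is installed. Consider falling back to `mongos --version` (it prints `mongos version v...` in the same format) when `mongod` is absent, and add a spec example for the mongos-only case.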
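Review bot: In `spec/unit/puppet/provider/mongodb_user/mongodb_spec.rb`, the `raw_users` fixture still lists `'MONGODB-CR' => 'pass'` under `credentials` while `mongo_version` is now stubbed to `6.0.x`; MONGODB-CR was removed from the server in 4.0, so the fixture no longer resembles real `system.users` output and should carry only SCRAM entries. Two smaller points in the same hunks: the roles array ends in `},]` (trailing comma, RuboCop will flag it), and the new `"mechanisms":["SCRAM-SHA-1"]` in the expected `createUser` document means the provider creates SHA-1-only credentials; if that is the default rather than something this example sets explicitly, the default should be SCRAM-SHA-256 on servers that support it (the `admin_auth_mechanism: 'scram_sha_256'` parameter introduced in `server_spec.rb` shows the module already knows the distinction).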
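Review bot: In `templates/mongodb.conf.erb` (the `@@ -123` hunk), `net.tls.ClusterFile = <%= @tls_cluster_key %>` uses `=` and a capitalised key in a file that is otherwise YAML `key: value`, so mongod will fail to parse its config whenever `tls_cluster_key` is set; the option is `net.tls.clusterFile`, and the line should read `net.tls.clusterFile: <%= @tls_cluster_key %>`. In the same hunk the `<% if @tls_cluster_ca -%>` block emits `net.tls.clusterCAFile: <%= @tls_ca %>`, interpolating the wrong variable: the cluster CA silently becomes the client CA (or an empty value when `tls_ca` is unset), which is exactly the kind of trust-anchor mix-up the separate parameter exists to avoid. Both deserve a server_spec example that sets `tls_cluster_key` and `tls_cluster_ca` and matches the rendered lines.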
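Review bot: In `templates/mongodb.conf.erb` (the `@@ -169` hunk), the new block only writes a `setParameter:` header when `@set_parameter` is falsy, so when a user passes `set_parameter` the `authenticationMechanisms` and `tlsUseSystemCA` keys are appended to the mapping emitted by the preceding loop and depend on that loop using the same two-space indent; a user who already lists `authenticationMechanisms` in `set_parameter` will also get a duplicate key. Add an example under the existing "when specifying set_parameter array value" context that sets `supported_auth_mechanisms` as well and asserts the rendered file contains a single `setParameter:` key with both entries under it, and consider rejecting or merging a user-supplied `authenticationMechanisms` entry.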
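Review bot: In `templates/mongoshrc.js.erb`, `authRequired()` now decides that authentication is needed by regex-matching `err.message` (`requires authentication`, `not authorized on admin`); the rejection the server sends for an unauthenticated `getCmdLineOpts` carries error code 13 (`Unauthorized`), which is what the removed `code == 13` line tested, so `err.code === 13` (or `err.codeName === 'Unauthorized'`) is a more robust check than message text that varies between server versions. `throw("Unknown error :" + err)` throws a plain string and loses the error's code and stack; rethrow `err` instead. Further down, both catch blocks in the auth section now do nothing but `throw(err)`, which makes each `try`/`catch` a no-op while the comment `// This isn't catching authentication errors as I'd expect...` is left in place twice; either drop the wrappers and the stale comment or handle the failed-auth case there (for example by printing which mechanism was attempted before rethrowing).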