Commit 7c4fcb1b authored by Tharyrok's avatar Tharyrok

Merge branch '122-federation-prometheus-remote-storage' into 'main'

Resolve "Fédération Prometheus / remote storage"

Closes #122

See merge request Neutrinet/infra!171
parents 55081f3a a3718c74
Pipeline #776 passed with stage
in 4 minutes and 40 seconds
- name: restart postgresql
service:
name: postgresql
state: restarted
- name: restart promscale
systemd:
name: promscale
daemon_reload: true
state: restarted
*********************************
Vagrant driver installation guide
*********************************
Requirements
============
* Vagrant
* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop
Install
=======
Please refer to the `Virtual environment`_ documentation for installation best
practices. If not using a virtual environment, please consider passing the
widely recommended `'--user' flag`_ when invoking ``pip``.
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
.. code-block:: bash
$ pip install 'molecule_vagrant'
---
- name: Converge
hosts: all
become: true
roles:
- promscale
dependency:
name: galaxy
driver:
name: vagrant
provider:
name: virtualbox
platforms:
- name: buster-promscale-molecule
box: debian/buster64
cpu: 2
memory: 1024
interfaces:
- network_name: private_network
type: dhcp
auto_config: true
provisioner:
name: ansible
config_options:
defaults:
interpreter_python: /usr/bin/python3
ssh_connection:
pipelining: true
verifier:
name: ansible
---
- name: Prepare
hosts: all
become: true
pre_tasks:
- name: Mise à jour du cache APT
apt:
update_cache: true
roles:
- telegraf
- postgres_standalone
- name: Récupération de la liste des binaires
find:
path: /opt/promscale
file_type: file
use_regex: true
pattern: '^[0-9]+\.[0-9]+\.[0-9]+$'
register: _promscale_binaries
- name: Suppression des anciens binaires
file:
path: "{{ binary.path }}"
state: absent
loop: "{{ _promscale_binaries.files }}"
loop_control:
loop_var: binary
label: "{{ binary.path }}"
when: promscale_old_version != promscale_version
vars:
promscale_old_version: "{{ binary.path | replace('/opt/promscale/', '') }}"
- name: Création de l'utilisateur
import_tasks: user.yml
tags: ['user']
- name: Installation de TimescaleDB
import_tasks: timescaledb.yml
tags: ['timescaledb']
- name: Installation de Promscale
import_tasks: promscale.yml
tags: ['promscale']
- name: Nettoyage des anciennes versions
import_tasks: cleanup.yml
tags: ['cleanup']
- name: Création du dossier d'installation de Promscale
file:
path: /opt/promscale
owner: root
group: root
mode: "u=rwx,go=rx"
state: directory
- name: Téléchargement du binaire de Promscale v{{ promscale_version }}
get_url:
url: https://github.com/timescale/promscale/releases/download/{{ promscale_version }}/promscale_{{ promscale_version }}_Linux_x86_64
dest: /opt/promscale/{{ promscale_version }}
owner: root
group: root
mode: "u=rwx,go=rx"
checksum: "sha256:https://github.com/timescale/promscale/releases/download/{{ promscale_version }}/checksums.txt"
- name: Création du lien symbolique pour le binaire promscale
file:
src: /opt/promscale/{{ promscale_version }}
dest: /usr/local/bin/promscale
state: link
owner: root
group: root
mode: "u=rwx,go=rx"
- name: Installation de l'extension Promscale v{{ promscale_extension_version }} pour PostgreSQL
apt:
deb: https://github.com/timescale/promscale_extension/releases/download/{{ promscale_extension_version }}/promscale_extension-{{ promscale_extension_version }}.pg{{ postgresql_major_version }}.x86_64.deb
state: present
- name: Création du dossier de configuration de Promscale
file:
path: /etc/promscale
owner: promscale
group: promscale
mode: "u=rwx,g=rx,o="
state: directory
- name: Configuration de Promscale
template:
src: promscale/config.yml.j2
dest: /etc/promscale/config.yml
owner: promscale
group: promscale
mode: "u=rw,g=r,o="
no_log: true
notify: restart promscale
- name: Vérification si la base de données est initialisée
postgresql_query:
db: "{{ promscale_postgresql_database }}"
# ou alors vérifier que l'extension promscale est installée ? puisque cette étape n'est là que pour ça…
query: select exists (select from pg_tables where schemaname = 'public' and tablename = 'prom_installation_info');
become_user: postgres
register: _timescaledb_check_init
- name: Définition de l'état d'initialisation de la base de données
set_fact:
timescaledb_initialized: "{{ timescaledb_check_init_query_result.exists }}"
vars:
timescaledb_check_init_query_result: "{{ _timescaledb_check_init.query_result | first }}"
- name: Initialisation de la base de données de Promscale
command:
cmd: promscale --startup.only --startup.install-extensions false
chdir: /etc/promscale
become_user: promscale
when: not timescaledb_initialized
- name: Configuration de la durée de rétention
# Note: Due to the SELECT query, we don't get any information when the
# retention period is modified. In that sense, this task isn't idempotent.
postgresql_query:
db: "{{ promscale_postgresql_database }}"
query: select prom_api.set_default_retention_period('{{ promscale_retention }}');
become_user: postgres
- name: Activation de l'extension Promscale
postgresql_ext:
name: promscale
db: "{{ promscale_postgresql_database }}"
state: present
become_user: postgres
- name: Configuration du service systemd
template:
src: systemd/promscale.service.j2
dest: /etc/systemd/system/promscale.service
owner: root
group: root
mode: "u=rw,go=r"
notify:
- restart promscale
- name: Activation de Promscale au démarrage
service:
name: promscale
state: started
enabled: true
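Review bot: The two downloads in this task file are not pinned to a known-good digest. The `get_url` task takes its `checksum` from `checksums.txt` in the same GitHub release as the binary, so it catches a corrupted transfer but not a replaced release asset, and the `apt: deb: https://…` task for the PostgreSQL extension installs a package as root with no digest check at all. I would pin both digests in the role variables next to the versions, e.g. `checksum: "sha256:{{ promscale_checksum }}"` (a new variable, to be added), and fetch the `.deb` with `get_url` plus a pinned checksum before handing the local path to `apt: deb:`. Separately, the retention task interpolates `promscale_retention` straight into the SQL text; `postgresql_query` accepts `positional_args`, which would keep the value out of the statement.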
- name: Ajout de la clé GPG de TimescaleDB dans APT
apt_key:
url: https://packagecloud.io/timescale/timescaledb/gpgkey
state: present
- name: Ajout du dépôt APT TimescaleDB
apt_repository:
repo: deb https://packagecloud.io/timescale/timescaledb/debian {{ ansible_distribution_release | lower }} main
filename: caddy-stable
state: present
- name: Installation de TimescaleDB
package:
name: timescaledb-2-postgresql-{{ postgresql_major_version }}
state: present
- name: Optimisation de PostgreSQL pour TimescaleDB
command:
cmd: timescaledb-tune --yes --memory={{ timescaledb_memory_limit }} --cpus={{ timescaledb_cpu_limit }}
register: _timescaledb_tuned
changed_when: "'updated' in _timescaledb_tuned.stderr"
notify: restart postgresql
- name: Désactivation de la télémétrie de TimescaleDB
lineinfile:
dest: /etc/postgresql/{{ postgresql_major_version }}/main/postgresql.conf
insertafter: '^timescaledb\.'
regex: '^timescaledb\.telemetry_level'
line: timescaledb.telemetry_level = off
notify: restart postgresql
- name: Trigger PostgreSQL handler
# We need to restart postgresql to apply the timescaledb extension
meta: flush_handlers
- name: Configuration de la base de données PostgreSQL
import_role:
name: postgres_db
vars:
postgresql_db_name: "{{ promscale_postgresql_database }}"
postgresql_db_password: "{{ promscale_postgresql_password }}"
postgresql_db_role_attributes: CREATEROLE
postgresql_db_change_owner: true
tags: ['postgres']
- name: Activation de l'extension TimescaleDB
postgresql_ext:
name: timescaledb
db: "{{ promscale_postgresql_database }}"
state: present
become_user: postgres
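Review bot: `filename: caddy-stable` on the TimescaleDB `apt_repository` task looks like a copy-paste leftover. The TimescaleDB source ends up in `caddy-stable.list`, where it can collide with or be mistaken for a Caddy repository entry; `filename: timescaledb` would match what the file holds. Also, `apt_key` adds the packagecloud key to APT's global trusted keyring, so that key can vouch for packages from every configured repository, not only this one. Storing the key in a dedicated keyring file and referencing it with `signed-by=` in the `repo:` line would scope the trust to the TimescaleDB source.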
- name: Création de l'utilisateur promscale
user:
name: promscale
home: /opt/promscale
shell: /sbin/nologin
system: true
state: present
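Review bot: The service account's `home` is `/opt/promscale`, the directory that later holds the binaries, and the `user` module creates a missing home directory owned by the new user unless `create_home: false` is set. The "Création du dossier d'installation de Promscale" task resets the owner to root afterwards, so the end state looks fine, but it depends on task order and on the run not stopping in between. Adding `create_home: false` here keeps the binary directory from ever being writable by the account that runs the service. It is also worth confirming that `/sbin/nologin` resolves on the target image, since Debian ships the binary as `/usr/sbin/nologin`.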
{{ ansible_managed | comment }}
db.host: localhost
db.name: "{{ promscale_postgresql_database }}"
db.user: "{{ promscale_postgresql_database }}"
db.password: {{ promscale_postgresql_password | to_json }}
web.listen-address: localhost:9201
cache.memory-target: {{ promscale_memory_limit | human_to_bytes }}
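Review bot: `db.password` is rendered through `to_json`, which yields a correctly escaped scalar, but `db.name` and `db.user` are wrapped in hand-written double quotes. A value containing `"` or `\` would then produce a broken or different config. Using the same filter on both lines, e.g. `db.name: {{ promscale_postgresql_database | to_json }}`, keeps the three lines consistent. `db.user` reuses `promscale_postgresql_database`; presumably the `postgres_db` role creates a role named after the database, and a one-line template comment saying so would help the next reader.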
{{ ansible_managed | comment }}
[Unit]
Description=TimescaleDB Promscale
Documentation=https://github.com/timescale/promscale
After=network.target
After=postgresql.target
[Service]
Type=simple
User=promscale
Group=promscale
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/promscale --config /etc/promscale/config.yml
Restart=always
WorkingDirectory=/etc/promscale
# Systemd hardening
CapabilityBoundingSet=
LimitNOFILE=65000
LockPersonality=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateUsers=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
ProtectProc=noaccess
ProtectSystem=strict
SystemCallFilter=@system-service
[Install]
WantedBy=multi-user.target
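Review bot: `After=postgresql.target` probably does not order anything. Debian's PostgreSQL packaging provides `postgresql.service` (plus `postgresql@.service` instances), and systemd ignores ordering against a unit name that does not exist, so `After=postgresql.service` is the likely intent. On the hardening block, `ProtectProc=`, `ProtectClock=`, `ProtectKernelLogs=` and `ProtectHostname=` were added in fairly recent systemd releases. An older systemd, such as the one I would expect in the `debian/buster64` molecule box, logs them as unknown and skips them, so it is worth running `systemd-analyze security promscale` on a real target to see what is actually enforced. `SystemCallArchitectures=native` would be a reasonable addition alongside `SystemCallFilter=@system-service`.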