Getting started
debops.mariadb
role is only the "client" part. To have working a
MariaDB/MySQL installation, you also need to setup debops.mariadb_server
role somewhere. It can be either on the same host, or on a separate host.
See the debops.mariadb_server
documentation to learn how to install the
database server itself.
Server configuration
The role supports different modes of operation, depending on the presence of a MariaDB or MySQL server installed locally or not, or presence of a tunneled connection to a remote server.
Local database server
If the database server is installed locally, it will be automatically detected
and used by the debops.mariadb
role without any additional configuration. Also,
if a remote server was used previously, and a local one was installed, it will
automatically override the remote configuration. You might need to recreate the
databases and user accounts in that case.
Remote database server
If your MariaDB server is configured on a remote host and you don't have
a local installation, debops.mariadb
will detect that and won't manage the
databases/user accounts without a server specified. To point it to a server,
you need to set a variable in the inventory:
mariadb__server: 'db.example.org'
This needs to be a FQDN address or an IP address of a host with MariaDB server installed. This host will be accessed by Ansible using task delegation, so it needs to be accessible and managed by Ansible. Currently only 1 server at a time is supported by the role.
If debops.pki role is used to configure a PKI environment, with default
domain
PKI realm enabled, role will configure the provided private keys and
X.509 certificates to enable SSL connections to the database by default.
Support for client-side X.509 authentication will depend on a given user having
access to the PKI private keys - see the documentation of debops.pki role
for more details.
If the PKI environment is not configured or disabled, connections to the
database server will be performed in cleartext, so you might want to consider
securing them by configuring server on a separate internal network, or
accessing it over a VPN connection. You can use debops.subnetwork
,
debops.tinc and debops.dnsmasq Ansible roles to set up a VPN internal
network to secure communication between hosts.
Remote database server over a SSL tunnel
If local MariaDB installation is not detected, but port 3306
is active and
awaiting connections, debops.mariadb
role assumes that MariaDB server is
accessible over a VPN connection. In this case you need to specify the remote
host in inventory for Ansible to delegate its tasks:
mariadb__server: 'db.example.org'
User accounts will automatically be configured with localhost
as the "host"
part of the account.
If you want to use tunneled connection to a MariaDB server, you can use debops.stunnel Ansible role to configure a SSL tunnel, although it might be more complex than using a VPN network.
Example inventory
To enable MariaDB client support on a host, you need to add that host to
[debops_service_mariadb]
Ansible group:
[debops_service_mariadb]
hostname
When MariaDB server is properly configured, or installed locally, you can create user accounts and databases using inventory variables:
mariadb__databases:
- name: 'application_production'
mariadb__users:
- name: 'application'
owner: 'application'
Above set of variables will create local system UNIX account application
if
it doesn't already exist, with a supplementary UNIX group of the same name,
grant all privileges to application.*
and application\_%.*
databases,
create a ~/.my.cnf
configuration file with database credentials and
finally, create a database application_production
on the database server.
Example playbook
Here's an example Ansible playbook that uses the debops.mariadb
role:
---
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debops_service_mariadb' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
keyring__dependent_apt_keys:
- '{{ mariadb__keyring__dependent_apt_keys }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
python__dependent_packages3:
- '{{ mariadb__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb__python__dependent_packages2 }}'
- role: mariadb
tags: [ 'role::mariadb', 'skip::mariadb' ]
Usage as a role dependency
debops.mariadb
role can be used by another Ansible role as a dependency.
The easiest way to do so is to have a separate set of variables for an user
account, group, home directory, and MariaDB user. debops.mariadb
will the
create MariaDB user account, as wall as local UNIX account with
a ~/.my.cnf
configuration file as needed.
Database creation is best left for the application role, since then you can use the state change to perform other actions, like importing or initializing the database. See the next section for details.
Example usage as a role dependency:
dependencies:
- role: debops.mariadb
mariadb__dependent_users:
- user: '{{ application__database_user }}'
database: '{{ application__database_name }}'
owner: '{{ application__user }}'
group: '{{ application__group }}'
home: '{{ application__home }}'
system: True
priv_aux: False
Password to the database user account can either be retrieved directly from the
secret/
directory by the application role using debops.secret role, or
set by the application role and provided as:
mariadb__dependent_users:
- user: '{{ application__database_user }}'
password: '{{ application__database_password }}'
In that case it's best to use debops.secret role to store the password securely in a separate directory.
Local Ansible facts, custom tasks
Role creates a set of local Ansible facts which can be used by other roles to create database management tasks that work both with local and remote MariaDB servers. These facts are:
ansible_local.mariadb.client
ansible_local.mariadb.delegate_to
ansible_local.mariadb.host
ansible_local.mariadb.port
ansible_local.mariadb.server
These variables can be used in Ansible tasks to provide correct values pointing to the correct MariaDB server. An example set of tasks to create user account and database:
- name: Create database user
mysql_user:
name: '{{ application__database_user }}'
host: '{{ ansible_local.mariadb.host }}'
password: '{{ application__database_password }}'
priv: '{{ application__database_name }}.*:ALL'
state: 'present'
delegate_to: '{{ ansible_local.mariadb.delegate_to }}'
- name: Create application database
mysql_db:
name: '{{ application__database_name }}'
state: 'present'
delegate_to: '{{ ansible_local.mariadb.delegate_to }}'
register: application__register_database