Update to 2021-12-01 19:13

2025-07-27 00:05:44 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/backup/defaults/main.yml
+++ b/roles/backup/defaults/main.yml
@@ -0,0 +1,36 @@
+---
+
+# The shell of the lbkp account
+backup_shell: '/bin/bash'
+
+# List of commands lbkp will be allowed to run as root, with sudo
+backup_sudo_base_commands:
+  - /usr/bin/rsync
+  - /usr/local/bin/pre-backup
+  - /usr/local/bin/post-backup
+  - /bin/tar
+  - /bin/gtar
+backup_sudo_extra_commands: []
+backup_sudo_commands: "{{ backup_sudo_base_commands + backup_sudo_extra_commands }}"
+
+# List of ssh public keys to deploy
+backup_ssh_keys: []
+
+# Options to set for the ssh keys, to restrict what they can do
+backup_ssh_keys_options:
+  - no-X11-forwarding
+  - no-agent-forwarding
+  - no-pty
+
+# List of IP address allowed to use the ssh keys
+# Empty list means no restriction
+backup_src_ip: []
+
+# Custom pre / post script
+backup_pre_script: |
+  #!/bin/bash -e
+  # Nothing to do
+backup_post_script: |
+  #!/bin/bash -e
+  # Nothing to do
+...
--- a/roles/backup/files/dump-megaraid-cfg
+++ b/roles/backup/files/dump-megaraid-cfg
@@ -0,0 +1,57 @@
+#!/usr/bin/perl -w
+
+# This script will backup the config of MegaRAID based
+# RAID controllers. The saved config can be restored with
+# MegaCli -CfgRestore -f /home/lbkp/mega_0.bin for example
+# It also create a backup of the config as text, so you can
+# manually check how things were configured at a certain point in time
+
+# If MegaCli is not installed, then the script does nothing
+
+use strict;
+
+my $megacli = undef;
+
+if (-x '/opt/MegaRAID/MegaCli/MegaCli64'){
+  $megacli = '/opt/MegaRAID/MegaCli/MegaCli64';
+} elsif (-x '/opt/MegaRAID/MegaCli/MegaCli'){
+  $megacli = '/opt/MegaRAID/MegaCli/MegaCli';
+}
+
+if (!$megacli){
+  print "MegaCli not installed, nothing to do\n";
+  exit 0;
+}
+
+my $adapters = 0;
+foreach (qx($megacli -adpCount -NoLog)) {
+  if ( m/Controller Count:\s*(\d+)/ ) {
+    $adapters = $1;
+    last;
+  }
+}
+
+foreach my $adp (0..$adapters-1){
+  my $hba = 0;
+  my $failgrouplist = 0;
+  foreach my $line (qx($megacli -CfgDsply -a$adp -NoLog)) {
+    if ( $line =~ m/Failed to get Disk Group list/ ) {
+      $failgrouplist = 1;
+    } elsif ( $line =~ m/Product Name:.*(JBOD|HBA)/ ) {
+      $hba = 1;
+    }
+  }
+  # Skip adapter if in HBA mode
+  next if ($hba && $failgrouplist);
+
+  # Save the config in binary format
+  print "Saving config for adapter $adp\n";
+  qx($megacli -CfgSave -f /home/lbkp/megaraid/cfg_$adp.bin -a$adp -NoLog);
+  die "Failed to backup conf for adapter $adp\n" unless ($? == 0);
+
+  # Now also save in text representation
+  open TXT, ">/home/lbkp/megaraid/cfg_$adp.txt";
+  print TXT foreach qx($megacli -CfgDsply -a$adp -NoLog);
+  die "Failed to backup Cfg text description for adapter $adp\n" unless ($? == 0);
+  close TXT;
+}
--- a/roles/backup/files/dump-rpms-list
+++ b/roles/backup/files/dump-rpms-list
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/bin/rpm -qa --qf "%{NAME}\t%{VERSION}\t%{RELEASE}\n" | grep -v gpg-pubkey | sort > /home/lbkp/rpms.list
--- a/roles/backup/files/post-backup
+++ b/roles/backup/files/post-backup
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [ -d "/etc/backup/post.d" ]; then
+  for H in $(find /etc/backup/post.d -type f -o -type l | sort); do
+    if [ -x $H ]; then
+      echo "Running hook $H"
+      $H "$@"
+      echo "Finished hook $H"
+    else
+      echo "Skiping hook $H as it's not executable"
+    fi
+  done
+fi
+# Remove the lock
+rm -f /var/lock/bkp.lock
--- a/roles/backup/files/pre-backup
+++ b/roles/backup/files/pre-backup
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+# 2 locks are needed. The first one ensure we don't run
+# The pre-backup script twice. It's an atomic lock.
+# Then we need a second lock which will last until the post-backup ran
+# This one doesn't need to be atomic (as we already checked this)
+PRELOCKFILE="/var/lock/pre-bkp.lock"
+exec 200>$PRELOCKFILE
+flock -n 200 || ( echo "Couldn't aquire pre-backup lock" && exit 1 )
+PID=$$
+echo $PID 1>&200
+
+if [ -e /var/lock/bkp.lock ]; then
+  # Consider the lock to be stale if it's older than 8 hours
+  if [ "$(( $(date +"%s") - $(stat -c "%Y" /var/lock/bkp.lock) ))" -gt "28800" ]; then
+    rm /var/lock/bkp.lock
+  else
+    echo "Another backup is running"
+    exit 1
+  fi
+fi
+touch /var/lock/bkp.lock
+if [ -d "/etc/backup/pre.d" ]; then
+  for H in $(find /etc/backup/pre.d -type f -o -type l | sort); do
+    if [ -x $H ]; then
+      echo "Running hook $H"
+      $H "$@"
+      echo "Finished hook $H"
+    else
+      echo "Skiping hook $H as it's not executable"
+    fi
+  done
+fi
--- a/roles/backup/files/rm-megaraid-cfg
+++ b/roles/backup/files/rm-megaraid-cfg
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f /home/lbkp/megaraid/*
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
@@ -0,0 +1,94 @@
+---
+
+- name: Install backup tools
+  yum: name=rsync
+  when: ansible_os_family == 'RedHat'
+
+- name: Install backup tools
+  apt: name=rsync
+  when: ansible_os_family == 'Debian'
+
+- name: Create a local backup user account
+  user: name=lbkp comment="Local backup account" system=yes shell={{ backup_shell }}
+  tags: backup
+
+- name: Deploy sudo configuration
+  template: src=sudo.j2 dest=/etc/sudoers.d/backup mode=400
+  tags: backup
+
+- name: Deploy SSH keys for the backup account
+  authorized_key:
+    user: lbkp
+    key: "{{ backup_ssh_keys | join(\"\n\") }}"
+    key_options: "{{ backup_ssh_keys_options | join(',') }}"
+    exclusive: yes
+  when: backup_src_ip is not defined or backup_src_ip | length < 1
+  tags: backup
+
+- name: Deploy SSH keys for the backup account (with source IP restriction)
+  authorized_key:
+    user: lbkp
+    key: "{{ backup_ssh_keys | join(\"\n\") }}"
+    key_options: "from=\"{{ backup_src_ip | join(',') }}\",{{ backup_ssh_keys_options | join(',') }}"
+    exclusive: yes
+  when:
+    - backup_src_ip is defined
+    - backup_src_ip | length > 0
+  tags: backup
+
+- name: Create pre and post backup hook dir
+  file: path={{ item }} state=directory mode=750
+  with_items:
+    - /etc/backup/pre.d
+    - /etc/backup/post.d
+  tags: backup
+
+- name: Deploy default pre/post backup hooks
+  copy:
+    content: "{{ item.content }}"
+    dest: /etc/backup/{{ item.type }}.d/default
+    mode: 0755
+  loop:
+    - type: pre
+      content: "{{ backup_pre_script }}"
+    - type: post
+      content: "{{ backup_post_script }}"
+  tags: backup
+
+- name: Copy pre-backup script
+  copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=750 group=lbkp
+  with_items:
+    - pre-backup
+    - post-backup
+  tags: backup
+
+- name: Deploy rpm dump list script
+  copy: src=dump-rpms-list dest=/etc/backup/pre.d/dump-rpms-list mode=755
+  when: ansible_os_family == 'RedHat'
+  tags: backup
+
+- name: Create megaraid dump dir
+  file: path=/home/lbkp/megaraid state=directory
+  tags: backup
+
+- name: Deploy MegaCli backup scripts
+  copy: src={{ item.script }} dest=/etc/backup/{{ item.type }}.d/{{ item.script }} mode=750
+  with_items:
+    - script: dump-megaraid-cfg
+      type: pre
+    - script: rm-megaraid-cfg
+      type: post
+  when: lsi_controllers | default([]) | length > 0
+  tags: backup
+
+- name: Excludes for proxmox backup client
+  copy:
+    dest: /.pxarexclude
+    content: |
+      var/log/lastlog
+  when:
+    - ansible_virtualization_role == 'guest'
+    - ansible_virtualization_type == 'lxc' or ansible_virtualization_type == 'systemd-nspawn'
+  tags: backup
+
+...
--- a/roles/backup/templates/sudo.j2
+++ b/roles/backup/templates/sudo.j2
@@ -0,0 +1,2 @@
+Defaults:lbkp !requiretty
+lbkp ALL=(root) NOPASSWD: {{ backup_sudo_commands | join(',') }}