Batch of fixes for old-style playbooks (#43)

- support storage expansion via the ydb_init role
- explicit owners and permissions for files and directories (to avoid failures on system with umask enforcement)
- self-signed TLS certificates get longer lifetime

group_vars/all.example

@@ -78,3 +78,7 @@ unified_agent_home: /opt/ydb/unified_agent
 ydb_congestion_setting: htcp
 # Optional module to load the congestion control algorithm
 ydb_congestion_module: tcp_htcp
+
+# Should only be defined when YDB cluster extension is performed.
+# Must not be defined during the initial cluster setup.
+# ydb_cluster_extension: true

roles/ydbd/tasks/main.yml

@@ -46,12 +46,20 @@
     state: present
 
 - name: Copy the thp-config.sh script
-  copy: src=thp-config.sh dest=/usr/local/bin/ydbd-thp-config.sh
+  copy:
+    src: thp-config.sh
+    dest: /usr/local/bin/ydbd-thp-config.sh
+    owner: root
+    group: bin
+    mode: '0755'
 
 - name: Generate the THP service files
   template:
     src: thp-service.j2
     dest: "/etc/systemd/system/ydb-hugepages.service"
+    owner: root
+    group: root
+    mode: '0644'
 
 - name: Refresh systemd services configuration
   ansible.builtin.systemd:
@@ -74,6 +82,9 @@
       template:
         src: network-modules.j2
         dest: /etc/modules-load.d/50-ydbd.conf
+        owner: root
+        group: root
+        mode: '0644'
     - name: Load the {{ ydb_congestion_module }} module
       command: "/sbin/modprobe {{ ydb_congestion_module }}"
   when: ydb_congestion_module is defined
@@ -82,10 +93,16 @@
   template:
     src: kernel-settings.j2
     dest: /etc/sysctl.d/50-ydbd.conf
+    owner: root
+    group: root
+    mode: '0644'
 
 - name: Refresh the current sysctl settings
   command: "/sbin/sysctl --system"
 
+- name: Create the YDB base directory
+  file: state=directory path={{ ydb_dir }} group=bin owner=root mode='0755'
+
 - name: Create the ydb group
   group: name=ydb system=true
 
@@ -101,26 +118,27 @@
     owner: ydb
 
 - name: Create the YDB release directory
-  file: state=directory path={{ ydb_dir }}/release group=bin owner=root mode='755'
+  file: state=directory path={{ ydb_dir }}/release group=bin owner=root mode='0755'
 
 - name: Create the YDB configuration directory
-  file: state=directory path={{ ydb_dir }}/cfg group=bin owner=root mode='755'
+  file: state=directory path={{ ydb_dir }}/cfg group=bin owner=root mode='0755'
 
 - name: Create the YDB audit base directory
-  file: state=directory path={{ ydb_dir }}/audit group=ydb owner=ydb mode='700'
+  file: state=directory path={{ ydb_dir }}/audit group=ydb owner=ydb mode='0700'
 
 - name: Create the YDB certs directory
-  file: state=directory path={{ ydb_dir }}/certs group=ydb owner=ydb mode='700'
+  file: state=directory path={{ ydb_dir }}/certs group=ydb owner=ydb mode='0700'
 
 - name: Create the YDB configuration backup directory
-  file: state=directory path={{ ydb_dir }}/reserve group=ydb owner=ydb mode='700'
+  file: state=directory path={{ ydb_dir }}/reserve group=ydb owner=ydb mode='0700'
 
 - name: Create the YDB server binary directory
   file: state=directory
         path="{{ ydb_dir }}/release/{{ ydb_version }}"
         recurse=true
         group=bin
         owner=root
+        mode='0755'
 
 - name: Install the YDB server binary package
   ansible.builtin.unarchive:
@@ -144,7 +162,7 @@
         force=yes
 
 - name: Create the YDB CLI default binary directory
-  file: state=directory path={{ ydb_dir }}/home/ydb/bin recurse=true group=ydb owner=ydb mode='700'
+  file: state=directory path={{ ydb_dir }}/home/ydb/bin recurse=true group=ydb owner=ydb mode='0700'
 
 - name: Disable YDB CLI version checks
-  copy: src=ydb-cli-config.json dest={{ ydb_dir }}/home/ydb/bin/config.json group=ydb owner=ydb
+  copy: src=ydb-cli-config.json dest={{ ydb_dir }}/home/ydb/bin/config.json group=ydb owner=ydb mode='0644'

roles/ydbd_config/tasks/main.yml

@@ -2,10 +2,10 @@
 # ydbd configuration
 
 - name: Add the configuration backup script
-  template: src=backup_config.j2 dest={{ ydb_dir }}/home/backup_config.sh mode='755'
+  template: src=backup_config.j2 dest={{ ydb_dir }}/home/backup_config.sh group=ydb owner=ydb mode='0755'
 
 - name: Add the configuration file updater script
-  template: src=update_config_file.j2 dest={{ ydb_dir }}/home/update_config_file.sh mode='755'
+  template: src=update_config_file.j2 dest={{ ydb_dir }}/home/update_config_file.sh group=ydb owner=ydb  mode='0755'
 
 # ydb_config_backup is passed via extra vars, generated as "date '+%Y-%m-%d_%H-%M-%S'"
 - name: Backup the existing configuration files

roles/ydbd_dynamic/tasks/main.yml

@@ -1,17 +1,38 @@
 ---
 # ydbd dynamic node deployment
 
-- name: Create the dynamic node startup script
-  template: src=wait_dynamic.j2 dest={{ ydb_dir }}/home/wait_dynamic.sh mode='755'
+- name: Create the YDB audit base directory
+  file:
+    state: directory
+    path: "{{ ydb_dir }}/audit"
+    group: ydb
+    owner: ydb
+    mode: '0700'
 
 - name: Create the YDB audit directories for database nodes
-  file: state=directory path={{ ydb_dir }}/audit/{{ ydb_dbname }}-{{ item.instance }} group=ydb owner=ydb mode='700'
+  file:
+    state: directory
+    path: "{{ ydb_dir }}/audit/{{ ydb_dbname }}-{{ item.instance }}"
+    group: ydb
+    owner: ydb
+    mode: '0700'
   loop: "{{ ydb_dynnodes }}"
 
+- name: Create the dynamic node startup wait script
+  template:
+    src: wait_dynamic.j2
+    dest: "{{ ydb_dir }}/home/wait_dynamic.sh"
+    group: ydb
+    owner: ydb
+    mode: '0755'
+
 - name: Generate the dynamic node service files
   template:
     src: dynnode-service.j2
     dest: "/etc/systemd/system/ydbd-{{ ydb_dbname }}-{{ item.instance }}.service"
+    owner: root
+    group: root
+    mode: '0644'
   loop: "{{ ydb_dynnodes }}"
 
 - name: Refresh systemd services configuration
@@ -25,7 +46,12 @@
   loop: "{{ ydb_dynnodes }}"
 
 - name: Transfer the secrets
-  copy: src=secret dest={{ ydb_dir }}/certs/secret
+  copy:
+    src: secret
+    dest: "{{ ydb_dir }}/certs/secret"
+    group: ydb
+    owner: ydb
+    mode: '0700'
 
 - name: Wait for the dynamic nodes availability
   command: "{{ ydb_dir }}/home/wait_dynamic.sh {{ inventory_hostname }} {{ 2136 + item.offset }} {{ ydb_dbname }}"

roles/ydbd_init/tasks/main.yml

@@ -1,6 +1,14 @@
 ---
 # ydbd storage initialization
 
+- name: Add the disk formatting script
+  template:
+    src: safe_format.j2
+    dest: "{{ ydb_dir }}/home/safe_format.sh"
+    group: ydb
+    owner: ydb
+    mode: '0755'
+
 - name: Execute disk formatting
   command: "{{ ydb_dir }}/home/safe_format.sh {{ item['name'] }} {{ item['label'] }}"
   with_items: "{{ ydb_disks }}"
@@ -11,6 +19,20 @@
     name: ydbd-storage
   any_errors_fatal: true
 
+- name: Cleanup the secrets
+  file:
+    path: "{{ ydb_dir }}/certs/secret"
+    state: absent
+
+- name: Transfer the secrets
+  copy:
+    src: secret
+    dest: "{{ ydb_dir }}/certs/secret"
+    group: ydb
+    owner: ydb
+    mode: '0700'
+  when: ydb_cluster_extension is defined
+
 - name: Wait for storage node startup
   command: "{{ ydb_dir }}/home/wait_initial.sh {{ inventory_hostname }}"
   become: true
@@ -19,6 +41,21 @@
 
 - name: Initial YDB cluster setup
   block:
+    - name: Add the storage initialization script
+      template:
+        src: init_storage.j2
+        dest: "{{ ydb_dir }}/home/init_storage.sh"
+        group: ydb
+        owner: ydb
+        mode: '0755'
+    - name: Add the password initialization script
+      template:
+        src: init_password.j2
+        dest: "{{ ydb_dir }}/home/init_password.sh"
+        group: ydb
+        owner: ydb
+        mode: '0755'
+      when: ydb_cluster_extension is undefined
     - name: Initialize the YDB storage
       command: "{{ ydb_dir }}/home/init_storage.sh {{ inventory_hostname }}"
       become: true
@@ -28,11 +65,18 @@
       become: true
       become_user: ydb
     - name: Transfer the secrets
-      copy: src=secret dest={{ ydb_dir }}/certs/secret
+      copy:
+        src: secret
+        dest: "{{ ydb_dir }}/certs/secret"
+        group: ydb
+        owner: ydb
+        mode: '0700'
+      when: ydb_cluster_extension is undefined
     - name: Set the initial cluster password
       command: "{{ ydb_dir }}/home/init_password.sh {{ inventory_hostname }}"
       become: true
       become_user: ydb
+      when: ydb_cluster_extension is undefined
   run_once: true
 
 - name: Cleanup the transferred secrets

roles/ydbd_newdb/tasks/main.yml

@@ -3,10 +3,22 @@
 
 - name: YDB database creation
   block:
+    - name: Add the database creation script
+      template:
+        src: create_database.j2
+        dest: "{{ ydb_dir }}/home/create_database.sh"
+        group: ydb
+        owner: ydb
+        mode: '0755'
     - name: Transfer the secrets
-      copy: src=secret dest={{ ydb_dir }}/certs/secret
+      copy:
+        src: secret
+        dest: "{{ ydb_dir }}/certs/secret"
+        group: ydb
+        owner: ydb
+        mode: '0700'
     - name: Run the database creation script
-      command: "{{ ydb_dir }}/home/create_database.sh {{ inventory_hostname }} {{ ydb_dbname }} {{ ydb_default_groups }}"
+      command: "{{ ydb_dir }}/home/create_database.sh {{ inventory_hostname }} {{ ydb_dbname }} {{ ydb_pool_kind }} {{ ydb_default_groups }}"
       become: true
       become_user: ydb
     - name: Cleanup the transferred secrets

roles/ydbd_static/templates/create_database.j2 → roles/ydbd_newdb/templates/create_database.j2

@@ -3,19 +3,20 @@
 # Parameters:
 # * static node fqdn
 # * database name
+# * storage pool name
 # * initial number of storage groups
 
 set +e
 set +u
 
 DB_ENDPOINT=grpcs://"$1":2135
 DB_DOMAIN=/{{ ydb_domain }}
-DB_POOL={{ ydb_pool_kind }}
 CAFILE={{ ydb_dir }}/certs/ca.crt
 TOKEN={{ ydb_dir }}/home/ydbd-token-file
 PASSFILE={{ ydb_dir }}/certs/secret
 DB_NAME="$2"
-DB_GROUPS="$3"
+DB_POOL="$3"
+DB_GROUPS="$4"
 
 LD_LIBRARY_PATH={{ ydb_dir }}/lib
 export LD_LIBRARY_PATH

roles/ydbd_rolling_dynamic/tasks/restart_dynamic.yml

@@ -12,7 +12,12 @@
   any_errors_fatal: true
 
 - name: Transfer the secrets to {{ dynnode_name }}
-  copy: src=secret dest={{ ydb_dir }}/certs/secret
+  copy:
+    src: secret
+    dest: "{{ ydb_dir }}/certs/secret"
+    group: ydb
+    owner: ydb
+    mode: '0700'
   delegate_to: "{{ dynnode_name }}"
   delegate_facts: true
   any_errors_fatal: true

roles/ydbd_rolling_static/tasks/restart_static.yml

@@ -10,7 +10,12 @@
   any_errors_fatal: true
 
 - name: Transfer the secrets
-  copy: src=secret dest={{ ydb_dir }}/certs/secret
+  copy:
+    src: secret
+    dest: "{{ ydb_dir }}/certs/secret"
+    group: ydb
+    owner: ydb
+    mode: '0700'
   delegate_to: "{{ snode_name }}"
   delegate_facts: true
   any_errors_fatal: true

roles/ydbd_static/tasks/main.yml

@@ -1,31 +1,45 @@
 ---
 # ydbd static node deployment
 
-- name: Create the YDB audit directory for the storage node
-  file: state=directory path={{ ydb_dir }}/audit/storage group=ydb owner=ydb mode='700'
-
-- name: Generate the static node service files
-  template:
-    src: static-service.j2
-    dest: "/etc/systemd/system/ydbd-storage.service"
+- name: Create the YDB audit base directory
+  file:
+    state: directory
+    path: "{{ ydb_dir }}/audit"
+    group: ydb
+    owner: ydb
+    mode: '0700'
 
-- name: Add the disk formatting script
-  template: src=safe_format.j2 dest={{ ydb_dir }}/home/safe_format.sh mode='755'
+- name: Create the YDB audit directory for the storage node
+  file:
+    state: directory
+    path: "{{ ydb_dir }}/audit/storage"
+    group: ydb
+    owner: ydb
+    mode: '0700'
 
 - name: Add the static node startup wait script
-  template: src=wait_initial.j2 dest={{ ydb_dir }}/home/wait_initial.sh mode='755'
+  template:
+    src: wait_initial.j2
+    dest: "{{ ydb_dir }}/home/wait_initial.sh"
+    group: ydb
+    owner: ydb
+    mode: '0755'
 
 - name: Add the storage recovery wait script
-  template: src=wait_normal.j2 dest={{ ydb_dir }}/home/wait_normal.sh mode='755'
-
-- name: Add the storage initialization script
-  template: src=init_storage.j2 dest={{ ydb_dir }}/home/init_storage.sh mode='755'
-
-- name: Add the password initialization script
-  template: src=init_password.j2 dest={{ ydb_dir }}/home/init_password.sh mode='755'
+  template:
+    src: wait_normal.j2
+    dest: "{{ ydb_dir }}/home/wait_normal.sh"
+    group: ydb
+    owner: ydb
+    mode: '0755'
 
-- name: Add the database creation script
-  template: src=create_database.j2 dest={{ ydb_dir }}/home/create_database.sh mode='755'
+- name: Generate the static node service files
+  template:
+    src: static-service.j2
+    dest: "/etc/systemd/system/ydbd-storage.service"
+    group: root
+    owner: root
+    mode: '0644'
 
 - name: Refresh systemd services configuration
   ansible.builtin.systemd: