Version initial du 2020/09/10

configure-host-oel6/tasks/creation_repertoire.yml

@@ -0,0 +1,24 @@
+---
+# création des répertoires Oracle
+#
+# exemple :
+# oracle_racine         /u01/app
+# oracle_base           /u01/app/oracle
+# oracle_home           /u01/app/oracle/12.1.0.2.dbhome_1
+# grid_home             /u01/app/12.1.0.2/grid
+# stage                 /u01/stage
+#
+
+  - name: Création du répertoire stage
+    file: dest={{ oracle_stage }} mode=775 owner={{ oracle_user }} group={{ oracle_group }} state=directory
+    tags: directoriesdb
+
+  - name: Création du répertoire ORACLE_BASE
+    file: dest={{ oracle_base }} mode=775 owner={{ oracle_user }} group={{ oracle_group }} state=directory
+    tags: directoriesdb
+
+  - name: Création du répertoire ORACLE_HOME
+    file: dest={{ oracle_home }} mode=775 owner={{ oracle_user }} group={{ oracle_group }} state=directory
+    with_items: oracle_databases
+    tags: directoriesdb
+

configure-host-oel6/tasks/grub_configuration.yml

@@ -0,0 +1,38 @@
+---
+  # --------------------------------------------------- 
+  # configuration Linux : grub
+  # ---------------------------------------------------
+  - name: Désactivation de Transparent Hugepages 1/2 (dans grub.conf)
+    shell: grubby --grub2 --remove-args=transparent_hugepage --update-kernel=ALL
+    tags: tphp
+
+  - name: Désactivation de Transparent Hugepages 2/2 (dans grub.conf)
+    shell: grubby --grub2 --args=transparent_hugepage=never --update-kernel=ALL
+    tags: tphp
+
+  - name: Désactivation de Numa 1/2 (dans grub.conf)
+    shell: grubby --grub2 --remove-args=numa --update-kernel=ALL
+    tags: numa
+
+  - name: Désactivation de Numa 2/2 (dans grub.conf)
+    shell: grubby --grub2 --args=numa=off --update-kernel=ALL
+    tags: numa
+
+  - name: Activation DeadLine 1/2 (dans grub.conf)
+    shell: grubby --grub2 --remove-args=elevator --update-kernel=ALL
+    tags: deadline
+
+  - name: Activation DeadLine 2/2 (dans grub.conf)
+    shell: grubby --grub2 --args=elevator=deadline --update-kernel=ALL
+    tags: deadline
+
+  - name: Suppression de rhgb de /etc/grub.conf
+    shell: grubby --grub2 --remove-args=rhgb --update-kernel=ALL
+    tags: rhgb
+
+  - name: Suppression de quiet de /etc/grub.conf
+    shell: grubby --grub2 --remove-args=quiet --update-kernel=ALL
+    tags: quiet
+
+  - name: Configuration du mode 3 comme mode de démarrage par défaut
+    replace: dest=/etc/inittab regexp='id:5:initdefault:' replace='id:3:initdefault:'

configure-host-oel6/tasks/kernel_configuration.yml

@@ -0,0 +1,40 @@
+---
+  # --------------------------------------------------- 
+  # configuration Linux : Paramètres du kernel
+  # ---------------------------------------------------
+  - name: Ajustement des paramètres du Kernel
+    sysctl: name={{ item.name }} value="{{ item.value }}" state=present reload=yes ignoreerrors=yes
+    with_items: 
+      - { name: kernel.shmall, value: "{{ ((0.4 * ansible_memtotal_mb)*1024)|round|int  }}" }
+      - { name: kernel.shmmax, value: "{{ ((0.5 * ansible_memtotal_mb)*1024)|round|int  }}" }
+      - { name: kernel.shmmni, value: 4096 }
+      - { name: kernel.sem, value: "250 32000 100 128" }
+      - { name: fs.file-max, value: 6815744 }
+      - { name: fs.aio-max-nr, value: 1048576 }
+      - { name: net.ipv4.ip_local_port_range, value: "9000 65500" }
+      - { name: net.core.rmem_default, value: 262144 }
+      - { name: net.core.rmem_max, value: 4194304 }
+      - { name: net.core.wmem_default, value: 262144 }
+      - { name: net.core.wmem_max, value: 1048576 }
+      - { name: vm.nr_hugepages, value: "{{ (((percent_hugepages/100) * ansible_memtotal_mb)/2)|round|int  }}" }
+    tags: sysconfig
+  
+  - name: Configuration PAM
+    lineinfile: dest=/etc/pam.d/login state=present line="session required pam_limits.so"
+    tags: pamconfig
+  
+  - name: Ajustement des limits pour Oracle
+    lineinfile: dest=/etc/security/limits.conf state=present line="{{ item }}"
+    with_items:
+      - "* soft nproc 2047"
+      - "* hard nproc 16384"
+      - "* soft nofile 1024"
+      - "* hard nofile 65536"
+      - "* soft memlock {{ ((0.9 * ansible_memtotal_mb)*1024)|round|int }}"
+      - "* hard memlock {{ ((0.9 * ansible_memtotal_mb)*1024)|round|int }}"
+      - "* soft stack 10240"
+      - "* hard stack 32768"
+      - "* soft core  unlimited"
+      - "* hard core  unlimited"
+    tags: seclimit
+  

configure-host-oel6/tasks/main.yml

@@ -0,0 +1,127 @@
+# Common playbook - configuratiom du serveur pour l'installation d'Oracle
+---
+
+  - name: Vérification de la distribution, la version et le kernel
+    assert:
+      that: ansible_distribution_major_version == '6' and ansible_os_family == 'RedHat' and ansible_kernel >= '2.6.32'
+    tags: oscheck
+
+
+  # --------------------------------------------------- 
+  # configuration des packages necessaires pour Linux
+  # ---------------------------------------------------
+  - include: os_configuration.yml
+
+  # --------------------------------------------------- 
+  # configuration réseau
+  # ---------------------------------------------------
+  - include: network_configuration.yml
+
+  # --------------------------------------------------- 
+  # configuration Linux : Utilisateurs et groupes
+  # ---------------------------------------------------
+  - include: users_configuration.yml 
+
+  # --------------------------------------------------- 
+  # configuration Linux : Paramètres du kernel
+  # ---------------------------------------------------
+  - include: kernel_configuration.yml
+
+  # --------------------------------------------------- 
+  # configuration Linux : grub
+  # ---------------------------------------------------
+  - include: grub_configuration.yml
+
+  # --------------------------------------------------- 
+  # configuration Linux : Personnalisation
+  # ---------------------------------------------------
+  - name: Ajout du fichier z_oracle dans /etc/profile.d
+    copy: src=z_oracle.sh dest=/etc/profile.d/z_oracle.sh owner=root mode=644
+    tags: z_oracle
+
+  # --------------------------------------------------- 
+  # configuration Linux : Sécurisation
+  # ---------------------------------------------------
+  - include: secure_configuration.yml
+
+  # --------------------------------------------------- 
+  # configuration des packages necessaires pour Oracle
+  # ---------------------------------------------------
+  - name: Installation des packages pour Oracle
+    yum: name={{ item }} state=installed
+    with_items: 
+      - bind-utils
+      - binutils
+      - btrfs-progs
+      - cloog-ppl
+      - compat-libcap1
+      - compat-libstdc++*i686
+      - compat-libstdc++-33
+      - cpp
+      - ethtool
+      - gcc
+      - gcc-c++
+      - glibc
+      - glibc*i686
+      - glibc-devel
+      - glibc-headers
+      - kernel-headers
+      - kmod-oracleasm
+      - ksh
+      - libaio
+      - libaio*i686
+      - libaio-devel
+      - libaio-devel*i686
+      - libgcc
+      - libselinux-python
+      - libstdc++
+      - libstdc++*i686
+      - libstdc++-devel
+      - libstdc++-devel*i686
+      - libtool-ltdl
+      - libX11
+      - libX11*i686
+      - libXau
+      - libXau*i686
+      - libxcb
+      - libxcb*i686
+      - libXext
+      - libXi
+      - libXp
+      - libXt
+      - libXtst
+      - make
+      - module-init-tools
+      - mpfr
+      - ncurses-devel
+      - ncurses-libs
+      - nfs-utils
+      - nscd
+      - ntp
+      - openssh-clients
+      - oracleasm-support
+      - parted
+      - ppl
+      - procps
+      - readline
+      - readline-devel
+      - sysstat
+      - twm
+      - unixODBC
+      - util-linux-ng
+      - vim-enhanced
+      - xdpyinfo
+      - xfsprogs
+      - xorg-x11-utils
+      - xorg-x11-xauth
+      - xorg-x11-xinit
+      - xsetroot
+      - xterm
+    when: install_os_packages and internet_connection
+    tags: os_packages
+
+  # --------------------------------------------------- 
+  # configuration Linux : Création des répertoires Oracle
+  # ---------------------------------------------------
+#  - include: creation_repertoire.yml
+

configure-host-oel6/tasks/network_configuration.yml

@@ -0,0 +1,32 @@
+---
+  # --------------------------------------------------- 
+  # configuration réseau
+  # ---------------------------------------------------
+  
+  - name: Vérification de l enregistrement DNS
+    command: nslookup {{ ansible_hostname }}
+    register: ns
+    ignore_errors: True
+    tags: etchosts
+  
+  - name: Ajout du host dans /etc/hosts si absent
+    lineinfile: dest=/etc/hosts regexp='.*{{ ansible_fqdn }}$' 
+                line="{{ ansible_default_ipv4.address }} {{ ansible_hostname }} {{ ansible_fqdn }}" 
+                state=present
+    # when: "'find {{ ansible_hostname }}: NXDOMAIN' in ns.stdout"
+    tags: etchosts
+  
+  - name: Modification resolv.conf pour ajouter attempts et timeout
+    lineinfile: dest=/etc/resolv.conf line="{{ item.line }}"
+    with_items:
+     - { line: "options attempts:2" }
+     - { line: "options timeout:1" }
+  
+  - name: Desactivation de IP v6
+    lineinfile: dest=/etc/sysconfig/network line="{{ item.line }}"
+    with_items:
+     - { line: "NETWORKING_IPV6=no" }
+     - { line: "IPV6INIT=no" }
+
+  - name: desactivation permanente
+    copy: src=desactivation_ipv6.conf dest=/etc/modprobe.d/desactivation_ipv6.conf

configure-host-oel6/tasks/os_configuration.yml

@@ -0,0 +1,120 @@
+---
+  # --------------------------------------------------- 
+  # configuration des packages necessaires pour Linux
+  # ---------------------------------------------------
+  - name: Installation du packet libselinux-python
+    yum: name="libselinux-python" state=installed
+
+  - name: Installation du RPM EPEL Repo
+    yum: name={{ epel_rpm }} state=installed
+    when: configure_epel_repo and internet_connection
+    tags: epelrepo
+
+  - name: Copie du fichier local EPEL Repo (pour remplacer https par http)
+    copy: src=epel.repo dest=/etc/yum.repos.d/epel.repo
+    tags: epelrepo
+
+  - name: Récupération du nouveau fichier repository pour OL6 (public-yum)
+    copy: src=public-yum-ol6.repo dest=/etc/yum.repos.d/public-yum-ol6.repo
+    tags: ol6repo
+
+  - name: Installation des packages communs pour Linux
+    yum: name={{ item }} state=installed
+    when: internet_connection
+    with_items: 
+      - bc
+      - bind-utils
+      - btrfs-progs
+      - cloog-ppl
+      - compat-libcap1
+      - ethtool
+      - expect
+      - git
+      - htop
+      - lvm2
+      - make
+      - module-init-tools
+      - mpfr
+      - multitail
+      - ncurses-devel
+      - ncurses-libs
+      - nfs-utils
+      - nscd
+      - nss-softokn-freebl
+      - ntp
+      - openssh-clients
+      - ppl
+      - procps
+      - readline
+      - rlwrap
+      - screen
+      - sysstat
+      - system-config-lvm
+      - tigervnc-server
+      - tree
+      - twm
+      - unzip
+      - wget
+      - vim
+      - xfsprogs
+    tags: commonpackages
+
+  - name: Configuratio du mode panic sur perte du /
+    shell: free_form="tune2fs -e panic `df -P / |tail -1 | awk '{print $1}'`"
+
+  - name: Configuratio du mode panic sur bug du kernel
+    sysctl: name=kernel.panic_on_oops value=1 state=present reload=yes ignoreerrors=yes
+
+  # --------------------------------------------------- 
+  # configuration du serveur NTPD
+  # ---------------------------------------------------
+  - name: Modification de la configuration NTP configuration (ajout du flag -x)
+    lineinfile: dest=/etc/sysconfig/ntpd
+              regexp='^OPTIONS='
+              line='OPTIONS="-x -u ntp:ntp -p /var/run/ntpd.pid -g"'
+              state=present
+              create=yes
+
+  - name: restart ntpd
+    service: name=ntpd  state=started  enabled=yes
+ 
+  # --------------------------------------------------- 
+  # configuration Linux : Selinux
+  # ---------------------------------------------------
+  - name: Disactiver Selinux (de façon permanente)
+    selinux: state=disabled
+    when: disable_selinux
+    tags: selinux
+    register: selinux
+  
+  - name: Disactiver Selinux (runtime)
+    shell: setenforce 0
+    when: disable_selinux
+    tags: selinux
+    ignore_errors: true
+ 
+  # --------------------------------------------------- 
+  # configuration Linux : les services
+  # ---------------------------------------------------
+  - name: arrêter et désactiver les services inutils
+    with_items:
+      - bluetooth
+      - cups
+      - gpm
+      - hidd
+      - hplip
+      - isdn
+      - sendmail
+      - smartd
+      - avahi-daemon
+      - NetworkManager
+      - rhnsd
+      - firstboot
+      - chronyd
+      - ip6tables
+      - iptables
+      - firewalld
+    service: name={{ item }}  state=stopped  enabled=no
+    tags: linuxservices
+    ignore_errors: true
+  

configure-host-oel6/tasks/secure_configuration.yml

@@ -0,0 +1,34 @@
+---
+  # --------------------------------------------------- 
+  # configuration Linux : Sécurisation
+  # ---------------------------------------------------
+  - name: Ajout du soft reboot
+    lineinfile: dest=/etc/rc.local state=present line='/sbin/ctrlaltdel soft'
+    tags: softreboot
+  
+  - name: Sécurisation du vidage mémoire
+    copy: src="00-vidage.conf" dest="/etc/security/limits.d/00-vidage.conf"
+  
+  - name: Application des paramètres de configuration sécurisée
+    sysctl: name="{{ item.name }}" value="{{ item.value }}" state=present reload=yes ignoreerrors=yes
+    when: secure_configuration
+    with_items: 
+      - { name: net.ipv4.conf.all.accept_redirects, value: 0 }
+      - { name: net.ipv4.conf.default.accept_redirects, value: 0 }
+      - { name: net.ipv4.conf.all.secure_redirects, value: 0 }
+      - { name: net.ipv4.conf.default.secure_redirects, value: 0 }
+      - { name: net.ipv4.ip_forward, value: 0 }
+      - { name: net.ipv6.conf.all.accept_redirects, value: 0 } 
+      - { name: net.ipv6.conf.default.accept_redirects, value: 0 }
+      - { name: net.ipv4.conf.default.accept_source_route, value: 0 } 
+      - { name: net.ipv4.conf.all.accept_source_route, value: 0 }
+      - { name: net.ipv6.conf.default.accept_source_route, value: 0 } 
+      - { name: net.ipv6.conf.all.accept_source_route, value: 0 }
+      - { name: net.ipv4.conf.all.log_martians, value: 1 } 
+      - { name: net.ipv4.conf.default.log_martians, value: 1 }
+      - { name: net.ipv4.icmp_echo_ignore_broadcasts, value: 1 }
+      - { name: net.ipv4.icmp_ignore_bogus_error_responses, value: 1 }
+      - { name: net.ipv6.conf.all.accept_ra, value: 0 } 
+      - { name: net.ipv6.conf.default.accept_ra, value: 0 }
+    tags: secure_config
+  

configure-host-oel6/tasks/users_configuration.yml

@@ -0,0 +1,34 @@
+---
+  # --------------------------------------------------- 
+  # configuration Linux : Utilisateurs et groupes
+  # ---------------------------------------------------
+ 
+  - name: Création des groupes
+    group: name={{ item.group }} gid={{ item.gid }} state=present
+    with_items:
+      - { group: asmdba, gid: 1004 }
+      - { group: asmoper, gid: 1005 }
+      - { group: asmadmin, gid: 1003 }
+      - { group: oinstall, gid: 1000}
+      - { group: dba, gid: 1001 }
+      - { group: backupdba, gid: 1006 }
+      - { group: oper, gid: 1002 }
+      - { group: dgdba, gid: 1007 }
+      - { group: kmdba, gid: 1008 }
+    tags: group
+
+  - name: Création du compte Oracle
+    user: name={{ item.username }}  group={{ item.primgroup }} groups={{ item.othergroups }} uid={{ item.uid }} generate_ssh_key=yes append=yes state=present password={{ item.passwd }}
+    with_items:
+     - { username: oracle, uid: 1001, primgroup: oinstall, othergroups: "dba,asmdba,backupdba,dgdba,kmdba,oper", passwd: "$6$0xHoAXXF$K75HKb64Hcb/CEcr3YEj2LGERi/U2moJgsCK.ztGxLsKoaXc4UBiNZPL0hlxB5ng6GL.gyipfQOOXplzcdgvD0" }
+     - { username: grid, uid: 1000, primgroup: oinstall, othergroups: "asmadmin,asmdba,asmoper,dba", passwd: "$6$0xHoAXXF$K75HKb64Hcb/CEcr3YEj2LGERi/U2moJgsCK.ztGxLsKoaXc4UBiNZPL0hlxB5ng6GL.gyipfQOOXplzcdgvD0" }
+    tags: user
+
+  - name: Ajout du compte oracle et grid au sudoers
+    template: src=sudoers.j2 dest=/etc/sudoers.d/{{ item }} owner=root mode=0600
+    with_items:
+      - oracle
+      - grid
+    when: configure_oracle_sudo
+    tags: sudoadd
+