fix rman catalog support in oradb_rman

Author: bartowl

changelogs/fragments/278-oradb_rman-catalog.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - 'fixed/fully implemented rman catalog support in oradb_rman (#278)'

roles/oradb_rman/README.md

@@ -69,9 +69,17 @@ Cronjobs are only created when day, weekday, hour and minute are defined.
 
 * rman_retention_policy
 
-  This could be used to overwrite the global default of `rman_retention_policy`at database level.
+  This could be used to overwrite the global default of `rman_retention_policy` at database level.
+
+## Using RMAN Catalog
+
+It is possible to configure rman jobs to use RMAN Catalog. In order to achieve this, you need to specify following attributes
+at your `oracle_databases` database block:
+* `rman_tnsalias` - tnsnames alias for RMAN Catalog database (has to be a tnsnames alias present in database home)
+* `rman_user` - username for the catalog database
+* `rman_password` - [deprecated] password for the catalog database. Use `dbpasswords[rman_tnsalias][rman_user]` instead.
+* `rman_wallet` (optionally) - when set to true, this role will configure Oracle Wallet for RMAN not to include plaintext password in crontab file.
 
-* 
 ## Example
 
 The backup is configured in oracle_databases with rman_jobs:
@@ -80,7 +88,9 @@ The backup is configured in oracle_databases with rman_jobs:
   oracle_databases:
     - home: db_home1
       oracle_db_name: TEST
-
+      # rman_tnsalias: RCAT
+      # rman_user: rman
+      # rman_wallet: true
       rman_jobs:
          - name: parameter
          - name: archivelog

roles/oradb_rman/defaults/main.yml

@@ -16,17 +16,17 @@ rman_wallet_password: "oracleWallet1"
 rmanautofs: false
 
 rman_cron_mkjob: false
+configure_cluster: false
+listener_port: 1521  # for tnsnames templates
 
 rman_retention_policy_default: "RECOVERY WINDOW OF 14 DAYS"
 rman_channel_disk_default: "'/u10/rmanbackup/%d/%d_%T_%U'"
 rman_controlfile_autobackup_disk_default: "'/u10/rmanbackup/%d/%d_%F'"
 rman_device_type_disk_default: 'PARALLELISM 1 BACKUP TYPE TO COMPRESSED BACKUPSET'
 
-rman_retention_policy: "{% if item.0.rman_retention_policy is defined %}{{ item.0.rman_retention_policy }}{% else %}{{ rman_retention_policy_default }}{% endif %}"
-rman_channel_disk: "{% if item.0.rman_channel_disk is defined %}{{ item.0.rman_channel_disk }}{% else %}{{ rman_channel_disk_default }}{% endif %}"
-rman_controlfile_autobackup_disk: "{% if item.0.rman_controlfile_autobackup_disk is defined %}{{ item.0.rman_controlfile_autobackup_disk }}
-                                   {%- else %}{{ rman_controlfile_autobackup_disk_default }}
-                                   {%- endif %}"
+rman_retention_policy: "{{ item.0.rman_retention_policy | default(rman_retention_policy_default) }}"
+rman_channel_disk: "{{ item.0.rman_channel_disk | default(rman_channel_disk_default) }}"
+rman_controlfile_autobackup_disk: "{{ item.0.rman_controlfile_autobackup_disk | default(rman_controlfile_autobackup_disk_default) }}"
 
 rman_service_param: "{% if item.1.service is defined %}--service {{ item.1.service }}{% else %}{% endif %}"
 
@@ -36,6 +36,6 @@ rmanbackuplogdir: "{% if item.0.rman_log_dir is defined %}-l {{ item.0.rman_log_
 rmanbackupscriptdir: "{% if item.0.rman_script_dir is defined %}-r {{ item.0.rman_script_dir }}{% else %}{% endif %}"
 rman_catalog_param: "{% if item.0.rman_wallet is defined and item.0.rman_wallet %}-c /@{{ item.0.rman_tnsalias }}
                      {%- else %}
-                       {%- if item.0.rman_user is defined %}-c {{ item.0.rman_user }}/{{ item.0.rman_password }}@{{ item.0.rman_tnsalias }}
+                       {%- if item.0.rman_user is defined %}-c {{ item.0.rman_user }}/{{ dbpasswords[item.0.rman_tnsalias][item.0.rman_user] | default(item.0.rman_password) }}@{{ item.0.rman_tnsalias }}
                        {%- endif %}
                      {%- endif %}"

roles/oradb_rman/tasks/main.yml

@@ -9,39 +9,69 @@
   tags:
     - assert
 
+- name: Warn if old style password variable is used
+  ansible.builtin.debug:
+    msg: '[WARNING]: do not use rman_password in oracle_databases, use dbpasswords[rman_tnsname][rman_user] instead!'
+  # make warning red, but continue
+  failed_when: true
+  # noqa ignore-errors
+  ignore_errors: true
+  when: item.rman_password is defined
+  with_items:
+    - "{{ oracle_databases }}"
+  loop_control:
+    label: "{{ item.oracle_db_name | default('') }}"
+
 # autofs is configured in a special way to mount the shares with needed parameters
 - name: configure autofs for RMAN
   ansible.builtin.lineinfile:
-    dest=/etc/auto.master
-    regexp="^{{ rmanautofsmount }} "
-    line="{{ rmanautofsmount }} /etc/auto.net --timeout=60 rw,hard,rsize=32768,wsize=32768,proto=tcp,nfsvers=3"
+    dest: "/etc/auto.master"
+    regexp: "^{{ rmanautofsmount }} "
+    line: "{{ rmanautofsmount }} /etc/auto.net --timeout=60 rw,hard,rsize=32768,wsize=32768,proto=tcp,nfsvers=3"
   when: rmanautofs
   tags: autofs
 
 - name: Create Mountpoint
-  ansible.builtin.file: dest={{ rmanautofsmount }} state=directory mode=0755
+  ansible.builtin.file:
+    dest: "{{ rmanautofsmount }}"
+    state: directory
+    mode: '0755'
   when: rmanautofs
   tags: autofs
 
 - name: Restart autofs
-  ansible.builtin.service: name=autofs enabled=yes state=restarted
+  ansible.builtin.service:
+    name: autofs
+    enabled: true
+    state: restarted
   when: rmanautofs
   tags: autofs
 
 - name: Create bin-Directory for rman_backup
-  ansible.builtin.file: path={{ oracle_base }}/bin state=directory mode=0755
+  ansible.builtin.file:
+    path: "{{ oracle_base }}/bin"
+    state: directory
+    mode: '0755'
   tags:
     - rmancopy
 
 - name: Create log-Directory for cron output
-  ansible.builtin.file: path={{ rman_cron_logdir }} state=directory mode=0755 owner={{ oracle_user }}
+  ansible.builtin.file:
+    path: "{{ rman_cron_logdir }}"
+    state: directory
+    mode: '0755'
+    owner: "{{ oracle_user }}"
   tags:
     - rmancron
     - rmancopy
 
 # dummy with_together for item.0.db_name in default/main.yml
 - name: Create Directory for rman-scripts
-  ansible.builtin.file: path={{ rman_script_dir }} state=directory mode=0755 owner={{ oracle_user }}
+  ansible.builtin.file:
+    path: "{{ rman_script_dir }}"
+    state: directory
+    mode: '0755'
+    owner: "{{ oracle_user }}"
   with_together:
     - "{{ oracle_databases }}"
     - ""
@@ -52,7 +82,11 @@
 
 # dummy with_together for item.0.db_name in default/main.yml
 - name: Create Directory for rman-logfiles
-  ansible.builtin.file: path={{ rman_log_dir }} state=directory mode=0755 owner={{ oracle_user }}
+  ansible.builtin.file:
+    path: "{{ rman_log_dir }}"
+    state: "directory"
+    mode: '0755'
+    owner: "{{ oracle_user }}"
   with_together:
     - "{{ oracle_databases }}"
     - ""
@@ -62,13 +96,22 @@
     - rmancopy
 
 - name: copy rman_backup.sh
-  ansible.builtin.copy: dest={{ oracle_base }}/bin src=rman_backup.sh backup=yes mode=755
+  ansible.builtin.copy:
+    dest: "{{ oracle_base }}/bin"
+    src: "rman_backup.sh"
+    backup: true
+    mode: '0755'
   tags:
     - rmancopy
 
 # rman_script_dir: {{oracle_admin_db}}/rman/
 - name: copy RMAN scipts
-  ansible.builtin.template: dest={{ rman_script_dir }}/{{ item.1.name }}.rman src={{ item.1.name }}.rman.j2 backup=yes mode=644 owner={{ oracle_user }}
+  ansible.builtin.template:
+    dest: "{{ rman_script_dir }}/{{ item.1.name }}.rman"
+    src: "{{ item.1.name }}.rman.j2"
+    backup: true
+    mode: '0644'
+    owner: "{{ oracle_user }}"
   with_subelements:
     - "{{ oracle_databases }}"
     - rman_jobs
@@ -79,51 +122,134 @@
     - rmancopy
 
 - name: Create directory for TNS_ADMIN
-  ansible.builtin.file: dest={{ rman_tns_admin }} state=directory owner={{ oracle_user }} mode=0755
+  ansible.builtin.file:
+    dest: "{{ rman_tns_admin }}"
+    state: directory
+    owner: "{{ oracle_user }}"
+    mode: '0755'
   with_items:
-    - "{{ oracle_databases }}"
-  when: item.rman_tnsalias is defined
+    - "{{ oracle_databases | selectattr('rman_tnsalias','defined') | map(attribute='oracle_db_name') }}"
   tags:
     - tns
 
-- name: copy sqlnet.ora for wallet
-  ansible.builtin.template: src=sqlnet.ora.j2 dest={{ rman_tns_admin }}/sqlnet.ora owner={{ oracle_user }} mode=0644
+- name: Template sqlnet.ora for rman catalog wallet
+  ansible.builtin.template:
+    src: "sqlnet.ora.j2"
+    dest: "{{ rman_tns_admin }}/sqlnet.ora"
+    owner: "{{ oracle_user }}"
+    mode: '0644'
   with_items:
-    - "{{ oracle_databases }}"
-  when: item.rman_tnsalias is defined
+    - "{{ oracle_databases | selectattr('rman_tnsalias','defined') | selectattr('rman_wallet','defined') }}"
+  loop_control:
+    label: "{{ item.oracle_db_name | default('') }}"
+  when: item.rman_wallet
   tags:
     - tns
 
-- name: copy tnsnames.ora for catalog
-  ansible.builtin.template: src=tnsnames.ora.j2 dest={{ rman_tns_admin }}/tnsnames.ora owner={{ oracle_user }} mode=644 backup=true
-  with_items:
+- name: Template tnsnames.ora for rman catalog
+  ansible.builtin.blockinfile:
+    block: "{{ lookup('template', '../../oradb_manage_db/templates/tnsnames' + oracle_tnsnames_config[tnsinst.tnsname]['tnstemplate'] | default('') + '.ora.j2') }}"
+    path: "{{ rman_tns_admin }}/tnsnames.ora"
+    backup: true
+    create: true
+    group: "{{ oracle_group }}"
+    owner: "{{ oracle_user }}"
+    state: present
+    mode: 0644
+    insertafter: "EOF"
+    marker: "# {mark} Ansible managed for  {{ tnsinst.tnsname }}"
+  vars:
+    dbh: "{{ item.0 }}"
+    tnsinst: "{{ item.1 }}"
+  with_nested:
     - "{{ oracle_databases }}"
-  when: item.rman_tnsalias is defined
+    - "{{ tnsnames_installed }}"
+  loop_control:
+    label: "{{ dbh.oracle_db_name | default('') }} -> {{ tnsinst.tnsname | default('') }}"
+  when:
+    - dbh.rman_tnsalias is defined
+    - dbh.home == tnsinst.home
+    - tnsinst.tnsname == dbh.rman_tnsalias
   tags:
     - tns
 
 - name: Wallet create
-  ansible.builtin.shell: "test -d {{ rman_wallet_loc }} || echo -e '{{ rman_wallet_password }}\n{{ rman_wallet_password }}' | {{ oracle_home_db }}/bin/mkstore -create -nologo -wrl {{ rman_wallet_loc }}"
-  # noqa risky-shell-pipe yaml
+  ansible.builtin.shell:
+    cmd: 'echo -e "$stdin" | {{ oracle_home_db }}/bin/mkstore -create -nologo -wrl "{{ rman_wallet_loc }}"'
+    creates: "{{ rman_wallet_loc }}/ewallet.p12"
   become: true
   become_user: "{{ oracle_user }}"
+  environment:
+    stdin: "{{ rman_wallet_password }}\n{{ rman_wallet_password }}"
   with_items:
-    - "{{ oracle_databases }}"
-  when: item.rman_tnsalias is defined
+    - "{{ oracle_databases | selectattr('rman_tnsalias','defined') | selectattr('rman_wallet','defined') }}"
+  loop_control:
+    label: "{{ item.oracle_db_name | default('') }}"
+  when: item.rman_wallet
   tags:
     - wallet
+  register: wallet_created
+
+- name: List wallet contents
+  ansible.builtin.shell:
+    cmd: 'echo "$stdin" | {{ oracle_home_db }}/bin/mkstore -listCredential -nologo -wrl "{{ rman_wallet_loc }}"'
+  become: true
+  become_user: "{{ oracle_user }}"
+  environment:
+    stdin: "{{ rman_wallet_password }}"
+  with_items:
+    - "{{ oracle_databases | selectattr('rman_tnsalias','defined') | selectattr('rman_wallet','defined') }}"
+  when:
+    - item.rman_wallet
+    - not wallet_created.changed
+  changed_when: false  # does not change anything in System
+  loop_control:
+    label: "{{ item.oracle_db_name | default('') }}"
+  tags:
+    - wallet
+  register: wallet_contents
 
-# no_log => secure password against logfiles
-# ignore errors during createCredential when entry is existing
 - name: Wallet createCredential
-  ansible.builtin.shell: "echo -e '{{ rman_wallet_password }}' | {{ oracle_home_db }}/bin/mkstore -wrl {{ rman_wallet_loc }} -nologo -createCredential {{ item.rman_tnsalias }} {{ item.rman_user }} {{ item.rman_password }}; exit 0"
-  # noqa yaml risky-shell-pipe
+  ansible.builtin.shell:
+    cmd: 'echo "$stdin" | {{ oracle_home_db }}/bin/mkstore -wrl "{{ rman_wallet_loc }}" -nologo -createCredential "$rman_tnsalias" "$rman_user" "$rman_password"'
   become: true
   become_user: "{{ oracle_user }}"
-  no_log: true
+  environment:
+    stdin: "{{ rman_wallet_password }}"
+    rman_tnsalias: "{{ item.rman_tnsalias }}"
+    rman_user: "{{ item.rman_user }}"
+    rman_password: "{{ dbpasswords[item.rman_tnsalias][item.rman_user] | default(item.rman_password) }}"
   with_items:
-    - "{{ oracle_databases }}"
-  when: item.rman_tnsalias is defined and item.rman_user is defined and item.rman_password is defined
+    - "{{ oracle_databases | selectattr('rman_tnsalias','defined') | selectattr('rman_wallet','defined') }}"
+  when:
+    - item.rman_wallet
+    - "wallet_created.changed or ((': ' + item.rman_tnsalias + ' ' + item.rman_user) not in (wallet_contents.results[loopidx].stdout | default('')))"
+  loop_control:
+    label: "{{ item.oracle_db_name | default('') }}"
+    index_var: loopidx
+  register: wallet_credential_added
+  tags:
+    - wallet
+
+- name: Wallet modifyCredential to ensure password is up to date
+  ansible.builtin.shell:
+    cmd: 'echo "$stdin" | {{ oracle_home_db }}/bin/mkstore -wrl "{{ rman_wallet_loc }}" -nologo -modifyCredential "$rman_tnsalias" "$rman_user" "$rman_password"'
+  become: true
+  become_user: "{{ oracle_user }}"
+  changed_when: false  # no simple way to figure out whether this changed the password or not, does not matter.
+  environment:
+    stdin: "{{ rman_wallet_password }}"
+    rman_tnsalias: "{{ item.rman_tnsalias }}"
+    rman_user: "{{ item.rman_user }}"
+    rman_password: "{{ dbpasswords[item.rman_tnsalias][item.rman_user] | default(item.rman_password) }}"
+  with_items:
+    - "{{ oracle_databases | selectattr('rman_tnsalias','defined') | selectattr('rman_wallet','defined') }}"
+  when:
+    - item.rman_wallet
+    - not wallet_created.changed
+    - not wallet_credential_added.changed
+  loop_control:
+    label: "{{ item.oracle_db_name | default('') }}"
   tags:
     - wallet
 
@@ -133,8 +259,8 @@
 # The task is only execute once on master_node when GI is installed!
 # no catalog connection, because setting initial parameters with catalog takes much more time
 - name: Execute RMAN-Script at playbook
+  # noqa risky-shell-pipe
   ansible.builtin.shell: "{{ oracle_base }}/bin/rman_backup.sh -a {{ item.1.name }} -s {{ item.0.oracle_db_instance_name | default(item.0.oracle_db_name) }} -r {{ rman_script_dir }} -l {{ rman_log_dir }} | tee -a {{ rman_cron_logdir }}/rman_{{ item.1.name }}.log"
-  # noqa risky-shell-pipe yaml
   environment:
     PATH: /bin:/usr/bin
   become: true
@@ -146,23 +272,25 @@
     - skip_missing: true
   loop_control:
     label: "oracle_db_name {{ item.0.oracle_db_name | default('') }} job {{ item.1.name | default('') }}"
-  when: item.1.immediate is defined and item.1.immediate
-        and ( (configure_cluster and inventory_hostname == cluster_master)
-              or not configure_cluster
-            )
+  when:
+    - item.1.immediate is defined
+    - item.1.immediate
+    - "((configure_cluster and inventory_hostname == cluster_master) or not configure_cluster )"
   tags:
     - rmanexecute
 
-- ansible.builtin.debug: msg={{ item.results.stdout_lines | default("") }}  # noqa unnamed-task
+- name: RMAN-Script at playbook output  # noqa no-handler
+  ansible.builtin.debug:
+    msg: "{{ item.stdout_lines }}"
   with_items:
-    - "{{ rmanexecimmediate }}"
+    - "{{ rmanexecimmediate.results }}"
+  when: item.changed
   loop_control:
-    label: ""
-  when: rmanexecimmediate is defined
+    label: "oracle_db_name {{ item.item[0].oracle_db_name | default(' ') }} job {{ item.item[1].name | default('') }}"
   tags:
     - rmanexecute
 
-- name: Add Environment variables to /ec/cron.d
+- name: Add Environment variables to /etc/cron.d
   ansible.builtin.cron:
     cron_file: "{{ rman_cronfile }}"
     user: "{{ oracle_user }}"
@@ -206,6 +334,10 @@
     - rmancron
 
 - name: Create directory for mk-job
-  ansible.builtin.file: dest=/var/lib/check_mk_agent/job/{{ oracle_user }} state=directory owner={{ oracle_user }} mode=0755
+  ansible.builtin.file:
+    dest: "/var/lib/check_mk_agent/job/{{ oracle_user }}"
+    state: directory
+    owner: "{{ oracle_user }}"
+    mode: '0755'
   when: rman_cron_mkjob
   tags: rmancron