Chapter 16. Configuring Microsoft SQL Server by using the microsoft.sql.server Ansible role
As an administrator, you can use the microsoft.sql.server
Ansible role to install, configure, and start Microsoft SQL Server (SQL Server). The microsoft.sql.server
Ansible role optimizes your operating system to improve performance and throughput for the SQL Server. The role simplifies and automates the configuration of your RHEL host with recommended settings to run the SQL Server workloads.
16.1. Installing and configuring SQL server by using the microsoft.sql.server
Ansible role with existing certificate files
You can use the microsoft.sql.server
Ansible role to install and configure SQL Server version 2019. The playbook in this example also configures the server to use an existing sql_cert
certificate and private key files for TLS encryption.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on them. - Minimum 2 GB RAM
-
The
ansible-collection-microsoft-sql
package is installed on the managed node.
Procedure
Create a playbook file, for example
~/playbook.yml
, with the following content:--- - name: Install and configure SQL Server hosts: managed-node-01.example.com roles: - microsoft.sql.server vars: mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula: true mssql_accept_microsoft_cli_utilities_for_sql_server_eula: true mssql_accept_microsoft_sql_server_standard_eula: true mssql_version: 2019 mssql_manage_firewall: true mssql_tls_enable: true mssql_tls_cert: sql_crt.pem mssql_tls_private_key: sql_cert.key mssql_tls_version: 1.2 mssql_tls_force: false mssql_password: <password> mssql_edition: Developer mssql_tcp_port: 1433
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Additional resources
-
/usr/share/ansible/roles/microsoft.sql-server/README.md
file
16.2. Installing and configuring SQL server by using the microsoft.sql.server
Ansible role with the certificate
role
You can use the microsoft.sql.server
Ansible role to install and configure SQL Server version 2019. The playbook in this example also configures the server to use TLS encryption and creates a self-signed sql_cert
certificate file and private key by using the certificate
system role.
You do not have to call the certificate
system role in the playbook to create the certificate. The microsoft.sql.server
Ansible role calls it automatically.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on them. - Minimum 2 GB RAM
-
The
ansible-collection-microsoft-sql
package is installed on the managed node. - The managed nodes are enrolled in a Red Hat Identity Management (IdM) domain.
Procedure
Create a playbook file, for example
~/playbook.yml
, with the following content:--- - name: Install and configure SQL Server hosts: managed-node-01.example.com roles: - microsoft.sql.server vars: mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula: true mssql_accept_microsoft_cli_utilities_for_sql_server_eula: true mssql_accept_microsoft_sql_server_standard_eula: true mssql_version: 2019 mssql_manage_firewall: true mssql_tls_enable: true mssql_tls_certificates: - name: sql_cert dns: *.example.com ca: self-sign mssql_password: <password> mssql_edition: Developer mssql_tcp_port: 1433
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Additional resources
-
/usr/share/ansible/roles/microsoft.sql-server/README.md
file - Requesting certificates by using RHEL system roles
16.3. TLS-related variables of the microsoft.sql.server
system role
You can use the following variables to configure the Transport Level Security (TLS) protocol.
Table 16.1. TLS role variables
Role variable | Description |
---|---|
mssql_version | Defines which version of SQL server to install. Possible values are 2017, 2019 and 2022. |
mssql_tls_enable | This variable enables or disables TLS encryption.
The
When set to |
mssql_tls_certificates |
Generates a certificate and a private key for TLS encryption using the Important
When you set this variable, you must not set |
mssql_tls_cert | Copies a certificate file from the specified path to SQL Server and uses it for TLS encryption. |
mssql_tls_private_key | Copies a private key file from the specified path to SQL Server and uses it for TLS encryption. |
mssql_tls_remote_src |
Defines if the role searches for
When set to the default
When set to |
mssql_tls_version | Defines which TLS version to use.
The default is |
mssql_tls_force |
If set to
The default is |
Additional resources
-
/usr/share/ansible/roles/microsoft.sql-server/README.md
file
16.4. Setting up custom storage paths for data and logs
To store your data or logs in a different directory than the default one, specify the custom storage path using the mssql_datadir
, mssql_datadir_mode
, mssql_logdir
, and mssql_logdir_mode
variables in an existing playbook. When you define a custom path, the role creates the provided directory and ensures correct permissions and ownership for it.
If you later decide to remove the variables, the storage paths will not change back to the default ones but will store the data or logs in the latest defined paths.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on them. - Minimum 2 GB RAM
-
The
ansible-collection-microsoft-sql
package is installed on the managed node.
Procedure
Edit an existing playbook file, for example
~/playbook.yml
, and add the storage and log-related variables:--- - name: Install and configure SQL Server hosts: managed-node-01.example.com roles: - microsoft.sql.server vars: mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula: true mssql_accept_microsoft_cli_utilities_for_sql_server_eula: true mssql_accept_microsoft_sql_server_standard_eula: true mssql_version: 2019 mssql_manage_firewall: true mssql_tls_enable: true mssql_tls_cert: sql_crt.pem mssql_tls_private_key: sql_cert.key mssql_tls_version: 1.2 mssql_tls_force: false mssql_password: <password> mssql_edition: Developer mssql_tcp_port: 1433 mssql_datadir: /var/lib/mssql/ mssql_datadir_mode: '0700' mssql_logdir: /var/log/mssql/ mssql_logdir_mode: '0700'
Enter the permission modes in single quotation marks so that Ansible parses it as a string and not as an octal number.
If you do not specify the mode and the destination directory does not exist, the role uses the default umask on the system when setting the mode. If you do not specify the mode and the destination directory does exist, the role uses the mode of the existing directory.
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Additional resources
-
/usr/share/ansible/roles/microsoft.sql-server/README.md
file
16.5. Preparing and running a playbook to enable SQL Server authentication with Active Directory
To be able to automatically authenticate your Microsoft SQL server with Active Directory, you need to set up an microsoft.sql.server
Ansible playbook with variables according to your use case.
Prerequisites
- You have prepared the control node and the managed nodes.
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on them. - Minimum 2 GB RAM
-
The
ansible-collection-microsoft-sql
package is installed on the managed node.
Procedure
Create a playbook file, for example
~/playbook.yml
, with the following content:--- - name: Configure with AD server authentication hosts: managed-node-01.example.com roles: - microsoft.sql.server vars: # General variables mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula: true mssql_accept_microsoft_cli_utilities_for_sql_server_eula: true mssql_accept_microsoft_sql_server_standard_eula: true mssql_version: 2022 mssql_password: "<password>" mssql_edition: Evaluation mssql_manage_firewall: true # AD Integration required variables mssql_ad_configure: true mssql_ad_sql_user_name: sqluser mssql_ad_sql_password: "<password>" ad_integration_realm: domain.com ad_integration_user: Administrator ad_integration_password: <password>
Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Additional resources
-
/usr/share/ansible/roles/microsoft.sql-server/README.md
file
16.6. Configuring SQL Server to authenticate with Active Directory (AD) Server
The following procedure shows how to configure SQL Server to authenticate with Active Directory (AD) Server.
Prerequisites
- An Active Directory domain controller is configured on your network.
- An applicable RDNS (Reverse DNS) zone exists for both the domain controller and the IP address of the Linux machine that will be running SQL Server.
- A PTR record that points to your domain controllers exists.
- The SQL Server host resolves relative domain name, fully qualified domain name, and the IP of the domain controller to the fully qualified domain name of the domain controller.
Procedure
- Log in to your AD server through the web UI.
- Navigate to Tools > Active Directory Users and Computers > domain.com > Users > sqluser > Account.
- In the Account options list, select This account supports Kerberos AES 128 bit encryption and This account supports Kerberos AES 256 bit encryption.
- Click Apply
Verification
Use
ssh
to log in to the client.domain.com machine:# ssh -l <sqluser>@<domain.com> <client.domain.com>
Obtain the Kerberos ticket for the Administrator user:
# kinit Administrator@<domain.com>
Use the
sqlcmd
utility to log in to the SQL Server and, for example, run the following query to view the current user:# /opt/mssql-tools/bin/sqlcmd -S. -Q 'SELECT SYSTEM_USER'
16.7. Variables for SQL Server integration with Active Directory Server
You can use the following variables to configure the SQL Server to authenticate with Active Directory (AD) Server.
Table 16.2. Active Directory variables
Role variable | Description |
---|---|
mssql_ad_configure |
This variable enables or disables configuration for AD Server authentication. The default value is |
mssql_ad_sql_user_name | You can define a username that is going to be created in SQL server and then used for authentication. |
mssql_ad_sql_password |
You can define a password for a user defined in |
mssql_ad_sql_user_dn |
You have to set the |
mssql_ad_netbios_name |
You have to set the |
16.8. Accepting EULA for MLServices
You must accept all the EULA for the open-source distributions of Python and R packages to install the required SQL Server Machine Learning Services (MLServices).
See /usr/share/doc/mssql-server
for the license terms.
Table 16.3. SQL Server Machine Learning Services EULA variables
Role variable | Description |
---|---|
mssql_accept_microsoft_sql_server_standard_eula |
This variable determines whether to accept the terms and conditions for installing the
To accept the terms and conditions set this variable to
The default is |
Additional resources
-
/usr/share/ansible/roles/microsoft.sql-server/README.md
file
16.9. Accepting EULAs for Microsoft ODBC 17
You must accept all the EULAs to install the Microsoft Open Database Connectivity (ODBC) driver.
See /usr/share/doc/msodbcsql17/LICENSE.txt
and /usr/share/doc/mssql-tools/LICENSE.txt
for the license terms.
Table 16.4. Microsoft ODBC 17 EULA variables
Role variable | Description |
---|---|
mssql_accept_microsoft_odbc_driver_17_for_sql_server_eula |
This variable determines whether to accept the terms and conditions for installing the
To accept the terms and conditions set this variable to
The default is |
mssql_accept_microsoft_cli_utilities_for_sql_server_eula |
This variable determines whether to accept the terms and conditions for installing the
To accept the terms and conditions set this variable to
The default is |
Additional resources
-
/usr/share/ansible/roles/microsoft.sql-server/README.md
file
16.10. High availability variables
You can configure high availability for Microsoft SQL Server with the variables from the table below.
Table 16.5. High availability configuration variables
Variable | Description |
---|---|
|
The default value is
When it is set to
|
|
This variable specifies which type of replica you can configure on the host. You can set this variable to |
|
The default port is The role uses this TCP port to replicate data for an Always On availability group. |
| You must define the name of the certificate to secure transactions between members of an Always On availability group. |
| You must set the password for the master key to use with the certificate. |
| You must set the password for the private key to use with the certificate. |
|
The default value is
If it is set to |
| You must define the name of the endpoint to configure. |
| You must define the name of the availability group to configure. |
| You can define a list of the databases to replicate, otherwise the role creates a cluster without replicating databases. |
| The SQL Server Pacemaker resource agent utilizes this user to perform database health checks and manage state transitions from replica to primary server. |
|
The password for the |
|
The default value is
This variable defines if this role runs the
Note that the
To work around this limitation, the
If you want the |
Note, this role backs up the database to the /var/opt/mssql/data/
directory.
Additional resources
-
/usr/share/ansible/roles/microsoft.sql-server/README.md
file