Skip AIDE initialization by default

The AIDE database initialization consumes a lot of CPU time and I/O resources.
We shouldn't initialize the database by default, but this should be
configurable by the deployer.

Closes-bug: 1534658

Change-Id: If680000619c35914e58ed8b7883c7eaa7928cec4

defaults/main.yml

@@ -31,6 +31,12 @@ aide_exclude_dirs:
   - /var/lib/lxc
   - /openstack
   - /opt
+#
+# By default, the AIDE database won't be initialized immediately since it can
+# consume plenty of CPU and I/O resources while it runs. To initialize the
+# AIDE database immediately when the playbook finishes, set the following
+# variable to 'true':
+initialize_aide: false
 
 ## Audit daemon
 # The following booleans control the rule sets added to auditd's default

doc/source/configuration.rst

@@ -32,6 +32,17 @@ long time indexing the disk.  Additional directories can be added to the
 exclusion list, but the directories currenty listed **should not be removed**.
 Deployers can add directories to ``aide_exlude_dirs``.
 
+The first AIDE database initialization can consume lots of CPU time and I/O
+resources. By default, the role won't run the database initialization after
+the role is applied to avoid causing performance degradation. The database will
+be initialized automatically when the AIDE cron job runs the next day. To force
+the initialization to run as soon as the role finishes running, change the
+the following variable to ``true``:
+
+.. code-block:: yaml
+
+    initialize_aide: true
+
 Audit daemon
 ------------
 

handlers/main.yml

@@ -62,6 +62,7 @@
 # the background so it doesn't hold up the whole playbook.
 - name: initialize AIDE
   shell: "aideinit -b"
+  when: initialize_aide | bool
 
 - name: rehash aliases
   command: newaliases