From 3e06f195b72548e6a8c33e671fccbd846a3afec5 Mon Sep 17 00:00:00 2001 
From: Will Foster Date: Thu, 5 May 2016 15:01:12 -0400 Subject: [PATCH] Make nginx ports and firewall rules a variable. Changes in patchset #11: 1) moved to putting default port variables in group_vars/all.yml 2) updated README to specify changing port variables for undercloud deployments 3) removed setting variables in the nginx task, but we can utilize fail: checks for variable checks instead (cleaner). Changes in patchset #10: 1) added become: true for filebeat per jtaleric comments 2) added no_log: True to reduce unnecessary firewall debug discovery during the playbook run Changes in patchset #9: Rebased against commit 5ef39f88ddd6b2f26ae080be3a63301f5395a30e Changes in patchset #8: 1) use restart instead of start for ansible service this will address when you re-run playbooks if you decide to change the listener ports Changes in patchset #7: 1) use rpm_key ansible module instead of rpm command for GPG key management Changes in patchset #6: 1) ensure elk_server_ssl_cert_port variable can be set for non-standard port access like elk_server Changes in patchset #5: 1) use 'become=true' for all operations within filebeat so that elk clients running as non-root (but privileged) users can run client deployments. Changes in patchset #4: 1) turn logstash stdout off by default 2) remove unneeded logstash refresh Changes in patchset #3: 1) remove debug statements for port variable testing Changes in patchset #2: 1) remove unneeded conditional logic, only comparison for 'none' is needed. 2) fix duplicate variable assignment 3) add more info to group_vars/all comments that you need to use nonstandard ports for both if you need one only. Changes introduced in patchset #1: This provides the following functionality: 1) adds two new variables to group_vars/all: * nginx_kibana_port * elk_server_ssl_cert_port 2) sets a normal default for these ports if they are not defined explicitly. If these are not defined then default ports of 80/TCP and 8080/TCP will be used respectively.
If they are defined (in case of undercloud install where lots of services/ports are listening on standard ports) then both nginx jinja2 templates will be updated along with firewall rules. Why we need this functionality, and why we should use it: 1) Avoid hard-coded defaults like 1.1.1.1 or service ports 2) Minimize the amount of editing needed for variables before Browbeat can be run by users Change-Id: Ia689f73d9c0c83de4d34a1954824afbee8205c25
---
ansible/README.md | 17 ++++++- ansible/install/group_vars/all.yml | 13 +++++ ansible/install/roles/filebeat/tasks/main.yml | 15 ++++-- ansible/install/roles/kibana/tasks/main.yml | 6 +-- .../roles/logstash/files/10-syslog.conf | 2 +- ansible/install/roles/logstash/tasks/main.yml | 9 ++-- ansible/install/roles/nginx/tasks/main.yml | 51 +++++++++++-------- .../roles/nginx/templates/kibana.conf.j2 | 2 +- .../nginx.conf => templates/nginx.conf.j2} | 4 +- 9 files changed, 79 insertions(+), 40 deletions(-) rename ansible/install/roles/nginx/{files/nginx.conf => templates/nginx.conf.j2} (91%)
diff --git a/ansible/README.md b/ansible/README.md
index 2a79b7828..f46049998 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -58,11 +58,24 @@ Requires Ansible 2.0 ``` # ansible-playbook -i hosts install/connmon.yml ``` -##### Install ELK Stack +##### Install Generic ELK Stack ``` ansible-playbook -i hosts install/elk.yml ``` -##### Install ELK Clients +##### Install ELK Stack (on an OpenStack Undercloud) +``` +sed -i 's/nginx_kibana_port: 80/nginx_kibana_port: 8888/' install/group_vars/all.yml +sed -i 's/elk_server_ssl_cert_port: 8080/elk_server_ssl_cert_port: 9999/' install/group_vars/all.yml +``` +``` +ansible-playbook -i hosts install/elk.yml +``` +##### Install Generic ELK Clients +``` +ansible-playbook -i hosts install/elk-client.yml --extra-vars 'elk_server=X.X.X.X' +``` + - elk_server variable will be generated after the ELK stack playbook runs +#### Install ELK Clients for OpenStack nodes ``` ansible-playbook -i hosts install/elk-openstack-client.yml --extra-vars 'elk_server=X.X.X.X' ``` diff --git a/ansible/install/group_vars/all.yml b/ansible/install/group_vars/all.yml index 2dc5a352e..b452db5be 100644 --- a/ansible/install/group_vars/all.yml +++ b/ansible/install/group_vars/all.yml @@ -104,3 +104,16 @@ browbeat_pri_pool_gw: 172.16.10.1 browbeat_pri_pool_dns: 8.8.8.8 browbeat_router_name: browbeat_router + +######################################## +# ELK Server Variables +######################################## +### nginx ### +# add nonstandard port here for undercloud usage +# usage: port nginx listens to reverse-proxy Kibana +# e.g. 8888 +nginx_kibana_port: 80 +# +# usage: port filebeat client grabs the client SSL certificate +# e.g. 9999 +elk_server_ssl_cert_port: 8080 diff --git a/ansible/install/roles/filebeat/tasks/main.yml b/ansible/install/roles/filebeat/tasks/main.yml index 12dc34183..bed52487b 100644 --- a/ansible/install/roles/filebeat/tasks/main.yml +++ b/ansible/install/roles/filebeat/tasks/main.yml 
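Review bot: The new comment block in group_vars/all.yml does not say what form the two values must take, yet this commit splices them unquoted into `firewall-cmd --add-port=…/tcp`, an iptables `--dport` line and nginx `listen` directives, so a non-numeric or quoted value would silently produce a broken rule or vhost rather than a playbook failure. Add a line under the `### nginx ###` header such as `# both values must be bare integers (1-65535); they are used verbatim in firewall rules and nginx listen directives`. The patchset #2 entry in the commit message says these comments explain that both ports may need to be changed together, but no such sentence is in this hunk; if that guidance still applies, it belongs here.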
@@ -12,9 +12,9 @@ mode=0644 become: true -- name: Import filebeat GPG key - command: rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch - ignore_errors: true +- name: Import Filebeat GPG Key + rpm_key: key=http://packages.elastic.co/GPG-KEY-elasticsearch + state=present become: true - name: Install filebeat rpms @@ -38,14 +38,21 @@ ignore_errors: true register: elk_client_ssl_cert_exists +# Set standard nginx ports if we're not pointing towards an undercloud +- name: Assign ELK nginx port value for SSL client certificate + set_fact: + elk_server_ssl_cert_port: 8080 + when: elk_server_ssl_cert_port is none + - name: Install ELK server SSL client certificate - shell: curl http://"{{ elk_server }}":8080/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt + shell: curl http://"{{ elk_server }}":{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt become: true when: elk_client_ssl_cert_exists != 0 - name: Start filebeat service command: systemctl start filebeat.service ignore_errors: true + become: true when: filebeat_needs_restart != 0 - name: Setup filebeat service diff --git a/ansible/install/roles/kibana/tasks/main.yml b/ansible/install/roles/kibana/tasks/main.yml index 0b3b204e6..9fe802c21 100644 --- a/ansible/install/roles/kibana/tasks/main.yml +++ b/ansible/install/roles/kibana/tasks/main.yml 
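Review bot: In the second hunk, the `Install ELK server SSL client certificate` task still pipes whatever the HTTP endpoint returns into /etc/pki/tls/certs/filebeat-forwarder.crt, and without `-f`/`--fail` an nginx error page on a wrong `elk_server_ssl_cert_port` (the very case this commit is about) gets written as the client's trust anchor; at minimum use `shell: curl -sSf http://"{{ elk_server }}":{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt`, and better, fetch it with `get_url` and a `checksum` (if the Ansible version in use supports it) so the client verifies the certificate it is about to trust rather than relying on an unauthenticated HTTP download. The new `set_fact` guard `when: elk_server_ssl_cert_port is none` appears to be dead code: this commit defines the default in group_vars/all.yml, and an undefined variable does not satisfy Jinja2's `none` test, so the fallback never fires; drop it or replace it with the `fail:` check the commit message mentions. In the first hunk, `rpm_key` pulls the package signing key over plain `http://`; fetching it over HTTPS or shipping the key file in the role's `files/` directory would keep the package trust chain from depending on an unauthenticated download.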
@@ -99,13 +99,13 @@ become: true - name: Print SSL post-setup information - debug: msg="Filebeat SSL Certificate available at http://{{ ansible_hostname }}:8080/filebeat-forwarder.crt" + debug: msg="Filebeat SSL Certificate available at http://{{ ansible_hostname }}:{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt" - name: Print post-setup URL - debug: msg="*** ELK Services available at http://{{ ansible_hostname }}/ ***" + debug: msg="*** ELK Services available at http://{{ ansible_hostname }}:{{ nginx_kibana_port }} ***" - name: Print index creation instructions - debug: msg="** 1) Navigate to http://{{ ansible_hostname }} and login with admin/admin, click 'create' on the green index button ***" + debug: msg="** 1) Navigate to http://{{ ansible_hostname }}:{{ nginx_kibana_port }} and login with admin/admin, click 'create' on the green index button ***" - name: Print filebeat openstack client setup instructions debug: msg="** 2) Run ansible-playbook -i hosts install/elk-openstack-client.yml --extra-vars 'elk_server={{ ansible_default_ipv4.address }}' to setup OpenStack clients ***"
diff --git a/ansible/install/roles/logstash/files/10-syslog.conf b/ansible/install/roles/logstash/files/10-syslog.conf
index 574d8430d..0d71cfb68 100644
--- a/ansible/install/roles/logstash/files/10-syslog.conf
+++ b/ansible/install/roles/logstash/files/10-syslog.conf
@@ -4,7 +4,7 @@ input { } } output { - stdout {codec => rubydebug } +# stdout {codec => rubydebug } elasticsearch { hosts => "localhost:9200" }
diff --git a/ansible/install/roles/logstash/tasks/main.yml b/ansible/install/roles/logstash/tasks/main.yml
index fbff13e98..120a067f1 100644
--- a/ansible/install/roles/logstash/tasks/main.yml
+++ b/ansible/install/roles/logstash/tasks/main.yml
@@ -104,11 +104,6 @@ ignore_errors: true become: true -- name: Refresh logstash service - command: systemctl restart logstash.service - ignore_errors: true - become: true - - name: Setup logstash service service: name=logstash state=started enabled=true become: true @@ -123,16 +118,19 @@ shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' ignore_errors: true register: firewalld_in_use + no_log: True - name: Determine if firewalld is active shell: systemctl is-active firewalld.service | grep -vq inactive ignore_errors: true register: firewalld_is_active + no_log: True - name: Determine if TCP/5044 is already active shell: firewall-cmd --list-ports | egrep -q "^5044/tcp" ignore_errors: true register: firewalld_tcp5044_exists + no_log: True # add firewall rule via firewall-cmd - name: Add firewall rule for TCP/5044 (firewalld) @@ -150,6 +148,7 @@ ignore_errors: true register: iptables_tcp5044_exists failed_when: iptables_tcp5044_exists == 127 + no_log: True - name: Add firewall rule for TCP/5044 (iptables-services) lineinfile: diff --git a/ansible/install/roles/nginx/tasks/main.yml b/ansible/install/roles/nginx/tasks/main.yml index 8e197ac72..7a3fe9932 100644 --- a/ansible/install/roles/nginx/tasks/main.yml +++ b/ansible/install/roles/nginx/tasks/main.yml @@ -37,18 +37,17 @@ # deploy basic nginx.conf 8080 vhost - name: Setup nginx TCP/8080 vhost for SSL certificate - copy: - src=nginx.conf + template: + src=nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root mode=0644 - ignore_errors: true become: true # start nginx service - name: Start nginx service - command: systemctl start nginx.service + command: systemctl restart nginx.service ignore_errors: true when: nginx_needs_restart != 0 
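Review bot: In the nginx hunk at the end of this line, `Start nginx service` now restarts nginx but keeps `ignore_errors: true`, so if the new `{{elk_server_ssl_cert_port}}`/`{{nginx_kibana_port}}` listeners fail to bind (a port clash on an undercloud is exactly the case this change targets) the play continues and the following tasks open firewall ports for a service that is not up; drop `ignore_errors: true` on that task, or follow it with a `wait_for` on the port. The task name and its comment still say `TCP/8080 vhost` while the template is now driven by `elk_server_ssl_cert_port`, so the name should use the variable the way the firewall tasks do. Style: the added `no_log: True` lines here and in the two nginx firewall hunks below use capitalised `True` while the surrounding file writes `become: true`/`ignore_errors: true`; use `no_log: true`. Note also that `no_log` on the discovery tasks hides the registered result from verbose output, which makes diagnosing an unexpected `rc` harder; if that trade-off is intended, say so in the `# add firewall rule` comment.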
@@ -66,45 +65,49 @@ shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' ignore_errors: true register: firewalld_in_use + no_log: True - name: Determine if firewalld is active shell: systemctl is-active firewalld.service | grep -vq inactive ignore_errors: true register: firewalld_is_active + no_log: True -- name: Determine if TCP/80 is already active - shell: firewall-cmd --list-ports | egrep -q "^80/tcp" +- name: Determine if TCP/{{nginx_kibana_port}} is already active + shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp" ignore_errors: true register: firewalld_tcp80_exists + no_log: True # add firewall rule via firewall-cmd -- name: Add firewall rule for TCP/80 (firewalld) +- name: Add firewall rule for TCP/{{nginx_kibana_port}} (firewalld) command: "{{ item }}" with_items: - - firewall-cmd --zone=public --add-port=80/tcp --permanent + - firewall-cmd --zone=public --add-port={{nginx_kibana_port}}/tcp --permanent - firewall-cmd --reload ignore_errors: true become: true when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp80_exists.rc != 0 # iptables-services -- name: check firewall rules for TCP/80 (iptables-services) - shell: grep "dport 80 \-j ACCEPT" /etc/sysconfig/iptables | wc -l +- name: check firewall rules for TCP/{{nginx_kibana_port}} (iptables-services) + shell: grep "dport {{nginx_kibana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l ignore_errors: true register: iptables_tcp80_exists failed_when: iptables_tcp80_exists == 127 + no_log: True -- name: Add firewall rule for TCP/80 (iptables-services) +- name: Add firewall rule for TCP/{{nginx_kibana_port}} (iptables-services) lineinfile: dest: /etc/sysconfig/iptables - line: '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' + line: '-A INPUT -p tcp -m tcp --dport {{nginx_kibana_port}} -j ACCEPT' regexp: '^INPUT -i lo -j ACCEPT' insertbefore: '-A INPUT -i lo -j ACCEPT' backup: yes when: firewalld_in_use.rc != 0 and firewalld_is_active.rc 
!= 0 and iptables_tcp80_exists.stdout|int == 0 register: iptables_needs_restart -- name: Restart iptables-services for TCP/80 (iptables-services) +- name: Restart iptables-services for TCP/{{nginx_kibana_port}} (iptables-services) shell: systemctl restart iptables.service ignore_errors: true when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 
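Review bot: `nginx_kibana_port` is interpolated unchecked into a shell `egrep` pattern, a `firewall-cmd --add-port` argument and a `lineinfile` iptables rule, and although the commit message proposes a `fail:` check none was added; put a guard before the firewall section, e.g. `- name: Validate nginx_kibana_port` / `assert:` / `that: "nginx_kibana_port|int > 0 and nginx_kibana_port|int < 65536"`, so a typo in group_vars fails the play instead of writing a malformed rule into /etc/sysconfig/iptables. The registered variables `firewalld_tcp80_exists` and `iptables_tcp80_exists` keep the hard-coded 80 in their names now that the port is variable; a name like `firewalld_kibana_port_exists` would stop them reading as wrong once the port is changed. The Jinja expressions added here use `{{nginx_kibana_port}}` without inner spaces while the existing code writes `{{ item }}`; pick one form. The same three points apply to the `elk_server_ssl_cert_port` hunk at `@@ -114,45 +117,49 @@` with its `firewalld_tcp8080_exists`/`iptables_tcp8080_exists` names.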
@@ -114,45 +117,49 @@ shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' ignore_errors: true register: firewalld_in_use + no_log: True - name: Determine if firewalld is active shell: systemctl is-active firewalld.service | grep -vq inactive ignore_errors: true register: firewalld_is_active + no_log: True -- name: Determine if TCP/8080 is already active - shell: firewall-cmd --list-ports | egrep -q "^8080/tcp" +- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active + shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp" ignore_errors: true register: firewalld_tcp8080_exists + no_log: True # add firewall rule via firewall-cmd -- name: Add firewall rule for TCP/8080 (firewalld) +- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (firewalld) command: "{{ item }}" with_items: - - firewall-cmd --zone=public --add-port=8080/tcp --permanent + - firewall-cmd --zone=public --add-port={{elk_server_ssl_cert_port}}/tcp --permanent - firewall-cmd --reload ignore_errors: true become: true when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp8080_exists.rc != 0 # iptables-services -- name: check firewall rules for TCP/8080 (iptables-services) - shell: grep "dport 8080 \-j ACCEPT" /etc/sysconfig/iptables | wc -l +- name: check firewall rules for TCP/{{elk_server_ssl_cert_port}} (iptables-services) + shell: grep "dport {{elk_server_ssl_cert_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l ignore_errors: true register: iptables_tcp8080_exists failed_when: iptables_tcp8080_exists == 127 + no_log: True -- name: Add firewall rule for TCP/8080 (iptables-services) +- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (iptables-services) lineinfile: dest: /etc/sysconfig/iptables - line: '-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT' + line: '-A INPUT -p tcp -m tcp --dport {{elk_server_ssl_cert_port}} -j ACCEPT' regexp: '^INPUT -i lo -j ACCEPT' insertbefore: '-A INPUT -i 
lo -j ACCEPT' backup: yes when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp8080_exists.stdout|int == 0 register: iptables_needs_restart -- name: Restart iptables-services for TCP/8080 (iptables-services) +- name: Restart iptables-services for TCP/{{elk_server_ssl_cert_port}} (iptables-services) shell: systemctl restart iptables.service ignore_errors: true when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
diff --git a/ansible/install/roles/nginx/templates/kibana.conf.j2 b/ansible/install/roles/nginx/templates/kibana.conf.j2
index 62dd5f9bc..82e54d40d 100644
--- a/ansible/install/roles/nginx/templates/kibana.conf.j2
+++ b/ansible/install/roles/nginx/templates/kibana.conf.j2
@@ -1,5 +1,5 @@ server { - listen 80; + listen {{nginx_kibana_port}}; server_name {{ansible_hostname}};
diff --git a/ansible/install/roles/nginx/files/nginx.conf b/ansible/install/roles/nginx/templates/nginx.conf.j2
similarity index 91%
rename from ansible/install/roles/nginx/files/nginx.conf
rename to ansible/install/roles/nginx/templates/nginx.conf.j2
index d5a7478bb..f050d198c 100644
--- a/ansible/install/roles/nginx/files/nginx.conf
+++ b/ansible/install/roles/nginx/templates/nginx.conf.j2
@@ -33,8 +33,8 @@ http { include /etc/nginx/conf.d/*.conf; server { - listen 8080 default_server; - listen [::]:8080 default_server; + listen {{elk_server_ssl_cert_port}} default_server; + listen [::]:{{elk_server_ssl_cert_port}} default_server; server_name _; root /usr/share/nginx/html;