Changes in patchset #11:
1) moved to putting default port variables in group_vars/all.yml
2) updated README to specify changing port variables for undercloud deployments
3) removed setting variables in the nginx task, but we can utilize fail: checks
for variable checks instead (cleaner).
Changes in patchset #10:
1) added become: true for filebeat per jtaleric comments
2) added no_log: True to reduce unnecessary firewall debug discovery
during the playbook run
Changes in patchset #9:
Rebased against commit 5ef39f88dd
Changes in patchset #8:
1) use restart instead of start for ansible service
this will address when you re-run playbooks if you
decide to change the listener ports
Changes in patchset #7:
1) use rpm_key ansible module instead of rpm command
for GPG key management
Changes in patchset #6:
1) ensure elk_server_ssl_cert_port variable can be set
for non-standard port access like elk_server
Changes in patchset #5:
1) use 'become=true' for all operations within filebeat
so that elk clients running as non-root (but privileged)
users can run client deployments.
Changes in patchset #4:
1) turn logstash stdout off by default
2) remove unneeded logstash refresh
Changes in patchset #3:
1) remove debug statements for port variable testing
Changes in patchset #2:
1) remove unneeded conditional logic, only comparison
for 'none' is needed.
2) fix duplicate variable assignment
3) add more info to group_vars/all comments that you
need to use nonstandard ports for both if you need one
only.
Changes introduced in patchset #1:
This provides the following functionality:
1) adds two new variables to group_vars/all:
* nginx_kibana_port
* elk_server_ssl_cert_port
2) sets a normal default for these ports if
they are not defined explicitly.
If these are not defined then default ports of 80/TCP
and 8080/TCP will be used respectively.
If they are defined (in case of undercloud install where lots
of services/ports are listening on standard ports) then both
nginx jinja2 templates will be updated along with firewall rules.
Why we need this functionality, and why we should use it:
1) Avoid hard-coded defaults like 1.1.1.1 or service ports
2) Minimize the amount of editing needed for variables before
Browbeat can be run by users
Change-Id: Ia689f73d9c0c83de4d34a1954824afbee8205c25
---
#
# Install/run logstash for browbeat
#
- name: Copy logstash yum repo file
  # Stage the logstash repo definition for yum. The target directory is
  # root-owned, hence the escalation.
  copy:
    src: logstash.repo
    dest: /etc/yum.repos.d/logstash.repo
    owner: root
    group: root
    mode: "0644"
  become: true

- name: Install logstash rpms
  # One yum invocation per entry of the package list below.
  yum:
    name: "{{ item }}"
    state: present
  with_items:
    - logstash
  become: true

- name: Copy logstash input filters
  # Lumberjack input pipeline definition for logstash.
  copy:
    src: 01-lumberjack-input.conf
    dest: /etc/logstash/conf.d/01-lumberjack-input.conf
    owner: root
    group: root
    mode: "0644"
  become: true

- name: Copy logstash output filters
  # Elasticsearch output pipeline definition. The destination file name
  # differs from the source name (lumberjack vs elasticsearch) — TODO confirm
  # that is intentional.
  copy:
    src: 30-elasticsearch-output.conf
    dest: /etc/logstash/conf.d/30-lumberjack-output.conf
    owner: root
    group: root
    mode: "0644"
  become: true

- name: Copy logstash syslog filters
  # Syslog pipeline definition for logstash.
  copy:
    src: 10-syslog.conf
    dest: /etc/logstash/conf.d/10-syslog.conf
    owner: root
    group: root
    mode: "0644"
  become: true

- name: Copy logstash local syslog filter
  # Local syslog filter definition. The result is registered so a later
  # task can react to a change; nothing in the visible part of this file
  # reads logstash_needs_restart — TODO confirm a consumer exists.
  copy:
    src: 10-syslog-filter.conf
    dest: /etc/logstash/conf.d/10-syslog-filter.conf
    owner: root
    group: root
    mode: "0644"
  register: logstash_needs_restart
  become: true

- name: Copy filebeat input filter
  # Beats input pipeline definition for logstash.
  copy:
    src: 02-beats-input.conf
    dest: /etc/logstash/conf.d/02-beats-input.conf
    owner: root
    group: root
    mode: "0644"
  become: true

- name: Stage filebeat JSON index template
  # Hand-off point for the curl task further down, which reads this file
  # back. NOTE(review): a fixed, predictable path under /tmp is used for the
  # hand-off; a root-only staging directory would be more robust — confirm.
  copy:
    src: filebeat-index-template.json
    dest: /tmp/filebeat-index-template.json
    owner: root
    group: root
    mode: "0644"
  become: true

- name: Load OpenSSL CA Extended Configuration
  # Render the extra OpenSSL config from its jinja2 template into the
  # system TLS directory.
  template:
    src: openssl_extras.cnf.j2
    dest: /etc/pki/tls/openssl_extras.cnf
    owner: root
    group: root
    mode: "0644"
  become: true

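- name: Check OpenSSL SANs (SubjectAltName) entry for CA
  # Count the lines of openssl.cnf that mention this host's default IPv4
  # address; the next task adds a subjectAltName only when the count is 0.
  # A pipeline is needed, hence shell rather than command.
  shell: grep "{{ ansible_default_ipv4.address }}" /etc/pki/tls/openssl.cnf | wc -l
  ignore_errors: true
  register: subjectAltName_exists
  # read-only probe: must not be reported as a change on every run
  changed_when: false
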
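- name: Add OpenSSL SANs (SubjectAltName) entry for CA
  # Insert a subjectAltName for this host's default IPv4 address ahead of
  # the "# Extensions for a typical CA" stanza, only when the grep above
  # found no mention of the address. No regexp is given: the previous
  # '^ Extensions for a typical CA' pattern could not match the '#'-prefixed
  # comment line that insertbefore targets, so it never selected a line to
  # replace; lineinfile's exact-line presence check plus insertbefore gives
  # the same placement.
  lineinfile:
    dest: /etc/pki/tls/openssl.cnf
    line: 'subjectAltName = "{{ ansible_default_ipv4.address }}"'
    insertbefore: '# Extensions for a typical CA'
    backup: true
  # /etc/pki/tls/openssl.cnf is root-owned; the copy/template tasks above
  # escalate for their writes, so this write does too.
  become: true
  when: subjectAltName_exists.stdout|int == 0
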
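# note: we can't currently use the Ansible uri module here, curl is a workaround
# https://github.com/ansible/ansible-modules-core/issues/265
# http://stackoverflow.com/questions/28997007/translate-curl-put-into-ansible-uri-module
- name: Load filebeat JSON index template
  # POST the staged template to the local Elasticsearch. --fail makes curl
  # exit non-zero on an HTTP error, so a rejected template shows up in the
  # play output (as an ignored failure) instead of being reported as ok.
  # The explicit JSON content type is required by newer Elasticsearch
  # releases and harmless on older ones.
  command: >-
    curl --fail --silent --show-error -XPOST
    -H 'Content-Type: application/json'
    'http://localhost:9200/_template/filebeat?pretty'
    -d@/tmp/filebeat-index-template.json
  # best-effort: an unreachable Elasticsearch must not abort the play
  ignore_errors: true
  become: true
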
- name: Setup logstash service
  # Start logstash now and enable it at boot.
  service:
    name: logstash
    state: started
    enabled: true
  become: true

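# The tasks below open TCP/5044 for the logstash listener:
# determine firewall status and take action
# 1) use firewall-cmd if firewalld is utilized
# 2) insert iptables rule if iptables is used

# Firewalld
- name: Determine if firewalld is in use
  # rc == 0 when the unit is enabled and neither masked nor disabled.
  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
  ignore_errors: true
  register: firewalld_in_use
  # read-only probe: must not be reported as a change on every run
  changed_when: false
  # keeps the probe output out of the play log (noise reduction, not secrets)
  no_log: true
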
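- name: Determine if firewalld is active
  # rc == 0 when `systemctl is-active` prints something other than "inactive".
  shell: systemctl is-active firewalld.service | grep -vq inactive
  ignore_errors: true
  register: firewalld_is_active
  # read-only probe: must not be reported as a change on every run
  changed_when: false
  # noise reduction only; nothing sensitive is produced here
  no_log: true
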
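- name: Determine if TCP/5044 is already active
  # rc == 0 when 5044/tcp is already open in the public zone, the zone the
  # add task below writes to. --list-ports prints all ports on one
  # space-separated line, so they are split one per line before matching;
  # the previous '^5044/tcp' test only succeeded when 5044 happened to be
  # the first port listed.
  shell: firewall-cmd --zone=public --list-ports | tr ' ' '\n' | egrep -q '^5044/tcp$'
  ignore_errors: true
  register: firewalld_tcp5044_exists
  # read-only probe: must not be reported as a change on every run
  changed_when: false
  # noise reduction only; nothing sensitive is produced here
  no_log: true
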
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/5044 (firewalld)
  # Two commands, run in order: open the port in the permanent public-zone
  # configuration, then reload so the runtime configuration picks it up.
  # Only runs when firewalld is enabled and active and the port probe above
  # found nothing.
  command: "{{ item }}"
  become: true
  ignore_errors: true
  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp5044_exists.rc != 0
  with_items:
    - firewall-cmd --zone=public --add-port=5044/tcp --permanent
    - firewall-cmd --reload

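# iptables-services
- name: check firewall rules for TCP/5044 (iptables-services)
  # Count ACCEPT rules for dport 5044 in the persistent rule file.
  shell: grep "dport 5044 \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
  register: iptables_tcp5044_exists
  # rc 127 = command not found. The previous form compared the whole
  # registered result mapping to 127 and so could never be true.
  failed_when: iptables_tcp5044_exists.rc == 127
  # read-only probe: must not be reported as a change on every run
  changed_when: false
  # /etc/sysconfig/iptables is typically readable by root only; without
  # escalation grep fails with permission denied, wc -l yields 0, and the
  # add task below would wrongly conclude that no rule exists.
  become: true
  # noise reduction only; nothing sensitive is produced here
  no_log: true
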
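- name: Add firewall rule for TCP/5044 (iptables-services)
  # Insert an ACCEPT for TCP/5044 ahead of the loopback accept rule when
  # firewalld is neither enabled nor active and the grep above found no
  # matching rule. No regexp is given: the previous '^INPUT -i lo -j ACCEPT'
  # pattern could not match the '-A INPUT -i lo -j ACCEPT' line it was aimed
  # at, so it never selected a line to replace; lineinfile's exact-line
  # presence check plus insertbefore gives the same placement.
  lineinfile:
    dest: /etc/sysconfig/iptables
    line: '-A INPUT -p tcp -m tcp --dport 5044 -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: true
  # the persistent rule file is root-owned
  become: true
  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp5044_exists.stdout|int == 0
  # Consumers should test `iptables_needs_restart.changed`: the registered
  # value is a result mapping, so a comparison such as `!= 0` is always
  # true and would restart iptables on every run.
  register: iptables_needs_restart
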
- name: Restart iptables-services for TCP/5044 (iptables-services)
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0