From 3e265a467d1f981ae85d126bfcf4cd694f00abfc Mon Sep 17 00:00:00 2001 From: Michael Russell Date: Thu, 27 Dec 2018 16:42:14 +0100 Subject: [PATCH 01/71] Allow switching between oss and standard packages Before only going from the standard package to oss was supported. Now this works properly in both directions. --- tasks/compatibility-variables.yml | 2 ++ tasks/elasticsearch-Debian.yml | 11 +++++------ tasks/elasticsearch-RedHat.yml | 5 ++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index e56e3c1..639534d 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -14,6 +14,7 @@ es_xpack_conf_subdir: "" es_repo_name: "{{ es_major_version }}" es_xpack_users_command: "elasticsearch-users" + es_other_package_name: "elasticsearch-oss" - name: Detect if es_version is before X-Pack was open and included set_fact: @@ -33,6 +34,7 @@ set_fact: es_repo_name: "{{ 'oss-' + es_major_version }}" es_package_name: "elasticsearch-oss" + es_other_package_name: "elasticsearch" when: - es_open_xpack - not es_enable_xpack diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index eec8be8..680f654 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -26,12 +26,10 @@ when: es_use_repository -- name: Gracefully stop and remove elasticsearch if we are switching to the oss version - when: - - es_package_name == 'elasticsearch-oss' +- name: Gracefully stop and remove elasticsearch package if switching between OSS and standard block: - name: Check if the elasticsearch package is installed - shell: dpkg-query -W -f'${Status}' elasticsearch + shell: "dpkg-query -W -f'${Status}' {{ es_other_package_name }}" register: elasticsearch_package failed_when: False changed_when: False 
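Review bot: In tasks/elasticsearch-Debian.yml (hunk `@@ -26,12 +26,10 @@`) the package name is now templated into a `shell` string, so whatever `es_other_package_name` holds is parsed by the shell on the target. The values assigned in tasks/compatibility-variables.yml are fixed literals, but the variable can presumably be overridden from outside the role like any other, so I would quote it: `shell: "dpkg-query -W -f'${Status}' {{ es_other_package_name | quote }}"`. The block this task belongs to continues in the next hunk.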
@@ -43,13 +41,14 @@ state: stopped when: elasticsearch_package.stdout == 'install ok installed' - - name: Debian - Remove elasticsearch package if we are installing the oss package + - name: Debian - Remove elasticsearch package if we are switching to a different package type become: yes apt: - name: 'elasticsearch' + name: '{{ es_other_package_name }}' state: absent when: elasticsearch_package.stdout == 'install ok installed' + - name: Debian - Ensure elasticsearch is installed become: yes apt: diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml index a57ab71..aa59b9c 100644 --- a/tasks/elasticsearch-RedHat.yml +++ b/tasks/elasticsearch-RedHat.yml @@ -20,12 +20,11 @@ include: elasticsearch-RedHat-version-lock.yml when: es_version_lock -- name: RedHat - Remove non oss package if the old elasticsearch package is installed +- name: RedHat - Remove the other elasticsearch package if switching between OSS and standard become: yes yum: - name: 'elasticsearch' + name: es_other_package_name state: 'absent' - when: es_package_name == 'elasticsearch-oss' - name: RedHat - Install Elasticsearch become: yes From c2e51f8ecfdcb99c8e2b0b177b372ac7fcd432ee Mon Sep 17 00:00:00 2001 From: Michael Russell Date: Thu, 27 Dec 2018 17:35:44 +0100 Subject: [PATCH 02/71] Fix jinja syntax variable fun How it was previously "worked" but just ignored trying to remove the package. Luckily it was caught by the test-kitchen testing! --- tasks/elasticsearch-RedHat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml index aa59b9c..d002991 100644 --- a/tasks/elasticsearch-RedHat.yml +++ b/tasks/elasticsearch-RedHat.yml @@ -23,7 +23,7 @@ - name: RedHat - Remove the other elasticsearch package if switching between OSS and standard become: yes yum: - name: es_other_package_name + name: '{{ es_other_package_name }}' state: 'absent' - name: RedHat - Install Elasticsearch 
From 69c49fc0cd28569458a09182a356ab4c4dfb8615 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karri=20Niemel=C3=A4?= Date: Mon, 19 Nov 2018 09:32:30 +0200 Subject: [PATCH 03/71] Update elasticsearch-parameters.yml Fixing data_dirs name typo --- tasks/elasticsearch-parameters.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index dc8a177..df1ba0e 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml @@ -71,5 +71,5 @@ set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}} - name: set fact log_dir set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}} -- name: set fact log_dir +- name: set fact data_dirs set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }} From 124775740aacece7d8bd51f235d0578da33aa0a4 Mon Sep 17 00:00:00 2001 From: Michel Weitbrecht Date: Thu, 27 Dec 2018 21:54:45 +0100 Subject: [PATCH 04/71] Fix package download URL and set ES_PATH_CONF The old URL yields a 404. ES_PATH_CONF is also needed when installing elasticsearch using the downloaded package. --- tasks/elasticsearch-Debian.yml | 2 ++ vars/main.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index eec8be8..fc2bcec 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -78,3 +78,5 @@ when: not es_use_repository register: elasticsearch_install_from_package notify: restart elasticsearch + environment: + ES_PATH_CONF: "/etc/elasticsearch" diff --git a/vars/main.yml b/vars/main.yml index 165a45c..2c07de1 100644 --- a/vars/main.yml +++ b/vars/main.yml 
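Review bot: The new `environment` entry in tasks/elasticsearch-Debian.yml (hunk `@@ -78,3 +78,5 @@`) hard-codes `/etc/elasticsearch`, duplicating the `es_conf_dir` value that is visible in vars/main.yml in this same patch. Referencing the variable keeps the two from drifting apart: `ES_PATH_CONF: "{{ es_conf_dir }}"`. The task these lines belong to starts above the hunk, so I cannot see which module receives the environment.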
@@ -1,5 +1,5 @@ --- -es_package_url: "https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch" +es_package_url: "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch" es_conf_dir: "/etc/elasticsearch" sysd_script: "/usr/lib/systemd/system/elasticsearch.service" init_script: "/etc/init.d/elasticsearch" From a10676384f54bfbee1d36192ab6fdbab52a50523 Mon Sep 17 00:00:00 2001 From: Michel Weitbrecht Date: Thu, 27 Dec 2018 22:47:24 +0100 Subject: [PATCH 05/71] Refactor deprecated filter calls Previously, each of the calls generated a warning : "Using tests as filters is deprecated. Instead of using `result|version_compare` use `result is version_compare`. This feature will be removed in version 2.9.". --- defaults/main.yml | 2 +- tasks/compatibility-variables.yml | 2 +- tasks/xpack/elasticsearch-xpack.yml | 2 +- .../xpack/security/elasticsearch-security.yml | 2 +- templates/elasticsearch.yml.j2 | 2 +- templates/init/debian/elasticsearch.j2 | 2 +- templates/init/redhat/elasticsearch.j2 | 2 +- templates/log4j2.properties.j2 | 18 +++++++++--------- templates/systemd/elasticsearch.j2 | 4 ++-- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f9f140b..91177cb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -27,7 +27,7 @@ es_data_dirs: "/var/lib/elasticsearch" es_log_dir: "/var/log/elasticsearch" es_action_auto_create_index: true es_max_open_files: 65536 -es_max_threads: "{{ 2048 if ( es_version | version_compare('6.0.0', '<')) else 8192 }}" +es_max_threads: "{{ 2048 if ( es_version is version_compare('6.0.0', '<')) else 8192 }}" es_max_map_count: 262144 es_allow_downgrades: false es_xpack_features: ["alerting","monitoring","graph","ml","security"] diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index e56e3c1..b5cf31c 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml 
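Review bot: `es_package_url` in vars/main.yml (hunk `@@ -1,5 +1,5 @@`) appears to feed the install path taken when `es_use_repository` is false, and a package fetched that way is not covered by the apt/yum repository signature check. The install task is outside this patch, so I cannot tell whether it verifies what it downloads; if it does not, fetch the file with `get_url` and its `checksum` parameter (Elastic publishes a `.sha512` file next to each artifact) before installing it. At minimum I would add a comment above the variable: `# direct download, not covered by repository signature checks; verify the checksum before installing`.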
@@ -18,7 +18,7 @@ - name: Detect if es_version is before X-Pack was open and included set_fact: es_open_xpack: false - when: "es_version | version_compare('6.3.0', '<')" + when: "es_version is version_compare('6.3.0', '<')" - name: If this is an older version we need to install X-Pack as a plugin and use a differet users command set_fact: diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index 2074dcb..c3c3906 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -20,4 +20,4 @@ - name: Set elasticsearch.keystore Permissions become: yes file: state=file path={{ conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }} - when: es_enable_xpack and "security" in es_xpack_features and (es_version | version_compare('6.0.0', '>')) + when: es_enable_xpack and "security" in es_xpack_features and (es_version is version_compare('6.0.0', '>')) diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 8f749f8..048351b 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml @@ -14,7 +14,7 @@ #-----------------------------Create Bootstrap User----------------------------------- ### START BLOCK elasticsearch keystore ### - name: create the elasticsearch keystore - when: (es_enable_xpack and "security" in es_xpack_features) and (es_version | version_compare('6.0.0', '>')) + when: (es_enable_xpack and "security" in es_xpack_features) and (es_version is version_compare('6.0.0', '>')) block: - name: create the keystore if it doesn't exist yet become: yes diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index ef8dd9b..09f8af0 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 
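Review bot: The condition `es_version is version_compare('6.0.0', '>')` in tasks/xpack/elasticsearch-xpack.yml (hunk `@@ -20,4 +20,4 @@`) is false for `es_version: "6.0.0"` itself, while the pre-6 branches elsewhere in this patch test `'<'`, so exactly 6.0.0 falls into neither. Here that means the keystore ownership task is skipped for that version; the same comparison guards keystore creation in tasks/xpack/security/elasticsearch-security.yml (`@@ -14,7 +14,7 @@`) and the size-based rollover in templates/log4j2.properties.j2 (`@@ -27,7 +27,7 @@`). The refactor faithfully keeps the old behaviour, but if 6.0.0 is meant to be supported the operator should be `'>='`: `(es_version is version_compare('6.0.0', '>='))`.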
@@ -15,7 +15,7 @@ node.name: {{inventory_hostname}}-{{es_instance_name}} # Path to directory containing configuration (this file and logging.yml): -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} path.conf: {{ conf_dir }} {% endif %} diff --git a/templates/init/debian/elasticsearch.j2 b/templates/init/debian/elasticsearch.j2 index efe2c37..7d7e346 100755 --- a/templates/init/debian/elasticsearch.j2 +++ b/templates/init/debian/elasticsearch.j2 @@ -92,7 +92,7 @@ fi # Define other required variables PID_FILE="$PID_DIR/$NAME.pid" DAEMON=$ES_HOME/bin/elasticsearch -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} DAEMON_OPTS="-d -p $PID_FILE -Edefault.path.logs=$LOG_DIR -Edefault.path.data=$DATA_DIR -Edefault.path.conf=$CONF_DIR" {% else %} DAEMON_OPTS="-d -p $PID_FILE" diff --git a/templates/init/redhat/elasticsearch.j2 b/templates/init/redhat/elasticsearch.j2 index c993e14..8ba1164 100755 --- a/templates/init/redhat/elasticsearch.j2 +++ b/templates/init/redhat/elasticsearch.j2 @@ -140,7 +140,7 @@ start() { cd $ES_HOME echo -n $"Starting $prog: " # if not running, start it up here, usually something like "daemon $exec" -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} daemon --user $ES_USER --pidfile $pidfile $exec -p $pidfile -d -Edefault.path.logs=$LOG_DIR -Edefault.path.data=$DATA_DIR -Edefault.path.conf=$CONF_DIR {% else %} daemon --user $ES_USER --pidfile $pidfile $exec -p $pidfile -d diff --git a/templates/log4j2.properties.j2 b/templates/log4j2.properties.j2 index 269be52..dbfb23e 100644 --- a/templates/log4j2.properties.j2 +++ b/templates/log4j2.properties.j2 
@@ -11,14 +11,14 @@ appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n appender.rolling.type = RollingFile appender.rolling.name = rolling -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} appender.rolling.fileName = ${sys:es.logs}.log {% else %} appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log {% endif %} appender.rolling.layout.type = PatternLayout appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} appender.rolling.filePattern = ${sys:es.logs}-%d{yyyy-MM-dd}.log {% else %} appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz @@ -27,7 +27,7 @@ appender.rolling.policies.type = Policies appender.rolling.policies.time.type = TimeBasedTriggeringPolicy appender.rolling.policies.time.interval = 1 appender.rolling.policies.time.modulate = true -{% if (es_version | version_compare('6.0.0', '>')) %} +{% if (es_version is version_compare('6.0.0', '>')) %} appender.rolling.policies.size.type = SizeBasedTriggeringPolicy appender.rolling.policies.size.size = 128MB appender.rolling.strategy.type = DefaultRolloverStrategy 
@@ -45,14 +45,14 @@ rootLogger.appenderRef.rolling.ref = rolling appender.deprecation_rolling.type = RollingFile appender.deprecation_rolling.name = deprecation_rolling -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} appender.deprecation_rolling.fileName = ${sys:es.logs}_deprecation.log {% else %} appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log {% endif %} appender.deprecation_rolling.layout.type = PatternLayout appender.deprecation_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} appender.deprecation_rolling.filePattern = ${sys:es.logs}_deprecation-%i.log.gz {% else %} appender.deprecation_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.log.gz 
@@ -70,14 +70,14 @@ logger.deprecation.additivity = false appender.index_search_slowlog_rolling.type = RollingFile appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} appender.index_search_slowlog_rolling.fileName = ${sys:es.logs}_index_search_slowlog.log {% else %} appender.index_search_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog.log {% endif %} appender.index_search_slowlog_rolling.layout.type = PatternLayout appender.index_search_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs}_index_search_slowlog-%d{yyyy-MM-dd}.log {% else %} appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog-%d{yyyy-MM-dd}.log 
@@ -94,14 +94,14 @@ logger.index_search_slowlog_rolling.additivity = false appender.index_indexing_slowlog_rolling.type = RollingFile appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs}_index_indexing_slowlog.log {% else %} appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog.log {% endif %} appender.index_indexing_slowlog_rolling.layout.type = PatternLayout appender.index_indexing_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs}_index_indexing_slowlog-%d{yyyy-MM-dd}.log {% else %} appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog-%d{yyyy-MM-dd}.log diff --git a/templates/systemd/elasticsearch.j2 b/templates/systemd/elasticsearch.j2 index 8bd5545..a1747d0 100644 --- a/templates/systemd/elasticsearch.j2 +++ b/templates/systemd/elasticsearch.j2 @@ -18,13 +18,13 @@ WorkingDirectory={{es_home}} User={{es_user}} Group={{es_group}} -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec {% endif %} ExecStart={{es_home}}/bin/elasticsearch \ -p ${PID_DIR}/elasticsearch.pid \ -{% if (es_version | version_compare('6.0.0', '<')) %} +{% if (es_version is version_compare('6.0.0', '<')) %} -Edefault.path.logs=${LOG_DIR} \ -Edefault.path.data=${DATA_DIR} \ -Edefault.path.conf=${CONF_DIR} \ From 486717bc6f4936c244a6c9497f2f8686cab289dd Mon Sep 17 00:00:00 2001 
From: Michael Russell Date: Mon, 31 Dec 2018 17:28:37 +0100 Subject: [PATCH 06/71] Remove the other Elasticsearch repo when switching versions --- tasks/compatibility-variables.yml | 2 ++ tasks/elasticsearch-RedHat.yml | 11 ++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index 639534d..2116dfd 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -15,6 +15,7 @@ es_repo_name: "{{ es_major_version }}" es_xpack_users_command: "elasticsearch-users" es_other_package_name: "elasticsearch-oss" + es_other_repo_name: "{{ 'oss-' + es_major_version }}" - name: Detect if es_version is before X-Pack was open and included set_fact: @@ -33,6 +34,7 @@ - name: Use the oss repo and package if xpack is not being used set_fact: es_repo_name: "{{ 'oss-' + es_major_version }}" + es_other_repo_name: "{{ es_major_version }}" es_package_name: "elasticsearch-oss" es_other_package_name: "elasticsearch" when: diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml index d002991..190adc3 100644 --- a/tasks/elasticsearch-RedHat.yml +++ b/tasks/elasticsearch-RedHat.yml @@ -13,7 +13,16 @@ - name: RedHat - add Elasticsearch repo become: yes - template: src=elasticsearch.repo dest=/etc/yum.repos.d/elasticsearch-{{ es_repo_name }}.repo + template: + src: 'elasticsearch.repo' + dest: '/etc/yum.repos.d/elasticsearch-{{ es_repo_name }}.repo' + when: es_use_repository + +- name: RedHat - remove unused Elasticsearch repo + become: yes + template: + src: 'elasticsearch.repo' + dest: '/etc/yum.repos.d/elasticsearch-{{ es_other_repo_name }}.repo' when: es_use_repository - name: RedHat - include versionlock From 5126dbc5e8fe7364e7b3a2c30e66c132e3966108 Mon Sep 17 00:00:00 2001 
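Review bot: The rewritten `template` task in tasks/elasticsearch-RedHat.yml (hunk `@@ -13,7 +13,16 @@`) sets no `owner`, `group` or `mode`, so the permissions of the file under /etc/yum.repos.d depend on the umask of the become user. A repo definition decides where packages and their signing key come from, so I would pin it explicitly by adding `owner: root`, `group: root` and `mode: '0644'` under `dest:`.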
From: Michael Russell Date: Wed, 2 Jan 2019 10:06:47 +0100 Subject: [PATCH 07/71] Actually remove the unused RedHat repository --- tasks/elasticsearch-RedHat.yml | 6 ++--- .../helpers/serverspec/shared_spec.rb | 25 +++++++++++++++++++ 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml index 190adc3..c872fc3 100644 --- a/tasks/elasticsearch-RedHat.yml +++ b/tasks/elasticsearch-RedHat.yml @@ -20,9 +20,9 @@ - name: RedHat - remove unused Elasticsearch repo become: yes - template: - src: 'elasticsearch.repo' - dest: '/etc/yum.repos.d/elasticsearch-{{ es_other_repo_name }}.repo' + file: + path: '/etc/yum.repos.d/elasticsearch-{{ es_other_repo_name }}.repo' + state: absent when: es_use_repository - name: RedHat - include versionlock diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index d707cde..eca6682 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb 
@@ -167,4 +167,29 @@ shared_examples 'shared::init' do |vars| its(:content) { should match "path.data: #{vars['data_dirs'].join(',')}" } its(:content) { should match "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" } end + + if vars['es_use_repository'] + if vars['ansible_os_family'] == 'RedHat' + describe file("/etc/yum.repos.d/elasticsearch-#{vars['es_repo_name']}.repo") do + it { should exist } + end + describe yumrepo("elasticsearch-#{vars['es_repo_name']}") do + it { should exist } + it { should be_enabled } + end + describe file("/etc/yum.repos.d/elasticsearch-#{vars['es_other_repo_name']}.repo") do + it { should_not exist } + end + describe yumrepo("elasticsearch-#{vars['es_other_repo_name']}") do + it { should_not exist } + it { should_not be_enabled } + end + end + if vars['ansible_os_family'] == 'Debian' + describe command('apt-cache policy') do + its(:stdout) { should match /elastic.co.*\/#{Regexp.quote(vars['es_repo_name'])}\//} + its(:stdout) { should_not match /elastic.co.*\/#{Regexp.quote(vars['es_other_repo_name'])}\//} + end + end + end end From f7d402369c4185bed3c4b909afb310e22ec578fc Mon Sep 17 00:00:00 2001 From: Michael Russell Date: Wed, 2 Jan 2019 10:39:48 +0100 Subject: [PATCH 08/71] Properly cleanup the other apt repository when switching packages --- tasks/compatibility-variables.yml | 2 ++ tasks/elasticsearch-Debian.yml | 47 +++++++++++++++++-------------- 2 files changed, 28 insertions(+), 21 deletions(-) diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index 2116dfd..0907ad2 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml 
@@ -16,6 +16,7 @@ es_xpack_users_command: "elasticsearch-users" es_other_package_name: "elasticsearch-oss" es_other_repo_name: "{{ 'oss-' + es_major_version }}" + es_other_apt_url: "deb https://artifacts.elastic.co/packages/{{ 'oss-' + es_major_version }}/apt stable main" - name: Detect if es_version is before X-Pack was open and included set_fact: @@ -35,6 +36,7 @@ set_fact: es_repo_name: "{{ 'oss-' + es_major_version }}" es_other_repo_name: "{{ es_major_version }}" + es_other_apt_url: "deb https://artifacts.elastic.co/packages/{{ es_major_version }}/apt stable main" es_package_name: "elasticsearch-oss" es_other_package_name: "elasticsearch" when: diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 680f654..2739e51 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -7,26 +7,8 @@ set_fact: force_install=yes when: es_allow_downgrades -- name: Debian - Install apt-transport-https to support https APT downloads - become: yes - apt: name=apt-transport-https state=present - when: es_use_repository - -- name: Debian - Add Elasticsearch repository key - become: yes - apt_key: url="{{ es_apt_key }}" state=present - when: es_use_repository and es_apt_key - -- name: Debian - Add elasticsearch repository - become: yes - apt_repository: repo={{ item.repo }} state={{ item.state}} - with_items: - - { repo: "{{ es_apt_url_old }}", state: "absent" } - - { repo: "{{ es_apt_url }}", state: "present" } - when: es_use_repository - - - name: Gracefully stop and remove elasticsearch package if switching between OSS and standard + become: yes block: - name: Check if the elasticsearch package is installed shell: "dpkg-query -W -f'${Status}' {{ es_other_package_name }}" 
@@ -35,20 +17,43 @@ changed_when: False - name: stop elasticsearch - become: yes service: name: '{{ instance_init_script | basename }}' state: stopped when: elasticsearch_package.stdout == 'install ok installed' - name: Debian - Remove elasticsearch package if we are switching to a different package type - become: yes apt: name: '{{ es_other_package_name }}' state: absent when: elasticsearch_package.stdout == 'install ok installed' +- name: Install Elasticsearch repository + when: es_use_repository + become: yes + block: + - name: Debian - Install apt-transport-https to support https APT downloads + apt: + name: apt-transport-https + state: present + + - name: Debian - Add Elasticsearch repository key + apt_key: + url: '{{ es_apt_key }}' + state: present + when: es_apt_key is defined + + - name: Debian - Add elasticsearch repository + apt_repository: + repo: '{{ item.repo }}' + state: '{{ item.state }}' + with_items: + - { repo: "{{ es_apt_url_old }}", state: "absent" } + - { repo: "{{ es_apt_url }}", state: "present" } + - { repo: "{{ es_other_apt_url }}", state: "absent" } + + - name: Debian - Ensure elasticsearch is installed become: yes apt: From 596f313b170ee372188ac851036eceebae76bd9c Mon Sep 17 00:00:00 2001 From: Frank Fischer Date: Mon, 14 Jan 2019 11:24:32 +0100 Subject: [PATCH 09/71] Allow not installing Elasticsearch deb repository key If a variable is set in Ansible, there is no way to unset it ever again, i.e. 'null' or '~' do not work. Since this value is set in defaults we have to check for content instead of defined. --- tasks/elasticsearch-Debian.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 41a2256..7b9a735 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml 
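Review bot: The `apt_key` task in the new "Install Elasticsearch repository" block of tasks/elasticsearch-Debian.yml (hunk `@@ -35,20 +17,43 @@`) accepts whatever key is served at `es_apt_key`, because no `id` is given. Pinning the expected fingerprint means a different key at that URL shows up as a task failure instead of passing silently: add `id: '<ELASTIC_SIGNING_KEY_FINGERPRINT>'` (placeholder; take the real value from Elastic's published documentation, not from the URL being checked). This matters more once the key URL can point at a mirror or cache.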
@@ -42,7 +42,7 @@ apt_key: url: '{{ es_apt_key }}' state: present - when: es_apt_key is defined + when: es_apt_key | string - name: Debian - Add elasticsearch repository apt_repository: From 5d0dcbe147d294add938f864f6a7c0fdeb908af3 Mon Sep 17 00:00:00 2001 From: "shin.katsumaru" Date: Tue, 15 Jan 2019 17:19:02 +0900 Subject: [PATCH 10/71] Execute java version check in check mode --- tasks/java.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/java.yml b/tasks/java.yml index a7174da..68abc53 100644 --- a/tasks/java.yml +++ b/tasks/java.yml @@ -18,6 +18,7 @@ register: java_full_path failed_when: False changed_when: False + check_mode: no when: ansible_os_family == 'RedHat' - name: correct java version selected From 2aa0b38449336cd5072457c01efb2d31c08823d3 Mon Sep 17 00:00:00 2001 From: Branen Salmon Date: Wed, 16 Jan 2019 16:11:51 -0500 Subject: [PATCH 11/71] Template out the base of repo URLs Some popular artifact caches (e.g. Artifactory) do not provide HTTP CONNECT endpoints and thus aren't supported by es_proxy_host and es_proxy_port. This patch templates out the scheme and authority components (i.e. "https://artifacts.elastic.co" ) of the apt and yum repo URLs to accommodate the use of such artifact caches. --- defaults/main.yml | 5 +++-- tasks/compatibility-variables.yml | 4 ++-- templates/elasticsearch.repo | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f9f140b..c01ea48 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
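Review bot: `when: es_apt_key | string` in tasks/elasticsearch-Debian.yml (hunk `@@ -42,7 +42,7 @@`) is only false for the empty string; as far as I can tell `false` and `null` stringify to the non-empty `False` and `None`, so those values would still run `apt_key` with a nonsense URL. If the intent is "skip when no usable URL is set", I would write `when: es_apt_key | default('', true) | length > 0` and add a comment saying that `es_apt_key: ''` is the supported way to opt out. It is also worth a line in the README that opting out leaves package signature verification to a key the operator installs by other means.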
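Review bot: `check_mode: no` in tasks/java.yml (hunk `@@ -18,6 +18,7 @@`) makes this task execute on the target even under `--check`, which is only safe while the command stays read-only; the command itself is above the hunk, so I cannot confirm that from here. I would record the reason next to the flag: `check_mode: no  # read-only query; must run under --check so later tasks can use the registered result`. The same comment belongs on the `check_mode: no` lines added later in this series in tasks/elasticsearch-Debian.yml (`@@ -15,6 +15,7 @@`, the `dpkg-query` task) and tasks/java.yml (`@@ -44,6 +44,7 @@`).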
@@ -7,8 +7,9 @@ es_package_name: "elasticsearch" es_version_lock: false es_use_repository: true es_templates_fileglob: "files/templates/*.json" -es_apt_key: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" -es_apt_url: "deb https://artifacts.elastic.co/packages/{{ es_repo_name }}/apt stable main" +es_repo_base: "https://artifacts.elastic.co" +es_apt_key: "{{ es_repo_base }}/GPG-KEY-elasticsearch" +es_apt_url: "deb {{ es_repo_base }}/packages/{{ es_repo_name }}/apt stable main" es_apt_url_old: "deb http://packages.elastic.co/elasticsearch/{{ es_repo_name }}/debian stable main" es_start_service: true es_java_install: true diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index 0907ad2..39f210f 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -16,7 +16,7 @@ es_xpack_users_command: "elasticsearch-users" es_other_package_name: "elasticsearch-oss" es_other_repo_name: "{{ 'oss-' + es_major_version }}" - es_other_apt_url: "deb https://artifacts.elastic.co/packages/{{ 'oss-' + es_major_version }}/apt stable main" + es_other_apt_url: "deb {{ es_repo_base }}/packages/{{ 'oss-' + es_major_version }}/apt stable main" - name: Detect if es_version is before X-Pack was open and included set_fact: @@ -36,7 +36,7 @@ set_fact: es_repo_name: "{{ 'oss-' + es_major_version }}" es_other_repo_name: "{{ es_major_version }}" - es_other_apt_url: "deb https://artifacts.elastic.co/packages/{{ es_major_version }}/apt stable main" + es_other_apt_url: "deb {{ es_repo_base }}/packages/{{ es_major_version }}/apt stable main" es_package_name: "elasticsearch-oss" es_other_package_name: "elasticsearch" when: diff --git a/templates/elasticsearch.repo b/templates/elasticsearch.repo index 833463c..0cf2fb7 100644 --- a/templates/elasticsearch.repo +++ b/templates/elasticsearch.repo 
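Review bot: With `es_repo_base` in defaults/main.yml (hunk `@@ -7,8 +7,9 @@`) the signing key URL `es_apt_key` and the package URL `es_apt_url` are derived from one origin, and templates/elasticsearch.repo (`@@ -1,8 +1,8 @@`) does the same for `gpgkey` and `baseurl`. Overriding the base therefore moves the trust anchor along with the packages: whoever controls that host can serve both a key and packages signed with it, so `gpgcheck=1` no longer shows that the packages come from Elastic. For apt the key URL can still be overridden separately, but the yum template offers no such variable. I would document this above the new default, e.g. `# also used to build the GPG key URL; when overriding, keep an https:// base and source the signing key from a trusted location`.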
@@ -1,8 +1,8 @@ [elasticsearch-{{ es_repo_name }}] name=Elasticsearch repository for {{ es_repo_name }} packages -baseurl=https://artifacts.elastic.co/packages/{{ es_repo_name }}/yum +baseurl={{ es_repo_base }}/packages/{{ es_repo_name }}/yum gpgcheck=1 -gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch +gpgkey={{ es_repo_base }}/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md From fd8ea77fa483e889e580f3ecb6e90f7168d6f0fb Mon Sep 17 00:00:00 2001 From: Frank Fischer Date: Mon, 14 Jan 2019 15:53:01 +0100 Subject: [PATCH 12/71] Use systemd's RequiresMountsFor User might be interested in separating data in ephemeral and persistent state, especially in cloud environments, e.g. data_dir on another disk. --- templates/systemd/elasticsearch.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/systemd/elasticsearch.j2 b/templates/systemd/elasticsearch.j2 index 8bd5545..79fe382 100644 --- a/templates/systemd/elasticsearch.j2 +++ b/templates/systemd/elasticsearch.j2 @@ -3,6 +3,8 @@ Description=Elasticsearch-{{es_instance_name}} Documentation=http://www.elastic.co Wants=network-online.target After=network-online.target +{# Directive 'WorkingDirectory' creates an implicit dependecy for {{es_home}}, so it can be omitted here #} +RequiresMountsFor={{ data_dirs | array_to_str(separator=' ') }} {{log_dir}} {{pid_dir}} {{conf_dir}} [Service] Environment=ES_HOME={{es_home}} From 2d7bc5607eb708476afac7034c5a705e2da63687 Mon Sep 17 00:00:00 2001 From: Lilian Deloche Date: Thu, 24 Jan 2019 15:30:49 +0100 Subject: [PATCH 13/71] Use dpkg_selections to lock elasticsearch version --- tasks/elasticsearch-Debian-version-lock.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/elasticsearch-Debian-version-lock.yml b/tasks/elasticsearch-Debian-version-lock.yml index 4ca9b24..6d52493 100644 --- a/tasks/elasticsearch-Debian-version-lock.yml +++ b/tasks/elasticsearch-Debian-version-lock.yml 
@@ -1,6 +1,6 @@ --- - name: Debian - hold elasticsearch version become: yes - command: "apt-mark hold {{ es_package_name }}" - register: hold_elasticsearch_result - changed_when: "hold_elasticsearch_result.stdout != '{{ es_package_name }} was already set on hold.'" + dpkg_selections: + name: "{{ es_package_name }}" + selection: "hold" From f169a434d8da84805506437cc54e4ee161dc9b11 Mon Sep 17 00:00:00 2001 From: Michael Russell Date: Tue, 29 Jan 2019 17:13:59 +0100 Subject: [PATCH 14/71] Bump default version to 6.6.0 --- CHANGELOG.md | 16 ++++++++++++++++ defaults/main.yml | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e75d7a..df21779 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,19 @@ +## 6.6.0 - 2019/01/29 + +### Features + +* 6.6.0 as default Elasticsearch version +* [#521](https://github.com/elastic/ansible-elasticsearch/pull/521) - @Crazybus - Allow switching between oss and standard packages +* [#528](https://github.com/elastic/ansible-elasticsearch/pull/528) - @Fra-nk - Use systemd's RequiresMountsFor +* [#530](https://github.com/elastic/ansible-elasticsearch/pull/530) - @lde - Use dpkg_selections to lock elasticsearch version + +### Fixes + +* [#513](https://github.com/elastic/ansible-elasticsearch/pull/513) - @kakoni - Fix typo in elasticsearch-parameters.yml +* [#522](https://github.com/elastic/ansible-elasticsearch/pull/522) - @SlothOfAnarchy - Fix package download URL +* [#526](https://github.com/elastic/ansible-elasticsearch/pull/527) - @Fra-nk - Allow not installing Elasticsearch deb repository key +* [#527](https://github.com/elastic/ansible-elasticsearch/pull/527) - @katsukamaru - Execute java version check in check mode + ## 6.5.1.1 - 2018/11/27 ### Fixes diff --git a/defaults/main.yml b/defaults/main.yml index f9f140b..1aac16d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,6 +1,6 @@ --- es_major_version: "6.x" -es_version: "6.5.1" +es_version: "6.6.0" es_use_snapshot_release: false es_enable_xpack: true es_package_name: "elasticsearch" From eed3efbb85353f3829c46f14c21c65bc4a8185ee Mon Sep 17 00:00:00 2001 From: Lilian Deloche Date: Thu, 7 Feb 2019 12:24:16 +0100 Subject: [PATCH 15/71] Use sleep command in remplacement of pause --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index e98b98d..cb4735e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -73,7 +73,7 @@ # If playbook runs too fast, Native commands could fail as the Native Realm is not yet up - name: Wait 15 seconds for the Native Relm to come up - pause: seconds=15 + command: sleep 15 when: manage_native_realm - name: activate-license From c4b51482c10c4daa5ad55bd6fd79f39abceaf578 Mon Sep 17 00:00:00 2001 From: Grzegorz Nowak Date: Thu, 28 Feb 2019 14:33:53 +0100 Subject: [PATCH 16/71] make playbook (tested for debians) compatible with the mode --- tasks/elasticsearch-Debian.yml | 1 + tasks/java.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 7b9a735..037ea23 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -15,6 +15,7 @@ register: elasticsearch_package failed_when: False changed_when: False + check_mode: no - name: stop elasticsearch service: diff --git a/tasks/java.yml b/tasks/java.yml index 68abc53..26d6b15 100644 --- a/tasks/java.yml +++ b/tasks/java.yml @@ -44,6 +44,7 @@ register: open_jdk ignore_errors: yes changed_when: false + check_mode: no #https://github.com/docker-library/openjdk/issues/19 - ensures tests pass due to java 8 broken certs - name: refresh the java ca-certificates From 81f30e79725b270a9bcc9e23163eea867435d058 Mon Sep 17 00:00:00 2001 
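Review bot: `command: sleep 15` reports `changed` on every run, which the replaced `pause` did not, so a play that otherwise changes nothing is no longer idempotent whenever `manage_native_realm` is true. Add `changed_when: false` to the task. A fixed delay is also a guess: polling the API with `uri` plus `until`/`retries`/`delay`, as the snapshot lookup in tasks/snapshot-release.yml appears to do, would wait only as long as needed and fail clearly if the realm never comes up. The task name has a typo as well (`Relm`).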
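Review bot: `check_mode: no` makes the task execute for real during `ansible-playbook --check`, so each task it is added to has to be strictly read-only, and neither hunk of PATCH 16/71 shows the command being run (both tasks start above the hunk). A one-line comment above the key, e.g. `# read-only query, safe to run under --check`, would record that this was verified. The same applies to the `check_mode: no` additions in PATCH 18/71 (elasticsearch-config.yml, snapshot-release.yml and the three xpack/security files). Some of those tasks end in `status_code: 200` and look like `uri` calls against the cluster API, so it is worth confirming they are GET requests, since they are now sent on a dry run too. `check_mode: false` would also match the canonical boolean spelling.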
From: Michael Russell Date: Mon, 11 Mar 2019 23:07:01 +1000 Subject: [PATCH 17/71] Update readme to include versioned install command In #538 it was discovered that recent versions of the ansible galaxy command will fail if there aren't semver compatible releases in the history. The error says: > Please contact the role author to resolve versioning conflicts, or > specify an explicit role version to install. Removing the old releases is not such a great idea so instead updating the install command is the best option. Fixes: #538 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8986566..4e9846f 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ This role uses the json_query filter which [requires jmespath](https://github.co Create your Ansible playbook with your own tasks, and include the role elasticsearch. You will have to have this repository accessible within the context of playbook. ```sh -ansible-galaxy install elastic.elasticsearch +ansible-galaxy install elastic.elasticsearch,6.6.0 ``` Then create your playbook yaml adding the role elasticsearch. By default, the user is only required to specify a unique es_instance_name per role application. This should be unique per node. From 785ce1cd2645d25c0ce092f989bb8602ca254e1d Mon Sep 17 00:00:00 2001 From: Grzegorz Nowak Date: Thu, 14 Mar 2019 09:23:24 +0100 Subject: [PATCH 18/71] add a few more 'check_mode:no' props for compatiblity with --check mode of ansible --- tasks/elasticsearch-config.yml | 2 +- tasks/snapshot-release.yml | 1 + tasks/xpack/security/elasticsearch-security-file.yml | 2 ++ tasks/xpack/security/elasticsearch-security-native.yml | 2 ++ tasks/xpack/security/elasticsearch-security.yml | 1 + 5 files changed, 7 insertions(+), 1 deletion(-) diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml index c2d8304..b6cd067 100644 --- a/tasks/elasticsearch-config.yml +++ b/tasks/elasticsearch-config.yml 
@@ -16,7 +16,6 @@ with_items: - "{{data_dirs}}" - #Copy the config template - name: Copy Configuration File become: yes @@ -93,6 +92,7 @@ stat: path: "{{ sysd_script }}" register: sysd_stat_result + check_mode: no - name: Remove if it is a normal file become: yes diff --git a/tasks/snapshot-release.yml b/tasks/snapshot-release.yml index f151c18..97e8b89 100644 --- a/tasks/snapshot-release.yml +++ b/tasks/snapshot-release.yml @@ -27,6 +27,7 @@ delay: 1 ignore_errors: true until: "'status' in snapshots and snapshots.status == 200" + check_mode: no - name: use the custom package url instead of the repository set_fact: diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 13fd42d..0debff1 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -6,6 +6,7 @@ stat: path: '{{ conf_dir }}/x-pack/users' register: old_users_file + check_mode: no - name: Copy the old users file from the old depreacted location copy: @@ -31,6 +32,7 @@ register: current_file_users when: manage_file_users changed_when: False + check_mode: no - name: set fact users_to_remove set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys()) }} diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index 63024fa..151365b 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -29,6 +29,7 @@ status_code: 200 register: user_list_response when: manage_native_users + check_mode: no - name: set fact reserved_users equals user_list_response.json set_fact: reserved_users={{ user_list_response.json | filter_reserved }} 
@@ -138,6 +139,7 @@ status_code: 200 register: role_list_response when: manage_native_roles + check_mode: no - name: set fact reserved roles set_fact: reserved_roles={{ role_list_response.json | filter_reserved }} diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 048351b..0e81709 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml @@ -33,6 +33,7 @@ changed_when: False environment: ES_PATH_CONF: "{{ conf_dir }}" + check_mode: no - name: Create Bootstrap password for elastic user become: yes From 739f50fc7bc8197dedf5fff662f950a7affa9f9c Mon Sep 17 00:00:00 2001 From: Victor Gonzalez Date: Fri, 15 Mar 2019 21:39:24 +0100 Subject: [PATCH 19/71] Typo in Makefile s/cerify/verify/g --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index d5e4d14..8e33fcd 100644 --- a/Makefile +++ b/Makefile @@ -4,7 +4,7 @@ SHELL:=/bin/bash -eux VERSION := 6.x PATTERN := xpack-ubuntu-1604 -.PHONY: converge cerify test login destroy list +.PHONY: converge verify test login destroy list setup: bundle install From 0858b11b85186f6587dca726dcc2714aa6dc0c5f Mon Sep 17 00:00:00 2001 From: Jonah Bull Date: Mon, 18 Mar 2019 14:46:14 -0500 Subject: [PATCH 20/71] [ci] add JJBB job definitions Add JJBB job definitions to the repo so they can be managed here. Modified jobs so they will auto-generate the `inject-passwords` section containing `VAULT_ROLE_ID`, `VAULT_SECRET_ID` and `VAULT_ADDR`. --- .ci/jobs/defaults.yml | 68 +++++++++++++++++++ .../elastic+ansible-elasticsearch+master.yml | 26 +++++++ ...tic+ansible-elasticsearch+pull-request.yml | 39 +++++++++++ 3 files changed, 133 insertions(+) create mode 100644 .ci/jobs/defaults.yml create mode 100644 .ci/jobs/elastic+ansible-elasticsearch+master.yml create mode 100644 .ci/jobs/elastic+ansible-elasticsearch+pull-request.yml 
diff --git a/.ci/jobs/defaults.yml b/.ci/jobs/defaults.yml new file mode 100644 index 0000000..5b4d20b --- /dev/null +++ b/.ci/jobs/defaults.yml @@ -0,0 +1,68 @@ +--- + +##### GLOBAL METADATA + +- meta: + cluster: devops-ci + +##### JOB DEFAULTS + +- job: + project-type: matrix + logrotate: + daysToKeep: 30 + numToKeep: 100 + parameters: + - string: + name: branch_specifier + default: master + description: the Git branch specifier to build (<branchName>, <tagName>, + <commitId>, etc.) + properties: + - github: + url: https://github.com/elastic/ansible-elasticsearch/ + - inject: + properties-content: HOME=$JENKINS_HOME + concurrent: true + node: master + scm: + - git: + name: origin + credentials-id: f6c7695a-671e-4f4f-a331-acdce44ff9ba + reference-repo: /var/lib/jenkins/.git-references/ansible-elasticsearch.git + branches: + - ${branch_specifier} + url: git@github.com:elastic/ansible-elasticsearch.git + basedir: elasticsearch + wipe-workspace: 'False' + axes: + - axis: + type: slave + name: label + values: + - linux + - axis: + name: VERSION + filename: elasticsearch/test/matrix.yml + type: yaml + - axis: + name: OS + filename: elasticsearch/test/matrix.yml + type: yaml + - axis: + name: TEST_TYPE + filename: elasticsearch/test/matrix.yml + type: yaml + vault: + url: https://secrets.elastic.co:8200 + role_id: cff5d4e0-61bf-2497-645f-fcf019d10c13 + wrappers: + - ansicolor + - timeout: + type: absolute + timeout: 360 + fail: true + - timestamps + publishers: + - email: + recipients: infra-root+build@elastic.co diff --git a/.ci/jobs/elastic+ansible-elasticsearch+master.yml b/.ci/jobs/elastic+ansible-elasticsearch+master.yml new file mode 100644 index 0000000..658b352 --- /dev/null +++ b/.ci/jobs/elastic+ansible-elasticsearch+master.yml 
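Review bot: The `vault:` block commits the AppRole `role_id` (and, under `scm`, a Jenkins `credentials-id`) to the repository, which leaves `secret_id` as the only non-public part of the login pair used by the job scripts. These are identifiers rather than secrets, but it is worth confirming that the role is limited to the one path the jobs read and that its `secret_id` is short-lived or bound to the CI network. A comment above the block, e.g. `# role_id is an identifier; the secret_id is injected by Jenkins and never stored here`, would make that intent explicit. Separately, `wipe-workspace: 'False'` is a quoted string rather than a boolean; `wipe-workspace: false` avoids depending on how the consumer coerces it.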
@@ -0,0 +1,26 @@ +--- +- job: + name: elastic+ansible-elasticsearch+master + display-name: elastic / ansible-elasticsearch - master + description: Master branch testing with test kitchen + triggers: + - timed: H H(02-04) * * * + builders: + - shell: |- + #!/usr/local/bin/runbld + set -euo pipefail + + export RBENV_VERSION='2.3.0' + export PATH="$HOME/.rbenv/bin:$PATH" + eval "$(rbenv init -)" + rbenv local $RBENV_VERSION + + export ES_XPACK_LICENSE_FILE="$(pwd)/license.json" + echo "Getting xpack_license from secrets service" + set +x + VAULT_TOKEN=$( curl -s -X POST -H "Content-Type: application/json" -L -d "{\"role_id\":\"$VAULT_ROLE_ID\",\"secret_id\":\"$VAULT_SECRET_ID\"}" $VAULT_ADDR/v1/auth/approle/login | jq -r '.auth.client_token' ) + curl -s -L -H "X-Vault-Token:$VAULT_TOKEN" $VAULT_ADDR/v1/secret/devops-ci/ansible-elasticsearch/xpack_license | jq -r '.data.value' > ${ES_XPACK_LICENSE_FILE} + set -x + echo "Finished getting xpack_license from secrets service" + make setup + make verify VERSION=$VERSION PATTERN=$TEST_TYPE-$OS diff --git a/.ci/jobs/elastic+ansible-elasticsearch+pull-request.yml b/.ci/jobs/elastic+ansible-elasticsearch+pull-request.yml new file mode 100644 index 0000000..0cb82a6 --- /dev/null +++ b/.ci/jobs/elastic+ansible-elasticsearch+pull-request.yml 
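Review bot: Both `curl` calls in the `shell` builder run with `-s` but without `--fail`, so an HTTP error from the secrets service still exits 0 and `jq -r` prints `null`; the job then carries on with `VAULT_TOKEN=null` and writes `null` into `license.json` instead of stopping. Use `curl -sSf` for both requests and `jq -er '.data.value'` for the second, so that `set -euo pipefail` aborts the build on a failed login or a missing value. The login request also places `$VAULT_SECRET_ID` in the `curl` argument list, where it is visible to other processes on the build node; passing the body on stdin with `-d @-` avoids that. The identical script in elastic+ansible-elasticsearch+pull-request.yml needs the same changes.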
@@ -0,0 +1,39 @@ +--- +- job: + name: elastic+ansible-elasticsearch+pull-request + display-name: elastic / ansible-elasticsearch - pull-request + description: Pull request testing with test kitchen + project-type: matrix + parameters: [] + scm: + - git: + branches: + - $ghprbActualCommit + refspec: +refs/pull/*:refs/remotes/origin/pr/* + triggers: + - github-pull-request: + github-hooks: true + org-list: + - elastic + allow-whitelist-orgs-as-admins: true + cancel-builds-on-update: true + status-context: devops-ci + builders: + - shell: |- + #!/usr/local/bin/runbld + set -euo pipefail + + export RBENV_VERSION='2.3.0' + export PATH="$HOME/.rbenv/bin:$PATH" + eval "$(rbenv init -)" + rbenv local $RBENV_VERSION + + export ES_XPACK_LICENSE_FILE="$(pwd)/license.json" + echo "Getting xpack_license from secrets service" + set +x + VAULT_TOKEN=$( curl -s -X POST -H "Content-Type: application/json" -L -d "{\"role_id\":\"$VAULT_ROLE_ID\",\"secret_id\":\"$VAULT_SECRET_ID\"}" $VAULT_ADDR/v1/auth/approle/login | jq -r '.auth.client_token' ) + curl -s -L -H "X-Vault-Token:$VAULT_TOKEN" $VAULT_ADDR/v1/secret/devops-ci/ansible-elasticsearch/xpack_license | jq -r '.data.value' > ${ES_XPACK_LICENSE_FILE} + set -x + echo "Finished getting xpack_license from secrets service" + make setup + make verify VERSION=$VERSION PATTERN=$TEST_TYPE-$OS From 88d283e216f9468a0163bee4da03b0d056eb1380 Mon Sep 17 00:00:00 2001 From: Thiago Nache Carvalho Date: Tue, 19 Mar 2019 15:41:09 -0300 Subject: [PATCH 21/71] Fixes first example syntax in README --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4e9846f..c7b1ff8 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,8 @@ The simplest configuration therefore consists of: hosts: localhost roles: - role: elastic.elasticsearch - es_instance_name: "node1" + vars: + es_instance_name: "node1" ``` The above installs a single node 'node1' on the hosts 'localhost'. 
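Review bot: Pull-request code runs with the Vault login variables still in its environment: the script checks out `$ghprbActualCommit` and then calls `make setup` and `make verify` from that checkout, so the Makefile and test code of any pull request that gets built can read `VAULT_ROLE_ID` and `VAULT_SECRET_ID`. `org-list` limits automatic builds to the `elastic` organisation, but approved external pull requests presumably run the same script. Drop the credentials once the license is fetched, e.g. `unset VAULT_TOKEN VAULT_ROLE_ID VAULT_SECRET_ID` before `make setup`, and keep the AppRole's policy restricted to the license path so a leaked pair exposes nothing else.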
From 18c93324194f648e78d3b1d77d05ebf3533f1754 Mon Sep 17 00:00:00 2001 From: Chris Koehnke Date: Thu, 21 Mar 2019 17:16:04 -0400 Subject: [PATCH 22/71] Remove url in jenkins job configuration --- .ci/jobs/defaults.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.ci/jobs/defaults.yml b/.ci/jobs/defaults.yml index 5b4d20b..9f4a9b7 100644 --- a/.ci/jobs/defaults.yml +++ b/.ci/jobs/defaults.yml @@ -54,7 +54,6 @@ filename: elasticsearch/test/matrix.yml type: yaml vault: - url: https://secrets.elastic.co:8200 role_id: cff5d4e0-61bf-2497-645f-fcf019d10c13 wrappers: - ansicolor From 07258e5be58993de146be708e8cc7081beb72562 Mon Sep 17 00:00:00 2001 From: Nathan Young Date: Wed, 27 Mar 2019 16:29:22 +0000 Subject: [PATCH 23/71] Fix template conditional --- tasks/compatibility-variables.yml | 2 +- tasks/elasticsearch-template.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index 725317b..a00ca00 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -23,7 +23,7 @@ es_open_xpack: false when: "es_version is version_compare('6.3.0', '<')" -- name: If this is an older version we need to install X-Pack as a plugin and use a differet users command +- name: If this is an older version we need to install X-Pack as a plugin and use a different users command set_fact: es_install_xpack: true es_xpack_users_command: "x-pack/users" diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index febe338..e999d35 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml 
@@ -20,7 +20,7 @@ status_code: 200 body_format: json body: "{{ lookup('file', item) }}" - when: load_templates.changed and es_start_service and not es_enable_xpack or not es_xpack_features is defined or "security" not in es_xpack_features + when: load_templates.changed and es_start_service and (not es_enable_xpack or not es_xpack_features is defined or "security" not in es_xpack_features) with_fileglob: - "{{ es_templates_fileglob | default('') }}" run_once: True From 07287ebecdccc6be9e6327f8cf9267f8c10731ce Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Mon, 29 Apr 2019 11:07:59 +0200 Subject: [PATCH 24/71] [test] fix debian-8 provisioning in kitchen tests (#556) Jessie backport repos have been removed from debian mirrors and moved to archive mirrors (cf. https://lists.debian.org/debian-devel-announce/2019/03/msg00006.html). We also need to disable validity checks as this repo is no more updated (https://unix.stackexchange.com/questions/508724/failed-to-fetch-jessie-backports-repository) --- .kitchen.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.kitchen.yml b/.kitchen.yml index 8aa3c37..0a741e3 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -75,7 +75,8 @@ platforms: image: debian:8 privileged: true provision_command: - - echo "deb http://http.debian.net/debian jessie-backports main" > /etc/apt/sources.list.d/jessie-backports.list + - echo "deb http://archive.debian.org/debian jessie-backports main" > /etc/apt/sources.list.d/jessie-backports.list + - echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf - apt-get update && apt-get -y install -t jessie-backports openjdk-8-jre-headless - apt-get update && apt-get -y install python python-dev python-pip build-essential libyaml-dev python-yaml curl wget net-tools - sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config From 2d96084251122df85ce52e32c20007d15b5b807c Mon Sep 17 00:00:00 2001 
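Review bot: `not es_xpack_features is defined` in the corrected `when:` is easy to misread as `(not es_xpack_features) is defined`, and the whole condition is one long line mixing `and` and `or`. I would write the test as `es_xpack_features is not defined` and split the condition into a `when:` list, whose items are ANDed: `load_templates.changed`, `es_start_service`, and `not es_enable_xpack or es_xpack_features is not defined or "security" not in es_xpack_features`. The task itself starts above the hunk.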
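Review bot: The new `echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf` turns off Release-file expiry checking for every apt source in the debian-8 image, not only for the archived jessie-backports repository, and the `>` redirect replaces any existing `/etc/apt/apt.conf`. Since the backports source is also plain `http://`, a stale or replayed package index would be accepted by all later `apt-get` steps. Writing the setting to its own file, e.g. `/etc/apt/apt.conf.d/99-archived-backports`, with a comment on why it is needed keeps it easy to find and remove, and it should stay confined to this test platform.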
From: Julien Mailleret Date: Tue, 30 Apr 2019 12:34:41 +0200 Subject: [PATCH 25/71] [gem] update dependencies This should fix vulnerability on ffi and rubyzip dependencies (cf. https://nvd.nist.gov/vuln/detail/CVE-2018-1000544 and https://nvd.nist.gov/vuln/detail/CVE-2018-1000201) --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 9550977..39738be 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -3,7 +3,7 @@ GEM specs: builder (3.2.3) erubis (2.7.0) - ffi (1.9.18) + ffi (1.9.24) gssapi (1.2.0) ffi (>= 1.0.1) gyoku (1.3.1) @@ -32,7 +32,7 @@ GEM net-ssh (>= 2.6.5) nori (2.6.0) rubyntlm (0.6.2) - rubyzip (1.2.1) + rubyzip (1.2.2) test-kitchen (1.20.0) mixlib-install (~> 3.6) mixlib-shellout (>= 1.2, < 3.0) From a1c81884e2b0ab3838fb338c38d43b9759fd704e Mon Sep 17 00:00:00 2001 
From: Julien Mailleret Date: Thu, 9 May 2019 09:06:02 +0200 Subject: [PATCH 26/71] [7.x] add support for elasticsearch 7.x and remove support for 5.x (#558) - add support for elasticsearch 7.x - remove support for elasticsearch 5.x - update kitchen-ansible configuration (install ansible and jmespath dependencies using os repositories) - replace geoip plugin in tests as this one is now embeded in elasticsearch since 6.7.0 (cf. https://www.elastic.co/guide/en/elasticsearch/plugins/6.7/ingest-geoip.html) - update discovery configuration for 7.x (in ES 7.x, discovery.zen.ping.unicast.hosts is replaced by discovery.seed_hosts and transport.tcp.port is replaced by transport.port, also discovery.seed_hosts is disabled on master nodes to avoid "master_not_discovered_exception" error when creating templates in the same play) - update index template structure for 7.x - update security realms settings for 7.x (cf. https://www.elastic.co/guide/en/elasticsearch/reference/current/breaking-changes-7.0.html#include-realm-type-in-setting) --- .kitchen.yml | 49 ++++++----------- Makefile | 2 +- README.md | 55 ++++++++++--------- defaults/main.yml | 5 +- files/{templates => templates-6.x}/basic.json | 0 files/templates-7.x/basic.json | 9 +++ tasks/compatibility-variables.yml | 1 + tasks/elasticsearch-parameters.yml | 8 --- tasks/main.yml | 5 ++ templates/jvm.options.j2 | 8 --- .../helpers/serverspec/multi_spec.rb | 24 ++++---- .../helpers/serverspec/shared_spec.rb | 38 ++----------- .../helpers/serverspec/xpack_spec.rb | 6 +- .../helpers/serverspec/xpack_upgrade_spec.rb | 28 ++++------ test/integration/issue-test.yml | 8 +-- test/integration/multi.yml | 24 ++++++-- test/integration/oss-to-xpack-upgrade.yml | 2 +- test/integration/oss-upgrade.yml | 2 +- test/integration/oss.yml | 2 +- test/integration/xpack-upgrade.yml | 34 +++++++----- test/integration/xpack.yml | 2 - test/matrix.yml | 2 +- 22 files changed, 139 insertions(+), 175 deletions(-) rename files/{templates => 
templates-6.x}/basic.json (100%) create mode 100644 files/templates-7.x/basic.json diff --git a/.kitchen.yml b/.kitchen.yml index 0a741e3..1bf6f48 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -6,11 +6,9 @@ provisioner: name: ansible_playbook hosts: localhost roles_path: ../ - require_ansible_repo: false + require_ansible_repo: true require_ansible_omnibus: false require_ansible_source: false - require_pip: true - ansible_version: 2.4.3.0 http_proxy: <%= ENV['HTTP_PROXY'] %> https_proxy: <%= ENV['HTTPS_PROXY'] %> no_proxy: localhost,127.0.0.1 @@ -20,8 +18,8 @@ provisioner: attributes: extra_vars: es_major_version: "<%= ENV['VERSION'] %>" - <% if ENV['VERSION'] == '5.x' %> - es_version: '5.6.11' + <% if ENV['VERSION'] == '6.x' %> + es_version: '6.7.2' <% end %> <% end %> @@ -34,10 +32,9 @@ platforms: image: ubuntu:14.04 privileged: true provision_command: - - apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:ansible/ansible && add-apt-repository -y ppa:openjdk-r/ppa - - apt-get update && apt-get -y -q install python-apt python-pycurl python-pip python-openssl build-essential libssl-dev libffi-dev python-dev locales openjdk-8-jre + - apt-get update -q && apt-get install -y -q software-properties-common && add-apt-repository -y ppa:ansible/ansible && add-apt-repository -y ppa:openjdk-r/ppa + - apt-get update -q && apt-get -y -q install ansible openjdk-8-jre python-jmespath - locale-gen en_US.UTF-8 && localedef -i en_US -c -f UTF-8 en_US.UTF-8 - - pip install jmespath pyOpenSSL ndg-httpsclient cryptography==1.8.1 use_sudo: false volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json 
@@ -47,11 +44,9 @@ platforms: image: ubuntu:16.04 privileged: true provision_command: - - apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:ansible/ansible - - apt-get install -y -q net-tools - - apt-get update && apt-get -y -q install python-apt python-pycurl python-pip locales + - apt-get update -q && apt-get install -y -q iproute locales software-properties-common && add-apt-repository -y ppa:ansible/ansible + - apt-get update -q && apt-get install -y -q ansible python-jmespath - locale-gen en_US.UTF-8 && localedef -i en_US -c -f UTF-8 en_US.UTF-8 - - pip install jmespath use_sudo: false volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json @@ -62,9 +57,7 @@ platforms: image: ubuntu:18.04 privileged: true provision_command: - - apt-get update && apt-get install -y software-properties-common && add-apt-repository -y ppa:ansible/ansible - - apt-get update && apt-get -y -q install python-apt python-pycurl python-pip net-tools iproute2 - - pip install jmespath + - apt-get install -y -q ansible iproute2 python-jmespath use_sudo: false volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json 
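Review bot: In the ubuntu-18.04 platform the new `provision_command` runs `apt-get install` with no `apt-get update` in the same command, unlike the 14.04 and 16.04 entries, so it depends on package lists left by an earlier image layer and can fail or install from a stale index once that layer is cached. Use `apt-get update -q && apt-get install -y -q ansible iproute2 python-jmespath`. This hunk also drops the `ppa:ansible/ansible` source for this platform only, so 18.04 is presumably tested with the distribution's Ansible while the others use the PPA build; a comment saying whether that is intended would help.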
@@ -75,14 +68,13 @@ platforms: image: debian:8 privileged: true provision_command: + - apt-get update -q && apt-get install -y -q gnupg2 python-jmespath - echo "deb http://archive.debian.org/debian jessie-backports main" > /etc/apt/sources.list.d/jessie-backports.list - echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf - apt-get update && apt-get -y install -t jessie-backports openjdk-8-jre-headless - - apt-get update && apt-get -y install python python-dev python-pip build-essential libyaml-dev python-yaml curl wget net-tools - - sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config - - sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config - - sed -ri 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config - - pip install jmespath setuptools --upgrade + - echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" > /etc/apt/sources.list.d/ansible.list + - apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367 + - apt-get update -q && apt-get install -y -q ansible volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json - /etc # This fixes certain java file actions that check the mount point. Without this adding users fails for some docker storage drivers 
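Review bot: The added `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367` fetches the PPA signing key by its 64-bit key ID, and the repository line uses plain `http://`, so trust in the Ansible packages rests on whatever key the keyserver returns for that ID. Pin the full fingerprint instead, `--recv-keys <FULL_40_HEX_FINGERPRINT>` (placeholder; take the value from the PPA page), and use `hkps://keyserver.ubuntu.com` where the image's gnupg supports it so the lookup goes over TLS. The debian-9 hunk that follows adds the same two lines and needs the same change. Installing an Ubuntu `trusty` PPA on Debian also deserves a comment explaining why it is acceptable for these images.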
@@ -93,12 +85,10 @@ platforms: image: debian:9 privileged: true provision_command: - - apt-get update && apt-get -y install python python-dev python-pip build-essential libyaml-dev python-yaml curl wget systemd-sysv - - apt-get install -y -q net-tools - - sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config - - sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config - - sed -ri 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config - - pip install jmespath + - apt-get update -q && apt-get install -y -q gnupg2 python-jmespath systemd-sysv + - echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" > /etc/apt/sources.list.d/ansible.list + - apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367 + - apt-get update -q && apt-get install -y -q ansible volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json - /etc # This fixes certain java file actions that check the mount point. Without this adding users fails for some docker storage drivers @@ -108,13 +98,8 @@ platforms: driver_config: image: centos:7 provision_command: - - sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config - - sed -ri 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config - - sed -ri 's/^#?UsePAM .*/UsePAM no/' /etc/ssh/sshd_config - yum -y install epel-release - - yum -y install initscripts python-pip - - yum clean all - - pip install jmespath + - yum -y install ansible iproute python2-jmespath volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json - /etc # This fixes certain java file actions that check the mount point. Without this adding users fails for some docker storage drivers diff --git a/Makefile b/Makefile index 8e33fcd..92d598f 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ default: build SHELL:=/bin/bash -eux -VERSION := 6.x +VERSION := 7.x PATTERN := xpack-ubuntu-1604 .PHONY: converge verify test login destroy list 
diff --git a/README.md b/README.md index c7b1ff8..703ed5b 100644 --- a/README.md +++ b/README.md @@ -2,16 +2,18 @@ [![Build Status](https://img.shields.io/jenkins/s/https/devops-ci.elastic.co/job/elastic+ansible-elasticsearch+master.svg)](https://devops-ci.elastic.co/job/elastic+ansible-elasticsearch+master/) [![Ansible Galaxy](https://img.shields.io/badge/ansible--galaxy-elastic.elasticsearch-blue.svg)](https://galaxy.ansible.com/elastic/elasticsearch/) -**THIS ROLE IS FOR 6.x, 5.x. FOR 2.x SUPPORT PLEASE USE THE 2.x BRANCH.** +**THIS ROLE IS FOR 7.x & 6.x** -Ansible role for 6.x/5.x Elasticsearch. Currently this works on Debian and RedHat based linux systems. Tested platforms are: +Ansible role for 7.x/6.x Elasticsearch. Currently this works on Debian and RedHat based linux systems. Tested platforms are: * Ubuntu 14.04 * Ubuntu 16.04 +* Ubuntu 18.04 * Debian 8 +* Debian 9 * CentOS 7 -The latest Elasticsearch versions of 6.x and 5.x are actively tested. **Only Ansible versions > 2.4.3.0 are supported, as this is currently the only version tested.** +The latest Elasticsearch versions of 7.x & 6.x are actively tested. **Only Ansible versions > 2.4.3.0 are supported, as this is currently the only version tested.** ##### Dependency This role uses the json_query filter which [requires jmespath](https://github.com/ansible/ansible/issues/24319) on the local machine. @@ -21,7 +23,7 @@ This role uses the json_query filter which [requires jmespath](https://github.co Create your Ansible playbook with your own tasks, and include the role elasticsearch. You will have to have this repository accessible within the context of playbook. ```sh -ansible-galaxy install elastic.elasticsearch,6.6.0 +ansible-galaxy install elastic.elasticsearch,7.0.1 ``` Then create your playbook yaml adding the role elasticsearch. By default, the user is only required to specify a unique es_instance_name per role application. This should be unique per node. 
@@ -91,9 +93,9 @@ The `PATTERN` is a kitchen pattern which can match multiple suites. To run all t $ make converge PATTERN=centos-7 ``` -The default version is 6.x If you want to test 5.x you can override it with the `VERSION` variable to test 5.x +The default version is 7.x. If you want to test 6.x you can override it with the `VERSION` variable, for example: ```sh -$ make converge VERSION=5.x PATTERN=oss-centos-7 +$ make converge VERSION=6.x PATTERN=oss-centos-7 ``` When you are finished testing you can clean up everything with @@ -123,9 +125,9 @@ The following illustrates applying configuration parameters to an Elasticsearch es_config: node.name: "node1" cluster.name: "custom-cluster" - discovery.zen.ping.unicast.hosts: "localhost:9301" + discovery.seed_hosts: "localhost:9301" http.port: 9201 - transport.tcp.port: 9301 + transport.port: 9301 node.data: false node.master: true bootstrap.memory_lock: true 
@@ -139,8 +141,8 @@ The following illustrates applying configuration parameters to an Elasticsearch Whilst the role installs Elasticsearch with the default configuration parameters, the following should be configured to ensure a cluster successfully forms: * ```es_config['http.port']``` - the http port for the node -* ```es_config['transport.tcp.port']``` - the transport port for the node -* ```es_config['discovery.zen.ping.unicast.hosts']``` - the unicast discovery list, in the comma separated format ```":,:"``` (typically the clusters dedicated masters) +* ```es_config['transport.port']``` - the transport port for the node +* ```es_config['discovery.seed_hosts']``` - the unicast discovery list, in the comma separated format ```":,:"``` (typically the clusters dedicated masters) * ```es_config['network.host']``` - sets both network.bind_host and network.publish_host to the same host value. The network.bind_host setting allows to control the host different network components will bind on. The network.publish_host setting allows to control the host the node will publish itself within the cluster so other nodes will be able to connect to it. @@ -163,9 +165,9 @@ A more complex example: es_config: node.name: "node1" cluster.name: "custom-cluster" - discovery.zen.ping.unicast.hosts: "localhost:9301" + discovery.seed_hosts: "localhost:9301" http.port: 9201 - transport.tcp.port: 9301 + transport.port: 9301 node.data: false node.master: true bootstrap.memory_lock: true @@ -177,7 +179,7 @@ A more complex example: es_plugins_reinstall: false es_api_port: 9201 es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment proxy_host: proxy.example.com proxy_port: 8080 ``` 
@@ -204,9 +206,9 @@ An example of a two server deployment is shown below. The first server holds th es_heap_size: "1g" es_config: cluster.name: "test-cluster" - discovery.zen.ping.unicast.hosts: "elastic02:9300" + discovery.seed_hosts: "elastic02:9300" http.port: 9200 - transport.tcp.port: 9300 + transport.port: 9300 node.data: false node.master: true bootstrap.memory_lock: false @@ -215,7 +217,7 @@ An example of a two server deployment is shown below. The first server holds th es_version_lock: false ansible_user: ansible es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment - hosts: data_nodes roles: @@ -226,9 +228,9 @@ An example of a two server deployment is shown below. The first server holds th - "/opt/elasticsearch" es_config: cluster.name: "test-cluster" - discovery.zen.ping.unicast.hosts: "elastic02:9300" + discovery.seed_hosts: "elastic02:9300" http.port: 9200 - transport.tcp.port: 9300 + transport.port: 9300 node.data: true node.master: false bootstrap.memory_lock: false @@ -238,7 +240,7 @@ An example of a two server deployment is shown below. The first server holds th ansible_user: ansible es_api_port: 9200 es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment - hosts: data_nodes roles: @@ -247,9 +249,9 @@ An example of a two server deployment is shown below. The first server holds th es_instance_name: "node2" es_api_port: 9201 es_config: - discovery.zen.ping.unicast.hosts: "elastic02:9300" + discovery.seed_hosts: "elastic02:9300" http.port: 9201 - transport.tcp.port: 9301 + transport.port: 9301 node.data: true node.master: false bootstrap.memory_lock: false @@ -260,7 +262,7 @@ An example of a two server deployment is shown below. The first server holds th es_api_port: 9201 ansible_user: ansible es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment ``` Parameters can additionally be assigned to hosts using the inventory file if desired. 
@@ -385,8 +387,7 @@ These can either be set to a user declared in the file based realm, with admin p In addition to es_config, the following parameters allow the customization of the Java and Elasticsearch versions as well as the role behaviour. Options include: * ```es_enable_xpack``` Default `true`. Setting this to `false` will install the oss release of elasticsearch -* ```es_major_version``` Should be consistent with es_version. For versions >= 5.0 and < 6.0 this must be "5.x". For versions >= 6.0 this must be "6.x". -* ```es_version``` (e.g. "6.3.0"). +* ```es_version``` (e.g. "7.0.0"). * ```es_api_host``` The host name used for actions requiring HTTP e.g. installing templates. Defaults to "localhost". * ```es_api_port``` The port used for actions requiring HTTP e.g. installing templates. Defaults to 9200. **CHANGE IF THE HTTP PORT IS NOT 9200** * ```es_api_basic_auth_username``` The Elasticsearch username for making admin changing actions. Used if Security is enabled. Ensure this user is admin. @@ -396,7 +397,7 @@ In addition to es_config, the following parameters allow the customization of th * ```es_plugins``` an array of plugin definitions e.g.: ```yaml es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment ``` * ```es_path_repo``` Sets the whitelist for allowing local back-up repositories * ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): @@ -459,7 +460,7 @@ To define proxy only for a particular plugin during its installation: ```yaml es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment proxy_host: proxy.example.com proxy_port: 8080 ``` 
@@ -471,7 +472,7 @@ To define proxy only for a particular plugin during its installation: * The role assumes the user/group exists on the server. The elasticsearch packages create the default elasticsearch user. If this needs to be changed, ensure the user exists. * The playbook relies on the inventory_name of each host to ensure its directories are unique * Changing an instance_name for a role application will result in the installation of a new component. The previous component will remain. -* KitchenCI has been used for testing. This is used to confirm images reach the correct state after a play is first applied. We currently test the latest version of 6.x and 5.x on all supported platforms. +* KitchenCI has been used for testing. This is used to confirm images reach the correct state after a play is first applied. We currently test the latest version of 7.x and 6.x on all supported platforms. * The role aims to be idempotent. Running the role multiple times, with no changes, should result in no state change on the server. If the configuration is changed, these will be applied and Elasticsearch restarted where required. * Systemd is used for Ubuntu versions >= 15, Debian >=8, Centos >=7. All other versions use init for service scripts. * In order to run x-pack tests a license file with security enabled is required. A trial license is appropriate. Set the environment variable `ES_XPACK_LICENSE_FILE` to the full path of the license file prior to running tests. diff --git a/defaults/main.yml b/defaults/main.yml index 8c4c868..ec69115 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,12 +1,11 @@ --- -es_major_version: "6.x" -es_version: "6.6.0" +es_version: "7.0.1" es_use_snapshot_release: false es_enable_xpack: true es_package_name: "elasticsearch" es_version_lock: false es_use_repository: true -es_templates_fileglob: "files/templates/*.json" +es_templates_fileglob: "files/templates-{{ es_major_version }}/*.json" es_repo_base: "https://artifacts.elastic.co" es_apt_key: "{{ es_repo_base }}/GPG-KEY-elasticsearch" es_apt_url: "deb {{ es_repo_base }}/packages/{{ es_repo_name }}/apt stable main" diff --git a/files/templates/basic.json b/files/templates-6.x/basic.json similarity index 100% rename from files/templates/basic.json rename to files/templates-6.x/basic.json diff --git a/files/templates-7.x/basic.json b/files/templates-7.x/basic.json new file mode 100644 index 0000000..31796da --- /dev/null +++ b/files/templates-7.x/basic.json @@ -0,0 +1,9 @@ +{ + "index_patterns" : "te*", + "settings" : { + "number_of_shards" : 1 + }, + "mappings" : { + "_source" : { "enabled" : false } + } +} \ No newline at end of file diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index a00ca00..0ed0c21 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -14,6 +14,7 @@ es_xpack_conf_subdir: "" es_repo_name: "{{ es_major_version }}" es_xpack_users_command: "elasticsearch-users" + es_package_name: "elasticsearch" es_other_package_name: "elasticsearch-oss" es_other_repo_name: "{{ 'oss-' + es_major_version }}" es_other_apt_url: "deb {{ es_repo_base }}/packages/{{ 'oss-' + es_major_version }}/apt stable main" diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index df1ba0e..6cee59f 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml 
@@ -12,14 +12,6 @@ debug: msg="WARNING - It is recommended you specify the parameter 'http.port'" when: es_config['http.port'] is not defined -- name: debug message - debug: msg="WARNING - It is recommended you specify the parameter 'transport.tcp.port'" - when: es_config['transport.tcp.port'] is not defined - -- name: debug message - debug: msg="WARNING - It is recommended you specify the parameter 'discovery.zen.ping.unicast.hosts'" - when: es_config['discovery.zen.ping.unicast.hosts'] is not defined - #If the user attempts to lock memory they must specify a heap size - name: fail when heap size is not specified when using memory lock fail: msg="If locking memory with bootstrap.memory_lock a heap size must be specified" diff --git a/tasks/main.yml b/tasks/main.yml index cb4735e..465540c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,4 +1,9 @@ --- + +- set_fact: "es_major_version={{ es_version.split('.')[0] }}.x" + when: + - es_major_version is undefined + - name: os-specific vars include_vars: "{{ansible_os_family}}.yml" tags: diff --git a/templates/jvm.options.j2 b/templates/jvm.options.j2 index ad30851..9832782 100644 --- a/templates/jvm.options.j2 +++ b/templates/jvm.options.j2 @@ -103,14 +103,6 @@ #-XX:+UseGCLogFileRotation #-XX:NumberOfGCLogFiles=32 #-XX:GCLogFileSize=128M - -# Elasticsearch 5.0.0 will throw an exception on unquoted field names in JSON. -# If documents were already indexed with unquoted fields in a previous version -# of Elasticsearch, some operations may throw errors. -# -# WARNING: This option will be removed in Elasticsearch 6.0.0 and is provided -# only for migration purposes. -#-Delasticsearch.json.allow_unquoted_field_names=true {% if es_jvm_custom_parameters !='' %} {% for item in es_jvm_custom_parameters %} {{ item }} diff --git a/test/integration/helpers/serverspec/multi_spec.rb b/test/integration/helpers/serverspec/multi_spec.rb index e2a34ae..278ed42 100644 --- a/test/integration/helpers/serverspec/multi_spec.rb 
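Review bot: The `set_fact` added at the top of tasks/main.yml is unnamed, uses the `key=value` string form, and calls `.split` on `es_version` without making sure the value is a string. Since `es_major_version` now feeds `es_repo_name` and `es_templates_fileglob`, I would name the task and use the mapping form: `- name: set fact es_major_version`, `set_fact:`, `es_major_version: "{{ (es_version | string).split('.')[0] }}.x"`. An `es_version` written unquoted with a single dot would otherwise be parsed as a float before it reaches `.split`.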
+++ b/test/integration/helpers/serverspec/multi_spec.rb @@ -11,16 +11,16 @@ shared_examples 'multi::init' do |vars| describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do it { should be_file } it { should contain 'http.port: 9201' } - it { should contain 'transport.tcp.port: 9301' } + if vars['es_major_version'] == '7.x' + it { should contain 'transport.port: 9301' } + else + it { should contain 'transport.tcp.port: 9301' } + end it { should contain 'node.data: true' } it { should contain 'node.master: false' } it { should contain "node.name: localhost-#{vars['es_instance_name']}" } it { should_not contain 'bootstrap.memory_lock: true' } - if vars['es_major_version'] == '6.x' - it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - else - it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - end + it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } it { should contain "path.data: /opt/elasticsearch/data-1/localhost-#{vars['es_instance_name']},/opt/elasticsearch/data-2/localhost-#{vars['es_instance_name']}" } it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" } end 
@@ -30,16 +30,16 @@ shared_examples 'multi::init' do |vars| describe file('/etc/elasticsearch/master/elasticsearch.yml') do it { should be_file } it { should contain 'http.port: 9200' } - it { should contain 'transport.tcp.port: 9300' } + if vars['es_major_version'] == '7.x' + it { should contain 'transport.port: 9300' } + else + it { should contain 'transport.tcp.port: 9300' } + end it { should contain 'node.data: false' } it { should contain 'node.master: true' } it { should contain 'node.name: localhost-master' } it { should contain 'bootstrap.memory_lock: true' } - if vars['es_major_version'] == '6.x' - it { should_not contain 'path.conf: /etc/elasticsearch/master' } - else - it { should contain 'path.conf: /etc/elasticsearch/master' } - end + it { should_not contain 'path.conf: /etc/elasticsearch/master' } it { should contain 'path.data: /opt/elasticsearch/master/localhost-master' } it { should contain 'path.logs: /var/log/elasticsearch/localhost-master' } end diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index eca6682..0402dca 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb 
@@ -43,32 +43,6 @@ shared_examples 'shared::init' do |vars| expect(values['enabled'] = enabled) end end - # X-Pack is no longer installed as a plugin in elasticsearch - if vars['es_major_version'] == '5.x' - describe file('/usr/share/elasticsearch/plugins/x-pack') do - it { should be_directory } - it { should be_owned_by vars['es_user'] } - end - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/x-pack") do - it { should be_directory } - it { should be_owned_by vars['es_user'] } - end - describe 'x-pack-core plugin' do - it 'should be installed with the correct version' do - plugins = curl_json("#{es_api_url}/_nodes/plugins", username=username, password=password) - node, data = plugins['nodes'].first - version = 'plugin not found' - name = 'x-pack' - - data['plugins'].each do |plugin| - if plugin['name'] == name - version = plugin['version'] - end - end - expect(version).to eql(vars['es_version']) - end - end - end end end describe user(vars['es_user']) do @@ -108,7 +82,11 @@ shared_examples 'shared::init' do |vars| template = curl_json("#{es_api_url}/_template/basic", username=username, password=password) expect(template.key?('basic')) expect(template['basic']['settings']['index']['number_of_shards']).to eq("1") - expect(template['basic']['mappings']['type1']['_source']['enabled']).to eq(false) + if vars['es_major_version'] == '7.x' + expect(template['basic']['mappings']['_source']['enabled']).to eq(false) + else + expect(template['basic']['mappings']['type1']['_source']['enabled']).to eq(false) + end end end end 
@@ -159,11 +137,7 @@ shared_examples 'shared::init' do |vars| describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do it { should contain "node.name: localhost-#{vars['es_instance_name']}" } it { should contain 'cluster.name: elasticsearch' } - if vars['es_major_version'] == '6.x' - it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - else - it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - end + it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } its(:content) { should match "path.data: #{vars['data_dirs'].join(',')}" } its(:content) { should match "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" } end diff --git a/test/integration/helpers/serverspec/xpack_spec.rb b/test/integration/helpers/serverspec/xpack_spec.rb index 2b962ed..77b0a0b 100644 --- a/test/integration/helpers/serverspec/xpack_spec.rb +++ b/test/integration/helpers/serverspec/xpack_spec.rb @@ -4,11 +4,7 @@ shared_examples 'xpack::init' do |vars| describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do it { should contain "node.name: localhost-#{vars['es_instance_name']}" } it { should contain 'cluster.name: elasticsearch' } - if vars['es_major_version'] == '6.x' - it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - else - it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - end + it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } it { should contain "path.data: /var/lib/elasticsearch/localhost-#{vars['es_instance_name']}" } it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" } it { should contain 'xpack.security.enabled: false' } 
diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index 4afc622..d9784d1 100644 --- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb @@ -6,11 +6,7 @@ shared_examples 'xpack_upgrade::init' do |vars| describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do it { should contain "node.name: localhost-#{vars['es_instance_name']}" } it { should contain 'cluster.name: elasticsearch' } - if vars['es_major_version'] == '6.x' - it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - else - it { should contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - end + it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } it { should contain "path.data: /var/lib/elasticsearch/localhost-#{vars['es_instance_name']}" } it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" } end @@ -36,10 +32,15 @@ shared_examples 'xpack_upgrade::init' do |vars| end describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do - it { should contain 'security.authc.realms.file1.order: 0' } - it { should contain 'security.authc.realms.file1.type: file' } - it { should contain 'security.authc.realms.native1.order: 1' } - it { should contain 'security.authc.realms.native1.type: native' } + if vars['es_major_version'] == '7.x' + it { should contain 'security.authc.realms.file.file1.order: 0' } + it { should contain 'security.authc.realms.native.native1.order: 1' } + else + it { should contain 'security.authc.realms.file1.order: 0' } + it { should contain 'security.authc.realms.file1.type: file' } + it { should contain 'security.authc.realms.native1.order: 1' } + it { should contain 'security.authc.realms.native1.type: native' } + end end #Test contents of role_mapping.yml 
@@ -91,13 +92,4 @@ shared_examples 'xpack_upgrade::init' do |vars| expect(command.exit_status).to eq(0) end end - - if vars['es_major_version'] == '5.x' # kibana default password has been removed in 6.x - describe 'kibana access check' do - it 'should be reported as version '+vars['es_version'] do - result = curl_json('http://localhost:9200/', username='kibana', password='changeme') - expect(result['version']['number']).to eq(vars['es_version']) - end - end - end end diff --git a/test/integration/issue-test.yml b/test/integration/issue-test.yml index 30a2cba..aa32534 100644 --- a/test/integration/issue-test.yml +++ b/test/integration/issue-test.yml @@ -14,14 +14,12 @@ es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}" es_config: xpack.security.enabled: True - xpack.security.authc.realms.file1.type: "file" - xpack.security.authc.realms.file1.order: 1 - xpack.security.authc.realms.native1.type: "native" - xpack.security.authc.realms.native1.order: 0 + xpack.security.authc.realms.file.file1.order: 1 + xpack.security.authc.realms.native.native1.type: "native" es_heap_size: "1g" es_enable_xpack: true es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment es_xpack_features: - security - alerting diff --git a/test/integration/multi.yml b/test/integration/multi.yml index 27fd3df..f018bd4 100644 --- a/test/integration/multi.yml +++ b/test/integration/multi.yml 
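Review bot: In the `es_config` of issue-test.yml, the 7.x-style realm keys are not equivalent to the four lines they replace: `native.native1` keeps a `type: "native"` key but loses its `order`, and `file.file1` has `order: 1` with nothing at order 0. The `es_config_7x` maps this commit adds in xpack-upgrade.yml carry no `type` key and give each realm an explicit order. To keep the original precedence I would write `xpack.security.authc.realms.file.file1.order: 1` and `xpack.security.authc.realms.native.native1.order: 0` here. Whether Elasticsearch 7 rejects the leftover `type` setting at startup should be confirmed against the test run; the play's `vars` block starts above this hunk.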
@@ -10,20 +10,27 @@ es_instance_name: "master" es_data_dirs: - "/opt/elasticsearch/master" - es_config: + es_config_6x: discovery.zen.ping.unicast.hosts: "localhost:9300" http.port: 9200 transport.tcp.port: 9300 node.data: false node.master: true bootstrap.memory_lock: true + es_config_7x: + http.port: 9200 + transport.port: 9300 + node.data: false + node.master: true + bootstrap.memory_lock: true + es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" es_enable_xpack: false es_scripts: true es_templates: true es_heap_size: "1g" es_api_port: 9200 es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment - name: Elasticsearch Multi test - data on 9201 hosts: localhost @@ -38,14 +45,21 @@ es_heap_size: "1g" es_api_port: 9201 es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment es_instance_name: "node1" - es_data_dirs: + es_data_dirs: - "/opt/elasticsearch/data-1" - "/opt/elasticsearch/data-2" - es_config: + es_config_6x: discovery.zen.ping.unicast.hosts: "localhost:9300" http.port: 9201 transport.tcp.port: 9301 node.data: true node.master: false + es_config_7x: + discovery.seed_hosts: "localhost:9300" + http.port: 9201 + transport.port: 9301 + node.data: true + node.master: false + es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" diff --git a/test/integration/oss-to-xpack-upgrade.yml b/test/integration/oss-to-xpack-upgrade.yml index c1ea558..71e3798 100644 --- a/test/integration/oss-to-xpack-upgrade.yml +++ b/test/integration/oss-to-xpack-upgrade.yml @@ -7,7 +7,7 @@ - elasticsearch vars: es_instance_name: "node1" - es_version: "{{ '6.2.4' if es_major_version == '6.x' else '5.6.9' }}" # This is set to an older version than the current default to force an upgrade + es_version: "{{ '7.0.0' if es_major_version == '7.x' else '6.7.1' }}" # This is set to an older version than the current default to force an upgrade es_enable_xpack: false es_heap_size: "1g" 
diff --git a/test/integration/oss-upgrade.yml b/test/integration/oss-upgrade.yml index e90ac82..62c2089 100644 --- a/test/integration/oss-upgrade.yml +++ b/test/integration/oss-upgrade.yml @@ -7,7 +7,7 @@ - elasticsearch vars: es_instance_name: "node1" - es_version: "{{ '6.2.4' if es_major_version == '6.x' else '5.6.9' }}" # This is set to an older version than the current default to force an upgrade + es_version: "{{ '7.0.0' if es_major_version == '7.x' else '6.7.1' }}" # This is set to an older version than the current default to force an upgrade es_enable_xpack: false es_heap_size: "1g" diff --git a/test/integration/oss.yml b/test/integration/oss.yml index 4bcf6b9..4dfdee2 100644 --- a/test/integration/oss.yml +++ b/test/integration/oss.yml @@ -10,6 +10,6 @@ es_enable_xpack: false es_heap_size: "1g" es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment #Do not add tests here. This test is run twice and confirms idempotency. diff --git a/test/integration/xpack-upgrade.yml b/test/integration/xpack-upgrade.yml index 5620489..000fdb5 100644 --- a/test/integration/xpack-upgrade.yml +++ b/test/integration/xpack-upgrade.yml 
@@ -8,21 +8,26 @@ vars: es_instance_name: "node1" es_api_port: 9200 - es_config: + es_config_6x: http.port: 9200 - transport.tcp.port: 9300 - discovery.zen.ping.unicast.hosts: "localhost:9300" - xpack.security.authc.realms.file1.type: "file" xpack.security.authc.realms.file1.order: 0 - xpack.security.authc.realms.native1.type: "native" + xpack.security.authc.realms.file1.type: file xpack.security.authc.realms.native1.order: 1 + xpack.security.authc.realms.native1.type: native + es_config_7x: + http.port: 9200 + xpack.security.enabled: True + xpack.security.authc.realms.file.file1.order: 0 + xpack.security.authc.realms.native.native1.order: 1 + es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" es_heap_size: "1g" es_templates: true - es_version: "{{ '6.2.4' if es_major_version == '6.x' else '5.6.9' }}" # This is set to an older version than the current default to force an upgrade + es_major_version: "7.x" + es_version: "{{ '7.0.0' if es_major_version == '7.x' else '6.7.1' }}" # This is set to an older version than the current default to force an upgrade es_enable_xpack: true es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}" es_plugins: - - plugin: ingest-geoip + - plugin: ingest-attachment es_xpack_features: - security - alerting 
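Review bot: The added `es_major_version: "7.x"` in this play's `vars` pins the major version, so the `es_config_6x` map and the `'6.7.1'` side of `es_version` look unreachable unless the harness overrides it with a higher-precedence variable. If the 6.x matrix entry is still meant to run this upgrade suite, drop the line and let the value come from the test matrix, as oss-upgrade.yml and oss-to-xpack-upgrade.yml in this commit appear to do. The `vars` block continues beyond this hunk.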
@@ -118,15 +123,18 @@ vars: es_api_port: 9200 es_instance_name: "node1" - es_config: + es_config_6x: http.port: 9200 - transport.tcp.port: 9300 - discovery.zen.ping.unicast.hosts: "localhost:9300" - xpack.security.enabled: True - xpack.security.authc.realms.file1.type: "file" xpack.security.authc.realms.file1.order: 0 - xpack.security.authc.realms.native1.type: "native" + xpack.security.authc.realms.file1.type: file xpack.security.authc.realms.native1.order: 1 + xpack.security.authc.realms.native1.type: native + es_config_7x: + http.port: 9200 + xpack.security.enabled: True + xpack.security.authc.realms.file.file1.order: 0 + xpack.security.authc.realms.native.native1.order: 1 + es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" es_heap_size: "1g" es_templates: true es_enable_xpack: true diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml index 25d03af..5be3d03 100644 --- a/test/integration/xpack.yml +++ b/test/integration/xpack.yml @@ -11,8 +11,6 @@ es_instance_name: "node1" es_config: http.port: 9200 - transport.tcp.port: 9300 - discovery.zen.ping.unicast.hosts: "localhost:9300" es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{{ es_version }}.zip" es_heap_size: 2g es_enable_xpack: true diff --git a/test/matrix.yml b/test/matrix.yml index 4b30ed1..e27a5ac 100644 --- a/test/matrix.yml +++ b/test/matrix.yml @@ -1,6 +1,6 @@ VERSION: + - 7.x - 6.x - - 5.x OS: - ubuntu-1404 - ubuntu-1604 From a677218fa85a5cbbc7e835a3ede8e5a6c7cee2bf Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 9 May 2019 19:39:09 +0200 Subject: [PATCH 27/71] [templates] simplify template install task --- tasks/elasticsearch-template.yml | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index e999d35..e1bc80d 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml 
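Review bot: In the second play of xpack-upgrade.yml, `xpack.security.enabled: True` is removed from what becomes `es_config_6x` and re-added only under `es_config_7x`. A 6.x run of this play therefore no longer requests security explicitly, although it still configures the file and native realms. If the 6.x path is kept, add `xpack.security.enabled: True` to `es_config_6x` as well, so the realm checks in xpack_upgrade_spec.rb run against an authenticated cluster on both versions. Whether the role sets it elsewhere is not visible from this hunk.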
@@ -13,29 +13,16 @@ with_fileglob: - "{{ es_templates_fileglob | default('') }}" -- name: Install templates without auth +- name: Install templates uri: url: "http://{{es_api_host}}:{{es_api_port}}/_template/{{item | filename}}" method: PUT status_code: 200 + user: "{{es_api_basic_auth_username | default(omit)}}" + password: "{{es_api_basic_auth_password | default(omit)}}" body_format: json body: "{{ lookup('file', item) }}" - when: load_templates.changed and es_start_service and (not es_enable_xpack or not es_xpack_features is defined or "security" not in es_xpack_features) - with_fileglob: - - "{{ es_templates_fileglob | default('') }}" - run_once: True - -- name: Install templates with auth - uri: - url: "http://{{es_api_host}}:{{es_api_port}}/_template/{{item | filename}}" - method: PUT - status_code: 200 - user: "{{es_api_basic_auth_username}}" - password: "{{es_api_basic_auth_password}}" - force_basic_auth: yes - body_format: json - body: "{{ lookup('file', item) }}" - when: load_templates.changed and es_start_service and es_enable_xpack and es_xpack_features is defined and "security" in es_xpack_features + when: load_templates.changed and es_start_service with_fileglob: - "{{ es_templates_fileglob | default('') }}" run_once: True From d00bd5f3f1de8b31890afd5a40d0cb1bf581550c Mon Sep 17 00:00:00 2001 From: Hamish Forbes Date: Wed, 15 May 2019 14:14:02 +0100 Subject: [PATCH 28/71] Configurable instance_suffix --- tasks/elasticsearch-parameters.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index 6cee59f..a0b08ff 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml 
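Review bot: The merged `Install templates` task drops `force_basic_auth: yes`, which the removed authenticated variant used to send the credentials on the first request. Without it the uri module only answers a 401 challenge, so on a cluster that allows anonymous access the PUT would presumably be evaluated as the anonymous user rather than `es_api_basic_auth_username`. I would add `force_basic_auth: "{{ es_api_basic_auth_username is defined }}"` next to `user`/`password`. Separately, the URL is still `http://`, so these credentials cross the network in cleartext whenever `es_api_host` is not local; a configurable scheme would let TLS-enabled clusters be targeted.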
@@ -58,7 +58,8 @@ #For directories we also use the {{inventory_hostname}}-{{ es_instance_name }} - this helps if we have a shared SAN. - name: set fact instance_suffix - set_fact: instance_suffix={{inventory_hostname}}-{{ es_instance_name }} + set_fact: + instance_suffix: "{{ es_instance_suffix | default([inventory_hostname, es_instance_name] | join('-')) }}" - name: set fact pid_dir set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}} - name: set fact log_dir From e420d482cc85af7cbfb7d1e9758f0a77b2798fa4 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Fri, 17 May 2019 23:02:46 -0400 Subject: [PATCH 29/71] [kitchen] update gem dependencies (#564) this should fix an issue with busser install in kitchen testing containers (related to https://github.com/test-kitchen/test-kitchen/pull/1536) --- Gemfile | 8 ++--- Gemfile.lock | 98 +++++++++++++++++++++++++++++++++++++--------------- 2 files changed, 74 insertions(+), 32 deletions(-) diff --git a/Gemfile b/Gemfile index 5dac49d..bf42881 100644 --- a/Gemfile +++ b/Gemfile @@ -1,6 +1,6 @@ source 'https://rubygems.org' -gem 'test-kitchen', '1.20.0' -gem 'kitchen-docker', '2.6.0' -gem 'kitchen-ansible', '0.48.1' -gem 'net-ssh', '4.2.0' +gem 'test-kitchen' +gem 'kitchen-docker' +gem 'kitchen-ansible' +gem 'net-ssh' diff --git a/Gemfile.lock b/Gemfile.lock index 39738be..b7d8dcc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
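Review bot: `es_instance_suffix` now replaces the `inventory_hostname`-based suffix that `pid_dir`, `log_dir` and the facts after them are built from, but nothing checks the value and the comment above still describes only the old behaviour. Two hosts given the same override on shared storage would write into the same directories, and a value containing `/` changes where those directories land. I would extend the comment, e.g. `#es_instance_suffix overrides this; it must be unique per node and contain no path separators`, and document the variable in the README. The remaining `set_fact` tasks continue outside the hunk.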
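Review bot: Removing every version constraint from the Gemfile leaves Gemfile.lock as the only thing that decides which gems the test harness runs. Any `bundle update`, or a run without the lockfile, then pulls whatever is newest on rubygems.org. Pessimistic constraints matching the versions this commit locks would keep the busser fix while bounding that drift, for example `gem 'test-kitchen', '~> 2.2'` and `gem 'net-ssh', '~> 5.2'`.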
@@ -1,50 +1,91 @@ GEM remote: https://rubygems.org/ specs: + bcrypt_pbkdf (1.0.1) builder (3.2.3) + ed25519 (1.2.4) + equatable (0.5.0) erubis (2.7.0) - ffi (1.9.24) - gssapi (1.2.0) + ffi (1.10.0) + gssapi (1.3.0) ffi (>= 1.0.1) gyoku (1.3.1) builder (>= 2.1.2) httpclient (2.8.3) - kitchen-ansible (0.48.1) + kitchen-ansible (0.50.0) net-ssh (>= 3) - test-kitchen (~> 1.4) - kitchen-docker (2.6.0) + test-kitchen (>= 1.4) + kitchen-docker (2.9.0) test-kitchen (>= 1.0.0) + license-acceptance (1.0.11) + pastel (~> 0.7) + tomlrb (~> 1.2) + tty-box (~> 0.3) + tty-prompt (~> 0.18) little-plugger (1.1.4) logging (2.2.2) little-plugger (~> 1.1) multi_json (~> 1.10) - mixlib-install (3.9.0) + mixlib-install (3.11.18) mixlib-shellout mixlib-versioning thor - mixlib-shellout (2.3.2) - mixlib-versioning (1.2.2) + mixlib-shellout (2.4.4) + mixlib-versioning (1.2.7) multi_json (1.13.1) - net-scp (1.2.1) - net-ssh (>= 2.6.5) - net-ssh (4.2.0) - net-ssh-gateway (1.3.0) - net-ssh (>= 2.6.5) + necromancer (0.4.0) + net-scp (2.0.0) + net-ssh (>= 2.6.5, < 6.0.0) + net-ssh (5.2.0) + net-ssh-gateway (2.0.0) + net-ssh (>= 4.0.0) nori (2.6.0) + pastel (0.7.2) + equatable (~> 0.5.0) + tty-color (~> 0.4.0) rubyntlm (0.6.2) rubyzip (1.2.2) - test-kitchen (1.20.0) + strings (0.1.5) + strings-ansi (~> 0.1) + unicode-display_width (~> 1.5) + unicode_utils (~> 1.4) + strings-ansi (0.1.0) + test-kitchen (2.2.5) + bcrypt_pbkdf (~> 1.0) + ed25519 (~> 1.2) + license-acceptance (~> 1.0, >= 1.0.11) mixlib-install (~> 3.6) mixlib-shellout (>= 1.2, < 3.0) - net-scp (~> 1.1) - net-ssh (>= 2.9, < 5.0) - net-ssh-gateway (~> 1.2) - thor (~> 0.19, < 0.19.2) + net-scp (>= 1.1, < 3.0) + net-ssh (>= 2.9, < 6.0) + net-ssh-gateway (>= 1.2, < 3.0) + thor (~> 0.19) winrm (~> 2.0) winrm-elevated (~> 1.0) - winrm-fs (~> 1.1.0) - thor (0.19.1) - winrm (2.2.3) + winrm-fs (~> 1.1) + thor (0.20.3) + timers (4.3.0) + tomlrb (1.2.8) + tty-box (0.3.0) + pastel (~> 0.7.2) + strings (~> 0.1.4) + tty-cursor (~> 0.6.0) + 
tty-color (0.4.3) + tty-cursor (0.6.1) + tty-prompt (0.18.1) + necromancer (~> 0.4.0) + pastel (~> 0.7.0) + timers (~> 4.0) + tty-cursor (~> 0.6.0) + tty-reader (~> 0.5.0) + tty-reader (0.5.0) + tty-cursor (~> 0.6.0) + tty-screen (~> 0.6.4) + wisper (~> 2.0.0) + tty-screen (0.6.5) + unicode-display_width (1.6.0) + unicode_utils (1.4.0) + winrm (2.3.2) builder (>= 2.1.2) erubis (~> 2.7) gssapi (~> 1.2) @@ -53,23 +94,24 @@ GEM logging (>= 1.6.1, < 3.0) nori (~> 2.0) rubyntlm (~> 0.6.0, >= 0.6.1) - winrm-elevated (1.1.0) + winrm-elevated (1.1.1) winrm (~> 2.0) winrm-fs (~> 1.0) - winrm-fs (1.1.1) + winrm-fs (1.3.2) erubis (~> 2.7) logging (>= 1.6.1, < 3.0) rubyzip (~> 1.1) winrm (~> 2.0) + wisper (2.0.0) PLATFORMS ruby DEPENDENCIES - kitchen-ansible (= 0.48.1) - kitchen-docker (= 2.6.0) - net-ssh (= 4.2.0) - test-kitchen (= 1.20.0) + kitchen-ansible + kitchen-docker + net-ssh + test-kitchen BUNDLED WITH - 1.16.1 + 1.17.0 From 1585ec2c1c19962d2c5879bc6fdc018bc0c45fb1 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Mon, 27 May 2019 18:16:50 +0200 Subject: [PATCH 30/71] remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) --- README.md | 51 ++++++++----------- defaults/main.yml | 1 - files/scripts/calculate-score.groovy | 1 - tasks/elasticsearch-scripts.yml | 26 ---------- tasks/main.yml | 6 --- .../helpers/serverspec/multi_spec.rb | 11 ---- .../helpers/serverspec/shared_spec.rb | 10 ---- test/integration/multi.yml | 2 - 8 files changed, 22 insertions(+), 86 deletions(-) delete mode 100644 files/scripts/calculate-score.groovy delete mode 100644 tasks/elasticsearch-scripts.yml diff --git a/README.md b/README.md index 703ed5b..949140d 100644 --- a/README.md +++ b/README.md 
@@ -26,10 +26,10 @@ Create your Ansible playbook with your own tasks, and include the role elasticse ansible-galaxy install elastic.elasticsearch,7.0.1 ``` -Then create your playbook yaml adding the role elasticsearch. By default, the user is only required to specify a unique es_instance_name per role application. This should be unique per node. +Then create your playbook yaml adding the role elasticsearch. By default, the user is only required to specify a unique es_instance_name per role application. This should be unique per node. The application of the elasticsearch role results in the installation of a node on a host. -The simplest configuration therefore consists of: +The simplest configuration therefore consists of: ```yaml - name: Simple Example @@ -93,7 +93,7 @@ The `PATTERN` is a kitchen pattern which can match multiple suites. To run all t $ make converge PATTERN=centos-7 ``` -The default version is 7.x. If you want to test 6.x you can override it with the `VERSION` variable, for example: +The default version is 7.x. If you want to test 6.x you can override it with the `VERSION` variable, for example: ```sh $ make converge VERSION=6.x PATTERN=oss-centos-7 ``` @@ -105,7 +105,7 @@ $ make destroy-all ### Basic Elasticsearch Configuration -All Elasticsearch configuration parameters are supported. This is achieved using a configuration map parameter 'es_config' which is serialized into the elasticsearch.yml file. +All Elasticsearch configuration parameters are supported. This is achieved using a configuration map parameter 'es_config' which is serialized into the elasticsearch.yml file. The use of a map ensures the Ansible playbook does not need to be updated to reflect new/deprecated/plugin configuration parameters. In addition to the es_config map, several other parameters are supported for additional functions e.g. script installation. These can be found in the role's defaults/main.yml file. 
@@ -131,7 +131,6 @@ The following illustrates applying configuration parameters to an Elasticsearch node.data: false node.master: true bootstrap.memory_lock: true - es_scripts: false es_templates: false es_version_lock: false es_heap_size: 1g @@ -143,9 +142,9 @@ Whilst the role installs Elasticsearch with the default configuration parameters * ```es_config['http.port']``` - the http port for the node * ```es_config['transport.port']``` - the transport port for the node * ```es_config['discovery.seed_hosts']``` - the unicast discovery list, in the comma separated format ```":,:"``` (typically the clusters dedicated masters) -* ```es_config['network.host']``` - sets both network.bind_host and network.publish_host to the same host value. The network.bind_host setting allows to control the host different network components will bind on. +* ```es_config['network.host']``` - sets both network.bind_host and network.publish_host to the same host value. The network.bind_host setting allows to control the host different network components will bind on. -The network.publish_host setting allows to control the host the node will publish itself within the cluster so other nodes will be able to connect to it. +The network.publish_host setting allows to control the host the node will publish itself within the cluster so other nodes will be able to connect to it. See https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html for further details on default binding behaviour and available options. The role makes no attempt to enforce the setting of these are requires users to specify them appropriately. IT is recommended master nodes are listed and thus deployed first where possible. @@ -171,7 +170,6 @@ A more complex example: node.data: false node.master: true bootstrap.memory_lock: true - es_scripts: false es_templates: false es_version_lock: false es_heap_size: 1g 
@@ -186,12 +184,12 @@ A more complex example: #### Important Note -**The role uses es_api_host and es_api_port to communicate with the node for actions only achievable via http e.g. to install templates and to check the NODE IS ACTIVE. These default to "localhost" and 9200 respectively. +**The role uses es_api_host and es_api_port to communicate with the node for actions only achievable via http e.g. to install templates and to check the NODE IS ACTIVE. These default to "localhost" and 9200 respectively. If the node is deployed to bind on either a different host or port, these must be changed.** ### Multi Node Server Installations -The application of the elasticsearch role results in the installation of a node on a host. Specifying the role multiple times for a host therefore results in the installation of multiple nodes for the host. +The application of the elasticsearch role results in the installation of a node on a host. Specifying the role multiple times for a host therefore results in the installation of multiple nodes for the host. An example of a two server deployment is shown below. The first server holds the master and is thus declared first. Whilst not mandatory, this is recommended in any multi node cluster configuration. The second server hosts two data nodes. @@ -212,7 +210,6 @@ An example of a two server deployment is shown below. The first server holds th node.data: false node.master: true bootstrap.memory_lock: false - es_scripts: false es_templates: false es_version_lock: false ansible_user: ansible @@ -224,7 +221,7 @@ An example of a two server deployment is shown below. The first server holds th - role: elastic.elasticsearch vars: es_instance_name: "node1" - es_data_dirs: + es_data_dirs: - "/opt/elasticsearch" es_config: cluster.name: "test-cluster" 
@@ -234,14 +231,13 @@ An example of a two server deployment is shown below. The first server holds th node.data: true node.master: false bootstrap.memory_lock: false - es_scripts: false es_templates: false es_version_lock: false ansible_user: ansible es_api_port: 9200 es_plugins: - plugin: ingest-attachment - + - hosts: data_nodes roles: - role: elastic.elasticsearch @@ -256,7 +252,6 @@ An example of a two server deployment is shown below. The first server holds th node.master: false bootstrap.memory_lock: false cluster.name: "test-cluster" - es_scripts: false es_templates: false es_version_lock: false es_api_port: 9201 @@ -317,8 +312,8 @@ es_users: - power_user - user ``` - - + + * ```es_roles``` - Elasticsearch roles can be declared here as yml. Two sub keys 'native' and 'file' determine how the role is created i.e. either through a file or http(native) call. Beneath each key list the roles with appropriate permissions, using the file based format described [here] (https://www.elastic.co/guide/en/x-pack/current/file-realm.html) e.g. ```yaml @@ -360,13 +355,13 @@ es_roles: - write - delete - create_index -``` - +``` + * ```es_xpack_license``` - X-Pack license. The license is a json blob. Set the variable directly (possibly protected by Ansible vault) or from a file in the Ansible project on the control machine via a lookup: ```yaml es_xpack_license: "{{ lookup('file', playbook_dir + '/files/' + es_cluster_name + '/license.json') }}" -``` +``` X-Pack configuration parameters can be added to the elasticsearch.yml file using the normal `es_config` parameter. 
@@ -397,7 +392,7 @@ In addition to es_config, the following parameters allow the customization of th * ```es_plugins``` an array of plugin definitions e.g.: ```yaml es_plugins: - - plugin: ingest-attachment + - plugin: ingest-attachment ``` * ```es_path_repo``` Sets the whitelist for allowing local back-up repositories * ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): @@ -413,7 +408,7 @@ In addition to es_config, the following parameters allow the customization of th * ```es_custom_package_url``` the URL to the rpm or deb package for Ansible to install. When using this you will also need to set `es_use_repository: false` and make sure that the `es_version` matches the version being installed from your custom URL. E.g. `es_custom_package_url: https://downloads.example.com/elasticsearch.rpm` Earlier examples illustrate the installation of plugins using `es_plugins`. For officially supported plugins no version or source delimiter is required. The plugin script will determine the appropriate plugin version based on the target Elasticsearch version. For community based plugins include the full url. This approach should NOT be used for the X-Pack plugin. See X-Pack below for details here. - + If installing Monitoring or Alerting, ensure the license plugin is also specified. Security configuration currently has limited support, but more support is planned for later versions. To configure X-pack to send mail, the following configuration can be added to the role. When require_auth is true, you will also need to provide the user and password. If not these can be removed: 
@@ -434,7 +429,7 @@ To configure X-pack to send mail, the following configuration can be added to th * ```es_user_id``` - default is undefined. * ```es_group_id``` - default is undefined. -Both ```es_user_id``` and ```es_group_id``` must be set for the user and group ids to be set. +Both ```es_user_id``` and ```es_group_id``` must be set for the user and group ids to be set. By default, each node on a host will be installed to use unique pid, plugin, work, data and log directories. These directories are created, using the instance and host name, beneath default locations ] controlled by the following parameters: 
@@ -443,11 +438,9 @@ controlled by the following parameters: * ```es_data_dirs``` - defaults to "/var/lib/elasticsearch". This can be a list or comma separated string e.g. ["/opt/elasticsearch/data-1","/opt/elasticsearch/data-2"] or "/opt/elasticsearch/data-1,/opt/elasticsearch/data-2" * ```es_log_dir``` - defaults to "/var/log/elasticsearch". * ```es_restart_on_change``` - defaults to true. If false, changes will not result in Elasticsearch being restarted. -* ```es_plugins_reinstall``` - defaults to false. If true, all currently installed plugins will be removed from a node. Listed plugins will then be re-installed. +* ```es_plugins_reinstall``` - defaults to false. If true, all currently installed plugins will be removed from a node. Listed plugins will then be re-installed. -This role ships with sample scripts and templates located in the [files/scripts/](files/scripts) and [files/templates/](files/templates) directories, respectively. These variables are used with the Ansible [with_fileglob](http://docs.ansible.com/ansible/playbooks_loops.html#id4) loop. When setting the globs, be sure to use an absolute path. -* ```es_scripts_fileglob``` - defaults to `/files/scripts/`. -* ```es_templates_fileglob``` - defaults to `/files/templates/`. +This role ships with sample templates located in the [files/templates/](files/templates) directory. `es_templates_fileglob` variable (defaults to `/files/templates/`) is used with the Ansible [with_fileglob](http://docs.ansible.com/ansible/playbooks_loops.html#id4) loop. When setting the globs, be sure to use an absolute path. ### Proxy @@ -460,7 +453,7 @@ To define proxy only for a particular plugin during its installation: ```yaml es_plugins: - - plugin: ingest-attachment + - plugin: ingest-attachment proxy_host: proxy.example.com proxy_port: 8080 ``` 
@@ -472,7 +465,7 @@ To define proxy only for a particular plugin during its installation: * The role assumes the user/group exists on the server. The elasticsearch packages create the default elasticsearch user. If this needs to be changed, ensure the user exists. * The playbook relies on the inventory_name of each host to ensure its directories are unique * Changing an instance_name for a role application will result in the installation of a new component. The previous component will remain. -* KitchenCI has been used for testing. This is used to confirm images reach the correct state after a play is first applied. We currently test the latest version of 7.x and 6.x on all supported platforms. +* KitchenCI has been used for testing. This is used to confirm images reach the correct state after a play is first applied. We currently test the latest version of 7.x and 6.x on all supported platforms. * The role aims to be idempotent. Running the role multiple times, with no changes, should result in no state change on the server. If the configuration is changed, these will be applied and Elasticsearch restarted where required. * Systemd is used for Ubuntu versions >= 15, Debian >=8, Centos >=7. All other versions use init for service scripts. * In order to run x-pack tests a license file with security enabled is required. A trial license is appropriate. Set the environment variable `ES_XPACK_LICENSE_FILE` to the full path of the license file prior to running tests. diff --git a/defaults/main.yml b/defaults/main.yml index ec69115..30687a8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -15,7 +15,6 @@ es_java_install: true update_java: false es_restart_on_change: true es_plugins_reinstall: false -es_scripts: false es_templates: false es_user: elasticsearch es_group: elasticsearch diff --git a/files/scripts/calculate-score.groovy b/files/scripts/calculate-score.groovy deleted file mode 100644 index 442c25c..0000000 
--- a/files/scripts/calculate-score.groovy +++ /dev/null @@ -1 +0,0 @@ -log(_score * 2) + my_modifier \ No newline at end of file diff --git a/tasks/elasticsearch-scripts.yml b/tasks/elasticsearch-scripts.yml deleted file mode 100644 index e38c3b4..0000000 --- a/tasks/elasticsearch-scripts.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- - -- name: set fact es_script_dir - set_fact: es_script_dir={{ es_conf_dir }}/{{es_instance_name}} - tags: - - always - -- name: set fact es_script_dir when path.scripts - set_fact: es_script_dir={{es_config['path.scripts']}} - when: es_config['path.scripts'] is defined - tags: - - always - -- name: Create script dir - become: yes - file: state=directory path={{ es_script_dir }} owner={{ es_user }} group={{ es_group }} recurse=yes - -- name: Copy default scripts to elasticsearch - become: yes - copy: src=scripts dest={{ es_script_dir }} owner={{ es_user }} group={{ es_group }} - when: es_scripts_fileglob is not defined - -- name: Copy scripts to elasticsearch - become: yes - copy: src={{ item }} dest={{ es_script_dir }} owner={{ es_user }} group={{ es_group }} - with_fileglob: "{{ es_scripts_fileglob | default('') }}" diff --git a/tasks/main.yml b/tasks/main.yml index 465540c..c055151 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -39,12 +39,6 @@ tags: - config -- name: include elasticsearch-scripts.yml - include: elasticsearch-scripts.yml - when: es_scripts - tags: - - scripts - - name: include elasticsearch-plugins.yml include: elasticsearch-plugins.yml when: es_plugins is defined or es_plugins_reinstall diff --git a/test/integration/helpers/serverspec/multi_spec.rb b/test/integration/helpers/serverspec/multi_spec.rb index 278ed42..f961f56 100644 --- a/test/integration/helpers/serverspec/multi_spec.rb +++ b/test/integration/helpers/serverspec/multi_spec.rb 
@@ -64,17 +64,6 @@ shared_examples 'multi::init' do |vars| end end - #Confirm scripts are on both nodes - describe file('/etc/elasticsearch/master/scripts') do - it { should be_directory } - it { should be_owned_by 'elasticsearch' } - end - - describe file('/etc/elasticsearch/master/scripts/calculate-score.groovy') do - it { should be_file } - it { should be_owned_by 'elasticsearch' } - end - #Confirm that the data directory has only been set for the first node describe file('/opt/elasticsearch/master/localhost-master') do it { should be_directory } diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index 0402dca..596cd42 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb @@ -90,16 +90,6 @@ shared_examples 'shared::init' do |vars| end end end - if vars['es_scripts'] - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/scripts") do - it { should be_directory } - it { should be_owned_by 'elasticsearch' } - end - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/scripts/calculate-score.groovy") do - it { should be_file } - it { should be_owned_by 'elasticsearch' } - end - end describe file('/etc/init.d/elasticsearch') do it { should_not exist } end diff --git a/test/integration/multi.yml b/test/integration/multi.yml index f018bd4..8f1b8e0 100644 --- a/test/integration/multi.yml +++ b/test/integration/multi.yml @@ -25,7 +25,6 @@ bootstrap.memory_lock: true es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" es_enable_xpack: false - es_scripts: true es_templates: true es_heap_size: "1g" es_api_port: 9200 @@ -40,7 +39,6 @@ - elasticsearch vars: es_enable_xpack: false - es_scripts: true es_templates: true es_heap_size: "1g" es_api_port: 9201 From a879b74def842df34b8b1393ab7a5135898edc53 Mon Sep 17 00:00:00 2001 
From: Julien Mailleret Date: Wed, 29 May 2019 12:10:11 +0200 Subject: [PATCH 31/71] [xpack] use elasticsearch default xpack features (#560) - Stop forcing es_xpack_features variable in order to let elasticsearch install default features described in http://localhost:9200/_xpack - Change xpack test scope to be able to test default xpack install - xpack scenario will test xpack install with default features - xpack upgrade scenario will fully test security feature - oss-to-xpack-upgrade will test installing only other specific features - Cleanup some duplicate serverspec tests - Remove `system_key`feature (deprecated in 5.6 and removed in 6.0 - [Breaking Changes 6.0.0](https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking-6.0.0-xes.html)) - Cleanup some ansible code (especially in `when` conditions) --- README.md | 7 +-- defaults/main.yml | 2 +- files/system_key | Bin 128 -> 0 bytes tasks/elasticsearch-parameters.yml | 5 +- tasks/main.yml | 5 +- tasks/xpack/elasticsearch-xpack.yml | 3 +- .../xpack/security/elasticsearch-security.yml | 15 +----- .../elasticsearch-xpack-activation.yml | 4 +- templates/elasticsearch.yml.j2 | 24 ++------- .../helpers/serverspec/multi_spec.rb | 6 --- .../helpers/serverspec/shared_spec.rb | 50 +++++++++++++++--- .../helpers/serverspec/xpack_spec.rb | 13 ----- .../helpers/serverspec/xpack_upgrade_spec.rb | 10 +--- test/integration/issue-test.yml | 1 - test/integration/oss-to-xpack-upgrade.yml | 6 +-- test/integration/xpack-upgrade.yml | 3 -- test/integration/xpack.yml | 4 -- .../xpack/serverspec/default_spec.rb | 2 - vars/main.yml | 2 - 19 files changed, 70 insertions(+), 92 deletions(-) delete mode 100644 files/system_key delete mode 100644 test/integration/helpers/serverspec/xpack_spec.rb diff --git a/README.md b/README.md index 949140d..239dc9a 100644 --- a/README.md +++ b/README.md 
@@ -272,14 +272,15 @@ ansible-playbook -i hosts ./your-playbook.yml ### Installing X-Pack Features -X-Pack features, such as Security, are supported. This feature is currently experimental. +X-Pack features, such as Security, are supported. -The parameter `es_xpack_features` by default enables all features i.e. it defaults to ["alerting","monitoring","graph","security","ml"] +The parameter `es_xpack_features` allows to list xpack features to install (example: `["alerting","monitoring","graph","security","ml"]`). +When the list is empty, it install all features available with the current licence. The following additional parameters allow X-Pack to be configured: -* ```es_message_auth_file``` System Key field to allow message authentication. This file should be placed in the 'files' directory. * ```es_xpack_custom_url``` Url from which X-Pack can be downloaded. This can be used for installations in isolated environments where the elastic.co repo is not accessible. e.g. ```es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-5.5.1.zip"``` + * ```es_role_mapping``` Role mappings file declared as yml as described [here](https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html) diff --git a/defaults/main.yml b/defaults/main.yml index 30687a8..393acbd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -29,7 +29,7 @@ es_max_open_files: 65536 es_max_threads: "{{ 2048 if ( es_version is version_compare('6.0.0', '<')) else 8192 }}" es_max_map_count: 262144 es_allow_downgrades: false -es_xpack_features: ["alerting","monitoring","graph","ml","security"] +es_xpack_features: [] #These are used for internal operations performed by ansible. #They do not affect the current configuration es_api_host: "localhost" 
diff --git a/files/system_key b/files/system_key deleted file mode 100644 index 91962910d2ac82a5dd768c0d6077bddf45a03aad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 128 zcmV-`0Du2|Yyd3#hjw*u2-sNq2k+!W|LHL$o!$SJ=TOS9HAo93=wva67++&x1ZX22 iC9y`8Cr1#H`9wh$Jp}(^gZ=AWGL)^kJFe;$+g!f+r9nyn diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index a0b08ff..1d432c8 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml @@ -20,7 +20,10 @@ #Check if working with security we have an es_api_basic_auth_username and es_api_basic_auth_username - otherwise any http calls wont work - name: fail when api credentials are not declared when using security fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations" - when: es_enable_xpack and ("security" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined + when: + - es_enable_xpack and "security" in es_xpack_features + - es_api_basic_auth_username is not defined + - es_api_basic_auth_password is not defined - name: set fact file_reserved_users set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }} diff --git a/tasks/main.yml b/tasks/main.yml index c055151..6a622bb 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
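Review bot: The three entries under the new `when:` list of the `fail when api credentials are not declared when using security` task are ANDed, so the guard fires only when both `es_api_basic_auth_username` and `es_api_basic_auth_password` are missing. A play that sets just one of them passes this check and fails later, presumably on the first authenticated call. The two credential tests should be a single entry, `- es_api_basic_auth_username is not defined or es_api_basic_auth_password is not defined`. The guard also still keys on `"security" in es_xpack_features`, which is false for the new default `es_xpack_features: []` in defaults/main.yml, so with the default feature set it appears never to run; that is worth confirming against the intended behaviour. The `set fact file_reserved_users` task that follows continues outside the hunk.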
@@ -68,7 +68,10 @@ - name: set fact manage_native_realm to true set_fact: manage_native_realm=true - when: es_start_service and (es_enable_xpack and "security" in es_xpack_features) and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)) + when: + - es_start_service + - es_enable_xpack + - (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined) # If playbook runs too fast, Native commands could fail as the Native Realm is not yet up - name: Wait 15 seconds for the Native Relm to come up diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index c3c3906..607343b 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -10,6 +10,7 @@ #Security configuration - name: include security/elasticsearch-security.yml include: security/elasticsearch-security.yml + when: es_enable_xpack #Add any feature specific configuration here - name: Set Plugin Directory Permissions @@ -20,4 +21,4 @@ - name: Set elasticsearch.keystore Permissions become: yes file: state=file path={{ conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }} - when: es_enable_xpack and "security" in es_xpack_features and (es_version is version_compare('6.0.0', '>')) + when: es_enable_xpack diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 0e81709..32e1b97 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml 
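Review bot: `manage_native_realm` is now set whenever `es_start_service` and `es_enable_xpack` are true and native users or roles are declared, but the elasticsearch.yml.j2 hunk of this commit writes `xpack.security.enabled: true` only when both API credentials are defined. With native users declared and no credentials, the native realm tasks (outside this hunk) would presumably call the security API on a node where security was never switched on. Adding `- es_api_basic_auth_username is defined and es_api_basic_auth_password is defined` to the list keeps the two conditions aligned.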
@@ -7,14 +7,11 @@ - name: Ensure x-pack conf directory exists (file) file: path={{ conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }} changed_when: False - when: - - es_enable_xpack and "security" in es_xpack_features - - (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined) + when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined) #-----------------------------Create Bootstrap User----------------------------------- ### START BLOCK elasticsearch keystore ### - name: create the elasticsearch keystore - when: (es_enable_xpack and "security" in es_xpack_features) and (es_version is version_compare('6.0.0', '>')) block: - name: create the keystore if it doesn't exist yet become: yes @@ -48,7 +45,7 @@ #-----------------------------FILE BASED REALM---------------------------------------- - include: elasticsearch-security-file.yml - when: (es_enable_xpack and "security" in es_xpack_features) and ((es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)) + when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) #-----------------------------ROLE MAPPING ---------------------------------------- 
@@ -58,13 +55,6 @@ template: src=security/role_mapping.yml.j2 dest={{conf_dir}}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_role_mapping is defined -#-----------------------------AUTH FILE---------------------------------------- - -- name: Copy message auth key to elasticsearch - become: yes - copy: src={{ es_message_auth_file }} dest={{conf_dir}}{{es_xpack_conf_subdir}}/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes - when: es_message_auth_file is defined - #------------------------------------------------------------------------------------ #Ensure security conf directory is created @@ -72,4 +62,3 @@ become: yes file: path={{ conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }} changed_when: False - when: es_enable_xpack and "security" in es_xpack_features diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml index cd72d6a..2bce5bb 100644 --- a/tasks/xpack/security/elasticsearch-xpack-activation.yml +++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml @@ -9,7 +9,7 @@ return_content: yes register: license_activated no_log: True - when: not "security" in es_xpack_features + when: es_api_basic_auth_username is not defined or es_api_basic_auth_password is not defined failed_when: > license_activated.status != 200 or license_activated.json.license_status is not defined or @@ -27,7 +27,7 @@ return_content: yes register: license_activated no_log: True - when: "'security' in es_xpack_features" + when: es_api_basic_auth_username is defined and es_api_basic_auth_password is defined failed_when: > license_activated.status != 200 or license_activated.json.license_status is not defined or diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 09f8af0..f7ecae0 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 
@@ -35,26 +35,8 @@ action.auto_create_index: false action.auto_create_index: {{ es_action_auto_create_index }} {% endif %} -{% if es_enable_xpack %} -{% if not "security" in es_xpack_features %} -xpack.security.enabled: false -{% endif %} - -{% if not "monitoring" in es_xpack_features %} -xpack.monitoring.enabled: false -{% endif %} - -{% if not "alerting" in es_xpack_features %} -xpack.watcher.enabled: false -{% endif %} - -{% if not "ml" in es_xpack_features %} -xpack.ml.enabled: false -{% endif %} - -{% if not "graph" in es_xpack_features %} -xpack.graph.enabled: false -{% endif %} +{% if es_enable_xpack and es_api_basic_auth_username is defined and es_api_basic_auth_password is defined %} +xpack.security.enabled: true {% endif %} {% if es_mail_config is defined %} @@ -71,5 +53,5 @@ xpack.notification.email: {% if es_mail_config['require_auth'] == true %} user: {{ es_mail_config['user'] }} password: {{ es_mail_config['pass'] }} - {% endif %} + {% endif %} {% endif %} diff --git a/test/integration/helpers/serverspec/multi_spec.rb b/test/integration/helpers/serverspec/multi_spec.rb index f961f56..3f42e2f 100644 --- a/test/integration/helpers/serverspec/multi_spec.rb +++ b/test/integration/helpers/serverspec/multi_spec.rb @@ -16,13 +16,7 @@ shared_examples 'multi::init' do |vars| else it { should contain 'transport.tcp.port: 9301' } end - it { should contain 'node.data: true' } - it { should contain 'node.master: false' } - it { should contain "node.name: localhost-#{vars['es_instance_name']}" } it { should_not contain 'bootstrap.memory_lock: true' } - it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - it { should contain "path.data: /opt/elasticsearch/data-1/localhost-#{vars['es_instance_name']},/opt/elasticsearch/data-2/localhost-#{vars['es_instance_name']}" } - it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" } end 
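Review bot: When the credentials are absent this block now writes nothing, where the removed lines wrote an explicit `xpack.security.enabled: false`. The node then runs with whatever default applies to its version and licence, and nothing in the rendered file shows whether authentication is on. A template comment above the condition, such as `{# security is enabled only when both es_api_basic_auth_* variables are set; otherwise the Elasticsearch default applies #}`, would make that visible to whoever maintains the role. A playbook that also sets `xpack.security.enabled` in `es_config` would, it seems, get the key rendered twice, which is presumably why the test playbooks in this commit drop it. Extending the condition with `and 'xpack.security.enabled' not in es_config` avoids the clash, assuming `es_config` is always defined.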
diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index 596cd42..92ddfa8 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb @@ -21,6 +21,22 @@ es_api_url = "http://localhost:#{vars['es_api_port']}" username = vars['es_api_basic_auth_username'] password = vars['es_api_basic_auth_password'] +# Sample of default features status +features = { + 'monitoring' => { + 'enabled' => 'true', + 'available' => 'true' + }, + 'ml' => { + 'enabled' => 'true', + 'available' => 'false' + }, + 'sql' => { + 'enabled' => 'true', + 'available' => 'true' + } +} + shared_examples 'shared::init' do |vars| describe 'version check' do it 'should be reported as version '+vars['es_version'] do 
@@ -35,12 +51,34 @@ shared_examples 'shared::init' do |vars| it 'xpack should be activated' do expect(curl_json("#{es_api_url}/_license", username=username, password=password)['license']['status']).to eq('active') end - features = curl_json("#{es_api_url}/_xpack", username=username, password=password) - curl_json("#{es_api_url}/_xpack", username=username, password=password)['features'].each do |feature,values| - enabled = vars['es_xpack_features'].include? feature - status = if enabled then 'enabled' else 'disabled' end - it "the xpack feature '#{feature}' to be #{status}" do - expect(values['enabled'] = enabled) + if vars.key?('es_xpack_features') + curl_json("#{es_api_url}/_xpack", username=username, password=password)['features'].each do |feature,values| + enabled = vars['es_xpack_features'].include? feature + status = if enabled then 'enabled' else 'disabled' end + it "the xpack feature '#{feature}' to be #{status}" do + expect(values['enabled'] = enabled) + end + end + else + features.each do |feature, status| + feature_available = curl_json("#{es_api_url}/_xpack", username=username, password=password)['features'][feature]['available'] + if feature_available == "true" + status = "available" + else + status = "unavailable" + end + it "the xpack feature '#{feature}' to be #{status}" do + expect(feature_available = status['available']) + end + feature_enabled = curl_json("#{es_api_url}/_xpack", username=username, password=password)['features'][feature]['enabled'] + if feature_enabled == "true" + status = "enabled" + else + status = "disabled" + end + it "the xpack feature '#{feature}' to be #{status}" do + expect(feature_available = status['enabled']) + end end end end diff --git a/test/integration/helpers/serverspec/xpack_spec.rb b/test/integration/helpers/serverspec/xpack_spec.rb deleted file mode 100644 index 77b0a0b..0000000 --- a/test/integration/helpers/serverspec/xpack_spec.rb +++ /dev/null 
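Review bot: The new `else` branch asserts nothing: `expect(feature_available = status['available'])` is an assignment with no matcher, and by then `status` has been reassigned to the string "available" or "unavailable", so `status['available']` is a substring lookup rather than the expected value from the `features` hash. The comparisons `feature_available == "true"` also assume the `_xpack` response carries strings, which should be checked, since JSON booleans would never match. The same matcher-less `expect(values['enabled'] = enabled)` is kept in the `if` branch. As written these examples pass whatever the node reports, so a feature that is unexpectedly on or off is not caught. The rewrite below compares the reported values with the `features` hash through a real matcher; the enclosing `shared_examples` block starts and ends outside the hunk.

```ruby
    if vars.key?('es_xpack_features')
      # … unchanged: per-feature loop over vars['es_xpack_features'] …
    else
      features.each do |feature, expected|
        reported = curl_json("#{es_api_url}/_xpack", username=username, password=password)['features'][feature]
        it "the xpack feature '#{feature}' reports the expected availability" do
          expect(reported['available'].to_s).to eq(expected['available'])
        end
        it "the xpack feature '#{feature}' reports the expected enabled state" do
          expect(reported['enabled'].to_s).to eq(expected['enabled'])
        end
      end
    end
```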
@@ -1,13 +0,0 @@ -require 'spec_helper' - -shared_examples 'xpack::init' do |vars| - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do - it { should contain "node.name: localhost-#{vars['es_instance_name']}" } - it { should contain 'cluster.name: elasticsearch' } - it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - it { should contain "path.data: /var/lib/elasticsearch/localhost-#{vars['es_instance_name']}" } - it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" } - it { should contain 'xpack.security.enabled: false' } - it { should contain 'xpack.watcher.enabled: false' } - end -end diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index d9784d1..96ec36e 100644 --- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb @@ -3,14 +3,6 @@ require 'json' vars = JSON.parse(File.read('/tmp/vars.json')) shared_examples 'xpack_upgrade::init' do |vars| - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do - it { should contain "node.name: localhost-#{vars['es_instance_name']}" } - it { should contain 'cluster.name: elasticsearch' } - it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - it { should contain "path.data: /var/lib/elasticsearch/localhost-#{vars['es_instance_name']}" } - it { should contain "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" } - end - #Test users file, users_roles and roles.yml describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/users_roles") do it { should be_owned_by 'elasticsearch' } 
@@ -39,7 +31,7 @@ shared_examples 'xpack_upgrade::init' do |vars| it { should contain 'security.authc.realms.file1.order: 0' } it { should contain 'security.authc.realms.file1.type: file' } it { should contain 'security.authc.realms.native1.order: 1' } - it { should contain 'security.authc.realms.native1.type: native' } + it { should contain 'security.authc.realms.native1.type: native' } end end diff --git a/test/integration/issue-test.yml b/test/integration/issue-test.yml index aa32534..5660ae6 100644 --- a/test/integration/issue-test.yml +++ b/test/integration/issue-test.yml @@ -13,7 +13,6 @@ es_instance_name: "security_node" es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}" es_config: - xpack.security.enabled: True xpack.security.authc.realms.file.file1.order: 1 xpack.security.authc.realms.native.native1.type: "native" es_heap_size: "1g" diff --git a/test/integration/oss-to-xpack-upgrade.yml b/test/integration/oss-to-xpack-upgrade.yml index 71e3798..96679a6 100644 --- a/test/integration/oss-to-xpack-upgrade.yml +++ b/test/integration/oss-to-xpack-upgrade.yml @@ -20,8 +20,8 @@ vars: es_instance_name: "node1" es_enable_xpack: true - es_api_basic_auth_username: elastic - es_api_basic_auth_password: changeme es_heap_size: "1g" es_xpack_features: - - security + - monitoring + - graph + - ml diff --git a/test/integration/xpack-upgrade.yml b/test/integration/xpack-upgrade.yml index 000fdb5..560a1ca 100644 --- a/test/integration/xpack-upgrade.yml +++ b/test/integration/xpack-upgrade.yml @@ -16,7 +16,6 @@ xpack.security.authc.realms.native1.type: native es_config_7x: http.port: 9200 - xpack.security.enabled: True xpack.security.authc.realms.file.file1.order: 0 xpack.security.authc.realms.native.native1.order: 1 es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" 
@@ -33,7 +32,6 @@ - alerting es_api_basic_auth_username: elastic es_api_basic_auth_password: changeme - es_message_auth_file: system_key es_role_mapping: power_user: - "cn=admins,dc=example,dc=com" @@ -131,7 +129,6 @@ xpack.security.authc.realms.native1.type: native es_config_7x: http.port: 9200 - xpack.security.enabled: True xpack.security.authc.realms.file.file1.order: 0 xpack.security.authc.realms.native.native1.order: 1 es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml index 5be3d03..d3c4c36 100644 --- a/test/integration/xpack.yml +++ b/test/integration/xpack.yml @@ -14,7 +14,3 @@ es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{{ es_version }}.zip" es_heap_size: 2g es_enable_xpack: true - es_xpack_features: - - monitoring - - graph - - ml diff --git a/test/integration/xpack/serverspec/default_spec.rb b/test/integration/xpack/serverspec/default_spec.rb index eaf7a10..496a28c 100644 --- a/test/integration/xpack/serverspec/default_spec.rb +++ b/test/integration/xpack/serverspec/default_spec.rb @@ -1,9 +1,7 @@ -require 'xpack_spec' require 'shared_spec' require 'json' vars = JSON.parse(File.read('/tmp/vars.json')) describe 'Xpack upgrade Tests' do include_examples 'shared::init', vars - include_examples 'xpack::init', vars end diff --git a/vars/main.yml b/vars/main.yml index 2c07de1..c4a0183 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -3,6 +3,4 @@ es_package_url: "https://artifacts.elastic.co/downloads/elasticsearch/elasticsea es_conf_dir: "/etc/elasticsearch" sysd_script: "/usr/lib/systemd/system/elasticsearch.service" init_script: "/etc/init.d/elasticsearch" -#add supported features here -supported_xpack_features: ["alerting","monitoring","graph","security"] reserved_xpack_users: ["elastic","kibana","logstash_system"] From 7f5be969e07173c5697432141e909b6ced5a2e94 Mon Sep 17 00:00:00 2001 
From: Julien Mailleret Date: Wed, 29 May 2019 17:51:02 +0200 Subject: [PATCH 32/71] skip java install on 7.x (java embeded in 7.x version) (#568) --- README.md | 2 +- defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 239dc9a..404f982 100644 --- a/README.md +++ b/README.md @@ -399,7 +399,7 @@ In addition to es_config, the following parameters allow the customization of th * ```es_action_auto_create_index ``` Sets the value for auto index creation, use the syntax below for specifying indexes (else true/false): es_action_auto_create_index: '[".watches", ".triggered_watches", ".watcher-history-*"]' * ```es_allow_downgrades``` For development purposes only. (true or false (default) ) -* ```es_java_install``` If set to false, Java will not be installed. (true (default) or false) +* ```es_java_install``` If set to true, Java will be installed. (false (default for 7.x) or true (default for 6.x)) * ```update_java``` Updates Java to the latest version. (true or false (default)) * ```es_max_map_count``` maximum number of VMA (Virtual Memory Areas) a process can own. Defaults to 262144. * ```es_max_open_files``` the maximum file descriptor number that can be opened by this process. Defaults to 65536. diff --git a/defaults/main.yml b/defaults/main.yml index 393acbd..2c5f858 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,7 +11,7 @@ es_apt_key: "{{ es_repo_base }}/GPG-KEY-elasticsearch" es_apt_url: "deb {{ es_repo_base }}/packages/{{ es_repo_name }}/apt stable main" es_apt_url_old: "deb http://packages.elastic.co/elasticsearch/{{ es_repo_name }}/debian stable main" es_start_service: true -es_java_install: true +es_java_install: "{{ false if (es_version is version_compare('7.0.0', '>=')) else true }}" update_java: false es_restart_on_change: true es_plugins_reinstall: false From 25bd09f6835b476b6a078676a7d614489a6739c5 Mon Sep 17 00:00:00 2001 
From: Julien Mailleret Date: Fri, 31 May 2019 08:50:00 +0200 Subject: [PATCH 33/71] Small fixes and improvements (#569) - add .ruby-version - update ansible min version - update ansible galaxy tags - fix doc and changelog --- .ruby-version | 1 + CHANGELOG.md | 16 ++++++++-------- README.md | 6 +++--- meta/main.yml | 10 ++++++---- 4 files changed, 18 insertions(+), 15 deletions(-) create mode 100644 .ruby-version diff --git a/.ruby-version b/.ruby-version new file mode 100644 index 0000000..276cbf9 --- /dev/null +++ b/.ruby-version @@ -0,0 +1 @@ +2.3.0 diff --git a/CHANGELOG.md b/CHANGELOG.md index df21779..744e522 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ * [#513](https://github.com/elastic/ansible-elasticsearch/pull/513) - @kakoni - Fix typo in elasticsearch-parameters.yml * [#522](https://github.com/elastic/ansible-elasticsearch/pull/522) - @SlothOfAnarchy - Fix package download URL -* [#526](https://github.com/elastic/ansible-elasticsearch/pull/527) - @Fra-nk - Allow not installing Elasticsearch deb repository key +* [#526](https://github.com/elastic/ansible-elasticsearch/pull/526) - @Fra-nk - Allow not installing Elasticsearch deb repository key * [#527](https://github.com/elastic/ansible-elasticsearch/pull/527) - @katsukamaru - Execute java version check in check mode ## 6.5.1.1 - 2018/11/27 
@@ -30,7 +30,7 @@ * [#487](https://github.com/elastic/ansible-elasticsearch/pull/487) - @lazouz - Disable check mode to make install plugins idempotent * [#501](https://github.com/elastic/ansible-elasticsearch/pull/501) - @kaxil - Make the order of configs consistent for comparing -* [#497](https://github.com/elastic/ansible-elasticsearch/pull/497) - @Crazybus - Document es_use_repository and es_custom_package_url +* [#497](https://github.com/elastic/ansible-elasticsearch/pull/497) - @Crazybus - Document es_use_repository and es_custom_package_url * [#504](https://github.com/elastic/ansible-elasticsearch/pull/504) - @victorgs - Using tests as filters is deprecated * [#493](https://github.com/elastic/ansible-elasticsearch/pull/493) - @Crazybus - Only use the first found java version if there are multiple installed @@ -72,7 +72,7 @@ When upgrading from module versions prior to 6.3, there are a number of upgrade * oss to oss * oss to xpack * xpack to xpack -* X-Pack configuration files which used to be in `${ES_PATH_CONF}/x-pack` are now in `${ES_PATH_CONF}/`. If you have any configuration files in this directory not managed by ansible you will need to move them manually. +* X-Pack configuration files which used to be in `${ES_PATH_CONF}/x-pack` are now in `${ES_PATH_CONF}/`. If you have any configuration files in this directory not managed by ansible you will need to move them manually. #### Features 
@@ -92,14 +92,14 @@ When upgrading from module versions prior to 6.3, there are a number of upgrade ## 6.2.4.1 - 2018/06/14 -Patch release requested by @average-joe in #453 +Patch release requested by @average-joe in #453 #### Pull requests -* [#445](https://github.com/elastic/ansible-elasticsearch/pull/445) - @gekkeharry13 - Added configuration options for configuring x-pack notifications via email with some other nice fixes. +* [#445](https://github.com/elastic/ansible-elasticsearch/pull/445) - @gekkeharry13 - Added configuration options for configuring x-pack notifications via email with some other nice fixes. * [#450](https://github.com/elastic/ansible-elasticsearch/pull/450) - @Crazybus - improving some flakey tests which were randomly failing. * [#447](https://github.com/elastic/ansible-elasticsearch/pull/447) - @chaintng - Fix to make sure sudo is used when running `update-alternatives` for java. -* [#423](https://github.com/elastic/ansible-elasticsearch/pull/423) - @eRadical - Fixing the until condition being used when installing rpms from a custom repository. +* [#423](https://github.com/elastic/ansible-elasticsearch/pull/423) - @eRadical - Fixing the until condition being used when installing rpms from a custom repository. ## 6.2.4 - 2018/04/24 
@@ -120,9 +120,9 @@ Patch release requested by @average-joe in #453 ## 6.1.3 - 2018/02/01 * `6.x` is now the default `es_major_version` with `6.1.3` as the default `es_version` -* Special thanks to @shribigb, @toddlers and @remil1000 for their efforts in getting `6.x` support working! +* Special thanks to @shribigb, @toddlers and @remil1000 for their efforts in getting `6.x` support working! * `.kitchen.yml` has been updated to allow testing both `6.x` and `5.x` versions -* A new [Jenkins job](https://devops-ci.elastic.co/job/elastic+ansible-elasticsearch+pull-request/) has been added for pull requests to automatically test all combinations of `6.x` and `5.x` on ubuntu-1404, ubuntu-1604, debian-8 and centos-7 with the various test suites. +* A new [Jenkins job](https://devops-ci.elastic.co/job/elastic+ansible-elasticsearch+pull-request/) has been added for pull requests to automatically test all combinations of `6.x` and `5.x` on ubuntu-1404, ubuntu-1604, debian-8 and centos-7 with the various test suites. ## 5.5.1 - 2017/08/20 diff --git a/README.md b/README.md index 404f982..ba26cf6 100644 --- a/README.md +++ b/README.md @@ -13,9 +13,9 @@ Ansible role for 7.x/6.x Elasticsearch. Currently this works on Debian and RedH * Debian 9 * CentOS 7 -The latest Elasticsearch versions of 7.x & 6.x are actively tested. **Only Ansible versions > 2.4.3.0 are supported, as this is currently the only version tested.** +The latest Elasticsearch versions of 7.x & 6.x are actively tested. -##### Dependency +## Dependency This role uses the json_query filter which [requires jmespath](https://github.com/ansible/ansible/issues/24319) on the local machine. ## Usage 
@@ -23,7 +23,7 @@ This role uses the json_query filter which [requires jmespath](https://github.co Create your Ansible playbook with your own tasks, and include the role elasticsearch. You will have to have this repository accessible within the context of playbook. ```sh -ansible-galaxy install elastic.elasticsearch,7.0.1 +ansible-galaxy install git+https://github.com/elastic/ansible-elasticsearch.git,7f5be969e07173c5697432141e909b6ced5a2e94 ``` Then create your playbook yaml adding the role elasticsearch. By default, the user is only required to specify a unique es_instance_name per role application. This should be unique per node. diff --git a/meta/main.yml b/meta/main.yml index aeecec7..3ca10f6 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -7,7 +7,7 @@ galaxy_info: description: Elasticsearch for Linux company: "Elastic.co" license: "license (Apache)" - min_ansible_version: 2.3.2 + min_ansible_version: 2.4.2 platforms: - name: EL versions: @@ -19,7 +19,9 @@ galaxy_info: - name: Ubuntu versions: - all - categories: - - system - + - galaxy_tags: + - elastic + - elasticsearch + - elk + - logging dependencies: [] From 2cb020a4c227710d29d0fb71004ccf203e608dec Mon Sep 17 00:00:00 2001 
From: Julien Mailleret Date: Mon, 3 Jun 2019 14:18:09 +0200 Subject: [PATCH 34/71] Remove multi instances support (#566) * remove multi instances support The goal is to stop supporting installation of more than one node in the same host. This commit update the Ansible role README documentation and remove the multi instances kitchen test. * remove systemd and init.d templates As we no more need to support more than one node on the same host, we no more need to override init files provided by elasticsearch official packages. * remove file script feature File scripts have been removed since elasticsearch 6.0 (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_scripting_changes.html#_file_scripts_removed) * remove custom user and custom group ES_USER and ES_GROUP settings are no longer supported (https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_packaging_changes.html#_configuring_custom_user_and_group_for_package_is_no_longer_allowed) * add upgrade procedure * use same task for license activation with and without authentication --- .kitchen.yml | 20 +- README.md | 126 ++++++---- defaults/main.yml | 10 +- handlers/main.yml | 2 +- tasks/elasticsearch-Debian.yml | 2 +- tasks/elasticsearch-config.yml | 117 +-------- tasks/elasticsearch-parameters.yml | 37 --- tasks/elasticsearch-plugins.yml | 18 +- tasks/main.yml | 2 +- tasks/xpack/elasticsearch-xpack-install.yml | 24 +- tasks/xpack/elasticsearch-xpack.yml | 2 +- .../security/elasticsearch-security-file.yml | 28 +-- .../xpack/security/elasticsearch-security.yml | 14 +- .../elasticsearch-xpack-activation.yml | 22 +- templates/elasticsearch.j2 | 22 +- templates/elasticsearch.yml.j2 | 8 +- templates/init/debian/elasticsearch.j2 | 229 ------------------ templates/init/redhat/elasticsearch.j2 | 217 ----------------- templates/systemd/elasticsearch.j2 | 78 ------ .../helpers/serverspec/multi_spec.rb | 122 ---------- .../helpers/serverspec/oss_spec.rb | 4 +- 
.../helpers/serverspec/shared_spec.rb | 23 +- .../helpers/serverspec/xpack_upgrade_spec.rb | 8 +- test/integration/issue-test.yml | 2 - test/integration/multi.yml | 63 ----- test/integration/multi/multi.yml | 2 - .../multi/serverspec/default_spec.rb | 9 - test/integration/oss-to-xpack-upgrade.yml | 2 - test/integration/oss-upgrade.yml | 2 - test/integration/oss.yml | 1 - test/integration/xpack-upgrade.yml | 6 - test/integration/xpack.yml | 3 - test/matrix.yml | 1 - vars/main.yml | 3 - 34 files changed, 176 insertions(+), 1053 deletions(-) delete mode 100755 templates/init/debian/elasticsearch.j2 delete mode 100755 templates/init/redhat/elasticsearch.j2 delete mode 100644 templates/systemd/elasticsearch.j2 delete mode 100644 test/integration/helpers/serverspec/multi_spec.rb delete mode 100644 test/integration/multi.yml delete mode 100644 test/integration/multi/multi.yml delete mode 100644 test/integration/multi/serverspec/default_spec.rb diff --git a/.kitchen.yml b/.kitchen.yml index 1bf6f48..2ebe577 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -36,7 +36,7 @@ platforms: - apt-get update -q && apt-get -y -q install ansible openjdk-8-jre python-jmespath - locale-gen en_US.UTF-8 && localedef -i en_US -c -f UTF-8 en_US.UTF-8 use_sudo: false - volume: + volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json - /etc # This fixes certain java file actions that check the mount point. Without this adding users fails for some docker storage drivers - name: ubuntu-16.04 
@@ -45,10 +45,10 @@ platforms: privileged: true provision_command: - apt-get update -q && apt-get install -y -q iproute locales software-properties-common && add-apt-repository -y ppa:ansible/ansible - - apt-get update -q && apt-get install -y -q ansible python-jmespath + - apt-get update -q && apt-get install -y -q ansible python-jmespath - locale-gen en_US.UTF-8 && localedef -i en_US -c -f UTF-8 en_US.UTF-8 use_sudo: false - volume: + volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json - /etc # This fixes certain java file actions that check the mount point. Without this adding users fails for some docker storage drivers run_command: "/sbin/init" @@ -57,9 +57,9 @@ platforms: image: ubuntu:18.04 privileged: true provision_command: - - apt-get install -y -q ansible iproute2 python-jmespath + - apt-get install -y -q ansible iproute2 python-jmespath use_sudo: false - volume: + volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json - /etc # This fixes certain java file actions that check the mount point. Without this adding users fails for some docker storage drivers run_command: "/sbin/init" @@ -75,7 +75,7 @@ platforms: - echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" > /etc/apt/sources.list.d/ansible.list - apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367 - apt-get update -q && apt-get install -y -q ansible - volume: + volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json - /etc # This fixes certain java file actions that check the mount point. Without this adding users fails for some docker storage drivers use_sudo: false 
@@ -89,7 +89,7 @@ platforms: - echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu trusty main" > /etc/apt/sources.list.d/ansible.list - apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367 - apt-get update -q && apt-get install -y -q ansible - volume: + volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json - /etc # This fixes certain java file actions that check the mount point. Without this adding users fails for some docker storage drivers use_sudo: false @@ -100,7 +100,7 @@ platforms: provision_command: - yum -y install epel-release - yum -y install ansible iproute python2-jmespath - volume: + volume: - <%=ENV['ES_XPACK_LICENSE_FILE']%>:/tmp/license.json - /etc # This fixes certain java file actions that check the mount point. Without this adding users fails for some docker storage drivers run_command: "/usr/sbin/init" @@ -128,10 +128,6 @@ suites: provisioner: playbook: test/integration/xpack-upgrade.yml idempotency_test: false - - name: multi - provisioner: - playbook: test/integration/multi.yml - idempotency_test: true - name: issue-test provisioner: playbook: test/integration/issue-test.yml diff --git a/README.md b/README.md index ba26cf6..6bdcbb1 100644 --- a/README.md +++ b/README.md 
@@ -15,6 +15,81 @@ Ansible role for 7.x/6.x Elasticsearch. Currently this works on Debian and RedH The latest Elasticsearch versions of 7.x & 6.x are actively tested. +**BREAKING CHANGES** + +### Notice about multi-instance support + +Starting with ansible-elasticsearch:7.0.0, installing more than one instance of Elasticsearch **on the same host** is no more supported. + +See [554#issuecomment-496804929](https://github.com/elastic/ansible-elasticsearch/issues/554#issuecomment-496804929) for more details about why we remove it. + +If you install more than one instance of ElasticSearch on the same host (with different ports, directory and config files), **do not update to ansible-elasticsearch >= 7.0.0**. + +You are still be able to install Elasticsearch 6.x and 7.x in multi-instance mode by using ansible-elasticsearch commit [25bd09f](https://github.com/elastic/ansible-elasticsearch/commit/25bd09f6835b476b6a078676a7d614489a6739c5) (last commit before multi-instance removal) and overriding `es_version` variable: + +```sh +$ cat << EOF >> requirements.yml # require git +- src: https://github.com/elastic/ansible-elasticsearch + version: 25bd09f + name: elasticsearch +EOF +$ ansible-galaxy install -r requirements.yml +$ cat << EOF >> playbook.yml +- hosts: localhost + roles: + - role: elasticsearch + vars: + es_instance_name: "node1" + es_version: 7.0.1 # or 6.7.2 for example +EOF +$ ansible-playbook playbook.yml +``` + +However for multi-instances use cases, we are now recommending using Docker containers using our official images (https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html). + +#### Upgrade procedure + +If you have single-instances hosts and want to upgrade from previous versions of the role: + +1. 
Override these variables to match previous values: +```yaml + +es_conf_dir: /etc/elasticsearch/{{ instance_name }} +es_data_dirs: + - /var/lib/elasticsearch/{{ node_name }}-{{ instance_name }} +es_log_dir: /var/log/elasticsearch/{{ node_name }}-{{ instance_name }} +es_pid_dir: /var/run/elasticsearch/{{ node_name }}-{{ instance_name }} +``` + +2. Deploy ansible-role. **Even if these variables are overrided, Elasticsearch config file and default option file will change, which imply an Elasticsearch restart.** + +3. After ansible-role new deployment, you can do some cleanup of old Init file and Default file. + +Example: +```bash +$ ansible-playbook -e '{"es_conf_dir":"/etc/elasticsearch/node1","es_data_dirs":["/var/lib/elasticsearch/localhost-node1"],"es_log_dir":"/var/log/elasticsearch/localhost-node1","es_pid_dir":"/var/run/elasticsearch/localhost-node1"}' playbook.yml +... +TASK [elasticsearch : Create Directories] ********************************************************************************************************************************************************************************************************************** +ok: [localhost] => (item=/var/run/elasticsearch/localhost-node1) +ok: [localhost] => (item=/var/log/elasticsearch/localhost-node1) +ok: [localhost] => (item=/etc/elasticsearch/node1) +ok: [localhost] => (item=/var/lib/elasticsearch/localhost-node1) + +TASK [elasticsearch : Copy Configuration File] ***************************************************************************************************************************************************************************************************************** +changed: [localhost] + +TASK [elasticsearch : Copy Default File] *********************************************************************************************************************************************************************************************************************** +changed: [localhost] +... 
+PLAY RECAP ***************************************************************************************************************************************************************************************************************************************************** +localhost : ok=32 changed=3 unreachable=0 failed=0 + +$ find /etc -name 'node1_elasticsearch*' +/etc/default/node1_elasticsearch +/etc/systemd/system/multi-user.target.wants/node1_elasticsearch.service +$ rm /etc/default/node1_elasticsearch /etc/systemd/system/multi-user.target.wants/node1_elasticsearch.service +``` + ## Dependency This role uses the json_query filter which [requires jmespath](https://github.com/ansible/ansible/issues/24319) on the local machine. @@ -26,7 +101,7 @@ Create your Ansible playbook with your own tasks, and include the role elasticse ansible-galaxy install git+https://github.com/elastic/ansible-elasticsearch.git,7f5be969e07173c5697432141e909b6ced5a2e94 ``` -Then create your playbook yaml adding the role elasticsearch. By default, the user is only required to specify a unique es_instance_name per role application. This should be unique per node. +Then create your playbook yaml adding the role elasticsearch. The application of the elasticsearch role results in the installation of a node on a host. The simplest configuration therefore consists of: @@ -36,8 +111,6 @@ The simplest configuration therefore consists of: hosts: localhost roles: - role: elastic.elasticsearch - vars: - es_instance_name: "node1" ``` The above installs a single node 'node1' on the hosts 'localhost'. @@ -118,7 +191,6 @@ The following illustrates applying configuration parameters to an Elasticsearch roles: - role: elastic.elasticsearch vars: - es_instance_name: "node1" es_data_dirs: - "/opt/elasticsearch/data" es_log_dir: "/opt/elasticsearch/logs" 
@@ -131,8 +203,6 @@ The following illustrates applying configuration parameters to an Elasticsearch node.data: false node.master: true bootstrap.memory_lock: true - es_templates: false - es_version_lock: false es_heap_size: 1g es_api_port: 9201 ``` @@ -157,7 +227,6 @@ A more complex example: roles: - role: elastic.elasticsearch vars: - es_instance_name: "node1" es_data_dirs: - "/opt/elasticsearch/data" es_log_dir: "/opt/elasticsearch/logs" @@ -170,11 +239,8 @@ A more complex example: node.data: false node.master: true bootstrap.memory_lock: true - es_templates: false - es_version_lock: false es_heap_size: 1g es_start_service: false - es_plugins_reinstall: false es_api_port: 9201 es_plugins: - plugin: ingest-attachment 
@@ -191,71 +257,53 @@ If the node is deployed to bind on either a different host or port, these must b The application of the elasticsearch role results in the installation of a node on a host. Specifying the role multiple times for a host therefore results in the installation of multiple nodes for the host. -An example of a two server deployment is shown below. The first server holds the master and is thus declared first. Whilst not mandatory, this is recommended in any multi node cluster configuration. The second server hosts two data nodes. +An example of a three server deployment is shown below. The first server holds the master and is thus declared first. Whilst not mandatory, this is recommended in any multi node cluster configuration. The two others servers hosts data nodes. -**Note the structure of the below playbook for the data nodes. Whilst a more succinct structures are possible which allow the same role to be applied to a host multiple times, we have found the below structure to be the most reliable with respect to var behaviour. 
This is the tested approach.** +**Note that we do not support anymore installation of more than one node in the same host** ```yaml -- hosts: master_nodes +- hosts: master_node roles: - role: elastic.elasticsearch vars: - es_instance_name: "node1" es_heap_size: "1g" es_config: cluster.name: "test-cluster" discovery.seed_hosts: "elastic02:9300" http.port: 9200 - transport.port: 9300 node.data: false node.master: true bootstrap.memory_lock: false - es_templates: false - es_version_lock: false - ansible_user: ansible es_plugins: - plugin: ingest-attachment -- hosts: data_nodes +- hosts: data_node_1 roles: - role: elastic.elasticsearch vars: - es_instance_name: "node1" es_data_dirs: - "/opt/elasticsearch" es_config: cluster.name: "test-cluster" discovery.seed_hosts: "elastic02:9300" http.port: 9200 - transport.port: 9300 node.data: true node.master: false bootstrap.memory_lock: false - es_templates: false - es_version_lock: false - ansible_user: ansible - es_api_port: 9200 es_plugins: - plugin: ingest-attachment -- hosts: data_nodes +- hosts: data_node_2 roles: - role: elastic.elasticsearch vars: - es_instance_name: "node2" - es_api_port: 9201 es_config: + cluster.name: "test-cluster" discovery.seed_hosts: "elastic02:9300" - http.port: 9201 - transport.port: 9301 + http.port: 9200 node.data: true node.master: false bootstrap.memory_lock: false - cluster.name: "test-cluster" - es_templates: false - es_version_lock: false - es_api_port: 9201 - ansible_user: ansible es_plugins: - plugin: ingest-attachment ``` 
@@ -432,12 +480,6 @@ To configure X-pack to send mail, the following configuration can be added to th Both ```es_user_id``` and ```es_group_id``` must be set for the user and group ids to be set. -By default, each node on a host will be installed to use unique pid, plugin, work, data and log directories. These directories are created, using the instance and host name, beneath default locations ] -controlled by the following parameters: - -* ```es_pid_dir``` - defaults to "/var/run/elasticsearch". -* ```es_data_dirs``` - defaults to "/var/lib/elasticsearch". This can be a list or comma separated string e.g. ["/opt/elasticsearch/data-1","/opt/elasticsearch/data-2"] or "/opt/elasticsearch/data-1,/opt/elasticsearch/data-2" -* ```es_log_dir``` - defaults to "/var/log/elasticsearch". * ```es_restart_on_change``` - defaults to true. If false, changes will not result in Elasticsearch being restarted. * ```es_plugins_reinstall``` - defaults to false. If true, all currently installed plugins will be removed from a node. Listed plugins will then be re-installed. 
@@ -465,10 +507,8 @@ To define proxy only for a particular plugin during its installation: * The role assumes the user/group exists on the server. The elasticsearch packages create the default elasticsearch user. If this needs to be changed, ensure the user exists. * The playbook relies on the inventory_name of each host to ensure its directories are unique -* Changing an instance_name for a role application will result in the installation of a new component. The previous component will remain. * KitchenCI has been used for testing. This is used to confirm images reach the correct state after a play is first applied. We currently test the latest version of 7.x and 6.x on all supported platforms. * The role aims to be idempotent. Running the role multiple times, with no changes, should result in no state change on the server. If the configuration is changed, these will be applied and Elasticsearch restarted where required. -* Systemd is used for Ubuntu versions >= 15, Debian >=8, Centos >=7. All other versions use init for service scripts. * In order to run x-pack tests a license file with security enabled is required. A trial license is appropriate. Set the environment variable `ES_XPACK_LICENSE_FILE` to the full path of the license file prior to running tests. ## IMPORTANT NOTES RE PLUGIN MANAGEMENT diff --git a/defaults/main.yml b/defaults/main.yml index 2c5f858..9b93e40 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -21,8 +21,10 @@ es_group: elasticsearch es_config: {} es_config_log4j2: log4j2.properties.j2 #Need to provide default directories +es_conf_dir: "/etc/elasticsearch" es_pid_dir: "/var/run/elasticsearch" -es_data_dirs: "/var/lib/elasticsearch" +es_data_dirs: + - "/var/lib/elasticsearch" es_log_dir: "/var/log/elasticsearch" es_action_auto_create_index: true es_max_open_files: 65536 
@@ -36,11 +38,5 @@ es_api_host: "localhost" es_api_port: 9200 es_debian_startup_timeout: 10 -# Since ansible 2.2 the following variables need to be defined -# to allow the role to be conditionally played with a when condition. -pid_dir: '' -log_dir: '' -conf_dir: '' -data_dirs: '' # JVM custom parameters es_jvm_custom_parameters: '' diff --git a/handlers/main.yml b/handlers/main.yml index d71397a..200fd67 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -7,7 +7,7 @@ - name: restart elasticsearch become: yes - service: name={{instance_init_script | basename}} state=restarted enabled=yes + service: name=elasticsearch state=restarted enabled=yes when: - es_restart_on_change - es_start_service diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 037ea23..3b696c7 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -19,7 +19,7 @@ - name: stop elasticsearch service: - name: '{{ instance_init_script | basename }}' + name: 'elasticsearch' state: stopped when: elasticsearch_package.stdout == 'install ok installed' diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml index b6cd067..3d4f304 100644 --- a/tasks/elasticsearch-config.yml +++ b/tasks/elasticsearch-config.yml 
@@ -6,124 +6,31 @@ become: yes file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} with_items: - - "{{pid_dir}}" - - "{{log_dir}}" - - "{{conf_dir}}" - -- name: Create Data Directories - become: yes - file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} - with_items: - - "{{data_dirs}}" + - "{{ es_pid_dir }}" + - "{{ es_log_dir }}" + - "{{ es_conf_dir }}" + - "{{ es_data_dirs }}" #Copy the config template - name: Copy Configuration File become: yes - template: src=elasticsearch.yml.j2 dest={{conf_dir}}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes register: system_change notify: restart elasticsearch -#Copy the instance specific default file -- name: Copy Default File for Instance +#Copy the default file +- name: Copy Default File become: yes - template: src=elasticsearch.j2 dest={{instance_default_file}} mode=0644 force=yes + template: src=elasticsearch.j2 dest={{ default_file }} mode=0644 force=yes notify: restart elasticsearch -#Copy the instance specific init file -- name: Copy Debian Init File for Instance - become: yes - template: src=init/debian/elasticsearch.j2 dest={{instance_init_script}} mode=0755 force=yes - when: ansible_os_family == 'Debian' and not use_system_d - notify: restart elasticsearch - -#Copy the instance specific init file -- name: Copy Redhat Init File for Instance - become: yes - template: src=init/redhat/elasticsearch.j2 dest={{instance_init_script}} mode=0755 force=yes - when: ansible_os_family == 'RedHat' and not use_system_d - notify: restart elasticsearch - -#Copy the systemd specific file if systemd is installed -- name: Copy Systemd File for Instance - become: yes - template: src=systemd/elasticsearch.j2 dest={{instance_sysd_script}} mode=0644 force=yes - when: use_system_d - notify: - - reload systemd 
configuration - - restart elasticsearch - #Copy the logging.yml -- name: Copy log4j2.properties File for Instance +- name: Copy log4j2.properties File become: yes - template: src={{es_config_log4j2}} dest={{conf_dir}}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src={{es_config_log4j2}} dest={{ es_conf_dir }}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes notify: restart elasticsearch -- name: Copy jvm.options File for Instance +- name: Copy jvm.options File become: yes - template: src=jvm.options.j2 dest={{conf_dir}}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes notify: restart elasticsearch - -#Clean up un-wanted package scripts to avoid confusion - -- name: Delete Default Init - become: yes - file: dest=/etc/init.d/elasticsearch state=absent - -- name: Create empty default environment file - become: yes - changed_when: False - copy: - dest: /etc/default/elasticsearch - content: '' - when: ansible_os_family == 'Debian' - -- name: Create empty default environment file - become: yes - changed_when: False - copy: - dest: /etc/sysconfig/elasticsearch - content: '' - when: ansible_os_family == 'RedHat' - -- name: Symlink default systemd service to first instance of elasticsearch - when: use_system_d - block: - - name: Check if default systemd file exists - stat: - path: "{{ sysd_script }}" - register: sysd_stat_result - check_mode: no - - - name: Remove if it is a normal file - become: yes - file: - path: "{{ sysd_script }}" - state: absent - when: sysd_stat_result.stat.exists and not sysd_stat_result.stat.islnk - - - name: Create a symbolic link to the default systemd location to the first instance running on this host - become: yes - file: - state: link - src: "{{ instance_sysd_script }}" - path: "{{ sysd_script }}" - when: 
sysd_stat_result.stat.exists and not sysd_stat_result.stat.islnk - notify: - - reload systemd configuration - - restart elasticsearch - -- name: Delete Default Configuration File - become: yes - file: dest=/etc/elasticsearch/elasticsearch.yml state=absent - -- name: Delete Default Logging File - become: yes - file: dest=/etc/elasticsearch/logging.yml state=absent - -- name: Delete Default Logging File - become: yes - file: dest=/etc/elasticsearch/log4j2.properties state=absent - -- name: Delete Default JVM Options File - become: yes - file: dest=/etc/elasticsearch/jvm.options state=absent diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index 1d432c8..08af2bc 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml @@ -1,9 +1,5 @@ # Check for mandatory parameters -- name: fail when es_instance is not defined - fail: msg="es_instance_name must be specified and cannot be blank" - when: es_instance_name is not defined or es_instance_name == '' - - name: fail when es_proxy_port is not defined or is blank fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined" when: (es_proxy_port is not defined or es_proxy_port == '') and (es_proxy_host is defined and es_proxy_host != '') 
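Review bot: The `Copy Configuration File` task in tasks/elasticsearch-config.yml now writes `{{ es_conf_dir }}/elasticsearch.yml` with `owner={{ es_user }}` and `mode=0644`, and with the new `es_conf_dir` default that path is `/etc/elasticsearch/elasticsearch.yml`. If `es_config` is what gets rendered into that file, any setting holding a credential is readable by every local account; `owner=root group={{ es_group }} mode=0660` on this template removes the world-read bit. The directory task at the top of the hunk (its `name:` line is outside the hunk) now also covers `es_conf_dir` and `es_data_dirs` but sets no `mode`, so their permissions depend on what already exists or on the umask; an explicit `mode` would make this deterministic. Moving these `key=value` argument strings to native YAML module arguments would also keep a templated path containing a space from being split.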
@@ -34,38 +30,5 @@ msg: "ERROR: INVALID CONFIG - YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING CANNOT BE CHANGED: {{file_reserved_users}}. USE THE NATIVE REALM." when: file_reserved_users | default([]) | length > 0 -- name: set fact instance_default_file - set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}} -- name: set fact instance_init_script - set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}} -- name: set fact conf_dir - set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}} - name: set fact m_lock_enabled set_fact: m_lock_enabled={{ es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True }} - -#TODO - if transport.host is not local maybe error on boostrap checks - - -#Use systemd for the following distributions: -#Ubuntu 15 and up -#Debian 8 and up -#Centos 7 and up -#Relies on elasticsearch distribution installing a serviced script to determine whether one should be copied. - -- name: set fact use_system_d - set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version is version_compare('8', '>=')) or (ansible_distribution in ['RedHat','CentOS'] and ansible_distribution_version is version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('15', '>=')) }} - -- name: set fact instance_sysd_script - set_fact: instance_sysd_script={{sysd_script | dirname }}/{{es_instance_name}}_{{sysd_script | basename}} - when: use_system_d -#For directories we also use the {{inventory_hostname}}-{{ es_instance_name }} - this helps if we have a shared SAN. 
- -- name: set fact instance_suffix - set_fact: - instance_suffix: "{{ es_instance_suffix | default([inventory_hostname, es_instance_name] | join('-')) }}" -- name: set fact pid_dir - set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}} -- name: set fact log_dir - set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}} -- name: set fact data_dirs - set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }} diff --git a/tasks/elasticsearch-plugins.yml b/tasks/elasticsearch-plugins.yml index 5aafade..b0a300d 100644 --- a/tasks/elasticsearch-plugins.yml +++ b/tasks/elasticsearch-plugins.yml @@ -27,9 +27,9 @@ changed_when: False ignore_errors: yes environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" - ES_INCLUDE: "{{ instance_default_file }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" + ES_INCLUDE: "{{ default_file }}" check_mode: no #if es_plugins_reinstall is set to true we remove ALL plugins @@ -60,9 +60,9 @@ notify: restart elasticsearch register: plugin_removed environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" - ES_INCLUDE: "{{ instance_default_file }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" + ES_INCLUDE: "{{ default_file }}" - name: Install elasticsearch plugins become: yes 
@@ -73,9 +73,9 @@ when: item.plugin in plugins_to_install notify: restart elasticsearch environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" - ES_INCLUDE: "{{ instance_default_file }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" + ES_INCLUDE: "{{ default_file }}" ES_JAVA_OPTS: "{% if item.proxy_host is defined and item.proxy_host != '' and item.proxy_port is defined and item.proxy_port != ''%} -Dhttp.proxyHost={{ item.proxy_host }} -Dhttp.proxyPort={{ item.proxy_port }} -Dhttps.proxyHost={{ item.proxy_host }} -Dhttps.proxyPort={{ item.proxy_port }} {% elif es_proxy_host is defined and es_proxy_host != '' %} -Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }} {% endif %}" until: plugin_installed.rc == 0 retries: 5 diff --git a/tasks/main.yml b/tasks/main.yml index 6a622bb..c41ab6e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -56,7 +56,7 @@ - name: Make sure elasticsearch is started become: yes - service: name={{instance_init_script | basename}} state=started enabled=yes + service: name=elasticsearch state=started enabled=yes when: es_start_service - name: Wait for elasticsearch to startup diff --git a/tasks/xpack/elasticsearch-xpack-install.yml b/tasks/xpack/elasticsearch-xpack-install.yml index 522f816..421a475 100644 --- a/tasks/xpack/elasticsearch-xpack-install.yml +++ b/tasks/xpack/elasticsearch-xpack-install.yml @@ -10,9 +10,9 @@ check_mode: no ignore_errors: yes environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" - ES_INCLUDE: "{{ instance_default_file }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" + ES_INCLUDE: "{{ default_file }}" #Remove X-Pack if installed and its not been requested or the ES version has changed 
@@ -25,9 +25,9 @@ when: x_pack_installed.rc == 0 and (not es_enable_xpack or es_version_changed) notify: restart elasticsearch environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" - ES_INCLUDE: "{{ instance_default_file }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" + ES_INCLUDE: "{{ default_file }}" #Install plugin if not installed, or the es version has changed (so removed above), and its been requested @@ -44,9 +44,9 @@ when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined) notify: restart elasticsearch environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" - ES_INCLUDE: "{{ instance_default_file }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" + ES_INCLUDE: "{{ default_file }}" - name: Delete x-pack zip file file: dest=/tmp/x-pack-{{ es_version }}.zip state=absent @@ -62,7 +62,7 @@ when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is not defined) notify: restart elasticsearch environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" - ES_INCLUDE: "{{ instance_default_file }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" + ES_INCLUDE: "{{ default_file }}" ES_JAVA_OPTS: "{% if es_proxy_host is defined and es_proxy_host != '' %}-Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }}{% endif %}" diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index 607343b..3347bd4 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml 
@@ -20,5 +20,5 @@ #Make sure elasticsearch.keystore has correct Permissions - name: Set elasticsearch.keystore Permissions become: yes - file: state=file path={{ conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }} + file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }} when: es_enable_xpack diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 0debff1..fe14bab 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -4,7 +4,7 @@ - name: Check if old users file exists stat: - path: '{{ conf_dir }}/x-pack/users' + path: '{{ es_conf_dir }}/x-pack/users' register: old_users_file check_mode: no @@ -12,14 +12,14 @@ copy: remote_src: yes force: no # only copy it if the new path doesn't exist yet - src: "{{ conf_dir }}/x-pack/users" - dest: "{{ conf_dir }}{{ es_xpack_conf_subdir }}/users" + src: "{{ es_conf_dir }}/x-pack/users" + dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users" when: old_users_file.stat.exists - name: Create the users file if it doesn't exist copy: content: "" - dest: "{{ conf_dir }}{{ es_xpack_conf_subdir }}/users" + dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users" force: no # this ensures it only creates it if it does not exist group: "{{ es_group }}" owner: "{{ es_user }}" @@ -28,7 +28,7 @@ #List current users - name: List Users become: yes - shell: cat {{conf_dir}}{{es_xpack_conf_subdir}}/users | awk -F':' '{print $1}' + shell: cat {{ es_conf_dir }}{{es_xpack_conf_subdir}}/users | awk -F':' '{print $1}' register: current_file_users when: manage_file_users changed_when: False 
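Review bot: The "Set elasticsearch.keystore Permissions" task in the `@@ -20,5` hunk sets only `owner` and `group`, so the mode of the keystore stays whatever the creating tool and umask produced. The keystore holds secure settings such as the bootstrap password, so pinning the mode makes the task match its name and keeps the result deterministic: `file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }} mode=0660`. The right value depends on which account runs Elasticsearch here; 0660 is a suggestion to confirm against the packaged default.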
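Review bot: In the "List Users" task (`@@ -28,7` hunk) the users-file path is interpolated unquoted into a `shell:` line that runs with `become`. A space or shell metacharacter in `es_conf_dir` or `es_xpack_conf_subdir` would therefore be split or interpreted by the shell instead of being treated as a path. Now that the path comes directly from the user-facing `es_conf_dir`, quoting it is cheap and also removes the extra `cat`: `shell: awk -F':' '{print $1}' {{ (es_conf_dir ~ es_xpack_conf_subdir ~ '/users') | quote }}`. The task may continue past the end of this hunk.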
@@ -46,8 +46,8 @@ with_items: "{{users_to_remove | default([])}}" when: manage_file_users environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" ES_HOME: "{{es_home}}" - name: set fact users_to_add @@ -63,8 +63,8 @@ when: manage_file_users no_log: True environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" ES_HOME: "{{es_home}}" #Set passwords for all users declared - Required as the useradd will not change existing user passwords @@ -78,8 +78,8 @@ changed_when: False no_log: True environment: - CONF_DIR: "{{ conf_dir }}" - ES_PATH_CONF: "{{ conf_dir }}" + CONF_DIR: "{{ es_conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" ES_HOME: "{{es_home}}" - name: set fact users_roles 
@@ -89,16 +89,16 @@ #Copy Roles files - name: Copy roles.yml File for Instance become: yes - template: src=security/roles.yml.j2 dest={{conf_dir}}{{es_xpack_conf_subdir}}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/roles.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_roles is defined and es_roles.file is defined #Overwrite users_roles file - name: Copy User Roles become: yes - template: src=security/users_roles.j2 dest={{conf_dir}}{{es_xpack_conf_subdir}}/users_roles mode=0644 force=yes + template: src=security/users_roles.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/users_roles mode=0644 force=yes when: manage_file_users and users_roles | length > 0 #Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions. - name: Set Security Directory Permissions Recursive become: yes - file: state=directory path={{conf_dir}}{{es_xpack_conf_subdir}}/ owner={{ es_user }} group={{ es_group }} recurse=yes + file: state=directory path={{ es_conf_dir }}{{es_xpack_conf_subdir}}/ owner={{ es_user }} group={{ es_group }} recurse=yes diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 32e1b97..2c18019 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml 
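Review bot: "Copy User Roles" renders `users_roles` with `mode=0644` and no `owner`/`group`, so under `become` the file is presumably root-owned and world-readable until the later recursive `file` task fixes only its ownership. `roles.yml` on the line above has the same 0644 mode. Unless other local accounts are meant to read the realm files, setting ownership and a tighter mode on the task itself avoids relying on task order: `template: src=security/users_roles.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/users_roles owner={{ es_user }} group={{ es_group }} mode=0640 force=yes`.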
@@ -5,7 +5,7 @@ #Ensure x-pack conf directory is created if necessary - name: Ensure x-pack conf directory exists (file) - file: path={{ conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }} + file: path={{ es_conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }} changed_when: False when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined) @@ -18,9 +18,9 @@ command: > {{es_home}}/bin/elasticsearch-keystore create args: - creates: "{{ conf_dir }}/elasticsearch.keystore" + creates: "{{ es_conf_dir }}/elasticsearch.keystore" environment: - ES_PATH_CONF: "{{ conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" - name: Check if bootstrap password is set become: yes @@ -29,7 +29,7 @@ register: list_keystore changed_when: False environment: - ES_PATH_CONF: "{{ conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" check_mode: no - name: Create Bootstrap password for elastic user @@ -38,7 +38,7 @@ when: - es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines environment: - ES_PATH_CONF: "{{ conf_dir }}" + ES_PATH_CONF: "{{ es_conf_dir }}" no_log: true ### END BLOCK elasticsearch keystore ### @@ -52,7 +52,7 @@ #Copy Roles files - name: Copy role_mapping.yml File for Instance become: yes - template: src=security/role_mapping.yml.j2 dest={{conf_dir}}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_role_mapping is defined #------------------------------------------------------------------------------------ 
@@ -60,5 +60,5 @@ #Ensure security conf directory is created - name: Ensure security conf directory exists become: yes - file: path={{ conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }} + file: path={{ es_conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }} changed_when: False diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml index 2bce5bb..996d86a 100644 --- a/tasks/xpack/security/elasticsearch-xpack-activation.yml +++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml @@ -1,33 +1,15 @@ --- - -- name: Activate ES license (without security authentication) - uri: - method: PUT - url: "http://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true" - body_format: json - body: "{{ es_xpack_license }}" - return_content: yes - register: license_activated - no_log: True - when: es_api_basic_auth_username is not defined or es_api_basic_auth_password is not defined - failed_when: > - license_activated.status != 200 or - license_activated.json.license_status is not defined or - license_activated.json.license_status != 'valid' - - name: Activate ES license (with security authentication) uri: method: PUT url: "http://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true" - user: "{{es_api_basic_auth_username}}" - password: "{{es_api_basic_auth_password}}" + user: "{{es_api_basic_auth_username | default(omit)}}" + password: "{{es_api_basic_auth_password | default(omit)}}" body_format: json - force_basic_auth: yes body: "{{ es_xpack_license }}" return_content: yes register: license_activated no_log: True - when: es_api_basic_auth_username is defined and es_api_basic_auth_password is defined failed_when: > license_activated.status != 200 or license_activated.json.license_status is not defined or diff --git a/templates/elasticsearch.j2 b/templates/elasticsearch.j2 index 5bf5746..912cc38 100644 --- a/templates/elasticsearch.j2 
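Review bot: Merging the two license tasks in the xpack-activation hunk drops `force_basic_auth: yes`, so the `uri` module now sends the credentials only after the server answers with a 401 challenge. If the cluster answers the first unauthenticated request with anything else (for example a 403 when anonymous access is enabled), `user`/`password` are never sent and the activation fails even though they are set. Keeping `force_basic_auth: yes` should be harmless when `user` is omitted, but confirm that on the Ansible version in use. The task name still reads "(with security authentication)" although it now covers both cases; something like `- name: Activate ES license` would match. Separately, the URL is plain `http://`, so the license body and any Basic credentials travel unencrypted unless `es_api_host` is loopback.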
+++ b/templates/elasticsearch.j2 @@ -9,19 +9,19 @@ ES_HOME={{es_home}} #JAVA_HOME= # Elasticsearch configuration directory -CONF_DIR={{conf_dir}} -ES_PATH_CONF={{conf_dir}} +CONF_DIR={{ es_conf_dir }} +ES_PATH_CONF={{ es_conf_dir }} # Elasticsearch data directory -DATA_DIR={{ data_dirs | array_to_str }} +DATA_DIR={{ es_data_dirs | array_to_str }} # Elasticsearch logs directory -LOG_DIR={{log_dir}} +LOG_DIR={{ es_log_dir }} # Elasticsearch PID directory -PID_DIR={{pid_dir}} +PID_DIR={{ es_pid_dir }} -ES_JVM_OPTIONS={{conf_dir}}/jvm.options +ES_JVM_OPTIONS={{ es_conf_dir }}/jvm.options # Configure restart on package upgrade (true, every other setting will lead to not restarting) #ES_RESTART_ON_UPGRADE=true @@ -33,16 +33,6 @@ ES_JVM_OPTIONS={{conf_dir}}/jvm.options # Elasticsearch service ################################ -# SysV init.d -# -# When executing the init script, this user will be used to run the elasticsearch service. -# The default value is 'elasticsearch' and is declared in the init.d file. -# Note that this setting is only used by the init script. If changed, make sure that -# the configured user can read and write into the data, work, plugins and log directories. -# For systemd service, the user is usually configured in file /usr/lib/systemd/system/elasticsearch.service -ES_USER={{es_user}} -ES_GROUP={{es_group}} - # The number of seconds to wait before checking if Elasticsearch started successfully as a daemon process ES_STARTUP_SLEEP_TIME=5 diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index f7ecae0..47346ed 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -8,7 +8,7 @@ cluster.name: elasticsearch {% endif %} {% if es_config['node.name'] is not defined %} -node.name: {{inventory_hostname}}-{{es_instance_name}} +node.name: {{inventory_hostname}} {% endif %} #################################### Paths #################################### 
@@ -16,12 +16,12 @@ node.name: {{inventory_hostname}}-{{es_instance_name}} # Path to directory containing configuration (this file and logging.yml): {% if (es_version is version_compare('6.0.0', '<')) %} -path.conf: {{ conf_dir }} +path.conf: {{ es_conf_dir }} {% endif %} -path.data: {{ data_dirs | array_to_str }} +path.data: {{ es_data_dirs | array_to_str }} -path.logs: {{ log_dir }} +path.logs: {{ es_log_dir }} {% if es_path_repo is defined %} path.repo: {{ es_path_repo }} diff --git a/templates/init/debian/elasticsearch.j2 b/templates/init/debian/elasticsearch.j2 deleted file mode 100755 index 7d7e346..0000000 --- a/templates/init/debian/elasticsearch.j2 +++ /dev/null 
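Review bot: `path.data` and `path.logs` are now rendered straight from `es_data_dirs` and `es_log_dir`, but hosts already deployed by this role hold their data under the per-instance subdirectory built by the removed `instance_suffix` facts. After an upgrade such a node would presumably start against an empty data path. Nothing in the visible hunks migrates or detects the old layout. Consider a pre-flight task that fails when the old suffixed directory exists, and record the change next to the setting, e.g. `# NOTE: data is no longer stored under <es_data_dirs>/<host>-<instance>; move existing directories before upgrading`. The template continues outside this hunk.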
@@ -1,229 +0,0 @@ -#!/bin/bash -# -# /etc/init.d/elasticsearch -- startup script for Elasticsearch -# -### BEGIN INIT INFO -# Provides: elasticsearch -# Required-Start: $network $remote_fs $named -# Required-Stop: $network $remote_fs $named -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Starts elasticsearch -# Description: Starts elasticsearch using start-stop-daemon -### END INIT INFO - -PATH=/bin:/usr/bin:/sbin:/usr/sbin -NAME={{es_instance_name}}_{{default_file | basename}} -{% if es_config['node.name'] is defined %} -DESC="Elasticsearch Server - {{es_config['node.name']}}" -{% else %} -DESC="Elasticsearch Server - {{es_instance_name}}" -{% endif %} - -DEFAULT=/etc/default/$NAME - -if [ `id -u` -ne 0 ]; then - echo "You need root privileges to run this script" - exit 1 -fi - -. /lib/lsb/init-functions -if [ -r /etc/default/rcS ]; then - . /etc/default/rcS -fi - -# The following variables can be overwritten in $DEFAULT - -# Run Elasticsearch as this user ID and group ID -ES_USER={{es_user}} -ES_GROUP={{es_group}} - -# Directory where the Elasticsearch binary distribution resides -ES_HOME={{es_home}} - -# Maximum number of open files -{% if es_max_open_files is defined %} -MAX_OPEN_FILES={{es_max_open_files}} -{% endif %} - -# Maximum amount of locked memory -#MAX_LOCKED_MEMORY= -{% if m_lock_enabled %} -MAX_LOCKED_MEMORY=unlimited -{% endif %} - -# Elasticsearch log directory -LOG_DIR={{log_dir}} - -# Elasticsearch data directory -DATA_DIR={{ data_dirs | array_to_str }} - -# Elasticsearch configuration directory -CONF_DIR={{conf_dir}} -ES_PATH_CONF={{ conf_dir }} - -# Maximum number of VMA (Virtual Memory Areas) a process can own -{% if es_max_map_count is defined %} -MAX_MAP_COUNT={{es_max_map_count}} -{% endif %} - -# Elasticsearch PID file directory -PID_DIR={{pid_dir}} - -ES_JVM_OPTIONS="{{conf_dir}}/jvm.options" - -# End of variables that can be overwritten in $DEFAULT - -# overwrite settings from default file -if [ -f "$DEFAULT" ]; 
then - . "$DEFAULT" -fi - -# CONF_FILE setting was removed -if [ ! -z "$CONF_FILE" ]; then - echo "CONF_FILE setting is no longer supported. elasticsearch.yml must be placed in the config directory and cannot be renamed." - exit 1 -fi - -if [ "$ES_USER" != "elasticsearch" ] || [ "$ES_GROUP" != "elasticsearch" ]; then - echo "WARNING: ES_USER and ES_GROUP are deprecated and will be removed in the next major version of Elasticsearch, got: [$ES_USER:$ES_GROUP]" -fi - -# Define other required variables -PID_FILE="$PID_DIR/$NAME.pid" -DAEMON=$ES_HOME/bin/elasticsearch -{% if (es_version is version_compare('6.0.0', '<')) %} -DAEMON_OPTS="-d -p $PID_FILE -Edefault.path.logs=$LOG_DIR -Edefault.path.data=$DATA_DIR -Edefault.path.conf=$CONF_DIR" -{% else %} -DAEMON_OPTS="-d -p $PID_FILE" -{% endif %} - -export ES_JAVA_OPTS -export JAVA_HOME -export ES_INCLUDE -export ES_JVM_OPTIONS -export ES_PATH_CONF - -# export unsupported variables so bin/elasticsearch can reject them and inform the user these are unsupported -if test -n "$ES_MIN_MEM"; then export ES_MIN_MEM; fi -if test -n "$ES_MAX_MEM"; then export ES_MAX_MEM; fi -if test -n "$ES_HEAP_SIZE"; then export ES_HEAP_SIZE; fi -if test -n "$ES_HEAP_NEWSIZE"; then export ES_HEAP_NEWSIZE; fi -if test -n "$ES_DIRECT_SIZE"; then export ES_DIRECT_SIZE; fi -if test -n "$ES_USE_IPV4"; then export ES_USE_IPV4; fi -if test -n "$ES_GC_OPTS"; then export ES_GC_OPTS; fi -if test -n "$ES_GC_LOG_FILE"; then export ES_GC_LOG_FILE; fi - -# Check DAEMON exists -if [ ! -x "$DAEMON" ]; then - echo "The elasticsearch startup script does not exists or it is not executable, tried: $DAEMON" - exit 1 -fi - -checkJava() { - if [ -x "$JAVA_HOME/bin/java" ]; then - JAVA="$JAVA_HOME/bin/java" - else - JAVA=`which java` - fi - - if [ ! -x "$JAVA" ]; then - echo "Could not find any executable java binary. 
Please install java in your PATH or set JAVA_HOME" - exit 1 - fi -} - -case "$1" in - start) - checkJava - - log_daemon_msg "Starting $DESC" - - pid=`pidofproc -p $PID_FILE elasticsearch` - if [ -n "$pid" ] ; then - log_begin_msg "Already running." - log_end_msg 0 - exit 0 - fi - - # Ensure that the PID_DIR exists (it is cleaned at OS startup time) - if [ -n "$PID_DIR" ] && [ ! -e "$PID_DIR" ]; then - mkdir -p "$PID_DIR" && chown "$ES_USER":"$ES_GROUP" "$PID_DIR" - fi - if [ -n "$PID_FILE" ] && [ ! -e "$PID_FILE" ]; then - touch "$PID_FILE" && chown "$ES_USER":"$ES_GROUP" "$PID_FILE" - fi - - if [ -n "$MAX_OPEN_FILES" ]; then - ulimit -n $MAX_OPEN_FILES - fi - - if [ -n "$MAX_LOCKED_MEMORY" ]; then - ulimit -l $MAX_LOCKED_MEMORY - fi - - if [ -n "$MAX_THREADS" ]; then - ulimit -u $MAX_THREADS - fi - - if [ -n "$MAX_MAP_COUNT" -a -f /proc/sys/vm/max_map_count ]; then - sysctl -q -w vm.max_map_count=$MAX_MAP_COUNT - fi - - # Start Daemon - start-stop-daemon -d $ES_HOME --start --user "$ES_USER" -c "$ES_USER" --pidfile "$PID_FILE" --exec $DAEMON -- $DAEMON_OPTS - return=$? - if [ $return -eq 0 ]; then - i=0 - timeout={{es_debian_startup_timeout}} - # Wait for the process to be properly started before exiting - until { kill -0 `cat "$PID_FILE"`; } >/dev/null 2>&1 - do - sleep 1 - i=$(($i + 1)) - if [ $i -gt $timeout ]; then - log_end_msg 1 - exit 1 - fi - done - fi - log_end_msg $return - exit $return - ;; - stop) - log_daemon_msg "Stopping $DESC" - - if [ -f "$PID_FILE" ]; then - start-stop-daemon --stop --pidfile "$PID_FILE" \ - --user "$ES_USER" \ - --quiet \ - --retry forever/TERM/20 > /dev/null - if [ $? -eq 1 ]; then - log_progress_msg "$DESC is not running but pid file exists, cleaning up" - elif [ $? 
-eq 3 ]; then - PID="`cat $PID_FILE`" - log_failure_msg "Failed to stop $DESC (pid $PID)" - exit 1 - fi - rm -f "$PID_FILE" - else - log_progress_msg "(not running)" - fi - log_end_msg 0 - ;; - status) - status_of_proc -p $PID_FILE elasticsearch elasticsearch && exit 0 || exit $? - ;; - restart|force-reload) - if [ -f "$PID_FILE" ]; then - $0 stop - fi - $0 start - ;; - *) - log_success_msg "Usage: $0 {start|stop|restart|force-reload|status}" - exit 1 - ;; -esac - -exit 0 diff --git a/templates/init/redhat/elasticsearch.j2 b/templates/init/redhat/elasticsearch.j2 deleted file mode 100755 index 8ba1164..0000000 --- a/templates/init/redhat/elasticsearch.j2 +++ /dev/null 
@@ -1,217 +0,0 @@ -#!/bin/bash -# -# elasticsearch -# -# chkconfig: 2345 80 20 -# description: Starts and stops a single elasticsearch instance on this system -# - -### BEGIN INIT INFO -# Provides: Elasticsearch -# Required-Start: $network $named -# Required-Stop: $network $named -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: This service manages the elasticsearch daemon -# Description: Elasticsearch is a very scalable, schema-free and high-performance search solution supporting multi-tenancy and near realtime search. -### END INIT INFO - -# -# init.d / servicectl compatibility (openSUSE) -# -if [ -f /etc/rc.status ]; then - . /etc/rc.status - rc_reset -fi - -# -# Source function library. -# -if [ -f /etc/rc.d/init.d/functions ]; then - . /etc/rc.d/init.d/functions -fi - -# Sets the default values for elasticsearch variables used in this script -ES_USER="{{es_user}}" -ES_GROUP="{{es_group}}" -ES_HOME="{{es_home}}" -{% if es_max_open_files is defined %} -MAX_OPEN_FILES={{es_max_open_files}} -{% endif %} -# Maximum number of VMA (Virtual Memory Areas) a process can own -{% if es_max_map_count is defined %} -MAX_MAP_COUNT={{es_max_map_count}} -{% endif %} - -LOG_DIR="{{log_dir}}" -DATA_DIR={{ data_dirs | array_to_str }} -CONF_DIR="{{conf_dir}}" -ES_PATH_CONF="{{ conf_dir }}" - -PID_DIR="{{pid_dir}}" - -# Source the default env file -ES_ENV_FILE="{{instance_default_file}}" -if [ -f "$ES_ENV_FILE" ]; then - . "$ES_ENV_FILE" -fi - -if [ "$ES_USER" != "elasticsearch" ] || [ "$ES_GROUP" != "elasticsearch" ]; then - echo "WARNING: ES_USER and ES_GROUP are deprecated and will be removed in the next major version of Elasticsearch, got: [$ES_USER:$ES_GROUP]" -fi - -# CONF_FILE setting was removed -if [ ! -z "$CONF_FILE" ]; then - echo "CONF_FILE setting is no longer supported. elasticsearch.yml must be placed in the config directory and cannot be renamed." 
- exit 1 -fi - -exec="$ES_HOME/bin/elasticsearch" -prog="{{es_instance_name}}_{{default_file | basename}}" -pidfile="$PID_DIR/${prog}.pid" - -export ES_JAVA_OPTS -export JAVA_HOME -export ES_INCLUDE -export ES_JVM_OPTIONS -export ES_STARTUP_SLEEP_TIME -export ES_PATH_CONF - -# export unsupported variables so bin/elasticsearch can reject them and inform the user these are unsupported -if test -n "$ES_MIN_MEM"; then export ES_MIN_MEM; fi -if test -n "$ES_MAX_MEM"; then export ES_MAX_MEM; fi -if test -n "$ES_HEAP_SIZE"; then export ES_HEAP_SIZE; fi -if test -n "$ES_HEAP_NEWSIZE"; then export ES_HEAP_NEWSIZE; fi -if test -n "$ES_DIRECT_SIZE"; then export ES_DIRECT_SIZE; fi -if test -n "$ES_USE_IPV4"; then export ES_USE_IPV4; fi -if test -n "$ES_GC_OPTS"; then export ES_GC_OPTS; fi -if test -n "$ES_GC_LOG_FILE"; then export ES_GC_LOG_FILE; fi - -lockfile=/var/lock/subsys/$prog - -# backwards compatibility for old config sysconfig files, pre 0.90.1 -if [ -n $USER ] && [ -z $ES_USER ] ; then - ES_USER=$USER -fi - -if [ ! -x "$exec" ]; then - echo "The elasticsearch startup script does not exists or it is not executable, tried: $exec" - exit 1 -fi - -checkJava() { - if [ -x "$JAVA_HOME/bin/java" ]; then - JAVA="$JAVA_HOME/bin/java" - else - JAVA=`which java` - fi - - if [ ! -x "$JAVA" ]; then - echo "Could not find any executable java binary. Please install java in your PATH or set JAVA_HOME" - exit 1 - fi -} - -start() { - checkJava - [ -x $exec ] || exit 5 - - if [ -n "$MAX_OPEN_FILES" ]; then - ulimit -n $MAX_OPEN_FILES - fi - if [ -n "$MAX_LOCKED_MEMORY" ]; then - ulimit -l $MAX_LOCKED_MEMORY - fi - if [ -n "$MAX_THREADS" ]; then - ulimit -u $MAX_THREADS - fi - if [ -n "$MAX_MAP_COUNT" -a -f /proc/sys/vm/max_map_count ]; then - sysctl -q -w vm.max_map_count=$MAX_MAP_COUNT - fi - - # Ensure that the PID_DIR exists (it is cleaned at OS startup time) - if [ -n "$PID_DIR" ] && [ ! 
-e "$PID_DIR" ]; then - mkdir -p "$PID_DIR" && chown "$ES_USER":"$ES_GROUP" "$PID_DIR" - fi - if [ -n "$pidfile" ] && [ ! -e "$pidfile" ]; then - touch "$pidfile" && chown "$ES_USER":"$ES_GROUP" "$pidfile" - fi - - cd $ES_HOME - echo -n $"Starting $prog: " - # if not running, start it up here, usually something like "daemon $exec" -{% if (es_version is version_compare('6.0.0', '<')) %} - daemon --user $ES_USER --pidfile $pidfile $exec -p $pidfile -d -Edefault.path.logs=$LOG_DIR -Edefault.path.data=$DATA_DIR -Edefault.path.conf=$CONF_DIR -{% else %} - daemon --user $ES_USER --pidfile $pidfile $exec -p $pidfile -d -{% endif %} - retval=$? - echo - [ $retval -eq 0 ] && touch $lockfile - return $retval -} - -stop() { - echo -n $"Stopping $prog: " - # stop it here, often "killproc $prog" - killproc -p $pidfile -d 86400 $prog - retval=$? - echo - [ $retval -eq 0 ] && rm -f $lockfile - return $retval -} - -restart() { - stop - start -} - -reload() { - restart -} - -force_reload() { - restart -} - -rh_status() { - # run checks to determine if the service is running or use generic status - status -p $pidfile $prog -} - -rh_status_q() { - rh_status >/dev/null 2>&1 -} - - -case "$1" in - start) - rh_status_q && exit 0 - $1 - ;; - stop) - rh_status_q || exit 0 - $1 - ;; - restart) - $1 - ;; - reload) - rh_status_q || exit 7 - $1 - ;; - force-reload) - force_reload - ;; - status) - rh_status - ;; - condrestart|try-restart) - rh_status_q || exit 0 - restart - ;; - *) - echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" - exit 2 -esac -exit $? diff --git a/templates/systemd/elasticsearch.j2 b/templates/systemd/elasticsearch.j2 deleted file mode 100644 index cd7366b..0000000 --- a/templates/systemd/elasticsearch.j2 +++ /dev/null 
@@ -1,78 +0,0 @@ -[Unit] -Description=Elasticsearch-{{es_instance_name}} -Documentation=http://www.elastic.co -Wants=network-online.target -After=network-online.target -{# Directive 'WorkingDirectory' creates an implicit dependecy for {{es_home}}, so it can be omitted here #} -RequiresMountsFor={{ data_dirs | array_to_str(separator=' ') }} {{log_dir}} {{pid_dir}} {{conf_dir}} - -[Service] -Environment=ES_HOME={{es_home}} -Environment=CONF_DIR={{conf_dir}} -Environment=ES_PATH_CONF={{conf_dir}} -Environment=DATA_DIR={{ data_dirs | array_to_str }} -Environment=LOG_DIR={{log_dir}} -Environment=PID_DIR={{pid_dir}} -EnvironmentFile=-{{instance_default_file}} - -WorkingDirectory={{es_home}} - -User={{es_user}} -Group={{es_group}} - -{% if (es_version is version_compare('6.0.0', '<')) %} -ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec -{% endif %} - -ExecStart={{es_home}}/bin/elasticsearch \ - -p ${PID_DIR}/elasticsearch.pid \ -{% if (es_version is version_compare('6.0.0', '<')) %} - -Edefault.path.logs=${LOG_DIR} \ - -Edefault.path.data=${DATA_DIR} \ - -Edefault.path.conf=${CONF_DIR} \ -{% endif %} - --quiet - - -# StandardOutput is configured to redirect to journalctl since -# some error messages may be logged in standard output before -# elasticsearch logging system is initialized. Elasticsearch -# stores its logs in /var/log/elasticsearch and does not use -# journalctl by default. If you also want to enable journalctl -# logging, you can simply remove the "quiet" option from ExecStart. 
-StandardOutput=journal -StandardError=inherit - -# Specifies the maximum file descriptor number that can be opened by this process -{% if es_max_open_files is defined %} -LimitNOFILE={{es_max_open_files}} -{% endif %} - -# Specifies the maximum number of bytes of memory that may be locked into RAM -# Set to "infinity" if you use the 'bootstrap.memory_lock: true' option -# in elasticsearch.yml and 'MAX_LOCKED_MEMORY=unlimited' in {{instance_default_file}} -{% if m_lock_enabled %} -LimitMEMLOCK=infinity -{% endif %} - -# Specifies the maximum number of threads that can be started. Elasticsearch requires a -# minimum of 2048. -LimitNPROC={{ es_max_threads }} - -# Disable timeout logic and wait until process is stopped -TimeoutStopSec=0 - -# SIGTERM signal is used to stop the Java process -KillSignal=SIGTERM - -# Send the signal only to the JVM rather than its control group -KillMode=process - -# Java process is never killed -SendSIGKILL=no - -# When a JVM receives a SIGTERM signal it exits with code 143 -SuccessExitStatus=143 - -[Install] -WantedBy=multi-user.target diff --git a/test/integration/helpers/serverspec/multi_spec.rb b/test/integration/helpers/serverspec/multi_spec.rb deleted file mode 100644 index 3f42e2f..0000000 --- a/test/integration/helpers/serverspec/multi_spec.rb +++ /dev/null 
@@ -1,122 +0,0 @@ -require 'spec_helper' -require 'json' -vars = JSON.parse(File.read('/tmp/vars.json')) - -shared_examples 'multi::init' do |vars| - - describe service('master_elasticsearch') do - it { should be_running } - end - #test configuration parameters have been set - test all appropriately set in config file - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do - it { should be_file } - it { should contain 'http.port: 9201' } - if vars['es_major_version'] == '7.x' - it { should contain 'transport.port: 9301' } - else - it { should contain 'transport.tcp.port: 9301' } - end - it { should_not contain 'bootstrap.memory_lock: true' } - end - - - #test configuration parameters have been set for master - test all appropriately set in config file - describe file('/etc/elasticsearch/master/elasticsearch.yml') do - it { should be_file } - it { should contain 'http.port: 9200' } - if vars['es_major_version'] == '7.x' - it { should contain 'transport.port: 9300' } - else - it { should contain 'transport.tcp.port: 9300' } - end - it { should contain 'node.data: false' } - it { should contain 'node.master: true' } - it { should contain 'node.name: localhost-master' } - it { should contain 'bootstrap.memory_lock: true' } - it { should_not contain 'path.conf: /etc/elasticsearch/master' } - it { should contain 'path.data: /opt/elasticsearch/master/localhost-master' } - it { should contain 'path.logs: /var/log/elasticsearch/localhost-master' } - end - - describe 'Master listening' do - it 'listening in port 9200' do - expect(port 9200).to be_listening - end - end - - #test we started on the correct port was used for master - describe 'master started' do - it 'master node should be running', :retry => 3, :retry_wait => 10 do - expect(curl_json('http://localhost:9200')['name']).to eq('localhost-master') - end - end - - #test we started on the correct port was used for node 1 - describe "#{vars['es_instance_name']} started" do - it 'node 
should be running', :retry => 3, :retry_wait => 10 do - expect(curl_json('http://localhost:9201')['name']).to eq("localhost-#{vars['es_instance_name']}") - end - end - - #Confirm that the data directory has only been set for the first node - describe file('/opt/elasticsearch/master/localhost-master') do - it { should be_directory } - it { should be_owned_by 'elasticsearch' } - end - - describe file("/opt/elasticsearch/data-1/localhost-#{vars['es_instance_name']}") do - it { should be_directory } - it { should be_owned_by 'elasticsearch' } - end - - - describe file("/opt/elasticsearch/data-2/localhost-#{vars['es_instance_name']}") do - it { should be_directory } - it { should be_owned_by 'elasticsearch' } - end - - #test to make sure mlock was applied - describe command('curl -s "localhost:9200/_nodes/localhost-master/process?pretty=true" | grep mlockall') do - its(:stdout) { should match /true/ } - its(:exit_status) { should eq 0 } - end - - #test to make sure mlock was not applied - describe command("curl -s 'localhost:9201/_nodes/localhost-#{vars['es_instance_name']}/process?pretty=true' | grep mlockall") do - its(:stdout) { should match /false/ } - its(:exit_status) { should eq 0 } - end - - describe 'version check on master' do - it 'should be reported as version '+vars['es_version'] do - command = command('curl -s localhost:9200 | grep number') - expect(command.stdout).to match(vars['es_version']) - expect(command.exit_status).to eq(0) - end - end - - describe 'version check on data' do - it 'should be reported as version '+vars['es_version'] do - command = command('curl -s localhost:9201 | grep number') - expect(command.stdout).to match(vars['es_version']) - expect(command.exit_status).to eq(0) - end - end - - for plugin in vars['es_plugins'] - plugin = plugin['plugin'] - - describe command('curl -s localhost:9200/_nodes/plugins?pretty=true | grep '+plugin) do - its(:exit_status) { should eq 0 } - end - - describe command('curl -s 
localhost:9201/_nodes/plugins?pretty=true | grep '+plugin) do - its(:exit_status) { should eq 0 } - end - - describe file('/usr/share/elasticsearch/plugins/'+plugin) do - it { should be_directory } - it { should be_owned_by 'elasticsearch' } - end - end -end diff --git a/test/integration/helpers/serverspec/oss_spec.rb b/test/integration/helpers/serverspec/oss_spec.rb index d8d9409..abe9df3 100644 --- a/test/integration/helpers/serverspec/oss_spec.rb +++ b/test/integration/helpers/serverspec/oss_spec.rb @@ -1,12 +1,12 @@ require 'spec_helper' shared_examples 'oss::init' do |vars| - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/log4j2.properties") do + describe file("/etc/elasticsearch/log4j2.properties") do it { should be_file } it { should be_owned_by 'elasticsearch' } it { should_not contain 'CUSTOM LOG4J FILE' } end - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/jvm.options") do + describe file("/etc/elasticsearch/jvm.options") do it { should be_file } it { should be_owned_by vars['es_user'] } end diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index 92ddfa8..cbeb2ed 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb @@ -97,7 +97,7 @@ shared_examples 'shared::init' do |vars| it { should be_installed } end - describe service("#{vars['es_instance_name']}_elasticsearch") do + describe service("elasticsearch") do it { should be_running } end 
@@ -128,22 +128,11 @@ shared_examples 'shared::init' do |vars| end end end - describe file('/etc/init.d/elasticsearch') do - it { should_not exist } - end describe file(family['defaults_path']) do its(:content) { should match '' } end - describe file('/etc/elasticsearch/elasticsearch.yml') do - it { should_not exist } - end - - describe file('/etc/elasticsearch/logging.yml') do - it { should_not exist } - end - if vars.key?('es_plugins') vars['es_plugins'].each do |plugin| name = plugin['plugin'] @@ -162,12 +151,12 @@ shared_examples 'shared::init' do |vars| end end end - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do - it { should contain "node.name: localhost-#{vars['es_instance_name']}" } + describe file("/etc/elasticsearch/elasticsearch.yml") do + it { should contain "node.name: localhost" } it { should contain 'cluster.name: elasticsearch' } - it { should_not contain "path.conf: /etc/elasticsearch/#{vars['es_instance_name']}" } - its(:content) { should match "path.data: #{vars['data_dirs'].join(',')}" } - its(:content) { should match "path.logs: /var/log/elasticsearch/localhost-#{vars['es_instance_name']}" } + it { should_not contain "path.conf: /etc/elasticsearch" } + its(:content) { should match "path.data: #{vars['es_data_dirs'].join(',')}" } + its(:content) { should match "path.logs: /var/log/elasticsearch" } end if vars['es_use_repository'] diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index 96ec36e..4223234 100644 --- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb 
@@ -4,13 +4,13 @@ vars = JSON.parse(File.read('/tmp/vars.json')) shared_examples 'xpack_upgrade::init' do |vars| #Test users file, users_roles and roles.yml - describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/users_roles") do + describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/users_roles") do it { should be_owned_by 'elasticsearch' } it { should contain 'admin:es_admin' } it { should contain 'power_user:testUser' } end - describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/users") do + describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/users") do it { should be_owned_by 'elasticsearch' } it { should contain 'testUser:' } it { should contain 'es_admin:' } @@ -23,7 +23,7 @@ shared_examples 'xpack_upgrade::init' do |vars| end end - describe file("/etc/elasticsearch/#{vars['es_instance_name']}/elasticsearch.yml") do + describe file("/etc/elasticsearch/elasticsearch.yml") do if vars['es_major_version'] == '7.x' it { should contain 'security.authc.realms.file.file1.order: 0' } it { should contain 'security.authc.realms.native.native1.order: 1' } @@ -36,7 +36,7 @@ shared_examples 'xpack_upgrade::init' do |vars| end #Test contents of role_mapping.yml - describe file("/etc/elasticsearch/#{vars['es_instance_name']}#{vars['es_xpack_conf_subdir']}/role_mapping.yml") do + describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/role_mapping.yml") do it { should be_owned_by 'elasticsearch' } it { should contain 'power_user:' } it { should contain '- cn=admins,dc=example,dc=com' } diff --git a/test/integration/issue-test.yml b/test/integration/issue-test.yml index 5660ae6..3c5f77a 100644 --- a/test/integration/issue-test.yml +++ b/test/integration/issue-test.yml 
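Review bot: The `users_roles` block, fully visible in the first hunk of xpack_upgrade_spec.rb, asserts only `be_owned_by 'elasticsearch'` for a security realm file, so a regression that leaves it group- or world-readable would still pass. I would add a `be_mode` expectation there and in the `users` and `role_mapping.yml` blocks (both continue outside their hunks), using whatever mode the role's tasks are meant to set. Separately, the new paths place a `/` before `#{vars['es_xpack_conf_subdir']}`, while the old code concatenated the subdir directly, which suggests the variable is either empty or already starts with a slash. The resulting `//` is harmless on Linux but avoidable by keeping the interpolation adjacent, e.g. `"/etc/elasticsearch#{vars['es_xpack_conf_subdir']}/users_roles"`.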
@@ -10,13 +10,11 @@ roles: - elasticsearch vars: - es_instance_name: "security_node" es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}" es_config: xpack.security.authc.realms.file.file1.order: 1 xpack.security.authc.realms.native.native1.type: "native" es_heap_size: "1g" - es_enable_xpack: true es_plugins: - plugin: ingest-attachment es_xpack_features: diff --git a/test/integration/multi.yml b/test/integration/multi.yml deleted file mode 100644 index 8f1b8e0..0000000 --- a/test/integration/multi.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -# Test ability to deploy multiple instances to a machine -- name: Elasticsearch Multi test - master on 9200 - hosts: localhost - post_tasks: - - include: elasticsearch/test/integration/debug.yml - roles: - - elasticsearch - vars: - es_instance_name: "master" - es_data_dirs: - - "/opt/elasticsearch/master" - es_config_6x: - discovery.zen.ping.unicast.hosts: "localhost:9300" - http.port: 9200 - transport.tcp.port: 9300 - node.data: false - node.master: true - bootstrap.memory_lock: true - es_config_7x: - http.port: 9200 - transport.port: 9300 - node.data: false - node.master: true - bootstrap.memory_lock: true - es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" - es_enable_xpack: false - es_templates: true - es_heap_size: "1g" - es_api_port: 9200 - es_plugins: - - plugin: ingest-attachment - -- name: Elasticsearch Multi test - data on 9201 - hosts: localhost - post_tasks: - - include: elasticsearch/test/integration/debug.yml - roles: - - elasticsearch - vars: - es_enable_xpack: false - es_templates: true - es_heap_size: "1g" - es_api_port: 9201 - es_plugins: - - plugin: ingest-attachment - es_instance_name: "node1" - es_data_dirs: - - "/opt/elasticsearch/data-1" - - "/opt/elasticsearch/data-2" - es_config_6x: - discovery.zen.ping.unicast.hosts: "localhost:9300" - http.port: 9201 - transport.tcp.port: 9301 - node.data: true - node.master: false - es_config_7x: - discovery.seed_hosts: "localhost:9300" - http.port: 9201 - transport.port: 9301 - node.data: true - node.master: false - es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" diff --git a/test/integration/multi/multi.yml b/test/integration/multi/multi.yml deleted file mode 100644 index a3c37e1..0000000 --- a/test/integration/multi/multi.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- host: test-kitchen 
diff --git a/test/integration/multi/serverspec/default_spec.rb b/test/integration/multi/serverspec/default_spec.rb deleted file mode 100644 index 718b681..0000000 --- a/test/integration/multi/serverspec/default_spec.rb +++ /dev/null @@ -1,9 +0,0 @@ -require 'multi_spec' -require 'shared_spec' -require 'json' -vars = JSON.parse(File.read('/tmp/vars.json')) - -describe 'Multi Tests' do - include_examples 'shared::init', vars - include_examples 'multi::init', vars -end \ No newline at end of file diff --git a/test/integration/oss-to-xpack-upgrade.yml b/test/integration/oss-to-xpack-upgrade.yml index 96679a6..5648ebb 100644 --- a/test/integration/oss-to-xpack-upgrade.yml +++ b/test/integration/oss-to-xpack-upgrade.yml @@ -6,7 +6,6 @@ roles: - elasticsearch vars: - es_instance_name: "node1" es_version: "{{ '7.0.0' if es_major_version == '7.x' else '6.7.1' }}" # This is set to an older version than the current default to force an upgrade es_enable_xpack: false es_heap_size: "1g" @@ -18,7 +17,6 @@ roles: - elasticsearch vars: - es_instance_name: "node1" es_enable_xpack: true es_heap_size: "1g" es_xpack_features: diff --git a/test/integration/oss-upgrade.yml b/test/integration/oss-upgrade.yml index 62c2089..b841519 100644 --- a/test/integration/oss-upgrade.yml +++ b/test/integration/oss-upgrade.yml @@ -6,7 +6,6 @@ roles: - elasticsearch vars: - es_instance_name: "node1" es_version: "{{ '7.0.0' if es_major_version == '7.x' else '6.7.1' }}" # This is set to an older version than the current default to force an upgrade es_enable_xpack: false es_heap_size: "1g" @@ -18,6 +17,5 @@ roles: - elasticsearch vars: - es_instance_name: "node1" es_enable_xpack: false es_heap_size: "1g" diff --git a/test/integration/oss.yml b/test/integration/oss.yml index 4dfdee2..f94d585 100644 --- a/test/integration/oss.yml +++ b/test/integration/oss.yml @@ -6,7 +6,6 @@ roles: - elasticsearch vars: - es_instance_name: "node1" es_enable_xpack: false es_heap_size: "1g" es_plugins: 
diff --git a/test/integration/xpack-upgrade.yml b/test/integration/xpack-upgrade.yml index 560a1ca..c1944fe 100644 --- a/test/integration/xpack-upgrade.yml +++ b/test/integration/xpack-upgrade.yml @@ -6,8 +6,6 @@ roles: - elasticsearch vars: - es_instance_name: "node1" - es_api_port: 9200 es_config_6x: http.port: 9200 xpack.security.authc.realms.file1.order: 0 @@ -23,7 +21,6 @@ es_templates: true es_major_version: "7.x" es_version: "{{ '7.0.0' if es_major_version == '7.x' else '6.7.1' }}" # This is set to an older version than the current default to force an upgrade - es_enable_xpack: true es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}" es_plugins: - plugin: ingest-attachment @@ -119,8 +116,6 @@ roles: - elasticsearch vars: - es_api_port: 9200 - es_instance_name: "node1" es_config_6x: http.port: 9200 xpack.security.authc.realms.file1.order: 0 @@ -134,7 +129,6 @@ es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" es_heap_size: "1g" es_templates: true - es_enable_xpack: true es_xpack_license: "{{ lookup('file', '/tmp/license.json') }}" es_plugins: - plugin: ingest-attachment diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml index d3c4c36..aa02d61 100644 --- a/test/integration/xpack.yml +++ b/test/integration/xpack.yml @@ -7,10 +7,7 @@ roles: - elasticsearch vars: - es_api_port: 9200 - es_instance_name: "node1" es_config: http.port: 9200 es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{{ es_version }}.zip" es_heap_size: 2g - es_enable_xpack: true diff --git a/test/matrix.yml b/test/matrix.yml index e27a5ac..3e4e616 100644 --- a/test/matrix.yml +++ b/test/matrix.yml @@ -14,4 +14,3 @@ TEST_TYPE: - oss-to-xpack-upgrade - xpack - xpack-upgrade - - multi diff --git a/vars/main.yml b/vars/main.yml index c4a0183..d640fc4 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -1,6 +1,3 @@ --- es_package_url: "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch" -es_conf_dir: "/etc/elasticsearch" -sysd_script: "/usr/lib/systemd/system/elasticsearch.service" -init_script: "/etc/init.d/elasticsearch" reserved_xpack_users: ["elastic","kibana","logstash_system"] From c0238edb380629b6df9a71714efae5964d93b571 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Tue, 4 Jun 2019 12:18:30 +0200 Subject: [PATCH 35/71] release 7.1.1 version (#573) --- .kitchen.yml | 2 +- CHANGELOG.md | 41 ++++++++++++++++++++-- README.md | 79 ++++-------------------------------------- defaults/main.yml | 2 +- docs/multi-instance.md | 69 ++++++++++++++++++++++++++++++++++++ 5 files changed, 116 insertions(+), 77 deletions(-) create mode 100644 docs/multi-instance.md diff --git a/.kitchen.yml b/.kitchen.yml index 2ebe577..ede0f71 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -19,7 +19,7 @@ provisioner: extra_vars: es_major_version: "<%= ENV['VERSION'] %>" <% if ENV['VERSION'] == '6.x' %> - es_version: '6.7.2' + es_version: '6.8.0' <% end %> <% end %> diff --git a/CHANGELOG.md b/CHANGELOG.md index 744e522..6c279ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,40 @@ +## 7.1.1 - 2019/06/04 + +### Breaking changes + +#### End of multi-instance support + +* Starting with ansible-elasticsearch:7.1.1, installing more than one instance of Elasticsearch **on the same host** is no longer supported. +* Configuration, datas, logs and PID directories are now using standard paths like in the official Elasticsearch packages. + +* If you use only one instance but want to upgrade from an older ansible-elasticsearch version, follow [upgrade procedure](./docs/multi-instance.md#upgrade-procedure) +* If you install more than one instance of Elasticsearch on the same host (with different ports, directory and config files), **do not update to ansible-elasticsearch >= 7.1.1**, please follow this [workaround](./docs/multi-instance.md#workaround) instead. +* For multi-instances use cases, we are now recommending Docker containers using our official images (https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html). + +#### Moved some security features to basic + +You can now using basic authentication by overriding `es_api_basic_auth_username` and `es_api_basic_auth_password` variables without providing a license file. 
+ +### Features + +* 7.1.1 as default Elasticsearch version +* [#539](https://github.com/elastic/ansible-elasticsearch/pull/539) and [#542](https://github.com/elastic/ansible-elasticsearch/pull/542) - @grzegorznowak - Make ansible role compatible with ansible [check mode](https://docs.ansible.com/ansible/latest/user_guide/playbooks_checkmode.html) +* [#558](https://github.com/elastic/ansible-elasticsearch/pull/558) - @jmlrt - Add support for Elasticsearch 7.x, remove 5.x support and update tests +* [#560](https://github.com/elastic/ansible-elasticsearch/pull/560) - @jmlrt - Use default xpack features and remove system_key deprecated feature +* [#562](https://github.com/elastic/ansible-elasticsearch/pull/562) - @hamishforbes - Allow to customize instance suffix +* [#566](https://github.com/elastic/ansible-elasticsearch/pull/566) - @jmlrt - Remove multi-instances support +* [#567](https://github.com/elastic/ansible-elasticsearch/pull/567) - @jmlrt - Remove file scripts deprecated feature +* [#568](https://github.com/elastic/ansible-elasticsearch/pull/568) - @jmlrt - Skip Java install for Elasticsearch 7.x (java is now embeded) + +### Fixes + +* [#543](https://github.com/elastic/ansible-elasticsearch/pull/543) - @victorgs - Fix typo in Makefile +* [#546](https://github.com/elastic/ansible-elasticsearch/pull/546) - @thiagonache - Fix README example +* [#550](https://github.com/elastic/ansible-elasticsearch/pull/550) - @pemontto - Fix template conditional +* [#556](https://github.com/elastic/ansible-elasticsearch/pull/556) - @jmlrt - Fix debian-8 test +* [#557](https://github.com/elastic/ansible-elasticsearch/pull/557) - @jmlrt - Bump gem dependencies to fix [CVE-2018-1000544](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544) and [CVE-2018-1000201](https://nvd.nist.gov/vuln/detail/CVE-2018-1000201) +* [#564](https://github.com/elastic/ansible-elasticsearch/pull/564) - @jmlrt - Bump all gem dependencies to fix kitchen tests + ## 6.6.0 - 2019/01/29 ### Features 
@@ -5,7 +42,7 @@ * 6.6.0 as default Elasticsearch version * [#521](https://github.com/elastic/ansible-elasticsearch/pull/521) - @Crazybus - Allow switching between oss and standard packages * [#528](https://github.com/elastic/ansible-elasticsearch/pull/528) - @Fra-nk - Use systemd's RequiresMountsFor -* [#530](https://github.com/elastic/ansible-elasticsearch/pull/530) - @lde - Use dpkg_selections to lock elasticsearch version +* [#530](https://github.com/elastic/ansible-elasticsearch/pull/530) - @lde - Use dpkg_selections to lock Elasticsearch version ### Fixes @@ -77,7 +114,7 @@ When upgrading from module versions prior to 6.3, there are a number of upgrade #### Features * Integration testing has been refactored in [#457](https://github.com/elastic/ansible-elasticsearch/pull/457). This removed a lot of duplicate tests and added new tests to make sure all upgrade paths work. -* It is now possible to test elasticsearch snapshot builds by setting `es_use_snapshot_release` to `true` +* It is now possible to test Elasticsearch snapshot builds by setting `es_use_snapshot_release` to `true` #### Fixes diff --git a/README.md b/README.md index 6bdcbb1..e9e9e99 100644 --- a/README.md +++ b/README.md 
@@ -15,80 +15,13 @@ Ansible role for 7.x/6.x Elasticsearch. Currently this works on Debian and RedH The latest Elasticsearch versions of 7.x & 6.x are actively tested. -**BREAKING CHANGES** +## BREAKING CHANGES ### Notice about multi-instance support -Starting with ansible-elasticsearch:7.0.0, installing more than one instance of Elasticsearch **on the same host** is no more supported. - -See [554#issuecomment-496804929](https://github.com/elastic/ansible-elasticsearch/issues/554#issuecomment-496804929) for more details about why we remove it. - -If you install more than one instance of ElasticSearch on the same host (with different ports, directory and config files), **do not update to ansible-elasticsearch >= 7.0.0**. - -You are still be able to install Elasticsearch 6.x and 7.x in multi-instance mode by using ansible-elasticsearch commit [25bd09f](https://github.com/elastic/ansible-elasticsearch/commit/25bd09f6835b476b6a078676a7d614489a6739c5) (last commit before multi-instance removal) and overriding `es_version` variable: - -```sh -$ cat << EOF >> requirements.yml # require git -- src: https://github.com/elastic/ansible-elasticsearch - version: 25bd09f - name: elasticsearch -EOF -$ ansible-galaxy install -r requirements.yml -$ cat << EOF >> playbook.yml -- hosts: localhost - roles: - - role: elasticsearch - vars: - es_instance_name: "node1" - es_version: 7.0.1 # or 6.7.2 for example -EOF -$ ansible-playbook playbook.yml -``` - -However for multi-instances use cases, we are now recommending using Docker containers using our official images (https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html). - -#### Upgrade procedure - -If you have single-instances hosts and want to upgrade from previous versions of the role: - -1. 
Override these variables to match previous values: -```yaml - -es_conf_dir: /etc/elasticsearch/{{ instance_name }} -es_data_dirs: - - /var/lib/elasticsearch/{{ node_name }}-{{ instance_name }} -es_log_dir: /var/log/elasticsearch/{{ node_name }}-{{ instance_name }} -es_pid_dir: /var/run/elasticsearch/{{ node_name }}-{{ instance_name }} -``` - -2. Deploy ansible-role. **Even if these variables are overrided, Elasticsearch config file and default option file will change, which imply an Elasticsearch restart.** - -3. After ansible-role new deployment, you can do some cleanup of old Init file and Default file. - -Example: -```bash -$ ansible-playbook -e '{"es_conf_dir":"/etc/elasticsearch/node1","es_data_dirs":["/var/lib/elasticsearch/localhost-node1"],"es_log_dir":"/var/log/elasticsearch/localhost-node1","es_pid_dir":"/var/run/elasticsearch/localhost-node1"}' playbook.yml -... -TASK [elasticsearch : Create Directories] ********************************************************************************************************************************************************************************************************************** -ok: [localhost] => (item=/var/run/elasticsearch/localhost-node1) -ok: [localhost] => (item=/var/log/elasticsearch/localhost-node1) -ok: [localhost] => (item=/etc/elasticsearch/node1) -ok: [localhost] => (item=/var/lib/elasticsearch/localhost-node1) - -TASK [elasticsearch : Copy Configuration File] ***************************************************************************************************************************************************************************************************************** -changed: [localhost] - -TASK [elasticsearch : Copy Default File] *********************************************************************************************************************************************************************************************************************** -changed: [localhost] -... 
-PLAY RECAP ***************************************************************************************************************************************************************************************************************************************************** -localhost : ok=32 changed=3 unreachable=0 failed=0 - -$ find /etc -name 'node1_elasticsearch*' -/etc/default/node1_elasticsearch -/etc/systemd/system/multi-user.target.wants/node1_elasticsearch.service -$ rm /etc/default/node1_elasticsearch /etc/systemd/system/multi-user.target.wants/node1_elasticsearch.service -``` +* If you use only one instance but want to upgrade from an older ansible-elasticsearch version, follow [upgrade procedure](./docs/multi-instance.md#upgrade-procedure) +* If you install more than one instance of Elasticsearch on the same host (with different ports, directory and config files), **do not update to ansible-elasticsearch >= 7.1.1**, please follow this [workaround](./docs/multi-instance.md#workaround) instead. +* For multi-instances use cases, we are now recommending Docker containers using our official images (https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html). ## Dependency This role uses the json_query filter which [requires jmespath](https://github.com/ansible/ansible/issues/24319) on the local machine. @@ -98,7 +31,7 @@ This role uses the json_query filter which [requires jmespath](https://github.co Create your Ansible playbook with your own tasks, and include the role elasticsearch. You will have to have this repository accessible within the context of playbook. ```sh -ansible-galaxy install git+https://github.com/elastic/ansible-elasticsearch.git,7f5be969e07173c5697432141e909b6ced5a2e94 +ansible-galaxy install ansible-elasticsearch,7.1.1 ``` Then create your playbook yaml adding the role elasticsearch. 
@@ -431,7 +364,7 @@ These can either be set to a user declared in the file based realm, with admin p In addition to es_config, the following parameters allow the customization of the Java and Elasticsearch versions as well as the role behaviour. Options include: * ```es_enable_xpack``` Default `true`. Setting this to `false` will install the oss release of elasticsearch -* ```es_version``` (e.g. "7.0.0"). +* ```es_version``` (e.g. "7.1.1"). * ```es_api_host``` The host name used for actions requiring HTTP e.g. installing templates. Defaults to "localhost". * ```es_api_port``` The port used for actions requiring HTTP e.g. installing templates. Defaults to 9200. **CHANGE IF THE HTTP PORT IS NOT 9200** * ```es_api_basic_auth_username``` The Elasticsearch username for making admin changing actions. Used if Security is enabled. Ensure this user is admin. diff --git a/defaults/main.yml b/defaults/main.yml index 9b93e40..02ae64d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -es_version: "7.0.1" +es_version: "7.1.1" es_use_snapshot_release: false es_enable_xpack: true es_package_name: "elasticsearch" diff --git a/docs/multi-instance.md b/docs/multi-instance.md new file mode 100644 index 0000000..b934904 --- /dev/null +++ b/docs/multi-instance.md 
@@ -0,0 +1,69 @@ +# Multi-instance Support + +Starting with ansible-elasticsearch:7.1.1, installing more than one instance of Elasticsearch **on the same host** is no longer supported. + +See [554#issuecomment-496804929](https://github.com/elastic/ansible-elasticsearch/issues/554#issuecomment-496804929) for more details about why we removed it. + +## Upgrade procedure + +If you have single-instances hosts and want to upgrade from previous versions of the role: + +1. Override these variables to match previous values: +```yaml +es_conf_dir: /etc/elasticsearch/{{ instance_name }} +es_data_dirs: + - /var/lib/elasticsearch/{{ node_name }}-{{ instance_name }} +es_log_dir: /var/log/elasticsearch/{{ node_name }}-{{ instance_name }} +es_pid_dir: /var/run/elasticsearch/{{ node_name }}-{{ instance_name }} +``` + +2. Deploy ansible-role. **Even if these variables are overrided, Elasticsearch config file and default option file will change, which imply an Elasticsearch restart.** + +3. After ansible-role new deployment, you can do some cleanup of old Init file and Default file. + +Example: +```bash +$ ansible-playbook -e '{"es_conf_dir":"/etc/elasticsearch/node1","es_data_dirs":["/var/lib/elasticsearch/localhost-node1"],"es_log_dir":"/var/log/elasticsearch/localhost-node1","es_pid_dir":"/var/run/elasticsearch/localhost-node1"}' playbook.yml +... 
+TASK [elasticsearch : Create Directories] ********************************************************************************************************************************************************************************************************************** +ok: [localhost] => (item=/var/run/elasticsearch/localhost-node1) +ok: [localhost] => (item=/var/log/elasticsearch/localhost-node1) +ok: [localhost] => (item=/etc/elasticsearch/node1) +ok: [localhost] => (item=/var/lib/elasticsearch/localhost-node1) + +TASK [elasticsearch : Copy Configuration File] ***************************************************************************************************************************************************************************************************************** +changed: [localhost] + +TASK [elasticsearch : Copy Default File] *********************************************************************************************************************************************************************************************************************** +changed: [localhost] +... 
+PLAY RECAP ***************************************************************************************************************************************************************************************************************************************************** +localhost : ok=32 changed=3 unreachable=0 failed=0 + +$ find /etc -name 'node1_elasticsearch*' +/etc/default/node1_elasticsearch +/etc/systemd/system/multi-user.target.wants/node1_elasticsearch.service +$ rm /etc/default/node1_elasticsearch /etc/systemd/system/multi-user.target.wants/node1_elasticsearch.service +``` + +## Workaround + +If you use more than one instance of Elasticsearch on the same host (with different ports, directory and config files), you are still be able to install Elasticsearch 6.x and 7.x in multi-instance mode by using ansible-elasticsearch commit [25bd09f](https://github.com/elastic/ansible-elasticsearch/commit/25bd09f6835b476b6a078676a7d614489a6739c5) (last commit before multi-instance removal) and overriding `es_version` variable: + +```sh +$ cat << EOF >> requirements.yml # require git +- src: https://github.com/elastic/ansible-elasticsearch + version: 25bd09f + name: elasticsearch +EOF +$ ansible-galaxy install -r requirements.yml +$ cat << EOF >> playbook.yml +- hosts: localhost + roles: + - role: elasticsearch + vars: + es_instance_name: "node1" + es_version: 7.1.1 # or 6.8.0 for example +EOF +$ ansible-playbook playbook.yml +``` From 3bfc8b1b2eb1a30f48cb472a3b06cad8cf54efff Mon Sep 17 00:00:00 2001 From: Julian Date: Wed, 5 Jun 2019 14:48:53 +0200 Subject: [PATCH 36/71] Fix name of elasticsearch ansible role Use correct role name from ansible galaxy --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e9e9e99..2074676 100644 --- a/README.md +++ b/README.md 
@@ -31,7 +31,7 @@ This role uses the json_query filter which [requires jmespath](https://github.co Create your Ansible playbook with your own tasks, and include the role elasticsearch. You will have to have this repository accessible within the context of playbook. ```sh -ansible-galaxy install ansible-elasticsearch,7.1.1 +ansible-galaxy install elastic.elasticsearch,7.1.1 ``` Then create your playbook yaml adding the role elasticsearch. From 5b1d028bd2f81e343f7dc90c4f5b8b23ad8e80e5 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Fri, 7 Jun 2019 15:54:10 +0200 Subject: [PATCH 37/71] fix ''dict object has no attribute dict_keys" issue with python3 (#578) In Python2, the dict.keys(), dict.values(), and dict.items() methods returns a list. Jinja2 returns that to Ansible via a string representation that Ansible can turn back into a list. In Python3, those methods return a dictionary view object. resource: https://docs.ansible.com/ansible/2.4/playbooks_python_version.html#dictionary-views --- tasks/elasticsearch-parameters.yml | 4 ++-- .../security/elasticsearch-security-file.yml | 8 ++++---- .../elasticsearch-security-native.yml | 20 +++++++++---------- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index 08af2bc..f20c2d2 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml 
@@ -22,8 +22,8 @@ - es_api_basic_auth_password is not defined - name: set fact file_reserved_users - set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }} - when: es_users is defined and es_users.file is defined and (es_users.file.keys() | length > 0) and (es_users.file.keys() | intersect (reserved_xpack_users) | length > 0) + set_fact: file_reserved_users={{ es_users.file.keys() | list | intersect (reserved_xpack_users) }} + when: es_users is defined and es_users.file is defined and (es_users.file.keys() | list | length > 0) and (es_users.file.keys() | list | intersect (reserved_xpack_users) | length > 0) - name: fail when changing users through file realm fail: diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index fe14bab..ab77be1 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -1,6 +1,6 @@ --- - name: set fact manage_file_users - set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0 + set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 - name: Check if old users file exists stat: @@ -35,7 +35,7 @@ check_mode: no - name: set fact users_to_remove - set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys()) }} + set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys() | list) }} when: manage_file_users #Remove users @@ -51,7 +51,7 @@ ES_HOME: "{{es_home}}" - name: set fact users_to_add - set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) }} + set_fact: users_to_add={{ es_users.file.keys() | list | difference (current_file_users.stdout_lines) }} when: manage_file_users #Add users 
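Review bot: In the first hunk of tasks/xpack/security/elasticsearch-security-file.yml, `set_fact: manage_file_users=es_users is defined and ...` has no `{{ }}` around the expression, so the fact is presumably stored as the expression text rather than as a boolean. The later `when: manage_file_users` conditions then rely on Ansible re-evaluating a bare string variable as an expression, which newer Ansible releases deprecated; if the string is instead treated as a plain truthy value, the file-realm user add and remove tasks would run even when `es_users.file` is empty or undefined. I would store the evaluated result, in the same form the other `set_fact` lines in this file use: `set_fact: manage_file_users={{ es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 }}`.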
@@ -72,7 +72,7 @@ become: yes command: > {{es_home}}/bin/{{es_xpack_users_command}} passwd {{ item }} -p {{es_users.file[item].password}} - with_items: "{{ es_users.file.keys() | default([]) }}" + with_items: "{{ es_users.file.keys() | list }}" when: manage_file_users #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip. changed_when: False diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml index 151365b..6235952 100644 --- a/tasks/xpack/security/elasticsearch-security-native.yml +++ b/tasks/xpack/security/elasticsearch-security-native.yml @@ -7,14 +7,14 @@ - name: set fact manage_native_users to true set_fact: manage_native_users=true - when: es_users is defined and es_users.native is defined and es_users.native.keys() | length > 0 + when: es_users is defined and es_users.native is defined and es_users.native.keys() | list | length > 0 - name: set fact manage_native_role to false set_fact: manage_native_roles=false - name: set fact manange_native_roles to true set_fact: manage_native_roles=true - when: es_roles is defined and es_roles.native is defined and es_roles.native.keys() | length > 0 + when: es_roles is defined and es_roles.native is defined and es_roles.native.keys() | list | length > 0 #If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load @@ -37,7 +37,7 @@ #Current users not inc. those reserved - name: set fact current_users equals user_list_response.json.keys not including reserved - set_fact: current_users={{ user_list_response.json.keys() | difference (reserved_users) }} + set_fact: current_users={{ user_list_response.json.keys() | list | difference (reserved_users) }} when: manage_native_users #We are changing the es_api_basic_auth_username password, so we need to do it first and update the param 
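Review bot: The `passwd {{ item }} -p {{es_users.file[item].password}}` command in the @@ -72,7 hunk of elasticsearch-security-file.yml puts each file-realm password on the command line, where it is readable in the host's process list while the command runs and, unless suppressed, in Ansible's task output and logs. The task continues past the end of the hunk, so `no_log: true` may already be set there; if it is not, I would add it to this task. The password is also interpolated unquoted, so a value containing whitespace or shell-style quoting characters would be split or altered when the command module parses its arguments; `-p {{ es_users.file[item].password | quote }}` avoids that.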
@@ -67,7 +67,7 @@ #Identify users that are present in ES but not declared and thus should be removed - name: set fact users_to_remove - set_fact: users_to_remove={{ current_users | difference ( native_users.keys() ) }} + set_fact: users_to_remove={{ current_users | difference ( native_users.keys() | list) }} when: manage_native_users #Delete all non required users NOT inc. reserved @@ -83,7 +83,7 @@ with_items: "{{ users_to_remove | default([]) }}" - name: set fact users_to_ignore - set_fact: users_to_ignore={{ native_users.keys() | intersect (reserved_users) }} + set_fact: users_to_ignore={{ native_users.keys() | list | intersect (reserved_users) }} when: manage_native_users - name: debug message @@ -107,7 +107,7 @@ with_items: "{{ users_to_ignore | default([]) }}" - name: set fact users_to_modify - set_fact: users_to_modify={{ native_users.keys() | difference (reserved_users) }} + set_fact: users_to_modify={{ native_users.keys() | list | difference (reserved_users) }} when: manage_native_users #Overwrite all other users NOT inc. those reserved @@ -146,11 +146,11 @@ when: manage_native_roles - name: set fact current roles - set_fact: current_roles={{ role_list_response.json.keys() | difference (reserved_roles) }} + set_fact: current_roles={{ role_list_response.json.keys() | list | difference (reserved_roles) }} when: manage_native_roles - name: set fact roles to ignore - set_fact: roles_to_ignore={{ es_roles.native.keys() | intersect (reserved_roles) | default([]) }} + set_fact: roles_to_ignore={{ es_roles.native.keys() | list | intersect (reserved_roles) | default([]) }} when: manage_native_roles - name: debug message 
@@ -159,7 +159,7 @@ when: manage_native_roles and roles_to_ignore | length > 0 - name: set fact roles_to_remove - set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }} + set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() | list) }} when: manage_native_roles #Delete all non required roles NOT inc. reserved @@ -175,7 +175,7 @@ with_items: "{{roles_to_remove | default([]) }}" - name: set fact roles_to_modify - set_fact: roles_to_modify={{ es_roles.native.keys() | difference (reserved_roles) }} + set_fact: roles_to_modify={{ es_roles.native.keys() | list | difference (reserved_roles) }} when: manage_native_roles #Update other roles - NOT inc. reserved roles From c52eed7aa11590e44d7ad54a1bc7323e5dbc4bb8 Mon Sep 17 00:00:00 2001 From: Ludovic Petetin Date: Fri, 28 Jun 2019 14:15:03 +0200 Subject: [PATCH 38/71] Set userid and groupid between ElasticSearch removal and installation --- tasks/elasticsearch-Debian.yml | 3 +++ tasks/elasticsearch-RedHat.yml | 4 ++++ tasks/elasticsearch.yml | 4 ---- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 3b696c7..5809a45 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -54,6 +54,9 @@ - { repo: "{{ es_apt_url }}", state: "present" } - { repo: "{{ es_other_apt_url }}", state: "absent" } +- name: Include optional user and group creation. + when: (es_user_id is defined) and (es_group_id is defined) + include: elasticsearch-optional-user.yml - name: Debian - Ensure elasticsearch is installed become: yes diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml index c872fc3..3445b00 100644 --- a/tasks/elasticsearch-RedHat.yml +++ b/tasks/elasticsearch-RedHat.yml 
@@ -35,6 +35,10 @@ name: '{{ es_other_package_name }}' state: 'absent' +- name: Include optional user and group creation. + when: (es_user_id is defined) and (es_group_id is defined) + include: elasticsearch-optional-user.yml + - name: RedHat - Install Elasticsearch become: yes yum: diff --git a/tasks/elasticsearch.yml b/tasks/elasticsearch.yml index e2361d4..05fd93b 100644 --- a/tasks/elasticsearch.yml +++ b/tasks/elasticsearch.yml @@ -1,9 +1,5 @@ --- -- name: Include optional user and group creation. - when: (es_user_id is defined) and (es_group_id is defined) - include: elasticsearch-optional-user.yml - - name: Include specific Elasticsearch include: elasticsearch-Debian.yml when: ansible_os_family == 'Debian' From 812faf9596587ba438f9dacff89b9c8ce4fb6657 Mon Sep 17 00:00:00 2001 From: Kevin Tibi Date: Mon, 24 Jun 2019 11:32:27 +0200 Subject: [PATCH 39/71] Add option for disable the addition of official repository --- README.md | 3 ++- defaults/main.yml | 1 + tasks/elasticsearch-Debian.yml | 3 ++- tasks/elasticsearch-RedHat.yml | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2074676..b8d8e7d 100644 --- a/README.md +++ b/README.md 
@@ -386,7 +386,8 @@ In addition to es_config, the following parameters allow the customization of th * ```es_max_open_files``` the maximum file descriptor number that can be opened by this process. Defaults to 65536. * ```es_max_threads``` the maximum number of threads the process can start. Defaults to 2048 (the minimum required by elasticsearch). * ```es_debian_startup_timeout``` how long Debian-family SysV init scripts wait for the service to start, in seconds. Defaults to 10 seconds. -* ```es_use_repository``` Setting this to `false` will stop Ansible from using the official Elastic package repositories. +* ```es_use_repository``` Setting this to `false` will stop Ansible from using the official Elastic package from any repository configured on the system. +* ```es_add_repository``` Setting this to `false` will stop Ansible to add the official Elastic package repositories (if es_use_repository is true) if you want to use a repo already present. * ```es_custom_package_url``` the URL to the rpm or deb package for Ansible to install. When using this you will also need to set `es_use_repository: false` and make sure that the `es_version` matches the version being installed from your custom URL. E.g. `es_custom_package_url: https://downloads.example.com/elasticsearch.rpm` Earlier examples illustrate the installation of plugins using `es_plugins`. For officially supported plugins no version or source delimiter is required. The plugin script will determine the appropriate plugin version based on the target Elasticsearch version. For community based plugins include the full url. This approach should NOT be used for the X-Pack plugin. See X-Pack below for details here. diff --git a/defaults/main.yml b/defaults/main.yml index 02ae64d..8de86f4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -5,6 +5,7 @@ es_enable_xpack: true es_package_name: "elasticsearch" es_version_lock: false es_use_repository: true +es_add_repository: true es_templates_fileglob: "files/templates-{{ es_major_version }}/*.json" es_repo_base: "https://artifacts.elastic.co" es_apt_key: "{{ es_repo_base }}/GPG-KEY-elasticsearch" diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 3b696c7..257ea54 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -43,12 +43,13 @@ apt_key: url: '{{ es_apt_key }}' state: present - when: es_apt_key | string + when: es_add_repository and es_apt_key | string - name: Debian - Add elasticsearch repository apt_repository: repo: '{{ item.repo }}' state: '{{ item.state }}' + when: es_add_repository with_items: - { repo: "{{ es_apt_url_old }}", state: "absent" } - { repo: "{{ es_apt_url }}", state: "present" } diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml index c872fc3..97c49a9 100644 --- a/tasks/elasticsearch-RedHat.yml +++ b/tasks/elasticsearch-RedHat.yml @@ -16,7 +16,7 @@ template: src: 'elasticsearch.repo' dest: '/etc/yum.repos.d/elasticsearch-{{ es_repo_name }}.repo' - when: es_use_repository + when: es_use_repository and es_add_repository - name: RedHat - remove unused Elasticsearch repo become: yes From 582c79c607f4a564f49b56a0b1b566eb8c0cd1c5 Mon Sep 17 00:00:00 2001 From: Michael Russell Date: Tue, 9 Jul 2019 21:26:10 +0200 Subject: [PATCH 40/71] Add back in force_basic_auth for all http requests Related: #576 This is needed when using security for 6.x. All other http requests still have this parameter added. --- tasks/elasticsearch-template.yml | 1 + tasks/xpack/security/elasticsearch-xpack-activation.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index e1bc80d..8af780d 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml 
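Review bot: In `tasks/elasticsearch-Debian.yml`, the `apt_key` task that now carries `when: es_add_repository and es_apt_key | string` imports whatever key the `es_apt_key` URL returns, with no `id:` giving the expected fingerprint, so trust in every later package install rests on that single download. Adding `id: '<ELASTIC_KEY_FINGERPRINT>'` (placeholder; take the value from the vendor's published signing key) gives the module an expected key to check against, so a substituted key is noticed rather than silently trusted. It is also worth a comment beside the new condition that with `es_add_repository: false` neither the key nor the repository is managed, which means package authenticity depends entirely on the repository already configured on the host, and the `state: "absent"` clean-up items in the `apt_repository` loop are skipped as well.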
@@ -20,6 +20,7 @@ status_code: 200 user: "{{es_api_basic_auth_username | default(omit)}}" password: "{{es_api_basic_auth_password | default(omit)}}" + force_basic_auth: yes body_format: json body: "{{ lookup('file', item) }}" when: load_templates.changed and es_start_service diff --git a/tasks/xpack/security/elasticsearch-xpack-activation.yml b/tasks/xpack/security/elasticsearch-xpack-activation.yml index 996d86a..7da085e 100644 --- a/tasks/xpack/security/elasticsearch-xpack-activation.yml +++ b/tasks/xpack/security/elasticsearch-xpack-activation.yml @@ -8,6 +8,7 @@ body_format: json body: "{{ es_xpack_license }}" return_content: yes + force_basic_auth: yes register: license_activated no_log: True failed_when: > From 226df614ebc8dfb68208baaf36ad7dc38885c03a Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Fri, 12 Jul 2019 09:53:12 +0200 Subject: [PATCH 41/71] strip spaces to avoid wrong indent --- templates/elasticsearch.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index 47346ed..abb6c56 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -50,8 +50,8 @@ xpack.notification.email: auth: {{ es_mail_config['require_auth'] }} host: {{ es_mail_config['host'] }} port: {{ es_mail_config['port'] }} - {% if es_mail_config['require_auth'] == true %} + {% if es_mail_config['require_auth'] == true -%} user: {{ es_mail_config['user'] }} password: {{ es_mail_config['pass'] }} - {% endif %} + {%- endif %} {% endif %} From 718b3936f17b691500921fd66e352418548293da Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Fri, 12 Jul 2019 11:07:10 +0200 Subject: [PATCH 42/71] remove http.port recommendation --- tasks/elasticsearch-parameters.yml | 4 ---- test/integration/xpack-upgrade.yml | 4 ---- test/integration/xpack.yml | 2 -- 3 files changed, 10 deletions(-) 
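Review bot: In `tasks/elasticsearch-template.yml`, `force_basic_auth: yes` makes the `uri` module attach the Authorization header to the first request instead of waiting for a 401 challenge, so the credentials go to whatever the task's `url` points at, and in cleartext if that URL is plain HTTP. The `url` line is above the hunk, so this cannot be confirmed from here; a comment on the task stating that the API URI must be HTTPS whenever `es_api_basic_auth_password` is set, or an `assert` earlier in the role, would close the gap. The same applies to the identical addition in `elasticsearch-xpack-activation.yml`. Writing `force_basic_auth: true` would also avoid the YAML 1.1 truthy form.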
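Review bot: In `templates/elasticsearch.yml.j2`, `password: {{ es_mail_config['pass'] }}` and the `user:` line above it are rendered as plain YAML scalars, so a password containing ` #`, `: ` or a leading indicator character is truncated or breaks parsing of the generated file; the whitespace fix in this hunk does not change that. Rendering through a quoting filter, for example `password: {{ es_mail_config['pass'] | to_json }}`, keeps the value intact. Separately, this writes the SMTP password in cleartext into the main configuration file; if the Elasticsearch versions this role targets offer a keystore setting for it, that would be the safer place. The enclosing `{% if %}` block starts above the hunk.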
diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index f20c2d2..a27088a 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml @@ -4,10 +4,6 @@ fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined" when: (es_proxy_port is not defined or es_proxy_port == '') and (es_proxy_host is defined and es_proxy_host != '') -- name: debug message - debug: msg="WARNING - It is recommended you specify the parameter 'http.port'" - when: es_config['http.port'] is not defined - #If the user attempts to lock memory they must specify a heap size - name: fail when heap size is not specified when using memory lock fail: msg="If locking memory with bootstrap.memory_lock a heap size must be specified" diff --git a/test/integration/xpack-upgrade.yml b/test/integration/xpack-upgrade.yml index c1944fe..1270007 100644 --- a/test/integration/xpack-upgrade.yml +++ b/test/integration/xpack-upgrade.yml @@ -7,13 +7,11 @@ - elasticsearch vars: es_config_6x: - http.port: 9200 xpack.security.authc.realms.file1.order: 0 xpack.security.authc.realms.file1.type: file xpack.security.authc.realms.native1.order: 1 xpack.security.authc.realms.native1.type: native es_config_7x: - http.port: 9200 xpack.security.authc.realms.file.file1.order: 0 xpack.security.authc.realms.native.native1.order: 1 es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" @@ -117,13 +115,11 @@ - elasticsearch vars: es_config_6x: - http.port: 9200 xpack.security.authc.realms.file1.order: 0 xpack.security.authc.realms.file1.type: file xpack.security.authc.realms.native1.order: 1 xpack.security.authc.realms.native1.type: native es_config_7x: - http.port: 9200 xpack.security.authc.realms.file.file1.order: 0 xpack.security.authc.realms.native.native1.order: 1 es_config: "{{ es_config_7x if es_major_version == '7.x' else es_config_6x }}" 
diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml index aa02d61..e12064d 100644 --- a/test/integration/xpack.yml +++ b/test/integration/xpack.yml @@ -7,7 +7,5 @@ roles: - elasticsearch vars: - es_config: - http.port: 9200 es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{{ es_version }}.zip" es_heap_size: 2g From 6ca0f063720c68db9bf66d754e8307719269969a Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Fri, 12 Jul 2019 11:12:45 +0200 Subject: [PATCH 43/71] fix variables names --- docs/multi-instance.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/multi-instance.md b/docs/multi-instance.md index b934904..11872a9 100644 --- a/docs/multi-instance.md +++ b/docs/multi-instance.md @@ -10,11 +10,11 @@ If you have single-instances hosts and want to upgrade from previous versions of 1. Override these variables to match previous values: ```yaml -es_conf_dir: /etc/elasticsearch/{{ instance_name }} +es_conf_dir: /etc/elasticsearch/{{ es_instance_name }} es_data_dirs: - - /var/lib/elasticsearch/{{ node_name }}-{{ instance_name }} -es_log_dir: /var/log/elasticsearch/{{ node_name }}-{{ instance_name }} -es_pid_dir: /var/run/elasticsearch/{{ node_name }}-{{ instance_name }} + - /var/lib/elasticsearch/{{ inventory_hostname }}-{{ es_instance_name }} +es_log_dir: /var/log/elasticsearch/{{ inventory_hostname }}-{{ es_instance_name }} +es_pid_dir: /var/run/elasticsearch/{{ inventory_hostname }}-{{ es_instance_name }} ``` 2. Deploy ansible-role. **Even if these variables are overrided, Elasticsearch config file and default option file will change, which imply an Elasticsearch restart.** From b73cd06c1491515bdaf7912a97ee3865208b8f36 Mon Sep 17 00:00:00 2001 
From: Ludovic Petetin Date: Mon, 22 Jul 2019 12:28:40 +0200 Subject: [PATCH 44/71] Set limitMEMLOCK for OS using systemd --- tasks/elasticsearch-config.yml | 12 ++++++++++++ tasks/elasticsearch-parameters.yml | 4 ++++ vars/main.yml | 1 + 3 files changed, 17 insertions(+) diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml index 3d4f304..9b7d14f 100644 --- a/tasks/elasticsearch-config.yml +++ b/tasks/elasticsearch-config.yml @@ -24,6 +24,18 @@ template: src=elasticsearch.j2 dest={{ default_file }} mode=0644 force=yes notify: restart elasticsearch +#Copy the systemd specific file if systemd is installed +- name: Make sure destination dir exists + file: path={{ sysd_config_file | dirname }} state=directory recurse=yes mode=0755 + +- name: Copy Systemd File for Instance + become: yes + copy: src=systemd/elasticsearch_override.conf dest={{ sysd_config_file }} mode=0644 force=yes + when: use_system_d and m_lock_enabled + notify: + - reload systemd configuration + - restart elasticsearch + #Copy the logging.yml - name: Copy log4j2.properties File become: yes diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml index a27088a..36c3fe1 100644 --- a/tasks/elasticsearch-parameters.yml +++ b/tasks/elasticsearch-parameters.yml @@ -28,3 +28,7 @@ - name: set fact m_lock_enabled set_fact: m_lock_enabled={{ es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True }} + +- name: set fact use_system_d + set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version is version_compare('8', '>=')) or (ansible_distribution in ['RedHat','CentOS'] and ansible_distribution_version is version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('15', '>=')) }} + diff --git a/vars/main.yml b/vars/main.yml index d640fc4..91b7b69 100644 --- a/vars/main.yml +++ b/vars/main.yml 
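Review bot: In `tasks/elasticsearch-parameters.yml`, `use_system_d` is computed from a hard-coded list of distributions and versions, so a systemd host outside that list receives no `LimitMEMLOCK` override and `bootstrap.memory_lock` may not take effect there. Ansible already gathers the init system, and `set_fact: use_system_d={{ ansible_service_mgr == 'systemd' }}` covers every systemd host in one short expression. If the explicit list is kept on purpose, a comment explaining why only these three families are handled would save the next reader from guessing.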
@@ -1,3 +1,4 @@ --- es_package_url: "https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch" reserved_xpack_users: ["elastic","kibana","logstash_system"] +sysd_config_file: "/etc/systemd/system/elasticsearch.service.d/override.conf" From 2142c6f8f92fc58ad6103e11442072f3daf470c5 Mon Sep 17 00:00:00 2001 From: Ludovic Petetin Date: Mon, 22 Jul 2019 12:30:43 +0200 Subject: [PATCH 45/71] adding systemd limitMEMLOCK override file --- files/systemd/elasticsearch_override.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 files/systemd/elasticsearch_override.conf diff --git a/files/systemd/elasticsearch_override.conf b/files/systemd/elasticsearch_override.conf new file mode 100644 index 0000000..bf02203 --- /dev/null +++ b/files/systemd/elasticsearch_override.conf @@ -0,0 +1,2 @@ +[Service] +LimitMEMLOCK=infinity From 5994840c75320e460056dd44b8af021d389adf0f Mon Sep 17 00:00:00 2001 From: Ludovic Petetin Date: Mon, 22 Jul 2019 14:42:26 +0200 Subject: [PATCH 46/71] Create overriding systemd directory only if using systemd and memory lock is enabled --- tasks/elasticsearch-config.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml index 9b7d14f..f3508a7 100644 --- a/tasks/elasticsearch-config.yml +++ b/tasks/elasticsearch-config.yml 
@@ -25,16 +25,17 @@ notify: restart elasticsearch #Copy the systemd specific file if systemd is installed -- name: Make sure destination dir exists - file: path={{ sysd_config_file | dirname }} state=directory recurse=yes mode=0755 +- when: use_system_d and m_lock_enabled + block: + - name: Make sure destination dir exists + file: path={{ sysd_config_file | dirname }} state=directory recurse=yes mode=0755 -- name: Copy Systemd File for Instance - become: yes - copy: src=systemd/elasticsearch_override.conf dest={{ sysd_config_file }} mode=0644 force=yes - when: use_system_d and m_lock_enabled - notify: - - reload systemd configuration - - restart elasticsearch + - name: Copy Systemd File for Instance + become: yes + copy: src=systemd/elasticsearch_override.conf dest={{ sysd_config_file }} mode=0644 force=yes + notify: + - reload systemd configuration + - restart elasticsearch #Copy the logging.yml - name: Copy log4j2.properties File From 5bac5a4dbf07f748c77175fbc032ac6052d45cd3 Mon Sep 17 00:00:00 2001 From: Ludovic Petetin Date: Mon, 22 Jul 2019 15:19:00 +0200 Subject: [PATCH 47/71] Use ini_file module for systemd overriding config file, better task naming and fix variable indentation --- tasks/elasticsearch-config.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml index f3508a7..e3437f2 100644 --- a/tasks/elasticsearch-config.yml +++ b/tasks/elasticsearch-config.yml 
@@ -26,13 +26,13 @@ #Copy the systemd specific file if systemd is installed - when: use_system_d and m_lock_enabled + become: yes block: - name: Make sure destination dir exists - file: path={{ sysd_config_file | dirname }} state=directory recurse=yes mode=0755 + file: path={{ sysd_config_file | dirname }} state=directory mode=0755 - - name: Copy Systemd File for Instance - become: yes - copy: src=systemd/elasticsearch_override.conf dest={{ sysd_config_file }} mode=0644 force=yes + - name: Copy specific ElasticSearch Systemd config file + ini_file: path={{ sysd_config_file }} section=Service option=LimitMEMLOCK value=infinity mode=0644 notify: - reload systemd configuration - restart elasticsearch @@ -40,7 +40,7 @@ #Copy the logging.yml - name: Copy log4j2.properties File become: yes - template: src={{es_config_log4j2}} dest={{ es_conf_dir }}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes notify: restart elasticsearch - name: Copy jvm.options File From 651bfdf0fa1de8abf633b2d9559bc8b7b409dea0 Mon Sep 17 00:00:00 2001 From: Titan Lien Date: Tue, 6 Aug 2019 16:00:14 +0200 Subject: [PATCH 48/71] alwasy gather the es_major_version variables --- tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index c41ab6e..0c7cb83 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,6 +3,8 @@ - set_fact: "es_major_version={{ es_version.split('.')[0] }}.x" when: - es_major_version is undefined + tags: + - always - name: os-specific vars include_vars: "{{ansible_os_family}}.yml" From 34bede813161ae83da988f3477f992e9660b1f09 Mon Sep 17 00:00:00 2001 
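Review bot: After the switch to `ini_file` in `tasks/elasticsearch-config.yml`, `files/systemd/elasticsearch_override.conf` (added two patches earlier in this series) is no longer referenced, and this commit's diffstat does not remove it, so the role ships a file that looks authoritative but is never deployed. Delete it in the same change, or add a comment that `ini_file` is now the single source of the `LimitMEMLOCK` setting. The `notify` list names `reload systemd configuration`; none of the patches visible here touch a handlers file, so confirm that handler exists. The block itself has no `name:`, and adding one would make skipped-task output easier to read.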
From: Julien Mailleret Date: Wed, 4 Sep 2019 19:15:03 +0200 Subject: [PATCH 49/71] add doc for migration with data move (#605) --- docs/multi-instance.md | 84 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 80 insertions(+), 4 deletions(-) diff --git a/docs/multi-instance.md b/docs/multi-instance.md index 11872a9..57b6238 100644 --- a/docs/multi-instance.md +++ b/docs/multi-instance.md 
@@ -8,13 +8,89 @@ See [554#issuecomment-496804929](https://github.com/elastic/ansible-elasticsearc If you have single-instances hosts and want to upgrade from previous versions of the role: +### Procedure with data move + +This procedure will allow you to move your data to the new standard paths (see [#581](https://github.com/elastic/ansible-elasticsearch/issues/581)): + +1. Stop Elasticsearch before the migration + +2. Migrate your data to the new standard paths: +``` +# mv /etc/elasticsearch/${ES_INSTANCE_NAME}/* /etc/elasticsearch/ && rm -fr /etc/elasticsearch/${ES_INSTANCE_NAME}/ +mv: overwrite '/etc/elasticsearch/elasticsearch.keystore'? y +# mv /var/lib/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/* /var/lib/elasticsearch/ && rm -fr /var/lib/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/ +# ls /var/lib/elasticsearch/ +nodes +# mv /var/log/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/* /var/log/elasticsearch/ && rm -fr /var/log/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/ +# rm -fr /var/run/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/ +``` + +3. Update playbook (remove `es_conf_dir`, `es_data_dirs`, `es_log_dir`, `es_pid_dir` and `es_instance_name` variables) + +4. Update ansible-role to new version ([7.1.1](https://github.com/elastic/ansible-elasticsearch/releases/tag/7.1.1) at the time of writing) and deploy ansible-role + +5. After ansible-role new deployment, you can do some cleanup of old Init file and Default file: + +Example: +``` +$ systemctl stop elasticsearch +$ mv /etc/elasticsearch/${ES_INSTANCE_NAME}/* /etc/elasticsearch/ && rm -fr /etc/elasticsearch/${ES_INSTANCE_NAME}/ +mv: overwrite '/etc/elasticsearch/elasticsearch.keystore'? 
y +$ mv /var/lib/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/* /var/lib/elasticsearch/ && rm -fr /var/lib/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/ +$ ls /var/lib/elasticsearch/ +nodes +$ mv /var/log/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/* /var/log/elasticsearch/ && rm -fr /var/log/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/ +$ rm -fr /var/run/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}/ +$ ansible-galaxy install --force elastic.elasticsearch,7.1.1 +- changing role elastic.elasticsearch from 6.6.0 to 7.1.1 +- downloading role 'elasticsearch', owned by elastic +- downloading role from https://github.com/elastic/ansible-elasticsearch/archive/7.1.1.tar.gz +- extracting elastic.elasticsearch to /home/jmlrt/.ansible/roles/elastic.elasticsearch +- elastic.elasticsearch (7.1.1) was installed successfully +$ ansible-playbook playbook.yml + +... + +TASK [elastic.elasticsearch : Create Directories] +ok: [localhost] => (item=/var/run/elasticsearch) +ok: [localhost] => (item=/var/log/elasticsearch) +changed: [localhost] => (item=/etc/elasticsearch) +ok: [localhost] => (item=/var/lib/elasticsearch) + +TASK [elastic.elasticsearch : Copy Configuration File] +changed: [localhost] + +TASK [elastic.elasticsearch : Copy Default File] +changed: [localhost] + +TASK [elastic.elasticsearch : Copy jvm.options File] +changed: [localhost] + +... + +RUNNING HANDLER [elastic.elasticsearch : restart elasticsearch] +changed: [localhost] + +... + +PLAY RECAP +localhost : ok=26 changed=6 unreachable=0 failed=0 skipped=116 rescued=0 ignored=0 +$ find /etc -name '${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME}*' +/etc/default/node1_elasticsearch +/etc/systemd/system/multi-user.target.wants/node1_elasticsearch.service +``` + +### Procedure without data move + +This procedure will allow you to keep your data to the old paths: + 1. 
Override these variables to match previous values: ```yaml -es_conf_dir: /etc/elasticsearch/{{ es_instance_name }} +es_conf_dir: /etc/elasticsearch/${ES_INSTANCE_NAME} es_data_dirs: - - /var/lib/elasticsearch/{{ inventory_hostname }}-{{ es_instance_name }} -es_log_dir: /var/log/elasticsearch/{{ inventory_hostname }}-{{ es_instance_name }} -es_pid_dir: /var/run/elasticsearch/{{ inventory_hostname }}-{{ es_instance_name }} + - /var/lib/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME} +es_log_dir: /var/log/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME} +es_pid_dir: /var/run/elasticsearch/${INVENTORY_HOSTNAME}-${ES_INSTANCE_NAME} ``` 2. Deploy ansible-role. **Even if these variables are overrided, Elasticsearch config file and default option file will change, which imply an Elasticsearch restart.** From 7562990df94a17de5f61015d1343752d808e9ad4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20R=C3=B3=C5=BCok?= Date: Mon, 19 Aug 2019 12:04:11 +0200 Subject: [PATCH 50/71] Remove ES version hold on Debian when `es_version_hold: false` --- tasks/elasticsearch-Debian-version-lock.yml | 6 ----- tasks/elasticsearch-Debian.yml | 28 +++++++++++++++++++-- 2 files changed, 26 insertions(+), 8 deletions(-) delete mode 100644 tasks/elasticsearch-Debian-version-lock.yml diff --git a/tasks/elasticsearch-Debian-version-lock.yml b/tasks/elasticsearch-Debian-version-lock.yml deleted file mode 100644 index 6d52493..0000000 --- a/tasks/elasticsearch-Debian-version-lock.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Debian - hold elasticsearch version - become: yes - dpkg_selections: - name: "{{ es_package_name }}" - selection: "hold" diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 8e01fd9..4f6844b 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml 
@@ -17,6 +17,13 @@ changed_when: False check_mode: no + - name: unhold elasticsearch package when switching to a different package type + become: yes + dpkg_selections: + name: "{{ es_other_package_name }}" + selection: "install" + when: elasticsearch_package.stdout == 'install ok installed' + - name: stop elasticsearch service: name: 'elasticsearch' @@ -59,6 +66,20 @@ when: (es_user_id is defined) and (es_group_id is defined) include: elasticsearch-optional-user.yml +- name: Debian - Get installed elasticsearch version + command: dpkg-query --showformat='${Version}' --show {{ es_package_name }} + register: installed_es_version + failed_when: False + changed_when: False + check_mode: no + +- name: Debian - unhold elasticsearch version + become: yes + dpkg_selections: + name: "{{ es_package_name }}" + selection: "install" + when: not es_version_lock or (installed_es_version.stdout and installed_es_version.stdout != es_version) + - name: Debian - Ensure elasticsearch is installed become: yes apt: @@ -73,8 +94,11 @@ environment: ES_PATH_CONF: "/etc/elasticsearch" -- name: Debian - Include versionlock - include: elasticsearch-Debian-version-lock.yml +- name: Debian - hold elasticsearch version + become: yes + dpkg_selections: + name: "{{ es_package_name }}" + selection: "hold" when: es_version_lock - name: Debian - Download elasticsearch from url From fd3ceedd8c46256f6f93d316ca671308eb1e4530 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20R=C3=B3=C5=BCok?= Date: Mon, 19 Aug 2019 12:06:01 +0200 Subject: [PATCH 51/71] Remove ES version lock on RedHat when `es_version_hold: false` --- tasks/elasticsearch-RedHat-version-lock.yml | 31 ++++++++++++++++++++- tasks/elasticsearch-RedHat.yml | 1 - 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/tasks/elasticsearch-RedHat-version-lock.yml b/tasks/elasticsearch-RedHat-version-lock.yml index 94059e3..e0f1569 100644 --- a/tasks/elasticsearch-RedHat-version-lock.yml 
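Review bot: In the `Debian - unhold elasticsearch version` task, `installed_es_version.stdout and installed_es_version.stdout != es_version` relies on a non-empty string being truthy and compares dpkg's full `${Version}` string with `es_version`; if the package version ever carries an epoch or revision suffix the test is true on every run and the hold is dropped each time. Spelling out the emptiness test, `installed_es_version.stdout | length > 0`, makes the intent explicit, and a comment should state that empty stdout means the package is not installed, because `failed_when: False` hides a failing `dpkg-query`. Note also that the hold is re-applied only by the later `Debian - hold elasticsearch version` task, so if the install step in between fails the package is left unpinned until the next successful run.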
+++ b/tasks/elasticsearch-RedHat-version-lock.yml @@ -2,6 +2,35 @@ - name: RedHat - install yum-version-lock become: yes yum: name=yum-plugin-versionlock state=present update_cache=yes + +- name: RedHat - check if requested elasticsearch version lock exists + become: yes + shell: yum versionlock list | grep -c {{es_package_name}}-{{es_version}} + register: es_requested_version_locked + args: + warn: false + failed_when: False + changed_when: False + - name: RedHat - lock elasticsearch version become: yes - shell: yum versionlock delete 0:elasticsearch* ; yum versionlock add {{ es_package_name }}{% if es_version is defined and es_version != "" %}-{{ es_version }}{% endif %} + shell: yum versionlock delete 0:elasticsearch* ; yum versionlock add {{ es_package_name }}-{{ es_version }} + args: + warn: false + when: es_version_lock and es_requested_version_locked.stdout|int == 0 + +- name: RedHat - check if any elasticsearch version lock exists + become: yes + shell: yum versionlock list | grep -c elasticsearch + register: es_version_locked + args: + warn: false + failed_when: False + changed_when: False + +- name: RedHat - unlock elasticsearch version + become: yes + shell: yum versionlock delete 0:elasticsearch* + args: + warn: false + when: not es_version_lock and es_version_locked.stdout|int > 0 diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml index 2b5c044..1208b1c 100644 --- a/tasks/elasticsearch-RedHat.yml +++ b/tasks/elasticsearch-RedHat.yml @@ -27,7 +27,6 @@ - name: RedHat - include versionlock include: elasticsearch-RedHat-version-lock.yml - when: es_version_lock - name: RedHat - Remove the other elasticsearch package if switching between OSS and standard become: yes From c88cc532035310531af86b42af0f8a8fc9309e3d Mon Sep 17 00:00:00 2001 
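Review bot: The new `shell` tasks in `tasks/elasticsearch-RedHat-version-lock.yml` interpolate `{{es_package_name}}-{{es_version}}` into the command line unquoted and hand it to `grep` as a regular expression, so the dots in the version match any character and a value containing shell metacharacters would be interpreted by the shell. Quote it and match literally, for example `shell: yum versionlock list | grep -cF -- {{ (es_package_name ~ '-' ~ es_version) | quote }}`, and quote the glob as `yum versionlock delete '0:elasticsearch*'` so the shell cannot expand it against files in the working directory. The lock task also lost the previous `es_version is defined and es_version != ""` guard, so an empty `es_version` now produces a lock on the bare `{{ es_package_name }}-` prefix.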
From: Julien Mailleret Date: Wed, 11 Sep 2019 13:29:43 +0200 Subject: [PATCH 52/71] [botelastic] add probot config to manage stale issues/pr --- .github/stale.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/stale.yml diff --git a/.github/stale.yml b/.github/stale.yml new file mode 100644 index 0000000..4e331a7 --- /dev/null +++ b/.github/stale.yml @@ -0,0 +1,33 @@ +--- +# Number of days of inactivity before an issue becomes stale +daysUntilStale: 90 + +# Number of days of inactivity before an stale issue is closed +daysUntilClose: 30 + +# Label to use when marking an issue as stale +staleLabel: triage/stale + +issues: + # Comment to post when marking an issue as stale. + markComment: |- + This issue has been automatically marked as stale because it has not had + recent activity. It will be closed if no further activity occurs. Thank you + for your contributions. + # Comment to post when closing a stale issue. + closeComment: |- + This issue has been automatically closed because it has not had recent + activity since being marked as stale. + +pulls: + # Comment to post when marking a PR as stale. + markComment: |- + This PR has been automatically marked as stale because it has not had + recent activity. It will be closed if no further activity occurs. Thank you + for your contributions. + To track this PR (even if closed), please open a corresponding issue if one does not already exist. + # Comment to post when closing a stale PR. + closeComment: |- + This PR has been automatically closed because it has not had recent + activity since being marked as stale. + Please reopen when work resumes. From 09266df689e7ed58c6d1e85dafea2a5ae69f2ea7 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 11 Sep 2019 13:39:55 +0200 Subject: [PATCH 53/71] [github] fix typo in issue template --- .github/issue_template.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/.github/issue_template.md b/.github/issue_template.md index d6cf235..2609e62 100644 --- a/.github/issue_template.md +++ b/.github/issue_template.md @@ -1,4 +1,3 @@ - Date: Fri, 13 Sep 2019 09:28:52 +0200 Subject: [PATCH 54/71] [doc] describe how to select a different elasticsearch version --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b8d8e7d..c448754 100644 --- a/README.md +++ b/README.md @@ -44,9 +44,15 @@ The simplest configuration therefore consists of: hosts: localhost roles: - role: elastic.elasticsearch + vars: + es_version: 7.1.1 ``` -The above installs a single node 'node1' on the hosts 'localhost'. +The above installs Elasticsearch 7.1.1 in a single node 'node1' on the hosts 'localhost'. + +**Note**: +Elasticsearch default version is described in [`es_version`](defaults/main.yml#L2). You can override this variable in your playbook to install another version. +While we are testing this role only with one 7.x and one 6.x version (respectively [7.1.1](defaults/main.yml#L2) and [6.8.0](.kitchen.yml#L22) at the time of writing), this role should work with others version also in most cases. This role also uses [Ansible tags](http://docs.ansible.com/ansible/playbooks_tags.html). Run your playbook with the `--list-tasks` flag for more information. From 447550903ff1860760c9abe19fb56a400a93df8e Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 09:32:36 +0200 Subject: [PATCH 55/71] clean log config specific to 5.x version --- templates/log4j2.properties.j2 | 32 -------------------------------- 1 file changed, 32 deletions(-) diff --git a/templates/log4j2.properties.j2 b/templates/log4j2.properties.j2 index dbfb23e..b4754c1 100644 --- a/templates/log4j2.properties.j2 +++ b/templates/log4j2.properties.j2 
@@ -11,23 +11,14 @@ appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n appender.rolling.type = RollingFile appender.rolling.name = rolling -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.rolling.fileName = ${sys:es.logs}.log -{% else %} appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log -{% endif %} appender.rolling.layout.type = PatternLayout appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.rolling.filePattern = ${sys:es.logs}-%d{yyyy-MM-dd}.log -{% else %} appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz -{% endif %} appender.rolling.policies.type = Policies appender.rolling.policies.time.type = TimeBasedTriggeringPolicy appender.rolling.policies.time.interval = 1 appender.rolling.policies.time.modulate = true -{% if (es_version is version_compare('6.0.0', '>')) %} appender.rolling.policies.size.type = SizeBasedTriggeringPolicy appender.rolling.policies.size.size = 128MB appender.rolling.strategy.type = DefaultRolloverStrategy 
@@ -38,25 +29,16 @@ appender.rolling.strategy.action.condition.type = IfFileName appender.rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-* appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB -{% endif %} rootLogger.level = info rootLogger.appenderRef.console.ref = console rootLogger.appenderRef.rolling.ref = rolling appender.deprecation_rolling.type = RollingFile appender.deprecation_rolling.name = deprecation_rolling -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.deprecation_rolling.fileName = ${sys:es.logs}_deprecation.log -{% else %} appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log -{% endif %} appender.deprecation_rolling.layout.type = PatternLayout appender.deprecation_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.deprecation_rolling.filePattern = ${sys:es.logs}_deprecation-%i.log.gz -{% else %} appender.deprecation_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.log.gz -{% endif %} appender.deprecation_rolling.policies.type = Policies appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy appender.deprecation_rolling.policies.size.size = 1GB 
@@ -70,18 +52,12 @@ logger.deprecation.additivity = false appender.index_search_slowlog_rolling.type = RollingFile appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling -{% if (es_version is version_compare('6.0.0', '<')) %} appender.index_search_slowlog_rolling.fileName = ${sys:es.logs}_index_search_slowlog.log -{% else %} appender.index_search_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog.log -{% endif %} appender.index_search_slowlog_rolling.layout.type = PatternLayout appender.index_search_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n -{% if (es_version is version_compare('6.0.0', '<')) %} appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs}_index_search_slowlog-%d{yyyy-MM-dd}.log -{% else %} appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog-%d{yyyy-MM-dd}.log -{% endif %} appender.index_search_slowlog_rolling.policies.type = Policies appender.index_search_slowlog_rolling.policies.time.type = TimeBasedTriggeringPolicy appender.index_search_slowlog_rolling.policies.time.interval = 1 
@@ -94,18 +70,10 @@ logger.index_search_slowlog_rolling.additivity = false appender.index_indexing_slowlog_rolling.type = RollingFile appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs}_index_indexing_slowlog.log -{% else %} appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog.log -{% endif %} appender.index_indexing_slowlog_rolling.layout.type = PatternLayout appender.index_indexing_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n -{% if (es_version is version_compare('6.0.0', '<')) %} -appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs}_index_indexing_slowlog-%d{yyyy-MM-dd}.log -{% else %} appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog-%d{yyyy-MM-dd}.log -{% endif %} appender.index_indexing_slowlog_rolling.policies.type = Policies appender.index_indexing_slowlog_rolling.policies.time.type = TimeBasedTriggeringPolicy appender.index_indexing_slowlog_rolling.policies.time.interval = 1 From d5e414b9aa028ef5dd726df12b9b30dc218e1a54 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 09:42:16 +0200 Subject: [PATCH 56/71] clean code related to xpack plugin install We don't need this anymore as X-Pack is now already included in elasticsearch since 6.3. --- tasks/compatibility-variables.yml | 18 ------ tasks/elasticsearch-plugins.yml | 1 - tasks/xpack/elasticsearch-xpack-install.yml | 68 --------------------- tasks/xpack/elasticsearch-xpack.yml | 4 -- 4 files changed, 91 deletions(-) delete mode 100644 tasks/xpack/elasticsearch-xpack-install.yml diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index 0ed0c21..eb725e8 100644 
--- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -8,9 +8,6 @@ - name: Set the defaults here otherwise they can't be overriden in the same play if the role is called twice set_fact: - es_open_xpack: true - es_install_xpack: false - es_users_path: "users" es_xpack_conf_subdir: "" es_repo_name: "{{ es_major_version }}" es_xpack_users_command: "elasticsearch-users" @@ -19,20 +16,6 @@ es_other_repo_name: "{{ 'oss-' + es_major_version }}" es_other_apt_url: "deb {{ es_repo_base }}/packages/{{ 'oss-' + es_major_version }}/apt stable main" -- name: Detect if es_version is before X-Pack was open and included - set_fact: - es_open_xpack: false - when: "es_version is version_compare('6.3.0', '<')" - -- name: If this is an older version we need to install X-Pack as a plugin and use a different users command - set_fact: - es_install_xpack: true - es_xpack_users_command: "x-pack/users" - es_xpack_conf_subdir: "/x-pack" - when: - - not es_open_xpack - - es_enable_xpack - - name: Use the oss repo and package if xpack is not being used set_fact: es_repo_name: "{{ 'oss-' + es_major_version }}" @@ -41,5 +24,4 @@ es_package_name: "elasticsearch-oss" es_other_package_name: "elasticsearch" when: - - es_open_xpack - not es_enable_xpack diff --git a/tasks/elasticsearch-plugins.yml b/tasks/elasticsearch-plugins.yml index b0a300d..af669f0 100644 --- a/tasks/elasticsearch-plugins.yml +++ b/tasks/elasticsearch-plugins.yml @@ -17,7 +17,6 @@ file: dest: "{{ es_home }}/plugins/x-pack" state: "absent" - when: es_open_xpack #List currently installed plugins. We have to list the directories as the list commmand fails if the ES version is different than the plugin version. - name: Check installed elasticsearch plugins diff --git a/tasks/xpack/elasticsearch-xpack-install.yml b/tasks/xpack/elasticsearch-xpack-install.yml deleted file mode 100644 index 421a475..0000000 --- a/tasks/xpack/elasticsearch-xpack-install.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- - -#Test if feature is installed -- name: Test if x-pack is installed - shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack" - become: yes - register: x_pack_installed - changed_when: False - failed_when: "'ERROR' in x_pack_installed.stdout" - check_mode: no - ignore_errors: yes - environment: - CONF_DIR: "{{ es_conf_dir }}" - ES_PATH_CONF: "{{ es_conf_dir }}" - ES_INCLUDE: "{{ default_file }}" - - -#Remove X-Pack if installed and its not been requested or the ES version has changed -- name: Remove x-pack plugin - become: yes - command: "{{es_home}}/bin/elasticsearch-plugin remove x-pack" - register: xpack_state - failed_when: "'ERROR' in xpack_state.stdout" - changed_when: xpack_state.rc == 0 - when: x_pack_installed.rc == 0 and (not es_enable_xpack or es_version_changed) - notify: restart elasticsearch - environment: - CONF_DIR: "{{ es_conf_dir }}" - ES_PATH_CONF: "{{ es_conf_dir }}" - ES_INCLUDE: "{{ default_file }}" - - -#Install plugin if not installed, or the es version has changed (so removed above), and its been requested -- name: Download x-pack from url - get_url: url={{ es_xpack_custom_url }} dest=/tmp/x-pack-{{ es_version }}.zip - when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined) - -- name: Install x-pack plugin from local - become: yes - command: > - {{es_home}}/bin/elasticsearch-plugin install --silent --batch file:///tmp/x-pack-{{ es_version }}.zip - register: xpack_state - changed_when: xpack_state.rc == 0 - when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined) - notify: restart elasticsearch - environment: - CONF_DIR: "{{ es_conf_dir }}" - ES_PATH_CONF: "{{ es_conf_dir }}" - ES_INCLUDE: "{{ default_file }}" - -- name: Delete x-pack zip file - file: dest=/tmp/x-pack-{{ es_version }}.zip state=absent - when: es_xpack_custom_url is defined - -- name: Install x-pack plugin from elastic.co - become: 
yes - command: > - {{es_home}}/bin/elasticsearch-plugin install --silent --batch x-pack - register: xpack_state - failed_when: "'ERROR' in xpack_state.stdout" - changed_when: xpack_state.rc == 0 - when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is not defined) - notify: restart elasticsearch - environment: - CONF_DIR: "{{ es_conf_dir }}" - ES_PATH_CONF: "{{ es_conf_dir }}" - ES_INCLUDE: "{{ default_file }}" - ES_JAVA_OPTS: "{% if es_proxy_host is defined and es_proxy_host != '' %}-Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }}{% endif %}" diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index 3347bd4..ec239c5 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -3,10 +3,6 @@ - name: set fact es_version_changed set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }} -- name: include elasticsearch-xpack-install.yml - include: elasticsearch-xpack-install.yml - when: es_install_xpack - #Security configuration - name: include security/elasticsearch-security.yml include: security/elasticsearch-security.yml From abaf124639f3f45e40ba7e9404c35b8a282b82c1 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 09:53:49 +0200 Subject: [PATCH 57/71] cleanup unused es_version_changed fact --- tasks/xpack/elasticsearch-xpack.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index ec239c5..794334f 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml 
@@ -1,8 +1,5 @@ --- -- name: set fact es_version_changed - set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }} - #Security configuration - name: include security/elasticsearch-security.yml include: security/elasticsearch-security.yml From 0f601259c673a2c1d9d0b958a84decb0d59c2dad Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:06:26 +0200 Subject: [PATCH 58/71] clean es_xpack_conf_subdir variable This variable was added to manage specific x-pack dir with version < 6.3 --- tasks/compatibility-variables.yml | 1 - tasks/xpack/security/elasticsearch-security-file.yml | 12 ++++++------ tasks/xpack/security/elasticsearch-security.yml | 4 ++-- .../helpers/serverspec/xpack_upgrade_spec.rb | 6 +++--- 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index eb725e8..c5a31ab 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -8,7 +8,6 @@ - name: Set the defaults here otherwise they can't be overriden in the same play if the role is called twice set_fact: - es_xpack_conf_subdir: "" es_repo_name: "{{ es_major_version }}" es_xpack_users_command: "elasticsearch-users" es_package_name: "elasticsearch" diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index ab77be1..a9f1fe0 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml 
@@ -13,13 +13,13 @@ remote_src: yes force: no # only copy it if the new path doesn't exist yet src: "{{ es_conf_dir }}/x-pack/users" - dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users" + dest: "{{ es_conf_dir }}/users" when: old_users_file.stat.exists - name: Create the users file if it doesn't exist copy: content: "" - dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users" + dest: "{{ es_conf_dir }}/users" force: no # this ensures it only creates it if it does not exist group: "{{ es_group }}" owner: "{{ es_user }}" @@ -28,7 +28,7 @@ #List current users - name: List Users become: yes - shell: cat {{ es_conf_dir }}{{es_xpack_conf_subdir}}/users | awk -F':' '{print $1}' + shell: cat {{ es_conf_dir }}/users | awk -F':' '{print $1}' register: current_file_users when: manage_file_users changed_when: False 
@@ -89,16 +89,16 @@ #Copy Roles files - name: Copy roles.yml File for Instance become: yes - template: src=security/roles.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_roles is defined and es_roles.file is defined #Overwrite users_roles file - name: Copy User Roles become: yes - template: src=security/users_roles.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/users_roles mode=0644 force=yes + template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles mode=0644 force=yes when: manage_file_users and users_roles | length > 0 #Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions. - name: Set Security Directory Permissions Recursive become: yes - file: state=directory path={{ es_conf_dir }}{{es_xpack_conf_subdir}}/ owner={{ es_user }} group={{ es_group }} recurse=yes + file: state=directory path={{ es_conf_dir }}/ owner={{ es_user }} group={{ es_group }} recurse=yes diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 2c18019..1c85c67 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml 
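Review bot: The last task in this hunk, `Set Security Directory Permissions Recursive`, now always targets `{{ es_conf_dir }}/` with `recurse=yes`, so every file under the configuration directory is handed to `es_user` on each run. A service account that owns its whole configuration tree can rewrite its own settings, role files and user files, which is broader than this role needs; limiting ownership changes to the files written here (`users`, `users_roles`, `roles.yml`) or dropping the task would be tighter. The `Ensure x-pack conf directory exists (file)` task in the `elasticsearch-security.yml` hunk of this commit has the same effect on the directory itself, and its `changed_when: False` hides the ownership change from the play output; its name and the comment above it also still refer to an x-pack directory that no longer exists.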
@@ -5,7 +5,7 @@ #Ensure x-pack conf directory is created if necessary - name: Ensure x-pack conf directory exists (file) - file: path={{ es_conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }} + file: path={{ es_conf_dir }} state=directory owner={{ es_user }} group={{ es_group }} changed_when: False when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined) @@ -52,7 +52,7 @@ #Copy Roles files - name: Copy role_mapping.yml File for Instance become: yes - template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_role_mapping is defined #------------------------------------------------------------------------------------ diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index 4223234..aadf9e9 100644 --- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb @@ -4,13 +4,13 @@ vars = JSON.parse(File.read('/tmp/vars.json')) shared_examples 'xpack_upgrade::init' do |vars| #Test users file, users_roles and roles.yml - describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/users_roles") do + describe file("/etc/elasticsearch/users_roles") do it { should be_owned_by 'elasticsearch' } it { should contain 'admin:es_admin' } it { should contain 'power_user:testUser' } end - describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/users") do + describe file("/etc/elasticsearch/users") do it { should be_owned_by 'elasticsearch' } it { should contain 'testUser:' } it { should contain 'es_admin:' } 
@@ -36,7 +36,7 @@ shared_examples 'xpack_upgrade::init' do |vars| end #Test contents of role_mapping.yml - describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/role_mapping.yml") do + describe file("/etc/elasticsearch/role_mapping.yml") do it { should be_owned_by 'elasticsearch' } it { should contain 'power_user:' } it { should contain '- cn=admins,dc=example,dc=com' } From 27a524cd07364f33cbc6ce67fb6bfd08b4f450e2 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:28:23 +0200 Subject: [PATCH 59/71] remove x-pack dir creation --- tasks/xpack/security/elasticsearch-security.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 1c85c67..2e54575 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml @@ -3,12 +3,6 @@ #TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6 -#Ensure x-pack conf directory is created if necessary -- name: Ensure x-pack conf directory exists (file) - file: path={{ es_conf_dir }} state=directory owner={{ es_user }} group={{ es_group }} - changed_when: False - when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined) - #-----------------------------Create Bootstrap User----------------------------------- ### START BLOCK elasticsearch keystore ### - name: create the elasticsearch keystore From 08512fc17ea49568a58f788d1ed998133a68fd3e Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:30:03 +0200 Subject: [PATCH 60/71] fix typo I think this typo was here since https://github.com/elastic/ansible-elasticsearch/pull/129/commits/048fd636025a00379d2549c36f8b4bd271a8f832 --- tasks/xpack/security/elasticsearch-security-file.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index a9f1fe0..831d803 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -1,6 +1,8 @@ --- -- name: set fact manage_file_users - set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 +- set_fact: manage_file_users=false + +- set_fact: manage_file_users=true + when: es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 - name: Check if old users file exists stat: From ffc6d99915c699ee31e782dc1ec2819b2e7237d6 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:45:36 +0200 Subject: [PATCH 61/71] clean es_xpack_custom_url variable wich is no more used This was used to define url to download X-Pack but X-Pack is now embedded in Elasticsearch since 6.3 --- README.md | 4 ---- test/integration/xpack.yml | 1 - 2 files changed, 5 deletions(-) diff --git a/README.md b/README.md index c448754..47499da 100644 --- a/README.md +++ b/README.md @@ -264,10 +264,6 @@ X-Pack features, such as Security, are supported. The parameter `es_xpack_features` allows to list xpack features to install (example: `["alerting","monitoring","graph","security","ml"]`). When the list is empty, it install all features available with the current licence. -The following additional parameters allow X-Pack to be configured: - -* ```es_xpack_custom_url``` Url from which X-Pack can be downloaded. This can be used for installations in isolated environments where the elastic.co repo is not accessible. e.g. ```es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-5.5.1.zip"``` - * ```es_role_mapping``` Role mappings file declared as yml as described [here](https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html) 
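Review bot: The two `set_fact` tasks added at the top of `elasticsearch-security-file.yml` have no `name:` and use the inline `key=value` form, so they show up as anonymous tasks in the play output and the flag that gates user creation, deletion and password changes is set in two steps. A single named task in block form says the same thing: `- name: set fact manage_file_users`, `set_fact:`, `manage_file_users: "{{ es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 }}"`. That should template to a boolean, but confirm it on the oldest Ansible version the role supports before replacing the two-task form.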
diff --git a/test/integration/xpack.yml b/test/integration/xpack.yml index e12064d..002736f 100644 --- a/test/integration/xpack.yml +++ b/test/integration/xpack.yml @@ -7,5 +7,4 @@ roles: - elasticsearch vars: - es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{{ es_version }}.zip" es_heap_size: 2g From 407dddcae1673c633fa3c243c1ba721f75d54447 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:48:24 +0200 Subject: [PATCH 62/71] hardcode elasticsearch-users command instead of es_xpack_users_command This variable was introduce to match legacy x-pack/users command before 6.3. --- tasks/compatibility-variables.yml | 1 - tasks/xpack/security/elasticsearch-security-file.yml | 6 +++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/compatibility-variables.yml b/tasks/compatibility-variables.yml index c5a31ab..a0b6dfc 100644 --- a/tasks/compatibility-variables.yml +++ b/tasks/compatibility-variables.yml @@ -9,7 +9,6 @@ - name: Set the defaults here otherwise they can't be overriden in the same play if the role is called twice set_fact: es_repo_name: "{{ es_major_version }}" - es_xpack_users_command: "elasticsearch-users" es_package_name: "elasticsearch" es_other_package_name: "elasticsearch-oss" es_other_repo_name: "{{ 'oss-' + es_major_version }}" diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 831d803..ef68efe 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -44,7 +44,7 @@ - name: Remove Users become: yes command: > - {{es_home}}/bin/{{es_xpack_users_command}} userdel {{item}} + {{es_home}}/bin/elasticsearch-users userdel {{item}} with_items: "{{users_to_remove | default([])}}" when: manage_file_users environment: 
@@ -60,7 +60,7 @@ - name: Add Users become: yes command: > - {{es_home}}/bin/{{es_xpack_users_command}} useradd {{item}} -p {{es_users.file[item].password}} + {{es_home}}/bin/elasticsearch-users useradd {{item}} -p {{es_users.file[item].password}} with_items: "{{ users_to_add | default([]) }}" when: manage_file_users no_log: True @@ -73,7 +73,7 @@ - name: Set User Passwords become: yes command: > - {{es_home}}/bin/{{es_xpack_users_command}} passwd {{ item }} -p {{es_users.file[item].password}} + {{es_home}}/bin/elasticsearch-users passwd {{ item }} -p {{es_users.file[item].password}} with_items: "{{ es_users.file.keys() | list }}" when: manage_file_users #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip. From e45c902e5e316324961827324ee165eebd44dcc5 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:49:33 +0200 Subject: [PATCH 63/71] clean unused task related to multi-instance directories --- tasks/xpack/security/elasticsearch-security-file.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index ef68efe..4dd2c52 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -100,7 +100,3 @@ template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles mode=0644 force=yes when: manage_file_users and users_roles | length > 0 -#Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions. -- name: Set Security Directory Permissions Recursive - become: yes - file: state=directory path={{ es_conf_dir }}/ owner={{ es_user }} group={{ es_group }} recurse=yes 
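Review bot: `Add Users` and `Set User Passwords` interpolate `{{es_users.file[item].password}}` into a folded `command:` string, so a password containing whitespace is split into several arguments, and the value travels on the command line where other local accounts can normally read it from the process list while the command runs. `no_log: True` is visible on `Add Users` only; `Set User Passwords` continues past the end of its hunk, so confirm it carries it too. Passing the arguments as a list through `argv` (Ansible 2.6 and later) removes the splitting problem, as sketched below for `Add Users`; the same shape fits `Set User Passwords` and the `Remove Users` task in the previous hunk. If `elasticsearch-users` can read the password from standard input (not shown on this page, verify first), the `command` module's `stdin` parameter would also keep it off the command line.

```yaml
- name: Add Users
  become: yes
  command:
    argv:
      - "{{ es_home }}/bin/elasticsearch-users"
      - useradd
      - "{{ item }}"
      - "-p"
      - "{{ es_users.file[item].password }}"
  # … unchanged: with_items, when, no_log, environment …
```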
From be7941438c5fbf6b8bf5fd9b3152ddfeb2e4a96a Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:50:20 +0200 Subject: [PATCH 64/71] cleanup some values related to 5.x version We can remove them since 5.x is no more supported --- defaults/main.yml | 2 +- templates/elasticsearch.yml.j2 | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8de86f4..81cc21d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -29,7 +29,7 @@ es_data_dirs: es_log_dir: "/var/log/elasticsearch" es_action_auto_create_index: true es_max_open_files: 65536 -es_max_threads: "{{ 2048 if ( es_version is version_compare('6.0.0', '<')) else 8192 }}" +es_max_threads: 8192 es_max_map_count: 262144 es_allow_downgrades: false es_xpack_features: [] diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2 index abb6c56..9ceac83 100644 --- a/templates/elasticsearch.yml.j2 +++ b/templates/elasticsearch.yml.j2 @@ -15,10 +15,6 @@ node.name: {{inventory_hostname}} # Path to directory containing configuration (this file and logging.yml): -{% if (es_version is version_compare('6.0.0', '<')) %} -path.conf: {{ es_conf_dir }} -{% endif %} - path.data: {{ es_data_dirs | array_to_str }} path.logs: {{ es_log_dir }} From 8e1cafacf5e96defc086dc5aaabcf53ee555d941 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Thu, 5 Sep 2019 10:51:41 +0200 Subject: [PATCH 65/71] add some comment to better identify user migration tasks from elasticsearch < 6.3 --- tasks/xpack/security/elasticsearch-security-file.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 4dd2c52..cdba2b8 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml 
@@ -4,6 +4,7 @@ - set_fact: manage_file_users=true when: es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0 +# Users migration from elasticsearch < 6.3 versions - name: Check if old users file exists stat: path: '{{ es_conf_dir }}/x-pack/users' @@ -17,6 +18,7 @@ src: "{{ es_conf_dir }}/x-pack/users" dest: "{{ es_conf_dir }}/users" when: old_users_file.stat.exists +# End of users migrations - name: Create the users file if it doesn't exist copy: @@ -99,4 +101,3 @@ become: yes template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles mode=0644 force=yes when: manage_file_users and users_roles | length > 0 - From 08a8a467b61ea61f40de82383ac2587d74cce4dd Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Mon, 16 Sep 2019 12:31:07 +0200 Subject: [PATCH 66/71] fix missing permissions --- tasks/xpack/security/elasticsearch-security-file.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index cdba2b8..c4e02ec 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -17,6 +17,8 @@ force: no # only copy it if the new path doesn't exist yet src: "{{ es_conf_dir }}/x-pack/users" dest: "{{ es_conf_dir }}/users" + group: "{{ es_group }}" + owner: "{{ es_user }}" when: old_users_file.stat.exists # End of users migrations @@ -99,5 +101,5 @@ #Overwrite users_roles file - name: Copy User Roles become: yes - template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles mode=0644 force=yes + template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: manage_file_users and users_roles | length > 0 From c8b666bd798fb49bdc41435bc5df609fa70636ee Mon Sep 17 00:00:00 2001 
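Review bot: The migrated `users` file gets `group` and `owner` in the `@@ -17,6 +17,8 @@` hunk but still no `mode`, so its permissions depend on whatever the copy produces on the target host. That file holds the file-realm password hashes, so the mode should be stated explicitly and without world access, for example `mode: "0660"` (constructed value, align it with what the official package ships). In the second hunk `Copy User Roles` gains `owner` and `group` but keeps `mode=0644`, which leaves the user-to-role mapping readable by every local account; consider tightening it the same way. The copy task starts above the first hunk, so its remaining options are not visible here.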
From: Julien Mailleret Date: Wed, 18 Sep 2019 09:51:45 +0200 Subject: [PATCH 67/71] remove /etc/elasticsearch/security directory creation This directory isn't used anywhere in this ansible-role --- tasks/xpack/security/elasticsearch-security.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 2e54575..2678611 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml @@ -48,11 +48,3 @@ become: yes template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes when: es_role_mapping is defined - -#------------------------------------------------------------------------------------ - -#Ensure security conf directory is created -- name: Ensure security conf directory exists - become: yes - file: path={{ es_conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }} - changed_when: False From 79470cb344946666c918261dac538ca6a9eac7ec Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 18 Sep 2019 10:04:50 +0200 Subject: [PATCH 68/71] replace hardcoded /etc/elasticsearch dir by the good variable --- tasks/elasticsearch-Debian.yml | 4 ++-- tasks/elasticsearch-RedHat.yml | 2 +- tasks/elasticsearch-template.yml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml index 4f6844b..5fc4a7a 100644 --- a/tasks/elasticsearch-Debian.yml +++ b/tasks/elasticsearch-Debian.yml @@ -92,7 +92,7 @@ register: debian_elasticsearch_install_from_repo notify: restart elasticsearch environment: - ES_PATH_CONF: "/etc/elasticsearch" + ES_PATH_CONF: "{{ es_conf_dir }}" - name: Debian - hold elasticsearch version become: yes 
@@ -112,4 +112,4 @@ register: elasticsearch_install_from_package notify: restart elasticsearch environment: - ES_PATH_CONF: "/etc/elasticsearch" + ES_PATH_CONF: "{{ es_conf_dir }}" diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml index 1208b1c..a7b974d 100644 --- a/tasks/elasticsearch-RedHat.yml +++ b/tasks/elasticsearch-RedHat.yml @@ -52,7 +52,7 @@ retries: 5 delay: 10 environment: - ES_PATH_CONF: "/etc/elasticsearch" + ES_PATH_CONF: "{{ es_conf_dir }}" - name: RedHat - Install Elasticsearch from url become: yes diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index 8af780d..beb512e 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml @@ -2,13 +2,13 @@ - name: ensure templates dir is created file: - path: /etc/elasticsearch/templates + path: "{{ es_conf_dir }}/templates" state: directory owner: "{{ es_user }}" group: "{{ es_group }}" - name: Copy templates to elasticsearch - copy: src={{ item }} dest=/etc/elasticsearch/templates owner={{ es_user }} group={{ es_group }} + copy: src={{ item }} dest={{ es_conf_dir }}/templates owner={{ es_user }} group={{ es_group }} register: load_templates with_fileglob: - "{{ es_templates_fileglob | default('') }}" From 6a1b886753f3e855c82d92a907d29f64319bf809 Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 18 Sep 2019 10:53:43 +0200 Subject: [PATCH 69/71] use default permissions from official package for plugin directory --- tasks/elasticsearch-plugins.yml | 5 ----- tasks/xpack/elasticsearch-xpack.yml | 5 ----- test/integration/helpers/serverspec/shared_spec.rb | 2 +- 3 files changed, 1 insertion(+), 11 deletions(-) diff --git a/tasks/elasticsearch-plugins.yml b/tasks/elasticsearch-plugins.yml index af669f0..e953ae0 100644 --- a/tasks/elasticsearch-plugins.yml +++ b/tasks/elasticsearch-plugins.yml 
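Review bot: In the `elasticsearch-template.yml` hunk, `Copy templates to elasticsearch` keeps the inline `key=value` form while the directory task right above it uses block YAML, and with `dest` now built from `es_conf_dir` a path containing a space would be split into separate arguments. Writing it in block form with quoted values, `src: "{{ item }}"` and `dest: "{{ es_conf_dir }}/templates"` plus the existing `owner` and `group` keys, matches the task above and avoids that. Neither task sets `mode`, so the resulting permissions are left to the target host's defaults; an explicit quoted mode on both would make them predictable.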
@@ -79,8 +79,3 @@ until: plugin_installed.rc == 0 retries: 5 delay: 5 - -#Set permissions on plugins directory -- name: Set Plugin Directory Permissions - become: yes - file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index 794334f..a8f04f7 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -5,11 +5,6 @@ include: security/elasticsearch-security.yml when: es_enable_xpack -#Add any feature specific configuration here -- name: Set Plugin Directory Permissions - become: yes - file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes - #Make sure elasticsearch.keystore has correct Permissions - name: Set elasticsearch.keystore Permissions become: yes diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index cbeb2ed..1bbbc11 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb @@ -138,7 +138,7 @@ shared_examples 'shared::init' do |vars| name = plugin['plugin'] describe file('/usr/share/elasticsearch/plugins/'+name) do it { should be_directory } - it { should be_owned_by vars['es_user'] } + it { should be_owned_by 'root' } end it 'should be installed and the right version' do plugins = curl_json("#{es_api_url}/_nodes/plugins", username=username, password=password) From 9bac169862d9e1fc27daeb68bb99ef221624f8eb Mon Sep 17 00:00:00 2001 
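Review bot: The plugin check in `shared_spec.rb` now pins the owner to `'root'` but asserts nothing about write access, which is the property the removed recursive chown affected. With the plugin tree owned by `es_user`, the service account could presumably modify the plugin files it runs. Adding `it { should_not be_writable.by_user(vars['es_user']) }` next to the owner check would state that expectation directly. The path is still the literal `/usr/share/elasticsearch/plugins/`, so a non-default `es_home` is not covered. The `describe` block sits inside a loop that starts outside the hunk.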
From: Julien Mailleret Date: Wed, 18 Sep 2019 10:57:07 +0200 Subject: [PATCH 70/71] use files permissions from official package --- tasks/elasticsearch-config.yml | 28 ++++++++++++------- tasks/elasticsearch-template.yml | 5 ++-- tasks/xpack/elasticsearch-xpack.yml | 3 +- .../security/elasticsearch-security-file.yml | 6 ++-- .../xpack/security/elasticsearch-security.yml | 2 +- .../helpers/serverspec/oss_spec.rb | 4 +-- .../helpers/serverspec/shared_spec.rb | 5 ++-- .../helpers/serverspec/xpack_upgrade_spec.rb | 6 ++-- 8 files changed, 34 insertions(+), 25 deletions(-) diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml index e3437f2..c8bc1cf 100644 --- a/tasks/elasticsearch-config.yml +++ b/tasks/elasticsearch-config.yml 
@@ -1,27 +1,35 @@ --- # Configure Elasticsearch Node -#Create required directories -- name: Create Directories +#Create conf directory +- name: Create Configuration Directory become: yes - file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} + file: path={{ es_conf_dir }} state=directory owner=root group={{ es_group }} mode=2750 + +#Create pid directory +- name: Create PID Directory + become: yes + file: path={{ es_pid_dir }} state=directory owner={{ es_user }} group={{ es_group }} mode=0755 + +#Create required directories +- name: Create Others Directories + become: yes + file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} mode=2750 with_items: - - "{{ es_pid_dir }}" - "{{ es_log_dir }}" - - "{{ es_conf_dir }}" - "{{ es_data_dirs }}" #Copy the config template - name: Copy Configuration File become: yes - template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner=root group={{ es_group }} mode=0660 force=yes register: system_change notify: restart elasticsearch #Copy the default file - name: Copy Default File become: yes - template: src=elasticsearch.j2 dest={{ default_file }} mode=0644 force=yes + template: src=elasticsearch.j2 dest={{ default_file }} owner=root group={{ es_group }} mode=0660 force=yes notify: restart elasticsearch #Copy the systemd specific file if systemd is installed @@ -30,7 +38,7 @@ block: - name: Make sure destination dir exists file: path={{ sysd_config_file | dirname }} state=directory mode=0755 - + - name: Copy specific ElasticSearch Systemd config file ini_file: path={{ sysd_config_file }} section=Service option=LimitMEMLOCK value=infinity mode=0644 notify: 
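Review bot: `Copy Default File` changes `{{ default_file }}` from `mode=0644` to `owner=root group={{ es_group }} mode=0660`, which gives every member of `es_group` (presumably including the service account) write access to it. If this is the environment file the init system reads when the service starts (not visible in this hunk), that group can change settings that take effect on the next restart. The same applies to `elasticsearch.yml` in this hunk and to `log4j2.properties` and `jvm.options` in the next one. This matches the commit's stated aim of following the official package, but if the role does not need group write, `mode=0640` keeps the files readable by the service and writable only by root. Otherwise a comment such as `# 0660 root:es_group mirrors the official package layout` would record the decision.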
@@ -40,10 +48,10 @@ #Copy the logging.yml - name: Copy log4j2.properties File become: yes - template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner=root group={{ es_group }} mode=0660 force=yes notify: restart elasticsearch - name: Copy jvm.options File become: yes - template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner=root group={{ es_group }} mode=0660 force=yes notify: restart elasticsearch diff --git a/tasks/elasticsearch-template.yml b/tasks/elasticsearch-template.yml index beb512e..41f5f41 100644 --- a/tasks/elasticsearch-template.yml +++ b/tasks/elasticsearch-template.yml @@ -4,11 +4,12 @@ file: path: "{{ es_conf_dir }}/templates" state: directory - owner: "{{ es_user }}" + owner: root group: "{{ es_group }}" + mode: 2750 - name: Copy templates to elasticsearch - copy: src={{ item }} dest={{ es_conf_dir }}/templates owner={{ es_user }} group={{ es_group }} + copy: src={{ item }} dest={{ es_conf_dir }}/templates owner=root group={{ es_group }} mode=0660 register: load_templates with_fileglob: - "{{ es_templates_fileglob | default('') }}" diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml index a8f04f7..263af93 100644 --- a/tasks/xpack/elasticsearch-xpack.yml +++ b/tasks/xpack/elasticsearch-xpack.yml @@ -8,5 +8,4 @@ #Make sure elasticsearch.keystore has correct Permissions - name: Set elasticsearch.keystore Permissions become: yes - file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }} - when: es_enable_xpack + file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner=root group={{ es_group }} mode=0660 
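Review bot: `mode: 2750` in the `ensure templates dir is created` task is an unquoted YAML integer, so Ansible receives decimal 2750 rather than the octal permission. Decimal 2750 is octal 5276, which leaves the directory writable by others and without the intended setgid bit. The other tasks in this commit pass `mode=2750` inside a `key=value` string, where the value arrives as a string and is converted as octal, so only this native-YAML task is affected. Quote it: `mode: "2750"`.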
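Review bot: Dropping `when: es_enable_xpack` from `Set elasticsearch.keystore Permissions` makes the task run whenever this file is included, and `file` with `state=file` fails when the path does not exist rather than creating it. Whether the keystore always exists at this point depends on the installed package and version, which the hunk does not show. If it can be absent, a preceding `stat` task registered as, say, `es_keystore`, plus `when: es_keystore.stat.exists` on this task, avoids a hard failure. Otherwise a comment stating that the package creates the keystore would record the assumption.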
diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index c4e02ec..1d5d222 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml @@ -18,7 +18,7 @@ src: "{{ es_conf_dir }}/x-pack/users" dest: "{{ es_conf_dir }}/users" group: "{{ es_group }}" - owner: "{{ es_user }}" + owner: root when: old_users_file.stat.exists # End of users migrations @@ -95,11 +95,11 @@ #Copy Roles files - name: Copy roles.yml File for Instance become: yes - template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner=root group={{ es_group }} mode=0660 force=yes when: es_roles is defined and es_roles.file is defined #Overwrite users_roles file - name: Copy User Roles become: yes - template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner=root group={{ es_group }} mode=0660 force=yes when: manage_file_users and users_roles | length > 0 diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml index 2678611..f735358 100644 --- a/tasks/xpack/security/elasticsearch-security.yml +++ b/tasks/xpack/security/elasticsearch-security.yml @@ -46,5 +46,5 @@ #Copy Roles files - name: Copy role_mapping.yml File for Instance become: yes - template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes + template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner=root group={{ es_group }} mode=0660 force=yes when: es_role_mapping is defined 
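Review bot: The users-migration task in the first hunk of `elasticsearch-security-file.yml` switches `owner` to `root` but sets no `mode`, unlike `roles.yml` and `users_roles` further down, which this commit moves to `mode=0660`. The destination is `{{ es_conf_dir }}/users`, which the specs show holding per-user entries, so its permissions should be pinned the same way rather than left to the module default or the source file's mode. Adding `mode: "0660"` (quoted, since this task uses native YAML arguments) would make it consistent. The task's module name and opening lines are outside the hunk.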
diff --git a/test/integration/helpers/serverspec/oss_spec.rb b/test/integration/helpers/serverspec/oss_spec.rb index abe9df3..0f4ff00 100644 --- a/test/integration/helpers/serverspec/oss_spec.rb +++ b/test/integration/helpers/serverspec/oss_spec.rb @@ -3,11 +3,11 @@ require 'spec_helper' shared_examples 'oss::init' do |vars| describe file("/etc/elasticsearch/log4j2.properties") do it { should be_file } - it { should be_owned_by 'elasticsearch' } + it { should be_owned_by 'root' } it { should_not contain 'CUSTOM LOG4J FILE' } end describe file("/etc/elasticsearch/jvm.options") do it { should be_file } - it { should be_owned_by vars['es_user'] } + it { should be_owned_by 'root' } end end diff --git a/test/integration/helpers/serverspec/shared_spec.rb b/test/integration/helpers/serverspec/shared_spec.rb index 1bbbc11..93d3025 100644 --- a/test/integration/helpers/serverspec/shared_spec.rb +++ b/test/integration/helpers/serverspec/shared_spec.rb @@ -108,11 +108,11 @@ shared_examples 'shared::init' do |vars| if vars['es_templates'] describe file('/etc/elasticsearch/templates') do it { should be_directory } - it { should be_owned_by vars['es_user'] } + it { should be_owned_by 'root' } end describe file('/etc/elasticsearch/templates/basic.json') do it { should be_file } - it { should be_owned_by vars['es_user'] } + it { should be_owned_by 'root' } end #This is possibly subject to format changes in the response across versions so may fail in the future describe 'Template Contents Correct' do @@ -152,6 +152,7 @@ shared_examples 'shared::init' do |vars| end end describe file("/etc/elasticsearch/elasticsearch.yml") do + it { should be_owned_by 'root' } it { should contain "node.name: localhost" } it { should contain 'cluster.name: elasticsearch' } it { should_not contain "path.conf: /etc/elasticsearch" } diff --git a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb index aadf9e9..62c9528 100644 
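Review bot: The updated expectations in `shared_spec.rb` (and likewise in `oss_spec.rb` and `xpack_upgrade_spec.rb`) check only `be_owned_by 'root'`, although the commit's main change is the group and mode of these paths. Adding `it { should be_mode 2750 }` to the `/etc/elasticsearch/templates` directory block and `it { should be_mode 660 }` to the file blocks would verify the permissions the tasks set. It would also catch a mode that ends up applied differently from what the task text suggests. A `be_grouped_into` expectation would cover the group, assuming the group name is available to the specs. The `shared_examples` block starts outside the hunk.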
--- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb +++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb @@ -5,13 +5,13 @@ vars = JSON.parse(File.read('/tmp/vars.json')) shared_examples 'xpack_upgrade::init' do |vars| #Test users file, users_roles and roles.yml describe file("/etc/elasticsearch/users_roles") do - it { should be_owned_by 'elasticsearch' } + it { should be_owned_by 'root' } it { should contain 'admin:es_admin' } it { should contain 'power_user:testUser' } end describe file("/etc/elasticsearch/users") do - it { should be_owned_by 'elasticsearch' } + it { should be_owned_by 'root' } it { should contain 'testUser:' } it { should contain 'es_admin:' } end @@ -37,7 +37,7 @@ shared_examples 'xpack_upgrade::init' do |vars| #Test contents of role_mapping.yml describe file("/etc/elasticsearch/role_mapping.yml") do - it { should be_owned_by 'elasticsearch' } + it { should be_owned_by 'root' } it { should contain 'power_user:' } it { should contain '- cn=admins,dc=example,dc=com' } it { should contain 'user:' } From 1befe6c0d9ac3140d41f1ecd26e5f7a7fec3b4ad Mon Sep 17 00:00:00 2001 From: Julien Mailleret Date: Wed, 18 Sep 2019 10:57:58 +0200 Subject: [PATCH 71/71] stop trying to create users file as it's already created by the official package --- tasks/xpack/security/elasticsearch-security-file.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml index 1d5d222..f81117a 100644 --- a/tasks/xpack/security/elasticsearch-security-file.yml +++ b/tasks/xpack/security/elasticsearch-security-file.yml 
@@ -22,15 +22,6 @@ when: old_users_file.stat.exists # End of users migrations -- name: Create the users file if it doesn't exist - copy: - content: "" - dest: "{{ es_conf_dir }}/users" - force: no # this ensures it only creates it if it does not exist - group: "{{ es_group }}" - owner: "{{ es_user }}" - mode: 0555 - #List current users - name: List Users become: yes