santerikainulainen/ansible-role-elasticsearch
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

merge upstream

Browse source
This commit is contained in:
Jan Dreyer 2019-09-21 23:36:21 +02:00
commit 14d3a41edd
66 changed files with 963 additions and 1643 deletions
Download patch file Download diff file Expand all files Collapse all files

27
tasks/compatibility-variables.yml
View file

@ -8,31 +8,18 @@
- name: Set the defaults here otherwise they can't be overriden in the same play if the role is called twice
set_fact:
es_open_xpack: true
es_install_xpack: false
es_users_path: "users"
es_xpack_conf_subdir: ""
es_repo_name: "{{ es_major_version }}"
es_xpack_users_command: "elasticsearch-users"
- name: Detect if es_version is before X-Pack was open and included
set_fact:
es_open_xpack: false
when: "es_version | version_compare('6.3.0', '<')"
- name: If this is an older version we need to install X-Pack as a plugin and use a differet users command
set_fact:
es_install_xpack: true
es_xpack_users_command: "x-pack/users"
es_xpack_conf_subdir: "/x-pack"
when:
- not es_open_xpack
- es_enable_xpack
es_package_name: "elasticsearch"
es_other_package_name: "elasticsearch-oss"
es_other_repo_name: "{{ 'oss-' + es_major_version }}"
es_other_apt_url: "deb {{ es_repo_base }}/packages/{{ 'oss-' + es_major_version }}/apt stable main"
- name: Use the oss repo and package if xpack is not being used
set_fact:
es_repo_name: "{{ 'oss-' + es_major_version }}"
es_other_repo_name: "{{ es_major_version }}"
es_other_apt_url: "deb {{ es_repo_base }}/packages/{{ es_major_version }}/apt stable main"
es_package_name: "elasticsearch-oss"
es_other_package_name: "elasticsearch"
when:
- es_open_xpack
- not es_enable_xpack

6
tasks/elasticsearch-Debian-version-lock.yml
View file

@ -1,6 +0,0 @@
---
- name: Debian - hold elasticsearch version
become: yes
command: "apt-mark hold {{ es_package_name }}"
register: hold_elasticsearch_result
changed_when: "hold_elasticsearch_result.stdout != '{{ es_package_name }} was already set on hold.'"

75
tasks/elasticsearch-Debian.yml
View file

@ -7,7 +7,7 @@
set_fact: force_install=yes
when: es_allow_downgrades
- name: Debian - Install apt-transport-https to support https APT downloads
- name: Gracefully stop and remove elasticsearch package if switching between OSS and standard
become: yes
apt: name=apt-transport-https state=present
when: es_use_repository
@ -31,25 +31,75 @@
- es_package_name == 'elasticsearch-oss'
block:
- name: Check if the elasticsearch package is installed
shell: dpkg-query -W -f'${Status}' elasticsearch
shell: "dpkg-query -W -f'${Status}' {{ es_other_package_name }}"
register: elasticsearch_package
failed_when: False
changed_when: False
check_mode: no
- name: unhold elasticsearch package when switching to a different package type
become: yes
dpkg_selections:
name: "{{ es_other_package_name }}"
selection: "install"
when: elasticsearch_package.stdout == 'install ok installed'
- name: stop elasticsearch
become: yes
service:
name: '{{ instance_init_script | basename }}'
name: 'elasticsearch'
state: stopped
when: elasticsearch_package.stdout == 'install ok installed'
- name: Debian - Remove elasticsearch package if we are installing the oss package
become: yes
- name: Debian - Remove elasticsearch package if we are switching to a different package type
apt:
name: 'elasticsearch'
name: '{{ es_other_package_name }}'
state: absent
when: elasticsearch_package.stdout == 'install ok installed'
- name: Install Elasticsearch repository
when: es_use_repository
become: yes
block:
- name: Debian - Install apt-transport-https to support https APT downloads
apt:
name: apt-transport-https
state: present
- name: Debian - Add Elasticsearch repository key
apt_key:
url: '{{ es_apt_key }}'
state: present
when: es_add_repository and es_apt_key | string
- name: Debian - Add elasticsearch repository
apt_repository:
repo: '{{ item.repo }}'
state: '{{ item.state }}'
when: es_add_repository
with_items:
- { repo: "{{ es_apt_url_old }}", state: "absent" }
- { repo: "{{ es_apt_url }}", state: "present" }
- { repo: "{{ es_other_apt_url }}", state: "absent" }
- name: Include optional user and group creation.
when: (es_user_id is defined) and (es_group_id is defined)
include: elasticsearch-optional-user.yml
- name: Debian - Get installed elasticsearch version
command: dpkg-query --showformat='${Version}' --show {{ es_package_name }}
register: installed_es_version
failed_when: False
changed_when: False
check_mode: no
- name: Debian - unhold elasticsearch version
become: yes
dpkg_selections:
name: "{{ es_package_name }}"
selection: "install"
when: not es_version_lock or (installed_es_version.stdout and installed_es_version.stdout != es_version)
- name: Debian - Ensure elasticsearch is installed
become: yes
apt:
@ -62,10 +112,13 @@
register: debian_elasticsearch_install_from_repo
notify: restart elasticsearch
environment:
ES_PATH_CONF: "/etc/elasticsearch"
ES_PATH_CONF: "{{ es_conf_dir }}"
- name: Debian - Include versionlock
include: elasticsearch-Debian-version-lock.yml
- name: Debian - hold elasticsearch version
become: yes
dpkg_selections:
name: "{{ es_package_name }}"
selection: "hold"
when: es_version_lock
- name: Debian - Download elasticsearch from url
@ -78,3 +131,5 @@
when: not es_use_repository
register: elasticsearch_install_from_package
notify: restart elasticsearch
environment:
ES_PATH_CONF: "{{ es_conf_dir }}"

31
tasks/elasticsearch-RedHat-version-lock.yml
View file

@ -2,6 +2,35 @@
- name: RedHat - install yum-version-lock
become: yes
yum: name=yum-plugin-versionlock state=present update_cache=yes
- name: RedHat - check if requested elasticsearch version lock exists
become: yes
shell: yum versionlock list | grep -c {{es_package_name}}-{{es_version}}
register: es_requested_version_locked
args:
warn: false
failed_when: False
changed_when: False
- name: RedHat - lock elasticsearch version
become: yes
shell: yum versionlock delete 0:elasticsearch* ; yum versionlock add {{ es_package_name }}{% if es_version is defined and es_version != "" %}-{{ es_version }}{% endif %}
shell: yum versionlock delete 0:elasticsearch* ; yum versionlock add {{ es_package_name }}-{{ es_version }}
args:
warn: false
when: es_version_lock and es_requested_version_locked.stdout|int == 0
- name: RedHat - check if any elasticsearch version lock exists
become: yes
shell: yum versionlock list | grep -c elasticsearch
register: es_version_locked
args:
warn: false
failed_when: False
changed_when: False
- name: RedHat - unlock elasticsearch version
become: yes
shell: yum versionlock delete 0:elasticsearch*
args:
warn: false
when: not es_version_lock and es_version_locked.stdout|int > 0

23
tasks/elasticsearch-RedHat.yml
View file

@ -13,19 +13,30 @@
- name: RedHat - add Elasticsearch repo
become: yes
template: src=elasticsearch.repo dest=/etc/yum.repos.d/elasticsearch-{{ es_repo_name }}.repo
template:
src: 'elasticsearch.repo'
dest: '/etc/yum.repos.d/elasticsearch-{{ es_repo_name }}.repo'
when: es_use_repository and es_add_repository
- name: RedHat - remove unused Elasticsearch repo
become: yes
file:
path: '/etc/yum.repos.d/elasticsearch-{{ es_other_repo_name }}.repo'
state: absent
when: es_use_repository
- name: RedHat - include versionlock
include: elasticsearch-RedHat-version-lock.yml
when: es_version_lock
- name: RedHat - Remove non oss package if the old elasticsearch package is installed
- name: RedHat - Remove the other elasticsearch package if switching between OSS and standard
become: yes
yum:
name: 'elasticsearch'
name: '{{ es_other_package_name }}'
state: 'absent'
when: es_package_name == 'elasticsearch-oss'
- name: Include optional user and group creation.
when: (es_user_id is defined) and (es_group_id is defined)
include: elasticsearch-optional-user.yml
- name: RedHat - Install Elasticsearch
become: yes
@ -41,7 +52,7 @@
retries: 5
delay: 10
environment:
ES_PATH_CONF: "/etc/elasticsearch"
ES_PATH_CONF: "{{ es_conf_dir }}"
- name: RedHat - Install Elasticsearch from url
become: yes

136
tasks/elasticsearch-config.yml
View file

@ -1,129 +1,57 @@
---
# Configure Elasticsearch Node
#Create conf directory
- name: Create Configuration Directory
become: yes
file: path={{ es_conf_dir }} state=directory owner=root group={{ es_group }} mode=2750
#Create pid directory
- name: Create PID Directory
become: yes
file: path={{ es_pid_dir }} state=directory owner={{ es_user }} group={{ es_group }} mode=0755
#Create required directories
- name: Create Directories
- name: Create Others Directories
become: yes
file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} mode=2750
with_items:
- "{{pid_dir}}"
- "{{log_dir}}"
- "{{conf_dir}}"
- name: Create Data Directories
become: yes
file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
with_items:
- "{{data_dirs}}"
- "{{ es_log_dir }}"
- "{{ es_data_dirs }}"
#Copy the config template
- name: Copy Configuration File
become: yes
template: src=elasticsearch.yml.j2 dest={{conf_dir}}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner=root group={{ es_group }} mode=0660 force=yes
register: system_change
notify: restart elasticsearch
#Copy the instance specific default file
- name: Copy Default File for Instance
#Copy the default file
- name: Copy Default File
become: yes
template: src=elasticsearch.j2 dest={{instance_default_file}} mode=0644 force=yes
notify: restart elasticsearch
#Copy the instance specific init file
- name: Copy Debian Init File for Instance
become: yes
template: src=init/debian/elasticsearch.j2 dest={{instance_init_script}} mode=0755 force=yes
when: ansible_os_family == 'Debian' and not use_system_d
notify: restart elasticsearch
#Copy the instance specific init file
- name: Copy Redhat Init File for Instance
become: yes
template: src=init/redhat/elasticsearch.j2 dest={{instance_init_script}} mode=0755 force=yes
when: ansible_os_family == 'RedHat' and not use_system_d
template: src=elasticsearch.j2 dest={{ default_file }} owner=root group={{ es_group }} mode=0660 force=yes
notify: restart elasticsearch
#Copy the systemd specific file if systemd is installed
- name: Copy Systemd File for Instance
- when: use_system_d and m_lock_enabled
become: yes
template: src=systemd/elasticsearch.j2 dest={{instance_sysd_script}} mode=0644 force=yes
when: use_system_d
notify:
- reload systemd configuration
- restart elasticsearch
block:
- name: Make sure destination dir exists
file: path={{ sysd_config_file | dirname }} state=directory mode=0755
- name: Copy specific ElasticSearch Systemd config file
ini_file: path={{ sysd_config_file }} section=Service option=LimitMEMLOCK value=infinity mode=0644
notify:
- reload systemd configuration
- restart elasticsearch
#Copy the logging.yml
- name: Copy log4j2.properties File for Instance
- name: Copy log4j2.properties File
become: yes
template: src={{es_config_log4j2}} dest={{conf_dir}}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner=root group={{ es_group }} mode=0660 force=yes
notify: restart elasticsearch
- name: Copy jvm.options File for Instance
- name: Copy jvm.options File
become: yes
template: src=jvm.options.j2 dest={{conf_dir}}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner=root group={{ es_group }} mode=0660 force=yes
notify: restart elasticsearch
#Clean up un-wanted package scripts to avoid confusion
- name: Delete Default Init
become: yes
file: dest=/etc/init.d/elasticsearch state=absent
- name: Create empty default environment file
become: yes
changed_when: False
copy:
dest: /etc/default/elasticsearch
content: ''
when: ansible_os_family == 'Debian'
- name: Create empty default environment file
become: yes
changed_when: False
copy:
dest: /etc/sysconfig/elasticsearch
content: ''
when: ansible_os_family == 'RedHat'
- name: Symlink default systemd service to first instance of elasticsearch
when: use_system_d
block:
- name: Check if default systemd file exists
stat:
path: "{{ sysd_script }}"
register: sysd_stat_result
- name: Remove if it is a normal file
become: yes
file:
path: "{{ sysd_script }}"
state: absent
when: sysd_stat_result.stat.exists and not sysd_stat_result.stat.islnk
- name: Create a symbolic link to the default systemd location to the first instance running on this host
become: yes
file:
state: link
src: "{{ instance_sysd_script }}"
path: "{{ sysd_script }}"
when: sysd_stat_result.stat.exists and not sysd_stat_result.stat.islnk
notify:
- reload systemd configuration
- restart elasticsearch
- name: Delete Default Configuration File
become: yes
file: dest=/etc/elasticsearch/elasticsearch.yml state=absent
- name: Delete Default Logging File
become: yes
file: dest=/etc/elasticsearch/logging.yml state=absent
- name: Delete Default Logging File
become: yes
file: dest=/etc/elasticsearch/log4j2.properties state=absent
- name: Delete Default JVM Options File
become: yes
file: dest=/etc/elasticsearch/jvm.options state=absent

53
tasks/elasticsearch-parameters.yml
View file

@ -1,25 +1,9 @@
# Check for mandatory parameters
- name: fail when es_instance is not defined
fail: msg="es_instance_name must be specified and cannot be blank"
when: es_instance_name is not defined or es_instance_name == ''
- name: fail when es_proxy_port is not defined or is blank
fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined"
when: (es_proxy_port is not defined or es_proxy_port == '') and (es_proxy_host is defined and es_proxy_host != '')
- name: debug message
debug: msg="WARNING - It is recommended you specify the parameter 'http.port'"
when: es_config['http.port'] is not defined
- name: debug message
debug: msg="WARNING - It is recommended you specify the parameter 'transport.tcp.port'"
when: es_config['transport.tcp.port'] is not defined
- name: debug message
debug: msg="WARNING - It is recommended you specify the parameter 'discovery.zen.ping.unicast.hosts'"
when: es_config['discovery.zen.ping.unicast.hosts'] is not defined
#If the user attempts to lock memory they must specify a heap size
- name: fail when heap size is not specified when using memory lock
fail: msg="If locking memory with bootstrap.memory_lock a heap size must be specified"
@ -28,48 +12,23 @@
#Check if working with security we have an es_api_basic_auth_username and es_api_basic_auth_username - otherwise any http calls wont work
- name: fail when api credentials are not declared when using security
fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations"
when: es_enable_xpack and ("security" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined
when:
- es_enable_xpack and "security" in es_xpack_features
- es_api_basic_auth_username is not defined
- es_api_basic_auth_password is not defined
- name: set fact file_reserved_users
set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }}
when: es_users is defined and es_users.file is defined and (es_users.file.keys() | length > 0) and (es_users.file.keys() | intersect (reserved_xpack_users) | length > 0)
set_fact: file_reserved_users={{ es_users.file.keys() | list | intersect (reserved_xpack_users) }}
when: es_users is defined and es_users.file is defined and (es_users.file.keys() | list | length > 0) and (es_users.file.keys() | list | intersect (reserved_xpack_users) | length > 0)
- name: fail when changing users through file realm
fail:
msg: "ERROR: INVALID CONFIG - YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING CANNOT BE CHANGED: {{file_reserved_users}}. USE THE NATIVE REALM."
when: file_reserved_users | default([]) | length > 0
- name: set fact instance_default_file
set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}}
- name: set fact instance_init_script
set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}}
- name: set fact conf_dir
set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}}
- name: set fact m_lock_enabled
set_fact: m_lock_enabled={{ es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True }}
#TODO - if transport.host is not local maybe error on boostrap checks
#Use systemd for the following distributions:
#Ubuntu 15 and up
#Debian 8 and up
#Centos 7 and up
#Relies on elasticsearch distribution installing a serviced script to determine whether one should be copied.
- name: set fact use_system_d
set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version is version_compare('8', '>=')) or (ansible_distribution in ['RedHat','CentOS'] and ansible_distribution_version is version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('15', '>=')) }}
- name: set fact instance_sysd_script
set_fact: instance_sysd_script={{sysd_script | dirname }}/{{es_instance_name}}_{{sysd_script | basename}}
when: use_system_d
#For directories we also use the {{inventory_hostname}}-{{ es_instance_name }} - this helps if we have a shared SAN.
- name: set fact instance_suffix
set_fact: instance_suffix={{inventory_hostname}}-{{ es_instance_name }}
- name: set fact pid_dir
set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}}
- name: set fact log_dir
set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}}
- name: set fact log_dir
set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }}

24
tasks/elasticsearch-plugins.yml
View file

@ -17,7 +17,6 @@
file:
dest: "{{ es_home }}/plugins/x-pack"
state: "absent"
when: es_open_xpack
#List currently installed plugins. We have to list the directories as the list commmand fails if the ES version is different than the plugin version.
- name: Check installed elasticsearch plugins
@ -27,9 +26,9 @@
changed_when: False
ignore_errors: yes
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
ES_INCLUDE: "{{ instance_default_file }}"
CONF_DIR: "{{ es_conf_dir }}"
ES_PATH_CONF: "{{ es_conf_dir }}"
ES_INCLUDE: "{{ default_file }}"
check_mode: no
#if es_plugins_reinstall is set to true we remove ALL plugins
@ -60,9 +59,9 @@
notify: restart elasticsearch
register: plugin_removed
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
ES_INCLUDE: "{{ instance_default_file }}"
CONF_DIR: "{{ es_conf_dir }}"
ES_PATH_CONF: "{{ es_conf_dir }}"
ES_INCLUDE: "{{ default_file }}"
- name: Install elasticsearch plugins
become: yes
@ -73,15 +72,10 @@
when: item.plugin in plugins_to_install
notify: restart elasticsearch
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
ES_INCLUDE: "{{ instance_default_file }}"
CONF_DIR: "{{ es_conf_dir }}"
ES_PATH_CONF: "{{ es_conf_dir }}"
ES_INCLUDE: "{{ default_file }}"
ES_JAVA_OPTS: "{% if item.proxy_host is defined and item.proxy_host != '' and item.proxy_port is defined and item.proxy_port != ''%} -Dhttp.proxyHost={{ item.proxy_host }} -Dhttp.proxyPort={{ item.proxy_port }} -Dhttps.proxyHost={{ item.proxy_host }} -Dhttps.proxyPort={{ item.proxy_port }} {% elif es_proxy_host is defined and es_proxy_host != '' %} -Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }} {% endif %}"
until: plugin_installed.rc == 0
retries: 5
delay: 5
#Set permissions on plugins directory
- name: Set Plugin Directory Permissions
become: yes
file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes

26
tasks/elasticsearch-scripts.yml
View file

@ -1,26 +0,0 @@
---
- name: set fact es_script_dir
set_fact: es_script_dir={{ es_conf_dir }}/{{es_instance_name}}
tags:
- always
- name: set fact es_script_dir when path.scripts
set_fact: es_script_dir={{es_config['path.scripts']}}
when: es_config['path.scripts'] is defined
tags:
- always
- name: Create script dir
become: yes
file: state=directory path={{ es_script_dir }} owner={{ es_user }} group={{ es_group }} recurse=yes
- name: Copy default scripts to elasticsearch
become: yes
copy: src=scripts dest={{ es_script_dir }} owner={{ es_user }} group={{ es_group }}
when: es_scripts_fileglob is not defined
- name: Copy scripts to elasticsearch
become: yes
copy: src={{ item }} dest={{ es_script_dir }} owner={{ es_user }} group={{ es_group }}
with_fileglob: "{{ es_scripts_fileglob | default('') }}"

27
tasks/elasticsearch-template.yml
View file

@ -2,40 +2,29 @@
- name: ensure templates dir is created
file:
path: /etc/elasticsearch/templates
path: "{{ es_conf_dir }}/templates"
state: directory
owner: "{{ es_user }}"
owner: root
group: "{{ es_group }}"
mode: 2750
- name: Copy templates to elasticsearch
copy: src={{ item }} dest=/etc/elasticsearch/templates owner={{ es_user }} group={{ es_group }}
copy: src={{ item }} dest={{ es_conf_dir }}/templates owner=root group={{ es_group }} mode=0660
register: load_templates
with_fileglob:
- "{{ es_templates_fileglob | default('') }}"
- name: Install templates without auth
- name: Install templates
uri:
url: "http://{{es_api_host}}:{{es_api_port}}/_template/{{item | filename}}"
method: PUT
status_code: 200
body_format: json
body: "{{ lookup('file', item) }}"
when: load_templates.changed and es_start_service and not es_enable_xpack or not es_xpack_features is defined or "security" not in es_xpack_features
with_fileglob:
- "{{ es_templates_fileglob | default('') }}"
run_once: True
- name: Install templates with auth
uri:
url: "http://{{es_api_host}}:{{es_api_port}}/_template/{{item | filename}}"
method: PUT
status_code: 200
user: "{{es_api_basic_auth_username}}"
password: "{{es_api_basic_auth_password}}"
user: "{{es_api_basic_auth_username | default(omit)}}"
password: "{{es_api_basic_auth_password | default(omit)}}"
force_basic_auth: yes
body_format: json
body: "{{ lookup('file', item) }}"
when: load_templates.changed and es_start_service and es_enable_xpack and es_xpack_features is defined and "security" in es_xpack_features
when: load_templates.changed and es_start_service
with_fileglob:
- "{{ es_templates_fileglob | default('') }}"
run_once: True

4
tasks/elasticsearch.yml
View file

@ -1,9 +1,5 @@
---
- name: Include optional user and group creation.
when: (es_user_id is defined) and (es_group_id is defined)
include: elasticsearch-optional-user.yml
- name: Include specific Elasticsearch
include: elasticsearch-Debian.yml
when: ansible_os_family == 'Debian'

2
tasks/java.yml
View file

@ -18,6 +18,7 @@
register: java_full_path
failed_when: False
changed_when: False
check_mode: no
when: ansible_os_family == 'RedHat'
- name: correct java version selected
@ -43,6 +44,7 @@
register: open_jdk
ignore_errors: yes
changed_when: false
check_mode: no
#https://github.com/docker-library/openjdk/issues/19 - ensures tests pass due to java 8 broken certs
- name: refresh the java ca-certificates

22
tasks/main.yml
View file

@ -1,4 +1,11 @@
---
- set_fact: "es_major_version={{ es_version.split('.')[0] }}.x"
when:
- es_major_version is undefined
tags:
- always
- name: os-specific vars
include_vars: "{{ansible_os_family}}.yml"
tags:
@ -34,12 +41,6 @@
tags:
- config
- name: include elasticsearch-scripts.yml
include: elasticsearch-scripts.yml
when: es_scripts
tags:
- scripts
- name: include elasticsearch-plugins.yml
include: elasticsearch-plugins.yml
when: es_plugins is defined or es_plugins_reinstall
@ -57,7 +58,7 @@
- name: Make sure elasticsearch is started
become: yes
service: name={{instance_init_script | basename}} state=started enabled=yes
service: name=elasticsearch state=started enabled=yes
when: es_start_service
- name: Wait for elasticsearch to startup
@ -69,11 +70,14 @@
- name: set fact manage_native_realm to true
set_fact: manage_native_realm=true
when: es_start_service and (es_enable_xpack and "security" in es_xpack_features) and ((es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined))
when:
- es_start_service
- es_enable_xpack
- (es_users is defined and es_users.native is defined) or (es_roles is defined and es_roles.native is defined)
# If playbook runs too fast, Native commands could fail as the Native Realm is not yet up
- name: Wait 15 seconds for the Native Relm to come up
pause: seconds=15
command: sleep 15
when: manage_native_realm
- name: activate-license

1
tasks/snapshot-release.yml
View file

@ -27,6 +27,7 @@
delay: 1
ignore_errors: true
until: "'status' in snapshots and snapshots.status == 200"
check_mode: no
- name: use the custom package url instead of the repository
set_fact:

68
tasks/xpack/elasticsearch-xpack-install.yml
View file

@ -1,68 +0,0 @@
---
#Test if feature is installed
- name: Test if x-pack is installed
shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack"
become: yes
register: x_pack_installed
changed_when: False
failed_when: "'ERROR' in x_pack_installed.stdout"
check_mode: no
ignore_errors: yes
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
ES_INCLUDE: "{{ instance_default_file }}"
#Remove X-Pack if installed and its not been requested or the ES version has changed
- name: Remove x-pack plugin
become: yes
command: "{{es_home}}/bin/elasticsearch-plugin remove x-pack"
register: xpack_state
failed_when: "'ERROR' in xpack_state.stdout"
changed_when: xpack_state.rc == 0
when: x_pack_installed.rc == 0 and (not es_enable_xpack or es_version_changed)
notify: restart elasticsearch
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
ES_INCLUDE: "{{ instance_default_file }}"
#Install plugin if not installed, or the es version has changed (so removed above), and its been requested
- name: Download x-pack from url
get_url: url={{ es_xpack_custom_url }} dest=/tmp/x-pack-{{ es_version }}.zip
when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined)
- name: Install x-pack plugin from local
become: yes
command: >
{{es_home}}/bin/elasticsearch-plugin install --silent --batch file:///tmp/x-pack-{{ es_version }}.zip
register: xpack_state
changed_when: xpack_state.rc == 0
when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined)
notify: restart elasticsearch
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
ES_INCLUDE: "{{ instance_default_file }}"
- name: Delete x-pack zip file
file: dest=/tmp/x-pack-{{ es_version }}.zip state=absent
when: es_xpack_custom_url is defined
- name: Install x-pack plugin from elastic.co
become: yes
command: >
{{es_home}}/bin/elasticsearch-plugin install --silent --batch x-pack
register: xpack_state
failed_when: "'ERROR' in xpack_state.stdout"
changed_when: xpack_state.rc == 0
when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is not defined)
notify: restart elasticsearch
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
ES_INCLUDE: "{{ instance_default_file }}"
ES_JAVA_OPTS: "{% if es_proxy_host is defined and es_proxy_host != '' %}-Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }}{% endif %}"

16
tasks/xpack/elasticsearch-xpack.yml
View file

@ -1,23 +1,11 @@
---
- name: set fact es_version_changed
set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }}
- name: include elasticsearch-xpack-install.yml
include: elasticsearch-xpack-install.yml
when: es_install_xpack
#Security configuration
- name: include security/elasticsearch-security.yml
include: security/elasticsearch-security.yml
#Add any feature specific configuration here
- name: Set Plugin Directory Permissions
become: yes
file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes
when: es_enable_xpack
#Make sure elasticsearch.keystore has correct Permissions
- name: Set elasticsearch.keystore Permissions
become: yes
file: state=file path={{ conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }}
when: es_enable_xpack and "security" in es_xpack_features and (es_version | version_compare('6.0.0', '>'))
file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner=root group={{ es_group }} mode=0660

62
tasks/xpack/security/elasticsearch-security-file.yml
View file

@ -1,83 +1,82 @@
---
- name: set fact manage_file_users
set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | length > 0
- set_fact: manage_file_users=false
- set_fact: manage_file_users=true
when: es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0
# Users migration from elasticsearch < 6.3 versions
- name: Check if old users file exists
stat:
path: '{{ conf_dir }}/x-pack/users'
path: '{{ es_conf_dir }}/x-pack/users'
register: old_users_file
check_mode: no
- name: Copy the old users file from the old depreacted location
copy:
remote_src: yes
force: no # only copy it if the new path doesn't exist yet
src: "{{ conf_dir }}/x-pack/users"
dest: "{{ conf_dir }}{{ es_xpack_conf_subdir }}/users"
when: old_users_file.stat.exists
- name: Create the users file if it doesn't exist
copy:
content: ""
dest: "{{ conf_dir }}{{ es_xpack_conf_subdir }}/users"
force: no # this ensures it only creates it if it does not exist
src: "{{ es_conf_dir }}/x-pack/users"
dest: "{{ es_conf_dir }}/users"
group: "{{ es_group }}"
owner: "{{ es_user }}"
mode: 0555
owner: root
when: old_users_file.stat.exists
# End of users migrations
#List current users
- name: List Users
become: yes
shell: cat {{conf_dir}}{{es_xpack_conf_subdir}}/users | awk -F':' '{print $1}'
shell: cat {{ es_conf_dir }}/users | awk -F':' '{print $1}'
register: current_file_users
when: manage_file_users
changed_when: False
check_mode: no
- name: set fact users_to_remove
set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys()) }}
set_fact: users_to_remove={{ current_file_users.stdout_lines | difference (es_users.file.keys() | list) }}
when: manage_file_users
#Remove users
- name: Remove Users
become: yes
command: >
{{es_home}}/bin/{{es_xpack_users_command}} userdel {{item}}
{{es_home}}/bin/elasticsearch-users userdel {{item}}
with_items: "{{users_to_remove | default([])}}"
when: manage_file_users
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
CONF_DIR: "{{ es_conf_dir }}"
ES_PATH_CONF: "{{ es_conf_dir }}"
ES_HOME: "{{es_home}}"
- name: set fact users_to_add
set_fact: users_to_add={{ es_users.file.keys() | difference (current_file_users.stdout_lines) }}
set_fact: users_to_add={{ es_users.file.keys() | list | difference (current_file_users.stdout_lines) }}
when: manage_file_users
#Add users
- name: Add Users
become: yes
command: >
{{es_home}}/bin/{{es_xpack_users_command}} useradd {{item}} -p {{es_users.file[item].password}}
{{es_home}}/bin/elasticsearch-users useradd {{item}} -p {{es_users.file[item].password}}
with_items: "{{ users_to_add | default([]) }}"
when: manage_file_users
no_log: True
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
CONF_DIR: "{{ es_conf_dir }}"
ES_PATH_CONF: "{{ es_conf_dir }}"
ES_HOME: "{{es_home}}"
#Set passwords for all users declared - Required as the useradd will not change existing user passwords
- name: Set User Passwords
become: yes
command: >
{{es_home}}/bin/{{es_xpack_users_command}} passwd {{ item }} -p {{es_users.file[item].password}}
with_items: "{{ es_users.file.keys() | default([]) }}"
{{es_home}}/bin/elasticsearch-users passwd {{ item }} -p {{es_users.file[item].password}}
with_items: "{{ es_users.file.keys() | list }}"
when: manage_file_users
#Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
changed_when: False
no_log: True
environment:
CONF_DIR: "{{ conf_dir }}"
ES_PATH_CONF: "{{ conf_dir }}"
CONF_DIR: "{{ es_conf_dir }}"
ES_PATH_CONF: "{{ es_conf_dir }}"
ES_HOME: "{{es_home}}"
- name: set fact users_roles
@ -87,16 +86,11 @@
#Copy Roles files
- name: Copy roles.yml File for Instance
become: yes
template: src=security/roles.yml.j2 dest={{conf_dir}}{{es_xpack_conf_subdir}}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner=root group={{ es_group }} mode=0660 force=yes
when: es_roles is defined and es_roles.file is defined
#Overwrite users_roles file
- name: Copy User Roles
become: yes
template: src=security/users_roles.j2 dest={{conf_dir}}{{es_xpack_conf_subdir}}/users_roles mode=0644 force=yes
template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner=root group={{ es_group }} mode=0660 force=yes
when: manage_file_users and users_roles | length > 0
#Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions.
- name: Set Security Directory Permissions Recursive
become: yes
file: state=directory path={{conf_dir}}{{es_xpack_conf_subdir}}/ owner={{ es_user }} group={{ es_group }} recurse=yes

22
tasks/xpack/security/elasticsearch-security-native.yml
View file

@ -7,14 +7,14 @@
- name: set fact manage_native_users to true
set_fact: manage_native_users=true
when: es_users is defined and es_users.native is defined and es_users.native.keys() | length > 0
when: es_users is defined and es_users.native is defined and es_users.native.keys() | list | length > 0
- name: set fact manage_native_role to false
set_fact: manage_native_roles=false
- name: set fact manange_native_roles to true
set_fact: manage_native_roles=true
when: es_roles is defined and es_roles.native is defined and es_roles.native.keys() | length > 0
when: es_roles is defined and es_roles.native is defined and es_roles.native.keys() | list | length > 0
#If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load
@ -29,6 +29,7 @@
status_code: 200
register: user_list_response
when: manage_native_users
check_mode: no
- name: set fact reserved_users equals user_list_response.json
set_fact: reserved_users={{ user_list_response.json | filter_reserved }}
@ -36,7 +37,7 @@
#Current users not inc. those reserved
- name: set fact current_users equals user_list_response.json.keys not including reserved
set_fact: current_users={{ user_list_response.json.keys() | difference (reserved_users) }}
set_fact: current_users={{ user_list_response.json.keys() | list | difference (reserved_users) }}
when: manage_native_users
#We are changing the es_api_basic_auth_username password, so we need to do it first and update the param
@ -66,7 +67,7 @@
#Identify users that are present in ES but not declared and thus should be removed
- name: set fact users_to_remove
set_fact: users_to_remove={{ current_users | difference ( native_users.keys() ) }}
set_fact: users_to_remove={{ current_users | difference ( native_users.keys() | list) }}
when: manage_native_users
#Delete all non required users NOT inc. reserved
@ -82,7 +83,7 @@
with_items: "{{ users_to_remove | default([]) }}"
- name: set fact users_to_ignore
set_fact: users_to_ignore={{ native_users.keys() | intersect (reserved_users) }}
set_fact: users_to_ignore={{ native_users.keys() | list | intersect (reserved_users) }}
when: manage_native_users
- name: debug message
@ -106,7 +107,7 @@
with_items: "{{ users_to_ignore | default([]) }}"
- name: set fact users_to_modify
set_fact: users_to_modify={{ native_users.keys() | difference (reserved_users) }}
set_fact: users_to_modify={{ native_users.keys() | list | difference (reserved_users) }}
when: manage_native_users
#Overwrite all other users NOT inc. those reserved
@ -138,17 +139,18 @@
status_code: 200
register: role_list_response
when: manage_native_roles
check_mode: no
- name: set fact reserved roles
set_fact: reserved_roles={{ role_list_response.json | filter_reserved }}
when: manage_native_roles
- name: set fact current roles
set_fact: current_roles={{ role_list_response.json.keys() | difference (reserved_roles) }}
set_fact: current_roles={{ role_list_response.json.keys() | list | difference (reserved_roles) }}
when: manage_native_roles
- name: set fact roles to ignore
set_fact: roles_to_ignore={{ es_roles.native.keys() | intersect (reserved_roles) | default([]) }}
set_fact: roles_to_ignore={{ es_roles.native.keys() | list | intersect (reserved_roles) | default([]) }}
when: manage_native_roles
- name: debug message
@ -157,7 +159,7 @@
when: manage_native_roles and roles_to_ignore | length > 0
- name: set fact roles_to_remove
set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() ) }}
set_fact: roles_to_remove={{ current_roles | difference ( es_roles.native.keys() | list) }}
when: manage_native_roles
#Delete all non required roles NOT inc. reserved
@ -173,7 +175,7 @@
with_items: "{{roles_to_remove | default([]) }}"
- name: set fact roles_to_modify
set_fact: roles_to_modify={{ es_roles.native.keys() | difference (reserved_roles) }}
set_fact: roles_to_modify={{ es_roles.native.keys() | list | difference (reserved_roles) }}
when: manage_native_roles
#Update other roles - NOT inc. reserved roles

38
tasks/xpack/security/elasticsearch-security.yml
View file

@ -3,27 +3,18 @@
#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6
#Ensure x-pack conf directory is created if necessary
- name: Ensure x-pack conf directory exists (file)
file: path={{ conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }}
changed_when: False
when:
- es_enable_xpack and "security" in es_xpack_features
- (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined)
#-----------------------------Create Bootstrap User-----------------------------------
### START BLOCK elasticsearch keystore ###
- name: create the elasticsearch keystore
when: (es_enable_xpack and "security" in es_xpack_features) and (es_version | version_compare('6.0.0', '>'))
block:
- name: create the keystore if it doesn't exist yet
become: yes
command: >
{{es_home}}/bin/elasticsearch-keystore create
args:
creates: "{{ conf_dir }}/elasticsearch.keystore"
creates: "{{ es_conf_dir }}/elasticsearch.keystore"
environment:
ES_PATH_CONF: "{{ conf_dir }}"
ES_PATH_CONF: "{{ es_conf_dir }}"
- name: Check if bootstrap password is set
become: yes
@ -32,7 +23,8 @@
register: list_keystore
changed_when: False
environment:
ES_PATH_CONF: "{{ conf_dir }}"
ES_PATH_CONF: "{{ es_conf_dir }}"
check_mode: no
- name: Create Bootstrap password for elastic user
become: yes
@ -40,35 +32,19 @@
when:
- es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines
environment:
ES_PATH_CONF: "{{ conf_dir }}"
ES_PATH_CONF: "{{ es_conf_dir }}"
no_log: true
### END BLOCK elasticsearch keystore ###
#-----------------------------FILE BASED REALM----------------------------------------
- include: elasticsearch-security-file.yml
when: (es_enable_xpack and "security" in es_xpack_features) and ((es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined))
when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)
#-----------------------------ROLE MAPPING ----------------------------------------
#Copy Roles files
- name: Copy role_mapping.yml File for Instance
become: yes
template: src=security/role_mapping.yml.j2 dest={{conf_dir}}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner=root group={{ es_group }} mode=0660 force=yes
when: es_role_mapping is defined
#-----------------------------AUTH FILE----------------------------------------
- name: Copy message auth key to elasticsearch
become: yes
copy: src={{ es_message_auth_file }} dest={{conf_dir}}{{es_xpack_conf_subdir}}/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes
when: es_message_auth_file is defined
#------------------------------------------------------------------------------------
#Ensure security conf directory is created
- name: Ensure security conf directory exists
become: yes
file: path={{ conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}
changed_when: False
when: es_enable_xpack and "security" in es_xpack_features

23
tasks/xpack/security/elasticsearch-xpack-activation.yml
View file

@ -1,33 +1,16 @@
---
- name: Activate ES license (without security authentication)
uri:
method: PUT
url: "http://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true"
body_format: json
body: "{{ es_xpack_license }}"
return_content: yes
register: license_activated
no_log: True
when: not "security" in es_xpack_features
failed_when: >
license_activated.status != 200 or
license_activated.json.license_status is not defined or
license_activated.json.license_status != 'valid'
- name: Activate ES license (with security authentication)
uri:
method: PUT
url: "http://{{es_api_host}}:{{es_api_port}}/_xpack/license?acknowledge=true"
user: "{{es_api_basic_auth_username}}"
password: "{{es_api_basic_auth_password}}"
user: "{{es_api_basic_auth_username | default(omit)}}"
password: "{{es_api_basic_auth_password | default(omit)}}"
body_format: json
force_basic_auth: yes
body: "{{ es_xpack_license }}"
return_content: yes
force_basic_auth: yes
register: license_activated
no_log: True
when: "'security' in es_xpack_features"
failed_when: >
license_activated.status != 200 or
license_activated.json.license_status is not defined or