From 024e6caa4bfcd016d8b000b1237038743160292b Mon Sep 17 00:00:00 2001
From: Brad Pitcher
Date: Fri, 12 May 2017 13:31:50 -0700
Subject: [PATCH 1/2] use become: yes when root is needed
---
handlers/elasticsearch-templates.yml | 3 +++
handlers/main.yml | 2 ++
tasks/elasticsearch-Debian-version-lock.yml | 3 ++-
tasks/elasticsearch-Debian.yml | 5 +++++
tasks/elasticsearch-RedHat-version-lock.yml | 3 ++-
tasks/elasticsearch-RedHat.yml | 4 ++++
tasks/elasticsearch-config.yml | 17 +++++++++++++++++
tasks/elasticsearch-optional-user.yml | 2 ++
tasks/elasticsearch-plugins.yml | 4 ++++
tasks/elasticsearch-scripts.yml | 3 +++
tasks/elasticsearch-templates.yml | 7 +++++--
tasks/java.yml | 4 ++++
tasks/xpack/elasticsearch-xpack-install.yml | 3 +++
tasks/xpack/elasticsearch-xpack.yml | 1 +
.../security/elasticsearch-security-file.yml | 10 +++++++++-
tasks/xpack/security/elasticsearch-security.yml | 3 +++
16 files changed, 69 insertions(+), 5 deletions(-)
diff --git a/handlers/elasticsearch-templates.yml b/handlers/elasticsearch-templates.yml
index b1ff63a..c8cc2d4 100644
--- a/handlers/elasticsearch-templates.yml
+++ b/handlers/elasticsearch-templates.yml
@@ -1,12 +1,15 @@
---
- name: Ensure elasticsearch is started
+ become: yes
service: name={{instance_init_script | basename}} state=started enabled=yes
- name: Wait for elasticsearch to startup
+ become: yes
wait_for: host={{es_api_host}} port={{es_api_port}} delay=10
- name: Get template files
+ become: yes
find: paths="/etc/elasticsearch/templates" patterns="*.json"
register: templates
diff --git a/handlers/main.yml b/handlers/main.yml
index 55b95af..fe392de 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
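Review bot: The `become: yes` added to the `Wait for elasticsearch to startup` handler escalates a task that has no need for it — `wait_for` only opens a TCP connection to `{{es_api_host}}:{{es_api_port}}` — so it should be dropped from that task and escalation kept to the `service` handler, which does manage a root-owned unit. Unneeded escalation is cheap to remove and narrows what a mistyped module argument can do as root. As a matter of style, every hunk in this patch spells the boolean `yes`; Ansible accepts it, but it trips yamllint's `truthy` rule and is not a YAML 1.2 boolean, so `become: true` would be the safer spelling throughout. Whether the `find` task on `/etc/elasticsearch/templates` needs root depends on who owns that directory after the role runs; worth confirming rather than assuming.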
@@ -1,8 +1,10 @@
- name: reload systemd configuration
+ become: yes
command: systemctl daemon-reload
# Restart service and ensure it is enabled
- name: restart elasticsearch
+ become: yes
service: name={{instance_init_script | basename}} state=restarted enabled=yes
when: es_restart_on_change and es_start_service and ((plugin_installed is defined and plugin_installed.changed) or (config_updated is defined and config_updated.changed) or (xpack_state.changed) or (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed or elasticsearch_install_from_package.changed))
diff --git a/tasks/elasticsearch-Debian-version-lock.yml b/tasks/elasticsearch-Debian-version-lock.yml
index a932af7..d9fdd69 100644
--- a/tasks/elasticsearch-Debian-version-lock.yml
+++ b/tasks/elasticsearch-Debian-version-lock.yml
@@ -1,5 +1,6 @@
---
- name: Debian - hold elasticsearch version
+ become: yes
command: apt-mark hold elasticsearch
register: hold_elasticsearch_result
- changed_when: "hold_elasticsearch_result.stdout != 'elasticsearch was already set on hold.'"
\ No newline at end of file
+ changed_when: "hold_elasticsearch_result.stdout != 'elasticsearch was already set on hold.'"
diff --git a/tasks/elasticsearch-Debian.yml b/tasks/elasticsearch-Debian.yml
index 83748b0..13e12db 100644
--- a/tasks/elasticsearch-Debian.yml
+++ b/tasks/elasticsearch-Debian.yml
@@ -6,14 +6,17 @@
when: es_allow_downgrades
- name: Debian - Install apt-transport-https to support https APT downloads
+ become: yes
apt: name=apt-transport-https state=present
when: es_use_repository
- name: Debian - Add Elasticsearch repository key
+ become: yes
apt_key: url="{{ es_apt_key }}" state=present
when: es_use_repository and es_apt_key
- name: Debian - Add elasticsearch repository
+ become: yes
apt_repository: repo={{ item.repo }} state={{ item.state}}
with_items:
- { repo: "{{ es_apt_url_old }}", state: "absent" }
@@ -25,6 +28,7 @@
when: es_version_lock
- name: Debian - Ensure elasticsearch is installed
+ become: yes
apt: name=elasticsearch{% if es_version is defined and es_version != "" %}={{ es_version }}{% endif %} state=present force={{force_install}} allow_unauthenticated={{ 'no' if es_apt_key else 'yes' }} cache_valid_time=86400
when: es_use_repository
register: debian_elasticsearch_install_from_repo
@@ -34,6 +38,7 @@
when: not es_use_repository
- name: Debian - Ensure elasticsearch is installed from downloaded package
+ become: yes
apt: deb=/tmp/elasticsearch-{{ es_version }}.deb
when: not es_use_repository
register: elasticsearch_install_from_package
diff --git a/tasks/elasticsearch-RedHat-version-lock.yml b/tasks/elasticsearch-RedHat-version-lock.yml
index e6fd838..b5711a2 100644
--- a/tasks/elasticsearch-RedHat-version-lock.yml
+++ b/tasks/elasticsearch-RedHat-version-lock.yml
@@ -1,6 +1,7 @@
---
- name: RedHat - install yum-version-lock
+ become: yes
yum: name=yum-plugin-versionlock state=present update_cache=yes
- name: RedHat - lock elasticsearch version
+ become: yes
shell: yum versionlock delete 0:elasticsearch* ; yum versionlock add elasticsearch{% if es_version is defined and es_version != "" %}-{{ es_version }}{% endif %}
-
diff --git a/tasks/elasticsearch-RedHat.yml b/tasks/elasticsearch-RedHat.yml
index 18cfe4e..885b910 100644
--- a/tasks/elasticsearch-RedHat.yml
+++ b/tasks/elasticsearch-RedHat.yml
@@ -1,9 +1,11 @@
---
- name: Ensure libselinux-python on CentOS 6.x
+ become: yes
yum: name=libselinux-python state=present update_cache=yes
when: ( ansible_distribution == "CentOS" ) and ( ansible_distribution_major_version == "6" )
- name: RedHat - add Elasticsearch repo
+ become: yes
template: src=elasticsearch.repo dest=/etc/yum.repos.d/elasticsearch-{{ es_major_version }}.repo
when: es_use_repository
@@ -12,6 +14,7 @@
when: es_version_lock
- name: RedHat - Install Elasticsearch
+ become: yes
yum: name=elasticsearch{% if es_version is defined and es_version != "" %}-{{ es_version }}{% endif %} state=present update_cache=yes
when: es_use_repository
register: redhat_elasticsearch_install_from_repo
@@ -20,6 +23,7 @@
delay: 10
- name: RedHat - Install Elasticsearch from url
+ become: yes
yum: name={% if es_custom_package_url is defined %}{{ es_custom_package_url }}{% else %}{{ es_package_url }}-{{ es_version }}.noarch.rpm{% endif %} state=present
when: not es_use_repository
register: elasticsearch_install_from_package
diff --git a/tasks/elasticsearch-config.yml b/tasks/elasticsearch-config.yml
index 6debfaf..ba71b19 100644
--- a/tasks/elasticsearch-config.yml
+++ b/tasks/elasticsearch-config.yml
@@ -3,6 +3,7 @@
#Create required directories
- name: Create Directories
+ become: yes
file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
with_items:
- "{{pid_dir}}"
@@ -10,6 +11,7 @@
- "{{conf_dir}}"
- name: Create Data Directories
+ become: yes
file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
with_items:
- "{{data_dirs}}"
@@ -17,29 +19,34 @@
#Copy the config template
- name: Copy Configuration File
+ become: yes
template: src=elasticsearch.yml.j2 dest={{conf_dir}}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
register: config_updated
notify: restart elasticsearch
#Copy the instance specific default file
- name: Copy Default File for Instance
+ become: yes
template: src=elasticsearch.j2 dest={{instance_default_file}} mode=0644 force=yes
notify: restart elasticsearch
#Copy the instance specific init file
- name: Copy Debian Init File for Instance
+ become: yes
template: src=init/debian/elasticsearch.j2 dest={{instance_init_script}} mode=0755 force=yes
when: ansible_os_family == 'Debian' and not use_system_d
notify: restart elasticsearch
#Copy the instance specific init file
- name: Copy Redhat Init File for Instance
+ become: yes
template: src=init/redhat/elasticsearch.j2 dest={{instance_init_script}} mode=0755 force=yes
when: ansible_os_family == 'RedHat' and not use_system_d
notify: restart elasticsearch
#Copy the systemd specific file if systemd is installed
- name: Copy Systemd File for Instance
+ become: yes
template: src=systemd/elasticsearch.j2 dest={{instance_sysd_script}} mode=0644 force=yes
when: use_system_d
notify:
@@ -48,37 +55,47 @@
#Copy the logging.yml
- name: Copy log4j2.properties File for Instance
+ become: yes
template: src=log4j2.properties.j2 dest={{conf_dir}}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
notify: restart elasticsearch
- name: Copy jvm.options File for Instance
+ become: yes
template: src=jvm.options.j2 dest={{conf_dir}}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
notify: restart elasticsearch
#Clean up un-wanted package scripts to avoid confusion
- name: Delete Default Init
+ become: yes
file: dest=/etc/init.d/elasticsearch state=absent
- name: Delete Default Environment File
+ become: yes
file: dest=/etc/default/elasticsearch state=absent
when: ansible_os_family == 'Debian'
- name: Delete Default Environment File
+ become: yes
file: dest=/etc/sysconfig/elasticsearch state=absent
when: ansible_os_family == 'RedHat'
- name: Delete Default Sysconfig File
+ become: yes
file: dest="{{ sysd_script }}" state=absent
- name: Delete Default Configuration File
+ become: yes
file: dest=/etc/elasticsearch/elasticsearch.yml state=absent
- name: Delete Default Logging File
+ become: yes
file: dest=/etc/elasticsearch/logging.yml state=absent
- name: Delete Default Logging File
+ become: yes
file: dest=/etc/elasticsearch/log4j2.properties state=absent
- name: Delete Default JVM Options File
+ become: yes
file: dest=/etc/elasticsearch/jvm.options state=absent
diff --git a/tasks/elasticsearch-optional-user.yml b/tasks/elasticsearch-optional-user.yml
index 5cf1d38..5b2644b 100644
--- a/tasks/elasticsearch-optional-user.yml
+++ b/tasks/elasticsearch-optional-user.yml
@@ -1,6 +1,7 @@
---
#Add the elasticsearch user before installing from packages.
- name: Ensure optional elasticsearch group is created with the correct id.
+ become: yes
group:
state: present
name: "{{ es_group }}"
@@ -8,6 +9,7 @@
gid: "{{ es_group_id }}"
- name: Ensure optional elasticsearch user is created with the correct id.
+ become: yes
user:
state: present
name: "{{ es_user }}"
diff --git a/tasks/elasticsearch-plugins.yml b/tasks/elasticsearch-plugins.yml
index 8ec9e25..4cf337a 100644
--- a/tasks/elasticsearch-plugins.yml
+++ b/tasks/elasticsearch-plugins.yml
@@ -12,6 +12,7 @@
#List currently installed plugins. We have to list the directories as the list commmand fails if the ES version is different than the plugin version.
- name: Check installed elasticsearch plugins
+ become: yes
shell: "ls {{es_home}}/plugins {{list_command}}"
register: installed_plugins
changed_when: False
@@ -30,6 +31,7 @@
# This removes any currently installed plugins (to prevent errors when reinstalling)
- name: Remove elasticsearch plugins
+ become: yes
command: "{{es_home}}/bin/elasticsearch-plugin remove {{item}} --silent"
ignore_errors: yes
with_items: "{{ plugins_to_remove | default([]) }}"
@@ -41,6 +43,7 @@
ES_INCLUDE: "{{ instance_default_file }}"
- name: Install elasticsearch plugins
+ become: yes
command: "{{es_home}}/bin/elasticsearch-plugin install {{ item.plugin }} --batch --silent {% if item.proxy_host is defined and item.proxy_host != '' and item.proxy_port is defined and item.proxy_port != ''%} -DproxyHost={{ item.proxy_host }} -DproxyPort={{ item.proxy_port }} {% elif es_proxy_host is defined and es_proxy_host != '' %} -DproxyHost={{ es_proxy_host }} -DproxyPort={{ es_proxy_port }} {% endif %}"
register: plugin_installed
failed_when: "'ERROR' in plugin_installed.stdout"
@@ -57,4 +60,5 @@
#Set permissions on plugins directory
- name: Set Plugin Directory Permissions
+ become: yes
file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes
diff --git a/tasks/elasticsearch-scripts.yml b/tasks/elasticsearch-scripts.yml
index 30867f5..91708f9 100644
--- a/tasks/elasticsearch-scripts.yml
+++ b/tasks/elasticsearch-scripts.yml
@@ -10,12 +10,15 @@
- always
- name: Create script dir
+ become: yes
file: state=directory path={{ es_script_dir }} owner={{ es_user }} group={{ es_group }} recurse=yes
- name: Copy default scripts to elasticsearch
+ become: yes
copy: src=scripts dest={{ es_script_dir }} owner={{ es_user }} group={{ es_group }}
when: es_scripts_fileglob is not defined
- name: Copy scripts to elasticsearch
+ become: yes
copy: src={{ item }} dest={{ es_script_dir }} owner={{ es_user }} group={{ es_group }}
with_fileglob: "{{ es_scripts_fileglob | default('') }}"
diff --git a/tasks/elasticsearch-templates.yml b/tasks/elasticsearch-templates.yml
index 27c0c42..2004136 100644
--- a/tasks/elasticsearch-templates.yml
+++ b/tasks/elasticsearch-templates.yml
@@ -1,14 +1,17 @@
---
-- file: path=/etc/elasticsearch/templates state=directory owner={{ es_user }} group={{ es_group }}
+- become: yes
+ file: path=/etc/elasticsearch/templates state=directory owner={{ es_user }} group={{ es_group }}
- name: Copy default templates to elasticsearch
+ become: yes
copy: src=templates dest=/etc/elasticsearch/ owner={{ es_user }} group={{ es_group }}
notify: load-templates
when: es_templates_fileglob is not defined
- name: Copy templates to elasticsearch
+ become: yes
copy: src={{ item }} dest=/etc/elasticsearch/templates owner={{ es_user }} group={{ es_group }}
notify: load-templates
with_fileglob:
- - "{{ es_templates_fileglob | default('') }}"
\ No newline at end of file
+ - "{{ es_templates_fileglob | default('') }}"
diff --git a/tasks/java.yml b/tasks/java.yml
index c0c63b8..a7d3e43 100644
--- a/tasks/java.yml
+++ b/tasks/java.yml
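Review bot: The rewritten first task in tasks/elasticsearch-templates.yml is still anonymous — it now begins with `become: yes` followed by the `file:` line — so play output will show only the module name for a task that changes the filesystem under `/etc/elasticsearch` as root. Since the task is being rewritten anyway, give it a name as its first key, e.g. `- name: Ensure templates directory exists` above `become: yes`, matching the named tasks that follow it. The same applies to the unnamed `shell` task in tasks/xpack/elasticsearch-xpack-install.yml, where `become: yes` is also placed after the module line rather than before it as in every other task in this patch; name that task and move `become` above `shell` for consistency.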
@@ -6,15 +6,18 @@
when: update_java == true
- name: RedHat - Ensure Java is installed
+ become: yes
yum: name={{ java }} state={{java_state}}
when: ansible_os_family == 'RedHat'
- name: Refresh java repo
+ become: yes
apt: update_cache=yes
changed_when: false
when: ansible_os_family == 'Debian'
- name: Debian - Ensure Java is installed
+ become: yes
apt: name={{ java }} state={{java_state}}
when: ansible_os_family == 'Debian'
@@ -25,6 +28,7 @@
#https://github.com/docker-library/openjdk/issues/19 - ensures tests pass due to java 8 broken certs
- name: refresh the java ca-certificates
+ become: yes
command: /var/lib/dpkg/info/ca-certificates-java.postinst configure
when: ansible_distribution == 'Ubuntu' and open_jdk.rc == 0
changed_when: false
diff --git a/tasks/xpack/elasticsearch-xpack-install.yml b/tasks/xpack/elasticsearch-xpack-install.yml
index 16bbc5a..ee61a62 100644
--- a/tasks/xpack/elasticsearch-xpack-install.yml
+++ b/tasks/xpack/elasticsearch-xpack-install.yml
@@ -2,6 +2,7 @@
#Test if feature is installed
- shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack"
+ become: yes
register: x_pack_installed
changed_when: False
failed_when: "'ERROR' in x_pack_installed.stdout"
@@ -14,6 +15,7 @@
#Remove X-Pack if installed and its not been requested or the ES version has changed
- name: Remove x-pack plugin
+ become: yes
command: "{{es_home}}/bin/elasticsearch-plugin remove x-pack"
register: xpack_state
failed_when: "'ERROR' in xpack_state.stdout"
@@ -27,6 +29,7 @@
#Install plugin if not installed, or the es version has changed (so removed above), and its been requested
- name: Install x-pack plugin
+ become: yes
command: >
{{es_home}}/bin/elasticsearch-plugin install --silent --batch x-pack {% if es_proxy_host is defined and es_proxy_host != '' %} -Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} {% endif %}
register: xpack_state
diff --git a/tasks/xpack/elasticsearch-xpack.yml b/tasks/xpack/elasticsearch-xpack.yml
index 1e54782..b629943 100644
--- a/tasks/xpack/elasticsearch-xpack.yml
+++ b/tasks/xpack/elasticsearch-xpack.yml
@@ -9,4 +9,5 @@
#Add any feature specific configuration here
- name: Set Plugin Directory Permissions
+ become: yes
file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes
diff --git a/tasks/xpack/security/elasticsearch-security-file.yml b/tasks/xpack/security/elasticsearch-security-file.yml
index b09237c..fb9f55f 100644
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
@@ -3,12 +3,14 @@
#Ensure x-pack conf directory is created
- name: Ensure x-pack conf directory exists (file)
+ become: yes
file: path={{ conf_dir }}/x-pack state=directory owner={{ es_user }} group={{ es_group }}
changed_when: False
when: es_enable_xpack and '"security" in es_xpack_features'
#List current users
- name: List Users
+ become: yes
shell: cat {{conf_dir}}/x-pack/users | awk -F':' '{print $1}'
register: current_file_users
when: manage_file_users
@@ -19,6 +21,7 @@
#Remove users
- name: Remove Users
+ become: yes
command: >
{{es_home}}/bin/x-pack/users userdel {{item}}
with_items: "{{users_to_remove | default([])}}"
@@ -33,6 +36,7 @@
#Add users
- name: Add Users
+ become: yes
command: >
{{es_home}}/bin/x-pack/users useradd {{item}} -p {{es_users.file[item].password}}
with_items: "{{users_to_add | default([])}}"
@@ -44,6 +48,7 @@
#Set passwords for all users declared - Required as the useradd will not change existing user passwords
- name: Set User Passwords
+ become: yes
command: >
{{es_home}}/bin/x-pack/users passwd {{item.key}} -p {{item.value.password}}
with_dict: "{{(es_users | default({'file':{}})).file}}"
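Review bot: `Add Users` now runs `{{es_home}}/bin/x-pack/users useradd {{item}} -p {{es_users.file[item].password}}` as root, yet the task still lacks `no_log: true`, so the plaintext password on that command line is printed in the task result whenever the task fails or the play runs with `-v`. The `Set User Passwords` hunk just below has the same exposure with `passwd {{item.key}} -p {{item.value.password}}`. Add `no_log: true` to both tasks next to the new `become: yes`; the registered result can still be inspected in a separate, secret-free debug step if a failure needs diagnosing. Both tasks appear to continue past the hunk's trailing context (`with_items` / `with_dict`), so confirm the key is not already set further down before adding it.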
@@ -60,14 +65,17 @@
#Copy Roles files
- name: Copy roles.yml File for Instance
+ become: yes
template: src=security/roles.yml.j2 dest={{conf_dir}}/x-pack/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
when: es_roles is defined and es_roles.file is defined
#Overwrite users_roles file
- name: Copy User Roles
+ become: yes
template: src=security/users_roles.j2 dest={{conf_dir}}/x-pack/users_roles mode=0644 force=yes
when: manage_file_users and users_roles | length > 0
#Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions.
- name: Set Security Directory Permissions Recursive
- file: state=directory path={{conf_dir}}/x-pack/ owner={{ es_user }} group={{ es_group }} recurse=yes
\ No newline at end of file
+ become: yes
+ file: state=directory path={{conf_dir}}/x-pack/ owner={{ es_user }} group={{ es_group }} recurse=yes
diff --git a/tasks/xpack/security/elasticsearch-security.yml b/tasks/xpack/security/elasticsearch-security.yml
index 820c7e3..bfb6b25 100644
--- a/tasks/xpack/security/elasticsearch-security.yml
+++ b/tasks/xpack/security/elasticsearch-security.yml
@@ -12,12 +12,14 @@
#Copy Roles files
- name: Copy role_mapping.yml File for Instance
+ become: yes
template: src=security/role_mapping.yml.j2 dest={{conf_dir}}/x-pack/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
when: es_role_mapping is defined
#-----------------------------AUTH FILE----------------------------------------
- name: Copy message auth key to elasticsearch
+ become: yes
copy: src={{ es_message_auth_file }} dest={{conf_dir}}/x-pack/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes
when: es_message_auth_file is defined
@@ -25,6 +27,7 @@
#Ensure security conf directory is created
- name: Ensure security conf directory exists
+ become: yes
file: path={{ conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}
changed_when: False
when: es_enable_xpack and '"security" in es_xpack_features'
From 4731553438a5a384759eab81a9d3690ef29f814c Mon Sep 17 00:00:00 2001
From: Brad Pitcher
Date: Fri, 12 May 2017 13:38:45 -0700
Subject: [PATCH 2/2] typo: Native Relm->Native Realm
---
tasks/xpack/security/elasticsearch-security-native.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/xpack/security/elasticsearch-security-native.yml b/tasks/xpack/security/elasticsearch-security-native.yml
index 96bedfa..4621367 100644
--- a/tasks/xpack/security/elasticsearch-security-native.yml
+++ b/tasks/xpack/security/elasticsearch-security-native.yml
@@ -11,7 +11,7 @@
when: es_roles is defined and es_roles.native is defined
# If playbook runs too fast, Native commands could fail as the Native Realm is not yet up
-- name: Wait 15 seconds for the Native Relm to come up
+- name: Wait 15 seconds for the Native Realm to come up
pause: seconds=15
#If the node has just has security installed it maybe either stopped or started 1. if stopped, we need to start to load native realms 2. if started, we need to restart to load