Merge pull request #609 from jmlrt/no-more-6.3-compatibility

No more 6.3 compatibility + Use default files permissions from Elasticsearch package
2019-09-18 12:46:31 +02:00 · 2019-09-18 12:46:31 +02:00 · cf316aebec
commit cf316aebec
parent 2813c54777 1befe6c0d9
18 changed files with 55 additions and 215 deletions
--- a/README.md
+++ b/README.md
@ -264,10 +264,6 @@ X-Pack features, such as Security, are supported.
 The parameter `es_xpack_features` allows to list xpack features to install (example: `["alerting","monitoring","graph","security","ml"]`).
 When the list is empty, it install all features available with the current licence.
 The following additional parameters allow X-Pack to be configured:
 * ```es_xpack_custom_url``` Url from which X-Pack can be downloaded. This can be used for installations in isolated environments where the elastic.co repo is not accessible. e.g. ```es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-5.5.1.zip"```
 * ```es_role_mapping``` Role mappings file declared as yml as described [here](https://www.elastic.co/guide/en/x-pack/current/mapping-roles.html)
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -29,7 +29,7 @@ es_data_dirs:
 es_log_dir: "/var/log/elasticsearch"
 es_action_auto_create_index: true
 es_max_open_files: 65536
-es_max_threads: "{{ 2048 if ( es_version is version_compare('6.0.0', '<')) else 8192 }}"
+es_max_threads: 8192
 es_max_map_count: 262144
 es_allow_downgrades: false
 es_xpack_features: []
--- a/tasks/compatibility-variables.yml
+++ b/tasks/compatibility-variables.yml
@ -8,31 +8,12 @@
 - name: Set the defaults here otherwise they can't be overriden in the same play if the role is called twice
  set_fact:
    es_open_xpack: true
    es_install_xpack: false
    es_users_path: "users"
    es_xpack_conf_subdir: ""
    es_repo_name: "{{ es_major_version }}"
    es_xpack_users_command: "elasticsearch-users"
    es_package_name: "elasticsearch"
    es_other_package_name: "elasticsearch-oss"
    es_other_repo_name: "{{ 'oss-' + es_major_version }}"
    es_other_apt_url: "deb {{ es_repo_base }}/packages/{{ 'oss-' + es_major_version }}/apt stable main"
 - name: Detect if es_version is before X-Pack was open and included
  set_fact:
    es_open_xpack: false
  when: "es_version is version_compare('6.3.0', '<')"
 - name: If this is an older version we need to install X-Pack as a plugin and use a different users command
  set_fact:
    es_install_xpack: true
    es_xpack_users_command: "x-pack/users"
    es_xpack_conf_subdir: "/x-pack"
  when: 
    - not es_open_xpack
    - es_enable_xpack
 - name: Use the oss repo and package if xpack is not being used
  set_fact:
    es_repo_name: "{{ 'oss-' + es_major_version }}"
@ -41,5 +22,4 @@
    es_package_name: "elasticsearch-oss"
    es_other_package_name: "elasticsearch"
  when:
    - es_open_xpack
    - not es_enable_xpack
--- a/tasks/elasticsearch-Debian.yml
+++ b/tasks/elasticsearch-Debian.yml
@ -92,7 +92,7 @@
  register: debian_elasticsearch_install_from_repo
  notify: restart elasticsearch
  environment:
-    ES_PATH_CONF: "/etc/elasticsearch"
+    ES_PATH_CONF: "{{ es_conf_dir }}"
 - name: Debian - hold elasticsearch version
  become: yes
@ -112,4 +112,4 @@
  register: elasticsearch_install_from_package
  notify: restart elasticsearch
  environment:
-    ES_PATH_CONF: "/etc/elasticsearch"
+    ES_PATH_CONF: "{{ es_conf_dir }}"
--- a/tasks/elasticsearch-RedHat.yml
+++ b/tasks/elasticsearch-RedHat.yml
@ -52,7 +52,7 @@
  retries: 5
  delay: 10
  environment:
-    ES_PATH_CONF: "/etc/elasticsearch"
+    ES_PATH_CONF: "{{ es_conf_dir }}"
 - name: RedHat - Install Elasticsearch from url
  become: yes
--- a/tasks/elasticsearch-config.yml
+++ b/tasks/elasticsearch-config.yml
@ -1,27 +1,35 @@
 ---
 # Configure Elasticsearch Node
-#Create required directories
+#Create conf directory
- name: Create Directories
+- name: Create Configuration Directory
  become: yes
-  file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }}
+  file: path={{ es_conf_dir }} state=directory owner=root group={{ es_group }} mode=2750
 #Create pid directory
 - name: Create PID Directory
  become: yes
  file: path={{ es_pid_dir }} state=directory owner={{ es_user }} group={{ es_group }} mode=0755
 #Create required directories
 - name: Create Others Directories
  become: yes
  file: path={{ item }} state=directory owner={{ es_user }} group={{ es_group }} mode=2750
  with_items:
    - "{{ es_pid_dir }}"
    - "{{ es_log_dir }}"
    - "{{ es_conf_dir }}"
    - "{{ es_data_dirs }}"
 #Copy the config template
 - name: Copy Configuration File
  become: yes
-  template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=elasticsearch.yml.j2 dest={{ es_conf_dir }}/elasticsearch.yml owner=root group={{ es_group }} mode=0660 force=yes
  register: system_change
  notify: restart elasticsearch
 #Copy the default file
 - name: Copy Default File
  become: yes
-  template: src=elasticsearch.j2 dest={{ default_file }} mode=0644 force=yes
+  template: src=elasticsearch.j2 dest={{ default_file }} owner=root group={{ es_group }} mode=0660 force=yes
  notify: restart elasticsearch
 #Copy the systemd specific file if systemd is installed
@ -30,7 +38,7 @@
  block:
    - name: Make sure destination dir exists
      file: path={{ sysd_config_file | dirname }} state=directory mode=0755
-  
+
    - name: Copy specific ElasticSearch Systemd config file
      ini_file: path={{ sysd_config_file }} section=Service option=LimitMEMLOCK value=infinity mode=0644
      notify:
@ -40,10 +48,10 @@
 #Copy the logging.yml
 - name: Copy log4j2.properties File
  become: yes
-  template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src={{ es_config_log4j2 }} dest={{ es_conf_dir }}/log4j2.properties owner=root group={{ es_group }} mode=0660 force=yes
  notify: restart elasticsearch
 - name: Copy jvm.options File
  become: yes
-  template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=jvm.options.j2 dest={{ es_conf_dir }}/jvm.options owner=root group={{ es_group }} mode=0660 force=yes
  notify: restart elasticsearch
--- a/tasks/elasticsearch-plugins.yml
+++ b/tasks/elasticsearch-plugins.yml
@ -17,7 +17,6 @@
  file:
    dest: "{{ es_home }}/plugins/x-pack"
    state: "absent"
  when: es_open_xpack
 #List currently installed plugins. We have to list the directories as the list commmand fails if the ES version is different than the plugin version.
 - name: Check installed elasticsearch plugins
@ -80,8 +79,3 @@
  until: plugin_installed.rc == 0
  retries: 5
  delay: 5
 #Set permissions on plugins directory
 - name: Set Plugin Directory Permissions
  become: yes
  file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes
--- a/tasks/elasticsearch-template.yml
+++ b/tasks/elasticsearch-template.yml
@ -2,13 +2,14 @@
 - name: ensure templates dir is created
  file:
-    path: /etc/elasticsearch/templates
+    path: "{{ es_conf_dir }}/templates"
    state: directory
-    owner: "{{ es_user }}"
+    owner: root
    group: "{{ es_group }}"
    mode: 2750
 - name: Copy templates to elasticsearch
-  copy: src={{ item }} dest=/etc/elasticsearch/templates owner={{ es_user }} group={{ es_group }}
+  copy: src={{ item }} dest={{ es_conf_dir }}/templates owner=root group={{ es_group }} mode=0660
  register: load_templates
  with_fileglob:
    - "{{ es_templates_fileglob | default('') }}"
--- a/tasks/xpack/elasticsearch-xpack-install.yml
+++ b/tasks/xpack/elasticsearch-xpack-install.yml
@ -1,68 +0,0 @@
 ---
 #Test if feature is installed
 - name: Test if x-pack is installed
  shell: "{{es_home}}/bin/elasticsearch-plugin list | grep x-pack"
  become: yes
  register: x_pack_installed
  changed_when: False
  failed_when: "'ERROR' in x_pack_installed.stdout"
  check_mode: no
  ignore_errors: yes
  environment:
    CONF_DIR: "{{ es_conf_dir }}"
    ES_PATH_CONF: "{{ es_conf_dir }}"
    ES_INCLUDE: "{{ default_file }}"
 #Remove X-Pack if installed and its not been requested or the ES version has changed
 - name: Remove x-pack plugin
  become: yes
  command: "{{es_home}}/bin/elasticsearch-plugin remove x-pack"
  register: xpack_state
  failed_when: "'ERROR' in xpack_state.stdout"
  changed_when: xpack_state.rc == 0
  when: x_pack_installed.rc == 0 and (not es_enable_xpack or es_version_changed)
  notify: restart elasticsearch
  environment:
    CONF_DIR: "{{ es_conf_dir }}"
    ES_PATH_CONF: "{{ es_conf_dir }}"
    ES_INCLUDE: "{{ default_file }}"
 #Install plugin if not installed, or the es version has changed (so removed above), and its been requested
 - name: Download x-pack from url
  get_url: url={{ es_xpack_custom_url }} dest=/tmp/x-pack-{{ es_version }}.zip
  when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined)
 - name: Install x-pack plugin from local
  become: yes
  command: >
    {{es_home}}/bin/elasticsearch-plugin install --silent --batch file:///tmp/x-pack-{{ es_version }}.zip
  register: xpack_state
  changed_when: xpack_state.rc == 0
  when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is defined)
  notify: restart elasticsearch
  environment:
    CONF_DIR: "{{ es_conf_dir }}"
    ES_PATH_CONF: "{{ es_conf_dir }}"
    ES_INCLUDE: "{{ default_file }}"
 - name: Delete x-pack zip file
  file: dest=/tmp/x-pack-{{ es_version }}.zip state=absent
  when: es_xpack_custom_url is defined
 - name: Install x-pack plugin from elastic.co
  become: yes
  command: >
    {{es_home}}/bin/elasticsearch-plugin install --silent --batch x-pack
  register: xpack_state
  failed_when: "'ERROR' in xpack_state.stdout"
  changed_when: xpack_state.rc == 0
  when: (x_pack_installed.rc == 1 or es_version_changed) and (es_enable_xpack and es_xpack_custom_url is not defined)
  notify: restart elasticsearch
  environment:
    CONF_DIR: "{{ es_conf_dir }}"
    ES_PATH_CONF: "{{ es_conf_dir }}"
    ES_INCLUDE: "{{ default_file }}"
    ES_JAVA_OPTS: "{% if es_proxy_host is defined and es_proxy_host != '' %}-Dhttp.proxyHost={{ es_proxy_host }} -Dhttp.proxyPort={{ es_proxy_port }} -Dhttps.proxyHost={{ es_proxy_host }} -Dhttps.proxyPort={{ es_proxy_port }}{% endif %}"
--- a/tasks/xpack/elasticsearch-xpack.yml
+++ b/tasks/xpack/elasticsearch-xpack.yml
@ -1,24 +1,11 @@
 ---
 - name: set fact es_version_changed
  set_fact: es_version_changed={{ ((elasticsearch_install_from_package is defined and (debian_elasticsearch_install_from_repo.changed or redhat_elasticsearch_install_from_repo.changed)) or (elasticsearch_install_from_package is defined and elasticsearch_install_from_package.changed)) }}
 - name: include elasticsearch-xpack-install.yml
  include: elasticsearch-xpack-install.yml
  when: es_install_xpack
 #Security configuration
 - name: include security/elasticsearch-security.yml
  include: security/elasticsearch-security.yml
  when: es_enable_xpack
 #Add any feature specific configuration here
 - name: Set Plugin Directory Permissions
  become: yes
  file: state=directory path={{ es_home }}/plugins owner={{ es_user }} group={{ es_group }} recurse=yes
 #Make sure elasticsearch.keystore has correct Permissions
 - name: Set elasticsearch.keystore Permissions
  become: yes
-  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner={{ es_user }} group={{ es_group }}
+  file: state=file path={{ es_conf_dir }}/elasticsearch.keystore owner=root group={{ es_group }} mode=0660
  when: es_enable_xpack
--- a/tasks/xpack/security/elasticsearch-security-file.yml
+++ b/tasks/xpack/security/elasticsearch-security-file.yml
@ -1,7 +1,10 @@
 ---
- name: set fact manage_file_users
+- set_fact: manage_file_users=false
  set_fact: manage_file_users=es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0
 - set_fact: manage_file_users=true
  when: es_users is defined and es_users.file is defined and es_users.file.keys() | list | length > 0
 # Users migration from elasticsearch < 6.3 versions
 - name: Check if old users file exists
  stat:
    path: '{{ es_conf_dir }}/x-pack/users'
@ -13,22 +16,16 @@
    remote_src: yes
    force: no # only copy it if the new path doesn't exist yet
    src: "{{ es_conf_dir }}/x-pack/users"
-    dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users"
+    dest: "{{ es_conf_dir }}/users"
  when: old_users_file.stat.exists
 - name: Create the users file if it doesn't exist
  copy:
    content: ""
    dest: "{{ es_conf_dir }}{{ es_xpack_conf_subdir }}/users"
    force: no # this ensures it only creates it if it does not exist
    group: "{{ es_group }}"
-    owner: "{{ es_user }}"
+    owner: root
-    mode: 0555
+  when: old_users_file.stat.exists
 # End of users migrations
 #List current users
 - name: List Users
  become: yes
-  shell: cat {{ es_conf_dir }}{{es_xpack_conf_subdir}}/users | awk -F':' '{print $1}'
+  shell: cat {{ es_conf_dir }}/users | awk -F':' '{print $1}'
  register: current_file_users
  when: manage_file_users
  changed_when: False
@ -42,7 +39,7 @@
 - name: Remove Users
  become: yes
  command: >
-    {{es_home}}/bin/{{es_xpack_users_command}} userdel {{item}}
+    {{es_home}}/bin/elasticsearch-users userdel {{item}}
  with_items: "{{users_to_remove | default([])}}"
  when: manage_file_users
  environment:
@ -58,7 +55,7 @@
 - name: Add Users
  become: yes
  command: >
-    {{es_home}}/bin/{{es_xpack_users_command}} useradd {{item}} -p {{es_users.file[item].password}}
+    {{es_home}}/bin/elasticsearch-users useradd {{item}} -p {{es_users.file[item].password}}
  with_items: "{{ users_to_add | default([]) }}"
  when: manage_file_users
  no_log: True
@ -71,7 +68,7 @@
 - name: Set User Passwords
  become: yes
  command: >
-    {{es_home}}/bin/{{es_xpack_users_command}} passwd {{ item }} -p {{es_users.file[item].password}}
+    {{es_home}}/bin/elasticsearch-users passwd {{ item }} -p {{es_users.file[item].password}}
  with_items: "{{ es_users.file.keys() | list }}"
  when: manage_file_users
  #Currently no easy way to figure out if the password has changed or to know what it currently is so we can skip.
@ -89,16 +86,11 @@
 #Copy Roles files
 - name: Copy roles.yml File for Instance
  become: yes
-  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/roles.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/roles.yml.j2 dest={{ es_conf_dir }}/roles.yml owner=root group={{ es_group }} mode=0660 force=yes
  when: es_roles is defined and es_roles.file is defined
 #Overwrite users_roles file
 - name: Copy User Roles
  become: yes
-  template: src=security/users_roles.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/users_roles mode=0644 force=yes
+  template: src=security/users_roles.j2 dest={{ es_conf_dir }}/users_roles owner=root group={{ es_group }} mode=0660 force=yes
  when: manage_file_users and users_roles | length > 0
 #Set permission on security directory. E.g. if 2 nodes are installed on the same machine, the second node will not get the users file created at install, causing the files being created at es_users call and then having the wrong Permissions.
 - name: Set Security Directory Permissions Recursive
  become: yes
  file: state=directory path={{ es_conf_dir }}{{es_xpack_conf_subdir}}/ owner={{ es_user }} group={{ es_group }} recurse=yes
--- a/tasks/xpack/security/elasticsearch-security.yml
+++ b/tasks/xpack/security/elasticsearch-security.yml
@ -3,12 +3,6 @@
 #TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6
 #Ensure x-pack conf directory is created if necessary
 - name: Ensure x-pack conf directory exists (file)
  file: path={{ es_conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }}
  changed_when: False
  when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined)
 #-----------------------------Create Bootstrap User-----------------------------------
 ### START BLOCK elasticsearch keystore ###
 - name: create the elasticsearch keystore
@ -52,13 +46,5 @@
 #Copy Roles files
 - name: Copy role_mapping.yml File for Instance
  become: yes
-  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
+  template: src=security/role_mapping.yml.j2 dest={{ es_conf_dir }}/role_mapping.yml owner=root group={{ es_group }} mode=0660 force=yes
  when: es_role_mapping is defined
 #------------------------------------------------------------------------------------
 #Ensure security conf directory is created
 - name: Ensure security conf directory exists
  become: yes
  file: path={{ es_conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}
  changed_when: False
--- a/templates/elasticsearch.yml.j2
+++ b/templates/elasticsearch.yml.j2
@ -15,10 +15,6 @@ node.name: {{inventory_hostname}}
 # Path to directory containing configuration (this file and logging.yml):
 {% if (es_version is version_compare('6.0.0', '<')) %}
 path.conf: {{ es_conf_dir }}
 {% endif %}
 path.data: {{ es_data_dirs | array_to_str }}
 path.logs: {{ es_log_dir }}
--- a/templates/log4j2.properties.j2
+++ b/templates/log4j2.properties.j2
@ -11,23 +11,14 @@ appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
 appender.rolling.type = RollingFile
 appender.rolling.name = rolling
 {% if (es_version is version_compare('6.0.0', '<')) %}
 appender.rolling.fileName = ${sys:es.logs}.log
 {% else %}
 appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
 {% endif %}
 appender.rolling.layout.type = PatternLayout
 appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n
 {% if (es_version is version_compare('6.0.0', '<')) %}
 appender.rolling.filePattern = ${sys:es.logs}-%d{yyyy-MM-dd}.log
 {% else %}
 appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz
 {% endif %}
 appender.rolling.policies.type = Policies
 appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
 appender.rolling.policies.time.interval = 1
 appender.rolling.policies.time.modulate = true
 {% if (es_version is version_compare('6.0.0', '>')) %}
 appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
 appender.rolling.policies.size.size = 128MB
 appender.rolling.strategy.type = DefaultRolloverStrategy
@ -38,25 +29,16 @@ appender.rolling.strategy.action.condition.type = IfFileName
 appender.rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-*
 appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
 appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB
 {% endif %}
 rootLogger.level = info
 rootLogger.appenderRef.console.ref = console
 rootLogger.appenderRef.rolling.ref = rolling
 appender.deprecation_rolling.type = RollingFile
 appender.deprecation_rolling.name = deprecation_rolling
 {% if (es_version is version_compare('6.0.0', '<')) %}
 appender.deprecation_rolling.fileName = ${sys:es.logs}_deprecation.log
 {% else %}
 appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log
 {% endif %}
 appender.deprecation_rolling.layout.type = PatternLayout
 appender.deprecation_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n
 {% if (es_version is version_compare('6.0.0', '<')) %}
 appender.deprecation_rolling.filePattern = ${sys:es.logs}_deprecation-%i.log.gz
 {% else %}
 appender.deprecation_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.log.gz
 {% endif %}
 appender.deprecation_rolling.policies.type = Policies
 appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy
 appender.deprecation_rolling.policies.size.size = 1GB
@ -70,18 +52,12 @@ logger.deprecation.additivity = false
 appender.index_search_slowlog_rolling.type = RollingFile
 appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling
 {% if (es_version is version_compare('6.0.0', '<')) %}
 appender.index_search_slowlog_rolling.fileName = ${sys:es.logs}_index_search_slowlog.log
 {% else %}
 appender.index_search_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog.log
 {% endif %}
 appender.index_search_slowlog_rolling.layout.type = PatternLayout
 appender.index_search_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n
 {% if (es_version is version_compare('6.0.0', '<')) %}
 appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs}_index_search_slowlog-%d{yyyy-MM-dd}.log
 {% else %}
 appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog-%d{yyyy-MM-dd}.log
 {% endif %}
 appender.index_search_slowlog_rolling.policies.type = Policies
 appender.index_search_slowlog_rolling.policies.time.type = TimeBasedTriggeringPolicy
 appender.index_search_slowlog_rolling.policies.time.interval = 1
@ -94,18 +70,10 @@ logger.index_search_slowlog_rolling.additivity = false
 appender.index_indexing_slowlog_rolling.type = RollingFile
 appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling
 {% if (es_version is version_compare('6.0.0', '<')) %}
 appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs}_index_indexing_slowlog.log
 {% else %}
 appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog.log
 {% endif %}
 appender.index_indexing_slowlog_rolling.layout.type = PatternLayout
 appender.index_indexing_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n
 {% if (es_version is version_compare('6.0.0', '<')) %}
 appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs}_index_indexing_slowlog-%d{yyyy-MM-dd}.log
 {% else %}
 appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog-%d{yyyy-MM-dd}.log
 {% endif %}
 appender.index_indexing_slowlog_rolling.policies.type = Policies
 appender.index_indexing_slowlog_rolling.policies.time.type = TimeBasedTriggeringPolicy
 appender.index_indexing_slowlog_rolling.policies.time.interval = 1
--- a/test/integration/helpers/serverspec/oss_spec.rb
+++ b/test/integration/helpers/serverspec/oss_spec.rb
@ -3,11 +3,11 @@ require 'spec_helper'
 shared_examples 'oss::init' do |vars|
  describe file("/etc/elasticsearch/log4j2.properties") do
    it { should be_file }
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
    it { should_not contain 'CUSTOM LOG4J FILE' }
  end
  describe file("/etc/elasticsearch/jvm.options") do
    it { should be_file }
-    it { should be_owned_by vars['es_user'] }
+    it { should be_owned_by 'root' }
  end
 end
--- a/test/integration/helpers/serverspec/shared_spec.rb
+++ b/test/integration/helpers/serverspec/shared_spec.rb
@ -108,11 +108,11 @@ shared_examples 'shared::init' do |vars|
  if vars['es_templates']
    describe file('/etc/elasticsearch/templates') do
      it { should be_directory }
-      it { should be_owned_by vars['es_user'] }
+      it { should be_owned_by 'root' }
    end
    describe file('/etc/elasticsearch/templates/basic.json') do
      it { should be_file }
-      it { should be_owned_by vars['es_user'] }
+      it { should be_owned_by 'root' }
    end
    #This is possibly subject to format changes in the response across versions so may fail in the future
    describe 'Template Contents Correct' do
@ -138,7 +138,7 @@ shared_examples 'shared::init' do |vars|
      name = plugin['plugin']
      describe file('/usr/share/elasticsearch/plugins/'+name) do
        it { should be_directory }
-        it { should be_owned_by vars['es_user'] }
+        it { should be_owned_by 'root' }
      end
      it 'should be installed and the right version' do
        plugins = curl_json("#{es_api_url}/_nodes/plugins", username=username, password=password)
@ -152,6 +152,7 @@ shared_examples 'shared::init' do |vars|
    end
  end
  describe file("/etc/elasticsearch/elasticsearch.yml") do
    it { should be_owned_by 'root' }
    it { should contain "node.name: localhost" }
    it { should contain 'cluster.name: elasticsearch' }
    it { should_not contain "path.conf: /etc/elasticsearch" }
--- a/test/integration/helpers/serverspec/xpack_upgrade_spec.rb
+++ b/test/integration/helpers/serverspec/xpack_upgrade_spec.rb
@ -4,14 +4,14 @@ vars = JSON.parse(File.read('/tmp/vars.json'))
 shared_examples 'xpack_upgrade::init' do |vars|
  #Test users file, users_roles and roles.yml
-  describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/users_roles") do
+  describe file("/etc/elasticsearch/users_roles") do
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
    it { should contain 'admin:es_admin' }
    it { should contain 'power_user:testUser' }
  end
-  describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/users") do
+  describe file("/etc/elasticsearch/users") do
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
    it { should contain 'testUser:' }
    it { should contain 'es_admin:' }
  end
@ -36,8 +36,8 @@ shared_examples 'xpack_upgrade::init' do |vars|
  end
  #Test contents of role_mapping.yml
-  describe file("/etc/elasticsearch/#{vars['es_xpack_conf_subdir']}/role_mapping.yml") do
+  describe file("/etc/elasticsearch/role_mapping.yml") do
-    it { should be_owned_by 'elasticsearch' }
+    it { should be_owned_by 'root' }
    it { should contain 'power_user:' }
    it { should contain '- cn=admins,dc=example,dc=com' }
    it { should contain 'user:' }
--- a/test/integration/xpack.yml
+++ b/test/integration/xpack.yml
@ -7,5 +7,4 @@
  roles:
    - elasticsearch
  vars:
    es_xpack_custom_url: "https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{{ es_version }}.zip"
    es_heap_size: 2g