From 13d8c7b0f75e99ebedc03dd58ed9c627cd6a30a3 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 17 Feb 2023 16:25:43 +0100 Subject: [PATCH 01/10] Replace beat specific version with global fixes #98 --- docs/role-beats.md | 6 +++--- molecule/beats_peculiar/converge.yml | 6 +++--- roles/beats/tasks/auditbeat.yml | 12 ++++++------ roles/beats/tasks/filebeat.yml | 12 ++++++------ roles/beats/tasks/metricbeat.yml | 12 ++++++------ 5 files changed, 24 insertions(+), 24 deletions(-) diff --git a/docs/role-beats.md b/docs/role-beats.md index b231888e..9a1b20ba 100644 --- a/docs/role-beats.md +++ b/docs/role-beats.md @@ -14,7 +14,7 @@ Role Variables -------------- * *beats_filebeat*: Install and manage filebeat (Default: `true`) -* *beats_filebeat_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) +* *elastic_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) * *filebeat_enable*: Automatically start Filebeat (Default: `true`) * *filebeat_output*: Set to `logstash` or `elasticsearch`. (default: `logstash`) * *filebeat_syslog_udp*: Use UDP Syslog input (Default: `false`) 
@@ -66,14 +66,14 @@ filebeat_journald_inputs: * *filebeat_modules*: **EXPERIMENTAL**: Give a list of modules to enable. (default: none) * *beats_auditbeat*: Install and manage filebeat (Default: `false`) -* *beats_auditbeat_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) +* *elastic_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) * *auditbeat_output*: Output for Auditbeat Set to `logstash` or `elasticsearch`. (default: `elasticsearch`) * *auditbeat_enable*: Automatically start Auditbeat (Default: `true`) * *auditbeat_setup*: Run Auditbeat Setup (Default: `true`) (Only works with Elasticsearch output) * *auditbeat_loadbalance*: Enable loadbalancing for Auditbeats Logstash output (default: `true`) * *beats_metricbeat*: Enable installation and management of Metricbeat (Default: `false`) -* *beats_metricbeat_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) +* *elastic_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) * *metricbeat_enable*: Start Metricbeat automatically (Default: `true`) * *metricbeat_output*: Set to `logstash` or `elasticsearch`. (default: `elasticsearch`) * *metricbeat_modules*: List of modules to enable. (Default: `- system`) diff --git a/molecule/beats_peculiar/converge.yml b/molecule/beats_peculiar/converge.yml index 12473e02..4528eb08 100644 --- a/molecule/beats_peculiar/converge.yml +++ b/molecule/beats_peculiar/converge.yml 
@@ -23,7 +23,7 @@ elastic_stack_full_stack: false filebeat_mysql_slowlog_input: true beats_auditbeat: true - beats_auditbeat_version: latest + elastic_version: latest auditbeat_output: logstash auditbeat_enable: false # can't run on GitHub because of permissions filebeat_journald_inputs: @@ -41,12 +41,12 @@ # #- name: Set Filebeat version on RedHat # set_fact: - # beats_filebeat_version: "-7.16.1" + # elastic_version: "-7.16.1" # when: ansible_os_family == "RedHat" #- name: Set Filebeat version on Debian # set_fact: - # beats_filebeat_version: "=7.16.1" + # elastic_version: "=7.16.1" # when: ansible_os_family == "Debian" - name: "Include Elastics repos role" diff --git a/roles/beats/tasks/auditbeat.yml b/roles/beats/tasks/auditbeat.yml index 7e1586c1..073aa4aa 100644 --- a/roles/beats/tasks/auditbeat.yml +++ b/roles/beats/tasks/auditbeat.yml @@ -2,16 +2,16 @@ - name: Install Auditbeat package: name: auditbeat - when: beats_auditbeat_version is not defined + when: elastic_version is not defined - name: Install Auditbeat specific version package: - name: "auditbeat{{ beats_auditbeat_version }}" + name: "auditbeat{{ elastic_version }}" notify: - Restart Auditbeat when: - - beats_auditbeat_version is defined - - beats_auditbeat_version != "latest" + - elastic_version is defined + - elastic_version != "latest" - name: Install Auditbeat latest version package: @@ -20,8 +20,8 @@ notify: - Restart Auditbeat when: - - beats_auditbeat_version is defined - - beats_auditbeat_version == "latest" + - elastic_version is defined + - elastic_version == "latest" - name: Configure Auditbeat template: diff --git a/roles/beats/tasks/filebeat.yml b/roles/beats/tasks/filebeat.yml index 0c05a664..16a468c6 100644 --- a/roles/beats/tasks/filebeat.yml +++ b/roles/beats/tasks/filebeat.yml 
@@ -2,16 +2,16 @@ - name: Install Filebeat package: name: filebeat - when: beats_filebeat_version is not defined + when: elastic_version is not defined - name: Install Filebeat specific version package: - name: "filebeat{{ beats_filebeat_version }}" + name: "filebeat{{ elastic_version }}" notify: - Restart Filebeat when: - - beats_filebeat_version is defined - - beats_filebeat_version != "latest" + - elastic_version is defined + - elastic_version != "latest" - name: Install Filebeat latest version package: @@ -20,8 +20,8 @@ notify: - Restart Filebeat when: - - beats_filebeat_version is defined - - beats_filebeat_version == "latest" + - elastic_version is defined + - elastic_version == "latest" - name: Configure Filebeat template: diff --git a/roles/beats/tasks/metricbeat.yml b/roles/beats/tasks/metricbeat.yml index 8f4a04a8..2f87a13d 100644 --- a/roles/beats/tasks/metricbeat.yml +++ b/roles/beats/tasks/metricbeat.yml @@ -2,16 +2,16 @@ - name: Install Metricbeat package: name: metricbeat - when: beats_metricbeat_version is not defined + when: elastic_version is not defined - name: Install Metricbeat specific version package: - name: "metricbeat{{ beats_metricbeat_version }}" + name: "metricbeat{{ elastic_version }}" notify: - Restart Metricbeat when: - - beats_metricbeat_version is defined - - beats_metricbeat_version != "latest" + - elastic_version is defined + - elastic_version != "latest" - name: Install Metricbeat latest version package: @@ -20,8 +20,8 @@ notify: - Restart Metricbeat when: - - beats_metricbeat_version is defined - - beats_metricbeat_version == "latest" + - elastic_version is defined + - elastic_version == "latest" - name: Configure Metricbeat template: From d9a0cdb6288af46f70a3e8114df8f721a9f4fa44 Mon Sep 17 00:00:00 2001 
From: Thomas Widhalm Date: Fri, 17 Feb 2023 16:26:33 +0100 Subject: [PATCH 02/10] Replace Logstash specific version with global one --- docs/role-logstash.md | 2 +- molecule/logstash_specific_version/converge.yml | 4 ++-- molecule/logstash_specific_version/molecule.yml | 2 +- molecule/logstash_specific_version/verify.yml | 4 ++-- roles/logstash/defaults/main.yml | 2 +- roles/logstash/tasks/main.yml | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/role-logstash.md b/docs/role-logstash.md index a8ea4ecc..e261962a 100644 --- a/docs/role-logstash.md +++ b/docs/role-logstash.md @@ -29,7 +29,7 @@ If you want to use the default pipeline (or other pipelines communicating via Re Role Variables -------------- -* *logstash_version*: Version number of Logstash to install (use os specific version string. e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems). Only set if you don't want the latest. (default: none). For OSS version see `elastic_variant` below. +* *elastic_version*: Version number of Logstash to install (use os specific version string. e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems). Only set if you don't want the latest. (default: none). For OSS version see `elastic_variant` below. * *logstash_enable*: Start and enable Logstash service (default: `true`) * *logstash_config_backup*: Keep backups of all changed configuration (default: `no`) * *logstash_manage_yaml*: Manage and overwrite `logstash.yml` (default: `true`) diff --git a/molecule/logstash_specific_version/converge.yml b/molecule/logstash_specific_version/converge.yml index a650256b..11616b4b 100644 --- a/molecule/logstash_specific_version/converge.yml +++ b/molecule/logstash_specific_version/converge.yml 
@@ -18,12 +18,12 @@ - name: Set Logstash version on RedHat set_fact: - logstash_version: "-7.10.1" + elastic_version: "-7.10.1" when: ansible_os_family == "RedHat" - name: Set Logstash version on Debian set_fact: - logstash_version: "=1:7.10.1-1" + elastic_version: "=1:7.10.1-1" when: ansible_os_family == "Debian" - name: "Include Elastics repos role" diff --git a/molecule/logstash_specific_version/molecule.yml b/molecule/logstash_specific_version/molecule.yml index 7604df00..63efb37a 100644 --- a/molecule/logstash_specific_version/molecule.yml +++ b/molecule/logstash_specific_version/molecule.yml @@ -4,7 +4,7 @@ dependency: driver: name: docker platforms: - - name: logstash_version + - name: elastic_version image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: diff --git a/molecule/logstash_specific_version/verify.yml b/molecule/logstash_specific_version/verify.yml index b8a5b4a4..6439b310 100644 --- a/molecule/logstash_specific_version/verify.yml +++ b/molecule/logstash_specific_version/verify.yml @@ -6,8 +6,8 @@ tasks: - name: Run syntax check command: "/usr/share/logstash/bin/logstash --version | grep ^logstash" - register: logstash_version + register: elastic_version - name: Fail if Logstash has the wrong version fail: msg: "Logstash has the wrong version" - when: not "logstash 7.10.1" in logstash_version.stdout_lines + when: not "logstash 7.10.1" in elastic_version.stdout_lines diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml index 3202a1b0..d4d7425e 100644 --- a/roles/logstash/defaults/main.yml +++ b/roles/logstash/defaults/main.yml @@ -1,6 +1,6 @@ --- # defaults file for logstash -logstash_version: "" +elastic_version: "" logstash_enable: true logstash_config_backup: no logstash_manage_yaml: true diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index 8792efab..c8264135 100644 --- a/roles/logstash/tasks/main.yml 
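Review bot: In molecule/logstash_specific_version/verify.yml the rename also hit the registered command result: `register: elastic_version` now stores the output of `logstash --version` under the name of the stack-wide version setting, and the `when:` below reads `elastic_version.stdout_lines`. This looks like a side effect of search and replace, as does the platform `name: elastic_version` in molecule.yml. A registered result is a different thing from the user-supplied version string, so I would keep `register: logstash_version` and `logstash_version.stdout_lines` here and leave the platform name as it was.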
+++ b/roles/logstash/tasks/main.yml @@ -43,13 +43,13 @@ - name: Ensure Logstash is installed package: - name: "logstash{{ logstash_version }}" + name: "logstash{{ elastic_version }}" when: - elastic_variant == "elastic" - name: Ensure Logstash OSS is installed package: - name: "logstash-oss{{ logstash_version }}" + name: "logstash-oss{{ elastic_version }}" when: - elastic_variant == "oss" From 04e2220bd38d6db0396803b7ceb7a05f1a646fa1 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 17 Feb 2023 16:28:23 +0100 Subject: [PATCH 03/10] Allow specific version when installing Elasticsearch --- roles/elasticsearch/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index d3342282..9c08f59a 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -31,12 +31,12 @@ - name: Ensure Elasticsearch is installed package: - name: elasticsearch + name: elasticsearch{{ elastic_version }} when: elastic_variant == "elastic" - name: Ensure Elasticsearch OSS is installed package: - name: elasticsearch-oss + name: elasticsearch-oss{{ elastic_version }} when: elastic_variant == "oss" - name: Configure Elasticsearch From 47cbc6b35052a622117b596e50107034aa1539c2 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 17 Feb 2023 16:31:49 +0100 Subject: [PATCH 04/10] Add Kibana version and Readme --- README.md | 4 ++++ roles/kibana/tasks/main.yml | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bf25ca04..2c6b3e6f 100644 --- a/README.md +++ b/README.md 
@@ -39,6 +39,10 @@ You may want the following Ansible roles installed. There other ways to achieve ## Usage +* *elastic_version*: Version number of tools to install (use os specific version string. e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems). Only set if you don't want the latest. (default: none). For OSS version see `elastic_variant` below. **IMPORTANT** Do not change the version once you have set up the stack. There are unpredictable effects to be expected when using this for upgrades. And upgrade mechanism is already on it's way. +*elastic_release*: Major release version of Elastic stack to configure. (default: `7`) +*elastic_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`) + ### Default Passwords Default Passwords can be seen during generation, or found later in `/usr/share/elasticsearch/initial_passwords` diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 317979c4..5fc66d38 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -24,12 +24,12 @@ - name: Install Kibana package: - name: kibana + name: kibana{{ elastic_version }} when: elastic_variant == "elastic" - name: Install Kibana OSS package: - name: kibana-oss + name: kibana-oss{{ elastic_version }} when: elastic_variant == "oss" - name: Import security related tasks From 05f914ea2321dce8153a0886fb5afbb70f5e9ffd Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 17 Feb 2023 16:06:13 +0100 Subject: [PATCH 05/10] Improve idempotency --- roles/elasticsearch/tasks/elasticsearch-security.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index e5e7eb6f..cca29584 100644 --- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml 
@@ -33,6 +33,7 @@ /usr/share/elasticsearch/bin/elasticsearch-keystore add -x 'bootstrap.password' when: "'bootstrap.password' not in es_keystore.stdout_lines" + changed_when: false notify: - Restart Elasticsearch ignore_errors: "{{ ansible_check_mode }}" @@ -54,6 +55,7 @@ echo "{{ elasticsearch_tls_key_passphrase }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x 'xpack.security.http.ssl.keystore.secure_password' + changed_when: false when: - http_ssl_keystore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != http_ssl_keystore_secure_password.stdout - elasticsearch_http_security @@ -65,6 +67,7 @@ shell: > /usr/share/elasticsearch/bin/elasticsearch-keystore remove 'xpack.security.http.ssl.keystore.secure_password' + changed_when: false when: - "'xpack.security.http.ssl.keystore.secure_password' in es_keystore.stdout_lines" - not elasticsearch_http_security @@ -88,6 +91,7 @@ echo "{{ elasticsearch_tls_key_passphrase }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x 'xpack.security.http.ssl.truststore.secure_password' + changed_when: false when: - http_ssl_truststore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != http_ssl_truststore_secure_password.stdout - elasticsearch_http_security @@ -98,6 +102,7 @@ shell: > /usr/share/elasticsearch/bin/elasticsearch-keystore remove 'xpack.security.http.ssl.truststore.secure_password' + changed_when: false when: - "'xpack.security.http.ssl.truststore.secure_password' in es_keystore.stdout_lines" - not elasticsearch_http_security @@ -121,6 +126,7 @@ echo "{{ elasticsearch_tls_key_passphrase }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x 'xpack.security.transport.ssl.keystore.secure_password' + changed_when: false when: - transport_ssl_keystore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != transport_ssl_keystore_secure_password.stdout - elasticsearch_security 
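Review bot: The `changed_when: false` added to the bootstrap.password task in the first hunk (`@@ -33,6 +33,7 @@`) sits directly above `notify: - Restart Elasticsearch`, and Ansible only notifies a handler when the task reports changed, so a newly written keystore entry no longer triggers the restart. The same line is added to the keystore add/remove tasks for the HTTP and transport keystore and truststore passwords in the hunks that follow; their `notify` lines are outside the visible context, so check whether they carry one too. Each of these tasks already runs only when its `when:` guard finds the keystore out of date, so a run that executes is a real change. I would drop `changed_when: false` and, if the idempotence test still fails, fix the guard that lets the task run a second time.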
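Review bot: The task touched in the second hunk (`@@ -54,6 +55,7 @@`) and its three siblings further down put the TLS key passphrase on the shell command line with `echo "{{ elasticsearch_tls_key_passphrase }}" |`, so the value becomes part of the module arguments that Ansible logs and prints at higher verbosity. A passphrase containing `"`, `$` or a backtick is also interpreted by the shell. No `no_log` is visible in the hunk context, but the tasks continue outside it, so confirm. Since these tasks are being edited anyway, consider adding `no_log: true` and passing the value through the module's `stdin:` parameter instead of `echo … |`.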
@@ -131,6 +137,7 @@ shell: > /usr/share/elasticsearch/bin/elasticsearch-keystore remove 'xpack.security.transport.ssl.keystore.secure_password' + changed_when: false when: - "'xpack.security.transport.ssl.keystore.secure_password' in es_keystore.stdout_lines" - not elasticsearch_security @@ -154,6 +161,7 @@ echo "{{ elasticsearch_tls_key_passphrase }}" | /usr/share/elasticsearch/bin/elasticsearch-keystore add -f -x 'xpack.security.transport.ssl.truststore.secure_password' + changed_when: false when: - transport_ssl_truststore_secure_password.stdout is undefined or elasticsearch_tls_key_passphrase != transport_ssl_truststore_secure_password.stdout - elasticsearch_security @@ -164,6 +172,7 @@ shell: > /usr/share/elasticsearch/bin/elasticsearch-keystore remove 'xpack.security.transport.ssl.truststore.secure_password' + changed_when: false when: - "'xpack.security.transport.ssl.truststore.secure_password' in es_keystore.stdout_lines" - not elasticsearch_security From 9ec9cb594585d6180ad3696df9cc437961abecb1 Mon Sep 17 00:00:00 2001 
From: Thomas Widhalm Date: Mon, 20 Feb 2023 15:11:05 +0100 Subject: [PATCH 06/10] Make setting the version easier --- roles/beats/tasks/auditbeat.yml | 2 +- roles/beats/tasks/filebeat.yml | 2 +- roles/beats/tasks/main.yml | 6 ++++++ roles/beats/tasks/metricbeat.yml | 2 +- roles/beats/vars/Debian.yml | 4 ++++ roles/beats/vars/RedHat.yml | 4 ++++ roles/elasticsearch/tasks/main.yml | 4 ++-- roles/elasticsearch/vars/Debian.yml | 1 + roles/elasticsearch/vars/RedHat.yml | 1 + roles/kibana/tasks/main.yml | 10 ++++++++-- roles/kibana/vars/Debian.yml | 4 ++++ roles/kibana/vars/RedHat.yml | 4 ++++ roles/logstash/tasks/main.yml | 10 ++++++++-- roles/logstash/vars/Debian.yml | 4 ++++ roles/logstash/vars/RedHat.yml | 4 ++++ 15 files changed, 53 insertions(+), 9 deletions(-) create mode 100644 roles/beats/vars/Debian.yml create mode 100644 roles/beats/vars/RedHat.yml create mode 100644 roles/kibana/vars/Debian.yml create mode 100644 roles/kibana/vars/RedHat.yml create mode 100644 roles/logstash/vars/Debian.yml create mode 100644 roles/logstash/vars/RedHat.yml diff --git a/roles/beats/tasks/auditbeat.yml b/roles/beats/tasks/auditbeat.yml index 073aa4aa..701674cb 100644 --- a/roles/beats/tasks/auditbeat.yml +++ b/roles/beats/tasks/auditbeat.yml @@ -6,7 +6,7 @@ - name: Install Auditbeat specific version package: - name: "auditbeat{{ elastic_version }}" + name: "auditbeat{{ elastic_versionseparator }}{{ elastic_version }}" notify: - Restart Auditbeat when: diff --git a/roles/beats/tasks/filebeat.yml b/roles/beats/tasks/filebeat.yml index 16a468c6..4b4212b1 100644 --- a/roles/beats/tasks/filebeat.yml +++ b/roles/beats/tasks/filebeat.yml @@ -6,7 +6,7 @@ - name: Install Filebeat specific version package: - name: "filebeat{{ elastic_version }}" + name: "filebeat{{ elastic_versionseparator }}{{ elastic_version }}" notify: - Restart Filebeat when: diff --git a/roles/beats/tasks/main.yml b/roles/beats/tasks/main.yml index 7947dbcd..4b20ea90 100644 --- a/roles/beats/tasks/main.yml 
+++ b/roles/beats/tasks/main.yml @@ -1,5 +1,11 @@ --- +- name: Include OS specific vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_os_family }}.yml' + - name: Prepare for whole stack roles if used when: - elastic_stack_full_stack | bool diff --git a/roles/beats/tasks/metricbeat.yml b/roles/beats/tasks/metricbeat.yml index 2f87a13d..e3efd367 100644 --- a/roles/beats/tasks/metricbeat.yml +++ b/roles/beats/tasks/metricbeat.yml @@ -6,7 +6,7 @@ - name: Install Metricbeat specific version package: - name: "metricbeat{{ elastic_version }}" + name: "metricbeat{{ elastic_versionseparator }}{{ elastic_version }}" notify: - Restart Metricbeat when: diff --git a/roles/beats/vars/Debian.yml b/roles/beats/vars/Debian.yml new file mode 100644 index 00000000..77b253b6 --- /dev/null +++ b/roles/beats/vars/Debian.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/default/elasticsearch +elastic_versionseparator: "=" diff --git a/roles/beats/vars/RedHat.yml b/roles/beats/vars/RedHat.yml new file mode 100644 index 00000000..acfaddb4 --- /dev/null +++ b/roles/beats/vars/RedHat.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch +elastic_versionseparator: "-" diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 9c08f59a..e34abf46 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -31,12 +31,12 @@ - name: Ensure Elasticsearch is installed package: - name: elasticsearch{{ elastic_version }} + name: elasticsearch{{ elastic_versionseparator }}{{ elastic_version }} when: elastic_variant == "elastic" - name: Ensure Elasticsearch OSS is installed package: - name: elasticsearch-oss{{ elastic_version }} + name: elasticsearch-oss{{ elastic_versionseparator }}{{ elastic_version }} when: elastic_variant == "oss" - name: Configure Elasticsearch 
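Review bot: roles/beats/vars/Debian.yml and RedHat.yml are copies of the Elasticsearch role's vars files (same blob ids `77b253b6` and `acfaddb4`), so the beats role now also defines `elasticsearch_sysconfig_file`, which none of the visible beats tasks use; the kibana and logstash vars files added later in this patch do the same. Values loaded with `include_vars` take precedence over inventory and play variables, so a copy like this can silently override a path set elsewhere. I would keep only `elastic_versionseparator` in the non-Elasticsearch roles. The new `with_first_found` list in roles/beats/tasks/main.yml also has no fallback entry, so a host whose `ansible_os_family` is neither Debian nor RedHat fails at this task; if that is intended, a comment such as `# only Debian and RedHat families are supported` would say so.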
diff --git a/roles/elasticsearch/vars/Debian.yml b/roles/elasticsearch/vars/Debian.yml index bb0878c1..77b253b6 100644 --- a/roles/elasticsearch/vars/Debian.yml +++ b/roles/elasticsearch/vars/Debian.yml @@ -1,3 +1,4 @@ --- elasticsearch_sysconfig_file: /etc/default/elasticsearch +elastic_versionseparator: "=" diff --git a/roles/elasticsearch/vars/RedHat.yml b/roles/elasticsearch/vars/RedHat.yml index f0dbc02a..acfaddb4 100644 --- a/roles/elasticsearch/vars/RedHat.yml +++ b/roles/elasticsearch/vars/RedHat.yml @@ -1,3 +1,4 @@ --- elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch +elastic_versionseparator: "-" diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 5fc66d38..023d431f 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -1,5 +1,11 @@ --- +- name: Include OS specific vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_os_family }}.yml' + - name: Set common password for common certificates set_fact: kibana_tls_key_passphrase: "{{ elastic_cert_pass }}" @@ -24,12 +30,12 @@ - name: Install Kibana package: - name: kibana{{ elastic_version }} + name: kibana{{ elastic_versionseparator }}{{ elastic_version }} when: elastic_variant == "elastic" - name: Install Kibana OSS package: - name: kibana-oss{{ elastic_version }} + name: kibana-oss{{ elastic_versionseparator }}{{ elastic_version }} when: elastic_variant == "oss" - name: Import security related tasks diff --git a/roles/kibana/vars/Debian.yml b/roles/kibana/vars/Debian.yml new file mode 100644 index 00000000..77b253b6 --- /dev/null +++ b/roles/kibana/vars/Debian.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/default/elasticsearch +elastic_versionseparator: "=" diff --git a/roles/kibana/vars/RedHat.yml b/roles/kibana/vars/RedHat.yml new file mode 100644 index 00000000..acfaddb4 --- /dev/null +++ b/roles/kibana/vars/RedHat.yml 
@@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch +elastic_versionseparator: "-" diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index c8264135..b1388ffb 100644 --- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -1,5 +1,11 @@ --- +- name: Include OS specific vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_os_family }}.yml' + - name: Prepare for whole stack roles if used when: - elastic_stack_full_stack | bool @@ -43,13 +49,13 @@ - name: Ensure Logstash is installed package: - name: "logstash{{ elastic_version }}" + name: "logstash{{ elastic_versionseparator }}{{ elastic_version }}" when: - elastic_variant == "elastic" - name: Ensure Logstash OSS is installed package: - name: "logstash-oss{{ elastic_version }}" + name: "logstash-oss{{ elastic_versionseparator }}{{ elastic_version }}" when: - elastic_variant == "oss" diff --git a/roles/logstash/vars/Debian.yml b/roles/logstash/vars/Debian.yml new file mode 100644 index 00000000..77b253b6 --- /dev/null +++ b/roles/logstash/vars/Debian.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/default/elasticsearch +elastic_versionseparator: "=" diff --git a/roles/logstash/vars/RedHat.yml b/roles/logstash/vars/RedHat.yml new file mode 100644 index 00000000..acfaddb4 --- /dev/null +++ b/roles/logstash/vars/RedHat.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch +elastic_versionseparator: "-" From 6e655eb6a59f47f4d071c6c48041985d8f39a01b Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 20 Feb 2023 15:15:22 +0100 Subject: [PATCH 07/10] Reactivate verify.yml --- README.md | 2 +- molecule/beats_peculiar/converge.yml | 22 +++++++++++----------- molecule/beats_peculiar/verify.yml | 16 ++++++++++++---- 3 files changed, 24 insertions(+), 16 deletions(-) 
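Review bot: With `"logstash{{ elastic_versionseparator }}{{ elastic_version }}"` (hunk `@@ -43,13 +49,13 @@` of roles/logstash/tasks/main.yml) the role now adds the separator itself, but molecule/logstash_specific_version/converge.yml, changed earlier in this series, still sets `"-7.10.1"` and `"=1:7.10.1-1"`, which would render as `logstash--7.10.1` and `logstash==1:7.10.1-1`. None of the visible patches updates that scenario, and docs/role-beats.md and docs/role-logstash.md still document the prefixed form. Switch the scenario to bare versions and update both docs pages so users do not pass a second separator. On Debian a bare `7.10.1` also drops the epoch and revision that the earlier example `=1:7.10.1-1` carried, so it is worth confirming that apt resolves the bare form for every package in the stack.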
diff --git a/README.md b/README.md index 2c6b3e6f..dd6c1fce 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ You may want the following Ansible roles installed. There other ways to achieve ## Usage -* *elastic_version*: Version number of tools to install (use os specific version string. e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems). Only set if you don't want the latest. (default: none). For OSS version see `elastic_variant` below. **IMPORTANT** Do not change the version once you have set up the stack. There are unpredictable effects to be expected when using this for upgrades. And upgrade mechanism is already on it's way. +* *elastic_version*: Version number of tools to install Only set if you don't want the latest. (default: none). For OSS version see `elastic_variant` below. **IMPORTANT** Do not change the version once you have set up the stack. There are unpredictable effects to be expected when using this for upgrades. And upgrade mechanism is already on it's way. (default: none. Example: `7.17.2` *elastic_release*: Major release version of Elastic stack to configure. (default: `7`) *elastic_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`) diff --git a/molecule/beats_peculiar/converge.yml b/molecule/beats_peculiar/converge.yml index 4528eb08..1fc587fc 100644 --- a/molecule/beats_peculiar/converge.yml +++ b/molecule/beats_peculiar/converge.yml 
@@ -36,18 +36,18 @@ #filebeat_docker: true elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - # Looks like Elastic isn't providing all old releases - # anymore - # - #- name: Set Filebeat version on RedHat - # set_fact: - # elastic_version: "-7.16.1" - # when: ansible_os_family == "RedHat" - #- name: Set Filebeat version on Debian - # set_fact: - # elastic_version: "=7.16.1" - # when: ansible_os_family == "Debian" + - name: Set Filebeat version for 7.x + set_fact: + elastic_version: "7.17.1" + when: + - elastic_release == 7 + + - name: Set Filebeat version for 8.x + set_fact: + elastic_version: "8.4.1" + when: + - elastic_release == 8 - name: "Include Elastics repos role" include_role: diff --git a/molecule/beats_peculiar/verify.yml b/molecule/beats_peculiar/verify.yml index 5980914b..ce1de5c5 100644 --- a/molecule/beats_peculiar/verify.yml +++ b/molecule/beats_peculiar/verify.yml @@ -11,8 +11,16 @@ debug: var: filebeat_version.stdout - #- name: Fail if Filebeat has the wrong version - # fail: - # msg: "Filebeat has the wrong version" + - name: Fail if Filebeat has the wrong version + fail: + msg: "Filebeat has the wrong version" + when: + - filebeat_version.stdout.find('7.17.1') == -1 + - elastic_release == 7 - # when: filebeat_version.stdout.find('7.16.1') == -1 + - name: Fail if Filebeat has the wrong version + fail: + msg: "Filebeat has the wrong version" + when: + - filebeat_version.stdout.find('8.4.1') == -1 + - elastic_release == 8 From b3930d56eee44fd38d6d5db080c97de7acf011c1 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 20 Feb 2023 15:40:48 +0100 Subject: [PATCH 08/10] Make specific version an extra task --- roles/elasticsearch/tasks/main.yml | 24 +++++++++++++++++++++--- roles/kibana/tasks/main.yml | 26 ++++++++++++++++++++++---- roles/logstash/tasks/main.yml | 19 ++++++++++++++++++- 3 files changed, 61 insertions(+), 8 deletions(-) 
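Review bot: Both new `fail` tasks in molecule/beats_peculiar/verify.yml run only when `elastic_release` is 7 or 8, so for any other value neither check runs and verification passes without looking at the version. converge.yml derives the value from `ELASTIC_RELEASE` with `| int`, which yields 0 when the variable is unset. Whether `elastic_release` is defined in verify.yml at all is not visible in the hunk. I would add a third `fail` task guarded by `- elastic_release not in [7, 8]` so an unexpected release is reported. The two tasks also share the name `Fail if Filebeat has the wrong version`; distinct names such as `Fail if Filebeat 7.x has the wrong version` make a failure easier to place.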
diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index e34abf46..0f82d274 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -31,13 +31,31 @@ - name: Ensure Elasticsearch is installed package: - name: elasticsearch{{ elastic_versionseparator }}{{ elastic_version }} - when: elastic_variant == "elastic" + name: elasticsearch + when: + - elastic_variant == "elastic" + - elastic_version is undefined - name: Ensure Elasticsearch OSS is installed package: name: elasticsearch-oss{{ elastic_versionseparator }}{{ elastic_version }} - when: elastic_variant == "oss" + when: + - elastic_variant == "oss" + - elastic_version is undefined + +- name: Ensure Elasticsearch is installed (specific version) + package: + name: elasticsearch{{ elastic_versionseparator }}{{ elastic_version }} + when: + - elastic_variant == "elastic" + - elastic_version is defined + +- name: Ensure Elasticsearch OSS is installed (specific version) + package: + name: elasticsearch-oss{{ elastic_versionseparator }}{{ elastic_version }} + when: + - elastic_variant == "oss" + - elastic_version is defined - name: Configure Elasticsearch template: diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 023d431f..bd915029 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -12,7 +12,6 @@ when: - elastic_cert_pass is defined -# tasks file for kibana - name: Set Elasticsearch hosts if used with other roles set_fact: kibana_elasticsearch_hosts: "{{ groups['elasticsearch'] }}" 
@@ -30,13 +29,32 @@ - name: Install Kibana package: - name: kibana{{ elastic_versionseparator }}{{ elastic_version }} - when: elastic_variant == "elastic" + name: kibana + when: + - elastic_variant == "elastic" + - elastic_version is undefined - name: Install Kibana OSS + package: + name: kibana-oss + when: + - elastic_variant == "oss" + - elastic_version is undefined + +- name: Install Kibana (specific version) + package: + name: kibana{{ elastic_versionseparator }}{{ elastic_version }} + when: + - elastic_variant == "elastic" + - elastic_version is defined + +- name: Install Kibana OSS (specific version) package: name: kibana-oss{{ elastic_versionseparator }}{{ elastic_version }} - when: elastic_variant == "oss" + when: + - elastic_variant == "oss" + - elastic_version is defined + - name: Import security related tasks import_tasks: kibana-security.yml diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index b1388ffb..4c9fe12b 100644 --- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -49,15 +49,32 @@ - name: Ensure Logstash is installed package: - name: "logstash{{ elastic_versionseparator }}{{ elastic_version }}" + name: logstash when: - elastic_variant == "elastic" + - elastic_version is undefined - name: Ensure Logstash OSS is installed + package: + name: logstash-oss + when: + - elastic_variant == "oss" + - elastic_version is undefined + +- name: Ensure Logstash is installed (specific version) + package: + name: "logstash{{ elastic_versionseparator }}{{ elastic_version }}" + when: + - elastic_variant == "elastic" + - elastic_version is defined + +- name: Ensure Logstash OSS is installed (specific version) package: name: "logstash-oss{{ elastic_versionseparator }}{{ elastic_version }}" when: - elastic_variant == "oss" + - elastic_version is defined + - name: Import Logstash Security tasks import_tasks: logstash-security.yml From e3267c778ea5110406d670de622fa1736ee3fcd3 Mon Sep 17 00:00:00 2001 
From: Thomas Widhalm Date: Mon, 20 Feb 2023 15:55:34 +0100 Subject: [PATCH 09/10] Old version had empty string for version --- molecule/beats_peculiar/converge.yml | 1 - roles/logstash/defaults/main.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/molecule/beats_peculiar/converge.yml b/molecule/beats_peculiar/converge.yml index 1fc587fc..a9ddb00c 100644 --- a/molecule/beats_peculiar/converge.yml +++ b/molecule/beats_peculiar/converge.yml @@ -23,7 +23,6 @@ elastic_stack_full_stack: false filebeat_mysql_slowlog_input: true beats_auditbeat: true - elastic_version: latest auditbeat_output: logstash auditbeat_enable: false # can't run on GitHub because of permissions filebeat_journald_inputs: diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml index d4d7425e..2bb8b2f9 100644 --- a/roles/logstash/defaults/main.yml +++ b/roles/logstash/defaults/main.yml @@ -1,6 +1,5 @@ --- # defaults file for logstash -elastic_version: "" logstash_enable: true logstash_config_backup: no logstash_manage_yaml: true From b1c235e334e7f76841a43e8e0f8e4836958ade15 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 20 Feb 2023 17:23:30 +0100 Subject: [PATCH 10/10] Typo --- roles/elasticsearch/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 0f82d274..979daf15 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -38,7 +38,7 @@ - name: Ensure Elasticsearch OSS is installed package: - name: elasticsearch-oss{{ elastic_versionseparator }}{{ elastic_version }} + name: elasticsearch-oss when: - elastic_variant == "oss" - elastic_version is undefined