From 2dd31b594a939bcde1b2d718b9fad7dfe2127195 Mon Sep 17 00:00:00 2001 From: Patrick Dolinic Date: Tue, 31 Jan 2023 14:50:42 +0100 Subject: [PATCH 01/24] add docs --- README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/README.md b/README.md index 90e769f5..07504d3a 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,29 @@ collections: ## Usage +1) + +Default: For general Elastic Installations including all other Belk Stacks you shoud use: + +``` +- name: Install Elasticsearch + hosts: all + become: true + collections: + - netways.elasticstack + vars: + elastic_stack_full_stack: true + elastic_variant: elastic + elasticsearch_jna_workaround: true + roles: + - repos + - beats + - elasticsearch + - logstash + - kibana +``` + +2) Specific: For OSS Installation without all the other BELK Stacks you could use: ``` - name: Install Elasticsearch hosts: all From 580cfca1afd8d885710e716b5dabf937368c4d0d Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Tue, 31 Jan 2023 15:01:37 +0100 Subject: [PATCH 02/24] Add some Readme --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 07504d3a..a8272a8c 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,9 @@ collections: 1) -Default: For general Elastic Installations including all other Belk Stacks you shoud use: +Default: For general Elastic Stack installations using all features use the following. + +You will need Redis installed and running for the default setup to run. A viable way is using the `geerlingguy.redis` role. (You can install it with `ansible-galaxy install geerlingguy.redis) ``` - name: Install Elasticsearch 
@@ -47,17 +49,19 @@ Default: For general Elastic Installations including all other Belk Stacks you s - repos - beats - elasticsearch + - geerlingguy.redis - logstash - kibana ``` -2) Specific: For OSS Installation without all the other BELK Stacks you could use: +2) Specific: For OSS Installation without X-Pack features you can use the following. _Note_ this is only available for version `7.x`. ``` - name: Install Elasticsearch hosts: all collections: - - NETWAYS.elasticstack + - netways.elasticstack vars: + elastic_stack_full_stack: true elastic_variant: oss elasticsearch_jna_workaround: true roles: From 7982c681d7c190ed0861e76892c1fab68a369d50 Mon Sep 17 00:00:00 2001 From: Patrick Dolinic Date: Tue, 31 Jan 2023 15:08:41 +0100 Subject: [PATCH 03/24] add readme on redis, default password --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index a8272a8c..431e740c 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,18 @@ collections: ## Usage +### Default Passwords + +Default Passwords can be seen during generation, or found later in `usr/share/elasticsearch/initial_passwords` + +### Redis + +0) You need to install the redis role which is maintained by geerlingguy + +``` +ansible-galaxy install geerlingguy.redis +``` + 1) Default: For general Elastic Stack installations using all features use the following. @@ -68,6 +80,7 @@ You will need Redis installed and running for the default setup to run. A viable - repos - beats - elasticsearch + - geerlingguy.redis - logstash - kibana ``` From 8ada6d3cbdf3b7b77ea948a5b81c2113e15fea0c Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Tue, 31 Jan 2023 15:13:42 +0100 Subject: [PATCH 04/24] Change sorting of roles in playbook --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 431e740c..a65430de 100644 --- a/README.md +++ b/README.md 
@@ -59,11 +59,11 @@ You will need Redis installed and running for the default setup to run. A viable elasticsearch_jna_workaround: true roles: - repos - - beats - elasticsearch - geerlingguy.redis - logstash - kibana + - beats ``` 2) Specific: For OSS Installation without X-Pack features you can use the following. _Note_ this is only available for version `7.x`. @@ -78,9 +78,9 @@ You will need Redis installed and running for the default setup to run. A viable elasticsearch_jna_workaround: true roles: - repos - - beats - elasticsearch - geerlingguy.redis - logstash - kibana + - beats ``` From abab565c687cca027718ea0456bde9fe41159530 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Tue, 31 Jan 2023 15:19:11 +0100 Subject: [PATCH 05/24] Install gpg-agent for repo handling on Ubuntu --- molecule/kibana_default/prepare.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/molecule/kibana_default/prepare.yml b/molecule/kibana_default/prepare.yml index 2c0fd094..ed1547d8 100644 --- a/molecule/kibana_default/prepare.yml +++ b/molecule/kibana_default/prepare.yml @@ -8,6 +8,7 @@ - gpg - curl - procps + - gpg-agent update_cache: yes when: ansible_os_family == "Debian" - name: Install git From 7f12048eddd210ba149df299efe8bb0cf1424f50 Mon Sep 17 00:00:00 2001 From: Patrick Dolinic Date: Wed, 1 Feb 2023 15:59:57 +0100 Subject: [PATCH 06/24] added documentation on override and fix passwords --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a65430de..8764570e 100644 --- a/README.md +++ b/README.md 
@@ -31,11 +31,13 @@ collections: ### Default Passwords -Default Passwords can be seen during generation, or found later in `usr/share/elasticsearch/initial_passwords` +Default Passwords can be seen during generation, or found later in `/usr/share/elasticsearch/initial_passwords` +To turn off security currently: +`elastic_override_beats_tls: true` ### Redis -0) You need to install the redis role which is maintained by geerlingguy +0) You need to install the redis role which is maintained by geerlingguy. ``` ansible-galaxy install geerlingguy.redis From 8e447816f44590b6d09e61616c9efcffa718b38d Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Wed, 1 Feb 2023 20:59:28 +0100 Subject: [PATCH 07/24] Add tests for Elasticsearch 7 and 8 --- .github/workflows/test_role_elasticsearch.yml | 2 ++ molecule/elasticsearch_default/converge.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/.github/workflows/test_role_elasticsearch.yml b/.github/workflows/test_role_elasticsearch.yml index 99a06f43..d680c156 100644 --- a/.github/workflows/test_role_elasticsearch.yml +++ b/.github/workflows/test_role_elasticsearch.yml @@ -71,6 +71,7 @@ jobs: matrix: distro: [ubuntu2204] scenario: [elasticsearch_default, elasticsearch_cluster, elasticsearch_cluster-oss, elasticsearch_no-security] + release: [7, 8] steps: - name: Check out code @@ -96,5 +97,6 @@ jobs: molecule test -s ${{ matrix.scenario }} env: MOLECULE_DISTRO: ${{ matrix.distro }} + ELASTIC_RELEASE: ${{ matrix.release }} PY_COLORS: '1' ANSIBLE_FORCE_COLOR: '1' diff --git a/molecule/elasticsearch_default/converge.yml b/molecule/elasticsearch_default/converge.yml index df3ce033..bda9f510 100644 --- a/molecule/elasticsearch_default/converge.yml +++ b/molecule/elasticsearch_default/converge.yml 
@@ -10,6 +10,7 @@ elasticsearch_security: false elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') }}" tasks: - name: Include Elastics repos role include_role: From c813b659e2c42d4533785095e05e083679d74c79 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Wed, 1 Feb 2023 21:04:31 +0100 Subject: [PATCH 08/24] Add matrix release to pr checks --- .github/workflows/test_roles_pr.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/test_roles_pr.yml b/.github/workflows/test_roles_pr.yml index d3a57654..a06bcf54 100644 --- a/.github/workflows/test_roles_pr.yml +++ b/.github/workflows/test_roles_pr.yml @@ -28,6 +28,9 @@ jobs: - kibana_default - logstash_default - repos_default + release: + - 7 + - 8 steps: - name: Check out code @@ -55,3 +58,4 @@ jobs: MOLECULE_DISTRO: ${{ matrix.distro }} PY_COLORS: '1' ANSIBLE_FORCE_COLOR: '1' + ELASTIC_RELEASE: ${{ matrix.release }} From 62398c20edba97b109b3cda003077e7bec4ff6ea Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Thu, 2 Feb 2023 10:27:01 +0100 Subject: [PATCH 09/24] Cast elastic_release to int When setting a variable e.g. via ENV in Molecule we need to explicitly cast the variable to int. --- roles/elasticsearch/tasks/elasticsearch-parameters.yml | 2 +- roles/repos/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elasticsearch/tasks/elasticsearch-parameters.yml b/roles/elasticsearch/tasks/elasticsearch-parameters.yml index 8823c431..6d2ddd2e 100644 --- a/roles/elasticsearch/tasks/elasticsearch-parameters.yml +++ b/roles/elasticsearch/tasks/elasticsearch-parameters.yml @@ -3,6 +3,6 @@ ansible.builtin.fail: msg: "Elasticsearch >= 8 requires enabled security. Set elasticsearch_security to true" when: - - elastic_release >= 8 + - elastic_release | int >= 8 - elastic_variant == 'elastic' - elasticsearch_security is not defined or not elasticsearch_security 
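Review bot: The added `elastic_release` line in molecule/elasticsearch_default/converge.yml has no fallback, so a local `molecule test` run without `ELASTIC_RELEASE` exported hands the roles an empty string, which is what the `env` lookup returns for an unset variable. I would fall back to the role default, e.g. `elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | default(7, true) | int }}"`, where 7 is the role default at this commit and should follow later changes to it. The same expression is added to the other converge.yml files later in this series ([PATCH 13/24] and [PATCH 17/24]), where the trailing `| int` turns the empty value into 0 rather than a usable release. The rest of the play lies outside the hunk.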
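Review bot: `elastic_release | int` in the `when:` of the security guard maps any value it cannot parse (an empty string, `8.x`, a typo) to 0, so `>= 8` is false and the "requires enabled security" failure is skipped without any message. The same applies to the `elastic_release | int > 7` OSS guard in roles/repos/tasks/main.yml in this commit. Validating the variable once, ahead of the version-dependent tasks, keeps a malformed release from silently bypassing both guards. The task below is a sketch, and its placement is an assumption because the surrounding task files are not in the hunk.

```yaml
- name: Validate elastic_release before version-dependent checks
  ansible.builtin.assert:
    that:
      - elastic_release | int > 0
    fail_msg: "elastic_release must be a major version number, got '{{ elastic_release }}'"
# … unchanged: "Fail when security is not declared when elasticsearch >= 8" task …
```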
diff --git a/roles/repos/tasks/main.yml b/roles/repos/tasks/main.yml index e0f1a181..f0d18b2c 100644 --- a/roles/repos/tasks/main.yml +++ b/roles/repos/tasks/main.yml @@ -4,7 +4,7 @@ ansible.builtin.fail: msg: "No OSS versions later than 7 are available" when: - - elastic_release > 7 + - elastic_release | int > 7 - elastic_variant == "oss" - import_tasks: redhat.yml From ca5dcf85d53792b983e7cc9963a5a4bf03972866 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Thu, 2 Feb 2023 10:43:48 +0100 Subject: [PATCH 10/24] Set "full stack mode" as default --- roles/beats/defaults/main.yml | 2 +- roles/elasticsearch/defaults/main.yml | 1 + roles/kibana/defaults/main.yml | 1 + roles/logstash/defaults/main.yml | 3 +-- roles/repos/defaults/main.yml | 1 + 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml index 276bda68..43ed52c6 100644 --- a/roles/beats/defaults/main.yml +++ b/roles/beats/defaults/main.yml @@ -59,7 +59,7 @@ metricbeat_modules: - system metricbeat_loadbalance: true -elastic_stack_full_stack: false +elastic_stack_full_stack: true elastic_variant: elastic elastic_security: true diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml index c6e658c2..dffda3f0 100644 --- a/roles/elasticsearch/defaults/main.yml +++ b/roles/elasticsearch/defaults/main.yml @@ -29,4 +29,5 @@ elastic_cert_pass: PleaseChangeMeIndividually # "global" variables for all roles elastic_release: 7 +elastic_stack_full_stack: true elastic_variant: elastic diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml index d363b5c8..780539e0 100644 --- a/roles/kibana/defaults/main.yml +++ b/roles/kibana/defaults/main.yml @@ -17,4 +17,5 @@ elastic_initial_passwords: /usr/share/elasticsearch/initial_passwords # "global" variables for all roles elastic_release: 7 +elastic_stack_full_stack: true elastic_variant: elastic 
diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml index f28e8927..a1535804 100644 --- a/roles/logstash/defaults/main.yml +++ b/roles/logstash/defaults/main.yml @@ -57,8 +57,6 @@ logstash_pipeline_identifier: true logstash_pipeline_identifier_field_name: "[netways][pipeline]" logstash_pipeline_identifier_defaults: false -# elastic full stack configuration -elastic_stack_full_stack: false elastic_ca_dir: /opt/es-ca elastic_initial_passwords: /usr/share/elasticsearch/initial_passwords elastic_ca_pass: PleaseChangeMe @@ -66,6 +64,7 @@ elastic_ca_pass: PleaseChangeMe # "global" variables for all roles elastic_release: 7 +elastic_stack_full_stack: true elastic_variant: elastic elastic_security: true diff --git a/roles/repos/defaults/main.yml b/roles/repos/defaults/main.yml index 6618d82c..46f0f23c 100644 --- a/roles/repos/defaults/main.yml +++ b/roles/repos/defaults/main.yml @@ -1,6 +1,7 @@ --- # defaults file for elastic-repos elastic_release: 7 +elastic_stack_full_stack: true elastic_variant: elastic elastic_rpm_workaround: false From 41015bec37cf456131595733584b8ca8610daf6a Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Thu, 2 Feb 2023 10:45:48 +0100 Subject: [PATCH 11/24] Set release 8 as default --- roles/beats/defaults/main.yml | 1 + roles/elasticsearch/defaults/main.yml | 2 +- roles/kibana/defaults/main.yml | 2 +- roles/logstash/defaults/main.yml | 2 +- roles/repos/defaults/main.yml | 2 +- 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml index 43ed52c6..f22c3856 100644 --- a/roles/beats/defaults/main.yml +++ b/roles/beats/defaults/main.yml @@ -59,6 +59,7 @@ metricbeat_modules: - system metricbeat_loadbalance: true +elastic_release: 8 elastic_stack_full_stack: true elastic_variant: elastic elastic_security: true diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml index dffda3f0..5bdb6788 100644 
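Review bot: The placeholder `elastic_ca_pass: PleaseChangeMe` in the context of the first roles/logstash/defaults/main.yml hunk becomes part of the out-of-the-box configuration once `elastic_stack_full_stack` defaults to `true`, and nothing visible here forces an override. The hunk also removes the `# elastic full stack configuration` comment that grouped these settings. `elastic_cert_pass: PleaseChangeMeIndividually` in the elasticsearch defaults of this commit is in the same position. I would keep a comment above the passphrase, e.g. `# placeholder only: override elastic_ca_pass per environment (e.g. from Ansible Vault)`. A follow-up could make the roles refuse to run in full-stack mode while the placeholder is still in place.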
--- a/roles/elasticsearch/defaults/main.yml +++ b/roles/elasticsearch/defaults/main.yml @@ -28,6 +28,6 @@ elastic_cert_pass: PleaseChangeMeIndividually # "global" variables for all roles -elastic_release: 7 +elastic_release: 8 elastic_stack_full_stack: true elastic_variant: elastic diff --git a/roles/kibana/defaults/main.yml b/roles/kibana/defaults/main.yml index 780539e0..1ae2bd24 100644 --- a/roles/kibana/defaults/main.yml +++ b/roles/kibana/defaults/main.yml @@ -16,6 +16,6 @@ elastic_initial_passwords: /usr/share/elasticsearch/initial_passwords # "global" variables for all roles -elastic_release: 7 +elastic_release: 8 elastic_stack_full_stack: true elastic_variant: elastic diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml index a1535804..9639447e 100644 --- a/roles/logstash/defaults/main.yml +++ b/roles/logstash/defaults/main.yml @@ -63,7 +63,7 @@ elastic_ca_pass: PleaseChangeMe # "global" variables for all roles -elastic_release: 7 +elastic_release: 8 elastic_stack_full_stack: true elastic_variant: elastic elastic_security: true diff --git a/roles/repos/defaults/main.yml b/roles/repos/defaults/main.yml index 46f0f23c..de1b24cc 100644 --- a/roles/repos/defaults/main.yml +++ b/roles/repos/defaults/main.yml @@ -1,6 +1,6 @@ --- # defaults file for elastic-repos -elastic_release: 7 +elastic_release: 8 elastic_stack_full_stack: true elastic_variant: elastic From a408be39bf15f744231b318400520acf77ce6039 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Thu, 2 Feb 2023 11:52:47 +0100 Subject: [PATCH 12/24] Set full stack to false due to changed default --- molecule/beats_default/converge.yml | 1 + molecule/elasticsearch_default/converge.yml | 1 + molecule/kibana_default/converge.yml | 2 ++ molecule/logstash_default/converge.yml | 2 ++ molecule/repos_default/converge.yml | 1 + 5 files changed, 7 insertions(+) diff --git a/molecule/beats_default/converge.yml b/molecule/beats_default/converge.yml index 72255217..c5d18616 100644 
--- a/molecule/beats_default/converge.yml +++ b/molecule/beats_default/converge.yml @@ -8,6 +8,7 @@ collections: - NETWAYS.elasticstack vars: + elastic_stack_full_stack: false elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true tasks: diff --git a/molecule/elasticsearch_default/converge.yml b/molecule/elasticsearch_default/converge.yml index bda9f510..85f85c5f 100644 --- a/molecule/elasticsearch_default/converge.yml +++ b/molecule/elasticsearch_default/converge.yml @@ -8,6 +8,7 @@ vars: elasticsearch_enable: false elasticsearch_security: false + elastic_stack_full_stack: false elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') }}" diff --git a/molecule/kibana_default/converge.yml b/molecule/kibana_default/converge.yml index 0be4ad7a..e795336f 100644 --- a/molecule/kibana_default/converge.yml +++ b/molecule/kibana_default/converge.yml @@ -5,6 +5,8 @@ # https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722 - name: Converge hosts: all + vars: + elastic_stack_full_stack: false collections: - NETWAYS.elasticstack tasks: diff --git a/molecule/logstash_default/converge.yml b/molecule/logstash_default/converge.yml index a0e058a0..a57830ec 100644 --- a/molecule/logstash_default/converge.yml +++ b/molecule/logstash_default/converge.yml @@ -5,6 +5,8 @@ # https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722 - name: Converge hosts: all + vars: + elastic_stack_full_stack: false collections: - NETWAYS.elasticstack tasks: diff --git a/molecule/repos_default/converge.yml b/molecule/repos_default/converge.yml index 12597e29..0c56eda0 100644 --- a/molecule/repos_default/converge.yml +++ b/molecule/repos_default/converge.yml @@ -5,6 +5,7 @@ - NETWAYS.elasticstack vars: elastic_rpm_workaround: true + elastic_stack_full_stack: false tasks: - name: Include Elastic Repos ansible.builtin.include_role: 
From 41aac7f6e93e25216ef3903f8d1dd272ff1ad364 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Thu, 2 Feb 2023 11:57:04 +0100 Subject: [PATCH 13/24] Add checks for different versions to all defaults We want to check all current versions, so we need to add them to molecule --- molecule/beats_default/converge.yml | 1 + molecule/elasticsearch_default/converge.yml | 2 +- molecule/kibana_default/converge.yml | 1 + molecule/logstash_default/converge.yml | 1 + molecule/repos_default/converge.yml | 1 + 5 files changed, 5 insertions(+), 1 deletion(-) diff --git a/molecule/beats_default/converge.yml b/molecule/beats_default/converge.yml index c5d18616..f87e95dc 100644 --- a/molecule/beats_default/converge.yml +++ b/molecule/beats_default/converge.yml @@ -11,6 +11,7 @@ elastic_stack_full_stack: false elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include Elastics repos role include_role: diff --git a/molecule/elasticsearch_default/converge.yml b/molecule/elasticsearch_default/converge.yml index 85f85c5f..825cbcc9 100644 --- a/molecule/elasticsearch_default/converge.yml +++ b/molecule/elasticsearch_default/converge.yml @@ -11,7 +11,7 @@ elastic_stack_full_stack: false elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true - elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') }}" + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include Elastics repos role include_role: diff --git a/molecule/kibana_default/converge.yml b/molecule/kibana_default/converge.yml index e795336f..7fcf730d 100644 --- a/molecule/kibana_default/converge.yml +++ b/molecule/kibana_default/converge.yml @@ -7,6 +7,7 @@ hosts: all vars: elastic_stack_full_stack: false + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" collections: - NETWAYS.elasticstack tasks: 
diff --git a/molecule/logstash_default/converge.yml b/molecule/logstash_default/converge.yml index a57830ec..5e26daf1 100644 --- a/molecule/logstash_default/converge.yml +++ b/molecule/logstash_default/converge.yml @@ -7,6 +7,7 @@ hosts: all vars: elastic_stack_full_stack: false + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" collections: - NETWAYS.elasticstack tasks: diff --git a/molecule/repos_default/converge.yml b/molecule/repos_default/converge.yml index 0c56eda0..32a5d243 100644 --- a/molecule/repos_default/converge.yml +++ b/molecule/repos_default/converge.yml @@ -6,6 +6,7 @@ vars: elastic_rpm_workaround: true elastic_stack_full_stack: false + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include Elastic Repos ansible.builtin.include_role: From d357b10b48fd355ff5f44db3882db470c4c5764d Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Thu, 2 Feb 2023 12:52:19 +0100 Subject: [PATCH 14/24] Activate Elasticsearch security for version > 7 --- molecule/elasticsearch_default/converge.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/elasticsearch_default/converge.yml b/molecule/elasticsearch_default/converge.yml index 825cbcc9..ab011663 100644 --- a/molecule/elasticsearch_default/converge.yml +++ b/molecule/elasticsearch_default/converge.yml @@ -7,7 +7,7 @@ hosts: all vars: elasticsearch_enable: false - elasticsearch_security: false + elasticsearch_security: true # needed for tests of > 7 releases elastic_stack_full_stack: false elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true From fbf16ff9ba26fd1e61f323635590ab58b5bc5f06 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Thu, 2 Feb 2023 13:23:50 +0100 Subject: [PATCH 15/24] Typo in heap formula --- molecule/elasticsearch_default/converge.yml | 2 +- roles/elasticsearch/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/molecule/elasticsearch_default/converge.yml b/molecule/elasticsearch_default/converge.yml index ab011663..0b55b2e4 100644 --- a/molecule/elasticsearch_default/converge.yml +++ b/molecule/elasticsearch_default/converge.yml @@ -7,7 +7,7 @@ hosts: all vars: elasticsearch_enable: false - elasticsearch_security: true # needed for tests of > 7 releases + #elasticsearch_security: true # needed for tests of > 7 releases elastic_stack_full_stack: false elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 1db33587..94fb7d88 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -94,7 +94,7 @@ - name: Show Info about heap debug: - msg: "Using {{ elasticsearch_heap * 1024 }} of {{ ansible_memtotal_mb }} MB as heap for Elasticsearch" + msg: "Using {{ elasticsearch_heap / 1024 }} of {{ ansible_memtotal_mb }} MB as heap for Elasticsearch" - name: Start Elasticsearch service: From 30ba720bd8e101b6cdbdcec1210bbd5974fcf6af Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Thu, 2 Feb 2023 13:24:37 +0100 Subject: [PATCH 16/24] Test version 8 with security disabled --- .../tasks/elasticsearch-parameters.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/elasticsearch/tasks/elasticsearch-parameters.yml b/roles/elasticsearch/tasks/elasticsearch-parameters.yml index 6d2ddd2e..5f443b71 100644 --- a/roles/elasticsearch/tasks/elasticsearch-parameters.yml +++ b/roles/elasticsearch/tasks/elasticsearch-parameters.yml 
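Review bot: The `Show Info about heap` message in roles/elasticsearch/tasks/main.yml still labels the figure as MB next to `ansible_memtotal_mb`, but neither the old `* 1024` nor the new `/ 1024` can be checked against the unit of `elasticsearch_heap`, which is set outside this hunk. Jinja's `/` is true division, so the value will also render as a float such as `2.0`. A comment above the task stating the unit, e.g. `# elasticsearch_heap is in <unit>; converted to MB for display only`, would make the intent checkable. Adding `| int` or `| round` to the expression would fix the float rendering.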
@@ -1,8 +1,8 @@ --- -- name: Fail when security is not declared when elasticsearch >= 8 - ansible.builtin.fail: - msg: "Elasticsearch >= 8 requires enabled security. Set elasticsearch_security to true" - when: - - elastic_release | int >= 8 - - elastic_variant == 'elastic' - - elasticsearch_security is not defined or not elasticsearch_security +#- name: Fail when security is not declared when elasticsearch >= 8 +# ansible.builtin.fail: +# msg: "Elasticsearch >= 8 requires enabled security. Set elasticsearch_security to true" +# when: +# - elastic_release | int >= 8 +# - elastic_variant == 'elastic' +# - elasticsearch_security is not defined or not elasticsearch_security From 47cb0264a515138d5b25fc82bd37f67e73a0c3a3 Mon Sep 17 00:00:00 2001 
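Review bot: Commenting out the whole `Fail when security is not declared when elasticsearch >= 8` task removes the guard for every consumer of the role, not only for the test run the subject line refers to. With `elastic_release: 8` made the default in [PATCH 11/24], a play that sets `elasticsearch_security: false` now proceeds on release 8 with no message. Whether the role then produces a working node or an unauthenticated one cannot be seen from this hunk. If the aim is only to let the test matrix exercise that combination, keep the task and gate it on an explicit, default-off opt-out variable set in the molecule scenario. Failing that, downgrade it to an `ansible.builtin.debug` warning rather than leaving a file that holds only `---` and dead commented code.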
From: Thomas Widhalm Date: Fri, 3 Feb 2023 13:49:33 +0100 Subject: [PATCH 17/24] Add tests for release 7 and 8 Some checks (esp. oss) force release 7 to be used. So they run two times with hardcoded release 7. That's a waste of ressources. We can accept it because they will all be removed as soon as 7 is out of support --- .github/workflows/test_full_stack.yml | 4 ++ .github/workflows/test_role_beats.yml | 2 + .github/workflows/test_role_kibana.yml | 2 + .github/workflows/test_role_logstash.yml | 4 ++ .github/workflows/test_role_repos.yml | 4 +- molecule/beats_full_stack/converge.yml | 1 + molecule/beats_peculiar/converge.yml | 1 + molecule/elasticsearch_cluster-8/converge.yml | 18 ------- molecule/elasticsearch_cluster-8/molecule.yml | 24 --------- molecule/elasticsearch_cluster-8/prepare.yml | 36 ------------- molecule/elasticsearch_cluster-8/verify.yml | 54 ------------------- .../elasticsearch_cluster-oss/converge.yml | 1 + molecule/elasticsearch_cluster/converge.yml | 1 + .../elasticsearch_no-security/converge.yml | 1 + molecule/elasticstack_default/converge.yml | 1 + molecule/kibana_full_stack-oss/converge.yml | 1 + molecule/kibana_full_stack/converge.yml | 1 + molecule/logstash_full_stack-oss/converge.yml | 1 + molecule/logstash_full_stack/converge.yml | 1 + molecule/logstash_pipelines/converge.yml | 1 + molecule/logstash_run_logstash/converge.yml | 1 + .../logstash_specific_version/converge.yml | 1 + molecule/repos_elastic8/converge.yml | 14 ----- molecule/repos_elastic8/molecule.yml | 18 ------- molecule/repos_elastic8/prepare.yml | 17 ------ molecule/repos_elastic8/verify.yml | 9 ---- molecule/repos_oss/converge.yml | 1 + 27 files changed, 29 insertions(+), 191 deletions(-) delete mode 100644 molecule/elasticsearch_cluster-8/converge.yml delete mode 100644 molecule/elasticsearch_cluster-8/molecule.yml delete mode 100644 molecule/elasticsearch_cluster-8/prepare.yml delete mode 100644 molecule/elasticsearch_cluster-8/verify.yml delete mode 100644 
molecule/repos_elastic8/converge.yml delete mode 100644 molecule/repos_elastic8/molecule.yml delete mode 100644 molecule/repos_elastic8/prepare.yml delete mode 100644 molecule/repos_elastic8/verify.yml diff --git a/.github/workflows/test_full_stack.yml b/.github/workflows/test_full_stack.yml index c8408be2..c33337fd 100644 --- a/.github/workflows/test_full_stack.yml +++ b/.github/workflows/test_full_stack.yml @@ -28,6 +28,9 @@ jobs: - ubuntu2204 scenario: - elasticstack_default + release: + - 7 + - 8 steps: - name: Check out code @@ -55,3 +58,4 @@ jobs: MOLECULE_DISTRO: ${{ matrix.distro }} PY_COLORS: '1' ANSIBLE_FORCE_COLOR: '1' + ELASTIC_RELEASE: ${{ matrix.release }} diff --git a/.github/workflows/test_role_beats.yml b/.github/workflows/test_role_beats.yml index 9fde9e65..40837469 100644 --- a/.github/workflows/test_role_beats.yml +++ b/.github/workflows/test_role_beats.yml @@ -71,6 +71,7 @@ jobs: matrix: distro: [debian11, rockylinux8, ubuntu2204] scenario: [beats_default, beats_full_stack, beats_peculiar] + release: [ 7, 8 ] steps: - name: Check out code @@ -98,3 +99,4 @@ jobs: MOLECULE_DISTRO: ${{ matrix.distro }} PY_COLORS: '1' ANSIBLE_FORCE_COLOR: '1' + ELASTIC_RELEASE: ${{ matrix.release }} diff --git a/.github/workflows/test_role_kibana.yml b/.github/workflows/test_role_kibana.yml index 9d28ab5b..00122650 100644 --- a/.github/workflows/test_role_kibana.yml +++ b/.github/workflows/test_role_kibana.yml @@ -71,6 +71,7 @@ jobs: matrix: distro: [ubuntu2204] scenario: [kibana_default, kibana_full_stack, kibana_full_stack-oss] + release: [ 7, 8 ] steps: - name: Check out code @@ -96,3 +97,4 @@ jobs: molecule test -s ${{ matrix.scenario }} env: MOLECULE_DISTRO: ${{ matrix.distro }} + ELASTIC_RELEASE: ${{ matrix.release }} diff --git a/.github/workflows/test_role_logstash.yml b/.github/workflows/test_role_logstash.yml index a0387503..e6765780 100644 --- a/.github/workflows/test_role_logstash.yml +++ b/.github/workflows/test_role_logstash.yml 
@@ -69,6 +69,7 @@ jobs: matrix: distro: [ubuntu2204] scenario: [logstash_default] + release: [ 7, 8 ] steps: - name: Check out code @@ -96,6 +97,7 @@ jobs: MOLECULE_DISTRO: ${{ matrix.distro }} PY_COLORS: '1' ANSIBLE_FORCE_COLOR: '1' + ELASTIC_RELEASE: ${{ matrix.release }} molecule_tests: runs-on: ubuntu-latest @@ -115,6 +117,7 @@ jobs: logstash_full_stack-oss, logstash_specific_version, logstash_pipelines] + release: [ 7, 8 ] steps: - name: Check out code @@ -142,3 +145,4 @@ jobs: MOLECULE_DISTRO: ${{ matrix.distro }} PY_COLORS: '1' ANSIBLE_FORCE_COLOR: '1' + ELASTIC_RELEASE: ${{ matrix.release }} diff --git a/.github/workflows/test_role_repos.yml b/.github/workflows/test_role_repos.yml index 8be30a8e..0baa39c0 100644 --- a/.github/workflows/test_role_repos.yml +++ b/.github/workflows/test_role_repos.yml @@ -70,7 +70,8 @@ jobs: matrix: distro: [centos7, debian10, debian11, rockylinux8, rockylinux9, ubuntu2004, ubuntu2204] - scenario: [repos_default, repos_oss, repos_elastic8] + scenario: [repos_default, repos_oss] + release: [ 7, 8 ] steps: - name: Check out code @@ -97,3 +98,4 @@ jobs: molecule test -s ${{ matrix.scenario }} env: MOLECULE_DISTRO: ${{ matrix.distro }} + ELASTIC_RELEASE: ${{ matrix.release }} diff --git a/molecule/beats_full_stack/converge.yml b/molecule/beats_full_stack/converge.yml index 28fab1f4..41ff09e1 100644 --- a/molecule/beats_full_stack/converge.yml +++ b/molecule/beats_full_stack/converge.yml @@ -17,6 +17,7 @@ - "testbed: molecule" elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include Elastics repos role include_role: diff --git a/molecule/beats_peculiar/converge.yml b/molecule/beats_peculiar/converge.yml index fa7fd830..b71ef0fd 100644 --- a/molecule/beats_peculiar/converge.yml +++ b/molecule/beats_peculiar/converge.yml 
@@ -33,6 +33,7 @@ beats_metricbeat: true metricbeat_output: logstash filebeat_docker: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Set Filebeat version on RedHat set_fact: diff --git a/molecule/elasticsearch_cluster-8/converge.yml b/molecule/elasticsearch_cluster-8/converge.yml deleted file mode 100644 index 8b3aaa6b..00000000 --- a/molecule/elasticsearch_cluster-8/converge.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -# The workaround for arbitrarily named role directory is important because the git repo has one name and the role within it another -# Found at: https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722 -- name: Converge - hosts: all - collections: - - NETWAYS.elasticstack - vars: - # elasticsearch_disable_systemcallfilterchecks: true - elastic_release: 8 - elasticsearch_jna_workaround: true - tasks: - - name: "Include Elastics repos role" - include_role: - name: repos - - name: "Include Elasticsearch" - include_role: - name: elasticsearch diff --git a/molecule/elasticsearch_cluster-8/molecule.yml b/molecule/elasticsearch_cluster-8/molecule.yml deleted file mode 100644 index 0a4e67ab..00000000 --- a/molecule/elasticsearch_cluster-8/molecule.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -platforms: - - name: elasticsearch-cluster81 - groups: - - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - privileged: true - pre_build_image: true - - name: elasticsearch-cluster82 - groups: - - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - privileged: true - pre_build_image: true -provisioner: - name: ansible -verifier: - name: ansible diff --git a/molecule/elasticsearch_cluster-8/prepare.yml b/molecule/elasticsearch_cluster-8/prepare.yml deleted file mode 100644 index d6abc016..00000000 
--- a/molecule/elasticsearch_cluster-8/prepare.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -- name: Prepare - hosts: all - tasks: - - name: Refresh apt cache - apt: - update_cache: yes - when: ansible_os_family == "Debian" - - - name: Install git - package: - name: git - - - name: Install packages for RHEL - package: - name: - - iproute - - NetworkManager - when: ansible_os_family == "RedHat" - - - name: Start NetworkManager - service: - name: NetworkManager - state: started - enabled: yes - when: ansible_os_family == "RedHat" - - - name: Install packages for Debian - package: - name: - - gpg - - gpg-agent - - procps - - curl - - iproute2 - when: ansible_os_family == "Debian" diff --git a/molecule/elasticsearch_cluster-8/verify.yml b/molecule/elasticsearch_cluster-8/verify.yml deleted file mode 100644 index 1a5331aa..00000000 --- a/molecule/elasticsearch_cluster-8/verify.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -# This is an example playbook to execute Ansible tests. - -- name: Verify - hosts: all - vars: - elastic_initial_passwords: /usr/share/elasticsearch/initial_passwords - tasks: - - - name: Set elasticsearch_ca variable if not already done by user - set_fact: - elasticsearch_ca: "{{ groups['elasticsearch'][0] }}" - when: elasticsearch_ca is undefined - - - name: Fetch Elastic password - shell: grep "PASSWORD elastic" {{ elastic_initial_passwords }} | awk {' print $4 '} - register: elastic_password - changed_when: false - delegate_to: "{{ elasticsearch_ca }}" - - - name: Health check - uri: - url: https://localhost:9200/_cluster/health - method: GET - force_basic_auth: yes - user: elastic - password: "{{ elastic_password.stdout }}" - return_content: yes - status_code: 200 - validate_certs: false - register: result - until: result.json.status == "green" - retries: 6 - delay: 10 - - - name: Node check - uri: - url: https://localhost:9200/_cat/nodes - method: GET - force_basic_auth: yes - user: elastic - password: "{{ elastic_password.stdout }}" - return_content: yes - status_code: 200 - validate_certs: false - register: nodes - - - name: Check if all Nodes see each other - ansible.builtin.assert: - that: - - "'{{ item }}' in nodes.content" - fail_msg: "'{{ item }}' was not found in nodes.content" - success_msg: "'{{ item }}' was found in nodes.content" - with_inventory_hostnames: all diff --git a/molecule/elasticsearch_cluster-oss/converge.yml b/molecule/elasticsearch_cluster-oss/converge.yml index 4160b128..fcfa00f9 100644 --- a/molecule/elasticsearch_cluster-oss/converge.yml +++ b/molecule/elasticsearch_cluster-oss/converge.yml @@ -9,6 +9,7 @@ elastic_variant: oss elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true + elastic_release: 7 tasks: - name: Include Elastics repos role include_role: 
diff --git a/molecule/elasticsearch_cluster/converge.yml b/molecule/elasticsearch_cluster/converge.yml index abe83483..b8578b08 100644 --- a/molecule/elasticsearch_cluster/converge.yml +++ b/molecule/elasticsearch_cluster/converge.yml @@ -8,6 +8,7 @@ vars: elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include Elastics repos role include_role: diff --git a/molecule/elasticsearch_no-security/converge.yml b/molecule/elasticsearch_no-security/converge.yml index 70361213..49619dfb 100644 --- a/molecule/elasticsearch_no-security/converge.yml +++ b/molecule/elasticsearch_no-security/converge.yml @@ -9,6 +9,7 @@ elasticsearch_security: false elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include Elastics repos role include_role: diff --git a/molecule/elasticstack_default/converge.yml b/molecule/elasticstack_default/converge.yml index b8b54f6c..630a8377 100644 --- a/molecule/elasticstack_default/converge.yml +++ b/molecule/elasticstack_default/converge.yml @@ -8,6 +8,7 @@ elasticsearch_disable_systemcallfilterchecks: true elastic_stack_full_stack: true elastic_variant: oss + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include Elastic Repos include_role: diff --git a/molecule/kibana_full_stack-oss/converge.yml b/molecule/kibana_full_stack-oss/converge.yml index 604a7ae9..6ba41220 100644 --- a/molecule/kibana_full_stack-oss/converge.yml +++ b/molecule/kibana_full_stack-oss/converge.yml @@ -10,6 +10,7 @@ vars: elastic_stack_full_stack: true elastic_variant: oss + elastic_release: 7 tasks: - name: Include Elastic Repos include_role: diff --git a/molecule/kibana_full_stack/converge.yml b/molecule/kibana_full_stack/converge.yml index af39cc3b..cac315c4 100644 --- a/molecule/kibana_full_stack/converge.yml 
+++ b/molecule/kibana_full_stack/converge.yml @@ -9,6 +9,7 @@ - NETWAYS.elasticstack vars: elastic_stack_full_stack: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include Elastic Repos include_role: diff --git a/molecule/logstash_full_stack-oss/converge.yml b/molecule/logstash_full_stack-oss/converge.yml index 651e89b2..c4eb598f 100644 --- a/molecule/logstash_full_stack-oss/converge.yml +++ b/molecule/logstash_full_stack-oss/converge.yml @@ -21,6 +21,7 @@ filebeat_syslog_udp: true filebeat_syslog_tcp: true logstash_beats_tls: false + elastic_release: 7 tasks: - name: "Include Elastics repos role" include_role: diff --git a/molecule/logstash_full_stack/converge.yml b/molecule/logstash_full_stack/converge.yml index 30185bdd..d251bf98 100644 --- a/molecule/logstash_full_stack/converge.yml +++ b/molecule/logstash_full_stack/converge.yml @@ -11,6 +11,7 @@ elastic_stack_full_stack: true filebeat_syslog_udp: true filebeat_syslog_tcp: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include repos role include_role: diff --git a/molecule/logstash_pipelines/converge.yml b/molecule/logstash_pipelines/converge.yml index 7ba9141d..908315c9 100644 --- a/molecule/logstash_pipelines/converge.yml +++ b/molecule/logstash_pipelines/converge.yml @@ -29,6 +29,7 @@ key: forwarder logstash_pipeline_identifier_field_name: "[mytest][pipelines]" logstash_pipeline_identifier_defaults: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: "Include Elastics repos role" include_role: diff --git a/molecule/logstash_run_logstash/converge.yml b/molecule/logstash_run_logstash/converge.yml index 0dcb72ec..fd852af0 100644 --- a/molecule/logstash_run_logstash/converge.yml +++ b/molecule/logstash_run_logstash/converge.yml 
@@ -40,6 +40,7 @@ output: - name: forwarder key: forwarder + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: Include Elastics repos role include_role: diff --git a/molecule/logstash_specific_version/converge.yml b/molecule/logstash_specific_version/converge.yml index b4910eaf..aab57eef 100644 --- a/molecule/logstash_specific_version/converge.yml +++ b/molecule/logstash_specific_version/converge.yml @@ -12,6 +12,7 @@ logstash_logging_console: false logstash_logging_slow_file: false logstash_pipeline_identifier: false + elastic_release: 7 tasks: - name: Set Logstash version on RedHat diff --git a/molecule/repos_elastic8/converge.yml b/molecule/repos_elastic8/converge.yml deleted file mode 100644 index 6c71e2b2..00000000 --- a/molecule/repos_elastic8/converge.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -# The workaround for arbitrarily named role directory is important because the git repo has one name and the role within it another -# Found at: https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722 -- name: Converge - collections: - - NETWAYS.elasticstack - vars: - elastic_release: 8 - elastic_rpm_workaround: true - hosts: all - tasks: - - name: "Include Elastic Repos" - ansible.builtin.include_role: - name: repos diff --git a/molecule/repos_elastic8/molecule.yml b/molecule/repos_elastic8/molecule.yml deleted file mode 100644 index dbbe9ea0..00000000 --- a/molecule/repos_elastic8/molecule.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -platforms: - - name: elastic-repos-default - image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" - command: ${MOLECULE_DOCKER_COMMAND:-""} - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:rw - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible -verifier: - name: ansible 
diff --git a/molecule/repos_elastic8/prepare.yml b/molecule/repos_elastic8/prepare.yml deleted file mode 100644 index 619f7c2c..00000000 --- a/molecule/repos_elastic8/prepare.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: Prepare - hosts: all - tasks: - - name: Install requirements for Debian - ansible.builtin.apt: - name: - - gpg - - apt-transport-https - update_cache: yes - when: ansible_os_family == "Debian" - - name: Install requirements for Ubuntu - ansible.builtin.apt: - name: - - gpg-agent - update_cache: yes - when: ansible_os_family == "Debian" and ansible_distribution == "Ubuntu" \ No newline at end of file diff --git a/molecule/repos_elastic8/verify.yml b/molecule/repos_elastic8/verify.yml deleted file mode 100644 index d0511758..00000000 --- a/molecule/repos_elastic8/verify.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -# This is an example playbook to execute Ansible tests. - -- name: Verify - hosts: all - tasks: - - name: Install Kibana - ansible.builtin.package: - name: kibana diff --git a/molecule/repos_oss/converge.yml b/molecule/repos_oss/converge.yml index c98cf928..fe97b87e 100644 --- a/molecule/repos_oss/converge.yml +++ b/molecule/repos_oss/converge.yml @@ -8,6 +8,7 @@ vars: elastic_variant: oss elastic_rpm_workaround: true + elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - name: "Include Elastic Repos" ansible.builtin.include_role: From e70a86d4e0b4302c7f5c54fb6d715cd8ab3e0474 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 3 Feb 2023 16:45:43 +0100 Subject: [PATCH 18/24] Test Elasticseach cluster without security --- molecule/elasticsearch_no-security/converge.yml | 1 + molecule/elasticsearch_no-security/molecule.yml | 12 +++++++++++- molecule/elasticsearch_no-security/verify.yml | 12 ------------ 3 files changed, 12 insertions(+), 13 deletions(-) diff --git a/molecule/elasticsearch_no-security/converge.yml b/molecule/elasticsearch_no-security/converge.yml index 49619dfb..dc3f1e68 100644 
--- a/molecule/elasticsearch_no-security/converge.yml +++ b/molecule/elasticsearch_no-security/converge.yml @@ -7,6 +7,7 @@ hosts: all vars: elasticsearch_security: false + elastic_security: false elasticsearch_jna_workaround: true elasticsearch_disable_systemcallfilterchecks: true elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" diff --git a/molecule/elasticsearch_no-security/molecule.yml b/molecule/elasticsearch_no-security/molecule.yml index f980152b..83ba94da 100644 --- a/molecule/elasticsearch_no-security/molecule.yml +++ b/molecule/elasticsearch_no-security/molecule.yml @@ -4,7 +4,17 @@ dependency: driver: name: docker platforms: - - name: elasticsearch_no_security + - name: elasticsearch-nosecurity1 + groups: + - elasticsearch + image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + cgroupns_mode: host + privileged: true + pre_build_image: true + - name: elasticsearch-nosecurity2 groups: - elasticsearch image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" diff --git a/molecule/elasticsearch_no-security/verify.yml b/molecule/elasticsearch_no-security/verify.yml index b7c3aac2..93d20b44 100644 --- a/molecule/elasticsearch_no-security/verify.yml +++ b/molecule/elasticsearch_no-security/verify.yml @@ -7,18 +7,6 @@ elastic_initial_passwords: /usr/share/elasticsearch/initial_passwords tasks: - - name: Set elasticsearch_ca variable if not already done by user - set_fact: - elasticsearch_ca: "{{ groups['elasticsearch'][0] }}" - when: elasticsearch_ca is undefined - - - name: Fetch Elastic password - shell: grep "PASSWORD elastic" {{ elastic_initial_passwords }} | awk {' print $4 '} - register: elastic_password - changed_when: false - delegate_to: "{{ elasticsearch_ca }}" - - # Remember, this is the no-security scenario. So no https - name: Health check uri: From b317b7e343b4efa1c3cd1f7e3e9f107f70298150 Mon Sep 17 00:00:00 2001 
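Review bot: Both platforms added in the molecule.yml hunk run with `privileged: true`, a read-write `/sys/fs/cgroup` mount and `cgroupns_mode: host`, while the image is pulled by the mutable `:latest` tag. With that much host access, whatever the tag points to at pull time runs effectively unconfined on the CI runner, so the image reference should be reproducible. A minimal step is to make the tag overridable and pin it in CI, e.g. `image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:${MOLECULE_IMAGE_TAG:-latest}"` (`MOLECULE_IMAGE_TAG` is a new variable proposed here), or to pin a digest per distro. A one-line comment above `privileged: true` stating why it is needed would also help later reviewers decide whether it can be dropped.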
From: Thomas Widhalm Date: Mon, 6 Feb 2023 11:23:18 +0100 Subject: [PATCH 19/24] Typecast elastic_release --- roles/elasticsearch/templates/elasticsearch.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2 index dd55dee2..36f46603 100644 --- a/roles/elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elasticsearch/templates/elasticsearch.yml.j2 @@ -2,7 +2,7 @@ node.name: "{{ ansible_hostname }}" path.data: {{ elasticsearch_datapath }} path.logs: /var/log/elasticsearch network.host: ["_local_","_site_"] -{% if elastic_release < 8 or groups['elasticsearch'] | length > 1 %} +{% if elastic_release | int < 8 or groups['elasticsearch'] | length > 1 %} discovery.seed_hosts: [ {% for host in groups['elasticsearch'] %} "{{ hostvars[host].ansible_default_ipv4.address | default(hostvars[host].ansible_all_ipv4_addresses[0]) }}"{% if not loop.last %},{% endif %} {% endfor %} ] From 2af7a3d2df0bd67f06c8145296024f4567a4e83e Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 6 Feb 2023 11:32:22 +0100 Subject: [PATCH 20/24] List which passwords can't be changed after init --- docs/role-elasticsearch.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md index de61f3a0..d5a81e3e 100644 --- a/docs/role-elasticsearch.md +++ b/docs/role-elasticsearch.md @@ -7,6 +7,8 @@ This role installs manages Elasticsearch on your hosts. Optionally it can config If you use the role to set up security you can use its CA to create certificates for Logstash and Kibana, too. +Please note that setting `elasticsearch_bootstrap_pw` as variable will only take effect when initialising Elasticsearch. Changes after starting elasticsearch for the first time will not change the bootstrap password for the instance and will lead to breaking tests. + Role Variables -------------- 
@@ -16,6 +18,7 @@ Role Variables * *elasticsearch_datapath*: Path where Elasticsearch will store it's data. (default: `/var/lib/elasticsearch` - the packages default) * *elasticsearch_create_datapath*: Create the path for data to store if it doesn't exist. (default: `false` - only useful if you change `elasticsearch_datapath`) * *elasticsearch_fs_repo*: List of paths that should be registered as repository for snapshots (only filesystem supported so far). (default: none) Remember, that every node needs access to the same share under the same path. +* *elasticsearch_bootstrap_pw*: Bootstrap password for Elasticsearch (Default: `PleaseChangeMe`) * *elasticsearch_disable_systemcallfilterchecks*: Disable system call filter checks. This has a security impact but is necessary on some systems. Please refer to the [docs](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/_system_call_filter_check.html) for details. (default: `false`) * *elasticsearch_pamlimits*: Set pam_limits neccessary for Elasticsearch. (Default: `true`) From ecc65d8891de97e4e3fd2b30aed521cf091e3cc1 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 6 Feb 2023 13:02:25 +0100 Subject: [PATCH 21/24] Start Elasticsearch --- molecule/elasticsearch_default/converge.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/molecule/elasticsearch_default/converge.yml b/molecule/elasticsearch_default/converge.yml index 0b55b2e4..a60272aa 100644 --- a/molecule/elasticsearch_default/converge.yml +++ b/molecule/elasticsearch_default/converge.yml @@ -6,7 +6,6 @@ - NETWAYS.elasticstack hosts: all vars: - elasticsearch_enable: false #elasticsearch_security: true # needed for tests of > 7 releases elastic_stack_full_stack: false elasticsearch_jna_workaround: true From be00d1ab99d8e265c726f80420a44ff3cd966f33 Mon Sep 17 00:00:00 2001 
From: Thomas Widhalm Date: Mon, 6 Feb 2023 13:31:10 +0100 Subject: [PATCH 22/24] Typecast elasticsearch_heap --- roles/elasticsearch/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index e922d788..fc31241a 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -96,7 +96,7 @@ - name: Show Info about heap debug: - msg: "Using {{ elasticsearch_heap / 1024 }} of {{ ansible_memtotal_mb }} MB as heap for Elasticsearch" + msg: "Using {{ elasticsearch_heap | int / 1024 }} of {{ ansible_memtotal_mb }} MB as heap for Elasticsearch" - name: Start Elasticsearch service: From aff2e6ccfc01df97f6552c08869706b7a0e9d024 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Tue, 7 Feb 2023 11:00:32 +0100 Subject: [PATCH 23/24] Set higher timeout for Elasticsearch --- roles/elasticsearch/tasks/wait_for_instance.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/elasticsearch/tasks/wait_for_instance.yml b/roles/elasticsearch/tasks/wait_for_instance.yml index c1eceb35..70c82caa 100644 --- a/roles/elasticsearch/tasks/wait_for_instance.yml +++ b/roles/elasticsearch/tasks/wait_for_instance.yml @@ -4,3 +4,4 @@ wait_for: host: "{{ hostvars[item].ansible_default_ipv4.address }}" port: 9200 + timeout: 600 From 28afe227fb8573a520ec1055e476ac12bf6d555b Mon Sep 17 00:00:00 2001 From: Daniel Patrick Date: Wed, 8 Feb 2023 10:41:09 +0100 Subject: [PATCH 24/24] Disabled setting bootstrap.system_call_filter for elasticsearch 8 --- roles/elasticsearch/templates/elasticsearch.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elasticsearch/templates/elasticsearch.yml.j2 b/roles/elasticsearch/templates/elasticsearch.yml.j2 index 36f46603..43d93ba8 100644 --- a/roles/elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elasticsearch/templates/elasticsearch.yml.j2 
@@ -13,7 +13,7 @@ cluster.initial_master_nodes: [ {% for host in groups['elasticsearch'] %} {% if elastic_temperature is defined %} node.attr.temp: "{{ elastic_temperature }}" {% endif %} -{% if elasticsearch_disable_systemcallfilterchecks | bool %} +{% if elasticsearch_disable_systemcallfilterchecks | bool and elastic_release == 7 %} bootstrap.system_call_filter: false {% endif %} {% if elastic_variant == "elastic" %}
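Review bot: The new condition compares `elastic_release == 7` without the `| int` cast that PATCH 19 added to the `elastic_release | int < 8` test earlier in this same template. When `elastic_release` arrives as a string (the molecule scenarios template it from an environment lookup, and extra-vars are strings too), `'7' == 7` is false, so `bootstrap.system_call_filter: false` would be silently omitted on release 7 even though `elasticsearch_disable_systemcallfilterchecks` is set. I would write the line as `{% if elasticsearch_disable_systemcallfilterchecks | bool and elastic_release | int == 7 %}`, or use `elastic_release | int < 8` to match the existing test. The role documentation still describes the variable without mentioning that it has no effect on release 8, which is worth adding since the setting has a security impact.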