More cleanup of the osquery role

This cleanup should make things easier to integrate with OSA
while also better supporting a stand-alone deployment.

Change-Id: I7321981a9ced7bf2e807a25cadde5463b39eef8f
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2018-10-16 12:15:54 -05:00
parent 5aff0b59f4
commit 1e40cef199
GPG Key ID: 9443251A787B9FB3
13 changed files with 103 additions and 119 deletions


@ -83,13 +83,29 @@ Update the `/etc/hosts` file *(optional)*
Create an haproxy entry for kolide-fleet service 8443 Create an haproxy entry for kolide-fleet service 8443
Add the following configuration item to the `haproxy_extra_services` variable
within a **user** defined variable file.
.. code-block:: yaml
haproxy_extra_services:
- service:
haproxy_service_name: kolide-fleet
haproxy_ssl: False
haproxy_backend_nodes: "{{ groups['kolide-fleet_all'] | default([]) }}"
haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable
haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_balance_type: tcp
With the appropriate haproxy configuration in place, setup haproxy to begin
load balancing the traffic.
.. code-block:: bash .. code-block:: bash
cd /opt/openstack-ansible-ops/osquery
cat haproxy.example >> /etc/openstack_deploy/user_variables.yml
cd /opt/openstack-ansible/playbooks/ cd /opt/openstack-ansible/playbooks/
openstack-ansible haproxy-install.yml --tags=haproxy-service-config openstack-ansible haproxy-install.yml
Deploying | Installing with embedded Ansible Deploying | Installing with embedded Ansible
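Review bot: the port values in the new `haproxy_extra_services` example (`haproxy_port: 6443`, `haproxy_check_port: 443`, `haproxy_backend_port: 443`) do not match the heading ("service 8443") or the `kolide_fleet_port: "8443"` default elsewhere in this change, and the inline comments say each is "set using the kolide_fleet_port variable" while all three are hard-coded. Either template them (`haproxy_port: "{{ kolide_fleet_port }}"`) or fix the comments, and state which component listens on 443 on the backend nodes, since Fleet itself is now bound to `127.0.0.1:8443` later in this change.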
@ -136,21 +152,36 @@ Deploying | The environment
^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Create some basic passwords keys that are needed by fleet Create some basic passwords keys that are needed by fleet
.. code-block:: bashG
echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/fleet_user_vars.yml .. code-block:: bash
echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/fleet_user_vars.yml
echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/user_secrets.yml
echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/user_secrets.yml
echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/user_secrets.yml
# NOTICE: This may already be defined
echo "galera_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/user_secrets.yml
Install master/data Fleet nodes on the elastic-logstash containers, Install master/data Fleet nodes on the elastic-logstash containers,
deploy logstash, deploy Kibana, and then deploy all of the service beats. deploy logstash, deploy Kibana, and then deploy all of the service beats.
.. code-block:: bashG
.. code-block:: bash
cd /opt/openstack-ansible-ops/osquery cd /opt/openstack-ansible-ops/osquery
ansible-playbook site.yml -e@/etc/openstack_deploy/fleet_user_vars.yml ansible-playbook site.yml -e@/etc/openstack_deploy/user_secrets.yml
If the `installOSquery.yml` playbook is executed with a limit, a single
kolide-fleet host must be part of the limit. This requirement exists because
the nodes running osquery require certificates to authenticate to the
kolide-fleet cluster. Should a node within the kolide-fleet cluster not be
part of the limit the playbooks will not be able to fetch the required
certificates.
.. code-block:: bash
ansible-playbook installOSquery.yml $USER_VARS --limit 'host1,host2,kolide-fleet_all[0]'
* The `openstack-ansible` command can be used if the version of ansible on the * The `openstack-ansible` command can be used if the version of ansible on the
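Review bot: the `galera_root_password` line is appended to `/etc/openstack_deploy/user_secrets.yml` unconditionally even though the NOTICE above it says the key may already be defined; a second `galera_root_password:` key in that file would silently override the existing OSA galera root password. Guard the append, e.g. `grep -q '^galera_root_password:' /etc/openstack_deploy/user_secrets.yml || echo "galera_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/user_secrets.yml`. The `--limit` example also references `$USER_VARS`, which is never defined in this section; spell out `-e@/etc/openstack_deploy/user_secrets.yml` as the `site.yml` command above does.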
@ -167,6 +198,7 @@ deploy logstash, deploy Kibana, and then deploy all of the service beats.
of the OSA group_vars. These are not available by default with the embedded of the OSA group_vars. These are not available by default with the embedded
ansible and can be symlinked into the ops repo. ansible and can be symlinked into the ops repo.
.. code-block:: bash .. code-block:: bash
ln -s /opt/openstack-ansible/inventory/group_vars /opt/openstack-ansible-ops/osquery/group_vars ln -s /opt/openstack-ansible/inventory/group_vars /opt/openstack-ansible-ops/osquery/group_vars
@ -175,6 +207,7 @@ deploy logstash, deploy Kibana, and then deploy all of the service beats.
The individual playbooks found within this repository can be independently run The individual playbooks found within this repository can be independently run
at anytime. at anytime.
Architecture | Data flow Architecture | Data flow
^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^


@ -1,4 +1,4 @@
fleet_hosts: kolide_hosts:
logging1: logging1:
ip: 10.0.236.110 ip: 10.0.236.110
logging2: logging2:


@ -1,32 +1,28 @@
--- ---
component_skel: component_skel:
fleet: kolide-fleet:
belongs_to: belongs_to:
- fleet_all - fleet_all
- kolide-fleet_all
mariadb: mariadb:
belongs_to: belongs_to:
- fleet_all - fleet_all
- mariadb_all - mariadb_all
osquery:
belongs_to:
- fleet_all
container_skel: container_skel:
fleet_container: kolide-fleet_container:
belongs_to: belongs_to:
- fleet_containers - kolide_containers
contains: contains:
- fleet - kolide-fleet
- mariadb - mariadb
- osquery
physical_skel: physical_skel:
fleet_containers: kolide_containers:
belongs_to: belongs_to:
- all_containers - all_containers
fleet_hosts: kolide_hosts:
belongs_to: belongs_to:
- hosts - hosts
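Review bot: `kolide-fleet` and `mariadb` still belong to `fleet_all` while every playbook, variable and doc in this change now references `kolide-fleet_all`, so the old group name stays in the generated inventory with nothing using it. Drop `- fleet_all` from both `belongs_to` lists, or document that it is kept for compatibility with existing inventories.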


@ -1,9 +0,0 @@
haproxy_extra_services:
- service:
haproxy_service_name: kolide-fleet
haproxy_ssl: False
haproxy_backend_nodes: "{{ groups['fleet_all'] | default([]) }}" # Fleet nodes
haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable
haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_balance_type: tcp
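Review bot: `haproxy.example` is deleted here, but the docs hunk above still instructs `cat haproxy.example >> /etc/openstack_deploy/user_variables.yml`, which now fails with a missing file. Either keep the file (updated to `groups['kolide-fleet_all']`) or change the docs so the operator pastes the YAML block shown there into a user variable file.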


@ -27,15 +27,13 @@
fail: fail:
msg: >- msg: >-
The root password for the galera cluster is not defined. To proceed with this The root password for the galera cluster is not defined. To proceed with this
installation define the variable `mariadb_root_password` in line or within a installation define the variable `galera_root_password` in line or within a
variable file. variable file.
when: when:
- mariadb_root_password is undefined - galera_root_password is undefined
roles: roles:
- role: galera_server - role: galera_server
galera_root_user: "{{ mariadb_root_user }}"
galera_root_password: "{{ mariadb_root_password }}"
galera_cluster_members: "{{ groups['mariadb_all'] }}" galera_cluster_members: "{{ groups['mariadb_all'] }}"
galera_wsrep_node_name: "{{ inventory_hostname }}" galera_wsrep_node_name: "{{ inventory_hostname }}"
galera_cluster_name: telemetry_galera_cluster galera_cluster_name: telemetry_galera_cluster
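Review bot: dropping `galera_root_user: "{{ mariadb_root_user }}"` from the role invocation while `mariadb_root_user: root` is still used as `login_user` by the `mysql_db` and `mysql_user` tasks in this change untethers the two settings; a deployer who overrides `mariadb_root_user` gets a galera root user created under the role default and DB tasks that cannot log in. Either remove `mariadb_root_user` in favour of `galera_root_user` everywhere, or keep the mapping here.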


@ -1,6 +1,6 @@
--- ---
- name: Install Kolide Fleet - name: Install Kolide Fleet
hosts: "fleet_all" hosts: "kolide-fleet_all"
become: true become: true
vars_files: vars_files:


@ -13,8 +13,33 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: Get osquery facts
hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
become: true
vars_files:
- vars/variables.yml
tags:
- always
environment: "{{ deployment_environment_variables | default({}) }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
tasks:
- name: Fetch Certificates
fetch:
flat: yes
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: "{{ kolide_fleet_ssl_cert }}"
dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- src: "{{ kolide_fleet_ssl_key }}"
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
- name: Install osquery - name: Install osquery
hosts: "fleet_all:osquery:hosts" hosts: "hosts:all_containers"
become: true become: true
vars_files: vars_files:
- vars/variables.yml - vars/variables.yml
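Review bot: the new `Get osquery facts` play fetches the Fleet TLS private key (`kolide_fleet_ssl_key`) with `flat: yes` into `/tmp/` on the deployment host, a world-readable directory, and because the play is tagged `always` this happens on every run regardless of `--tags`. Fetch into a private directory (for example a `tempfile` result with `mode: 0700`) and remove it at the end of the playbook, as the Fleet-side task later in this change does through its `Cleanup certifactes` handler. Also, `groups['kolide-fleet_all'][0]` in `hosts:` raises an undefined-variable error when the group is empty, so the play should fail with a clear message instead.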
@ -32,19 +57,6 @@
- /etc/osquery - /etc/osquery
- /etc/osquery/ssl - /etc/osquery/ssl
- name: Synchronize certifactes back
synchronize:
mode: pull
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: "{{ kolide_fleet_ssl_cert }}"
dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- src: "{{ kolide_fleet_ssl_key }}"
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- inventory_hostname == groups['fleet_all'][0]
- name: Copy certifactes over - name: Copy certifactes over
copy: copy:
src: "{{ item.src }}" src: "{{ item.src }}"
@ -54,14 +66,12 @@
src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- dest: "{{ kolide_fleet_ssl_key }}" - dest: "{{ kolide_fleet_ssl_key }}"
src: "/tmp/{{ kolide_fleet_ssl_key | basename }}" src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- inventory_hostname != groups['fleet_all'][0]
- name: retrieve Enrollment Token - name: retrieve Enrollment Token
command: /usr/local/bin/fleetctl get enroll-secret command: /usr/local/bin/fleetctl get enroll-secret
changed_when: false changed_when: false
register: _enrollment_token register: _enrollment_token
delegate_to: "{{ groups['fleet_all'][0] }}" delegate_to: "{{ groups['kolide-fleet_all'][0] }}"
run_once: true run_once: true
- name: Set kolide fleet enrollment token fact - name: Set kolide fleet enrollment token fact
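Review bot: with the `when: inventory_hostname != groups['fleet_all'][0]` guard removed and the play now targeting `hosts:all_containers`, `Copy certifactes over` distributes the Fleet server private key (`kolide_fleet_ssl_key`) to every host and every container, while the osquery flags in this change only consume `--tls_server_certs={{ kolide_fleet_ssl_cert }}`. Copy only the certificate to osquery nodes and keep the key on the `kolide-fleet_all` members; if the key must be shared for multi-node Fleet, restrict that item to `inventory_hostname in groups['kolide-fleet_all']` and set `owner`, `group` and `mode: 0600` on it. The `certifactes` typo in the task name is also carried over.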


@ -24,16 +24,12 @@ hosts:
logging01: {} logging01: {}
# This is the location where fleet(s) will live # This is the location where fleet(s) will live
fleet_all: kolide-fleet_all:
hosts: children:
logging01: {} kolide_hosts:
hosts:
logging01: {}
mariadb_all: mariadb_all:
children: children:
fleet_all: {} kolide-fleet_all: {}
osquery_all:
hosts:
logging02:
ansible_host: 172.16.27.101
ansible_user: root


@ -20,7 +20,7 @@ kolide_fleet_db_user: fleet
#kolide_fleet_db_password: fleetSecrete #kolide_fleet_db_password: fleetSecrete
kolide_fleet_port: "8443" kolide_fleet_port: "8443"
kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}" kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc5" kolide_fleet_version: "2.0.0-rc5"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download" kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
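Review bot: changing `kolide_fleet_address` to `127.0.0.1:{{ kolide_fleet_port }}` makes Fleet reachable only from loopback, yet the haproxy example and the osquery `--tls_hostname` flag in this change both point at port 443 on the Fleet node's `ansible_host`. Whatever listens on 443 and proxies to `127.0.0.1:8443` is not part of this diff; confirm the role deploys that reverse proxy, otherwise the load balancer health check and osquery enrollment both fail.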
@ -43,7 +43,6 @@ kolide_fleet_ssl_key_purge: false
mariadb_bind_address: "0.0.0.0" mariadb_bind_address: "0.0.0.0"
mariadb_root_remote: 1 mariadb_root_remote: 1
mariadb_root_user: root mariadb_root_user: root
#mariadb_root_password: fleetSecrete
mariadb_databases: mariadb_databases:
- name: "{{ kolide_fleet_db_name }}" - name: "{{ kolide_fleet_db_name }}"
@ -52,5 +51,3 @@ mariadb_users:
password: "{{ kolide_fleet_db_password }}" password: "{{ kolide_fleet_db_password }}"
priv: " {{ kolide_fleet_db_name }}.*:ALL" priv: " {{ kolide_fleet_db_name }}.*:ALL"
host: "%" host: "%"
galera_root_password: "{{ mariadb_root_password }}"


@ -16,7 +16,7 @@
- name: Create DB for service - name: Create DB for service
mysql_db: mysql_db:
login_user: "{{ mariadb_root_user }}" login_user: "{{ mariadb_root_user }}"
login_password: "{{ mariadb_root_password }}" login_password: "{{ galera_root_password }}"
login_host: "{{ mariadb_login_host | default('localhost') }}" login_host: "{{ mariadb_login_host | default('localhost') }}"
name: "{{ kolide_fleet_db_name }}" name: "{{ kolide_fleet_db_name }}"
state: "present" state: "present"
@ -28,7 +28,7 @@
- name: Grant access to the DB for the service - name: Grant access to the DB for the service
mysql_user: mysql_user:
login_user: "{{ mariadb_root_user }}" login_user: "{{ mariadb_root_user }}"
login_password: "{{ mariadb_root_password }}" login_password: "{{ galera_root_password }}"
login_host: "{{ mariadb_login_host | default('localhost') }}" login_host: "{{ mariadb_login_host | default('localhost') }}"
name: "{{ kolide_fleet_db_user }}" name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}" password: "{{ kolide_fleet_db_password }}"


@ -65,23 +65,23 @@
- src: "{{ kolide_fleet_ssl_key }}" - src: "{{ kolide_fleet_ssl_key }}"
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}" dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when: when:
- (groups['fleet_all'] | length) > 1 - (groups['kolide-fleet_all'] | length) > 1
notify: notify:
- Cleanup certifactes - Cleanup certifactes
when: when:
- inventory_hostname == groups['fleet_all'][0] - inventory_hostname == groups['kolide-fleet_all'][0]
- name: Copy certifactes over - name: Copy certifactes over
copy: copy:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
with_items: with_items:
- dest: "{{ kolide_fleet_ssl_csr }}" - dest: "{{ kolide_fleet_ssl_csr }}"
src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}" src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}"
- dest: "{{ kolide_fleet_ssl_cert }}" - dest: "{{ kolide_fleet_ssl_cert }}"
src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- dest: "{{ kolide_fleet_ssl_key }}" - dest: "{{ kolide_fleet_ssl_key }}"
src: "/tmp/{{ kolide_fleet_ssl_key | basename }}" src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when: when:
- inventory_hostname != groups['fleet_all'][0] - inventory_hostname != groups['kolide-fleet_all'][0]
- (groups['fleet_all'] | length) > 1 - (groups['kolide-fleet_all'] | length) > 1


@ -1,35 +0,0 @@
---
# Kolide Fleet vars
kolide_fleet_db_name: fleet
kolide_fleet_db_user: fleet
#kolide_fleet_db_password: fleetSecrete
kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc5"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
kolide_fleet_admin_email: admin@openstack.org
#kolide_fleet_admin_password: AdminSecrete
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
# MariaDB/Gallera Variables
#mariadb_root_password: fleetSecrete
mariadb_bind_address: "0.0.0.0"
mariadb_root_remote: 1
mariadb_root_user: root
mariadb_databases:
- name: "{{ kolide_fleet_db_name }}"
mariadb_users:
- name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}"
priv: " {{ kolide_fleet_db_name }}.*:ALL"
host: "%"
galera_root_password: "{{ mariadb_root_password }}"


@ -1,7 +1,5 @@
--- ---
mariadb_root_user: root
kolide_fleet_enable: true kolide_fleet_enable: true
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
@ -20,7 +18,7 @@ osquery_rsyslog: false
osquery_flags: osquery_flags:
- "--tls_server_certs={{ kolide_fleet_ssl_cert }}" - "--tls_server_certs={{ kolide_fleet_ssl_cert }}"
- "--tls_hostname={{ hostvars[groups['fleet_all'][0]]['ansible_host'] }}:443" - "--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443"
- "--host_identifier=hostname" - "--host_identifier=hostname"
- "--enroll_tls_endpoint=/api/v1/osquery/enroll" - "--enroll_tls_endpoint=/api/v1/osquery/enroll"
- "--config_plugin=tls" - "--config_plugin=tls"
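Review bot: `--tls_hostname` is set to the first Fleet node's `ansible_host`, which in the example inventories in this change is an IP address (`10.0.236.110`, `172.16.27.101`). osquery verifies the server certificate against this value, so the certificate at `kolide_fleet_ssl_cert` must carry that IP as a subjectAltName or enrollment fails with a TLS error; either generate the certificate with the IP SAN or point this at a DNS name the certificate covers. The hard-coded `:443` should also be a variable rather than diverging silently from `kolide_fleet_port`.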