More cleanup of the osquery role
This cleanup should make things easier to integrate with OSA while also better supporting a stand-alone deployment.

Change-Id: I7321981a9ced7bf2e807a25cadde5463b39eef8f
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
parent 5aff0b59f4
commit 1e40cef199
@ -83,13 +83,29 @@ Update the `/etc/hosts` file *(optional)*
Create an haproxy entry for kolide-fleet service 8443
Add the following configuration item to the `haproxy_extra_services` variable
within a **user** defined variable file.
.. code-block:: yaml
haproxy_extra_services:
- service:
haproxy_service_name: kolide-fleet
haproxy_ssl: False
haproxy_backend_nodes: "{{ groups['kolide-fleet_all'] | default([]) }}"
haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable
haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_balance_type: tcp
With the appropriate haproxy configuration in place, setup haproxy to begin
load balancing the traffic.
.. code-block:: bash
cd /opt/openstack-ansible-ops/osquery
cat haproxy.example >> /etc/openstack_deploy/user_variables.yml
cd /opt/openstack-ansible/playbooks/
openstack-ansible haproxy-install.yml --tags=haproxy-service-config
openstack-ansible haproxy-install.yml
Deploying | Installing with embedded Ansible
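Review bot: the `haproxy_port: 6443`, `haproxy_check_port: 443` and `haproxy_backend_port: 443` entries all carry the comment `This is set using the "kolide_fleet_port" variable`, but the values are literals, `kolide_fleet_port` is "8443" in the vars hunk further down, and this section's own heading says "service 8443"; either template the values (`haproxy_port: "{{ kolide_fleet_port }}"`) or drop the comment, otherwise a deployer who changes the variable will assume the load balancer follows it when it does not. With `haproxy_ssl: False` and `haproxy_balance_type: tcp` TLS is passed through to the Fleet backends, which is the right choice for osquery's pinned `--tls_server_certs`, but that only works if the backends really listen on the port configured here.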
@ -136,21 +152,36 @@ Deploying | The environment
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Create some basic passwords keys that are needed by fleet
.. code-block:: bashG
echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/fleet_user_vars.yml
echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/fleet_user_vars.yml
echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
.. code-block:: bash
echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/user_secrets.yml
echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/user_secrets.yml
echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/user_secrets.yml
# NOTICE: This may already be defined
echo "galera_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/user_secrets.yml
Install master/data Fleet nodes on the elastic-logstash containers,
deploy logstash, deploy Kibana, and then deploy all of the service beats.
.. code-block:: bashG
.. code-block:: bash
cd /opt/openstack-ansible-ops/osquery
ansible-playbook site.yml -e@/etc/openstack_deploy/fleet_user_vars.yml
ansible-playbook site.yml -e@/etc/openstack_deploy/user_secrets.yml
If the `installOSquery.yml` playbook is executed with a limit, a single
kolide-fleet host must be part of the limit. This requirement exists because
the nodes running osquery require certificates to authenticate to the
kolide-fleet cluster. Should a node within the kolide-fleet cluster not be
part of the limit the playbooks will not be able to fetch the required
certificates.
.. code-block:: bash
ansible-playbook installOSquery.yml $USER_VARS --limit 'host1,host2,kolide-fleet_all[0]'
* The `openstack-ansible` command can be used if the version of ansible on the
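Review bot: the first secret line, `echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/user_secrets.yml`, uses a single `>` and so truncates the OSA `user_secrets.yml`, which in an integrated deployment already holds every other service's credentials; use `>>` on every line, as the following ones do, and extend the `# NOTICE: This may already be defined` remark from `galera_root_password` to the file as a whole. Smaller points in the same hunk: `.. code-block:: bashG` is a typo of `bash` wherever it survives, the "Install master/data Fleet nodes on the elastic-logstash containers, deploy logstash, deploy Kibana, and then deploy all of the service beats" paragraph still describes the ELK role rather than osquery/Fleet, and `$USER_VARS` in the `--limit` example is not defined anywhere in this section.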
@ -167,6 +198,7 @@ deploy logstash, deploy Kibana, and then deploy all of the service beats.
of the OSA group_vars. These are not available by default with the embedded
ansible and can be symlinked into the ops repo.
.. code-block:: bash
ln -s /opt/openstack-ansible/inventory/group_vars /opt/openstack-ansible-ops/osquery/group_vars
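Review bot: `ln -s /opt/openstack-ansible/inventory/group_vars /opt/openstack-ansible-ops/osquery/group_vars` errors with "File exists" the second time a deployer follows these docs, or whenever a `group_vars` directory already exists in the ops checkout; `ln -sfn` covers the re-run case, or state that the step is one-time.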
@ -175,6 +207,7 @@ deploy logstash, deploy Kibana, and then deploy all of the service beats.
The individual playbooks found within this repository can be independently run
at anytime.
Architecture | Data flow
^^^^^^^^^^^^^^^^^^^^^^^^
@ -1,4 +1,4 @@
fleet_hosts:
kolide_hosts:
logging1:
ip: 10.0.236.110
logging2:
@ -1,32 +1,28 @@
---
component_skel:
fleet:
kolide-fleet:
belongs_to:
- fleet_all
- kolide-fleet_all
mariadb:
belongs_to:
- fleet_all
- mariadb_all
osquery:
belongs_to:
- fleet_all
container_skel:
fleet_container:
kolide-fleet_container:
belongs_to:
- fleet_containers
- kolide_containers
contains:
- fleet
- kolide-fleet
- mariadb
- osquery
physical_skel:
fleet_containers:
kolide_containers:
belongs_to:
- all_containers
fleet_hosts:
kolide_hosts:
belongs_to:
- hosts
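Review bot: renaming the inventory skeleton from `fleet`/`fleet_container`/`fleet_containers`/`fleet_hosts` to `kolide-fleet`/`kolide-fleet_container`/`kolide_containers`/`kolide_hosts` is a breaking change for any existing deployment whose inventory or user variables key on the old group names (the removed haproxy example in this same change still selects `groups['fleet_all']`); add a migration note to the README or a release note so upgraders do not end up with silently empty host groups, and double-check that every `belongs_to: - fleet_all` entry that remains in this file (under `mariadb` and `osquery`) is intentional rather than left over from the rename.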
@ -1,9 +0,0 @@
haproxy_extra_services:
- service:
haproxy_service_name: kolide-fleet
haproxy_ssl: False
haproxy_backend_nodes: "{{ groups['fleet_all'] | default([]) }}" # Fleet nodes
haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable
haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_balance_type: tcp
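Review bot: this 9-line file is deleted while the README hunk above still instructs `cat haproxy.example >> /etc/openstack_deploy/user_variables.yml`; if this is that file, the documented step now refers to something that no longer exists, so either keep the file (updated to `groups['kolide-fleet_all']`, since this copy still uses the old `fleet_all` group) or rewrite the README step to point at the inline block.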
@ -27,15 +27,13 @@
fail:
msg: >-
The root password for the galera cluster is not defined. To proceed with this
installation define the variable `mariadb_root_password` in line or within a
installation define the variable `galera_root_password` in line or within a
variable file.
when:
- mariadb_root_password is undefined
- galera_root_password is undefined
roles:
- role: galera_server
galera_root_user: "{{ mariadb_root_user }}"
galera_root_password: "{{ mariadb_root_password }}"
galera_cluster_members: "{{ groups['mariadb_all'] }}"
galera_wsrep_node_name: "{{ inventory_hostname }}"
galera_cluster_name: telemetry_galera_cluster
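Review bot: checking `galera_root_password is undefined` instead of `mariadb_root_password` is consistent with the `galera_server` role variable the play now relies on, but the adjacent `galera_cluster_name: telemetry_galera_cluster` is copied from the telemetry role; if this role and the telemetry role are ever deployed on the same hosts, two `galera_server` runs with one cluster name become ambiguous, so give the Fleet database its own cluster name (for example `fleet_galera_cluster`) while this play is being touched.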
@ -1,6 +1,6 @@
---
- name: Install Kolide Fleet
hosts: "fleet_all"
hosts: "kolide-fleet_all"
become: true
vars_files:
@ -13,8 +13,33 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Get osquery facts
hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
become: true
vars_files:
- vars/variables.yml
tags:
- always
environment: "{{ deployment_environment_variables | default({}) }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
tasks:
- name: Fetch Certificates
fetch:
flat: yes
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: "{{ kolide_fleet_ssl_cert }}"
dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- src: "{{ kolide_fleet_ssl_key }}"
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
- name: Install osquery
hosts: "fleet_all:osquery:hosts"
hosts: "hosts:all_containers"
become: true
vars_files:
- vars/variables.yml
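Review bot: the new `Get osquery facts` play fetches `kolide_fleet_ssl_key`, the Fleet server's private key, to `/tmp/{{ kolide_fleet_ssl_key | basename }}` on the Ansible controller (`flat: yes`, a world-readable directory, predictable file name) and nothing in the play removes it afterwards; osquery clients only need the server certificate (`--tls_server_certs={{ kolide_fleet_ssl_cert }}` in the osquery_flags hunk), so fetch only the cert item here, and if the key genuinely has to transit the controller, put it in a directory created with the `tempfile` module in `state: directory` mode with restrictive permissions and add a cleanup task at the end of the run. `tags: - always` is correct since the install play depends on these files being present under `--limit`.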
@ -32,19 +57,6 @@
- /etc/osquery
- /etc/osquery/ssl
- name: Synchronize certifactes back
synchronize:
mode: pull
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: "{{ kolide_fleet_ssl_cert }}"
dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- src: "{{ kolide_fleet_ssl_key }}"
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- inventory_hostname == groups['fleet_all'][0]
- name: Copy certifactes over
copy:
src: "{{ item.src }}"
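Review bot: dropping the `synchronize` pull that ran only when `inventory_hostname == groups['fleet_all'][0]` in favour of the dedicated fetch play is the right fix for `--limit` runs that do not include a Fleet host, but the surviving task name `Copy certifactes over` (like the removed `Synchronize certifactes back`) misspells "certificates"; worth correcting while the file is open, since the name is what shows up in run output and in any handler `notify` that references it.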
@ -54,14 +66,12 @@
src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- dest: "{{ kolide_fleet_ssl_key }}"
src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- inventory_hostname != groups['fleet_all'][0]
- name: retrieve Enrollment Token
command: /usr/local/bin/fleetctl get enroll-secret
changed_when: false
register: _enrollment_token
delegate_to: "{{ groups['fleet_all'][0] }}"
delegate_to: "{{ groups['kolide-fleet_all'][0] }}"
run_once: true
- name: Set kolide fleet enrollment token fact
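Review bot: the copy task still pushes the Fleet server private key (`dest: "{{ kolide_fleet_ssl_key }}"` from `/tmp/{{ kolide_fleet_ssl_key | basename }}`) to every target of the `hosts:all_containers` play, so each osquery node receives a copy of a key it never uses; `--tls_server_certs` in osquery_flags consumes only the certificate, and the key is only needed on the Fleet host, which installFleet already provisions, so remove the key item from `with_items`. For `fleetctl get enroll-secret`, the `delegate_to: "{{ groups['kolide-fleet_all'][0] }}"` plus `run_once: true` change is fine, but the registered `_enrollment_token` is printed in verbose output unless the task sets `no_log: true`.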
@ -24,16 +24,12 @@ hosts:
logging01: {}
# This is the location where fleet(s) will live
fleet_all:
hosts:
logging01: {}
kolide-fleet_all:
children:
kolide_hosts:
hosts:
logging01: {}
mariadb_all:
children:
fleet_all: {}
osquery_all:
hosts:
logging02:
ansible_host: 172.16.27.101
ansible_user: root
kolide-fleet_all: {}
@ -20,7 +20,7 @@ kolide_fleet_db_user: fleet
#kolide_fleet_db_password: fleetSecrete
kolide_fleet_port: "8443"
kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc5"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
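Review bot: binding `kolide_fleet_address` to `127.0.0.1:{{ kolide_fleet_port }}` is sound hardening, but both consumers in this change reach the Fleet hosts over the network on port 443 (the README haproxy block with `haproxy_backend_port: 443` against `groups['kolide-fleet_all']`, and `--tls_hostname=...:443` in osquery_flags), so something on each Fleet host must listen on 443 and forward to the loopback 8443; no such proxy appears in this change, so either it already exists in the role (in which case document the port path in the README) or this line breaks enrollment and load balancing at once.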
@ -43,7 +43,6 @@ kolide_fleet_ssl_key_purge: false
mariadb_bind_address: "0.0.0.0"
mariadb_root_remote: 1
mariadb_root_user: root
#mariadb_root_password: fleetSecrete
mariadb_databases:
- name: "{{ kolide_fleet_db_name }}"
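Review bot: removing the commented `#mariadb_root_password: fleetSecrete` placeholder is welcome, but the surrounding context, `mariadb_bind_address: "0.0.0.0"` together with `mariadb_root_remote: 1`, leaves the MariaDB root account reachable from the network; now that Fleet itself is bound to loopback, consider binding the database to loopback (or only the Galera replication address) and setting `mariadb_root_remote` to 0 unless a remote root login is actually required by the galera play.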
@ -52,5 +51,3 @@ mariadb_users:
password: "{{ kolide_fleet_db_password }}"
priv: " {{ kolide_fleet_db_name }}.*:ALL"
host: "%"
galera_root_password: "{{ mariadb_root_password }}"
@ -16,7 +16,7 @@
- name: Create DB for service
mysql_db:
login_user: "{{ mariadb_root_user }}"
login_password: "{{ mariadb_root_password }}"
login_password: "{{ galera_root_password }}"
login_host: "{{ mariadb_login_host | default('localhost') }}"
name: "{{ kolide_fleet_db_name }}"
state: "present"
@ -28,7 +28,7 @@
- name: Grant access to the DB for the service
mysql_user:
login_user: "{{ mariadb_root_user }}"
login_password: "{{ mariadb_root_password }}"
login_password: "{{ galera_root_password }}"
login_host: "{{ mariadb_login_host | default('localhost') }}"
name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}"
@ -65,23 +65,23 @@
- src: "{{ kolide_fleet_ssl_key }}"
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- (groups['fleet_all'] | length) > 1
- (groups['kolide-fleet_all'] | length) > 1
notify:
- Cleanup certifactes
when:
- inventory_hostname == groups['fleet_all'][0]
- inventory_hostname == groups['kolide-fleet_all'][0]
- name: Copy certifactes over
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- dest: "{{ kolide_fleet_ssl_csr }}"
src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}"
- dest: "{{ kolide_fleet_ssl_cert }}"
src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- dest: "{{ kolide_fleet_ssl_key }}"
src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
with_items:
- dest: "{{ kolide_fleet_ssl_csr }}"
src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}"
- dest: "{{ kolide_fleet_ssl_cert }}"
src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- dest: "{{ kolide_fleet_ssl_key }}"
src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- inventory_hostname != groups['fleet_all'][0]
- (groups['fleet_all'] | length) > 1
- inventory_hostname != groups['kolide-fleet_all'][0]
- (groups['kolide-fleet_all'] | length) > 1
@ -1,35 +0,0 @@
---
# Kolide Fleet vars
kolide_fleet_db_name: fleet
kolide_fleet_db_user: fleet
#kolide_fleet_db_password: fleetSecrete
kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc5"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
kolide_fleet_admin_email: admin@openstack.org
#kolide_fleet_admin_password: AdminSecrete
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
# MariaDB/Gallera Variables
#mariadb_root_password: fleetSecrete
mariadb_bind_address: "0.0.0.0"
mariadb_root_remote: 1
mariadb_root_user: root
mariadb_databases:
- name: "{{ kolide_fleet_db_name }}"
mariadb_users:
- name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}"
priv: " {{ kolide_fleet_db_name }}.*:ALL"
host: "%"
galera_root_password: "{{ mariadb_root_password }}"
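Review bot: deleting this vars file drops the only definitions visible in this change of `kolide_fleet_admin_email`, `kolide_fleet_ssl_protocol` and `kolide_fleet_ssl_cipher_suite`; the retained vars hunks show `kolide_fleet_port`, `kolide_fleet_address`, the `mariadb_*` settings and the database users, but not those three, so confirm they are defined in the surviving vars file before this merges or the Fleet templates that reference them will fail at render time. Dropping the commented `fleetSecrete`/`AdminSecrete` placeholders is the right call, since they invite copy-paste into production.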
@ -1,7 +1,5 @@
---
mariadb_root_user: root
kolide_fleet_enable: true
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
@ -20,7 +18,7 @@ osquery_rsyslog: false
osquery_flags:
- "--tls_server_certs={{ kolide_fleet_ssl_cert }}"
- "--tls_hostname={{ hostvars[groups['fleet_all'][0]]['ansible_host'] }}:443"
- "--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443"
- "--host_identifier=hostname"
- "--enroll_tls_endpoint=/api/v1/osquery/enroll"
- "--config_plugin=tls"
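Review bot: `--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443` hard-codes 443 while `kolide_fleet_port` is "8443" and the service is now bound to loopback in the vars hunk, so the two will drift unless the port is templated from the same variable; it also always picks `[0]`, whereas the fetch play allows `kolide_fleet_host` to override the Fleet host, so the flag should follow that variable. Since `--tls_server_certs` pins the server certificate, osquery validates `ansible_host` against it: when `ansible_host` is an IP, the certificate needs a matching IP SAN, which is worth a sentence in the README next to the certificate variables.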