Add config overrides for systemd for better auditing

The following change will ensure that the elastic-static is logging to
the journal and that systemd is able to report how well the elastic
slice is running.

Change-Id: I79a9074b5f14a41dec421d6691fd04c0e6be15b7
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

elk_metrics_6x/installElastic.yml

@@ -82,7 +82,7 @@
 
     - include_tasks: common_task_install_elk_repo.yml
 
-    - name: Ensure Elastic search is installed
+    - name: Ensure elasticsearch is installed
       apt:
         name: elasticsearch
         state: "{{ elk_package_state | default('present') }}"
@@ -91,9 +91,29 @@
       until: _apt_task is success
       retries: 3
       delay: 2
+      notify:
+        - Enable and restart elastic
       tags:
         - package_install
 
+    - name: Create elasticsearch systemd service config dir
+      file:
+        path: "/etc/systemd/system/elasticsearch.service.d"
+        state: "directory"
+        group: "root"
+        owner: "root"
+        mode: "0755"
+
+    - name: Apply systemd options
+      template:
+        src: "{{ item.src }}"
+        dest: "/etc/systemd/system/elasticsearch.service.d/{{ item.dest }}"
+        mode: "0644"
+      with_items:
+        - { src: "systemd.elasticsearch-overrides.conf.j2", dest: "elasticsearch-overrides.conf" }
+      notify:
+        - Enable and restart elastic
+
     - name: Drop elasticsearch conf file
       template:
         src: "{{ item.src }}"
@@ -105,6 +125,8 @@
           dest: /etc/elasticsearch/jvm.options
         - src: templates/es-log4j2.properties.j2
           dest: /etc/elasticsearch/log4j2.properties
+      notify:
+        - Enable and restart elastic
       tags:
         - config
 
@@ -121,11 +143,13 @@
       tags:
         - config
 
+  handlers:
     - name: Enable and restart elastic
       systemd:
         name: "elasticsearch"
         enabled: true
         state: restarted
+        daemon_reload: true
       tags:
         - config
 

elk_metrics_6x/installKibana.yml

@@ -54,20 +54,44 @@
       until: _apt_task is success
       retries: 3
       delay: 2
+      notify:
+        - Enable and restart kibana
       tags:
         - package_install
 
+    - name: Create kibana systemd service config dir
+      file:
+        path: "/etc/systemd/system/kibana.service.d"
+        state: "directory"
+        group: "root"
+        owner: "root"
+        mode: "0755"
+
+    - name: Apply systemd options
+      template:
+        src: "{{ item.src }}"
+        dest: "/etc/systemd/system/kibana.service.d/{{ item.dest }}"
+        mode: "0644"
+      with_items:
+        - { src: "systemd.kibana-overrides.conf.j2", dest: "kibana-overrides.conf" }
+      notify:
+        - Enable and restart kibana
+
     - name: Drop kibana conf file
       template:
         src: templates/kibana.yml.j2
         dest: /etc/kibana/kibana.yml
         mode: "0666"
+      notify:
+        - Enable and restart kibana
 
+  handlers:
     - name: Enable and restart kibana
       systemd:
         name: "kibana"
         enabled: true
         state: restarted
+        daemon_reload: true
 
   tags:
     - server-install

elk_metrics_6x/installLogstash.yml

@@ -78,9 +78,29 @@
       until: _apt_task is success
       retries: 3
       delay: 2
+      notify:
+        - Enable and restart logstash
       tags:
         - package_install
 
+    - name: Create logstash systemd service config dir
+      file:
+        path: "/etc/systemd/system/logstash.service.d"
+        state: "directory"
+        group: "root"
+        owner: "root"
+        mode: "0755"
+
+    - name: Apply systemd options
+      template:
+        src: "{{ item.src }}"
+        dest: "/etc/systemd/system/logstash.service.d/{{ item.dest }}"
+        mode: "0644"
+      with_items:
+        - { src: "systemd.logstash-overrides.conf.j2", dest: "logstash-overrides.conf" }
+      notify:
+        - Enable and restart logstash
+
     - name: Drop elasticsearch conf file
       template:
         src: "{{ item.src }}"
@@ -201,6 +221,7 @@
         name: "logstash"
         enabled: true
         state: restarted
+        daemon_reload: true
 
   tags:
     - server-install

elk_metrics_6x/templates/systemd.elasticsearch-overrides.conf.j2

@@ -0,0 +1,18 @@
+[Service]
+# This first line clears the source ExecStart
+ExecStart=
+# This runs our ExecStart as an override.
+ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid
+
+# This creates a specific slice to operate from. The accounting options give us
+# the ability to see resource usage through the `systemd-cgtop` command and
+# further isolate this service from the host machine.
+Slice=elastic.slice
+CPUAccounting=true
+BlockIOAccounting=true
+MemoryAccounting=true
+TasksAccounting=true
+
+# Sandbox setup
+PrivateTmp=true
+PrivateDevices={{ ((ansible_os_family | lower) != "redhat") | lower }}

elk_metrics_6x/templates/systemd.kibana-overrides.conf.j2

@@ -0,0 +1,13 @@
+[Service]
+# This creates a specific slice to operate from. The accounting options give us
+# the ability to see resource usage through the `systemd-cgtop` command and
+# further isolate this service from the host machine.
+Slice=elastic.slice
+CPUAccounting=true
+BlockIOAccounting=true
+MemoryAccounting=true
+TasksAccounting=true
+
+# Sandbox setup
+PrivateTmp=true
+PrivateDevices={{ ((ansible_os_family | lower) != "redhat") | lower }}

elk_metrics_6x/templates/systemd.logstash-overrides.conf.j2

@@ -0,0 +1,13 @@
+[Service]
+# This creates a specific slice to operate from. The accounting options give us
+# the ability to see resource usage through the `systemd-cgtop` command and
+# further isolate this service from the host machine.
+Slice=elastic.slice
+CPUAccounting=true
+BlockIOAccounting=true
+MemoryAccounting=true
+TasksAccounting=true
+
+# Sandbox setup
+PrivateTmp=true
+PrivateDevices={{ ((ansible_os_family | lower) != "redhat") | lower }}