Resolve linting failures for install/elk.yml

Resolves linting issues:
* [ANSIBLE0006] curl used in place of get_url or uri module
* [ANSIBLE0013] Use shell only when shell functionality is required
* [ANSIBLE0012] Commands should not change things if nothing needs doing
* [ANSIBLE0010] Package installs should not use latest

Executed via: ansible-lint ansible/install/elk.yml

Change-Id: I0cfff457fa1e2aa770f532d761452279ee2bd10c
Leif Madsen 2016-08-25 14:11:11 -04:00
parent 8a052006f8
commit 127f342e97
No known key found for this signature in database
GPG Key ID: 409E6FD5A5D30321
5 changed files with 135 additions and 43 deletions


@ -103,6 +103,10 @@
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and es_listen_external
tags:
# Skip ANSIBLE0013 Use shell only when shell functionality is required
# No systemctl module available in current stable release (Ansible 2.1)
- skip_ansible_lint
# Firewalld
- name: Determine if firewalld is in use
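Review bot: The `skip_ansible_lint` tag added to the iptables restart task switches off every lint rule for that task, although ANSIBLE0013 only objects to `shell:` where no shell feature is used. `systemctl restart iptables.service` has no pipe or redirect, so `command: systemctl restart iptables.service` should clear the finding without the tag; the `command: systemctl enable nginx.service` task in a later section carries no skip tag, which suggests that form passes. The `service` module with `state=restarted` is another option that does not depend on a systemctl module. The same applies to the other iptables restart tasks tagged this way in the later file sections; the task itself starts above this hunk.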


@ -13,7 +13,8 @@
become: true
- name: Import fluentd GPG Key
rpm_key: key=https://packages.treasuredata.com/GPG-KEY-td-agent
rpm_key:
key=https://packages.treasuredata.com/GPG-KEY-td-agent
state=present
- name: Install fluentd
@ -44,18 +45,30 @@
ignore_errors: true
register: firewalld_in_use
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Actually need to determine if firewalld is in use.
- skip_ansible_lint
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to know if firewalld is active.
- skip_ansible_lint
- name: Determine if TCP/{{fluentd_syslog_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_syslog_port}}/tcp"
ignore_errors: true
register: firewalld_tcp42185_exists
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to determine is port already in use.
- skip_ansible_lint
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{fluentd_syslog_port}} (firewalld)
@ -74,6 +87,10 @@
register: iptables_tcp42185_exists
failed_when: iptables_tcp42185_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check firewall rules.
- skip_ansible_lint
- name: Add firewall rule for TCP/{{fluentd_syslog_port}} (iptables-services)
lineinfile:
@ -89,25 +106,20 @@
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
# Firewalld
- name: Determine if firewalld is in use
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
ignore_errors: true
register: firewalld_in_use
no_log: true
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: true
tags:
# Skip ANSIBLE0013 Use shell only when shell functionality is required
# No systemctl module available in current stable release (Ansible 2.1)
- skip_ansible_lint
- name: Determine if TCP/{{fluentd_http_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{fluentd_http_port}}/tcp"
ignore_errors: true
register: firewalld_tcp9919_exists
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if port is already active
- skip_ansible_lint
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{fluentd_http_port}} (firewalld)
@ -126,6 +138,10 @@
register: iptables_tcp9919_exists
failed_when: iptables_tcp9919_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if port is already active
- skip_ansible_lint
- name: Add firewall rule for TCP/{{fluentd_http_port}} (iptables-services)
lineinfile:
@ -141,13 +157,17 @@
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
tags:
# Skip ANSIBLE0013 Use shell only when shell functionality is required
# No systemctl module available in current stable release (Ansible 2.1)
- skip_ansible_lint
### end firewall settings ###
- name: Install fluentd elasticsearch plugin
gem:
name=fluent-plugin-elasticsearch
state=latest
state=present
include_dependencies=yes
user_install=no
executable=/usr/sbin/td-agent-gem
@ -157,27 +177,19 @@
- name: Install fluentd beats plugin
gem:
name=fluent-plugin-beats
state=latest
state=present
include_dependencies=yes
user_install=no
executable=/usr/sbin/td-agent-gem
become: true
ignore_errors: false
- name: Stage filebeat JSON index template
copy:
src=filebeat-index-template.json
dest=/tmp/filebeat-index-template.json
owner=root
group=root
mode=0644
become: true
# note: we can't currently use the Ansible uri module here, curl is a workaround
# https://github.com/ansible/ansible-modules-core/issues/265
# http://stackoverflow.com/questions/28997007/translate-curl-put-into-ansible-uri-module
- name: Load filebeat JSON index template
command: curl -XPOST 'http://localhost:9200/_template/filebeat?pretty' -d@/tmp/filebeat-index-template.json
uri:
url: http://localhost:9200/_template/filebeat?pretty
method: POST
body: "{{ lookup('file', 'filebeat-index-template.json') }}"
body_format: json
ignore_errors: true
become: true
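Review bot: The read-only probe tasks in this section (firewalld in use, firewalld active, port already listed, iptables rule check) are tagged `skip_ansible_lint` to silence ANSIBLE0012, which also hides every other rule on those tasks from now on. These tasks only query state, so adding `changed_when: false` to each would say so explicitly and should satisfy ANSIBLE0012 while keeping the tasks linted. The same pattern repeats on the probe tasks in the other file sections of this commit. Several of these tasks begin or end outside the visible hunks.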


@ -73,9 +73,20 @@
ignore_errors: true
when: kibana_dashboards_present != 0
- name: Validate kibana load.sh script is available for use
stat:
path: /tmp/beats-dashboards-master/load.sh
ignore_errors: true
register: kibana_dashboards_load_sh_present
- name: Configure kibana filebeat dashboards
shell: sh /tmp/beats-dashboards-master/load.sh -url "http://localhost:9200" -user "admin:admin"
ignore_errors: true
when: kibana_dashboards_load_sh_present != 0
tags:
# Skip ANSIBLE0013 Use shell only when shell functionality is required
# Shell required here during script execution
- skip_ansible_lint
- name: Check kibana users
stat: path=/etc/nginx/htpasswd.users
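Review bot: The new guard `when: kibana_dashboards_load_sh_present != 0` compares the registered `stat` result, which is a dictionary, with an integer, so it is always true and the script runs whether or not the file exists. The condition should read `when: kibana_dashboards_load_sh_present.stat.exists`. Because the shell task keeps `ignore_errors: true`, a missing `load.sh` currently fails without stopping the play. The `-user "admin:admin"` argument on the script line is unchanged context, but moving it to a variable would keep the credential out of the playbook.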


@ -64,15 +64,6 @@
mode=0644
become: true
- name: Stage filebeat JSON index template
copy:
src=filebeat-index-template.json
dest=/tmp/filebeat-index-template.json
owner=root
group=root
mode=0644
become: true
- name: Load OpenSSL CA Extended Configuration
template:
src=openssl_extras.cnf.j2
@ -86,6 +77,10 @@
shell: grep "{{ ansible_default_ipv4.address }}" /etc/pki/tls/openssl.cnf | wc -l
ignore_errors: true
register: subjectAltName_exists
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to understand if an entry exists
- skip_ansible_lint
- name: Add OpenSSL SANs (SubjectAltName) entry for CA
lineinfile:
@ -96,11 +91,12 @@
backup: yes
when: subjectAltName_exists.stdout|int == 0
# note: we can't currently use the Ansible uri module here, curl is a workaround
# https://github.com/ansible/ansible-modules-core/issues/265
# http://stackoverflow.com/questions/28997007/translate-curl-put-into-ansible-uri-module
- name: Load filebeat JSON index template
command: curl -XPOST 'http://localhost:9200/_template/filebeat?pretty' -d@/tmp/filebeat-index-template.json
uri:
url: http://localhost:9200/_template/filebeat?pretty
method: post
body: "{{ lookups('file', 'filebeat-index-template.json') }}"
body_format: json
ignore_errors: true
become: true
@ -118,16 +114,28 @@
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
ignore_errors: true
register: firewalld_in_use
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Check if firewall is enabled
- skip_ansible_lint
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Check if firewall is active
- skip_ansible_lint
- name: Determine if TCP/{{logstash_syslog_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{logstash_syslog_port}}/tcp"
ignore_errors: true
register: firewalld_tcp{{logstash_syslog_port}}_exists
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to validate if port already configured
- skip_ansible_lint
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{logstash_syslog_port}} (firewalld)
@ -145,6 +153,10 @@
ignore_errors: true
register: iptables_tcp5044_exists
failed_when: iptables_tcp{{logstash_syslog_port}}_exists == 127
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to validate if port already configured
- skip_ansible_lint
- name: Add firewall rule for TCP/{{logstash_syslog_port}} (iptables-services)
lineinfile:
@ -160,3 +172,7 @@
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
tags:
# Skip ANSIBLE0013 Use shell only when shell functionality is required
# No systemctl module available in current stable release (Ansible 2.1)
- skip_ansible_lint
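Review bot: The `uri` task added in the `Load filebeat JSON index template` hunk calls `lookups('file', ...)`, which is not a lookup function; the other section of this commit uses `lookup`, so this looks like a typo that will fail at templating time. The line should be `body: "{{ lookup('file', 'filebeat-index-template.json') }}"`, and `method: post` would be better written `method: POST` to match the other section. Since the task keeps `ignore_errors: true` and this commit also removes the `Stage filebeat JSON index template` copy task, the failure would go unnoticed and the index template would not be loaded.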


@ -49,9 +49,19 @@
ignore_errors: true
when: nginx_needs_restart != 0
- name: Check if nginx is in use
shell: systemctl is-enabled nginx.service | egrep -qv 'masked|disabled'
register: nginx_in_use
ignore_errors: yes
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Determine if nginx is enabled
- skip_ansible_lint
- name: Set nginx to start on boot
command: systemctl enable nginx.service
ignore_errors: true
when: nginx_in_use.rc != 0
# we need TCP/80 and TCP/8080 open
# determine firewall status and take action
@ -64,18 +74,30 @@
ignore_errors: true
register: firewalld_in_use
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall is active
- skip_ansible_lint
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall is active
- skip_ansible_lint
- name: Determine if TCP/{{nginx_kibana_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
ignore_errors: true
register: firewalld_tcp80_exists
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall rule already exists
- skip_ansible_lint
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{nginx_kibana_port}} (firewalld)
@ -94,6 +116,10 @@
register: iptables_tcp80_exists
failed_when: iptables_tcp80_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall rule already exists
- skip_ansible_lint
- name: Add firewall rule for TCP/{{nginx_kibana_port}} (iptables-services)
lineinfile:
@ -109,6 +135,10 @@
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
tags:
# Skip ANSIBLE0013 Use shell only when shell functionality is required
# No systemctl module available in current stable release (Ansible 2.1)
- skip_ansible_lint
# Firewalld
- name: Determine if firewalld is in use
@ -116,18 +146,30 @@
ignore_errors: true
register: firewalld_in_use
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall is active
- skip_ansible_lint
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall is active
- skip_ansible_lint
- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
ignore_errors: true
register: firewalld_tcp8080_exists
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall rule already exists
- skip_ansible_lint
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (firewalld)
@ -146,6 +188,10 @@
register: iptables_tcp8080_exists
failed_when: iptables_tcp8080_exists == 127
no_log: true
tags:
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
# Need to check if firewall rule already exists
- skip_ansible_lint
- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
lineinfile:
@ -161,4 +207,7 @@
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
tags:
# Skip ANSIBLE0013 Use shell only when shell functionality is required
# No systemctl module available in current stable release (Ansible 2.1)
- skip_ansible_lint
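Review bot: The added `Check if nginx is in use` probe and the `when: nginx_in_use.rc != 0` guard on `Set nginx to start on boot` rebuild by hand the idempotence that the `service` module already provides. A single task such as `service: name=nginx enabled=yes` would replace both, report changed only when it enables the unit, and need no `skip_ansible_lint` tag. The new probe also writes `ignore_errors: yes` where the surrounding tasks use `true`; using one spelling throughout keeps the file consistent.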