Merge "Make nginx ports and firewall rules a variable."

ansible/README.md

@@ -58,11 +58,24 @@ Requires Ansible 2.0
 ```
 # ansible-playbook -i hosts install/connmon.yml
 ```
-##### Install ELK Stack
+##### Install Generic ELK Stack
 ```
 ansible-playbook -i hosts install/elk.yml
 ```
-##### Install ELK Clients
+##### Install ELK Stack (on an OpenStack Undercloud)
+```
+sed -i 's/nginx_kibana_port: 80/nginx_kibana_port: 8888/' install/group_vars/all.yml
+sed -i 's/elk_server_ssl_cert_port: 8080/elk_server_ssl_cert_port: 9999/' install/group_vars/all.yml
+```
+```
+ansible-playbook -i hosts install/elk.yml
+```
+##### Install Generic ELK Clients
+```
+ansible-playbook -i hosts install/elk-client.yml --extra-vars 'elk_server=X.X.X.X'
+```
+  - elk_server variable will be generated after the ELK stack playbook runs
+#### Install ELK Clients for OpenStack nodes
 ```
 ansible-playbook -i hosts install/elk-openstack-client.yml --extra-vars 'elk_server=X.X.X.X'
 ```

ansible/install/group_vars/all.yml

@@ -117,3 +117,16 @@ browbeat_pri_pool_gw: 172.16.10.1
 browbeat_pri_pool_dns: 8.8.8.8
 
 browbeat_router_name: browbeat_router
+
+########################################
+# ELK Server Variables
+########################################
+### nginx ###
+# add nonstandard port here for undercloud usage
+# usage: port nginx listens to reverse-proxy Kibana
+# e.g. 8888
+nginx_kibana_port: 80
+#
+# usage: port filebeat client grabs the client SSL certificate
+# e.g. 9999
+elk_server_ssl_cert_port: 8080

ansible/install/roles/filebeat/tasks/main.yml

@@ -12,9 +12,9 @@
     mode=0644
   become: true
 
-- name: Import filebeat GPG key
-  command: rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
-  ignore_errors: true
+- name: Import Filebeat GPG Key
+  rpm_key: key=http://packages.elastic.co/GPG-KEY-elasticsearch
+    state=present
   become: true
 
 - name: Install filebeat rpms
@@ -38,14 +38,21 @@
   ignore_errors: true
   register: elk_client_ssl_cert_exists
 
+# Set standard nginx ports if we're not pointing towards an undercloud
+- name: Assign ELK nginx port value for SSL client certificate
+  set_fact:
+    elk_server_ssl_cert_port: 8080
+  when: elk_server_ssl_cert_port is none
+
 - name: Install ELK server SSL client certificate
-  shell: curl http://"{{ elk_server }}":8080/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt
+  shell: curl http://"{{ elk_server }}":{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt
   become: true
   when: elk_client_ssl_cert_exists != 0
 
 - name: Start filebeat service
   command: systemctl start filebeat.service
   ignore_errors: true
+  become: true
   when: filebeat_needs_restart != 0
 
 - name: Setup filebeat service

ansible/install/roles/kibana/tasks/main.yml

@@ -99,13 +99,13 @@
   become: true
 
 - name: Print SSL post-setup information
-  debug: msg="Filebeat SSL Certificate available at http://{{ ansible_hostname }}:8080/filebeat-forwarder.crt"
+  debug: msg="Filebeat SSL Certificate available at http://{{ ansible_hostname }}:{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt"
 
 - name: Print post-setup URL
-  debug: msg="*** ELK Services available at http://{{ ansible_hostname }}/ ***"
+  debug: msg="*** ELK Services available at http://{{ ansible_hostname }}:{{ nginx_kibana_port }} ***"
 
 - name: Print index creation instructions
-  debug: msg="** 1) Navigate to http://{{ ansible_hostname }} and login with admin/admin, click 'create' on the green index button ***"
+  debug: msg="** 1) Navigate to http://{{ ansible_hostname }}:{{ nginx_kibana_port }} and login with admin/admin, click 'create' on the green index button ***"
 
 - name: Print filebeat openstack client setup instructions
   debug: msg="** 2) Run ansible-playbook -i hosts install/elk-openstack-client.yml --extra-vars 'elk_server={{ ansible_default_ipv4.address }}' to setup OpenStack clients ***"

ansible/install/roles/logstash/files/10-syslog.conf

@@ -4,7 +4,7 @@ input {
     }
 }
 output {
-  stdout {codec => rubydebug }
+#  stdout {codec => rubydebug }
    elasticsearch {
           hosts => "localhost:9200"
        }

ansible/install/roles/logstash/tasks/main.yml

@@ -104,11 +104,6 @@
   ignore_errors: true
   become: true
 
-- name: Refresh logstash service
-  command: systemctl restart logstash.service
-  ignore_errors: true
-  become: true
-
 - name: Setup logstash service
   service: name=logstash state=started enabled=true
   become: true
@@ -123,16 +118,19 @@
   shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
   ignore_errors: true
   register: firewalld_in_use
+  no_log: True
 
 - name: Determine if firewalld is active
   shell: systemctl is-active firewalld.service | grep -vq inactive
   ignore_errors: true
   register: firewalld_is_active
+  no_log: True
 
 - name: Determine if TCP/5044 is already active
   shell: firewall-cmd --list-ports | egrep -q "^5044/tcp"
   ignore_errors: true
   register: firewalld_tcp5044_exists
+  no_log: True
 
 # add firewall rule via firewall-cmd
 - name: Add firewall rule for TCP/5044 (firewalld)
@@ -150,6 +148,7 @@
   ignore_errors: true
   register: iptables_tcp5044_exists
   failed_when: iptables_tcp5044_exists == 127
+  no_log: True
 
 - name: Add firewall rule for TCP/5044 (iptables-services)
   lineinfile:

ansible/install/roles/nginx/tasks/main.yml

@@ -37,18 +37,17 @@
 
 # deploy basic nginx.conf 8080 vhost
 - name: Setup nginx TCP/8080 vhost for SSL certificate
-  copy:
-    src=nginx.conf
+  template:
+    src=nginx.conf.j2
     dest=/etc/nginx/nginx.conf
     owner=root
     group=root
     mode=0644
-  ignore_errors: true
   become: true
 
 # start nginx service
 - name: Start nginx service
-  command: systemctl start nginx.service
+  command: systemctl restart nginx.service
   ignore_errors: true
   when: nginx_needs_restart != 0
 
@@ -66,45 +65,49 @@
   shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
   ignore_errors: true
   register: firewalld_in_use
+  no_log: True
 
 - name: Determine if firewalld is active
   shell: systemctl is-active firewalld.service | grep -vq inactive
   ignore_errors: true
   register: firewalld_is_active
+  no_log: True
 
-- name: Determine if TCP/80 is already active
-  shell: firewall-cmd --list-ports | egrep -q "^80/tcp"
+- name: Determine if TCP/{{nginx_kibana_port}} is already active
+  shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
   ignore_errors: true
   register: firewalld_tcp80_exists
+  no_log: True
 
 # add firewall rule via firewall-cmd
-- name: Add firewall rule for TCP/80 (firewalld)
+- name: Add firewall rule for TCP/{{nginx_kibana_port}} (firewalld)
   command: "{{ item }}"
   with_items:
-    - firewall-cmd --zone=public --add-port=80/tcp --permanent
+    - firewall-cmd --zone=public --add-port={{nginx_kibana_port}}/tcp --permanent
     - firewall-cmd --reload
   ignore_errors: true
   become: true
   when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp80_exists.rc != 0
 
 # iptables-services
-- name: check firewall rules for TCP/80 (iptables-services)
-  shell: grep "dport 80 \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+- name: check firewall rules for TCP/{{nginx_kibana_port}} (iptables-services)
+  shell: grep "dport {{nginx_kibana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
   ignore_errors: true
   register: iptables_tcp80_exists
   failed_when: iptables_tcp80_exists == 127
+  no_log: True
 
-- name: Add firewall rule for TCP/80 (iptables-services)
+- name: Add firewall rule for TCP/{{nginx_kibana_port}} (iptables-services)
   lineinfile:
     dest: /etc/sysconfig/iptables
-    line: '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
+    line: '-A INPUT -p tcp -m tcp --dport {{nginx_kibana_port}} -j ACCEPT'
     regexp: '^INPUT -i lo -j ACCEPT'
     insertbefore: '-A INPUT -i lo -j ACCEPT'
     backup: yes
   when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
   register: iptables_needs_restart
 
-- name: Restart iptables-services for TCP/80 (iptables-services)
+- name: Restart iptables-services for TCP/{{nginx_kibana_port}} (iptables-services)
   shell: systemctl restart iptables.service
   ignore_errors: true
   when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
@@ -114,45 +117,49 @@
   shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
   ignore_errors: true
   register: firewalld_in_use
+  no_log: True
 
 - name: Determine if firewalld is active
   shell: systemctl is-active firewalld.service | grep -vq inactive
   ignore_errors: true
   register: firewalld_is_active
+  no_log: True
 
-- name: Determine if TCP/8080 is already active
-  shell: firewall-cmd --list-ports | egrep -q "^8080/tcp"
+- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
+  shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
   ignore_errors: true
   register: firewalld_tcp8080_exists
+  no_log: True
 
 # add firewall rule via firewall-cmd
-- name: Add firewall rule for TCP/8080 (firewalld)
+- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (firewalld)
   command: "{{ item }}"
   with_items:
-    - firewall-cmd --zone=public --add-port=8080/tcp --permanent
+    - firewall-cmd --zone=public --add-port={{elk_server_ssl_cert_port}}/tcp --permanent
     - firewall-cmd --reload
   ignore_errors: true
   become: true
   when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp8080_exists.rc != 0
 
 # iptables-services
-- name: check firewall rules for TCP/8080 (iptables-services)
-  shell: grep "dport 8080 \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+- name: check firewall rules for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
+  shell: grep "dport {{elk_server_ssl_cert_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
   ignore_errors: true
   register: iptables_tcp8080_exists
   failed_when: iptables_tcp8080_exists == 127
+  no_log: True
 
-- name: Add firewall rule for TCP/8080 (iptables-services)
+- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
   lineinfile:
     dest: /etc/sysconfig/iptables
-    line: '-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'
+    line: '-A INPUT -p tcp -m tcp --dport {{elk_server_ssl_cert_port}} -j ACCEPT'
     regexp: '^INPUT -i lo -j ACCEPT'
     insertbefore: '-A INPUT -i lo -j ACCEPT'
     backup: yes
   when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp8080_exists.stdout|int == 0
   register: iptables_needs_restart
 
-- name: Restart iptables-services for TCP/8080 (iptables-services)
+- name: Restart iptables-services for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
   shell: systemctl restart iptables.service
   ignore_errors: true
   when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0

ansible/install/roles/nginx/templates/kibana.conf.j2

@@ -1,5 +1,5 @@
 server {
-    listen 80;
+    listen {{nginx_kibana_port}};
 
     server_name {{ansible_hostname}};
 

ansible/install/roles/nginx/templates/nginx.conf.j2

@@ -33,8 +33,8 @@ http {
     include /etc/nginx/conf.d/*.conf;
 
     server {
-        listen       8080 default_server;
-        listen       [::]:8080 default_server;
+        listen       {{elk_server_ssl_cert_port}} default_server;
+        listen       [::]:{{elk_server_ssl_cert_port}} default_server;
         server_name  _;
         root         /usr/share/nginx/html;