diff --git a/ansible/README.md b/ansible/README.md
index 93c60d0ce..e1b8415c2 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -58,11 +58,24 @@ Requires Ansible 2.0
 ```
 # ansible-playbook -i hosts install/connmon.yml
 ```
-##### Install ELK Stack
+##### Install Generic ELK Stack
 ```
 ansible-playbook -i hosts install/elk.yml
 ```
-##### Install ELK Clients
+##### Install ELK Stack (on an OpenStack Undercloud)
+```
+sed -i 's/nginx_kibana_port: 80/nginx_kibana_port: 8888/' install/group_vars/all.yml
+sed -i 's/elk_server_ssl_cert_port: 8080/elk_server_ssl_cert_port: 9999/' install/group_vars/all.yml
+```
+```
+ansible-playbook -i hosts install/elk.yml
+```
+##### Install Generic ELK Clients
+```
+ansible-playbook -i hosts install/elk-client.yml --extra-vars 'elk_server=X.X.X.X'
+```
+ - elk_server variable will be generated after the ELK stack playbook runs
+#### Install ELK Clients for OpenStack nodes
 ```
 ansible-playbook -i hosts install/elk-openstack-client.yml --extra-vars 'elk_server=X.X.X.X'
 ```
diff --git a/ansible/install/group_vars/all.yml b/ansible/install/group_vars/all.yml
index b095006ea..25515d60b 100644
--- a/ansible/install/group_vars/all.yml
+++ b/ansible/install/group_vars/all.yml
@@ -117,3 +117,16 @@ browbeat_pri_pool_gw: 172.16.10.1
 browbeat_pri_pool_dns: 8.8.8.8
 browbeat_router_name: browbeat_router
+
+########################################
+# ELK Server Variables
+########################################
+### nginx ###
+# add nonstandard port here for undercloud usage
+# usage: port nginx listens to reverse-proxy Kibana
+# e.g. 8888
+nginx_kibana_port: 80
+#
+# usage: port filebeat client grabs the client SSL certificate
+# e.g. 9999
+elk_server_ssl_cert_port: 8080
diff --git a/ansible/install/roles/filebeat/tasks/main.yml b/ansible/install/roles/filebeat/tasks/main.yml
index 12dc34183..bed52487b 100644
--- a/ansible/install/roles/filebeat/tasks/main.yml
+++ b/ansible/install/roles/filebeat/tasks/main.yml
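Review bot: `nginx_kibana_port: 80` and `elk_server_ssl_cert_port: 8080` are introduced as checked-in defaults, and the README hunk in the same commit tells users to change them with `sed` on install/group_vars/all.yml, which leaves the working tree dirty and makes the deployed port choice untrackable. Both are ordinary Ansible variables, so `--extra-vars 'nginx_kibana_port=8888 elk_server_ssl_cert_port=9999'` (or a host/group var file for the undercloud) achieves the same without editing the defaults, and the comment block above the two keys could say so instead of `# e.g. 8888`. Because this file always assigns `elk_server_ssl_cert_port`, the `is none` fallback added in roles/filebeat/tasks/main.yml is never reached on an inventory that loads it.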
@@ -12,9 +12,9 @@
 mode=0644
 become: true
-- name: Import filebeat GPG key
- command: rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
- ignore_errors: true
+- name: Import Filebeat GPG Key
+ rpm_key: key=http://packages.elastic.co/GPG-KEY-elasticsearch
+ state=present
 become: true
 - name: Install filebeat rpms
@@ -38,14 +38,21 @@
 ignore_errors: true
 register: elk_client_ssl_cert_exists
+# Set standard nginx ports if we're not pointing towards an undercloud
+- name: Assign ELK nginx port value for SSL client certificate
+ set_fact:
+ elk_server_ssl_cert_port: 8080
+ when: elk_server_ssl_cert_port is none
+
 - name: Install ELK server SSL client certificate
- shell: curl http://"{{ elk_server }}":8080/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt
+ shell: curl http://"{{ elk_server }}":{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt
 become: true
 when: elk_client_ssl_cert_exists != 0
 - name: Start filebeat service
 command: systemctl start filebeat.service
 ignore_errors: true
+ become: true
 when: filebeat_needs_restart != 0
 - name: Setup filebeat service
diff --git a/ansible/install/roles/kibana/tasks/main.yml b/ansible/install/roles/kibana/tasks/main.yml
index 0b3b204e6..9fe802c21 100644
--- a/ansible/install/roles/kibana/tasks/main.yml
+++ b/ansible/install/roles/kibana/tasks/main.yml
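Review bot: `rpm_key: key=http://packages.elastic.co/GPG-KEY-elasticsearch` fetches the key that authenticates every Filebeat package over plain HTTP, so the trust anchor itself arrives without transport integrity. Use `key=https://packages.elastic.co/GPG-KEY-elasticsearch` if the mirror serves it, and on Ansible releases where `rpm_key` supports `fingerprint:` pin the expected key fingerprint so the import fails on an unexpected key rather than trusting whatever was downloaded. Dropping the old `ignore_errors: true` from this task is the right call: a failed key import should stop the play before the package install task that follows.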
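Review bot: `when: elk_server_ssl_cert_port is none` does not give the new set_fact fallback its intended effect: group_vars/all.yml in this commit always sets the variable to 8080, so the condition is false there, and on an inventory that does not load that file the variable is undefined and the `when` itself errors instead of falling back. `when: elk_server_ssl_cert_port is not defined or elk_server_ssl_cert_port is none` covers both cases. Separately, the re-templated `shell: curl http://"{{ elk_server }}":{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt` still downloads the certificate the client will trust over plain HTTP with no integrity check, and `curl` without `-f` writes an HTTP error page to the .crt path on failure while the task reports success; the `get_url` module with `url:`, `dest:` and a `checksum:` would make the download both idempotent and verifiable.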
@@ -99,13 +99,13 @@
 become: true
 - name: Print SSL post-setup information
- debug: msg="Filebeat SSL Certificate available at http://{{ ansible_hostname }}:8080/filebeat-forwarder.crt"
+ debug: msg="Filebeat SSL Certificate available at http://{{ ansible_hostname }}:{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt"
 - name: Print post-setup URL
- debug: msg="*** ELK Services available at http://{{ ansible_hostname }}/ ***"
+ debug: msg="*** ELK Services available at http://{{ ansible_hostname }}:{{ nginx_kibana_port }} ***"
 - name: Print index creation instructions
- debug: msg="** 1) Navigate to http://{{ ansible_hostname }} and login with admin/admin, click 'create' on the green index button ***"
+ debug: msg="** 1) Navigate to http://{{ ansible_hostname }}:{{ nginx_kibana_port }} and login with admin/admin, click 'create' on the green index button ***"
 - name: Print filebeat openstack client setup instructions
 debug: msg="** 2) Run ansible-playbook -i hosts install/elk-openstack-client.yml --extra-vars 'elk_server={{ ansible_default_ipv4.address }}' to setup OpenStack clients ***"
diff --git a/ansible/install/roles/logstash/files/10-syslog.conf b/ansible/install/roles/logstash/files/10-syslog.conf
index 574d8430d..0d71cfb68 100644
--- a/ansible/install/roles/logstash/files/10-syslog.conf
+++ b/ansible/install/roles/logstash/files/10-syslog.conf
@@ -4,7 +4,7 @@ input {
 }
 }
 output {
- stdout {codec => rubydebug }
+# stdout {codec => rubydebug }
 elasticsearch {
 hosts => "localhost:9200"
 }
diff --git a/ansible/install/roles/logstash/tasks/main.yml b/ansible/install/roles/logstash/tasks/main.yml
index fbff13e98..120a067f1 100644
--- a/ansible/install/roles/logstash/tasks/main.yml
+++ b/ansible/install/roles/logstash/tasks/main.yml
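Review bot: `# stdout {codec => rubydebug }` leaves the debug output in 10-syslog.conf as commented-out configuration rather than removing it; the file sits under the role's files/ directory and is presumably copied to every Logstash host verbatim, so the dead line ships with the deployment and invites being re-enabled in production. Delete the line, and if a debugging output is still wanted keep it in a separate conf file that is deployed only on demand. The Logstash config comment syntax is correct, so this is a style point only.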
@@ -104,11 +104,6 @@
 ignore_errors: true
 become: true
-- name: Refresh logstash service
- command: systemctl restart logstash.service
- ignore_errors: true
- become: true
-
 - name: Setup logstash service
 service: name=logstash state=started enabled=true
 become: true
@@ -123,16 +118,19 @@
 shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
 ignore_errors: true
 register: firewalld_in_use
+ no_log: True
 - name: Determine if firewalld is active
 shell: systemctl is-active firewalld.service | grep -vq inactive
 ignore_errors: true
 register: firewalld_is_active
+ no_log: True
 - name: Determine if TCP/5044 is already active
 shell: firewall-cmd --list-ports | egrep -q "^5044/tcp"
 ignore_errors: true
 register: firewalld_tcp5044_exists
+ no_log: True
 # add firewall rule via firewall-cmd
 - name: Add firewall rule for TCP/5044 (firewalld)
@@ -150,6 +148,7 @@
 ignore_errors: true
 register: iptables_tcp5044_exists
 failed_when: iptables_tcp5044_exists == 127
+ no_log: True
 - name: Add firewall rule for TCP/5044 (iptables-services)
 lineinfile:
diff --git a/ansible/install/roles/nginx/tasks/main.yml b/ansible/install/roles/nginx/tasks/main.yml
index 8e197ac72..7a3fe9932 100644
--- a/ansible/install/roles/nginx/tasks/main.yml
+++ b/ansible/install/roles/nginx/tasks/main.yml
@@ -37,18 +37,17 @@
 # deploy basic nginx.conf 8080 vhost
 - name: Setup nginx TCP/8080 vhost for SSL certificate
- copy:
- src=nginx.conf
+ template:
+ src=nginx.conf.j2
 dest=/etc/nginx/nginx.conf
 owner=root
 group=root
 mode=0644
- ignore_errors: true
 become: true
 # start nginx service
 - name: Start nginx service
- command: systemctl start nginx.service
+ command: systemctl restart nginx.service
 ignore_errors: true
 when: nginx_needs_restart != 0
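Review bot: `no_log: True` on the firewall probe tasks (`register: firewalld_in_use`, `firewalld_is_active`, `firewalld_tcp5044_exists`, and `iptables_tcp5044_exists` in the next hunk) hides the output of tasks that carry no secret; `no_log` exists to keep credentials out of logs, and here it removes the only evidence an operator has of why a firewall rule was or was not added, all the more so since every one of these tasks also has `ignore_errors: true`. If the goal is a quieter run, mark the read-only checks with `changed_when: false` and leave logging on. The same pattern is repeated in roles/nginx/tasks/main.yml for the TCP/{{nginx_kibana_port}} and TCP/{{elk_server_ssl_cert_port}} blocks. Write the boolean as `true` to match `ignore_errors: true` on the neighbouring lines (yamllint truthy).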
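Review bot: The task name `Setup nginx TCP/8080 vhost for SSL certificate` and the comment `# deploy basic nginx.conf 8080 vhost` are now wrong whenever `elk_server_ssl_cert_port` is overridden, since the rendered nginx.conf.j2 listens on that variable; rename them to `TCP/{{elk_server_ssl_cert_port}}` as the firewall tasks further down in this file do. The switch to `template:` also changes when a restart is needed: `command: systemctl restart nginx.service` still runs only `when: nginx_needs_restart != 0`, which presumably reflects package installation rather than a changed config, so a port change on an already-installed host may not be applied. `register` the template result and include its `.changed` in that condition, or use `notify` with a restart handler, and consider `service: name=nginx state=restarted` over shelling out to systemctl. Dropping `ignore_errors: true` from the template task is a good change.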
@@ -66,45 +65,49 @@
 shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
 ignore_errors: true
 register: firewalld_in_use
+ no_log: True
 - name: Determine if firewalld is active
 shell: systemctl is-active firewalld.service | grep -vq inactive
 ignore_errors: true
 register: firewalld_is_active
+ no_log: True
-- name: Determine if TCP/80 is already active
- shell: firewall-cmd --list-ports | egrep -q "^80/tcp"
+- name: Determine if TCP/{{nginx_kibana_port}} is already active
+ shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
 ignore_errors: true
 register: firewalld_tcp80_exists
+ no_log: True
 # add firewall rule via firewall-cmd
-- name: Add firewall rule for TCP/80 (firewalld)
+- name: Add firewall rule for TCP/{{nginx_kibana_port}} (firewalld)
 command: "{{ item }}"
 with_items:
- - firewall-cmd --zone=public --add-port=80/tcp --permanent
+ - firewall-cmd --zone=public --add-port={{nginx_kibana_port}}/tcp --permanent
 - firewall-cmd --reload
 ignore_errors: true
 become: true
 when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp80_exists.rc != 0
 # iptables-services
-- name: check firewall rules for TCP/80 (iptables-services)
- shell: grep "dport 80 \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+- name: check firewall rules for TCP/{{nginx_kibana_port}} (iptables-services)
+ shell: grep "dport {{nginx_kibana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
 ignore_errors: true
 register: iptables_tcp80_exists
 failed_when: iptables_tcp80_exists == 127
+ no_log: True
-- name: Add firewall rule for TCP/80 (iptables-services)
+- name: Add firewall rule for TCP/{{nginx_kibana_port}} (iptables-services)
 lineinfile:
 dest: /etc/sysconfig/iptables
- line: '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
+ line: '-A INPUT -p tcp -m tcp --dport {{nginx_kibana_port}} -j ACCEPT'
 regexp: '^INPUT -i lo -j ACCEPT'
 insertbefore: '-A INPUT -i lo -j ACCEPT'
 backup: yes
 when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
 register: iptables_needs_restart
-- name: Restart iptables-services for TCP/80 (iptables-services)
+- name: Restart iptables-services for TCP/{{nginx_kibana_port}} (iptables-services)
 shell: systemctl restart iptables.service
 ignore_errors: true
 when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
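Review bot: `register: firewalld_tcp80_exists` and `register: iptables_tcp80_exists` (and the `when:` clauses that read them) keep the hard-coded port in their names while the task names, shell commands and iptables rule in this hunk now use `{{nginx_kibana_port}}`, so the next reader has to work out that `tcp80` means "whatever the Kibana port is"; `firewalld_kibana_port_exists` / `iptables_kibana_port_exists` would match the new parameterisation. The TCP/{{elk_server_ssl_cert_port}} block in the following hunk has the same stale `tcp8080` register names. The new Jinja expressions are written `{{nginx_kibana_port}}` without inner spaces while the existing `command: "{{ item }}"` a few lines below uses `{{ item }}`; pick one form for the file.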
@@ -114,45 +117,49 @@
 shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
 ignore_errors: true
 register: firewalld_in_use
+ no_log: True
 - name: Determine if firewalld is active
 shell: systemctl is-active firewalld.service | grep -vq inactive
 ignore_errors: true
 register: firewalld_is_active
+ no_log: True
-- name: Determine if TCP/8080 is already active
- shell: firewall-cmd --list-ports | egrep -q "^8080/tcp"
+- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
+ shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
 ignore_errors: true
 register: firewalld_tcp8080_exists
+ no_log: True
 # add firewall rule via firewall-cmd
-- name: Add firewall rule for TCP/8080 (firewalld)
+- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (firewalld)
 command: "{{ item }}"
 with_items:
- - firewall-cmd --zone=public --add-port=8080/tcp --permanent
+ - firewall-cmd --zone=public --add-port={{elk_server_ssl_cert_port}}/tcp --permanent
 - firewall-cmd --reload
 ignore_errors: true
 become: true
 when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp8080_exists.rc != 0
 # iptables-services
-- name: check firewall rules for TCP/8080 (iptables-services)
- shell: grep "dport 8080 \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+- name: check firewall rules for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
+ shell: grep "dport {{elk_server_ssl_cert_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
 ignore_errors: true
 register: iptables_tcp8080_exists
 failed_when: iptables_tcp8080_exists == 127
+ no_log: True
-- name: Add firewall rule for TCP/8080 (iptables-services)
+- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
 lineinfile:
 dest: /etc/sysconfig/iptables
- line: '-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'
+ line: '-A INPUT -p tcp -m tcp --dport {{elk_server_ssl_cert_port}} -j ACCEPT'
 regexp: '^INPUT -i lo -j ACCEPT'
 insertbefore: '-A INPUT -i lo -j ACCEPT'
 backup: yes
 when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp8080_exists.stdout|int == 0
 register: iptables_needs_restart
-- name: Restart iptables-services for TCP/8080 (iptables-services)
+- name: Restart iptables-services for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
 shell: systemctl restart iptables.service
 ignore_errors: true
 when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
diff --git a/ansible/install/roles/nginx/templates/kibana.conf.j2 b/ansible/install/roles/nginx/templates/kibana.conf.j2
index 62dd5f9bc..82e54d40d 100644
--- a/ansible/install/roles/nginx/templates/kibana.conf.j2
+++ b/ansible/install/roles/nginx/templates/kibana.conf.j2
@@ -1,5 +1,5 @@
 server {
- listen 80;
+ listen {{nginx_kibana_port}};
 server_name {{ansible_hostname}};
diff --git a/ansible/install/roles/nginx/files/nginx.conf b/ansible/install/roles/nginx/templates/nginx.conf.j2
similarity index 91%
rename from ansible/install/roles/nginx/files/nginx.conf
rename to ansible/install/roles/nginx/templates/nginx.conf.j2
index d5a7478bb..f050d198c 100644
--- a/ansible/install/roles/nginx/files/nginx.conf
+++ b/ansible/install/roles/nginx/templates/nginx.conf.j2
@@ -33,8 +33,8 @@ http {
 include /etc/nginx/conf.d/*.conf;
 server {
- listen 8080 default_server;
- listen [::]:8080 default_server;
+ listen {{elk_server_ssl_cert_port}} default_server;
+ listen [::]:{{elk_server_ssl_cert_port}} default_server;
 server_name _;
 root /usr/share/nginx/html;
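Review bot: `listen {{nginx_kibana_port}};` in kibana.conf.j2 hands the variable to nginx unvalidated; an empty or non-numeric override renders an invalid `listen` directive, and because `command: systemctl restart nginx.service` in roles/nginx/tasks/main.yml runs with `ignore_errors: true`, the play would finish green with Kibana unreachable. Add an `assert` task on `nginx_kibana_port` and `elk_server_ssl_cert_port` (for example `that: - nginx_kibana_port | int > 0`) before the template tasks so a bad override fails loudly; the two `listen` lines in nginx.conf.j2 in the hunk below need the same protection. Rendering `{{ nginx_kibana_port | int }}` alone is not enough, since Jinja2's `int` filter turns an unparsable string into 0 rather than failing.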