Make nginx ports and firewall rules a variable.

Changes in patchset #11:

1) moved to putting default port variables in group_vars/all.yml
2) updated README to specify changing port variables for undercloud deployments
3) removed setting variables in the nginx task, but we can utilize fail: checks
   for variable checks instead (cleaner).

Changes in patchet #10:

1) added become: true for filebeat per jtaleric comments
2) added no_log: True to reduce unecessary firewall debug discovery
   during the playbook run

Changes in patchset #9:

Rebased against commit 5ef39f88dd

Changes in patchset #8:

1) use restart instead of start for ansible service
   this will address when you re-run playbooks if you
   decide to change the listener ports

Changes in patchset #7:

1) use rpm_key ansible module instead of rpm command
   for GPG key management

Changes in patchset #6:

1) ensure elk_server_ssl_cert_port variable can be set
   for non-standard port access like elk_server

Changes in patchset #5:

1) use 'become=true' for all operations within filebeat
   so that elk clients running as non-root (but privileged)
   users can run client deployments.

Changes in patchset #4:

1) turn logstash stdout off by default
2) remove unneeded logstash refresh

Changes in patchset #3:

1) remove debug statements for port variable testing

Changes in patchset #2:

1) remove unneeded conditional logic, only comparison
   for 'none' is needed.
2) fix duplicate variable assignment
3) add more info to group_vars/all comments that you
   need to use nonstandard ports for both if you need one
   only.

Changes introduced in patchset #1:

This provides the following functionality:

1) adds two new variables to group_vars/all:
   * nginx_kibana_port
   * elk_server_ssl_cert_port

2) sets a normal default for these ports if
   they are not defined explicitly.

If these are not defined then default ports of 80/TCP
and 8080/TCP will be used respectively.

If they are defined (in case of undercloud install where lots
of services/ports are listening on standard ports) then both
nginx jinja2 templates will be updated along with firewall rules.

Why we need this functionality, and why we should use it:

1) Avoid hard-coded defaults like 1.1.1.1 or service ports
2) Minimize the amount of editing needed for variables before
   Browbeat can be run by users

Change-Id: Ia689f73d9c0c83de4d34a1954824afbee8205c25
This commit is contained in:
Will Foster 2016-05-05 15:01:12 -04:00
parent 5ef39f88dd
commit 3e06f195b7
9 changed files with 79 additions and 40 deletions

View File

@ -58,11 +58,24 @@ Requires Ansible 2.0
```
# ansible-playbook -i hosts install/connmon.yml
```
##### Install ELK Stack
##### Install Generic ELK Stack
```
ansible-playbook -i hosts install/elk.yml
```
##### Install ELK Clients
##### Install ELK Stack (on an OpenStack Undercloud)
```
sed -i 's/nginx_kibana_port: 80/nginx_kibana_port: 8888/' install/group_vars/all.yml
sed -i 's/elk_server_ssl_cert_port: 8080/elk_server_ssl_cert_port: 9999/' install/group_vars/all.yml
```
```
ansible-playbook -i hosts install/elk.yml
```
##### Install Generic ELK Clients
```
ansible-playbook -i hosts install/elk-client.yml --extra-vars 'elk_server=X.X.X.X'
```
- elk_server variable will be generated after the ELK stack playbook runs
#### Install ELK Clients for OpenStack nodes
```
ansible-playbook -i hosts install/elk-openstack-client.yml --extra-vars 'elk_server=X.X.X.X'
```

View File

@ -104,3 +104,16 @@ browbeat_pri_pool_gw: 172.16.10.1
browbeat_pri_pool_dns: 8.8.8.8
browbeat_router_name: browbeat_router
########################################
# ELK Server Variables
########################################
### nginx ###
# add nonstandard port here for undercloud usage
# usage: port nginx listens to reverse-proxy Kibana
# e.g. 8888
nginx_kibana_port: 80
#
# usage: port filebeat client grabs the client SSL certificate
# e.g. 9999
elk_server_ssl_cert_port: 8080

View File

@ -12,9 +12,9 @@
mode=0644
become: true
- name: Import filebeat GPG key
command: rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
ignore_errors: true
- name: Import Filebeat GPG Key
rpm_key: key=http://packages.elastic.co/GPG-KEY-elasticsearch
state=present
become: true
- name: Install filebeat rpms
@ -38,14 +38,21 @@
ignore_errors: true
register: elk_client_ssl_cert_exists
# Set standard nginx ports if we're not pointing towards an undercloud
- name: Assign ELK nginx port value for SSL client certificate
set_fact:
elk_server_ssl_cert_port: 8080
when: elk_server_ssl_cert_port is none
- name: Install ELK server SSL client certificate
shell: curl http://"{{ elk_server }}":8080/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt
shell: curl http://"{{ elk_server }}":{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt > /etc/pki/tls/certs/filebeat-forwarder.crt
become: true
when: elk_client_ssl_cert_exists != 0
- name: Start filebeat service
command: systemctl start filebeat.service
ignore_errors: true
become: true
when: filebeat_needs_restart != 0
- name: Setup filebeat service

View File

@ -99,13 +99,13 @@
become: true
- name: Print SSL post-setup information
debug: msg="Filebeat SSL Certificate available at http://{{ ansible_hostname }}:8080/filebeat-forwarder.crt"
debug: msg="Filebeat SSL Certificate available at http://{{ ansible_hostname }}:{{ elk_server_ssl_cert_port }}/filebeat-forwarder.crt"
- name: Print post-setup URL
debug: msg="*** ELK Services available at http://{{ ansible_hostname }}/ ***"
debug: msg="*** ELK Services available at http://{{ ansible_hostname }}:{{ nginx_kibana_port }} ***"
- name: Print index creation instructions
debug: msg="** 1) Navigate to http://{{ ansible_hostname }} and login with admin/admin, click 'create' on the green index button ***"
debug: msg="** 1) Navigate to http://{{ ansible_hostname }}:{{ nginx_kibana_port }} and login with admin/admin, click 'create' on the green index button ***"
- name: Print filebeat openstack client setup instructions
debug: msg="** 2) Run ansible-playbook -i hosts install/elk-openstack-client.yml --extra-vars 'elk_server={{ ansible_default_ipv4.address }}' to setup OpenStack clients ***"

View File

@ -4,7 +4,7 @@ input {
}
}
output {
stdout {codec => rubydebug }
# stdout {codec => rubydebug }
elasticsearch {
hosts => "localhost:9200"
}

View File

@ -104,11 +104,6 @@
ignore_errors: true
become: true
- name: Refresh logstash service
command: systemctl restart logstash.service
ignore_errors: true
become: true
- name: Setup logstash service
service: name=logstash state=started enabled=true
become: true
@ -123,16 +118,19 @@
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
ignore_errors: true
register: firewalld_in_use
no_log: True
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: True
- name: Determine if TCP/5044 is already active
shell: firewall-cmd --list-ports | egrep -q "^5044/tcp"
ignore_errors: true
register: firewalld_tcp5044_exists
no_log: True
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/5044 (firewalld)
@ -150,6 +148,7 @@
ignore_errors: true
register: iptables_tcp5044_exists
failed_when: iptables_tcp5044_exists == 127
no_log: True
- name: Add firewall rule for TCP/5044 (iptables-services)
lineinfile:

View File

@ -37,18 +37,17 @@
# deploy basic nginx.conf 8080 vhost
- name: Setup nginx TCP/8080 vhost for SSL certificate
copy:
src=nginx.conf
template:
src=nginx.conf.j2
dest=/etc/nginx/nginx.conf
owner=root
group=root
mode=0644
ignore_errors: true
become: true
# start nginx service
- name: Start nginx service
command: systemctl start nginx.service
command: systemctl restart nginx.service
ignore_errors: true
when: nginx_needs_restart != 0
@ -66,45 +65,49 @@
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
ignore_errors: true
register: firewalld_in_use
no_log: True
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: True
- name: Determine if TCP/80 is already active
shell: firewall-cmd --list-ports | egrep -q "^80/tcp"
- name: Determine if TCP/{{nginx_kibana_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{nginx_kibana_port}}/tcp"
ignore_errors: true
register: firewalld_tcp80_exists
no_log: True
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/80 (firewalld)
- name: Add firewall rule for TCP/{{nginx_kibana_port}} (firewalld)
command: "{{ item }}"
with_items:
- firewall-cmd --zone=public --add-port=80/tcp --permanent
- firewall-cmd --zone=public --add-port={{nginx_kibana_port}}/tcp --permanent
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp80_exists.rc != 0
# iptables-services
- name: check firewall rules for TCP/80 (iptables-services)
shell: grep "dport 80 \-j ACCEPT" /etc/sysconfig/iptables | wc -l
- name: check firewall rules for TCP/{{nginx_kibana_port}} (iptables-services)
shell: grep "dport {{nginx_kibana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp80_exists
failed_when: iptables_tcp80_exists == 127
no_log: True
- name: Add firewall rule for TCP/80 (iptables-services)
- name: Add firewall rule for TCP/{{nginx_kibana_port}} (iptables-services)
lineinfile:
dest: /etc/sysconfig/iptables
line: '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
line: '-A INPUT -p tcp -m tcp --dport {{nginx_kibana_port}} -j ACCEPT'
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
register: iptables_needs_restart
- name: Restart iptables-services for TCP/80 (iptables-services)
- name: Restart iptables-services for TCP/{{nginx_kibana_port}} (iptables-services)
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
@ -114,45 +117,49 @@
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
ignore_errors: true
register: firewalld_in_use
no_log: True
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: True
- name: Determine if TCP/8080 is already active
shell: firewall-cmd --list-ports | egrep -q "^8080/tcp"
- name: Determine if TCP/{{elk_server_ssl_cert_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{elk_server_ssl_cert_port}}/tcp"
ignore_errors: true
register: firewalld_tcp8080_exists
no_log: True
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/8080 (firewalld)
- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (firewalld)
command: "{{ item }}"
with_items:
- firewall-cmd --zone=public --add-port=8080/tcp --permanent
- firewall-cmd --zone=public --add-port={{elk_server_ssl_cert_port}}/tcp --permanent
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp8080_exists.rc != 0
# iptables-services
- name: check firewall rules for TCP/8080 (iptables-services)
shell: grep "dport 8080 \-j ACCEPT" /etc/sysconfig/iptables | wc -l
- name: check firewall rules for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
shell: grep "dport {{elk_server_ssl_cert_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp8080_exists
failed_when: iptables_tcp8080_exists == 127
no_log: True
- name: Add firewall rule for TCP/8080 (iptables-services)
- name: Add firewall rule for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
lineinfile:
dest: /etc/sysconfig/iptables
line: '-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'
line: '-A INPUT -p tcp -m tcp --dport {{elk_server_ssl_cert_port}} -j ACCEPT'
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp8080_exists.stdout|int == 0
register: iptables_needs_restart
- name: Restart iptables-services for TCP/8080 (iptables-services)
- name: Restart iptables-services for TCP/{{elk_server_ssl_cert_port}} (iptables-services)
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0

View File

@ -1,5 +1,5 @@
server {
listen 80;
listen {{nginx_kibana_port}};
server_name {{ansible_hostname}};

View File

@ -33,8 +33,8 @@ http {
include /etc/nginx/conf.d/*.conf;
server {
listen 8080 default_server;
listen [::]:8080 default_server;
listen {{elk_server_ssl_cert_port}} default_server;
listen [::]:{{elk_server_ssl_cert_port}} default_server;
server_name _;
root /usr/share/nginx/html;