x/browbeat
Code Issues Proposed changes

Open ES firewall rules and fix nginx dir structure.

Browse Source 
This sets firewall rules for elasticsearch to listen on
9200/TCP via the es_listen_external: true directive.

Additionally upstream nginx seems to have change their config
directory layout so /etc/nginx/conf.d/ is no longer the default,
we still want to use this so it's now created if it doesn't
exist.

Fixes bug 1605721
Fixes bug 1605722

Patchset #3: rename groupvars variable to es_listen_external

Change-Id: I3dcfd36a9836412f326d6af0d38ea2e2a0e01303
This commit is contained in:
Will Foster 2016-07-22 14:27:58 -04:00
parent e542981f40
commit 7d23123155
3 changed files with 94 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ansible/install/group_vars/all.yml
View File

@ -159,6 +159,13 @@ logstash_syslog_port: 5044
fluentd_syslog_port: 42185 fluentd_syslog_port: 42185
fluentd_http_port: 9919 fluentd_http_port: 9919
fluentd_debug_port: 24230 fluentd_debug_port: 24230
## elasticsearch local port listener
# we will enable localhost listening on TCP/9200
# due to utilizing elasticsearch connectors, general
# usage may want to disable this option due to security reasons
# in which case you should set this to false
es_local_port: 9200
es_listen_external: true
### install curator tool ### ### install curator tool ###
# curator is the recommended tool for managing elasticsearch indexes # curator is the recommended tool for managing elasticsearch indexes
# https://www.elastic.co/guide/en/elasticsearch/client/curator/current/index.html # https://www.elastic.co/guide/en/elasticsearch/client/curator/current/index.html

81
ansible/install/roles/elasticsearch/tasks/main.yml
View File

@ -40,6 +40,87 @@
when: ansible_memory_mb.real.total|int < 65536 when: ansible_memory_mb.real.total|int < 65536
register: elasticsearch_updated register: elasticsearch_updated
## begin firewall rules ##
# we will be opening TCP/9200 for ES
# if es_listen_external: true is set
# this is needed for elastic connector in browbeat
# determine firewall status and take action
# 1) use firewall-cmd if firewalld is utilized
# 2) insert iptables rule if iptables is used
# Firewalld
- name: Determine if firewalld is in use
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
ignore_errors: true
register: firewalld_in_use
no_log: true
when: es_listen_external
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: true
when: es_listen_external
- name: Determine if TCP/{{es_local_port}} is already active
shell: firewall-cmd --list-ports | egrep -q "^{{es_local_port}}/tcp"
ignore_errors: true
register: firewalld_tcp9200_exists
no_log: true
when: es_listen_external
# add firewall rule via firewall-cmd
- name: Add firewall rule for TCP/{{es_local_port}} (firewalld)
command: "{{ item }}"
with_items:
- firewall-cmd --zone=public --add-port={{es_local_port}}/tcp --permanent
- firewall-cmd --reload
ignore_errors: true
become: true
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp9200_exists.rc != 0 and es_listen_external
# iptables-services
- name: check firewall rules for TCP/{{es_local_port}} (iptables-services)
shell: grep "dport {{es_local_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
ignore_errors: true
register: iptables_tcp9200_exists
failed_when: iptables_tcp9200_exists == 127
no_log: true
when: es_listen_external
- name: Add firewall rule for TCP/{{es_local_port}} (iptables-services)
lineinfile:
dest: /etc/sysconfig/iptables
line: '-A INPUT -p tcp -m tcp --dport {{es_local_port}} -j ACCEPT'
regexp: '^INPUT -i lo -j ACCEPT'
insertbefore: '-A INPUT -i lo -j ACCEPT'
backup: yes
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp9200_exists.stdout|int == 0 and es_listen_external
register: iptables_needs_restart
- name: Restart iptables-services for TCP/{{es_local_port}} (iptables-services)
shell: systemctl restart iptables.service
ignore_errors: true
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and es_listen_external
# Firewalld
- name: Determine if firewalld is in use
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
ignore_errors: true
register: firewalld_in_use
no_log: true
when: es_listen_external
- name: Determine if firewalld is active
shell: systemctl is-active firewalld.service | grep -vq inactive
ignore_errors: true
register: firewalld_is_active
no_log: true
when: es_listen_external
## end firewall rules ##
- name: Start elasticsearch service - name: Start elasticsearch service
command: systemctl start elasticsearch.service command: systemctl start elasticsearch.service
ignore_errors: true ignore_errors: true

6
ansible/install/roles/nginx/tasks/main.yml
View File

@ -16,6 +16,12 @@
- name: Apply SELinux boolean httpd_can_network_connect - name: Apply SELinux boolean httpd_can_network_connect
seboolean: name=httpd_can_network_connect state=yes persistent=yes seboolean: name=httpd_can_network_connect state=yes persistent=yes
# create /etc/nginx/conf.d/ directory
- name: Create nginx directory structure
file: path=/etc/nginx/conf.d/
state=directory
mode=0755
# deploy kibana.conf with FQDN # deploy kibana.conf with FQDN
- name: Setup nginx reverse proxy for kibana - name: Setup nginx reverse proxy for kibana
template: template: