graphite/grafana enhancements (firewall/repo/package update)

This adds the following enhancements to graphite/grafana: * Switch to using Grafana RPM repository to get latest versions http://docs.grafana.org/installation/rpm/ * Do not disable firewall for graphite/grafana * Determine if firewalld or iptables is in use, and apply proper persistent firewall rules. * graphite_port and grafana_port values are configurable for firewall rules This does not effect the docker-based graphite/grafana playbooks as these are more siloed and are not in scope. Patchset #2: minor spacing in comments Patchset #3: fix conditional typo Patchset #4: switch to using RPM repo instead of hard-coded package version Patchset #5: remove unneeded playbook comments Change-Id: I4c81b94c6970e590057710974713b32f60776d83
2016-06-21 17:13:28 +01:00 · 2016-06-21 17:13:28 +01:00 · aee44e7ae0
commit aee44e7ae0
parent 87b262a373
4 changed files with 140 additions and 20 deletions
--- a/ansible/README.rst
+++ b/ansible/README.rst
@ -143,7 +143,8 @@ resources to allocate dedicated systems for the graphing/stats related
 services.  Prior to installing grafana, please review
 install/group\_vars/all.yml file and your ansible inventory file You
 will need to define values for the grafana\_host and graphite\_host IP
-addresses here.
+addresses here.  Optionally you can change the listening port for
+graphite-web.

 ::

@ -171,7 +172,7 @@ resources to allocate dedicated systems for the graphing/stats related
 services.  Prior to installing grafana, please review
 install/group\_vars/all.yml file and your ansible inventory file You
 will need to define values for the grafana\_host and graphite\_host IP
-addresses here.
+addresses here.  Optionally you can change the listening port.

 ::

--- a/ansible/install/roles/grafana/files/grafana.repo
+++ b/ansible/install/roles/grafana/files/grafana.repo
@ -0,0 +1,6 @@
+[grafana]
+name=grafana
+baseurl=https://packagecloud.io/grafana/stable/el/7/$basearch
+enabled=1
+gpgcheck=1
+gpgkey=https://grafanarel.s3.amazonaws.com/RPM-GPG-KEY-grafana
--- a/ansible/install/roles/grafana/tasks/main.yml
+++ b/ansible/install/roles/grafana/tasks/main.yml
@ -17,11 +17,24 @@
  yum: name=https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    state=present

- name: Install grafana rpms
+- name: Install grafana RPM repo
+  copy:
+    src=grafana.repo
+    dest=/etc/yum.repos.d/grafana.repo
+    owner=root
+    group=root
+    mode=0644
+  become: true
+
+- name: Import grafana GPG Key
+  rpm_key: key=https://grafanarel.s3.amazonaws.com/RPM-GPG-KEY-grafana
+    state=present
+
+- name: Install grafana RPM
  yum: name={{ item }} state=present
  become: true
  with_items:
-    - https://grafanarel.s3.amazonaws.com/builds/grafana-2.6.0-1.x86_64.rpm
+    - grafana

 - name: Set grafana server port
  ini_file:
@ -38,15 +51,67 @@
      value: true
  become: true

-# disable firewalld (might need to create specific firewall rules or leave it to admin to do via iptables)
+### begin firewall ###
+# we need TCP/3000 open
+# determine firewall status and take action
+# 1) use firewall-cmd if firewalld is utilized
+# 2) insert iptables rule if iptables is used

- name: disable firewalld
-  service: name=firewalld state=stopped enabled=false
+# Firewalld
+- name: (grafana) Determine if firewalld is in use
+  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
+  ignore_errors: true
+  register: firewalld_in_use
+  no_log: true
+
+- name: (grafana) Determine if firewalld is active
+  shell: systemctl is-active firewalld.service | grep -vq inactive
+  ignore_errors: true
+  register: firewalld_is_active
+  no_log: true
+
+- name: (grafana) Determine if TCP/{{grafana_port}} is already active
+  shell: firewall-cmd --list-ports | egrep -q "^{{grafana_port}}/tcp"
+  ignore_errors: true
+  register: firewalld_tcp{{grafana_port}}_exists
+  no_log: true
+
+# add firewall rule via firewall-cmd
+- name: (grafana) Add firewall rule for TCP/{{grafana_port}} (firewalld)
+  command: "{{ item }}"
+  with_items:
+    - firewall-cmd --zone=public --add-port={{grafana_port}}/tcp --permanent
+    - firewall-cmd --reload
+  ignore_errors: true
  become: true
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{grafana_port}}_exists.rc != 0
+
+# iptables-services
+- name: (grafana) check firewall rules for TCP/{{grafana_port}} (iptables-services)
+  shell: grep "dport {{grafana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+  ignore_errors: true
+  register: iptables_tcp3000_exists
+  failed_when: iptables_tcp{{grafana_port}}_exists == 127
+  no_log: true
+
+- name: (grafana) Add firewall rule for TCP/{{grafana_port}} (iptables-services)
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    line: '-A INPUT -p tcp -m tcp --dport {{grafana_port}} -j ACCEPT'
+    regexp: '^INPUT -i lo -j ACCEPT'
+    insertbefore: '-A INPUT -i lo -j ACCEPT'
+    backup: yes
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp3000_exists.stdout|int == 0
+  register: iptables_needs_restart
+
+- name: (grafana) Restart iptables-services for TCP/{{grafana_port}} (iptables-services)
+  shell: systemctl restart iptables.service
+  ignore_errors: true
+  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
+
+### end firewall ###

-#
 # setup the grafana-server service
-#
 - name: Setup grafana-server service
  service: name=grafana-server state=started enabled=true
  become: true
--- a/ansible/install/roles/graphite/tasks/main.yml
+++ b/ansible/install/roles/graphite/tasks/main.yml
@ -19,9 +19,6 @@
    - python-carbon
    - expect

-# moved to grafana specific playbook
-#    - https://grafanarel.s3.amazonaws.com/builds/grafana-2.6.0-1.x86_64.rpm
-
 - name: Check for graphite.db sqlite
  shell: ls /var/lib/graphite-web/graphite.db
  ignore_errors: true
@ -52,20 +49,71 @@
  become: true
  register: apache_needs_restart

+### begin firewall ###
+# we need TCP/80 open
+# determine firewall status and take action
+# 1) use firewall-cmd if firewalld is utilized
+# 2) insert iptables rule if iptables is used
+
+# Firewalld
+- name: (graphite-web) Determine if firewalld is in use
+  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
+  ignore_errors: true
+  register: firewalld_in_use
+  no_log: true
+
+- name: (graphite-web) Determine if firewalld is active
+  shell: systemctl is-active firewalld.service | grep -vq inactive
+  ignore_errors: true
+  register: firewalld_is_active
+  no_log: true
+
+- name: (graphite-web) Determine if TCP/{{graphite_port}} is already active
+  shell: firewall-cmd --list-ports | egrep -q "^{{graphite_port}}/tcp"
+  ignore_errors: true
+  register: firewalld_tcp{{graphite_port}}_exists
+  no_log: true
+
+# add firewall rule via firewall-cmd
+- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (firewalld)
+  command: "{{ item }}"
+  with_items:
+    - firewall-cmd --zone=public --add-port={{graphite_port}}/tcp --permanent
+    - firewall-cmd --reload
+  ignore_errors: true
+  become: true
+  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{graphite_port}}_exists.rc != 0
+
+# iptables-services
+- name: (graphite-web) check firewall rules for TCP/{{graphite_port}} (iptables-services)
+  shell: grep "dport {{graphite_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
+  ignore_errors: true
+  register: iptables_tcp80_exists
+  failed_when: iptables_tcp{{graphite_port}}_exists == 127
+  no_log: true
+
+- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (iptables-services)
+  lineinfile:
+    dest: /etc/sysconfig/iptables
+    line: '-A INPUT -p tcp -m tcp --dport {{graphite_port}} -j ACCEPT'
+    regexp: '^INPUT -i lo -j ACCEPT'
+    insertbefore: '-A INPUT -i lo -j ACCEPT'
+    backup: yes
+  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp80_exists.stdout|int == 0
+  register: iptables_needs_restart
+
+- name: (graphite-web) Restart iptables-services for TCP/{{graphite_port}} (iptables-services)
+  shell: systemctl restart iptables.service
+  ignore_errors: true
+  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
+
+### end firewall ###

 # Start graphite-web service
-
 - name: Setup httpd service
  service: name=httpd state=started enabled=true
  become: true

-# disable firewalld (might need to create specific firewall rules or leave it to admin to do via iptables)
-
- name: disable firewalld
-  service: name=firewalld state=stopped enabled=false
-  become: true
-  ignore_errors: true
-
 # remove silly welcome from apache (if it exists)
 - name: Remove httpd welcome config
  become: true