diff --git a/ansible/README.rst b/ansible/README.rst index 990cf6ac6..f18088ee1 100644 --- a/ansible/README.rst +++ b/ansible/README.rst @@ -148,7 +148,8 @@ resources to allocate dedicated systems for the graphing/stats related services. Prior to installing grafana, please review install/group\_vars/all.yml file and your ansible inventory file You will need to define values for the grafana\_host and graphite\_host IP -addresses here. +addresses here. Optionally you can change the listening port for +graphite-web. :: @@ -176,7 +177,7 @@ resources to allocate dedicated systems for the graphing/stats related services. Prior to installing grafana, please review install/group\_vars/all.yml file and your ansible inventory file You will need to define values for the grafana\_host and graphite\_host IP -addresses here. +addresses here. Optionally you can change the listening port. :: diff --git a/ansible/install/roles/grafana/files/grafana.repo b/ansible/install/roles/grafana/files/grafana.repo new file mode 100644 index 000000000..6f3c0ff45 --- /dev/null +++ b/ansible/install/roles/grafana/files/grafana.repo @@ -0,0 +1,6 @@ +[grafana] +name=grafana +baseurl=https://packagecloud.io/grafana/stable/el/7/$basearch +enabled=1 +gpgcheck=1 +gpgkey=https://grafanarel.s3.amazonaws.com/RPM-GPG-KEY-grafana diff --git a/ansible/install/roles/grafana/tasks/main.yml b/ansible/install/roles/grafana/tasks/main.yml index 5f9f18543..573095c12 100644 --- a/ansible/install/roles/grafana/tasks/main.yml +++ b/ansible/install/roles/grafana/tasks/main.yml 
@@ -17,11 +17,24 @@ yum: name=https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm state=present -- name: Install grafana rpms +- name: Install grafana RPM repo + copy: + src=grafana.repo + dest=/etc/yum.repos.d/grafana.repo + owner=root + group=root + mode=0644 + become: true + +- name: Import grafana GPG Key + rpm_key: key=https://grafanarel.s3.amazonaws.com/RPM-GPG-KEY-grafana + state=present + +- name: Install grafana RPM yum: name={{ item }} state=present become: true with_items: - - https://grafanarel.s3.amazonaws.com/builds/grafana-2.6.0-1.x86_64.rpm + - grafana - name: Set grafana server port ini_file: 
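Review bot: The new `Import grafana GPG Key` task runs `rpm_key` without `become: true`, while the `copy` task before it and the `yum` task after it both escalate; importing a key into the RPM database is a root operation, so on a non-root connection user this task will fail and the `gpgcheck=1` install that follows will then fail on signature verification. Add `become: true` under the `rpm_key` task, consistent with its neighbours. Separately, replacing the pinned `grafana-2.6.0-1.x86_64.rpm` URL with the bare package name `grafana` means each run installs whatever the stable repo currently serves; if reproducible installs matter here, pin the version in the package name (`grafana-<VERSION>`, placeholder). The `copy:` arguments written as `key=value` tokens on separate indented lines are parsed as one folded plain scalar, which Ansible accepts but the native form (`src: grafana.repo`, `dest: /etc/yum.repos.d/grafana.repo`, `mode: "0644"`) reads clearer and avoids the octal-typing trap.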
@@ -38,15 +51,67 @@ value: true become: true -# disable firewalld (might need to create specific firewall rules or leave it to admin to do via iptables) +### begin firewall ### +# we need TCP/3000 open +# determine firewall status and take action +# 1) use firewall-cmd if firewalld is utilized +# 2) insert iptables rule if iptables is used -- name: disable firewalld - service: name=firewalld state=stopped enabled=false +# Firewalld +- name: (grafana) Determine if firewalld is in use + shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' + ignore_errors: true + register: firewalld_in_use + no_log: true + +- name: (grafana) Determine if firewalld is active + shell: systemctl is-active firewalld.service | grep -vq inactive + ignore_errors: true + register: firewalld_is_active + no_log: true + +- name: (grafana) Determine if TCP/{{grafana_port}} is already active + shell: firewall-cmd --list-ports | egrep -q "^{{grafana_port}}/tcp" + ignore_errors: true + register: firewalld_tcp{{grafana_port}}_exists + no_log: true + +# add firewall rule via firewall-cmd +- name: (grafana) Add firewall rule for TCP/{{grafana_port}} (firewalld) + command: "{{ item }}" + with_items: + - firewall-cmd --zone=public --add-port={{grafana_port}}/tcp --permanent + - firewall-cmd --reload + ignore_errors: true become: true + when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{grafana_port}}_exists.rc != 0 + +# iptables-services +- name: (grafana) check firewall rules for TCP/{{grafana_port}} (iptables-services) + shell: grep "dport {{grafana_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l + ignore_errors: true + register: iptables_tcp3000_exists + failed_when: iptables_tcp{{grafana_port}}_exists == 127 + no_log: true + +- name: (grafana) Add firewall rule for TCP/{{grafana_port}} (iptables-services) + lineinfile: + dest: /etc/sysconfig/iptables + line: '-A INPUT -p tcp -m tcp --dport {{grafana_port}} -j ACCEPT' + regexp: '^INPUT -i lo -j 
ACCEPT' + insertbefore: '-A INPUT -i lo -j ACCEPT' + backup: yes + when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_tcp3000_exists.stdout|int == 0 + register: iptables_needs_restart + +- name: (grafana) Restart iptables-services for TCP/{{grafana_port}} (iptables-services) + shell: systemctl restart iptables.service + ignore_errors: true + when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 + +### end firewall ### -# # setup the grafana-server service -# - name: Setup grafana-server service service: name=grafana-server state=started enabled=true become: true diff --git a/ansible/install/roles/graphite/tasks/main.yml b/ansible/install/roles/graphite/tasks/main.yml index 6b03d808a..5d4a1ba9a 100644 --- a/ansible/install/roles/graphite/tasks/main.yml +++ b/ansible/install/roles/graphite/tasks/main.yml @@ -19,9 +19,6 @@ - python-carbon - expect -# moved to grafana specific playbook -# - https://grafanarel.s3.amazonaws.com/builds/grafana-2.6.0-1.x86_64.rpm - - name: Check for graphite.db sqlite shell: ls /var/lib/graphite-web/graphite.db ignore_errors: true 
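Review bot: `register: firewalld_tcp{{grafana_port}}_exists` puts Jinja delimiters in a variable name, and the `when:` on the firewall-cmd task references `firewalld_tcp{{grafana_port}}_exists.rc`; `register` is not templated by Ansible, so the variable is most likely stored under the literal braced name and the conditional, after its own templating, looks up a different name and errors or is skipped. The iptables check has the same mismatch in the other direction: it registers `iptables_tcp3000_exists` but `failed_when` tests `iptables_tcp{{grafana_port}}_exists == 127`, comparing a result dict (not its `.rc`) to an integer, and the restart task's `iptables_needs_restart != 0` is likewise always true for a registered dict, so `iptables.service` is restarted on every run whenever firewalld is not in use. The `lineinfile` `regexp: '^INPUT -i lo -j ACCEPT'` matches no line in `/etc/sysconfig/iptables` (rules there begin with `-A`), so it is inert today; if it were ever "corrected" to match the loopback rule, `lineinfile` would replace the loopback ACCEPT with the grafana rule instead of inserting before it, so the regexp should match the line being managed or be dropped. The same five defects appear verbatim in the graphite `tasks/main.yml` hunk (`graphite_port`, `iptables_tcp80_exists`); the rewritten lines below apply to both.
```yaml
- name: (grafana) Determine if TCP/{{grafana_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{grafana_port}}/tcp"
  ignore_errors: true
  register: firewalld_tcp_exists
  no_log: true
# … unchanged: firewall-cmd --add-port task, except its when: …
  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp_exists.rc != 0
# … unchanged: iptables grep check, except its failed_when: …
  failed_when: iptables_tcp3000_exists.rc == 127
# … unchanged: lineinfile task, except regexp now targets the managed rule itself …
    regexp: '^-A INPUT -p tcp -m tcp --dport {{grafana_port}} -j ACCEPT$'
# … unchanged: iptables restart task, except its when: …
  when: iptables_needs_restart.changed and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
```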
@@ -52,20 +49,71 @@ become: true register: apache_needs_restart +### begin firewall ### +# we need TCP/80 open +# determine firewall status and take action +# 1) use firewall-cmd if firewalld is utilized +# 2) insert iptables rule if iptables is used + +# Firewalld +- name: (graphite-web) Determine if firewalld is in use + shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled' + ignore_errors: true + register: firewalld_in_use + no_log: true + +- name: (graphite-web) Determine if firewalld is active + shell: systemctl is-active firewalld.service | grep -vq inactive + ignore_errors: true + register: firewalld_is_active + no_log: true + +- name: (graphite-web) Determine if TCP/{{graphite_port}} is already active + shell: firewall-cmd --list-ports | egrep -q "^{{graphite_port}}/tcp" + ignore_errors: true + register: firewalld_tcp{{graphite_port}}_exists + no_log: true + +# add firewall rule via firewall-cmd +- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (firewalld) + command: "{{ item }}" + with_items: + - firewall-cmd --zone=public --add-port={{graphite_port}}/tcp --permanent + - firewall-cmd --reload + ignore_errors: true + become: true + when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_tcp{{graphite_port}}_exists.rc != 0 + +# iptables-services +- name: (graphite-web) check firewall rules for TCP/{{graphite_port}} (iptables-services) + shell: grep "dport {{graphite_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l + ignore_errors: true + register: iptables_tcp80_exists + failed_when: iptables_tcp{{graphite_port}}_exists == 127 + no_log: true + +- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (iptables-services) + lineinfile: + dest: /etc/sysconfig/iptables + line: '-A INPUT -p tcp -m tcp --dport {{graphite_port}} -j ACCEPT' + regexp: '^INPUT -i lo -j ACCEPT' + insertbefore: '-A INPUT -i lo -j ACCEPT' + backup: yes + when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 
and iptables_tcp80_exists.stdout|int == 0 + register: iptables_needs_restart + +- name: (graphite-web) Restart iptables-services for TCP/{{graphite_port}} (iptables-services) + shell: systemctl restart iptables.service + ignore_errors: true + when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 + +### end firewall ### # Start graphite-web service - - name: Setup httpd service service: name=httpd state=started enabled=true become: true -# disable firewalld (might need to create specific firewall rules or leave it to admin to do via iptables) - -- name: disable firewalld - service: name=firewalld state=stopped enabled=false - become: true - ignore_errors: true - # remove silly welcome from apache (if it exists) - name: Remove httpd welcome config become: true