Will Foster 5095ffad73 Fix firewall variables, remove minor lines
* Apply @akrzos fix for firewall variabilization, make
  firewall register values a static string so port values
  are truly variablized.
* Remove one small, unneeded section doing an unnecessary
  lookup for firewall method since we run this earlier on.

Change-Id: Ia29781072d1babc1d71b71345ceb798356c219f5
2016-09-09 17:15:33 +01:00


---
#
# Install/run graphite-web for browbeat
#
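# Install the graphite-web stack; `expect` presumably drives the .exp setup
# script used further down (TODO confirm).
- name: Install graphite rpms
  yum:
    name: "{{ item }}"
    state: present
  become: true
  with_items:
    - graphite-web
    - python-carbon
    - expect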
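# Probe for an existing graphite.db; only `.rc` is read by
# "Create initial graphite db" below.
- name: Check for graphite.db sqlite
  command: ls /var/lib/graphite-web/graphite.db
  register: graphite_db_installed
  # Read-only probe: never report "changed", and treat a missing file
  # (rc != 0) as a normal outcome rather than a failed task.
  changed_when: false
  failed_when: false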
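# Stage the expect script that creates the graphite sqlite db.
- name: Copy setup-graphite-db.exp
  copy:
    src: setup-graphite-db.exp
    dest: /root/setup-graphite-db.exp
    owner: root
    group: root
    # quoted: a bare 0755 is parsed as an octal integer by YAML
    mode: "0755"
  become: true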
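# Create the graphite db once (only when the probe above did not find it) and
# hand it to the httpd user.
- name: Create initial graphite db
  shell: >-
    /root/setup-graphite-db.exp {{ graphite_username }} {{ graphite_password }}
    && chown apache:apache /var/lib/graphite-web/graphite.db
  become: true
  when: graphite_db_installed.rc != 0
  # Later tasks in this file register the same name, so only the last of them
  # decides whether "Bounce Apache" runs.
  register: apache_needs_restart
  # The command line carries the graphite admin password; keep it out of
  # Ansible's output and logs. (It is still visible to the target host's
  # process list while the script runs; that is a property of the .exp
  # script's argv interface, not of this task.)
  no_log: true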
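# Render the graphite-web vhost for httpd.
- name: Setup httpd graphite-web config
  template:
    src: graphite-web.conf.j2
    dest: /etc/httpd/conf.d/graphite-web.conf
    owner: root
    group: root
    # quoted: a bare 0644 is parsed as an octal integer by YAML
    mode: "0644"
  become: true
  # read by "Bounce Apache" further down
  register: apache_needs_restart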
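### begin firewall ###
# TCP/graphite_port must be reachable for graphite-web.
# Determine which firewall is in use and take action:
# 1) use firewall-cmd if firewalld is enabled and active
# 2) insert an iptables rule if iptables-services is used
# Firewalld
- name: (graphite-web) Determine if firewalld is in use
  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
  register: firewalld_in_use
  # Probe only: rc != 0 means "not in use", not a failed task, and running the
  # probe must not count as a change on every play run.
  changed_when: false
  failed_when: false
  no_log: true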
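# rc == 0 when firewalld is running (anything but "inactive").
- name: (graphite-web) Determine if firewalld is active
  shell: systemctl is-active firewalld.service | grep -vq inactive
  register: firewalld_is_active
  # Probe only: a non-zero rc is an answer, not an error, and must not be
  # reported as a change.
  changed_when: false
  failed_when: false
  no_log: true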
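# rc == 0 when the port is already open in the running firewalld config.
- name: (graphite-web) Determine if TCP/{{ graphite_port }} is already active
  # `--list-ports` prints all open ports space-separated on one line, so
  # anchoring the pattern to ^ only ever matched the first port; match a
  # whole space-delimited token instead.
  shell: firewall-cmd --list-ports | egrep -q "(^| ){{ graphite_port }}/tcp( |$)"
  # The add task below escalates; run the query the same way so a refused
  # query is not mistaken for a missing port (NOTE(review): confirm against
  # the target's firewalld/polkit setup).
  become: true
  register: firewalld_graphite_port_exists
  changed_when: false
  failed_when: false
  no_log: true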
# Open the port persistently with firewall-cmd, then reload so the permanent
# rule is applied to the running configuration. Only runs when firewalld is
# enabled and active and the port is not open yet.
# NOTE(review): the zone is fixed to "public"; assumes the serving interface
# lives in that zone — confirm.
- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (firewalld)
  become: true
  ignore_errors: true
  when: >-
    firewalld_in_use.rc == 0 and
    firewalld_is_active.rc == 0 and
    firewalld_graphite_port_exists.rc != 0
  command: "{{ item }}"
  with_items:
    - firewall-cmd --zone=public --add-port={{graphite_port}}/tcp --permanent
    - firewall-cmd --reload
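# iptables-services
# stdout is the number of matching ACCEPT rules; read via `stdout|int` below.
- name: (graphite-web) check firewall rules for TCP/{{ graphite_port }} (iptables-services)
  # `grep -c` prints the match count and keeps grep's own exit status. The
  # previous `grep … | wc -l` pipeline returned wc's status, so a missing grep
  # (rc 127) could never be observed.
  command: grep -c "dport {{ graphite_port }} -j ACCEPT" /etc/sysconfig/iptables
  # the firewalld tasks above escalate; reading the iptables config needs the
  # same privileges
  become: true
  register: iptables_graphite_port_exists
  changed_when: false
  # rc 1 (no match) and rc 2 (no such file) are ordinary outcomes here; only
  # "command not found" is a real failure. failed_when replaces the default
  # failure check entirely, so ignore_errors is no longer needed. The old
  # expression compared the whole registered result to 127 and was never true.
  failed_when: iptables_graphite_port_exists.rc == 127
  no_log: true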
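# Insert the ACCEPT rule ahead of the loopback rule when firewalld is not in
# use and no rule for the port exists yet.
- name: (graphite-web) Add firewall rule for TCP/{{ graphite_port }} (iptables-services)
  lineinfile:
    dest: /etc/sysconfig/iptables
    line: '-A INPUT -p tcp -m tcp --dport {{ graphite_port }} -j ACCEPT'
    # Match the rule we manage so a re-run leaves an existing rule untouched.
    # The old pattern ('^INPUT -i lo -j ACCEPT') could never match an "-A …"
    # line, and had it matched, lineinfile would have *replaced* the loopback
    # ACCEPT rule with ours instead of inserting before it.
    regexp: '^-A INPUT -p tcp -m tcp --dport {{ graphite_port }} -j ACCEPT$'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: true
  # the firewalld counterpart above escalates; editing the system iptables
  # config needs the same
  become: true
  when: >-
    firewalld_in_use.rc != 0 and
    firewalld_is_active.rc != 0 and
    iptables_graphite_port_exists.stdout|int == 0
  # read by the restart task below
  register: iptables_needs_restart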
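# Apply the new rule by restarting iptables-services.
- name: (graphite-web) Restart iptables-services for TCP/{{ graphite_port }} (iptables-services)
  command: systemctl restart iptables.service
  become: true
  ignore_errors: true
  # The previous test `iptables_needs_restart != 0` compared the whole
  # registered result to an integer and so was always true. Only the
  # lineinfile task's own changed flag matters (its `when` already covers the
  # firewalld checks); `default(false)` guards the case where it was skipped.
  when: iptables_needs_restart.changed|default(false)
### end firewall ###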
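# Start graphite-web's httpd service and enable it at boot
- name: Setup httpd service
  service:
    name: httpd
    state: started
    enabled: true
  become: true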
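# remove the default Apache welcome page config (if it exists)
- name: Remove httpd welcome config
  become: true
  file:
    path: /etc/httpd/conf.d/welcome.conf
    state: absent
  # Registered under its own name: re-using `apache_needs_restart` here
  # overwrote the result of "Setup httpd graphite-web config", so a changed
  # graphite-web.conf alone no longer triggered the restart below.
  register: httpd_welcome_removed
# Restart httpd when either the graphite-web vhost or the welcome config changed
- name: Bounce Apache
  service:
    name: httpd
    state: restarted
    enabled: true
  become: true
  when: apache_needs_restart.changed or httpd_welcome_removed.changed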
#
# setup the python-carbon service
#
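# Start carbon-cache and enable it at boot; its configs are deployed below and
# a change there restarts it.
- name: Setup carbon-cache service
  service:
    name: carbon-cache
    state: started
    enabled: true
  become: true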
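# Deploy the carbon configs with one looped copy so a single registered result
# reflects whether *any* of them changed. The previous three separate tasks
# each registered `carbon_cache_needs_restart`, so only the last copy
# (carbon.conf) could ever trigger "bounce carbon cache".
- name: copy carbon configs
  copy:
    src: "{{ item }}"
    dest: "/etc/carbon/{{ item }}"
    owner: root
    group: root
    # quoted: a bare 0644 is parsed as an octal integer by YAML
    mode: "0644"
  become: true
  with_items:
    - storage-schemas.conf
    - storage-aggregation.conf
    - carbon.conf
  # top-level `.changed` of a looped result is true if any item changed
  register: carbon_cache_needs_restart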
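# Restart carbon-cache only when one of its configs was (re)deployed
- name: bounce carbon cache
  service:
    name: carbon-cache
    state: restarted
    enabled: true
  become: true
  when: carbon_cache_needs_restart.changed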