c30e8b950c
* Expose carbon_cache_port to the config file and via the firewall * Small cleanup job around the Graphite/Grafana playbook for consistency * Docs for building a monitor host Change-Id: I9e15eac3ce749c341ebf464f165f73c0a87212e5
189 lines
5.6 KiB
YAML
189 lines
5.6 KiB
YAML
---
|
|
#
|
|
# Install/run graphite-web for browbeat
|
|
#
|
|
|
|
- name: Install graphite rpms
|
|
yum:
|
|
name: "{{ item }}"
|
|
state: present
|
|
become: true
|
|
with_items:
|
|
- graphite-web
|
|
- python-carbon
|
|
- expect
|
|
|
|
- name: Check for graphite.db sqlite
|
|
shell: ls /var/lib/graphite-web/graphite.db
|
|
ignore_errors: true
|
|
register: graphite_db_installed
|
|
|
|
- name: Copy setup-graphite-db.exp
|
|
copy:
|
|
src: setup-graphite-db.exp
|
|
dest: /root/setup-graphite-db.exp
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
become: true
|
|
|
|
- name: Create initial graphite db
|
|
shell: /root/setup-graphite-db.exp {{ graphite_username }} {{ graphite_password }} && chown apache:apache /var/lib/graphite-web/graphite.db
|
|
become: true
|
|
when: graphite_db_installed.rc != 0
|
|
notify:
|
|
- restart apache
|
|
|
|
- name: Setup httpd graphite-web config
|
|
template:
|
|
src: graphite-web.conf.j2
|
|
dest: /etc/httpd/conf.d/graphite-web.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
become: true
|
|
notify:
|
|
- restart apache
|
|
|
|
### begin firewall ###
|
|
# we need TCP/80 open
|
|
# determine firewall status and take action
|
|
# 1) use firewall-cmd if firewalld is utilized
|
|
# 2) insert iptables rule if iptables is used
|
|
|
|
# Firewalld
|
|
- name: (graphite-web) Determine if firewalld is in use
|
|
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
|
ignore_errors: true
|
|
register: firewalld_in_use
|
|
no_log: true
|
|
|
|
- name: (graphite-web) Determine if firewalld is active
|
|
shell: systemctl is-active firewalld.service | grep -vq inactive
|
|
ignore_errors: true
|
|
register: firewalld_is_active
|
|
no_log: true
|
|
|
|
- name: (graphite-web) Determine if TCP/{{graphite_port}} is already active
|
|
shell: firewall-cmd --list-ports | egrep -q "^{{graphite_port}}/tcp"
|
|
ignore_errors: true
|
|
register: firewalld_graphite_port_exists
|
|
no_log: true
|
|
|
|
- name: (carbon) Determine if TCP/{{carbon_cache_port}} is already active
|
|
shell: firewall-cmd --list-ports | egrep -q "^{{carbon_cache_port}}/tcp"
|
|
ignore_errors: true
|
|
register: firewalld_carbon_cache_port_exists
|
|
no_log: true
|
|
|
|
# add firewall rule via firewall-cmd
|
|
- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (firewalld)
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- firewall-cmd --zone=public --add-port={{graphite_port}}/tcp --permanent
|
|
- firewall-cmd --reload
|
|
ignore_errors: true
|
|
become: true
|
|
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_graphite_port_exists.rc != 0
|
|
|
|
# add firewall rule via firewall-cmd
|
|
- name: (carbon) Add firewall rule for TCP/{{carbon_cache_port}} (firewalld)
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- firewall-cmd --zone=public --add-port={{carbon_cache_port}}/tcp --permanent
|
|
- firewall-cmd --reload
|
|
ignore_errors: true
|
|
become: true
|
|
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_carbon_cache_port_exists.rc != 0
|
|
|
|
# iptables-services
|
|
- name: (graphite-web) check firewall rules for TCP/{{graphite_port}} (iptables-services)
|
|
shell: grep "dport {{graphite_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
|
ignore_errors: true
|
|
register: iptables_graphite_port_exists
|
|
failed_when: iptables_graphite_port_exists == 127
|
|
no_log: true
|
|
|
|
- name: (carbon) check firewall rules for TCP/{{carbon_cache_port}} (iptables-services)
|
|
shell: grep "dport {{carbon_cache_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
|
ignore_errors: true
|
|
register: iptables_carbon_cache_port_exists
|
|
failed_when: iptables_carbon_cache_port_exists == 127
|
|
no_log: true
|
|
|
|
- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (iptables-services)
|
|
lineinfile:
|
|
dest: /etc/sysconfig/iptables
|
|
line: '-A INPUT -p tcp -m tcp --dport {{graphite_port}} -j ACCEPT'
|
|
regexp: '^INPUT -i lo -j ACCEPT'
|
|
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
|
backup: yes
|
|
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_graphite_port_exists.stdout|int == 0
|
|
register: iptables_needs_restart
|
|
|
|
- name: (carbon) Add firewall rule for TCP/{{carbon_cache_port}} (iptables-services)
|
|
lineinfile:
|
|
dest: /etc/sysconfig/iptables
|
|
line: '-A INPUT -p tcp -m tcp --dport {{carbon_cache_port}} -j ACCEPT'
|
|
regexp: '^INPUT -i lo -j ACCEPT'
|
|
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
|
backup: yes
|
|
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_carbon_cache_port_exists.stdout|int == 0
|
|
register: iptables_needs_restart
|
|
|
|
- name: (graphite-web) Restart iptables-services for TCP/{{graphite_port}} (iptables-services)
|
|
shell: systemctl restart iptables.service
|
|
ignore_errors: true
|
|
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
|
|
|
### end firewall ###
|
|
|
|
- name: Setup httpd service
|
|
service:
|
|
name: httpd
|
|
state: started
|
|
enabled: true
|
|
become: true
|
|
|
|
- name: Remove httpd welcome config
|
|
become: true
|
|
file:
|
|
path: /etc/httpd/conf.d/welcome.conf
|
|
state: absent
|
|
notify:
|
|
- restart apache
|
|
|
|
- name: Setup carbon-cache service
|
|
service:
|
|
name: carbon-cache
|
|
state: started
|
|
enabled: true
|
|
become: true
|
|
|
|
- name: Copy Carbon storage scheme and aggregation config files
|
|
copy:
|
|
src: "{{item.src}}"
|
|
dest: "{{item.dest}}"
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
become: true
|
|
with_items:
|
|
- src: storage-schemas.conf
|
|
dest: /etc/carbon/storage-schemas.conf
|
|
- src: storage-aggregation.conf
|
|
dest: /etc/carbon/storage-aggregation.conf
|
|
notify:
|
|
- restart carbon-cache
|
|
|
|
- name: Configure carbon.conf
|
|
template:
|
|
src: carbon.conf.j2
|
|
dest: /etc/carbon/carbon.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
become: true
|
|
notify:
|
|
- restart carbon-cache
|