diff --git a/roles/build/templates/odfees/Dockerfile-odfeelastic.j2 b/roles/build/templates/odfees/Dockerfile-odfeelastic.j2
index 87ee8427e574538c62daf57f68ce10351f2d9743..a4834a5e3caff38bd7f76182455a747638c2f952 100644
--- a/roles/build/templates/odfees/Dockerfile-odfeelastic.j2
+++ b/roles/build/templates/odfees/Dockerfile-odfeelastic.j2
@@ -13,7 +13,7 @@ RUN for PLUGIN in \
 chown -R elasticsearch plugins/opendistro_security
 RUN echo 'elasticsearch ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers
-RUN yum install -y supervisor
+RUN yum install -y supervisor rsync
 RUN yum clean all
 COPY odfesupervisord.conf /etc/supervisord.conf
 ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
diff --git a/roles/odfees/tasks/main.yml b/roles/odfees/tasks/main.yml
index e0589265dfb6a931d0d78f46f79ec7876711ffb5..016e8786ed6a31238dd2c7efc68e9aec7c7a9912 100644
--- a/roles/odfees/tasks/main.yml
+++ b/roles/odfees/tasks/main.yml
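Review bot: The changed `RUN yum install -y supervisor rsync` is still a separate layer from the `RUN yum clean all` that follows it, so the package cache written by the install stays baked into the image and the clean step only hides it; chain them as `RUN yum install -y supervisor rsync && yum clean all`. A one-line comment above the install stating what rsync is needed for (presumably an Ansible file-sync step, which is not visible in this diff) would spare the next reader a guess. The passwordless-sudo line above it is unchanged context and not part of this change.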
@@ -1,137 +1,17 @@ --- -- name: Copy cacert to ca-trust dir - remote_user: root - copy: - src: "{{playbook_dir}}/secrets/CA/ca.crt" - dest: /etc/pki/ca-trust/source/anchors/ca.crt +- include: start.yml tags: - - start - -- name: Install cacert to root truststore - remote_user: root - command: "update-ca-trust" - tags: - - start - -- name: Copy certificates in odfe conf dir - remote_user: elasticsearch - copy: - src: "{{ item }}" - dest: "config/" - mode: 0600 - with_items: - - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12" - - "{{playbook_dir}}/secrets/CA/cacerts.jks" - - "{{playbook_dir}}/secrets/CA/private/{{soctools_users[0].CN}}.p12" - tags: - - start - -- name: Configure sysconfig - remote_user: elasticsearch - template: - src: sysconfig_elasticsearch.j2 - dest: sysconfig_elasticsearch - tags: - - start - -- name: Copy sysconfig to /etc - remote_user: elasticsearch - command: "cp sysconfig_elasticsearch /etc/sysconfig/elasticsearch" - tags: - - start - -- name: Configure odfe properties - remote_user: elasticsearch - template: - src: "config/{{item}}.j2" - dest: "config/{{item}}" - with_items: - - elasticsearch.yml - - jvm.options - - log4j2.properties - tags: - - start - -- name: Change password for admin - remote_user: elasticsearch - command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/odfees_adminpass')}}" - register: adminhash - # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname" - tags: - - start - -- set_fact: - adminhashpwd: "{{ adminhash.stdout }}" - #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}" - remote_user: elasticsearch - tags: - - start - -- name: Change password for cortex - remote_user: elasticsearch - command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}" - register: cortexhash - # when: "'{{groups['odfeescontainers'][0]}}' in 
inventory_hostname" + - start +- include: stop.yml tags: - - start - -- set_fact: - cortexhashpwd: "{{ cortexhash.stdout }}" - #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}" - remote_user: elasticsearch - tags: - - start - -- name: Configure opendistro_security properties - remote_user: elasticsearch - template: - src: "securityconfig/{{item}}.j2" - dest: "plugins/opendistro_security/securityconfig/{{item}}" - with_items: - - internal_users.yml - - config.yml - - roles_mapping.yml - tags: - - start - -#- name: Exit here to test ODFE -# meta: end_play -# tags: -# - start - -- name: Start OpenDistro for Elasticsearch - remote_user: root - command: "supervisorctl start odfe" - tags: - - start - -- name: Wait for ElasticSearch - remote_user: root - wait_for: - host: "{{groups['odfeescontainers'][0]}}" - port: 9200 - state: started - delay: 5 - tags: - - start - -- name: Configure OpenDistro security - remote_user: elasticsearch - command: "bash ./plugins/opendistro_security/tools/securityadmin.sh -h {{groups['odfeescontainers'][0]}} -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -ks '/usr/share/elasticsearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /usr/share/elasticsearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster" - when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname" + - stop + - stop-odfees +- include: update-config.yml tags: - - start - -- name: Set Autostart for supervisord's services - remote_user: root - shell: "sed -i 's/autostart=false/autostart=true/g' /etc/supervisord.conf" + - update-config + - update-odfees-config +- include: restart.yml tags: - - start - -- name: Stop OpenDistro for Elasticsearch - remote_user: root - command: 
"supervisorctl stop odfe" - tags: - - stop - + - restart + - restart-odfees diff --git a/roles/odfees/tasks/restart.yml b/roles/odfees/tasks/restart.yml new file mode 100644 index 0000000000000000000000000000000000000000..130f200cb0e139f54001e92ebb0bff025e803136 --- /dev/null +++ b/roles/odfees/tasks/restart.yml @@ -0,0 +1,14 @@ +--- + +- name: Restart OpenDistro for Elasticsearch + remote_user: root + command: "supervisorctl restart odfe" + +- name: Wait for ElasticSearch + remote_user: root + wait_for: + host: "{{groups['odfeescontainers'][0]}}" + port: 9200 + state: started + delay: 5 + diff --git a/roles/odfees/tasks/start.yml b/roles/odfees/tasks/start.yml new file mode 100644 index 0000000000000000000000000000000000000000..622a1cd65e9e634472048a5ab79207ffa60850fd --- /dev/null +++ b/roles/odfees/tasks/start.yml 
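Review bot: The rewritten main.yml uses the legacy `include:` keyword for all four task files; Ansible deprecated it in favour of `import_tasks`/`include_tasks`, and depending on the version it is resolved statically or dynamically, and in the dynamic case the `tags` on the include are not inherited by the tasks inside start.yml, stop.yml, update-config.yml and restart.yml, which carry no tags of their own, so `--tags start` would run nothing. Switch to the static form, `- import_tasks: start.yml`, and likewise for the other three, so the tags reliably apply to the imported tasks. With no tags on the command line all four files now run in sequence (start, stop, update-config, restart), as the old file also did; a comment at the top of main.yml naming the intended invocations (`--tags start`, `--tags stop-odfees`, …) would make that explicit.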
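Review bot: The `wait_for` task in restart.yml polls `groups['odfeescontainers'][0]` on port 9200 from every host the role runs on, so any container other than the first never waits for its own node to come back, only for the first one's; `host: "{{ inventory_hostname }}"` (or an explicit per-host address) is presumably what is intended — confirm against the inventory. A TCP-open check on 9200 also says nothing about cluster state after a restart; once the port is up, a `uri` request to the cluster health endpoint would be a stronger gate, though it needs the client certificate that start.yml installs. `command: "supervisorctl restart odfe"` reports changed on every run; `changed_when: false` (or moving it into a handler) keeps the play idempotent.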
@@ -0,0 +1,102 @@ +--- + +- name: Copy cacert to ca-trust dir + remote_user: root + copy: + src: "{{playbook_dir}}/secrets/CA/ca.crt" + dest: /etc/pki/ca-trust/source/anchors/ca.crt + +- name: Install cacert to root truststore + remote_user: root + command: "update-ca-trust" + +- name: Copy certificates in odfe conf dir + remote_user: elasticsearch + copy: + src: "{{ item }}" + dest: "config/" + mode: 0600 + with_items: + - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12" + - "{{playbook_dir}}/secrets/CA/cacerts.jks" + - "{{playbook_dir}}/secrets/CA/private/{{soctools_users[0].CN}}.p12" + +- name: Configure sysconfig + remote_user: elasticsearch + template: + src: sysconfig_elasticsearch.j2 + dest: sysconfig_elasticsearch + +- name: Copy sysconfig to /etc + remote_user: elasticsearch + command: "cp sysconfig_elasticsearch /etc/sysconfig/elasticsearch" + +- name: Configure odfe properties + remote_user: elasticsearch + template: + src: "config/{{item}}.j2" + dest: "config/{{item}}" + with_items: + - elasticsearch.yml + - jvm.options + - log4j2.properties + +- name: Change password for admin + remote_user: elasticsearch + command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/odfees_adminpass')}}" + register: adminhash + # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname" + +- set_fact: + adminhashpwd: "{{ adminhash.stdout }}" + #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}" + remote_user: elasticsearch + +- name: Change password for cortex + remote_user: elasticsearch + command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}" + register: cortexhash + # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname" + +- set_fact: + cortexhashpwd: "{{ cortexhash.stdout }}" + #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}" + 
remote_user: elasticsearch + +- name: Configure opendistro_security properties + remote_user: elasticsearch + template: + src: "securityconfig/{{item}}.j2" + dest: "plugins/opendistro_security/securityconfig/{{item}}" + with_items: + - internal_users.yml + - config.yml + - roles_mapping.yml + +#- name: Exit here to test ODFE +# meta: end_play + +- name: Start OpenDistro for Elasticsearch + remote_user: root + command: "supervisorctl start odfe" + +- name: Wait for ElasticSearch + remote_user: root + wait_for: + host: "{{groups['odfeescontainers'][0]}}" + port: 9200 + state: started + delay: 5 + +- name: Configure OpenDistro security + remote_user: elasticsearch + command: "bash ./plugins/opendistro_security/tools/securityadmin.sh -h {{groups['odfeescontainers'][0]}} -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -ks '/usr/share/elasticsearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /usr/share/elasticsearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster" + when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname" + +- name: Set Autostart for supervisord's services + remote_user: root + replace: + path: /etc/supervisord.conf + regexp: '^autostart=false$' + replace: 'autostart=true' + diff --git a/roles/odfees/tasks/stop.yml b/roles/odfees/tasks/stop.yml new file mode 100644 index 0000000000000000000000000000000000000000..1302cc8bf86e04950e347eb12436b0a6cc0aac0f --- /dev/null +++ b/roles/odfees/tasks/stop.yml @@ -0,0 +1,6 @@ +--- + +- name: Stop OpenDistro for Elasticsearch + remote_user: root + command: "supervisorctl stop odfe" + 
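Review bot: The two `hash.sh -p {{lookup('password', …)}}` tasks and the `securityadmin.sh … -kspass … -tspass …` task in start.yml pass the admin, cortex, keystore and truststore passwords as command-line arguments, so they are printed in Ansible's task output (the `register`ed results and any `-v` run) and are readable by every process in the container via `ps`/`/proc/*/cmdline`. At minimum add `no_log: true` to those three tasks and to the two `set_fact` tasks that store the hashes; keeping the secret off argv (stdin or an environment variable, where the tool supports it) is the fuller fix. Separately, `mode: 0600` on the certificate copy works only because YAML 1.1 reads it as an octal int; `mode: "0600"` is the form Ansible recommends. `when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"` templates inside a `when`, which Ansible warns about; `when: groups['odfeescontainers'][0] in inventory_hostname` is the plain form.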
diff --git a/roles/odfees/tasks/update-config.yml b/roles/odfees/tasks/update-config.yml new file mode 100644 index 0000000000000000000000000000000000000000..a40d487df503d8edc00dd641352d61d3f892042e --- /dev/null +++ b/roles/odfees/tasks/update-config.yml @@ -0,0 +1,32 @@ +--- + +- name: Configure sysconfig + remote_user: elasticsearch + template: + src: sysconfig_elasticsearch.j2 + dest: sysconfig_elasticsearch + +- name: Copy sysconfig to /etc + remote_user: elasticsearch + command: "cp sysconfig_elasticsearch /etc/sysconfig/elasticsearch" + +- name: Configure odfe properties + remote_user: elasticsearch + template: + src: "config/{{item}}.j2" + dest: "config/{{item}}" + with_items: + - elasticsearch.yml + - jvm.options + - log4j2.properties + +- name: Configure opendistro_security properties + remote_user: elasticsearch + template: + src: "securityconfig/{{item}}.j2" + dest: "plugins/opendistro_security/securityconfig/{{item}}" + with_items: + - internal_users.yml + - config.yml + - roles_mapping.yml +
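Review bot: update-config.yml re-renders `securityconfig/internal_users.yml`, `config.yml` and `roles_mapping.yml` but nothing applies them: in start.yml those files only take effect through the `securityadmin.sh` task that follows, and restart.yml merely restarts supervisord's `odfe` program, so `--tags update-config` followed by `--tags restart` presumably leaves the security index unchanged; either add the securityadmin.sh task (with the same first-container `when` as in start.yml) to this file or document at the top of it that security changes still require `--tags start`. If `internal_users.yml.j2` references `adminhashpwd`/`cortexhashpwd`, which are only set by the hash tasks in start.yml, this include will also fail on an undefined variable — the template is not visible here, so confirm. The `command: "cp sysconfig_elasticsearch /etc/sysconfig/elasticsearch"` step reports changed on every run; `copy` with `remote_src: true` and the same two paths is the idempotent equivalent and applies equally to the copy of this task in start.yml.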