d330e39ffd
Ansible has a module to control systemd so we might as well use it. Change-Id: Ic9d704c442db0ef49e00e29260157e8b91de5b30 Signed-off-by: Chuck Short <chucks@redhat.com>
129 lines
4.4 KiB
YAML
129 lines
4.4 KiB
YAML
---
|
|
#
|
|
# Install/run elasticsearch for browbeat
|
|
#
|
|
|
|
- name: Copy elasticsearch yum repo file
|
|
copy:
|
|
src=elasticsearch.repo
|
|
dest=/etc/yum.repos.d/elasticsearch.repo
|
|
owner=root
|
|
group=root
|
|
mode=0644
|
|
become: true
|
|
|
|
- name: Install elasticsearch and openjdk
|
|
yum: name={{ item }} state=present
|
|
become: true
|
|
with_items:
|
|
- elasticsearch
|
|
- java-openjdk-headless
|
|
|
|
- name: Check if system memory is greater than 64G
|
|
debug: msg="System memory is {{ansible_memory_mb.real.total | int}} so setting heapsize to 32G upper limit"
|
|
when: ansible_memory_mb.real.total|int >= 65536
|
|
|
|
- name: Apply heapsize tuning for systems with greater than 64G memory
|
|
lineinfile: dest=/usr/share/elasticsearch/bin/elasticsearch.in.sh \
|
|
line="ES_HEAP_SIZE=32g" insertafter="^ES_CLASSPATH="
|
|
when: ansible_memory_mb.real.total|int >= 65536
|
|
register: elasticsearch_updated
|
|
|
|
- name: Print extended documentation for heapsize tuning
|
|
debug: msg="Refer to https://www.elastic.co/guide/en/elasticsearch/guide/current/_limiting_memory_usage.html"
|
|
when: ansible_memory_mb.real.total|int >= 65536
|
|
|
|
- name: Update elasticsearch startup with heap size
|
|
become: true
|
|
lineinfile: dest=/usr/share/elasticsearch/bin/elasticsearch.in.sh \
|
|
line="ES_HEAP_SIZE={{ (ansible_memory_mb.real.total / 2) | int }}m" insertafter="^ES_CLASSPATH="
|
|
when: ansible_memory_mb.real.total|int < 65536
|
|
register: elasticsearch_updated
|
|
|
|
## begin firewall rules ##
|
|
# we will be opening TCP/9200 for ES
|
|
# if es_listen_external: true is set
|
|
# this is needed for elastic connector in browbeat
|
|
# determine firewall status and take action
|
|
# 1) use firewall-cmd if firewalld is utilized
|
|
# 2) insert iptables rule if iptables is used
|
|
|
|
# Firewalld
|
|
- name: Determine if firewalld is in use
|
|
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
|
ignore_errors: true
|
|
register: firewalld_in_use
|
|
no_log: true
|
|
when: es_listen_external
|
|
|
|
- name: Determine if firewalld is active
|
|
shell: systemctl is-active firewalld.service | grep -vq inactive
|
|
ignore_errors: true
|
|
register: firewalld_is_active
|
|
no_log: true
|
|
when: es_listen_external
|
|
|
|
- name: Determine if TCP/{{es_local_port}} is already active
|
|
shell: firewall-cmd --list-ports | egrep -q "^{{es_local_port}}/tcp"
|
|
ignore_errors: true
|
|
register: firewalld_es_local_port_exists
|
|
no_log: true
|
|
when: es_listen_external
|
|
|
|
# add firewall rule via firewall-cmd
|
|
- name: Add firewall rule for TCP/{{es_local_port}} (firewalld)
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- firewall-cmd --zone=public --add-port={{es_local_port}}/tcp --permanent
|
|
- firewall-cmd --reload
|
|
ignore_errors: true
|
|
become: true
|
|
when: es_listen_external and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_es_local_port_exists.rc != 0
|
|
|
|
# iptables-services
|
|
- name: check firewall rules for TCP/{{es_local_port}} (iptables-services)
|
|
shell: grep "dport {{es_local_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
|
|
ignore_errors: true
|
|
register: iptables_es_local_port_exists
|
|
failed_when: iptables_es_local_port_exists == 127
|
|
no_log: true
|
|
when: es_listen_external
|
|
|
|
- name: Add firewall rule for TCP/{{es_local_port}} (iptables-services)
|
|
lineinfile:
|
|
dest: /etc/sysconfig/iptables
|
|
line: '-A INPUT -p tcp -m tcp --dport {{es_local_port}} -j ACCEPT'
|
|
regexp: '^INPUT -i lo -j ACCEPT'
|
|
insertbefore: '-A INPUT -i lo -j ACCEPT'
|
|
backup: yes
|
|
when: es_listen_external and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_es_local_port_exists.stdout|int == 0
|
|
register: iptables_needs_restart
|
|
|
|
- name: Restart iptables-services for TCP/{{es_local_port}} (iptables-services)
|
|
shell: systemctl restart iptables.service
|
|
ignore_errors: true
|
|
when: es_listen_external and iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|
|
tags:
|
|
# Skip ANSIBLE0013 Use shell only when shell functionality is required
|
|
# No systemctl module available in current stable release (Ansible 2.1)
|
|
- skip_ansible_lint
|
|
|
|
## end firewall rules ##
|
|
|
|
- name: Copy over ES Config
|
|
template:
|
|
src=elasticsearch.yml.j2
|
|
dest=/etc/elasticsearch/elasticsearch.yml
|
|
become: true
|
|
|
|
- name: Start elasticsearch service
|
|
systemd:
|
|
name: elasticsearch.service
|
|
state: started
|
|
ignore_errors: true
|
|
when: elasticsearch_updated != 0
|
|
|
|
- name: Setup elasticsearch service
|
|
service: name=elasticsearch state=started enabled=true
|
|
become: true
|