Merge branch 'main' into feature-singlenode-8

widhalmt · web-flow · commit 02aa2c6a5836 · 2023-02-03T14:15:56.000+01:00
diff --git a/README.md b/README.md
@@ -27,11 +27,23 @@ collections:
   - name: netways.elasticstack
 ```
 
+### Requirements
+
+You will need the following Ansible collections installed
+
+* community.general (probably already present)
+
+You may want the following Ansible roles installed. There other ways to achieve what they are doing but using them is easy and convenient.
+
+* geerlingguy.redis
+
 ## Usage
 
 Our default configuration will collect filesystem logs placed by `rsyslog`. Therefor our example playbook makes sure, `rsyslog` is installed. If you don't want that, please change the configuration of the `beats` module. Without syslog you won't receive any messages with the default configuration.
 
 There are some comments in the Playbook. Either fill them with the correct values (`remote_user`) or consider them as a hint to commonly used options.
+
+The execution order of the roles is important! (see below)
 ```
 ---
 - hosts: all
diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
@@ -17,6 +17,7 @@ Role Variables
 * *elasticsearch_create_datapath*: Create the path for data to store if it doesn't exist. (default: `false` - only useful if you change `elasticsearch_datapath`)
 * *elasticsearch_fs_repo*: List of paths that should be registered as repository for snapshots (only filesystem supported so far). (default: none) Remember, that every node needs access to the same share under the same path.
 * *elasticsearch_disable_systemcallfilterchecks*: Disable system call filter checks. This has a security impact but is necessary on some systems. Please refer to the [docs](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/_system_call_filter_check.html) for details. (default: `false`)
+* *elasticsearch_pamlimits*: Set pam_limits neccessary for Elasticsearch. (Default: `true`)
 
 This variable activates a workaround to start on systems that have certain hardening measures active. See [Stackoverflow](https://stackoverflow.com/questions/47824643/unable-to-load-jna-native-support-library-elasticsearch-6-x/50371992#50371992) for details and logmessages to look for. **WARNING**: This will change your `/etc/sysconfig/elasticseach`or `/etc/default/elasticsearch` file and overwrite `ES_JAVA_OPTS`. See this [issue](https://github.com/NETWAYS/ansible-role-elasticsearch/issues/79) for details.
 
diff --git a/galaxy.yml b/galaxy.yml
@@ -21,7 +21,8 @@ tags:
   - metricbeat
   - filebeat
   - monitoring
-dependencies: {}
+dependencies:
+  "community.general": "*"
 repository: https://github.com/NETWAYS/ansible-collection-elasticstack
 documentation: https://github.com/NETWAYS/ansible-collection-elasticstack/README.md
 homepage: https://www.netways.de
diff --git a/molecule/elasticsearch_cluster-8/requirements.yml b/molecule/elasticsearch_cluster-8/requirements.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general
diff --git a/molecule/elasticsearch_cluster-oss/requirements.yml b/molecule/elasticsearch_cluster-oss/requirements.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general
diff --git a/molecule/elasticsearch_cluster/requirements.yml b/molecule/elasticsearch_cluster/requirements.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general
diff --git a/molecule/elasticsearch_default/requirements.yml b/molecule/elasticsearch_default/requirements.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general
diff --git a/molecule/elasticsearch_no-security/requirements.yml b/molecule/elasticsearch_no-security/requirements.yml
@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general
diff --git a/molecule/kibana_full_stack-oss/prepare.yml b/molecule/kibana_full_stack-oss/prepare.yml
@@ -8,6 +8,7 @@
           - gpg
           - curl
           - procps
+          - gpg-agent
         update_cache: yes
       when: ansible_os_family == "Debian"
     - name: Install git
diff --git a/molecule/kibana_full_stack/prepare.yml b/molecule/kibana_full_stack/prepare.yml
@@ -8,6 +8,7 @@
           - gpg
           - curl
           - procps
+          - gpg-agent
         update_cache: yes
       when: ansible_os_family == "Debian"
     - name: Install git
diff --git a/requirements-test.txt b/requirements-test.txt
@@ -2,3 +2,4 @@ ansible
 ansible-lint
 molecule
 molecule-docker
+pytest
diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml
@@ -13,6 +13,7 @@ elasticsearch_datapath: /var/lib/elasticsearch
 elasticsearch_create_datapath: false
 elasticsearch_disable_systemcallfilterchecks: false
 elasticsearch_heap: "{{ [[ ( ansible_memtotal_mb // 1024) // 2 , 30 ]|min, 1]|max }}"
+elasticsearch_pamlimits: true
 
 elasticsearch_jna_workaround: false
 
diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml
@@ -26,6 +26,8 @@
     domain: elasticsearch
     value: 65535
     limit_type: hard
+  when:
+    - elasticsearch_pamlimits | bool
 
 - name: Ensure Elasticsearch is installed
   package:
diff --git a/roles/elasticsearch/tests/inventory b/roles/elasticsearch/tests/inventory
diff --git a/roles/elasticsearch/tests/test.yml b/roles/elasticsearch/tests/test.yml
diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
@@ -85,7 +85,7 @@
 
 - name: fetch Kibana password
   shell: >
-    grep "PASSWORD kibana " /usr/share/elasticsearch/initial_passwords |
+    grep "PASSWORD kibana_system " /usr/share/elasticsearch/initial_passwords |
     awk {' print $4 '}
   register: kibana_password
   changed_when: false
diff --git a/roles/kibana/templates/kibana.yml.j2 b/roles/kibana/templates/kibana.yml.j2
@@ -2,7 +2,7 @@ server.host: "0.0.0.0"
 
 {% if elastic_stack_full_stack is defined and elastic_stack_full_stack | bool and kibana_security | bool  and elastic_variant == "elastic" %}
 elasticsearch.hosts: [{% for host in kibana_elasticsearch_hosts %}"https://{{ host }}:9200"{% if not loop.last %},{% endif %}{% endfor %}]
-elasticsearch.username: "kibana"
+elasticsearch.username: "kibana_system"
 elasticsearch.password: "{{ kibana_password.stdout }}"
 elasticsearch.ssl.certificateAuthorities:  "/etc/kibana/certs/ca.crt"
 {% if "localhost" in kibana_elasticsearch_hosts %}elasticsearch.ssl.verificationMode: certificate
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
@@ -231,6 +231,7 @@
     -u elastic:{{ elastic_password_logstash.stdout }}
     https://{{ elasticsearch_ca }}:9200/_xpack/security/role/logstash_writer
   delegate_to: "{{ elasticsearch_ca }}"
+  changed_when: false
   run_once: true
   when:
     - logstash_writer_role_present.rc > 0 or logstash_reset_writer_role | bool
@@ -243,6 +244,7 @@
     -u elastic:{{ elastic_password_logstash.stdout }}
     https://{{ elasticsearch_ca }}:9200/_security/role/logstash_writer
   delegate_to: "{{ elasticsearch_ca }}"
+  changed_when: false
   run_once: true
   when:
     - logstash_writer_role_present.rc > 0 or logstash_reset_writer_role | bool
@@ -271,6 +273,7 @@
     -u elastic:{{ elastic_password_logstash.stdout }}
     https://{{ elasticsearch_ca }}:9200/_xpack/security/user/{{ logstash_user }}
   delegate_to: "{{ elasticsearch_ca }}"
+  changed_when: false
   run_once: true
   when:
     - logstash_writer_user_present.rc > 0
@@ -284,6 +287,7 @@
     https://{{ elasticsearch_ca }}:9200/_security/user/{{ logstash_user }}
   delegate_to: "{{ elasticsearch_ca }}"
   run_once: true
+  changed_when: false
   when:
     - logstash_writer_user_present.rc > 0
     - elastic_release | int > 7

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+collections:`
	`3`	`+ - community.general`