diff --git a/README.md b/README.md index bf25ca04..dd6c1fce 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,10 @@ You may want the following Ansible roles installed. There other ways to achieve ## Usage +* *elastic_version*: Version number of tools to install Only set if you don't want the latest. (default: none). For OSS version see `elastic_variant` below. **IMPORTANT** Do not change the version once you have set up the stack. There are unpredictable effects to be expected when using this for upgrades. And upgrade mechanism is already on it's way. (default: none. Example: `7.17.2` +*elastic_release*: Major release version of Elastic stack to configure. (default: `7`) +*elastic_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`) + ### Default Passwords Default Passwords can be seen during generation, or found later in `/usr/share/elasticsearch/initial_passwords` diff --git a/docs/role-beats.md b/docs/role-beats.md index b231888e..9a1b20ba 100644 --- a/docs/role-beats.md +++ b/docs/role-beats.md @@ -14,7 +14,7 @@ Role Variables -------------- * *beats_filebeat*: Install and manage filebeat (Default: `true`) -* *beats_filebeat_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) +* *elastic_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) * *filebeat_enable*: Automatically start Filebeat (Default: `true`) * *filebeat_output*: Set to `logstash` or `elasticsearch`. (default: `logstash`) * *filebeat_syslog_udp*: Use UDP Syslog input (Default: `false`) 
@@ -66,14 +66,14 @@ filebeat_journald_inputs: * *filebeat_modules*: **EXPERIMENTAL**: Give a list of modules to enable. (default: none) * *beats_auditbeat*: Install and manage filebeat (Default: `false`) -* *beats_auditbeat_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) +* *elastic_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) * *auditbeat_output*: Output for Auditbeat Set to `logstash` or `elasticsearch`. (default: `elasticsearch`) * *auditbeat_enable*: Automatically start Auditbeat (Default: `true`) * *auditbeat_setup*: Run Auditbeat Setup (Default: `true`) (Only works with Elasticsearch output) * *auditbeat_loadbalance*: Enable loadbalancing for Auditbeats Logstash output (default: `true`) * *beats_metricbeat*: Enable installation and management of Metricbeat (Default: `false`) -* *beats_metricbeat_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) +* *elastic_version*: Install specific version (Default: none. Possible values: e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems or `latest`) * *metricbeat_enable*: Start Metricbeat automatically (Default: `true`) * *metricbeat_output*: Set to `logstash` or `elasticsearch`. (default: `elasticsearch`) * *metricbeat_modules*: List of modules to enable. (Default: `- system`) diff --git a/docs/role-logstash.md b/docs/role-logstash.md index a8ea4ecc..e261962a 100644 --- a/docs/role-logstash.md +++ b/docs/role-logstash.md 
@@ -29,7 +29,7 @@ If you want to use the default pipeline (or other pipelines communicating via Re Role Variables -------------- -* *logstash_version*: Version number of Logstash to install (use os specific version string. e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems). Only set if you don't want the latest. (default: none). For OSS version see `elastic_variant` below. +* *elastic_version*: Version number of Logstash to install (use os specific version string. e.g. `-7.10.1` for RedHat compatible systems or `=1:7.10.1-1` for Debian compatible systems). Only set if you don't want the latest. (default: none). For OSS version see `elastic_variant` below. * *logstash_enable*: Start and enable Logstash service (default: `true`) * *logstash_config_backup*: Keep backups of all changed configuration (default: `no`) * *logstash_manage_yaml*: Manage and overwrite `logstash.yml` (default: `true`) diff --git a/molecule/beats_peculiar/converge.yml b/molecule/beats_peculiar/converge.yml index 12473e02..a9ddb00c 100644 --- a/molecule/beats_peculiar/converge.yml +++ b/molecule/beats_peculiar/converge.yml @@ -23,7 +23,6 @@ elastic_stack_full_stack: false filebeat_mysql_slowlog_input: true beats_auditbeat: true - beats_auditbeat_version: latest auditbeat_output: logstash auditbeat_enable: false # can't run on GitHub because of permissions filebeat_journald_inputs: 
@@ -36,18 +35,18 @@ #filebeat_docker: true elastic_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" tasks: - # Looks like Elastic isn't providing all old releases - # anymore - # - #- name: Set Filebeat version on RedHat - # set_fact: - # beats_filebeat_version: "-7.16.1" - # when: ansible_os_family == "RedHat" - #- name: Set Filebeat version on Debian - # set_fact: - # beats_filebeat_version: "=7.16.1" - # when: ansible_os_family == "Debian" + - name: Set Filebeat version for 7.x + set_fact: + elastic_version: "7.17.1" + when: + - elastic_release == 7 + + - name: Set Filebeat version for 8.x + set_fact: + elastic_version: "8.4.1" + when: + - elastic_release == 8 - name: "Include Elastics repos role" include_role: diff --git a/molecule/beats_peculiar/verify.yml b/molecule/beats_peculiar/verify.yml index 5980914b..ce1de5c5 100644 --- a/molecule/beats_peculiar/verify.yml +++ b/molecule/beats_peculiar/verify.yml @@ -11,8 +11,16 @@ debug: var: filebeat_version.stdout - #- name: Fail if Filebeat has the wrong version - # fail: - # msg: "Filebeat has the wrong version" + - name: Fail if Filebeat has the wrong version + fail: + msg: "Filebeat has the wrong version" + when: + - filebeat_version.stdout.find('7.17.1') == -1 + - elastic_release == 7 - # when: filebeat_version.stdout.find('7.16.1') == -1 + - name: Fail if Filebeat has the wrong version + fail: + msg: "Filebeat has the wrong version" + when: + - filebeat_version.stdout.find('8.4.1') == -1 + - elastic_release == 8 diff --git a/molecule/logstash_specific_version/converge.yml b/molecule/logstash_specific_version/converge.yml index a650256b..11616b4b 100644 --- a/molecule/logstash_specific_version/converge.yml +++ b/molecule/logstash_specific_version/converge.yml 
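Review bot: The `when: - elastic_release == 7` and `- elastic_release == 8` conditions on the two new `set_fact` tasks compare against an integer, but `elastic_release` is defined just above as the templated string `"{{ lookup('env', 'ELASTIC_RELEASE') | int}}"`, which Ansible may hand back as the string `"7"` unless native Jinja types are enabled. If neither condition matches, `elastic_version` is never set and the role installs whatever the repository serves. The two new checks in `molecule/beats_peculiar/verify.yml` use the same comparison and would be skipped as well, so the scenario would pass without testing the pin. I would write `- elastic_release | int == 7` (and `== 8`) in both files and add a last verify task that fails when the release is neither value. The play's `vars` block starts outside this hunk, so please confirm how `elastic_release` reaches `verify.yml`.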
@@ -18,12 +18,12 @@ - name: Set Logstash version on RedHat set_fact: - logstash_version: "-7.10.1" + elastic_version: "-7.10.1" when: ansible_os_family == "RedHat" - name: Set Logstash version on Debian set_fact: - logstash_version: "=1:7.10.1-1" + elastic_version: "=1:7.10.1-1" when: ansible_os_family == "Debian" - name: "Include Elastics repos role" diff --git a/molecule/logstash_specific_version/molecule.yml b/molecule/logstash_specific_version/molecule.yml index 7604df00..63efb37a 100644 --- a/molecule/logstash_specific_version/molecule.yml +++ b/molecule/logstash_specific_version/molecule.yml @@ -4,7 +4,7 @@ dependency: driver: name: docker platforms: - - name: logstash_version + - name: elastic_version image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: diff --git a/molecule/logstash_specific_version/verify.yml b/molecule/logstash_specific_version/verify.yml index b8a5b4a4..6439b310 100644 --- a/molecule/logstash_specific_version/verify.yml +++ b/molecule/logstash_specific_version/verify.yml @@ -6,8 +6,8 @@ tasks: - name: Run syntax check command: "/usr/share/logstash/bin/logstash --version | grep ^logstash" - register: logstash_version + register: elastic_version - name: Fail if Logstash has the wrong version fail: msg: "Logstash has the wrong version" - when: not "logstash 7.10.1" in logstash_version.stdout_lines + when: not "logstash 7.10.1" in elastic_version.stdout_lines diff --git a/roles/beats/tasks/auditbeat.yml b/roles/beats/tasks/auditbeat.yml index 7e1586c1..701674cb 100644 --- a/roles/beats/tasks/auditbeat.yml +++ b/roles/beats/tasks/auditbeat.yml 
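Review bot: The two `set_fact` tasks still pass the OS-specific strings `elastic_version: "-7.10.1"` and `elastic_version: "=1:7.10.1-1"`, but the logstash role in this commit now builds `"logstash{{ elastic_versionseparator }}{{ elastic_version }}"`, so the package name renders as `logstash--7.10.1` on RedHat and `logstash==1:7.10.1-1` on Debian. Set the bare version here, e.g. `elastic_version: "7.10.1"`, and check whether the Debian package still needs the epoch and revision that the old value carried. `docs/role-beats.md` and `docs/role-logstash.md` in this commit still describe the prefixed form under the new variable name and need the same correction.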
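Review bot: `register: elastic_version` in `molecule/logstash_specific_version/verify.yml` stores a command result under the name of the role's input variable, which looks like a side effect of the search-and-replace rather than an intended change. Anyone reading the `when:` line will expect a version string there, not a result dictionary with `stdout_lines`. I would keep the old result name, `register: logstash_version` with `when: not "logstash 7.10.1" in logstash_version.stdout_lines`, and likewise leave the platform name in `molecule.yml` alone.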
@@ -2,16 +2,16 @@ - name: Install Auditbeat package: name: auditbeat - when: beats_auditbeat_version is not defined + when: elastic_version is not defined - name: Install Auditbeat specific version package: - name: "auditbeat{{ beats_auditbeat_version }}" + name: "auditbeat{{ elastic_versionseparator }}{{ elastic_version }}" notify: - Restart Auditbeat when: - - beats_auditbeat_version is defined - - beats_auditbeat_version != "latest" + - elastic_version is defined + - elastic_version != "latest" - name: Install Auditbeat latest version package: @@ -20,8 +20,8 @@ notify: - Restart Auditbeat when: - - beats_auditbeat_version is defined - - beats_auditbeat_version == "latest" + - elastic_version is defined + - elastic_version == "latest" - name: Configure Auditbeat template: diff --git a/roles/beats/tasks/filebeat.yml b/roles/beats/tasks/filebeat.yml index 0c05a664..4b4212b1 100644 --- a/roles/beats/tasks/filebeat.yml +++ b/roles/beats/tasks/filebeat.yml @@ -2,16 +2,16 @@ - name: Install Filebeat package: name: filebeat - when: beats_filebeat_version is not defined + when: elastic_version is not defined - name: Install Filebeat specific version package: - name: "filebeat{{ beats_filebeat_version }}" + name: "filebeat{{ elastic_versionseparator }}{{ elastic_version }}" notify: - Restart Filebeat when: - - beats_filebeat_version is defined - - beats_filebeat_version != "latest" + - elastic_version is defined + - elastic_version != "latest" - name: Install Filebeat latest version package: @@ -20,8 +20,8 @@ notify: - Restart Filebeat when: - - beats_filebeat_version is defined - - beats_filebeat_version == "latest" + - elastic_version is defined + - elastic_version == "latest" - name: Configure Filebeat template: diff --git a/roles/beats/tasks/main.yml b/roles/beats/tasks/main.yml index 7947dbcd..4b20ea90 100644 --- a/roles/beats/tasks/main.yml +++ b/roles/beats/tasks/main.yml 
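Review bot: Inventories that still set `beats_auditbeat_version` are now ignored without any message, so the `when: elastic_version is not defined` branch runs and a host that was pinned gets whatever version the repository currently serves. The same applies to `beats_filebeat_version` in `roles/beats/tasks/filebeat.yml`, `beats_metricbeat_version` in `metricbeat.yml` and `logstash_version` in the logstash role. A guard at the top of each role would make the rename visible: an `ansible.builtin.assert` task with `that: beats_auditbeat_version is not defined` and a `fail_msg` that points to `elastic_version`. The task files continue outside these hunks.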
@@ -1,5 +1,11 @@ --- +- name: Include OS specific vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_os_family }}.yml' + - name: Prepare for whole stack roles if used when: - elastic_stack_full_stack | bool diff --git a/roles/beats/tasks/metricbeat.yml b/roles/beats/tasks/metricbeat.yml index 8f4a04a8..e3efd367 100644 --- a/roles/beats/tasks/metricbeat.yml +++ b/roles/beats/tasks/metricbeat.yml @@ -2,16 +2,16 @@ - name: Install Metricbeat package: name: metricbeat - when: beats_metricbeat_version is not defined + when: elastic_version is not defined - name: Install Metricbeat specific version package: - name: "metricbeat{{ beats_metricbeat_version }}" + name: "metricbeat{{ elastic_versionseparator }}{{ elastic_version }}" notify: - Restart Metricbeat when: - - beats_metricbeat_version is defined - - beats_metricbeat_version != "latest" + - elastic_version is defined + - elastic_version != "latest" - name: Install Metricbeat latest version package: @@ -20,8 +20,8 @@ notify: - Restart Metricbeat when: - - beats_metricbeat_version is defined - - beats_metricbeat_version == "latest" + - elastic_version is defined + - elastic_version == "latest" - name: Configure Metricbeat template: diff --git a/roles/beats/vars/Debian.yml b/roles/beats/vars/Debian.yml new file mode 100644 index 00000000..77b253b6 --- /dev/null +++ b/roles/beats/vars/Debian.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/default/elasticsearch +elastic_versionseparator: "=" diff --git a/roles/beats/vars/RedHat.yml b/roles/beats/vars/RedHat.yml new file mode 100644 index 00000000..acfaddb4 --- /dev/null +++ b/roles/beats/vars/RedHat.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch +elastic_versionseparator: "-" diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index d3342282..979daf15 100644 
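Review bot: `roles/beats/vars/Debian.yml` and `roles/beats/vars/RedHat.yml` are byte-for-byte copies of the elasticsearch vars files (same blob ids `77b253b6` and `acfaddb4`), so the beats role now also sets `elasticsearch_sysconfig_file`, which none of the beats tasks shown here use. Values loaded through `include_vars` rank above inventory and play variables, so a copied key can override a value the operator set elsewhere; I would keep only `elastic_versionseparator: "="` and `elastic_versionseparator: "-"` in these files. The same copies are added under `roles/kibana/vars` and `roles/logstash/vars`. The `with_first_found` list in the new `Include OS specific vars` task has no fallback entry, so the play stops on any other `ansible_os_family`; if that is intended, a comment such as `# only Debian and RedHat families are supported` above the task would say so.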
--- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -32,12 +32,30 @@ - name: Ensure Elasticsearch is installed package: name: elasticsearch - when: elastic_variant == "elastic" + when: + - elastic_variant == "elastic" + - elastic_version is undefined - name: Ensure Elasticsearch OSS is installed package: name: elasticsearch-oss - when: elastic_variant == "oss" + when: + - elastic_variant == "oss" + - elastic_version is undefined + +- name: Ensure Elasticsearch is installed (specific version) + package: + name: elasticsearch{{ elastic_versionseparator }}{{ elastic_version }} + when: + - elastic_variant == "elastic" + - elastic_version is defined + +- name: Ensure Elasticsearch OSS is installed (specific version) + package: + name: elasticsearch-oss{{ elastic_versionseparator }}{{ elastic_version }} + when: + - elastic_variant == "oss" + - elastic_version is defined - name: Configure Elasticsearch template: diff --git a/roles/elasticsearch/vars/Debian.yml b/roles/elasticsearch/vars/Debian.yml index bb0878c1..77b253b6 100644 --- a/roles/elasticsearch/vars/Debian.yml +++ b/roles/elasticsearch/vars/Debian.yml @@ -1,3 +1,4 @@ --- elasticsearch_sysconfig_file: /etc/default/elasticsearch +elastic_versionseparator: "=" diff --git a/roles/elasticsearch/vars/RedHat.yml b/roles/elasticsearch/vars/RedHat.yml index f0dbc02a..acfaddb4 100644 --- a/roles/elasticsearch/vars/RedHat.yml +++ b/roles/elasticsearch/vars/RedHat.yml @@ -1,3 +1,4 @@ --- elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch +elastic_versionseparator: "-" diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 317979c4..bd915029 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml 
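Review bot: The two new `(specific version)` tasks run whenever `elastic_version is defined`, so the value `latest`, which the beats tasks in this commit handle as a special case, renders here as `elasticsearch{{ elastic_versionseparator }}latest`, and an empty string leaves a dangling separator. One variable now drives every role, so a full-stack play that sets `elastic_version: latest` for the beats would ask the package manager for a name that does not exist. I would add `- elastic_version != "latest"` and `- elastic_version | length > 0` to both new tasks and let the unpinned tasks cover the remaining cases. The new tasks in `roles/kibana/tasks/main.yml` and `roles/logstash/tasks/main.yml` have the same gap.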
@@ -1,12 +1,17 @@ --- +- name: Include OS specific vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_os_family }}.yml' + - name: Set common password for common certificates set_fact: kibana_tls_key_passphrase: "{{ elastic_cert_pass }}" when: - elastic_cert_pass is defined -# tasks file for kibana - name: Set Elasticsearch hosts if used with other roles set_fact: kibana_elasticsearch_hosts: "{{ groups['elasticsearch'] }}" @@ -25,12 +30,31 @@ - name: Install Kibana package: name: kibana - when: elastic_variant == "elastic" + when: + - elastic_variant == "elastic" + - elastic_version is undefined - name: Install Kibana OSS package: name: kibana-oss - when: elastic_variant == "oss" + when: + - elastic_variant == "oss" + - elastic_version is undefined + +- name: Install Kibana (specific version) + package: + name: kibana{{ elastic_versionseparator }}{{ elastic_version }} + when: + - elastic_variant == "elastic" + - elastic_version is defined + +- name: Install Kibana OSS (specific version) + package: + name: kibana-oss{{ elastic_versionseparator }}{{ elastic_version }} + when: + - elastic_variant == "oss" + - elastic_version is defined + - name: Import security related tasks import_tasks: kibana-security.yml diff --git a/roles/kibana/vars/Debian.yml b/roles/kibana/vars/Debian.yml new file mode 100644 index 00000000..77b253b6 --- /dev/null +++ b/roles/kibana/vars/Debian.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/default/elasticsearch +elastic_versionseparator: "=" diff --git a/roles/kibana/vars/RedHat.yml b/roles/kibana/vars/RedHat.yml new file mode 100644 index 00000000..acfaddb4 --- /dev/null +++ b/roles/kibana/vars/RedHat.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch +elastic_versionseparator: "-" diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml index 3202a1b0..2bb8b2f9 100644 
--- a/roles/logstash/defaults/main.yml +++ b/roles/logstash/defaults/main.yml @@ -1,6 +1,5 @@ --- # defaults file for logstash -logstash_version: "" logstash_enable: true logstash_config_backup: no logstash_manage_yaml: true diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index 8792efab..4c9fe12b 100644 --- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -1,5 +1,11 @@ --- +- name: Include OS specific vars + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_os_family }}.yml' + - name: Prepare for whole stack roles if used when: - elastic_stack_full_stack | bool @@ -43,15 +49,32 @@ - name: Ensure Logstash is installed package: - name: "logstash{{ logstash_version }}" + name: logstash when: - elastic_variant == "elastic" + - elastic_version is undefined - name: Ensure Logstash OSS is installed package: - name: "logstash-oss{{ logstash_version }}" + name: logstash-oss when: - elastic_variant == "oss" + - elastic_version is undefined + +- name: Ensure Logstash is installed (specific version) + package: + name: "logstash{{ elastic_versionseparator }}{{ elastic_version }}" + when: + - elastic_variant == "elastic" + - elastic_version is defined + +- name: Ensure Logstash OSS is installed (specific version) + package: + name: "logstash-oss{{ elastic_versionseparator }}{{ elastic_version }}" + when: + - elastic_variant == "oss" + - elastic_version is defined + - name: Import Logstash Security tasks import_tasks: logstash-security.yml diff --git a/roles/logstash/vars/Debian.yml b/roles/logstash/vars/Debian.yml new file mode 100644 index 00000000..77b253b6 --- /dev/null +++ b/roles/logstash/vars/Debian.yml @@ -0,0 +1,4 @@ +--- + +elasticsearch_sysconfig_file: /etc/default/elasticsearch +elastic_versionseparator: "=" diff --git a/roles/logstash/vars/RedHat.yml b/roles/logstash/vars/RedHat.yml new file mode 100644 index 00000000..acfaddb4 
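Review bot: On Debian the new name `"logstash{{ elastic_versionseparator }}{{ elastic_version }}"` renders as `logstash=7.10.1` for a bare version, while the value this role documented until now was `=1:7.10.1-1`, i.e. the Logstash package version carried an epoch and a revision. If apt is given a version string that does not match the packaged one, the pinned install will probably fail, or users will have to put `1:7.10.1-1` into `elastic_version` and break the other roles that share it. Please confirm against the repository, and if the epoch is still there, keep it in a Logstash-only variable in `roles/logstash/vars/Debian.yml` rather than in the shared version. The `logstash_specific_version` molecule scenario is the place to pin this behaviour on both OS families.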
--- /dev/null
+++ b/roles/logstash/vars/RedHat.yml
@@ -0,0 +1,4 @@
+---
+
+elasticsearch_sysconfig_file: /etc/sysconfig/elasticsearch
+elastic_versionseparator: "-"