Add ansible provisioning (#122)
* first ansible skeleton * first commit of ansible installation of vulnwhisperer outside docker * first ansible skeleton * first commit of ansible installation of vulnwhisperer outside docker * refactor the ansible role a bit * update readme, add fail validation step to provision.yml and fix typo when calling a logging funciton
This commit is contained in:
Andrea Lusuardi
committed by
Quim Montal
Quim Montal
parent
a8671a7303
commit
3a09f60543
@ -0,0 +1,75 @@
|
||||
# Check for mandatory parameters
|
||||
|
||||
- name: fail when es_instance is not defined
|
||||
fail: msg="es_instance_name must be specified and cannot be blank"
|
||||
when: es_instance_name is not defined or es_instance_name == ''
|
||||
|
||||
- name: fail when es_proxy_port is not defined or is blank
|
||||
fail: msg="es_proxy_port must be specified and cannot be blank when es_proxy_host is defined"
|
||||
when: (es_proxy_port is not defined or es_proxy_port == '') and (es_proxy_host is defined and es_proxy_host != '')
|
||||
|
||||
- name: debug message
|
||||
debug: msg="WARNING - It is recommended you specify the parameter 'http.port'"
|
||||
when: es_config['http.port'] is not defined
|
||||
|
||||
- name: debug message
|
||||
debug: msg="WARNING - It is recommended you specify the parameter 'transport.tcp.port'"
|
||||
when: es_config['transport.tcp.port'] is not defined
|
||||
|
||||
- name: debug message
|
||||
debug: msg="WARNING - It is recommended you specify the parameter 'discovery.zen.ping.unicast.hosts'"
|
||||
when: es_config['discovery.zen.ping.unicast.hosts'] is not defined
|
||||
|
||||
#If the user attempts to lock memory they must specify a heap size
|
||||
- name: fail when heap size is not specified when using memory lock
|
||||
fail: msg="If locking memory with bootstrap.memory_lock a heap size must be specified"
|
||||
when: es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True and es_heap_size is not defined
|
||||
|
||||
#Check if working with security we have an es_api_basic_auth_username and es_api_basic_auth_username - otherwise any http calls wont work
|
||||
- name: fail when api credentials are not declared when using security
|
||||
fail: msg="Enabling security requires an es_api_basic_auth_username and es_api_basic_auth_password to be provided to allow cluster operations"
|
||||
when: es_enable_xpack and ("security" in es_xpack_features) and es_api_basic_auth_username is not defined and es_api_basic_auth_password is not defined
|
||||
|
||||
- name: set fact file_reserved_users
|
||||
set_fact: file_reserved_users={{ es_users.file.keys() | intersect (reserved_xpack_users) }}
|
||||
when: es_users is defined and es_users.file is defined and (es_users.file.keys() | length > 0) and (es_users.file.keys() | intersect (reserved_xpack_users) | length > 0)
|
||||
|
||||
- name: fail when changing users through file realm
|
||||
fail:
|
||||
msg: "ERROR: INVALID CONFIG - YOU CANNOT CHANGE RESERVED USERS THROUGH THE FILE REALM. THE FOLLOWING CANNOT BE CHANGED: {{file_reserved_users}}. USE THE NATIVE REALM."
|
||||
when: file_reserved_users | default([]) | length > 0
|
||||
|
||||
- name: set fact instance_default_file
|
||||
set_fact: instance_default_file={{default_file | dirname}}/{{es_instance_name}}_{{default_file | basename}}
|
||||
- name: set fact instance_init_script
|
||||
set_fact: instance_init_script={{init_script | dirname }}/{{es_instance_name}}_{{init_script | basename}}
|
||||
- name: set fact conf_dir
|
||||
set_fact: conf_dir={{ es_conf_dir }}/{{es_instance_name}}
|
||||
- name: set fact m_lock_enabled
|
||||
set_fact: m_lock_enabled={{ es_config['bootstrap.memory_lock'] is defined and es_config['bootstrap.memory_lock'] == True }}
|
||||
|
||||
#TODO - if transport.host is not local maybe error on boostrap checks
|
||||
|
||||
|
||||
#Use systemd for the following distributions:
|
||||
#Ubuntu 15 and up
|
||||
#Debian 8 and up
|
||||
#Centos 7 and up
|
||||
#Relies on elasticsearch distribution installing a serviced script to determine whether one should be copied.
|
||||
|
||||
- name: set fact use_system_d
|
||||
set_fact: use_system_d={{(ansible_distribution == 'Debian' and ansible_distribution_version | version_compare('8', '>=')) or (ansible_distribution in ['RedHat','CentOS'] and ansible_distribution_version | version_compare('7', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version | version_compare('15', '>=')) }}
|
||||
|
||||
- name: set fact instance_sysd_script
|
||||
set_fact: instance_sysd_script={{sysd_script | dirname }}/{{es_instance_name}}_{{sysd_script | basename}}
|
||||
when: use_system_d
|
||||
#For directories we also use the {{inventory_hostname}}-{{ es_instance_name }} - this helps if we have a shared SAN.
|
||||
|
||||
- name: set fact instance_suffix
|
||||
set_fact: instance_suffix={{inventory_hostname}}-{{ es_instance_name }}
|
||||
- name: set fact pid_dir
|
||||
set_fact: pid_dir={{ es_pid_dir }}/{{instance_suffix}}
|
||||
- name: set fact log_dir
|
||||
set_fact: log_dir={{ es_log_dir }}/{{instance_suffix}}
|
||||
- name: set fact log_dir
|
||||
set_fact: data_dirs={{ es_data_dirs | append_to_list('/'+instance_suffix) }}
|
||||
Reference in New Issue
Block a user