From 6cad01eec4ff632c04a228970309e9d8f4a7fb6f Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Sat, 21 Feb 2026 14:02:01 +0100 Subject: [PATCH 01/14] Workaround for mismatch in Ansible and Python versions --- .github/workflows/test_role_repos.yml | 3 +- .gitignore | 2 + molecule/beats_default/molecule.yml | 4 +- molecule/beats_peculiar/molecule.yml | 4 +- .../elasticsearch_cluster-oss/molecule.yml | 4 +- molecule/elasticsearch_default/molecule.yml | 4 +- .../elasticsearch_no-security/molecule.yml | 4 +- .../molecule.yml | 6 +-- .../elasticsearch_test_modules/molecule.yml | 2 +- molecule/elasticstack_default/molecule.yml | 4 +- molecule/kibana_default/molecule.yml | 2 +- molecule/logstash_full_stack-oss/molecule.yml | 2 +- molecule/logstash_pipelines/molecule.yml | 2 +- .../logstash_specific_version/molecule.yml | 2 +- molecule/repos_default/molecule.yml | 2 +- molecule/repos_oss/molecule.yml | 2 +- roles/repos/tasks/debian.yml | 47 +++++++++++++++++-- 17 files changed, 70 insertions(+), 26 deletions(-) diff --git a/.github/workflows/test_role_repos.yml b/.github/workflows/test_role_repos.yml index 60620b00..7e4f6587 100644 --- a/.github/workflows/test_role_repos.yml +++ b/.github/workflows/test_role_repos.yml @@ -37,10 +37,11 @@ jobs: strategy: fail-fast: false + max-parallel: 5 matrix: distro: - - centos7 + # centos7 removed - no longer supported - debian10 - debian11 - rockylinux8 diff --git a/.gitignore b/.gitignore index 5fa051f4..4754ea73 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ *.swp __pycache__* .vscode +.roo +.ansible diff --git a/molecule/beats_default/molecule.yml b/molecule/beats_default/molecule.yml index 51fbb100..a989c22a 100644 --- a/molecule/beats_default/molecule.yml +++ b/molecule/beats_default/molecule.yml 
@@ -4,8 +4,8 @@ dependency: driver: name: docker platforms: - - name: beats_default_${MOLECULE_DISTRO:-debian11} - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + - name: beats_default_${MOLECULE_DISTRO:-debian12} + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/beats_peculiar/molecule.yml b/molecule/beats_peculiar/molecule.yml index bbbd5849..6a0fda12 100644 --- a/molecule/beats_peculiar/molecule.yml +++ b/molecule/beats_peculiar/molecule.yml @@ -4,8 +4,8 @@ dependency: driver: name: docker platforms: - - name: beats_peculiar_${MOLECULE_DISTRO:-debian11} - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + - name: beats_peculiar_${MOLECULE_DISTRO:-debian12} + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/elasticsearch_cluster-oss/molecule.yml b/molecule/elasticsearch_cluster-oss/molecule.yml index 7b78fb80..65d38f17 100644 --- a/molecule/elasticsearch_cluster-oss/molecule.yml +++ b/molecule/elasticsearch_cluster-oss/molecule.yml @@ -9,7 +9,7 @@ platforms: - name: elasticsearch-cluster1 groups: - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw @@ -19,7 +19,7 @@ platforms: - name: elasticsearch-cluster2 groups: - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw 
diff --git a/molecule/elasticsearch_default/molecule.yml b/molecule/elasticsearch_default/molecule.yml index 7c2c71b7..27bb3d8b 100644 --- a/molecule/elasticsearch_default/molecule.yml +++ b/molecule/elasticsearch_default/molecule.yml @@ -9,7 +9,7 @@ platforms: - name: elasticsearch_default1 groups: - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw @@ -19,7 +19,7 @@ platforms: - name: elasticsearch_default2 groups: - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/elasticsearch_no-security/molecule.yml b/molecule/elasticsearch_no-security/molecule.yml index d36a077a..077c8767 100644 --- a/molecule/elasticsearch_no-security/molecule.yml +++ b/molecule/elasticsearch_no-security/molecule.yml @@ -9,7 +9,7 @@ platforms: - name: elasticsearch-nosecurity1 groups: - elasticsearchXYZ - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw @@ -19,7 +19,7 @@ platforms: - name: elasticsearch-nosecurity2 groups: - elasticsearchXYZ - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/elasticsearch_roles_calculation/molecule.yml b/molecule/elasticsearch_roles_calculation/molecule.yml index 6d9a59c7..fe33e032 100644 --- a/molecule/elasticsearch_roles_calculation/molecule.yml 
+++ b/molecule/elasticsearch_roles_calculation/molecule.yml @@ -9,7 +9,7 @@ platforms: - name: elasticsearch-cluster1 groups: - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw @@ -19,7 +19,7 @@ platforms: - name: elasticsearch-cluster2 groups: - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw @@ -29,7 +29,7 @@ platforms: - name: elasticsearch-cluster3 groups: - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/elasticsearch_test_modules/molecule.yml b/molecule/elasticsearch_test_modules/molecule.yml index 81e709ef..e39bf9cf 100644 --- a/molecule/elasticsearch_test_modules/molecule.yml +++ b/molecule/elasticsearch_test_modules/molecule.yml @@ -9,7 +9,7 @@ platforms: - name: elasticsearch_default groups: - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/elasticstack_default/molecule.yml b/molecule/elasticstack_default/molecule.yml index 7b68d2c3..f564f6b4 100644 --- a/molecule/elasticstack_default/molecule.yml +++ b/molecule/elasticstack_default/molecule.yml 
@@ -11,7 +11,7 @@ platforms: - beats - logstash - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw @@ -23,7 +23,7 @@ platforms: - beats - kibana - elasticsearch - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/kibana_default/molecule.yml b/molecule/kibana_default/molecule.yml index 0ae83520..4ee0366f 100644 --- a/molecule/kibana_default/molecule.yml +++ b/molecule/kibana_default/molecule.yml @@ -5,7 +5,7 @@ driver: name: docker platforms: - name: kibana_default - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/logstash_full_stack-oss/molecule.yml b/molecule/logstash_full_stack-oss/molecule.yml index 199fff10..04121c08 100644 --- a/molecule/logstash_full_stack-oss/molecule.yml +++ b/molecule/logstash_full_stack-oss/molecule.yml @@ -11,7 +11,7 @@ platforms: - elasticsearch - logstash - filebeat - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/logstash_pipelines/molecule.yml b/molecule/logstash_pipelines/molecule.yml index 51d872e7..3c6491d7 100644 --- a/molecule/logstash_pipelines/molecule.yml +++ b/molecule/logstash_pipelines/molecule.yml 
@@ -7,7 +7,7 @@ driver: name: docker platforms: - name: ansible-role-logstash_pipelines - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/logstash_specific_version/molecule.yml b/molecule/logstash_specific_version/molecule.yml index de33f462..c83f761a 100644 --- a/molecule/logstash_specific_version/molecule.yml +++ b/molecule/logstash_specific_version/molecule.yml @@ -7,7 +7,7 @@ driver: name: docker platforms: - name: elasticstack_version - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/repos_default/molecule.yml b/molecule/repos_default/molecule.yml index a111002c..fa1d32be 100644 --- a/molecule/repos_default/molecule.yml +++ b/molecule/repos_default/molecule.yml @@ -7,7 +7,7 @@ driver: name: docker platforms: - name: elastic-repos-default - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/repos_oss/molecule.yml b/molecule/repos_oss/molecule.yml index e1e7a330..977dac8a 100644 --- a/molecule/repos_oss/molecule.yml +++ b/molecule/repos_oss/molecule.yml @@ -7,7 +7,7 @@ driver: name: docker platforms: - name: elastic-repos-default-oss - image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/roles/repos/tasks/debian.yml b/roles/repos/tasks/debian.yml index 1f3ba3f3..e0bed352 100644 
--- a/roles/repos/tasks/debian.yml +++ b/roles/repos/tasks/debian.yml @@ -11,11 +11,52 @@ url: "{{ elasticstack_repo_key }}" state: absent -- name: Ensure Elastic Stack key is available (Debian) - ansible.builtin.get_url: - url: "{{ elasticstack_repo_key }}" +# NOTE: Workaround for older ansible-core versions combined with Python 3.12 on managed nodes (e.g. Ubuntu 24.04), +# where ansible.builtin.get_url may fail with HTTPSConnection/cert_file related errors. We intentionally use curl via +# ansible.builtin.command here and will switch back to get_url once the Ansible/Python version mismatch in CI and +# supported environments is resolved. +- name: Ensure /usr/share/keyrings directory exists (Debian) + ansible.builtin.file: + path: /usr/share/keyrings + state: directory + mode: "0755" + +- name: Ensure curl is installed (Debian/Ubuntu) + ansible.builtin.apt: + name: curl + state: present + update_cache: true + +- name: Download Elastic Stack GPG key to temporary file + ansible.builtin.command: curl -fsSL "{{ elasticstack_repo_key }}" -o /tmp/elasticsearch.asc + # noqa: command-instead-of-module + changed_when: false + +- name: Stat existing key file + ansible.builtin.stat: + path: /usr/share/keyrings/elasticsearch.asc + checksum_algorithm: sha256 + register: existing_key + +- name: Stat downloaded temporary key file + ansible.builtin.stat: + path: /tmp/elasticsearch.asc + checksum_algorithm: sha256 + register: downloaded_key + +- name: Install Elastic Stack key if missing or changed + ansible.builtin.copy: + src: /tmp/elasticsearch.asc dest: /usr/share/keyrings/elasticsearch.asc + remote_src: true mode: "0644" + when: not existing_key.stat.exists or existing_key.stat.checksum != downloaded_key.stat.checksum + +- name: Remove temporary key file + ansible.builtin.file: + path: /tmp/elasticsearch.asc + state: absent + changed_when: false - name: Ensure Elastic Stack apt repo is absent (Debian legacy format) ansible.builtin.file: 
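Review bot: The key is staged at the fixed path `/tmp/elasticsearch.asc` before being copied into `/usr/share/keyrings/`, so on a host with other local users the staged file sits at a predictable name in a world-writable directory. Whatever is there when the `copy` task runs becomes a trusted apt signing key. Stage it in a private file created with `ansible.builtin.tempfile` and use the registered path in the download, stat, copy and cleanup tasks. If `elasticstack_repo_key` is always an HTTPS URL (its default is not visible here), curl's `--proto =https` also keeps the transfer from falling back to plain HTTP. Comparing the download against an expected checksum or key fingerprint before installing it would be a further hardening step.

```yaml
- name: Create private staging file for the Elastic Stack key
  ansible.builtin.tempfile:
    state: file
    suffix: .asc
  register: elasticstack_key_tmp

- name: Download Elastic Stack GPG key to temporary file
  ansible.builtin.command:
    argv:
      - curl
      - --proto
      - "=https"
      - -fsSL
      - "{{ elasticstack_repo_key }}"
      - -o
      - "{{ elasticstack_key_tmp.path }}"
  # noqa: command-instead-of-module
  changed_when: false

# … unchanged: stat of /usr/share/keyrings/elasticsearch.asc …
# … stat, copy (src) and cleanup tasks: replace /tmp/elasticsearch.asc with "{{ elasticstack_key_tmp.path }}" …
```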
From e8482466bb21a3cb3c6e631eeb7db866fc45cf5a Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 23 Feb 2026 11:25:05 +0100 Subject: [PATCH 02/14] Add Workaround for unsupported mix of Python and Ansible Also add some minor improvements to code style, replacing old syntax for `when` checks --- roles/elasticsearch/handlers/main.yml | 10 ++++---- .../tasks/elasticsearch-security.yml | 4 +-- roles/elasticsearch/tasks/main.yml | 25 +++++++++++-------- 3 files changed, 21 insertions(+), 18 deletions(-) diff --git a/roles/elasticsearch/handlers/main.yml b/roles/elasticsearch/handlers/main.yml index 78169736..c4028ff0 100644 --- a/roles/elasticsearch/handlers/main.yml +++ b/roles/elasticsearch/handlers/main.yml @@ -12,10 +12,10 @@ - name: Restart kibana if available for elasticsearch certificates ansible.builtin.include_tasks: handlers/restart_kibana.yml - with_items: "{{ groups[elasticstack_kibana_group_name] }}" + with_items: "{{ groups[elasticstack_kibana_group_name] | default([]) }}" when: - - elasticstack_full_stack: true - - "not 'renew_ca' in ansible_run_tags" - - "not elasticstack_ca_will_expire_soon | bool" + - elasticstack_full_stack | bool + - "'renew_ca' not in ansible_run_tags" + - not elasticstack_ca_will_expire_soon | bool - elasticstack_kibana_group_name is defined - - groups[elasticstack_kibana_group_name] is defined + - groups[elasticstack_kibana_group_name] | default([]) | length > 0 diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index 75fca634..69c185c6 100644 --- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml 
@@ -40,12 +40,12 @@ ansible.builtin.service: name: logstash state: stopped - with_items: "{{ groups[elasticstack_logstash_group_name] }}" + with_items: "{{ groups[elasticstack_logstash_group_name] | default([]) }}" delegate_to: "{{ item }}" when: - "'renew_ca' in ansible_run_tags or elasticstack_ca_will_expire_soon | bool" - elasticstack_logstash_group_name is defined - - groups[elasticstack_logstash_group_name] is defined + - groups[elasticstack_logstash_group_name] | default([]) | length > 0 - name: Backup ca directory on elasticsearch ca host then remove when: (inventory_hostname == elasticstack_ca_host) and ('renew_ca' in "ansible_run_tags" or elasticstack_ca_will_expire_soon | bool) diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 7537197b..fa66c8e8 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -118,14 +118,17 @@ when: elasticsearch_security | bool # the following should be done by the rpm but failed with 7.4 -- name: Set ulimits for Elasticsearch - community.general.pam_limits: - limit_item: nofile - domain: elasticsearch - value: 65535 - limit_type: hard - when: - - elasticsearch_pamlimits | bool +# NOTE: Workaround for older distributions (e.g., RHEL 8 / Rocky 8) where the +# community.general.pam_limits module requires Python >= 3.7, which is not +# available. This uses lineinfile to set the ulimit. Replace with the proper +# pam_limits module once support for these older platforms is dropped. +- name: Set ulimits for Elasticsearch (workaround) + ansible.builtin.lineinfile: + path: /etc/security/limits.d/elasticsearch.conf + create: yes + line: "elasticsearch - nofile hard 65535" + state: present + when: elasticsearch_pamlimits | bool - name: Construct exact name of Elasticsearch package ansible.builtin.set_fact: 
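Review bot: The context line below the changed task in `elasticsearch-security.yml` still reads `'renew_ca' in "ansible_run_tags"`, which tests membership in the literal string instead of the variable. That half of the condition is always false, so a run tagged `renew_ca` does not trigger the CA backup block on its own. Since this commit is normalising `when` checks, the line should become `when: inventory_hostname == elasticstack_ca_host and ('renew_ca' in ansible_run_tags or elasticstack_ca_will_expire_soon | bool)`. The block's body lies outside the hunk.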
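Review bot: The line written by the new `lineinfile` task in `roles/elasticsearch/tasks/main.yml`, `elasticsearch - nofile hard 65535`, does not follow the limits.conf column order `<domain> <type> <item> <value>`. It puts `-` in the type column and `hard` where the number belongs, so the limit is likely rejected instead of applied. To match the removed `limit_type: hard` it should read `line: "elasticsearch hard nofile 65535"`. `create: yes` also creates the file without an explicit owner or mode; adding `mode: "0644"` keeps the permissions of a file under `/etc/security/limits.d/` independent of the umask.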
@@ -212,7 +215,7 @@ mode: "660" force: yes notify: Restart Elasticsearch - when: (elasticsearch_heap) + when: elasticsearch_heap | bool - name: Set jvm paths ansible.builtin.template: @@ -233,7 +236,7 @@ mode: "660" force: yes notify: Restart Elasticsearch - when: (elasticsearch_jvm_custom_parameters) + when: elasticsearch_jvm_custom_parameters | bool # On containerized Debian 10 systemd will not recognize elasticsearch service - name: Force systemd to reread configs on container @@ -311,7 +314,7 @@ - name: Show Info about heap ansible.builtin.debug: msg: "Using {{ elasticsearch_heap | int * 1024 }} of {{ ansible_memtotal_mb }} MB as heap for Elasticsearch" - when: (elasticsearch_heap) + when: elasticsearch_heap | bool - name: Show hint about passwords ansible.builtin.debug: From fa77053b158be0e1e4e6a12e3f7eeace3de4be21 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 23 Feb 2026 13:38:13 +0100 Subject: [PATCH 03/14] Fix lint about file permissions --- roles/elasticsearch/tasks/main.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index fa66c8e8..2284a423 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -122,10 +122,18 @@ # community.general.pam_limits module requires Python >= 3.7, which is not # available. This uses lineinfile to set the ulimit. Replace with the proper # pam_limits module once support for these older platforms is dropped. + +- name: Ensure correct permissions for Elasticsearch limits file + path: /etc/security/limits.d/elasticsearch.conf + state: file + owner: root + group: root + mode: "0644" + when: elasticsearch_pamlimits | bool + - name: Set ulimits for Elasticsearch (workaround) ansible.builtin.lineinfile: path: /etc/security/limits.d/elasticsearch.conf - create: yes line: "elasticsearch - nofile hard 65535" state: present when: elasticsearch_pamlimits | bool 
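Review bot: `when: elasticsearch_heap | bool` is not equivalent to the old truthiness test `(elasticsearch_heap)`, because the `bool` filter maps only values such as `true`, `yes`, `on` and `1` to true. A heap size of `"2"`, the value `molecule/elasticstack_default/converge.yml` carries until a later patch in this series, evaluates to false, so the tasks guarded by it are skipped. A condition that matches the intent would be `when: elasticsearch_heap | int > 0`, in all three heap hunks. The same concern applies to `elasticsearch_jvm_custom_parameters | bool` if that variable holds a list or string of JVM options, which the hunk does not show; `| length > 0` would fit that case. Each of these tasks starts outside its hunk.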
From 4e45bca9bd8b8f6826db14ee6ede54efb78c50a2 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 23 Feb 2026 13:43:44 +0100 Subject: [PATCH 04/14] More lint --- roles/elasticsearch/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 2284a423..1dbdce43 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -124,6 +124,7 @@ # pam_limits module once support for these older platforms is dropped. - name: Ensure correct permissions for Elasticsearch limits file + ansible.builtin.file: path: /etc/security/limits.d/elasticsearch.conf state: file owner: root From 83134ceca5336a765fb489a327b90a957a32f241 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 23 Feb 2026 15:11:09 +0100 Subject: [PATCH 05/14] Remove ulimit handling for Elasticsearch --- README.md | 11 ++++++++--- docs/role-elasticsearch.md | 5 ++++- galaxy.yml | 1 + roles/beats/meta/main.yml | 1 - roles/elasticsearch/meta/main.yml | 1 - roles/elasticsearch/tasks/main.yml | 22 ---------------------- roles/kibana/meta/main.yml | 1 - roles/logstash/meta/main.yml | 3 ++- 8 files changed, 15 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 63f4c98e..112d4899 100644 --- a/README.md +++ b/README.md @@ -9,8 +9,6 @@ This collection installs and manages the Elastic Stack. It provides roles for ev Every role is documented with all variables, please refer to the documentation found in **[Getting-Started](./docs/getting-started.md)** -**Please note**: If you are already using this collection before version `1.0.0`, please note that we had to rename a significant amount of variables due to naming schema changes made by Ansible. Please review the variables you have set in your playbooks and variable files. - ## Roles documentation > [!NOTE] 
@@ -78,8 +76,15 @@ We know from personal experience, that the collections work in following combina * CentOS 7 - Elastic Stack 7 -### Known Issues +## Caveats and information for long time users + +### Variable renaming + +**Please note**: If you are already using this collection before version `1.0.0`, please note that we had to rename a significant amount of variables due to naming schema changes made by Ansible. Please review the variables you have set in your playbooks and variable files. + +### Ulimit management for Elasticsearch +> **Warning**: The role no longer configures `ulimit`. Ensure the system's open file limit is set correctly (e.g., `ulimit -n`). Packages usually handle this, but verify with `ulimit -n` or checking `/proc//limits`. If your version does not, open an issue at the collection's issue tracker: https://github.com/netways/ansible-collection-elasticstack/issues ## Usage diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md index fa7f5620..3676a644 100644 --- a/docs/role-elasticsearch.md +++ b/docs/role-elasticsearch.md 
@@ -29,7 +29,6 @@ Role Variables * *elasticsearch_disable_systemcallfilterchecks*: Disable system call filter checks. This has a security impact but is necessary on some systems. Please refer to the [docs](https://www.elastic.co/guide/en/elasticsearch/reference/7.17/_system_call_filter_check.html) for details. (default: `false`) * *elasticsearch_http_publish_host*: (String) The network address for HTTP clients to contact the node using sniffing. Accepts an IP address, a hostname, or a special value. (default: `not set`) * *elasticsearch_http_publish_port*: (integer) The port of the HTTP publish address. Configure this setting only if you need the publish port to be different from http.port. (default: `not set`) -* *elasticsearch_pamlimits*: Set pam_limits neccessary for Elasticsearch. (Default: `true`) * *elasticsearch_check_calculation*: End play in checks (Default: `false`) * *elasticsearch_network_host*: You can configure multipe network addresses where the networking is bind to. You can assign IP addresses or interfaces by their names. You can also use elasticsearch internal variabels as it set as default. Example: `"_ens190_,_local_"` (Default: `"_local_,"_site_"`) (Optional; if not defined `default` is used) * *elasticsearch_api_host*: Hostname or IP elasticsearch is listening on. Only used for connection checks by ansible role. (Default: `localhost`) @@ -83,3 +82,7 @@ These variables are identical over all our elastic related roles, hence the diff - repos - elasticsearch ``` + +## Caveats + +> **Note**: The role no longer configures `ulimit`. Ensure the system's open file limit is set correctly (e.g., `ulimit -n`). Packages usually handle this, but verify with `ulimit -n` or checking `/proc//limits`. If your version does not, open an issue at the collection's issue tracker: https://github.com/netways/ansible-collection-elasticstack/issues diff --git a/galaxy.yml b/galaxy.yml index 206776df..609db1d1 100644 --- a/galaxy.yml +++ b/galaxy.yml 
@@ -23,6 +23,7 @@ tags: - monitoring dependencies: "community.general": "*" + "geerlingguy.redis": "*" repository: https://github.com/netways/ansible-collection-elasticstack documentation: https://github.com/netways/ansible-collection-elasticstack/README.md homepage: https://www.netways.de diff --git a/roles/beats/meta/main.yml b/roles/beats/meta/main.yml index 7060c661..046d0c63 100644 --- a/roles/beats/meta/main.yml +++ b/roles/beats/meta/main.yml @@ -23,4 +23,3 @@ galaxy_info: - beats - logging - system -dependencies: [] diff --git a/roles/elasticsearch/meta/main.yml b/roles/elasticsearch/meta/main.yml index fc06634b..7a0ec056 100644 --- a/roles/elasticsearch/meta/main.yml +++ b/roles/elasticsearch/meta/main.yml @@ -18,4 +18,3 @@ galaxy_info: - focal - jammy galaxy_tags: [] -dependencies: [] diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 1dbdce43..f1e3f71b 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml 
@@ -117,28 +117,6 @@ name: openssl when: elasticsearch_security | bool -# the following should be done by the rpm but failed with 7.4 -# NOTE: Workaround for older distributions (e.g., RHEL 8 / Rocky 8) where the -# community.general.pam_limits module requires Python >= 3.7, which is not -# available. This uses lineinfile to set the ulimit. Replace with the proper -# pam_limits module once support for these older platforms is dropped. - -- name: Ensure correct permissions for Elasticsearch limits file - ansible.builtin.file: - path: /etc/security/limits.d/elasticsearch.conf - state: file - owner: root - group: root - mode: "0644" - when: elasticsearch_pamlimits | bool - -- name: Set ulimits for Elasticsearch (workaround) - ansible.builtin.lineinfile: - path: /etc/security/limits.d/elasticsearch.conf - line: "elasticsearch - nofile hard 65535" - state: present - when: elasticsearch_pamlimits | bool - - name: Construct exact name of Elasticsearch package ansible.builtin.set_fact: elasticsearch_package: > diff --git a/roles/kibana/meta/main.yml b/roles/kibana/meta/main.yml index 3e42337f..3ce492c6 100644 --- a/roles/kibana/meta/main.yml +++ b/roles/kibana/meta/main.yml @@ -18,6 +18,5 @@ galaxy_info: - focal - jammy galaxy_tags: [] -dependencies: [] # List your role dependencies here, one per line. Be sure to remove the '[]' above, # if you add dependencies to this list. diff --git a/roles/logstash/meta/main.yml b/roles/logstash/meta/main.yml index 3a3cd722..96959b34 100644 --- a/roles/logstash/meta/main.yml +++ b/roles/logstash/meta/main.yml @@ -22,4 +22,5 @@ galaxy_info: - logstash - logging - system -dependencies: [] +dependencies: + - geerlingguy.redis From 6e924a6cbefa8ad882722dc8f5f1e37073a37098 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Mon, 2 Mar 2026 15:38:10 +0100 Subject: [PATCH 06/14] Fix dependencies --- README.md | 2 +- galaxy.yml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) 
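Review bot: The new `dependencies: - geerlingguy.redis` entry in `roles/logstash/meta/main.yml` adds an unpinned third-party role that runs before the logstash role on every host it is applied to. Neither the commit subject (ulimit removal) nor the README and docs changes in this patch mention it. If the dependency is intended, say why in a comment above the entry, e.g. `# Redis is needed for <reason>; version pinned in requirements.yml`, and pin the role version where it is installed so CI and users do not pick up whatever is current on Galaxy. If it is only needed for some setups, including it conditionally from the tasks would avoid installing an extra network service by default. The matching `galaxy.yml` line lists a role name under collection dependencies and is reverted by the next patch.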
diff --git a/README.md b/README.md index 112d4899..b5dad47e 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ We know from personal experience, that the collections work in following combina ### Ulimit management for Elasticsearch -> **Warning**: The role no longer configures `ulimit`. Ensure the system's open file limit is set correctly (e.g., `ulimit -n`). Packages usually handle this, but verify with `ulimit -n` or checking `/proc//limits`. If your version does not, open an issue at the collection's issue tracker: https://github.com/netways/ansible-collection-elasticstack/issues +**Warning**: The role no longer configures `ulimit`. Ensure the system's open file limit is set correctly (e.g., `ulimit -n`). Packages usually handle this, but verify with `ulimit -n` or checking `/proc//limits`. If your version does not, open an issue at the collection's issue tracker: https://github.com/netways/ansible-collection-elasticstack/issues ## Usage diff --git a/galaxy.yml b/galaxy.yml index 609db1d1..206776df 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -23,7 +23,6 @@ tags: - monitoring dependencies: "community.general": "*" - "geerlingguy.redis": "*" repository: https://github.com/netways/ansible-collection-elasticstack documentation: https://github.com/netways/ansible-collection-elasticstack/README.md homepage: https://www.netways.de From f4db781b6e0dea50d446f1d76f3900b21f34ddd0 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Tue, 3 Mar 2026 15:50:15 +0100 Subject: [PATCH 07/14] Rise ansible version --- requirements-test.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-test.txt b/requirements-test.txt index cd4890e6..b9673d4d 100644 --- a/requirements-test.txt +++ b/requirements-test.txt @@ -1,4 +1,4 @@ -ansible +ansible>=2.15 ansible-lint molecule molecule-plugins[docker] From 4ad99392565142a7c578f316ab50438182df6830 Mon Sep 17 00:00:00 2001 
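Review bot: `ansible>=2.15` in `requirements-test.txt` constrains the `ansible` community package, whose releases after 2.10 are numbered 3, 4, 5 and up. The specifier therefore accepts almost every release and does not enforce the intended minimum. If the goal is ansible-core 2.15 or newer, the line should be `ansible-core>=2.15`, or `ansible>=8` for the community package. The remaining entries stay unpinned, so CI resolves whatever is current at run time; a constraints file would make test runs reproducible.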
From: Thomas Widhalm Date: Fri, 6 Mar 2026 09:50:33 +0100 Subject: [PATCH 08/14] Add max-parallel limit to full stack workflow --- .github/workflows/test_full_stack.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test_full_stack.yml b/.github/workflows/test_full_stack.yml index 5cc8857c..b1df3a79 100644 --- a/.github/workflows/test_full_stack.yml +++ b/.github/workflows/test_full_stack.yml @@ -31,6 +31,7 @@ jobs: strategy: fail-fast: false + max-parallel: 2 matrix: distro: - rockylinux8 From 166a4ecd8ed54043e8f3ac101790e09bdbce4aac Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 6 Mar 2026 10:16:55 +0100 Subject: [PATCH 09/14] Reduce parallel checks even more --- .github/workflows/test_full_stack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_full_stack.yml b/.github/workflows/test_full_stack.yml index b1df3a79..41644b74 100644 --- a/.github/workflows/test_full_stack.yml +++ b/.github/workflows/test_full_stack.yml @@ -31,7 +31,7 @@ jobs: strategy: fail-fast: false - max-parallel: 2 + max-parallel: 1 matrix: distro: - rockylinux8 From 4175c7f216e4be08b4dc8cc7de331800e934f523 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 6 Mar 2026 10:59:01 +0100 Subject: [PATCH 10/14] Add debug tasks to Kibana --- roles/kibana/tasks/main.yml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 194f8344..4111487e 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml 
@@ -114,10 +114,26 @@ # the following is useful when running tests or extra tasks that need to # have Kibana running. Escape it on Rocky8, because it gets time out with Elastic 8 -- name: Wait for Kibana to start - ansible.builtin.wait_for: - host: localhost - port: 5601 +- name: Wait for Kibana to start (with debug) + block: + - name: Wait for Kibana to start + ansible.builtin.wait_for: + host: localhost + port: 5601 + timeout: 300 + register: kibana_wait + rescue: + - name: Debug Kibana status on failure + ansible.builtin.debug: + msg: "Kibana failed to start: {{ kibana_wait }}" + - name: Show Kibana logs + ansible.builtin.command: + cmd: journalctl -u kibana -n 100 + register: kibana_logs + - name: Output Kibana logs + ansible.builtin.debug: + var: kibana_logs.stdout + ignore_errors: true # Free up some space to let elsticsearch allocate replica in GitHub Action - name: Remove cache From a4b0c91a169f827bfaf1132b813485a1e9a5ac38 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 6 Mar 2026 12:50:17 +0100 Subject: [PATCH 11/14] Lint --- .gitignore | 2 ++ roles/elasticsearch/meta/main.yml | 5 ++++- roles/kibana/meta/main.yml | 6 +++--- roles/logstash/meta/main.yml | 4 ++++ 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 4754ea73..09f36261 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,5 @@ __pycache__* .vscode .roo .ansible +.rooignore +.venv diff --git a/roles/elasticsearch/meta/main.yml b/roles/elasticsearch/meta/main.yml index 7a0ec056..9068ffba 100644 --- a/roles/elasticsearch/meta/main.yml +++ b/roles/elasticsearch/meta/main.yml @@ -1,7 +1,8 @@ +--- galaxy_info: + role_name: elasticsearch author: Netways GmbH description: Elasticsearch Ansible role - role_name: elasticsearch company: Netways GmbH namespace: netways license: GPL-3.0-or-later @@ -18,3 +19,5 @@ galaxy_info: - focal - jammy galaxy_tags: [] +collections: + - netways.elasticstack 
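Review bot: The `rescue` section in `roles/kibana/tasks/main.yml` ends with a debug task, so a Kibana that never opens port 5601 leaves the block in the rescued state and the play continues as if the service were up. After the log output, end the rescue with a failing task such as `- name: Fail after collecting Kibana diagnostics`, `ansible.builtin.fail:`, `msg: "Kibana did not start within 300 seconds"`. The `journalctl` task also needs `changed_when: false` here, since a read-only command should not report a change.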
diff --git a/roles/kibana/meta/main.yml b/roles/kibana/meta/main.yml index 3ce492c6..d2163f3f 100644 --- a/roles/kibana/meta/main.yml +++ b/roles/kibana/meta/main.yml @@ -1,10 +1,10 @@ +--- galaxy_info: role_name: kibana author: netways description: Ansible role for Kibana company: Netways GmbH license: GPL-3.0-or-later - min_ansible_version: "2.4" platforms: - name: EL @@ -18,5 +18,5 @@ galaxy_info: - focal - jammy galaxy_tags: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. +collections: + - netways.elasticstack diff --git a/roles/logstash/meta/main.yml b/roles/logstash/meta/main.yml index 96959b34..af844f1f 100644 --- a/roles/logstash/meta/main.yml +++ b/roles/logstash/meta/main.yml @@ -22,5 +22,9 @@ galaxy_info: - logstash - logging - system + +collections: + - netways.elasticstack + dependencies: - geerlingguy.redis From f21dd554ed0205b6454f9070fab19d37238888b2 Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 6 Mar 2026 13:16:59 +0100 Subject: [PATCH 12/14] Lint --- roles/kibana/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 4111487e..597ebce3 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -130,10 +130,11 @@ ansible.builtin.command: cmd: journalctl -u kibana -n 100 register: kibana_logs + changed_when: false + no_log: true - name: Output Kibana logs ansible.builtin.debug: var: kibana_logs.stdout - ignore_errors: true # Free up some space to let elsticsearch allocate replica in GitHub Action - name: Remove cache From fc7c24e378e5904a8578dc36cf3836e884f26900 Mon Sep 17 00:00:00 2001 
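Review bot: `no_log: true` on the `journalctl` task in `roles/kibana/tasks/main.yml` hides only that task's own result. The following `Output Kibana logs` task prints `kibana_logs.stdout` through `debug`, so the last 100 journal lines still reach the console and any CI log. If the journal can contain credentials or tokens, apply the same switch to both tasks, e.g. `no_log: "{{ elasticstack_no_log | bool }}"`, assuming that variable (seen in `converge.yml`) is available to this role. Otherwise drop `no_log` from the command task so the two tasks agree. The surrounding block and rescue start outside the hunk.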
From: Thomas Widhalm Date: Fri, 6 Mar 2026 16:52:02 +0100 Subject: [PATCH 13/14] Reduce memory to not run into OOM * Remove heavier Rockylinux 9 image for now * Restrict ES heap to 1GB --- .github/workflows/test_roles_pr.yml | 2 +- molecule/elasticstack_default/converge.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test_roles_pr.yml b/.github/workflows/test_roles_pr.yml index df014eb0..85204c96 100644 --- a/.github/workflows/test_roles_pr.yml +++ b/.github/workflows/test_roles_pr.yml @@ -34,7 +34,7 @@ jobs: matrix: distro: - rockylinux8 - - rockylinux9 + #- rockylinux9 - ubuntu2204 scenario: - elasticstack_default diff --git a/molecule/elasticstack_default/converge.yml b/molecule/elasticstack_default/converge.yml index 694db61d..58119e39 100644 --- a/molecule/elasticstack_default/converge.yml +++ b/molecule/elasticstack_default/converge.yml @@ -14,7 +14,7 @@ elasticsearch_disable_systemcallfilterchecks: true elasticsearch_monitoring_enabled: false elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}" - elasticsearch_heap: "2" + elasticsearch_heap: "1" elasticstack_full_stack: true elasticstack_no_log: false logstash_pipeline_unsafe_shutdown: true From 8074932d8ec17f4e3015e0b624c19e3ceaadcf5a Mon Sep 17 00:00:00 2001 From: Thomas Widhalm Date: Fri, 6 Mar 2026 17:31:21 +0100 Subject: [PATCH 14/14] Fully remove Rockylinux 9 from definition for full stack tests --- .github/workflows/test_roles_pr.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test_roles_pr.yml b/.github/workflows/test_roles_pr.yml index 85204c96..7493fa47 100644 --- a/.github/workflows/test_roles_pr.yml +++ b/.github/workflows/test_roles_pr.yml @@ -34,7 +34,6 @@ jobs: matrix: distro: - rockylinux8 - #- rockylinux9 - ubuntu2204 scenario: - elasticstack_default