From c8ea620de560ddcf256430110d66d2bf305a0173 Mon Sep 17 00:00:00 2001
From: Saeid Hassanabadi
Date: Fri, 3 Jul 2026 11:28:31 +0200
Subject: [PATCH 1/5] fix: unify version selection across roles (install latest by default) Compute package name and package state from elasticstack_version instead of duplicating install tasks. unset/empty/'latest' -> state: latest; concrete version -> state: present. Stored in internal fact _elasticstack_package_state. Removes duplicate beats tasks and the KICS 'latest' workaround, documents the scheme in the getting started guide. Refs #313
---
docs/getting-started.md | 16 +++++++++++
roles/beats/tasks/auditbeat.yml | 46 ++++--------------------------
roles/beats/tasks/filebeat.yml | 43 ++++------------------------
roles/beats/tasks/metricbeat.yml | 44 ++++------------------------
roles/elasticsearch/tasks/main.yml | 6 +++-
roles/kibana/tasks/main.yml | 6 +++-
roles/logstash/tasks/main.yml | 9 ++++--
7 files changed, 48 insertions(+), 122 deletions(-)
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 79569b50..cae16846 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -61,3 +61,19 @@ Every role got its own set of variables, in addition a few variables are useable * *elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) * *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`) +* *elasticstack_version*: Full version to pin all components to (e.g. `8.13.0`). Leave unset to install the latest available version. (default: unset) + + +Version handling +----------- + +All roles share a single version selection scheme, so Elasticsearch, Kibana, Logstash and the Beats always behave the same way: + +* If `elasticstack_version` is **not set** (or set to the special value `latest`), the roles install the newest package available in the configured repository and keep it up to date on every run (`state: latest`). This is the default. +* If `elasticstack_version` is **set to a concrete version** (e.g. `8.13.0`), that exact version is installed and pinned (`state: present`); the package is not upgraded on later runs as long as the value stays the same. + +Internally each role derives the package name and the package state from `elasticstack_version` and stores the result in the internal fact `_elasticstack_package_state`. This variable is computed automatically and is not meant to be set by users. + +To keep the whole stack on one version, set `elasticstack_version` once at the play or group level. When running the full stack, the meta role also determines the version from the already installed Elasticsearch package (see `roles/elasticstack/tasks/elasticstack-versions.yml`), so the remaining components stay aligned. + +> **Note:** With the default (`latest`), every run may upgrade a component to the newest available release. For Elasticsearch clusters where controlled, orchestrated upgrades matter, pin `elasticstack_version` to a concrete value instead. 
diff --git a/roles/beats/tasks/auditbeat.yml b/roles/beats/tasks/auditbeat.yml index 46a84a00..5c6b30cf 100644 --- a/roles/beats/tasks/auditbeat.yml +++ b/roles/beats/tasks/auditbeat.yml @@ -7,13 +7,15 @@ 'auditbeat' + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} + _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Install Auditbeat - rpm - full stack ansible.builtin.package: name: "{{ beats_auditbeat_package }}" + state: "{{ _elasticstack_package_state }}" enablerepo: - 'elastic-{{ elasticstack_release }}.x' notify: @@ -25,6 +27,7 @@ - name: Install Auditbeat - rpm - standalone ansible.builtin.package: name: "{{ beats_auditbeat_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Auditbeat when: 
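Review bot: The pin test `elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest'` is now written out twice in this set_fact, once for the package name and once for `_elasticstack_package_state`, and the same pair recurs in the filebeat, metricbeat, elasticsearch, kibana and both logstash hunks. If one copy drifts, a versioned package name can end up paired with `state: latest`. `length` is also applied to the raw value while the name expression casts with `| string`, so a version supplied as an unquoted number would presumably fail there. Evaluating the test once in a preceding task, for example `_elasticstack_pin: "{{ (elasticstack_version | default('') | string) not in ['', 'latest'] }}"`, and deriving both values from it would remove the copies. The set_fact task itself starts outside the hunk.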
@@ -34,51 +37,12 @@ - name: Install Auditbeat - deb ansible.builtin.package: name: "{{ beats_auditbeat_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Auditbeat when: - ansible_os_family == "Debian" -# KICS complains about "latest" package but this is a dedicated update task - -- name: Install Auditbeat latest version - rpm - full stack - ansible.builtin.package: - name: auditbeat -# kics-scan ignore-line - state: latest - enablerepo: - - "elastic-{{ elasticstack_release }}.x" - notify: - - Restart Auditbeat - when: - - elasticstack_version is defined - - elasticstack_version == "latest" - - ansible_os_family == "RedHat" - - elasticstack_full_stack | bool - -- name: Install Auditbeat latest version - rpm - standalone - ansible.builtin.package: - name: auditbeat - state: latest - notify: - - Restart Auditbeat - when: - - elasticstack_version is defined - - elasticstack_version == "latest" - - ansible_os_family == "RedHat" - - not elasticstack_full_stack | bool - -- name: Install Auditbeat latest version - deb - ansible.builtin.package: - name: auditbeat - state: latest - notify: - - Restart Auditbeat - when: - - elasticstack_version is defined - - elasticstack_version == "latest" - - ansible_os_family == "Debian" - - name: Configure Auditbeat ansible.builtin.template: src: auditbeat.yml.j2 diff --git a/roles/beats/tasks/filebeat.yml b/roles/beats/tasks/filebeat.yml index 0fbce0cb..090b6658 100644 --- a/roles/beats/tasks/filebeat.yml +++ b/roles/beats/tasks/filebeat.yml 
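Review bot: The deleted block carried `# kics-scan ignore-line` on a literal `state: latest`, while the surviving deb task now takes `state: "{{ _elasticstack_package_state }}"`, which still resolves to `latest` whenever `elasticstack_version` is unset. A static IaC scanner presumably cannot follow the template, so the unpinned-install finding drops out of reports even though unpinned installs became the default on every run rather than a dedicated update task. A comment above the state line would keep that visible to reviewers, e.g. `# resolves to 'latest' when elasticstack_version is unset or 'latest'; unpinned by design`, and the exception is better recorded in the scanner configuration than lost with the removed comment. The rpm tasks in the two earlier hunks of this file use the same templated state.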
@@ -7,12 +7,14 @@ 'filebeat' + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} + _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Install Filebeat - rpm - full stack ansible.builtin.package: name: "{{ beats_filebeat_package }}" + state: "{{ _elasticstack_package_state }}" enablerepo: - 'elastic-{{ elasticstack_release }}.x' notify: @@ -24,6 +26,7 @@ - name: Install Filebeat - rpm - standalone ansible.builtin.package: name: "{{ beats_filebeat_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Filebeat when: 
@@ -33,48 +36,12 @@ - name: Install Filebeat - deb ansible.builtin.package: name: "{{ beats_filebeat_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Filebeat when: - ansible_os_family == "Debian" -- name: Install Filebeat latest version - rpm - full stack - ansible.builtin.package: - name: filebeat - state: latest - enablerepo: - - "elastic-{{ elasticstack_release }}.x" - notify: - - Restart Filebeat - when: - - elasticstack_version is defined - - elasticstack_version == "latest" - - ansible_os_family == "RedHat" - - elasticstack_full_stack | bool - -- name: Install Filebeat latest version - rpm - standalone - ansible.builtin.package: - name: filebeat - state: latest - notify: - - Restart Filebeat - when: - - elasticstack_version is defined - - elasticstack_version == "latest" - - ansible_os_family == "RedHat" - - not elasticstack_full_stack | bool - -- name: Install Filebeat latest version - deb - ansible.builtin.package: - name: filebeat - state: latest - notify: - - Restart Filebeat - when: - - elasticstack_version is defined - - elasticstack_version == "latest" - - ansible_os_family == "Debian" - - name: Configure Filebeat ansible.builtin.template: src: filebeat.yml.j2 diff --git a/roles/beats/tasks/metricbeat.yml b/roles/beats/tasks/metricbeat.yml index 4ca61cfb..ce38e38d 100644 --- a/roles/beats/tasks/metricbeat.yml +++ b/roles/beats/tasks/metricbeat.yml 
@@ -7,13 +7,15 @@ 'metricbeat' + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} + _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Install Metricbeat - rpm - full stack ansible.builtin.package: name: "{{ beats_metricbeat_package }}" + state: "{{ _elasticstack_package_state }}" enablerepo: - 'elastic-{{ elasticstack_release }}.x' notify: @@ -25,6 +27,7 @@ - name: Install Metricbeat - rpm - standalone ansible.builtin.package: name: "{{ beats_metricbeat_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Metricbeat when: 
@@ -34,49 +37,12 @@ - name: Install Metricbeat - deb ansible.builtin.package: name: "{{ beats_metricbeat_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Metricbeat when: - ansible_os_family == "Debian" -- name: Install Metricbeat latest version - rpm - full stack - ansible.builtin.package: - name: metricbeat - state: latest - enablerepo: - - "elastic-{{ elasticstack_release }}.x" - notify: - - Restart Metricbeat - when: - - elasticstack_version is defined - - elasticstack_version == "latest" - - ansible_os_family == "RedHat" - - elasticstack_full_stack | bool - -- name: Install Metricbeat latest version - rpm - standalone - ansible.builtin.package: - name: metricbeat - state: latest - notify: - - Restart Metricbeat - when: - - elasticstack_version is defined - - elasticstack_version == "latest" - - ansible_os_family == "RedHat" - - not elasticstack_full_stack | bool - - -- name: Install Metricbeat latest version - deb - ansible.builtin.package: - name: metricbeat - state: latest - notify: - - Restart Metricbeat - when: - - elasticstack_version is defined - - elasticstack_version == "latest" - - ansible_os_family == "Debian" - - name: Configure Metricbeat ansible.builtin.template: src: metricbeat.yml.j2 diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index e92085cd..5759e87e 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml 
@@ -124,9 +124,10 @@ ('elasticsearch-oss' if elasticstack_variant == 'oss' else 'elasticsearch') + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} + _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Update Elasticsearch if needed ansible.builtin.include_tasks: elasticsearch-rolling-upgrade.yml @@ -141,6 +142,7 @@ - name: Install Elasticsearch - rpm - full stack ansible.builtin.package: name: "{{ elasticsearch_package }}" + state: "{{ _elasticstack_package_state }}" enablerepo: - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' when: @@ -150,6 +152,7 @@ - name: Install Elasticsearch - rpm - standalone ansible.builtin.package: name: "{{ elasticsearch_package }}" + state: "{{ _elasticstack_package_state }}" when: - ansible_os_family == "RedHat" - not elasticstack_full_stack | bool @@ -157,6 +160,7 @@ - name: Install Elasticsearch - deb ansible.builtin.package: name: "{{ elasticsearch_package }}" + state: "{{ _elasticstack_package_state }}" when: - ansible_os_family == "Debian" diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 597ebce3..9cb8982d 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml 
@@ -48,12 +48,14 @@ ('-oss' if elasticstack_variant == 'oss' else '') + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} + _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Install Kibana - rpm - full stack ansible.builtin.package: name: "{{ kibana_package }}" + state: "{{ _elasticstack_package_state }}" enablerepo: - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' notify: @@ -65,6 +67,7 @@ - name: Install Kibana - rpm - standalone ansible.builtin.package: name: "{{ kibana_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Kibana when: @@ -74,6 +77,7 @@ - name: Install Kibana - deb ansible.builtin.package: name: "{{ kibana_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Kibana when: diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index 0ba06dee..d0de07bf 100644 --- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -65,9 +65,10 @@ ('-oss' if elasticstack_variant == 'oss' else '') + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} + _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" when: - ansible_os_family != "Debian" 
@@ -78,15 +79,17 @@ 'logstash' + ('-oss' if elasticstack_variant == 'oss' else '') + ((elasticstack_versionseparator + '1:' + elasticstack_version + '-1') - if (elasticstack_version is defined and elasticstack_version | length > 0) else '') | + if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else '') | replace(' ', '') }} + _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" when: - ansible_os_family == "Debian" - name: Install Logstash - rpm - full stack ansible.builtin.package: name: "{{ logstash_package }}" + state: "{{ _elasticstack_package_state }}" enablerepo: - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' notify: @@ -98,6 +101,7 @@ - name: Install Logstash - rpm - standalone ansible.builtin.package: name: "{{ logstash_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Logstash when: @@ -107,6 +111,7 @@ - name: Install Logstash - deb ansible.builtin.package: name: "{{ logstash_package }}" + state: "{{ _elasticstack_package_state }}" notify: - Restart Logstash when: From caeca8108526b448096fc346495858463aafcb4b Mon Sep 17 00:00:00 2001 
From: Saeid Hassanabadi
Date: Fri, 3 Jul 2026 12:01:19 +0200
Subject: [PATCH 2/5] fix: unify version selection across roles Remove the duplicate "latest" install tasks from the beats role and select the version solely via the package name: unset/empty/'latest' installs the unversioned package (newest on first install), a concrete elasticstack_version pins that exact version. All roles install with state: present, so re-runs never trigger an unplanned upgrade. Documents the scheme in the getting started guide. Refs #313
---
docs/getting-started.md | 10 ++++------
roles/beats/tasks/auditbeat.yml | 7 +++----
roles/beats/tasks/filebeat.yml | 7 +++----
roles/beats/tasks/metricbeat.yml | 7 +++----
roles/elasticsearch/tasks/main.yml | 7 +++----
roles/kibana/tasks/main.yml | 7 +++----
roles/logstash/tasks/main.yml | 8 +++-----
7 files changed, 22 insertions(+), 31 deletions(-)
diff --git a/docs/getting-started.md b/docs/getting-started.md
index cae16846..ba46f1be 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -67,13 +67,11 @@ Every role got its own set of variables, in addition a few variables are useable Version handling ----------- -All roles share a single version selection scheme, so Elasticsearch, Kibana, Logstash and the Beats always behave the same way: +All roles share a single version selection scheme, so Elasticsearch, Kibana, Logstash and the Beats always behave the same way. The install tasks always use `state: present`; only the package *name* changes depending on whether a version is pinned: -* If `elasticstack_version` is **not set** (or set to the special value `latest`), the roles install the newest package available in the configured repository and keep it up to date on every run (`state: latest`). This is the default. -* If `elasticstack_version` is **set to a concrete version** (e.g. `8.13.0`), that exact version is installed and pinned (`state: present`); the package is not upgraded on later runs as long as the value stays the same. +* If `elasticstack_version` is **not set** (or set to `latest`), the package name has no version suffix. On first install this pulls the newest version available in the configured repository. On later runs the package is left as-is and **not** upgraded automatically. This is the default. +* If `elasticstack_version` is **set to a concrete version** (e.g. `8.13.0`), the versioned package name is installed and pinned to exactly that version. -Internally each role derives the package name and the package state from `elasticstack_version` and stores the result in the internal fact `_elasticstack_package_state`. This variable is computed automatically and is not meant to be set by users. +Because everything runs with `state: present`, a plain re-run never triggers an unplanned upgrade. To move to a newer release, either set `elasticstack_version` to the desired version, or upgrade the package outside of this collection. To keep the whole stack on one version, set `elasticstack_version` once at the play or group level. 
When running the full stack, the meta role also determines the version from the already installed Elasticsearch package (see `roles/elasticstack/tasks/elasticstack-versions.yml`), so the remaining components stay aligned. - -> **Note:** With the default (`latest`), every run may upgrade a component to the newest available release. For Elasticsearch clusters where controlled, orchestrated upgrades matter, pin `elasticstack_version` to a concrete value instead. diff --git a/roles/beats/tasks/auditbeat.yml b/roles/beats/tasks/auditbeat.yml index 5c6b30cf..cf017b4e 100644 --- a/roles/beats/tasks/auditbeat.yml +++ b/roles/beats/tasks/auditbeat.yml @@ -10,12 +10,11 @@ string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} - _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Install Auditbeat - rpm - full stack ansible.builtin.package: name: "{{ beats_auditbeat_package }}" - state: "{{ _elasticstack_package_state }}" + state: present enablerepo: - 'elastic-{{ elasticstack_release }}.x' notify: @@ -27,7 +26,7 @@ - name: Install Auditbeat - rpm - standalone ansible.builtin.package: name: "{{ beats_auditbeat_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Auditbeat when: @@ -37,7 +36,7 @@ - name: Install Auditbeat - deb ansible.builtin.package: name: "{{ beats_auditbeat_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Auditbeat when: diff --git a/roles/beats/tasks/filebeat.yml b/roles/beats/tasks/filebeat.yml index 090b6658..8da2d026 100644 --- a/roles/beats/tasks/filebeat.yml +++ b/roles/beats/tasks/filebeat.yml 
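Review bot: After the auditbeat.yml hunks `elasticstack_version: latest` no longer upgrades anything: the name expression drops the version suffix for `'latest'` and the three Install Auditbeat tasks now hard-code `state: present`, so an already installed Auditbeat stays at whatever version it has. Before this series that value selected the dedicated `state: latest` tasks, so inventories that relied on it to pull fixes stop receiving them without any error; the filebeat.yml and metricbeat.yml hunks change the same way. Consider warning on or rejecting the value, or at least stating the behaviour next to the task, e.g. `# 'latest' is treated like unset: installs once, never upgrades; patching needs a concrete elasticstack_version`. Hosts provisioned at different times will also end up on different versions when no version is pinned. The set_fact task starts outside the hunk.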
@@ -9,12 +9,11 @@ elasticstack_version | string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} - _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Install Filebeat - rpm - full stack ansible.builtin.package: name: "{{ beats_filebeat_package }}" - state: "{{ _elasticstack_package_state }}" + state: present enablerepo: - 'elastic-{{ elasticstack_release }}.x' notify: @@ -26,7 +25,7 @@ - name: Install Filebeat - rpm - standalone ansible.builtin.package: name: "{{ beats_filebeat_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Filebeat when: @@ -36,7 +35,7 @@ - name: Install Filebeat - deb ansible.builtin.package: name: "{{ beats_filebeat_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Filebeat when: diff --git a/roles/beats/tasks/metricbeat.yml b/roles/beats/tasks/metricbeat.yml index ce38e38d..dd5a655e 100644 --- a/roles/beats/tasks/metricbeat.yml +++ b/roles/beats/tasks/metricbeat.yml @@ -10,12 +10,11 @@ string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} - _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Install Metricbeat - rpm - full stack ansible.builtin.package: name: "{{ beats_metricbeat_package }}" - state: "{{ _elasticstack_package_state }}" + state: present enablerepo: - 'elastic-{{ elasticstack_release }}.x' notify: 
@@ -27,7 +26,7 @@ - name: Install Metricbeat - rpm - standalone ansible.builtin.package: name: "{{ beats_metricbeat_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Metricbeat when: @@ -37,7 +36,7 @@ - name: Install Metricbeat - deb ansible.builtin.package: name: "{{ beats_metricbeat_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Metricbeat when: diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 5759e87e..9b89924d 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -127,7 +127,6 @@ string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} - _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Update Elasticsearch if needed ansible.builtin.include_tasks: elasticsearch-rolling-upgrade.yml @@ -142,7 +141,7 @@ - name: Install Elasticsearch - rpm - full stack ansible.builtin.package: name: "{{ elasticsearch_package }}" - state: "{{ _elasticstack_package_state }}" + state: present enablerepo: - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' when: @@ -152,7 +151,7 @@ - name: Install Elasticsearch - rpm - standalone ansible.builtin.package: name: "{{ elasticsearch_package }}" - state: "{{ _elasticstack_package_state }}" + state: present when: - ansible_os_family == "RedHat" - not elasticstack_full_stack | bool @@ -160,7 +159,7 @@ - name: Install Elasticsearch - deb ansible.builtin.package: name: "{{ elasticsearch_package }}" - state: "{{ _elasticstack_package_state }}" + state: present when: - ansible_os_family == "Debian" diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 9cb8982d..11b29158 100644 
--- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -50,12 +50,11 @@ elasticstack_version | string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} - _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" - name: Install Kibana - rpm - full stack ansible.builtin.package: name: "{{ kibana_package }}" - state: "{{ _elasticstack_package_state }}" + state: present enablerepo: - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' notify: @@ -67,7 +66,7 @@ - name: Install Kibana - rpm - standalone ansible.builtin.package: name: "{{ kibana_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Kibana when: @@ -77,7 +76,7 @@ - name: Install Kibana - deb ansible.builtin.package: name: "{{ kibana_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Kibana when: diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index d0de07bf..7703ae27 100644 --- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -68,7 +68,6 @@ string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | replace(' ', '') }} - _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" when: - ansible_os_family != "Debian" 
@@ -82,14 +81,13 @@ if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else '') | replace(' ', '') }} - _elasticstack_package_state: "{{ 'present' if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else 'latest' }}" when: - ansible_os_family == "Debian" - name: Install Logstash - rpm - full stack ansible.builtin.package: name: "{{ logstash_package }}" - state: "{{ _elasticstack_package_state }}" + state: present enablerepo: - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' notify: @@ -101,7 +99,7 @@ - name: Install Logstash - rpm - standalone ansible.builtin.package: name: "{{ logstash_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Logstash when: @@ -111,7 +109,7 @@ - name: Install Logstash - deb ansible.builtin.package: name: "{{ logstash_package }}" - state: "{{ _elasticstack_package_state }}" + state: present notify: - Restart Logstash when: From fe00d424c4ffbcf42a7096572c90706d5531cd4b Mon Sep 17 00:00:00 2001 
From: Saeid Hassanabadi
Date: Fri, 3 Jul 2026 12:34:53 +0200
Subject: [PATCH 3/5] fix: unify version selection across roles Remove the duplicate "latest" install tasks from the beats role. The package version is now selected solely via the package name: a defined elasticstack_version installs that exact version, an unset value installs the unversioned package (newest available). All roles install with state: present. Documents the behaviour in the README. Refs #313
---
README.md | 2 +
docs/getting-started.md | 14 -
docs/role-beats.md | 2 +-
.../beats/tasks/.fuse_hidden0000001000000001 | 97 ++++++
.../beats/tasks/.fuse_hidden0000001200000002 | 77 +++++
.../beats/tasks/.fuse_hidden0000001400000003 | 80 +++++
roles/beats/tasks/auditbeat.yml | 2 +-
roles/beats/tasks/filebeat.yml | 2 +-
roles/beats/tasks/metricbeat.yml | 2 +-
.../tasks/.fuse_hidden0000002000000006 | 315 +++++++++++++++++
roles/elasticsearch/tasks/main.yml | 2 +-
.../kibana/tasks/.fuse_hidden0000001800000004 | 147 ++++++++
roles/kibana/tasks/main.yml | 2 +-
.../tasks/.fuse_hidden0000001c00000005 | 320 ++++++++++++++++++
roles/logstash/tasks/main.yml | 4 +-
15 files changed, 1046 insertions(+), 22 deletions(-)
create mode 100644 roles/beats/tasks/.fuse_hidden0000001000000001
create mode 100644 roles/beats/tasks/.fuse_hidden0000001200000002
create mode 100644 roles/beats/tasks/.fuse_hidden0000001400000003
create mode 100644 roles/elasticsearch/tasks/.fuse_hidden0000002000000006
create mode 100644 roles/kibana/tasks/.fuse_hidden0000001800000004
create mode 100644 roles/logstash/tasks/.fuse_hidden0000001c00000005
diff --git a/README.md b/README.md
index 99b4389f..23f948d6 100644
--- a/README.md
+++ b/README.md
@@ -94,6 +94,8 @@ The variable `elasticstack_no_log` can be set to `false` if you want to see the *elasticstack_version*: Version number of tools to install. Only set if you don't want the latest on new setups. (default: none). If you already have an installation of Elastic Stack, this collection will query the version of Elasticsearch on the CA host and use it for all further installations in the same setup. (Only if you run the `elasticsearch` role before all others) Example: `7.17.2` +All packages are installed with `state: present`. When `elasticstack_version` is set to a version number (e.g. `7.17.2`), that exact version is installed and pinned. When it is left unset, the package is installed without a version, so a new setup gets the newest available version and existing installations are not upgraded automatically on later runs. + *elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) Make sure it corresponds to `elasticstack_version` if you set both. For OSS version see `elasticstack_variant` below. diff --git a/docs/getting-started.md b/docs/getting-started.md index ba46f1be..79569b50 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md 
@@ -61,17 +61,3 @@ Every role got its own set of variables, in addition a few variables are useable * *elasticstack_release*: Major release version of Elastic stack to configure. (default: `7`) * *elasticstack_variant*: Variant of the stack to install. Valid values: `elastic` or `oss`. (default: `elastic`) -* *elasticstack_version*: Full version to pin all components to (e.g. `8.13.0`). Leave unset to install the latest available version. (default: unset) - - -Version handling ------------ - -All roles share a single version selection scheme, so Elasticsearch, Kibana, Logstash and the Beats always behave the same way. The install tasks always use `state: present`; only the package *name* changes depending on whether a version is pinned: - -* If `elasticstack_version` is **not set** (or set to `latest`), the package name has no version suffix. On first install this pulls the newest version available in the configured repository. On later runs the package is left as-is and **not** upgraded automatically. This is the default. -* If `elasticstack_version` is **set to a concrete version** (e.g. `8.13.0`), the versioned package name is installed and pinned to exactly that version. - -Because everything runs with `state: present`, a plain re-run never triggers an unplanned upgrade. To move to a newer release, either set `elasticstack_version` to the desired version, or upgrade the package outside of this collection. - -To keep the whole stack on one version, set `elasticstack_version` once at the play or group level. When running the full stack, the meta role also determines the version from the already installed Elasticsearch package (see `roles/elasticstack/tasks/elasticstack-versions.yml`), so the remaining components stay aligned. diff --git a/docs/role-beats.md b/docs/role-beats.md index 5d742c82..12e4a052 100644 --- a/docs/role-beats.md +++ b/docs/role-beats.md 
@@ -95,7 +95,7 @@ The following variables only apply if you use this role together with our other * *elasticstack_ca_dir*: Directory where on the Elasticsearch CA host certificates are stored. This is only useful in connection with out other Elastic Stack related roles. (default: `/opt/es-ca`) * *elasticstack_ca_pass*: Password for Elasticsearch CA (default: `PleaseChangeMe`) * *elasticstack_initial_passwords*: Path to file with initical elasticsearch passwords (default: `/usr/share/elasticsearch/initial_passwords`) -* *elasticstack_version*: Install specific version (Default: none. Possible values: e.g. `7.10.1` or `latest`) +* *elasticstack_version*: Install a specific version; leave unset to install the latest available. (Default: none. Example: `7.10.1`) If you want to use this role with your own TLS certificates, use these variables. diff --git a/roles/beats/tasks/.fuse_hidden0000001000000001 b/roles/beats/tasks/.fuse_hidden0000001000000001 new file mode 100644 index 00000000..8da2d026 --- /dev/null +++ b/roles/beats/tasks/.fuse_hidden0000001000000001 
@@ -0,0 +1,97 @@ +--- + +- name: Construct exact name of Filebeat package + ansible.builtin.set_fact: + beats_filebeat_package: >- + {{ + 'filebeat' + + ((elasticstack_versionseparator + + elasticstack_version | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + replace(' ', '') }} + +- name: Install Filebeat - rpm - full stack + ansible.builtin.package: + name: "{{ beats_filebeat_package }}" + state: present + enablerepo: + - 'elastic-{{ elasticstack_release }}.x' + notify: + - Restart Filebeat + when: + - ansible_os_family == "RedHat" + - elasticstack_full_stack | bool + +- name: Install Filebeat - rpm - standalone + ansible.builtin.package: + name: "{{ beats_filebeat_package }}" + state: present + notify: + - Restart Filebeat + when: + - ansible_os_family == "RedHat" + - not elasticstack_full_stack | bool + +- name: Install Filebeat - deb + ansible.builtin.package: + name: "{{ beats_filebeat_package }}" + state: present + notify: + - Restart Filebeat + when: + - ansible_os_family == "Debian" + +- name: Configure Filebeat + ansible.builtin.template: + src: filebeat.yml.j2 + dest: /etc/filebeat/filebeat.yml + owner: root + group: root + mode: 0640 + notify: + - Restart Filebeat + tags: + - configuration + - beats_filebeat_configuration + - beats_configuration + +- name: Configure modules + when: beats_filebeat_modules is defined + tags: + - configuration + - beats_filebeat_configuration + - beats_configuration + block: + + - name: Enable modules + ansible.builtin.command: "filebeat modules enable {{ item }}" + args: + creates: "/etc/filebeat/modules.d/{{ item }}.yml" + with_items: "{{ beats_filebeat_modules }}" + + - name: Enable System module + ansible.builtin.template: + src: filebeat-system.yml.j2 + dest: /etc/filebeat/modules.d/system.yml + owner: root + group: root + mode: 0644 + when: + - elasticstack_release | int > 7 + + - name: Enable Ingest Pipelines + ansible.builtin.shell: > + 
/usr/bin/filebeat setup --pipelines && + /usr/bin/filebeat version > /etc/filebeat/{{ item }}_pipeline_created + args: + creates: "/etc/filebeat/{{ item }}_pipeline_created" + with_items: "{{ beats_filebeat_modules }}" + notify: + - Restart Filebeat + +- name: Start Filebeat + ansible.builtin.service: + name: filebeat + state: started + enabled: true + when: beats_filebeat_enable | bool diff --git a/roles/beats/tasks/.fuse_hidden0000001200000002 b/roles/beats/tasks/.fuse_hidden0000001200000002 new file mode 100644 index 00000000..cf017b4e --- /dev/null +++ b/roles/beats/tasks/.fuse_hidden0000001200000002 
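Review bot: In the `Enable Ingest Pipelines` task near the end of this file, `{{ item }}` from `beats_filebeat_modules` is pasted unquoted into an `ansible.builtin.shell` command line, so a module name containing whitespace or shell metacharacters changes what the shell executes. Quote it where it reaches the shell: `/usr/bin/filebeat version > /etc/filebeat/{{ item | quote }}_pipeline_created`. The loop also runs the same `filebeat setup --pipelines` once per module without passing the module name, which may be unintended. This file is an added copy of blob 8da2d026, the pre-image of roles/beats/tasks/filebeat.yml further down, so the task exists in the real task file as well.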
@@ -0,0 +1,77 @@ +--- + +- name: Construct exact name of Auditbeat package + ansible.builtin.set_fact: + beats_auditbeat_package: >- + {{ + 'auditbeat' + + ((elasticstack_versionseparator + + elasticstack_version | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + replace(' ', '') + }} + +- name: Install Auditbeat - rpm - full stack + ansible.builtin.package: + name: "{{ beats_auditbeat_package }}" + state: present + enablerepo: + - 'elastic-{{ elasticstack_release }}.x' + notify: + - Restart Auditbeat + when: + - ansible_os_family == "RedHat" + - elasticstack_full_stack | bool + +- name: Install Auditbeat - rpm - standalone + ansible.builtin.package: + name: "{{ beats_auditbeat_package }}" + state: present + notify: + - Restart Auditbeat + when: + - ansible_os_family == "RedHat" + - not elasticstack_full_stack | bool + +- name: Install Auditbeat - deb + ansible.builtin.package: + name: "{{ beats_auditbeat_package }}" + state: present + notify: + - Restart Auditbeat + when: + - ansible_os_family == "Debian" + +- name: Configure Auditbeat + ansible.builtin.template: + src: auditbeat.yml.j2 + dest: /etc/auditbeat/auditbeat.yml + owner: root + group: root + mode: 0640 + notify: + - Restart Auditbeat + tags: + - configuration + - beats_auditbeat_configuration + - beats_configuration + +- name: Setup Auditbeat in Elasticsearch + ansible.builtin.command: > + /usr/bin/auditbeat setup --pipelines --index-management && + /usr/bin/auditbeat version > /etc/auditbeat/pipeline_created + run_once: true + args: + creates: "/etc/auditbeat/pipeline_created" + notify: + - Restart Auditbeat + when: + - beats_auditbeat_setup | bool + - beats_auditbeat_output == "elasticsearch" + +- name: Start Auditbeat + ansible.builtin.service: + name: auditbeat + state: started + enabled: true + when: beats_auditbeat_enable | bool 
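Review bot: `Setup Auditbeat in Elasticsearch` sends a line containing `&&` and `>` through `ansible.builtin.command`, which does not hand the line to a shell, so both operators reach auditbeat as literal arguments and the redirect never writes `/etc/auditbeat/pipeline_created`. Because the `creates:` marker then never appears, the setup step would be attempted again on every run. The Filebeat copy uses `ansible.builtin.shell: >` for the same pattern; this task and `Enable Ingest Pipelines` in the Metricbeat copy (.fuse_hidden0000001400000003) need the same, or a plain `command` for the setup plus a separate task that writes the marker. Blob cf017b4e is also the pre-image of roles/beats/tasks/auditbeat.yml, so the real task file carries this task too.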
diff --git a/roles/beats/tasks/.fuse_hidden0000001400000003 b/roles/beats/tasks/.fuse_hidden0000001400000003
new file mode 100644
index 00000000..dd5a655e
--- /dev/null
+++ b/roles/beats/tasks/.fuse_hidden0000001400000003
@@ -0,0 +1,80 @@ +--- + +- name: Construct exact name of Metricbeat package + ansible.builtin.set_fact: + beats_metricbeat_package: >- + {{ + 'metricbeat' + + ((elasticstack_versionseparator + + elasticstack_version | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + replace(' ', '') + }} + +- name: Install Metricbeat - rpm - full stack + ansible.builtin.package: + name: "{{ beats_metricbeat_package }}" + state: present + enablerepo: + - 'elastic-{{ elasticstack_release }}.x' + notify: + - Restart Metricbeat + when: + - ansible_os_family == "RedHat" + - elasticstack_full_stack | bool + +- name: Install Metricbeat - rpm - standalone + ansible.builtin.package: + name: "{{ beats_metricbeat_package }}" + state: present + notify: + - Restart Metricbeat + when: + - ansible_os_family == "RedHat" + - not elasticstack_full_stack | bool + +- name: Install Metricbeat - deb + ansible.builtin.package: + name: "{{ beats_metricbeat_package }}" + state: present + notify: + - Restart Metricbeat + when: + - ansible_os_family == "Debian" + +- name: Configure Metricbeat + ansible.builtin.template: + src: metricbeat.yml.j2 + dest: /etc/metricbeat/metricbeat.yml + owner: root + group: root + mode: 0644 + notify: + - Restart Metricbeat + +- name: Enable modules + ansible.builtin.command: "metricbeat modules enable {{ item }}" + args: + creates: "/etc/metricbeat/modules.d/{{ item }}.yml" + with_items: "{{ beats_metricbeat_modules }}" + when: beats_metricbeat_modules is defined + +- name: Enable Ingest Pipelines + ansible.builtin.command: > + metricbeat setup && + metricbeat version > /etc/metricbeat/pipelines_created + args: + creates: "/etc/metricbeat/pipelines_created" + notify: + - Restart Metricbeat + with_items: "{{ beats_metricbeat_modules }}" + when: + - beats_metricbeat_modules is defined + - beats_metricbeat_output == "elasticsearch" + +- name: Start Metricbeat + ansible.builtin.service: + name: 
metricbeat + state: started + enabled: true + when: beats_metricbeat_enable | bool diff --git a/roles/beats/tasks/auditbeat.yml b/roles/beats/tasks/auditbeat.yml index cf017b4e..7142168b 100644 --- a/roles/beats/tasks/auditbeat.yml +++ b/roles/beats/tasks/auditbeat.yml @@ -7,7 +7,7 @@ 'auditbeat' + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | replace(' ', '') }} diff --git a/roles/beats/tasks/filebeat.yml b/roles/beats/tasks/filebeat.yml index 8da2d026..2cd28406 100644 --- a/roles/beats/tasks/filebeat.yml +++ b/roles/beats/tasks/filebeat.yml @@ -7,7 +7,7 @@ 'filebeat' + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | replace(' ', '') }} - name: Install Filebeat - rpm - full stack diff --git a/roles/beats/tasks/metricbeat.yml b/roles/beats/tasks/metricbeat.yml index dd5a655e..3501ce01 100644 --- a/roles/beats/tasks/metricbeat.yml +++ b/roles/beats/tasks/metricbeat.yml @@ -7,7 +7,7 @@ 'metricbeat' + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | replace(' ', '') }} diff --git a/roles/elasticsearch/tasks/.fuse_hidden0000002000000006 b/roles/elasticsearch/tasks/.fuse_hidden0000002000000006 new file mode 100644 index 00000000..9b89924d --- /dev/null +++ b/roles/elasticsearch/tasks/.fuse_hidden0000002000000006 
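Review bot: `Configure Metricbeat` writes /etc/metricbeat/metricbeat.yml with `mode: 0644`, while the Filebeat and Auditbeat copies in this patch use `mode: 0640` for the equivalent file. If metricbeat.yml.j2 renders output credentials or key passphrases (the template is not shown here), every local account can read them; `mode: "0640"` would match the sibling tasks. The same world-readable mode is set on elasticsearch.yml, kibana.yml and logstash.yml in the Elasticsearch, Kibana and Logstash copies below, where the root:root ownership means tightening the mode also needs a group through which the service can still read the file.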
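Review bot: With the `elasticstack_version != 'latest'` test removed from the condition, an inventory that still sets `elasticstack_version: latest` gets the literal word appended to the package name, and the problem only surfaces later as a package-manager lookup failure. The docs/role-beats.md hunk above shows `latest` was a documented value until this patch, so existing inventories may still carry it. An explicit early check would turn that into a clear message; the same applies to the filebeat.yml and metricbeat.yml hunks and to the elasticsearch, kibana and logstash main.yml hunks, including the Debian-specific Logstash expression. The set_fact task this hunk edits starts above the hunk, so the sketch below is a separate task to place before it, or once in the shared elasticstack role if every role imports that first.

```yaml
- name: Reject the removed 'latest' value for elasticstack_version
  ansible.builtin.assert:
    that:
      - elasticstack_version | default('') | string != 'latest'
    fail_msg: >-
      elasticstack_version no longer accepts 'latest';
      leave it unset or set a concrete version.
```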
@@ -0,0 +1,315 @@ +--- + +- name: Check for versions + ansible.builtin.fail: + msg: "No OSS package with version later than 7 is available for Elasticsearch" + when: + - elasticstack_release | int > 7 + - elasticstack_variant == "oss" + +- name: Include global role + ansible.builtin.import_role: + name: netways.elasticstack.elasticstack + when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) + +- name: Update apt cache. + ansible.builtin.apt: + update_cache: yes + cache_valid_time: 600 + changed_when: false + when: ansible_os_family == 'Debian' + +- name: Check-set-parameters + ansible.builtin.include_tasks: elasticsearch-parameters.yml + +- name: Include OS specific vars + ansible.builtin.include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' + - '{{ ansible_os_family }}.yml' + +- name: Set node name if not overriden by user + ansible.builtin.set_fact: + elasticsearch_nodename: "{{ ansible_hostname }}" + when: + - elasticsearch_nodename is undefined + +- name: Set common password for common certificates + ansible.builtin.set_fact: + elasticsearch_tls_key_passphrase: "{{ elasticstack_cert_pass }}" + when: + - elasticstack_cert_pass is defined + tags: + - certificates + - renew_ca + - renew_es_cert + +- name: Check if cluster is already set up + ansible.builtin.stat: + path: "{{ elasticsearch_initialized_file }}" + register: cluster_setup_check + failed_when: false + +- name: Set var that cluster is set up + ansible.builtin.set_fact: + elaticsearch_cluster_set_up: true + when: + - cluster_setup_check.stat.exists | bool + - cluster_setup_check is defined + +- name: Set var that cluster is not set up + ansible.builtin.set_fact: + elaticsearch_cluster_set_up: false + when: + - cluster_setup_check is undefined or + not cluster_setup_check.stat.exists | bool + +- name: Check if master node count is correct + when: + - elasticsearch_node_types is defined + block: + + # the 
following is a way to simplify handling information + # about nodes. For some tasks it's only important if a node + # has a specific roles and the others are irrelevant + # + - name: Set node role variable to master + ansible.builtin.set_fact: + elasticsearch_role: "master" + when: + - "'master' in elasticsearch_node_types" + + - name: Set node role variable to data + ansible.builtin.set_fact: + elasticsearch_role: "data" + when: + - "'master' not in elasticsearch_node_types" + - "'data' in elasticsearch_node_types" + + - name: Set node role variable to other + ansible.builtin.set_fact: + elasticsearch_role: "other" + when: + - "'master' not in elasticsearch_node_types" + - "'data' not in elasticsearch_node_types" + + - name: Create groups of nodes + ansible.builtin.group_by: + key: "elasticsearch_role_{{ elasticsearch_role }}" + changed_when: false + + - name: Count master nodes + ansible.builtin.set_fact: + count_of_master_nodes: "{{ groups['elasticsearch_role_master'] | length }}" + + - name: Check count of master nodes + ansible.builtin.fail: + msg: "There must be an odd count of master nodes. 
You have {{ count_of_master_nodes }}" + when: + - count_of_master_nodes | int % 2 == 0 + + - name: End play in checks + ansible.builtin.meta: end_host + when: elasticsearch_check_calculation | bool + +- name: Install openssl if security is activated + ansible.builtin.package: + name: openssl + when: elasticsearch_security | bool + +- name: Construct exact name of Elasticsearch package + ansible.builtin.set_fact: + elasticsearch_package: > + {{ + ('elasticsearch-oss' if elasticstack_variant == 'oss' else 'elasticsearch') + + ((elasticstack_versionseparator + + elasticstack_version | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + replace(' ', '') + }} + +- name: Update Elasticsearch if needed + ansible.builtin.include_tasks: elasticsearch-rolling-upgrade.yml + with_items: "{{ groups[elasticstack_elasticsearch_group_name] }}" + when: + - "hostvars[item].inventory_hostname == inventory_hostname" + - elasticstack_version is defined + - ansible_facts.packages['elasticsearch'][0].version is defined + - elasticstack_password.stdout is defined + - elasticstack_version is version( ansible_facts.packages['elasticsearch'][0].version, '>') + +- name: Install Elasticsearch - rpm - full stack + ansible.builtin.package: + name: "{{ elasticsearch_package }}" + state: present + enablerepo: + - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' + when: + - ansible_os_family == "RedHat" + - elasticstack_full_stack | bool + +- name: Install Elasticsearch - rpm - standalone + ansible.builtin.package: + name: "{{ elasticsearch_package }}" + state: present + when: + - ansible_os_family == "RedHat" + - not elasticstack_full_stack | bool + +- name: Install Elasticsearch - deb + ansible.builtin.package: + name: "{{ elasticsearch_package }}" + state: present + when: + - ansible_os_family == "Debian" + +- name: Configure Elasticsearch + ansible.builtin.template: + src: 
elasticsearch.yml.j2 + dest: /etc/elasticsearch/elasticsearch.yml + owner: root + group: root + mode: 0644 + backup: "{{ elasticsearch_config_backup }}" + notify: + - Restart Elasticsearch + when: elasticsearch_manage_yaml | bool + +- name: Create Elasticsearch directory + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + owner: elasticsearch + group: elasticsearch + mode: "2750" + when: item.create | bool + loop: + - {create: "{{ elasticsearch_create_logpath }}", path: "{{ elasticsearch_logpath }}" } + - {create: "{{ elasticsearch_create_datapath }}", path: "{{ elasticsearch_datapath }}" } + +- name: Activate JNA workaround (see README.md) + ansible.builtin.lineinfile: + path: "{{ elasticsearch_sysconfig_file }}" + regexp: 'ES_JAVA_OPTS=' + line: 'ES_JAVA_OPTS="-Djna.tmpdir={{ elasticsearch_datapath }}/tmp"' + notify: + - Restart Elasticsearch + when: elasticsearch_jna_workaround | bool + +- name: Set jvm heap size + ansible.builtin.template: + src: "jvm.options.d/heap.options.j2" + dest: "{{ elasticsearch_conf_dir }}/jvm.options.d/10-heap.options" + owner: root + group: "{{ elasticsearch_group }}" + mode: "660" + force: yes + notify: Restart Elasticsearch + when: elasticsearch_heap | bool + +- name: Set jvm paths + ansible.builtin.template: + src: "jvm.options.d/paths.options.j2" + dest: "{{ elasticsearch_conf_dir }}/jvm.options.d/50-paths.options" + owner: root + group: "{{ elasticsearch_group }}" + mode: "660" + force: yes + notify: Restart Elasticsearch + +- name: Set jvm custom options + ansible.builtin.template: + src: "jvm.options.d/custom.options.j2" + dest: "{{ elasticsearch_conf_dir }}/jvm.options.d/90-custom.options" + owner: root + group: "{{ elasticsearch_group }}" + mode: "660" + force: yes + notify: Restart Elasticsearch + when: elasticsearch_jvm_custom_parameters | bool + +# On containerized Debian 10 systemd will not recognize elasticsearch service +- name: Force systemd to reread configs on container + ansible.builtin.systemd: 
+ daemon_reload: true + when: ansible_virtualization_type == "container" or ansible_virtualization_type == "docker" + +# Free up some space to let elsticsearch allocate replica in GitHub Action +- name: Remove cache + ansible.builtin.command: > + rm -rf /var/cache/* + changed_when: false + when: ansible_virtualization_type == "container" or ansible_virtualization_type == "docker" + +- name: Import Tasks elasticsearch-security.yml + ansible.builtin.import_tasks: elasticsearch-security.yml + when: + - elasticsearch_security | bool + - elasticstack_variant == "elastic" + tags: + - certificates + - renew_ca + - renew_es_cert + +- name: Start Elasticsearch + ansible.builtin.service: + name: elasticsearch + state: started + enabled: yes + register: elasticsearch_freshstart + +# The comment in the following task will disable KICS security checks for this +# very line. In this state of the system we can only communicate without https +# so the finding is a false positive + +- name: Handle cluster setup without security + when: not elasticsearch_security | bool + block: + - name: Check for cluster status without security + ansible.builtin.uri: +# kics-scan ignore-line + url: "http://{{ elasticsearch_api_host }}:{{ elasticstack_elasticsearch_http_port }}/_cluster/health?pretty" + register: elasticsearch_cluster_status + ignore_errors: "{{ ansible_check_mode }}" + until: elasticsearch_cluster_status.json.status == "green" + retries: 5 + delay: 10 + no_log: "{{ elasticstack_no_log }}" + + - name: Leave a file showing that the cluster is set up + ansible.builtin.template: + dest: "{{ elasticsearch_initialized_file }}" + src: elasticsearch_initialized.j2 + owner: root + group: root + mode: "0600" + + - name: Set var that cluster is set up + ansible.builtin.set_fact: + elaticsearch_cluster_set_up: true + +# See https://github.com/NETWAYS/ansible-collection-elasticstack/issues/137 +# for details why we have this task again here +# +- name: Configure Elasticsearch + 
ansible.builtin.template: + src: elasticsearch.yml.j2 + dest: /etc/elasticsearch/elasticsearch.yml + owner: root + group: root + mode: 0644 + backup: "{{ elasticsearch_config_backup }}" + when: elasticsearch_manage_yaml | bool + +- name: Show Info about heap + ansible.builtin.debug: + msg: "Using {{ elasticsearch_heap | int * 1024 }} of {{ ansible_memtotal_mb }} MB as heap for Elasticsearch" + when: elasticsearch_heap | bool + +- name: Show hint about passwords + ansible.builtin.debug: + msg: "Remember, your temporary passwords can be found on {{ elasticstack_ca_host }} in {{ elasticstack_initial_passwords }}" + when: + - elasticsearch_security | bool + - elasticstack_variant == "elastic" + - inventory_hostname == elasticstack_ca_host diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index 9b89924d..37652624 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -124,7 +124,7 @@ ('elasticsearch-oss' if elasticstack_variant == 'oss' else 'elasticsearch') + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | replace(' ', '') }} diff --git a/roles/kibana/tasks/.fuse_hidden0000001800000004 b/roles/kibana/tasks/.fuse_hidden0000001800000004 new file mode 100644 index 00000000..11b29158 --- /dev/null +++ b/roles/kibana/tasks/.fuse_hidden0000001800000004 
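Review bot: The three jvm.options.d templates (`Set jvm heap size`, `Set jvm paths`, `Set jvm custom options`) are installed with `mode: "660"` and `group: "{{ elasticsearch_group }}"`, which lets anything running in the service's group rewrite the JVM flags that are read at the next start. Unless a member of that group is meant to edit these files, read access is enough: `mode: "0640"`. Separately, `Remove cache` passes `rm -rf /var/cache/*` to `ansible.builtin.command`, which performs no glob expansion, so the task probably removes nothing as written. Blob 9b89924d is also the pre-image of roles/elasticsearch/tasks/main.yml, so both tasks exist in the real task file.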
@@ -0,0 +1,147 @@ +--- + +- name: Check for versions + ansible.builtin.fail: + msg: "No OSS package with version later than 7 is available for Kibana" + when: + - elasticstack_release | int > 7 + - elasticstack_variant == "oss" + +- name: Include global role + ansible.builtin.import_role: + name: netways.elasticstack.elasticstack + when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) + +- name: Update apt cache. + ansible.builtin.apt: + update_cache: yes + cache_valid_time: 600 + changed_when: false + when: ansible_os_family == 'Debian' + +- name: Set common password for common certificates + ansible.builtin.set_fact: + kibana_tls_key_passphrase: "{{ elasticstack_cert_pass }}" + when: + - elasticstack_cert_pass is defined + +- name: Set Elasticsearch hosts if used with other roles + ansible.builtin.set_fact: + kibana_elasticsearch_hosts: "{{ groups[elasticstack_elasticsearch_group_name] }}" + when: + - kibana_elasticsearch_hosts is undefined + - groups[elasticstack_elasticsearch_group_name] is defined + +- name: Set Elasticsearch hosts to localhost if no other info is available + ansible.builtin.set_fact: + kibana_elasticsearch_hosts: + - localhost + when: + - kibana_elasticsearch_hosts is undefined + - groups[elasticstack_elasticsearch_group_name] is undefined + +- name: Construct exact name of Kibana package + ansible.builtin.set_fact: + kibana_package: >- + {{ + 'kibana' + + ('-oss' if elasticstack_variant == 'oss' else '') + + ((elasticstack_versionseparator + + elasticstack_version | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + replace(' ', '') }} + +- name: Install Kibana - rpm - full stack + ansible.builtin.package: + name: "{{ kibana_package }}" + state: present + enablerepo: + - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' + notify: + - Restart Kibana + when: + - ansible_os_family == "RedHat" + - 
elasticstack_full_stack | bool + +- name: Install Kibana - rpm - standalone + ansible.builtin.package: + name: "{{ kibana_package }}" + state: present + notify: + - Restart Kibana + when: + - ansible_os_family == "RedHat" + - not elasticstack_full_stack | bool + +- name: Install Kibana - deb + ansible.builtin.package: + name: "{{ kibana_package }}" + state: present + notify: + - Restart Kibana + when: + - ansible_os_family == "Debian" + +- name: Import security related tasks + ansible.builtin.import_tasks: kibana-security.yml + when: + - elasticstack_full_stack is defined + - elasticstack_full_stack | bool + - kibana_security | bool + - elasticstack_variant == "elastic" + tags: + - certificates + - renew_ca + - renew_kibana_cert + +- name: Configure Kibana + ansible.builtin.template: + src: kibana.yml.j2 + dest: /etc/kibana/kibana.yml + owner: root + group: root + mode: 0644 + backup: "{{ kibana_config_backup }}" + notify: + - Restart Kibana + when: kibana_manage_yaml | bool + +- name: Start Kibana + ansible.builtin.service: + name: kibana + state: started + enabled: yes + when: kibana_enable | bool + register: kibana_freshstart + +# the following is useful when running tests or extra tasks that need to +# have Kibana running. 
Escape it on Rocky8, because it gets time out with Elastic 8 + +- name: Wait for Kibana to start (with debug) + block: + - name: Wait for Kibana to start + ansible.builtin.wait_for: + host: localhost + port: 5601 + timeout: 300 + register: kibana_wait + rescue: + - name: Debug Kibana status on failure + ansible.builtin.debug: + msg: "Kibana failed to start: {{ kibana_wait }}" + - name: Show Kibana logs + ansible.builtin.command: + cmd: journalctl -u kibana -n 100 + register: kibana_logs + changed_when: false + no_log: true + - name: Output Kibana logs + ansible.builtin.debug: + var: kibana_logs.stdout + +# Free up some space to let elsticsearch allocate replica in GitHub Action +- name: Remove cache + ansible.builtin.command: > + rm -rf /var/cache/* + changed_when: false + when: ansible_virtualization_type == "container" or ansible_virtualization_type == "docker" diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml index 11b29158..3e78d61e 100644 --- a/roles/kibana/tasks/main.yml +++ b/roles/kibana/tasks/main.yml @@ -48,7 +48,7 @@ ('-oss' if elasticstack_variant == 'oss' else '') + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | replace(' ', '') }} - name: Install Kibana - rpm - full stack diff --git a/roles/logstash/tasks/.fuse_hidden0000001c00000005 b/roles/logstash/tasks/.fuse_hidden0000001c00000005 new file mode 100644 index 00000000..7703ae27 --- /dev/null +++ b/roles/logstash/tasks/.fuse_hidden0000001c00000005 
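Review bot: In the `rescue` section of `Wait for Kibana to start (with debug)`, `Show Kibana logs` registers the journal output under `no_log: true`, but the following `Output Kibana logs` task prints `kibana_logs.stdout` through `ansible.builtin.debug`, so the journal excerpt ends up in the play output and in any log sink behind it anyway. Either drop the `no_log` if the journal is considered safe to show, or gate the print, for example with `verbosity: 1` on `Output Kibana logs`. The `rescue` also ends without failing, so a Kibana that never opens port 5601 leaves the host marked as rescued rather than failed; if that is only wanted in CI, a final `ansible.builtin.fail` guarded by a variable would make the intent explicit.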
@@ -0,0 +1,320 @@ +--- + +- name: Include global role + ansible.builtin.import_role: + name: netways.elasticstack.elasticstack + when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) + +- name: Update apt cache. + ansible.builtin.apt: + update_cache: yes + cache_valid_time: 600 + changed_when: false + when: ansible_os_family == 'Debian' + +- name: Prepare for whole stack roles if used + when: + - elasticstack_full_stack | bool + block: + + - name: Set Elasticsearch hosts if used with other roles + ansible.builtin.set_fact: + logstash_elasticsearch: "{{ groups[elasticstack_elasticsearch_group_name] }}" + when: + - logstash_elasticsearch is undefined + - groups[elasticstack_elasticsearch_group_name] is defined + tags: + - configuration + - logstash_configuration + + - name: Activate TLS for Beats for full stack + ansible.builtin.set_fact: + logstash_beats_tls: true + when: + - logstash_beats_tls is undefined + - not elasticstack_override_beats_tls | bool + +- name: Set Elasticsearch hosts to localhost if no other information available + ansible.builtin.set_fact: + logstash_elasticsearch: + - localhost + when: + - logstash_elasticsearch is undefined + - groups[elasticstack_elasticsearch_group_name] is undefined + tags: + - configuration + - logstash_configuration + +- name: Enable security as default when in full stack mode + ansible.builtin.set_fact: + logstash_security: true + when: + - logstash_security is undefined or elasticstack_security | bool + - elasticstack_full_stack | bool + - elasticstack_variant == "elastic" + tags: + - certificates + - renew_ca + - renew_logstash_cert + +- name: Construct exact name of Logstash package + ansible.builtin.set_fact: + logstash_package: >- + {{ + 'logstash' + + ('-oss' if elasticstack_variant == 'oss' else '') + + ((elasticstack_versionseparator + + elasticstack_version | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) 
| + replace(' ', '') + }} + when: + - ansible_os_family != "Debian" + +- name: Construct exact name of Logstash package + ansible.builtin.set_fact: + logstash_package: >- + {{ + 'logstash' + + ('-oss' if elasticstack_variant == 'oss' else '') + + ((elasticstack_versionseparator + '1:' + elasticstack_version + '-1') + if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else '') | + replace(' ', '') + }} + when: + - ansible_os_family == "Debian" + +- name: Install Logstash - rpm - full stack + ansible.builtin.package: + name: "{{ logstash_package }}" + state: present + enablerepo: + - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' + notify: + - Restart Logstash + when: + - ansible_os_family == "RedHat" + - elasticstack_full_stack | bool + +- name: Install Logstash - rpm - standalone + ansible.builtin.package: + name: "{{ logstash_package }}" + state: present + notify: + - Restart Logstash + when: + - ansible_os_family == "RedHat" + - not elasticstack_full_stack | bool + +- name: Install Logstash - deb + ansible.builtin.package: + name: "{{ logstash_package }}" + state: present + notify: + - Restart Logstash + when: + - ansible_os_family == "Debian" + +- name: Import Logstash Security tasks + ansible.builtin.import_tasks: logstash-security.yml + when: + - elasticstack_full_stack | bool + - logstash_security is defined and logstash_security | bool + - elasticstack_variant == "elastic" + tags: + - certificates + - renew_ca + - renew_logstash_cert + +- name: Configure Logstash + ansible.builtin.template: + src: logstash.yml.j2 + dest: /etc/logstash/logstash.yml + owner: root + group: root + mode: 0644 + backup: "{{ logstash_config_backup }}" + notify: + - Restart Logstash + when: logstash_manage_yaml | bool + tags: + - configuration + - logstash_configuration + +- name: Create systemd drop-in directory for Logstash + ansible.builtin.file: + path: 
/etc/systemd/system/logstash.service.d + state: directory + owner: root + group: root + mode: "0755" + tags: + - configuration + - logstash_configuration + +- name: Set Logstash JVM heap size via systemd drop-in + ansible.builtin.template: + src: jvm-heap.conf.j2 + dest: /etc/systemd/system/logstash.service.d/heap.conf + owner: root + group: root + mode: "0644" + register: logstash_heap_dropin + notify: + - Restart Logstash + tags: + - configuration + - logstash_configuration + +# Reload systemd inline (not via handler) so a fresh install picks up the drop-in before +# "Start Logstash" runs. Handlers only fire at the end of the play, which would be too late. +- name: Reload systemd to apply Logstash heap drop-in + ansible.builtin.systemd: + daemon_reload: true + when: logstash_heap_dropin.changed + tags: + - configuration + - logstash_configuration + +- name: Configure Logstash logging + ansible.builtin.template: + src: log4j2.properties.j2 + dest: /etc/logstash/log4j2.properties + owner: root + group: root + mode: 0644 + backup: "{{ logstash_config_backup }}" + notify: + - Restart Logstash + when: logstash_manage_logging | bool + tags: + - configuration + - logstash_configuration + +- name: Fetch pipelines from git repositories + loop: "{{ logstash_pipelines }}" + ansible.builtin.include_tasks: manage_pipeline.yml + loop_control: + loop_var: pipelinename + when: + - logstash_pipelines is defined + - not logstash_no_pipelines | bool + tags: + - configuration + - logstash_configuration + +- name: Create default Elasticsearch output pipeline + when: + - logstash_elasticsearch_output | bool + - not logstash_no_pipelines | bool + tags: + - configuration + - logstash_configuration + block: + - name: Create directory for default Elasticsearch output pipeline + ansible.builtin.file: + path: "/etc/logstash/conf.d/ansible-forwarder" + state: directory + owner: root + group: root + mode: 0755 + + - name: Create default Elasticsearch output pipeline inputs + 
ansible.builtin.template: + src: redis-input.conf.j2 + dest: "/etc/logstash/conf.d/ansible-forwarder/input.conf" + owner: root + group: root + mode: 0644 + notify: + - Restart Logstash noauto + + - name: Create default Elasticsearch output pipeline output + ansible.builtin.template: + src: elasticsearch-output.conf.j2 + dest: "/etc/logstash/conf.d/ansible-forwarder/output.conf" + owner: root + group: root + mode: 0644 + notify: + - Restart Logstash noauto + +- name: Create default Beats input pipeline + when: + - logstash_beats_input | bool + - not logstash_no_pipelines | bool + tags: + - configuration + - logstash_configuration + block: + - name: Create directory for default beats input pipeline + ansible.builtin.file: + path: "/etc/logstash/conf.d/ansible-input" + state: directory + owner: root + group: root + mode: 0755 + + - name: Create default Beats input pipeline inputs + ansible.builtin.template: + src: beats-input.conf.j2 + dest: "/etc/logstash/conf.d/ansible-input/input.conf" + owner: root + group: root + mode: 0644 + notify: + - Restart Logstash noauto + + - name: Create default Beats input pipeline output + ansible.builtin.template: + src: redis-output.conf.j2 + dest: "/etc/logstash/conf.d/ansible-input/output.conf" + owner: root + group: root + mode: 0644 + notify: + - Restart Logstash noauto + +- name: Configure Logstash pipelines + ansible.builtin.template: + src: pipelines.yml.j2 + dest: /etc/logstash/pipelines.yml + owner: root + group: root + mode: 0644 + backup: "{{ logstash_config_backup }}" + when: + - logstash_manage_pipelines | bool + - not logstash_no_pipelines | bool + tags: + - configuration + - logstash_configuration + +- name: Print Logstash pipelines in Mermaid syntax + ansible.builtin.import_tasks: logstash-mermaid.yml + when: + - logstash_mermaid | bool + tags: + - mermaid + +- name: Install Logstash plugins + community.general.logstash_plugin: + state: present + name: "{{ item }}" + with_items: "{{ logstash_plugins }}" + when: 
logstash_plugins is defined + +- name: Start Logstash + ansible.builtin.service: + name: logstash + state: started + enabled: yes + when: logstash_enable | bool + register: logstash_freshstart + +# Free up some space to let elsticsearch allocate replica in GitHub Action +- name: Remove cache + ansible.builtin.command: > + rm -rf /var/cache/* + changed_when: false + when: ansible_virtualization_type == "container" or ansible_virtualization_type == "docker" diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml index 7703ae27..d43dc730 100644 --- a/roles/logstash/tasks/main.yml +++ b/roles/logstash/tasks/main.yml @@ -65,7 +65,7 @@ ('-oss' if elasticstack_variant == 'oss' else '') + ((elasticstack_versionseparator + elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | + string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) | replace(' ', '') }} when: @@ -78,7 +78,7 @@ 'logstash' + ('-oss' if elasticstack_variant == 'oss' else '') + ((elasticstack_versionseparator + '1:' + elasticstack_version + '-1') - if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else '') | + if (elasticstack_version is defined and elasticstack_version | length > 0) else '') | replace(' ', '') }} when: From 579cb030715d89662b5404d0b7e2ed7c9d32cf24 Mon Sep 17 00:00:00 2001 
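Review bot: The Debian variant of `Construct exact name of Logstash package` concatenates `elasticstack_version` directly (`'1:' + elasticstack_version + '-1'`), while the non-Debian variant and every other role in this patch pipe it through `string` first. A version that YAML loads as a number, such as an unquoted two-part value, would then likely fail in the `+` on Debian only. `'1:' + (elasticstack_version | string) + '-1'` keeps the two variants consistent, and giving the two identically named tasks distinct names would make the play output unambiguous. This is the same expression that the `@@ -78,7 +78,7 @@` hunk of roles/logstash/tasks/main.yml edits.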
From: Saeid Hassanabadi Date: Fri, 3 Jul 2026 13:33:19 +0200 Subject: [PATCH 4/5] Some fixes --- .gitignore | 1 + .../beats/tasks/.fuse_hidden0000001000000001 | 97 ------ .../beats/tasks/.fuse_hidden0000001200000002 | 77 ----- .../beats/tasks/.fuse_hidden0000001400000003 | 80 ----- .../tasks/.fuse_hidden0000002000000006 | 315 ----------------- .../kibana/tasks/.fuse_hidden0000001800000004 | 147 -------- .../tasks/.fuse_hidden0000001c00000005 | 320 ------------------ 7 files changed, 1 insertion(+), 1036 deletions(-) delete mode 100644 roles/beats/tasks/.fuse_hidden0000001000000001 delete mode 100644 roles/beats/tasks/.fuse_hidden0000001200000002 delete mode 100644 roles/beats/tasks/.fuse_hidden0000001400000003 delete mode 100644 roles/elasticsearch/tasks/.fuse_hidden0000002000000006 delete mode 100644 roles/kibana/tasks/.fuse_hidden0000001800000004 delete mode 100644 roles/logstash/tasks/.fuse_hidden0000001c00000005 diff --git a/.gitignore b/.gitignore index 6e30d40a..39a8b804 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ __pycache__* .vscode .venv +.fuse_hidden* diff --git a/roles/beats/tasks/.fuse_hidden0000001000000001 b/roles/beats/tasks/.fuse_hidden0000001000000001 deleted file mode 100644 index 8da2d026..00000000 --- a/roles/beats/tasks/.fuse_hidden0000001000000001 +++ /dev/null 
@@ -1,97 +0,0 @@ ---- - -- name: Construct exact name of Filebeat package - ansible.builtin.set_fact: - beats_filebeat_package: >- - {{ - 'filebeat' + - ((elasticstack_versionseparator + - elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | - replace(' ', '') }} - -- name: Install Filebeat - rpm - full stack - ansible.builtin.package: - name: "{{ beats_filebeat_package }}" - state: present - enablerepo: - - 'elastic-{{ elasticstack_release }}.x' - notify: - - Restart Filebeat - when: - - ansible_os_family == "RedHat" - - elasticstack_full_stack | bool - -- name: Install Filebeat - rpm - standalone - ansible.builtin.package: - name: "{{ beats_filebeat_package }}" - state: present - notify: - - Restart Filebeat - when: - - ansible_os_family == "RedHat" - - not elasticstack_full_stack | bool - -- name: Install Filebeat - deb - ansible.builtin.package: - name: "{{ beats_filebeat_package }}" - state: present - notify: - - Restart Filebeat - when: - - ansible_os_family == "Debian" - -- name: Configure Filebeat - ansible.builtin.template: - src: filebeat.yml.j2 - dest: /etc/filebeat/filebeat.yml - owner: root - group: root - mode: 0640 - notify: - - Restart Filebeat - tags: - - configuration - - beats_filebeat_configuration - - beats_configuration - -- name: Configure modules - when: beats_filebeat_modules is defined - tags: - - configuration - - beats_filebeat_configuration - - beats_configuration - block: - - - name: Enable modules - ansible.builtin.command: "filebeat modules enable {{ item }}" - args: - creates: "/etc/filebeat/modules.d/{{ item }}.yml" - with_items: "{{ beats_filebeat_modules }}" - - - name: Enable System module - ansible.builtin.template: - src: filebeat-system.yml.j2 - dest: /etc/filebeat/modules.d/system.yml - owner: root - group: root - mode: 0644 - when: - - elasticstack_release | int > 7 - - - name: Enable Ingest Pipelines - ansible.builtin.shell: > - 
/usr/bin/filebeat setup --pipelines && - /usr/bin/filebeat version > /etc/filebeat/{{ item }}_pipeline_created - args: - creates: "/etc/filebeat/{{ item }}_pipeline_created" - with_items: "{{ beats_filebeat_modules }}" - notify: - - Restart Filebeat - -- name: Start Filebeat - ansible.builtin.service: - name: filebeat - state: started - enabled: true - when: beats_filebeat_enable | bool diff --git a/roles/beats/tasks/.fuse_hidden0000001200000002 b/roles/beats/tasks/.fuse_hidden0000001200000002 deleted file mode 100644 index cf017b4e..00000000 --- a/roles/beats/tasks/.fuse_hidden0000001200000002 +++ /dev/null 
@@ -1,77 +0,0 @@ ---- - -- name: Construct exact name of Auditbeat package - ansible.builtin.set_fact: - beats_auditbeat_package: >- - {{ - 'auditbeat' + - ((elasticstack_versionseparator + - elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | - replace(' ', '') - }} - -- name: Install Auditbeat - rpm - full stack - ansible.builtin.package: - name: "{{ beats_auditbeat_package }}" - state: present - enablerepo: - - 'elastic-{{ elasticstack_release }}.x' - notify: - - Restart Auditbeat - when: - - ansible_os_family == "RedHat" - - elasticstack_full_stack | bool - -- name: Install Auditbeat - rpm - standalone - ansible.builtin.package: - name: "{{ beats_auditbeat_package }}" - state: present - notify: - - Restart Auditbeat - when: - - ansible_os_family == "RedHat" - - not elasticstack_full_stack | bool - -- name: Install Auditbeat - deb - ansible.builtin.package: - name: "{{ beats_auditbeat_package }}" - state: present - notify: - - Restart Auditbeat - when: - - ansible_os_family == "Debian" - -- name: Configure Auditbeat - ansible.builtin.template: - src: auditbeat.yml.j2 - dest: /etc/auditbeat/auditbeat.yml - owner: root - group: root - mode: 0640 - notify: - - Restart Auditbeat - tags: - - configuration - - beats_auditbeat_configuration - - beats_configuration - -- name: Setup Auditbeat in Elasticsearch - ansible.builtin.command: > - /usr/bin/auditbeat setup --pipelines --index-management && - /usr/bin/auditbeat version > /etc/auditbeat/pipeline_created - run_once: true - args: - creates: "/etc/auditbeat/pipeline_created" - notify: - - Restart Auditbeat - when: - - beats_auditbeat_setup | bool - - beats_auditbeat_output == "elasticsearch" - -- name: Start Auditbeat - ansible.builtin.service: - name: auditbeat - state: started - enabled: true - when: beats_auditbeat_enable | bool 
diff --git a/roles/beats/tasks/.fuse_hidden0000001400000003 b/roles/beats/tasks/.fuse_hidden0000001400000003
deleted file mode 100644
index dd5a655e..00000000
--- a/roles/beats/tasks/.fuse_hidden0000001400000003
+++ /dev/null
@@ -1,80 +0,0 @@ ---- - -- name: Construct exact name of Metricbeat package - ansible.builtin.set_fact: - beats_metricbeat_package: >- - {{ - 'metricbeat' + - ((elasticstack_versionseparator + - elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | - replace(' ', '') - }} - -- name: Install Metricbeat - rpm - full stack - ansible.builtin.package: - name: "{{ beats_metricbeat_package }}" - state: present - enablerepo: - - 'elastic-{{ elasticstack_release }}.x' - notify: - - Restart Metricbeat - when: - - ansible_os_family == "RedHat" - - elasticstack_full_stack | bool - -- name: Install Metricbeat - rpm - standalone - ansible.builtin.package: - name: "{{ beats_metricbeat_package }}" - state: present - notify: - - Restart Metricbeat - when: - - ansible_os_family == "RedHat" - - not elasticstack_full_stack | bool - -- name: Install Metricbeat - deb - ansible.builtin.package: - name: "{{ beats_metricbeat_package }}" - state: present - notify: - - Restart Metricbeat - when: - - ansible_os_family == "Debian" - -- name: Configure Metricbeat - ansible.builtin.template: - src: metricbeat.yml.j2 - dest: /etc/metricbeat/metricbeat.yml - owner: root - group: root - mode: 0644 - notify: - - Restart Metricbeat - -- name: Enable modules - ansible.builtin.command: "metricbeat modules enable {{ item }}" - args: - creates: "/etc/metricbeat/modules.d/{{ item }}.yml" - with_items: "{{ beats_metricbeat_modules }}" - when: beats_metricbeat_modules is defined - -- name: Enable Ingest Pipelines - ansible.builtin.command: > - metricbeat setup && - metricbeat version > /etc/metricbeat/pipelines_created - args: - creates: "/etc/metricbeat/pipelines_created" - notify: - - Restart Metricbeat - with_items: "{{ beats_metricbeat_modules }}" - when: - - beats_metricbeat_modules is defined - - beats_metricbeat_output == "elasticsearch" - -- name: Start Metricbeat - ansible.builtin.service: - name: 
metricbeat - state: started - enabled: true - when: beats_metricbeat_enable | bool diff --git a/roles/elasticsearch/tasks/.fuse_hidden0000002000000006 b/roles/elasticsearch/tasks/.fuse_hidden0000002000000006 deleted file mode 100644 index 9b89924d..00000000 --- a/roles/elasticsearch/tasks/.fuse_hidden0000002000000006 +++ /dev/null 
@@ -1,315 +0,0 @@ ---- - -- name: Check for versions - ansible.builtin.fail: - msg: "No OSS package with version later than 7 is available for Elasticsearch" - when: - - elasticstack_release | int > 7 - - elasticstack_variant == "oss" - -- name: Include global role - ansible.builtin.import_role: - name: netways.elasticstack.elasticstack - when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) - -- name: Update apt cache. - ansible.builtin.apt: - update_cache: yes - cache_valid_time: 600 - changed_when: false - when: ansible_os_family == 'Debian' - -- name: Check-set-parameters - ansible.builtin.include_tasks: elasticsearch-parameters.yml - -- name: Include OS specific vars - ansible.builtin.include_vars: '{{ item }}' - with_first_found: - - '{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml' - - '{{ ansible_os_family }}.yml' - -- name: Set node name if not overriden by user - ansible.builtin.set_fact: - elasticsearch_nodename: "{{ ansible_hostname }}" - when: - - elasticsearch_nodename is undefined - -- name: Set common password for common certificates - ansible.builtin.set_fact: - elasticsearch_tls_key_passphrase: "{{ elasticstack_cert_pass }}" - when: - - elasticstack_cert_pass is defined - tags: - - certificates - - renew_ca - - renew_es_cert - -- name: Check if cluster is already set up - ansible.builtin.stat: - path: "{{ elasticsearch_initialized_file }}" - register: cluster_setup_check - failed_when: false - -- name: Set var that cluster is set up - ansible.builtin.set_fact: - elaticsearch_cluster_set_up: true - when: - - cluster_setup_check.stat.exists | bool - - cluster_setup_check is defined - -- name: Set var that cluster is not set up - ansible.builtin.set_fact: - elaticsearch_cluster_set_up: false - when: - - cluster_setup_check is undefined or - not cluster_setup_check.stat.exists | bool - -- name: Check if master node count is correct - when: - - elasticsearch_node_types is defined - block: - - # the 
following is a way to simplify handling information - # about nodes. For some tasks it's only important if a node - # has a specific roles and the others are irrelevant - # - - name: Set node role variable to master - ansible.builtin.set_fact: - elasticsearch_role: "master" - when: - - "'master' in elasticsearch_node_types" - - - name: Set node role variable to data - ansible.builtin.set_fact: - elasticsearch_role: "data" - when: - - "'master' not in elasticsearch_node_types" - - "'data' in elasticsearch_node_types" - - - name: Set node role variable to other - ansible.builtin.set_fact: - elasticsearch_role: "other" - when: - - "'master' not in elasticsearch_node_types" - - "'data' not in elasticsearch_node_types" - - - name: Create groups of nodes - ansible.builtin.group_by: - key: "elasticsearch_role_{{ elasticsearch_role }}" - changed_when: false - - - name: Count master nodes - ansible.builtin.set_fact: - count_of_master_nodes: "{{ groups['elasticsearch_role_master'] | length }}" - - - name: Check count of master nodes - ansible.builtin.fail: - msg: "There must be an odd count of master nodes. 
You have {{ count_of_master_nodes }}" - when: - - count_of_master_nodes | int % 2 == 0 - - - name: End play in checks - ansible.builtin.meta: end_host - when: elasticsearch_check_calculation | bool - -- name: Install openssl if security is activated - ansible.builtin.package: - name: openssl - when: elasticsearch_security | bool - -- name: Construct exact name of Elasticsearch package - ansible.builtin.set_fact: - elasticsearch_package: > - {{ - ('elasticsearch-oss' if elasticstack_variant == 'oss' else 'elasticsearch') + - ((elasticstack_versionseparator + - elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | - replace(' ', '') - }} - -- name: Update Elasticsearch if needed - ansible.builtin.include_tasks: elasticsearch-rolling-upgrade.yml - with_items: "{{ groups[elasticstack_elasticsearch_group_name] }}" - when: - - "hostvars[item].inventory_hostname == inventory_hostname" - - elasticstack_version is defined - - ansible_facts.packages['elasticsearch'][0].version is defined - - elasticstack_password.stdout is defined - - elasticstack_version is version( ansible_facts.packages['elasticsearch'][0].version, '>') - -- name: Install Elasticsearch - rpm - full stack - ansible.builtin.package: - name: "{{ elasticsearch_package }}" - state: present - enablerepo: - - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' - when: - - ansible_os_family == "RedHat" - - elasticstack_full_stack | bool - -- name: Install Elasticsearch - rpm - standalone - ansible.builtin.package: - name: "{{ elasticsearch_package }}" - state: present - when: - - ansible_os_family == "RedHat" - - not elasticstack_full_stack | bool - -- name: Install Elasticsearch - deb - ansible.builtin.package: - name: "{{ elasticsearch_package }}" - state: present - when: - - ansible_os_family == "Debian" - -- name: Configure Elasticsearch - ansible.builtin.template: - src: 
elasticsearch.yml.j2 - dest: /etc/elasticsearch/elasticsearch.yml - owner: root - group: root - mode: 0644 - backup: "{{ elasticsearch_config_backup }}" - notify: - - Restart Elasticsearch - when: elasticsearch_manage_yaml | bool - -- name: Create Elasticsearch directory - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - owner: elasticsearch - group: elasticsearch - mode: "2750" - when: item.create | bool - loop: - - {create: "{{ elasticsearch_create_logpath }}", path: "{{ elasticsearch_logpath }}" } - - {create: "{{ elasticsearch_create_datapath }}", path: "{{ elasticsearch_datapath }}" } - -- name: Activate JNA workaround (see README.md) - ansible.builtin.lineinfile: - path: "{{ elasticsearch_sysconfig_file }}" - regexp: 'ES_JAVA_OPTS=' - line: 'ES_JAVA_OPTS="-Djna.tmpdir={{ elasticsearch_datapath }}/tmp"' - notify: - - Restart Elasticsearch - when: elasticsearch_jna_workaround | bool - -- name: Set jvm heap size - ansible.builtin.template: - src: "jvm.options.d/heap.options.j2" - dest: "{{ elasticsearch_conf_dir }}/jvm.options.d/10-heap.options" - owner: root - group: "{{ elasticsearch_group }}" - mode: "660" - force: yes - notify: Restart Elasticsearch - when: elasticsearch_heap | bool - -- name: Set jvm paths - ansible.builtin.template: - src: "jvm.options.d/paths.options.j2" - dest: "{{ elasticsearch_conf_dir }}/jvm.options.d/50-paths.options" - owner: root - group: "{{ elasticsearch_group }}" - mode: "660" - force: yes - notify: Restart Elasticsearch - -- name: Set jvm custom options - ansible.builtin.template: - src: "jvm.options.d/custom.options.j2" - dest: "{{ elasticsearch_conf_dir }}/jvm.options.d/90-custom.options" - owner: root - group: "{{ elasticsearch_group }}" - mode: "660" - force: yes - notify: Restart Elasticsearch - when: elasticsearch_jvm_custom_parameters | bool - -# On containerized Debian 10 systemd will not recognize elasticsearch service -- name: Force systemd to reread configs on container - ansible.builtin.systemd: 
- daemon_reload: true - when: ansible_virtualization_type == "container" or ansible_virtualization_type == "docker" - -# Free up some space to let elsticsearch allocate replica in GitHub Action -- name: Remove cache - ansible.builtin.command: > - rm -rf /var/cache/* - changed_when: false - when: ansible_virtualization_type == "container" or ansible_virtualization_type == "docker" - -- name: Import Tasks elasticsearch-security.yml - ansible.builtin.import_tasks: elasticsearch-security.yml - when: - - elasticsearch_security | bool - - elasticstack_variant == "elastic" - tags: - - certificates - - renew_ca - - renew_es_cert - -- name: Start Elasticsearch - ansible.builtin.service: - name: elasticsearch - state: started - enabled: yes - register: elasticsearch_freshstart - -# The comment in the following task will disable KICS security checks for this -# very line. In this state of the system we can only communicate without https -# so the finding is a false positive - -- name: Handle cluster setup without security - when: not elasticsearch_security | bool - block: - - name: Check for cluster status without security - ansible.builtin.uri: -# kics-scan ignore-line - url: "http://{{ elasticsearch_api_host }}:{{ elasticstack_elasticsearch_http_port }}/_cluster/health?pretty" - register: elasticsearch_cluster_status - ignore_errors: "{{ ansible_check_mode }}" - until: elasticsearch_cluster_status.json.status == "green" - retries: 5 - delay: 10 - no_log: "{{ elasticstack_no_log }}" - - - name: Leave a file showing that the cluster is set up - ansible.builtin.template: - dest: "{{ elasticsearch_initialized_file }}" - src: elasticsearch_initialized.j2 - owner: root - group: root - mode: "0600" - - - name: Set var that cluster is set up - ansible.builtin.set_fact: - elaticsearch_cluster_set_up: true - -# See https://github.com/NETWAYS/ansible-collection-elasticstack/issues/137 -# for details why we have this task again here -# -- name: Configure Elasticsearch - 
ansible.builtin.template: - src: elasticsearch.yml.j2 - dest: /etc/elasticsearch/elasticsearch.yml - owner: root - group: root - mode: 0644 - backup: "{{ elasticsearch_config_backup }}" - when: elasticsearch_manage_yaml | bool - -- name: Show Info about heap - ansible.builtin.debug: - msg: "Using {{ elasticsearch_heap | int * 1024 }} of {{ ansible_memtotal_mb }} MB as heap for Elasticsearch" - when: elasticsearch_heap | bool - -- name: Show hint about passwords - ansible.builtin.debug: - msg: "Remember, your temporary passwords can be found on {{ elasticstack_ca_host }} in {{ elasticstack_initial_passwords }}" - when: - - elasticsearch_security | bool - - elasticstack_variant == "elastic" - - inventory_hostname == elasticstack_ca_host diff --git a/roles/kibana/tasks/.fuse_hidden0000001800000004 b/roles/kibana/tasks/.fuse_hidden0000001800000004 deleted file mode 100644 index 11b29158..00000000 --- a/roles/kibana/tasks/.fuse_hidden0000001800000004 +++ /dev/null 
@@ -1,147 +0,0 @@ ---- - -- name: Check for versions - ansible.builtin.fail: - msg: "No OSS package with version later than 7 is available for Kibana" - when: - - elasticstack_release | int > 7 - - elasticstack_variant == "oss" - -- name: Include global role - ansible.builtin.import_role: - name: netways.elasticstack.elasticstack - when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) - -- name: Update apt cache. - ansible.builtin.apt: - update_cache: yes - cache_valid_time: 600 - changed_when: false - when: ansible_os_family == 'Debian' - -- name: Set common password for common certificates - ansible.builtin.set_fact: - kibana_tls_key_passphrase: "{{ elasticstack_cert_pass }}" - when: - - elasticstack_cert_pass is defined - -- name: Set Elasticsearch hosts if used with other roles - ansible.builtin.set_fact: - kibana_elasticsearch_hosts: "{{ groups[elasticstack_elasticsearch_group_name] }}" - when: - - kibana_elasticsearch_hosts is undefined - - groups[elasticstack_elasticsearch_group_name] is defined - -- name: Set Elasticsearch hosts to localhost if no other info is available - ansible.builtin.set_fact: - kibana_elasticsearch_hosts: - - localhost - when: - - kibana_elasticsearch_hosts is undefined - - groups[elasticstack_elasticsearch_group_name] is undefined - -- name: Construct exact name of Kibana package - ansible.builtin.set_fact: - kibana_package: >- - {{ - 'kibana' + - ('-oss' if elasticstack_variant == 'oss' else '') + - ((elasticstack_versionseparator + - elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) | - replace(' ', '') }} - -- name: Install Kibana - rpm - full stack - ansible.builtin.package: - name: "{{ kibana_package }}" - state: present - enablerepo: - - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' - notify: - - Restart Kibana - when: - - ansible_os_family == "RedHat" - - 
elasticstack_full_stack | bool - -- name: Install Kibana - rpm - standalone - ansible.builtin.package: - name: "{{ kibana_package }}" - state: present - notify: - - Restart Kibana - when: - - ansible_os_family == "RedHat" - - not elasticstack_full_stack | bool - -- name: Install Kibana - deb - ansible.builtin.package: - name: "{{ kibana_package }}" - state: present - notify: - - Restart Kibana - when: - - ansible_os_family == "Debian" - -- name: Import security related tasks - ansible.builtin.import_tasks: kibana-security.yml - when: - - elasticstack_full_stack is defined - - elasticstack_full_stack | bool - - kibana_security | bool - - elasticstack_variant == "elastic" - tags: - - certificates - - renew_ca - - renew_kibana_cert - -- name: Configure Kibana - ansible.builtin.template: - src: kibana.yml.j2 - dest: /etc/kibana/kibana.yml - owner: root - group: root - mode: 0644 - backup: "{{ kibana_config_backup }}" - notify: - - Restart Kibana - when: kibana_manage_yaml | bool - -- name: Start Kibana - ansible.builtin.service: - name: kibana - state: started - enabled: yes - when: kibana_enable | bool - register: kibana_freshstart - -# the following is useful when running tests or extra tasks that need to -# have Kibana running. 
Escape it on Rocky8, because it gets time out with Elastic 8 - -- name: Wait for Kibana to start (with debug) - block: - - name: Wait for Kibana to start - ansible.builtin.wait_for: - host: localhost - port: 5601 - timeout: 300 - register: kibana_wait - rescue: - - name: Debug Kibana status on failure - ansible.builtin.debug: - msg: "Kibana failed to start: {{ kibana_wait }}" - - name: Show Kibana logs - ansible.builtin.command: - cmd: journalctl -u kibana -n 100 - register: kibana_logs - changed_when: false - no_log: true - - name: Output Kibana logs - ansible.builtin.debug: - var: kibana_logs.stdout - -# Free up some space to let elsticsearch allocate replica in GitHub Action -- name: Remove cache - ansible.builtin.command: > - rm -rf /var/cache/* - changed_when: false - when: ansible_virtualization_type == "container" or ansible_virtualization_type == "docker" diff --git a/roles/logstash/tasks/.fuse_hidden0000001c00000005 b/roles/logstash/tasks/.fuse_hidden0000001c00000005 deleted file mode 100644 index 7703ae27..00000000 --- a/roles/logstash/tasks/.fuse_hidden0000001c00000005 +++ /dev/null 
@@ -1,320 +0,0 @@ ---- - -- name: Include global role - ansible.builtin.import_role: - name: netways.elasticstack.elasticstack - when: not hostvars[inventory_hostname]._elasticstack_role_imported | default(false) - -- name: Update apt cache. - ansible.builtin.apt: - update_cache: yes - cache_valid_time: 600 - changed_when: false - when: ansible_os_family == 'Debian' - -- name: Prepare for whole stack roles if used - when: - - elasticstack_full_stack | bool - block: - - - name: Set Elasticsearch hosts if used with other roles - ansible.builtin.set_fact: - logstash_elasticsearch: "{{ groups[elasticstack_elasticsearch_group_name] }}" - when: - - logstash_elasticsearch is undefined - - groups[elasticstack_elasticsearch_group_name] is defined - tags: - - configuration - - logstash_configuration - - - name: Activate TLS for Beats for full stack - ansible.builtin.set_fact: - logstash_beats_tls: true - when: - - logstash_beats_tls is undefined - - not elasticstack_override_beats_tls | bool - -- name: Set Elasticsearch hosts to localhost if no other information available - ansible.builtin.set_fact: - logstash_elasticsearch: - - localhost - when: - - logstash_elasticsearch is undefined - - groups[elasticstack_elasticsearch_group_name] is undefined - tags: - - configuration - - logstash_configuration - -- name: Enable security as default when in full stack mode - ansible.builtin.set_fact: - logstash_security: true - when: - - logstash_security is undefined or elasticstack_security | bool - - elasticstack_full_stack | bool - - elasticstack_variant == "elastic" - tags: - - certificates - - renew_ca - - renew_logstash_cert - -- name: Construct exact name of Logstash package - ansible.builtin.set_fact: - logstash_package: >- - {{ - 'logstash' + - ('-oss' if elasticstack_variant == 'oss' else '') + - ((elasticstack_versionseparator + - elasticstack_version | - string ) if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest')) 
| - replace(' ', '') - }} - when: - - ansible_os_family != "Debian" - -- name: Construct exact name of Logstash package - ansible.builtin.set_fact: - logstash_package: >- - {{ - 'logstash' + - ('-oss' if elasticstack_variant == 'oss' else '') + - ((elasticstack_versionseparator + '1:' + elasticstack_version + '-1') - if (elasticstack_version is defined and elasticstack_version | length > 0 and elasticstack_version != 'latest') else '') | - replace(' ', '') - }} - when: - - ansible_os_family == "Debian" - -- name: Install Logstash - rpm - full stack - ansible.builtin.package: - name: "{{ logstash_package }}" - state: present - enablerepo: - - 'elastic-{% if elasticstack_variant == "oss" %}oss-{% endif %}{{ elasticstack_release }}.x' - notify: - - Restart Logstash - when: - - ansible_os_family == "RedHat" - - elasticstack_full_stack | bool - -- name: Install Logstash - rpm - standalone - ansible.builtin.package: - name: "{{ logstash_package }}" - state: present - notify: - - Restart Logstash - when: - - ansible_os_family == "RedHat" - - not elasticstack_full_stack | bool - -- name: Install Logstash - deb - ansible.builtin.package: - name: "{{ logstash_package }}" - state: present - notify: - - Restart Logstash - when: - - ansible_os_family == "Debian" - -- name: Import Logstash Security tasks - ansible.builtin.import_tasks: logstash-security.yml - when: - - elasticstack_full_stack | bool - - logstash_security is defined and logstash_security | bool - - elasticstack_variant == "elastic" - tags: - - certificates - - renew_ca - - renew_logstash_cert - -- name: Configure Logstash - ansible.builtin.template: - src: logstash.yml.j2 - dest: /etc/logstash/logstash.yml - owner: root - group: root - mode: 0644 - backup: "{{ logstash_config_backup }}" - notify: - - Restart Logstash - when: logstash_manage_yaml | bool - tags: - - configuration - - logstash_configuration - -- name: Create systemd drop-in directory for Logstash - ansible.builtin.file: - path: 
/etc/systemd/system/logstash.service.d - state: directory - owner: root - group: root - mode: "0755" - tags: - - configuration - - logstash_configuration - -- name: Set Logstash JVM heap size via systemd drop-in - ansible.builtin.template: - src: jvm-heap.conf.j2 - dest: /etc/systemd/system/logstash.service.d/heap.conf - owner: root - group: root - mode: "0644" - register: logstash_heap_dropin - notify: - - Restart Logstash - tags: - - configuration - - logstash_configuration - -# Reload systemd inline (not via handler) so a fresh install picks up the drop-in before -# "Start Logstash" runs. Handlers only fire at the end of the play, which would be too late. -- name: Reload systemd to apply Logstash heap drop-in - ansible.builtin.systemd: - daemon_reload: true - when: logstash_heap_dropin.changed - tags: - - configuration - - logstash_configuration - -- name: Configure Logstash logging - ansible.builtin.template: - src: log4j2.properties.j2 - dest: /etc/logstash/log4j2.properties - owner: root - group: root - mode: 0644 - backup: "{{ logstash_config_backup }}" - notify: - - Restart Logstash - when: logstash_manage_logging | bool - tags: - - configuration - - logstash_configuration - -- name: Fetch pipelines from git repositories - loop: "{{ logstash_pipelines }}" - ansible.builtin.include_tasks: manage_pipeline.yml - loop_control: - loop_var: pipelinename - when: - - logstash_pipelines is defined - - not logstash_no_pipelines | bool - tags: - - configuration - - logstash_configuration - -- name: Create default Elasticsearch output pipeline - when: - - logstash_elasticsearch_output | bool - - not logstash_no_pipelines | bool - tags: - - configuration - - logstash_configuration - block: - - name: Create directory for default Elasticsearch output pipeline - ansible.builtin.file: - path: "/etc/logstash/conf.d/ansible-forwarder" - state: directory - owner: root - group: root - mode: 0755 - - - name: Create default Elasticsearch output pipeline inputs - 
ansible.builtin.template: - src: redis-input.conf.j2 - dest: "/etc/logstash/conf.d/ansible-forwarder/input.conf" - owner: root - group: root - mode: 0644 - notify: - - Restart Logstash noauto - - - name: Create default Elasticsearch output pipeline output - ansible.builtin.template: - src: elasticsearch-output.conf.j2 - dest: "/etc/logstash/conf.d/ansible-forwarder/output.conf" - owner: root - group: root - mode: 0644 - notify: - - Restart Logstash noauto - -- name: Create default Beats input pipeline - when: - - logstash_beats_input | bool - - not logstash_no_pipelines | bool - tags: - - configuration - - logstash_configuration - block: - - name: Create directory for default beats input pipeline - ansible.builtin.file: - path: "/etc/logstash/conf.d/ansible-input" - state: directory - owner: root - group: root - mode: 0755 - - - name: Create default Beats input pipeline inputs - ansible.builtin.template: - src: beats-input.conf.j2 - dest: "/etc/logstash/conf.d/ansible-input/input.conf" - owner: root - group: root - mode: 0644 - notify: - - Restart Logstash noauto - - - name: Create default Beats input pipeline output - ansible.builtin.template: - src: redis-output.conf.j2 - dest: "/etc/logstash/conf.d/ansible-input/output.conf" - owner: root - group: root - mode: 0644 - notify: - - Restart Logstash noauto - -- name: Configure Logstash pipelines - ansible.builtin.template: - src: pipelines.yml.j2 - dest: /etc/logstash/pipelines.yml - owner: root - group: root - mode: 0644 - backup: "{{ logstash_config_backup }}" - when: - - logstash_manage_pipelines | bool - - not logstash_no_pipelines | bool - tags: - - configuration - - logstash_configuration - -- name: Print Logstash pipelines in Mermaid syntax - ansible.builtin.import_tasks: logstash-mermaid.yml - when: - - logstash_mermaid | bool - tags: - - mermaid - -- name: Install Logstash plugins - community.general.logstash_plugin: - state: present - name: "{{ item }}" - with_items: "{{ logstash_plugins }}" - when: 
logstash_plugins is defined - -- name: Start Logstash - ansible.builtin.service: - name: logstash - state: started - enabled: yes - when: logstash_enable | bool - register: logstash_freshstart - -# Free up some space to let elsticsearch allocate replica in GitHub Action -- name: Remove cache - ansible.builtin.command: > - rm -rf /var/cache/* - changed_when: false - when: ansible_virtualization_type == "container" or ansible_virtualization_type == "docker" From aee1d4d2d30619b80055abccb6df521645a7d640 Mon Sep 17 00:00:00 2001 From: Saeid Hassan-Abadi <91598706+Saeid-Abadi@users.noreply.github.com> Date: Fri, 3 Jul 2026 13:39:47 +0200 Subject: [PATCH 5/5] Update description for elasticstack_version variable --- docs/role-beats.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/role-beats.md b/docs/role-beats.md index 12e4a052..beca290e 100644 --- a/docs/role-beats.md +++ b/docs/role-beats.md @@ -95,7 +95,7 @@ The following variables only apply if you use this role together with our other * *elasticstack_ca_dir*: Directory where on the Elasticsearch CA host certificates are stored. This is only useful in connection with out other Elastic Stack related roles. (default: `/opt/es-ca`) * *elasticstack_ca_pass*: Password for Elasticsearch CA (default: `PleaseChangeMe`) * *elasticstack_initial_passwords*: Path to file with initical elasticsearch passwords (default: `/usr/share/elasticsearch/initial_passwords`) -* *elasticstack_version*: Install a specific version; leave unset to install the latest available. (Default: none. Example: `7.10.1`) +* *elasticstack_version*: Install a (update to) specific version; leave unset to install the latest available. (Default: none. Example: `7.10.1`) If you want to use this role with your own TLS certificates, use these variables.