-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding opensearch as an option to 1-clicks #60
Open
mauricio
wants to merge
4
commits into
digitalocean:master
Choose a base branch
from
mauricio:add-opensearch
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
--- | ||
- hosts: default | ||
become: true | ||
serial: 1 | ||
roles: | ||
- role: opensearch |
23 changes: 23 additions & 0 deletions
23
opensearch-20-04/ansible/roles/opensearch/defaults/main.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
--- | ||
opensearch_home: /opt/opensearch | ||
opensearch_config_home: /opt/opensearch/config | ||
opensearch_config_file: /opt/opensearch/config/opensearch.yml | ||
opensearch_url: https://artifacts.opensearch.org/releases/bundle/opensearch/1.3.1/opensearch-1.3.1-linux-x64.tar.gz | ||
opensearch_checksum: "sha256:a5863c08a9a7cc25fb7171242df37c8225a21027ff7283527343681cc1875f61" | ||
|
||
opensearch_dashboards_home: /opt/opensearch-dashboards | ||
opensearch_dashboards_config_home: /opt/opensearch-dashboards/config | ||
opensearch_dashboards_config_file: /opt/opensearch-dashboards/config/opensearch_dashboards.yml | ||
opensearch_dashboards_url: https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/1.3.1/opensearch-dashboards-1.3.1-linux-x64.tar.gz | ||
opensearch_dashboards_checksum: "sha256:4887964a48df578dfddee9d5d43350265ba48f4f408045ea1ede62d9322cbdb7" | ||
|
||
opensearch_user: opensearch | ||
opensearch_group: opensearch | ||
|
||
opensearch_plugin_bin_path: /opt/opensearch/bin/opensearch-plugin | ||
opensearch_security_plugin_conf_path: /opt/opensearch/plugins/opensearch-security/securityconfig | ||
opensearch_security_plugin_tools_path: /opt/opensearch/plugins/opensearch-security/tools | ||
|
||
systemctl_path: /etc/systemd/system | ||
|
||
nodecerts_home: /opt/opensearch-nodecerts |
21 changes: 21 additions & 0 deletions
21
opensearch-20-04/ansible/roles/opensearch/files/internal_users.yml.template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
--- | ||
# This is the internal user database | ||
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh | ||
|
||
_meta: | ||
type: "internalusers" | ||
config_version: 2 | ||
|
||
# Define your internal users here | ||
|
||
admin: | ||
hash: "{{ datasource "admin_password" }}" | ||
reserved: true | ||
backend_roles: | ||
- "admin" | ||
description: "admin user" | ||
|
||
kibanaserver: | ||
hash: "{{ datasource "kibanaserver_password" }}" | ||
reserved: true | ||
description: "kibanaserver user" |
80 changes: 80 additions & 0 deletions
80
opensearch-20-04/ansible/roles/opensearch/files/jvm.options.template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
## JVM configuration | ||
|
||
################################################################ | ||
## IMPORTANT: JVM heap size | ||
################################################################ | ||
## | ||
## You should always set the min and max JVM heap | ||
## size to the same value. For example, to set | ||
## the heap to 4 GB, set: | ||
## | ||
## -Xms4g | ||
## -Xmx4g | ||
## | ||
## See https://opensearch.org/docs/opensearch/install/important-settings/ | ||
## for more information | ||
## | ||
################################################################ | ||
|
||
# Xms represents the initial size of total heap space | ||
# Xmx represents the maximum size of total heap space | ||
|
||
-Xms{{datasource "max_memory" }}m | ||
-Xmx{{datasource "max_memory" }}m | ||
|
||
################################################################ | ||
## Expert settings | ||
################################################################ | ||
## | ||
## All settings below this section are considered | ||
## expert settings. Don't tamper with them unless | ||
## you understand what you are doing | ||
## | ||
################################################################ | ||
|
||
## GC configuration | ||
8-13:-XX:+UseConcMarkSweepGC | ||
8-13:-XX:CMSInitiatingOccupancyFraction=75 | ||
8-13:-XX:+UseCMSInitiatingOccupancyOnly | ||
|
||
## G1GC Configuration | ||
# NOTE: G1 GC is only supported on JDK version 10 or later | ||
# to use G1GC, uncomment the next two lines and update the version on the | ||
# following three lines to your version of the JDK | ||
# 10-13:-XX:-UseConcMarkSweepGC | ||
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly | ||
14-:-XX:+UseG1GC | ||
14-:-XX:G1ReservePercent=25 | ||
14-:-XX:InitiatingHeapOccupancyPercent=30 | ||
|
||
## JVM temporary directory | ||
-Djava.io.tmpdir=${OPENSEARCH_TMPDIR} | ||
|
||
## heap dumps | ||
|
||
# generate a heap dump when an allocation from the Java heap fails | ||
# heap dumps are created in the working directory of the JVM | ||
-XX:+HeapDumpOnOutOfMemoryError | ||
|
||
# specify an alternative path for heap dumps; ensure the directory exists and | ||
# has sufficient space | ||
-XX:HeapDumpPath=data | ||
|
||
# specify an alternative path for JVM fatal error logs | ||
-XX:ErrorFile=logs/hs_err_pid%p.log | ||
|
||
## JDK 8 GC logging | ||
8:-XX:+PrintGCDetails | ||
8:-XX:+PrintGCDateStamps | ||
8:-XX:+PrintTenuringDistribution | ||
8:-XX:+PrintGCApplicationStoppedTime | ||
8:-Xloggc:logs/gc.log | ||
8:-XX:+UseGCLogFileRotation | ||
8:-XX:NumberOfGCLogFiles=32 | ||
8:-XX:GCLogFileSize=64m | ||
|
||
# JDK 9+ GC logging | ||
9-:-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m | ||
|
||
# Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380) | ||
18-:-Djava.security.manager=allow |
31 changes: 31 additions & 0 deletions
31
opensearch-20-04/ansible/roles/opensearch/files/opensearch.yml.template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
cluster.name: {{ datasource "droplet_name" }} | ||
|
||
node.name: {{ datasource "droplet_name" }} | ||
|
||
network.host: {{ datasource "ip_address" }} | ||
|
||
http.port: 9200 | ||
|
||
discovery.type: single-node | ||
|
||
bootstrap.memory_lock: true | ||
|
||
plugins.security.allow_default_init_securityindex: true | ||
plugins.security.audit.type: internal_opensearch | ||
plugins.security.enable_snapshot_restore_privilege: true | ||
plugins.security.check_snapshot_restore_write_privileges: true | ||
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] | ||
|
||
plugins.security.ssl.transport.pemcert_filepath: opensearch.pem | ||
plugins.security.ssl.transport.pemkey_filepath: opensearch.key | ||
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem | ||
plugins.security.ssl.transport.enforce_hostname_verification: false | ||
plugins.security.ssl.transport.resolve_hostname: false | ||
plugins.security.ssl.http.enabled: true | ||
plugins.security.ssl.http.pemcert_filepath: opensearch_http.pem | ||
plugins.security.ssl.http.pemkey_filepath: opensearch_http.key | ||
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem | ||
plugins.security.nodes_dn: | ||
- CN=opensearch,OU=Ops,O=opensearch\, Inc.,DC=opensearch | ||
plugins.security.authcz.admin_dn: | ||
- CN=admin.opensearch,OU=Ops,O=opensearch\, Inc.,DC=opensearch |
21 changes: 21 additions & 0 deletions
21
opensearch-20-04/ansible/roles/opensearch/files/opensearch_dashboards.yml.template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
server.port: 5601 | ||
server.host: "{{ datasource "ip_address" }}" | ||
opensearch.hosts: ["https://{{ datasource "ip_address" }}:9200"] | ||
opensearch.ssl.verificationMode: none | ||
opensearch.username: "kibanaserver" | ||
opensearch.password: "{{ datasource "kibanaserver_password" }}" | ||
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ] | ||
|
||
opensearch_security.multitenancy.enabled: true | ||
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"] | ||
opensearch_security.readonly_mode.roles: ["kibana_read_only"] | ||
opensearch_security.cookie.secure: true | ||
|
||
server.ssl.enabled: true | ||
server.ssl.certificate: {{ datasource "opensearch_config_home" }}/opensearch_http.pem | ||
server.ssl.key: {{ datasource "opensearch_config_home" }}/opensearch_http.key | ||
|
||
opensearch.ssl.certificateAuthorities: [ "{{ datasource "opensearch_config_home" }}/root-ca.pem" ] | ||
|
||
opensearch.ssl.certificate: {{ datasource "opensearch_config_home" }}/opensearch.pem | ||
opensearch.ssl.key: {{ datasource "opensearch_config_home" }}/opensearch.key |
45 changes: 45 additions & 0 deletions
45
opensearch-20-04/ansible/roles/opensearch/files/tlsconfig.yml.template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
ca: | ||
root: | ||
dn: CN=root.ca.opensearch,OU=CA,O=opensearch\, Inc.,DC=opensearch | ||
keysize: 2048 | ||
validityDays: 3650 | ||
pkPassword: none | ||
file: root-ca.pem | ||
|
||
### Default values and global settings | ||
defaults: | ||
validityDays: 3650 | ||
pkPassword: none | ||
# Set this to true in order to generate config and certificates for | ||
# the HTTP interface of nodes | ||
httpsEnabled: true | ||
reuseTransportCertificatesForHttp: false | ||
verifyHostnames: false | ||
resolveHostnames: false | ||
|
||
|
||
### | ||
### Nodes | ||
### | ||
# | ||
# Specify the nodes of your ES cluster here | ||
# | ||
nodes: | ||
- name: opensearch | ||
dn: CN=opensearch,OU=Ops,O=opensearch\, Inc.,DC=opensearch | ||
dns: opensearch | ||
ip: {{ datasource "ip_address" }} | ||
|
||
### | ||
### Clients | ||
### | ||
# | ||
# Specify the clients that shall access your ES cluster with certificate authentication here | ||
# | ||
# At least one client must be an admin user (i.e., a super-user). Admin users can | ||
# be specified with the attribute admin: true | ||
# | ||
clients: | ||
- name: admin | ||
dn: CN=admin.opensearch,OU=Ops,O=opensearch\, Inc.,DC=opensearch | ||
admin: true |
41 changes: 41 additions & 0 deletions
41
opensearch-20-04/ansible/roles/opensearch/tasks/dashboards.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
--- | ||
|
||
- name: Download dashboards | ||
get_url: | ||
url: "{{ opensearch_dashboards_url }}" | ||
dest: "/tmp/dashboards.tar.gz" | ||
checksum: "{{ opensearch_dashboards_checksum }}" | ||
|
||
- name: Unpack dashboards tarball | ||
unarchive: | ||
copy: no | ||
src: "/tmp/dashboards.tar.gz" | ||
dest: "{{ opensearch_dashboards_home }}" | ||
owner: "{{ opensearch_user }}" | ||
group: "{{ opensearch_group }}" | ||
extra_opts: | ||
- --strip-components=1 | ||
|
||
- name: Dashboards Install | create systemd service | ||
template: | ||
src: opensearch_dashboards.service | ||
dest: "{{ systemctl_path }}/opensearch_dashboards.service" | ||
|
||
- name: Add dashboards jvm options template | ||
copy: | ||
src: jvm.options.template | ||
dest: "{{ opensearch_dashboards_config_home }}/jvm.options.template" | ||
owner: "{{ opensearch_user }}" | ||
group: "{{ opensearch_group }}" | ||
|
||
- name: Copy template config file | ||
copy: | ||
src: "opensearch_dashboards.yml.template" | ||
dest: "{{ opensearch_dashboards_config_file }}.template" | ||
owner: "{{ opensearch_user }}" | ||
group: "{{ opensearch_group }}" | ||
|
||
- name: Remove dashboards config file | ||
file: | ||
path: "{{ opensearch_dashboards_config_file }}" | ||
state: absent |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
--- | ||
|
||
- name: setup group | ||
group: | ||
name: "{{ opensearch_group }}" | ||
system: true | ||
state: present | ||
|
||
- name: setup user | ||
user: | ||
name: "{{ opensearch_user }}" | ||
group: "{{ opensearch_group }}" | ||
system: true | ||
|
||
- name: Set vm.max_map_count in sysctl.conf | ||
sysctl: | ||
name: vm.max_map_count | ||
value: 262144 | ||
state: present | ||
|
||
- name: Set open files limit in sysctl.conf | ||
sysctl: | ||
name: fs.file-max | ||
value: 65536 | ||
state: present | ||
|
||
- name: create base directories | ||
file: | ||
path: "{{ item }}" | ||
state: directory | ||
owner: "{{ opensearch_user }}" | ||
group: "{{ opensearch_group }}" | ||
mode: 0744 | ||
loop: | ||
- "{{ opensearch_home }}" | ||
- "{{ opensearch_dashboards_home }}" | ||
- "{{ nodecerts_home }}" | ||
|
||
- name: Download gomplate | ||
get_url: | ||
url: "https://github.com/hairyhenderson/gomplate/releases/download/v3.10.0/gomplate_linux-amd64" | ||
dest: "/usr/bin/gomplate" | ||
mode: a+x | ||
checksum: "sha256:eec0f85433c9c8aad93e8cd84c79d238f436b3e62f35b15471f5929bc741763a" | ||
|
||
mauricio marked this conversation as resolved.
Show resolved
Hide resolved
|
||
- name: include opensearch | ||
include: opensearch.yml | ||
|
||
- name: include dashboards | ||
include: dashboards.yml | ||
|
||
- name: include security | ||
include: security.yml | ||
|
||
- name: Add opensearch init script | ||
template: | ||
src: 001_onboot | ||
dest: "/var/lib/cloud/scripts/per-instance/001_onboot" | ||
owner: "{{ opensearch_user }}" | ||
group: "{{ opensearch_group }}" | ||
mode: a+x | ||
|
||
- name: Run config script on boot | ||
cron: | ||
name: "configure-opensearch" | ||
special_time: "reboot" | ||
job: "/bin/bash /var/lib/cloud/scripts/per-instance/001_onboot" | ||
user: "{{ opensearch_user }}" |
42 changes: 42 additions & 0 deletions
42
opensearch-20-04/ansible/roles/opensearch/tasks/opensearch.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
--- | ||
|
||
- name: Download opensearch | ||
get_url: | ||
url: "{{ opensearch_url }}" | ||
dest: "/tmp/opensearch.tar.gz" | ||
checksum: "{{ opensearch_checksum }}" | ||
|
||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We could add a |
||
- name: Unpack opensearch tarball | ||
unarchive: | ||
copy: no | ||
src: "/tmp/opensearch.tar.gz" | ||
dest: "{{ opensearch_home }}" | ||
owner: "{{ opensearch_user }}" | ||
group: "{{ opensearch_group }}" | ||
mode: 0700 | ||
extra_opts: | ||
- --strip-components=1 | ||
|
||
- name: Add opensearch config template | ||
copy: | ||
src: opensearch.yml.template | ||
dest: "{{ opensearch_config_file }}.template" | ||
owner: "{{ opensearch_user }}" | ||
group: "{{ opensearch_group }}" | ||
|
||
- name: Add opensearch jvm options template | ||
copy: | ||
src: jvm.options.template | ||
dest: "{{ opensearch_config_home }}/jvm.options.template" | ||
owner: "{{ opensearch_user }}" | ||
group: "{{ opensearch_group }}" | ||
|
||
- name: Remove opensearch config file | ||
file: | ||
path: "{{ opensearch_config_file }}" | ||
state: absent | ||
|
||
- name: OpenSearch Install | create systemd service | ||
template: | ||
src: opensearch.service | ||
dest: "{{ systemctl_path }}/opensearch.service" |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could add a
checksum
here for additional safety.