Add tasks to allow Logstash opening of privileged ports

defaults/main.yml

@@ -5,6 +5,7 @@ logstash_release: 7
 logstash_manage_java: true
 logstash_config_backup: no
 logstash_manage_yaml: true
+logstash_privileged: false
 
 # config items in yaml file #
 

handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 # handlers file for logstash
-- name: Restart Logstash
+- name: restart Logstash
   service:
     name: logstash
     state: restarted
@@ -11,3 +11,6 @@
     name: logstash
     state: restarted
   when: not logstash_config_autoreload and logstash_enable | bool
+
+- name: call ldconfig
+  command: "/sbin/ldconfig"

tasks/linux.yml

@@ -87,6 +87,9 @@
   tags:
     - security
 
+- import_tasks: privileged.yml
+  when: logstash_privileged | bool
+
 - name: Start Logstash
   service:
     name: logstash

tasks/privileged.yml

@@ -0,0 +1,18 @@
+---
+
+- name: allow Logstash opening of privileged ports
+  shell: "setcap 'cap_net_bind_service=+ep' $(readlink -f /usr/bin/java)"
+  changed_when: false
+- name: Find libjli library
+  shell: 'set -o pipefail && find / -name libjli.so -exec dirname {} \; | head -1'
+  changed_when: false
+  register: libjli_path
+- name: Enable ldconfig to search for libjli
+  template:
+    src: java-libjli.conf.j2
+    dest: /etc/ld.so.conf.d/java-libjli.conf
+    owner: root
+    group: root
+    mode: 0444
+  notify:
+    - call ldconfig