Another 6.x support pull request #408
Conversation
| - (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined) | ||
|
|
||
| #-----------------------------Create Bootstrap User----------------------------------- | ||
| - name: Check if bootstrap password is set |
There was a problem hiding this comment.
This section causes issues on my setup, when xpack is set to disabled due to the keystore not existing. Should this block of code ever be hit when xpack is not installed? Should we block it with a when: (es_enable_xpack and '"security" in es_xpack_features')
There was a problem hiding this comment.
@gregdurham just his this issue too. Your suggestion will work and think its the way to go.
There was a problem hiding this comment.
Yes I am making those changes, I encountered the same in further testing
| yum: name={{ java }} state={{java_state}} | ||
| when: ansible_os_family == 'RedHat' | ||
|
|
||
| - name: correct java version selected |
There was a problem hiding this comment.
Had issues with this on RHEL 7, the binary java8 does not exist
There was a problem hiding this comment.
Amazon AMIs have different behaviour than RedHat. Made the change and tested on both Amazon AMI and redhat 7.4. Thanks @gregdurham for reviewing
|
This task fails on the second run if the {{es_api_basic_auth_password}} has been changed from the that of the original bootstrap password. |
|
@Hokeycokey I will give it a try, from the documentation it seems this should be fine(https://www.elastic.co/guide/en/x-pack/6.1/setting-up-authentication.html#set-built-in-user-passwords).. if you change the password for elastic after setting bootstrap.password it will take the new password. I have a check to find out if bootstrap.password is already set.. in the second run I dont change/set bootstrap password. As long as you are sending new password as part of your playbook run in theory it should work. But I will test it anyways. So to reproduce in first run say you set the password to changeme for elastic user and then changed it to changeme1 through API and in next run of the playbook you are setting es_api_basic_auth_password to changeme1 and it fails there? |
|
Hi @shribigb and thanks. In defaults I have the following: Within playbook: Error on second run: It seems as though the task uses |
|
Hi @Hokeycokey that's expected behaviour. Role doen't know anything about you have changed password of es_api_basic_auth_username in setting es_users.native.elastic.password to changednow. Rather in first run itself its setting bootstrap.password to changeme and then changing the password of elastic to changednow when its trying to change passwords of native users. In second run in your playbook, you should be considering setting es_api_basic_auth_password: changednow. |
There was a problem hiding this comment.
Great work on this @shribigb! Seems to be just a few small things that need to be fixed up before this can be merged into master. I think we should also be changing the default version to be 6.x once this has been fully tested and merged.
I'm currently setting up a jenkins job on https://devops-ci.elastic.co/ to get the 5.x and 6.x branches automatically tested for each pull request. The next thing I'll be working on is making sure that all tests pass properly for 5.x and 6.x. There are currently a few tests which have hardcoded versions in them.
| when: ansible_os_family == 'RedHat' | ||
|
|
||
| - name: Get the installed java path | ||
| shell: "update-alternatives --display java | grep '^/' | awk '{print $1}' | grep 1.8.0" |
There was a problem hiding this comment.
Should this shell have failed_when: False? Looking at the below task correct java version selected which has ansible_os_family == 'RedHat' and java_full_path is defined makes it sound like this task should only run for RedHat families but also allow failures in the event that 1.8.0 isn't available.
When running the tests for Ubuntu 16.04 this fails as the only available path is /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java.
I would suggest something like:
- name: Get the installed java path
shell: "update-alternatives --display java | grep '^/' | awk '{print $1}' | grep 1.8.0"
register: java_full_path
failed_when: False
when: ansible_os_family == 'RedHat'
- name: correct java version selected
alternatives:
name: java
path: "{{ java_full_path.stdout }}"
link: /usr/bin/java
when: ansible_os_family == 'RedHat' and java_full_path is defined
There was a problem hiding this comment.
This is fixed! I somehow missed a check for RedHat.
|
I tried this on CentOS 7 to install version 6.1.2 and I am getting an error in elasticsearch-security.yml "Ensure x-pack conf directory exists (file)" task step. There are some areas where I have to include Become: yes and some with Become_User. TASK [elasticsearch : Check if bootstrap password is set] **************************************************************************************************** |
4 participants
This is another 6.x pull request. It covers x-pack support and plugin support. Tested installing both 5.6.3 and 6.1.0 version with the same role. I also added adding bootstrap user in case es_api_basic_auth_username is elastic.