Additional playbook cleanup and use stable release

The stable release of kolide has been cut. This change sets the version
of kolide we use to "2.0.0".

Change-Id: Ie488fe42e98bd96f5777c1c893fc79e50a2eddee
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2018-10-18 10:47:41 -05:00
parent 6ee136fea9
commit e0e8579785
4 changed files with 13 additions and 49 deletions


@ -2,19 +2,11 @@ Install OSQuery and Kolide fleet
################################ ################################
:tags: openstack, ansible :tags: openstack, ansible
Table of Contents
=================
* [About this repository](#about-this-repository)
* [OpenStack-Ansible Integration](#openstack-ansible-integration)
* [TODO](#todo)
About this repository About this repository
--------------------- ---------------------
This set of playbooks will deploy osquery. If this is being deployed as part of This set of playbooks will deploy osquery and kolide-fleet. If this is being
an OpenStack all of the inventory needs will be provided for. deployed as part of an OpenStack all of the inventory needs will be provided for.
**These playbooks require Ansible 2.4+.** **These playbooks require Ansible 2.4+.**
@ -27,6 +19,7 @@ build and operate against.
:alt: Osquery & Kolide Fleet Architecture Diagram :alt: Osquery & Kolide Fleet Architecture Diagram
:align: center :align: center
OpenStack-Ansible Integration OpenStack-Ansible Integration
----------------------------- -----------------------------
@ -34,6 +27,7 @@ These playbooks can be used as standalone inventory or as an integrated part of
an OpenStack-Ansible deployment. For a simple example of standalone inventory an OpenStack-Ansible deployment. For a simple example of standalone inventory
see ``inventory.example.yml``. see ``inventory.example.yml``.
Setup | system configuration Setup | system configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -243,14 +237,3 @@ This diagram outlines the data flow from within an osquery deployment.
:scale: 50 % :scale: 50 %
:alt: Kolide & Osquery Data Flow Diagram :alt: Kolide & Osquery Data Flow Diagram
:align: center :align: center
TODO
----
The following is a list of open items.
- [x] Test Redhat familly Operating Systems
- [x] missing mariadb cluster (should all work needs additional vars)
- [x] use haproxy instead of the kolide fleet server ip
- [ ] add/update tags
- [x] convert to roles
- [x] add testing


@ -21,11 +21,10 @@ kolide_fleet_db_user: fleet
kolide_fleet_port: "8443" kolide_fleet_port: "8443"
kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}" kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc5" kolide_fleet_version: "2.0.0"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download" kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
kolide_fleet_admin_email: admin@openstack.org kolide_fleet_admin_email: admin@openstack.org
#kolide_fleet_admin_password: AdminSecrete
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
kolide_fleet_ssl_key: /etc/ssl/private/fleet.key kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
@ -35,19 +34,3 @@ kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
kolide_fleet_ssl_key_purge: false kolide_fleet_ssl_key_purge: false
#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
# MariaDB/Gallera Variables
mariadb_bind_address: "0.0.0.0"
mariadb_root_remote: 1
mariadb_root_user: root
mariadb_databases:
- name: "{{ kolide_fleet_db_name }}"
mariadb_users:
- name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}"
priv: " {{ kolide_fleet_db_name }}.*:ALL"
host: "%"


@ -15,22 +15,20 @@
- name: Create DB for service - name: Create DB for service
mysql_db: mysql_db:
login_user: "{{ mariadb_root_user }}" login_user: "root"
login_password: "{{ galera_root_password }}" login_password: "{{ galera_root_password }}"
login_host: "{{ mariadb_login_host | default('localhost') }}" login_host: "127.0.0.1"
name: "{{ kolide_fleet_db_name }}" name: "{{ kolide_fleet_db_name }}"
state: "present" state: "present"
delegate_to: "{{ groups['mariadb_all'][0] }}" delegate_to: "{{ groups['mariadb_all'][0] }}"
no_log: False no_log: False
run_once: true run_once: true
tags:
- fleet_db_install
- name: Grant access to the DB for the service - name: Grant access to the DB for the service
mysql_user: mysql_user:
login_user: "{{ mariadb_root_user }}" login_user: "root"
login_password: "{{ galera_root_password }}" login_password: "{{ galera_root_password }}"
login_host: "{{ mariadb_login_host | default('localhost') }}" login_host: "127.0.0.1"
name: "{{ kolide_fleet_db_user }}" name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}" password: "{{ kolide_fleet_db_password }}"
host: "{{ item }}" host: "{{ item }}"
@ -38,8 +36,9 @@
priv: "{{ kolide_fleet_db_name }}.*:ALL" priv: "{{ kolide_fleet_db_name }}.*:ALL"
append_privs: "{{ kolide_fleet_db_append_privs | default(omit) }}" append_privs: "{{ kolide_fleet_db_append_privs | default(omit) }}"
delegate_to: "{{ groups['mariadb_all'][0] }}" delegate_to: "{{ groups['mariadb_all'][0] }}"
with_items: "{{ grant_list | default(['localhost', '%']) }}" with_items:
- 'localhost'
- '127.0.0.1'
- '%'
no_log: False no_log: False
run_once: true run_once: true
tags:
- fleet_db_install
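Review bot: The grant loop in "Grant access to the DB for the service" is now a fixed list (`'localhost'`, `'127.0.0.1'`, `'%'`), so the `grant_list` override is gone and the fleet DB user always receives `{{ kolide_fleet_db_name }}.*:ALL` from any host through `'%'`. Keeping the override, for example `with_items: "{{ grant_list | default(['localhost', '127.0.0.1', '%']) }}"`, would let deployers narrow the grant to the fleet hosts. The hard-coded `login_user: "root"` and `login_host: "127.0.0.1"` in both tasks likewise drop the `mariadb_root_user` and `mariadb_login_host` overrides. Both tasks also carry `no_log: False` alongside `login_password` and `password`; if that was set for debugging, `no_log: true` on the grant task is the safer default. The grant task spans two hunks and the lines between them are not shown here.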


@ -13,7 +13,6 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: Migrate the fleet database - name: Migrate the fleet database
command: /usr/local/bin/fleet prepare db --config=/etc/fleet/fleet_config.yml --no-prompt command: /usr/local/bin/fleet prepare db --config=/etc/fleet/fleet_config.yml --no-prompt
changed_when: false changed_when: false