Become: false for operation /tmp/opensearch-nodecerts (#51)

* Become: false for operation /tmp/opensearch-nodecerts Signed-off-by: Anton Patsev <[email protected]> * become: false for Cleanup local temporary directory Signed-off-by: Anton Patsev <[email protected]> * readme: run the playbook as ec2-user, add --become Signed-off-by: Anton Patsev <[email protected]> * Add examples: hosts_ec2-user and hosts_root_user Signed-off-by: Anton Patsev <[email protected]> * Add examples hosts for centos and ubuntu Signed-off-by: Anton Patsev <[email protected]>
opensearch-project · May 2, 2022 · 2cb49ff · 2cb49ff
1 parent f9aa741
commit 2cb49ff
Show file tree

Hide file tree

Showing 6 changed files with 105 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -39,13 +39,36 @@ For example if we need to increase the java memory heap size for opensearch,
     xms_value: 8
     xmx_value: 8
 
+If you use ec2-user as linux user, then copy hosts_ec2-user to hosts
+```
+cp inventories/opensearch/hosts_ec2-user inventories/opensearch/hosts
+```
+
+If you use ubuntu as linux user, then copy hosts_ubuntu to hosts
+
+```
+cp inventories/opensearch/hosts_ubuntu inventories/opensearch/hosts
+```
+
+If you use centos as linux user, then copy hosts_centos to hosts
+
+```
+cp inventories/opensearch/hosts_centos inventories/opensearch/hosts
+```
+
+If you use root user as linux user, then copy hosts_root_user to hosts
+
+```
+cp inventories/opensearch/hosts_root_user inventories/opensearch/hosts
+```
+
 In `inventories/opensearch/hosts` file, you can configure the node details.
 `ansible_host` is used for ansible to connect the nodes to run this playbook.
 `ip` is used in OpenSearch and Dashboards configuration.
 
 In AWS EC2,
 ```
-os1 ansible_host=<Elastic/Public IP> address ansible_user=root ip=<Private IP address>
+os1 ansible_host=<Elastic/Public IP> address ansible_user=ec2-user ip=<Private IP address>
 ```
 
 #### Multi-node Installation
@@ -82,8 +105,8 @@ cluster_type: single-node
 ### Install
 
 
-    # Deploy with ansible playbook - run the playbook as root
-    ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=Test@123 kibanaserver_password=Test@6789"
+    # Deploy with ansible playbook - run the playbook as ec2-user
+    ansible-playbook -i inventories/opensearch/hosts opensearch.yml --extra-vars "admin_password=Test@123 kibanaserver_password=Test@6789" --become
 
 You should set the reserved users(`admin` and `kibanaserver`) password using `admin_password` and `kibanaserver_password` variables.
 

diff --git a/inventories/opensearch/hosts_centos b/inventories/opensearch/hosts_centos
@@ -0,0 +1,24 @@
+os1 ansible_host=10.0.1.1  ansible_user=centos ip=10.0.1.1 roles=data,master
+os2 ansible_host=10.0.1.2  ansible_user=centos ip=10.0.1.2 roles=data,master
+os3 ansible_host=10.0.1.3  ansible_user=centos ip=10.0.1.3 roles=data,master
+os4 ansible_host=10.0.1.4  ansible_user=centos ip=10.0.1.4 roles=data,ingest
+os5 ansible_host=10.0.1.5  ansible_user=centos ip=10.0.1.5 roles=data,ingest
+
+dashboards1 ansible_host=10.0.1.6  ansible_user=centos ip=10.0.1.6
+
+# List all the nodes in the os cluster
+[os-cluster]
+os1
+os2
+os3
+os4
+os5
+
+# List all the Master eligible nodes under this group
+[master]
+os1
+os2
+os3
+
+[dashboards]
+dashboards1
diff --git a/inventories/opensearch/hosts_ec2-user b/inventories/opensearch/hosts_ec2-user
@@ -0,0 +1,24 @@
+os1 ansible_host=10.0.1.1  ansible_user=ec2-user ip=10.0.1.1 roles=data,master
+os2 ansible_host=10.0.1.2  ansible_user=ec2-user ip=10.0.1.2 roles=data,master
+os3 ansible_host=10.0.1.3  ansible_user=ec2-user ip=10.0.1.3 roles=data,master
+os4 ansible_host=10.0.1.4  ansible_user=ec2-user ip=10.0.1.4 roles=data,ingest
+os5 ansible_host=10.0.1.5  ansible_user=ec2-user ip=10.0.1.5 roles=data,ingest
+
+dashboards1 ansible_host=10.0.1.6  ansible_user=ec2-user ip=10.0.1.6
+
+# List all the nodes in the os cluster
+[os-cluster]
+os1
+os2
+os3
+os4
+os5
+
+# List all the Master eligible nodes under this group
+[master]
+os1
+os2
+os3
+
+[dashboards]
+dashboards1
diff --git a/inventories/opensearch/hosts → inventories/opensearch/hosts_root_user b/inventories/opensearch/hosts → inventories/opensearch/hosts_root_user
diff --git a/inventories/opensearch/hosts_ubuntu b/inventories/opensearch/hosts_ubuntu
@@ -0,0 +1,24 @@
+os1 ansible_host=10.0.1.1  ansible_user=ubuntu ip=10.0.1.1 roles=data,master
+os2 ansible_host=10.0.1.2  ansible_user=ubuntu ip=10.0.1.2 roles=data,master
+os3 ansible_host=10.0.1.3  ansible_user=ubuntu ip=10.0.1.3 roles=data,master
+os4 ansible_host=10.0.1.4  ansible_user=ubuntu ip=10.0.1.4 roles=data,ingest
+os5 ansible_host=10.0.1.5  ansible_user=ubuntu ip=10.0.1.5 roles=data,ingest
+
+dashboards1 ansible_host=10.0.1.6  ansible_user=ubuntu ip=10.0.1.6
+
+# List all the nodes in the os cluster
+[os-cluster]
+os1
+os2
+os3
+os4
+os5
+
+# List all the Master eligible nodes under this group
+[master]
+os1
+os2
+os3
+
+[dashboards]
+dashboards1
diff --git a/roles/linux/opensearch/tasks/security.yml b/roles/linux/opensearch/tasks/security.yml
@@ -9,6 +9,7 @@
     state: directory
   run_once: true
   register: configuration
+  become: false
 
 - name: Security Plugin configuration | Download certificates generation tool
   local_action:
@@ -17,11 +18,13 @@
     dest: /tmp/opensearch-nodecerts/search-guard-tlstool.tar.gz
   run_once: true
   when: configuration.changed
+  become: false
 
 - name: Security Plugin configuration | Extract the certificates generation tool
   local_action: command chdir=/tmp/opensearch-nodecerts tar -xvf search-guard-tlstool.tar.gz
   run_once: true
   when: configuration.changed
+  become: false
 
 - name: Security Plugin configuration | Make the executable file
   local_action:
@@ -30,6 +33,7 @@
     mode: a+x
   run_once: true
   when: configuration.changed
+  become: false
 
 - name: Security Plugin configuration | Prepare the certificates generation template file
   local_action:
@@ -38,12 +42,14 @@
     dest: /tmp/opensearch-nodecerts/config/tlsconfig.yml
   run_once: true
   when: configuration.changed
+  become: false
 
 - name: Security Plugin configuration | Generate the node & admin certificates in local
   local_action:
     module: command /tmp/opensearch-nodecerts/tools/sgtlstool.sh -c /tmp/opensearch-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opensearch-nodecerts/config/
   run_once: true
   when: configuration.changed
+  become: false
 
 - name: Security Plugin configuration | Copy the node & admin certificates to opensearch nodes
   copy:
@@ -154,3 +160,4 @@
     state: absent
   run_once: true
   when: configuration.changed
+  become: false