debops.elasticsearch default variables

APT packages, version

The debops.elasticsearch role uses the debops.elastic_co Ansible role to configure the Elastic APT repositories and install the packages. The role also installs the Ansible facts that provide the Elasticsearch version.

elasticsearch__base_packages

List of base APT packages to install.

elasticsearch__base_packages: [ 'elasticsearch' ]
elasticsearch__packages

List of additional APT packages to install with Elasticsearch.

elasticsearch__packages: []
elasticsearch__version

Store the detected Elasticsearch version in a convenient variable for conditional configuration.

elasticsearch__version: '{{ ansible_local.elasticsearch.version | d("0.0.0") }}'

UNIX user and group

elasticsearch__user

Name of the UNIX user account used by Elasticsearch.

elasticsearch__user: 'elasticsearch'
elasticsearch__group

Name of the UNIX primary group used by Elasticsearch.

elasticsearch__group: 'elasticsearch'
elasticsearch__additional_groups

List of additional UNIX groups to which the Elasticsearch user will belong.

# The "ssl-cert" group is added only when elasticsearch__pki_enabled is true;
# otherwise the list is empty.
# NOTE(review): presumably this membership is what lets the Elasticsearch
# user read the private key named by elasticsearch__pki_key_file - confirm
# against the debops.pki role before changing the group list.
elasticsearch__additional_groups: '{{ ["ssl-cert"]
                                      if elasticsearch__pki_enabled | bool
                                      else [] }}'

Ansible inventory layout

elasticsearch__inventory_group_all

Name of the Ansible inventory group which contains Elasticsearch hosts in a "homogeneous" configuration (each node having the same functions as every other node).

elasticsearch__inventory_group_all: 'debops_service_elasticsearch'
elasticsearch__inventory_group_master

Name of the Ansible inventory group which contains Elasticsearch master nodes.

elasticsearch__inventory_group_master: 'debops_service_elasticsearch_master'
elasticsearch__inventory_group_data

Name of the Ansible inventory group which contains Elasticsearch data nodes.

elasticsearch__inventory_group_data: 'debops_service_elasticsearch_data'
elasticsearch__inventory_group_ingest

Name of the Ansible inventory group which contains Elasticsearch ingest nodes.

elasticsearch__inventory_group_ingest: 'debops_service_elasticsearch_ingest'
elasticsearch__inventory_group_lb

Name of the Ansible inventory group which contains Elasticsearch load balancer nodes.

elasticsearch__inventory_group_lb: 'debops_service_elasticsearch_lb'
elasticsearch__inventory_master_hosts

List of Ansible inventory hosts which should be treated as Elasticsearch master nodes. See Elasticsearch clustering for more details.

# Hosts of the master inventory group, falling back to the hosts of the
# "all" Elasticsearch group when the master group is not defined.
# The list is empty whenever elasticsearch__allow_tcp is empty, so a host
# with no transport peers allowed gets no master/discovery hosts.
elasticsearch__inventory_master_hosts: '{{ (groups[elasticsearch__inventory_group_master]
                                            | d(groups[elasticsearch__inventory_group_all]))
                                           if elasticsearch__allow_tcp else [] }}'
elasticsearch__initial_master_nodes

List of Elasticsearch nodes which will be bootstrapped as masters on the first cluster execution.

elasticsearch__initial_master_nodes: [ '{{ elasticsearch__node_name }}' ]

Firewall configuration

elasticsearch__allow_http

List of IP addresses or CIDR subnets that can connect to the Elasticsearch HTTP service. This does not need to be set to allow the nodes to communicate. If this list is empty, nobody can connect to the HTTP server directly.

elasticsearch__allow_http: []
elasticsearch__allow_tcp

List of IP addresses or CIDR subnets that can connect to the Elasticsearch TCP transport port. This variable needs to be set to allow nodes to communicate. If this list is empty, nobody can connect to the transport port and the Elasticsearch service is configured in a standalone mode.

elasticsearch__allow_tcp: []

Connection encryption, TLS

elasticsearch__pki_enabled

Enable or disable support for TLS connection encryption based on DebOps PKI, managed by the debops.pki Ansible role.

elasticsearch__pki_enabled: '{{ (ansible_local.pki.enabled | d()) | bool }}'
elasticsearch__pki_base_path

The absolute path of the location of PKI realms.

elasticsearch__pki_base_path: '{{ ansible_local.pki.base_path | d("/etc/pki/realms") }}'
elasticsearch__pki_realm

The PKI realm used by Elasticsearch cluster for the HTTP and Transport communication.

elasticsearch__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
elasticsearch__pki_ca_file

Name of the file which contains Certificate Authorities trusted by Elasticsearch, relative to the PKI realm directory.

elasticsearch__pki_ca_file: '{{ ansible_local.pki.ca | d("CA.crt") }}'
elasticsearch__pki_key_file

Name of the file which contains the private key used by Elasticsearch for HTTP and Transport communication, relative to the PKI realm directory.

elasticsearch__pki_key_file: '{{ ansible_local.pki.key | d("default.key") }}'
elasticsearch__pki_crt_file

Name of the file which contains the X.509 certificate chain used by Elasticsearch for HTTP and Transport communication, relative to the PKI realm directory. Java applications don't work well with Diffie-Hellman parameters embedded in the certificate chain, so let's use the "plain" one instead.

elasticsearch__pki_crt_file: 'public/cert_intermediate.pem'
elasticsearch__tls_ca_certificate

Absolute path of the Certificate Authority certificate used by Elasticsearch.

elasticsearch__tls_ca_certificate: '{{ elasticsearch__pki_base_path + "/"
                                       + elasticsearch__pki_realm + "/"
                                       + elasticsearch__pki_ca_file }}'
elasticsearch__tls_private_key

Absolute path of the private key used by Elasticsearch.

elasticsearch__tls_private_key: '{{ elasticsearch__pki_base_path + "/"
                                    + elasticsearch__pki_realm + "/"
                                    + elasticsearch__pki_key_file }}'
elasticsearch__tls_certificate

Absolute path of the X.509 certificate used by Elasticsearch.

elasticsearch__tls_certificate: '{{ elasticsearch__pki_base_path + "/"
                                    + elasticsearch__pki_realm + "/"
                                    + elasticsearch__pki_crt_file }}'

Elastic X-Pack options

elasticsearch__xpack_enabled

Enable or disable support for X-Pack plugin. The X-Pack support affects security features of Elasticsearch like TLS encryption in transit and user/role management.

By default, X-Pack will be enabled if Elasticsearch is configured as a cluster and PKI environment managed by the debops.pki Ansible role is configured on the host. Otherwise the support will be disabled since it's not useful in a standalone mode.

# True only when PKI support is enabled AND elasticsearch__allow_tcp is
# non-empty (cluster mode); False in every other case.
# NOTE(review): with an empty elasticsearch__allow_tcp this stays False even
# when PKI is available, and the xpack.security.* entries in
# elasticsearch__default_configuration are then marked "absent". If
# elasticsearch__allow_http admits remote clients on such a host, whether
# they get TLS and authentication depends on the defaults of the installed
# Elasticsearch version - consider setting this variable explicitly.
elasticsearch__xpack_enabled: '{{ True
                                  if (elasticsearch__pki_enabled | bool and
                                      elasticsearch__allow_tcp | d())
                                  else False }}'

Elasticsearch users and roles management

elasticsearch__api_base_url

The URL of the Elasticsearch API endpoint used to manage user accounts and roles in the cluster, for example: https://example.org:9200. If not specified, the role will not perform any API-based tasks.

Tasks are executed on one of the Elasticsearch hosts; only a single host is used if multiple hosts are included in a given Ansible run.

# The default always uses the "https" scheme, the host FQDN and the literal
# port 9200; it does not follow elasticsearch__http_port or
# elasticsearch__xpack_enabled.
# NOTE(review): override this value when the HTTP port is changed or when TLS
# is not enabled on the HTTP layer, otherwise the API tasks presumably target
# an endpoint that does not answer - confirm against the role tasks.
elasticsearch__api_base_url: '{{ "https://" + ansible_fqdn + ":9200" }}'
elasticsearch__api_username

Name of the Elasticsearch user account used to access the API. The built-in elastic user account has superuser privileges.

elasticsearch__api_username: 'elastic'
elasticsearch__secret_path

Path to the directory in the debops.secret storage where passwords of Elasticsearch built-in users will be stored.

elasticsearch__secret_path: '{{ "elasticsearch/credentials/"
                                + elasticsearch__cluster_name + "/built-in" }}'
elasticsearch__api_password

The password used to access the Elasticsearch API, stored in the secret/ directory, managed by the debops.secret Ansible role.

# The Ansible "password" lookup reads the password from the given file on the
# Ansible controller and generates a random one when the file does not exist.
# The file path is built from "secret" (not defined here, presumably provided
# by debops.secret), elasticsearch__secret_path and the API user name.
# With the default elasticsearch__api_username ("elastic") this file holds
# the cluster superuser credential, so read access to the secret directory
# on the controller should be limited accordingly.
elasticsearch__api_password: '{{ lookup("password", secret + "/"
                                 + elasticsearch__secret_path + "/"
                                 + elasticsearch__api_username + "/password") }}'
elasticsearch__native_roles

List of Elasticsearch "role" definitions which will be defined on all hosts in the Ansible inventory. See elasticsearch__native_roles for more details.

elasticsearch__native_roles: []
elasticsearch__group_native_roles

List of Elasticsearch "role" definitions which will be defined on hosts in a specific Ansible inventory group. See elasticsearch__native_roles for more details.

elasticsearch__group_native_roles: []
elasticsearch__host_native_roles

List of Elasticsearch "role" definitions which will be defined on specific hosts in the Ansible inventory. See elasticsearch__native_roles for more details.

elasticsearch__host_native_roles: []
elasticsearch__combined_native_roles

The variable which combines all "native role" lists and is used in role tasks and templates.

elasticsearch__combined_native_roles: '{{ elasticsearch__native_roles
                                          + elasticsearch__group_native_roles
                                          + elasticsearch__host_native_roles }}'
elasticsearch__native_users

List of Elasticsearch "user" definitions which will be defined on all hosts in the Ansible inventory. See elasticsearch__native_users for more details.

elasticsearch__native_users: []
elasticsearch__group_native_users

List of Elasticsearch "user" definitions which will be defined on hosts in a specific Ansible inventory group. See elasticsearch__native_users for more details.

elasticsearch__group_native_users: []
elasticsearch__host_native_users

List of Elasticsearch "user" definitions which will be defined on specific hosts in the Ansible inventory. See elasticsearch__native_users for more details.

elasticsearch__host_native_users: []
elasticsearch__combined_native_users

The variable which combines all "native user" lists and is used in role tasks and templates.

elasticsearch__combined_native_users: '{{ elasticsearch__native_users
                                          + elasticsearch__group_native_users
                                          + elasticsearch__host_native_users }}'

Elasticsearch network options

elasticsearch__network_host

List of network interface names or IP addresses on which Elasticsearch should listen for connections. By default, if debops.ferm firewall is enabled, Elasticsearch will listen on localhost and private IP addresses only. See https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html for more details.

# "_local_" and "_site_" are Elasticsearch special values for loopback and
# site-local addresses. "_site_" is included only when the ferm local fact
# exists and reports the firewall as enabled; otherwise Elasticsearch binds
# to loopback only.
# NOTE(review): the bind address alone does not restrict peers; which remote
# hosts can connect is presumably enforced through the firewall lists
# elasticsearch__allow_http and elasticsearch__allow_tcp - confirm.
elasticsearch__network_host: '{{ ["_local_", "_site_"]
                                 if (ansible_local.ferm.enabled | d() and
                                     ansible_local.ferm.enabled | bool)
                                 else ["_local_"] }}'
elasticsearch__http_port

The port on which Elasticsearch will listen for HTTP connections.

elasticsearch__http_port: '9200'
elasticsearch__transport_tcp_port

The port on which Elasticsearch will listen for TCP transport connections.

elasticsearch__transport_tcp_port: '9300'

Elasticsearch cluster options

elasticsearch__domain

The DNS domain of the host.

elasticsearch__domain: '{{ ansible_domain }}'
elasticsearch__cluster_name

Name of the Elasticsearch cluster, should be the same on all of the cluster nodes. By default it's based on the host domain name.

elasticsearch__cluster_name: '{{ elasticsearch__domain | replace(".", "-") }}'
elasticsearch__node_name

Descriptive name of the Elasticsearch node, by default based on the hostname.

elasticsearch__node_name: '{{ ansible_hostname }}'
elasticsearch__discovery_hosts

List of Elasticsearch nodes which should be contacted for unicast cluster discovery. See Elasticsearch clustering for more details.

elasticsearch__discovery_hosts: '{{ elasticsearch__inventory_master_hosts }}'
elasticsearch__discovery_minimum_master_nodes

Minimum number of master-eligible nodes that are required to achieve quorum.

# Yields "1" when there are at most two master hosts, otherwise
# floor(count / 2) + 1 of elasticsearch__inventory_master_hosts.
# NOTE(review): for exactly two master hosts the majority formula
# (count / 2 + 1) gives 2, but this expression returns 1, so each node alone
# satisfies the quorum and a network partition can produce two independent
# masters - confirm this trade-off is intended for two-node clusters.
elasticsearch__discovery_minimum_master_nodes: '{{ "1" if (elasticsearch__inventory_master_hosts | count <= 2)
                                                       else ((elasticsearch__inventory_master_hosts | count / 2) | round(0, "floor") | int + 1) }}'
elasticsearch__gateway_recover_after_nodes

Number of Elasticsearch nodes required to enable cluster initial recovery after full restart. Deprecated in Elasticsearch 7.7.0.

elasticsearch__gateway_recover_after_nodes: '{{ elasticsearch__discovery_minimum_master_nodes }}'

Node functions

These variables define the functionality of a given Elasticsearch node. See https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html for more details.

elasticsearch__node_master

When enabled, this node is a master-eligible node and can be elected as a master.

Warning: this variable is not taken into account for master node calculations. See Elasticsearch clustering for more details.

# True when the host is a member of the master inventory group.
# False when it is not in the master group but is in the data, ingest or
# load balancer group.
# True again when the host is in none of those four groups, which covers
# hosts that are only in the "homogeneous" group.
elasticsearch__node_master: '{{ True
                                if (elasticsearch__inventory_group_master in group_names)
                                else (False
                                      if (elasticsearch__inventory_group_data in group_names)
                                      else (False
                                            if (elasticsearch__inventory_group_ingest in group_names)
                                            else (False
                                                  if (elasticsearch__inventory_group_lb in group_names)
                                                  else True))) }}'
elasticsearch__node_data

When enabled, this node can hold the cluster data and perform various operations like searching and aggregation.

elasticsearch__node_data: '{{ True
                              if (elasticsearch__inventory_group_data in group_names)
                              else (False
                                    if (elasticsearch__inventory_group_master in group_names)
                                    else (False
                                          if (elasticsearch__inventory_group_ingest in group_names)
                                          else (False
                                                if (elasticsearch__inventory_group_lb in group_names)
                                                else True))) }}'
elasticsearch__node_ingest

When enabled, this node can perform operations on documents before indexing them using an ingest pipeline.

elasticsearch__node_ingest: '{{ True
                                if (elasticsearch__inventory_group_ingest in group_names)
                                else (False
                                      if (elasticsearch__inventory_group_master in group_names)
                                      else (False
                                            if (elasticsearch__inventory_group_data in group_names)
                                            else (False
                                                  if (elasticsearch__inventory_group_lb in group_names)
                                                  else True))) }}'

Memory options

The variables below configure JVM memory allocation options. See https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html for more details.

elasticsearch__memory_lock

Enable or disable memory lock depending on availability of required POSIX capabilities. If this variable is enabled, systemd memlock limit is configured.

# True when POSIX capabilities are not enforced on the host, or when they are
# enforced and "cap_ipc_lock" is among the available capabilities.
# False only when capabilities are enforced and "cap_ipc_lock" is missing.
# Both facts default to an empty value when they are not defined.
elasticsearch__memory_lock: '{{ True
                                if (not (ansible_system_capabilities_enforced | d()) | bool or
                                    ((ansible_system_capabilities_enforced | d()) | bool and
                                     "cap_ipc_lock" in (ansible_system_capabilities | d([]))))
                                else False }}'
elasticsearch__systemd_limit_memlock

Specify maximum size of the process memory in bytes that the process is allowed to lock in RAM and not have it stored in swap. Specify infinity to disable the maximum limit. This setting is applied through the systemd service unit.

elasticsearch__systemd_limit_memlock: 'infinity'
elasticsearch__jvm_memory_heap_size_multiplier

This variable defines a float value which will be used to select the JVM heap size depending on the size of the available system RAM.

elasticsearch__jvm_memory_heap_size_multiplier: '{{ "0.2"
                                                    if (ansible_memtotal_mb | int / 2 <= 2048)
                                                    else "0.45" }}'
elasticsearch__jvm_memory_min_heap_size

Specify the minimum JVM heap size, depending on the available system RAM.

elasticsearch__jvm_memory_min_heap_size: '{{ (((ansible_memtotal_mb | int
                                               * elasticsearch__jvm_memory_heap_size_multiplier | float)
                                               | round | int) | string + "m")
                                             if (ansible_memtotal_mb | int / 2 <= 32768)
                                             else "32600m" }}'
elasticsearch__jvm_memory_max_heap_size

Specify the maximum JVM heap size, depending on the available system RAM. This usually should be the same as the minimum heap size, for performance reasons.

elasticsearch__jvm_memory_max_heap_size: '{{ elasticsearch__jvm_memory_min_heap_size }}'

Paths

The variables below configure paths used by Elasticsearch. See https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html#path-settings for more details.

elasticsearch__path_data

List of all data paths. They will be created and permissions will be updated if needed.

elasticsearch__path_data:
  - '/var/lib/elasticsearch'

Elasticsearch configuration file

The variables below define the contents of the /etc/elasticsearch/elasticsearch.yml configuration file. See elasticsearch__configuration for the details and configuration syntax.

elasticsearch__original_configuration

The original configuration options present in the default Elasticsearch configuration file.

# Options mirrored from the stock elasticsearch.yml file. Most entries carry
# state 'comment'; 'path.data' and 'path.logs' have no explicit state.
# NOTE(review): 'comment' presumably renders the option commented-out in the
# generated file - confirm in the configuration template.
elasticsearch__original_configuration:

  - name: 'cluster.name'
    comment: 'Use a descriptive name for your cluster'
    value: 'node-1'
    state: 'comment'

  - name: 'node.name'
    comment: 'Use a descriptive name for the node'
    value: 'node-1'
    state: 'comment'

  - name: 'node.attr.rack'
    comment: 'Add custom attributes to the node'
    value: 'r1'
    state: 'comment'

  - name: 'path.data'
    comment: |
      Path to directory where to store the data
      (separate multiple locations by comma)
    value: '/var/lib/elasticsearch'

  - name: 'path.logs'
    comment: 'Path to log files'
    value: '/var/log/elasticsearch'

  - name: 'bootstrap.memory_lock'
    comment: |
      Lock the memory on startup

      Make sure that the heap size is set to about half the memory available
      on the system and that the owner of the process is allowed to use this
      limit.

      Elasticsearch performs poorly when the system is swapping the memory.
    value: True
    state: 'comment'

    # NOTE(review): 192.160.0.1 is not an RFC 1918 private address; the stock
    # elasticsearch.yml example uses 192.168.0.1, so this looks like a typo.
    # The value is rendered into the configuration file, so changing it
    # modifies the generated file on managed hosts.
  - name: 'network.host'
    comment: 'Set the bind address to a specific IP (IPv4 or IPv6)'
    value: '192.160.0.1'
    state: 'comment'

  - name: 'http.port'
    comment: 'Set a custom port for HTTP'
    value: '9200'
    state: 'comment'

    # The option name depends on the detected version: the "zen" name is
    # used for Elasticsearch older than 7.0.0.
  - name: '{{ "discovery.zen.ping.unicast.hosts"
              if (elasticsearch__version is version("7.0.0", "<"))
              else "discovery.seed_hosts" }}'
    comment: |
      Pass an initial list of hosts to perform discovery when new node is started:
      The default list of hosts is ["127.0.0.1", "[::1]"]
    value: [ 'host1', 'host2' ]
    state: 'comment'

  - name: 'cluster.initial_master_nodes'
    comment: 'Bootstrap the cluster using an initial set of master-eligible nodes:'
    value: [ 'node-1', 'node-2' ]
    state: 'comment'

  - name: 'action.destructive_requires_name'
    comment: 'Require explicit names when deleting indices'
    value: True
    state: 'comment'
elasticsearch__default_configuration

List of default configuration options defined by the role.

# Options the role itself sets in elasticsearch.yml. Each entry has a name,
# a value and a state; many states are computed from the detected
# Elasticsearch version or from elasticsearch__xpack_enabled.
elasticsearch__default_configuration:

  - name: 'cluster.name'
    value: '{{ elasticsearch__cluster_name }}'
    state: 'present'

    # For Elasticsearch 7.9.0 and newer the node functions are expressed as
    # three 'node.roles' entries, one per enabled function. Older versions
    # get the separate 'node.master', 'node.data' and 'node.ingest' options.
    # NOTE(review): how entries sharing the name 'node.roles' are merged is
    # decided by the configuration template - confirm there.
  - name: 'node.roles'
    comment: 'Roles assigned to the node'
    state: '{{ "present" if (elasticsearch__version is version("7.9.0", ">=") and elasticsearch__node_master) else "absent" }}'
    value:
      - 'master'

  - name: 'node.roles'
    state: '{{ "present" if (elasticsearch__version is version("7.9.0", ">=") and elasticsearch__node_data) else "absent" }}'
    value:
      - 'data'

  - name: 'node.roles'
    state: '{{ "present" if (elasticsearch__version is version("7.9.0", ">=") and elasticsearch__node_ingest) else "absent" }}'
    value:
      - 'ingest'

  - name: 'node.master'
    comment: 'Type of the node'
    value: '{{ elasticsearch__node_master }}'
    state: '{{ "present" if (elasticsearch__version is version("7.9.0", "<")) else "absent" }}'

  - name: 'node.data'
    value: '{{ elasticsearch__node_data }}'
    state: '{{ "present" if (elasticsearch__version is version("7.9.0", "<")) else "absent" }}'

  - name: 'node.ingest'
    value: '{{ elasticsearch__node_ingest }}'
    state: '{{ "present" if (elasticsearch__version is version("7.9.0", "<")) else "absent" }}'

  - name: 'node.name'
    value: '{{ elasticsearch__node_name }}'
    state: 'present'

  - name: 'network.host'
    value: '{{ elasticsearch__network_host }}'
    state: 'present'

  - name: 'http.port'
    value: '{{ elasticsearch__http_port }}'
    state: 'present'

  - name: '{{ "transport.tcp.port"
              if (elasticsearch__version is version("7.1.0", "<"))
              else "transport.port" }}'
    comment: 'Set a custom port for TCP transport'
    value: '{{ elasticsearch__transport_tcp_port }}'
    state: 'present'

    # Reset the default host list
  - name: '{{ "discovery.zen.ping.unicast.hosts"
              if (elasticsearch__version is version("7.0.0", "<"))
              else "discovery.seed_hosts" }}'
    value: ''
    state: 'present'

    # The real discovery list is written only when it is non-empty.
  - name: '{{ "discovery.zen.ping.unicast.hosts"
              if (elasticsearch__version is version("7.0.0", "<"))
              else "discovery.seed_hosts" }}'
    value: '{{ elasticsearch__discovery_hosts }}'
    state: '{{ "present" if elasticsearch__discovery_hosts else "absent" }}'

  - name: 'discovery.zen.minimum_master_nodes'
    comment: |
      Prevent the "split brain" by configuring the majority of nodes
      (total number of master-eligible nodes / 2 + 1)
    value: '{{ elasticsearch__discovery_minimum_master_nodes }}'
    state: '{{ "present" if (elasticsearch__version is version("7.0.0", "<")) else "absent" }}'

    # Reset the default host list
  - name: 'cluster.initial_master_nodes'
    value: ''
    state: 'present'

  - name: 'cluster.initial_master_nodes'
    value: '{{ elasticsearch__initial_master_nodes }}'
    state: '{{ "absent"
               if (elasticsearch__version is version("7.0.0", "<"))
               else "present" }}'

  - name: 'gateway.recover_after_nodes'
    comment: 'Block initial recovery after a full cluster restart until N nodes are started'
    value: '{{ elasticsearch__gateway_recover_after_nodes }}'
    state: '{{ "present" if (elasticsearch__version is version("7.7.0", "<")) else "absent" }}'

  - name: 'action.destructive_requires_name'
    value: True
    state: 'present'

  - name: 'bootstrap.memory_lock'
    value: '{{ True if elasticsearch__memory_lock | bool else False }}'
    state: 'present'

  - name: 'path.data'
    value: '{{ elasticsearch__path_data }}'
    state: 'present'

    # Every xpack.security.* option below is "present" only when
    # elasticsearch__xpack_enabled is true and "absent" otherwise, so with
    # X-Pack support disabled the role sets none of the authentication or
    # TLS options and the defaults of the installed Elasticsearch apply.
  - name: 'xpack.security.enabled'
    value: True
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

  - name: 'xpack.security.http.ssl.enabled'
    value: True
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

    # 'certificate' checks that a presented certificate chains to a trusted
    # CA but does not verify the hostname; 'full' performs both checks.
  - name: 'xpack.security.http.ssl.verification_mode'
    value: 'certificate'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

    # The client verification is optional in HTTP communication to avoid
    # forcing Kibana and other clients to present their own X.509 client
    # certificates to the Elasticsearch service.
  - name: 'xpack.security.http.ssl.client_authentication'
    value: 'optional'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

    # The HTTP and transport layers use the same private key, certificate
    # and CA file (see the matching xpack.security.transport.ssl.* entries).
  - name: 'xpack.security.http.ssl.key'
    value: '{{ elasticsearch__tls_private_key }}'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

  - name: 'xpack.security.http.ssl.certificate'
    value: '{{ elasticsearch__tls_certificate }}'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

  - name: 'xpack.security.http.ssl.certificate_authorities'
    value: '{{ elasticsearch__tls_ca_certificate }}'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

  - name: 'xpack.security.transport.ssl.enabled'
    value: True
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

    # Transport peers must present a certificate (client_authentication is
    # 'required' below), but with verification_mode 'certificate' the
    # hostname is not checked: any certificate issued by a CA listed in
    # certificate_authorities is accepted on the transport port. The CA file
    # should therefore contain only authorities trusted to issue node
    # certificates for this cluster.
  - name: 'xpack.security.transport.ssl.verification_mode'
    value: 'certificate'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

  - name: 'xpack.security.transport.ssl.client_authentication'
    value: 'required'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

  - name: 'xpack.security.transport.ssl.key'
    value: '{{ elasticsearch__tls_private_key }}'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

  - name: 'xpack.security.transport.ssl.certificate'
    value: '{{ elasticsearch__tls_certificate }}'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'

  - name: 'xpack.security.transport.ssl.certificate_authorities'
    value: '{{ elasticsearch__tls_ca_certificate }}'
    state: '{{ "present" if elasticsearch__xpack_enabled | bool else "absent" }}'
elasticsearch__configuration

List of configuration options defined on all hosts in the Ansible inventory.

elasticsearch__configuration: []
elasticsearch__master_configuration

List of configuration options defined on Elasticsearch master nodes (needs to be placed in appropriate Ansible inventory group).

elasticsearch__master_configuration: []
elasticsearch__data_configuration

List of configuration options defined on Elasticsearch data nodes (needs to be placed in appropriate Ansible inventory group).

elasticsearch__data_configuration: []
elasticsearch__ingest_configuration

List of configuration options defined on Elasticsearch ingest nodes (needs to be placed in appropriate Ansible inventory group).

elasticsearch__ingest_configuration: []
elasticsearch__lb_configuration

List of configuration options defined on Elasticsearch load balancer nodes (needs to be placed in appropriate Ansible inventory group).

elasticsearch__lb_configuration: []
elasticsearch__group_configuration

List of configuration options defined on hosts in specific Ansible inventory group.

elasticsearch__group_configuration: []
elasticsearch__host_configuration

List of configuration options defined on specific hosts in the Ansible inventory.

elasticsearch__host_configuration: []
elasticsearch__plugin_configuration

List of configuration options defined separately for any Elasticsearch plugins. See elasticsearch__plugins for more details.

elasticsearch__plugin_configuration: '{{ lookup("template",
                                         "lookup/elasticsearch__plugin_configuration.j2")
                                         | from_yaml }}'
elasticsearch__dependent_role

A string that identifies another Ansible role that uses the debops.elasticsearch role as a dependency. This value is needed to correctly store the dependent configuration options. See Usage as a role dependency for more details.

elasticsearch__dependent_role: ''
elasticsearch__dependent_state

Specify the state of the dependent configuration options, either present (options should be included in the configuration file) or absent (options should be removed from the configuration file). See Usage as a role dependency for more details.

elasticsearch__dependent_state: 'present'
elasticsearch__dependent_configuration

List of Elasticsearch configuration options defined by another Ansible role and specified using role dependent variables.

elasticsearch__dependent_configuration: []
elasticsearch__dependent_configuration_filter

Actual variable used in the combined Elasticsearch configuration that unwraps the dependent configuration specified by other Ansible roles and converts it into format understood by the debops.elasticsearch configuration template. See Usage as a role dependency for more details.

elasticsearch__dependent_configuration_filter: '{{ lookup("template",
                                                   "lookup/elasticsearch__dependent_configuration_filter.j2")
                                                   | from_yaml }}'
elasticsearch__combined_configuration

Actual list of Elasticsearch configuration options passed to the configuration template. This list defines the order in which the options from different variables are processed.

# Concatenates all configuration lists in the order written below and passes
# the result through the "flattened" lookup.
# NOTE(review): later lists (inventory, group and host level) presumably
# override earlier entries with the same name, which means a host-level entry
# can also switch off the xpack.security.* defaults - confirm the merge rule
# in the configuration template.
elasticsearch__combined_configuration: '{{ lookup("flattened", (elasticsearch__original_configuration
                                           + elasticsearch__default_configuration
                                           + elasticsearch__plugin_configuration
                                           + elasticsearch__dependent_configuration_filter
                                           + elasticsearch__configuration
                                           + elasticsearch__master_configuration
                                           + elasticsearch__data_configuration
                                           + elasticsearch__ingest_configuration
                                           + elasticsearch__lb_configuration
                                           + elasticsearch__group_configuration
                                           + elasticsearch__host_configuration)) }}'
elasticsearch__configuration_sections

List of sections defined in the /etc/elasticsearch/elasticsearch.yml configuration file and corresponding variable groups. See elasticsearch__configuration_sections for more details.

elasticsearch__configuration_sections:

  - name: 'Cluster'
    part: 'cluster'

  - name: 'Node'
    part: 'node'

  - name: 'Paths'
    part: 'path'

  - name: 'Memory'
    part: 'bootstrap'

  - name: 'Network'
    parts: [ 'network', 'http', 'transport' ]

  - name: 'Discovery'
    part: 'discovery'

  - name: 'Gateway'
    part: 'gateway'

  - name: 'X-Pack'
    part: 'xpack'

  - name: 'Search Guard'
    part: 'searchguard'

  - name: 'ReadonlyREST'
    part: 'readonlyrest'

Plugin configuration

These variables define lists of Elasticsearch plugins to install/remove, as well as additional configuration options for them. See elasticsearch__plugins for more details.

elasticsearch__plugins

List of Elasticsearch plugins to manage on all hosts in the Ansible inventory.

elasticsearch__plugins: []
elasticsearch__master_plugins

List of Elasticsearch plugins to manage on master nodes (variable needs to be defined in appropriate Ansible inventory group).

elasticsearch__master_plugins: []
elasticsearch__data_plugins

List of Elasticsearch plugins to manage on data nodes (variable needs to be defined in appropriate Ansible inventory group).

elasticsearch__data_plugins: []
elasticsearch__ingest_plugins

List of Elasticsearch plugins to manage on ingest nodes (variable needs to be defined in appropriate Ansible inventory group).

elasticsearch__ingest_plugins: []
elasticsearch__lb_plugins

List of Elasticsearch plugins to manage on load balancer nodes (variable needs to be defined in appropriate Ansible inventory group).

# Empty by default; entries are appended to elasticsearch__combined_plugins.
elasticsearch__lb_plugins: []
elasticsearch__group_plugins

List of Elasticsearch plugins to manage on hosts in a specific Ansible inventory group.

# Empty by default; entries are appended to elasticsearch__combined_plugins.
elasticsearch__group_plugins: []
elasticsearch__host_plugins

List of Elasticsearch plugins to manage on specific hosts in the Ansible inventory.

# Empty by default; entries are appended to elasticsearch__combined_plugins.
elasticsearch__host_plugins: []
elasticsearch__combined_plugins

Actual list of Elasticsearch plugins that combines other plugin variables and is used in the Ansible tasks and the configuration template.

# Concatenates the seven plugin lists in the order written below and passes
# the result through the "flattened" lookup. Every plugin the role manages on
# a host ends up in this list, so it is the one to review when auditing which
# third-party code is loaded into Elasticsearch.
elasticsearch__combined_plugins: '{{ lookup("flattened", (elasticsearch__plugins
                                     + elasticsearch__master_plugins
                                     + elasticsearch__data_plugins
                                     + elasticsearch__ingest_plugins
                                     + elasticsearch__lb_plugins
                                     + elasticsearch__group_plugins
                                     + elasticsearch__host_plugins)) }}'

Java Policy configuration

Java Policy defines which paths and resources the Elasticsearch application can access. By default, file access is limited to the /etc/elasticsearch/ directory, but in DebOps we also grant read access to the PKI directories managed by the debops.pki role, and to /etc/ssl/certs/, to support encrypted communication in the cluster.

elasticsearch__java_policy

This variable contains the contents of the java.policy configuration file for Elasticsearch.

# Contents of the java.policy file; the only templated parts are the two
# references to elasticsearch__pki_base_path.
# NOTE(review): the grant block names no codeBase, so these permissions apply
# to all code in the JVM, installed plugins included. In Java policy syntax a
# path ending in "/-" covers everything below that directory recursively, so
# any private keys stored under elasticsearch__pki_base_path are readable by
# that code as far as UNIX file permissions allow. All four file grants are
# read-only.
elasticsearch__java_policy: |
  // default permissions granted to all domains
  grant {
      // allows anyone to listen on dynamic ports
      permission java.net.SocketPermission "localhost:0", "listen";

      // "standard" properties that can be read by anyone
      permission java.util.PropertyPermission "java.version", "read";
      permission java.util.PropertyPermission "java.vendor", "read";
      permission java.util.PropertyPermission "java.vendor.url", "read";
      permission java.util.PropertyPermission "java.class.version", "read";
      permission java.util.PropertyPermission "os.name", "read";
      permission java.util.PropertyPermission "os.version", "read";
      permission java.util.PropertyPermission "os.arch", "read";
      permission java.util.PropertyPermission "file.separator", "read";
      permission java.util.PropertyPermission "path.separator", "read";
      permission java.util.PropertyPermission "line.separator", "read";
      permission java.util.PropertyPermission
                     "java.specification.version", "read";
      permission java.util.PropertyPermission "java.specification.vendor", "read";
      permission java.util.PropertyPermission "java.specification.name", "read";
      permission java.util.PropertyPermission
                     "java.vm.specification.version", "read";
      permission java.util.PropertyPermission
                     "java.vm.specification.vendor", "read";
      permission java.util.PropertyPermission
                     "java.vm.specification.name", "read";
      permission java.util.PropertyPermission "java.vm.version", "read";
      permission java.util.PropertyPermission "java.vm.vendor", "read";
      permission java.util.PropertyPermission "java.vm.name", "read";

      permission java.io.FilePermission "{{ elasticsearch__pki_base_path }}/-", "read";
      permission java.io.FilePermission "{{ elasticsearch__pki_base_path }}/", "read";
      permission java.io.FilePermission "/etc/ssl/certs/-", "read";
      permission java.io.FilePermission "/etc/ssl/certs/", "read";
  };

Configuration for other Ansible roles

elasticsearch__etc_services__dependent_list

Configuration for the debops.etc_services Ansible role.

# Two named service entries handed to debops.etc_services: one for the HTTP
# port and one for the transport port. The port numbers are taken from
# elasticsearch__http_port and elasticsearch__transport_tcp_port, the same
# variables the firewall rules in elasticsearch__ferm__dependent_rules use.
elasticsearch__etc_services__dependent_list:

  - name: 'elasticsearch-http'
    port: '{{ elasticsearch__http_port }}'

  - name: 'elasticsearch-tcp'
    port: '{{ elasticsearch__transport_tcp_port }}'
elasticsearch__sysctl__dependent_parameters

Configuration for the debops.sysctl Ansible role.

# Sets the vm.max_map_count kernel parameter to 262144 through the
# debops.sysctl role.
elasticsearch__sysctl__dependent_parameters:

  - name: 'elasticsearch'
    weight: 80
    options:

      # The Elasticsearch .deb package sets this parameter by default, but
      # that breaks 'sysctl' usage in containers. The original file will be
      # diverted, and the role will configure the relevant setting for us,
      # automatically commenting it out inside of a container.
      - name: 'vm.max_map_count'
        comment: |
          Elasticsearch uses a mmapfs directory by default to store its
          indices. The default operating system limits on mmap counts is likely
          to be too low, which may result in out of memory exceptions.
          Ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html
        value: 262144
elasticsearch__extrepo__dependent_sources

Configuration for the debops.extrepo Ansible role.

# Requests the 'elastic' source from debops.extrepo.
# NOTE(review): this adds a third-party APT repository to the host, so its
# signing key becomes part of the package trust base; presumably the key is
# supplied by extrepo - confirm against the debops.extrepo documentation.
elasticsearch__extrepo__dependent_sources:
  - 'elastic'
elasticsearch__ferm__dependent_rules

Configuration for the debops.ferm Ansible role.

# Firewall rules handed to debops.ferm: one 'accept' rule per listening port,
# each restricted to the source addresses in the matching allow list.
# accept_any is false on both rules, so an empty allow list should not open
# the port to every address (the exact behaviour is defined by debops.ferm;
# confirm there). Unless authentication is enabled in Elasticsearch itself,
# these source lists are the main access control on the two ports.
elasticsearch__ferm__dependent_rules:
  # REST API port.
  - name: 'elasticsearch_http'
    type: 'accept'
    dport: '{{ elasticsearch__http_port }}'
    saddr: '{{ elasticsearch__allow_http }}'
    accept_any: false
  # Transport port.
  - name: 'elasticsearch_tcp'
    type: 'accept'
    dport: '{{ elasticsearch__transport_tcp_port }}'
    saddr: '{{ elasticsearch__allow_tcp }}'
    accept_any: false