Getting started

Upstream package is used by default

The Debian and Ubuntu archives contain the elasticsearch packages, however they are very old releases (1.x). The security support for the package in Debian has been discontinued due to issues with upstream security policy (Debian Bug #803713). Debian Developers suggest that in production environments the upstream version should be used to provide adequate security updates.

Due to the above reasons, the role is focused on the upstream Elasticsearch release only (5.x+). The package installation itself is handled by the debops.elastic_co Ansible role which also manages upstream APT repository configuration.

Elasticsearch is insecure by default

The Elasticsearch service in the default configuration supports only plaintext connections between the cluster nodes themselves, and between the cluster and clients. There's no client authentication or authorization policies as well. Due to that you should take care to not expose your Elasticsearch cluster to the outside world without proper encryption and authentication.

You can install additional plugins that provide encrypted connections, authentication, authorization and access control:

  • X-Pack, an Elastic commercial plugin with free trial period. Supports encryption, authentication, access control, integrates with Kibana and Logstash. Since the plugin is developed by the same team, its releases are in parallel with Elasticsearch.
  • Search Guard, an open source third party plugin with commercial support. Has features comparable with X-Pack, with more basic features like HTTP and transport encryption, basic authentication and access control available free of charge.
  • ReadonlyREST, an open source security plugin focused on the Elasticsearch HTTP REST interface security.

Standalone deployment or cluster

With the default configuration, the debops.elasticsearch role will deploy the Elasticsearch service in a "standalone" mode without exposing the service to the outside world. This allows easy deployments for development or testing purposes.

In production environment, you are strongly advised to deploy Elasticsearch on at least three (3) nodes to ensure consistency in the cluster. To enable cluster mode, you will need to configure the firewall for Elasticsearch and use one or multiple Ansible inventory groups to design your cluster architecture.

The role currently does not support deployment of multiple Elasticsearch instances on one host. As an alternative, consider setting up an internal container environment with each Elasticsearch instance in a separate container with its own IP address or use Elastic Cloud Elasticsearch Service which does this for you and more.

See the Elasticsearch clustering for more details.

Use as a role dependency

The Elasticsearch main configuration file does not support an include statement or conf.d directory. To mitigate that and allow multiple Elasticsearch configuration sources from other Ansible roles, the debops.elasticsearch role supports operation as a dependent role. This functionality can be used by other Ansible roles to better manage Elasticsearch plugins or extend the cluster configuration without the need to implement the entire role again and with preserved idempotency.

See the Usage as a role dependency for more details.

Example inventory

To deploy Elasticsearch in a standalone mode, you can add the host to the [debops_service_elasticsearch] Ansible inventory group:


The default playbook supports use of different Ansible inventory groups for different types of Elasticsearch nodes. See Elasticsearch clustering for more details.

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.elasticsearch role:


- name: Manage Elasticsearch cluster
  hosts: [ 'debops_service_elasticsearch',
           'debops_service_elasticsearch_lb' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'


    - role: debops.keyring
      tags: [ 'role::keyring', 'skip::keyring', 'role::elastic_co' ]
        - '{{ elastic_co__keyring__dependent_apt_keys }}'

    - role: debops.elasticsearch/env
      tags: [ 'role::elasticsearch', 'role::secret', 'role::elasticsearch:config' ]

    - role: debops.secret
      tags: [ 'role::secret', 'role::elasticsearch', 'role::elasticsearch:config' ]
        - '{{ elasticsearch__secret__directories }}'

    - role: debops.apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
        - '{{ java__apt_preferences__dependent_list }}'
        - '{{ elastic_co__apt_preferences__dependent_list }}'

    - role: debops.etc_services
      tags: [ 'role::etc_services', 'skip::etc_services' ]
        - '{{ elasticsearch__etc_services__dependent_list }}'

    - role: debops.sysctl
      tags: [ 'role::sysctl', 'skip::sysctl' ]
        - '{{ elasticsearch__sysctl__dependent_parameters }}'

    - role: debops.ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
        - '{{ elasticsearch__ferm__dependent_rules }}'

    - role:
      tags: [ 'role::java', 'skip::java' ]

    - role: debops.elastic_co
      tags: [ 'role::elastic_co', 'skip::elastic_co' ]
        - '{{ elasticsearch__elastic_co__dependent_packages }}'

    - role: debops.elasticsearch
      tags: [ 'role::elasticsearch', 'skip::elasticsearch' ]

Ansible tags

You can use Ansible --tags or --skip-tags parameters to limit what tasks are performed during Ansible run. This can be used after a host was first configured to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.
Generate the Elasticsearch configuration taking into account different configuration sources.