debops.elasticsearch default variables
Sections
APT packages, version
The debops.elasticsearch role uses the debops.elatic_co Ansible role
to configure the Elastic APT repositories and install the packages. The role
also installs the Ansible facts that provide the elasticsearch
version.
- elasticsearch__base_packages
List of base APT packages to install.
elasticsearch__base_packages: [ 'elasticsearch' ]
- elasticsearch__packages
List of additional APT packages to install with Elasticsearch.
elasticsearch__packages: []
- elasticsearch__version
Store the detected Elasticsearch version in a convenient variable for conditional configuration.
elasticsearch__version: '{{ ansible_local.elasticsearch.version | d("0.0.0") }}'
UNIX user and group
- elasticsearch__user
Name of the UNIX user account used by Elasticsearch.
elasticsearch__user: 'elasticsearch'
- elasticsearch__group
Name of the UNIX primary group used by Elasticsearch.
elasticsearch__group: 'elasticsearch'
- elasticsearch__additional_groups
List of additional UNIX groups to which the Elasticsearch user will belong.
elasticsearch__additional_groups: '{{ [ "ssl-cert" ]
if elasticsearch__pki_enabled|bool
else [] }}'
Ansible inventory layout
- elasticsearch__inventory_group_all
Name of the Ansible inventory group which contains Elasticsearch host in a "homogeneous" configuration (each node having the same functions as every other node).
elasticsearch__inventory_group_all: 'debops_service_elasticsearch'
- elasticsearch__inventory_group_master
Name of the Ansible inventory group which contains Elasticsearch master nodes.
elasticsearch__inventory_group_master: 'debops_service_elasticsearch_master'
- elasticsearch__inventory_group_data
Name of the Ansible inventory group which contains Elasticsearch data nodes.
elasticsearch__inventory_group_data: 'debops_service_elasticsearch_data'
- elasticsearch__inventory_group_ingest
Name of the Ansible inventory group which contains Elasticsearch ingest nodes.
elasticsearch__inventory_group_ingest: 'debops_service_elasticsearch_ingest'
- elasticsearch__inventory_group_lb
Name of the Ansible inventory group which contains Elasticsearch load balancer nodes.
elasticsearch__inventory_group_lb: 'debops_service_elasticsearch_lb'
- elasticsearch__inventory_master_hosts
List of Ansible inventory hosts which should be treated as Elasticsearch master nodes. See Elasticsearch clustering for more details.
elasticsearch__inventory_master_hosts: '{{ (groups[elasticsearch__inventory_group_master]
| d(groups[elasticsearch__inventory_group_all]))
if elasticsearch__allow_tcp else [] }}'
- elasticsearch__initial_master_nodes
List of Elasticsearch nodes which will be bootstrapped as masters on the first cluster execution.
elasticsearch__initial_master_nodes: [ '{{ elasticsearch__node_name }}' ]
Firewall configuration
- elasticsearch__allow_http
List of IP addresses or CIDR subnets that can connect to the Elasticsearch HTTP service. This does not need to be set to allow the nodes to communicate. If this list is empty, nobody can connect to the HTTP server directly.
elasticsearch__allow_http: []
- elasticsearch__allow_tcp
List of IP addresses or CIDR subnets that can connect to the Elasticsearch TCP transport port. This variable needs to be set to allow nodes to communicate. If this list is empty, nobody can connect to the transport port and the Elasticsearch service is configured in a standalone mode.
elasticsearch__allow_tcp: []
Connection encryption, TLS
- elasticsearch__pki_enabled
Enable or disable support for TLS connection encryption based on DebOps PKI, managed by the debops.pki Ansible role.
elasticsearch__pki_enabled: '{{ (ansible_local.pki.enabled|d())|bool }}'
- elasticsearch__pki_base_path
The absolute path of th location of PKI realms.
elasticsearch__pki_base_path: '{{ ansible_local.pki.base_path | d("/etc/pki/realms") }}'
- elasticsearch__pki_realm
The PKI realm used by Elasticsearch cluster for the HTTP and Transport communication.
elasticsearch__pki_realm: '{{ ansible_local.pki.realm | d("domain") }}'
- elasticsearch__pki_ca_file
Name of the file which contains Certificate Authorities trusted by Elasticsearch, relative to the PKI realm directory.
elasticsearch__pki_ca_file: '{{ ansible_local.pki.ca | d("CA.crt") }}'
- elasticsearch__pki_key_file
Name of the file which contains the private key used by Elasticsearch for HTTP and Transport communication, relative to the PKI realm directory.
elasticsearch__pki_key_file: '{{ ansible_local.pki.key | d("default.key") }}'
- elasticsearch__pki_crt_file
Name of the file which contains the X.509 certificate chain used by Elasticsearch for HTTP and Transport communication, relative to the PKI realm directory. Java applications don't work well with Diffie-Hellman parameters embedded in the certificate chain, so let's use the "plain" one instead.
elasticsearch__pki_crt_file: 'public/cert_intermediate.pem'
- elasticsearch__tls_ca_certificate
Absolute path of the Certificate Authority certificate used by Elasticsearch.
elasticsearch__tls_ca_certificate: '{{ elasticsearch__pki_base_path + "/"
+ elasticsearch__pki_realm + "/"
+ elasticsearch__pki_ca_file }}'
- elasticsearch__tls_private_key
Absolute path of the private key used by Elasticsearch.
elasticsearch__tls_private_key: '{{ elasticsearch__pki_base_path + "/"
+ elasticsearch__pki_realm + "/"
+ elasticsearch__pki_key_file }}'
- elasticsearch__tls_certificate
Absolute path of the X.509 certificate used by Elasticsearch.
elasticsearch__tls_certificate: '{{ elasticsearch__pki_base_path + "/"
+ elasticsearch__pki_realm + "/"
+ elasticsearch__pki_crt_file }}'
Elastic X-Pack options
- elasticsearch__xpack_enabled
Enable or disable support for X-Pack plugin. The X-Pack support affects security features of Elasticsearch like TLS encryption in transit and user/role management.
By default, X-Pack will be enabled if Elasticsearch is configured as a cluster and PKI environment managed by the debops.pki Ansible role is configured on the host. Otherwise the support will be disabled since it's not useful in a standalone mode.
elasticsearch__xpack_enabled: '{{ True
if (elasticsearch__pki_enabled|bool and
elasticsearch__allow_tcp|d())
else False }}'
Elasticsearch users and roles management
- elasticsearch__api_base_url
The URL of the Elasticsearch API endpoint used to manage user accounts and
roles in the cluster, for example: https://example.org:9200. If not
specified, the role will not perform any API-based tasks.
Tasks are executed on one of the Elasticsearch hosts, only single host is used if multiple are in a given Ansible run.
elasticsearch__api_base_url: '{{ "https://" + ansible_fqdn + ":9200" }}'
- elasticsearch__api_username
Name of the Elasticsearch user account used to access the API. The built-in
elastic user account has superuser privileges.
elasticsearch__api_username: 'elastic'
- elasticsearch__api_password
The password used to access the Elasticsearch API, stored in the
secret/ directory, managed by the debops.secret Ansible role.
elasticsearch__api_password: '{{ lookup("password", secret + "/elasticsearch/credentials/"
+ "built-in/" + elasticsearch__api_username + "/password") }}'
- elasticsearch__native_roles
List of Elasticsearch "role" definitions which will be defined on all hosts in the Ansible inventory. See elasticsearch__native_roles for more details.
elasticsearch__native_roles: []
- elasticsearch__group_native_roles
List of Elasticsearch "role" definitions which will be defined on hosts in a specific Ansible inventory group. See elasticsearch__native_roles for more details.
elasticsearch__group_native_roles: []
- elasticsearch__host_native_roles
List of Elasticsearch "role" definitions which will be defined on specific hosts in the Ansible inventory. See elasticsearch__native_roles for more details.
elasticsearch__host_native_roles: []
- elasticsearch__combined_native_roles
The variable which combines all "native role" lists and is used in role tasks and templates.
elasticsearch__combined_native_roles: '{{ elasticsearch__native_roles
+ elasticsearch__group_native_roles
+ elasticsearch__host_native_roles }}'
- elasticsearch__native_users
List of Elasticsearch "user" definitions which will be defined on all hosts in the Ansible inventory. See elasticsearch__native_users for more details.
elasticsearch__native_users: []
- elasticsearch__group_native_users
List of Elasticsearch "user" definitions which will be defined on hosts in a specific Ansible inventory group. See elasticsearch__native_users for more details.
elasticsearch__group_native_users: []
- elasticsearch__host_native_users
List of Elasticsearch "user" definitions which will be defined on specific hosts in the Ansible inventory. See elasticsearch__native_users for more details.
elasticsearch__host_native_users: []
- elasticsearch__combined_native_users
The variable which combines all "native user" lists and is used in role tasks and templates.
elasticsearch__combined_native_users: '{{ elasticsearch__native_users
+ elasticsearch__group_native_users
+ elasticsearch__host_native_users }}'
Elasticsearch network options
- elasticsearch__network_host
List of network interface names or IP addresses on which Elasticsearch should
listen for connections. By default, if debops.ferm firewall is enabled,
Elasticsearch will listen on localhost and private IP addresses only. See
https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html
for more details.
elasticsearch__network_host: '{{ [ "_local_", "_site_" ]
if (ansible_local.ferm.enabled|d() and
ansible_local.ferm.enabled|bool)
else [ "_local_" ] }}'
- elasticsearch__http_port
The port on which Elasticsearch will listen for HTTP connections.
elasticsearch__http_port: '9200'
- elasticsearch__transport_tcp_port
The port on which Elasticsearch will listen for TCP transport connections.
elasticsearch__transport_tcp_port: '9300'
Elasticsearch cluster options
- elasticsearch__domain
The DNS domain of the host.
elasticsearch__domain: '{{ ansible_domain }}'
- elasticsearch__cluster_name
Name of the Elasticsearch cluster, should be the same on all of the cluster nodes. By default it's based on the host domain name.
elasticsearch__cluster_name: '{{ elasticsearch__domain | replace(".","-") }}'
- elasticsearch__node_name
Descriptive name of the Elasticsearch node, by default based on the hostname.
elasticsearch__node_name: '{{ ansible_hostname }}'
- elasticsearch__discovery_hosts
List of Elasticsearch nodes which should be contacted for unicast cluster discovery. See Elasticsearch clustering for more details.
elasticsearch__discovery_hosts: '{{ elasticsearch__inventory_master_hosts }}'
- elasticsearch__discovery_minimum_master_nodes
Minimum number of master-eligible nodes that are required to achieve quorum.
elasticsearch__discovery_minimum_master_nodes: '{{ "1" if (elasticsearch__inventory_master_hosts | count <= 2)
else ((elasticsearch__inventory_master_hosts | count / 2) | round(0, "floor") | int + 1) }}'
- elasticsearch__gateway_recover_after_nodes
Number of Elasticsearch nodes required to enable cluster initial recovery after full restart. Deprecated in Elasticsearch 7.7.0.
elasticsearch__gateway_recover_after_nodes: '{{ elasticsearch__discovery_minimum_master_nodes }}'
Node functions
These variables define the functionality of a given Elasticsearch node. See https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html for more details.
- elasticsearch__node_master
When enabled, this node is a master-eligible node and can be elected as a master.
Warning: this variable is not taken into account for master node calculations. See Elasticsearch clustering for more details.
elasticsearch__node_master: '{{ True
if (elasticsearch__inventory_group_master in group_names)
else (False
if (elasticsearch__inventory_group_data in group_names)
else (False
if (elasticsearch__inventory_group_ingest in group_names)
else (False
if (elasticsearch__inventory_group_lb in group_names)
else True))) }}'
- elasticsearch__node_data
When enabled, this node can hold the cluster data and perform various operations like searching and aggregation.
elasticsearch__node_data: '{{ True
if (elasticsearch__inventory_group_data in group_names)
else (False
if (elasticsearch__inventory_group_master in group_names)
else (False
if (elasticsearch__inventory_group_ingest in group_names)
else (False
if (elasticsearch__inventory_group_lb in group_names)
else True))) }}'
- elasticsearch__node_ingest
When enabled, this node can perform operations on documents before indexing them using an ingest pipeline.
elasticsearch__node_ingest: '{{ True
if (elasticsearch__inventory_group_ingest in group_names)
else (False
if (elasticsearch__inventory_group_master in group_names)
else (False
if (elasticsearch__inventory_group_data in group_names)
else (False
if (elasticsearch__inventory_group_lb in group_names)
else True))) }}'
Memory options
The variables below configure JVM memory allocation options. See https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html for more details.
- elasticsearch__memory_lock
Enable or disable memory lock depending on availability of required POSIX capabilities. If this variable is enabled, systemd memlock limit is configured.
elasticsearch__memory_lock: '{{ True
if (not (ansible_system_capabilities_enforced|d())|bool or
((ansible_system_capabilities_enforced|d())|bool and
"cap_ipc_lock" in (ansible_system_capabilities|d([]))))
else False }}'
- elasticsearch__systemd_limit_memlock
Specify maximum size of the process memory in bytes that the process is
allowed to lock in RAM and not have it stored in swap. Specify infinity
to disable the maximum limit. This setting is applied through the
systemd service unit.
elasticsearch__systemd_limit_memlock: 'infinity'
- elasticsearch__jvm_memory_heap_size_multiplier
This variable defines a float value which will be used to select the JVM heap size depending on the size of the available system RAM.
elasticsearch__jvm_memory_heap_size_multiplier: '{{ "0.2"
if (ansible_memtotal_mb|int / 2 <= 2048)
else "0.45" }}'
- elasticsearch__jvm_memory_min_heap_size
Specify the minimum JVM heap size, depending on the available system RAM.
elasticsearch__jvm_memory_min_heap_size: '{{ (((ansible_memtotal_mb|int
* elasticsearch__jvm_memory_heap_size_multiplier|float)
| round | int) | string + "m")
if (ansible_memtotal_mb|int / 2 <= 32768)
else "32600m" }}'
- elasticsearch__jvm_memory_max_heap_size
Specify the maximum JVM heap size, depending on the available system RAM. This usually should be the same as the minimum heap size, for performance reasons.
elasticsearch__jvm_memory_max_heap_size: '{{ elasticsearch__jvm_memory_min_heap_size }}'
Paths
The variables below configure paths used by Elasticsearch. See https://www.elastic.co/guide/en/elasticsearch/reference/current/important-settings.html#path-settings for more details.
- elasticsearch__path_data
List of all data paths. They will be created and permissions will be updated if needed.
elasticsearch__path_data:
- '/var/lib/elasticsearch'
Elasticsearch configuration file
The variables below define the contents of the
/etc/elasticsearch/elasticsearch.yml configuration file.
See elasticsearch__configuration for the details and configuration
syntax.
- elasticsearch__original_configuration
The original configuration options present in the default Elasticsearch configuration file.
elasticsearch__original_configuration:
- name: 'cluster.name'
comment: 'Use a descriptive name for your cluster'
value: 'node-1'
state: 'comment'
- name: 'node.name'
comment: 'Use a descriptive name for the node'
value: 'node-1'
state: 'comment'
- name: 'node.attr.rack'
comment: 'Add custom attributes to the node'
value: 'r1'
state: 'comment'
- name: 'path.data'
comment: |
Path to directory where to store the data
(separate multiple locations by comma)
value: '/var/lib/elasticsearch'
- name: 'path.logs'
comment: 'Path to log files'
value: '/var/log/elasticsearch'
- name: 'bootstrap.memory_lock'
comment: |
Lock the memory on startup
Make sure that the heap size is set to about half the memory available
on the system and that the owner of the process is allowed to use this
limit.
Elasticsearch performs poorly when the system is swapping the memory.
value: True
state: 'comment'
- name: 'network.host'
comment: 'Set the bind address to a specific IP (IPv4 or IPv6)'
value: '192.160.0.1'
state: 'comment'
- name: 'http.port'
comment: 'Set a custom port for HTTP'
value: '9200'
state: 'comment'
- name: '{{ "discovery.zen.ping.unicast.hosts"
if (elasticsearch__version is version("7.0.0", "<"))
else "discovery.seed_hosts" }}'
comment: |
Pass an initial list of hosts to perform discovery when new node is started:
The default list of hosts is ["127.0.0.1", "[::1]"]
value: [ 'host1', 'host2' ]
state: 'comment'
- name: 'cluster.initial_master_nodes'
comment: 'Bootstrap the cluster using an initial set of master-eligible nodes:'
value: [ 'node-1', 'node-2' ]
state: 'comment'
- name: 'action.destructive_requires_name'
comment: 'Require explicit names when deleting indices'
value: True
state: 'comment'
- elasticsearch__default_configuration
List of default configuration options defined by the role.
elasticsearch__default_configuration:
- name: 'cluster.name'
value: '{{ elasticsearch__cluster_name }}'
state: 'present'
- name: 'node.roles'
comment: 'Roles assigned to the node'
state: '{{ "present" if (elasticsearch__version is version("7.9.0", ">=") and elasticsearch__node_master) else "absent" }}'
value:
- 'master'
- name: 'node.roles'
state: '{{ "present" if (elasticsearch__version is version("7.9.0", ">=") and elasticsearch__node_data) else "absent" }}'
value:
- 'data'
- name: 'node.roles'
state: '{{ "present" if (elasticsearch__version is version("7.9.0", ">=") and elasticsearch__node_ingest) else "absent" }}'
value:
- 'ingest'
- name: 'node.master'
comment: 'Type of the node'
value: '{{ elasticsearch__node_master }}'
state: '{{ "present" if (elasticsearch__version is version("7.9.0", "<")) else "absent" }}'
- name: 'node.data'
value: '{{ elasticsearch__node_data }}'
state: '{{ "present" if (elasticsearch__version is version("7.9.0", "<")) else "absent" }}'
- name: 'node.ingest'
value: '{{ elasticsearch__node_ingest }}'
state: '{{ "present" if (elasticsearch__version is version("7.9.0", "<")) else "absent" }}'
- name: 'node.name'
value: '{{ elasticsearch__node_name }}'
state: 'present'
- name: 'network.host'
value: '{{ elasticsearch__network_host }}'
state: 'present'
- name: 'http.port'
value: '{{ elasticsearch__http_port }}'
state: 'present'
- name: '{{ "transport.tcp.port"
if (elasticsearch__version is version("7.1.0", "<"))
else "transport.port" }}'
comment: 'Set a custom port for TCP transport'
value: '{{ elasticsearch__transport_tcp_port }}'
state: 'present'
# Reset the default host list
- name: '{{ "discovery.zen.ping.unicast.hosts"
if (elasticsearch__version is version("7.0.0", "<"))
else "discovery.seed_hosts" }}'
value: ''
state: 'present'
- name: '{{ "discovery.zen.ping.unicast.hosts"
if (elasticsearch__version is version("7.0.0", "<"))
else "discovery.seed_hosts" }}'
value: '{{ elasticsearch__discovery_hosts }}'
state: '{{ "present" if elasticsearch__discovery_hosts else "absent" }}'
- name: 'discovery.zen.minimum_master_nodes'
comment: |
Prevent the "split brain" by configuring the majority of nodes
(total number of master-eligible nodes / 2 + 1)
value: '{{ elasticsearch__discovery_minimum_master_nodes }}'
state: '{{ "present" if (elasticsearch__version is version("7.0.0", "<")) else "absent" }}'
# Reset the default host list
- name: 'cluster.initial_master_nodes'
value: ''
state: 'present'
- name: 'cluster.initial_master_nodes'
value: '{{ elasticsearch__initial_master_nodes }}'
state: '{{ "absent"
if (elasticsearch__version is version("7.0.0", "<"))
else "present" }}'
- name: 'gateway.recover_after_nodes'
comment: 'Block initial recovery after a full cluster restart until N nodes are started'
value: '{{ elasticsearch__gateway_recover_after_nodes }}'
state: '{{ "present" if (elasticsearch__version is version("7.7.0", "<")) else "absent" }}'
- name: 'action.destructive_requires_name'
value: True
state: 'present'
- name: 'bootstrap.memory_lock'
value: '{{ True if elasticsearch__memory_lock|bool else False }}'
state: 'present'
- name: 'path.data'
value: '{{ elasticsearch__path_data }}'
state: 'present'
- name: 'xpack.security.enabled'
value: True
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.http.ssl.enabled'
value: True
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.http.ssl.verification_mode'
value: 'certificate'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
# The client verification is optional in HTTP communication to avoid
# forcing Kibana and other clients to present their own X.509 client
# certificates to the Elasticsearch service.
- name: 'xpack.security.http.ssl.client_authentication'
value: 'optional'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.http.ssl.key'
value: '{{ elasticsearch__tls_private_key }}'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.http.ssl.certificate'
value: '{{ elasticsearch__tls_certificate }}'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.http.ssl.certificate_authorities'
value: '{{ elasticsearch__tls_ca_certificate }}'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.transport.ssl.enabled'
value: True
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.transport.ssl.verification_mode'
value: 'certificate'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.transport.ssl.client_authentication'
value: 'required'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.transport.ssl.key'
value: '{{ elasticsearch__tls_private_key }}'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.transport.ssl.certificate'
value: '{{ elasticsearch__tls_certificate }}'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- name: 'xpack.security.transport.ssl.certificate_authorities'
value: '{{ elasticsearch__tls_ca_certificate }}'
state: '{{ "present" if elasticsearch__xpack_enabled|bool else "absent" }}'
- elasticsearch__configuration
List of configuration options defined on all hosts in the Ansible inventory.
elasticsearch__configuration: []
- elasticsearch__master_configuration
List of configuration options defined on Elasticsearch master nodes (needs to be placed in appropriate Ansible inventory group).
elasticsearch__master_configuration: []
- elasticsearch__data_configuration
List of configuration options defined on Elasticsearch data nodes (needs to be placed in appropriate Ansible inventory group).
elasticsearch__data_configuration: []
- elasticsearch__ingest_configuration
List of configuration options defined on Elasticsearch ingest nodes (needs to be placed in appropriate Ansible inventory group).
elasticsearch__ingest_configuration: []
- elasticsearch__lb_configuration
List of configuration options defined on Elasticsearch load balancer nodes (needs to be placed in appropriate Ansible inventory group).
elasticsearch__lb_configuration: []
- elasticsearch__group_configuration
List of configuration options defined on hosts in specific Ansible inventory group.
elasticsearch__group_configuration: []
- elasticsearch__host_configuration
List of configuration options defined on specific hosts in the Ansible inventory.
elasticsearch__host_configuration: []
- elasticsearch__plugin_configuration
List of configuration options defined separately for any Elasticsearch plugins. See elasticsearch__plugins for more details.
elasticsearch__plugin_configuration: '{{ lookup("template",
"lookup/elasticsearch__plugin_configuration.j2")
| from_yaml }}'
- elasticsearch__dependent_role
A string that identifies another Ansible role that uses the
debops.elasticsearch role as a dependency. This value is needed to
correctly store the dependent configuration options.
See Usage as a role dependency for more details.
elasticsearch__dependent_role: ''
- elasticsearch__dependent_state
Specify the state of the dependent configuration options, either present
(options should be included in the configuration file) or absent (options
should be removed from the configuration file).
See Usage as a role dependency for more details.
elasticsearch__dependent_state: 'present'
- elasticsearch__dependent_configuration
List of Elasticsearch configuration options defined by another Ansible role and specified using role dependent variables.
elasticsearch__dependent_configuration: []
- elasticsearch__dependent_configuration_filter
Actual variable used in the combined Elasticsearch configuration that unwraps
the dependent configuration specified by other Ansible roles and converts it
into format understood by the debops.elasticsearch configuration
template. See Usage as a role dependency for more details.
elasticsearch__dependent_configuration_filter: '{{ lookup("template",
"lookup/elasticsearch__dependent_configuration_filter.j2")
| from_yaml }}'
- elasticsearch__combined_configuration
Actual list of Elasticsearch configuration options passed to the configuration template. This list defines the order in which the options from different variables are processed.
elasticsearch__combined_configuration: '{{ lookup("flattened", (elasticsearch__original_configuration
+ elasticsearch__default_configuration
+ elasticsearch__plugin_configuration
+ elasticsearch__dependent_configuration_filter
+ elasticsearch__configuration
+ elasticsearch__master_configuration
+ elasticsearch__data_configuration
+ elasticsearch__ingest_configuration
+ elasticsearch__lb_configuration
+ elasticsearch__group_configuration
+ elasticsearch__host_configuration)) }}'
- elasticsearch__configuration_sections
List of sections defined in the /etc/elasticsearch/elasticsearch.yml
configuration file and corresponding variable groups.
See elasticsearch__configuration_sections for more details.
elasticsearch__configuration_sections:
- name: 'Cluster'
part: 'cluster'
- name: 'Node'
part: 'node'
- name: 'Paths'
part: 'path'
- name: 'Memory'
part: 'bootstrap'
- name: 'Network'
parts: [ 'network', 'http', 'transport' ]
- name: 'Discovery'
part: 'discovery'
- name: 'Gateway'
part: 'gateway'
- name: 'X-Pack'
part: 'xpack'
- name: 'Search Guard'
part: 'searchguard'
- name: 'ReadonlyREST'
part: 'readonlyrest'
Plugin configuration
These variables define lists of Elasticsearch plugins to install/remove, as well as additional configuration options for them. See elasticsearch__plugins for more details.
- elasticsearch__plugins
List of Elasticsearch plugins to manage on all hosts in the Ansible inventory.
elasticsearch__plugins: []
- elasticsearch__master_plugins
List of Elasticsearch plugins to manage on master nodes (variable needs to be defined in appropriate Ansible inventory group).
elasticsearch__master_plugins: []
- elasticsearch__data_plugins
List of Elasticsearch plugins to manage on data nodes (variable needs to be defined in appropriate Ansible inventory group).
elasticsearch__data_plugins: []
- elasticsearch__ingest_plugins
List of Elasticsearch plugins to manage on ingest nodes (variable needs to be defined in appropriate Ansible inventory group).
elasticsearch__ingest_plugins: []
- elasticsearch__lb_plugins
List of Elasticsearch plugins to manage on load balancer nodes (variable needs to be defined in appropriate Ansible inventory group).
elasticsearch__lb_plugins: []
- elasticsearch__group_plugins
List of Elasticsearch plugins to manage on hosts in specific Ansible inventory group.
elasticsearch__group_plugins: []
- elasticsearch__host_plugins
List of Elasticsearch plugins to manage on specific hosts in the Ansible inventory.
elasticsearch__host_plugins: []
- elasticsearch__combined_plugins
Actual list of Elasticsearch plugins that combines other plugin variables and is used in the Ansible tasks and the configuration template.
elasticsearch__combined_plugins: '{{ lookup("flattened", (elasticsearch__plugins
+ elasticsearch__master_plugins
+ elasticsearch__data_plugins
+ elasticsearch__ingest_plugins
+ elasticsearch__lb_plugins
+ elasticsearch__group_plugins
+ elasticsearch__host_plugins)) }}'
Java Policy configuration
Java Policy defines what paths and resources can be accessed by the
Elasticsearch application. By default the file access is limited to the
/etc/elasticsearch/ directory, but in DebOps we want to grant access
to the PKI directories managed by the debops.pki role to support
encrypted communication in the cluster.
- elasticsearch__java_policy
This variable contains the contents of the java.policy configuration
file for Elasticsearch.
elasticsearch__java_policy: |
// default permissions granted to all domains
grant {
// allows anyone to listen on dynamic ports
permission java.net.SocketPermission "localhost:0", "listen";
// "standard" properties that can be read by anyone
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission
"java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission
"java.vm.specification.version", "read";
permission java.util.PropertyPermission
"java.vm.specification.vendor", "read";
permission java.util.PropertyPermission
"java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
permission java.io.FilePermission "{{ elasticsearch__pki_base_path }}/-", "read";
permission java.io.FilePermission "{{ elasticsearch__pki_base_path }}/", "read";
permission java.io.FilePermission "/etc/ssl/certs/-", "read";
permission java.io.FilePermission "/etc/ssl/certs/", "read";
};
Configuration for other Ansible roles
- elasticsearch__etc_services__dependent_list
Configuration for the debops.etc_services Ansible role.
elasticsearch__etc_services__dependent_list:
- name: 'elasticsearch-http'
port: '{{ elasticsearch__http_port }}'
- name: 'elasticsearch-tcp'
port: '{{ elasticsearch__transport_tcp_port }}'
- elasticsearch__sysctl__dependent_parameters
Configuration for the debops.sysctl Ansible role.
elasticsearch__sysctl__dependent_parameters:
- name: 'elasticsearch'
weight: 80
options:
# This parameter is set by default by the Elasticsearch .deb package,
# but this breaks 'sysctl' usage in containers. The original file will
# be diverted, and the role will configure the relevant setting for us,
# automatically commenting it out inside of a container.
- name: 'vm.max_map_count'
comment: |
Elasticsearch uses a mmapfs directory by default to store its
indices. The default operating system limits on mmap counts is likely
to be too low, which may result in out of memory exceptions.
Ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html
value: 262144
- elasticsearch__extrepo__dependent_sources
Configuration for the debops.extrepo Ansible role.
elasticsearch__extrepo__dependent_sources:
- 'elastic'
- elasticsearch__ferm__dependent_rules
Configuration for the debops.ferm Ansible role.
elasticsearch__ferm__dependent_rules:
- name: 'elasticsearch_http'
type: 'accept'
dport: '{{ elasticsearch__http_port }}'
saddr: '{{ elasticsearch__allow_http }}'
accept_any: False
- name: 'elasticsearch_tcp'
type: 'accept'
dport: '{{ elasticsearch__transport_tcp_port }}'
saddr: '{{ elasticsearch__allow_tcp }}'
accept_any: False