From 18bade606af5bab2df396685ce11fd330d445108 Mon Sep 17 00:00:00 2001 
From: JocelynPa Date: Fri, 3 Mar 2023 19:01:11 +0100 Subject: [PATCH] V03 --- README.md | 0 install_splunk.yml | 24 +++ install_splunk_uf.yml | 23 +++ install_splunk_uf_win.yml | 10 ++ inventory/cluster/hosts.yml | 27 ++++ inventory/group_vars/all_splunk_instances.yml | 49 +++++++ roles/splunk_common/handlers/main.yml | 4 + roles/splunk_common/tasks/install_splunk.yml | 39 +++++ .../install_tasks/install_splunk_msi.yml | 7 + .../install_tasks/install_splunk_tgz.yml | 13 ++ roles/splunk_common/tasks/main.yml | 138 ++++++++++++++++++ .../post_install_subtasks/clean_user_seed.yml | 7 + .../configure_ssl_on_splunk.yml | 48 ++++++ .../post_install_subtasks/enable_service.yml | 109 ++++++++++++++ .../post_install_subtasks/install_java.yml | 30 ++++ .../register_splunk_secret.yml | 21 +++ .../remove_first_login.yml | 10 ++ .../post_install_subtasks/set_http_port.yml | 8 + .../post_install_subtasks/set_mgmt_port.yml | 7 + .../set_root_endpoint.yml | 19 +++ .../set_splunk_secret.yml | 35 +++++ .../post_install_subtasks/set_user_seed.yml | 42 ++++++ .../setup_optimistic_locking.yml | 7 + .../change_splunk_directory_owner.yml | 10 ++ .../tasks/pre_install_subtasks/get_facts.yml | 56 +++++++ .../get_facts_build_type.yml | 21 +++ .../get_facts_target_version.yml | 13 ++ roles/splunk_common/tasks/start_splunk.yml | 45 ++++++ roles/splunk_common/tasks/stop_splunk.yml | 40 +++++ roles/splunk_common/vars/main.yml | 3 + .../splunk_common_uf/tasks/install_splunk.yml | 39 +++++ .../install_tasks/install_splunk_tgz.yml | 13 ++ roles/splunk_common_uf/tasks/main.yml | 92 ++++++++++++ .../post_install_subtasks/clean_user_seed.yml | 7 + .../post_install_subtasks/enable_service.yml | 109 ++++++++++++++ .../post_install_subtasks/install_java.yml | 30 ++++ .../register_splunk_secret.yml | 21 +++ .../remove_first_login.yml | 10 ++ .../set_splunk_secret.yml | 33 +++++ .../post_install_subtasks/set_user_seed.yml | 42 ++++++ .../change_splunk_directory_owner.yml | 10 ++ 
.../tasks/pre_install_subtasks/get_facts.yml | 53 +++++++ .../get_facts_build_type.yml | 21 +++ .../get_facts_target_version.yml | 13 ++ roles/splunk_common_uf/tasks/start_splunk.yml | 45 ++++++ roles/splunk_common_uf/tasks/stop_splunk.yml | 40 +++++ test_ping.yml | 7 + 47 files changed, 1450 insertions(+) create mode 100644 README.md create mode 100644 install_splunk.yml create mode 100755 install_splunk_uf.yml create mode 100755 install_splunk_uf_win.yml create mode 100644 inventory/cluster/hosts.yml create mode 100644 inventory/group_vars/all_splunk_instances.yml create mode 100755 roles/splunk_common/handlers/main.yml create mode 100755 roles/splunk_common/tasks/install_splunk.yml create mode 100644 roles/splunk_common/tasks/install_tasks/install_splunk_msi.yml create mode 100644 roles/splunk_common/tasks/install_tasks/install_splunk_tgz.yml create mode 100755 roles/splunk_common/tasks/main.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/clean_user_seed.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/configure_ssl_on_splunk.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/enable_service.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/install_java.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/register_splunk_secret.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/remove_first_login.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/set_http_port.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/set_mgmt_port.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/set_root_endpoint.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/set_splunk_secret.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/set_user_seed.yml create mode 100755 roles/splunk_common/tasks/post_install_subtasks/setup_optimistic_locking.yml create mode 100644 
roles/splunk_common/tasks/pre_install_subtasks/change_splunk_directory_owner.yml create mode 100644 roles/splunk_common/tasks/pre_install_subtasks/get_facts.yml create mode 100644 roles/splunk_common/tasks/pre_install_subtasks/get_facts_build_type.yml create mode 100644 roles/splunk_common/tasks/pre_install_subtasks/get_facts_target_version.yml create mode 100755 roles/splunk_common/tasks/start_splunk.yml create mode 100755 roles/splunk_common/tasks/stop_splunk.yml create mode 100644 roles/splunk_common/vars/main.yml create mode 100755 roles/splunk_common_uf/tasks/install_splunk.yml create mode 100755 roles/splunk_common_uf/tasks/install_tasks/install_splunk_tgz.yml create mode 100755 roles/splunk_common_uf/tasks/main.yml create mode 100755 roles/splunk_common_uf/tasks/post_install_subtasks/clean_user_seed.yml create mode 100755 roles/splunk_common_uf/tasks/post_install_subtasks/enable_service.yml create mode 100755 roles/splunk_common_uf/tasks/post_install_subtasks/install_java.yml create mode 100755 roles/splunk_common_uf/tasks/post_install_subtasks/register_splunk_secret.yml create mode 100755 roles/splunk_common_uf/tasks/post_install_subtasks/remove_first_login.yml create mode 100755 roles/splunk_common_uf/tasks/post_install_subtasks/set_splunk_secret.yml create mode 100755 roles/splunk_common_uf/tasks/post_install_subtasks/set_user_seed.yml create mode 100755 roles/splunk_common_uf/tasks/pre_install_subtasks/change_splunk_directory_owner.yml create mode 100755 roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts.yml create mode 100755 roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts_build_type.yml create mode 100755 roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts_target_version.yml create mode 100755 roles/splunk_common_uf/tasks/start_splunk.yml create mode 100755 roles/splunk_common_uf/tasks/stop_splunk.yml create mode 100644 test_ping.yml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/install_splunk.yml b/install_splunk.yml
new file mode 100644
index 0000000..f7cf668
--- /dev/null
+++ b/install_splunk.yml
@@ -0,0 +1,24 @@
+- hosts: all_splunk_instances
+ tasks:
+ - name: Gathering Facts
+ include_tasks: roles/splunk_common/tasks/pre_install_subtasks/get_facts.yml
+ when:
+ - splunk_get_fact is not defined
+
+- hosts: all_splunk_instances
+ serial:
+ - 1
+ - 100%
+ roles:
+ - splunk_common
+ tags: all,installation
+
+- hosts: localhost
+ connection: local
+ tasks:
+ - name: Cleanup secret
+ file:
+ dest: "/tmp/splunk_secret"
+ state: "absent"
+ become: yes
+ become_user: root
\ No newline at end of file
diff --git a/install_splunk_uf.yml b/install_splunk_uf.yml
new file mode 100755
index 0000000..c20e8b1
--- /dev/null
+++ b/install_splunk_uf.yml
@@ -0,0 +1,23 @@
+---
+- hosts: splunk_uf_Linux_TIC
+ tasks:
+ - name: Gathering Facts
+ include_tasks: roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts.yml
+ when:
+ - splunk_get_fact is not defined
+
+- hosts: splunk_uf_Linux_TIC
+ serial:
+ - 1
+ - 100%
+ roles:
+ - splunk_common_uf
+ tags: all,installation
+
+- hosts: localhost
+ connection: local
+ tasks:
+ - name: Cleanup secret
+ file:
+ dest: "/tmp/splunk_secret"
+ state: "absent"
\ No newline at end of file
diff --git a/install_splunk_uf_win.yml b/install_splunk_uf_win.yml
new file mode 100755
index 0000000..8798066
--- /dev/null
+++ b/install_splunk_uf_win.yml
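Review bot: The shared `splunk.secret` is staged at the fixed path `/tmp/splunk_secret` on the control node, and the only thing that removes it is the final `Cleanup secret` play, which never runs if an earlier play aborts. A predictable name in a world-writable directory can be pre-created or read by another local user, so the staging file is better created with the `tempfile` module in a directory only the Ansible user can read, with its path passed on as a fact. The same path is hard-coded in install_splunk_uf.yml, register_splunk_secret.yml and set_splunk_secret.yml. The cleanup in install_splunk.yml runs as root while the one in install_splunk_uf.yml has no `become`; use the same privilege in both so the file can always be deleted.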
@@ -0,0 +1,10 @@
+- hosts: splunk_uf_win_m-tic
+ name: Copy source forwarder windows
+ ansible.windows.win.copy:
+ src: "{{ playbook_dir }}/roles/sources/{{ hostvars ['127.0.0.1'].splunkforwarder-8.1.3-63079c59e632-x64-release.msi }}"
+ dest: "C:\Temp\"
+
+- hosts: splunk_uf_win_m-tic
+ name: Install SplunkForwarder Windows
+ win_command: C:\Windows\System32\msiexec.exe /i C:\Temp\splunkforwarder-8.1.3-63079c59e632-x64-release.msi AGREETOLICENSE=Yes SPLUNKUSERNAME=admin SPLUNKPASSWORD=Adm1nPa$$w0rd /quiet
+ when: splunkforwarder_installed.exists == false
\ No newline at end of file
diff --git a/inventory/cluster/hosts.yml b/inventory/cluster/hosts.yml
new file mode 100644
index 0000000..57adbd6
--- /dev/null
+++ b/inventory/cluster/hosts.yml
@@ -0,0 +1,27 @@
+all_splunk_instances:
+ children:
+ splunk_search_head_TIC:
+ hosts:
+ SVLCTPLOGPUB01.mom.fr:
+ SVLCTPLOGPUB02.mom.fr:
+ splunk_indexer_TIC:
+ hosts:
+ SVLCTPLOGIDX01.mom.fr:
+ SVLCTPLOGIDX02.mom.fr:
+ splunk_licence_master:
+ hosts:
+ SVLCTPLOGLMR.mom.fr:
+ splunk_uf_Linux_TIC:
+ hosts:
+ SVLCTPSUPPFI01.mom.fr:
+ SVLCTPSUPPFI02.mom.fr:
+ 10.10.30.16:
+ splunk_uf_Windows_TIC:
+ hosts:
+ SVWCTPSUPPFI01.mom.fr:
+ splunk_deployement_TIC:
+ hosts:
+ SVLCTPLOGSUP01.mom.fr:
+ splunk_monitoring_TIC:
+ hosts:
+ SVLCTPLOGSUP01.mom.fr:
\ No newline at end of file
diff --git a/inventory/group_vars/all_splunk_instances.yml b/inventory/group_vars/all_splunk_instances.yml
new file mode 100644
index 0000000..f670e85
--- /dev/null
+++ b/inventory/group_vars/all_splunk_instances.yml
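Review bot: The Splunk admin password is written in clear text on the `msiexec` command line in install_splunk_uf_win.yml (`SPLUNKPASSWORD=...`), so it is now in the repository history and will be echoed in Ansible output; it should come from a vaulted variable, the task should set `no_log: true`, and the committed value should be rotated. The file is also not a loadable playbook as written: neither play has a `tasks:` key, `ansible.windows.win.copy` is not a module name (the collection module is `ansible.windows.win_copy`), `"C:\Temp\"` is an invalid double-quoted YAML scalar, and the `src` expression subtracts names instead of naming the MSI. `splunkforwarder_installed` is never registered in this file, and the `splunk_uf_win_m-tic` group does not appear in inventory/cluster/hosts.yml in this patch, which defines `splunk_uf_Windows_TIC`. A possible shape is below; the two `splunk_*` variables are the ones this patch defines in group_vars and would have to be in scope for the Windows group.

```yaml
- hosts: splunk_uf_Windows_TIC
  tasks:
    - name: Copy source forwarder windows
      ansible.windows.win_copy:
        src: "{{ playbook_dir }}/roles/sources/splunkforwarder-8.1.3-63079c59e632-x64-release.msi"
        dest: 'C:\Temp\'

    - name: Install SplunkForwarder Windows
      ansible.windows.win_command: >-
        C:\Windows\System32\msiexec.exe /i
        C:\Temp\splunkforwarder-8.1.3-63079c59e632-x64-release.msi
        AGREETOLICENSE=Yes
        SPLUNKUSERNAME={{ splunk_admin_user }}
        SPLUNKPASSWORD={{ splunk_password }}
        /quiet
      no_log: true
      # … unchanged: the `when:` guard, once splunkforwarder_installed is registered by an earlier task …
```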
@@ -0,0 +1,49 @@
+---
+ansible_user: admin
+privileged_user: root
+retry_num: 3
+delay_num: 3
+hide_password: false
+
+ansible_script_version: 1.0
+author: VABOS
+
+splunk_upgrade: false
+
+splunk_home_ownership_enforcement: true
+splunk_user: splunk
+splunk_group: splunk
+splunk_build_location: /tmp/splunk
+splunk_build_location_uf: /tmp/splunk
+splunk_build_remote_src: true
+splunk_build_type: tgz
+splunk_opt: /opt
+splunk_home: /opt/splunk
+splunk_home_uf: /opt/splunkforwarder
+splunk_exec: /opt/splunk/bin/splunk
+splunk_exec_uf: /opt/splunkforwarder/bin/splunk
+splunk_enable_service: false
+splunk_password: 921223Jocpam!?
+splunk_admin_user: adminsplunk
+splunk_general_pass4SymmKey: Asf#oQcAjOAnw^#zCE#Nd2R0#27j0@
+splunk_secret: 6XHPsFI2^jsYI&^ITvxzk#SZBcr1^n
+splunk_svc_port: 8089
+splunk_http_port: 8000
+splunk_enableSSL: true
+splunk_ssl_cert_password: CHANGEME
+splunk_ssl_generate_cert: false
+splunk_ssl_generate_root_cert: false
+splunk_s2s_port: 9997
+splunk_replication_port: 9100
+splunk_shcluster_replication_port: 9200
+splunk_shcluster_mode: member
+
+splunk_optimistic_about_file_locking: true
+splunk_single_instance: false
+
+#splunk_site: site0
+#splunk_multisite: false
+#splunk_license_uri: /splunk_apps/splunk.license
+
+splunk_idxc_pass4SymmKey: 1nZ7lubH^KTqKyS3#h5Ad9V^Xkrttq
+splunk_app_prefix: SPL
\ No newline at end of file
diff --git a/roles/splunk_common/handlers/main.yml b/roles/splunk_common/handlers/main.yml
new file mode 100755
index 0000000..fd2f43a
--- /dev/null
+++ b/roles/splunk_common/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+# handlers file for splunk_common
+- name: "Restart the splunkd service"
+ include_tasks: "{{ playbook_dir }}/common/handlers/restart_splunk.yml"
diff --git a/roles/splunk_common/tasks/install_splunk.yml b/roles/splunk_common/tasks/install_splunk.yml
new file mode 100755
index 0000000..7c08fc4
--- /dev/null
+++ b/roles/splunk_common/tasks/install_splunk.yml
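Review bot: `splunk_password`, `splunk_general_pass4SymmKey`, `splunk_secret` and `splunk_idxc_pass4SymmKey` are committed as plain text in inventory/group_vars/all_splunk_instances.yml, so anyone with read access to the repository holds the admin credential and the keys that protect cluster traffic and stored passwords. Encrypt these values with `ansible-vault` (or look them up from a secret store) and rotate the ones in this commit, since they stay in history. `hide_password: false` also switches off every `no_log: "{{ hide_password }}"` in the roles, so the default should be `hide_password: true`. Separately, `ansible_script_version: 1.0` parses as a float; quote it as `"1.0"`.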
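Review bot: The handler in roles/splunk_common/handlers/main.yml includes `{{ playbook_dir }}/common/handlers/restart_splunk.yml`, but no file under `common/` is among the 47 files this patch creates, so the first notified restart will fail unless that directory comes from elsewhere. roles/splunk_common/tasks/main.yml has the same dependency on `common/tasks/set_conf_stanza.yml` and `common/tasks/set_certificate_prefix.yml`. Either add those files to the commit or put a comment above the handler that states where `common/` is expected to come from.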
@@ -0,0 +1,39 @@
+---
+- name: Remove old manifest files
+ file:
+ path: "{{ item.path }}"
+ state: "absent"
+ ignore_errors: yes
+ become: yes
+ become_user: "{{ privileged_user }}"
+ with_items:
+ - "{{ manifests.files }}"
+ when: splunk_upgrade | bool
+
+- name: Remove old directories
+ file:
+ path: "{{ item }}"
+ state: "absent"
+ ignore_errors: yes
+ become: yes
+ become_user: "{{ privileged_user }}"
+ with_items:
+ - "{{ splunk_home }}/bin"
+ - "{{ splunk_home }}/lib"
+ - "{{ splunk_home }}/share"
+ - "{{ splunk_home }}/Python-2.7"
+ when: splunk_upgrade | bool
+
+- name: Install Splunk
+ include_tasks: install_tasks/install_splunk_{{ splunk_build_type }}.yml
+
+- name: Remove installers
+ file:
+ dest: "{{ item }}"
+ state: "absent"
+ ignore_errors: yes
+ become: yes
+ become_user: "{{ privileged_user }}"
+ with_items:
+ - "{{ splunk_build_location }}"
+ - "/tmp/splunk_msi"
diff --git a/roles/splunk_common/tasks/install_tasks/install_splunk_msi.yml b/roles/splunk_common/tasks/install_tasks/install_splunk_msi.yml
new file mode 100644
index 0000000..d2ed314
--- /dev/null
+++ b/roles/splunk_common/tasks/install_tasks/install_splunk_msi.yml
@@ -0,0 +1,7 @@
+- name: Install Splunk (Windows)
+ command: "msiexec /I {{ splunk_build_location }}" AGREETOLICENSE=yes LAUNCHSPLUNK=0 /passive /qn"
+ when: ansible_system is match("CYGWIN*|Win32NT")
+ register: install_result
+ until: install_result is succeeded
+ retries: "{{ retry_num }}"
+ delay: 3
\ No newline at end of file
diff --git a/roles/splunk_common/tasks/install_tasks/install_splunk_tgz.yml b/roles/splunk_common/tasks/install_tasks/install_splunk_tgz.yml
new file mode 100644
index 0000000..55d7a44
--- /dev/null
+++ b/roles/splunk_common/tasks/install_tasks/install_splunk_tgz.yml
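Review bot: `ignore_errors: yes` on `Remove old directories` in roles/splunk_common/tasks/install_splunk.yml lets an upgrade continue after a failed delete, which can leave old `bin/` and `lib/` content underneath the new release. `state: "absent"` already succeeds when the path is missing, so the flag only hides real failures such as permission errors or busy files. Drop `ignore_errors: yes` from the three `file` tasks, or replace it with a `failed_when` that names the one case that is tolerated.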
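Review bot: The `command:` value in install_splunk_msi.yml is not valid YAML: the double-quoted scalar ends right after `{{ splunk_build_location }}"` and the rest of the line trails it, so the file fails to parse. Quote the whole command once and keep the inner quotes for the path, `command: 'msiexec /I "{{ splunk_build_location }}" AGREETOLICENSE=yes LAUNCHSPLUNK=0 /passive /qn'`. `delay: 3` could use the `delay_num` variable that group_vars defines next to `retry_num`.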
@@ -0,0 +1,13 @@
+- name: Install Splunk (Linux)
+ unarchive:
+ src: "{{ splunk_build_location }}"
+ dest: "{{ splunk_opt }}"
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ remote_src: "{{ splunk_build_remote_src }}"
+ register: install_result
+ until: install_result is succeeded
+ retries: " {{ retry_num}}"
+ delay: 3
+ become: yes
+ become_user: "{{ privileged_user }}"
\ No newline at end of file
diff --git a/roles/splunk_common/tasks/main.yml b/roles/splunk_common/tasks/main.yml
new file mode 100755
index 0000000..4233414
--- /dev/null
+++ b/roles/splunk_common/tasks/main.yml
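Review bot: The archive is unpacked as `{{ privileged_user }}` into `{{ splunk_opt }}` with no integrity check, and group_vars in this patch points `splunk_build_location` at `/tmp/splunk` on the target, a location any local user can write to before the play runs. Verify a pinned SHA-256 before the `unarchive` task and stage the installer in a directory only root can write; the sketch below applies when the location is a path on the target and uses a placeholder variable for the expected digest. `retries: " {{ retry_num}}"` carries a leading space inside the quotes, so the value is a string rather than a number; write `retries: "{{ retry_num }}"`.

```yaml
- name: Checksum the Splunk archive before unpacking
  stat:
    path: "{{ splunk_build_location }}"
    checksum_algorithm: sha256
  register: splunk_build_stat
  become: yes
  become_user: "{{ privileged_user }}"

- name: Refuse an archive that does not match the pinned digest
  assert:
    that:
      - splunk_build_stat.stat.exists
      # splunk_build_sha256 is a placeholder: the digest published for the release
      - splunk_build_stat.stat.checksum == splunk_build_sha256

# … unchanged: "Install Splunk (Linux)" unarchive task …
```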
@@ -0,0 +1,138 @@
+---
+- name: Check if splunk user exists
+ getent:
+ database: passwd
+ key: "{{ splunk_user }}"
+ fail_key: yes
+ register: user_exist
+ ignore_errors: true
+ become: yes
+
+- name: Setup the splunk user
+ user:
+ name: "{{ splunk_user }}"
+ comment: Splunk User
+ shell: /bin/bash
+ generate_ssh_key: yes
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+ state: present
+ when: user_exist["failed"] == true
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+- name: Changing Splunk directory Owner
+ include_tasks: pre_install_subtasks/change_splunk_directory_owner.yml
+ when:
+ - ansible_system is match("Linux")
+ - splunk_home_ownership_enforcement is defined
+ - splunk_home_ownership_enforcement | bool
+
+- name: Stop existing Splunk
+ include_tasks: stop_splunk.yml
+ when:
+ - splunk_upgrade | bool
+
+# Below we will either install or upgrade, which at this moment is the same task.
+- name: "Install Splunk"
+ include_tasks: install_splunk.yml
+ when:
+ - splunk_install | bool or (first_run | bool and splunk_build_location and splunk_build_location is match("^(https?|file)://.*"))
+
+- name: "Upgrade Splunk"
+ include_tasks: install_splunk.yml
+ when:
+ - not splunk_install
+ - not first_run
+ - splunk_upgrade | bool
+
+- name: Remove First Login
+ include_tasks: post_install_subtasks/remove_first_login.yml
+ when:
+ - first_run | bool
+
+# This needs to be done before any encrypted passkeys are generated
+- name: setup splunk_secret
+ include_tasks: post_install_subtasks/set_splunk_secret.yml
+ when:
+ - first_run | bool
+
+- name: Generate user_seed.conf
+ include_tasks: post_install_subtasks/set_user_seed.yml
+ when:
+ - first_run | bool
+
+- name: setup the [general] pass4SymmKey in system/local
+ include_tasks: "{{ playbook_dir }}/common/tasks/set_conf_stanza.yml"
+ vars:
+ conf_file: "server.conf"
+ conf_directory: "{{ splunk_home }}/etc/system/local"
+ stanza_name: general
+ conf_stanzas:
+ - pass4SymmKey: "{{
splunk_general_pass4SymmKey }}"
+
+- name: Enable Splunk Service
+ include_tasks: post_install_subtasks/enable_service.yml
+ when:
+ - splunk_enable_service and ansible_system is match("Linux")
+ - first_run | bool
+
+- name: Setup HTTP port
+ include_tasks: post_install_subtasks/set_http_port.yml
+ when:
+ - splunk_http_port | int != 8000
+
+- name: Setup MGMT port
+ include_tasks: post_install_subtasks/set_mgmt_port.yml
+ when:
+ - splunk_svc_port | int != 8089
+
+- name : Setup SSL
+ include_tasks: post_install_subtasks/configure_ssl_on_splunk.yml
+ when:
+ - splunk_enableSSL | bool
+ - first_run | bool
+
+- name: Setup Optimistic locking
+ include_tasks: post_install_subtasks/setup_optimistic_locking.yml
+ when:
+ - splunk_optimistic_about_file_locking
+
+- name: "Add generic ssl apps"
+ copy:
+ src: "{{ playbook_dir }}/splunk_apps/base_ssl_apps/"
+ dest: "{{ splunk_home }}/etc/apps/"
+ group: "{{ splunk_group }}"
+ owner: "{{ splunk_user }}"
+ follow: yes
+ local_follow: yes
+ become: yes
+ become_user: "{{ privileged_user }}"
+ when:
+ - splunk_enableSSL | bool
+
+- name: Start Splunk
+ include_tasks: start_splunk.yml
+
+- name: setup http or https for further processing
+ include_tasks: "{{ playbook_dir }}/common/tasks/set_certificate_prefix.yml"
+ when :
+ - cert_prefix is not defined
+
+- name: setup root_endpoint for further processing
+ include_tasks: post_install_subtasks/set_root_endpoint.yml
+ when:
+ - splunk_root_endpoint is defined
+ - splunk_root_endpoint != None
+ - first_run | bool
+
+- name: Clean user_seed.conf
+ include_tasks: post_install_subtasks/clean_user_seed.yml
+ when:
+ - first_run | bool
+
+- name: Get splunk.secret if not provided initially
+ include_tasks: post_install_subtasks/register_splunk_secret.yml
+ when:
+ - first_run | bool
+ - splunk_secret is undefined or splunk_secret is none
\ No newline at end of file
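Review bot: `Setup the splunk user` in roles/splunk_common/tasks/main.yml creates a login-shell account and generates an SSH key pair (`generate_ssh_key: yes`, 2048-bit RSA) that no task in this patch uses. An unused private key on every Splunk host is extra credential material to protect, so drop `generate_ssh_key`, `ssh_key_bits` and `ssh_key_file`, or add a comment that says what consumes the key. The `pass4SymmKey` include hands the key to `set_conf_stanza.yml` through `vars:`; that file is not part of this patch, so whether the value is kept out of task output cannot be confirmed from here. `when: user_exist["failed"] == true` reads more clearly as `when: user_exist is failed`.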
diff --git a/roles/splunk_common/tasks/post_install_subtasks/clean_user_seed.yml b/roles/splunk_common/tasks/post_install_subtasks/clean_user_seed.yml
new file mode 100755
index 0000000..b0aa661
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/clean_user_seed.yml
@@ -0,0 +1,7 @@
+---
+- name: Remove user-seed.conf
+ file:
+ dest: "{{ splunk_home }}/etc/system/local/user-seed.conf"
+ state: "absent"
+ notify:
+ - Restart the splunkd service
diff --git a/roles/splunk_common/tasks/post_install_subtasks/configure_ssl_on_splunk.yml b/roles/splunk_common/tasks/post_install_subtasks/configure_ssl_on_splunk.yml
new file mode 100755
index 0000000..137e91a
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/configure_ssl_on_splunk.yml
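Review bot: `Remove user-seed.conf` has no `become`, while set_user_seed.yml writes the same file as `{{ splunk_user }}`. If the connecting `ansible_user` cannot write to `etc/system/local`, this task fails and the hashed admin password stays on disk. Add `become: yes` and `become_user: "{{ splunk_user }}"` so the cleanup runs with the same identity as the task that creates the file.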
@@ -0,0 +1,48 @@
+---
+- name: "Transmit certificates from host"
+ copy:
+ src: "{{ playbook_dir }}/ssl/{{ item }}"
+ dest: "{{ splunk_home }}/etc/auth/{{ item }}"
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ local_follow: true
+ mode: 0400
+ loop:
+ - ca-cert.pem
+ - ca-key.pem
+ - "{{ inventory_hostname }}-cert-concatenated.pem"
+ - "{{ inventory_hostname }}-cert-concatenated-web.pem"
+ - "{{ inventory_hostname }}-nopwd-key.pem"
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+- name: "Rename Server certificate for simplified usage via symbolic link"
+ file:
+ src: "{{ splunk_home }}/etc/auth/{{ inventory_hostname }}-cert-concatenated.pem"
+ dest: "{{ splunk_home }}/etc/auth/servercertificate.pem"
+ state: link
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+- name: "Rename Web Server certificate for simplified usage via symbolic link"
+ file:
+ src: "{{ splunk_home }}/etc/auth/{{ inventory_hostname }}-cert-concatenated-web.pem"
+ dest: "{{ splunk_home }}/etc/auth/web-servercertificate.pem"
+ state: link
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+
+- name: "Rename Web Server certificate Key for simplified usage via symbolic link"
+ file:
+ src: "{{ splunk_home }}/etc/auth/{{ inventory_hostname }}-nopwd-key.pem"
+ dest: "{{ splunk_home }}/etc/auth/web-nopwd-key.pem"
+ state: link
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ become: yes
+ become_user: "{{ privileged_user }}"
diff --git a/roles/splunk_common/tasks/post_install_subtasks/enable_service.yml b/roles/splunk_common/tasks/post_install_subtasks/enable_service.yml
new file mode 100755
index 0000000..d3256dc
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/enable_service.yml
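Review bot: The `loop` in `Transmit certificates from host` copies `ca-key.pem` into `{{ splunk_home }}/etc/auth/` on every host, which puts the CA private key on each Splunk server; a compromise of any one of them would then allow certificates to be issued for the whole deployment. A server needs the CA certificate to verify peers, not the CA key, so remove `- ca-key.pem` from the list and keep the key on the signing host. `mode: 0400` is an unquoted octal; write `mode: "0400"` so every YAML loader reads it the same way. The passwordless `-nopwd-key.pem` is presumably required by Splunk Web, and owner `{{ splunk_user }}` with `"0400"` is the right restriction for it.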
@@ -0,0 +1,109 @@
+---
+- name: "Retrieve PID 1 process information (Linux)"
+ command: "ps 1"
+ register: pid1
+ when: ansible_system is match("Linux")
+
+- name: "Retrieve Splunk version"
+ command: "{{ splunk_exec }} version --accept-license --answer-yes --no-prompt"
+ register: installed_splunk_version
+ when: ansible_system is match("Linux")
+ become: yes
+ become_user: "{{ splunk_user }}"
+
+- name: "Set installed version fact"
+ set_fact:
+ installed_splunk_version: "{{ installed_splunk_version.stdout | regex_search(regexp, '\\1') }}"
+ vars:
+ regexp: 'Splunk\s((\d+)\.(\d+)\.(\d+)).*'
+ when: ansible_system is match("Linux")
+
+- name: "Enable service via boot-start - Linux (systemd)"
+ become: yes
+ become_user: "{{ privileged_user }}"
+ command: "{{ splunk_exec }} enable boot-start -systemd-managed 1 -user {{ splunk_user }} --accept-license --answer-yes --no-prompt"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ - installed_splunk_version[0] is version("7.2.2", ">=")
+
+# Using service file approach for systemd rather than 'boot-start' with
+# 'systemd-unit-file-name' option because cli's versions older than 7.2.2 do
+# not implement systemd in boot-start command.
+- name: "Copy Splunkd unit file - Linux (systemd)"
+ template:
+ src: Splunkd.service.j2
+ dest: /etc/systemd/system/Splunkd.service
+ owner: "{{ privileged_user }}"
+ group: "{{ privileged_user }}"
+ mode: 0644
+ become: yes
+ become_user: "{{ privileged_user }}"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ - installed_splunk_version[0] is version("7.2.2", "<")
+
+- name: "Reload daemons via systemctl - Linux (systemd)"
+ become: yes
+ become_user: "{{ privileged_user }}"
+ systemd:
+ daemon-reload: yes
+ name: Splunkd.service
+ enabled: true
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find('systemd') != -1
+
+- name: "Enable service via boot-start - Linux (init)"
+ become: yes
+ become_user: "{{ privileged_user }}"
+ command: "{{ splunk_exec }} enable boot-start -user {{ splunk_user }} --accept-license --answer-yes --no-prompt"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find('systemd') == -1
+
+- name: "Enable service via boot-start - Windows"
+ command: "{{ splunk_exec }} enable boot-start -user {{ splunk_user }} --accept-license --answer-yes --no-prompt"
+ when: ansible_os_family == "Windows"
+
+- name: add splunk user to sudoer for systemd
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ line: "{{ splunk_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl restart Splunkd.service"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ become: yes
+
+- name: add splunk user to sudoer for systemd
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ line: "{{ splunk_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl start Splunkd.service"
+
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ become: yes
+
+- name: add splunk user to sudoer for systemd
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ line: "{{ splunk_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl stop Splunkd.service"
+ when:
+ - ansible_system is
match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ become: yes
+
+- name: add splunk user to sudoer for systemd
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ line: "{{ splunk_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl status Splunkd.service"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ become: yes
diff --git a/roles/splunk_common/tasks/post_install_subtasks/install_java.yml b/roles/splunk_common/tasks/post_install_subtasks/install_java.yml
new file mode 100755
index 0000000..bca5d89
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/install_java.yml
@@ -0,0 +1,30 @@
+---
+- name: Install Oracle8 JDK
+ include_tasks: java_tasks/install_oracle8_jdk.yml
+ when:
+ - java_version == "oracle:8"
+ - ansible_system is match("Linux")
+
+- name: Install Openjdk8 JDK
+ include_tasks: java_tasks/install_openjdk8_jdk.yml
+ when:
+ - java_version == "openjdk:8"
+ - ansible_system is match("Linux")
+
+- name: Install Openjdk11 JDK
+ include_tasks: java_tasks/install_openjdk11_jdk.yml
+ when:
+ - java_version == "openjdk:11"
+ - ansible_system is match("Linux")
+
+- name: Install Openjdk13 JDK
+ include_tasks: java_tasks/install_openjdk11_jdk.yml
+ when:
+ - java_version == "openjdk:13"
+ - ansible_system is match("Linux")
+
+- name: Install Openjdk9 JDK for Windows
+ include_tasks: java_tasks/install_openjdk9_jdk_windows.yml
+ when:
+ - java_version == "openjdk:9"
+ - ansible_system is match("CYGWIN*|Win32NT")
diff --git a/roles/splunk_common/tasks/post_install_subtasks/register_splunk_secret.yml b/roles/splunk_common/tasks/post_install_subtasks/register_splunk_secret.yml
new file mode 100755
index 0000000..85db2a6
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/register_splunk_secret.yml
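Review bot: The four `add splunk user to sudoer for systemd` tasks in enable_service.yml edit `/etc/sudoers` with `lineinfile` and no `validate:`, so an unexpected `splunk_user` value or an interrupted write can leave a file that `sudo` rejects and lock out privilege escalation on the host. Write the rules to a drop-in under `/etc/sudoers.d/` and let `visudo -cf %s` check the file before it is installed; a single looped task also replaces four tasks that share one name. The drop-in file name in the sketch is constructed for illustration. The `Splunkd.service.j2` template used earlier in the hunk is not among the files in this patch.

```yaml
- name: Allow the splunk user to manage Splunkd.service through sudo
  lineinfile:
    path: /etc/sudoers.d/splunk  # constructed file name
    create: yes
    owner: root
    group: root
    mode: "0440"
    state: present
    line: "{{ splunk_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl {{ item }} Splunkd.service"
    validate: "/usr/sbin/visudo -cf %s"
  loop:
    - restart
    - start
    - stop
    - status
  when:
    - ansible_system is match("Linux")
    - pid1.stdout.find("systemd") != -1
  become: yes
```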
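Review bot: `Install Openjdk13 JDK` in install_java.yml includes `java_tasks/install_openjdk11_jdk.yml`, so asking for `openjdk:13` installs whatever the Java 11 task file installs. If that is deliberate, say so in a comment above the task; otherwise point the include at a task file for 13. None of the `java_tasks/*.yml` files appear in this patch's file list, so each branch here will fail at include time until they are added.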
@@ -0,0 +1,21 @@
+---
+
+# - name: Get the Splunk secret
+# shell: cat "{{ splunk_home }}/etc/auth/splunk.secret"
+# register: splunk_secret_content
+# when:
+# - splunk_secret is undefined or splunk_secret is none
+# - not tmp_splunk_secret.stat.exists
+# become: yes
+# become_user: "{{ privileged_user }}"
+
+- name: register Splunk secret for use on other hosts
+ fetch:
+ src: "{{ splunk_home }}/etc/auth/splunk.secret"
+ dest: "/tmp/splunk_secret"
+ flat: yes
+ become: yes
+ become_user: "{{ privileged_user }}"
+ when:
+ - splunk_secret is undefined or splunk_secret is none
+ - not tmp_splunk_secret.stat.exists
diff --git a/roles/splunk_common/tasks/post_install_subtasks/remove_first_login.yml b/roles/splunk_common/tasks/post_install_subtasks/remove_first_login.yml
new file mode 100755
index 0000000..e7e3e7b
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/remove_first_login.yml
@@ -0,0 +1,10 @@
+---
+- name: "Create .ui_login"
+ file:
+ path: "{{ splunk_home }}/etc/.ui_login"
+ state: touch
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ mode: "u=rw,g=,o="
+ become: yes
+ become_user: "{{ splunk_user }}"
\ No newline at end of file
diff --git a/roles/splunk_common/tasks/post_install_subtasks/set_http_port.yml b/roles/splunk_common/tasks/post_install_subtasks/set_http_port.yml
new file mode 100755
index 0000000..e361809
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/set_http_port.yml
@@ -0,0 +1,8 @@
+---
+- name: Set HTTP Port
+ ini_file:
+ dest: "{{ splunk_home }}/etc/system/local/web.conf"
+ section: settings
+ option: "httpport"
+ value: "{{ splunk_http_port }}"
+
diff --git a/roles/splunk_common/tasks/post_install_subtasks/set_mgmt_port.yml b/roles/splunk_common/tasks/post_install_subtasks/set_mgmt_port.yml
new file mode 100755
index 0000000..e958959
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/set_mgmt_port.yml
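Review bot: `Set HTTP Port` in set_http_port.yml runs without `become` and without `owner`/`group`, unlike the other tasks in this patch that write under `{{ splunk_home }}/etc/system/local`, so it either fails on permissions for `ansible_user` or creates `web.conf` owned by the wrong account. Add `become: yes`, `become_user: "{{ splunk_user }}"`, `owner: "{{ splunk_user }}"` and `group: "{{ splunk_group }}"`. A `notify` of `Restart the splunkd service` is also missing, and a changed port presumably needs a restart to take effect. set_mgmt_port.yml has the same gaps.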
@@ -0,0 +1,7 @@
+---
+- name: Set mgmt port
+ ini_file:
+ dest: "{{ splunk_home }}/etc/system/local/web.conf"
+ section: settings
+ option: "mgmtHostPort"
+ value: "127.0.0.1:{{ splunk_svc_port }}"
diff --git a/roles/splunk_common/tasks/post_install_subtasks/set_root_endpoint.yml b/roles/splunk_common/tasks/post_install_subtasks/set_root_endpoint.yml
new file mode 100755
index 0000000..7e8a4aa
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/set_root_endpoint.yml
@@ -0,0 +1,19 @@
+---
+- name: Set root endpoint
+ uri:
+ url: "{{ cert_prefix }}://127.0.0.1:{{ splunk_svc_port }}/servicesNS/nobody/system/configs/conf-web/settings"
+ method: POST
+ user: "{{ splunk_admin_user }}"
+ password: "{{ splunk_password }}"
+ validate_certs: false
+ body:
+ root_endpoint: "{{ splunk_root_endpoint }}"
+ body_format: "form-urlencoded"
+ status_code: 200
+ timeout: 10
+ when: splunk_root_endpoint
+ register: set_root_endpoint
+ changed_when: set_root_endpoint.status == 200
+ no_log: "{{ hide_password }}"
+ notify:
+ - Restart the splunkd service
diff --git a/roles/splunk_common/tasks/post_install_subtasks/set_splunk_secret.yml b/roles/splunk_common/tasks/post_install_subtasks/set_splunk_secret.yml
new file mode 100755
index 0000000..0b1630e
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/set_splunk_secret.yml
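Review bot: `no_log: "{{ hide_password }}"` in `Set root endpoint` leaves the task's result unprotected, because group_vars in this patch sets `hide_password: false`; a task that carries the admin credential should use `no_log: true` unconditionally. `validate_certs: false` is aimed at 127.0.0.1, which limits the exposure, but validating against the deployed CA certificate would also catch an unexpected listener on the management port. `changed_when: set_root_endpoint.status == 200` reports a change on every successful run. set_user_seed.yml uses the same `no_log` pattern.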
@@ -0,0 +1,35 @@
+---
+
+- name: Set the Splunk secret from Config
+ copy:
+ dest: "{{ splunk_home }}/etc/auth/splunk.secret"
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ mode: 0400
+ content: "{{ splunk_secret }}"
+ when:
+ - splunk_secret is defined and splunk_secret is not none
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+# Checking that a splunk_secret exists on ansible host
+- name: "Checking that a splunk_secret exists on ansible host"
+ local_action: stat path=/tmp/splunk_secret
+ register: tmp_splunk_secret
+
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+
+- name: Set the Splunk secret from First Host
+ copy:
+ dest: "{{ splunk_home }}/etc/auth/splunk.secret"
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ mode: 0400
+ src: "/tmp/splunk_secret"
+ when:
+ - splunk_secret is undefined or splunk_secret is none
+ - tmp_splunk_secret.stat.exists
+ become: yes
+ become_user: "{{ privileged_user }}"
\ No newline at end of file
diff --git a/roles/splunk_common/tasks/post_install_subtasks/set_user_seed.yml b/roles/splunk_common/tasks/post_install_subtasks/set_user_seed.yml
new file mode 100755
index 0000000..4c554ba
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/set_user_seed.yml
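Review bot: `Set the Splunk secret from Config` writes `splunk_secret` through `content:` without `no_log`, so the value is printed when the play runs with `--diff`; add `no_log: true` to both `copy` tasks in set_splunk_secret.yml. `mode: 0400` should be quoted as `mode: "0400"`. The `local_action: stat` task carries `become`, which asks for root on the control node just to stat a file in `/tmp`; removing `become` and `become_user` from that task drops the requirement.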
@@ -0,0 +1,42 @@
+---
+- name: "Hash the password"
+ command: "{{ splunk_exec }} hash-passwd {{ splunk_password }}"
+ register: hashed_pwd
+ changed_when: hashed_pwd.rc == 0
+ become: yes
+ become_user: "{{ splunk_user }}"
+ no_log: "{{ hide_password }}"
+
+- name: "Generate user-seed.conf (Linux)"
+ ini_file:
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ dest: "{{ splunk_home }}/etc/system/local/user-seed.conf"
+ section: user_info
+ option: "{{ item.opt }}"
+ value: "{{ item.val }}"
+ with_items:
+ - { opt: "USERNAME", val: "{{ splunk_admin_user }}" }
+ - { opt: "HASHED_PASSWORD", val: "{{ hashed_pwd.stdout }}" }
+ loop_control:
+ label: "{{ item.opt }}"
+ when: ansible_system is match("Linux")
+ no_log: "{{ hide_password }}"
+ become: yes
+ become_user: "{{ splunk_user }}"
+
+- name: "Generate user-seed.conf (Windows)"
+ ini_file:
+ dest: "{{ splunk_home }}/etc/system/local/user-seed.conf"
+ section: user_info
+ option: "{{ item.opt }}"
+ value: "{{ item.val }}"
+ with_items:
+ - { opt: "USERNAME", val: "{{ splunk_admin_user }}" }
+ - { opt: "HASHED_PASSWORD", val: "{{ hashed_pwd.stdout }}" }
+ loop_control:
+ label: "{{ item.opt }}"
+ when: ansible_system is match("CYGWIN*|Win32NT")
+ no_log: "{{ hide_password }}"
+ become: yes
+ become_user: "{{ splunk_user }}"
diff --git a/roles/splunk_common/tasks/post_install_subtasks/setup_optimistic_locking.yml b/roles/splunk_common/tasks/post_install_subtasks/setup_optimistic_locking.yml
new file mode 100755
index 0000000..99860c5
--- /dev/null
+++ b/roles/splunk_common/tasks/post_install_subtasks/setup_optimistic_locking.yml
@@ -0,0 +1,7 @@
+- name: Ensure Optimistic locking is set to splunk-launch.conf
+ lineinfile:
+ path: "{{ splunk_home }}/etc/splunk-launch.conf"
+ regexp: "^OPTIMISTIC_ABOUT_FILE_LOCKING="
+ line: OPTIMISTIC_ABOUT_FILE_LOCKING=1
+ become: yes
+ become_user: "{{ privileged_user }}"
\ No newline at end of file
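Review bot: `Hash the password` passes `{{ splunk_password }}` as a command-line argument, so the clear-text password is visible in the target's process list while the command runs and, with `hide_password: false` from group_vars, in the registered task result as well. Set `no_log: true` on all three tasks regardless of `hide_password`, and consider producing the hash on the control node with the `password_hash('sha512')` filter so the clear text never reaches a command line, after confirming that your Splunk version accepts that format for `HASHED_PASSWORD`. `changed_when: hashed_pwd.rc == 0` marks a read-only command as a change; `changed_when: false` is accurate. Neither `ini_file` task sets `mode`, so `user-seed.conf` gets the default permissions; add `mode: "0600"`.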
diff --git a/roles/splunk_common/tasks/pre_install_subtasks/change_splunk_directory_owner.yml b/roles/splunk_common/tasks/pre_install_subtasks/change_splunk_directory_owner.yml
new file mode 100644
index 0000000..4c0d51f
--- /dev/null
+++ b/roles/splunk_common/tasks/pre_install_subtasks/change_splunk_directory_owner.yml
@@ -0,0 +1,10 @@
+---
+- name: Update Splunk directory owner
+ file:
+ path: "{{ splunk_home }}"
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ recurse: yes
+ state: directory
+ become: yes
+ become_user: "{{ privileged_user }}"
\ No newline at end of file
diff --git a/roles/splunk_common/tasks/pre_install_subtasks/get_facts.yml b/roles/splunk_common/tasks/pre_install_subtasks/get_facts.yml
new file mode 100644
index 0000000..2fdde54
--- /dev/null
+++ b/roles/splunk_common/tasks/pre_install_subtasks/get_facts.yml
@@ -0,0 +1,56 @@
+---
+- name: "Set privilege escalation user"
+ set_fact:
+ privileged_user: "{% if ansible_system is match('CYGWIN*|Win32NT') %}Administrator{% else %}root{% endif %}"
+
+- name: "Check for existing installation"
+ stat:
+ path: "{{ splunk_exec }}"
+ become: yes
+ register: pre_existing_splunk_exec
+
+- name: "Set splunk install fact"
+ set_fact:
+ splunk_install: "{{ not pre_existing_splunk_exec.stat.exists | default(True) }}"
+
+- name: "Check for existing splunk secret"
+ stat:
+ path: "{{ splunk_home }}/etc/auth/splunk.secret"
+ register: pre_existing_splunk_secret
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+- name: "Set first run fact"
+ set_fact:
+ first_run: "{{ not pre_existing_splunk_secret.stat.exists | default(True) }}"
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+- name : "Set splunk_build_type fact"
+ include_tasks: get_facts_build_type.yml
+
+- name: "Set target version fact"
+ include_tasks: get_facts_target_version.yml
+ when: splunk_target_version is not defined or splunk_target_version == none
+
+- name: "Find manifest"
+ find:
+ paths: "{{ splunk_home }}"
+ patterns: ".*-manifest$"
+ use_regex: yes
+ become: yes
+ register: manifests
+
+- name: "Set current version fact"
+ set_fact:
+ splunk_current_version: "{{ manifests.files[0].path | regex_search(regexp, '\\1') if (manifests.matched == 1) else '0' }}"
+ vars:
+ regexp: 'splunk\D*?-((\d+)\.(\d+)\.(\d+))'
+
+- name: "Setting upgrade fact"
+ set_fact:
+ splunk_upgrade: "{{ splunk_build_location and not splunk_install and splunk_target_version and splunk_target_version != splunk_current_version | default(False) }}"
+
+- name: "Register the fact that we've gather the fact"
+ set_fact:
+ splunk_get_fact: true
\ No newline at end of file
diff --git a/roles/splunk_common/tasks/pre_install_subtasks/get_facts_build_type.yml b/roles/splunk_common/tasks/pre_install_subtasks/get_facts_build_type.yml
new file mode 100644
index 0000000..f81116d
--- /dev/null
+++ b/roles/splunk_common/tasks/pre_install_subtasks/get_facts_build_type.yml
@@ -0,0 +1,21 @@
+- name: Set splunk_build_type from variable
+ set_fact:
+ splunk_build_type: "{{ splunk_build_type }}"
+ when:
+ - "splunk_build_type is defined"
+
+- name: Set splunk_build_type from build_location
+ block:
+ #check if the build_location is a tgz
+ - name: "Set build_type (tgz)"
+ set_fact:
+ splunk_build_type: "tgz"
+ when: splunk_build_location is match(".*(\.tar\.gz|\.tgz)$")
+ - name: "Set build_type (msi)"
+ set_fact:
+ splunk_build_type: "msi"
+ when: splunk_build_location is match(".*\.msi$")
+ when:
+ - splunk_build_type is not defined
+ - splunk_build_type is not none
+ - splunk_build_location is not none
diff --git a/roles/splunk_common/tasks/pre_install_subtasks/get_facts_target_version.yml b/roles/splunk_common/tasks/pre_install_subtasks/get_facts_target_version.yml
new file mode 100644
index 0000000..ecb8021
--- /dev/null
+++ b/roles/splunk_common/tasks/pre_install_subtasks/get_facts_target_version.yml
@@ -0,0 +1,13 @@
+# Use a manually set version, if a it is set
+- name: "Set target version fact"
+ set_fact:
+ splunk_target_version: "{{ splunk_target_version }}"
+ when: "splunk_target_version is defined"
+
+# Extracting the numbers from the Splunk installer file name allows us to know the version we are targeting.
+- name: "Set target version fact (file)"
+ set_fact:
+ splunk_target_version: "{{ splunk_build_location | regex_search(regexp, '\\1') | default('0') }}"
+ vars:
+ regexp: 'splunk\D*?-((\d+)\.(\d+)\.(\d+))'
+ when: "splunk_build_type is defined and splunk_build_type is match('(tgz|msi|rpm|deb)')"
\ No newline at end of file
diff --git a/roles/splunk_common/tasks/start_splunk.yml b/roles/splunk_common/tasks/start_splunk.yml
new file mode 100755
index 0000000..f656f23
--- /dev/null
+++ b/roles/splunk_common/tasks/start_splunk.yml
@@ -0,0 +1,45 @@
+---
+- name: "Get Splunk status"
+ command: "{{ splunk_exec }} status --accept-license --answer-yes --no-prompt"
+ become: yes
+ become_user: "{{ splunk_user }}"
+ register: splunk_status
+ changed_when: False
+ failed_when: False
+ ignore_errors: yes
+
+- name: "Start Splunk via cli"
+ command: "{{ splunk_exec }} start --accept-license --answer-yes --no-prompt"
+ become: yes
+ become_user: "{{ splunk_user }}"
+ register: start_splunk
+ changed_when: start_splunk.rc == 0 and 'already running' not in start_splunk.stdout
+ when:
+ - not splunk_enable_service or pid1 is not defined
+ - splunk_status.rc != 0
+ ignore_errors: yes
+
+- name: "Start Splunk via service"
+ service:
+ name: "{% if pid1.stdout.find('systemd') != -1 %}Splunkd{% else %}splunk{% endif %}"
+ state: restarted
+ when:
+ - splunk_enable_service
+ - splunk_status.rc != 0
+ - ansible_system is match("Linux")
+ - pid1 is defined
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+- name: "Start Splunk via Windows service"
+ win_service:
+ name: splunkd
+ state: restarted
+ when:
+ - splunk_enable_service
+ - splunk_status.rc != 0
+ - ansible_os_family == "Windows"
+
+- name: "Wait for splunkd management port"
+ wait_for:
+ port: "{{ splunk_svc_port }}"
diff --git a/roles/splunk_common/tasks/stop_splunk.yml b/roles/splunk_common/tasks/stop_splunk.yml
new file mode 100755
index 0000000..0b19892
--- /dev/null
+++ b/roles/splunk_common/tasks/stop_splunk.yml
@@ -0,0 +1,40 @@
+---
+- name: "Get Splunk status"
+ command: "{{ splunk_exec }} status --accept-license --answer-yes --no-prompt"
+ become: yes
+ become_user: "{{ splunk_user }}"
+ register: splunk_status
+ changed_when: False
+ failed_when: False
+ ignore_errors: yes
+
+- name: "Stop Splunk via cli"
+ command: "{{ splunk_exec }} stop --accept-license --answer-yes --no-prompt"
+ become: yes
+ become_user: "{{ splunk_user }}"
+ register: stop_splunk
+ changed_when: stop_splunk.rc == 0
+ when:
+ - not splunk_enable_service
+ - splunk_status.rc == 0
+
+- name: "Stop Splunk via systemctl"
+ service:
+ name: Splunkd
+ state: stopped
+ when:
+ - splunk_enable_service
+ - splunk_status.rc == 0
+ - ansible_system is match("Linux")
+ become: yes
+ become_user: "{{ privileged_user }}"
+ ignore_errors: yes
+
+- name: "Stop Splunk via Windows service"
+ win_service:
+ name: splunkd
+ state: stopped
+ when:
+ - splunk_enable_service
+ - splunk_status.rc == 0
+ - ansible_os_family == "Windows"
diff --git a/roles/splunk_common/vars/main.yml b/roles/splunk_common/vars/main.yml
new file mode 100644
index 0000000..2d7fb35
--- /dev/null
+++ b/roles/splunk_common/vars/main.yml
@@ -0,0 +1,3 @@
+splunk_version: "8.3.1"
+splunk_download_url: "https://download.splunk.com/products/splunk/releases/{{ splunk_version }}/linux/splunk-{{ splunk_version }}-aa7ca5cfbb32-Linux-x86_64.tgz"
+splunk_user: "splunk"
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/install_splunk.yml b/roles/splunk_common_uf/tasks/install_splunk.yml
new file mode 100755
index 0000000..a46c54c
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/install_splunk.yml
@@ -0,0 +1,39 @@
+---
+- name: Remove old manifest files
+ file:
+ path: "{{ item.path }}"
+ state: "absent"
+ ignore_errors: yes
+ become: yes
+ become_user: "{{ privileged_user }}"
+ with_items:
+ - "{{ manifests.files }}"
+ when: splunk_upgrade | bool
+
+- name: Remove old directories
+ file:
+ path: "{{ item }}"
+ state: "absent"
+ ignore_errors: yes
+ become: yes
+ become_user: "{{ privileged_user }}"
+ with_items:
+ - "{{ splunk_home_uf }}/bin"
+ - "{{ splunk_home_uf }}/lib"
+ - "{{ splunk_home_uf }}/share"
+ - "{{ splunk_home_uf }}/Python-2.7"
+ when: splunk_upgrade | bool
+
+- name: Install Splunk
+ include_tasks: install_tasks/install_splunk_{{ splunk_build_type }}.yml
+
+- name: Remove installers
+ file:
+ dest: "{{ item }}"
+ state: "absent"
+ ignore_errors: yes
+ become: yes
+ become_user: "{{ privileged_user }}"
+ with_items:
+ - "{{ splunk_build_location_uf }}"
+ - "/tmp/splunk_msi"
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/install_tasks/install_splunk_tgz.yml b/roles/splunk_common_uf/tasks/install_tasks/install_splunk_tgz.yml
new file mode 100755
index 0000000..dd2a34e
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/install_tasks/install_splunk_tgz.yml
@@ -0,0 +1,13 @@
+- name: Install Splunk (Linux)
+ unarchive:
+ src: "{{ splunk_build_location_uf }}"
+ dest: "{{ splunk_opt }}"
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ remote_src: "{{ splunk_build_remote_src }}"
+ register: install_result
+ until: install_result is succeeded
+ retries: "{{ retry_num }}"
+ delay: 3
+ become: yes
+ become_user: "{{ privileged_user }}"
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/main.yml b/roles/splunk_common_uf/tasks/main.yml
new file mode 100755
index 0000000..b84b328
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/main.yml
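Review bot: The `unarchive` task in install_splunk_tgz.yml unpacks `splunk_build_location_uf` as the privileged user with no integrity check, and with `remote_src` enabled that source may be a URL (main.yml in this role tests a build location against `^(https?|file)://`, so plain HTTP appears to be accepted). When the location is a URL I would download it first with `get_url` and a pinned `checksum`, then unarchive the local file, so a tampered or truncated archive fails the play instead of being installed. The checksum variable and the download path in the sketch below are placeholders that do not exist in this commit.

```yaml
- name: Download Splunk archive (Linux)
  get_url:
    url: "{{ splunk_build_location_uf }}"
    # placeholder path: use a directory only the privileged user can write
    dest: "{{ splunk_opt }}/splunk_uf_download.tgz"
    # placeholder variable: pin the vendor-published SHA-256 next to the URL
    checksum: "sha256:{{ splunk_build_sha256_uf }}"
    mode: "0600"
  become: yes
  become_user: "{{ privileged_user }}"

- name: Install Splunk (Linux)
  unarchive:
    src: "{{ splunk_opt }}/splunk_uf_download.tgz"
    remote_src: yes
    # … unchanged: dest, owner, group, retry settings, become …
```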
@@ -0,0 +1,92 @@
+---
+- name: Check if splunk user exists
+ getent:
+ database: passwd
+ key: "{{ splunk_user }}"
+ fail_key: yes
+ register: user_exist
+ ignore_errors: true
+ become: yes
+
+- name: Setup the splunk user
+ user:
+ name: "{{ splunk_user }}"
+ comment: Splunk User
+ shell: /bin/bash
+ generate_ssh_key: yes
+ ssh_key_bits: 2048
+ ssh_key_file: .ssh/id_rsa
+ state: present
+ when: user_exist["failed"] == true
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+- name: Changing Splunk directory Owner
+ include_tasks: pre_install_subtasks/change_splunk_directory_owner.yml
+ when:
+ - ansible_system is match("Linux")
+ - splunk_home_ownership_enforcement is defined
+ - splunk_home_ownership_enforcement | bool
+
+- name: Stop existing Splunk
+ include_tasks: stop_splunk.yml
+ when:
+ - splunk_upgrade | bool
+
+# Below we will either install or upgrade, which at this moment is the same task.
+- name: "Install Splunk"
+ include_tasks: install_splunk.yml
+ when:
+ - splunk_install | bool or (first_run | bool and splunk_build_location and splunk_build_location is match("^(https?|file)://.*"))
+
+- name: "Upgrade Splunk"
+ include_tasks: install_splunk.yml
+ when:
+ - not splunk_install
+ - not first_run
+ - splunk_upgrade | bool
+
+- name: Remove First Login
+ include_tasks: post_install_subtasks/remove_first_login.yml
+ when:
+ - first_run | bool
+
+# This needs to be done before any encrypted passkeys are generated
+- name: setup splunk_secret
+ include_tasks: post_install_subtasks/set_splunk_secret.yml
+ when:
+ - first_run | bool
+
+- name: Generate user_seed.conf
+ include_tasks: post_install_subtasks/set_user_seed.yml
+ when:
+ - first_run | bool
+
+- name: setup the [general] pass4SymmKey in system/local
+ include_tasks: "{{ playbook_dir }}/common/tasks/set_conf_stanza.yml"
+ vars:
+ conf_file: "server.conf"
+ conf_directory: "{{ splunk_home_uf }}/etc/system/local"
+ stanza_name: general
+ conf_stanzas:
+ - pass4SymmKey: "{{ splunk_general_pass4SymmKey }}"
+
+- name: Enable Splunk Service
+ include_tasks: post_install_subtasks/enable_service.yml
+ when:
+ - splunk_enable_service and ansible_system is match("Linux")
+ - first_run | bool
+
+- name: Start Splunk
+ include_tasks: start_splunk.yml
+
+- name: Clean user_seed.conf
+ include_tasks: post_install_subtasks/clean_user_seed.yml
+ when:
+ - first_run | bool
+
+- name: Get splunk.secret if not provided initially
+ include_tasks: post_install_subtasks/register_splunk_secret.yml
+ when:
+ - first_run | bool
+ - splunk_secret is undefined or splunk_secret is none
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/post_install_subtasks/clean_user_seed.yml b/roles/splunk_common_uf/tasks/post_install_subtasks/clean_user_seed.yml
new file mode 100755
index 0000000..d0334cd
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/post_install_subtasks/clean_user_seed.yml
@@ -0,0 +1,7 @@
+---
+- name: Remove user-seed.conf
+ file:
+ dest: "{{ splunk_home_uf }}/etc/system/local/user-seed.conf"
+ state: "absent"
+ notify:
+ - Restart the splunkd service
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/post_install_subtasks/enable_service.yml b/roles/splunk_common_uf/tasks/post_install_subtasks/enable_service.yml
new file mode 100755
index 0000000..efe3720
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/post_install_subtasks/enable_service.yml
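Review bot: "Setup the splunk user" in roles/splunk_common_uf/tasks/main.yml generates a passphrase-less 2048-bit RSA key pair for the service account (`generate_ssh_key: yes`, `ssh_key_file: .ssh/id_rsa`), and nothing in the visible tasks uses it. A private key left in a service account's home is one more credential to inventory and rotate, so unless another playbook depends on it I would drop the three `ssh_key` lines. The preceding `getent` lookup with `ignore_errors: true` is also unnecessary, because `user` with `state: present` is already idempotent, and keying the task on `user_exist["failed"]` treats any lookup error as "user missing".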
@@ -0,0 +1,109 @@
+---
+- name: "Retrieve PID 1 process information (Linux)"
+ command: "ps 1"
+ register: pid1
+ when: ansible_system is match("Linux")
+
+- name: "Retrieve Splunk version"
+ command: "{{ splunk_exec_uf }} version --accept-license --answer-yes --no-prompt"
+ register: installed_splunk_version
+ when: ansible_system is match("Linux")
+ become: yes
+ become_user: "{{ splunk_user }}"
+
+- name: "Set installed version fact"
+ set_fact:
+ installed_splunk_version: "{{ installed_splunk_version.stdout | regex_search(regexp, '\\1') }}"
+ vars:
+ regexp: 'Splunk\s((\d+)\.(\d+)\.(\d+)).*'
+ when: ansible_system is match("Linux")
+
+- name: "Enable service via boot-start - Linux (systemd)"
+ become: yes
+ become_user: "{{ privileged_user }}"
+ command: "{{ splunk_exec_uf }} enable boot-start -systemd-managed 1 -user {{ splunk_user }} --accept-license --answer-yes --no-prompt"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ - installed_splunk_version[0] is version("7.2.2", ">=")
+
+# Using service file approach for systemd rather than 'boot-start' with
+# 'systemd-unit-file-name' option because cli's versions older than 7.2.2 do
+# not implement systemd in boot-start command.
+- name: "Copy Splunkd unit file - Linux (systemd)"
+ template:
+ src: Splunkd.service.j2
+ dest: /etc/systemd/system/Splunkd.service
+ owner: "{{ privileged_user }}"
+ group: "{{ privileged_user }}"
+ mode: 0644
+ become: yes
+ become_user: "{{ privileged_user }}"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ - installed_splunk_version[0] is version("7.2.2", "<")
+
+- name: "Reload daemons via systemctl - Linux (systemd)"
+ become: yes
+ become_user: "{{ privileged_user }}"
+ systemd:
+ daemon-reload: yes
+ name: Splunkd.service
+ enabled: true
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find('systemd') != -1
+
+- name: "Enable service via boot-start - Linux (init)"
+ become: yes
+ become_user: "{{ privileged_user }}"
+ command: "{{ splunk_exec_uf }} enable boot-start -user {{ splunk_user }} --accept-license --answer-yes --no-prompt"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find('systemd') == -1
+
+- name: "Enable service via boot-start - Windows"
+ command: "{{ splunk_exec_uf }} enable boot-start -user {{ splunk_user }} --accept-license --answer-yes --no-prompt"
+ when: ansible_os_family == "Windows"
+
+- name: add splunk user to sudoer for systemd
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ line: "{{ splunk_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl restart Splunkd.service"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ become: yes
+
+- name: add splunk user to sudoer for systemd
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ line: "{{ splunk_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl start Splunkd.service"
+
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ become: yes
+
+- name: add splunk user to sudoer for systemd
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ line: "{{ splunk_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl stop Splunkd.service"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ become: yes
+
+- name: add splunk user to sudoer for systemd
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ line: "{{ splunk_user }} ALL=(root) NOPASSWD: /usr/bin/systemctl status Splunkd.service"
+ when:
+ - ansible_system is match("Linux")
+ - pid1.stdout.find("systemd") != -1
+ become: yes
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/post_install_subtasks/install_java.yml b/roles/splunk_common_uf/tasks/post_install_subtasks/install_java.yml
new file mode 100755
index 0000000..bca5d89
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/post_install_subtasks/install_java.yml
@@ -0,0 +1,30 @@
+---
+- name: Install Oracle8 JDK
+ include_tasks: java_tasks/install_oracle8_jdk.yml
+ when:
+ - java_version == "oracle:8"
+ - ansible_system is match("Linux")
+
+- name: Install Openjdk8 JDK
+ include_tasks: java_tasks/install_openjdk8_jdk.yml
+ when:
+ - java_version == "openjdk:8"
+ - ansible_system is match("Linux")
+
+- name: Install Openjdk11 JDK
+ include_tasks: java_tasks/install_openjdk11_jdk.yml
+ when:
+ - java_version == "openjdk:11"
+ - ansible_system is match("Linux")
+
+- name: Install Openjdk13 JDK
+ include_tasks: java_tasks/install_openjdk11_jdk.yml
+ when:
+ - java_version == "openjdk:13"
+ - ansible_system is match("Linux")
+
+- name: Install Openjdk9 JDK for Windows
+ include_tasks: java_tasks/install_openjdk9_jdk_windows.yml
+ when:
+ - java_version == "openjdk:9"
+ - ansible_system is match("CYGWIN*|Win32NT")
diff --git a/roles/splunk_common_uf/tasks/post_install_subtasks/register_splunk_secret.yml b/roles/splunk_common_uf/tasks/post_install_subtasks/register_splunk_secret.yml
new file mode 100755
index 0000000..343a207
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/post_install_subtasks/register_splunk_secret.yml
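Review bot: The four "add splunk user to sudoer for systemd" tasks at the end of enable_service.yml edit `/etc/sudoers` in place with `lineinfile` and no `validate`, so a malformed line (for example from an unexpected `splunk_user` value) is written straight into the live file and can break sudo on the host. Add `validate: "/usr/sbin/visudo -cf %s"` to each task, or better, write the four rules to one drop-in file under `/etc/sudoers.d/` with `mode: "0440"` and the same `validate`. The hard-coded `/usr/bin/systemctl` path should be checked against the target distributions, since a rule for a path that does not exist there grants nothing. The four tasks also share one name, which makes a failure hard to attribute in the play output.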
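Review bot: The "Install Openjdk13 JDK" task in install_java.yml includes `java_tasks/install_openjdk11_jdk.yml`, so `java_version == "openjdk:13"` installs the same runtime as `openjdk:11`; this looks like a copy-paste slip. Point the include at a task file for OpenJDK 13 if the role has one, or remove the branch, so the requested version and the installed runtime cannot silently diverge and patching is tracked against the right JDK.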
@@ -0,0 +1,21 @@
+---
+
+# - name: Get the Splunk secret
+# shell: cat "{{ splunk_home }}/etc/auth/splunk.secret"
+# register: splunk_secret_content
+# when:
+# - splunk_secret is undefined or splunk_secret is none
+# - not tmp_splunk_secret.stat.exists
+# become: yes
+# become_user: "{{ privileged_user }}"
+
+- name: register Splunk secret for use on other hosts
+ fetch:
+ src: "{{ splunk_home_uf }}/etc/auth/splunk.secret"
+ dest: "/tmp/splunk_secret"
+ flat: yes
+ become: yes
+ become_user: "{{ privileged_user }}"
+ when:
+ - splunk_secret is undefined or splunk_secret is none
+ - not tmp_splunk_secret.stat.exists
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/post_install_subtasks/remove_first_login.yml b/roles/splunk_common_uf/tasks/post_install_subtasks/remove_first_login.yml
new file mode 100755
index 0000000..829e63e
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/post_install_subtasks/remove_first_login.yml
@@ -0,0 +1,10 @@
+---
+- name: "Create .ui_login"
+ file:
+ path: "{{ splunk_home_uf }}/etc/.ui_login"
+ state: touch
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ mode: "u=rw,g=,o="
+ become: yes
+ become_user: "{{ splunk_user }}"
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/post_install_subtasks/set_splunk_secret.yml b/roles/splunk_common_uf/tasks/post_install_subtasks/set_splunk_secret.yml
new file mode 100755
index 0000000..c2d56ad
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/post_install_subtasks/set_splunk_secret.yml
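Review bot: The `fetch` task in register_splunk_secret.yml stores `splunk.secret` at the fixed path `/tmp/splunk_secret` on the control node, and set_splunk_secret.yml later copies whatever file exists at that path to the other hosts. `/tmp` is writable by every local user, so on a shared controller the secret is typically readable there, and the play trusts a file it did not necessarily create. Use a directory owned by the Ansible user with mode 0700 for both the `fetch` `dest` and the `copy` `src`, and delete the fetched copy at the end of the run. In set_splunk_secret.yml the stat on the controller also runs with `become`, which should not be needed once the file lives in a directory the Ansible user owns.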
@@ -0,0 +1,33 @@
+---
+
+- name: Set the Splunk secret from Config
+ copy:
+ dest: "{{ splunk_home_uf }}/etc/auth/splunk.secret"
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ mode: 0400
+ content: "{{ splunk_secret }}"
+ when:
+ - splunk_secret is defined and splunk_secret is not none
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+# Checking that a splunk_secret exists on ansible host
+- name: "Checking that a splunk_secret exists on ansible host"
+ local_action: stat path=/tmp/splunk_secret
+ register: tmp_splunk_secret
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+- name: Set the Splunk secret from First Host
+ copy:
+ dest: "{{ splunk_home_uf }}/etc/auth/splunk.secret"
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ mode: 0400
+ src: "/tmp/splunk_secret"
+ when:
+ - splunk_secret is undefined or splunk_secret is none
+ - tmp_splunk_secret.stat.exists
+ become: yes
+ become_user: "{{ privileged_user }}"
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/post_install_subtasks/set_user_seed.yml b/roles/splunk_common_uf/tasks/post_install_subtasks/set_user_seed.yml
new file mode 100755
index 0000000..40c7841
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/post_install_subtasks/set_user_seed.yml
@@ -0,0 +1,42 @@
+---
+- name: "Hash the password"
+ command: "{{ splunk_exec_uf }} hash-passwd {{ splunk_password }}"
+ register: hashed_pwd
+ changed_when: hashed_pwd.rc == 0
+ become: yes
+ become_user: "{{ splunk_user }}"
+ no_log: "{{ hide_password }}"
+
+- name: "Generate user-seed.conf (Linux)"
+ ini_file:
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ dest: "{{ splunk_home_uf }}/etc/system/local/user-seed.conf"
+ section: user_info
+ option: "{{ item.opt }}"
+ value: "{{ item.val }}"
+ with_items:
+ - { opt: "USERNAME", val: "{{ splunk_admin_user }}" }
+ - { opt: "HASHED_PASSWORD", val: "{{ hashed_pwd.stdout }}" }
+ loop_control:
+ label: "{{ item.opt }}"
+ when: ansible_system is match("Linux")
+ no_log: "{{ hide_password }}"
+ become: yes
+ become_user: "{{ splunk_user }}"
+
+- name: "Generate user-seed.conf (Windows)"
+ ini_file:
+ dest: "{{ splunk_home_uf }}/etc/system/local/user-seed.conf"
+ section: user_info
+ option: "{{ item.opt }}"
+ value: "{{ item.val }}"
+ with_items:
+ - { opt: "USERNAME", val: "{{ splunk_admin_user }}" }
+ - { opt: "HASHED_PASSWORD", val: "{{ hashed_pwd.stdout }}" }
+ loop_control:
+ label: "{{ item.opt }}"
+ when: ansible_system is match("CYGWIN*|Win32NT")
+ no_log: "{{ hide_password }}"
+ become: yes
+ become_user: "{{ splunk_user }}"
diff --git a/roles/splunk_common_uf/tasks/pre_install_subtasks/change_splunk_directory_owner.yml b/roles/splunk_common_uf/tasks/pre_install_subtasks/change_splunk_directory_owner.yml
new file mode 100755
index 0000000..57a5880
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/pre_install_subtasks/change_splunk_directory_owner.yml
@@ -0,0 +1,10 @@
+---
+- name: Update Splunk directory owner
+ file:
+ path: "{{ splunk_home_uf }}"
+ owner: "{{ splunk_user }}"
+ group: "{{ splunk_group }}"
+ recurse: yes
+ state: directory
+ become: yes
+ become_user: "{{ privileged_user }}"
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts.yml b/roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts.yml
new file mode 100755
index 0000000..8a2bc19
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts.yml
@@ -0,0 +1,53 @@
+---
+- name: "Set privilege escalation user"
+ set_fact:
+ privileged_user: "{% if ansible_system is match('CYGWIN*|Win32NT') %}Administrator{% else %}root{% endif %}"
+
+- name: "Check for existing installation"
+ stat:
+ path: "{{ splunk_exec_uf }}"
+ become: yes
+ register: pre_existing_splunk_exec
+
+- name: "Set splunk install fact"
+ set_fact:
+ splunk_install: "{{ not pre_existing_splunk_exec.stat.exists | default(True) }}"
+
+- name: "Check for existing splunk secret"
+ stat:
+ path: "{{ splunk_home_uf }}/etc/auth/splunk.secret"
+ register: pre_existing_splunk_secret
+ become: yes
+
+- name: "Set first run fact"
+ set_fact:
+ first_run: "{{ not pre_existing_splunk_secret.stat.exists | default(True) }}"
+
+- name: "Set splunk_build_type fact"
+ include_tasks: get_facts_build_type.yml
+
+- name: "Set target version fact"
+ include_tasks: get_facts_target_version.yml
+ when: splunk_target_version is not defined or splunk_target_version == none
+
+- name: "Find manifests"
+ find:
+ paths: "{{ splunk_home_uf }}"
+ patterns: ".*-manifest$"
+ use_regex: yes
+ become: yes
+ register: manifests
+
+- name: "Set current version fact"
+ set_fact:
+ splunk_current_version: "{{ manifests.files[0].path | regex_search(regexp, '\\1') if (manifests.matched == 1) else '0' }}"
+ vars:
+ regexp: 'splunk\D*?-((\d+)\.(\d+)\.(\d+))'
+
+- name: "Setting upgrade fact"
+ set_fact:
+ splunk_upgrade: "{{ splunk_build_location_uf and not splunk_install and splunk_target_version and splunk_target_version != splunk_current_version | default(False) }}"
+
+- name: "Register the fact that we've gather the fact"
+ set_fact:
+ splunk_get_fact: true
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts_build_type.yml b/roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts_build_type.yml
new file mode 100755
index 0000000..fdf20dd
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts_build_type.yml
@@ -0,0 +1,21 @@
+- name: Set splunk_build_type from variable
+ set_fact:
+ splunk_build_type: "{{ splunk_build_type }}"
+ when:
+ - "splunk_build_type is defined"
+
+- name: Set splunk_build_type from build_location
+ block:
+ #check if the build_location is a tgz
+ - name: "Set build_type (tgz)"
+ set_fact:
+ splunk_build_type: "tgz"
+ when: splunk_build_location is match(".*(\.tar\.gz|\.tgz)$")
+ - name: "Set build_type (msi)"
+ set_fact:
+ splunk_build_type: "msi"
+ when: splunk_build_location is match(".*\.msi$")
+ when:
+ - splunk_build_type is not defined
+ - splunk_build_type is not none
+ - splunk_build_location is not none
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts_target_version.yml b/roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts_target_version.yml
new file mode 100755
index 0000000..4957e66
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/pre_install_subtasks/get_facts_target_version.yml
@@ -0,0 +1,13 @@
+# Use a manually set version, if a it is set
+- name: "Set target version fact"
+ set_fact:
+ splunk_target_version: "{{ splunk_target_version }}"
+ when: "splunk_target_version is defined"
+
+# Extracting the numbers from the Splunk installer file name allows us to know the version we are targeting.
+- name: "Set target version fact (file)"
+ set_fact:
+ splunk_target_version: "{{ splunk_build_location | regex_search(regexp, '\\1') | default('0') }}"
+ vars:
+ regexp: 'splunk\D*?-((\d+)\.(\d+)\.(\d+))'
+ when: "splunk_build_type is defined and splunk_build_type is match('(tgz|msi|rpm|deb)')"
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/start_splunk.yml b/roles/splunk_common_uf/tasks/start_splunk.yml
new file mode 100755
index 0000000..d32697b
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/start_splunk.yml
@@ -0,0 +1,45 @@
+---
+- name: "Get Splunk status"
+ command: "{{ splunk_exec_uf }} status --accept-license --answer-yes --no-prompt"
+ become: yes
+ become_user: "{{ splunk_user }}"
+ register: splunk_status
+ changed_when: False
+ failed_when: False
+ ignore_errors: yes
+
+- name: "Start Splunk via cli"
+ command: "{{ splunk_exec_uf }} start --accept-license --answer-yes --no-prompt"
+ become: yes
+ become_user: "{{ splunk_user }}"
+ register: start_splunk
+ changed_when: start_splunk.rc == 0 and 'already running' not in start_splunk.stdout
+ when:
+ - not splunk_enable_service or pid1 is not defined
+ - splunk_status.rc != 0
+ ignore_errors: yes
+
+- name: "Start Splunk via service"
+ service:
+ name: "{% if pid1.stdout.find('systemd') != -1 %}Splunkd{% else %}splunk{% endif %}"
+ state: restarted
+ when:
+ - splunk_enable_service
+ - splunk_status.rc != 0
+ - ansible_system is match("Linux")
+ - pid1 is defined
+ become: yes
+ become_user: "{{ privileged_user }}"
+
+- name: "Start Splunk via Windows service"
+ win_service:
+ name: splunkd
+ state: restarted
+ when:
+ - splunk_enable_service
+ - splunk_status.rc != 0
+ - ansible_os_family == "Windows"
+
+- name: "Wait for splunkd management port"
+ wait_for:
+ port: "{{ splunk_svc_port }}"
\ No newline at end of file
diff --git a/roles/splunk_common_uf/tasks/stop_splunk.yml b/roles/splunk_common_uf/tasks/stop_splunk.yml
new file mode 100755
index 0000000..3b8a097
--- /dev/null
+++ b/roles/splunk_common_uf/tasks/stop_splunk.yml
@@ -0,0 +1,40 @@
+---
+- name: "Get Splunk status"
+ command: "{{ splunk_exec_uf }} status --accept-license --answer-yes --no-prompt"
+ become: yes
+ become_user: "{{ splunk_user }}"
+ register: splunk_status
+ changed_when: False
+ failed_when: False
+ ignore_errors: yes
+
+- name: "Stop Splunk via cli"
+ command: "{{ splunk_exec_uf }} stop --accept-license --answer-yes --no-prompt"
+ become: yes
+ become_user: "{{ splunk_user }}"
+ register: stop_splunk
+ changed_when: stop_splunk.rc == 0
+ when:
+ - not splunk_enable_service
+ - splunk_status.rc == 0
+
+- name: "Stop Splunk via systemctl"
+ service:
+ name: Splunkd
+ state: stopped
+ when:
+ - splunk_enable_service
+ - splunk_status.rc == 0
+ - ansible_system is match("Linux")
+ become: yes
+ become_user: "{{ privileged_user }}"
+ ignore_errors: yes
+
+- name: "Stop Splunk via Windows service"
+ win_service:
+ name: splunkd
+ state: stopped
+ when:
+ - splunk_enable_service
+ - splunk_status.rc == 0
+ - ansible_os_family == "Windows"
\ No newline at end of file
diff --git a/test_ping.yml b/test_ping.yml
new file mode 100644
index 0000000..21eda00
--- /dev/null
+++ b/test_ping.yml
@@ -0,0 +1,7 @@
+- name: Test de connectivité ping pong
+ hosts: all_splunk_instances
+ become: true
+
+ tasks:
+ - name: Test de ping pong
+ ping:
\ No newline at end of file