Update roles with new vars (#580)
* Update Spec file

With python2 purged most packages were renamed or removed from repos. This addresses those name changes.

* Delete rockctl.j2

Remove the old control script, which is no longer maintained

* Update local services var

The data structure of the rock_services var was changed to allow additional configuration options. This should now populate this task correctly

* Update rock.spec

* Update local_services based on new data structure

* Update Roles with new installed, enabled, and rock_services vars
spartan782 authored May 14, 2021
1 parent e631237 commit 9faf12d
Showing 22 changed files with 55 additions and 56 deletions.
2 changes: 1 addition & 1 deletion roles/common/files/etc-issue.in
Expand Up @@ -4,7 +4,7 @@
| / \\ | Kernel: \s
| \\ / \\ | Build: \v
| / \\ X \\ \\ | IP Addr: {{IP_ADDR}}
| / \\ / \\ / \\ ^_v___ ____ _____ _ __ | Release: ROCK {{ROCK_VERSION}}
| / \\ / \\ / \\ ^_v___ ____ _____ _ __ | Release: ROCK {{ROCK_VERSION}}
| / v/ / /| __ \\ / __ \\ / ____| |/ / |
| / / | |__) | | | | | | ' / |
| / / | _ /| | | | | | < | Date: \d
4 changes: 3 additions & 1 deletion roles/common/tasks/gather-facts.yml
Expand Up @@ -2,5 +2,7 @@
# Set local system-specific facts
- name: Gather local service facts specific to each host
set_fact:
local_services: "{{ rock_services |map(attribute='name') | list | intersect(group_names) }}"
local_services: "{{ rock_services | map(attribute='name') | list | intersect(group_names) }}"
enabled_services: "{{ rock_services | rejectattr('enabled', 'equalto', False) | map(attribute='name') | list | intersect(group_names) }}"
installed_services: "{{ rock_services | rejectattr('installed', 'equalto', False) | map(attribute='name') | list | intersect(group_names) }}"
...
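Review bot: `rejectattr('enabled', 'equalto', False)` on L51, and the `installed` twin on L52, fail open: a `rock_services` entry that omits the key, or carries anything other than the literal boolean `False` (a quoted `"false"`, `null`, an Undefined), is not rejected and is therefore reported as enabled or installed. Because these facts now gate service start, TLS key generation and firewall changes across the roles in this commit, positive selection is the safer shape: `enabled_services: "{{ rock_services | selectattr('enabled', 'defined') | selectattr('enabled', 'equalto', True) | map(attribute='name') | list | intersect(group_names) }}"` and the same for `installed_services`. Note also that `enabled_services` is not intersected with `installed_services`, so an entry marked enabled but not installed is still reported as enabled; whether the data structure rules that combination out is not visible here.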
8 changes: 4 additions & 4 deletions roles/docket/handlers/main.yml
Expand Up @@ -17,7 +17,7 @@
service:
name: redis
state: restarted
when: local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool
when: "'docket' in enabled_services"

- name: Seed random key
lineinfile:
Expand All @@ -33,16 +33,16 @@
loop:
- docket-celery-io
- docket-celery-query
when: local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool
when: "'docket' in enabled_services"

- name: Restart docket uwsgi
service:
name: docket
state: restarted
when: local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool
when: "'docket' in enabled_services"

- name: Restart lighttpd
service:
name: lighttpd
state: restarted
when: local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool
when: "'docket' in enabled_services"
6 changes: 3 additions & 3 deletions roles/docket/tasks/docket_config.yml
Expand Up @@ -30,12 +30,12 @@
name: redis
enabled: true
notify: Restart redis
when: "local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool"
when: "'docket' in enabled_services"

- name: Enable docket celery services
service:
name: "{{ item }}"
enabled: "{{ local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool }}"
enabled: "{{ 'docket' in enabled_services }}"
notify: Restart docket celery services
loop:
- docket-celery-io
Expand All @@ -44,5 +44,5 @@
- name: Enable docket uwsgi service
service:
name: docket
enabled: "{{ local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool }}"
enabled: "{{ 'docket' in enabled_services }}"
notify: Restart docket uwsgi
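Review bot: The celery and uwsgi tasks on L94-98 and L103-107 set `enabled` from `enabled_services` but never set `state`, so on a host where docket has been switched off an already-running docket or celery process keeps serving until the next reboot; the `when`-guarded handlers in this role only restart, they never stop. The filebeat, fsf, suricata and zeek roles in this same commit pair the flag with a state line, and the equivalent here is `state: "{{ 'started' if 'docket' in enabled_services else 'stopped' }}"` added to both tasks (and to the lighttpd task in lighttpd.yml). The redis task on L88-92 has the same gap but is skipped entirely when docket is disabled, which is defensible for a shared dependency.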
2 changes: 1 addition & 1 deletion roles/docket/tasks/lighttpd.yml
Expand Up @@ -41,5 +41,5 @@
- name: Enable lighttpd service
service:
name: lighttpd
enabled: "{{ local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool }}"
enabled: "{{ 'docket' in enabled_services }}"
notify: Restart lighttpd
2 changes: 1 addition & 1 deletion roles/elasticsearch/tasks/after.yml
Expand Up @@ -32,7 +32,7 @@
url: "{{ es_url }}/_template/default"
body: "{{ lookup('file', 'default-mapping.json') }}"
body_format: json
when: (rock_services | selectattr('name', 'equalto', 'elasticsearch') | map(attribute='installed')) and default_index_template.status != 200
when: "'elasticsearch' in installed_services and default_index_template.status != 200"
run_once: true

- name: Blanket install/update elasticsearch mappings
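Review bot: `run_once: true` on L126 combined with the new host-local condition on L125 is fragile: Ansible evaluates a `run_once` task's `when` only against the first host in the batch, so if the first host of the play is not in the `elasticsearch` group (the name the `intersect(group_names)` in gather-facts implies) the default index template is installed on no host at all, and `default_index_template.status` is likewise read from that single host. If the play can run over a mixed inventory, either scope it to the elasticsearch group or delegate explicitly, e.g. `delegate_to: "{{ groups['elasticsearch'] | first }}"`, and keep `run_once`. The task's head and the task that registers `default_index_template` are above this hunk.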
2 changes: 1 addition & 1 deletion roles/elasticsearch/tasks/before.yml
Expand Up @@ -126,7 +126,7 @@
service:
name: elasticsearch
state: started
enabled: "{{ local_services | selectattr('name', 'equalto', 'elasticsearch') | map(attribute='enabled') | first | bool }}"
enabled: "{{ 'elasticsearch' in enabled_services }}"

- name: Create internal firewall zone
firewalld:
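Review bot: `state: started` on L135 is unconditional while `enabled` on L137 now follows `enabled_services`, so a host where elasticsearch is installed but disabled still gets the daemon started (and presumably reachable through the firewall zone the next task creates) — it just will not survive a reboot. To make the flag authoritative, change L135 to `state: "{{ 'started' if 'elasticsearch' in enabled_services else 'stopped' }}"`, matching the pattern this commit uses in the filebeat and suricata roles. The task's head is above this hunk.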
4 changes: 2 additions & 2 deletions roles/filebeat/tasks/main.yml
Expand Up @@ -30,5 +30,5 @@
- name: Enable and start filebeat
service:
name: filebeat
state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'filebeat') | map(attribute='enabled') | first | bool else 'stopped' }}"
enabled: "{{ local_services | selectattr('name', 'equalto', 'filebeat') | map(attribute='enabled') | first | bool }}"
state: "{{ 'started' if 'filebeat' in enabled_services else 'stopped' }}"
enabled: "{{ 'filebeat' in enabled_services }}"
4 changes: 2 additions & 2 deletions roles/fsf/tasks/main.yml
Expand Up @@ -111,8 +111,8 @@
- name: Enable and start FSF
service:
name: fsf
state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'fsf') | map(attribute='enabled') | first | bool else 'stopped' }}"
enabled: "{{ local_services | selectattr('name', 'equalto', 'fsf') | map(attribute='enabled') | first | bool }}"
state: "{{ 'started' if 'fsf' in enabled_services else 'stopped' }}"
enabled: "{{ 'fsf' in enabled_services }}"

- name: Apply Logstash role
include_role:
4 changes: 2 additions & 2 deletions roles/kafka/tasks/main.yml
Expand Up @@ -153,8 +153,8 @@
service:
name: "{{ item }}"
daemon-reload: "{{ kafka_override_created.changed or wait_for_zk_created.changed }}"
state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'kafka') | map(attribute='enabled') | bool else 'stopped' }}"
enabled: "{{ local_services | selectattr('name', 'equalto', 'kafka') | map(attribute='enabled') | bool }}"
state: "{{ 'started' if 'kafka' in enabled_services else 'stopped' }}"
enabled: "{{ 'kafka' in enabled_services }}"
with_items:
- wait-for-zookeeper
- kafka
10 changes: 4 additions & 6 deletions roles/kibana/tasks/main.yml
Expand Up @@ -14,7 +14,7 @@
- name: Enable and start kibana
service:
name: kibana
enabled: "{{ local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='enabled') | list | bool }}"
enabled: "{{ 'kibana' in enabled_services }}"

- name: Flush handlers
meta: flush_handlers
Expand Down Expand Up @@ -119,8 +119,8 @@
mode: 0644
when:
rock_online_install and (
rock_services | selectattr('name', 'equalto', 'elasticsearch') | map(attribute='installed') | list | first | bool or
rock_services | selectattr('name', 'equalto', 'logstash') | map(attribute='installed') | list | first | bool
'elasticsearch' in installed_services or
'logstash' in installed_services
)

- name: Extract RockNSM elastic configs
Expand All @@ -131,6 +131,4 @@
group: root
creates: "{{ rock_module_dir }}"
remote_src: true
when:
rock_services | selectattr('name', 'equalto', 'elasticsearch') | map(attribute='installed') | list | first | bool or
rock_services | selectattr('name', 'equalto', 'logstash') | map(attribute='installed') | list | first | bool
when: "'elasticsearch' in installed_services or 'logstash' in installed_services"
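Review bot: The conditions on L197-198 and L209 replace a deployment-wide test (old L195-196 and L207-208 queried `rock_services` directly) with `installed_services`, which gather-facts intersects with `group_names`; the kibana role therefore downloads and extracts the RockNSM elastic configs only on hosts that are themselves in the elasticsearch or logstash group. On a dedicated kibana node that is in neither group, both tasks are now skipped. If that layout is supported and the configs are needed wherever kibana runs, keep the old semantics with `rock_services | selectattr('installed', 'equalto', True) | map(attribute='name') | list` or add a non-intersected fact in gather-facts; whether such a layout exists is not visible here.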
6 changes: 2 additions & 4 deletions roles/lighttpd/handlers/main.yml
Expand Up @@ -3,15 +3,13 @@
systemd:
name: lighttpd
state: >-
{%- if local_services | selectattr('name', 'equalto', 'lighttpd') | map(attribute='enabled') | first | bool or
local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool -%}
{%- if 'lighttpd' in enabled_services or 'docket' in enabled_services -%}
restarted
{%- else -%}
stopped
{%- endif -%}
enabled: >-
{%- if local_services | selectattr('name', 'equalto', 'lighttpd') | map(attribute='enabled') | first | bool or
local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool -%}
{%- if 'lighttpd' in enabled_services or 'docket' in enabled_services -%}
True
{%- else -%}
False
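Review bot: Style: the two Jinja `{%- if ... -%}` blocks on L215-229 now reduce to one expression each; `state: "{{ 'restarted' if 'lighttpd' in enabled_services or 'docket' in enabled_services else 'stopped' }}"` and `enabled: "{{ 'lighttpd' in enabled_services or 'docket' in enabled_services }}"` say the same thing without emitting the strings `True`/`False` for the module to coerce, and they match how every other handler in this commit is written. The handler's `name:` line is above the hunk.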
15 changes: 8 additions & 7 deletions roles/lighttpd/tasks/main.yml
Expand Up @@ -14,7 +14,7 @@
mode: 0644
owner: root
group: root
when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
when: "'kibana' in installed_services"
loop:
- 10-rock-auth.conf
- 10-tls.conf
Expand All @@ -41,19 +41,19 @@
name: httpd_can_network_connect
state: true
persistent: true
when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
when: "'kibana' in installed_services"

- name: Generate sensor private key
openssl_privatekey:
path: "{{ http_tls_key }}"
when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
when: "'kibana' in installed_services"
notify: Enable and restart lighttpd

- name: Generate sensor public key
openssl_publickey:
path: "{{ http_tls_pub }}"
privatekey_path: "{{ http_tls_key }}"
when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
when: "'kibana' in installed_services"
notify: Enable and restart lighttpd

- name: Generate sensor CSR
Expand All @@ -67,7 +67,7 @@
organizational_unit_name: NSM Ninjas
email_address: [email protected]
common_name: "{{ ansible_hostname }}"
when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
when: "'kibana' in installed_services"
notify: Enable and restart lighttpd

- name: Generate sensor certificate
Expand All @@ -76,22 +76,23 @@
privatekey_path: "{{ http_tls_key }}"
csr_path: "{{ http_tls_pub }}.csr"
provider: selfsigned
when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
when: "'kibana' in installed_services"
notify: Enable and restart lighttpd

- name: Combine sensor cert and key
shell: >
cat {{ http_tls_key }} {{ http_tls_crt }} > {{ http_tls_combined }}
args:
creates: "{{ http_tls_combined }}"
when: "'kibana' in installed_services"
notify: Enable and restart lighttpd

- name: Generate DH parameters
command: >
openssl dhparam -out {{ http_tls_dhparams }} 2048
args:
creates: "{{ http_tls_dhparams }}"
when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | list | bool"
when: "'kibana' in installed_services"
notify: Enable and restart lighttpd

- name: Configure firewall ports
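Review bot: The "Combine sensor cert and key" task on L282-288 writes the TLS private key into `{{ http_tls_combined }}` through a shell redirect with no `mode` and no umask, so the combined file is created with the login shell's default umask (commonly world-readable 0644), unlike the key file `openssl_privatekey` produces on L250, which that module restricts by default; the newly added `when` on L287 does not change this. Prefix the command, `umask 077 && cat {{ http_tls_key }} {{ http_tls_crt }} > {{ http_tls_combined }}`, or follow it with a `file` task setting `mode: "0600"` so already-deployed sensors are tightened as well. Separately, `creates: "{{ http_tls_combined }}"` means a regenerated key or certificate is never recombined, and the self-signed certificate assembled from L264-280 appears to carry only a `common_name`, which current browsers reject without a SAN — if the CSR task above does not already set it, add `subject_alt_name: "DNS:{{ ansible_hostname }}"` there.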
2 changes: 1 addition & 1 deletion roles/logstash/handlers/main.yml
Expand Up @@ -3,4 +3,4 @@
- name: Restart logstash
systemd:
name: logstash
state: "{{ 'restarted' if local_services | selectattr('name', 'equalto', 'logstash') | map(attribute='enabled') | first | bool else 'stopped' }}"
state: "{{ 'restarted' if 'logstash' in enabled_services else 'stopped' }}"
2 changes: 1 addition & 1 deletion roles/logstash/tasks/main.yml
Expand Up @@ -89,7 +89,7 @@
- name: Enable and start Logstash
service:
name: logstash
enabled: "{{ local_services | selectattr('name', 'equalto', 'logstash') | map(attribute='enabled') | bool }}"
enabled: "{{ 'logstash' in enabled_services }}"
# notify: Restart logstash
tags:
- molecule-idempotencie-notest
6 changes: 3 additions & 3 deletions roles/stenographer/handlers/main.yml
Expand Up @@ -4,16 +4,16 @@
- name: Start stenographer service
service:
name: stenographer
state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | bool else 'stopped' }}"
state: "{{ 'started' if 'stenographer' in enabled_services else 'stopped' }}"

- name: Start stenographer per interface
service:
name: "stenographer@{{ item }}"
state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | bool else 'stopped' }}"
state: "{{ 'started' if 'stenographer' in enabled_services else 'stopped' }}"
loop: "{{ stenographer_monitor_interfaces }}"

- name: Restart stenographer per interface
service:
name: "stenographer@{{ item }}"
state: "{{ 'restarted' if local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | bool else 'stopped' }}"
state: "{{ 'started' if 'stenographer' in enabled_services else 'stopped' }}"
loop: "{{ stenographer_monitor_interfaces }}"
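Review bot: The "Restart stenographer per interface" handler on L337-342 now sets `started` on L341 where the old line L340 set `restarted`, so a config change that notifies it no longer restarts a running `stenographer@<iface>` unit and the instance keeps its old configuration — this looks like an accidental edit in a commit described as a variable rename. Restore the verb: `state: "{{ 'restarted' if 'stenographer' in enabled_services else 'stopped' }}"`. The two "Start" handlers above it are correct as written.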
4 changes: 2 additions & 2 deletions roles/stenographer/tasks/config.yml
Expand Up @@ -104,13 +104,13 @@
- name: Configure stenographer service
service:
name: stenographer
enabled: "{{ local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | list | bool }}"
enabled: "{{ 'stenographer' in enabled_services }}"
notify: Start stenographer service

- name: Configure stenographer per interface
service:
name: "stenographer@{{ item }}"
enabled: "{{ local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | list | bool }}"
enabled: "{{ 'stenographer' in enabled_services }}"
loop: "{{ stenographer_monitor_interfaces }}"
notify: Start stenographer per interface

16 changes: 8 additions & 8 deletions roles/suricata/tasks/main.yml
Expand Up @@ -175,15 +175,15 @@
command: /usr/bin/suricata-update add-source "emerging-threats-offline" "file:///srv/rocknsm/support/emerging.rules-suricata.tar.gz"
args:
creates: /var/lib/suricata/update/sources/emerging-threats-offline.yaml
when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='installed') | list | bool and not rock_online_install"
when: "'suricata' in installed_services and not rock_online_install"
become: true
become_user: "{{ suricata_user }}"

- name: Offline install of suricata rules
command: /usr/bin/suricata-update update --reload-command "/usr/bin/systemctl kill -s USR2 suricata"
args:
creates: /var/lib/suricata/rules/suricata.rules
when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool and not rock_online_install"
when: "'suricata' in enabled_services and not rock_online_install"
become: true
become_user: "{{ suricata_user }}"

Expand All @@ -192,7 +192,7 @@
args:
creates: /var/lib/suricata/update/cache/index.yaml
chdir: /var/lib/suricata
when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool and rock_online_install"
when: "'suricata' in enabled_services and rock_online_install"
become: true
become_user: "{{ suricata_user }}"

Expand All @@ -201,7 +201,7 @@
args:
creates: /var/lib/suricata/update/sources/et-open.yaml
chdir: /var/lib/suricata
when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool and rock_online_install"
when: "'suricata' in enabled_services and rock_online_install"
become: true
become_user: "{{ suricata_user }}"

Expand All @@ -210,7 +210,7 @@
args:
creates: /var/lib/suricata/rules/suricata.rules
chdir: /var/lib/suricata
when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool and rock_online_install"
when: "'suricata' in enabled_services and rock_online_install"
become: true
become_user: "{{ suricata_user }}"

Expand All @@ -223,13 +223,13 @@
minute: "0"
job: /usr/bin/suricata-update update --reload-command "/usr/bin/systemctl kill -s USR2 suricata"
> /var/log/suricata-update.log 2>&1
when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool"
when: "'suricata' in enabled_services"

- name: Enable and start suricata
service:
name: suricata
state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool else 'stopped' }}"
enabled: "{{ local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool }}"
state: "{{ 'started' if 'suricata' in enabled_services else 'stopped' }}"
enabled: "{{ 'suricata' in enabled_services }}"

- name: Apply Logstash role
include_role:
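Review bot: The cron task whose head is above the hunk (L409-414) is skipped rather than removed when suricata is disabled, so a host that once had suricata enabled keeps its hourly `suricata-update ... --reload-command "/usr/bin/systemctl kill -s USR2 suricata"` job after the flag is flipped, while the service task on L416-422 stops the daemon. Make the entry follow the flag instead: drop the `when` on L414 and set `state: "{{ 'present' if 'suricata' in enabled_services else 'absent' }}"` on the `cron` task. The guards on L369 (`installed_services`) and L378 (`enabled_services`) are also inconsistent: an installed-but-disabled offline host registers the rule source but never installs rules, which is harmless while the service is stopped but worth making deliberate with a comment.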
2 changes: 1 addition & 1 deletion roles/zeek/handlers/main.yml
Expand Up @@ -11,4 +11,4 @@
service:
name: zeek
state: restarted
when: local_services | selectattr('name', 'equalto', 'zeek') | map(attribute='enabled') | first | bool
when: "'zeek' in enabled_services"
6 changes: 3 additions & 3 deletions roles/zeek/tasks/main.yml
Expand Up @@ -209,7 +209,7 @@
dest: "{{ zeek_site_dir }}/local.zeek"
line: "@load scripts/rock/plugins/kafka"
state: present
when: "rock_services | selectattr('name', 'equalto', 'kafka') | map(attribute='enabled') | list | first | bool"
when: "'kafka' in enabled_services"

- name: Add zeek aliases
copy:
Expand Down Expand Up @@ -337,8 +337,8 @@
- name: Enable and start zeek
service:
name: zeek
state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'zeek') | map(attribute='enabled') | bool else 'stopped' }}"
enabled: "{{ local_services | selectattr('name', 'equalto', 'zeek') | map(attribute='enabled') | bool }}"
state: "{{ 'started' if 'zeek' in enabled_services else 'stopped' }}"
enabled: "{{ 'zeek' in enabled_services }}"

- name: Apply Logstash role
include_role:
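Review bot: The condition on L442 changes the kafka-plugin load from a deployment-wide test (old L441 queried `rock_services` directly) to `'kafka' in enabled_services`, which gather-facts intersects with `group_names`; zeek now appends `@load scripts/rock/plugins/kafka` to local.zeek only when the sensor host is itself in the `kafka` group. On a multi-node layout where zeek ships to a separate kafka host this silently drops the plugin and with it the log pipeline. If that layout is supported, keep the old semantics here, `when: rock_services | selectattr('name', 'equalto', 'kafka') | selectattr('enabled', 'equalto', True) | list | length > 0`, or expose a non-intersected fact from gather-facts. The lineinfile task's head is above the hunk.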
2 changes: 1 addition & 1 deletion roles/zookeeper/handlers/main.yml
Expand Up @@ -3,4 +3,4 @@
- name: Restart zookeeper
systemd:
name: zookeeper
state: "{{ 'restarted' if local_services | selectattr('name', 'equalto', 'zookeeper') | map(attribute='enabled') | first | bool else 'stopped' }}"
state: "{{ 'restarted' if 'zookeeper' in enabled_services else 'stopped' }}"
2 changes: 1 addition & 1 deletion roles/zookeeper/tasks/main.yml
Expand Up @@ -9,7 +9,7 @@
- name: Enable and Start zookeeper
systemd:
name: zookeeper
enabled: "{{ local_services | selectattr('name', 'equalto', 'zookeeper') | map(attribute='enabled') | bool }}"
enabled: "{{ 'zookeeper' in enabled_services }}"
notify: Restart zookeeper

- name: Configure firewall ports
