From 924188eed60cbe5e5fa08ff51fc38c48cf0f7dd3 Mon Sep 17 00:00:00 2001 From: Russ Cam Date: Thu, 2 May 2019 18:14:42 +1000 Subject: [PATCH] Add support for Elastic Stack 7.0 (#275) * Add support for Elastic Stack 7.0 This commit adds support for Elastic Stack 7.0. * Update docs to version 7.0 * Include OS suffix in Debian package name for 7.x + * Omit the transport ports from zen2 discovery hosts * Update user passwords on install - Add apm_system built-in user password and configure for 6.5.0+ - Add remote_monitoring_user built-in password and configure for 6.5.0+ - Remove es_read user. Users can configure any additional accounts post-deployment. Closes #274 --- README.md | 42 +++--- build/allowedValues.json | 5 +- build/arm-tests/1d-nvme-0m-0c-ext-p.json | 2 +- build/tasks/arm-validator.js | 3 +- docs/azure-arm-template.asciidoc | 48 +++---- docs/trial-license-warning.asciidoc | 2 +- docs/troubleshooting.asciidoc | 8 +- parameters/password.parameters.json | 5 +- parameters/ssh.parameters.json | 5 +- src/createUiDefinition.json | 47 +++++-- src/mainTemplate.json | 32 +++-- src/scripts/elasticsearch-install.sh | 166 ++++++++++++++--------- src/scripts/java-install.sh | 21 ++- src/scripts/kibana-install.sh | 9 +- src/scripts/logstash-install.sh | 29 +++- src/settings/ubuntuSettings.json | 2 +- 16 files changed, 274 insertions(+), 152 deletions(-) diff --git a/README.md b/README.md index 1535f334..fd50695f 100644 --- a/README.md +++ b/README.md 
@@ -56,7 +56,7 @@ Deploying through the Marketplace is great and easy way to get your feet wet for ![Example UI Flow](images/ui.gif) -You can view the UI in developer mode by [clicking here](https://portal.azure.com/#blade/Microsoft_Azure_Compute/CreateMultiVmWizardBlade/internal_bladeCallId/anything/internal_bladeCallerParams/{"initialData":{},"providerConfig":{"createUiDefinition":"https%3A%2F%2Fraw.githubusercontent.com%2Felastic%2Fazure-marketplace%2Fmaster%2Fsrc%2FcreateUiDefinition.json"}}). If you feel something is cached improperly use [this client unoptimized link instead](https://portal.azure.com/?clientOptimizations=false#blade/Microsoft_Azure_Compute/CreateMultiVmWizardBlade/internal_bladeCallId/anything/internal_bladeCallerParams/{"initialData":{},"providerConfig":{"createUiDefinition":"https%3A%2F%2Fraw.githubusercontent.com%2Felastic%2Fazure-marketplace%2Fmaster%2Fsrc%2FcreateUiDefinition.json"}}) +You can view the UI in developer mode by [clicking here](https://portal.azure.com/#blade/Microsoft_Azure_Compute/CreateMultiVmWizardBlade/internal_bladeCallId/anything/internal_bladeCallerParams/{"initialData":{},"providerConfig":{"createUiDefinition":"https%3A%2F%2Fraw.githubusercontent.com%2Felastic%2Fazure-marketplace%2F7.0%2Fsrc%2FcreateUiDefinition.json"}}). If you feel something is cached improperly use [this client unoptimized link instead](https://portal.azure.com/?clientOptimizations=false#blade/Microsoft_Azure_Compute/CreateMultiVmWizardBlade/internal_bladeCallId/anything/internal_bladeCallerParams/{"initialData":{},"providerConfig":{"createUiDefinition":"https%3A%2F%2Fraw.githubusercontent.com%2Felastic%2Fazure-marketplace%2F7.0%2Fsrc%2FcreateUiDefinition.json"}}) ## Reporting bugs @@ -357,12 +357,6 @@ value defined in the template. should be a minimum of 12 characters, and must be greater than 6 characters. "" - securityReadPasswordsecurestring - Security password for the es_read user with user (read-only) role. -
- should be a minimum of 12 characters, and must be greater than 6 characters. - "" - securityKibanaPasswordsecurestring Security password Kibana.
@@ -383,6 +377,18 @@ value defined in the template. should be a minimum of 12 characters, and must be greater than 6 characters. "" + securityApmPasswordsecurestring + This is the built-in apm_system user. Valid for Elasticsearch 6.5.0+ +
+ should be a minimum of 12 characters, and must be greater than 6 characters. + "" + + securityRemoteMonitoringPasswordsecurestring + This is the built-in remote_monitoring_user user. Valid for Elasticsearch 6.5.0+ +
+ should be a minimum of 12 characters, and must be greater than 6 characters. + "" + Kibana related settings kibanastring @@ -563,7 +569,7 @@ value defined in the template. ### Web based deploy - + Deploy to Azure @@ -597,7 +603,7 @@ supported by the last release. It's recommended to update to [Azure CLI 2.0](htt ```sh az group deployment create \ --resource-group \ - --template-uri https://raw.githubusercontent.com/elastic/azure-marketplace/master/src/mainTemplate.json \ + --template-uri https://raw.githubusercontent.com/elastic/azure-marketplace/7.0/src/mainTemplate.json \ --parameters @parameters/password.parameters.json ``` @@ -622,7 +628,7 @@ where `` refers to the resource group you just created. ```powershell $clusterParameters = @{ - "artifactsBaseUrl"="https://raw.githubusercontent.com/elastic/azure-marketplace/master/src" + "artifactsBaseUrl"="https://raw.githubusercontent.com/elastic/azure-marketplace/7.0/src" "esVersion" = "6.7.0" "esClusterName" = "elasticsearch" "loadBalancerType" = "internal" @@ -630,11 +636,12 @@ where `` refers to the resource group you just created. "adminUsername" = "russ" "adminPassword" = "Password1234" "securityBootstrapPassword" = "Password1234" - "securityAdminPassword" = "Password1234" - "securityReadPassword" = "Password1234" + "securityAdminPassword" = "Password1234" "securityKibanaPassword" = "Password1234" "securityLogstashPassword" = "Password1234" "securityBeatsPassword" = "Password1234" + "securityApmPassword" = "Password1234" + "securityRemoteMonitoringPassword" = "Password1234" } ``` 
@@ -647,7 +654,7 @@ where `` refers to the resource group you just created. 5. Use our template directly from GitHub ```powershell - New-AzureRmResourceGroupDeployment -Name "" -ResourceGroupName "" -TemplateUri "https://raw.githubusercontent.com/elastic/azure-marketplace/master/src/mainTemplate.json" -TemplateParameterObject $clusterParameters + New-AzureRmResourceGroupDeployment -Name "" -ResourceGroupName "" -TemplateUri "https://raw.githubusercontent.com/elastic/azure-marketplace/7.0/src/mainTemplate.json" -TemplateParameterObject $clusterParameters ``` ## Targeting a specific template version @@ -657,24 +664,25 @@ the artifactsBaseUrl parameter of the template to point to a specific tagged rel **Targeting a specific template version is recommended for repeatable production deployments.** -For example, to target the [`6.6.1` tag release with PowerShell](https://github.com/elastic/azure-marketplace/tree/6.6.1) +For example, to target the [`7.0.0` tag release with PowerShell](https://github.com/elastic/azure-marketplace/tree/6.6.1) ```powershell -$templateVersion = "6.6.1" +$templateVersion = "7.0.0" $templateBaseUrl = "https://raw.githubusercontent.com/elastic/azure-marketplace/$templateVersion/src" # minimum parameters required to deploy $clusterParameters = @{ "artifactsBaseUrl" = $templateBaseUrl - "esVersion" = "6.6.1" + "esVersion" = "7.0.0" "adminUsername" = "russ" "adminPassword" = "Password1234" "securityBootstrapPassword" = "Password1234" "securityAdminPassword" = "Password1234" - "securityReadPassword" = "Password1234" "securityKibanaPassword" = "Password1234" "securityLogstashPassword" = "Password1234" "securityBeatsPassword" = "Password1234" + "securityApmPassword" = "Password1234" + "securityRemoteMonitoringPassword" = "Password1234" } $resourceGroup = "my-azure-cluster" diff --git a/build/allowedValues.json b/build/allowedValues.json index 058af191..098009c2 100644 --- a/build/allowedValues.json +++ b/build/allowedValues.json 
@@ -8,7 +8,8 @@ "6.4.3", "6.5.4", "6.6.2", - "6.7.0" + "6.7.1", + "7.0.0" ], "numberOfDataNodes" : 50, "numberOfClientNodes" : 20, @@ -45,8 +46,6 @@ "Standard_F8s", "Standard_F16s", - - "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", diff --git a/build/arm-tests/1d-nvme-0m-0c-ext-p.json b/build/arm-tests/1d-nvme-0m-0c-ext-p.json index f5f76888..6290fab0 100644 --- a/build/arm-tests/1d-nvme-0m-0c-ext-p.json +++ b/build/arm-tests/1d-nvme-0m-0c-ext-p.json @@ -12,7 +12,7 @@ "vmSizeDataNodes":{"value":"Standard_L8s_v2"}, "vmDataNodeCount":{"value":1}, "vmDataDiskCount":{"value":0}, - "vmDataDiskSize":{"value":"Small"}, + "vmDataDiskSize":{"value":"32GiB"}, "storageAccountType":{"value":"Default"}, "dataNodesAreMasterEligible":{"value":"Yes"}, "vmSizeMasterNodes":{"value":"Standard_DS2"}, diff --git a/build/tasks/arm-validator.js b/build/tasks/arm-validator.js index a991cf8a..3c5dbd47 100644 --- a/build/tasks/arm-validator.js +++ b/build/tasks/arm-validator.js @@ -71,10 +71,11 @@ var bootstrapTest = (t, defaultVersion) => testParameters.sshPublicKey.value = config.deployments.ssh; testParameters.securityBootstrapPassword.value = config.deployments.securityPassword; testParameters.securityAdminPassword.value = config.deployments.securityPassword; - testParameters.securityReadPassword.value = config.deployments.securityPassword; + testParameters.securityRemoteMonitoringPassword.value = config.deployments.securityPassword; testParameters.securityKibanaPassword.value = config.deployments.securityPassword; testParameters.securityLogstashPassword.value = config.deployments.securityPassword; testParameters.securityBeatsPassword.value = config.deployments.securityPassword; + testParameters.securityApmPassword.value = config.deployments.securityPassword; testParameters.esVersion.value = defaultVersion; // Some parameters are longer than the max allowed characters for cmd on Windows. 
diff --git a/docs/azure-arm-template.asciidoc b/docs/azure-arm-template.asciidoc index b683af01..2c481a93 100644 --- a/docs/azure-arm-template.asciidoc +++ b/docs/azure-arm-template.asciidoc @@ -1,8 +1,8 @@ :marketplace: https://azuremarketplace.microsoft.com/en-au/marketplace/apps/elastic.elasticsearch :portal: https://portal.azure.com :github: https://github.com/elastic/azure-marketplace -:current: 6.6 -:version: 6.6.0 +:current: 7.0 +:version: 7.0.0 :register: https://register.elastic.co :elasticguide: https://www.elastic.co/guide/en/elasticsearch :elasticdocs: {elasticguide}/reference/{current} @@ -151,11 +151,12 @@ az group deployment create \ vmDataDiskCount=1 dataNodesAreMasterEligible=Yes \ adminUsername=russ adminPassword=Password1234 \ securityBootstrapPassword=bootstrapPassword123 \ - securityAdminPassword=adminPassword123 \ - securityReadPassword=readPassword123 \ + securityAdminPassword=adminPassword123 \ securityKibanaPassword=kibanaPassword123 \ securityLogstashPassword=logstashPassword123 \ - securityBeatsPassword=beatsPassword123 + securityBeatsPassword=beatsPassword123 \ + securityApmPassword=apmPassword123 \ + securityRemoteMonitoringPassword=remoteMonitoringPassword123 ---- [source,powershell] @@ -175,10 +176,11 @@ $parameters = @{ "adminPassword" = "Password1234" "securityBootstrapPassword" = "bootstrapPassword123" "securityAdminPassword" = "adminPassword123" - "securityReadPassword" = "readPassword123" "securityKibanaPassword" = "kibanaPassword123" "securityLogstashPassword" = "logstashPassword123" "securityBeatsPassword" = "beatsPassword123" + "securityApmPassword" = "apmPassword123" + "securityRemoteMonitoringPassword" = "remoteMonitoringPassword123" } $deployment = New-AzureRmResourceGroupDeployment -ResourceGroupName "" ` 
@@ -1051,24 +1053,16 @@ Security password for the `beats_system` built-in user account. This is the acco Beats can use to communicate with Elasticsearch. Must be greater than six characters in length. Valid only for Elasticsearch 6.3.0+ -`securityReadPassword`:: -Security password for an `es_read` user account configured with a user (read-only) role with -the following definition -+ -[source,json] --- -{ - "cluster": [ "monitor" ], - "indices": [ - { - "names": [ "*" ], - "privileges": [ "read", "monitor", "view_index_metadata" ] - } - ] -} --- -+ -Must be greater than six characters in length. +`securityApmPassword`:: +Security password for the `apm_system` built-in user account. This is the account that the +APM server can use to communicate with Elasticsearch. Must be greater +than six characters in length. Valid only for Elasticsearch 6.5.0+ + +`securityRemoteMonitoringPassword`:: +Security password for the `remote_monitoring_user` built-in user account. This is the account that +Metricbeat uses when collecting and storing monitoring information in Elasticsearch. +It has the `remote_monitoring_agent` and `remote_monitoring_collector` built-in roles. +Valid only for Elasticsearch 6.5.0+ It is recommended after deployment to use the `elastic` superuser account to create the individual user accounts that will be needed for the users and applications @@ -1273,10 +1267,11 @@ az group deployment create \ adminPassword=Password1234 \ securityBootstrapPassword=BootstrapPassword123 \ securityAdminPassword=AdminPassword123 \ - securityReadPassword=ReadPassword123 \ securityKibanaPassword=KibanaPassword123 \ securityLogstashPassword=LogstashPassword123 \ securityBeatsPassword=BeatsPassword123 \ + securityApmPassword=ApmPassword123 \ + securityRemoteMonitoringPassword=RemoteMonitoringPassword123 \ kibanaCertBlob=$kibana_cert \ kibanaKeyBlob=$kibana_key \ samlMetadataUri=$metadata_uri 
@@ -1309,10 +1304,11 @@ $parameters = @{ "adminPassword" = "Password1234" "securityBootstrapPassword" = "BootstrapPassword123" "securityAdminPassword" = "AdminPassword123" - "securityReadPassword" = "ReadPassword123" "securityKibanaPassword" = "KibanaPassword123" "securityLogstashPassword" = "LogstashPassword123" "securityBeatsPassword" = "BeatsPassword123" + "securityApmPassword" = "ApmPassword123" + "securityRemoteMonitoringPassword" = "RemoteMonitoringPassword123" "kibanaCertBlob" = $kibanaCert "kibanaKeyBlob" = $kibanaKey "samlMetadataUri" = $metadataUri diff --git a/docs/trial-license-warning.asciidoc b/docs/trial-license-warning.asciidoc index 60550ee0..42ac6a62 100644 --- a/docs/trial-license-warning.asciidoc +++ b/docs/trial-license-warning.asciidoc @@ -1,4 +1,4 @@ -:current: 6.6 +:current: 7.0 :register: https://register.elastic.co :elasticdocs: https://www.elastic.co/guide/en/elasticsearch/reference/{current} :licenseexpiration: {stackdocs}/license-expiration.html diff --git a/docs/troubleshooting.asciidoc b/docs/troubleshooting.asciidoc index 8183f33c..6db9789f 100644 --- a/docs/troubleshooting.asciidoc +++ b/docs/troubleshooting.asciidoc @@ -159,10 +159,11 @@ az group deployment create \ adminUsername=russ adminPassword=Password1234 \ securityBootstrapPassword=bootstrapPassword123 \ securityAdminPassword=adminPassword123 \ - securityReadPassword=readPassword123 \ securityKibanaPassword=kibanaPassword123 \ securityLogstashPassword=logstashPassword123 \ - securityBeatsPassword=beatsPassword123 + securityBeatsPassword=beatsPassword123 \ + securityApmPassword=apmPassword123 \ + securityRemoteMonitoringPassword=remoteMonitoringPassword123 ---- [source,powershell] 
@@ -182,10 +183,11 @@ $parameters = @{ "adminPassword" = "Password1234" "securityBootstrapPassword" = "bootstrapPassword123" "securityAdminPassword" = "adminPassword123" - "securityReadPassword" = "readPassword123" "securityKibanaPassword" = "kibanaPassword123" "securityLogstashPassword" = "logstashPassword123" "securityBeatsPassword" = "beatsPassword123" + "securityApmPassword" = "apmPassword123" + "securityRemoteMonitoringPassword" = "remoteMonitoringPassword123" } $deployment = New-AzureRmResourceGroupDeployment -ResourceGroupName "" ` diff --git a/parameters/password.parameters.json b/parameters/password.parameters.json index 3fa18108..afdfd3af 100644 --- a/parameters/password.parameters.json +++ b/parameters/password.parameters.json @@ -1,5 +1,5 @@ { - "artifactsBaseUrl":{"value":"https://raw.githubusercontent.com/elastic/azure-marketplace/master/src"}, + "artifactsBaseUrl":{"value":"https://raw.githubusercontent.com/elastic/azure-marketplace/7.0/src"}, "esVersion":{"value":"6.7.0"}, "esClusterName":{"value":"my-azure-cluster"}, "loadBalancerType":{"value":"internal"}, @@ -54,10 +54,11 @@ "adminPassword":{"value":""}, "securityBootstrapPassword":{"value":""}, "securityAdminPassword":{"value":""}, - "securityReadPassword":{"value":""}, "securityKibanaPassword":{"value":""}, "securityLogstashPassword":{"value":""}, "securityBeatsPassword":{"value":""}, + "securityApmPassword":{"value":""}, + "securityRemoteMonitoringPassword":{"value":""}, "vNetNewOrExisting": {"value":"new"}, "vNetName": {"value": "es-net"}, "vNetExistingResourceGroup": {"value": ""}, diff --git a/parameters/ssh.parameters.json b/parameters/ssh.parameters.json index 7e4d5385..116d4afb 100644 --- a/parameters/ssh.parameters.json +++ b/parameters/ssh.parameters.json 
@@ -1,5 +1,5 @@ { - "artifactsBaseUrl":{"value":"https://raw.githubusercontent.com/elastic/azure-marketplace/master/src"}, + "artifactsBaseUrl":{"value":"https://raw.githubusercontent.com/elastic/azure-marketplace/7.0/src"}, "esVersion":{"value":"6.7.0"}, "esClusterName":{"value":"my-azure-cluster"}, "loadBalancerType":{"value":"internal"}, @@ -54,10 +54,11 @@ "adminPassword":{"value":""}, "securityBootstrapPassword":{"value":""}, "securityAdminPassword":{"value":""}, - "securityReadPassword":{"value":""}, "securityKibanaPassword":{"value":""}, "securityLogstashPassword":{"value":""}, "securityBeatsPassword":{"value":""}, + "securityApmPassword":{"value":""}, + "securityRemoteMonitoringPassword":{"value":""}, "vNetNewOrExisting": {"value":"new"}, "vNetName": {"value": "es-net"}, "vNetExistingResourceGroup": {"value": ""}, diff --git a/src/createUiDefinition.json b/src/createUiDefinition.json index e2de3364..6f05f4ef 100644 --- a/src/createUiDefinition.json +++ b/src/createUiDefinition.json @@ -54,7 +54,7 @@ "name": "esVersion", "type": "Microsoft.Common.DropDown", "label": "Elasticsearch version", - "defaultValue": "v6.7.0", + "defaultValue": "v7.0.0", "toolTip": "Choose a version of Elasticsearch.", "constraints": { "allowedValues": [ @@ -91,8 +91,12 @@ "value": "6.6.2" }, { - "label": "v6.7.0", - "value": "6.7.0" + "label": "v6.7.1", + "value": "6.7.1" + }, + { + "label": "v7.0.0", + "value": "7.0.0" } ] } 
@@ -1426,18 +1430,42 @@ ] }, { - "name": "es_read", + "name": "es_apm", + "type": "Microsoft.Common.Section", + "label": "APM system user account", + "elements": [ + { + "name": "securityApmPassword", + "type": "Microsoft.Common.PasswordBox", + "label": { + "password": "'apm_system' built-in user password", + "confirmPassword": "Confirm password" + }, + "toolTip": "Password to use for the built-in 'apm_system' user. This is a built-in account that APM server uses to communicate with Elasticsearch. Required for Elasticsearch 6.5.0+", + "constraints": { + "required": true, + "regex": "^.{12,}", + "validationMessage": "Password must be at least 12 characters long" + }, + "options": { + "hideConfirmation": false + } + } + ] + }, + { + "name": "es_remote", "type": "Microsoft.Common.Section", - "label": "es_read (read only) user account", + "label": "Remote monitoring user system user account", "elements": [ { - "name": "securityReadPassword", + "name": "securityRemoteMonitoringPassword", "type": "Microsoft.Common.PasswordBox", "label": { - "password": "'es_read' user password", + "password": "'remote_monitoring_user' built-in user password", "confirmPassword": "Confirm password" }, - "toolTip": "Password to use for the 'es_read' user. This is a user account configured with limited read-only access", + "toolTip": "Password to use for the built-in 'remote_monitoring_user' user. This is a built-in account that Metricbeat uses when collecting and storing monitoring information in Elasticsearch. Required for Elasticsearch 6.5.0+", "constraints": { "required": true, "regex": "^.{12,}", 
@@ -1516,10 +1544,11 @@ "sshPublicKey": "[basics('password').sshPublicKey]", "securityBootstrapPassword": "", "securityAdminPassword": "[steps('securityStep').es_admin.securityAdminPassword]", - "securityReadPassword": "[steps('securityStep').es_read.securityReadPassword]", "securityKibanaPassword": "[steps('securityStep').es_kibana.securityKibanaPassword]", "securityLogstashPassword": "[steps('securityStep').es_logstash.securityLogstashPassword]", "securityBeatsPassword": "[steps('securityStep').es_beats.securityBeatsPassword]", + "securityApmPassword": "[steps('securityStep').es_apm.securityApmPassword]", + "securityRemoteMonitoringPassword": "[steps('securityStep').es_remote.securityRemoteMonitoringPassword]", "appGatewayTier": "Standard", "appGatewaySku": "Small", "appGatewayCount": 1, diff --git a/src/mainTemplate.json b/src/mainTemplate.json index 57f07657..3c76cd8d 100644 --- a/src/mainTemplate.json +++ b/src/mainTemplate.json @@ -4,7 +4,7 @@ "parameters": { "artifactsBaseUrl": { "type": "string", - "defaultValue": "https://raw.githubusercontent.com/elastic/azure-marketplace/master/src", + "defaultValue": "https://raw.githubusercontent.com/elastic/azure-marketplace/7.0/src", "metadata": { "artifactsBaseUrl": "Base URL of the Elastic template gallery package" } @@ -21,7 +21,7 @@ }, "esVersion": { "type": "string", - "defaultValue": "6.7.0", + "defaultValue": "7.0.0", "allowedValues": [ "5.6.15", "6.0.1", @@ -31,7 +31,8 @@ "6.4.3", "6.5.4", "6.6.2", - "6.7.0" + "6.7.1", + "7.0.0" ], "metadata": { "description": "Elasticsearch version to install" 
@@ -1114,12 +1115,6 @@ "description": "Password for the built-in 'elastic' user. Should be 12 characters or more, with a minimum of 6 characters" } }, - "securityReadPassword": { - "type": "securestring", - "metadata": { - "description": "Password for the 'es_read' user with user (read-only) role. Should be 12 characters or more, with a minimum of 6 characters" - } - }, "securityKibanaPassword": { "type": "securestring", "metadata": { @@ -1129,13 +1124,25 @@ "securityLogstashPassword": { "type": "securestring", "metadata": { - "description": "Password for the 'logstash_system' user. Should be 12 characters or more, with a minimum of 6 characters" + "description": "Password for the built-in 'logstash_system' user. Should be 12 characters or more, with a minimum of 6 characters" } }, "securityBeatsPassword": { "type": "securestring", "metadata": { - "description": "Password for the 'beats_system' user. Should be 12 characters or more, with a minimum of 6 characters. Required for Elasticsearch 6.3.0+ when xpackPlugins is 'Yes'" + "description": "Password for the built-in 'beats_system' user. Should be 12 characters or more, with a minimum of 6 characters. Required for Elasticsearch 6.3.0+ when xpackPlugins is 'Yes'" + } + }, + "securityApmPassword": { + "type": "securestring", + "metadata": { + "description": "Password for the built-in 'apm_system' user. Should be 12 characters or more, with a minimum of 6 characters. Required for Elasticsearch 6.5.0+ when xpackPlugins is 'Yes'" + } + }, + "securityRemoteMonitoringPassword": { + "type": "securestring", + "metadata": { + "description": "Password for the built-in 'remote_monitoring_user' user. Should be 12 characters or more, with a minimum of 6 characters. Required for Elasticsearch 6.5.0+ when xpackPlugins is 'Yes'" } }, "location": { 
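Review bot: `securityApmPassword` and `securityRemoteMonitoringPassword` state their length rule only in `description`; the `^.{12,}` check for these fields lives in createUiDefinition.json, which deployments made with the CLI or PowerShell examples in the README never pass through. If a non-empty value is expected whenever these parameters are used, a `"minLength"` on each parameter would reject a too-short password at validation time rather than part-way through the install script. The existing password parameters in this hunk follow the same pattern, so this is probably a template-wide follow-up rather than something specific to the two new entries.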
@@ -1320,10 +1327,11 @@ "transportCaCertPassword": "[parameters('esTransportCaCertPassword')]", "transportCertPassword": "[parameters('esTransportCertPassword')]", "securityAdminPwd": "[parameters('securityAdminPassword')]", - "securityReadPwd": "[parameters('securityReadPassword')]", "securityKibanaPwd": "[parameters('securityKibanaPassword')]", "securityLogstashPwd": "[parameters('securityLogstashPassword')]", "securityBeatsPwd": "[parameters('securityBeatsPassword')]", + "securityApmPwd": "[parameters('securityApmPassword')]", + "securityRemoteMonitoringPwd": "[parameters('securityRemoteMonitoringPassword')]", "securityBootstrapPwd": "[if(not(empty(parameters('securityBootstrapPassword'))),parameters('securityBootstrapPassword'),uniqueString(resourceGroup().id, deployment().name, parameters('securityAdminPassword')))]", "samlMetadataUri": "[parameters('samlMetadataUri')]", "samlServiceProviderUri": "[parameters('samlServiceProviderUri')]" diff --git a/src/scripts/elasticsearch-install.sh b/src/scripts/elasticsearch-install.sh index f3111a5e..edd03b9e 100644 --- a/src/scripts/elasticsearch-install.sh +++ b/src/scripts/elasticsearch-install.sh 
@@ -19,18 +19,20 @@ help()
 echo ""
 echo "Options:"
 echo " -n elasticsearch cluster name"
- echo " -v elasticsearch version e.g. 6.4.1"
+ echo " -v elasticsearch version e.g. 7.0.0"
 echo " -p hostname prefix of nodes for unicast discovery"
 echo " -m heap size in megabytes to allocate to JVM"
 echo " -d cluster uses dedicated masters"
 echo " -Z hint to the install script how many data nodes we are provisioning"
- echo " -A admin password"
- echo " -R read password"
+ echo " -B bootstrap password"
+ echo " -A elastic user password"
 echo " -K kibana user password"
 echo " -S logstash_system user password"
 echo " -F beats_system user password"
+ echo " -M apm_system user password"
+ echo " -R remote_monitoring_user user password"
 echo " -x configure as a dedicated master node"
 echo " -y configure as client only node (no master, no data)"
@@ -50,10 +52,12 @@ help()
 echo " -O URI from which to retrieve the metadata file for the Identity Provider to configure SAML Single-Sign-On"
 echo " -P Public domain name for the instance of Kibana to configure SAML Single-Sign-On"
+ echo " -D Internal Load Balancer IP address"
- echo " -j install azure cloud plugin for snapshot and restore"
- echo " -a set the default storage account for azure cloud plugin"
- echo " -k set the key for the default storage account for azure cloud plugin"
+ echo " -j install repository-azure plugin for snapshot and restore"
+ echo " -a set the default storage account for repository-azure plugin"
+ echo " -k set the key for the default storage account for repository-azure plugin"
+ echo " -E set the storage account suffix for repository-azure plugin"
 echo " -h view this help content"
 }
@@ -113,13 +117,15 @@ CLUSTER_USES_DEDICATED_MASTERS=0
 DATANODE_COUNT=0
 MINIMUM_MASTER_NODES=3
-UNICAST_HOSTS='["'"$NAMESPACE_PREFIX"'master-0:9300","'"$NAMESPACE_PREFIX"'master-1:9300","'"$NAMESPACE_PREFIX"'master-2:9300"]'
+UNICAST_HOST_PORT=":9300"
+UNICAST_HOSTS='["'"$NAMESPACE_PREFIX"'master-0'"$UNICAST_HOST_PORT"'","'"$NAMESPACE_PREFIX"'master-1'"$UNICAST_HOST_PORT"'","'"$NAMESPACE_PREFIX"'master-2'"$UNICAST_HOST_PORT"'"]'
 USER_ADMIN_PWD="changeme"
-USER_READ_PWD="changeme"
+USER_REMOTE_MONITORING_PWD="changeme"
 USER_KIBANA_PWD="changeme"
 USER_LOGSTASH_PWD="changeme"
 USER_BEATS_PWD="changeme"
+USER_APM_PWD="changeme"
 BOOTSTRAP_PASSWORD="changeme"
 SEED_PASSWORD="changeme"
@@ -143,7 +149,7 @@ SAML_METADATA_URI=""
 SAML_SP_URI=""
 #Loop through options passed
-while getopts :n:m:v:A:R:K:S:F:Z:p:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O:P:xyzldjh optname; do
+while getopts :n:m:v:A:R:M:K:S:F:Z:p:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O:P:xyzldjh optname; do
 log "Option $optname set"
 case $optname in
 n) #set cluster name
@@ -158,8 +164,8 @@ while getopts :n:m:v:A:R:K:S:F:Z:p:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O:P:xyzldjh optna
 A) #security admin pwd
 USER_ADMIN_PWD="${OPTARG}"
 ;;
- R) #security readonly pwd
- USER_READ_PWD="${OPTARG}"
+ R) #security remote_monitoring_user pwd
+ USER_REMOTE_MONITORING_PWD="${OPTARG}"
 ;;
 K) #security kibana user pwd
 USER_KIBANA_PWD="${OPTARG}"
@@ -170,6 +176,9 @@ while getopts :n:m:v:A:R:K:S:F:Z:p:a:k:L:C:B:E:H:G:T:W:V:J:N:D:O:P:xyzldjh optna
 F) #security beats_system user pwd
 USER_BEATS_PWD="${OPTARG}"
 ;;
+ M) #security apm_system user pwd
+ USER_APM_PWD="${OPTARG}"
+ ;;
 B) #bootstrap password
 BOOTSTRAP_PASSWORD="${OPTARG}"
 ;;
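Review bot: `USER_APM_PWD="changeme"` and `USER_REMOTE_MONITORING_PWD="changeme"` give the two new built-in accounts a well-known fallback password: if the caller omits `-M` or `-R`, the install goes on to set that value on the cluster (see the apm_system and remote_monitoring_user updates further down in this patch). Defaulting to empty and refusing to continue, e.g. `USER_APM_PWD=""` plus `[[ -n "$USER_APM_PWD" ]] || { log "apm_system password not supplied"; exit 10; }` just before the update, would make a missing argument fail the deployment instead of leaving a guessable credential. The existing defaults in this block follow the same pattern, so this may be better handled for all of them together; whether the template always passes both options is not visible in this hunk.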
@@ -258,19 +267,24 @@ done
 # Parameter state changes
 #########################
+# zen2 should emit the ports from hosts
+if dpkg --compare-versions "$ES_VERSION" "ge" "7.0.0"; then
+ UNICAST_HOST_PORT=""
+fi
+
 if [ ${CLUSTER_USES_DEDICATED_MASTERS} -ne 0 ]; then
 MINIMUM_MASTER_NODES=2
- UNICAST_HOSTS='["'"$NAMESPACE_PREFIX"'master-0:9300","'"$NAMESPACE_PREFIX"'master-1:9300","'"$NAMESPACE_PREFIX"'master-2:9300"]'
+ UNICAST_HOSTS='["'"$NAMESPACE_PREFIX"'master-0'"$UNICAST_HOST_PORT"'","'"$NAMESPACE_PREFIX"'master-1'"$UNICAST_HOST_PORT"'","'"$NAMESPACE_PREFIX"'master-2'"$UNICAST_HOST_PORT"'"]'
 else
 MINIMUM_MASTER_NODES=$(((DATANODE_COUNT/2)+1))
 UNICAST_HOSTS='['
 for i in $(seq 0 $((DATANODE_COUNT-1))); do
- UNICAST_HOSTS="$UNICAST_HOSTS\"${NAMESPACE_PREFIX}data-$i:9300\","
+ UNICAST_HOSTS="$UNICAST_HOSTS\"${NAMESPACE_PREFIX}data-$i${UNICAST_HOST_PORT}\","
 done
 UNICAST_HOSTS="${UNICAST_HOSTS%?}]"
 fi
-if [[ "${ES_VERSION}" == \6* && ${INSTALL_XPACK} -ne 0 ]]; then
+if [[ $(dpkg --compare-versions "$ES_VERSION" "ge" "6.0.0"; echo $?) -eq 0 && ${INSTALL_XPACK} -ne 0 ]]; then
 log "using bootstrap password as the seed password"
 SEED_PASSWORD="$BOOTSTRAP_PASSWORD"
 fi
@@ -347,16 +361,21 @@ check_data_disk()
 fi
 }
-# Install Oracle Java
+# Install OpenJDK
 install_java()
 {
- bash java-install.sh
+ bash java-install.sh -v "$ES_VERSION"
 }
 # Install Elasticsearch
 install_es()
 {
- local PACKAGE="elasticsearch-$ES_VERSION.deb"
+ local OS_SUFFIX=""
+ if dpkg --compare-versions "$ES_VERSION" "ge" "7.0.0"; then
+ OS_SUFFIX="-amd64"
+ fi
+ local PACKAGE="elasticsearch-${ES_VERSION}${OS_SUFFIX}.deb"
+ local ALGORITHM="512"
 if dpkg --compare-versions "$ES_VERSION" "lt" "5.6.2"; then
 ALGORITHM="1"
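Review bot: The added comment `# zen2 should emit the ports from hosts` reads as the opposite of what the code does, which is to clear `UNICAST_HOST_PORT` for 7.0.0 and later; `# zen2 discovery (7.0.0+): omit the transport port from the seed hosts` matches the behaviour and the commit message. In the same hunk the seed-password test wraps the version check in `$(...; echo $?) -eq 0`; `if dpkg --compare-versions "$ES_VERSION" "ge" "6.0.0" && [[ ${INSTALL_XPACK} -ne 0 ]]; then` says the same thing in the form the rest of the patch uses.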
@@ -425,6 +444,12 @@ install_repository_azure_plugin()
 install_additional_plugins()
 {
 SKIP_PLUGINS="license shield watcher marvel-agent graph cloud-azure x-pack repository-azure"
+
+ if dpkg --compare-versions "$ES_VERSION" "ge" "6.7.0"; then
+ # plugins are bundled in the distribution
+ SKIP_PLUGINS+=" ingest-geoip ingest-user-agent"
+ fi
+
 log "[install_additional_plugins] Installing additional plugins"
 for PLUGIN in $(echo $INSTALL_ADDITIONAL_PLUGINS | tr ";" "\n")
 do
@@ -446,21 +471,27 @@ install_additional_plugins()
 node_is_up()
 {
- curl --output /dev/null --silent --head --fail $PROTOCOL://localhost:9200 -u elastic:$1 -H 'Content-Type: application/json' $CURL_SWITCH
+ curl --output /dev/null --silent --head --fail $PROTOCOL://localhost:9200 -u "elastic:$1" -H 'Content-Type: application/json' $CURL_SWITCH
 return $?
 }
 elastic_user_exists()
 {
- local USER_TYPENAME curl_error_code http_code
+ local ELASTIC_USER_NAME USER_TYPENAME curl_error_code http_code
 if [[ "${ES_VERSION}" == \5* ]]; then
 USER_TYPENAME="reserved-user"
- else
+ ELASTIC_USER_NAME="elastic"
+ elif [[ "${ES_VERSION}" == \6* ]]; then
 USER_TYPENAME="doc"
+ ELASTIC_USER_NAME="reserved-user-elastic"
+ else
+ # 7.x +
+ USER_TYPENAME="_doc"
+ ELASTIC_USER_NAME="reserved-user-elastic"
 fi
 exec 17>&1
- http_code=$(curl -H 'Content-Type: application/json' --write-out '\n%{http_code}\n' $PROTOCOL://localhost:9200/.security/$USER_TYPENAME/elastic -u elastic:$1 $CURL_SWITCH | tee /dev/fd/17 | tail -n 1)
+ http_code=$(curl -H 'Content-Type: application/json' --write-out '\n%{http_code}\n' $PROTOCOL://localhost:9200/.security/$USER_TYPENAME/$ELASTIC_USER_NAME -u "elastic:$1" $CURL_SWITCH | tee /dev/fd/17 | tail -n 1)
 curl_error_code=$?
 exec 17>&-
 if [ $http_code -eq 200 ]; then
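Review bot: The password still travels on curl's command line in `-u "elastic:$1"` (node_is_up and elastic_user_exists), where it can be visible to other local processes while the request runs; the added quoting only fixes word splitting. Supplying the credential through a curl config read from stdin or from a mode-0600 file (`-K`) keeps it out of argv. In elastic_user_exists the response body is also copied to stdout by `tee /dev/fd/17`; that document presumably holds the stored hash for the elastic user, so it is worth checking that this output does not end up in a deployment log. The body of elastic_user_exists continues past the end of the hunk.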
@@ -524,8 +555,15 @@ apply_security_settings()
 else
 log "[apply_security_settings] start updating roles and users"
- local XPACK_USER_ENDPOINT="$PROTOCOL://localhost:9200/_xpack/security/user"
- local XPACK_ROLE_ENDPOINT="$PROTOCOL://localhost:9200/_xpack/security/role"
+ local XPACK_SECURITY_PATH
+ if dpkg --compare-versions "$ES_VERSION" "ge" "7.0.0"; then
+ XPACK_SECURITY_PATH="_security"
+ else
+ XPACK_SECURITY_PATH="_xpack/security"
+ fi
+
+ local XPACK_USER_ENDPOINT="$PROTOCOL://localhost:9200/$XPACK_SECURITY_PATH/user"
+ local XPACK_ROLE_ENDPOINT="$PROTOCOL://localhost:9200/$XPACK_SECURITY_PATH/role"
 #update builtin `elastic` account.
 local ADMIN_JSON=$(printf '{"password":"%s"}\n' $USER_ADMIN_PWD)
@@ -569,32 +607,26 @@ apply_security_settings() log "[apply_security_settings] updated built-in beats_system user password" fi - #create a readonly role that mimics the `user` role in the old shield plugin - curl_ignore_409 -XPOST -u "elastic:$USER_ADMIN_PWD" "$XPACK_ROLE_ENDPOINT/user" -d' - { - "cluster": [ "monitor" ], - "indices": [ - { - "names": [ "*" ], - "privileges": [ "read", "monitor", "view_index_metadata" ] - } - ] - }' - if [[ $? != 0 ]]; then - log "[apply_security_settings] could not create user role" - exit 10 - fi - log "[apply_security_settings] added user role" - - # add `es_read` user with the newly created `user` role - local USER_JSON=$(printf '{"password":"%s","roles":["user"]}\n' $USER_READ_PWD) - echo $USER_JSON | curl_ignore_409 -XPOST -u "elastic:$USER_ADMIN_PWD" "$XPACK_USER_ENDPOINT/es_read" -d @- - if [[ $? != 0 ]]; then - log "[apply_security_settings] could not add es_read" - exit 10 - fi - log "[apply_security_settings] added es_read account" - log "[apply_security_settings] updated roles and users" + + if dpkg --compare-versions "$ES_VERSION" "ge" "6.5.0"; then + #update builtin `apm_system` account for Elasticsearch 6.5.0+ + local APM_JSON=$(printf '{"password":"%s"}\n' $USER_APM_PWD) + echo $APM_JSON | curl_ignore_409 -XPUT -u "elastic:$USER_ADMIN_PWD" "$XPACK_USER_ENDPOINT/apm_system/_password" -d @- + if [[ $? != 0 ]]; then + log "[apply_security_settings] could not update the built-in apm_system user" + exit 10 + fi + log "[apply_security_settings] updated built-in apm_system user password" + + #update builtin `remote_monitoring_user` account for Elasticsearch 6.5.0+ + local REMOTE_MONITORING_JSON=$(printf '{"password":"%s"}\n' $USER_REMOTE_MONITORING_PWD) + echo $REMOTE_MONITORING_JSON | curl_ignore_409 -XPUT -u "elastic:$USER_ADMIN_PWD" "$XPACK_USER_ENDPOINT/remote_monitoring_user/_password" -d @- + if [[ $? 
!= 0 ]]; then + log "[apply_security_settings] could not update the built-in remote_monitoring_user user" + exit 10 + fi + log "[apply_security_settings] updated built-in remote_monitoring_user user password" + fi fi } @@ -712,7 +744,7 @@ configure_http_tls() log "[configure_http_tls] configuring SSL/TLS for HTTP layer" echo "xpack.security.http.ssl.enabled: true" >> $ES_CONF - if [[ "${ES_VERSION}" == \6* ]]; then + if dpkg --compare-versions "$ES_VERSION" "ge" "6.0.0"; then if [[ -f $HTTP_CERT_PATH ]]; then # dealing with PKCS#12 archive echo "xpack.security.http.ssl.keystore.path: $HTTP_CERT_PATH" >> $ES_CONF @@ -865,7 +897,7 @@ configure_transport_tls() log "[configure_transport_tls] configuring SSL/TLS for Transport layer" echo "xpack.security.transport.ssl.enabled: true" >> $ES_CONF - if [[ "${ES_VERSION}" == \6* ]]; then + if dpkg --compare-versions "$ES_VERSION" "ge" "6.0.0"; then if [[ -f $TRANSPORT_CERT_PATH ]]; then echo "xpack.security.transport.ssl.keystore.path: $TRANSPORT_CERT_PATH" >> $ES_CONF echo "xpack.security.transport.ssl.truststore.path: $TRANSPORT_CERT_PATH" >> $ES_CONF 
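Review bot: The two new password updates in `apply_security_settings` expand `$USER_APM_PWD`, `$USER_REMOTE_MONITORING_PWD` and the resulting JSON unquoted, so a password containing whitespace or glob characters is split or expanded before it reaches Elasticsearch, and the request either fails or sets a different password than the one supplied. Quote both steps, e.g. `APM_JSON=$(printf '{"password":"%s"}\n' "$USER_APM_PWD")` and `printf '%s\n' "$APM_JSON" | curl_ignore_409 …`, and do the same for `REMOTE_MONITORING_JSON`. A `"` or `\` in the password still yields invalid JSON, so the value needs escaping too; whether the template restricts those characters is not visible here. The existing `ADMIN_JSON` line in the hunk at -524 follows the same pattern, and the function starts outside this hunk.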
@@ -959,8 +991,15 @@ configure_elasticsearch_yaml() echo "path.data: $DATAPATH_CONFIG" >> $ES_CONF # Configure discovery - log "[configure_elasticsearch_yaml] update configuration with hosts configuration of $UNICAST_HOSTS" - echo "discovery.zen.ping.unicast.hosts: $UNICAST_HOSTS" >> $ES_CONF + if dpkg --compare-versions "$ES_VERSION" "lt" "7.0.0"; then + log "[configure_elasticsearch_yaml] update configuration with discovery.zen.ping.unicast.hosts set to $UNICAST_HOSTS" + echo "discovery.zen.ping.unicast.hosts: $UNICAST_HOSTS" >> $ES_CONF + echo "discovery.zen.minimum_master_nodes: $MINIMUM_MASTER_NODES" >> $ES_CONF + else + log "[configure_elasticsearch_yaml] update configuration with discovery.seed_hosts and cluster.initial_master_nodes set to $UNICAST_HOSTS" + echo "discovery.seed_hosts: $UNICAST_HOSTS" >> $ES_CONF + echo "cluster.initial_master_nodes: $UNICAST_HOSTS" >> $ES_CONF + fi # Configure Elasticsearch node type log "[configure_elasticsearch_yaml] configure master/client/data node type flags only master-$MASTER_ONLY_NODE only data-$DATA_ONLY_NODE" @@ -981,8 +1020,7 @@ configure_elasticsearch_yaml() echo "node.master: true" >> $ES_CONF echo "node.data: true" >> $ES_CONF fi - - echo "discovery.zen.minimum_master_nodes: $MINIMUM_MASTER_NODES" >> $ES_CONF + echo "network.host: [_site_, _local_]" >> $ES_CONF echo "node.max_local_storage_nodes: 1" >> $ES_CONF @@ -996,7 +1034,7 @@ configure_elasticsearch_yaml() # Configure Azure Cloud plugin if [[ -n "$STORAGE_ACCOUNT" && -n "$STORAGE_KEY" && -n "$STORAGE_SUFFIX" ]]; then - if [[ "${ES_VERSION}" == \6* ]]; then + if dpkg --compare-versions "$ES_VERSION" "ge" "6.0.0"; then log "[configure_elasticsearch_yaml] configure storage for repository-azure plugin in keystore" create_keystore_if_not_exists echo "$STORAGE_ACCOUNT" | /usr/share/elasticsearch/bin/elasticsearch-keystore add azure.client.default.account -xf 
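Review bot: In the 7.x branch of `configure_elasticsearch_yaml`, `cluster.initial_master_nodes` is written on every node regardless of role and stays in elasticsearch.yml after the first start. The setting is meant only for the initial bootstrap on master-eligible nodes, and Elastic's guidance is to remove it once the cluster has formed, since a node that restarts with it and an empty data path can bootstrap a separate cluster. Consider writing it only for master-eligible nodes (the node-type flags are handled a few lines below in this function) and adding a comment such as `# bootstrap only: remove after the cluster has formed`. It is also worth confirming that the entries in `$UNICAST_HOSTS` match what each master reports as its `node.name`, which this hunk does not show.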
@@ -1024,6 +1062,7 @@ configure_elasticsearch_yaml() local SKIP_LINES="cluster.name node.name path.data discovery.zen.ping.unicast.hosts " SKIP_LINES+="node.master node.data discovery.zen.minimum_master_nodes network.host " + SKIP_LINES+="discovery.seed_hosts cluster.initial_master_nodes " SKIP_LINES+="discovery.zen.ping.multicast.enabled marvel.agent.enabled " SKIP_LINES+="node.max_local_storage_nodes plugin.mandatory cloud.azure.storage.default.account " SKIP_LINES+="cloud.azure.storage.default.key azure.client.default.endpoint_suffix xpack.security.authc " @@ -1071,7 +1110,7 @@ configure_elasticsearch_yaml() fi # Configure SAML realm only for valid versions of Elasticsearch and if the conditions are met - if [[ $(dpkg --compare-versions "$ES_VERSION" "ge" "6.2.0") -eq 0 && -n "$SAML_METADATA_URI" && -n "$SAML_SP_URI" && ( -n "$HTTP_CERT" || -n "$HTTP_CACERT" ) && ${INSTALL_XPACK} -ne 0 ]]; then + if [[ $(dpkg --compare-versions "$ES_VERSION" "ge" "6.2.0"; echo $?) -eq 0 && -n "$SAML_METADATA_URI" && -n "$SAML_SP_URI" && ( -n "$HTTP_CERT" || -n "$HTTP_CACERT" ) && ${INSTALL_XPACK} -ne 0 ]]; then log "[configure_elasticsearch_yaml] configuring SAML realm named 'saml_aad' for $SAML_SP_URI" [ -d /etc/elasticsearch/saml ] || mkdir -p /etc/elasticsearch/saml wget --retry-connrefused --waitretry=1 -q "$SAML_METADATA_URI" -O /etc/elasticsearch/saml/metadata.xml 
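Review bot: The SAML block guarded by this condition downloads `$SAML_METADATA_URI` with wget and uses the file as the realm's IdP metadata, and nothing in the hunk requires the URI to be `https://`. That file is the trust anchor for SAML logins, so a plain-http or failed fetch should stop the realm from being configured; adding `"$SAML_METADATA_URI" == https://*` to the condition and checking wget's exit status would cover it (a status check may already exist in the lines just after the hunk). On style, the `$(dpkg --compare-versions …; echo $?) -eq 0` term can be written as `if dpkg --compare-versions "$ES_VERSION" "ge" "6.2.0" && [[ … ]]; then`, matching the other version checks in this commit.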
@@ -1081,8 +1120,13 @@ configure_elasticsearch_yaml() local IDP_ENTITY_ID="$(grep -oP '\sentityID="(.*?)"\s' /etc/elasticsearch/saml/metadata.xml | sed 's/^.*"\(.*\)".*/\1/')" { echo -e "" - echo -e "xpack.security.authc.realms.saml_aad:" - echo -e " type: saml" + # include the realm type in the setting name in 7.x + + if dpkg --compare-versions "$ES_VERSION" "lt" "7.0.0"; then + echo -e "xpack.security.authc.realms.saml_aad:" + echo -e " type: saml" + else + echo -e "xpack.security.authc.realms.saml.saml_aad:" + fi echo -e " order: 2" echo -e " idp.metadata.path: /etc/elasticsearch/saml/metadata.xml" echo -e " idp.entity_id: \"$IDP_ENTITY_ID\"" @@ -1240,8 +1284,8 @@ setup_data_disk if [ ${INSTALL_XPACK} -ne 0 ]; then install_xpack - # in 6.x we need to set up the bootstrap.password in the keystore to use when setting up users - if [[ "${ES_VERSION}" == \6* ]]; then + # in 6.x + we need to set up the bootstrap.password in the keystore to use when setting up users + if dpkg --compare-versions "$ES_VERSION" "ge" "6.0.0"; then setup_bootstrap_password fi fi diff --git a/src/scripts/java-install.sh b/src/scripts/java-install.sh index 32dabb36..f10dca2d 100644 --- a/src/scripts/java-install.sh +++ b/src/scripts/java-install.sh @@ -29,9 +29,14 @@ log() # Parameter handling ######################### -while getopts h optname; do +ES_VERSION="" + +while getopts :v:h optname; do log "Option $optname set with value ${OPTARG}" case ${optname} in + v) #elasticsearch version number + ES_VERSION="${OPTARG}" + ;; h) #show help help exit 2 
@@ -46,13 +51,19 @@ done install_java() { - log "updating apt-get" - (apt-get -y update || (sleep 15; apt-get -y update)) > /dev/null - log "updated apt-get" log "installing java" (apt-get -yq install openjdk-8-jdk || (sleep 15; apt-get -yq install openjdk-8-jdk)) command -v java >/dev/null 2>&1 || { log "java did not get installed" >&2; exit 50; } log "installed java" } -install_java +log "updating apt-get" +(apt-get -y update || (sleep 15; apt-get -y update)) > /dev/null +log "updated apt-get" + +# Only install Java if not bundled with Elasticsearch +if [[ -z "$ES_VERSION" || $(dpkg --compare-versions "$ES_VERSION" "lt" "7.0.0"; echo $?) -eq 0 ]]; then + install_java +else + log "not installing java, using JDK bundled with distribution" +fi \ No newline at end of file diff --git a/src/scripts/kibana-install.sh b/src/scripts/kibana-install.sh index 0338e718..178329e2 100644 --- a/src/scripts/kibana-install.sh +++ b/src/scripts/kibana-install.sh @@ -204,7 +204,12 @@ configure_kibana_yaml() log "[configure_kibana_yaml] Configuring kibana.yml" # set the elasticsearch URL - echo "elasticsearch.url: \"$ELASTICSEARCH_URL\"" >> $KIBANA_CONF + if dpkg --compare-versions "$KIBANA_VERSION" "lt" "7.0.0"; then + echo "elasticsearch.url: \"$ELASTICSEARCH_URL\"" >> $KIBANA_CONF + else + echo "elasticsearch.hosts: [\"$ELASTICSEARCH_URL\"]" >> $KIBANA_CONF + fi + echo "server.host:" $(hostname -I) >> $KIBANA_CONF # specify kibana log location echo "logging.dest: /var/log/kibana.log" >> $KIBANA_CONF 
@@ -302,7 +307,7 @@ configure_kibana_yaml() if [[ -n "$SAML_SP_URI" && ${INSTALL_XPACK} -ne 0 ]]; then log "[configure_kibana_yaml] Configuring Kibana for SAML Single-Sign-On" # Allow both saml and basic realms - echo "xpack.security.authProviders: [ saml,basic ]" >> $KIBANA_CONF + echo "xpack.security.authProviders: [ saml, basic ]" >> $KIBANA_CONF echo "server.xsrf.whitelist: [ /api/security/v1/saml ]" >> $KIBANA_CONF local PROTOCOL="`echo $SAML_SP_URI | grep '://' | sed -e's,^\(.*://\).*,\1,g'`" diff --git a/src/scripts/logstash-install.sh b/src/scripts/logstash-install.sh index 38f4b723..fef20555 100644 --- a/src/scripts/logstash-install.sh +++ b/src/scripts/logstash-install.sh @@ -287,14 +287,22 @@ configure_logstash_yaml() log "[configure_logstash_yaml] installed x-pack plugin" fi - echo 'xpack.monitoring.elasticsearch.url: "${ELASTICSEARCH_URL}"' >> $LOGSTASH_CONF + if dpkg --compare-versions "$LOGSTASH_VERSION" "lt" "7.0.0"; then + echo 'xpack.monitoring.elasticsearch.url: "${ELASTICSEARCH_URL}"' >> $LOGSTASH_CONF + else + echo 'xpack.monitoring.elasticsearch.hosts: ["${ELASTICSEARCH_URL}"]' >> $LOGSTASH_CONF + fi # assumes Security is enabled, so configure monitoring credentials echo "xpack.monitoring.elasticsearch.username: logstash_system" >> $LOGSTASH_CONF echo 'xpack.monitoring.elasticsearch.password: "${LOGSTASH_SYSTEM_PASSWORD}"' >> $LOGSTASH_CONF elif [[ $XPACK_BUNDLED -eq 0 ]]; then # configure monitoring for basic - echo 'xpack.monitoring.elasticsearch.url: "${ELASTICSEARCH_URL}"' >> $LOGSTASH_CONF + if dpkg --compare-versions "$LOGSTASH_VERSION" "lt" "7.0.0"; then + echo 'xpack.monitoring.elasticsearch.url: "${ELASTICSEARCH_URL}"' >> $LOGSTASH_CONF + else + echo 'xpack.monitoring.elasticsearch.hosts: ["${ELASTICSEARCH_URL}"]' >> $LOGSTASH_CONF + fi fi local MONITORING='true' 
@@ -325,7 +333,11 @@ configure_logstash_yaml() # which will not work for a HTTP cert provided by the user, where logstash communicates through internal loadbalancer. # 6.4.0 exposes verification_mode, so set this to none and document. if dpkg --compare-versions "$LOGSTASH_VERSION" "ge" "6.4.0"; then - echo 'xpack.monitoring.elasticsearch.ssl.ca: "${ELASTICSEARCH_CACERT}"' >> $LOGSTASH_CONF + if dpkg --compare-versions "$LOGSTASH_VERSION" "lt" "7.0.0"; then + echo 'xpack.monitoring.elasticsearch.ssl.ca: "${ELASTICSEARCH_CACERT}"' >> $LOGSTASH_CONF + else + echo 'xpack.monitoring.elasticsearch.ssl.certificate_authority: "${ELASTICSEARCH_CACERT}"' >> $LOGSTASH_CONF + fi echo 'xpack.monitoring.elasticsearch.ssl.verification_mode: none' >> $LOGSTASH_CONF MONITORING='true' fi @@ -348,7 +360,11 @@ configure_logstash_yaml() # HTTP certs created from a HTTP CA provided by the user will include the # IP address of the internal loadbalancer, so hostname verification will pass. - echo 'xpack.monitoring.elasticsearch.ssl.ca: "${ELASTICSEARCH_CACERT}"' >> $LOGSTASH_CONF + if dpkg --compare-versions "$LOGSTASH_VERSION" "lt" "7.0.0"; then + echo 'xpack.monitoring.elasticsearch.ssl.ca: "${ELASTICSEARCH_CACERT}"' >> $LOGSTASH_CONF + else + echo 'xpack.monitoring.elasticsearch.ssl.certificate_authority: "${ELASTICSEARCH_CACERT}"' >> $LOGSTASH_CONF + fi MONITORING='true' fi fi 
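Review bot: In the 6.4.0+ branch the new `ssl.certificate_authority` line is still followed by `xpack.monitoring.elasticsearch.ssl.verification_mode: none`, so on 7.x the CA is written but, as I read it, the server certificate is not verified and the `logstash_system` credentials go to whatever answers on `${ELASTICSEARCH_URL}`. The existing comment explains the hostname mismatch behind this; I would extend it to state the consequence, e.g. `# verification_mode none: CA is configured but not enforced; monitoring traffic is encrypted, not authenticated`. The second hunk (-348) shows the alternative, where HTTP certificates include the load balancer IP and verification can stay on. The enclosing block starts outside the hunk.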
@@ -369,9 +385,10 @@ configure_logstash_yaml() if [[ -n "$YAML_CONFIGURATION" ]]; then log "[configure_logstash] include additional yaml configuration" - local SKIP_LINES="node.name path.data path.logs " + local SKIP_LINES="node.name path.data path.logs xpack.monitoring.elasticsearch.url xpack.monitoring.elasticsearch.hosts " SKIP_LINES+="xpack.monitoring.elasticsearch.username xpack.monitoring.elasticsearch.password " - SKIP_LINES+="xpack.monitoring.enabled xpack.monitoring.elasticsearch.ssl.ca xpack.monitoring.elasticsearch.ssl.verification_mode " + SKIP_LINES+="xpack.monitoring.enabled xpack.monitoring.elasticsearch.ssl.ca xpack.monitoring.elasticsearch.ssl.certificate_authority " + SKIP_LINES+="xpack.monitoring.elasticsearch.ssl.verification_mode " local SKIP_REGEX="^\s*("$(echo $SKIP_LINES | tr " " "|" | sed 's/\./\\\./g')")" IFS=$'\n' for LINE in $(echo -e "$YAML_CONFIGURATION"); do diff --git a/src/settings/ubuntuSettings.json b/src/settings/ubuntuSettings.json index 6a3a82a2..7eaeafdc 100644 --- a/src/settings/ubuntuSettings.json +++ b/src/settings/ubuntuSettings.json 
@@ -93,7 +93,7 @@ }, "installPluginsShortOpt": "[variables('installPluginsShortOpts')[parameters('esSettings').installPlugins]]", "commonShortOpts": "[concat(variables('dedicatedMasterNodesShortOpt'), variables('installPluginsShortOpt'), variables('installAzureCloudPluginShortOpt'), 'n ')]", - "commonInstallParams": "[concat(variables('quote'), parameters('esSettings').clusterName, variables('quote'), ' -v ', variables('quote'), parameters('esSettings').version, variables('quote'), ' -m ', parameters('esSettings').heapSize,' -A ', variables('quote'), replace(parameters('esSettings').securityAdminPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -R ', variables('quote'), replace(parameters('esSettings').securityReadPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -K ', variables('quote'), replace(parameters('esSettings').securityKibanaPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -S ', variables('quote'), replace(parameters('esSettings').securityLogstashPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -F ', variables('quote'), replace(parameters('esSettings').securityBeatsPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -B ', variables('quote'), replace(parameters('esSettings').securityBootstrapPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -Z ', parameters('topologySettings').vmDataNodeCount,' -p ', variables('quote'), variables('namespacePrefix'), variables('quote'), ' -a ', variables('quote'), variables('azureCloudStorageName'), variables('quote'), ' -k ', variables('quote'), variables('azureCloudStorageKey'), variables('quote'), ' -E ', variables('quote'), variables('azureCloudStorageSuffix'), variables('quote'), ' -L ', variables('quote'), parameters('esSettings').installAdditionalPlugins, variables('quote'), ' -C ', variables('quote'), replace(replace(parameters('esSettings').yamlConfiguration, 
variables('quote'), variables('escapedQuote')), concat(variables('backslash'), variables('doublequote')), variables('doublequote')), variables('quote'), ' -D ', variables('quote'), parameters('topologySettings').vNetLoadBalancerIp, variables('quote'), ' -H ', variables('quote'), parameters('esSettings').httpCertBlob,variables('quote'), ' -G ', variables('quote'), replace(parameters('esSettings').httpCertPassword, variables('quote'), variables('escapedQuote')), variables('quote'), ' -V ', variables('quote'), parameters('esSettings').httpCaCertBlob, variables('quote'), ' -J ', variables('quote'), replace(parameters('esSettings').httpCaCertPassword, variables('quote'), variables('escapedQuote')), variables('quote'), ' -T ', variables('quote'), parameters('esSettings').transportCaCertBlob, variables('quote'), ' -W ', variables('quote'), replace(parameters('esSettings').transportCaCertPassword, variables('quote'), variables('escapedQuote')), variables('quote'), ' -N ', variables('quote'), replace(parameters('esSettings').transportCertPassword, variables('quote'), variables('escapedQuote')), variables('quote'), ' -O ', variables('quote'), parameters('esSettings').samlMetadataUri, variables('quote'), ' -P ', variables('quote'), variables('kibanaDomainName'), variables('quote'))]", + "commonInstallParams": "[concat(variables('quote'), parameters('esSettings').clusterName, variables('quote'), ' -v ', variables('quote'), parameters('esSettings').version, variables('quote'), ' -m ', parameters('esSettings').heapSize, ' -A ', variables('quote'), replace(parameters('esSettings').securityAdminPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -R ', variables('quote'), replace(parameters('esSettings').securityRemoteMonitoringPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -K ', variables('quote'), replace(parameters('esSettings').securityKibanaPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -S ', 
variables('quote'), replace(parameters('esSettings').securityLogstashPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -F ', variables('quote'), replace(parameters('esSettings').securityBeatsPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -M ', variables('quote'), replace(parameters('esSettings').securityApmPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -B ', variables('quote'), replace(parameters('esSettings').securityBootstrapPwd, variables('quote'), variables('escapedQuote')), variables('quote'), ' -Z ', parameters('topologySettings').vmDataNodeCount,' -p ', variables('quote'), variables('namespacePrefix'), variables('quote'), ' -a ', variables('quote'), variables('azureCloudStorageName'), variables('quote'), ' -k ', variables('quote'), variables('azureCloudStorageKey'), variables('quote'), ' -E ', variables('quote'), variables('azureCloudStorageSuffix'), variables('quote'), ' -L ', variables('quote'), parameters('esSettings').installAdditionalPlugins, variables('quote'), ' -C ', variables('quote'), replace(replace(parameters('esSettings').yamlConfiguration, variables('quote'), variables('escapedQuote')), concat(variables('backslash'), variables('doublequote')), variables('doublequote')), variables('quote'), ' -D ', variables('quote'), parameters('topologySettings').vNetLoadBalancerIp, variables('quote'), ' -H ', variables('quote'), parameters('esSettings').httpCertBlob,variables('quote'), ' -G ', variables('quote'), replace(parameters('esSettings').httpCertPassword, variables('quote'), variables('escapedQuote')), variables('quote'), ' -V ', variables('quote'), parameters('esSettings').httpCaCertBlob, variables('quote'), ' -J ', variables('quote'), replace(parameters('esSettings').httpCaCertPassword, variables('quote'), variables('escapedQuote')), variables('quote'), ' -T ', variables('quote'), parameters('esSettings').transportCaCertBlob, variables('quote'), ' -W ', 
variables('quote'), replace(parameters('esSettings').transportCaCertPassword, variables('quote'), variables('escapedQuote')), variables('quote'), ' -N ', variables('quote'), replace(parameters('esSettings').transportCertPassword, variables('quote'), variables('escapedQuote')), variables('quote'), ' -O ', variables('quote'), parameters('esSettings').samlMetadataUri, variables('quote'), ' -P ', variables('quote'), variables('kibanaDomainName'), variables('quote'))]", "ubuntuScripts": [ "[concat(parameters('templateBaseUrl'), 'scripts/elasticsearch-install.sh')]", "[concat(parameters('templateBaseUrl'), 'scripts/kibana-install.sh')]",
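Review bot: `commonInstallParams` now carries two more secrets, `securityApmPwd` (`-M`) and `securityRemoteMonitoringPwd` (`-R`), as command-line arguments to the install script. Arguments are readable from the process table while the script runs and tend to be captured in extension logs; where this string is consumed is outside the hunk, so confirm it only ever ends up in protected settings. `-R` also changes meaning from the read-only user's password to the remote monitoring password, so the `getopts` handling in elasticsearch-install.sh has to change in the same release, and that part of the script is not in view. Parameters such as `samlMetadataUri` and `installAdditionalPlugins` are wrapped in quotes without the `replace(…, variables('quote'), variables('escapedQuote'))` that the passwords get, which looks like an inconsistency worth checking.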