Elastic Rework

2025-12-21 16:33:08 +01:00 · 2018-10-10 17:02:18 -04:00
parent bf229f65e3
commit 2760012741
3 changed files with 68 additions and 12 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -3,6 +3,7 @@ base:
    - sensors.schedule
    - sensors.{{ grains.host }}
    - static
+    - firewall.*

  'G@role:so-master':
    - masters.schedule
@@ -14,3 +15,4 @@ base:
    - nodes.schedule
    - nodes.{{ grains.host }}
    - static
+    - firewall.*
--- a/salt/elasticsearch/files/elasticsearch.yml
+++ b/salt/elasticsearch/files/elasticsearch.yml
@@ -1,3 +1,4 @@
+{% if grains['role'] == 'so-master' %}
 {%- set esclustername = salt['pillar.get']('master:esclustername', '') %}
 cluster.name: "{{ esclustername }}"
 network.host: 0.0.0.0
@@ -8,3 +9,16 @@ network.host: 0.0.0.0
 discovery.zen.minimum_master_nodes: 1
 # This is a test -- if this is here, then the volume is mounted correctly.
 path.logs: /var/log/elasticsearch
+action.destructive_requires_name: true
+{%- else %}
+{%- set esclustername = salt['grains.get']('host', '') %}
+{%- set nodeip = salt['pillar.get']('node:mainip', '') -%}
+cluster.name: "{{ esclustername }}"
+network.host: 0.0.0.0
+discovery.zen.minimum_master_nodes: 1
+path.logs: /var/log/elasticsearch
+action.destructive_requires_name: true
+transport.bind_host: 0.0.0.0
+transport.publish_host: {{ nodeip }} 
+transport.publish_port: 9300
+{%- endif %}
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -63,18 +63,6 @@ iptables_log_input_drops:
    - jump: LOGGING
    - save: True

-# Set the policy to deny everything unless defined
-#enable_reject_policy:
-#  iptables.set_policy:
-#    - table: filter
-#    - chain: INPUT
-#    - policy: DROP
-#    - require:
-#      - iptables: iptables_allow_localhost
-#      - iptables: iptables_allow_established
-#      - iptables: iptables_allow_ssh
-#      - iptables: iptables_allow_pings
-
 # Enable global DOCKER-USER block rule
 enable_docker_user_fw_policy:
  iptables.insert:
@@ -291,6 +279,58 @@ enable_standard_analyst_5601_{{ip}}:
 {% endif %}

 # Rules if you are a Storage Node
+{% if grains['role'] == 'so-node' %}
+
+#This should be more granular
+iptables_allow_docker:
+  iptables.insert:
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - source: 172.17.0.0/24
+    - position: 1
+    - save: True
+
+enable_docker_ES_9200:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: 172.17.0.0/24
+    - dport: 9200
+    - position: 1
+    - save: True
+
+
+enable_docker_ES_9300:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: 172.17.0.0/24
+    - dport: 9300
+    - position: 1
+    - save: True
+
+
+{% for ip in pillar.get('masterfw')  %}
+
+enable_cluster_ES_9300_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 9300
+    - position: 1
+    - save: True
+
+
+{% endfor %}
+{% endif %}

 # Rules if you are a Sensor
 {% if grains['role'] == 'so-sensor' %}