Merge remote-tracking branch 'refs/remotes/origin/master'

roles/fluent-bit/defaults/main.yml

@@ -0,0 +1,34 @@
+fluent_bit_config:
+  service: '{{ fluent_bit_config_service }}'
+  pipeline: '{{ fluent_bit_pipeline }}'
+
+fluent_bit_config_service:
+  log_level: '{{ fluent_bit_log_level }}'
+
+fluent_bit_log_level: info
+
+fluent_bit_pipeline:
+  inputs: '{{ fluent_bit_inputs }}'
+  filters: '{{ fluent_bit_filters }}'
+  outputs: '{{ fluent_bit_outputs }}'
+
+fluent_bit_inputs: '{{ fluent_bit_default_inputs }}'
+
+fluent_bit_default_inputs:
+- '{{ fluent_bit_input_systemd }}'
+
+fluent_bit_input_systemd:
+  name: systemd
+  tag: host.*
+  db: /var/lib/fluent-bit/journal
+  lowercase: true
+  strip_underscores: true
+
+fluent_bit_filters: []
+
+fluent_bit_outputs:
+- '{{ fluent_bit_null_output }}'
+
+fluent_bit_null_output:
+  name: null
+  match: '*'

roles/fluent-bit/files/fluent-bit.service

@@ -0,0 +1,36 @@
+[Unit]
+Description=Fluent Bit
+Documentation=https://docs.fluentbit.io/manual/
+Requires=network.target
+After=network.target
+StartLimitIntervalSec=5
+StartLimitBurst=5
+
+[Service]
+Type=exec
+ExecStart=/usr/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.yml -Y
+ExecReload=/bin/kill -HUP $MAINPID
+StateDirectory=fluent-bit
+Restart=always
+RestartSec=1
+BindPaths=%S/fluent-bit
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadOnlyPaths=/var/log
+ReadWritePaths=%S/fluent-bit
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+TemporaryFileSystem=%S:ro
+
+[Install]
+WantedBy=multi-user.target

roles/fluent-bit/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: restart fluent-bit
+  service:
+    name: fluent-bit
+    state: restarted
+
+- name: reload fluent-bit
+  service:
+    name: fluent-bit
+    state: reloaded

roles/fluent-bit/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+- role: systemd-base

roles/fluent-bit/tasks/main.yml

@@ -0,0 +1,53 @@
+- name: ensure fluent-bit is installed
+  package:
+    name: fluent-bit
+    state: present
+  tags:
+  - install
+
+- name: ensure fluent-bit is configured
+  copy:
+    dest: /etc/fluent-bit/fluent-bit.yml
+    content: '{{ fluent_bit_config | to_nice_yaml(indent=2) }}'
+    owner: root
+    group: root
+    mode: u=rw,go=
+  notify:
+  - restart fluent-bit
+  tags:
+  - config
+
+# The default unit configuration for fluent-bit.service sucks.  It runs
+# as root without any kind of restrictions or sandboxing, forces the
+# "classic" configuration format (which is deprecated in favor of
+# YAML), and does not support hot reload.  It's very simple, so we can
+# replace it completely without too much worry about upstream changes.
+- name: ensure custom fluent-bit systemd service unit file is installed
+  copy:
+    src: fluent-bit.service
+    dest: /etc/systemd/system/fluent-bit.service
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart fluent-bit
+  tags:
+  - systemd
+
+- name: ensure fluent-bit starts at boot
+  service:
+    name: fluent-bit
+    enabled: true
+  tags:
+  - service
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure fluent-bit is running
+  service:
+    name: fluent-bit
+    state: started
+  tags:
+  - service