diff options
author | Jason DeTiberus <detiber@gmail.com> | 2016-05-02 16:02:49 -0400 |
---|---|---|
committer | Jason DeTiberus <detiber@gmail.com> | 2016-05-02 16:02:49 -0400 |
commit | c7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3 (patch) | |
tree | 3d14e2f9da936a845fa33ddcba08b64c170759e6 | |
parent | 2b3943ce16ca421cf96008cfc7e5c86e9983a932 (diff) | |
parent | 404cf230da83f91a5dd9df1f289da2c6c1b7fee7 (diff) | |
download | openshift-c7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3.tar.gz openshift-c7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3.tar.bz2 openshift-c7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3.tar.xz openshift-c7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3.zip |
Merge pull request #1854 from abutcher/v2-iptables-overrides
V2 iptables overrides
-rw-r--r-- | roles/cockpit/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/etcd/defaults/main.yaml | 1 | ||||
-rw-r--r-- | roles/haproxy/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/openshift_common/vars/main.yml | 7 | ||||
-rw-r--r-- | roles/openshift_storage_nfs/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/os_firewall/defaults/main.yml | 6 | ||||
-rw-r--r-- | roles/os_firewall/tasks/firewall/firewalld.yml | 12 | ||||
-rw-r--r-- | roles/os_firewall/tasks/firewall/iptables.yml | 18 |
8 files changed, 35 insertions, 12 deletions
diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml index ffd55f1dd..9cf665841 100644 --- a/roles/cockpit/defaults/main.yml +++ b/roles/cockpit/defaults/main.yml @@ -1,5 +1,4 @@ --- -os_firewall_use_firewalld: false os_firewall_allow: - service: cockpit-ws port: 9090/tcp diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml index a2212bacd..1cb055816 100644 --- a/roles/etcd/defaults/main.yaml +++ b/roles/etcd/defaults/main.yaml @@ -15,7 +15,6 @@ etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_p etcd_data_dir: /var/lib/etcd/ -os_firewall_use_firewalld: False os_firewall_allow: - service: etcd port: "{{etcd_client_port}}/tcp" diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml index 937d94209..a1524cfe1 100644 --- a/roles/haproxy/defaults/main.yml +++ b/roles/haproxy/defaults/main.yml @@ -15,7 +15,6 @@ haproxy_backends: address: 127.0.0.1:9000 opts: check -os_firewall_use_firewalld: False os_firewall_allow: - service: haproxy stats port: "9000/tcp" diff --git a/roles/openshift_common/vars/main.yml b/roles/openshift_common/vars/main.yml deleted file mode 100644 index 50816d319..000000000 --- a/roles/openshift_common/vars/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# TODO: Upstream kubernetes only supports iptables currently, if this changes, -# then these variable should be moved to defaults -# TODO: it might be possible to still use firewalld if we wire up the created -# chains with the public zone (or the zone associated with the correct -# interfaces) -os_firewall_use_firewalld: False diff --git a/roles/openshift_storage_nfs/defaults/main.yml b/roles/openshift_storage_nfs/defaults/main.yml index 90592e9d0..df0bb9fd4 100644 --- a/roles/openshift_storage_nfs/defaults/main.yml +++ b/roles/openshift_storage_nfs/defaults/main.yml @@ -16,7 +16,6 @@ openshift: options: "*(rw,root_squash)" volume: name: "metrics" -os_firewall_use_firewalld: False os_firewall_allow: - service: nfs port: "2049/tcp" diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml index 20413d563..c870a301a 100644 --- a/roles/os_firewall/defaults/main.yml +++ b/roles/os_firewall/defaults/main.yml @@ -1,5 +1,9 @@ --- os_firewall_enabled: True -os_firewall_use_firewalld: True +# TODO: Upstream kubernetes only supports iptables currently +# TODO: it might be possible to still use firewalld if we wire up the created +# chains with the public zone (or the zone associated with the correct +# interfaces) +os_firewall_use_firewalld: False os_firewall_allow: [] os_firewall_deny: [] diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml index 241fa8823..5ddca1fc0 100644 --- a/roles/os_firewall/tasks/firewall/firewalld.yml +++ b/roles/os_firewall/tasks/firewall/firewalld.yml @@ -24,6 +24,18 @@ command: systemctl daemon-reload when: install_result | changed +- name: Determine if firewalld service masked + command: > + systemctl is-enabled firewalld + register: os_firewall_firewalld_masked_output + changed_when: false + failed_when: false + +- name: Unmask firewalld service + command: > + systemctl unmask firewalld + when: os_firewall_firewalld_masked_output.stdout == "masked" + - name: Start and enable firewalld service service: name: firewalld diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 070fe6a3a..774916798 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml @@ -32,6 +32,24 @@ command: systemctl daemon-reload when: install_result | changed +- name: Determine if iptables service masked + command: > + systemctl is-enabled {{ item }} + with_items: + - iptables + - ip6tables + register: os_firewall_iptables_masked_output + changed_when: false + failed_when: false + +- name: Unmask iptables service + command: > + systemctl unmask {{ item }} + with_items: + - iptables + - ip6tables + when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')" + - name: Start and enable iptables service service: name: iptables |