summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJason DeTiberus <detiber@gmail.com>2016-05-02 16:02:49 -0400
committerJason DeTiberus <detiber@gmail.com>2016-05-02 16:02:49 -0400
commitc7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3 (patch)
tree3d14e2f9da936a845fa33ddcba08b64c170759e6
parent2b3943ce16ca421cf96008cfc7e5c86e9983a932 (diff)
parent404cf230da83f91a5dd9df1f289da2c6c1b7fee7 (diff)
downloadopenshift-c7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3.tar.gz
openshift-c7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3.tar.bz2
openshift-c7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3.tar.xz
openshift-c7a7c48f6ffd0d3c2ed7f1cf46dedcfe8d4f3fc3.zip
Merge pull request #1854 from abutcher/v2-iptables-overrides
V2 iptables overrides
-rw-r--r--roles/cockpit/defaults/main.yml1
-rw-r--r--roles/etcd/defaults/main.yaml1
-rw-r--r--roles/haproxy/defaults/main.yml1
-rw-r--r--roles/openshift_common/vars/main.yml7
-rw-r--r--roles/openshift_storage_nfs/defaults/main.yml1
-rw-r--r--roles/os_firewall/defaults/main.yml6
-rw-r--r--roles/os_firewall/tasks/firewall/firewalld.yml12
-rw-r--r--roles/os_firewall/tasks/firewall/iptables.yml18
8 files changed, 35 insertions, 12 deletions
diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml
index ffd55f1dd..9cf665841 100644
--- a/roles/cockpit/defaults/main.yml
+++ b/roles/cockpit/defaults/main.yml
@@ -1,5 +1,4 @@
---
-os_firewall_use_firewalld: false
os_firewall_allow:
- service: cockpit-ws
port: 9090/tcp
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index a2212bacd..1cb055816 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -15,7 +15,6 @@ etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_p
etcd_data_dir: /var/lib/etcd/
-os_firewall_use_firewalld: False
os_firewall_allow:
- service: etcd
port: "{{etcd_client_port}}/tcp"
diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
index 937d94209..a1524cfe1 100644
--- a/roles/haproxy/defaults/main.yml
+++ b/roles/haproxy/defaults/main.yml
@@ -15,7 +15,6 @@ haproxy_backends:
address: 127.0.0.1:9000
opts: check
-os_firewall_use_firewalld: False
os_firewall_allow:
- service: haproxy stats
port: "9000/tcp"
diff --git a/roles/openshift_common/vars/main.yml b/roles/openshift_common/vars/main.yml
deleted file mode 100644
index 50816d319..000000000
--- a/roles/openshift_common/vars/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# TODO: Upstream kubernetes only supports iptables currently, if this changes,
-# then these variable should be moved to defaults
-# TODO: it might be possible to still use firewalld if we wire up the created
-# chains with the public zone (or the zone associated with the correct
-# interfaces)
-os_firewall_use_firewalld: False
diff --git a/roles/openshift_storage_nfs/defaults/main.yml b/roles/openshift_storage_nfs/defaults/main.yml
index 90592e9d0..df0bb9fd4 100644
--- a/roles/openshift_storage_nfs/defaults/main.yml
+++ b/roles/openshift_storage_nfs/defaults/main.yml
@@ -16,7 +16,6 @@ openshift:
options: "*(rw,root_squash)"
volume:
name: "metrics"
-os_firewall_use_firewalld: False
os_firewall_allow:
- service: nfs
port: "2049/tcp"
diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml
index 20413d563..c870a301a 100644
--- a/roles/os_firewall/defaults/main.yml
+++ b/roles/os_firewall/defaults/main.yml
@@ -1,5 +1,9 @@
---
os_firewall_enabled: True
-os_firewall_use_firewalld: True
+# TODO: Upstream kubernetes only supports iptables currently
+# TODO: it might be possible to still use firewalld if we wire up the created
+# chains with the public zone (or the zone associated with the correct
+# interfaces)
+os_firewall_use_firewalld: False
os_firewall_allow: []
os_firewall_deny: []
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
index 241fa8823..5ddca1fc0 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewall/firewalld.yml
@@ -24,6 +24,18 @@
command: systemctl daemon-reload
when: install_result | changed
+- name: Determine if firewalld service masked
+ command: >
+ systemctl is-enabled firewalld
+ register: os_firewall_firewalld_masked_output
+ changed_when: false
+ failed_when: false
+
+- name: Unmask firewalld service
+ command: >
+ systemctl unmask firewalld
+ when: os_firewall_firewalld_masked_output.stdout == "masked"
+
- name: Start and enable firewalld service
service:
name: firewalld
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
index 070fe6a3a..774916798 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/firewall/iptables.yml
@@ -32,6 +32,24 @@
command: systemctl daemon-reload
when: install_result | changed
+- name: Determine if iptables service masked
+ command: >
+ systemctl is-enabled {{ item }}
+ with_items:
+ - iptables
+ - ip6tables
+ register: os_firewall_iptables_masked_output
+ changed_when: false
+ failed_when: false
+
+- name: Unmask iptables service
+ command: >
+ systemctl unmask {{ item }}
+ with_items:
+ - iptables
+ - ip6tables
+ when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')"
+
- name: Start and enable iptables service
service:
name: iptables