summaryrefslogtreecommitdiffstats
path: root/roles/docker/tasks
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2017-10-27 16:40:29 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2017-10-27 16:40:29 +0200
commit2392e7f9eefb6f849553cef41251235537dca3d8 (patch)
tree45ff1fb2ca8001d99f65c00af194582a308acf9e /roles/docker/tasks
parentb8f0cb1e8a1611bee28bdf65b841a908cc4da676 (diff)
downloadopenshift-2392e7f9eefb6f849553cef41251235537dca3d8.tar.gz
openshift-2392e7f9eefb6f849553cef41251235537dca3d8.tar.bz2
openshift-2392e7f9eefb6f849553cef41251235537dca3d8.tar.xz
openshift-2392e7f9eefb6f849553cef41251235537dca3d8.zip
cri-o: open port 10010
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'roles/docker/tasks')
-rw-r--r--roles/docker/tasks/crio_firewall.yml40
-rw-r--r--roles/docker/tasks/systemcontainer_crio.yml4
2 files changed, 44 insertions, 0 deletions
diff --git a/roles/docker/tasks/crio_firewall.yml b/roles/docker/tasks/crio_firewall.yml
new file mode 100644
index 000000000..fbd1ff515
--- /dev/null
+++ b/roles/docker/tasks/crio_firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_crio_firewall_enabled | bool and not r_crio_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_crio_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_crio_os_firewall_deny }}"
+
+- when: r_crio_firewall_enabled | bool and r_crio_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_crio_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_crio_os_firewall_deny }}"
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
index 13bbd359e..5c1211335 100644
--- a/roles/docker/tasks/systemcontainer_crio.yml
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -161,6 +161,10 @@
path: /etc/cni/net.d/
state: directory
+- name: setup firewall for CRI-O
+ include: crio_firewall.yml
+ static: yes
+
- name: Configure the CNI network
template:
dest: /etc/cni/net.d/openshift-sdn.conf