summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--playbooks/provisioning/openstack/README.md20
-rw-r--r--playbooks/provisioning/openstack/galaxy-requirements.yaml4
-rw-r--r--playbooks/provisioning/openstack/post-install.yml57
-rw-r--r--playbooks/provisioning/openstack/post-provision-openstack.yml25
-rw-r--r--playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml2
-rw-r--r--roles/openstack-stack/templates/heat_stack.yaml.j26
6 files changed, 114 insertions, 0 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md
index b9a3b23de..a277047e1 100644
--- a/playbooks/provisioning/openstack/README.md
+++ b/playbooks/provisioning/openstack/README.md
@@ -145,6 +145,26 @@ via the public IP of the server. You can not send updates via the private
IP yet. This forces the in-stack private server to have a floating IP.
See also the [security notes](#security-notes)
+#### Flannel networking
+
+In order to configure the
+[flannel networking](https://docs.openshift.com/container-platform/3.6/install_config/configuring_sdn.html#using-flannel),
+uncomment and adjust the appropriate `inventory/group_vars/OSEv3.yml` group vars.
+Note that the `osm_cluster_network_cidr` must not overlap with the default
+Docker bridge subnet of 172.17.0.0/16. Or you should change the docker0 default
+CIDR range otherwise. For example, by adding `--bip=192.168.2.1/24` to
+`DOCKER_NETWORK_OPTIONS` located in `/etc/sysconfig/docker-network`.
+
+Also note that the flannel network will be provisioned on a separate isolated Neutron
+subnet defined from `osm_cluster_network_cidr` and having ports security disabled.
+Use the `openstack_private_data_network_name` variable to define the network
+name for the heat stack resource.
+
+After the cluster deployment done, you should run an additional post installation
+step for flannel and docker iptables configuration:
+
+ ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/post-install.yml
+
#### Other configuration variables
`openstack_ssh_key` is a Nova keypair - you can see your keypairs with
diff --git a/playbooks/provisioning/openstack/galaxy-requirements.yaml b/playbooks/provisioning/openstack/galaxy-requirements.yaml
index 93dd14ec2..1d745dcc3 100644
--- a/playbooks/provisioning/openstack/galaxy-requirements.yaml
+++ b/playbooks/provisioning/openstack/galaxy-requirements.yaml
@@ -4,3 +4,7 @@
# From 'infra-ansible'
- src: https://github.com/redhat-cop/infra-ansible
version: master
+
+# From 'openshift-ansible'
+- src: https://github.com/openshift/openshift-ansible
+ version: master
diff --git a/playbooks/provisioning/openstack/post-install.yml b/playbooks/provisioning/openstack/post-install.yml
new file mode 100644
index 000000000..417813e2a
--- /dev/null
+++ b/playbooks/provisioning/openstack/post-install.yml
@@ -0,0 +1,57 @@
+---
+- hosts: OSEv3
+ gather_facts: False
+ become: True
+ tasks:
+ - name: Save iptables rules to a backup file
+ when: openshift_use_flannel|default(False)|bool
+ shell: iptables-save > /etc/sysconfig/iptables.orig-$(date +%Y%m%d%H%M%S)
+
+# Enable iptables service on app nodes to persist custom rules (flannel SDN)
+# FIXME(bogdando) w/a https://bugzilla.redhat.com/show_bug.cgi?id=1490820
+- hosts: app
+ gather_facts: False
+ become: True
+ vars:
+ os_firewall_allow:
+ - service: dnsmasq tcp
+ port: 53/tcp
+ - service: dnsmasq udp
+ port: 53/udp
+ tasks:
+ - when: openshift_use_flannel|default(False)|bool
+ block:
+ - include_role:
+ name: openshift-ansible/roles/os_firewall
+ - include_role:
+ name: openshift-ansible/roles/lib_os_firewall
+ - name: set allow rules for dnsmasq
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ with_items: "{{ os_firewall_allow }}"
+
+- hosts: OSEv3
+ gather_facts: False
+ become: True
+ tasks:
+ - name: Apply post-install iptables hacks for Flannel SDN (the best effort)
+ when: openshift_use_flannel|default(False)|bool
+ block:
+ - name: set allow/masquerade rules for for flannel/docker
+ shell: >-
+ (iptables-save | grep -q custom-flannel-docker-1) ||
+ iptables -A DOCKER -w
+ -p all -j ACCEPT
+ -m comment --comment "custom-flannel-docker-1";
+ (iptables-save | grep -q custom-flannel-docker-2) ||
+ iptables -t nat -A POSTROUTING -w
+ -o {{flannel_interface|default('eth1')}}
+ -m comment --comment "custom-flannel-docker-2"
+ -j MASQUERADE
+
+ # NOTE(bogdando) the rules will not be restored, when iptables service unit is disabled & masked
+ - name: Persist in-memory iptables rules (w/o dynamic KUBE rules)
+ shell: iptables-save | grep -v KUBE > /etc/sysconfig/iptables
diff --git a/playbooks/provisioning/openstack/post-provision-openstack.yml b/playbooks/provisioning/openstack/post-provision-openstack.yml
index a80e8d829..e460fbf12 100644
--- a/playbooks/provisioning/openstack/post-provision-openstack.yml
+++ b/playbooks/provisioning/openstack/post-provision-openstack.yml
@@ -76,6 +76,16 @@
hosts: OSEv3
gather_facts: true
become: true
+ vars:
+ interface: "{{ flannel_interface|default('eth1') }}"
+ interface_file: /etc/sysconfig/network-scripts/ifcfg-{{ interface }}
+ interface_config:
+ DEVICE: "{{ interface }}"
+ TYPE: Ethernet
+ BOOTPROTO: dhcp
+ ONBOOT: 'yes'
+ DEFTROUTE: 'no'
+ PEERDNS: 'no'
pre_tasks:
- name: "Include DNS configuration to ensure proper name resolution"
lineinfile:
@@ -83,6 +93,21 @@
dest: /etc/sysconfig/network
regexp: "IP4_NAMESERVERS={{ hostvars['localhost'].private_dns_server }}"
line: "IP4_NAMESERVERS={{ hostvars['localhost'].private_dns_server }}"
+ - name: "Configure the flannel interface options"
+ when: openshift_use_flannel|default(False)|bool
+ block:
+ - file:
+ dest: "{{ interface_file }}"
+ state: touch
+ mode: 0644
+ owner: root
+ group: root
+ - lineinfile:
+ state: present
+ dest: "{{ interface_file }}"
+ regexp: "{{ item.key }}="
+ line: "{{ item.key }}={{ item.value }}"
+ with_dict: "{{ interface_config }}"
roles:
- node-network-manager
diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml
index 70e77662d..949a323a7 100644
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml
@@ -53,5 +53,7 @@ openshift_override_hostname_check: true
ansible_become: true
# # Flannel networking
+#osm_cluster_network_cidr: 10.128.0.0/14
#openshift_use_openshift_sdn: false
#openshift_use_flannel: true
+#flannel_interface: eth1
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index a69b7fc00..2359842a5 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -341,6 +341,12 @@ resources:
protocol: tcp
port_range_min: 9090
port_range_max: 9090
+{% if openshift_use_flannel|default(False)|bool %}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 2379
+ port_range_max: 2379
+{% endif %}
etcd-secgrp:
type: OS::Neutron::SecurityGroup