summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/calico/README.md20
-rw-r--r--roles/calico/defaults/main.yaml6
-rw-r--r--roles/calico_master/defaults/main.yaml4
-rw-r--r--roles/cockpit/defaults/main.yml8
-rw-r--r--roles/cockpit/meta/main.yml5
-rw-r--r--roles/cockpit/tasks/firewall.yml40
-rw-r--r--roles/cockpit/tasks/main.yml4
-rw-r--r--roles/docker/meta/main.yml1
-rw-r--r--roles/etcd/defaults/main.yaml12
-rw-r--r--roles/etcd/meta/main.yml7
-rw-r--r--roles/etcd/tasks/firewall.yml40
-rw-r--r--roles/etcd/tasks/main.yml4
-rw-r--r--roles/etcd_common/meta/main.yml3
-rw-r--r--roles/lib_openshift/library/oc_project.py3
-rw-r--r--roles/lib_openshift/src/class/oc_project.py3
-rw-r--r--roles/lib_os_firewall/README.md63
-rwxr-xr-xroles/lib_os_firewall/library/os_firewall_manage_iptables.py (renamed from roles/os_firewall/library/os_firewall_manage_iptables.py)0
-rw-r--r--roles/nuage_master/defaults/main.yml10
-rw-r--r--roles/nuage_master/meta/main.yml5
-rw-r--r--roles/nuage_master/tasks/firewall.yml40
-rw-r--r--roles/nuage_master/tasks/main.yaml5
-rw-r--r--roles/nuage_master/tasks/serviceaccount.yml40
-rw-r--r--roles/nuage_master/vars/main.yaml4
-rw-r--r--roles/nuage_node/defaults/main.yml12
-rw-r--r--roles/nuage_node/meta/main.yml7
-rw-r--r--roles/nuage_node/tasks/firewall.yml40
-rw-r--r--roles/nuage_node/tasks/iptables.yml6
-rw-r--r--roles/nuage_node/tasks/main.yaml8
-rw-r--r--roles/nuage_node/templates/vsp-openshift.j22
-rw-r--r--roles/openshift_ca/meta/main.yml1
-rw-r--r--roles/openshift_cfme/defaults/main.yml6
-rw-r--r--roles/openshift_common/meta/main.yml1
-rw-r--r--roles/openshift_health_checker/meta/main.yml3
-rw-r--r--roles/openshift_health_checker/openshift_checks/__init__.py25
-rw-r--r--roles/openshift_health_checker/openshift_checks/disk_availability.py33
-rw-r--r--roles/openshift_health_checker/openshift_checks/docker_storage.py22
-rw-r--r--roles/openshift_health_checker/openshift_checks/etcd_imagedata_size.py17
-rw-r--r--roles/openshift_health_checker/openshift_checks/etcd_volume.py20
-rw-r--r--roles/openshift_health_checker/test/disk_availability_test.py34
-rw-r--r--roles/openshift_health_checker/test/etcd_imagedata_size_test.py5
-rw-r--r--roles/openshift_health_checker/test/etcd_volume_test.py5
-rw-r--r--roles/openshift_hosted/defaults/main.yml15
-rw-r--r--roles/openshift_hosted/meta/main.yml6
-rw-r--r--roles/openshift_hosted/tasks/registry/firewall.yml40
-rw-r--r--roles/openshift_hosted/tasks/registry/registry.yml7
-rw-r--r--roles/openshift_hosted/tasks/router/firewall.yml40
-rw-r--r--roles/openshift_hosted/tasks/router/router.yml4
-rw-r--r--roles/openshift_loadbalancer/defaults/main.yml13
-rw-r--r--roles/openshift_loadbalancer/meta/main.yml13
-rw-r--r--roles/openshift_loadbalancer/tasks/firewall.yml40
-rw-r--r--roles/openshift_loadbalancer/tasks/main.yml4
-rw-r--r--roles/openshift_logging/tasks/update_master_config.yaml1
-rw-r--r--roles/openshift_logging_fluentd/tasks/main.yaml2
-rw-r--r--roles/openshift_logging_kibana/tasks/main.yaml6
-rw-r--r--roles/openshift_master/defaults/main.yml17
-rw-r--r--roles/openshift_master/meta/main.yml16
-rw-r--r--roles/openshift_master/tasks/firewall.yml40
-rw-r--r--roles/openshift_master/tasks/main.yml4
-rw-r--r--roles/openshift_master/tasks/system_container.yml2
-rw-r--r--roles/openshift_master/tasks/systemd_units.yml2
-rw-r--r--roles/openshift_master_cluster/meta/main.yml3
-rw-r--r--roles/openshift_metrics/tasks/update_master_config.yaml1
-rw-r--r--roles/openshift_node/defaults/main.yml15
-rw-r--r--roles/openshift_node/meta/main.yml27
-rw-r--r--roles/openshift_node/tasks/firewall.yml40
-rw-r--r--roles/openshift_node/tasks/main.yml32
-rw-r--r--roles/openshift_provisioners/tasks/install_efs.yaml2
-rw-r--r--roles/openshift_storage_glusterfs/defaults/main.yml12
-rw-r--r--roles/openshift_storage_glusterfs/meta/main.yml2
-rw-r--r--roles/openshift_storage_glusterfs/tasks/firewall.yml40
-rw-r--r--roles/openshift_storage_nfs/defaults/main.yml8
-rw-r--r--roles/openshift_storage_nfs/meta/main.yml6
-rw-r--r--roles/openshift_storage_nfs/tasks/firewall.yml40
-rw-r--r--roles/openshift_storage_nfs/tasks/main.yml4
-rw-r--r--roles/openshift_version/meta/main.yml1
-rw-r--r--roles/os_firewall/README.md37
-rw-r--r--roles/os_firewall/defaults/main.yml2
-rw-r--r--roles/os_firewall/tasks/firewall/firewalld.yml16
-rw-r--r--roles/os_firewall/tasks/firewall/iptables.yml19
79 files changed, 845 insertions, 308 deletions
diff --git a/roles/calico/README.md b/roles/calico/README.md
index 9b9458bfa..65f66ebfa 100644
--- a/roles/calico/README.md
+++ b/roles/calico/README.md
@@ -6,12 +6,6 @@ Configure Calico components for the Master host.
* Ansible 2.2
-## Warning: This Calico Integration is in Alpha
-
-Calico shares the etcd instance used by OpenShift, and distributes client etcd certificates to each node.
-For this reason, **we do not (yet) recommend running Calico on any production-like
-cluster, or using it for any purpose besides early access testing.**
-
## Installation
To install, set the following inventory configuration parameters:
@@ -20,7 +14,19 @@ To install, set the following inventory configuration parameters:
* `openshift_use_openshift_sdn=False`
* `os_sdn_network_plugin_name='cni'`
-## Additional Calico/Node and Felix Configuration Options
+For more information, see [Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
+
+## Improving security with BYO-etcd
+
+By default, Calico uses the etcd set up by OpenShift. To accomplish this, it generates and distributes client etcd certificates to each node.
+Distributing these certs across the cluster in this way weakens the overall security,
+so Calico should not be deployed in production in this mode.
+
+Instead, Calico can be installed in BYO-etcd mode, where it connects to an externally
+set up etcd. For information on deploying Calico in BYO-etcd mode, see
+[Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
+
+## Calico Configuration Options
Additional parameters that can be defined in the inventory are:
diff --git a/roles/calico/defaults/main.yaml b/roles/calico/defaults/main.yaml
index 207dee068..e7a9db92f 100644
--- a/roles/calico/defaults/main.yaml
+++ b/roles/calico/defaults/main.yaml
@@ -5,11 +5,11 @@ cni_conf_dir: "/etc/cni/net.d/"
cni_bin_dir: "/opt/cni/bin/"
cni_url: "https://github.com/containernetworking/cni/releases/download/v0.5.2/cni-amd64-v0.5.2.tgz"
-calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.8.3/calico"
-calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.8.3/calico-ipam"
+calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico"
+calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico-ipam"
calico_ipv4pool_ipip: "always"
calico_ipv4pool_cidr: "192.168.0.0/16"
calico_log_dir: "/var/log/calico"
-calico_node_image: "calico/node:v1.2.1"
+calico_node_image: "calico/node:v2.4.1"
diff --git a/roles/calico_master/defaults/main.yaml b/roles/calico_master/defaults/main.yaml
index b2df0105f..d40286aba 100644
--- a/roles/calico_master/defaults/main.yaml
+++ b/roles/calico_master/defaults/main.yaml
@@ -3,5 +3,5 @@ kubeconfig: "{{ openshift.common.config_base }}/master/openshift-master.kubeconf
calicoctl_bin_dir: "/usr/local/bin/"
-calico_url_calicoctl: "https://github.com/projectcalico/calicoctl/releases/download/v1.1.3/calicoctl"
-calico_url_policy_controller: "quay.io/calico/kube-policy-controller:v0.5.4"
+calico_url_calicoctl: "https://github.com/projectcalico/calicoctl/releases/download/v1.4.0/calicoctl"
+calico_url_policy_controller: "quay.io/calico/kube-policy-controller:v0.7.0"
diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml
new file mode 100644
index 000000000..cbe5bb92b
--- /dev/null
+++ b/roles/cockpit/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+r_cockpit_firewall_enabled: True
+r_cockpit_use_firewalld: False
+
+r_cockpit_os_firewall_deny: []
+r_cockpit_os_firewall_allow:
+- service: cockpit-ws
+ port: 9090/tcp
diff --git a/roles/cockpit/meta/main.yml b/roles/cockpit/meta/main.yml
index 0f507e75e..8c0ed3cb8 100644
--- a/roles/cockpit/meta/main.yml
+++ b/roles/cockpit/meta/main.yml
@@ -12,7 +12,4 @@ galaxy_info:
categories:
- cloud
dependencies:
-- role: os_firewall
- os_firewall_allow:
- - service: cockpit-ws
- port: 9090/tcp
+- role: lib_os_firewall
diff --git a/roles/cockpit/tasks/firewall.yml b/roles/cockpit/tasks/firewall.yml
new file mode 100644
index 000000000..e597ac84d
--- /dev/null
+++ b/roles/cockpit/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_cockpit_firewall_enabled | bool and not r_cockpit_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_cockpit_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_cockpit_os_firewall_deny }}"
+
+- when: r_cockpit_firewall_enabled | bool and r_cockpit_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_cockpit_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_cockpit_os_firewall_deny }}"
diff --git a/roles/cockpit/tasks/main.yml b/roles/cockpit/tasks/main.yml
index 57f49ea11..066ee3f3b 100644
--- a/roles/cockpit/tasks/main.yml
+++ b/roles/cockpit/tasks/main.yml
@@ -1,4 +1,8 @@
---
+- name: setup firewall
+ include: firewall.yml
+ static: yes
+
- name: Install cockpit-ws
package: name={{ item }} state=present
with_items:
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index cd4083572..b773a417c 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -10,5 +10,4 @@ galaxy_info:
versions:
- 7
dependencies:
-- role: os_firewall
- role: lib_openshift
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index c0d1d5946..d12d7a358 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -1,4 +1,7 @@
---
+r_etcd_firewall_enabled: True
+r_etcd_use_firewalld: False
+
etcd_initial_cluster_state: new
etcd_initial_cluster_token: etcd-cluster-1
@@ -7,4 +10,13 @@ etcd_listen_peer_urls: "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_
etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
+etcd_client_port: 2379
+etcd_peer_port: 2380
+
etcd_systemd_dir: "/etc/systemd/system/{{ etcd_service }}.service.d"
+r_etcd_os_firewall_deny: []
+r_etcd_os_firewall_allow:
+- service: etcd
+ port: "{{etcd_client_port}}/tcp"
+- service: etcd peering
+ port: "{{ etcd_peer_port }}/tcp"
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
index 689c07a84..9a955c822 100644
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -17,11 +17,6 @@ galaxy_info:
- system
dependencies:
- role: lib_openshift
-- role: os_firewall
- os_firewall_allow:
- - service: etcd
- port: "{{etcd_client_port}}/tcp"
- - service: etcd peering
- port: "{{ etcd_peer_port }}/tcp"
+- role: lib_os_firewall
- role: etcd_server_certificates
- role: etcd_common
diff --git a/roles/etcd/tasks/firewall.yml b/roles/etcd/tasks/firewall.yml
new file mode 100644
index 000000000..4d0f6290a
--- /dev/null
+++ b/roles/etcd/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_etcd_firewall_enabled | bool and not r_etcd_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_etcd_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_etcd_os_firewall_deny }}"
+
+- when: r_etcd_firewall_enabled | bool and r_etcd_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_etcd_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_etcd_os_firewall_deny }}"
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 8c2f392ee..78e543ef1 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -6,6 +6,10 @@
etcd_hostname: "{{ etcd_hostname }}"
etcd_ip: "{{ etcd_ip }}"
+- name: setup firewall
+ include: firewall.yml
+ static: yes
+
- name: Install etcd
package: name=etcd{{ '-' + etcd_version if etcd_version is defined else '' }} state=present
when: not etcd_is_containerized | bool
diff --git a/roles/etcd_common/meta/main.yml b/roles/etcd_common/meta/main.yml
index fb9280c9e..dfb1c7a2c 100644
--- a/roles/etcd_common/meta/main.yml
+++ b/roles/etcd_common/meta/main.yml
@@ -12,5 +12,4 @@ galaxy_info:
categories:
- cloud
- system
-dependencies:
-- { role: openshift_repos }
+dependencies: []
diff --git a/roles/lib_openshift/library/oc_project.py b/roles/lib_openshift/library/oc_project.py
index a78bc06d2..bf65ef603 100644
--- a/roles/lib_openshift/library/oc_project.py
+++ b/roles/lib_openshift/library/oc_project.py
@@ -1657,6 +1657,9 @@ class OCProject(OpenShiftCLI):
# Create it here
api_rval = oadm_project.create()
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
# return the created object
api_rval = oadm_project.get()
diff --git a/roles/lib_openshift/src/class/oc_project.py b/roles/lib_openshift/src/class/oc_project.py
index 9ad8111a8..298597067 100644
--- a/roles/lib_openshift/src/class/oc_project.py
+++ b/roles/lib_openshift/src/class/oc_project.py
@@ -156,6 +156,9 @@ class OCProject(OpenShiftCLI):
# Create it here
api_rval = oadm_project.create()
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
# return the created object
api_rval = oadm_project.get()
diff --git a/roles/lib_os_firewall/README.md b/roles/lib_os_firewall/README.md
new file mode 100644
index 000000000..ba8c84865
--- /dev/null
+++ b/roles/lib_os_firewall/README.md
@@ -0,0 +1,63 @@
+lib_os_firewall
+===========
+
+lib_os_firewall manages iptables firewall settings for a minimal use
+case (Adding/Removing rules based on protocol and port number).
+
+Note: firewalld is not supported on Atomic Host
+https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+
+Requirements
+------------
+
+Ansible 2.2
+
+Role Variables
+--------------
+
+| Name | Default | |
+|---------------------------|---------|----------------------------------------|
+| os_firewall_allow | [] | List of service,port mappings to allow |
+| os_firewall_deny | [] | List of service, port mappings to deny |
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+Use iptables and open tcp ports 80 and 443:
+```
+---
+- hosts: servers
+ vars:
+ os_firewall_use_firewalld: false
+ os_firewall_allow:
+ - service: httpd
+ port: 80/tcp
+ - service: https
+ port: 443/tcp
+ tasks:
+ - include_role:
+ name: lib_os_firewall
+
+ - name: set allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ with_items: "{{ os_firewall_allow }}"
+```
+
+
+License
+-------
+
+Apache License, Version 2.0
+
+Author Information
+------------------
+Jason DeTiberus - jdetiber@redhat.com
diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/lib_os_firewall/library/os_firewall_manage_iptables.py
index aeee3ede8..aeee3ede8 100755
--- a/roles/os_firewall/library/os_firewall_manage_iptables.py
+++ b/roles/lib_os_firewall/library/os_firewall_manage_iptables.py
diff --git a/roles/nuage_master/defaults/main.yml b/roles/nuage_master/defaults/main.yml
new file mode 100644
index 000000000..ffab25775
--- /dev/null
+++ b/roles/nuage_master/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+r_nuage_master_firewall_enabled: True
+r_nuage_master_use_firewalld: False
+
+nuage_mon_rest_server_port: '9443'
+
+r_nuage_master_os_firewall_deny: []
+r_nuage_master_os_firewall_allow:
+- service: openshift-monitor
+ port: "{{ nuage_mon_rest_server_port }}/tcp"
diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml
index e3ed9ac71..3da340c85 100644
--- a/roles/nuage_master/meta/main.yml
+++ b/roles/nuage_master/meta/main.yml
@@ -16,8 +16,5 @@ dependencies:
- role: nuage_ca
- role: nuage_common
- role: openshift_etcd_client_certificates
-- role: os_firewall
- role: lib_openshift
- os_firewall_allow:
- - service: openshift-monitor
- port: "{{ nuage_mon_rest_server_port }}/tcp"
+- role: lib_os_firewall
diff --git a/roles/nuage_master/tasks/firewall.yml b/roles/nuage_master/tasks/firewall.yml
new file mode 100644
index 000000000..0057dc9ab
--- /dev/null
+++ b/roles/nuage_master/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_nuage_master_firewall_enabled | bool and not r_nuage_master_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_nuage_master_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_nuage_master_os_firewall_deny }}"
+
+- when: r_nuage_master_firewall_enabled | bool and r_nuage_master_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_nuage_master_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_nuage_master_os_firewall_deny }}"
diff --git a/roles/nuage_master/tasks/main.yaml b/roles/nuage_master/tasks/main.yaml
index 4f8adb63e..d0363c981 100644
--- a/roles/nuage_master/tasks/main.yaml
+++ b/roles/nuage_master/tasks/main.yaml
@@ -1,4 +1,8 @@
---
+- name: setup firewall
+ include: firewall.yml
+ static: yes
+
- name: Create directory /usr/share/nuage-openshift-monitor
become: yes
file: path=/usr/share/nuage-openshift-monitor state=directory
@@ -45,7 +49,6 @@
become: yes
template: src=nuage-openshift-monitor.j2 dest=/usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml owner=root mode=0644
notify:
- - restart master
- restart master api
- restart master controllers
- restart nuage-openshift-monitor
diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml
index eee448e2c..fbf2c4f8d 100644
--- a/roles/nuage_master/tasks/serviceaccount.yml
+++ b/roles/nuage_master/tasks/serviceaccount.yml
@@ -1,26 +1,6 @@
---
-- name: Create temporary directory for admin kubeconfig
- command: mktemp -u /tmp/openshift-ansible-XXXXXXX.kubeconfig
- register: nuage_tmp_conf_mktemp
- changed_when: False
- run_once: True
- delegate_to: "{{ nuage_ca_master }}"
-
-- set_fact:
- nuage_tmp_conf: "{{ nuage_tmp_conf_mktemp.stdout }}"
- run_once: True
- delegate_to: "{{ nuage_ca_master }}"
-
-- name: Copy Configuration to temporary conf
- command: >
- cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{nuage_tmp_conf}}
- changed_when: false
- run_once: True
- delegate_to: "{{ nuage_ca_master }}"
-
- name: Create Admin Service Account
oc_serviceaccount:
- kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig"
name: nuage
namespace: default
state: present
@@ -28,13 +8,12 @@
delegate_to: "{{ nuage_ca_master }}"
- name: Configure role/user permissions
- command: >
- {{ openshift.common.client_binary }} adm {{item}}
- --config={{ nuage_tmp_conf }}
- with_items: "{{nuage_tasks}}"
- register: osnuage_perm_task
- failed_when: "'the object has been modified' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0"
- changed_when: osnuage_perm_task.rc == 0
+ oc_adm_policy_user:
+ namespace: default
+ resource_name: "{{ item.resource_name }}"
+ resource_kind: "{{ item.resource_kind }}"
+ user: "{{ item.user }}"
+ with_items: "{{ nuage_tasks }}"
run_once: True
delegate_to: "{{ nuage_ca_master }}"
@@ -52,10 +31,3 @@
--user={{ nuage_service_account }}
delegate_to: "{{ nuage_ca_master }}"
run_once: True
-
-- name: Clean temporary configuration file
- command: >
- rm -f {{nuage_tmp_conf}}
- changed_when: false
- delegate_to: "{{ nuage_ca_master }}"
- run_once: True
diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml
index 651d5775c..57d5d2595 100644
--- a/roles/nuage_master/vars/main.yaml
+++ b/roles/nuage_master/vars/main.yaml
@@ -23,4 +23,6 @@ nuage_master_crt_dir: /usr/share/nuage-openshift-monitor
nuage_service_account: system:serviceaccount:default:nuage
nuage_tasks:
- - policy add-cluster-role-to-user cluster-reader {{ nuage_service_account }}
+- resource_kind: cluster-role
+ resource_name: cluster-reader
+ user: "{{ nuage_service_account }}"
diff --git a/roles/nuage_node/defaults/main.yml b/roles/nuage_node/defaults/main.yml
new file mode 100644
index 000000000..b3d2e3cec
--- /dev/null
+++ b/roles/nuage_node/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+r_nuage_node_firewall_enabled: True
+r_nuage_node_use_firewalld: False
+
+nuage_mon_rest_server_port: '9443'
+
+r_nuage_node_os_firewall_deny: []
+r_nuage_node_os_firewall_allow:
+- service: vxlan
+ port: 4789/udp
+- service: nuage-monitor
+ port: "{{ nuage_mon_rest_server_port }}/tcp"
diff --git a/roles/nuage_node/meta/main.yml b/roles/nuage_node/meta/main.yml
index 3e2a5e0c9..9b0315054 100644
--- a/roles/nuage_node/meta/main.yml
+++ b/roles/nuage_node/meta/main.yml
@@ -15,9 +15,4 @@ galaxy_info:
dependencies:
- role: nuage_common
- role: nuage_ca
-- role: os_firewall
- os_firewall_allow:
- - service: vxlan
- port: 4789/udp
- - service: nuage-monitor
- port: "{{ nuage_mon_rest_server_port }}/tcp"
+- role: lib_os_firewall
diff --git a/roles/nuage_node/tasks/firewall.yml b/roles/nuage_node/tasks/firewall.yml
new file mode 100644
index 000000000..baf600d57
--- /dev/null
+++ b/roles/nuage_node/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_nuage_node_firewall_enabled | bool and not r_nuage_node_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_nuage_node_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_nuage_node_os_firewall_deny }}"
+
+- when: r_nuage_node_firewall_enabled | bool and r_nuage_node_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_nuage_node_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_nuage_node_os_firewall_deny }}"
diff --git a/roles/nuage_node/tasks/iptables.yml b/roles/nuage_node/tasks/iptables.yml
index 847c8395d..95ee8643a 100644
--- a/roles/nuage_node/tasks/iptables.yml
+++ b/roles/nuage_node/tasks/iptables.yml
@@ -15,3 +15,9 @@
when: "'nuage-underlay-overlay' not in iptablesrules.stdout"
notify:
- save iptable rules
+
+- name: Allow docker daemon traffic from underlay to overlay
+ command: /sbin/iptables -t nat -A POSTROUTING ! -s {{ hostvars[groups.oo_first_master.0].openshift.master.sdn_cluster_network_cidr }} -o svc-pat-tap -j MASQUERADE -m comment --comment "nuage-docker-underlay-overlay"
+ when: "'nuage-docker-underlay-overlay' not in iptablesrules.stdout"
+ notify:
+ - save iptable rules
diff --git a/roles/nuage_node/tasks/main.yaml b/roles/nuage_node/tasks/main.yaml
index 928f9e2e6..66d6ef4ca 100644
--- a/roles/nuage_node/tasks/main.yaml
+++ b/roles/nuage_node/tasks/main.yaml
@@ -11,6 +11,10 @@
become: yes
lineinfile: dest={{ vrs_config }} regexp=^ACTIVE_CONTROLLER line='ACTIVE_CONTROLLER={{ vsc_active_ip }}'
+- name: Set the K8S/OSE Cluster service CIDR
+ become: yes
+ lineinfile: dest={{ vrs_config }} regexp=^K8S_SERVICE_IPV4_SUBNET line='K8S_SERVICE_IPV4_SUBNET={{ k8s_cluster_service_cidr }}'
+
- name: Set the Standby Controller
become: yes
lineinfile: dest={{ vrs_config }} regexp=^STANDBY_CONTROLLER line='STANDBY_CONTROLLER={{ vsc_standby_ip }}'
@@ -54,3 +58,7 @@
- restart node
- include: iptables.yml
+
+- name: setup firewall
+ include: firewall.yml
+ static: yes
diff --git a/roles/nuage_node/templates/vsp-openshift.j2 b/roles/nuage_node/templates/vsp-openshift.j2
index 9fab53906..f6bccebc2 100644
--- a/roles/nuage_node/templates/vsp-openshift.j2
+++ b/roles/nuage_node/templates/vsp-openshift.j2
@@ -9,7 +9,7 @@ enterpriseName: {{ enterprise }}
# Name of the domain in which pods will reside
domainName: {{ domain }}
# Name of the VSD user in admin group
-vsdUser: {{ vsduser }}
+vsdUser: {{ vsd_user }}
# IP address and port number of master API server
masterApiServer: {{ api_server }}
# REST server URL
diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml
index 444c5b77e..dfbdf0cc7 100644
--- a/roles/openshift_ca/meta/main.yml
+++ b/roles/openshift_ca/meta/main.yml
@@ -13,6 +13,5 @@ galaxy_info:
- cloud
- system
dependencies:
-- role: openshift_repos
- role: openshift_cli
- role: openshift_named_certificates
diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml
index ecf85642b..393bee1f3 100644
--- a/roles/openshift_cfme/defaults/main.yml
+++ b/roles/openshift_cfme/defaults/main.yml
@@ -36,9 +36,9 @@ openshift_cfme_nfs_server: "{{ groups.nfs.0 }}"
# --template=manageiq). If False everything UP TO 'new-app' is ran.
openshift_cfme_install_app: False
# Docker image to pull
-openshift_cfme_application_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-app' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods:app-latest-fine' }}"
-openshift_cfme_postgresql_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-postgresql' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods:app-latest-fine' }}"
-openshift_cfme_memcached_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-memcached' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods:app-latest-fine' }}"
+openshift_cfme_application_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-app' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}"
+openshift_cfme_postgresql_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-postgresql' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}"
+openshift_cfme_memcached_img_name: "{{ 'registry.access.redhat.com/cloudforms45/cfme-openshift-memcached' if openshift_deployment_type == 'openshift-enterprise' else 'docker.io/manageiq/manageiq-pods' }}"
openshift_cfme_application_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'app-latest-fine' }}"
openshift_cfme_memcached_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'memcached-latest-fine' }}"
openshift_cfme_postgresql_img_tag: "{{ 'latest' if openshift_deployment_type == 'openshift-enterprise' else 'postgresql-latest-fine' }}"
diff --git a/roles/openshift_common/meta/main.yml b/roles/openshift_common/meta/main.yml
index f1cf3e161..7cc95d8fa 100644
--- a/roles/openshift_common/meta/main.yml
+++ b/roles/openshift_common/meta/main.yml
@@ -13,4 +13,3 @@ galaxy_info:
- cloud
dependencies:
- role: openshift_facts
-- role: openshift_repos
diff --git a/roles/openshift_health_checker/meta/main.yml b/roles/openshift_health_checker/meta/main.yml
index cd9b55902..bc8e7bdcf 100644
--- a/roles/openshift_health_checker/meta/main.yml
+++ b/roles/openshift_health_checker/meta/main.yml
@@ -1,4 +1,3 @@
---
dependencies:
- - role: openshift_facts
- - role: openshift_repos
+- role: openshift_facts
diff --git a/roles/openshift_health_checker/openshift_checks/__init__.py b/roles/openshift_health_checker/openshift_checks/__init__.py
index 09139408c..07ec6f7ef 100644
--- a/roles/openshift_health_checker/openshift_checks/__init__.py
+++ b/roles/openshift_health_checker/openshift_checks/__init__.py
@@ -197,6 +197,31 @@ class OpenShiftCheck(object):
components = tuple(int(x) for x in components[:2])
return components
+ def find_ansible_mount(self, path):
+ """Return the mount point for path from ansible_mounts."""
+
+ # reorganize list of mounts into dict by path
+ mount_for_path = {
+ mount['mount']: mount
+ for mount
+ in self.get_var('ansible_mounts')
+ }
+
+ # NOTE: including base cases '/' and '' to ensure the loop ends
+ mount_targets = set(mount_for_path.keys()) | {'/', ''}
+ mount_point = path
+ while mount_point not in mount_targets:
+ mount_point = os.path.dirname(mount_point)
+
+ try:
+ return mount_for_path[mount_point]
+ except KeyError:
+ known_mounts = ', '.join('"{}"'.format(mount) for mount in sorted(mount_for_path))
+ raise OpenShiftCheckException(
+ 'Unable to determine mount point for path "{}".\n'
+ 'Known mount points: {}.'.format(path, known_mounts or 'none')
+ )
+
LOADER_EXCLUDES = (
"__init__.py",
diff --git a/roles/openshift_health_checker/openshift_checks/disk_availability.py b/roles/openshift_health_checker/openshift_checks/disk_availability.py
index 39ac0e4ec..6d1dea9ce 100644
--- a/roles/openshift_health_checker/openshift_checks/disk_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/disk_availability.py
@@ -1,6 +1,5 @@
"""Check that there is enough disk space in predefined paths."""
-import os.path
import tempfile
from openshift_checks import OpenShiftCheck, OpenShiftCheckException
@@ -55,9 +54,6 @@ class DiskAvailability(OpenShiftCheck):
def run(self):
group_names = self.get_var("group_names")
- ansible_mounts = self.get_var("ansible_mounts")
- ansible_mounts = {mount['mount']: mount for mount in ansible_mounts}
-
user_config = self.get_var("openshift_check_min_host_disk_gb", default={})
try:
# For backwards-compatibility, if openshift_check_min_host_disk_gb
@@ -80,7 +76,7 @@ class DiskAvailability(OpenShiftCheck):
# not part of the official recommendation but present in the user
# configuration.
for path, recommendation in self.recommended_disk_space_bytes.items():
- free_bytes = self.free_bytes(path, ansible_mounts)
+ free_bytes = self.free_bytes(path)
recommended_bytes = max(recommendation.get(name, 0) for name in group_names)
config = user_config.get(path, {})
@@ -127,22 +123,17 @@ class DiskAvailability(OpenShiftCheck):
return {}
- @staticmethod
- def free_bytes(path, ansible_mounts):
+ def free_bytes(self, path):
"""Return the size available in path based on ansible_mounts."""
- mount_point = path
- # arbitry value to prevent an infinite loop, in the unlike case that '/'
- # is not in ansible_mounts.
- max_depth = 32
- while mount_point not in ansible_mounts and max_depth > 0:
- mount_point = os.path.dirname(mount_point)
- max_depth -= 1
-
+ mount = self.find_ansible_mount(path)
try:
- free_bytes = ansible_mounts[mount_point]['size_available']
+ return mount['size_available']
except KeyError:
- known_mounts = ', '.join('"{}"'.format(mount) for mount in sorted(ansible_mounts)) or 'none'
- msg = 'Unable to determine disk availability for "{}". Known mount points: {}.'
- raise OpenShiftCheckException(msg.format(path, known_mounts))
-
- return free_bytes
+ raise OpenShiftCheckException(
+ 'Unable to retrieve disk availability for "{path}".\n'
+ 'Ansible facts included a matching mount point for this path:\n'
+ ' {mount}\n'
+ 'however it is missing the size_available field.\n'
+ 'To investigate, you can inspect the output of `ansible -m setup <host>`'
+ ''.format(path=path, mount=mount)
+ )
diff --git a/roles/openshift_health_checker/openshift_checks/docker_storage.py b/roles/openshift_health_checker/openshift_checks/docker_storage.py
index 7ae384bd7..0558ddf14 100644
--- a/roles/openshift_health_checker/openshift_checks/docker_storage.py
+++ b/roles/openshift_health_checker/openshift_checks/docker_storage.py
@@ -1,6 +1,5 @@
"""Check Docker storage driver and usage."""
import json
-import os.path
import re
from openshift_checks import OpenShiftCheck, OpenShiftCheckException
from openshift_checks.mixins import DockerHostMixin
@@ -252,7 +251,7 @@ class DockerStorage(DockerHostMixin, OpenShiftCheck):
"msg": "Specified 'max_overlay_usage_percent' is not a percentage: {}".format(threshold),
}
- mount = self.find_ansible_mount(path, self.get_var("ansible_mounts"))
+ mount = self.find_ansible_mount(path)
try:
free_bytes = mount['size_available']
total_bytes = mount['size_total']
@@ -275,22 +274,3 @@ class DockerStorage(DockerHostMixin, OpenShiftCheck):
}
return {}
-
- # TODO(lmeyer): migrate to base class
- @staticmethod
- def find_ansible_mount(path, ansible_mounts):
- """Return the mount point for path from ansible_mounts."""
-
- mount_for_path = {mount['mount']: mount for mount in ansible_mounts}
- mount_point = path
- while mount_point not in mount_for_path:
- if mount_point in ["/", ""]: # "/" not in ansible_mounts???
- break
- mount_point = os.path.dirname(mount_point)
-
- try:
- return mount_for_path[mount_point]
- except KeyError:
- known_mounts = ', '.join('"{}"'.format(mount) for mount in sorted(mount_for_path)) or 'none'
- msg = 'Unable to determine mount point for path "{}". Known mount points: {}.'
- raise OpenShiftCheckException(msg.format(path, known_mounts))
diff --git a/roles/openshift_health_checker/openshift_checks/etcd_imagedata_size.py b/roles/openshift_health_checker/openshift_checks/etcd_imagedata_size.py
index ae8460b7e..f4296753a 100644
--- a/roles/openshift_health_checker/openshift_checks/etcd_imagedata_size.py
+++ b/roles/openshift_health_checker/openshift_checks/etcd_imagedata_size.py
@@ -2,7 +2,7 @@
Ansible module for determining if the size of OpenShift image data exceeds a specified limit in an etcd cluster.
"""
-from openshift_checks import OpenShiftCheck, OpenShiftCheckException
+from openshift_checks import OpenShiftCheck
class EtcdImageDataSize(OpenShiftCheck):
@@ -12,7 +12,7 @@ class EtcdImageDataSize(OpenShiftCheck):
tags = ["etcd"]
def run(self):
- etcd_mountpath = self._get_etcd_mountpath(self.get_var("ansible_mounts"))
+ etcd_mountpath = self.find_ansible_mount("/var/lib/etcd")
etcd_avail_diskspace = etcd_mountpath["size_available"]
etcd_total_diskspace = etcd_mountpath["size_total"]
@@ -68,18 +68,5 @@ class EtcdImageDataSize(OpenShiftCheck):
return {}
@staticmethod
- def _get_etcd_mountpath(ansible_mounts):
- valid_etcd_mount_paths = ["/var/lib/etcd", "/var/lib", "/var", "/"]
-
- mount_for_path = {mnt.get("mount"): mnt for mnt in ansible_mounts}
- for path in valid_etcd_mount_paths:
- if path in mount_for_path:
- return mount_for_path[path]
-
- paths = ', '.join(sorted(mount_for_path)) or 'none'
- msg = "Unable to determine a valid etcd mountpath. Paths mounted: {}.".format(paths)
- raise OpenShiftCheckException(msg)
-
- @staticmethod
def _to_gigabytes(byte_size):
return float(byte_size) / 10.0**9
diff --git a/roles/openshift_health_checker/openshift_checks/etcd_volume.py b/roles/openshift_health_checker/openshift_checks/etcd_volume.py
index e55d55e91..e5d93ff3f 100644
--- a/roles/openshift_health_checker/openshift_checks/etcd_volume.py
+++ b/roles/openshift_health_checker/openshift_checks/etcd_volume.py
@@ -1,6 +1,6 @@
"""A health check for OpenShift clusters."""
-from openshift_checks import OpenShiftCheck, OpenShiftCheckException
+from openshift_checks import OpenShiftCheck
class EtcdVolume(OpenShiftCheck):
@@ -11,8 +11,8 @@ class EtcdVolume(OpenShiftCheck):
# Default device usage threshold. Value should be in the range [0, 100].
default_threshold_percent = 90
- # Where to find ectd data, higher priority first.
- supported_mount_paths = ["/var/lib/etcd", "/var/lib", "/var", "/"]
+ # Where to find etcd data
+ etcd_mount_path = "/var/lib/etcd"
def is_active(self):
etcd_hosts = self.get_var("groups", "etcd", default=[]) or self.get_var("groups", "masters", default=[]) or []
@@ -20,7 +20,7 @@ class EtcdVolume(OpenShiftCheck):
return super(EtcdVolume, self).is_active() and is_etcd_host
def run(self):
- mount_info = self._etcd_mount_info()
+ mount_info = self.find_ansible_mount(self.etcd_mount_path)
available = mount_info["size_available"]
total = mount_info["size_total"]
used = total - available
@@ -41,15 +41,3 @@ class EtcdVolume(OpenShiftCheck):
return {"failed": True, "msg": msg}
return {}
-
- def _etcd_mount_info(self):
- ansible_mounts = self.get_var("ansible_mounts")
- mounts = {mnt.get("mount"): mnt for mnt in ansible_mounts}
-
- for path in self.supported_mount_paths:
- if path in mounts:
- return mounts[path]
-
- paths = ', '.join(sorted(mounts)) or 'none'
- msg = "Unable to find etcd storage mount point. Paths mounted: {}.".format(paths)
- raise OpenShiftCheckException(msg)
diff --git a/roles/openshift_health_checker/test/disk_availability_test.py b/roles/openshift_health_checker/test/disk_availability_test.py
index 5720eeacf..f4fd2dfed 100644
--- a/roles/openshift_health_checker/test/disk_availability_test.py
+++ b/roles/openshift_health_checker/test/disk_availability_test.py
@@ -20,12 +20,24 @@ def test_is_active(group_names, is_active):
assert DiskAvailability(None, task_vars).is_active() == is_active
-@pytest.mark.parametrize('ansible_mounts,extra_words', [
- ([], ['none']), # empty ansible_mounts
- ([{'mount': '/mnt'}], ['/mnt']), # missing relevant mount paths
- ([{'mount': '/var'}], ['/var']), # missing size_available
+@pytest.mark.parametrize('desc, ansible_mounts, expect_chunks', [
+ (
+ 'empty ansible_mounts',
+ [],
+ ['determine mount point', 'none'],
+ ),
+ (
+ 'missing relevant mount paths',
+ [{'mount': '/mnt'}],
+ ['determine mount point', '/mnt'],
+ ),
+ (
+ 'missing size_available',
+ [{'mount': '/var'}, {'mount': '/usr'}, {'mount': '/tmp'}],
+ ['missing', 'size_available'],
+ ),
])
-def test_cannot_determine_available_disk(ansible_mounts, extra_words):
+def test_cannot_determine_available_disk(desc, ansible_mounts, expect_chunks):
task_vars = dict(
group_names=['masters'],
ansible_mounts=ansible_mounts,
@@ -34,8 +46,8 @@ def test_cannot_determine_available_disk(ansible_mounts, extra_words):
with pytest.raises(OpenShiftCheckException) as excinfo:
DiskAvailability(fake_execute_module, task_vars).run()
- for word in 'determine disk availability'.split() + extra_words:
- assert word in str(excinfo.value)
+ for chunk in expect_chunks:
+ assert chunk in str(excinfo.value)
@pytest.mark.parametrize('group_names,configured_min,ansible_mounts', [
@@ -97,7 +109,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib
assert not result.get('failed', False)
-@pytest.mark.parametrize('name,group_names,configured_min,ansible_mounts,extra_words', [
+@pytest.mark.parametrize('name,group_names,configured_min,ansible_mounts,expect_chunks', [
(
'test with no space available',
['masters'],
@@ -164,7 +176,7 @@ def test_succeeds_with_recommended_disk_space(group_names, configured_min, ansib
['0.0 GB'],
),
], ids=lambda argval: argval[0])
-def test_fails_with_insufficient_disk_space(name, group_names, configured_min, ansible_mounts, extra_words):
+def test_fails_with_insufficient_disk_space(name, group_names, configured_min, ansible_mounts, expect_chunks):
task_vars = dict(
group_names=group_names,
openshift_check_min_host_disk_gb=configured_min,
@@ -174,8 +186,8 @@ def test_fails_with_insufficient_disk_space(name, group_names, configured_min, a
result = DiskAvailability(fake_execute_module, task_vars).run()
assert result['failed']
- for word in 'below recommended'.split() + extra_words:
- assert word in result.get('msg', '')
+ for chunk in 'below recommended'.split() + expect_chunks:
+ assert chunk in result.get('msg', '')
@pytest.mark.parametrize('name,group_names,context,ansible_mounts,failed,extra_words', [
diff --git a/roles/openshift_health_checker/test/etcd_imagedata_size_test.py b/roles/openshift_health_checker/test/etcd_imagedata_size_test.py
index e3d6706fa..d3aae98f2 100644
--- a/roles/openshift_health_checker/test/etcd_imagedata_size_test.py
+++ b/roles/openshift_health_checker/test/etcd_imagedata_size_test.py
@@ -1,7 +1,8 @@
import pytest
from collections import namedtuple
-from openshift_checks.etcd_imagedata_size import EtcdImageDataSize, OpenShiftCheckException
+from openshift_checks.etcd_imagedata_size import EtcdImageDataSize
+from openshift_checks import OpenShiftCheckException
from etcdkeysize import check_etcd_key_size
@@ -56,7 +57,7 @@ def test_cannot_determine_available_mountpath(ansible_mounts, extra_words):
with pytest.raises(OpenShiftCheckException) as excinfo:
check.run()
- for word in 'determine valid etcd mountpath'.split() + extra_words:
+ for word in ['Unable to determine mount point'] + extra_words:
assert word in str(excinfo.value)
diff --git a/roles/openshift_health_checker/test/etcd_volume_test.py b/roles/openshift_health_checker/test/etcd_volume_test.py
index 0b255136e..077cea3ea 100644
--- a/roles/openshift_health_checker/test/etcd_volume_test.py
+++ b/roles/openshift_health_checker/test/etcd_volume_test.py
@@ -1,6 +1,7 @@
import pytest
-from openshift_checks.etcd_volume import EtcdVolume, OpenShiftCheckException
+from openshift_checks.etcd_volume import EtcdVolume
+from openshift_checks import OpenShiftCheckException
@pytest.mark.parametrize('ansible_mounts,extra_words', [
@@ -15,7 +16,7 @@ def test_cannot_determine_available_disk(ansible_mounts, extra_words):
with pytest.raises(OpenShiftCheckException) as excinfo:
EtcdVolume(fake_execute_module, task_vars).run()
- for word in 'Unable to find etcd storage mount point'.split() + extra_words:
+ for word in ['Unable to determine mount point'] + extra_words:
assert word in str(excinfo.value)
diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml
index 0391e5602..13cbfb14e 100644
--- a/roles/openshift_hosted/defaults/main.yml
+++ b/roles/openshift_hosted/defaults/main.yml
@@ -1,4 +1,10 @@
---
+r_openshift_hosted_router_firewall_enabled: True
+r_openshift_hosted_router_use_firewalld: False
+
+r_openshift_hosted_registry_firewall_enabled: True
+r_openshift_hosted_registry_use_firewalld: False
+
registry_volume_claim: 'registry-claim'
openshift_hosted_router_edits:
@@ -26,12 +32,15 @@ openshift_hosted_routers:
- 443:443
certificate: "{{ openshift_hosted_router_certificate | default({}) }}"
-
openshift_hosted_router_certificate: {}
openshift_hosted_registry_cert_expire_days: 730
openshift_hosted_router_create_certificate: True
-os_firewall_allow:
+r_openshift_hosted_router_os_firewall_deny: []
+r_openshift_hosted_router_os_firewall_allow: []
+
+r_openshift_hosted_registry_os_firewall_deny: []
+r_openshift_hosted_registry_os_firewall_allow:
- service: Docker Registry Port
port: 5000/tcp
- when: openshift.common.use_calico | bool
+ cond: "{{ r_openshift_hosted_use_calico }}"
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index 9e3f37130..28fd396d6 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -15,8 +15,4 @@ dependencies:
- role: openshift_cli
- role: openshift_hosted_facts
- role: lib_openshift
-- role: os_firewall
- os_firewall_allow:
- - service: Docker Registry Port
- port: 5000/tcp
- when: openshift.common.use_calico | bool
+- role: lib_os_firewall
diff --git a/roles/openshift_hosted/tasks/registry/firewall.yml b/roles/openshift_hosted/tasks/registry/firewall.yml
new file mode 100644
index 000000000..775b7d6d7
--- /dev/null
+++ b/roles/openshift_hosted/tasks/registry/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_hosted_registry_firewall_enabled | bool and not r_openshift_hosted_registry_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
+
+- when: r_openshift_hosted_registry_firewall_enabled | bool and r_openshift_hosted_registry_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index b946ec8ca..dcd9c87fc 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -1,6 +1,10 @@
---
-- block:
+- name: setup firewall
+ include: firewall.yml
+ static: yes
+- when: openshift.hosted.registry.replicas | default(none) is none
+ block:
- name: Retrieve list of openshift nodes matching registry selector
oc_obj:
state: list
@@ -28,7 +32,6 @@
l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}"
when: l_node_count | int > 0
- when: openshift.hosted.registry.replicas | default(none) is none
- name: set openshift_hosted facts
set_fact:
diff --git a/roles/openshift_hosted/tasks/router/firewall.yml b/roles/openshift_hosted/tasks/router/firewall.yml
new file mode 100644
index 000000000..ff90f3372
--- /dev/null
+++ b/roles/openshift_hosted/tasks/router/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_hosted_router_firewall_enabled | bool and not r_openshift_hosted_router_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_hosted_router_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"
+
+- when: r_openshift_hosted_router_firewall_enabled | bool and r_openshift_hosted_router_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_hosted_router_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"
diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml
index dd485a64a..72a1ead80 100644
--- a/roles/openshift_hosted/tasks/router/router.yml
+++ b/roles/openshift_hosted/tasks/router/router.yml
@@ -1,4 +1,8 @@
---
+- name: setup firewall
+ include: firewall.yml
+ static: yes
+
- name: Retrieve list of openshift nodes matching router selector
oc_obj:
state: list
diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml
index 6190383b6..3f6409233 100644
--- a/roles/openshift_loadbalancer/defaults/main.yml
+++ b/roles/openshift_loadbalancer/defaults/main.yml
@@ -1,4 +1,7 @@
---
+r_openshift_loadbalancer_firewall_enabled: True
+r_openshift_loadbalancer_use_firewalld: False
+
haproxy_frontends:
- name: main
binds:
@@ -12,3 +15,13 @@ haproxy_backends:
- name: web01
address: 127.0.0.1:9000
opts: check
+
+r_openshift_loadbalancer_os_firewall_deny: []
+r_openshift_loadbalancer_os_firewall_allow:
+- service: haproxy stats
+ port: "9000/tcp"
+- service: haproxy balance
+ port: "{{ openshift_master_api_port | default(8443) }}/tcp"
+- service: nuage mon
+ port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp"
+ cond: "{{ openshift_use_nuage | default(false) | bool }}"
diff --git a/roles/openshift_loadbalancer/meta/main.yml b/roles/openshift_loadbalancer/meta/main.yml
index 0dffb545f..72298b599 100644
--- a/roles/openshift_loadbalancer/meta/main.yml
+++ b/roles/openshift_loadbalancer/meta/main.yml
@@ -10,16 +10,5 @@ galaxy_info:
versions:
- 7
dependencies:
+- role: lib_os_firewall
- role: openshift_facts
-- role: os_firewall
- os_firewall_allow:
- - service: haproxy stats
- port: "9000/tcp"
- - service: haproxy balance
- port: "{{ openshift_master_api_port | default(8443) }}/tcp"
-- role: os_firewall
- os_firewall_allow:
- - service: nuage mon
- port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp"
- when: openshift_use_nuage | default(false) | bool
-- role: openshift_repos
diff --git a/roles/openshift_loadbalancer/tasks/firewall.yml b/roles/openshift_loadbalancer/tasks/firewall.yml
new file mode 100644
index 000000000..7d6e8ff36
--- /dev/null
+++ b/roles/openshift_loadbalancer/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_loadbalancer_firewall_enabled | bool and not r_openshift_loadbalancer_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
+
+- when: r_openshift_loadbalancer_firewall_enabled | bool and r_openshift_loadbalancer_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml
index 68bb4ace8..69b061fc5 100644
--- a/roles/openshift_loadbalancer/tasks/main.yml
+++ b/roles/openshift_loadbalancer/tasks/main.yml
@@ -1,4 +1,8 @@
---
+- name: setup firewall
+ include: firewall.yml
+ static: yes
+
- name: Install haproxy
package: name=haproxy state=present
when: not openshift.common.is_containerized | bool
diff --git a/roles/openshift_logging/tasks/update_master_config.yaml b/roles/openshift_logging/tasks/update_master_config.yaml
index 10f522b61..b96b8e29d 100644
--- a/roles/openshift_logging/tasks/update_master_config.yaml
+++ b/roles/openshift_logging/tasks/update_master_config.yaml
@@ -5,7 +5,6 @@
yaml_key: assetConfig.loggingPublicURL
yaml_value: "https://{{ openshift_logging_kibana_hostname }}"
notify:
- - restart master
- restart master api
- restart master controllers
tags:
diff --git a/roles/openshift_logging_fluentd/tasks/main.yaml b/roles/openshift_logging_fluentd/tasks/main.yaml
index 9dfc6fc86..74b4d7db4 100644
--- a/roles/openshift_logging_fluentd/tasks/main.yaml
+++ b/roles/openshift_logging_fluentd/tasks/main.yaml
@@ -1,7 +1,7 @@
---
- fail:
msg: Only one Fluentd nodeselector key pair should be provided
- when: "{{ openshift_logging_fluentd_nodeselector.keys() | count }} > 1"
+ when: openshift_logging_fluentd_nodeselector.keys() | count > 1
- fail:
msg: Application logs destination is required
diff --git a/roles/openshift_logging_kibana/tasks/main.yaml b/roles/openshift_logging_kibana/tasks/main.yaml
index 62bc26e37..166f102f7 100644
--- a/roles/openshift_logging_kibana/tasks/main.yaml
+++ b/roles/openshift_logging_kibana/tasks/main.yaml
@@ -99,17 +99,17 @@
# TODO: set up these certs differently?
- set_fact:
kibana_key: "{{ lookup('file', openshift_logging_kibana_key) | b64encode }}"
- when: "{{ openshift_logging_kibana_key | trim | length > 0 }}"
+ when: openshift_logging_kibana_key | trim | length > 0
changed_when: false
- set_fact:
kibana_cert: "{{ lookup('file', openshift_logging_kibana_cert) | b64encode }}"
- when: "{{ openshift_logging_kibana_cert | trim | length > 0 }}"
+ when: openshift_logging_kibana_cert | trim | length > 0
changed_when: false
- set_fact:
kibana_ca: "{{ lookup('file', openshift_logging_kibana_ca) | b64encode }}"
- when: "{{ openshift_logging_kibana_ca | trim | length > 0 }}"
+ when: openshift_logging_kibana_ca | trim | length > 0
changed_when: false
- set_fact:
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 2d3ce5bcd..a4c178908 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -1,4 +1,21 @@
---
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+
openshift_node_ips: []
r_openshift_master_clean_install: false
r_openshift_master_etcd3_storage: false
+r_openshift_master_os_firewall_enable: true
+r_openshift_master_os_firewall_deny: []
+r_openshift_master_os_firewall_allow:
+- service: api server https
+ port: "{{ openshift.master.api_port }}/tcp"
+- service: api controllers https
+ port: "{{ openshift.master.controllers_port }}/tcp"
+- service: skydns tcp
+ port: "{{ openshift.master.dns_port }}/tcp"
+- service: skydns udp
+ port: "{{ openshift.master.dns_port }}/udp"
+- service: etcd embedded
+ port: 4001/tcp
+ cond: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index 907f25bc5..bd2383f61 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -13,6 +13,7 @@ galaxy_info:
- cloud
dependencies:
- role: lib_openshift
+- role: lib_os_firewall
- role: openshift_master_facts
- role: openshift_hosted_facts
- role: openshift_master_certificates
@@ -25,21 +26,6 @@ dependencies:
- role: openshift_cloud_provider
- role: openshift_builddefaults
- role: openshift_buildoverrides
-- role: os_firewall
- os_firewall_allow:
- - service: api server https
- port: "{{ openshift.master.api_port }}/tcp"
- - service: api controllers https
- port: "{{ openshift.master.controllers_port }}/tcp"
- - service: skydns tcp
- port: "{{ openshift.master.dns_port }}/tcp"
- - service: skydns udp
- port: "{{ openshift.master.dns_port }}/udp"
-- role: os_firewall
- os_firewall_allow:
- - service: etcd embedded
- port: 4001/tcp
- when: groups.oo_etcd_to_config | default([]) | length == 0
- role: nickhammond.logrotate
- role: contiv
contiv_role: netmaster
diff --git a/roles/openshift_master/tasks/firewall.yml b/roles/openshift_master/tasks/firewall.yml
new file mode 100644
index 000000000..e51eeb56e
--- /dev/null
+++ b/roles/openshift_master/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_master_firewall_enabled | bool and not r_openshift_master_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_master_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_master_os_firewall_deny }}"
+
+- when: r_openshift_master_firewall_enabled | bool and r_openshift_master_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_master_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_master_os_firewall_deny }}"
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 7e71591d8..b1412c3d9 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -23,6 +23,10 @@
msg: "Pacemaker based HA is not supported at this time when used with containerized installs"
when: openshift.master.ha | bool and openshift.master.cluster_method == "pacemaker" and openshift.common.is_containerized | bool
+- name: Open up firewall ports
+ include: firewall.yml
+ static: yes
+
- name: Install Master package
package:
name: "{{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
diff --git a/roles/openshift_master/tasks/system_container.yml b/roles/openshift_master/tasks/system_container.yml
index 164beb256..8d343336f 100644
--- a/roles/openshift_master/tasks/system_container.yml
+++ b/roles/openshift_master/tasks/system_container.yml
@@ -22,7 +22,7 @@
- name: Install or Update HA controller master system container
oc_atomic_container:
name: "{{ openshift.common.service_type }}-master-controllers"
- image: "{{{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{ openshift.master.master_system_image }}:{{ openshift_image_tag }}"
+ image: "{{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.master.master_system_image }}:{{ openshift_image_tag }}"
state: latest
values:
- COMMAND=controllers
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index 3affdd348..723bdb0c4 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
@@ -70,7 +70,7 @@
with_items: "{{ master_api_proxy.stdout_lines | default([]) }}"
- name: Restore Master API AWS Options
- when: bool and openshift.master.cluster_method == "native"
+ when: openshift.master.cluster_method == "native"
and master_api_aws.rc == 0 and
not (openshift_cloudprovider_kind is defined and openshift_cloudprovider_kind == 'aws' and openshift_cloudprovider_aws_access_key is defined and openshift_cloudprovider_aws_secret_key is defined)
lineinfile:
diff --git a/roles/openshift_master_cluster/meta/main.yml b/roles/openshift_master_cluster/meta/main.yml
index f2a67bc54..c452b165e 100644
--- a/roles/openshift_master_cluster/meta/main.yml
+++ b/roles/openshift_master_cluster/meta/main.yml
@@ -12,5 +12,4 @@ galaxy_info:
categories:
- cloud
- system
-dependencies:
-- { role: openshift_repos }
+dependencies: []
diff --git a/roles/openshift_metrics/tasks/update_master_config.yaml b/roles/openshift_metrics/tasks/update_master_config.yaml
index be1e3c3a0..5059d8d94 100644
--- a/roles/openshift_metrics/tasks/update_master_config.yaml
+++ b/roles/openshift_metrics/tasks/update_master_config.yaml
@@ -5,7 +5,6 @@
yaml_key: assetConfig.metricsPublicURL
yaml_value: "https://{{ openshift_metrics_hawkular_hostname}}/hawkular/metrics"
notify:
- - restart master
- restart master api
- restart master controllers
tags:
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 47073ee0f..973b3a619 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -1,5 +1,8 @@
---
-os_firewall_allow:
+r_openshift_node_firewall_enabled: True
+r_openshift_node_use_firewalld: False
+r_openshift_node_os_firewall_deny: []
+r_openshift_node_os_firewall_allow:
- service: Kubernetes kubelet
port: 10250/tcp
- service: http
@@ -8,7 +11,13 @@ os_firewall_allow:
port: 443/tcp
- service: OpenShift OVS sdn
port: 4789/udp
- when: openshift.common.use_openshift_sdn | default(true) | bool
+ cond: openshift.common.use_openshift_sdn | default(true) | bool
- service: Calico BGP Port
port: 179/tcp
- when: openshift.common.use_calico | bool
+ cond: "{{ openshift.common.use_calico | bool }}"
+- service: Kubernetes service NodePort TCP
+ port: "{{ openshift_node_port_range | default('') }}/tcp"
+ cond: "{{ openshift_node_port_range is defined }}"
+- service: Kubernetes service NodePort UDP
+ port: "{{ openshift_node_port_range | default('') }}/udp"
+ cond: "{{ openshift_node_port_range is defined }}"
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index 4fb841add..06373de04 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -14,36 +14,11 @@ galaxy_info:
dependencies:
- role: openshift_node_facts
- role: lib_openshift
+- role: lib_os_firewall
- role: openshift_common
- role: openshift_clock
- role: openshift_docker
- role: openshift_node_certificates
- role: openshift_cloud_provider
-- role: os_firewall
- os_firewall_allow:
- - service: Kubernetes kubelet
- port: 10250/tcp
- - service: http
- port: 80/tcp
- - service: https
- port: 443/tcp
-- role: os_firewall
- os_firewall_allow:
- - service: OpenShift OVS sdn
- port: 4789/udp
- when: openshift.common.use_openshift_sdn | default(true) | bool
-- role: os_firewall
- os_firewall_allow:
- - service: Calico BGP Port
- port: 179/tcp
- when: openshift.common.use_calico | bool
-
-- role: os_firewall
- os_firewall_allow:
- - service: Kubernetes service NodePort TCP
- port: "{{ openshift_node_port_range | default('') }}/tcp"
- - service: Kubernetes service NodePort UDP
- port: "{{ openshift_node_port_range | default('') }}/udp"
- when: openshift_node_port_range is defined
- role: openshift_node_dnsmasq
when: openshift.common.use_dnsmasq | bool
diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml
new file mode 100644
index 000000000..255aa886a
--- /dev/null
+++ b/roles/openshift_node/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_node_firewall_enabled | bool and not r_openshift_node_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_node_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_node_os_firewall_deny }}"
+
+- when: r_openshift_node_firewall_enabled | bool and r_openshift_node_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_node_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_node_os_firewall_deny }}"
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index ca4fef360..3353a22e3 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -6,6 +6,38 @@
- (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise']
- not openshift_docker_use_crio | default(false)
+- name: setup firewall
+ include: firewall.yml
+ static: yes
+
+- name: Set node facts
+ openshift_facts:
+ role: "{{ item.role }}"
+ local_facts: "{{ item.local_facts }}"
+ with_items:
+ # Reset node labels to an empty dictionary.
+ - role: node
+ local_facts:
+ labels: {}
+ - role: node
+ local_facts:
+ annotations: "{{ openshift_node_annotations | default(none) }}"
+ debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}"
+ iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}"
+ kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}"
+ labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}"
+ registry_url: "{{ oreg_url_node | default(oreg_url) | default(None) }}"
+ schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}"
+ sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}"
+ storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}"
+ set_node_ip: "{{ openshift_set_node_ip | default(None) }}"
+ node_image: "{{ osn_image | default(None) }}"
+ ovs_image: "{{ osn_ovs_image | default(None) }}"
+ proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}"
+ local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}"
+ dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}"
+ env_vars: "{{ openshift_node_env_vars | default(None) }}"
+
# https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
- name: Check for swap usage
command: grep "^[^#].*swap" /etc/fstab
diff --git a/roles/openshift_provisioners/tasks/install_efs.yaml b/roles/openshift_provisioners/tasks/install_efs.yaml
index b53b6afa1..4a6e00513 100644
--- a/roles/openshift_provisioners/tasks/install_efs.yaml
+++ b/roles/openshift_provisioners/tasks/install_efs.yaml
@@ -67,4 +67,4 @@
register: efs_output
failed_when: efs_output.rc == 1 and 'exists' not in efs_output.stderr
check_mode: no
- when: efs_anyuid.stdout.find("system:serviceaccount:{{openshift_provisioners_project}}:provisioners-efs") == -1
+ when: efs_anyuid.stdout.find("system:serviceaccount:" + openshift_provisioners_project + ":provisioners-efs") == -1
diff --git a/roles/openshift_storage_glusterfs/defaults/main.yml b/roles/openshift_storage_glusterfs/defaults/main.yml
index ff2c18812..a5887465e 100644
--- a/roles/openshift_storage_glusterfs/defaults/main.yml
+++ b/roles/openshift_storage_glusterfs/defaults/main.yml
@@ -52,3 +52,15 @@ openshift_storage_glusterfs_registry_heketi_ssh_port: "{{ openshift_storage_glus
openshift_storage_glusterfs_registry_heketi_ssh_user: "{{ openshift_storage_glusterfs_heketi_ssh_user }}"
openshift_storage_glusterfs_registry_heketi_ssh_sudo: "{{ openshift_storage_glusterfs_heketi_ssh_sudo }}"
openshift_storage_glusterfs_registry_heketi_ssh_keyfile: "{{ openshift_storage_glusterfs_heketi_ssh_keyfile | default(omit) }}"
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+r_openshift_storage_glusterfs_os_firewall_deny: []
+r_openshift_storage_glusterfs_os_firewall_allow:
+- service: glusterfs_sshd
+ port: "2222/tcp"
+- service: glusterfs_daemon
+ port: "24007/tcp"
+- service: glusterfs_management
+ port: "24008/tcp"
+- service: glusterfs_bricks
+ port: "49152-49251/tcp"
diff --git a/roles/openshift_storage_glusterfs/meta/main.yml b/roles/openshift_storage_glusterfs/meta/main.yml
index aab9851f9..0cdd33880 100644
--- a/roles/openshift_storage_glusterfs/meta/main.yml
+++ b/roles/openshift_storage_glusterfs/meta/main.yml
@@ -11,5 +11,5 @@ galaxy_info:
- 7
dependencies:
- role: openshift_hosted_facts
-- role: openshift_repos
- role: lib_openshift
+- role: lib_os_firewall
diff --git a/roles/openshift_storage_glusterfs/tasks/firewall.yml b/roles/openshift_storage_glusterfs/tasks/firewall.yml
new file mode 100644
index 000000000..09dcf1ef9
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and not r_openshift_storage_glusterfs_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"
+
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and r_openshift_storage_glusterfs_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"
diff --git a/roles/openshift_storage_nfs/defaults/main.yml b/roles/openshift_storage_nfs/defaults/main.yml
index 7f3c054e7..4a2bc6141 100644
--- a/roles/openshift_storage_nfs/defaults/main.yml
+++ b/roles/openshift_storage_nfs/defaults/main.yml
@@ -1,4 +1,12 @@
---
+r_openshift_storage_nfs_firewall_enabled: True
+r_openshift_storage_nfs_use_firewalld: False
+
+r_openshift_storage_nfs_os_firewall_deny: []
+r_openshift_storage_nfs_os_firewall_allow:
+- service: nfs
+ port: "2049/tcp"
+
openshift:
hosted:
registry:
diff --git a/roles/openshift_storage_nfs/meta/main.yml b/roles/openshift_storage_nfs/meta/main.yml
index 62e38bd8c..98f7c317e 100644
--- a/roles/openshift_storage_nfs/meta/main.yml
+++ b/roles/openshift_storage_nfs/meta/main.yml
@@ -10,9 +10,5 @@ galaxy_info:
versions:
- 7
dependencies:
-- role: os_firewall
- os_firewall_allow:
- - service: nfs
- port: "2049/tcp"
+- role: lib_os_firewall
- role: openshift_hosted_facts
-- role: openshift_repos
diff --git a/roles/openshift_storage_nfs/tasks/firewall.yml b/roles/openshift_storage_nfs/tasks/firewall.yml
new file mode 100644
index 000000000..c1c318ff4
--- /dev/null
+++ b/roles/openshift_storage_nfs/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_storage_nfs_firewall_enabled | bool and not r_openshift_storage_nfs_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_nfs_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"
+
+- when: r_openshift_storage_nfs_firewall_enabled | bool and r_openshift_storage_nfs_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_nfs_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"
diff --git a/roles/openshift_storage_nfs/tasks/main.yml b/roles/openshift_storage_nfs/tasks/main.yml
index 019ada2fb..51f8f4e0e 100644
--- a/roles/openshift_storage_nfs/tasks/main.yml
+++ b/roles/openshift_storage_nfs/tasks/main.yml
@@ -1,4 +1,8 @@
---
+- name: setup firewall
+ include: firewall.yml
+ static: yes
+
- name: Install nfs-utils
package: name=nfs-utils state=present
diff --git a/roles/openshift_version/meta/main.yml b/roles/openshift_version/meta/main.yml
index ca896addd..38b398343 100644
--- a/roles/openshift_version/meta/main.yml
+++ b/roles/openshift_version/meta/main.yml
@@ -12,7 +12,6 @@ galaxy_info:
categories:
- cloud
dependencies:
-- role: openshift_repos
- role: openshift_docker_facts
- role: docker
when: openshift.common.is_containerized | default(False) | bool and not skip_docker_role | default(False) | bool
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index e7ef544f4..be0b8291a 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -1,8 +1,8 @@
OS Firewall
===========
-OS Firewall manages firewalld and iptables firewall settings for a minimal use
-case (Adding/Removing rules based on protocol and port number).
+OS Firewall manages firewalld and iptables installation.
+case.
Note: firewalld is not supported on Atomic Host
https://bugzilla.redhat.com/show_bug.cgi?id=1403331
@@ -18,8 +18,6 @@ Role Variables
| Name | Default | |
|---------------------------|---------|----------------------------------------|
| os_firewall_use_firewalld | False | If false, use iptables |
-| os_firewall_allow | [] | List of service,port mappings to allow |
-| os_firewall_deny | [] | List of service, port mappings to deny |
Dependencies
------------
@@ -29,34 +27,27 @@ None.
Example Playbook
----------------
-Use iptables and open tcp ports 80 and 443:
+Use iptables:
```
---
- hosts: servers
- vars:
- os_firewall_use_firewalld: false
- os_firewall_allow:
- - service: httpd
- port: 80/tcp
- - service: https
- port: 443/tcp
- roles:
- - os_firewall
+ task:
+ - include_role:
+ name: os_firewall
+ vars:
+ os_firewall_use_firewalld: false
```
-Use firewalld and open tcp port 443 and close previously open tcp port 80:
+Use firewalld:
```
---
- hosts: servers
vars:
- os_firewall_allow:
- - service: https
- port: 443/tcp
- os_firewall_deny:
- - service: httpd
- port: 80/tcp
- roles:
- - os_firewall
+ tasks:
+ - include_role:
+ name: os_firewall
+ vars:
+ os_firewall_use_firewalld: true
```
License
diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml
index 01859e5fc..f96a80f1c 100644
--- a/roles/os_firewall/defaults/main.yml
+++ b/roles/os_firewall/defaults/main.yml
@@ -3,5 +3,3 @@ os_firewall_enabled: True
# firewalld is not supported on Atomic Host
# https://bugzilla.redhat.com/show_bug.cgi?id=1403331
os_firewall_use_firewalld: "{{ False }}"
-os_firewall_allow: []
-os_firewall_deny: []
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
index 509655b0c..2cc7af478 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewall/firewalld.yml
@@ -49,19 +49,3 @@
until: pkaction.rc == 0
retries: 6
delay: 10
-
-- name: Add firewalld allow rules
- firewalld:
- port: "{{ item.port }}"
- permanent: true
- immediate: true
- state: enabled
- with_items: "{{ os_firewall_allow }}"
-
-- name: Remove firewalld allow rules
- firewalld:
- port: "{{ item.port }}"
- permanent: true
- immediate: true
- state: disabled
- with_items: "{{ os_firewall_deny }}"
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
index 55f2fc471..7e1fa2c02 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/firewall/iptables.yml
@@ -29,23 +29,10 @@
masked: no
daemon_reload: yes
register: result
+ delegate_to: "{{item}}"
+ run_once: true
+ with_items: "{{ ansible_play_hosts }}"
- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
pause: seconds=10
when: result | changed
-
-- name: Add iptables allow rules
- os_firewall_manage_iptables:
- name: "{{ item.service }}"
- action: add
- protocol: "{{ item.port.split('/')[1] }}"
- port: "{{ item.port.split('/')[0] }}"
- with_items: "{{ os_firewall_allow }}"
-
-- name: Remove iptables rules
- os_firewall_manage_iptables:
- name: "{{ item.service }}"
- action: remove
- protocol: "{{ item.port.split('/')[1] }}"
- port: "{{ item.port.split('/')[0] }}"
- with_items: "{{ os_firewall_deny }}"