From 4bb2f005bc6cdeb8e656c2b42ac54db8fbd67fb9 Mon Sep 17 00:00:00 2001
From: Bogdan Dobrelya <bdobreli@redhat.com>
Date: Mon, 5 Jun 2017 16:41:09 +0200
Subject: Add a flat sec group for openstack provider

Add an openstack_flat_secgroup variable, defaults to False.
When set, merges sec rules for master, node, etcd, infra nodes into a
single group. Less secure, but might help to mitigate quota limitations.
Update docs. Use timeout 30s to mitigate the error:
Timeout (12s) waiting for privilege escalation prompt.

Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
---
 playbooks/provisioning/openstack/README.md                    | 11 ++++++++---
 playbooks/provisioning/openstack/pre_tasks.yml                |  2 +-
 .../openstack/sample-inventory/group_vars/all.yml             |  3 +++
 3 files changed, 12 insertions(+), 4 deletions(-)

(limited to 'playbooks/provisioning/openstack')

diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md
index 68550d3a3..35f37db0d 100644
--- a/playbooks/provisioning/openstack/README.md
+++ b/playbooks/provisioning/openstack/README.md
@@ -25,7 +25,7 @@ etc.). The result is an environment ready for openshift-ansible.
 
 ### Copy the sample inventory
 
-    cp openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
+    cp -r openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
 
 ### Copy clouds.yaml
 
@@ -62,6 +62,11 @@ The `openstack_num_masters`, `openstack_num_infra` and
 `openstack_num_nodes` values specify the number of Master, Infra and
 App nodes to create.
 
+The `openstack_flat_secgroup`, controls Neutron security groups creation for Heat
+stacks. Set it to true, if you experience issues with sec group rules
+quotas. It trades security for number of rules, by sharing the same set
+of firewall rules for master, node, etcd and infra nodes.
+
 ### Update the DNS names in `inventory/hosts`
 
 The different server groups are currently grouped by the domain name,
@@ -96,13 +101,13 @@ Assuming your OpenStack (Keystone) credentials are in the `keystonerc`
 file, this is how you stat the provisioning process:
 
     . keystonerc
-    ansible-playbook -i inventory  --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
+    ansible-playbook -i inventory --timeout 30  --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
 
 ### Install OpenShift
 
 Once it succeeds, you can install openshift by running:
 
-    ansible-playbook --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
+    ansible-playbook --timeout 30 --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
 
 
 ## License
diff --git a/playbooks/provisioning/openstack/pre_tasks.yml b/playbooks/provisioning/openstack/pre_tasks.yml
index 8446bdfbc..a4ff7c4ac 100644
--- a/playbooks/provisioning/openstack/pre_tasks.yml
+++ b/playbooks/provisioning/openstack/pre_tasks.yml
@@ -18,7 +18,7 @@
 - name: Set Dynamic Inventory Filters
   become: false
   shell: >
-    export OS_INV_FILTER_KEY=clusterid && OS_INV_FILTER_VALUE={{ env_id }}
+    export OS_INV_FILTER_KEY=clusterid && export OS_INV_FILTER_VALUE={{ env_id }}
   delegate_to: localhost
 
 - name: Updating DNS domain to include env_id (if not empty)
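Review bot: `{{ env_id }}` is templated unquoted into the `shell:` command line, so a value containing spaces or shell metacharacters is interpreted by the shell on localhost instead of being assigned as one string; `export OS_INV_FILTER_VALUE={{ env_id | quote }}` keeps it a single word. Separately, both exports live only in the shell spawned for this one task, so adding the second `export` probably still does not make the filter visible to later tasks or to the dynamic inventory script. If that is the intent, the variables need to be set in the environment of the `ansible-playbook` process itself, or passed with `environment:` on the tasks that read them. The task list continues outside the hunk, so whether anything else reads these variables is not visible here.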
diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
index 50aaa573d..3eb0f9f80 100644
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
@@ -37,3 +37,6 @@ openstack_subnet_prefix: "192.168.99"
 # NOTE(shadower): Do not change this value. The Ansible user is currently
 # hardcoded to `openshift`.
 ansible_user: openshift
+
+# Use a single security group for a cluster
+openstack_flat_secgroup: false
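Review bot: The comment above `openstack_flat_secgroup` does not say what enabling it costs, although the commit message and the README both describe the flat group as less secure. Someone who only edits `group_vars/all.yml` should see that trade-off next to the switch, so I would expand the comment to `# Use a single security group for all cluster nodes (master, node, etcd, infra).` followed by `# Less secure: every node gets the union of all rules; enable only to work around security group rule quotas.` Keeping the default at `false` is the right choice.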
-- 
cgit v1.2.3