authorTomas Sedovic <tomas@sedovic.cz>2017-11-07 14:17:27 +1100
committerTomas Sedovic <tomas@sedovic.cz>2017-11-07 14:17:27 +1100
commit6f4d509817f200ec2a273a097f4f048da5997925 (patch)
treeebddc919d850ec5c4d308613661063b01ae89784 /playbooks/provisioning/openstack/post-install.yml
parent0cf8cf65a89ad7cac8c1cef1f743426b610adae0 (diff)
parent332f131e8e6457a03a4f1ab19abc8e4ceb897307 (diff)
Merge ../openshift-ansible-contrib into openstack-provider-githist
This moves all the OpenStack-related code, including its git history, from the -contrib[1] repo to openshift-ansible. It will then be moved around and updated to fit the rest of the project's structure. [1]: https://github.com/openshift/openshift-ansible-contrib
Diffstat (limited to 'playbooks/provisioning/openstack/post-install.yml')
-rw-r--r--playbooks/provisioning/openstack/post-install.yml57
1 files changed, 57 insertions, 0 deletions
diff --git a/playbooks/provisioning/openstack/post-install.yml b/playbooks/provisioning/openstack/post-install.yml
new file mode 100644
index 000000000..417813e2a
--- /dev/null
+++ b/playbooks/provisioning/openstack/post-install.yml
@@ -0,0 +1,57 @@
+---
+- hosts: OSEv3
+ gather_facts: False
+ become: True
+ tasks:
+ - name: Save iptables rules to a backup file
+ when: openshift_use_flannel|default(False)|bool
+ shell: iptables-save > /etc/sysconfig/iptables.orig-$(date +%Y%m%d%H%M%S)
+
+# Enable iptables service on app nodes to persist custom rules (flannel SDN)
+# FIXME(bogdando) w/a https://bugzilla.redhat.com/show_bug.cgi?id=1490820
+- hosts: app
+ gather_facts: False
+ become: True
+ vars:
+ os_firewall_allow:
+ - service: dnsmasq tcp
+ port: 53/tcp
+ - service: dnsmasq udp
+ port: 53/udp
+ tasks:
+ - when: openshift_use_flannel|default(False)|bool
+ block:
+ - include_role:
+ name: openshift-ansible/roles/os_firewall
+ - include_role:
+ name: openshift-ansible/roles/lib_os_firewall
+ - name: set allow rules for dnsmasq
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ with_items: "{{ os_firewall_allow }}"
+
+- hosts: OSEv3
+ gather_facts: False
+ become: True
+ tasks:
+ - name: Apply post-install iptables hacks for Flannel SDN (the best effort)
+ when: openshift_use_flannel|default(False)|bool
+ block:
+ - name: set allow/masquerade rules for for flannel/docker
+ shell: >-
+ (iptables-save | grep -q custom-flannel-docker-1) ||
+ iptables -A DOCKER -w
+ -p all -j ACCEPT
+ -m comment --comment "custom-flannel-docker-1";
+ (iptables-save | grep -q custom-flannel-docker-2) ||
+ iptables -t nat -A POSTROUTING -w
+ -o {{flannel_interface|default('eth1')}}
+ -m comment --comment "custom-flannel-docker-2"
+ -j MASQUERADE
+
+ # NOTE(bogdando) the rules will not be restored, when iptables service unit is disabled & masked
+ - name: Persist in-memory iptables rules (w/o dynamic KUBE rules)
+ shell: iptables-save | grep -v KUBE > /etc/sysconfig/iptables
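Review bot: The persist step on the last line truncates /etc/sysconfig/iptables before the pipeline has produced anything, so if `iptables-save` fails (and without `pipefail` the task only sees grep's exit status) the host is left with an empty or partial ruleset file while the task may still report success. Writing to a temporary file and renaming it keeps the previous file intact on failure, e.g. `shell: set -o pipefail && iptables-save | grep -v KUBE > /etc/sysconfig/iptables.new && mv -f /etc/sysconfig/iptables.new /etc/sysconfig/iptables` with `args: { executable: /bin/bash }`; note also that `grep -v KUBE` drops every line containing that substring, including any comment or unrelated rule that happens to mention it, so a stricter pattern may be wanted. Separately, the `iptables -A DOCKER -w -p all -j ACCEPT` rule in the earlier task appends an unconditional ACCEPT to the DOCKER chain, which presumably admits all traffic that reaches that chain rather than only the ports a container publishes; since the play comment already calls this a best-effort hack, a comment stating that trade-off next to the rule (`# NOTE: accepts all traffic traversing the DOCKER chain, not just published ports`) would help the next maintainer judge it.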