diff options
author | Lance Dillon <landillo@cisco.com> | 2017-11-28 11:26:34 -0800 |
---|---|---|
committer | Lance Dillon <landillo@cisco.com> | 2017-11-29 11:33:24 -0800 |
commit | 17ba2eafc5b7f132ad4b0a2e63d57bb647436c68 (patch) | |
tree | cee5270467a8d43c1ad35e3ef4cee16b9fa078fc /roles | |
parent | 6b6b422245be79dd3eec0c93a58875c646bbfba7 (diff) | |
download | openshift-17ba2eafc5b7f132ad4b0a2e63d57bb647436c68.tar.gz openshift-17ba2eafc5b7f132ad4b0a2e63d57bb647436c68.tar.bz2 openshift-17ba2eafc5b7f132ad4b0a2e63d57bb647436c68.tar.xz openshift-17ba2eafc5b7f132ad4b0a2e63d57bb647436c68.zip |
Multimaster openshift+contiv fixes
Only run default contiv commands once
Fix detection of firewalld
Open up netmaster ports to all nodes
Make sure etcd ca stuff only runs once
Diffstat (limited to 'roles')
-rw-r--r-- | roles/contiv/meta/main.yml | 2 | ||||
-rw-r--r-- | roles/contiv/tasks/default_network.yml | 13 | ||||
-rw-r--r-- | roles/contiv/tasks/netmaster_iptables.yml | 8 | ||||
-rw-r--r-- | roles/contiv_facts/tasks/rpm.yml | 9 |
4 files changed, 29 insertions, 3 deletions
diff --git a/roles/contiv/meta/main.yml b/roles/contiv/meta/main.yml index a2c2f98a7..52b9d09dd 100644 --- a/roles/contiv/meta/main.yml +++ b/roles/contiv/meta/main.yml @@ -21,7 +21,7 @@ dependencies: etcd_client_port: 22379 etcd_conf_dir: /etc/contiv-etcd/ etcd_data_dir: /var/lib/contiv-etcd/ - etcd_ca_host: "{{ inventory_hostname }}" + etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_cert_config_dir: /etc/contiv-etcd/ etcd_url_scheme: http etcd_peer_url_scheme: http diff --git a/roles/contiv/tasks/default_network.yml b/roles/contiv/tasks/default_network.yml index f679443e0..8a928ea54 100644 --- a/roles/contiv/tasks/default_network.yml +++ b/roles/contiv/tasks/default_network.yml @@ -8,51 +8,64 @@ - name: Contiv | Set globals command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" global set --fabric-mode {{ contiv_fabric_mode }} --vlan-range {{ contiv_vlan_range }} --fwd-mode {{ netplugin_fwd_mode }} --private-subnet {{ contiv_private_ext_subnet }}' + run_once: true - name: Contiv | Set arp mode to flood if ACI command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" global set --arp-mode flood' when: contiv_fabric_mode == "aci" + run_once: true - name: Contiv | Check if default-net exists command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net ls' register: net_result + run_once: true - name: Contiv | Create default-net command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_default_subnet }} -e {{ contiv_encap_mode }} -p {{ contiv_default_network_tag }} --gateway {{ contiv_default_gw }} default-net' when: net_result.stdout.find("default-net") == -1 + run_once: true - name: Contiv | Create host access infra network for VxLan routing case command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_h1_subnet_default }} --gateway={{ contiv_h1_gw_default }} --nw-type="infra" contivh1' when: (contiv_encap_mode == "vxlan") and (netplugin_fwd_mode == "routing") + run_once: true #- name: Contiv | Create an allow-all policy for the default-group # command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy create ose-allow-all-policy' # when: contiv_fabric_mode == "aci" +# run_once: true - name: Contiv | Set up aci external contract to consume default external contract command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" external-contracts create -c -a {{ apic_default_external_contract }} oseExtToConsume' when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true) + run_once: true - name: Contiv | Set up aci external contract to provide default external contract command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" external-contracts create -p -a {{ apic_default_external_contract }} oseExtToProvide' when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true) + run_once: true - name: Contiv | Create aci default-group command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" group create default-net default-group' when: contiv_fabric_mode == "aci" + run_once: true - name: Contiv | Add external contracts to the default-group command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" group create -e oseExtToConsume -e oseExtToProvide default-net default-group' when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true) + run_once: true #- name: Contiv | Add policy rule 1 for allow-all policy # command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy rule-add -d in --action allow ose-allow-all-policy 1' # when: contiv_fabric_mode == "aci" +# run_once: true #- name: Contiv | Add policy rule 2 for allow-all policy # command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy rule-add -d out --action allow ose-allow-all-policy 2' # when: contiv_fabric_mode == "aci" +# run_once: true - name: Contiv | Create default aci app profile command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" app-profile create -g default-group {{ apic_default_app_profile }}' when: contiv_fabric_mode == "aci" + run_once: true diff --git a/roles/contiv/tasks/netmaster_iptables.yml b/roles/contiv/tasks/netmaster_iptables.yml index 07bb16ea7..c98e7b6a5 100644 --- a/roles/contiv/tasks/netmaster_iptables.yml +++ b/roles/contiv/tasks/netmaster_iptables.yml @@ -13,9 +13,15 @@ - name: Netmaster IPtables | Open Netmaster with iptables command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv" with_items: - - "{{ netmaster_port }}" - "{{ contiv_rpc_port1 }}" - "{{ contiv_rpc_port2 }}" - "{{ contiv_rpc_port3 }}" when: iptablesrules.stdout.find("contiv") == -1 notify: Save iptables rules + +- name: Netmaster IPtables | Open netmaster main port + command: /sbin/iptables -I INPUT 1 -p tcp -s {{ item }} --dport {{ netmaster_port }} -j ACCEPT -m comment --comment "contiv" + with_items: + - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + netmaster_interface].ipv4.address)|list }}" + when: iptablesrules.stdout.find("contiv") == -1 + notify: Save iptables rules diff --git a/roles/contiv_facts/tasks/rpm.yml b/roles/contiv_facts/tasks/rpm.yml index 07401a6dd..d12436f96 100644 --- a/roles/contiv_facts/tasks/rpm.yml +++ b/roles/contiv_facts/tasks/rpm.yml @@ -6,10 +6,17 @@ failed_when: false check_mode: no +- name: RPM | Determine if firewalld enabled + command: "systemctl status firewalld.service" + register: ss + changed_when: false + failed_when: false + check_mode: no + - name: Set the has_firewalld fact set_fact: has_firewalld: true - when: s.rc == 0 + when: s.rc == 0 and ss.rc == 0 - name: Determine if iptables-services installed command: "rpm -q iptables-services" |