Merge pull request #1870 from sdodson/fix-firewall

Fix master firewall rules by deferring them

roles/openshift_common/meta/main.yml

@@ -12,6 +12,5 @@ galaxy_info:
   categories:
   - cloud
 dependencies:
-- role: os_firewall
 - role: openshift_facts
 - role: openshift_repos

roles/openshift_master/defaults/main.yml

@@ -1,40 +1,4 @@
 ---
 openshift_node_ips: []
-
 # TODO: update setting these values based on the facts
-os_firewall_allow:
-- service: etcd embedded
-  port: 4001/tcp
-- service: api server https
-  port: "{{ openshift.master.api_port }}/tcp"
-- service: api controllers https
-  port: "{{ openshift.master.controllers_port }}/tcp"
-- service: skydns tcp
-  port: "{{ openshift.master.dns_port }}/tcp"
-- service: skydns udp
-  port: "{{ openshift.master.dns_port }}/udp"
-# On HA masters version_gte facts are not properly set so open port 53
-# whenever we're not certain of the need
-- service: legacy skydns tcp
-  port: "53/tcp"
-  when: "{{ 'version' not in openshift.common or openshift.common.version == None }}"
-- service: legacy skydns udp
-  port: "53/udp"
-  when: "{{ 'version' not in openshift.common or openshift.common.version == None }}"
-- service: Fluentd td-agent tcp
-  port: 24224/tcp
-- service: Fluentd td-agent udp
-  port: 24224/udp
-- service: pcsd
-  port: 2224/tcp
-- service: Corosync UDP
-  port: 5404/udp
-- service: Corosync UDP
-  port: 5405/udp
-os_firewall_deny:
-- service: api server http
-  port: 8080/tcp
-- service: former etcd peer port
-  port: 7001/tcp
-
 openshift_version: "{{ openshift_pkg_version | default(openshift_image_tag | default(openshift.docker.openshift_image_tag | default(''))) }}"

roles/openshift_master/meta/main.yml

@@ -18,3 +18,25 @@ dependencies:
 - role: openshift_builddefaults
 - role: openshift_master_facts
 - role: openshift_hosted_facts
+- role: os_firewall
+  os_firewall_allow:
+  - service: etcd embedded
+    port: 4001/tcp
+  - service: api server https
+    port: "{{ openshift.master.api_port }}/tcp"
+  - service: api controllers https
+    port: "{{ openshift.master.controllers_port }}/tcp"
+  - service: skydns tcp
+    port: "{{ openshift.master.dns_port }}/tcp"
+  - service: skydns udp
+    port: "{{ openshift.master.dns_port }}/udp"
+  - service: Fluentd td-agent tcp
+    port: 24224/tcp
+  - service: Fluentd td-agent udp
+    port: 24224/udp
+  - service: pcsd
+    port: 2224/tcp
+  - service: Corosync UDP
+    port: 5404/udp
+  - service: Corosync UDP
+    port: 5405/udp

roles/openshift_node/meta/main.yml

@@ -17,4 +17,5 @@ dependencies:
 - role: openshift_common
 - role: openshift_node_dnsmasq
   when: openshift.common.use_dnsmasq
+- role: os_firewall
 

roles/openshift_node/tasks/main.yml

@@ -112,6 +112,17 @@
 - name: Start and enable node
   service: name={{ openshift.common.service_type }}-node enabled=yes state=started
   register: node_start_result
+  ignore_errors: yes
+  
+- name: Check logs on failure
+  command: journalctl -xe
+  register: node_failure
+  when: node_start_result | failed
+  
+- name: Dump failure information
+  debug: var=node_failure
+  when: node_start_result | failed
+  
 
 - set_fact:
     node_service_status_changed: "{{ node_start_result | changed }}"