Multimaster openshift+contiv fixes

Only run default contiv commands once
Fix detection of firewalld
Open up netmaster ports to all nodes
Make sure etcd ca stuff only runs once

roles/contiv/meta/main.yml

@@ -21,7 +21,7 @@ dependencies:
   etcd_client_port: 22379
   etcd_conf_dir: /etc/contiv-etcd/
   etcd_data_dir: /var/lib/contiv-etcd/
-  etcd_ca_host: "{{ inventory_hostname }}"
+  etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"
   etcd_cert_config_dir: /etc/contiv-etcd/
   etcd_url_scheme: http
   etcd_peer_url_scheme: http

roles/contiv/tasks/default_network.yml

@@ -8,51 +8,64 @@
 
 - name: Contiv | Set globals
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" global set --fabric-mode {{ contiv_fabric_mode }} --vlan-range {{ contiv_vlan_range }} --fwd-mode {{ netplugin_fwd_mode }} --private-subnet {{ contiv_private_ext_subnet }}'
+  run_once: true
 
 - name: Contiv | Set arp mode to flood if ACI
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" global set --arp-mode flood'
   when: contiv_fabric_mode == "aci"
+  run_once: true
 
 - name: Contiv | Check if default-net exists
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net ls'
   register: net_result
+  run_once: true
 
 - name: Contiv | Create default-net
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_default_subnet }} -e {{ contiv_encap_mode }} -p {{ contiv_default_network_tag }} --gateway {{ contiv_default_gw }} default-net'
   when: net_result.stdout.find("default-net") == -1
+  run_once: true
 
 - name: Contiv | Create host access infra network for VxLan routing case
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_h1_subnet_default }} --gateway={{ contiv_h1_gw_default }} --nw-type="infra" contivh1'
   when: (contiv_encap_mode == "vxlan") and (netplugin_fwd_mode == "routing")
+  run_once: true
 
 #- name: Contiv | Create an allow-all policy for the default-group
 #  command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy create ose-allow-all-policy'
 #  when: contiv_fabric_mode == "aci"
+#  run_once: true
 
 - name: Contiv | Set up aci external contract to consume default external contract
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" external-contracts create -c -a {{ apic_default_external_contract }} oseExtToConsume'
   when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true)
+  run_once: true
 
 - name: Contiv | Set up aci external contract to provide default external contract
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" external-contracts create -p -a {{ apic_default_external_contract }} oseExtToProvide'
   when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true)
+  run_once: true
 
 - name: Contiv | Create aci default-group
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" group create default-net default-group'
   when: contiv_fabric_mode == "aci"
+  run_once: true
 
 - name: Contiv | Add external contracts to the default-group
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" group create -e oseExtToConsume -e oseExtToProvide default-net default-group'
   when: (contiv_fabric_mode == "aci") and (apic_configure_default_policy == true)
+  run_once: true
 
 #- name: Contiv | Add policy rule 1 for allow-all policy
 #  command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy rule-add -d in --action allow ose-allow-all-policy 1'
 #  when: contiv_fabric_mode == "aci"
+#  run_once: true
 
 #- name: Contiv | Add policy rule 2 for allow-all policy
 #  command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" policy rule-add -d out --action allow ose-allow-all-policy 2'
 #  when: contiv_fabric_mode == "aci"
+#  run_once: true
 
 - name: Contiv | Create default aci app profile
   command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" app-profile create -g default-group {{ apic_default_app_profile }}'
   when: contiv_fabric_mode == "aci"
+  run_once: true

roles/contiv/tasks/netmaster_iptables.yml

@@ -13,9 +13,15 @@
 - name: Netmaster IPtables | Open Netmaster with iptables
   command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv"
   with_items:
-    - "{{ netmaster_port }}"
     - "{{ contiv_rpc_port1 }}"
     - "{{ contiv_rpc_port2 }}"
     - "{{ contiv_rpc_port3 }}"
   when: iptablesrules.stdout.find("contiv") == -1
   notify: Save iptables rules
+
+- name: Netmaster IPtables | Open netmaster main port
+  command: /sbin/iptables -I INPUT 1 -p tcp -s {{ item }} --dport {{ netmaster_port }} -j ACCEPT -m comment --comment "contiv"
+  with_items:
+    - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + netmaster_interface].ipv4.address)|list }}"
+  when: iptablesrules.stdout.find("contiv") == -1
+  notify: Save iptables rules

roles/contiv_facts/tasks/rpm.yml

@@ -6,10 +6,17 @@
   failed_when: false
   check_mode: no
 
+- name: RPM | Determine if firewalld enabled
+  command: "systemctl status firewalld.service"
+  register: ss
+  changed_when: false
+  failed_when: false
+  check_mode: no
+
 - name: Set the has_firewalld fact
   set_fact:
     has_firewalld: true
-  when: s.rc == 0
+  when: s.rc == 0 and ss.rc == 0
 
 - name: Determine if iptables-services installed
   command: "rpm -q iptables-services"