
Add a flat sec group for openstack provider

Add an openstack_flat_secgroup variable, defaulting to false.
When set, merges sec rules for master, node, etcd, infra nodes into a
single group. Less secure, but might help to mitigate quota limitations.
Update docs. Use timeout 30s to mitigate the error:
Timeout (12s) waiting for privilege escalation prompt.

Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Bogdan Dobrelya пре 7 година

+ 8 - 3
playbooks/provisioning/openstack/README.md

@@ -25,7 +25,7 @@ etc.). The result is an environment ready for openshift-ansible.
 
 ### Copy the sample inventory
 
-    cp openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
+    cp -r openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
 
 ### Copy clouds.yaml
 
@@ -62,6 +62,11 @@ The `openstack_num_masters`, `openstack_num_infra` and
 `openstack_num_nodes` values specify the number of Master, Infra and
 App nodes to create.
 
+The `openstack_flat_secgroup`, controls Neutron security groups creation for Heat
+stacks. Set it to true, if you experience issues with sec group rules
+quotas. It trades security for number of rules, by sharing the same set
+of firewall rules for master, node, etcd and infra nodes.
+
 ### Update the DNS names in `inventory/hosts`
 
 The different server groups are currently grouped by the domain name,
@@ -96,13 +101,13 @@ Assuming your OpenStack (Keystone) credentials are in the `keystonerc`
 file, this is how you stat the provisioning process:
 
     . keystonerc
-    ansible-playbook -i inventory  --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
+    ansible-playbook -i inventory --timeout 30  --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
 
 ### Install OpenShift
 
 Once it succeeds, you can install openshift by running:
 
-    ansible-playbook --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
+    ansible-playbook --timeout 30 --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
 
 
 ## License

+ 1 - 1
playbooks/provisioning/openstack/pre_tasks.yml

@@ -18,7 +18,7 @@
 - name: Set Dynamic Inventory Filters
   become: false
   shell: >
-    export OS_INV_FILTER_KEY=clusterid && OS_INV_FILTER_VALUE={{ env_id }}
+    export OS_INV_FILTER_KEY=clusterid && export OS_INV_FILTER_VALUE={{ env_id }}
   delegate_to: localhost
 
 - name: Updating DNS domain to include env_id (if not empty)
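Review bot: The two `export`s on the new line only set variables inside the shell spawned for this one task, so they are gone as soon as the task returns; neither later tasks nor an inventory script started by `ansible-playbook` (presumably the consumer of `OS_INV_FILTER_KEY`/`OS_INV_FILTER_VALUE`) will see them, and adding the second `export` does not change that. If the values are meant for the dynamic inventory, they have to be set in the environment of the `ansible-playbook` process itself, or, for tasks that invoke the script, passed via the play's `environment:` keyword. Separately, `{{ env_id }}` is interpolated unquoted into a shell command line, so it should be `export OS_INV_FILTER_KEY=clusterid && export OS_INV_FILTER_VALUE={{ env_id | quote }}`. The task `Set Dynamic Inventory Filters` is complete within the hunk.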

+ 3 - 0
playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml

@@ -37,3 +37,6 @@ openstack_subnet_prefix: "192.168.99"
 # NOTE(shadower): Do not change this value. The Ansible user is currently
 # hardcoded to `openshift`.
 ansible_user: openshift
+
+# Use a single security group for a cluster
+openstack_flat_secgroup: false
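Review bot: The variable added here is `openstack_flat_secgroup`, but the Heat template in this same commit tests `openstack_flat_secgrp|bool`, so this inventory setting is never read; depending on how Ansible's undefined handling interacts with the `bool` filter, the flat mode is either impossible to turn on from the inventory or the template render fails with an undefined-variable error. Pick one name (the README also uses `openstack_flat_secgroup`), use it in both places, and give the role a default so the template does not depend on the sample inventory, e.g. `{% if openstack_flat_secgroup | default(false) | bool %}`. The comment should also say what is being given up, e.g. `# Use a single security group for the whole cluster: fewer rules, but no isolation between master, node, etcd and infra ports (see README)`.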

+ 128 - 10
roles/openstack-stack/templates/heat_stack.yaml.j2

@@ -142,6 +142,119 @@ resources:
 #            cluster_id: {{ stack_name }}
 #      public_key: {{ ssh_public_key }}
 
+{% if openstack_flat_secgrp|bool %}
+  flat-secgrp:
+    type: OS::Neutron::SecurityGroup
+    properties:
+      name:
+        str_replace:
+          template: openshift-ansible-cluster_id-flat-secgrp
+          params:
+            cluster_id: {{ stack_name }}
+      description:
+        str_replace:
+          template: Security group for cluster_id OpenShift cluster
+          params:
+            cluster_id: {{ stack_name }}
+      rules:
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 22
+          port_range_max: 22
+          remote_ip_prefix: {{ ssh_ingress_cidr }}
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 4001
+          port_range_max: 4001
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 8443
+          port_range_max: 8444
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 53
+          port_range_max: 53
+        - direction: ingress
+          protocol: udp
+          port_range_min: 53
+          port_range_max: 53
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 8053
+          port_range_max: 8053
+        - direction: ingress
+          protocol: udp
+          port_range_min: 8053
+          port_range_max: 8053
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 24224
+          port_range_max: 24224
+        - direction: ingress
+          protocol: udp
+          port_range_min: 24224
+          port_range_max: 24224
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 2224
+          port_range_max: 2224
+        - direction: ingress
+          protocol: udp
+          port_range_min: 5404
+          port_range_max: 5405
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 9090
+          port_range_max: 9090
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 2379
+          port_range_max: 2380
+          remote_mode: remote_group_id
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 10250
+          port_range_max: 10250
+          remote_mode: remote_group_id
+        - direction: ingress
+          protocol: udp
+          port_range_min: 10250
+          port_range_max: 10250
+          remote_mode: remote_group_id
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 10255
+          port_range_max: 10255
+          remote_mode: remote_group_id
+        - direction: ingress
+          protocol: udp
+          port_range_min: 10255
+          port_range_max: 10255
+          remote_mode: remote_group_id
+        - direction: ingress
+          protocol: udp
+          port_range_min: 4789
+          port_range_max: 4789
+          remote_mode: remote_group_id
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 30000
+          port_range_max: 32767
+          remote_ip_prefix: {{ node_ingress_cidr }}
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 30000
+          port_range_max: 32767
+          remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 80
+          port_range_max: 80
+        - direction: ingress
+          protocol: tcp
+          port_range_min: 443
+          port_range_max: 443
+{% else %}
   master-secgrp:
     type: OS::Neutron::SecurityGroup
     properties:
@@ -168,10 +281,6 @@ resources:
         - direction: ingress
           protocol: tcp
           port_range_min: 8443
-          port_range_max: 8443
-        - direction: ingress
-          protocol: tcp
-          port_range_min: 8444
           port_range_max: 8444
         - direction: ingress
           protocol: tcp
@@ -204,10 +313,6 @@ resources:
         - direction: ingress
           protocol: udp
           port_range_min: 5404
-          port_range_max: 5404
-        - direction: ingress
-          protocol: udp
-          port_range_min: 5405
           port_range_max: 5405
         - direction: ingress
           protocol: tcp
@@ -317,6 +422,7 @@ resources:
           protocol: tcp
           port_range_min: 443
           port_range_max: 443
+{% endif %}
 
   dns-secgrp:
     type: OS::Neutron::SecurityGroup
@@ -411,7 +517,7 @@ resources:
           net:         { get_resource: net }
           subnet:      { get_resource: subnet }
           secgrp:
-            - { get_resource: etcd-secgrp }
+            - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} }
           floating_network: {{ external_network }}
           net_name:
             str_replace:
@@ -491,11 +597,15 @@ resources:
           net:         { get_resource: net }
           subnet:      { get_resource: subnet }
           secgrp:
+{% if openstack_flat_secgrp|bool %}
+            - { get_resource: flat-secgrp }
+{% else %}
             - { get_resource: master-secgrp }
             - { get_resource: node-secgrp }
 {% if num_etcd is equalto 0 %}
             - { get_resource: etcd-secgrp }
 {% endif %}
+{% endif %}
           floating_network: {{ external_network }}
           net_name:
             str_replace:
@@ -538,7 +648,7 @@ resources:
           net:         { get_resource: net }
           subnet:      { get_resource: subnet }
           secgrp:
-            - { get_resource: node-secgrp }
+            - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}node-secgrp{% endif %} }
           floating_network: {{ external_network }}
           net_name:
             str_replace:
@@ -581,8 +691,12 @@ resources:
           net:         { get_resource: net }
           subnet:      { get_resource: subnet }
           secgrp:
+{% if openstack_flat_secgrp|bool %}
+            - { get_resource: flat-secgrp }
+{% else %}
             - { get_resource: node-secgrp }
             - { get_resource: infra-secgrp }
+{% endif %}
           floating_network: {{ external_network }}
           net_name:
             str_replace:
@@ -621,7 +735,11 @@ resources:
           net:         { get_resource: net }
           subnet:      { get_resource: subnet }
           secgrp:
+{% if openstack_flat_secgrp|bool %}
+            - { get_resource: flat-secgrp }
+{% else %}
             - { get_resource: node-secgrp }
+{% endif %}
             - { get_resource: dns-secgrp }
           floating_network: {{ external_network }}
           net_name:
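Review bot: In the new `flat-secgrp` (first hunk), most ingress rules carry neither `remote_ip_prefix` nor `remote_mode`, and Neutron treats such a rule as open to any source; with every node type in this template attached to `floating_network`, that exposes 4001, 8053, 24224, 2224, 5404-5405 and 9090 (which look like etcd, SkyDNS, fluentd and pacemaker/corosync/cockpit ports, i.e. cluster-internal services) on every etcd, app and infra node, not just masters. The hunk does not show whether `master-secgrp` already left these unrestricted, but even if it did, the flat group widens that exposure from the masters to the whole cluster. Since the 2379-2380, 10250, 10255 and 4789 rules already use `remote_mode: remote_group_id`, the same one-line restriction belongs on the cluster-internal rules, leaving only 22 (already bound to `ssh_ingress_cidr`), 80, 443 and 8443-8444 reachable from outside. The flat group is the only Jinja branch complete in view; the per-role groups start in the `else` branch and continue outside the hunk.
```yaml
      rules:
        # … unchanged: 22/tcp (ssh_ingress_cidr), 8443-8444/tcp, 80/tcp, 443/tcp …
        - direction: ingress
          protocol: tcp
          port_range_min: 4001
          port_range_max: 4001
          remote_mode: remote_group_id
        - direction: ingress
          protocol: tcp
          port_range_min: 24224
          port_range_max: 24224
          remote_mode: remote_group_id
        # … same remote_mode added to 8053 tcp/udp, 24224/udp, 2224/tcp, 5404-5405/udp, 9090/tcp …
        # … unchanged: 2379-2380, 10250, 10255, 4789 and 30000-32767 rules …
```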