Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Moving firewall rules under the role to work with refactor.

Kenny Woodson 7 years ago
parent
be7e730876
commit
6ff3544377
4 changed files with 65 additions and 26 deletions
Unified View Show Diff Stats
  1. 12 26
      playbooks/common/openshift-glusterfs/config.yml
  2. 12 0
      roles/openshift_storage_glusterfs/defaults/main.yml
  3. 1 0
      roles/openshift_storage_glusterfs/meta/main.yml
  4. 40 0
      roles/openshift_storage_glusterfs/tasks/firewall.yml

+ 12 - 26
playbooks/common/openshift-glusterfs/config.yml
View File 

@@ -1,40 +1,26 @@
 
 ---
 
 ---
 
 - name: Open firewall ports for GlusterFS nodes
 
 - name: Open firewall ports for GlusterFS nodes
 
   hosts: glusterfs
 
   hosts: glusterfs
 
-  vars:
 
-    os_firewall_allow:
 
-    - service: glusterfs_sshd
 
-      port: "2222/tcp"
 
-    - service: glusterfs_daemon
 
-      port: "24007/tcp"
 
-    - service: glusterfs_management
 
-      port: "24008/tcp"
 
-    - service: glusterfs_bricks
 
-      port: "49152-49251/tcp"
 
-  roles:
 
-  - role: os_firewall
 
+  tasks:
 
+  - include_role:
 
+      name: openshift_storage_glusterfs
 
+      tasks_from: firewall.yml
 
     when:
 
     when:
 
     - openshift_storage_glusterfs_is_native | default(True) | bool
 
     - openshift_storage_glusterfs_is_native | default(True) | bool
 
 
 
 - name: Open firewall ports for GlusterFS registry nodes
 
 - name: Open firewall ports for GlusterFS registry nodes
 
   hosts: glusterfs_registry
 
   hosts: glusterfs_registry
 
-  vars:
 
-    os_firewall_allow:
 
-    - service: glusterfs_sshd
 
-      port: "2222/tcp"
 
-    - service: glusterfs_daemon
 
-      port: "24007/tcp"
 
-    - service: glusterfs_management
 
-      port: "24008/tcp"
 
-    - service: glusterfs_bricks
 
-      port: "49152-49251/tcp"
 
-  roles:
 
-  - role: os_firewall
 
+  tasks:
 
+  - include_role:
 
+      name: openshift_storage_glusterfs
 
+      tasks_from: firewall.yml
 
     when:
 
     when:
 
     - openshift_storage_glusterfs_registry_is_native | default(True) | bool
 
     - openshift_storage_glusterfs_registry_is_native | default(True) | bool
 
 
 
 - name: Configure GlusterFS
 
 - name: Configure GlusterFS
 
   hosts: oo_first_master
 
   hosts: oo_first_master
 
-  roles:
 
-  - role: openshift_storage_glusterfs
 
+  tasks:
 
+  - name: setup glusterfs
 
+    include_role:
 
+      name: openshift_storage_glusterfs
 
     when: groups.oo_glusterfs_to_config | default([]) | count > 0
 
     when: groups.oo_glusterfs_to_config | default([]) | count > 0

+ 12 - 0
roles/openshift_storage_glusterfs/defaults/main.yml
View File 

@@ -52,3 +52,15 @@ openshift_storage_glusterfs_registry_heketi_ssh_port: "{{ openshift_storage_glus
 
 openshift_storage_glusterfs_registry_heketi_ssh_user: "{{ openshift_storage_glusterfs_heketi_ssh_user }}"
 
 openshift_storage_glusterfs_registry_heketi_ssh_user: "{{ openshift_storage_glusterfs_heketi_ssh_user }}"
 
 openshift_storage_glusterfs_registry_heketi_ssh_sudo: "{{ openshift_storage_glusterfs_heketi_ssh_sudo }}"
 
 openshift_storage_glusterfs_registry_heketi_ssh_sudo: "{{ openshift_storage_glusterfs_heketi_ssh_sudo }}"
 
 openshift_storage_glusterfs_registry_heketi_ssh_keyfile: "{{ openshift_storage_glusterfs_heketi_ssh_keyfile | default(omit) }}"
 
 openshift_storage_glusterfs_registry_heketi_ssh_keyfile: "{{ openshift_storage_glusterfs_heketi_ssh_keyfile | default(omit) }}"
 
+r_openshift_master_firewall_enabled: True
 
+r_openshift_master_use_firewalld: False
 
+r_openshift_storage_glusterfs_os_firewall_deny: []
 
+r_openshift_storage_glusterfs_os_firewall_allow:
 
+- service: glusterfs_sshd
 
+  port: "2222/tcp"
 
+- service: glusterfs_daemon
 
+  port: "24007/tcp"
 
+- service: glusterfs_management
 
+  port: "24008/tcp"
 
+- service: glusterfs_bricks
 
+  port: "49152-49251/tcp"

+ 1 - 0
roles/openshift_storage_glusterfs/meta/main.yml
View File 

@@ -13,3 +13,4 @@ dependencies:
 
 - role: openshift_hosted_facts
 
 - role: openshift_hosted_facts
 
 - role: openshift_repos
 
 - role: openshift_repos
 
 - role: lib_openshift
 
 - role: lib_openshift
 
+- role: lib_os_firewall

+ 40 - 0
roles/openshift_storage_glusterfs/tasks/firewall.yml
View File 

@@ -0,0 +1,40 @@
 
+---
 
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and not r_openshift_storage_glusterfs_use_firewalld | bool
 
+  block:
 
+  - name: Add iptables allow rules
 
+    os_firewall_manage_iptables:
 
+      name: "{{ item.service }}"
 
+      action: add
 
+      protocol: "{{ item.port.split('/')[1] }}"
 
+      port: "{{ item.port.split('/')[0] }}"
 
+    when: item.cond | default(True)
 
+    with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
 
+
 
+  - name: Remove iptables rules
 
+    os_firewall_manage_iptables:
 
+      name: "{{ item.service }}"
 
+      action: remove
 
+      protocol: "{{ item.port.split('/')[1] }}"
 
+      port: "{{ item.port.split('/')[0] }}"
 
+    when: item.cond | default(True)
 
+    with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"
 
+
 
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and r_openshift_storage_glusterfs_use_firewalld | bool
 
+  block:
 
+  - name: Add firewalld allow rules
 
+    firewalld:
 
+      port: "{{ item.port }}"
 
+      permanent: true
 
+      immediate: true
 
+      state: enabled
 
+    when: item.cond | default(True)
 
+    with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
 
+
 
+  - name: Remove firewalld allow rules
 
+    firewalld:
 
+      port: "{{ item.port }}"
 
+      permanent: true
 
+      immediate: true
 
+      state: disabled
 
+    when: item.cond | default(True)
 
+    with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"