clean up iptables in base to not apply to cloud compute/master, osbs or os
parent
d863bb3629
commit
2df1d71510
11 changed files with 32 additions and 61 deletions
|
@ -266,4 +266,6 @@ nagios_Check_Services:
|
||||||
dhcpd: false
|
dhcpd: false
|
||||||
httpd: false
|
httpd: false
|
||||||
|
|
||||||
|
# Set variable if we want to use our global iptables defaults
|
||||||
|
# Some things need to set their own.
|
||||||
|
baseiptables: True
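Review bot: The two comment lines added above `baseiptables: True` do not say what a host gives up by setting the variable to False. Judging by the task hunks later in this commit, the base role's iptables and ip6tables template tasks, and the task after each of them, are all gated on it, so an opted-out group gets neither IPv4 nor IPv6 rules from base. I would spell that out, e.g. `# Groups that set this to False get no iptables or ip6tables rules from the base role and must deploy their own.` Lowercase `true`/`false` would also be the more portable boolean spelling, here and in the group files that override it.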
|
||||||
|
|
|
@ -3,3 +3,4 @@ host_group: openstack-compute
|
||||||
nrpe_procs_warn: 1100
|
nrpe_procs_warn: 1100
|
||||||
nrpe_procs_crit: 1200
|
nrpe_procs_crit: 1200
|
||||||
ansible_ifcfg_blacklist: true
|
ansible_ifcfg_blacklist: true
|
||||||
|
baseiptables: False
|
||||||
|
|
|
@ -1,2 +1,3 @@
|
||||||
---
|
---
|
||||||
host_group: os
|
host_group: os
|
||||||
|
baseiptables: False
|
||||||
|
|
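--- /dev/null
+++ b/inventory/group_vars/os-stg
@@ -0,0 +1,3 @@
+---
+host_group: os
+baseiptables: False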
@ -19,3 +19,5 @@ osbs_koji_username: "kojibuilder"
|
||||||
koji_url: "koji.fedoraproject.org"
|
koji_url: "koji.fedoraproject.org"
|
||||||
|
|
||||||
osbs_client_conf_path: /etc/osbs.conf
|
osbs_client_conf_path: /etc/osbs.conf
|
||||||
|
|
||||||
|
baseiptables: False
|
||||||
|
|
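--- /dev/null
+++ b/inventory/group_vars/osbs-stg
@@ -0,0 +1,2 @@
+---
+baseiptables: False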
@ -8,3 +8,5 @@ ansible_ifcfg_blacklist: true
|
||||||
nagios_Check_Services:
|
nagios_Check_Services:
|
||||||
nrpe: true
|
nrpe: true
|
||||||
sshd: true
|
sshd: true
|
||||||
|
|
||||||
|
baseiptables: False
|
||||||
|
|
|
@ -1330,6 +1330,16 @@ osbs-master01.stg.phx2.fedoraproject.org
|
||||||
osbs-node01.stg.phx2.fedoraproject.org
|
osbs-node01.stg.phx2.fedoraproject.org
|
||||||
osbs-node02.stg.phx2.fedoraproject.org
|
osbs-node02.stg.phx2.fedoraproject.org
|
||||||
|
|
||||||
|
[osbs:children]
|
||||||
|
osbs-control
|
||||||
|
osbs-nodes
|
||||||
|
osbs-masters
|
||||||
|
|
||||||
|
[osbs-stg:children]
|
||||||
|
osbs-control-stg
|
||||||
|
osbs-nodes-stg
|
||||||
|
osbs-masters-stg
|
||||||
|
|
||||||
[os-control-stg]
|
[os-control-stg]
|
||||||
os-control01.stg.phx2.fedoraproject.org
|
os-control01.stg.phx2.fedoraproject.org
|
||||||
|
|
||||||
|
@ -1342,7 +1352,7 @@ os-master03.stg.phx2.fedoraproject.org
|
||||||
os-node01.stg.phx2.fedoraproject.org
|
os-node01.stg.phx2.fedoraproject.org
|
||||||
os-node02.stg.phx2.fedoraproject.org
|
os-node02.stg.phx2.fedoraproject.org
|
||||||
|
|
||||||
[os:children]
|
[os-stg:children]
|
||||||
os-nodes-stg
|
os-nodes-stg
|
||||||
os-masters-stg
|
os-masters-stg
|
||||||
os-control-stg
|
os-control-stg
|
||||||
|
|
|
@ -33,6 +33,7 @@
|
||||||
- include: /srv/web/infra/ansible/playbooks/groups/buildvm.yml
|
- include: /srv/web/infra/ansible/playbooks/groups/buildvm.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/groups/bugyou.yml
|
- include: /srv/web/infra/ansible/playbooks/groups/bugyou.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/groups/busgateway.yml
|
- include: /srv/web/infra/ansible/playbooks/groups/busgateway.yml
|
||||||
|
- include: /srv/web/infra/ansible/playbooks/groups/ci.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/groups/copr-backend.yml
|
- include: /srv/web/infra/ansible/playbooks/groups/copr-backend.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/groups/copr-dist-git.yml
|
- include: /srv/web/infra/ansible/playbooks/groups/copr-dist-git.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml
|
- include: /srv/web/infra/ansible/playbooks/groups/copr-frontend.yml
|
||||||
|
@ -143,11 +144,11 @@
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/insim.fedorainfracloud.org.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/lists-dev.fedorainfracloud.org.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/kolinahr.fedorainfracloud.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/kolinahr.fedorainfracloud.org.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/magazine.fedorainfracloud.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/magazine2.fedorainfracloud.org.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/modernpaste.fedorainfracloud.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/modernpaste.fedorainfracloud.org.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/modularity.fedorainfracloud.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/modularity.fedorainfracloud.org.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/piwik.fedorainfracloud.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/piwik.fedorainfracloud.org.yml
|
||||||
#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp.fedorainfracloud.org.yml
|
#- include: /srv/web/infra/ansible/playbooks/hosts/regcfp2.fedorainfracloud.org.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/respins.fedorainfracloud.org.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/shogun-ca.cloud.fedoraproject.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/shogun-ca.cloud.fedoraproject.org.yml
|
||||||
- include: /srv/web/infra/ansible/playbooks/hosts/shumgrepper-dev.fedorainfracloud.org.yml
|
- include: /srv/web/infra/ansible/playbooks/hosts/shumgrepper-dev.fedorainfracloud.org.yml
|
||||||
|
|
|
@ -1,55 +0,0 @@
|
||||||
- name: check/create instance
|
|
||||||
hosts: magazine.fedorainfracloud.org
|
|
||||||
gather_facts: False
|
|
||||||
|
|
||||||
vars_files:
|
|
||||||
- /srv/web/infra/ansible/vars/global.yml
|
|
||||||
- /srv/private/ansible/vars.yml
|
|
||||||
- /srv/web/infra/ansible/vars/fedora-cloud.yml
|
|
||||||
- /srv/private/ansible/files/openstack/passwords.yml
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- include: "{{ tasks_path }}/persistent_cloud.yml"
|
|
||||||
|
|
||||||
- name: setup all the things
|
|
||||||
hosts: magazine.fedorainfracloud.org
|
|
||||||
gather_facts: True
|
|
||||||
vars_files:
|
|
||||||
- /srv/web/infra/ansible/vars/global.yml
|
|
||||||
- /srv/private/ansible/vars.yml
|
|
||||||
- /srv/private/ansible/files/openstack/passwords.yml
|
|
||||||
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- include: "{{ tasks_path }}/cloud_setup_basic.yml"
|
|
||||||
- name: set hostname (required by some services, at least postfix need it)
|
|
||||||
hostname: name="{{inventory_hostname}}"
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- name: add packages
|
|
||||||
yum: state=present name={{ item }}
|
|
||||||
with_items:
|
|
||||||
- httpd
|
|
||||||
- php
|
|
||||||
- php-mysql
|
|
||||||
- mariadb-server
|
|
||||||
- mariadb
|
|
||||||
- mod_ssl
|
|
||||||
- php-mcrypt
|
|
||||||
- php-mbstring
|
|
||||||
- wget
|
|
||||||
- unzip
|
|
||||||
- postfix
|
|
||||||
|
|
||||||
- name: enable httpd service
|
|
||||||
service: name=httpd enabled=yes state=started
|
|
||||||
|
|
||||||
- name: configure postfix for ipv4 only
|
|
||||||
raw: postconf -e inet_protocols=ipv4
|
|
||||||
|
|
||||||
- name: enable local postfix service
|
|
||||||
service: name=postfix enabled=yes state=started
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- nagios_client
|
|
||||||
- mariadb_server
|
|
|
@ -233,7 +233,7 @@
|
||||||
- iptables/iptables.{{ host_group }}
|
- iptables/iptables.{{ host_group }}
|
||||||
- iptables/iptables.{{ env }}
|
- iptables/iptables.{{ env }}
|
||||||
- iptables/iptables
|
- iptables/iptables
|
||||||
when: not inventory_hostname.startswith(('fed-cloud','osbs'))
|
when: baseiptables is true
|
||||||
notify:
|
notify:
|
||||||
- restart iptables
|
- restart iptables
|
||||||
- reload libvirtd
|
- reload libvirtd
|
||||||
|
@ -248,6 +248,7 @@
|
||||||
- iptables
|
- iptables
|
||||||
- service
|
- service
|
||||||
- base
|
- base
|
||||||
|
when: baseiptables is true
|
||||||
|
|
||||||
- name: ip6tables
|
- name: ip6tables
|
||||||
template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
|
template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
|
||||||
|
@ -257,7 +258,7 @@
|
||||||
- iptables/ip6tables.{{ host_group }}
|
- iptables/ip6tables.{{ host_group }}
|
||||||
- iptables/ip6tables.{{ env }}
|
- iptables/ip6tables.{{ env }}
|
||||||
- iptables/ip6tables
|
- iptables/ip6tables
|
||||||
when: not inventory_hostname.startswith('fed-cloud09')
|
when: baseiptables is true
|
||||||
notify:
|
notify:
|
||||||
- restart ip6tables
|
- restart ip6tables
|
||||||
- reload libvirtd
|
- reload libvirtd
|
||||||
|
@ -272,6 +273,7 @@
|
||||||
- ip6tables
|
- ip6tables
|
||||||
- service
|
- service
|
||||||
- base
|
- base
|
||||||
|
when: baseiptables is true
|
||||||
|
|
||||||
- name: enable journald persistence
|
- name: enable journald persistence
|
||||||
file: path=/var/log/journal state=directory
|
file: path=/var/log/journal state=directory
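Review bot: `when: baseiptables is true` is a strict test that passes only for a real boolean, so a string value (for example one supplied with `-e baseiptables=True` or set on an INI inventory line) would skip the firewall tasks without any error; as far as I know the `true` test also needs Jinja2 2.11 or later and fails to template on older versions. `when: baseiptables | bool` on all four conditions would accept both forms. Separately, the ip6tables condition used to exclude only `fed-cloud09`, so every group that now sets `baseiptables: False` also stops receiving the base ip6tables rules; it is worth confirming those hosts get IPv6 rules from somewhere else. The tasks these conditions belong to start outside the hunks.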
|
||||||
|
|