# create an osbs server - include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-control" - include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes:osbs-masters" - name: make the box be real hosts: osbs-control:osbs-masters:osbs-nodes user: root gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - base - rkhunter - nagios_client - hosts - fas_client - collectd/base - rsyncd - sudo tasks: - include: "{{ tasks_path }}/yumrepos.yml" - include: "{{ tasks_path }}/2fa_client.yml" - include: "{{ tasks_path }}/motd.yml" handlers: - include: "{{ handlers_path }}/restart_services.yml" - name: OSBS control hosts pre-req setup hosts: osbs-control:osbs-control-stg tags: - osbs-cluster-prereq user: root gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: - name: deploy private key to control hosts copy: src: "{{private}}/files/osbs/{{env}}/control_key" dest: "/root/.ssh/id_rsa" owner: root mode: 0600 - name: set ansible to use pipelining ini_file: dest: /etc/ansible/ansible.cfg section: ssh_connection option: pipelining value: "True" - name: Setup cluster masters pre-reqs hosts: osbs-masters-stg:osbs-masters tags: - osbs-cluster-prereq user: root gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: - name: ensure origin conf dir exists file: path: "/etc/origin" state: "directory" - name: create cert dir for openshift public facing REST API SSL file: path: "/etc/origin/master/named_certificates" state: "directory" - name: install cert for openshift public facing REST API SSL copy: src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem" - name: install key for openshift public facing REST API SSL copy: src: "{{private}}/files/osbs/{{env}}/osbs-internal.key" dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key" - name: place htpasswd file copy: src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd" dest: /etc/origin/htpasswd - name: Setup cluster hosts pre-reqs hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-cluster-prereq user: root gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml handlers: - name: restart NetworkManager service: name: NetworkManager state: restarted tasks: - name: Install necessary packages that openshift-ansible needs package: name="{{ item }}" state=installed with_items: - tar - rsync - dbus-python - NetworkManager - libselinux-python - origin - name: Deploy controller public ssh keys to osbs cluster hosts authorized_key: user: root key: "{{ lookup('file', '{{private}}/files/osbs/{{env}}/control_key.pub') }}" # This is required for OpenShift built-in SkyDNS inside the overlay network # of the cluster - name: ensure NM_CONTROLLED is set to "yes" for osbs cluster lineinfile: dest: "/etc/sysconfig/network-scripts/ifcfg-eth0" line: "NM_CONTROLLED=yes" notify: - restart NetworkManager # This is required for OpenShift built-in SkyDNS inside the overlay network # of the cluster - name: ensure NetworkManager is enabled and started service: name: NetworkManager state: started enabled: yes - name: cron entry to clean up docker storage copy: src: "{{files}}/osbs/cleanup-docker-storage" dest: "/etc/cron.d/cleanup-docker-storage" - name: copy docker-storage-setup config copy: src: "{{files}}/osbs/docker-storage-setup" dest: "/etc/sysconfig/docker-storage-setup" - name: Deploy kerberose keytab to cluster hosts hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-cluster-prereq user: root gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - role: keytab/service owner_user: root owner_group: root service: osbs host: "osbs.fedoraproject.org" when: env == "production" - role: keytab/service owner_user: root owner_group: root service: osbs host: "osbs.stg.fedoraproject.org" when: env == "staging" - name: Deploy OpenShift Cluster hosts: osbs-control:osbs-control-stg tags: - osbs-deploy-openshift user: root gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - { role: ansible-ansible-openshift-ansible, cluster_inventory_filename: "cluster-inventory-stg", openshift_htpasswd_file: "/etc/origin/htpasswd", openshift_master_public_api_url: "https://{{ osbs_url }}:8443", openshift_release: "v1.3.1", openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_playbook: "playbooks/byo/config.yml", openshift_ansible_version: "openshift-ansible-3.3.57-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: false, openshift_ansible_containerized_deploy: false, openshift_cluster_masters_group: "osbs-masters-stg", openshift_cluster_nodes_group: "osbs-nodes-stg", openshift_cluster_infra_group: "osbs-masters-stg", openshift_auth_profile: "osbs", openshift_cluster_url: "{{osbs_url}}", openshift_master_ha: false, openshift_debug_level: 2, openshift_shared_infra: true, openshift_deployment_type: "origin", when: env == 'staging', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } - { role: ansible-ansible-openshift-ansible, cluster_inventory_filename: "cluster-inventory", openshift_htpasswd_file: "/etc/origin/htpasswd", openshift_master_public_api_url: "https://{{ osbs_url }}:8443", openshift_release: "v1.3.1", openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_playbook: "playbooks/byo/config.yml", openshift_ansible_version: "openshift-ansible-3.3.57-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: false, openshift_ansible_containerized_deploy: false, openshift_cluster_masters_group: "osbs-masters", openshift_cluster_nodes_group: "osbs-nodes", openshift_cluster_infra_group: "osbs-masters", openshift_auth_profile: "osbs", openshift_cluster_url: "{{osbs_url}}", openshift_master_ha: false, openshift_debug_level: 2, openshift_shared_infra: true, openshift_deployment_type: "origin", when: env == 'production', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } - name: Setup OSBS requirements for OpenShift cluster hosts hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-cluster-req user: root gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - { role: osbs-common, osbs_manage_firewalld: false, } - osbs-atomic-reactor - { role: push-docker, docker_cert_name: "containerbuild", docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org", when: env == "staging" } - { role: "manage-container-images", cert_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org", cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem", key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key", when: env == "staging" } - { role: "manage-container-images", cert_dest_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org", cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem", key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key", when: env == "staging" } - { role: push-docker, docker_cert_name: "containerbuild", docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org", when: env == "production" } handlers: - name: restart dnsmasq service: name: dnsmasq state: restarted tasks: - name: install fedora dnsmasq specific config copy: src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}" dest: "/etc/dnsmasq.d/fedora-dns.conf" - name: Setup requirements for OpenShift master hosts: osbs-masters-stg:osbs-masters tags: - osbs-master-req user: root gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: - name: set policy for koji builder in openshift for osbs shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added" args: creates: "/etc/origin/koji-builder-policy-added" when: env == "staging" - name: set policy for koji builder in openshift for osbs shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added" args: creates: "/etc/origin/koji-builder-policy-added" when: env == "production" - name: set policy for koji builder in openshift for atomic-reactor shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added" args: creates: "/etc/origin/atomic-reactor-policy-added" - name: Deploy OSBS on top of OpenShift hosts: osbs-masters-stg[0]:osbs-masters[0] tags: - osbs-deploy-on-openshift user: root gather_facts: True vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - { role: osbs-on-openshift, osbs_openshift_home: "/var/lib/origin", osbs_namespace: "default", osbs_namespace_create: "false", osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig", osbs_environment: [ KUBECONFIG: "{{ osbs_kubeconfig_path }}" ], osbs_service_accounts: [], osbs_readonly_users: [], osbs_readonly_groups: [], osbs_readwrite_users: ["{{ osbs_koji_stg_username }}"], osbs_readwrite_groups: [ "system:authenticated"], osbs_admin_users: [], osbs_admin_groups: [], osbs_docker_registry: false, osbs_docker_registry_storage: "/opt/openshift-registry", when: env == "staging" } - { role: osbs-on-openshift, osbs_openshift_home: "/var/lib/origin", osbs_namespace: "default", osbs_namespace_create: "false", osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig", osbs_environment: [ KUBECONFIG: "{{ osbs_kubeconfig_path }}" ], osbs_service_accounts: [], osbs_readonly_users: [], osbs_readonly_groups: [], osbs_readwrite_users: ["{{ osbs_koji_prod_username }}"], osbs_readwrite_groups: [ "system:authenticated"], osbs_admin_users: [], osbs_admin_groups: [], osbs_docker_registry: false, osbs_docker_registry_storage: "/opt/openshift-registry", when: env == "production" } - name: Manage docker images and image stream hosts: osbs-masters-stg[0]:osbs-masters[0] tags: - osbs-post-install - manage-docker-images vars_files: - /srv/web/infra/ansible/vars/global.yml - /srv/private/ansible/vars.yml - /srv/private/ansible/files/openstack/passwords.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml vars: osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig osbs_environment: KUBECONFIG: "{{ osbs_kubeconfig_path }}" koji_pki_dir: /etc/pki/koji koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" koji_builder_user: dockerbuilder osbs_builder_user: builder tasks: - name: pull fedora required docker images shell: "docker pull {{item}}" with_items: "{{fedora_required_images}}" delegate_to: compose-x86-01.phx2.fedoraproject.org register: docker_pull_fedora_delegated changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout" - name: tag fedora required docker images for our registry shell: "docker tag {{item}} {{docker_registry}}/{{item}}" with_items: "{{fedora_required_images}}" delegate_to: compose-x86-01.phx2.fedoraproject.org when: docker_pull_fedora_delegated|changed - name: push fedora required docker images to our registry shell: "docker push {{docker_registry}}/{{item}}" with_items: "{{fedora_required_images}}" delegate_to: compose-x86-01.phx2.fedoraproject.org when: docker_pull_fedora_delegated|changed - name: register origin_version_out rpm query shell: "rpm -q origin --qf '%{Version}'" register: origin_version_out always_run: true changed_when: False - set_fact: origin_version: "{{origin_version_out.stdout}}" - name: pull openshift required docker images shell: "docker pull {{item}}:v{{origin_version}}" with_items: "{{openshift_required_images}}" delegate_to: compose-x86-01.phx2.fedoraproject.org register: docker_pull_openshift_delegated changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout" - name: tag openshift required docker images for our registry shell: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}" with_items: "{{openshift_required_images}}" delegate_to: compose-x86-01.phx2.fedoraproject.org when: docker_pull_openshift_delegated|changed - name: push openshift required docker images to our registry shell: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}" with_items: "{{openshift_required_images}}" delegate_to: compose-x86-01.phx2.fedoraproject.org when: docker_pull_openshift_delegated|changed - name: create fedora image stream for OpenShift shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated" environment: "{{ osbs_environment }}" args: creates: /etc/origin/fedoraimagestreamcreated - name: post-install master host osbs tasks hosts: osbs-masters-stg:osbs-masters tags: - osbs-post-install vars_files: - /srv/web/infra/ansible/vars/global.yml - /srv/private/ansible/vars.yml - /srv/private/ansible/files/openstack/passwords.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml vars: osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig osbs_environment: KUBECONFIG: "{{ osbs_kubeconfig_path }}" koji_pki_dir: /etc/pki/koji koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" koji_builder_user: dockerbuilder osbs_builder_user: builder handlers: - name: oc secrets new shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}" environment: "{{ osbs_environment }}" notify: oc secrets add - name: oc secrets add shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount" environment: "{{ osbs_environment }}" tasks: - name: Ensure koji dockerbuilder cert path exists file: path: "{{ koji_pki_dir }}" state: "directory" mode: 0400 - name: Add koji dockerbuilder cert for Content Generator import copy: src: "{{private}}/files/koji/containerbuild.pem" dest: "{{ koji_cert_path }}" notify: oc secrets new - name: Add koji dockerbuilder ca cert for Content Generator import copy: src: "{{private}}/files/koji/buildercerts/fedora-ca.cert" dest: "{{ koji_ca_cert_path }}" notify: oc secrets new - name: cron entry to clean up old builds copy: src: "{{files}}/osbs/cleanup-old-osbs-builds" dest: "/etc/cron.d/cleanup-old-osbs-builds" - name: post-install osbs tasks hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-post-install vars_files: - /srv/web/infra/ansible/vars/global.yml - /srv/private/ansible/vars.yml - /srv/private/ansible/files/openstack/passwords.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml vars: osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig osbs_environment: KUBECONFIG: "{{ osbs_kubeconfig_path }}" koji_pki_dir: /etc/pki/koji koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" koji_builder_user: dockerbuilder osbs_builder_user: builder handlers: - name: buildroot container shell: 'docker rmi buildroot; docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/' - name: restart docker service: name: docker state: restarted - name: systemctl daemon-reload shell: 'systemctl daemon-reload' roles: - { role: osbs-client, general: { verbose: 0, build_json_dir: '/etc/osbs/input/', openshift_required_version: 1.1.0, }, default: { username: "{{ osbs_koji_stg_username }}", password: "{{ osbs_koji_stg_password }}", koji_use_kerberos: True, koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab", koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}", openshift_url: 'https://{{osbs_url}}/', registry_uri: 'https://{{docker_registry}}/v2', source_registry_uri: 'https://{{source_registry}}/v2', build_host: '{{osbs_url}}', koji_root: 'https://{{koji_url}}/koji', koji_hub: 'https://{{koji_url}}/kojihub', sources_command: 'fedpkg sources', build_type: 'prod', authoritative_registry: 'registry.example.com', vendor: 'Fedora Project', verify_ssl: true, use_auth: true, builder_use_auth: true, distribution_scope: 'private', registry_api_versions: 'v2', builder_openshift_url: 'https://{{osbs_url}}' }, when: env == "staging" } - { role: osbs-client, general: { verbose: 0, build_json_dir: '/etc/osbs/input/', openshift_required_version: 1.1.0, }, default: { username: "{{ osbs_koji_prod_username }}", password: "{{ osbs_koji_prod_password }}", koji_use_kerberos: True, koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab", koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}", openshift_url: 'https://{{osbs_url}}/', registry_uri: 'https://{{docker_registry}}/v2', source_registry_uri: 'https://{{source_registry}}/v2', build_host: '{{osbs_url}}', koji_root: 'https://{{koji_url}}/koji', koji_hub: 'https://{{koji_url}}/kojihub', sources_command: 'fedpkg sources', build_type: 'prod', authoritative_registry: 'registry.example.com', vendor: 'Fedora Project', verify_ssl: true, use_auth: true, builder_use_auth: true, distribution_scope: 'private', registry_api_versions: 'v2', builder_openshift_url: 'https://{{osbs_url}}' }, when: env == "production" } tasks: - name: copy docker iptables script copy: src: "{{files}}/osbs/fix-docker-iptables.{{ env }}" dest: /usr/local/bin/fix-docker-iptables mode: 0755 notify: - restart docker - name: copy docker service config copy: src: "{{files}}/osbs/docker.service" dest: /etc/systemd/system/docker.service notify: - systemctl daemon-reload - restart docker - name: set nrpe read access for osbs.conf for nagios monitoring acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present - name: Create buildroot container conf directory file: path: "/etc/osbs/buildroot/" state: directory - name: Upload Dockerfile for buildroot container template: src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}.j2" dest: "/etc/osbs/buildroot/Dockerfile" mode: 0400 notify: - buildroot container - name: Upload internal CA for buildroot copy: src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" dest: "/etc/osbs/buildroot/ca.crt" mode: 0400 notify: - buildroot container - name: stat infra repofile stat: path: "/etc/yum.repos.d/infra-tags.repo" register: infra_repo_stat - name: stat /etc/osbs/buildroot/ infra repofile stat: path: "/etc/osbs/buildroot/infra-tags.repo" register: etcosbs_infra_repo_stat - name: remove old /etc/osbs/buildroot/ infra repofile file: path: "/etc/osbs/buildroot/infra-tags.repo" state: absent when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum - name: Copy repofile for buildroot container (because Docker) copy: src: "/etc/yum.repos.d/infra-tags.repo" dest: "/etc/osbs/buildroot/infra-tags.repo" remote_src: true notify: - buildroot container when: etcosbs_infra_repo_stat.stat.exists == false - name: stat /etc/ keytab stat: path: "/etc/krb5.osbs_{{osbs_url}}.keytab" register: etc_kt_stat - name: stat /etc/osbs/buildroot/ keytab stat: path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab" register: etcosbs_kt_stat - name: remove old hardlink to /etc/osbs/buildroot/ keytab file: path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab" state: absent when: etcosbs_kt_stat.stat.exists and etc_kt_stat.stat.checksum != etcosbs_kt_stat.stat.checksum - name: Hardlink keytab for buildroot container (because Docker) file: src: "/etc/krb5.osbs_{{osbs_url}}.keytab" dest: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab" state: hard notify: - buildroot container when: etcosbs_kt_stat.stat.exists == false - name: pull fedora required docker images shell: "docker pull {{docker_registry}}/{{item}}" with_items: "{{fedora_required_images}}" register: docker_pull_fedora changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout" - name: register origin_version_out rpm query shell: "rpm -q origin --qf '%{Version}'" register: origin_version_out always_run: true changed_when: False - set_fact: origin_version: "{{origin_version_out.stdout}}" - name: pull openshift required docker images shell: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}" with_items: "{{openshift_required_images}}" register: docker_pull_openshift changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout" - name: tag openshift required docker images locally shell: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}" with_items: "{{openshift_required_images}}" when: docker_pull_openshift|changed - set_fact: docker_pull_openshift: "{{ docker_pull_openshift }}" - name: Post-Install image stream refresh hosts: osbs-masters[0] tags: - osbs-post-install vars_files: - /srv/web/infra/ansible/vars/global.yml - /srv/private/ansible/vars.yml - /srv/private/ansible/files/openstack/passwords.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: - name: refresh fedora image streams shell: "oc import-image fedora --all" when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"]|changed - name: refresh fedora image streams shell: "oc import-image fedora --all" when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"]|changed - name: enable nrpe for monitoring (noc01) iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT # - name: enable nrpe for monitoring (noc01.stg) # iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=1#0.5.126.2 state=present jump=ACCEPT