openstack/bifrost
Code Issues Proposed changes
bifrost/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
Dmitry Tantsur deaa4d7186 Use firewalld to open ports on CentOS and RHEL. 
The current code does not properly open ports in the libvirt zone
and firewalld is the default in CentOS/RHEL 8.

We will update Fedora once we switch to a newer version that
defaults to firewalld (30 apparently does not).

Change-Id: If6b3d13e2b4bf0e71b0968850e05ea93efd6f189
2020-06-29 09:42:04 +02:00

123 lines
4.4 KiB
YAML
Raw Blame History

# Copyright (c) 2015 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Setting MySQL socket fact
set_fact:
mysql_socket_path: "/var/{% if ansible_os_family | lower == 'redhat' %}lib{% else %}run{% endif %}/{% if ansible_os_family | lower == 'debian' %}mysqld/mysqld.sock{% else %}mysql/mysql.sock{% endif %}"
- name: "MySQL - Create database"
mysql_db:
login_unix_socket: "{{ mysql_socket_path | default(omit) }}"
login_user: "{{ mysql_username }}"
login_password: "{{ mysql_password }}"
name: "{{ ironic_inspector.database.name }}"
state: present
encoding: utf8
when: ironic_inspector.database.host == 'localhost'
- name: "MySQL - Create user for inspector"
mysql_user:
login_unix_socket: "{{ mysql_socket_path | default(omit) }}"
login_user: "{{ mysql_username }}"
login_password: "{{ mysql_password }}"
name: "{{ ironic_inspector.database.username }}"
password: "{{ ironic_inspector.database.password }}"
priv: "{{ ironic_inspector.database.name }}.*:ALL"
state: present
when: ironic_inspector.database.host == 'localhost'
- name: "Inspector - Ensure /etc/ironic-inspector/ exists"
file:
dest=/etc/ironic-inspector
owner=ironic
group=ironic
mode=0755
state=directory
# Note(TheJulia): The rootwrap copies will need to be re-tooled
# to possibly directly retreive current files if a source install
# is not utilized.
- name: "Copy rootwrap.conf from ironic-inspector source folder"
copy:
src: "{{ ironicinspector_git_folder }}/rootwrap.conf"
dest: "/etc/ironic-inspector/rootwrap.conf"
remote_src: yes
mode: 0644
owner: root
group: root
# Note(ashestakov): "copy" module in ansible doesn't support recursive
# copying on remote host. "cp" command used instead.
- name: "Copy rootwrap.d contents from ironic-inspector source folder"
command: cp -r "{{ ironicinspector_git_folder }}/rootwrap.d/" "/etc/ironic-inspector/rootwrap.d"
- name: "Populate keystone for ironic-inspector "
include: keystone_setup_inspector.yml
when: enable_keystone is defined and enable_keystone | bool == true
- name: "Inspector - Place Configuration"
template:
src=ironic-inspector.conf.j2
dest=/etc/ironic-inspector/inspector.conf
owner=ironic
group=ironic
mode=0740
- name: "Inspector - create data folder"
file:
name="{{ inspector_data_dir }}"
state=directory
owner=ironic
group=ironic
mode=0755
- name: "Inspector - create log folder"
file:
name="{{ inspector_data_dir }}/log"
state=directory
owner=ironic
group=ironic
mode=0755
- name: "Upgrade inspector DB Schema"
shell: ironic-inspector-dbsync --config-file /etc/ironic-inspector/inspector.conf upgrade
become: true
environment: "{{ bifrost_venv_env if enable_venv else {} }}"
- name: "Inspector - Get ironic-inspector install location"
shell: echo $(dirname $(which ironic-inspector))
register: ironic_install_prefix
environment: "{{ bifrost_venv_env if enable_venv else {} }}"
- name: "Inspector - Place service"
template:
src: systemd_template.j2
dest: "{{ init_dest_dir }}{{item.service_name}}.service"
owner: root
group: root
loop:
- { service_path: "{{ ironic_install_prefix.stdout | default('') }}", service_name: 'ironic-inspector', username: 'ironic', args: '--config-file /etc/ironic-inspector/inspector.conf'}
- name: "Inspector - Explicitly permit TCP/5050 for ironic-inspector callback"
iptables:
chain: INPUT
action: insert
protocol: tcp
destination_port: 5050
in_interface: "{{ network_interface }}"
jump: ACCEPT
when: ansible_distribution not in ["CentOS", "RedHat"]
- name: "Inspector - Enable port in firewalld"
firewalld:
port: "5050/tcp"
zone: "{{ 'libvirt' if testing else 'public' }}"
state: enabled
permanent: yes
immediate: yes
when: ansible_distribution in ["CentOS", "RedHat"]
View Git Blame Copy Permalink