Enable IP routing and SNAT in seed for use during provisioning

Without this there may not be a gateway configured after the control plane nodes are provisioned, meaning they cannot access the outside world.
2017-03-30 11:04:27 +01:00 · 2017-03-30 11:04:27 +01:00 · b2a60340c2
commit b2a60340c2
parent df20c90e2e
6 changed files with 48 additions and 3 deletions
--- a/ansible/ip-routing.yml
+++ b/ansible/ip-routing.yml
@ -0,0 +1,7 @@
+---
+# Enable IP routing in the kernel.
+
+- name: Ensure IP routing is enabled
+  hosts: seed:controllers
+  roles:
+    - role: ip-routing
--- a/ansible/kolla-bifrost-hostvars.yml
+++ b/ansible/kolla-bifrost-hostvars.yml
@ -31,7 +31,10 @@
      ipv4_interface_mac: "{% raw %}{{ extra.pxe_interface_mac | default }}{% endraw %}"
      ipv4_address: "{{ provision_oc_net_name | net_ip }}"
      ipv4_subnet_mask: "{{ provision_oc_net_name | net_cidr | ipaddr('netmask') }}"
-      ipv4_gateway: "{{ provision_oc_net_name | net_gateway }}"
+      # If the provisioning network does not have a gateway defined, use the
+      # seed as a gateway to allow external access until other networks have
+      # been configured.
+      ipv4_gateway: "{{ provision_oc_net_name | net_gateway or provision_oc_net_name | net_ip(seed_host) }}"
      ipv4_nameserver: "{{ resolv_nameservers[0] }}"
  tasks:
    - name: Ensure the Bifrost host variable files exist
@ -44,5 +47,5 @@
        dest: "/etc/kolla/bifrost/inventory/host_vars/{{ inventory_hostname }}"
      delegate_to: "{{ item }}"
      with_items:
-        - "{{ hostvars[groups['seed'][0]].ansible_host }}"
+        - "{{ hostvars[seed_host].ansible_host }}"
      become: True
--- a/ansible/roles/ip-routing/tasks/main.yml
+++ b/ansible/roles/ip-routing/tasks/main.yml
@ -0,0 +1,11 @@
+---
+- name: Ensure IP routing sysctls are set
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    sysctl_set: "yes"
+  with_items:
+    - { name: "net.ipv4.ip_forward", value: 1}
+    - { name: "net.ipv4.conf.all.rp_filter", value: 0}
+    - { name: "net.ipv4.conf.default.rp_filter", value: 0}
+  become: True
--- a/ansible/roles/snat/tasks/main.yml
+++ b/ansible/roles/snat/tasks/main.yml
@ -0,0 +1,12 @@
+---
+# iptables -t nat -A POSTROUTING -o {{ interface }} -j SNAT --to-source {{ source_ip }}
+- name: Ensure SNAT iptables rules exist
+  iptables:
+    action: append
+    table: nat
+    chain: POSTROUTING
+    out_interface: "{{ item.interface }}"
+    jump: SNAT
+    to_source: "{{ item.source_ip }}"
+  with_items: "{{ snat_rules }}"
+  become: True
--- a/ansible/snat.yml
+++ b/ansible/snat.yml
@ -0,0 +1,11 @@
+---
+# Enable SNAT using iptables.
+
+- name: Ensure SNAT is configured
+  hosts: seed:controllers
+  vars:
+    snat_rules:
+      - interface: "{{ ansible_default_ipv4.interface }}"
+        source_ip: "{{ ansible_default_ipv4.address }}"
+  roles:
+    - role: snat
--- a/kayobe/cli/commands.py
+++ b/kayobe/cli/commands.py
@ -178,7 +178,8 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, Command):
        if parsed_args.wipe_disks:
            playbooks += _build_playbook_list("wipe-disks")
        playbooks += _build_playbook_list(
-            "dev-tools", "disable-selinux", "network", "ntp", "lvm")
+            "dev-tools", "disable-selinux", "network", "ip-routing", "snat",
+            "ntp", "lvm")
        ansible.run_playbooks(parsed_args, playbooks, limit="seed")
        kolla_ansible.run_seed(parsed_args, "bootstrap-servers",
                               extra_vars={"ansible_user": ansible_user})