From b2a60340c235397da5fb6cff0eee2a638c84337f Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Thu, 30 Mar 2017 11:04:27 +0100
Subject: [PATCH] Enable IP routing and SNAT in seed for use during provisioning
Without this there may not be a gateway configured after the control plane nodes are provisioned, meaning they cannot access the outside world.
---
 ansible/ip-routing.yml | 7 +++++++
 ansible/kolla-bifrost-hostvars.yml | 7 +++++--
 ansible/roles/ip-routing/tasks/main.yml | 11 +++++++++++
 ansible/roles/snat/tasks/main.yml | 12 ++++++++++++
 ansible/snat.yml | 11 +++++++++++
 kayobe/cli/commands.py | 3 ++-
 6 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 ansible/ip-routing.yml
 create mode 100644 ansible/roles/ip-routing/tasks/main.yml
 create mode 100644 ansible/roles/snat/tasks/main.yml
 create mode 100644 ansible/snat.yml
diff --git a/ansible/ip-routing.yml b/ansible/ip-routing.yml
new file mode 100644
index 000000000..ce16e1928
--- /dev/null
+++ b/ansible/ip-routing.yml
@@ -0,0 +1,7 @@
+---
+# Enable IP routing in the kernel.
+
+- name: Ensure IP routing is enabled
+ hosts: seed:controllers
+ roles:
+ - role: ip-routing
diff --git a/ansible/kolla-bifrost-hostvars.yml b/ansible/kolla-bifrost-hostvars.yml
index 3e970d797..6f78acad4 100644
--- a/ansible/kolla-bifrost-hostvars.yml
+++ b/ansible/kolla-bifrost-hostvars.yml
@@ -31,7 +31,10 @@
 ipv4_interface_mac: "{% raw %}{{ extra.pxe_interface_mac | default }}{% endraw %}"
 ipv4_address: "{{ provision_oc_net_name | net_ip }}"
 ipv4_subnet_mask: "{{ provision_oc_net_name | net_cidr | ipaddr('netmask') }}"
- ipv4_gateway: "{{ provision_oc_net_name | net_gateway }}"
+ # If the provisioning network does not have a gateway defined, use the
+ # seed as a gateway to allow external access until other networks have
+ # been configured.
+ ipv4_gateway: "{{ provision_oc_net_name | net_gateway or provision_oc_net_name | net_ip(seed_host) }}"
 ipv4_nameserver: "{{ resolv_nameservers[0] }}"
 tasks:
 - name: Ensure the Bifrost host variable files exist
@@ -44,5 +47,5 @@
 dest: "/etc/kolla/bifrost/inventory/host_vars/{{ inventory_hostname }}"
 delegate_to: "{{ item }}"
 with_items:
- - "{{ hostvars[groups['seed'][0]].ansible_host }}"
+ - "{{ hostvars[seed_host].ansible_host }}"
 become: True
diff --git a/ansible/roles/ip-routing/tasks/main.yml b/ansible/roles/ip-routing/tasks/main.yml
new file mode 100644
index 000000000..aeb896b82
--- /dev/null
+++ b/ansible/roles/ip-routing/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Ensure IP routing sysctls are set
+ sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ sysctl_set: "yes"
+ with_items:
+ - { name: "net.ipv4.ip_forward", value: 1}
+ - { name: "net.ipv4.conf.all.rp_filter", value: 0}
+ - { name: "net.ipv4.conf.default.rp_filter", value: 0}
+ become: True
diff --git a/ansible/roles/snat/tasks/main.yml b/ansible/roles/snat/tasks/main.yml
new file mode 100644
index 000000000..1ddb3aff6
--- /dev/null
+++ b/ansible/roles/snat/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+# iptables -t nat -A POSTROUTING -o {{ interface }} -j SNAT --to-source {{ source_ip }}
+- name: Ensure SNAT iptables rules exist
+ iptables:
+ action: append
+ table: nat
+ chain: POSTROUTING
+ out_interface: "{{ item.interface }}"
+ jump: SNAT
+ to_source: "{{ item.source_ip }}"
+ with_items: "{{ snat_rules }}"
+ become: True
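Review bot: The fallback to `net_ip(seed_host)` quietly makes the seed the default route of every overcloud host whose provisioning network has no gateway, which only works while the seed is forwarding and SNATing that traffic; the new comment above `ipv4_gateway` should name that dependency, e.g. `# Relies on the ip-routing and snat playbooks having been applied to the seed.` `seed_host` is used here and in the second hunk but is not defined anywhere in this commit, so it is presumably an existing inventory or group variable; worth confirming, because an undefined value would fail the template for every host rather than just the fallback case. The `|` filters bind tighter than `or`, so the expression itself reads as intended.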
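Review bot: Setting `net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.default.rp_filter` to 0 switches reverse-path filtering off entirely and, with `sysctl_set`, persists that, yet neither the task nor the commit message says why `net.ipv4.ip_forward` alone is not enough for a host forwarding between the provisioning network and its default route. If asymmetric routing is the reason, loose mode (`value: 2`) keeps the anti-spoofing check while tolerating it, and whichever value is kept deserves a comment above `with_items`, e.g. `# rp_filter is relaxed because <routing case> — strict mode would drop replies.` The role is also attached to `seed:controllers` in ip-routing.yml while commands.py only applies it with `limit="seed"`, so the controller side of this change is not exercised here.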
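Review bot: The appended rule has no `source` match, so every packet leaving through `item.interface` is SNATed whatever network it came from, which makes the seed a general-purpose NAT gateway for anything able to route through it rather than just the provisioning network; the `iptables` module accepts a `source` parameter, and the rule should be restricted to the provisioning subnet (the `net_cidr` filter used in kolla-bifrost-hostvars.yml gives that value). The module also does not persist rules, so after a seed reboot the overcloud hosts that fell back to the seed as gateway lose external access until the playbook is re-run; that limitation should at least be stated in the header comment. `to_source` also pins the address observed at run time, so a later change of the default address leaves a stale rule; `jump: MASQUERADE` avoids that when the address is not guaranteed fixed.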
diff --git a/ansible/snat.yml b/ansible/snat.yml
new file mode 100644
index 000000000..043e2466a
--- /dev/null
+++ b/ansible/snat.yml
@@ -0,0 +1,11 @@
+---
+# Enable SNAT using iptables.
+
+- name: Ensure SNAT is configured
+ hosts: seed:controllers
+ vars:
+ snat_rules:
+ - interface: "{{ ansible_default_ipv4.interface }}"
+ source_ip: "{{ ansible_default_ipv4.address }}"
+ roles:
+ - role: snat
diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py
index 6af74a576..83c524d00 100644
--- a/kayobe/cli/commands.py
+++ b/kayobe/cli/commands.py
@@ -178,7 +178,8 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, Command):
 if parsed_args.wipe_disks:
 playbooks += _build_playbook_list("wipe-disks")
 playbooks += _build_playbook_list(
- "dev-tools", "disable-selinux", "network", "ntp", "lvm")
+ "dev-tools", "disable-selinux", "network", "ip-routing", "snat",
+ "ntp", "lvm")
 ansible.run_playbooks(parsed_args, playbooks, limit="seed")
 kolla_ansible.run_seed(parsed_args, "bootstrap-servers",
 extra_vars={"ansible_user": ansible_user})
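Review bot: `snat_rules` is built from `ansible_default_ipv4.interface` and `.address`, and on a host with no default route those keys are absent (as far as I recall the fact is then an empty dict), so the play fails with an undefined-variable error instead of explaining that the seed needs an external route; a `when: ansible_default_ipv4.interface is defined` guard or an `assert` with a clear `msg` would make that failure understandable. The play also targets `seed:controllers` although commands.py only runs it with `limit="seed"`; if NAT on controllers is intended for later work a comment saying so would help, otherwise narrowing `hosts` to `seed` avoids someone later NATing controller traffic out of the controllers' default interface by accident.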
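Review bot: The two new playbooks run unconditionally for every seed host configure, so the seed is always turned into a forwarding NAT router with rp_filter disabled even when the provisioning network already has a gateway and the `ipv4_gateway` fallback is never used; a variable gating them, in the way `parsed_args.wipe_disks` gates `wipe-disks` just above, would keep the default seed hardened when the feature is not needed. The enclosing method starts and ends outside this hunk. A short comment above the call, e.g. `# ip-routing and snat let the seed act as a gateway for overcloud hosts during provisioning.`, would tie the two new list entries to the commit's intent.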