b356762b94
This makes it cleaner, allows reuse and outsourcing to Zuul jobs, and enables us to create multiple such overlay networks for testing more advanced scenarios. Change-Id: Id557c81f68a7f34556854e7d6efc6eddfd2e7216
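---
# Plumb a "managed" test network onto every host in the play: derive a
# per-host address from managed_network_prefix, configure it on
# managed_interface_name, open the host firewall for that interface and
# finally verify that every host can reach every other host over it.
#
# Required variables (no sensible defaults exist, so they are asserted):
#   managed_interface_name          - interface to configure
#   managed_network_prefix          - string the per-host index is appended to
#   managed_network_prefix_length   - prefix length for the address (and broadcast)
#   managed_network_address_family  - 'ipv4' or 'ipv6'; selects which tasks run

- name: Ensure mandatory variables are defined and well-formed
  assert:
    that:
      - managed_interface_name is defined
      - managed_interface_name | length > 0
      - managed_network_prefix is defined
      - managed_network_prefix_length is defined
      # The prefix length is interpolated straight into the 'ip' command line
      # and into the ipaddr filter; a non-numeric or zero value would otherwise
      # only surface as a confusing runtime failure further down.
      - (managed_network_prefix_length | int) > 0
      - managed_network_address_family is defined
      # Every task below is gated on exactly these two spellings. Any other
      # value (e.g. 'IPv4') would silently skip address assignment and only
      # fail later at the iptables or ping step.
      - managed_network_address_family in ['ipv4', 'ipv6']
    fail_msg: >-
      managed_interface_name, managed_network_prefix,
      managed_network_prefix_length (positive integer) and
      managed_network_address_family ('ipv4' or 'ipv6') must all be set

- name: Set managed interface facts
  set_fact:
    # One address per host, derived from the host's position in the 'all'
    # group, so it is unique and stable for every host sharing this inventory.
    # NOTE(review): assumes the host count fits in the host part of the prefix
    # (e.g. at most 254 hosts for a dotted IPv4 /24 prefix) - not checked here.
    managed_interface_address: "{{ managed_network_prefix }}{{ groups['all'].index(inventory_hostname) + 1 }}"

- name: Add IPv4 address for managed network
  become: true
  vars:
    managed_network_cidr: "{{ managed_interface_address }}/{{ managed_network_prefix_length }}"
    # NOTE(yoctozepto): we have to compute and explicitly set the broadcast address,
    # otherwise bifrost fails its pre-bootstrap sanity checks due to missing
    # broadcast address as ansible picks up scope ('global') as the interface's
    # broadcast address which fails checks logic
    managed_network_broadcast_address: "{{ managed_network_cidr | ipaddr('broadcast') }}"
  # 'ip address add' is not idempotent: re-running this play on a host that
  # already carries the address fails with "RTNETLINK answers: File exists".
  command: ip address add {{ managed_network_cidr }} broadcast {{ managed_network_broadcast_address }} dev {{ managed_interface_name }}
  when: managed_network_address_family == 'ipv4'

# NOTE(yoctozepto): IPv6 has no broadcast address, let's not create confusion by setting it
- name: Add IPv6 address for managed network
  become: true
  # Same non-idempotency caveat as the IPv4 task above.
  command: ip address add {{ managed_interface_address }}/{{ managed_network_prefix_length }} dev {{ managed_interface_name }}
  when: managed_network_address_family == 'ipv6'

# Both rules below are inserted at the top of their chain and match only on the
# interface, so they accept *all* traffic on the managed network ahead of any
# pre-existing rule. That is intended for an isolated test overlay; do not reuse
# this on a host with a restrictive firewall policy without narrowing the match
# (protocol, ports, source prefix).
- name: Accept traffic on the managed network (IN)
  become: true
  iptables:
    state: present
    action: insert
    chain: INPUT
    ip_version: "{{ managed_network_address_family }}"
    in_interface: "{{ managed_interface_name }}"
    jump: ACCEPT

# NOTE(yoctozepto): the default policy is ACCEPT but it is nicer to get statistics
- name: Accept traffic on the managed network (OUT)
  become: true
  iptables:
    state: present
    action: insert
    chain: OUTPUT
    ip_version: "{{ managed_network_address_family }}"
    out_interface: "{{ managed_interface_name }}"
    jump: ACCEPT

# NOTE(yoctozepto): IPv6 DAD may delay proper address assignment
# this task will wait until DAD is done and addresses are no longer tentative
# we assign addresses uniquely so DAD can only move it to preferred
# hence we only check whether it's no longer tentative
- name: Ensure IPv6 addresses on the managed interface are no longer tentative
  become: true
  command: ip -o address show tentative dev {{ managed_interface_name }}
  register: tentative_addresses
  # Empty output means no address on the interface is still tentative.
  until: tentative_addresses.stdout == ''
  retries: 30
  delay: 2
  when:
    - managed_network_address_family == 'ipv6'

# Reachability check: each host pings the managed address of every inventory
# host (including itself). A single lost packet fails the task, which is
# deliberate for a test network.
- name: Ping across the managed network
  vars:
    ping_command: "{{ 'ping' if managed_network_address_family == 'ipv4' else 'ping6' }}"
  command: "{{ ping_command }} -c1 {{ hostvars[item].managed_interface_address }}"
  with_inventory_hostnames: all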