Prevent haproxy to run iptables during docker-puppet configuration
When docker-puppet runs the module tripleo::haproxy to generate the haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to the lack of the NET_ADMIN capability. Make the generation of firewall rules configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when the module is run through docker-puppet. Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9 Partial-Bug: #1697921
parent
237e613a17
commit
50f160a148
@ -53,6 +53,11 @@
|
|||
# Should haproxy run in daemon mode or not
|
||||
# Defaults to true
|
||||
#
|
||||
# [*manage_firewall*]
|
||||
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
|
||||
# (false means disabled, and true means enabled)
|
||||
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
|
||||
#
|
||||
# [*controller_hosts*]
|
||||
# IPs of host or group of hosts to load-balance the services
|
||||
# Can be a string or an array.
|
||||
|
@ -563,6 +568,7 @@ class tripleo::haproxy (
|
|||
$haproxy_daemon = true,
|
||||
$haproxy_stats_user = 'admin',
|
||||
$haproxy_stats_password = undef,
|
||||
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
|
||||
$controller_hosts = hiera('controller_node_ips'),
|
||||
$controller_hosts_names = hiera('controller_node_names', undef),
|
||||
$contrail_config_hosts = hiera('contrail_config_node_ips', undef),
|
||||
|
@ -881,6 +887,7 @@ class tripleo::haproxy (
|
|||
use_internal_certificates => $use_internal_certificates,
|
||||
internal_certificates_specs => $internal_certificates_specs,
|
||||
listen_options => $default_listen_options,
|
||||
manage_firewall => $manage_firewall,
|
||||
}
|
||||
|
||||
if $haproxy_stats {
|
||||
|
@ -1361,7 +1368,7 @@ class tripleo::haproxy (
|
|||
server_names => hiera('mysql_node_names', $controller_hosts_names_real),
|
||||
options => $mysql_member_options_real,
|
||||
}
|
||||
if hiera('tripleo::firewall::manage_firewall', true) {
|
||||
if $manage_firewall {
|
||||
include ::tripleo::firewall
|
||||
$mysql_firewall_rules = {
|
||||
'100 mysql_haproxy' => {
|
||||
|
@ -1443,7 +1450,7 @@ class tripleo::haproxy (
|
|||
server_names => hiera('redis_node_names', $controller_hosts_names_real),
|
||||
options => $haproxy_member_options,
|
||||
}
|
||||
if hiera('tripleo::firewall::manage_firewall', true) {
|
||||
if $manage_firewall {
|
||||
include ::tripleo::firewall
|
||||
$redis_firewall_rules = {
|
||||
'100 redis_haproxy' => {
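Review bot: `$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),` in the `class tripleo::haproxy (` parameter list is untyped, so a hiera value that arrives as the string 'false' (or any other non-empty string) is truthy in Puppet, and `if $manage_firewall` in the mysql and redis blocks would still declare the rules while the same string is handed on to `tripleo::haproxy::endpoint` via `manage_firewall => $manage_firewall`. The profile classes on this page already coerce with `Integer(hiera('step'))`, so a type constraint fits the house style: `Boolean $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),`. The same untyped declaration is added to `define tripleo::haproxy::endpoint (`, `class tripleo::profile::base::haproxy (` and `class tripleo::profile::pacemaker::haproxy (` below. The class body starts and ends outside these hunks.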
|
||||
@ -86,6 +86,11 @@
|
|||
# fetching the certificate for that specific network.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*manage_firewall*]
|
||||
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
|
||||
# (false means disabled, and true means enabled)
|
||||
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
|
||||
#
|
||||
define tripleo::haproxy::endpoint (
|
||||
$internal_ip,
|
||||
$service_port,
|
||||
|
@ -103,6 +108,7 @@ define tripleo::haproxy::endpoint (
|
|||
$use_internal_certificates = false,
|
||||
$internal_certificates_specs = {},
|
||||
$service_network = undef,
|
||||
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
|
||||
) {
|
||||
if $public_virtual_ip {
|
||||
# service exposed to the public network
|
||||
|
@ -158,7 +164,7 @@ define tripleo::haproxy::endpoint (
|
|||
server_names => $server_names,
|
||||
options => $member_options,
|
||||
}
|
||||
if hiera('tripleo::firewall::manage_firewall', true) {
|
||||
if $manage_firewall {
|
||||
include ::tripleo::firewall
|
||||
# This block will construct firewall rules only when we specify
|
||||
# a port for the regular service and also the ssl port for the service.
|
||||
@ -36,6 +36,11 @@
|
|||
# (Optional) Whether or not loadbalancer is enabled.
|
||||
# Defaults to hiera('enable_load_balancer', true).
|
||||
#
|
||||
# [*manage_firewall*]
|
||||
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
|
||||
# (false means disabled, and true means enabled)
|
||||
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -44,12 +49,14 @@
|
|||
class tripleo::profile::base::haproxy (
|
||||
$certificates_specs = {},
|
||||
$enable_load_balancer = hiera('enable_load_balancer', true),
|
||||
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
|
||||
$step = Integer(hiera('step')),
|
||||
) {
|
||||
if $step >= 1 {
|
||||
if $enable_load_balancer {
|
||||
class {'::tripleo::haproxy':
|
||||
internal_certificates_specs => $certificates_specs,
|
||||
manage_firewall => $manage_firewall,
|
||||
}
|
||||
|
||||
unless hiera('tripleo::haproxy::haproxy_service_manage', true) {
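Review bot: The new `# [*manage_firewall*]` paragraph says only "Enable or disable firewall settings for ports exposed by HAProxy" and does not state the consequence of false, which in the tripleo::haproxy hunks above is that neither `include ::tripleo::firewall` nor the per-service rule hashes are declared at all. Since this profile is where the value is passed down (`manage_firewall => $manage_firewall` into `class {'::tripleo::haproxy':`), its parameter doc is the place to spell that out, e.g. `# When false, no firewall rules are declared for the HAProxy listeners; the ports HAProxy binds are then only protected by rules applied elsewhere.` The identical paragraph in the other three files on this page would take the same sentence. The class body continues outside the hunk.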
|
||||
@ -26,6 +26,11 @@
|
|||
# (Optional) Whether load balancing is enabled for this cluster
|
||||
# Defaults to hiera('enable_load_balancer', true)
|
||||
#
|
||||
# [*manage_firewall*]
|
||||
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
|
||||
# (false means disabled, and true means enabled)
|
||||
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
|
||||
#
|
||||
# [*step*]
|
||||
# (Optional) The current step in deployment. See tripleo-heat-templates
|
||||
# for more details.
|
||||
|
@ -38,10 +43,13 @@
|
|||
class tripleo::profile::pacemaker::haproxy (
|
||||
$bootstrap_node = hiera('haproxy_short_bootstrap_node_name'),
|
||||
$enable_load_balancer = hiera('enable_load_balancer', true),
|
||||
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
|
||||
$step = Integer(hiera('step')),
|
||||
$pcs_tries = hiera('pcs_tries', 20),
|
||||
) {
|
||||
include ::tripleo::profile::base::haproxy
|
||||
class {'::tripleo::profile::base::haproxy':
|
||||
manage_firewall => $manage_firewall,
|
||||
}
|
||||
|
||||
if $::hostname == downcase($bootstrap_node) {
|
||||
$pacemaker_master = true
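Review bot: The resource-like `class {'::tripleo::profile::base::haproxy': manage_firewall => $manage_firewall, }` fails with a duplicate-declaration error if any other manifest has already included the base profile when this one is evaluated, whereas the `include ::tripleo::profile::base::haproxy` printed just above it was order-independent; the hunk going from 10 to 13 lines is consistent with the include having been replaced rather than kept, but that is inferred from the counts, not visible. If the replacement is intended, a comment such as `# Must be the first declaration of the base profile: resource-like syntax is needed to pass manage_firewall through.` would warn the next maintainer; the alternative that keeps the `include` is to let the value reach the base profile through automatic parameter lookup on `tripleo::profile::base::haproxy::manage_firewall`. The class body continues outside the hunk.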
|
||||