Setup iptables in nodepool-setup

The keystone-only deployment does not complete on our reproducer environments setup using the nodepool-setup role. This is because there is no default rule allowing the subnodes to communicate. When iptables i brought up during deploy, we lose all network connectivity on the vxlan tunnel as a result. This patch resolves this issue by adding rules to the iptables configuration which allow all traffic on the nodes private IPs. The iptables setup during the deploy does not overwrite these rules, so this allows the keystone-only deployment to succeed in our reproducer environments. Change-Id: If0af2608d1d07eb3931ce480501d0fa789ca4248
2018-04-24 18:36:12 +00:00 · 2018-04-24 18:36:12 +00:00 · da6810a2d9
commit da6810a2d9
parent b9549a72f1
1 changed files with 24 additions and 1 deletions
--- a/roles/nodepool-setup/tasks/main.yml
+++ b/roles/nodepool-setup/tasks/main.yml
@ -43,6 +43,7 @@
    - screen
    - vim
    - wget
+    - iptables-services
  become: true

 - include: clone-ci-repos.yml
@ -69,13 +70,35 @@
    - subnodes
  become: true

- name: start services
+- name: start unbound service
  service:
    name: unbound
    state: started
    enabled: yes
  become: true

+- name: start iptables service
+  service:
+    name: iptables
+    state: started
+    enabled: true
+  become: true
+
+- name: Add iptables rules for subnodes
+  iptables:
+    chain: INPUT
+    source: "{{ hostvars[item].subnode_private_ip }}"
+    jump: ACCEPT
+    action: insert
+  with_inventory_hostnames:
+    - subnodes
+  become: true
+
+- name: Save the iptables rules
+  shell:
+    iptables-save > /etc/sysconfig/iptables
+  become: true
+
 - name: Set some env vars
  lineinfile:
    dest: /etc/environment