9b333bd72c
Initial attempt at getting ansible to work with installing Browbeat in each of these situations: * Install on Undercloud from Local Machine * Install on Undercloud from Undercloud * Install on Non-Undercloud from Local Machine * Install on Non-Undercloud from Non-Undercloud Improvements/Cleanup: * Install instructions from Browbeat VM * Separate Browbeat machine from Undercloud * Flavor/Image upload via python-OpenStackClient from browbeat-venv * Separate install components into separate roles for easier debugging * Separate Flavors/Images Upload from browbeat install into separate role * Change order of vars for easier understanding * Support CentOS iptables setup with another var * Download and then convert qcow2 into raw image for upload Change-Id: I99365ef933c57a9ec0faedefcdc2d7c0f92f0ec4
117 lines
4.4 KiB
YAML
117 lines
4.4 KiB
YAML
---
|
|
#
|
|
# Setup firewalld or iptables for Browbeat
|
|
#
|
|
|
|
- name: Determine if firewalld is in use
|
|
shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
|
|
ignore_errors: true
|
|
register: firewalld_in_use
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall is in use
|
|
- skip_ansible_lint
|
|
|
|
- name: Determine if firewalld is active
|
|
shell: systemctl is-active firewalld.service | egrep -vq 'inactive|unknown'
|
|
ignore_errors: true
|
|
register: firewalld_is_active
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if firewall is active
|
|
- skip_ansible_lint
|
|
|
|
- name: (shaker) Determine if TCP/{{shaker_port}} is already active
|
|
shell: firewall-cmd --list-ports | egrep -q "^{{shaker_port}}/tcp"
|
|
ignore_errors: true
|
|
register: firewalld_shaker_port_exists
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if port is already active
|
|
- skip_ansible_lint
|
|
|
|
- name: (browbeat_results) Determine if TCP/{{browbeat_results_port}} is already active
|
|
shell: firewall-cmd --list-ports | egrep -q "^{{browbeat_results_port}}/tcp"
|
|
when: browbeat_results_in_httpd
|
|
ignore_errors: true
|
|
register: firewalld_browbeat_results_port_exists
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if port is already active
|
|
- skip_ansible_lint
|
|
|
|
# add firewall rule via firewall-cmd
|
|
- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (firewalld)
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- firewall-cmd --zone=public --add-port={{shaker_port}}/tcp --permanent
|
|
- firewall-cmd --reload
|
|
ignore_errors: true
|
|
become: true
|
|
when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_shaker_port_exists.rc != 0
|
|
|
|
- name: (browbeat_results) Add firewall rule for TCP/{{browbeat_results_port}} (firewalld)
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- firewall-cmd --zone=public --add-port={{browbeat_results_port}}/tcp --permanent
|
|
- firewall-cmd --reload
|
|
ignore_errors: true
|
|
become: true
|
|
when: browbeat_results_in_httpd and firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_browbeat_results_port_exists.rc != 0
|
|
|
|
# iptables-services
|
|
- name: (shaker) check firewall rules for TCP/{{shaker_port}} (iptables-services)
|
|
shell: "grep \"dport {{shaker_port}} \\-j ACCEPT\" {{iptables_file}} | wc -l"
|
|
ignore_errors: true
|
|
become: true
|
|
register: iptables_shaker_port_exists
|
|
failed_when: iptables_shaker_port_exists == 127
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if port is already active
|
|
- skip_ansible_lint
|
|
|
|
- name: (browbeat_results) Check firewall rules for TCP/{{browbeat_results_port}} (iptables-services)
|
|
shell: "grep \"dport {{browbeat_results_port}} \\-j ACCEPT\" {{iptables_file}} | wc -l"
|
|
when: browbeat_results_in_httpd
|
|
ignore_errors: true
|
|
become: true
|
|
register: iptables_browbeat_results_port_exists
|
|
failed_when: iptables_browbeat_results_port_exists == 127
|
|
no_log: true
|
|
tags:
|
|
# Skip ANSIBLE0012 Commands should not change things if nothing needs doing
|
|
# Need to check if port is already active
|
|
- skip_ansible_lint
|
|
|
|
- name: (shaker) Add firewall rule for TCP/{{shaker_port}} (iptables-services)
|
|
lineinfile:
|
|
dest: "{{iptables_file}}"
|
|
line: '-A INPUT -p tcp -m tcp --dport {{shaker_port}} -j ACCEPT'
|
|
insertbefore: '^-A INPUT -i lo'
|
|
backup: yes
|
|
become: true
|
|
when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_shaker_port_exists.stdout|int == 0
|
|
register: iptables_needs_restart
|
|
|
|
- name: (browbeat_results) Add firewall rule for TCP/{{browbeat_results_port}} (iptables-services)
|
|
lineinfile:
|
|
dest: "{{iptables_file}}"
|
|
line: '-A INPUT -p tcp -m tcp --dport {{browbeat_results_port}} -j ACCEPT'
|
|
insertbefore: '^-A INPUT -i lo'
|
|
backup: yes
|
|
become: true
|
|
when: browbeat_results_in_httpd and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_browbeat_results_port_exists.stdout|int == 0
|
|
register: iptables_needs_restart
|
|
|
|
- name: Restart iptables-services (iptables-services)
|
|
command: systemctl restart iptables.service
|
|
ignore_errors: true
|
|
become: true
|
|
when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0
|