diff --git a/playbooks/multinode/pre.yaml b/playbooks/multinode/pre.yaml
index 76c796815..0988a4a68 100644
--- a/playbooks/multinode/pre.yaml
+++ b/playbooks/multinode/pre.yaml
@@ -12,3 +12,7 @@
 - name: Set up multi-node hosts file
 include_role:
 name: multi-node-hosts-file
+
+ - name: Set up multi-node firewall
+ include_role:
+ name: multi-node-firewall
diff --git a/roles/multi-node-firewall/README.rst b/roles/multi-node-firewall/README.rst
new file mode 100644
index 000000000..c19f310dd
--- /dev/null
+++ b/roles/multi-node-firewall/README.rst
@@ -0,0 +1,2 @@
+Configures the inventory private and public addresses in a multi-node job in
+iptables in order to allow traffic to and from each node without restrictions.
diff --git a/roles/multi-node-firewall/tasks/main.yaml b/roles/multi-node-firewall/tasks/main.yaml
new file mode 100644
index 000000000..bdca2401a
--- /dev/null
+++ b/roles/multi-node-firewall/tasks/main.yaml
@@ -0,0 +1,42 @@
+- name: Set up the host ip addresses
+ set_fact:
+ ipv4_addresses: >
+ {% set hosts = [] -%}
+ {% for host, vars in hostvars.items() -%}
+ {% set _ = hosts.append(vars['nodepool']['private_ipv4']) -%}
+ {% set _ = hosts.append(vars['nodepool']['public_ipv4']) -%}
+ {% endfor -%}
+ {{- hosts | sort | unique -}}
+ ipv6_addresses: >
+ {% set hosts = [] -%}
+ {% for host, vars in hostvars.items() -%}
+ {% if vars['nodepool']['public_ipv6'] -%}
+ {% set _ = hosts.append(vars['nodepool']['public_ipv6']) -%}
+ {% endif -%}
+ {% endfor -%}
+ {{- hosts | sort | unique -}}
+
+- name: Set up ipv4 iptables rules
+ become: yes
+ iptables:
+ state: present
+ action: insert
+ chain: INPUT
+ ip_version: ipv4
+ source: "{{ item }}"
+ jump: ACCEPT
+ with_items: "{{ ipv4_addresses }}"
+
+- name: Set up ipv6 iptables rules
+ become: yes
+ iptables:
+ state: present
+ action: insert
+ chain: INPUT
+ ip_version: ipv6
+ source: "{{ item }}"
+ jump: ACCEPT
+ with_items: "{{ ipv6_addresses }}"
+ when:
+ - ipv6_addresses is defined
+ - ipv6_addresses
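Review bot: The `ipv4_addresses` fact in roles/multi-node-firewall/tasks/main.yaml appends `private_ipv4` and `public_ipv4` unconditionally, whereas the `ipv6_addresses` branch only appends a non-empty `public_ipv6`; if either IPv4 field is empty for some node, an empty string reaches `source: "{{ item }}"` in the "Set up ipv4 iptables rules" task, which presumably either fails the play or, worse, produces an INPUT ACCEPT rule with no source match, which would defeat the point of the firewall. Mirroring the ipv6 guard in the ipv4 loop closes that gap, as in the rewritten fact below. Two smaller points: `become: yes` in both iptables tasks should be written `become: true`, and the loop variable `vars` shadows Ansible's `vars` magic variable, so a name such as `hv` reads more safely. The `ipv6_addresses is defined` condition is redundant because the preceding `set_fact` always defines it, though it is harmless.
```yaml
- name: Set up the host ip addresses
  set_fact:
    ipv4_addresses: >
      {% set hosts = [] -%}
      {% for host, hv in hostvars.items() -%}
      {% for addr in [hv['nodepool']['private_ipv4'], hv['nodepool']['public_ipv4']] -%}
      {% if addr -%}
      {% set _ = hosts.append(addr) -%}
      {% endif -%}
      {% endfor -%}
      {% endfor -%}
      {{- hosts | sort | unique -}}
    # … unchanged: ipv6_addresses …
# … unchanged: the two iptables tasks …
```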