57415688ce
Fixes several rules with test-playbooks and remove path exclusions. Since we introduced the progressive mode, exclusions are no longer needed and not haivng them will assure newly added code follows the same guidelines. Change-Id: I0a72d34aff8cf23172e26c7f44e0f61571ec74b6
96 lines
3.6 KiB
YAML
96 lines
3.6 KiB
YAML
- name: Test the persistent-firewall role
|
|
hosts: all
|
|
roles:
|
|
# We're including multi-node-bridge a second time with the toggle for
|
|
# enabling firewall rules for the bridge network subnet
|
|
# By this time, multi-node-firewall has already ran, we don't need to run
|
|
# it again -- we're testing here that both are persisted properly.
|
|
- { role: multi-node-bridge, bridge_authorize_internal_traffic: true }
|
|
post_tasks:
|
|
# NOTE (dmsimard): Using with_first_found and include_vars can yield
|
|
# unexpected results, see multinode_firewall_persistence_vars/README.rst
|
|
- name: Include OS-specific variables
|
|
include_vars: "{{ item }}"
|
|
with_first_found:
|
|
- "multinode_firewall_persistence_vars/{{ ansible_distribution }}_{{ ansible_distribution_release }}.yaml"
|
|
- "multinode_firewall_persistence_vars/{{ ansible_distribution }}.yaml"
|
|
- "multinode_firewall_persistence_vars/{{ ansible_os_family }}.yaml"
|
|
- "multinode_firewall_persistence_vars/default.yaml"
|
|
|
|
- name: Flush iptables rules
|
|
become: yes
|
|
command: "{{ item }}"
|
|
with_items:
|
|
- iptables --flush
|
|
- ip6tables --flush
|
|
|
|
# NOTE (dmsimard): We're using with_items here because RedHat and Gentoo
|
|
# need to restart both iptables and ip6tables.
|
|
- name: Restart iptables
|
|
become: yes
|
|
service:
|
|
name: "{{ item }}"
|
|
state: restarted
|
|
when: iptables_service is defined
|
|
with_items: "{{ iptables_service }}"
|
|
|
|
# If there is no iptables service (ie on opensuse), run the rc file to apply the rules
|
|
- name: Check for boot.local
|
|
stat:
|
|
path: /etc/init.d/boot.local
|
|
register: boot_local_file
|
|
when: ansible_os_family == "Suse"
|
|
|
|
- name: Restore iptables
|
|
become: yes
|
|
command: "/etc/init.d/boot.local"
|
|
when:
|
|
- ansible_os_family == "Suse"
|
|
- iptables_service is not defined
|
|
- boot_local_file.stat.exists
|
|
|
|
- name: switch and peer nodes should be in the ipv4 firewall
|
|
become: yes
|
|
command: iptables-save
|
|
changed_when: false
|
|
failed_when: false
|
|
register: iptables_rules
|
|
|
|
- name: Validate ipv4 private firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|
|
when:
|
|
- hostvars[item]['nodepool']['private_ipv4']
|
|
|
|
- name: Validate ipv4 public firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|
|
when:
|
|
- hostvars[item]['nodepool']['public_ipv4']
|
|
|
|
- name: Validate ipv4 bridge firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -d {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -j ACCEPT' in iptables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|
|
|
|
# ipv6_addresses is set by the multi-node-firewall role
|
|
- when: ipv6_addresses | length > 0
|
|
block:
|
|
- name: switch and peer nodes should be in the ipv6 firewall
|
|
become: yes
|
|
command: ip6tables-save
|
|
changed_when: false
|
|
failed_when: false
|
|
register: ip6tables_rules
|
|
|
|
- name: Validate ipv6 firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|