authorBogdan Dobrelya <bdobreli@redhat.com>2017-06-05 16:41:09 +0200
committerTomas Sedovic <tomas@sedovic.cz>2017-06-15 12:35:09 +0200
commit4bb2f005bc6cdeb8e656c2b42ac54db8fbd67fb9 (patch)
tree16b87eb066daad457104ebc5f65bf57ff5781870
parenta7300e6b7ace3098aa05794d4ac2f9e5a4cef64a (diff)
Add a flat sec group for openstack provider
Add an `openstack_flat_secgroup` option, defaulting to false. When set, it merges the security-group rules for master, node, etcd and infra nodes into a single group. This is less secure, but may help to work around security-group-rule quota limits. Update docs. Use a 30s timeout to mitigate the error: "Timeout (12s) waiting for privilege escalation prompt". Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
-rw-r--r--playbooks/provisioning/openstack/README.md11
-rw-r--r--playbooks/provisioning/openstack/pre_tasks.yml2
-rw-r--r--playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml3
-rw-r--r--roles/openstack-stack/templates/heat_stack.yaml.j2138
4 files changed, 140 insertions, 14 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md
index 68550d3a3..35f37db0d 100644
--- a/playbooks/provisioning/openstack/README.md
+++ b/playbooks/provisioning/openstack/README.md
@@ -25,7 +25,7 @@ etc.). The result is an environment ready for openshift-ansible.
### Copy the sample inventory
- cp openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
+ cp -r openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
### Copy clouds.yaml
@@ -62,6 +62,11 @@ The `openstack_num_masters`, `openstack_num_infra` and
`openstack_num_nodes` values specify the number of Master, Infra and
App nodes to create.
+The `openstack_flat_secgroup`, controls Neutron security groups creation for Heat
+stacks. Set it to true, if you experience issues with sec group rules
+quotas. It trades security for number of rules, by sharing the same set
+of firewall rules for master, node, etcd and infra nodes.
+
### Update the DNS names in `inventory/hosts`
The different server groups are currently grouped by the domain name,
@@ -96,13 +101,13 @@ Assuming your OpenStack (Keystone) credentials are in the `keystonerc`
file, this is how you stat the provisioning process:
. keystonerc
- ansible-playbook -i inventory --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
+ ansible-playbook -i inventory --timeout 30 --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
### Install OpenShift
Once it succeeds, you can install openshift by running:
- ansible-playbook --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
+ ansible-playbook --timeout 30 --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
## License
diff --git a/playbooks/provisioning/openstack/pre_tasks.yml b/playbooks/provisioning/openstack/pre_tasks.yml
index 8446bdfbc..a4ff7c4ac 100644
--- a/playbooks/provisioning/openstack/pre_tasks.yml
+++ b/playbooks/provisioning/openstack/pre_tasks.yml
@@ -18,7 +18,7 @@
- name: Set Dynamic Inventory Filters
become: false
shell: >
- export OS_INV_FILTER_KEY=clusterid && OS_INV_FILTER_VALUE={{ env_id }}
+ export OS_INV_FILTER_KEY=clusterid && export OS_INV_FILTER_VALUE={{ env_id }}
delegate_to: localhost
- name: Updating DNS domain to include env_id (if not empty)
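Review bot: The added `export` still does not make `OS_INV_FILTER_KEY` and `OS_INV_FILTER_VALUE` visible to anything after this task: `shell:` runs the line in a child process on localhost and both variables disappear when it exits, so unless a later task I cannot see re-sources them, the dynamic-inventory filter is presumably still unset when the inventory script runs. If the aim is to steer the inventory script used by this playbook run, the values have to be in the environment of the ansible-playbook process before it starts, or passed with `environment:` on the task that invokes the script. Separately, `{{ env_id }}` is interpolated unquoted into a shell command line; `export OS_INV_FILTER_VALUE={{ env_id | quote }}` avoids word-splitting or command injection if the inventory value ever contains spaces or shell metacharacters.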
diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
index 50aaa573d..3eb0f9f80 100644
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
@@ -37,3 +37,6 @@ openstack_subnet_prefix: "192.168.99"
# NOTE(shadower): Do not change this value. The Ansible user is currently
# hardcoded to `openshift`.
ansible_user: openshift
+
+# Use a single security group for a cluster
+openstack_flat_secgroup: false
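Review bot: The variable introduced here, `openstack_flat_secgroup`, is not the name the Heat template reads: `roles/openstack-stack/templates/heat_stack.yaml.j2` in this same commit branches on `openstack_flat_secgrp|bool`, so setting this key to `true` has no effect, and if `openstack_flat_secgrp` is not defined anywhere else the template render is likely to fail on the undefined variable. The README and this sample inventory both use `openstack_flat_secgroup`, so the template is the odd one out; rename it there, or provide the documented name as a role default that the template consumes. The comment above the key should also state the trade-off the README describes, e.g. `# Use a single security group for the whole cluster: fewer Neutron rules, but every node exposes every role's ports`.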
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index c10b1d90f..c750865a5 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -142,6 +142,119 @@ resources:
# cluster_id: {{ stack_name }}
# public_key: {{ ssh_public_key }}
+{% if openstack_flat_secgrp|bool %}
+ flat-secgrp:
+ type: OS::Neutron::SecurityGroup
+ properties:
+ name:
+ str_replace:
+ template: openshift-ansible-cluster_id-flat-secgrp
+ params:
+ cluster_id: {{ stack_name }}
+ description:
+ str_replace:
+ template: Security group for cluster_id OpenShift cluster
+ params:
+ cluster_id: {{ stack_name }}
+ rules:
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 22
+ port_range_max: 22
+ remote_ip_prefix: {{ ssh_ingress_cidr }}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 4001
+ port_range_max: 4001
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 8443
+ port_range_max: 8444
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 53
+ port_range_max: 53
+ - direction: ingress
+ protocol: udp
+ port_range_min: 53
+ port_range_max: 53
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 8053
+ port_range_max: 8053
+ - direction: ingress
+ protocol: udp
+ port_range_min: 8053
+ port_range_max: 8053
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 24224
+ port_range_max: 24224
+ - direction: ingress
+ protocol: udp
+ port_range_min: 24224
+ port_range_max: 24224
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 2224
+ port_range_max: 2224
+ - direction: ingress
+ protocol: udp
+ port_range_min: 5404
+ port_range_max: 5405
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 9090
+ port_range_max: 9090
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 2379
+ port_range_max: 2380
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 10250
+ port_range_max: 10250
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: udp
+ port_range_min: 10250
+ port_range_max: 10250
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 10255
+ port_range_max: 10255
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: udp
+ port_range_min: 10255
+ port_range_max: 10255
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: udp
+ port_range_min: 4789
+ port_range_max: 4789
+ remote_mode: remote_group_id
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 30000
+ port_range_max: 32767
+ remote_ip_prefix: {{ node_ingress_cidr }}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 30000
+ port_range_max: 32767
+ remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 80
+ port_range_max: 80
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 443
+ port_range_max: 443
+{% else %}
master-secgrp:
type: OS::Neutron::SecurityGroup
properties:
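Review bot: In the flat group most rules carry neither `remote_ip_prefix` nor `remote_mode`, which Neutron treats as ingress from any source, and this group is attached to every node including those that receive floating IPs, so ports such as 4001, 2224, 5404-5405, 8053, 9090 and 24224 become reachable from outside the cluster on every host rather than only where the per-role groups opened them. Restricting the intra-cluster ones to cluster members costs no additional rules: add `remote_mode: remote_group_id` to them the way 2379-2380, 10250, 10255 and 4789 already do; 4001 in particular presumably serves the same etcd role as 2379-2380 and should carry the same restriction. Whether 8443-8444, 80 and 443 must stay world-reachable depends on where the API and router are fronted, which this hunk does not show, so I would leave those and document the exposure in a comment next to `flat-secgrp`, e.g. `# Shared by all roles: any rule without remote_mode/remote_ip_prefix is open to 0.0.0.0/0 on every node`.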
@@ -168,10 +281,6 @@ resources:
- direction: ingress
protocol: tcp
port_range_min: 8443
- port_range_max: 8443
- - direction: ingress
- protocol: tcp
- port_range_min: 8444
port_range_max: 8444
- direction: ingress
protocol: tcp
@@ -204,10 +313,6 @@ resources:
- direction: ingress
protocol: udp
port_range_min: 5404
- port_range_max: 5404
- - direction: ingress
- protocol: udp
- port_range_min: 5405
port_range_max: 5405
- direction: ingress
protocol: tcp
@@ -317,6 +422,7 @@ resources:
protocol: tcp
port_range_min: 443
port_range_max: 443
+{% endif %}
dns-secgrp:
type: OS::Neutron::SecurityGroup
@@ -411,7 +517,7 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
- - { get_resource: etcd-secgrp }
+ - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} }
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -491,11 +597,15 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
+{% if openstack_flat_secgrp|bool %}
+ - { get_resource: flat-secgrp }
+{% else %}
- { get_resource: master-secgrp }
- { get_resource: node-secgrp }
{% if num_etcd is equalto 0 %}
- { get_resource: etcd-secgrp }
{% endif %}
+{% endif %}
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -538,7 +648,7 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
- - { get_resource: node-secgrp }
+ - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}node-secgrp{% endif %} }
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -581,8 +691,12 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
+{% if openstack_flat_secgrp|bool %}
+ - { get_resource: flat-secgrp }
+{% else %}
- { get_resource: node-secgrp }
- { get_resource: infra-secgrp }
+{% endif %}
floating_network: {{ external_network }}
net_name:
str_replace:
@@ -621,7 +735,11 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
+{% if openstack_flat_secgrp|bool %}
+ - { get_resource: flat-secgrp }
+{% else %}
- { get_resource: node-secgrp }
+{% endif %}
- { get_resource: dns-secgrp }
floating_network: {{ external_network }}
net_name: