diff options
author | Bogdan Dobrelya <bdobreli@redhat.com> | 2017-10-18 12:53:31 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-18 12:53:31 +0200 |
commit | d2ff422b284f04b8a19ad4c6aa388ba397d915e1 (patch) | |
tree | 18435f866cd081dfad3f0b37117ccd329afef09b /playbooks/provisioning/openstack/post-install.yml | |
parent | 0d2c1802e6e880030c64946691b0d9cad2c24b43 (diff) | |
download | openshift-d2ff422b284f04b8a19ad4c6aa388ba397d915e1.tar.gz openshift-d2ff422b284f04b8a19ad4c6aa388ba397d915e1.tar.bz2 openshift-d2ff422b284f04b8a19ad4c6aa388ba397d915e1.tar.xz openshift-d2ff422b284f04b8a19ad4c6aa388ba397d915e1.zip |
Add Flannel support (#814)
* Add flannel support
* Document Flannel SDN use case for a separate data network.
* Add post install step for flannel SDN
* Configure iptables rules as described for OCP 3.4 refarch
https://access.redhat.com/documentation/en-us/reference_architectures/2017/html/deploying_red_hat_openshift_container_platform_3.4_on_red_hat_openstack_platform_10/emphasis_manual_deployment_emphasis#run_ansible_installer
* Configure flannel interface options
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Use os_firewall from galaxy for required flannel rules
For flannel SDN:
* Add openshift-ansible as a galaxy dependency module.
* Use openshift-ansible/roles/os_firewall to apply DNS rules
for flanel SDN.
* Apply the remaining advanced rules with direct
iptables commands as os_firewall do not support advanced rules.
* Persist only iptables rules w/o dynamic KUBe rules. Those are
added runtime and need restoration after reboot or iptables restart.
* Configure and enable the masked iptables service on the app nodes.
Enable it to allow the in-memory rules to be persisted.
Disable firewalld, which is the expected default behavior of the
os_firewall module.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
* Allow access from nodes to masters' port 2379 when using flannel
Flannel requires to gather information from etcd to configure and
assign the subnets in the nodes, therefore, allow access from nodes to port 2379/tcp to the master security group.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Diffstat (limited to 'playbooks/provisioning/openstack/post-install.yml')
-rw-r--r-- | playbooks/provisioning/openstack/post-install.yml | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/playbooks/provisioning/openstack/post-install.yml b/playbooks/provisioning/openstack/post-install.yml new file mode 100644 index 000000000..417813e2a --- /dev/null +++ b/playbooks/provisioning/openstack/post-install.yml @@ -0,0 +1,57 @@ +--- +- hosts: OSEv3 + gather_facts: False + become: True + tasks: + - name: Save iptables rules to a backup file + when: openshift_use_flannel|default(False)|bool + shell: iptables-save > /etc/sysconfig/iptables.orig-$(date +%Y%m%d%H%M%S) + +# Enable iptables service on app nodes to persist custom rules (flannel SDN) +# FIXME(bogdando) w/a https://bugzilla.redhat.com/show_bug.cgi?id=1490820 +- hosts: app + gather_facts: False + become: True + vars: + os_firewall_allow: + - service: dnsmasq tcp + port: 53/tcp + - service: dnsmasq udp + port: 53/udp + tasks: + - when: openshift_use_flannel|default(False)|bool + block: + - include_role: + name: openshift-ansible/roles/os_firewall + - include_role: + name: openshift-ansible/roles/lib_os_firewall + - name: set allow rules for dnsmasq + os_firewall_manage_iptables: + name: "{{ item.service }}" + action: add + protocol: "{{ item.port.split('/')[1] }}" + port: "{{ item.port.split('/')[0] }}" + with_items: "{{ os_firewall_allow }}" + +- hosts: OSEv3 + gather_facts: False + become: True + tasks: + - name: Apply post-install iptables hacks for Flannel SDN (the best effort) + when: openshift_use_flannel|default(False)|bool + block: + - name: set allow/masquerade rules for for flannel/docker + shell: >- + (iptables-save | grep -q custom-flannel-docker-1) || + iptables -A DOCKER -w + -p all -j ACCEPT + -m comment --comment "custom-flannel-docker-1"; + (iptables-save | grep -q custom-flannel-docker-2) || + iptables -t nat -A POSTROUTING -w + -o {{flannel_interface|default('eth1')}} + -m comment --comment "custom-flannel-docker-2" + -j MASQUERADE + + # NOTE(bogdando) the rules will not be restored, when iptables service unit is disabled & masked + - name: Persist in-memory iptables rules (w/o dynamic KUBE rules) + shell: iptables-save | grep -v KUBE > /etc/sysconfig/iptables |