7 files changed, 85 insertions, 84 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 37868b2ea..a542e1493 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -75,6 +75,17 @@ stacks. Set it to true, if you experience issues with sec group rules quotas. It trades security for number of rules, by sharing the same set of firewall rules for master, node, etcd and infra nodes. +#### Security notes + +Configure required `*_ingress_cidr` variables to restrict public access +to provisioned servers from your laptop (a /32 notation should be used) +or your trusted network. The most important is the `node_ingress_cidr` +that restricts public access to the deployed DNS server and cluster +nodes' ephemeral ports range. + +Note, the command ``curl https://api.ipify.org`` helps fiding an external +IP address of your box (the ansible admin node). + ### Update the DNS names in `inventory/hosts` The different server groups are currently grouped by the domain name, diff --git a/playbooks/provisioning/openstack/post-provision-openstack.yml b/playbooks/provisioning/openstack/post-provision-openstack.yml index 4e42c1c7f..918f9e065 100644 --- a/playbooks/provisioning/openstack/post-provision-openstack.yml +++ b/playbooks/provisioning/openstack/post-provision-openstack.yml @@ -1,6 +1,7 @@ --- # Assign hostnames - hosts: cluster_hosts + gather_facts: False become: true pre_tasks: - include: pre_tasks.yml @@ -9,6 +10,7 @@ # Subscribe DNS Host to allow for configuration below - hosts: dns + gather_facts: False become: true roles: - role: subscription-manager @@ -17,11 +19,14 @@ # Determine which DNS server(s) to use for our generated records - hosts: localhost + gather_facts: False + become: False roles: - dns-server-detect # Build the DNS Server Views and Configure DNS Server(s) - hosts: dns + gather_facts: False become: true pre_tasks: - include: pre_tasks.yml 
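Review bot: The added `gather_facts: False` and `become: False` lines in the post-provision-openstack.yml plays use capitalised Python-style booleans right next to the existing lowercase `become: true` in the same plays; Ansible accepts both, but the file's own convention and yamllint's truthy rule favour `gather_facts: false` / `become: false`. The same mixed style appears in the added lines of provision-openstack.yml and roles/openstack-stack/test/stack-create-test.yml in this commit. A secondary point: with fact gathering now disabled on every play here, any included pre_tasks or role that reads `ansible_*` facts will find them undefined unless facts were gathered earlier in the same run or cached; that dependency is worth a one-line comment at the top of the file, e.g. `# gather_facts is off in every play: facts must come from provision-openstack.yml or a fact cache`.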
@@ -32,6 +37,8 @@ # Build and process DNS Records - hosts: localhost + gather_facts: False + become: False pre_tasks: - include: pre_tasks.yml - name: "Generate dns records" @@ -41,6 +48,7 @@ # OpenShift Pre-Requisites - hosts: OSEv3 + gather_facts: False become: true tasks: - name: "Edit /etc/resolv.conf on masters/nodes" diff --git a/playbooks/provisioning/openstack/provision-openstack.yml b/playbooks/provisioning/openstack/provision-openstack.yml index 628044de6..feea15d5d 100644 --- a/playbooks/provisioning/openstack/provision-openstack.yml +++ b/playbooks/provisioning/openstack/provision-openstack.yml @@ -1,6 +1,7 @@ --- - hosts: localhost gather_facts: True + become: False pre_tasks: - include: pre_tasks.yml roles: @@ -32,12 +33,13 @@ - name: Refresh Server inventory hosts: localhost connection: local + become: False gather_facts: False tasks: - meta: refresh_inventory - hosts: cluster_hosts - gather_facts: false + gather_facts: True tasks: - name: Debug hostvar debug: diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml index 32ec43387..72a03132b 100644 --- a/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml +++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml @@ -8,3 +8,7 @@ openshift_master_default_subdomain: "apps.{{ env_id }}.{{ public_dns_domain }}" openshift_node_labels: "{{ openstack.metadata.node_labels }}" osm_default_node_selector: 'region=primary' + +# For POCs or demo environments that are using smaller instances than +# the official recommended values for RAM and DISK, uncomment the line below. +#openshift_disable_check: disk_availability,memory_availability diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml index ff9aaab63..7c9033828 100644 
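Review bot: Flipping the cluster_hosts play to `gather_facts: True` appears to make this "Debug hostvar" play the only place facts are gathered for those hosts, since every play in post-provision-openstack.yml now runs with `gather_facts: False`. That works when both playbooks run in a single ansible-playbook invocation (facts persist across plays) or when fact caching is configured, but running post-provision-openstack.yml on its own would leave `ansible_*` facts undefined for any role that needs them. Suggest documenting the coupling on the play: `# Gather facts here once: the post-provision-openstack.yml plays run with gather_facts: False and rely on these`. The play's tasks continue past the hunk end.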
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
@@ -21,40 +21,40 @@ openstack_subnet_prefix: "192.168.99" # # Red Hat subscription # # Using Red Hat Satellite: -# rhsm_register: True -# rhsm_satellite: 'sat-6.example.com' -# rhsm_org: 'OPENSHIFT_ORG' -# rhsm_activationkey: '<activation-key>' +#rhsm_register: True +#rhsm_satellite: 'sat-6.example.com' +#rhsm_org: 'OPENSHIFT_ORG' +#rhsm_activationkey: '<activation-key>' # # Or using RHN username, password and optionally pool: -# rhsm_register: True -# rhsm_username: '<username>' -# rhsm_password: '<password>' -# rhsm_pool: '<pool id>' +#rhsm_register: True +#rhsm_username: '<username>' +#rhsm_password: '<password>' +#rhsm_pool: '<pool id>' -# rhsm_repos: -# - "rhel-7-server-rpms" -# - "rhel-7-server-ose-3.5-rpms" -# - "rhel-7-server-extras-rpms" -# - "rhel-7-fast-datapath-rpms" +#rhsm_repos: +# - "rhel-7-server-rpms" +# - "rhel-7-server-ose-3.5-rpms" +# - "rhel-7-server-extras-rpms" +# - "rhel-7-fast-datapath-rpms" # # Roll-your-own DNS -# openstack_num_dns: 0 -# external_nsupdate_keys: -# public: -# key_secret: 'SKqKNdpfk7llKxZ57bbxUnUDobaaJp9t8CjXLJPl+fRI5mPcSBuxTAyvJPa6Y9R7vUg9DwCy/6WTpgLNqnV4Hg==' -# key_algorithm: 'hmac-md5' -# server: '192.168.1.1' -# private: -# key_secret: 'kVE2bVTgZjrdJipxPhID8BEZmbHD8cExlVPR+zbFpW6la8kL5wpXiwOh8q5AAosXQI5t95UXwq3Inx8QT58duw==' -# key_algorithm: 'hmac-md5' -# server: '192.168.1.2' +#openstack_num_dns: 0 +#external_nsupdate_keys: +# public: +# key_secret: 'SKqKNdpfk7llKxZ57bbxUnUDobaaJp9t8CjXLJPl+fRI5mPcSBuxTAyvJPa6Y9R7vUg9DwCy/6WTpgLNqnV4Hg==' +# key_algorithm: 'hmac-md5' +# server: '192.168.1.1' +# private: +# key_secret: 'kVE2bVTgZjrdJipxPhID8BEZmbHD8cExlVPR+zbFpW6la8kL5wpXiwOh8q5AAosXQI5t95UXwq3Inx8QT58duw==' +# key_algorithm: 'hmac-md5' +# server: '192.168.1.2' # NOTE(shadower): Do not change this value. The Ansible user is currently # hardcoded to `openshift`. ansible_user: openshift -# Use a single security group for a cluster +# # Use a single security group for a cluster openstack_flat_secgrp: false 
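Review bot: The `external_nsupdate_keys` example keeps `key_algorithm: 'hmac-md5'` together with two realistic-looking `key_secret` strings, and the new `#key: value` layout is explicitly meant to be uncommented as-is, so a reader who does that deploys a deprecated TSIG MAC and, if they forget to replace the secrets, keys that are public in this repository. Suggest a comment above the block such as `# Example values only: generate your own TSIG secrets and prefer a SHA-2 algorithm such as hmac-sha256`. Separately, the `# # Use a single security group for a cluster` line now has a doubled hash that looks accidental, and the `#key:` form without a space will trip yamllint's comments rule (require-starting-space) if these samples are linted.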
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2 index 32ea5ec1d..7fa7133ea 100644 --- a/roles/openstack-stack/templates/heat_stack.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack.yaml.j2 @@ -142,18 +142,17 @@ resources: # cluster_id: {{ stack_name }} # public_key: {{ ssh_public_key }} -{% if openstack_flat_secgrp|bool %} - flat-secgrp: + common-secgrp: type: OS::Neutron::SecurityGroup properties: name: str_replace: - template: openshift-ansible-cluster_id-flat-secgrp + template: openshift-ansible-cluster_id-common-secgrp params: cluster_id: {{ stack_name }} description: str_replace: - template: Security group for cluster_id OpenShift cluster + template: Basic ssh/dns security group for cluster_id OpenShift cluster params: cluster_id: {{ stack_name }} rules: @@ -164,20 +163,36 @@ resources: remote_ip_prefix: {{ ssh_ingress_cidr }} - direction: ingress protocol: tcp - port_range_min: 4001 - port_range_max: 4001 - - direction: ingress - protocol: tcp - port_range_min: 8443 - port_range_max: 8444 - - direction: ingress - protocol: tcp port_range_min: 53 port_range_max: 53 - direction: ingress protocol: udp port_range_min: 53 port_range_max: 53 + +{% if openstack_flat_secgrp|bool %} + flat-secgrp: + type: OS::Neutron::SecurityGroup + properties: + name: + str_replace: + template: openshift-ansible-cluster_id-flat-secgrp + params: + cluster_id: {{ stack_name }} + description: + str_replace: + template: Security group for cluster_id OpenShift cluster + params: + cluster_id: {{ stack_name }} + rules: + - direction: ingress + protocol: tcp + port_range_min: 4001 + port_range_max: 4001 + - direction: ingress + protocol: tcp + port_range_min: 8443 + port_range_max: 8444 - direction: ingress protocol: tcp port_range_min: 8053 
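Review bot: The two port-53 rules in `common-secgrp` (top of the -164 hunk) carry no `remote_ip_prefix` or `remote_group_id`, so Neutron admits them from any source, and because `common-secgrp` is now attached to every server type (etcd, lb, master, node, infra) this exposes TCP/UDP 53 on hosts that do not serve DNS; the previous placement in master-secgrp and flat-secgrp was at least narrower. Consider restricting them to the cluster subnet, `remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24"`, as the 30000-32767 rules elsewhere in this template already do, or moving them into the group of the servers that actually run a resolver. The ssh rule is already bounded by `ssh_ingress_cidr`, so the new description `Basic ssh/dns security group` only matches reality once the dns rules are scoped the same way. The flat-secgrp resource opened in this hunk continues past the hunk end.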
@@ -246,14 +261,6 @@ resources: port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" - - direction: ingress - protocol: tcp - port_range_min: 80 - port_range_max: 80 - - direction: ingress - protocol: tcp - port_range_min: 443 - port_range_max: 443 {% else %} master-secgrp: type: OS::Neutron::SecurityGroup @@ -271,11 +278,6 @@ resources: rules: - direction: ingress protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - - direction: ingress - protocol: tcp port_range_min: 4001 port_range_max: 4001 - direction: ingress @@ -284,14 +286,6 @@ resources: port_range_max: 8444 - direction: ingress protocol: tcp - port_range_min: 53 - port_range_max: 53 - - direction: ingress - protocol: udp - port_range_min: 53 - port_range_max: 53 - - direction: ingress - protocol: tcp port_range_min: 8053 port_range_max: 8053 - direction: ingress @@ -335,11 +329,6 @@ resources: rules: - direction: ingress protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - - direction: ingress - protocol: tcp port_range_min: 2379 port_range_max: 2379 remote_mode: remote_group_id @@ -366,11 +355,6 @@ resources: rules: - direction: ingress protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - - direction: ingress - protocol: tcp port_range_min: 10250 port_range_max: 10250 remote_mode: remote_group_id @@ -399,6 +383,7 @@ resources: port_range_min: 30000 port_range_max: 32767 remote_ip_prefix: "{{ openstack_subnet_prefix }}.0/24" +{% endif %} infra-secgrp: type: OS::Neutron::SecurityGroup @@ -422,7 +407,6 @@ resources: protocol: tcp port_range_min: 443 port_range_max: 443 -{% endif %} dns-secgrp: type: OS::Neutron::SecurityGroup 
@@ -472,11 +456,6 @@ resources: rules: - direction: ingress protocol: tcp - port_range_min: 22 - port_range_max: 22 - remote_ip_prefix: {{ ssh_ingress_cidr }} - - direction: ingress - protocol: tcp port_range_min: {{ openshift_master_api_port | default(8443) }} port_range_max: {{ openshift_master_api_port | default(8443) }} remote_ip_prefix: {{ lb_ingress_cidr }} @@ -518,6 +497,7 @@ resources: subnet: { get_resource: subnet } secgrp: - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}etcd-secgrp{% endif %} } + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -558,6 +538,7 @@ resources: subnet: { get_resource: subnet } secgrp: - { get_resource: lb-secgrp } + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -606,6 +587,7 @@ resources: - { get_resource: etcd-secgrp } {% endif %} {% endif %} + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -651,6 +633,7 @@ resources: subnet: { get_resource: subnet } secgrp: - { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}node-secgrp{% endif %} } + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -693,12 +676,8 @@ resources: net: { get_resource: net } subnet: { get_resource: subnet } secgrp: -{% if openstack_flat_secgrp|bool %} - - { get_resource: flat-secgrp } -{% else %} - - { get_resource: node-secgrp } - { get_resource: infra-secgrp } -{% endif %} + - { get_resource: common-secgrp } floating_network: {{ external_network }} net_name: str_replace: @@ -737,11 +716,6 @@ resources: net: { get_resource: net } subnet: { get_resource: subnet } secgrp: -{% if openstack_flat_secgrp|bool %} - - { get_resource: flat-secgrp } -{% else %} - - { get_resource: node-secgrp } -{% endif %} - { get_resource: dns-secgrp } floating_network: {{ external_network }} net_name: 
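Review bot: In the -693 hunk the infra servers are left with only `infra-secgrp` and `common-secgrp`: the hunk removes `node-secgrp` (non-flat) and `flat-secgrp` (flat) from their list while keeping `infra-secgrp` as context, so the node-level rules such as 10250 and 30000-32767 no longer reach infra nodes unless `infra-secgrp` duplicates them, and its rule list is outside this hunk. If infra nodes are schedulable OpenShift nodes, the line `- { get_resource: {% if openstack_flat_secgrp|bool %}flat-secgrp{% else %}node-secgrp{% endif %} }` should stay in the list, as the node server hunk just above does.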
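Review bot: In the -737 hunk the dns server is the only server type that does not get `common-secgrp` appended: the hunk removes the flat-secgrp/node-secgrp branch, which carried the port-22 rule that now lives in `common-secgrp`, and adds nothing, leaving just `dns-secgrp`. Unless dns-secgrp has its own ssh rule (its body is outside the hunk), Ansible will no longer reach this host for the `- hosts: dns` plays in post-provision-openstack.yml. Add `- { get_resource: common-secgrp }` after the `- { get_resource: dns-secgrp }` line, matching the other servers in this file.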
diff --git a/roles/openstack-stack/test/stack-create-test.yml b/roles/openstack-stack/test/stack-create-test.yml index 0fbf66f34..d80472193 100644 --- a/roles/openstack-stack/test/stack-create-test.yml +++ b/roles/openstack-stack/test/stack-create-test.yml @@ -1,5 +1,7 @@ --- - hosts: localhost + gather_facts: True + become: False roles: - role: openstack-stack stack_name: test-stack |