From 90f35c759af2cb483f0dc4ccccbb9ad0cf450d7a Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Mon, 9 May 2016 11:20:00 -0400
Subject: Fix firewall rules
---
 roles/openshift_master/defaults/main.yml | 36 --------------------------------
 roles/openshift_master/meta/main.yml | 27 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 36 deletions(-)
(limited to 'roles')
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 16df984f9..dbd62c80f 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -1,40 +1,4 @@
 ---
 openshift_node_ips: []
-
 # TODO: update setting these values based on the facts
-os_firewall_allow:
-- service: etcd embedded
- port: 4001/tcp
-- service: api server https
- port: "{{ openshift.master.api_port }}/tcp"
-- service: api controllers https
- port: "{{ openshift.master.controllers_port }}/tcp"
-- service: skydns tcp
- port: "{{ openshift.master.dns_port }}/tcp"
-- service: skydns udp
- port: "{{ openshift.master.dns_port }}/udp"
-# On HA masters version_gte facts are not properly set so open port 53
-# whenever we're not certain of the need
-- service: legacy skydns tcp
- port: "53/tcp"
- when: "{{ 'version' not in openshift.common or openshift.common.version == None }}"
-- service: legacy skydns udp
- port: "53/udp"
- when: "{{ 'version' not in openshift.common or openshift.common.version == None }}"
-- service: Fluentd td-agent tcp
- port: 24224/tcp
-- service: Fluentd td-agent udp
- port: 24224/udp
-- service: pcsd
- port: 2224/tcp
-- service: Corosync UDP
- port: 5404/udp
-- service: Corosync UDP
- port: 5405/udp
-os_firewall_deny:
-- service: api server http
- port: 8080/tcp
-- service: former etcd peer port
- port: 7001/tcp
-
 openshift_version: "{{ openshift_pkg_version | default(openshift_image_tag | default(openshift.docker.openshift_image_tag | default(''))) }}"
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index e882e0b8b..02fab6e82 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -18,3 +18,30 @@ dependencies:
 - role: openshift_builddefaults
 - role: openshift_master_facts
 - role: openshift_hosted_facts
+- role: os_firewall
+ os_firewall_allow:
+ - service: etcd embedded
+ port: 4001/tcp
+ - service: api server https
+ port: "{{ openshift.master.api_port }}/tcp"
+ - service: api controllers https
+ port: "{{ openshift.master.controllers_port }}/tcp"
+ - service: skydns tcp
+ port: "{{ openshift.master.dns_port }}/tcp"
+ - service: skydns udp
+ port: "{{ openshift.master.dns_port }}/udp"
+ - service: Fluentd td-agent tcp
+ port: 24224/tcp
+ - service: Fluentd td-agent udp
+ port: 24224/udp
+ - service: pcsd
+ port: 2224/tcp
+ - service: Corosync UDP
+ port: 5404/udp
+ - service: Corosync UDP
+ port: 5405/udp
+ os_firewall_deny:
+ - service: api server http
+ port: 8080/tcp
+ - service: former etcd peer port
+ port: 7001/tcp
-- cgit v1.2.3
From a97cbe973a76b95d64855dcb558b4f5629d82a62 Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Mon, 9 May 2016 14:59:13 -0400
Subject: Remove old unused firewall rules
---
 roles/openshift_master/meta/main.yml | 5 -----
 1 file changed, 5 deletions(-)
(limited to 'roles')
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index 02fab6e82..d8834d27f 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -40,8 +40,3 @@ dependencies:
 port: 5404/udp
 - service: Corosync UDP
 port: 5405/udp
- os_firewall_deny:
- - service: api server http
- port: 8080/tcp
- - service: former etcd peer port
- port: 7001/tcp
-- cgit v1.2.3
From b1a680fa543fa5132f0c768758437933fe8bcc20 Mon Sep 17 00:00:00 2001
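Review bot: The two conditional `legacy skydns` rules from the old defaults (`53/tcp` and `53/udp`, each gated on `when: "{{ 'version' not in openshift.common or openshift.common.version == None }}"`) are not carried into the `os_firewall_allow` list added to `openshift_master/meta/main.yml`, and neither the subject "Fix firewall rules" nor the diff says whether that is deliberate. The comment in the removed block explains they existed because version facts are unreliable on HA masters, so dropping them silently changes which ports an HA master opens. If the drop is intended, a comment above `os_firewall_allow:` such as `# legacy port 53 rules intentionally dropped; dns_port covers skydns` would make the decision reviewable; if not, both entries need to be re-added with their `when` clauses. The `os_firewall_deny` block appended at the end of this hunk is removed again by the next commit in the series, so it is effectively dead on arrival here.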
From: Scott Dodson
Date: Tue, 10 May 2016 12:59:13 -0400
Subject: Move os_firewall out of openshift_common
---
 roles/openshift_common/meta/main.yml | 1 -
 roles/openshift_node/meta/main.yml | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
(limited to 'roles')
diff --git a/roles/openshift_common/meta/main.yml b/roles/openshift_common/meta/main.yml
index 02150406d..f1cf3e161 100644
--- a/roles/openshift_common/meta/main.yml
+++ b/roles/openshift_common/meta/main.yml
@@ -12,6 +12,5 @@ galaxy_info:
 categories:
 - cloud
 dependencies:
-- role: os_firewall
 - role: openshift_facts
 - role: openshift_repos
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index ca0c332ea..db1776632 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -17,4 +17,5 @@ dependencies:
 - role: openshift_common
 - role: openshift_node_dnsmasq
 when: openshift.common.use_dnsmasq
+- role: os_firewall
-- cgit v1.2.3
From 4fcd7a3716e8dfef3e66decd580c5bf03f2f76b5 Mon Sep 17 00:00:00 2001
From: Scott Dodson
Date: Tue, 10 May 2016 16:19:52 -0400
Subject: Why is the node failing to start
---
 roles/openshift_node/tasks/main.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'roles')
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 06fde88af..be70a170d 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -112,6 +112,17 @@
 - name: Start and enable node
 service: name={{ openshift.common.service_type }}-node enabled=yes state=started
 register: node_start_result
+ ignore_errors: yes
+
+- name: Check logs on failure
+ command: journalctl -xe
+ register: node_failure
+ when: node_start_result | failed
+
+- name: Dump failure information
+ debug: var=node_failure
+ when: node_start_result | failed
+
 - set_fact:
 node_service_status_changed: "{{ node_start_result | changed }}"
-- cgit v1.2.3
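Review bot: Removing `- role: os_firewall` from `openshift_common/meta/main.yml` drops it for every role that reached it transitively through openshift_common, but this series re-adds it only to openshift_node (here) and openshift_master (earlier in the series); any other role that relied on that transitive dependency would now run with no firewall step at all. That is worth confirming against the remaining roles' meta files, which are not in this diff. The new `- role: os_firewall` entry in `openshift_node/meta/main.yml` passes no `os_firewall_allow`, so the node's rules presumably still come from the role's own variables; a comment such as `# rules come from the node's os_firewall_allow vars, not from this entry` above the line would make that visible to the next reader.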
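Review bot: `ignore_errors: yes` on the "Start and enable node" task lets the play continue after the node service fails to start: the two new tasks collect and print `journalctl -xe`, but nothing re-raises the failure, so `set_fact` runs on a failed `node_start_result` and the rest of the play proceeds on a host with no running node. Add a re-raise after the debug task, e.g. `- fail: msg="{{ openshift.common.service_type }}-node failed to start"` with `when: node_start_result | failed`, so the diagnostics are printed and the host is still marked failed. Write the flag as `ignore_errors: true` rather than `yes`, which is the YAML 1.1 truthy spelling yamllint flags. `journalctl -xe` dumps the tail of the whole journal, not just this unit, into the play output; `journalctl -u {{ openshift.common.service_type }}-node` would keep the dump focused and avoid echoing unrelated units' logs.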