diff options
| author | Jason DeTiberus <detiber@gmail.com> | 2016-05-12 12:39:21 -0400 |
|---|---|---|
| committer | Jason DeTiberus <detiber@gmail.com> | 2016-05-12 12:39:21 -0400 |
| commit | 1165565b15f27d913a10ba64441608d76907c3ba (patch) | |
| tree | 12a7050e0d3d98db3c6b0ea5cddab30ff37f18c4 | |
| parent | f63985e045852aa6eace6b1f25c4b76abbf1e1c5 (diff) | |
| parent | 4fcd7a3716e8dfef3e66decd580c5bf03f2f76b5 (diff) | |
| download | openshift-1165565b15f27d913a10ba64441608d76907c3ba.tar.gz openshift-1165565b15f27d913a10ba64441608d76907c3ba.tar.bz2 openshift-1165565b15f27d913a10ba64441608d76907c3ba.tar.xz openshift-1165565b15f27d913a10ba64441608d76907c3ba.zip | |
Merge pull request #1870 from sdodson/fix-firewall
Fix master firewall rules by deferring them
| -rw-r--r-- | roles/openshift_common/meta/main.yml | 1 | ||||
| -rw-r--r-- | roles/openshift_master/defaults/main.yml | 36 | ||||
| -rw-r--r-- | roles/openshift_master/meta/main.yml | 22 | ||||
| -rw-r--r-- | roles/openshift_node/meta/main.yml | 1 | ||||
| -rw-r--r-- | roles/openshift_node/tasks/main.yml | 11 |
5 files changed, 34 insertions, 37 deletions
diff --git a/roles/openshift_common/meta/main.yml b/roles/openshift_common/meta/main.yml index 02150406d..f1cf3e161 100644 --- a/roles/openshift_common/meta/main.yml +++ b/roles/openshift_common/meta/main.yml @@ -12,6 +12,5 @@ galaxy_info: categories: - cloud dependencies: -- role: os_firewall - role: openshift_facts - role: openshift_repos diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index 16df984f9..dbd62c80f 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -1,40 +1,4 @@ --- openshift_node_ips: [] - # TODO: update setting these values based on the facts -os_firewall_allow: -- service: etcd embedded - port: 4001/tcp -- service: api server https - port: "{{ openshift.master.api_port }}/tcp" -- service: api controllers https - port: "{{ openshift.master.controllers_port }}/tcp" -- service: skydns tcp - port: "{{ openshift.master.dns_port }}/tcp" -- service: skydns udp - port: "{{ openshift.master.dns_port }}/udp" -# On HA masters version_gte facts are not properly set so open port 53 -# whenever we're not certain of the need -- service: legacy skydns tcp - port: "53/tcp" - when: "{{ 'version' not in openshift.common or openshift.common.version == None }}" -- service: legacy skydns udp - port: "53/udp" - when: "{{ 'version' not in openshift.common or openshift.common.version == None }}" -- service: Fluentd td-agent tcp - port: 24224/tcp -- service: Fluentd td-agent udp - port: 24224/udp -- service: pcsd - port: 2224/tcp -- service: Corosync UDP - port: 5404/udp -- service: Corosync UDP - port: 5405/udp -os_firewall_deny: -- service: api server http - port: 8080/tcp -- service: former etcd peer port - port: 7001/tcp - openshift_version: "{{ openshift_pkg_version | default(openshift_image_tag | default(openshift.docker.openshift_image_tag | default(''))) }}" diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index e882e0b8b..d8834d27f 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml @@ -18,3 +18,25 @@ dependencies: - role: openshift_builddefaults - role: openshift_master_facts - role: openshift_hosted_facts +- role: os_firewall + os_firewall_allow: + - service: etcd embedded + port: 4001/tcp + - service: api server https + port: "{{ openshift.master.api_port }}/tcp" + - service: api controllers https + port: "{{ openshift.master.controllers_port }}/tcp" + - service: skydns tcp + port: "{{ openshift.master.dns_port }}/tcp" + - service: skydns udp + port: "{{ openshift.master.dns_port }}/udp" + - service: Fluentd td-agent tcp + port: 24224/tcp + - service: Fluentd td-agent udp + port: 24224/udp + - service: pcsd + port: 2224/tcp + - service: Corosync UDP + port: 5404/udp + - service: Corosync UDP + port: 5405/udp diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index ca0c332ea..db1776632 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml @@ -17,4 +17,5 @@ dependencies: - role: openshift_common - role: openshift_node_dnsmasq when: openshift.common.use_dnsmasq +- role: os_firewall diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 06fde88af..be70a170d 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -112,6 +112,17 @@ - name: Start and enable node service: name={{ openshift.common.service_type }}-node enabled=yes state=started register: node_start_result + ignore_errors: yes + +- name: Check logs on failure + command: journalctl -xe + register: node_failure + when: node_start_result | failed + +- name: Dump failure information + debug: var=node_failure + when: node_start_result | failed + - set_fact: node_service_status_changed: "{{ node_start_result | changed }}" |