Commit log for path: root/roles/os_firewall/tasks

Entry format: commit message (author, date, files changed, lines -removed/+added), followed by the commit body where one exists.
* Allow for firewalld on atomic host (Scott Dodson, 2018-01-18, 1 file, -1/+4)
  Right now this is only available on fedora so guard it with openshift_enable_unsupported_configurations

* Deprecate using Ansible tests as filters (Russell Teague, 2017-12-14, 2 files, -9/+13)

* retry package operations (Luke Meyer, 2017-11-30, 2 files, -0/+4)
  When a package install/update fails due to network blips or other spotty availability, retry it. If the failure is a real failure (e.g. package is really not there), it still fails after 3 tries (Ansible default).
* Include Deprecation - openshift-loadbalancer (Russell Teague, 2017-11-22, 1 file, -2/+2)

* Only attempt to start iptables on hosts in the current batch (Scott Dodson, 2017-09-13, 1 file, -1/+1)
  If the os_firewall role is called from within a play that uses serial, then it was attempting to start iptables on hosts that may not have had iptables installed on them yet. So limit the hosts to the current batch. According to the ansible docs, on plays where serial is unused this is the same as ansible_play_hosts.
  See http://docs.ansible.com/ansible/latest/playbooks_variables.html
  Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1490739
* Additional os_firewall role refactoring (Russell Teague, 2017-08-15, 3 files, -13/+29)
  - Remove openshift_facts dependency
  - Move firewall initialization from std_include.yml to openshift_cluster/config.yml
  Installing firewall packages is only necessary during OpenShift installation.
* Merge pull request #5051 from DenverJ/fix-iptables-reload (Scott Dodson, 2017-08-15, 1 file, -0/+3)
  Start iptables on each master in serial

  * Start iptables on each master in serial (Denver Janke, 2017-08-10, 1 file, -0/+3)
    Fix task hanging when running from a master

* First attempt at refactor of os_firewall (Kenny Woodson, 2017-08-08, 2 files, -32/+0)
* Don't double quote when conditions (Scott Dodson, 2017-05-01, 2 files, -2/+2)

* Restart polkitd to workaround a bug in polkitd (Scott Dodson, 2017-04-03, 1 file, -0/+6)

* Wait for firewalld polkit policy to be defined (Scott Dodson, 2017-03-30, 1 file, -0/+10)
  Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1436964

* Add 10 second wait after disabling firewalld (Scott Dodson, 2017-01-25, 2 files, -0/+10)

* Remove is_containerized check for firewalld installs (Russell Teague, 2017-01-24, 1 file, -2/+3)

* Enable firewalld by default (Russell Teague, 2016-12-14, 1 file, -0/+6)
* Systemd `systemctl show` workaround (Russell Teague, 2016-11-23, 2 files, -2/+2)
  `systemctl show` would exit with RC=1 for non-existent services in v231. This caused the Ansible systemd module to exit with a failure of running the `systemctl show` command instead of exiting stating the service was not found. This change catches both failures on either older or newer versions of systemd.
  The change in systemd exit status could be resolved in systemd v232.
  https://github.com/systemd/systemd/commit/3dced37b7c2c9a5c733817569d2bbbaa397adaf7
* Merge pull request #2817 from mtnbikenc/os_firewall-refactor (Jason DeTiberus, 2016-11-22, 2 files, -99/+20)
  Refactor os_firewall role

  * Refactor os_firewall role (Russell Teague, 2016-11-21, 2 files, -99/+20)
    - Remove unneeded tasks duplicated by new module functionality
    - Ansible systemd module has 'masked' and 'daemon_reload' options
    - Ansible firewalld module has 'immediate' option

* Refactor to use Ansible package module (Russell Teague, 2016-11-17, 2 files, -2/+2)
  The Ansible package module will call the correct package manager for the underlying OS.
* Suppress more warnings. (Andrew Butcher, 2016-09-28, 1 file, -0/+4)

* Check and unmask iptables/firewalld. (Andrew Butcher, 2016-05-02, 2 files, -0/+30)

* Cleanup various deprecation warnings. (Andrew Butcher, 2016-04-29, 2 files, -12/+6)

* Fix enabling iptables for latest rhel versions (Jason DeTiberus, 2016-02-08, 1 file, -16/+16)
* Merge pull request #1118 from detiber/os_firewall_disable (Brenton Leanhardt, 2016-01-19, 1 file, -2/+2)
  Add ability to disable os_firewall

  * Add ability to disable os_firewall (Jason DeTiberus, 2016-01-05, 1 file, -2/+2)
* Install iptables, iptables-services when not is_atomic (Scott Dodson, 2015-12-22, 1 file, -1/+1)

* Skip yum/dnf ops when is_containerized (Scott Dodson, 2015-12-15, 1 file, -0/+1)

* Containerization work by @sdodson (Scott Dodson, 2015-12-15, 1 file, -1/+1)

* Initial containerization work from @ibotty (Tobias Florek, 2015-12-15, 1 file, -0/+1)
  copied from https://github.com/eparis/kubernetes-ansible/blob/17f98edd7ff53e649b43e26822b8fbc0be42b233/roles/common/tasks/main.yml
* Remove yum / dnf duplication (Scott Dodson, 2015-12-09, 2 files, -25/+2)
* Fedora changes: (Adam Miller, 2015-12-02, 2 files, -0/+19)
  - ansible bootstrap playbook for Fedora 23+
  - add conditionals to handle yum vs dnf
  - add Fedora OpenShift COPR
  - update BYO host README for repo configs and fedora bootstrap
  Fix typo in etcd README, remove unnecessary parens in openshift_node main.yml
  rebase on master, update package cache refresh handler for yum vs dnf
  Fix typo in etcd README, remove unnecessary parens in openshift_node main.yml
* fixes to better deal with gce image defaults (Jason DeTiberus, 2015-04-21, 2 files, -0/+2)
  - remove exception if INPUT rules are not found, gce centos-7 image is stripped of default rules
  - ignore_errors for systemctl mask operation, fails with permission denied on gce centos-7 image.
* openshift_facts role/module refactor default settings (Jason DeTiberus, 2015-04-03, 2 files, -5/+12)
  - Add openshift_facts role and module
    - Created new role openshift_facts that contains an openshift_facts module
    - Refactor openshift_* roles to use openshift_facts instead of relying on defaults
    - Refactor playbooks to use openshift_facts
    - Cleanup inventory group_vars
  - Update defaults
    - update openshift_master role firewall defaults
      - remove etcd peer port, since we will not be supporting clustered embedded etcd
      - remove 8444 since console now runs on the api port by default
      - add 8444 and 7001 to disabled services to ensure removal if updating
  - Add new role os_env_extras_node that is a subset of the docker role
    - previously, we were starting/enabling docker which was causing issues with some installations
    - Does not install or start docker, since the openshift-node role will handle that for us
    - Only adds root to the dockerroot group
    - Update playbooks to use ops_env_extras_node role instead of docker role
  - os_firewall bug fixes
    - ignore ip6tables for now, since we are not configuring any ipv6 rules
    - if installing package do a daemon-reload before starting/enabling service
  - Add aws support to bin/cluster
  - Add list action to bin/cluster
  - Add update action to bin/cluster
  - cleanup some stray debug statements
  - some variable renaming for clarity
* os_firewall fixes (Jason DeTiberus, 2015-03-09, 2 files, -32/+46)
  - Fix variable references to os_firewall_{allow,deny} instead of {allow, deny}
  - Fix ordering of service stop/start to ensure firewall rules are properly initiated after service startup
  - Add test for package installed before attempting to disable or mask services

* start fixing os_firewall issues (Jason DeTiberus, 2015-03-06, 1 file, -1/+1)
  - Fix missed references to old firewall scripts
  - Fix variable name references that didn't get updated
* refactor firewall management into new role (Jason DeTiberus, 2015-03-05, 3 files, -0/+127)
  - Add os_firewall role
  - Remove firewall settings from base_os, add wait task to os_firewall
  - Added an iptables firewall module for maintaining the following (in a mostly naive manner):
    - ensure the OPENSHIFT_ALLOW chain is defined
    - ensure that there is a jump rule in the INPUT chain for OPENSHIFT_ALLOW
    - adds or removes entries from the OPENSHIFT_ALLOW chain
    - issues '/usr/libexec/iptables/iptables.init save' when rules are changed
  - Limitations of iptables firewall module
    - only allows setting of ports/protocols to open
    - no testing on ipv6 support
  - made os_firewall a dependency of openshift_common
  - Hardcoded openshift_common to use iptables (through the vars directory) until upstream support is in place for firewalld