path: root/roles/os_firewall
Commit log (each entry: commit message; author, date, files changed, lines -/+)

* Allow for firewalld on atomic host
  Scott Dodson, 2018-01-18, 1 file changed, -1/+4

  Right now this is only available on fedora so guard it with
  openshift_enable_unsupported_configurations

* Migrate to import_role for static role inclusion
  Scott Dodson, 2018-01-05, 1 file changed, -2/+2

  In Ansible 2.2, the include_role directive came into existence as a Tech
  Preview. It is still a Tech Preview through Ansible 2.4 (and in current
  devel branch), but with a notable change. The default behavior switched
  from static: true to static: false because that functionality moved to the
  newly introduced import_role directive (in order to stay consistent with
  `include*` being dynamic in nature and `import*` being static in nature).
  The dynamic include is considerably more memory intensive as it will
  dynamically create a role import for every host in the inventory list to
  be used. (Also worth noting, there is at the time of this writing an
  object allocation inefficiency in the dynamic include that can in certain
  situations amplify this effect considerably.) This change is meant to
  mitigate the pressure on memory for the Ansible control host. We need to
  evaluate where it makes sense to dynamically include roles and revert back
  to dynamic inclusion if and where it makes sense to do so.

* Deprecate using Ansible tests as filters
  Russell Teague, 2017-12-14, 2 files changed, -9/+13

* retry package operations
  Luke Meyer, 2017-11-30, 2 files changed, -0/+4

  When a package install/update fails due to network blips or other spotty
  availability, retry it. If the failure is a real failure (e.g. package is
  really not there) it still fails after 3 tries (Ansible default).

* Include Deprecation - openshift-loadbalancer
  Russell Teague, 2017-11-22, 1 file changed, -2/+2

* Only attempt to start iptables on hosts in the current batch
  Scott Dodson, 2017-09-13, 1 file changed, -1/+1

  If os_firewall role is called from within a play that uses serial then it
  was attempting to start iptables on hosts that may not have had iptables
  installed on them yet. So limit the hosts to the current batch. According
  to the ansible docs on plays where serial is unused this is the same as
  ansible_play_hosts.
  See http://docs.ansible.com/ansible/latest/playbooks_variables.html
  Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1490739

* Default to global setting for firewall.
  Kenny Woodson, 2017-08-25, 1 file changed, -1/+1

* Additional os_firewall role refactoring
  Russell Teague, 2017-08-15, 4 files changed, -29/+29

  * Remove openshift_facts dependency
  * Move firewall initialization from std_include.yml to
    openshift_cluster/config.yml
  Installing firewall packages is only necessary during OpenShift
  installation.

* Merge pull request #5051 from DenverJ/fix-iptables-reload
  Scott Dodson, 2017-08-15, 1 file changed, -0/+3

  Start iptables on each master in serial

  * Start iptables on each master in serial
    Denver Janke, 2017-08-10, 1 file changed, -0/+3

    Fix task hanging when running from a master

* Updated README to reflect refactor. Moved firewall initialize into separate file.
  Kenny Woodson, 2017-08-10, 2 files changed, -25/+14

* First attempt at refactor of os_firewall
  Kenny Woodson, 2017-08-08, 3 files changed, -315/+0

* Default to iptables on master
  Scott Dodson, 2017-05-10, 2 files changed, -2/+2

  We did this in 3.5 but never on master and we never came back to add
  migration support. So we'll revert this on master and if/when we add
  migration support we'll switch the default.

* Remove vim configuration from Python files
  Rodolfo Carvalho, 2017-05-09, 1 file changed, -1/+0

  In a project where contributors are free to use whatever editor they want
  and we have linting tools that verify the proper formatting of Python
  files, it should not be required to have a vim-specific line in Python
  files.

* Don't double quote when conditions
  Scott Dodson, 2017-05-01, 2 files changed, -2/+2

* Restart polkitd to workaround a bug in polkitd
  Scott Dodson, 2017-04-03, 1 file changed, -0/+6

* Wait for firewalld polkit policy to be defined
  Scott Dodson, 2017-03-30, 1 file changed, -0/+10

  Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1436964

* Add 10 second wait after disabling firewalld
  Scott Dodson, 2017-01-25, 2 files changed, -0/+10

* Remove is_containerized check for firewalld installs
  Russell Teague, 2017-01-24, 1 file changed, -2/+3

* [os_firewall] Fix default iptables args.
  Andrew Butcher, 2017-01-24, 1 file changed, -2/+2

* [os_firewall] Add -w flag to wait for iptables xtables lock.
  Andrew Butcher, 2017-01-23, 1 file changed, -1/+3

* Support openshift_node_port_range for configuring service NodePorts
  Clayton Coleman, 2017-01-10, 1 file changed, -2/+10

  Sets the appropriate config field if openshift_node_port_range is set and
  also configures firewalls on each node. firewalld already supports port
  ranges like "30000-32000", while iptables needs that value converted to
  the correct "30000:32000" form for use with `--dport`. If not set, no
  node ports are opened.

* Enable firewalld by default
  Russell Teague, 2016-12-14, 3 files changed, -7/+14

* update tests and flake8/pylint fixes
  Jason DeTiberus, 2016-11-29, 1 file changed, -24/+24

* Updating docs for Ansible 2.2 requirements
  Russell Teague, 2016-11-28, 2 files changed, -2/+2

* Systemd `systemctl show` workaround
  Russell Teague, 2016-11-23, 2 files changed, -2/+2

  `systemctl show` would exit with RC=1 for non-existent services in v231.
  This caused the Ansible systemd module to exit with a failure of running
  the `systemctl show` command instead of exiting stating the service was
  not found. This change catches both failures on either older or newer
  versions of systemd. The change in systemd exit status could be resolved
  in systemd v232.
  https://github.com/systemd/systemd/commit/3dced37b7c2c9a5c733817569d2bbbaa397adaf7

* Merge pull request #2838 from mscherer/port_py3
  Jason DeTiberus, 2016-11-22, 1 file changed, -1/+2

  Make os_firewall_manage_iptables run on python3

  * Make os_firewall_manage_iptables run on python3
    Michael Scherer, 2016-11-22, 1 file changed, -1/+2

    It fails with that traceback:

      Traceback (most recent call last):
        File "/tmp/ansible_ib5gpbsp/ansible_module_os_firewall_manage_iptables.py", line 273, in <module>
          main()
        File "/tmp/ansible_ib5gpbsp/ansible_module_os_firewall_manage_iptables.py", line 257, in main
          iptables_manager.add_rule(port, protocol)
        File "/tmp/ansible_ib5gpbsp/ansible_module_os_firewall_manage_iptables.py", line 87, in add_rule
          self.verify_chain()
        File "/tmp/ansible_ib5gpbsp/ansible_module_os_firewall_manage_iptables.py", line 82, in verify_chain
          self.create_jump()
        File "/tmp/ansible_ib5gpbsp/ansible_module_os_firewall_manage_iptables.py", line 142, in create_jump
          input_rules = [s.split() for s in output.split('\n')]

* Merge pull request #2817 from mtnbikenc/os_firewall-refactor
  Jason DeTiberus, 2016-11-22, 4 files changed, -105/+26

  Refactor os_firewall role

  * Refactor os_firewall role
    Russell Teague, 2016-11-21, 4 files changed, -105/+26

    * Remove unneeded tasks duplicated by new module functionality
    * Ansible systemd module has 'masked' and 'daemon_reload' options
    * Ansible firewalld module has 'immediate' option

* Refactor to use Ansible package module
  Russell Teague, 2016-11-17, 2 files changed, -2/+2

  The Ansible package module will call the correct package manager for the
  underlying OS.

* Added dependency of os_firewall to docker role
  Russell Teague, 2016-11-14, 2 files changed, -1/+2

  The docker role requires iptables-services to be installed. Added
  dependency on os_firewall role to ensure the iptables service is
  installed first. Currently this will only work with iptables and not with
  firewalld.
  * Added allow_duplicates to os_firewall role meta
  * Removed unused task from docker/tasks
  * Corrected os_firewall Defaults in README

* Fix typos
  Rodolfo Carvalho, 2016-10-19, 1 file changed, -2/+2

* Suppress more warnings.
  Andrew Butcher, 2016-09-28, 1 file changed, -0/+4

* Check if last rule is DROP when inserting iptables rules.
  Andrew Butcher, 2016-06-27, 1 file changed, -5/+5

* Check and unmask iptables/firewalld.
  Andrew Butcher, 2016-05-02, 2 files changed, -0/+30

* Default os_firewall_use_firewalld to false in os_firewall and remove overrides.
  Andrew Butcher, 2016-05-02, 1 file changed, -1/+5

* Cleanup various deprecation warnings.
  Andrew Butcher, 2016-04-29, 3 files changed, -12/+8

* Move common facts to openshift_facts
  Jason DeTiberus, 2016-03-15, 1 file changed, -1/+2

  - Prevents roles that need common facts from needing to require
    openshift_common, which pulls in the openshift binary.
  - Add dependency on openshift_facts to os_firewall, since it uses
    openshift.common facts

* Fix enabling iptables for latest rhel versions
  Jason DeTiberus, 2016-02-08, 1 file changed, -16/+16

* Merge pull request #1118 from detiber/os_firewall_disable
  Brenton Leanhardt, 2016-01-19, 2 files changed, -2/+3

  Add ability to disable os_firewall

  * Add ability to disable os_firewall
    Jason DeTiberus, 2016-01-05, 2 files changed, -2/+3

* Install iptables, iptables-services when not is_atomic
  Scott Dodson, 2015-12-22, 1 file changed, -1/+1

* Skip yum/dnf ops when is_containerized
  Scott Dodson, 2015-12-15, 1 file changed, -0/+1

* Containerization work by @sdodson
  Scott Dodson, 2015-12-15, 1 file changed, -1/+1

* Initial containerization work from @ibotty
  Tobias Florek, 2015-12-15, 1 file changed, -0/+1

  copied from https://github.com/eparis/kubernetes-ansible/blob/17f98edd7ff53e649b43e26822b8fbc0be42b233/roles/common/tasks/main.yml

* Remove yum / dnf duplication
  Scott Dodson, 2015-12-09, 2 files changed, -25/+2

* Fedora changes:
  Adam Miller, 2015-12-02, 2 files changed, -0/+19

  - ansible bootstrap playbook for Fedora 23+
  - add conditionals to handle yum vs dnf
  - add Fedora OpenShift COPR
  - update BYO host README for repo configs and fedora bootstrap
  Fix typo in etcd README, remove unnecessary parens in openshift_node main.yml
  rebase on master, update package cache refresh handler for yum vs dnf
  Fix typo in etcd README, remove unnecessary parens in openshift_node main.yml

* pylint
  Jason DeTiberus, 2015-04-21, 1 file changed, -38/+44

* fixes to better deal with gce image defaults
  Jason DeTiberus, 2015-04-21, 3 files changed, -8/+3

  - remove exception if INPUT rules are not found, gce centos-7 image is
    stripped of default rules
  - ignore_errors for systemctl mask operation, fails with permission denied
    on gce centos-7 image.