author Bogdan Dobrelya <bdobreli@redhat.com> 2017-06-05 16:41:09 +0200
committer Tomas Sedovic <tomas@sedovic.cz> 2017-06-15 12:35:09 +0200
commit 4bb2f005bc6cdeb8e656c2b42ac54db8fbd67fb9
tree 16b87eb066daad457104ebc5f65bf57ff5781870 /playbooks
parent a7300e6b7ace3098aa05794d4ac2f9e5a4cef64a
Add a flat sec group for openstack provider

Add an openstack_flat_secgroup, defaults to False. When set, merges sec rules for master, node, etcd, infra nodes into a single group. Less secure, but might help to mitigate quota limitations.

Update docs.

Use timeout 30s to mitigate the error: Timeout (12s) waiting for privilege escalation prompt.

Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Diffstat (limited to 'playbooks')
-rw-r--r-- playbooks/provisioning/openstack/README.md 11
-rw-r--r-- playbooks/provisioning/openstack/pre_tasks.yml 2
-rw-r--r-- playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml 3
3 files changed, 12 insertions, 4 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md
index 68550d3a3..35f37db0d 100644
--- a/playbooks/provisioning/openstack/README.md
+++ b/playbooks/provisioning/openstack/README.md
@@ -25,7 +25,7 @@ etc.). The result is an environment ready for openshift-ansible.
### Copy the sample inventory
- cp openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
+ cp -r openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
### Copy clouds.yaml
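Review bot: the `cp -r` fix on the sample-inventory line is not mentioned in the commit message and is unrelated to the flat security group change. The fix itself is right, since `sample-inventory` is a directory (it contains `group_vars/all.yml`), but please either list it in the message or split it into its own commit so it can be picked up independently.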
@@ -62,6 +62,11 @@ The `openstack_num_masters`, `openstack_num_infra` and
`openstack_num_nodes` values specify the number of Master, Infra and
App nodes to create.
+The `openstack_flat_secgroup`, controls Neutron security groups creation for Heat
+stacks. Set it to true, if you experience issues with sec group rules
+quotas. It trades security for number of rules, by sharing the same set
+of firewall rules for master, node, etcd and infra nodes.
+
### Update the DNS names in `inventory/hosts`
The different server groups are currently grouped by the domain name,
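Review bot: the new `openstack_flat_secgroup` paragraph does not state the default or spell out what "trades security" means in practice. Please say that the default is `false`, and that with the flat group every role (master, node, etcd, infra) accepts the union of all roles' rules, so ports intended only for one role become reachable on the others. Recommend enabling it only when the rule quota cannot be raised. Minor: drop the comma after the variable name and the one after "Set it to true".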
@@ -96,13 +101,13 @@ Assuming your OpenStack (Keystone) credentials are in the `keystonerc`
file, this is how you stat the provisioning process:
. keystonerc
- ansible-playbook -i inventory --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
+ ansible-playbook -i inventory --timeout 30 --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
### Install OpenShift
Once it succeeds, you can install openshift by running:
- ansible-playbook --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
+ ansible-playbook --timeout 30 --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
## License
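Review bot: `--timeout 30` is added to both `ansible-playbook` command lines with no explanation in the README, and anyone running the playbooks with a different command line will still hit the failure. Consider setting `timeout = 30` under `[defaults]` in an `ansible.cfg` shipped with the playbooks, or at least add one sentence here quoting the error it works around ("Timeout (12s) waiting for privilege escalation prompt"). While touching this part of the file, the context line "this is how you stat the provisioning process" should read "start".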
diff --git a/playbooks/provisioning/openstack/pre_tasks.yml b/playbooks/provisioning/openstack/pre_tasks.yml
index 8446bdfbc..a4ff7c4ac 100644
--- a/playbooks/provisioning/openstack/pre_tasks.yml
+++ b/playbooks/provisioning/openstack/pre_tasks.yml
@@ -18,7 +18,7 @@
- name: Set Dynamic Inventory Filters
become: false
shell: >
- export OS_INV_FILTER_KEY=clusterid && OS_INV_FILTER_VALUE={{ env_id }}
+ export OS_INV_FILTER_KEY=clusterid && export OS_INV_FILTER_VALUE={{ env_id }}
delegate_to: localhost
- name: Updating DNS domain to include env_id (if not empty)
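Review bot: logic problem in the "Set Dynamic Inventory Filters" task: variables exported inside a `shell:` task exist only in the shell process spawned for that task, so adding the second `export` does not make `OS_INV_FILTER_KEY` or `OS_INV_FILTER_VALUE` visible to later tasks or to the inventory script. If the filter is meant to take effect, pass the values with the `environment:` keyword on the tasks or play that need them, or document that the user must export them before invoking `ansible-playbook`. Separately, `{{ env_id }}` is interpolated into a shell command unquoted; use `{{ env_id | quote }}` so a value containing spaces or shell metacharacters cannot alter the command.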
diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
index 50aaa573d..3eb0f9f80 100644
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
@@ -37,3 +37,6 @@ openstack_subnet_prefix: "192.168.99"
# NOTE(shadower): Do not change this value. The Ansible user is currently
# hardcoded to `openshift`.
ansible_user: openshift
+
+# Use a single security group for a cluster
+openstack_flat_secgroup: false
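Review bot: the comment above `openstack_flat_secgroup: false` says only "Use a single security group for a cluster" and omits the trade-off that the commit message and README describe. Operators tend to edit this file without rereading the README, so the comment should note that setting it to true merges the master, node, etcd and infra rules into one group, is less secure, and is intended only as a workaround for security group rule quotas.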