| Age | Commit message (Collapse) | Author |
|---|
|
Right now this is only available on fedora so guard it with
openshift_enable_unsupported_configurations
|
|
|
|
When a package install/update fails due to network blips or other spotty
availability, retry it. If the failure is a real failure (e.g. package
is really not there) it still fails after 3 tries (Ansible default).
|
|
|
|
If os_firewall role is called from within a play that uses serial then
it was attempting to start iptables on hosts that may not have had
iptables installed on them yet. So limit the hosts to the current batch.
According to the ansible docs on plays where serial is unused this is
the same as ansible_play_hosts.
See http://docs.ansible.com/ansible/latest/playbooks_variables.html
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1490739
|
|
* Remove openshift_facts dependency
* Move firewall initialization from std_include.yml to
openshift_cluster/config.yml
Installing firewall packages is only necessary during OpenShift
installation.
|
|
Start iptables on each master in serial
|
|
Fix task hanging when running from a master
|
|
|
|
|
|
|
|
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1436964
|
|
|
|
|
|
|
|
`systemctl show` would exit with RC=1 for non-existent services in v231.
This caused the Ansible systemd module to exit with a failure of running the
`systemctl show` command instead of exiting stating the service was not found.
This change catches both failures on either older or newer versions of systemd.
The change in systemd exit status could be resolved in systemd v232.
https://github.com/systemd/systemd/commit/3dced37b7c2c9a5c733817569d2bbbaa397adaf7
|
|
Refactor os_firewall role
|
|
* Remove unneeded tasks duplicated by new module functionality
* Ansible systemd module has 'masked' and 'daemon_reload' options
* Ansible firewalld module has 'immediate' option
|
|
The Ansible package module will call the correct package manager for the
underlying OS.
|
|
|
|
|
|
|
|
|
|
Add ability to disable os_firewall
|
|
|
|
|
|
|
|
|
|
copied from https://github.com/eparis/kubernetes-ansible/blob/17f98edd7ff53e649b43e26822b8fbc0be42b233/roles/common/tasks/main.yml
|
|
|
|
- ansible bootstrap playbook for Fedora 23+
- add conditionals to handle yum vs dnf
- add Fedora OpenShift COPR
- update BYO host README for repo configs and fedora bootstrap
Fix typo in etcd README, remove unnecessary parens in openshift_node main.yml
rebase on master, update package cache refresh handler for yum vs dnf
Fix typo in etcd README, remove unnecessary parens in openshift_node main.yml
|
|
- remove exception if INPUT rules are not found, gce centos-7 image is stripped of
default rules
- ignore_errors for systemctl mask operation, fails with permission denied on
gce centos-7 image.
|
|
- Add openshift_facts role and module
- Created new role openshift_facts that contains an openshift_facts module
- Refactor openshift_* roles to use openshift_facts instead of relying on
defaults
- Refactor playbooks to use openshift_facts
- Cleanup inventory group_vars
- Update defaults
- update openshift_master role firewall defaults
- remove etcd peer port, since we will not be supporting clustered embedded
etcd
- remove 8444 since console now runs on the api port by default
- add 8444 and 7001 to disabled services to ensure removal if updating
- Add new role os_env_extras_node that is a subset of the docker role
- previously, we were starting/enabling docker which was causing issues with some
installations
- Does not install or start docker, since the openshift-node role will
handle that for us
- Only adds root to the dockerroot group
- Update playbooks to use ops_env_extras_node role instead of docker role
- os_firewall bug fixes
- ignore ip6tables for now, since we are not configuring any ipv6 rules
- if installing package do a daemon-reload before starting/enabling service
- Add aws support to bin/cluster
- Add list action to bin/cluster
- Add update action to bin/cluster
- cleanup some stray debug statements
- some variable renaming for clarity
|
|
- Fix variable references to os_firewall_{allow,deny} instead of {allow, deny}
- Fix ordering of service stop/start to ensure firewall rules are properly
initiated after service startup
- Add test for package installed before attempting to disable or mask services
|
|
- Fix missed references to old firewall scripts
- Fix variable name references that didn't get updated
|
|
- Add os_firewall role
- Remove firewall settings from base_os, add wait task to os_firewall
- Added a iptables firewall module for maintaining the following (in a mostly
naive manner):
- ensure the OPENSHIFT_ALLOW chain is defined
- ensure that there is a jump rule in the INPUT chain for OPENSHIFT_ALLOW
- adds or removes entries from the OPENSHIFT_ALLOW chain
- issues '/usr/libexec/iptables/iptables.init save' when rules are changed
- Limitations of iptables firewall module
- only allows setting of ports/protocols to open
- no testing on ipv6 support
- made os_firewall a dependency of openshift_common
- Hardcoded openshift_common to use iptables (through the vars directory)
until upstream support is in place for firewalld
|
