From 1932b8d007792e29c609099708224c6a4e29288e Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Fri, 20 Feb 2015 11:43:19 -0500 Subject: Set and export KUBECONFIG in root user .bash_profile - roles/base_os: Without this, the root user would need to manually configure this variable before attempting to run any osc commands - roles/base_os: Cleanup the firewall service definition and only pause when the service state changes. - roles/openshift_master: use Akram's suggestion of simplifying the firewall config - roles/openshift_master: explicitly disable previously exposed ports that are no longer exposed (8080/tcp I'm looking at you). --- roles/base_os/tasks/main.yaml | 23 ++++++++++++++--------- roles/openshift_master/tasks/main.yml | 25 ++++++++++++++----------- 2 files changed, 28 insertions(+), 20 deletions(-) diff --git a/roles/base_os/tasks/main.yaml b/roles/base_os/tasks/main.yaml index 01d2898c5..b18f5c40d 100644 --- a/roles/base_os/tasks/main.yaml +++ b/roles/base_os/tasks/main.yaml @@ -11,21 +11,26 @@ src: vimrc dest: /root/.vimrc -- name: Ensure vimrc is installed for user root - copy: - src: vimrc - dest: /root/.vimrc +- name: Add KUBECONFIG to .bash_profile for user root + lineinfile: + dest: /root/.bash_profile + regexp: "KUBECONFIG=" + line: "export KUBECONFIG={{ openshift_master_credentials_dir }}.kubeconfig" + state: present + insertafter: EOF - name: Install firewalld yum: pkg: firewalld state: installed -- name: enable firewalld service - command: /usr/bin/systemctl enable firewalld.service - -- name: start firewalld service - command: /usr/bin/systemctl start firewalld.service +- name: start and enable firewalld service + service: + name: firewalld + state: started + enabled: yes + register: result - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail pause: seconds=10 + when: result | changed diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index c92ca9c8f..96b889804 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -13,21 +13,24 @@ regexp: "{{ item.regex }}" line: "{{ item.line }}" with_items: - - { regex: '^OPTIONS=', line: 'OPTIONS=\"--public-master={{ oo_public_ip }} --nodes={{ oo_node_ips | join(",") }} --loglevel=5\"' } + - { regex: '^OPTIONS=', line: "OPTIONS=\"--public-master={{ oo_public_ip }} --nodes={{ oo_node_ips | join(",") }} --loglevel=5\"" } notify: - restart openshift-master -- name: Open firewalld port for etcd embedded in OpenShift - firewalld: port=4001/tcp permanent=false state=enabled +# Open etcd embedded, etcd embedded peer, openshift api, and +# openshift client ports +- name: Open firewalld ports for openshift-master + firewalld: port={{ item[0] }} permanent={{ item[1] }} state=enabled + with_nested: + - [ 4001/tcp, 7001/tcp, 8443/tcp, 8444/tcp ] + - [ true, false ] -- name: Save firewalld port for etcd embedded in - firewalld: port=4001/tcp permanent=true state=enabled - -- name: Open firewalld port for OpenShift - firewalld: port=8443/tcp permanent=false state=enabled - -- name: Save firewalld port for OpenShift - firewalld: port=8443/tcp permanent=true state=enabled +# Disable previously exposed ports that are no longer needed +- name: Close firewalld ports for openshift-master that are no longer needed + firewalld: port={{ item[0] }} permanent={{ item[1] }} state=enabled + with_nested: + - [ 8080/tcp ] + - [ true, false ] - name: Enable OpenShift service: name=openshift-master enabled=yes state=started -- cgit v1.2.3