From 4bb2f005bc6cdeb8e656c2b42ac54db8fbd67fb9 Mon Sep 17 00:00:00 2001
From: Bogdan Dobrelya
Date: Mon, 5 Jun 2017 16:41:09 +0200
Subject: Add a flat sec group for openstack provider
Add a openstack_flat_secgroup, defaults to False. When set, merges sec rules for master, node, etcd, infra nodes into a single group. Less secure, but might help to mitigate quota limitations. Update docs.
Use timeout 30s to mitigate the error: Timeout (12s) waiting for privilege escalation prompt.
Signed-off-by: Bogdan Dobrelya
---
 playbooks/provisioning/openstack/README.md | 11 ++++++++---
 playbooks/provisioning/openstack/pre_tasks.yml | 2 +-
 .../openstack/sample-inventory/group_vars/all.yml | 3 +++
 3 files changed, 12 insertions(+), 4 deletions(-)
(limited to 'playbooks')
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md
index 68550d3a3..35f37db0d 100644
--- a/playbooks/provisioning/openstack/README.md
+++ b/playbooks/provisioning/openstack/README.md
@@ -25,7 +25,7 @@ etc.). The result is an environment ready for openshift-ansible.
 ### Copy the sample inventory
- cp openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
+ cp -r openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory
 ### Copy clouds.yaml
@@ -62,6 +62,11 @@ The `openstack_num_masters`, `openstack_num_infra` and `openstack_num_nodes`
 values specify the number of Master, Infra and App nodes to create.
+The `openstack_flat_secgroup`, controls Neutron security groups creation for Heat stacks. Set it to true, if you experience issues with sec group rules quotas. It trades security for number of rules, by sharing the same set of firewall rules for master, node, etcd and infra nodes.
+
 ### Update the DNS names in `inventory/hosts`
 The different server groups are currently grouped by the domain name,
@@ -96,13 +101,13 @@ Assuming your OpenStack (Keystone) credentials are in the `keystonerc` file, this is how you stat the provisioning process:
 . keystonerc
- ansible-playbook -i inventory --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
+ ansible-playbook -i inventory --timeout 30 --private-key ~/.ssh/openshift openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml
 ### Install OpenShift
 Once it succeeds, you can install openshift by running:
- ansible-playbook --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
+ ansible-playbook --timeout 30 --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
 ## License
diff --git a/playbooks/provisioning/openstack/pre_tasks.yml b/playbooks/provisioning/openstack/pre_tasks.yml
index 8446bdfbc..a4ff7c4ac 100644
--- a/playbooks/provisioning/openstack/pre_tasks.yml
+++ b/playbooks/provisioning/openstack/pre_tasks.yml
@@ -18,7 +18,7 @@ - name: Set Dynamic Inventory Filters
 become: false
 shell: >
- export OS_INV_FILTER_KEY=clusterid && OS_INV_FILTER_VALUE={{ env_id }}
+ export OS_INV_FILTER_KEY=clusterid && export OS_INV_FILTER_VALUE={{ env_id }}
 delegate_to: localhost
 - name: Updating DNS domain to include env_id (if not empty)
diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
index 50aaa573d..3eb0f9f80 100644
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
@@ -37,3 +37,6 @@ openstack_subnet_prefix: "192.168.99"
 # NOTE(shadower): Do not change this value. The Ansible user is currently
 # hardcoded to `openshift`.
 ansible_user: openshift
+
+ # Use a single security group for a cluster
+ openstack_flat_secgroup: false
-- cgit v1.2.3
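Review bot: Adding the second `export` fixes the shell syntax but, as far as I can tell, still cannot do what the task name promises: the `shell:` module runs in its own process on localhost and its environment is discarded when that process exits, so OS_INV_FILTER_KEY and OS_INV_FILTER_VALUE are not visible to any later task or to whatever reads them as a dynamic inventory filter. If those values are meant to reach subsequent tasks, set them with `environment:` on the play or on the tasks that need them, or capture them with `set_fact`, rather than through a shell export. Separately, `{{ env_id }}` is substituted into a shell command line unquoted, so a value containing whitespace or shell metacharacters would be interpreted by the shell; `export OS_INV_FILTER_VALUE={{ env_id | quote }}` avoids that. As written the task also reports changed on every run, so `changed_when: false` would be appropriate for a no-op export. The surrounding play starts outside the hunk.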
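Review bot: The new `openstack_flat_secgroup` key is documented only by `# Use a single security group for a cluster`, which does not tell an operator editing the sample inventory what they give up by enabling it, while the README hunk in this same commit explains that the flag shares one rule set across master, node, etcd and infra hosts and exists to work around security-group rule quotas. I would carry that into the inventory comment so the trade-off is visible where the value is actually changed, e.g. `# Use a single security group for the whole cluster: one firewall rule set is shared` / `# across master, node, etcd and infra hosts, so the roles are no longer isolated from` / `# each other. Only set to true to work around Neutron security-group rule quotas.` Shipping the default as false is the right choice.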