diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 42e6fa814..5c5a7fd66 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -56,12 +56,6 @@ dummy:
 #iscsi_gw_group_name: iscsigws
 #mgr_group_name: mgrs
-# If check_firewall is true, then ansible will try to determine if the
-# Ceph ports are blocked by a firewall. If the machine running ansible
-# cannot reach the Ceph ports for some other reason, you may need or
-# want to set this to False to skip those checks.
-#check_firewall: False
-
 # If configure_firewall is true, then ansible will try to configure the
 # appropriate firewalling rules so that Ceph daemons can communicate
 # with each others.
diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index b260831dc..919890db4 100644
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -56,12 +56,6 @@ fetch_directory: ~/ceph-ansible-keys
 #iscsi_gw_group_name: iscsigws
 #mgr_group_name: mgrs
-# If check_firewall is true, then ansible will try to determine if the
-# Ceph ports are blocked by a firewall. If the machine running ansible
-# cannot reach the Ceph ports for some other reason, you may need or
-# want to set this to False to skip those checks.
-#check_firewall: False
-
 # If configure_firewall is true, then ansible will try to configure the
 # appropriate firewalling rules so that Ceph daemons can communicate
 # with each others.
diff --git a/roles/ceph-common/tasks/checks/check_firewall.yml b/roles/ceph-common/tasks/checks/check_firewall.yml
deleted file mode 100644
index d1e6adb72..000000000
--- a/roles/ceph-common/tasks/checks/check_firewall.yml
+++ /dev/null
@@ -1,117 +0,0 @@
----
-- name: check if nmap is installed
- local_action:
- module: command
- command -v nmap
- changed_when: false
- failed_when: false
- register: nmapexist
- run_once: true
- check_mode: no
-
-- name: inform that nmap is not present
- debug:
- msg: "nmap is not installed, can not test if ceph ports are allowed :("
- run_once: true
- when:
- - nmapexist.rc != 0
-
-- name: check if monitor port is not filtered
- local_action:
- module: shell
- set -o pipefail && nmap -p 6789 {{ hostvars[inventory_hostname]['ansible_' + monitor_interface]['ipv4']['address'] if hostvars[inventory_hostname]['ansible_' + monitor_interface] is defined else hostvars[inventory_hostname]['monitor_address'] }} | grep -sqo -e filtered -e '0 hosts up'
- changed_when: false
- failed_when: false
- register: monportstate
- check_mode: no
- when:
- - mon_group_name in group_names
- - nmapexist.rc == 0
-
-- name: fail if monitor port is filtered
- fail:
- msg: "Please allow port 6789 on your firewall"
- when:
- - mon_group_name in group_names
- - nmapexist.rc == 0
- - monportstate.rc == 0
-
-- name: check if osd and mds range is not filtered (osd hosts)
- local_action:
- module: shell
- set -o pipefail && nmap -p 6800-7300 {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
- changed_when: false
- failed_when: false
- register: osdrangestate
- check_mode: no
- when:
- - osd_group_name in group_names
- - nmapexist.rc == 0
-
-- name: fail if osd and mds range is filtered (osd hosts)
- fail:
- msg: "Please allow range from 6800 to 7300 on your firewall"
- when:
- - osd_group_name in group_names
- - nmapexist.rc == 0
- - osdrangestate.rc == 0
-
-- name: check if osd and mds range is not filtered (mds hosts)
- local_action:
- module: shell
- set -o pipefail && nmap -p 6800-7300 {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
- changed_when: false
- failed_when: false
- register: mdsrangestate
- check_mode: no
- when:
- - mds_group_name in group_names
- - nmapexist.rc == 0
-
-- name: fail if osd and mds range is filtered (mds hosts)
- fail:
- msg: "Please allow range from 6800 to 7300 on your firewall"
- when:
- - mds_group_name in group_names
- - nmapexist.rc == 0
- - mdsrangestate.rc == 0
-
-- name: check if rados gateway port is not filtered
- local_action:
- module: shell
- set -o pipefail && nmap -p {{ radosgw_frontend_port }} {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
- changed_when: false
- failed_when: false
- register: rgwportstate
- check_mode: no
- when:
- - rgw_group_name in group_names
- - nmapexist.rc == 0
-
-- name: fail if rados gateway port is filtered
- fail:
- msg: "Please allow port {{ radosgw_frontend_port }} on your firewall"
- when:
- - rgw_group_name in group_names
- - nmapexist.rc == 0
- - rgwportstate.rc == 0
-
-- name: check if NFS ports are not filtered
- local_action:
- module: shell
- set -o pipefail && nmap -p 111,2049 {{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} | grep -sqo -e filtered -e '0 hosts up'
- changed_when: false
- failed_when: false
- register: nfsportstate
- check_mode: no
- when:
- - nfs_group_name in group_names
- - nmapexist.rc == 0
-
-- name: fail if NFS ports are filtered
- fail:
- msg: "Please allow ports 111 and 2049 on your firewall"
- when:
- - nfs_group_name in group_names
- - nmapexist.rc == 0
- - nfsportstate.rc == 0
diff --git a/roles/ceph-common/tasks/main.yml b/roles/ceph-common/tasks/main.yml
index 049cacf45..14b38787d 100644
--- a/roles/ceph-common/tasks/main.yml
+++ b/roles/ceph-common/tasks/main.yml
@@ -53,11 +53,6 @@
 tags:
 - always
-- name: include_tasks checks/check_firewall.yml
- include_tasks: checks/check_firewall.yml
- when:
- - check_firewall
-
 - name: include_tasks misc/configure_firewall_rpm.yml
 include_tasks: misc/configure_firewall_rpm.yml
 when:
diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index 91e2aa5ea..9a1905b04 100644
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -48,12 +48,6 @@ client_group_name: clients
 iscsi_gw_group_name: iscsigws
 mgr_group_name: mgrs
-# If check_firewall is true, then ansible will try to determine if the
-# Ceph ports are blocked by a firewall. If the machine running ansible
-# cannot reach the Ceph ports for some other reason, you may need or
-# want to set this to False to skip those checks.
-check_firewall: False
-
 # If configure_firewall is true, then ansible will try to configure the
 # appropriate firewalling rules so that Ceph daemons can communicate
 # with each others.