Improve firewall checks

The firewall checks can fail for any number of reasons -- e.g., the
ceph cluster hostnames are unresolvable from the ansible host, or the
ports are filtered by some intermediate hop, etc. Make two changes to
make those checks better:

* Set pipefail when running the checks, so if nmap itself fails the
  command will be marked as 'failed'. Specifically, this fixes the
  case where the hostnames cannot be resolved.
* Add a new variable, check_firewall, which can be used to disable
  checks entirely. Specifically, this fixes the case where some
  intermediate firewall filters the ports, so nmap returns "filtered".
pull/558/head
Chris St. Pierre 2016-02-23 10:27:55 -06:00
parent 63d7824c9c
commit 53af359c65
3 changed files with 38 additions and 15 deletions


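--- a/file1
+++ b/file1
@@ -34,6 +34,12 @@ dummy:
 #mds_group_name: mdss
 #restapi_group_name: restapis
+# If check_firewall is true, then ansible will try to determine if the
+# Ceph ports are blocked by a firewall. If the machine running ansible
+# cannot reach the Ceph ports for some other reason, you may need or
+# want to set this to False to skip those checks.
+#check_firewall: True
 # This variable determines if ceph packages can be updated. If False, the
 # package resources will use "state=present". If True, they will use
 # "state=latest".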


@ -31,11 +31,17 @@ rgw_group_name: rgws
mds_group_name: mdss mds_group_name: mdss
restapi_group_name: restapis restapi_group_name: restapis
# This variable determines if ceph packages can be updated. If False, the # If check_firewall is true, then ansible will try to determine if the
# package resources will use "state=present". If True, they will use # Ceph ports are blocked by a firewall. If the machine running ansible
# "state=latest". # cannot reach the Ceph ports for some other reason, you may need or
upgrade_ceph_packages: False # want to set this to False to skip those checks.
check_firewall: True
# This variable determines if ceph packages can be updated. If False, the
# package resources will use "state=present". If True, they will use
# "state=latest".
upgrade_ceph_packages: False
# /!\ EITHER ACTIVE ceph_stable OR ceph_stable_ice OR ceph_dev /!\ # /!\ EITHER ACTIVE ceph_stable OR ceph_stable_ice OR ceph_dev /!\
debian_package_dependencies: debian_package_dependencies:
@ -91,11 +97,11 @@ ceph_stable_redhat_distro: el7
# ENTERPRISE VERSION ICE (old, prior to the 1.3) # ENTERPRISE VERSION ICE (old, prior to the 1.3)
ceph_stable_ice: false # use Inktank Ceph Enterprise ceph_stable_ice: false # use Inktank Ceph Enterprise
#ceph_stable_ice_url: https://download.inktank.com/enterprise #ceph_stable_ice_url: https://download.inktank.com/enterprise
# these two variables are used in `with_items` and starting # these two variables are used in `with_items` and starting
# with ansible 2.0 these need to be defined even if the tasks's # with ansible 2.0 these need to be defined even if the tasks's
# `when` clause doesn't evaluate to true # `when` clause doesn't evaluate to true
ceph_stable_ice_temp_path: /opt/ICE/ceph-repo/ ceph_stable_ice_temp_path: /opt/ICE/ceph-repo/
ceph_stable_ice_kmod: 3.10-0.1.20140702gitdc9ac62.el7.x86_64 ceph_stable_ice_kmod: 3.10-0.1.20140702gitdc9ac62.el7.x86_64
#ceph_stable_ice_distro: rhel7 # Please check the download website for the supported versions. #ceph_stable_ice_distro: rhel7 # Please check the download website for the supported versions.
#ceph_stable_ice_version: 1.2.2 #ceph_stable_ice_version: 1.2.2
#ceph_stable_ice_kmod_version: 1.2 #ceph_stable_ice_kmod_version: 1.2
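Review bot: `check_firewall: True` writes the new boolean with a capital; Ansible's YAML 1.1 loader accepts it (as it does `upgrade_ceph_packages: False` just below), but `ceph_stable_ice: false` in the same file uses the lowercase form and yamllint's `truthy` rule only accepts `true`/`false`, so `check_firewall: true` would be the consistent choice (mirrored in the sample file). The comment could also say what skipping the checks buys and costs: the check tasks only print `Please allow port …` messages and change nothing, so a line such as `# The checks are advisory only; with this set to False a blocked port is not reported before deployment.` would help. The second hunk (`@ -91,11 +97,11 @@`) shows no textual change, so it presumably carries whitespace-only edits that the commit message does not mention.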


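--- a/file3
+++ b/file3
@@ -4,19 +4,23 @@
   changed_when: false
   failed_when: false
   register: nmapexist
+  when: check_firewall
 - name: inform that nmap is not present
   debug:
     msg: "nmap is not installed, can not test if ceph ports are allowed :("
-  when: nmapexist.rc != 0
+  when:
+    check_firewall and
+    nmapexist.rc != 0
 - name: check if monitor port is not filtered
-  local_action: shell nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }} | grep -sqo filtered
+  local_action: shell set -o pipefail && nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }} | grep -sqo filtered
   changed_when: false
   failed_when: false
   with_items: groups.{{ mon_group_name }}
   register: monportstate
   when:
+    check_firewall and
     mon_group_name in group_names and
     nmapexist.rc == 0
@@ -25,18 +29,20 @@
     msg: "Please allow port 6789 on your firewall"
   with_items: monportstate.results
   when:
+    check_firewall and
     item.rc == 0 and
     mon_group_name is defined and
     mon_group_name in group_names and
     nmapexist.rc == 0
 - name: check if osd and mds range is not filtered
-  local_action: shell nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
+  local_action: shell set -o pipefail && nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
   changed_when: false
   failed_when: false
   with_items: groups.{{ osd_group_name }}
   register: osdrangestate
   when:
+    check_firewall and
     osd_group_name in group_names and
     nmapexist.rc == 0
@@ -45,18 +51,20 @@
     msg: "Please allow range from 6800 to 7300 on your firewall"
   with_items: osdrangestate.results
   when:
+    check_firewall and
     item.rc == 0 and
     osd_group_name is defined and
     osd_group_name in group_names and
     nmapexist.rc == 0
 - name: check if osd and mds range is not filtered
-  local_action: shell nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
+  local_action: shell set -o pipefail && nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
   changed_when: false
   failed_when: false
   with_items: groups.{{ mds_group_name }}
   register: mdsrangestate
   when:
+    check_firewall and
     mds_group_name in group_names and
     nmapexist.rc == 0
@@ -65,18 +73,20 @@
     msg: "Please allow range from 6800 to 7300 on your firewall"
   with_items: mdsrangestate.results
   when:
+    check_firewall and
     item.rc == 0 and
     mds_group_name is defined and
     mds_group_name in group_names and
     nmapexist.rc == 0
 - name: check if rados gateway port is not filtered
-  local_action: shell nmap -p {{ radosgw_civetweb_port }} {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
+  local_action: shell set -o pipefail && nmap -p {{ radosgw_civetweb_port }} {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
   changed_when: false
   failed_when: false
   with_items: groups.rgws
   register: rgwportstate
   when:
+    check_firewall and
     rgw_group_name in group_names and
     nmapexist.rc == 0
@@ -85,6 +95,7 @@
     msg: "Please allow port {{ radosgw_civetweb_port }} on your firewall"
   with_items: rgwportstate.results
   when:
+    check_firewall and
     item.rc == 0 and
     rgw_group_name is defined and
     rgw_group_name in group_names and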
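Review bot: `set -o pipefail` (first at `local_action: shell set -o pipefail && nmap -p 6789 …`, repeated on the other three nmap tasks) does not make a failing nmap visible the way the commit message describes: bash's pipefail yields the rightmost non-zero status, and `grep -sqo filtered` still exits 1 when nmap printed nothing, so an unresolvable host ends with rc 1 — the same rc as a reachable port — and the `item.rc == 0` debug tasks stay silent either way. `failed_when: false` is also kept on all four tasks, so no rc can mark them failed, and on a Debian-family control host `/bin/sh` is dash, which in releases of that era rejects `-o pipefail`, so the `&&` chain stops before nmap even runs. A portable form that keeps nmap's own status without pipefail or bash is `local_action: shell out="$(nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }})" && printf '%s\n' "$out" | grep -sqo filtered` (likewise for the three other tasks). With that, rc 0 still means filtered, 1 reachable, and anything else is nmap's own error — assuming nmap exits non-zero on a resolution failure, which should be confirmed — which a small extra debug task with `when: item.rc > 1` could report instead of being swallowed. The nmap-presence task that registers `nmapexist` starts above the first hunk, and the `when:` list of the last task continues below the final one.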