Improve firewall checks
The firewall checks can fail for any number of reasons -- e.g., the ceph cluster hostnames are unresolvable from the ansible host, or the ports are filtered by some intermediate hop, etc. Make two changes to make those checks better: * Set pipefail when running the checks, so if nmap itself fails the command will be marked as 'failed'. Specifically, this fixes the case where the hostnames cannot be resolved. * Add a new variable, check_firewall, which can be used to disable checks entirely. Specifically, this fixes the case where some intermediate firewall filters the ports, so nmap returns "filtered".pull/558/head
parent
63d7824c9c
commit
53af359c65
|
@ -34,6 +34,12 @@ dummy:
|
||||||
#mds_group_name: mdss
|
#mds_group_name: mdss
|
||||||
#restapi_group_name: restapis
|
#restapi_group_name: restapis
|
||||||
|
|
||||||
|
# If check_firewall is true, then ansible will try to determine if the
|
||||||
|
# Ceph ports are blocked by a firewall. If the machine running ansible
|
||||||
|
# cannot reach the Ceph ports for some other reason, you may need or
|
||||||
|
# want to set this to False to skip those checks.
|
||||||
|
#check_firewall: True
|
||||||
|
|
||||||
# This variable determines if ceph packages can be updated. If False, the
|
# This variable determines if ceph packages can be updated. If False, the
|
||||||
# package resources will use "state=present". If True, they will use
|
# package resources will use "state=present". If True, they will use
|
||||||
# "state=latest".
|
# "state=latest".
|
||||||
|
|
|
@ -31,11 +31,17 @@ rgw_group_name: rgws
|
||||||
mds_group_name: mdss
|
mds_group_name: mdss
|
||||||
restapi_group_name: restapis
|
restapi_group_name: restapis
|
||||||
|
|
||||||
# This variable determines if ceph packages can be updated. If False, the
|
# If check_firewall is true, then ansible will try to determine if the
|
||||||
# package resources will use "state=present". If True, they will use
|
# Ceph ports are blocked by a firewall. If the machine running ansible
|
||||||
# "state=latest".
|
# cannot reach the Ceph ports for some other reason, you may need or
|
||||||
upgrade_ceph_packages: False
|
# want to set this to False to skip those checks.
|
||||||
|
check_firewall: True
|
||||||
|
|
||||||
|
# This variable determines if ceph packages can be updated. If False, the
|
||||||
|
# package resources will use "state=present". If True, they will use
|
||||||
|
# "state=latest".
|
||||||
|
upgrade_ceph_packages: False
|
||||||
|
|
||||||
# /!\ EITHER ACTIVE ceph_stable OR ceph_stable_ice OR ceph_dev /!\
|
# /!\ EITHER ACTIVE ceph_stable OR ceph_stable_ice OR ceph_dev /!\
|
||||||
|
|
||||||
debian_package_dependencies:
|
debian_package_dependencies:
|
||||||
|
@ -91,11 +97,11 @@ ceph_stable_redhat_distro: el7
|
||||||
# ENTERPRISE VERSION ICE (old, prior to the 1.3)
|
# ENTERPRISE VERSION ICE (old, prior to the 1.3)
|
||||||
ceph_stable_ice: false # use Inktank Ceph Enterprise
|
ceph_stable_ice: false # use Inktank Ceph Enterprise
|
||||||
#ceph_stable_ice_url: https://download.inktank.com/enterprise
|
#ceph_stable_ice_url: https://download.inktank.com/enterprise
|
||||||
# these two variables are used in `with_items` and starting
|
# these two variables are used in `with_items` and starting
|
||||||
# with ansible 2.0 these need to be defined even if the tasks's
|
# with ansible 2.0 these need to be defined even if the tasks's
|
||||||
# `when` clause doesn't evaluate to true
|
# `when` clause doesn't evaluate to true
|
||||||
ceph_stable_ice_temp_path: /opt/ICE/ceph-repo/
|
ceph_stable_ice_temp_path: /opt/ICE/ceph-repo/
|
||||||
ceph_stable_ice_kmod: 3.10-0.1.20140702gitdc9ac62.el7.x86_64
|
ceph_stable_ice_kmod: 3.10-0.1.20140702gitdc9ac62.el7.x86_64
|
||||||
#ceph_stable_ice_distro: rhel7 # Please check the download website for the supported versions.
|
#ceph_stable_ice_distro: rhel7 # Please check the download website for the supported versions.
|
||||||
#ceph_stable_ice_version: 1.2.2
|
#ceph_stable_ice_version: 1.2.2
|
||||||
#ceph_stable_ice_kmod_version: 1.2
|
#ceph_stable_ice_kmod_version: 1.2
|
||||||
|
|
|
@ -4,19 +4,23 @@
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
register: nmapexist
|
register: nmapexist
|
||||||
|
when: check_firewall
|
||||||
|
|
||||||
- name: inform that nmap is not present
|
- name: inform that nmap is not present
|
||||||
debug:
|
debug:
|
||||||
msg: "nmap is not installed, can not test if ceph ports are allowed :("
|
msg: "nmap is not installed, can not test if ceph ports are allowed :("
|
||||||
when: nmapexist.rc != 0
|
when:
|
||||||
|
check_firewall and
|
||||||
|
nmapexist.rc != 0
|
||||||
|
|
||||||
- name: check if monitor port is not filtered
|
- name: check if monitor port is not filtered
|
||||||
local_action: shell nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }} | grep -sqo filtered
|
local_action: shell set -o pipefail && nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }} | grep -sqo filtered
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
with_items: groups.{{ mon_group_name }}
|
with_items: groups.{{ mon_group_name }}
|
||||||
register: monportstate
|
register: monportstate
|
||||||
when:
|
when:
|
||||||
|
check_firewall and
|
||||||
mon_group_name in group_names and
|
mon_group_name in group_names and
|
||||||
nmapexist.rc == 0
|
nmapexist.rc == 0
|
||||||
|
|
||||||
|
@ -25,18 +29,20 @@
|
||||||
msg: "Please allow port 6789 on your firewall"
|
msg: "Please allow port 6789 on your firewall"
|
||||||
with_items: monportstate.results
|
with_items: monportstate.results
|
||||||
when:
|
when:
|
||||||
|
check_firewall and
|
||||||
item.rc == 0 and
|
item.rc == 0 and
|
||||||
mon_group_name is defined and
|
mon_group_name is defined and
|
||||||
mon_group_name in group_names and
|
mon_group_name in group_names and
|
||||||
nmapexist.rc == 0
|
nmapexist.rc == 0
|
||||||
|
|
||||||
- name: check if osd and mds range is not filtered
|
- name: check if osd and mds range is not filtered
|
||||||
local_action: shell nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
|
local_action: shell set -o pipefail && nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
with_items: groups.{{ osd_group_name }}
|
with_items: groups.{{ osd_group_name }}
|
||||||
register: osdrangestate
|
register: osdrangestate
|
||||||
when:
|
when:
|
||||||
|
check_firewall and
|
||||||
osd_group_name in group_names and
|
osd_group_name in group_names and
|
||||||
nmapexist.rc == 0
|
nmapexist.rc == 0
|
||||||
|
|
||||||
|
@ -45,18 +51,20 @@
|
||||||
msg: "Please allow range from 6800 to 7300 on your firewall"
|
msg: "Please allow range from 6800 to 7300 on your firewall"
|
||||||
with_items: osdrangestate.results
|
with_items: osdrangestate.results
|
||||||
when:
|
when:
|
||||||
|
check_firewall and
|
||||||
item.rc == 0 and
|
item.rc == 0 and
|
||||||
osd_group_name is defined and
|
osd_group_name is defined and
|
||||||
osd_group_name in group_names and
|
osd_group_name in group_names and
|
||||||
nmapexist.rc == 0
|
nmapexist.rc == 0
|
||||||
|
|
||||||
- name: check if osd and mds range is not filtered
|
- name: check if osd and mds range is not filtered
|
||||||
local_action: shell nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
|
local_action: shell set -o pipefail && nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
with_items: groups.{{ mds_group_name }}
|
with_items: groups.{{ mds_group_name }}
|
||||||
register: mdsrangestate
|
register: mdsrangestate
|
||||||
when:
|
when:
|
||||||
|
check_firewall and
|
||||||
mds_group_name in group_names and
|
mds_group_name in group_names and
|
||||||
nmapexist.rc == 0
|
nmapexist.rc == 0
|
||||||
|
|
||||||
|
@ -65,18 +73,20 @@
|
||||||
msg: "Please allow range from 6800 to 7300 on your firewall"
|
msg: "Please allow range from 6800 to 7300 on your firewall"
|
||||||
with_items: mdsrangestate.results
|
with_items: mdsrangestate.results
|
||||||
when:
|
when:
|
||||||
|
check_firewall and
|
||||||
item.rc == 0 and
|
item.rc == 0 and
|
||||||
mds_group_name is defined and
|
mds_group_name is defined and
|
||||||
mds_group_name in group_names and
|
mds_group_name in group_names and
|
||||||
nmapexist.rc == 0
|
nmapexist.rc == 0
|
||||||
|
|
||||||
- name: check if rados gateway port is not filtered
|
- name: check if rados gateway port is not filtered
|
||||||
local_action: shell nmap -p {{ radosgw_civetweb_port }} {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
|
local_action: shell set -o pipefail && nmap -p {{ radosgw_civetweb_port }} {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
with_items: groups.rgws
|
with_items: groups.rgws
|
||||||
register: rgwportstate
|
register: rgwportstate
|
||||||
when:
|
when:
|
||||||
|
check_firewall and
|
||||||
rgw_group_name in group_names and
|
rgw_group_name in group_names and
|
||||||
nmapexist.rc == 0
|
nmapexist.rc == 0
|
||||||
|
|
||||||
|
@ -85,6 +95,7 @@
|
||||||
msg: "Please allow port {{ radosgw_civetweb_port }} on your firewall"
|
msg: "Please allow port {{ radosgw_civetweb_port }} on your firewall"
|
||||||
with_items: rgwportstate.results
|
with_items: rgwportstate.results
|
||||||
when:
|
when:
|
||||||
|
check_firewall and
|
||||||
item.rc == 0 and
|
item.rc == 0 and
|
||||||
rgw_group_name is defined and
|
rgw_group_name is defined and
|
||||||
rgw_group_name in group_names and
|
rgw_group_name in group_names and
|
||||||
|
|
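Review bot: `set -o pipefail` is not POSIX, and Ansible's `shell` module runs under `/bin/sh` unless `executable` is set, so on a controller where `/bin/sh` is dash (Debian/Ubuntu) each rewritten `local_action` line in this file exits non-zero at the `set` call before nmap ever runs; since the follow-up debug tasks fire only on `item.rc == 0`, that is reported as "not filtered" and the firewall check is silently defeated. Append `executable=/bin/bash` to all four nmap lines, e.g. `local_action: shell set -o pipefail && nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }} | grep -sqo filtered executable=/bin/bash`. Note also that `failed_when: false` is kept on every check, so contrary to the description pipefail never marks a task failed; an nmap error (unresolvable host, no route) still produces a non-zero rc that the consumers cannot distinguish from "port reachable", because `grep -q` also exits 1 on no match. If the intent is to surface resolver or nmap failures rather than pass them quietly, the checks presumably need to register and report `item.stderr` (or drop `failed_when: false`) in addition to the rc test.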