From 53af359c658d1841e06673c6e459988dbeef7441 Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre"
Date: Tue, 23 Feb 2016 10:27:55 -0600
Subject: [PATCH] Improve firewall checks

The firewall checks can fail for any number of reasons -- e.g., the ceph cluster hostnames are unresolvable from the ansible host, or the ports are filtered by some intermediate hop, etc. Make two changes to make those checks better:

* Set pipefail when running the checks, so if nmap itself fails the command will be marked as 'failed'. Specifically, this fixes the case where the hostnames cannot be resolved.

* Add a new variable, check_firewall, which can be used to disable checks entirely. Specifically, this fixes the case where some intermediate firewall filters the ports, so nmap returns "filtered".
---
 group_vars/all.sample | 6 +++++
 roles/ceph-common/defaults/main.yml | 26 ++++++++++++-------
 .../tasks/checks/check_firewall.yml | 21 +++++++++++----
 3 files changed, 38 insertions(+), 15 deletions(-)

diff --git a/group_vars/all.sample b/group_vars/all.sample
index 7eeb4ad3d..a7fd24672 100644
--- a/group_vars/all.sample
+++ b/group_vars/all.sample
@@ -34,6 +34,12 @@ dummy:
 #mds_group_name: mdss
 #restapi_group_name: restapis
+# If check_firewall is true, then ansible will try to determine if the
+# Ceph ports are blocked by a firewall. If the machine running ansible
+# cannot reach the Ceph ports for some other reason, you may need or
+# want to set this to False to skip those checks.
+#check_firewall: True
+
 # This variable determines if ceph packages can be updated. If False, the
 # package resources will use "state=present". If True, they will use
 # "state=latest".
diff --git a/roles/ceph-common/defaults/main.yml b/roles/ceph-common/defaults/main.yml
index cfe014bcc..43a73f68c 100644
--- a/roles/ceph-common/defaults/main.yml
+++ b/roles/ceph-common/defaults/main.yml
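Review bot: The comment above `#check_firewall: True` should say what the check actually measures, because the tasks it enables run nmap through `local_action`, i.e. from the machine running Ansible, so a "filtered" result only reflects that host's path to the cluster, and turning the check off removes the only pre-flight probe of the mon/osd/rgw ports. An operator reading "blocked by a firewall" may take a pass, or a disabled check, as confirmation that the Ceph daemons can reach each other, which this probe does not establish. Suggest appending `# Note: the probe is run from the machine running ansible; it does not` / `# verify connectivity between the Ceph nodes themselves.`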
@@ -31,11 +31,17 @@ rgw_group_name: rgws
 mds_group_name: mdss
 restapi_group_name: restapis
-# This variable determines if ceph packages can be updated. If False, the
-# package resources will use "state=present". If True, they will use
-# "state=latest".
-upgrade_ceph_packages: False
-
+# If check_firewall is true, then ansible will try to determine if the
+# Ceph ports are blocked by a firewall. If the machine running ansible
+# cannot reach the Ceph ports for some other reason, you may need or
+# want to set this to False to skip those checks.
+check_firewall: True
+
+# This variable determines if ceph packages can be updated. If False, the
+# package resources will use "state=present". If True, they will use
+# "state=latest".
+upgrade_ceph_packages: False
+
 # /!\ EITHER ACTIVE ceph_stable OR ceph_stable_ice OR ceph_dev /!\
 debian_package_dependencies:
@@ -91,11 +97,11 @@ ceph_stable_redhat_distro: el7
 # ENTERPRISE VERSION ICE (old, prior to the 1.3)
 ceph_stable_ice: false # use Inktank Ceph Enterprise
 #ceph_stable_ice_url: https://download.inktank.com/enterprise
-# these two variables are used in `with_items` and starting
-# with ansible 2.0 these need to be defined even if the tasks's
-# `when` clause doesn't evaluate to true
-ceph_stable_ice_temp_path: /opt/ICE/ceph-repo/
-ceph_stable_ice_kmod: 3.10-0.1.20140702gitdc9ac62.el7.x86_64
+# these two variables are used in `with_items` and starting
+# with ansible 2.0 these need to be defined even if the tasks's
+# `when` clause doesn't evaluate to true
+ceph_stable_ice_temp_path: /opt/ICE/ceph-repo/
+ceph_stable_ice_kmod: 3.10-0.1.20140702gitdc9ac62.el7.x86_64
 #ceph_stable_ice_distro: rhel7 # Please check the download website for the supported versions.
 #ceph_stable_ice_version: 1.2.2
 #ceph_stable_ice_kmod_version: 1.2
diff --git a/roles/ceph-common/tasks/checks/check_firewall.yml b/roles/ceph-common/tasks/checks/check_firewall.yml
index 6ea56b218..a03dca4dd 100644
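Review bot: Inserting the `check_firewall` block after the existing blank line, rather than deleting and re-adding the five unchanged `upgrade_ceph_packages` lines in the first hunk, would keep those lines as context and let the diff show only what actually changed. While here, `check_firewall: True` copies the capitalised form of the neighbouring `upgrade_ceph_packages: False`, whereas the second hunk's `ceph_stable_ice: false` uses the lowercase form that yamllint's truthy rule accepts; both work in Ansible, but settling on `true`/`false` per file avoids the YAML 1.1/1.2 boolean ambiguity. The second hunk reads as a whitespace-only change unrelated to the commit message and would be easier to review as its own commit.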
--- a/roles/ceph-common/tasks/checks/check_firewall.yml
+++ b/roles/ceph-common/tasks/checks/check_firewall.yml
@@ -4,19 +4,23 @@
 changed_when: false
 failed_when: false
 register: nmapexist
+ when: check_firewall
 - name: inform that nmap is not present
 debug:
 msg: "nmap is not installed, can not test if ceph ports are allowed :("
- when: nmapexist.rc != 0
+ when:
+ check_firewall and
+ nmapexist.rc != 0
 - name: check if monitor port is not filtered
- local_action: shell nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }} | grep -sqo filtered
+ local_action: shell set -o pipefail && nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }} | grep -sqo filtered
 changed_when: false
 failed_when: false
 with_items: groups.{{ mon_group_name }}
 register: monportstate
 when:
+ check_firewall and
 mon_group_name in group_names and
 nmapexist.rc == 0
@@ -25,18 +29,20 @@
 msg: "Please allow port 6789 on your firewall"
 with_items: monportstate.results
 when:
+ check_firewall and
 item.rc == 0 and
 mon_group_name is defined and
 mon_group_name in group_names and
 nmapexist.rc == 0
 - name: check if osd and mds range is not filtered
- local_action: shell nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
+ local_action: shell set -o pipefail && nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
 changed_when: false
 failed_when: false
 with_items: groups.{{ osd_group_name }}
 register: osdrangestate
 when:
+ check_firewall and
 osd_group_name in group_names and
 nmapexist.rc == 0
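Review bot: `set -o pipefail` on the new monitor-port `local_action: shell ...` line is a bash/ksh option, but the shell module runs its command under `/bin/sh` unless `executable` is set; on a control host whose `/bin/sh` lacks pipefail (dash of that era, for instance) the `set` call errors out before nmap runs, and because `failed_when: false` is retained the task merely records a non-zero rc, which the follow-up task (gated on `item.rc == 0`) reads as "not filtered" — the check passes silently. For a pre-flight security check that is the wrong failure mode, so pin the interpreter on each of these tasks, e.g. `args:` / `  executable: /bin/bash`, or run `bash -o pipefail -c '...'` explicitly. I cannot see the `- name: check if nmap is installed` task that the first `+ when: check_firewall` belongs to; its body starts above this hunk.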
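Review bot: On the osd `local_action` line, `set -o pipefail` does not deliver the commit's stated aim of making an nmap failure visible: pipefail yields the rightmost non-zero status, and a failing nmap prints no "filtered" line, so `grep -sqo` exits 1 and the pipeline returns 1 exactly as it did before; only the corner case of grep matching while nmap still fails changes. Since the warning task tests nothing but `item.rc == 0`, a scan that could not run and a port that is genuinely reachable remain indistinguishable. If those are meant to differ, give nmap its own exit path, e.g. `shell: out=$(nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }}) || exit 2; printf '%s\n' "$out" | grep -sqo filtered`, and add an inform task keyed on `item.rc == 2`. I am not certain nmap exits non-zero when only one of its two targets fails to resolve, so that case is worth checking separately.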
@@ -45,18 +51,20 @@
 msg: "Please allow range from 6800 to 7300 on your firewall"
 with_items: osdrangestate.results
 when:
+ check_firewall and
 item.rc == 0 and
 osd_group_name is defined and
 osd_group_name in group_names and
 nmapexist.rc == 0
 - name: check if osd and mds range is not filtered
- local_action: shell nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
+ local_action: shell set -o pipefail && nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
 changed_when: false
 failed_when: false
 with_items: groups.{{ mds_group_name }}
 register: mdsrangestate
 when:
+ check_firewall and
 mds_group_name in group_names and
 nmapexist.rc == 0
@@ -65,18 +73,20 @@
 msg: "Please allow range from 6800 to 7300 on your firewall"
 with_items: mdsrangestate.results
 when:
+ check_firewall and
 item.rc == 0 and
 mds_group_name is defined and
 mds_group_name in group_names and
 nmapexist.rc == 0
 - name: check if rados gateway port is not filtered
- local_action: shell nmap -p {{ radosgw_civetweb_port }} {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
+ local_action: shell set -o pipefail && nmap -p {{ radosgw_civetweb_port }} {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
 changed_when: false
 failed_when: false
 with_items: groups.rgws
 register: rgwportstate
 when:
+ check_firewall and
 rgw_group_name in group_names and
 nmapexist.rc == 0
@@ -85,6 +95,7 @@
 msg: "Please allow port {{ radosgw_civetweb_port }} on your firewall"
 with_items: rgwportstate.results
 when:
+ check_firewall and
 item.rc == 0 and
 rgw_group_name is defined and
 rgw_group_name in group_names and
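Review bot: The new `check_firewall and` conditions in the mds hunk are bare Jinja truth tests, so a value that reaches them as a string is truthy whatever its text; as I understand it, `-e check_firewall=False` on the command line — the obvious way to disable the check for a single run — arrives as the string "False" and would leave every check enabled. Writing `check_firewall | bool and` in each condition states the intent and also accepts "false"/"no"/"0" spellings. The same applies to the other `when:` blocks this commit touches.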
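Review bot: Every task in this file now starts its condition with `check_firewall and`, which is ten places to keep in sync and easy to forget on the next task added; since the defaults file already assumes Ansible 2.0, the tasks could sit in one `block:` with `when: check_firewall`, or the caller could condition the `include` of this file on `check_firewall` (that include site is outside this diff, so I have not checked it). Separately, the rgw hunk keeps the hard-coded `with_items: groups.rgws` beside the new `rgw_group_name in group_names` condition, while the other checks iterate over `groups.{{ ..._group_name }}`; a deployment that renames the group would scan nothing here yet still satisfy the condition, so `with_items: groups.{{ rgw_group_name }}` would be consistent with the rest of the file.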