Support comma-delimited subnets in firewall

ceph.conf supports a comma separated list of
subnet CIDR's for the public_network and the
cluster network. ceph-ansible should support
setting up the firewall for this configuration.

Closes: #4425
Related: #4333
https://docs.ceph.com/docs/nautilus/rados/configuration/network-config-ref/#network-config-settings

Signed-off-by: Harald Jensås <hjensas@redhat.com>
(cherry picked from commit d94229204d)
pull/4439/head
Harald Jensås 2019-09-06 16:24:30 +02:00 committed by Dimitri Savineau
parent cb66a62ae2
commit e33e06d400
1 changed files with 26 additions and 18 deletions

View File

@ -20,15 +20,16 @@
- name: open monitor and manager ports - name: open monitor and manager ports
firewalld: firewalld:
service: "{{ item.service }}" service: "{{ item[1].service }}"
zone: "{{ item.zone }}" zone: "{{ item[1].zone }}"
source: "{{ public_network }}" source: "{{ item[0] }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: with_nested:
- { 'service': 'ceph-mon', 'zone': "{{ ceph_mon_firewall_zone }}" } - "{{ public_network.split(',') }}"
- { 'service': 'ceph', 'zone': "{{ ceph_mgr_firewall_zone }}" } - - { 'service': 'ceph-mon', 'zone': "{{ ceph_mon_firewall_zone }}" }
- { 'service': 'ceph', 'zone': "{{ ceph_mgr_firewall_zone }}" }
when: when:
- mon_group_name is defined - mon_group_name is defined
- mon_group_name in group_names - mon_group_name in group_names
@ -38,10 +39,11 @@
firewalld: firewalld:
service: ceph service: ceph
zone: "{{ ceph_mgr_firewall_zone }}" zone: "{{ ceph_mgr_firewall_zone }}"
source: "{{ public_network }}" source: "{{ item }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: "{{ public_network.split(',') }}"
when: when:
- mgr_group_name is defined - mgr_group_name is defined
- mgr_group_name in group_names - mgr_group_name in group_names
@ -55,9 +57,7 @@
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: with_items: "{{ public_network.split(',') | union(cluster_network.split(',')) }}"
- "{{ public_network }}"
- "{{ cluster_network }}"
when: when:
- osd_group_name is defined - osd_group_name is defined
- osd_group_name in group_names - osd_group_name in group_names
@ -67,10 +67,11 @@
firewalld: firewalld:
port: "{{ radosgw_frontend_port }}/tcp" port: "{{ radosgw_frontend_port }}/tcp"
zone: "{{ ceph_rgw_firewall_zone }}" zone: "{{ ceph_rgw_firewall_zone }}"
source: "{{ public_network }}" source: "{{ item }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: "{{ public_network.split(',') }}"
when: when:
- rgw_group_name is defined - rgw_group_name is defined
- rgw_group_name in group_names - rgw_group_name in group_names
@ -80,10 +81,11 @@
firewalld: firewalld:
service: ceph service: ceph
zone: "{{ ceph_mds_firewall_zone }}" zone: "{{ ceph_mds_firewall_zone }}"
source: "{{ public_network }}" source: "{{ item }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: "{{ public_network.split(',') }}"
when: when:
- mds_group_name is defined - mds_group_name is defined
- mds_group_name in group_names - mds_group_name in group_names
@ -93,10 +95,11 @@
firewalld: firewalld:
service: nfs service: nfs
zone: "{{ ceph_nfs_firewall_zone }}" zone: "{{ ceph_nfs_firewall_zone }}"
source: "{{ public_network }}" source: "{{ item }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: "{{ public_network.split(',') }}"
when: when:
- nfs_group_name is defined - nfs_group_name is defined
- nfs_group_name in group_names - nfs_group_name in group_names
@ -106,10 +109,11 @@
firewalld: firewalld:
port: "111/tcp" port: "111/tcp"
zone: "{{ ceph_nfs_firewall_zone }}" zone: "{{ ceph_nfs_firewall_zone }}"
source: "{{ public_network }}" source: "{{ item }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: "{{ public_network.split(',') }}"
when: when:
- nfs_group_name is defined - nfs_group_name is defined
- nfs_group_name in group_names - nfs_group_name in group_names
@ -119,10 +123,11 @@
firewalld: firewalld:
service: ceph service: ceph
zone: "{{ ceph_rbdmirror_firewall_zone }}" zone: "{{ ceph_rbdmirror_firewall_zone }}"
source: "{{ public_network }}" source: "{{ item }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: "{{ public_network.split(',') }}"
when: when:
- rbdmirror_group_name is defined - rbdmirror_group_name is defined
- rbdmirror_group_name in group_names - rbdmirror_group_name in group_names
@ -132,10 +137,11 @@
firewalld: firewalld:
port: "3260/tcp" port: "3260/tcp"
zone: "{{ ceph_iscsi_firewall_zone }}" zone: "{{ ceph_iscsi_firewall_zone }}"
source: "{{ public_network }}" source: "{{ item }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: "{{ public_network.split(',') }}"
when: when:
- iscsi_gw_group_name is defined - iscsi_gw_group_name is defined
- iscsi_gw_group_name in group_names - iscsi_gw_group_name in group_names
@ -145,10 +151,11 @@
firewalld: firewalld:
port: "{{ api_port | default(5000) }}/tcp" port: "{{ api_port | default(5000) }}/tcp"
zone: "{{ ceph_iscsi_firewall_zone }}" zone: "{{ ceph_iscsi_firewall_zone }}"
source: "{{ public_network }}" source: "{{ item }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: "{{ public_network.split(',') }}"
when: when:
- iscsi_gw_group_name is defined - iscsi_gw_group_name is defined
- iscsi_gw_group_name in group_names - iscsi_gw_group_name in group_names
@ -228,10 +235,11 @@
firewalld: firewalld:
port: "{{ haproxy_frontend_port | default(80) }}/tcp" port: "{{ haproxy_frontend_port | default(80) }}/tcp"
zone: "{{ ceph_rgwloadbalancer_firewall_zone }}" zone: "{{ ceph_rgwloadbalancer_firewall_zone }}"
source: "{{ public_network }}" source: "{{ item }}"
permanent: true permanent: true
immediate: true immediate: true
state: enabled state: enabled
with_items: "{{ public_network.split(',') }}"
when: when:
- rgwloadbalancer_group_name is defined - rgwloadbalancer_group_name is defined
- rgwloadbalancer_group_name in group_names - rgwloadbalancer_group_name in group_names