mirror of https://github.com/ceph/ceph-ansible.git
Support comma-delimited subnets in firewall
ceph.conf supports a comma-separated list of
subnet CIDRs for the public_network and the
cluster network. ceph-ansible should support
setting up the firewall for this configuration.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1767392
Closes: #4425
Related: #4333
https://docs.ceph.com/docs/nautilus/rados/configuration/network-config-ref/#network-config-settings
Signed-off-by: Harald Jensås <hjensas@redhat.com>
(cherry picked from commit d94229204d
)
pull/4719/head
v3.2.35
parent
dd4a4cbb66
commit
e8ed6655f3
|
@ -18,15 +18,16 @@
|
||||||
|
|
||||||
- name: open monitor and manager ports
|
- name: open monitor and manager ports
|
||||||
firewalld:
|
firewalld:
|
||||||
service: "{{ item.service }}"
|
service: "{{ item[1].service }}"
|
||||||
zone: "{{ item.zone }}"
|
zone: "{{ item[1].zone }}"
|
||||||
source: "{{ public_network }}"
|
source: "{{ item[0] }}"
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
with_items:
|
with_nested:
|
||||||
- { 'service': 'ceph-mon', 'zone': "{{ ceph_mon_firewall_zone }}" }
|
- "{{ public_network.split(',') }}"
|
||||||
- { 'service': 'ceph', 'zone': "{{ ceph_mgr_firewall_zone }}" }
|
- - { 'service': 'ceph-mon', 'zone': "{{ ceph_mon_firewall_zone }}" }
|
||||||
|
- { 'service': 'ceph', 'zone': "{{ ceph_mgr_firewall_zone }}" }
|
||||||
when:
|
when:
|
||||||
- mon_group_name is defined
|
- mon_group_name is defined
|
||||||
- mon_group_name in group_names
|
- mon_group_name in group_names
|
||||||
|
@ -37,10 +38,11 @@
|
||||||
firewalld:
|
firewalld:
|
||||||
service: ceph
|
service: ceph
|
||||||
zone: "{{ ceph_mgr_firewall_zone }}"
|
zone: "{{ ceph_mgr_firewall_zone }}"
|
||||||
source: "{{ public_network }}"
|
source: "{{ item }}"
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
with_items: "{{ public_network.split(',') }}"
|
||||||
when:
|
when:
|
||||||
- mgr_group_name is defined
|
- mgr_group_name is defined
|
||||||
- mgr_group_name in group_names
|
- mgr_group_name in group_names
|
||||||
|
@ -55,9 +57,7 @@
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
with_items:
|
with_items: "{{ public_network.split(',') | union(cluster_network.split(',')) }}"
|
||||||
- "{{ public_network }}"
|
|
||||||
- "{{ cluster_network }}"
|
|
||||||
when:
|
when:
|
||||||
- osd_group_name is defined
|
- osd_group_name is defined
|
||||||
- osd_group_name in group_names
|
- osd_group_name in group_names
|
||||||
|
@ -68,10 +68,11 @@
|
||||||
firewalld:
|
firewalld:
|
||||||
port: "{{ radosgw_frontend_port }}/tcp"
|
port: "{{ radosgw_frontend_port }}/tcp"
|
||||||
zone: "{{ ceph_rgw_firewall_zone }}"
|
zone: "{{ ceph_rgw_firewall_zone }}"
|
||||||
source: "{{ public_network }}"
|
source: "{{ item }}"
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
with_items: "{{ public_network.split(',') }}"
|
||||||
when:
|
when:
|
||||||
- rgw_group_name is defined
|
- rgw_group_name is defined
|
||||||
- rgw_group_name in group_names
|
- rgw_group_name in group_names
|
||||||
|
@ -82,10 +83,11 @@
|
||||||
firewalld:
|
firewalld:
|
||||||
service: ceph
|
service: ceph
|
||||||
zone: "{{ ceph_mds_firewall_zone }}"
|
zone: "{{ ceph_mds_firewall_zone }}"
|
||||||
source: "{{ public_network }}"
|
source: "{{ item }}"
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
with_items: "{{ public_network.split(',') }}"
|
||||||
when:
|
when:
|
||||||
- mds_group_name is defined
|
- mds_group_name is defined
|
||||||
- mds_group_name in group_names
|
- mds_group_name in group_names
|
||||||
|
@ -96,10 +98,11 @@
|
||||||
firewalld:
|
firewalld:
|
||||||
service: nfs
|
service: nfs
|
||||||
zone: "{{ ceph_nfs_firewall_zone }}"
|
zone: "{{ ceph_nfs_firewall_zone }}"
|
||||||
source: "{{ public_network }}"
|
source: "{{ item }}"
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
with_items: "{{ public_network.split(',') }}"
|
||||||
when:
|
when:
|
||||||
- nfs_group_name is defined
|
- nfs_group_name is defined
|
||||||
- nfs_group_name in group_names
|
- nfs_group_name in group_names
|
||||||
|
@ -110,10 +113,11 @@
|
||||||
firewalld:
|
firewalld:
|
||||||
port: "111/tcp"
|
port: "111/tcp"
|
||||||
zone: "{{ ceph_nfs_firewall_zone }}"
|
zone: "{{ ceph_nfs_firewall_zone }}"
|
||||||
source: "{{ public_network }}"
|
source: "{{ item }}"
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
with_items: "{{ public_network.split(',') }}"
|
||||||
when:
|
when:
|
||||||
- nfs_group_name is defined
|
- nfs_group_name is defined
|
||||||
- nfs_group_name in group_names
|
- nfs_group_name in group_names
|
||||||
|
@ -124,10 +128,11 @@
|
||||||
firewalld:
|
firewalld:
|
||||||
service: ceph
|
service: ceph
|
||||||
zone: "{{ ceph_rbdmirror_firewall_zone }}"
|
zone: "{{ ceph_rbdmirror_firewall_zone }}"
|
||||||
source: "{{ public_network }}"
|
source: "{{ item }}"
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
with_items: "{{ public_network.split(',') }}"
|
||||||
when:
|
when:
|
||||||
- rbdmirror_group_name is defined
|
- rbdmirror_group_name is defined
|
||||||
- rbdmirror_group_name in group_names
|
- rbdmirror_group_name in group_names
|
||||||
|
@ -138,10 +143,11 @@
|
||||||
firewalld:
|
firewalld:
|
||||||
port: "3260/tcp"
|
port: "3260/tcp"
|
||||||
zone: "{{ ceph_iscsi_firewall_zone }}"
|
zone: "{{ ceph_iscsi_firewall_zone }}"
|
||||||
source: "{{ public_network }}"
|
source: "{{ item }}"
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
with_items: "{{ public_network.split(',') }}"
|
||||||
when:
|
when:
|
||||||
- iscsi_gw_group_name is defined
|
- iscsi_gw_group_name is defined
|
||||||
- iscsi_gw_group_name in group_names
|
- iscsi_gw_group_name in group_names
|
||||||
|
@ -152,10 +158,11 @@
|
||||||
firewalld:
|
firewalld:
|
||||||
port: "{{ api_port | default(5000) }}/tcp"
|
port: "{{ api_port | default(5000) }}/tcp"
|
||||||
zone: "{{ ceph_iscsi_firewall_zone }}"
|
zone: "{{ ceph_iscsi_firewall_zone }}"
|
||||||
source: "{{ public_network }}"
|
source: "{{ item }}"
|
||||||
permanent: true
|
permanent: true
|
||||||
immediate: true
|
immediate: true
|
||||||
state: enabled
|
state: enabled
|
||||||
|
with_items: "{{ public_network.split(',') }}"
|
||||||
when:
|
when:
|
||||||
- iscsi_gw_group_name is defined
|
- iscsi_gw_group_name is defined
|
||||||
- iscsi_gw_group_name in group_names
|
- iscsi_gw_group_name in group_names
|
||||||
|
|
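Review bot: The new loops feed `public_network.split(',')` straight into `source:` without trimming or filtering, in the `with_nested` list of the monitor/manager task, the `with_items` of the mgr, rgw, mds, nfs, rbd-mirror and iscsi tasks, and the `union(...)` on the OSD task. A value written with a space after the comma would produce a source entry with leading whitespace, and a trailing comma would produce an empty source; firewalld is likely to reject either, though the module's exact behaviour is not visible on this page. In a firewall role it is safer to normalise the list before looping, e.g. `with_items: "{{ public_network.split(',') | map('trim') | select | list }}"`, applying the same filters to `cluster_network` before the `union`. Short comments above the `with_nested` task saying that `item[0]` is the subnet and `item[1]` the service/zone pair, and above the OSD task saying that `union` removes subnets shared by both networks, would also help the next reader.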