ceph-ansible/roles/ceph-common/tasks/checks/check_firewall.yml

103 lines
3.1 KiB
YAML

---
- name: check if nmap is installed
command: "command -v nmap"
changed_when: false
failed_when: false
register: nmapexist
when: check_firewall
- name: inform that nmap is not present
debug:
msg: "nmap is not installed, can not test if ceph ports are allowed :("
when:
check_firewall and
nmapexist.rc != 0
- name: check if monitor port is not filtered
local_action: shell set -o pipefail && nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }} | grep -sqo filtered
changed_when: false
failed_when: false
with_items: groups.{{ mon_group_name }}
register: monportstate
when:
check_firewall and
mon_group_name in group_names and
nmapexist.rc == 0
- name: fail if monitor port is filtered
fail:
msg: "Please allow port 6789 on your firewall"
with_items: monportstate.results
when:
check_firewall and
item.rc == 0 and
mon_group_name is defined and
mon_group_name in group_names and
nmapexist.rc == 0
- name: check if osd and mds range is not filtered
local_action: shell set -o pipefail && nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
changed_when: false
failed_when: false
with_items: groups.{{ osd_group_name }}
register: osdrangestate
when:
check_firewall and
osd_group_name in group_names and
nmapexist.rc == 0
- name: fail if osd and mds range is filtered (osd hosts)
fail:
msg: "Please allow range from 6800 to 7300 on your firewall"
with_items: osdrangestate.results
when:
check_firewall and
item.rc == 0 and
osd_group_name is defined and
osd_group_name in group_names and
nmapexist.rc == 0
- name: check if osd and mds range is not filtered
local_action: shell set -o pipefail && nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
changed_when: false
failed_when: false
with_items: groups.{{ mds_group_name }}
register: mdsrangestate
when:
check_firewall and
mds_group_name in group_names and
nmapexist.rc == 0
- name: fail if osd and mds range is filtered (mds hosts)
fail:
msg: "Please allow range from 6800 to 7300 on your firewall"
with_items: mdsrangestate.results
when:
check_firewall and
item.rc == 0 and
mds_group_name is defined and
mds_group_name in group_names and
nmapexist.rc == 0
- name: check if rados gateway port is not filtered
local_action: shell set -o pipefail && nmap -p {{ radosgw_civetweb_port }} {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
changed_when: false
failed_when: false
with_items: groups.rgws
register: rgwportstate
when:
check_firewall and
rgw_group_name in group_names and
nmapexist.rc == 0
- name: fail if rados gateway port is filtered
fail:
msg: "Please allow port {{ radosgw_civetweb_port }} on your firewall"
with_items: rgwportstate.results
when:
check_firewall and
item.rc == 0 and
rgw_group_name is defined and
rgw_group_name in group_names and
nmapexist.rc == 0