--- /dev/null
+---
+- name: check if nmap is installed
+ shell: "command -v nmap"
+ changed_when: false
+ failed_when: false
+ register: nmapexist
+
+- name: fail if nmap is not present
+ fail:
+ msg: "nmap is needed to make sure ceph ports are not filtered, please install it"
+ when: nmapexist.rc != 0
+
+- name: check if monitor port is not filtered
+ local_action: shell nmap -p 6789 {{ item }} {{ hostvars[item]['ansible_' + monitor_interface]['ipv4']['address'] }} | grep -sqo filtered
+ changed_when: false
+ failed_when: false
+ with_items: groups.{{ mon_group_name }}
+ register: monportstate
+ register: monportstate
+ when: mon_group_name in group_names
+
+- name: fail if monitor port is filtered
+ fail:
+ msg: "Please allow port 6789 on your firewall"
+ with_items: monportstate.results
+ when:
+ item.rc == 0 and
+ mon_group_name is defined and
+ mon_group_name in group_names
+
+- name: check if osd and mds range is not filtered
+ local_action: shell nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
+ changed_when: false
+ failed_when: false
+ with_items: groups.{{ osd_group_name }}
+ register: osdrangestate
+ when: osd_group_name in group_names
+
+- name: fail if osd and mds range is filtered (osd hosts)
+ fail:
+ msg: "Please allow range from 6800 to 7300 on your firewall"
+ with_items: osdrangestate.results
+ when:
+ item.rc == 0 and
+ osd_group_name is defined and
+ osd_group_name in group_names
+
+- name: check if osd and mds range is not filtered
+ local_action: shell nmap -p 6800-7300 {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
+ changed_when: false
+ failed_when: false
+ with_items: groups.{{ mds_group_name }}
+ register: mdsrangestate
+ when: mds_group_name in group_names
+
+- name: fail if osd and mds range is filtered (mds hosts)
+ fail:
+ msg: "Please allow range from 6800 to 7300 on your firewall"
+ with_items: mdsrangestate.results
+ when:
+ item.rc == 0 and
+ mds_group_name is defined and
+ mds_group_name in group_names
+
+- name: check if rados gateway port is not filtered
+ local_action: shell nmap -p {{ radosgw_civetweb_port }} {{ item }} {{ hostvars[item]['ansible_default_ipv4']['address'] }} | grep -sqo filtered
+ changed_when: false
+ failed_when: false
+ with_items: groups.rgws
+ register: rgwportstate
+ when: rgw_group_name in group_names
+
+- name: fail if rados gateway port is filtered
+ fail:
+ msg: "Please allow port {{ radosgw_civetweb_port }} on your firewall"
+ with_items: rgwportstate.results
+ when:
+ item.rc == 0 and
+ rgw_group_name is defined and
+ rgw_group_name in group_names
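Review bot: The port checks fail open: in "check if monitor port is not filtered", and in the osd, mds and rados gateway checks that repeat the pattern, the registered `rc` is that of `grep -sqo filtered` and `failed_when: false` masks everything else, so a run where nmap prints no `filtered` line for another reason (for example nmap itself failing) looks the same as a reachable port. I would drop the `| grep -sqo filtered` pipe and the `failed_when: false`, so that a non-zero nmap exit fails the task, and test the output in the follow-up task with `'filtered' in item.stdout`. Put that test after the `is defined` / `in group_names` conditions, since results of a skipped check may carry no `rc` or `stdout`. Without the pipe the task can use `command` instead of `shell`, which keeps inventory-derived values out of a shell on the control node. Two smaller defects in the same hunk: `register: monportstate` appears twice in the monitor check, and the rados gateway check iterates the hard-coded `groups.rgws` while its `when` uses `rgw_group_name`, so `with_items: groups.{{ rgw_group_name }}` would match the other three checks.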