From: Guillaume Abrioux
Date: Fri, 5 Oct 2018 13:42:52 +0000 (+0200)
Subject: ceph-infra: add new role ceph-infra
X-Git-Tag: v3.2.0beta4~4
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b3a71eeb08e9cdb2607ed60d724f387a0a24d3de;p=ceph-ansible.git

ceph-infra: add new role ceph-infra
this role manages ceph infra services such as ntp, firewall, ...
Signed-off-by: Guillaume Abrioux
---
diff --git a/roles/ceph-common/tasks/main.yml b/roles/ceph-common/tasks/main.yml
index 14b38787d..894bf8e8a 100644
--- a/roles/ceph-common/tasks/main.yml
+++ b/roles/ceph-common/tasks/main.yml
@@ -23,18 +23,6 @@ tags: - package-install -- name: include_tasks "misc/ntp_debian.yml" - include_tasks: "misc/ntp_debian.yml" - when: - - ansible_os_family == 'Debian' - - ntp_service_enabled - -- name: include_tasks "misc/ntp_rpm.yml" - include_tasks: "misc/ntp_rpm.yml" - when: - - ansible_os_family in ['RedHat', 'Suse'] - - ntp_service_enabled - - name: get ceph version command: ceph --version changed_when: false
@@ -53,12 +41,6 @@ tags: - always -- name: include_tasks misc/configure_firewall_rpm.yml - include_tasks: misc/configure_firewall_rpm.yml - when: - - configure_firewall - - ansible_os_family in ['RedHat', 'Suse'] - - name: include facts_mon_fsid.yml include_tasks: facts_mon_fsid.yml run_once: true
diff --git a/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml b/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml
deleted file mode 100644
index 7a4c6c73e..000000000
--- a/roles/ceph-common/tasks/misc/configure_firewall_rpm.yml
+++ /dev/null
@@ -1,172 +0,0 @@ ---- -- name: check firewalld installation on redhat or suse - command: rpm -q firewalld - args: - warn: no - register: firewalld_pkg_query - ignore_errors: true - check_mode: no - changed_when: false - tags: - - firewall - -- name: start firewalld - service: - name: firewalld - state: started - enabled: yes - when: - - firewalld_pkg_query.rc == 0 - -- name: open monitor ports - firewalld: - service: ceph-mon - zone: "{{ ceph_mon_firewall_zone }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - mon_group_name is defined - - mon_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open manager ports - firewalld: - service: ceph - zone: "{{ ceph_mgr_firewall_zone }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - ceph_release_num[ceph_release] >= ceph_release_num.luminous - - mgr_group_name is defined - - mgr_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open osd ports - firewalld: - service: ceph - zone: "{{ ceph_osd_firewall_zone }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - osd_group_name is defined - - osd_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open rgw ports - firewalld: - port: "{{ radosgw_frontend_port }}/tcp" - zone: "{{ ceph_rgw_firewall_zone }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - rgw_group_name is defined - - rgw_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open mds ports - firewalld: - service: ceph - zone: "{{ ceph_mds_firewall_zone }}" - permanent: true - immediate: 
false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - mds_group_name is defined - - mds_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open nfs ports - firewalld: - service: nfs - zone: "{{ ceph_nfs_firewall_zone }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - nfs_group_name is defined - - nfs_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open nfs ports (portmapper) - firewalld: - port: "111/tcp" - zone: "{{ ceph_nfs_firewall_zone }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - nfs_group_name is defined - - nfs_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open restapi ports - firewalld: - port: "{{ restapi_port }}/tcp" - zone: "{{ ceph_restapi_firewall_zone }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - restapi_group_name is defined - - restapi_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open rbdmirror ports - firewalld: - service: ceph - zone: "{{ ceph_rbdmirror_firewall_zone }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - rbdmirror_group_name is defined - - rbdmirror_group_name in group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- name: open iscsi ports - firewalld: - port: "5001/tcp" - zone: "{{ ceph_iscsi_firewall_zone }}" - permanent: true - immediate: false # if true then fails in case firewalld is stopped - state: enabled - notify: restart firewalld - when: - - iscsi_group_name is defined - - iscsi_group_name in 
group_names - - firewalld_pkg_query.rc == 0 - tags: - - firewall - -- meta: flush_handlers
diff --git a/roles/ceph-common/tasks/misc/ntp_debian.yml b/roles/ceph-common/tasks/misc/ntp_debian.yml
deleted file mode 100644
index f1da045f1..000000000
--- a/roles/ceph-common/tasks/misc/ntp_debian.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-- name: setup ntpd
- block:
- - command: timedatectl set-ntp no
- - package:
- name: ntp
- state: present
- - service:
- name: ntp
- enabled: yes
- state: started
- when: ntp_daemon_type == "ntpd"
-
-- name: setup chrony
- block:
- - command: timedatectl set-ntp no
- - package:
- name: chrony
- state: present
- - service:
- name: chronyd
- enabled: yes
- state: started
- when: ntp_daemon_type == "chronyd"
-
-- name: setup timesyncd
- block:
- - command: timedatectl set-ntp on
- when: ntp_daemon_type == "timesyncd"
diff --git a/roles/ceph-common/tasks/misc/ntp_rpm.yml b/roles/ceph-common/tasks/misc/ntp_rpm.yml
deleted file mode 100644
index 866667c2b..000000000
--- a/roles/ceph-common/tasks/misc/ntp_rpm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-- name: setup ntpd
- block:
- - command: timedatectl set-ntp no
- - package:
- name: ntp
- state: present
- - service:
- name: ntpd
- enabled: yes
- state: started
- when: ntp_daemon_type == "ntpd"
-
-- name: setup chrony
- block:
- - command: timedatectl set-ntp no
- - package:
- name: chrony
- state: present
- - service:
- name: chronyd
- enabled: yes
- state: started
- when: ntp_daemon_type == "chronyd"
-
-- name: setup timesyncd
- block:
- - command: timedatectl set-ntp on
- when: ntp_daemon_type == "timesyncd"
diff --git a/roles/ceph-infra/meta/main.yml b/roles/ceph-infra/meta/main.yml
new file mode 100644
index 000000000..a965e1d61
--- /dev/null
+++ b/roles/ceph-infra/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+ author: Guillaume Abrioux
+ description: Handles ceph infra requirements (ntp, firewall, ...)
+ license: Apache
+ min_ansible_version: 2.3
+ platforms:
+ - name: Ubuntu
+ versions:
+ - xenial
+ - name: EL
+ versions:
+ - 7
+ - name: opensuse
+ versions:
+ - 42.3
+ categories:
+ - system
+dependencies: []
diff --git a/roles/ceph-infra/tasks/configure_firewall_rpm.yml b/roles/ceph-infra/tasks/configure_firewall_rpm.yml
new file mode 100644
index 000000000..7a4c6c73e
--- /dev/null
+++ b/roles/ceph-infra/tasks/configure_firewall_rpm.yml
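Review bot: `min_ansible_version: 2.3` understates what the role needs: roles/ceph-infra/tasks/main.yml added later in this same commit uses `include_tasks`, which only exists from Ansible 2.4 onward, so the metadata should read `min_ansible_version: 2.4` (or the project-wide floor if it is higher). The platform version entries `- 7` and `- 42.3` are bare numbers and load as an int and a float rather than version strings; quoting them (`- "7"`, `- "42.3"`) keeps them as strings through any YAML round-trip. `dependencies: []` is consistent with the other roles in this tree, but note that the tasks rely on variables such as `configure_firewall`, `ntp_service_enabled` and the `ceph_*_firewall_zone` values, so the role only works when ceph-defaults runs first in the same play, as site.yml.sample arranges.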
@@ -0,0 +1,172 @@ +--- +- name: check firewalld installation on redhat or suse + command: rpm -q firewalld + args: + warn: no + register: firewalld_pkg_query + ignore_errors: true + check_mode: no + changed_when: false + tags: + - firewall + +- name: start firewalld + service: + name: firewalld + state: started + enabled: yes + when: + - firewalld_pkg_query.rc == 0 + +- name: open monitor ports + firewalld: + service: ceph-mon + zone: "{{ ceph_mon_firewall_zone }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - mon_group_name is defined + - mon_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open manager ports + firewalld: + service: ceph + zone: "{{ ceph_mgr_firewall_zone }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - ceph_release_num[ceph_release] >= ceph_release_num.luminous + - mgr_group_name is defined + - mgr_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open osd ports + firewalld: + service: ceph + zone: "{{ ceph_osd_firewall_zone }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - osd_group_name is defined + - osd_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open rgw ports + firewalld: + port: "{{ radosgw_frontend_port }}/tcp" + zone: "{{ ceph_rgw_firewall_zone }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - rgw_group_name is defined + - rgw_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open mds ports + firewalld: + service: ceph + zone: "{{ ceph_mds_firewall_zone }}" + permanent: true + immediate: 
false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - mds_group_name is defined + - mds_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open nfs ports + firewalld: + service: nfs + zone: "{{ ceph_nfs_firewall_zone }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - nfs_group_name is defined + - nfs_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open nfs ports (portmapper) + firewalld: + port: "111/tcp" + zone: "{{ ceph_nfs_firewall_zone }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - nfs_group_name is defined + - nfs_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open restapi ports + firewalld: + port: "{{ restapi_port }}/tcp" + zone: "{{ ceph_restapi_firewall_zone }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - restapi_group_name is defined + - restapi_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open rbdmirror ports + firewalld: + service: ceph + zone: "{{ ceph_rbdmirror_firewall_zone }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - rbdmirror_group_name is defined + - rbdmirror_group_name in group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- name: open iscsi ports + firewalld: + port: "5001/tcp" + zone: "{{ ceph_iscsi_firewall_zone }}" + permanent: true + immediate: false # if true then fails in case firewalld is stopped + state: enabled + notify: restart firewalld + when: + - iscsi_group_name is defined + - iscsi_group_name in 
group_names + - firewalld_pkg_query.rc == 0 + tags: + - firewall + +- meta: flush_handlers
diff --git a/roles/ceph-infra/tasks/main.yml b/roles/ceph-infra/tasks/main.yml
new file mode 100644
index 000000000..418c257b6
--- /dev/null
+++ b/roles/ceph-infra/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: include_tasks configure_firewall_rpm.yml
+ include_tasks: configure_firewall_rpm.yml
+ when:
+ - configure_firewall
+ - ansible_os_family in ['RedHat', 'Suse']
+
+- name: include_tasks "ntp_debian.yml"
+ include_tasks: "ntp_debian.yml"
+ when:
+ - ansible_os_family == 'Debian'
+ - ntp_service_enabled
+
+- name: include_tasks "ntp_rpm.yml"
+ include_tasks: "ntp_rpm.yml"
+ when:
+ - ansible_os_family in ['RedHat', 'Suse']
+ - ntp_service_enabled
\ No newline at end of file
diff --git a/roles/ceph-infra/tasks/ntp_debian.yml b/roles/ceph-infra/tasks/ntp_debian.yml
new file mode 100644
index 000000000..f1da045f1
--- /dev/null
+++ b/roles/ceph-infra/tasks/ntp_debian.yml
@@ -0,0 +1,29 @@
+---
+- name: setup ntpd
+ block:
+ - command: timedatectl set-ntp no
+ - package:
+ name: ntp
+ state: present
+ - service:
+ name: ntp
+ enabled: yes
+ state: started
+ when: ntp_daemon_type == "ntpd"
+
+- name: setup chrony
+ block:
+ - command: timedatectl set-ntp no
+ - package:
+ name: chrony
+ state: present
+ - service:
+ name: chronyd
+ enabled: yes
+ state: started
+ when: ntp_daemon_type == "chronyd"
+
+- name: setup timesyncd
+ block:
+ - command: timedatectl set-ntp on
+ when: ntp_daemon_type == "timesyncd"
diff --git a/roles/ceph-infra/tasks/ntp_rpm.yml b/roles/ceph-infra/tasks/ntp_rpm.yml
new file mode 100644
index 000000000..866667c2b
--- /dev/null
+++ b/roles/ceph-infra/tasks/ntp_rpm.yml
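Review bot: The `start firewalld` task (second task in roles/ceph-infra/tasks/configure_firewall_rpm.yml) is the only task in the file without `tags: - firewall`, so a run limited with `--tags firewall` adds the permanent rules without ever starting or enabling the daemon; give it the same `tags:` / `  - firewall` as its neighbours. Every rule task uses `permanent: true` with `immediate: false` and depends on `notify: restart firewalld` plus the closing `- meta: flush_handlers` to make the rules live, yet this commit adds no handlers file under roles/ceph-infra — presumably the handler still lives in ceph-common, so confirm it is resolvable from the play that now runs ceph-infra (site.yml.sample lists it beside ceph-defaults and ceph-validate); if it is not, the runtime ruleset is never updated. Boolean spelling is mixed (`warn: no`, `enabled: yes`, `check_mode: no` beside `permanent: true`); `true`/`false` throughout would satisfy yamllint's truthy rule. The ceph-common copy deleted earlier in this diff is byte-identical (same blob 7a4c6c73e), so these points predate the move rather than being introduced by it.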
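Review bot: The new roles/ceph-infra/tasks/main.yml ends without a trailing newline (`\ No newline at end of file` closes the hunk); add the final newline so the next edit to the file does not show a spurious change on its last line. The include filenames are quoted inconsistently — `include_tasks: configure_firewall_rpm.yml` but `include_tasks: "ntp_debian.yml"` and `include_tasks: "ntp_rpm.yml"` — so pick one form, and the task names can drop the redundant quotes as well. Both ntp includes are gated only on `ntp_service_enabled`; an unexpected `ntp_daemon_type` value makes every block in the included files skip silently, so an `assert` task here with `that: ntp_daemon_type in ['ntpd', 'chronyd', 'timesyncd']` would turn a silent no-op into a visible failure before any time-sync change is attempted.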
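Review bot: `- command: timedatectl set-ntp no` (and `set-ntp on` in the timesyncd block) carries no `changed_when`, so whichever block matches `ntp_daemon_type` reports a change on every run even when nothing was altered; `changed_when: false` on those command items keeps the play's change reporting honest. The same applies to roles/ceph-infra/tasks/ntp_rpm.yml in the next hunk. The two files differ only in the ntpd service name (`name: ntp` here, `name: ntpd` in ntp_rpm.yml), so one task file with an OS-specific variable would avoid keeping two near-copies in step. `enabled: yes` should be `enabled: true` to match the `true`/`false` spelling used elsewhere in this change and yamllint's truthy rule.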
@@ -0,0 +1,29 @@
+---
+- name: setup ntpd
+ block:
+ - command: timedatectl set-ntp no
+ - package:
+ name: ntp
+ state: present
+ - service:
+ name: ntpd
+ enabled: yes
+ state: started
+ when: ntp_daemon_type == "ntpd"
+
+- name: setup chrony
+ block:
+ - command: timedatectl set-ntp no
+ - package:
+ name: chrony
+ state: present
+ - service:
+ name: chronyd
+ enabled: yes
+ state: started
+ when: ntp_daemon_type == "chronyd"
+
+- name: setup timesyncd
+ block:
+ - command: timedatectl set-ntp on
+ when: ntp_daemon_type == "timesyncd"
diff --git a/site.yml.sample b/site.yml.sample
index 6ead1290a..769aac56f 100644
--- a/site.yml.sample
+++ b/site.yml.sample
@@ -75,6 +75,7 @@ roles: - ceph-defaults - ceph-validate + - ceph-infra - hosts: mons