Pierre Riteau e6cfaee10c Fix permission denied errors with ping on c8s
They seem to think ping is too dangerous for normal users.

Co-Authored-By: Pierre Riteau <pierre@stackhpc.com>
Signed-off-by: Dr. Jens Harbott <harbott@osism.tech>
Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/824903
Change-Id: I30c2a7b6850350901b15fe196175508634c8e9a5
2022-01-17 08:59:45 +00:00

74 lines
2.9 KiB
YAML

---
# Not all variables have sensible defaults, let's ensure these are set.
- name: Ensure mandatory variables are defined
assert:
that:
- managed_interface_name is defined
- managed_network_prefix is defined
- managed_network_prefix_length is defined
- managed_network_address_family is defined
- name: Set managed interface facts
set_fact:
managed_interface_address: "{{ managed_network_prefix }}{{ groups['all'].index(inventory_hostname) + 1 }}"
- name: Add IPv4 address for managed network
become: true
vars:
managed_network_cidr: "{{ managed_interface_address }}/{{ managed_network_prefix_length }}"
# NOTE(yoctozepto): we have to compute and explicitly set the broadcast address,
# otherwise bifrost fails its pre-bootstrap sanity checks due to missing
# broadcast address as ansible picks up scope ('global') as the interface's
# broadcast address which fails checks logic
managed_network_broadcast_address: "{{ managed_network_cidr | ipaddr('broadcast') }}"
command: ip address add {{ managed_network_cidr }} broadcast {{ managed_network_broadcast_address }} dev {{ managed_interface_name }}
when: managed_network_address_family == 'ipv4'
# NOTE(yoctozepto): IPv6 has no broadcast address, let's not create confusion by setting it
- name: Add IPv6 address for managed network
become: true
command: ip address add {{ managed_interface_address }}/{{ managed_network_prefix_length }} dev {{ managed_interface_name }}
when: managed_network_address_family == 'ipv6'
- name: Accept traffic on the managed network (IN)
become: true
iptables:
state: present
action: insert
chain: INPUT
ip_version: "{{ managed_network_address_family }}"
in_interface: "{{ managed_interface_name }}"
jump: ACCEPT
# NOTE(yoctozepto): the default policy is ACCEPT but it is nicer to get statistics
- name: Accept traffic on the managed network (OUT)
become: true
iptables:
state: present
action: insert
chain: OUTPUT
ip_version: "{{ managed_network_address_family }}"
out_interface: "{{ managed_interface_name }}"
jump: ACCEPT
# NOTE(yoctozepto): IPv6 DAD may delay proper address assignment
# this task will wait until DAD is done and addresses are no longer tentative
# we assign addresses uniquely so DAD can only move it to preferred
# hence we only check whether it's no longer tentative
- name: Ensure IPv6 addresses on the managed interface are no longer tentative
become: true
command: ip -o address show tentative dev {{ managed_interface_name }}
register: tentative_addresses
until: tentative_addresses.stdout == ''
retries: 30
delay: 2
when:
- managed_network_address_family == 'ipv6'
- name: Ping across the managed network
become: true
vars:
ping_command: "{{ 'ping' if managed_network_address_family == 'ipv4' else 'ping6' }}"
command: "{{ ping_command }} -c1 {{ hostvars[item].managed_interface_address }}"
with_inventory_hostnames: all