openstack/openstack-ansible-os_octavia
Code Issues Proposed changes
ba3e6e8e81
openstack-ansible-os_octavia/tasks/octavia_security_group.yml
German Eichberger 3d0dfb706c Set quota for octavia service project 
The default quotas are often not sufficient for a side wide
load balancing service. This will adjust them to some more
reasonable values.

The os_quota module of ansible assumes an installed
block storage service so it is not suitable for our
tests which don't install cinder. Therefore we
are using the openstack client straight.

Change-Id: If85cc3862b9316d9bf43e025bfaab8e1b7fd5576
2018-08-19 19:31:47 +00:00

133 lines
5.3 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# We set the python interpreter to the ansible runtime venv if
# the delegation is to localhost so that we get access to the
# appropriate python libraries in that venv. If the delegation
# is to another host, we assume that it is accessible by the
# system python instead.
- name: Setup the security groups
delegate_to: "{{ octavia_service_setup_host }}"
vars:
ansible_python_interpreter: >-
{{ (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
block:
- name: Setup the service project quota
# The os_quota module has a bug that it always requires a
# configured cinder service to work, so we use the CLI instead.
# TODO(_xgerman):
# Use the os_quota module once the issue is resolved.
shell: >-
openstack quota set
--os-cloud default
--cores {{ octavia_num_cores }}
--instances {{ octavia_num_instances }}
--ram {{ octavia_ram }}
--server-groups {{ octavia_num_server_groups }}
--server-group-members {{ octavia_num_server_group_members }}
--secgroups {{ octavia_num_secgroups }}
--ports {{ octavia_num_ports }}
--secgroup-rules {{ octavia_num_secgroups }}
{{ octavia_service_project_name }}
tags:
- skip_ansible_lint
- name: Create Octavia security group
os_security_group:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
name: "{{ octavia_security_group_name }}"
description: "security group for octavia amphora"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group
until: add_security_group is success
retries: 5
delay: 10
- name: Create security group rule for agent
os_security_group_rule:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
protocol: "tcp"
port_range_min: "{{ octavia_agent_port }}"
port_range_max: "{{ octavia_agent_port }}"
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
security_group: "{{ octavia_security_group_name }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group_rule
until: add_security_group_rule is success
retries: 5
delay: 10
- name: Create security group rule for ssh
os_security_group_rule:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
security_group: "{{ octavia_security_group_name }}"
protocol: tcp
port_range_min: 22
port_range_max: 22
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group_rule
until: add_security_group_rule is success
retries: 5
delay: 10
when:
- octavia_ssh_enabled | bool
- name: Create security group rule for icmp
os_security_group_rule:
auth:
auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}"
password: "{{ octavia_service_password }}"
project_name: "{{ octavia_service_project_name }}"
user_domain_name: "{{ octavia_service_user_domain_id }}"
project_domain_name: "{{ octavia_service_project_domain_id }}"
state: present
security_group: "{{ octavia_security_group_name }}"
protocol: icmp
remote_ip_prefix: "{{ octavia_security_group_rule_cidr }}"
interface: admin
verify: "{{ not keystone_service_adminuri_insecure }}"
register: add_security_group_rule
until: add_security_group_rule is success
retries: 5
delay: 10
when:
- debug | bool
View Git Blame Copy Permalink